SONICWALL Internet Security Appliances SonicWALL, Inc. 1160 Bordeaux Drive Sunnyvale, CA 94089-1209 Tel: (408) 745-9600 Fax: (408) 745-9300 E-mail: info@sonicwall.com Web: www.sonicwall.com Part# 232-000219-00 Rev.
integrated_manual.book Page 1 Friday, October 12, 2001 2:56 PM

Contents

Copyright Notice ... 5
About this Guide ... 7
SonicWALL Technical Support ... 8

1 Introduction
Your SonicWALL Internet Security Appliance ... 9
SonicWALL Internet Security Appliance Functional Diagram ...

Customize ... 57
Keywords ... 59
Consent ... 59

7 Web Management Tools
Restarting the SonicWALL ... 63
Preferences ...

Deleting Dynamic Ranges and Static Entries ... 110
DHCP Status ... 110
SonicWALL TELE3 and SOHO3 IP Address Management ... 111

11 SonicWALL VPN
VPN Applications ... 113
The VPN Interface ...

13 Hardware Description
SonicWALL PRO 200 and PRO 300 Front Panel ... 165
SonicWALL PRO 200 and PRO 300 Back Panel ... 166
SonicWALL PRO 100 Front Panel ... 167
SonicWALL PRO 100 Front Panel Description ... 167
SonicWALL PRO 100 Back Panel ...
Copyright Notice

© 2001 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within cannot be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original.

THIS WARRANTY AND THE REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, ORAL OR WRITTEN, EXPRESS OR IMPLIED. No dealer, agent, or employee of SonicWALL is authorized to make any extension or addition to this warranty.
About this Guide

Thank you for purchasing the SonicWALL Internet Security Appliance. The SonicWALL protects your Local Area Network (LAN) from attacks and intrusions, filters objectionable Web sites, provides private VPN connections to business partners and remote offices, and offers a centrally-managed defense against software viruses.

Chapter 14, Troubleshooting Guide, shows solutions to commonly encountered problems. Appendix A, Technical Specifications, lists the SonicWALL specifications. Appendix B, Introduction to Networking, provides an overview of the Internet, TCP/IP settings, IP security, and other general networking topics. Appendix C, IP Port Numbers, offers information about IP port numbering.

1 Introduction

Your SonicWALL Internet Security Appliance

The SonicWALL Internet security appliance provides a complete security solution that protects your network from attacks, intrusions, and malicious tampering. In addition, the SonicWALL filters objectionable Web content and logs security threats. SonicWALL VPN provides secure, encrypted communications to business partners and branch offices.

SonicWALL Internet Security Appliance Functional Diagram

The following figure illustrates the SonicWALL Internet Security Appliance functions. By default, the SonicWALL allows outbound access from the LAN to the Internet and blocks inbound access from the Internet to the LAN.

SonicWALL Internet Security Appliance Features

Internet Security

• ICSA-Certified Firewall
After undergoing a rigorous suite of tests to expose security vulnerabilities, SonicWALL Internet security appliances have received Firewall Certification from ICSA, the internationally-accepted authority on network security.

Content Filtering

• SonicWALL Content Filtering Overview
You can use the SonicWALL Web content filtering to enforce your company's Internet access policies. The SonicWALL blocks specified categories, such as violence or nudity, using an optional Content Filter List. Users on your network can bypass the Content Filter List by authenticating with a unique user name and password.

Dynamic Host Configuration Protocol (DHCP)

• DHCP Server
The DHCP Server offers centralized management of TCP/IP client configurations, including IP addresses, gateway addresses, and DNS addresses. Upon startup, each network client receives its TCP/IP settings automatically from the SonicWALL DHCP Server.

Contact SonicWALL, Inc. for information about the Content Filter List, Network AntiVirus subscriptions, and other upgrades.
Web: http://www.sonicwall.com
E-mail: sales@sonicwall.
Phone:
Fax:

2 SonicWALL Installation

This chapter describes the procedure used to install your SonicWALL and perform the initial configuration.
Connecting the SonicWALL to the Network

The following diagram illustrates how the SonicWALL is connected to the network. The following steps describe integration of the SonicWALL into the network.

1. Connect the WAN Ethernet port on the back of the SonicWALL to the Ethernet port on your Internet router or modem. Use a crossover cable when connecting the SonicWALL to a router. Use a standard Ethernet cable when connecting to a modem or a hub.

SonicWALL Installation Checklist

The SonicWALL requires information about the IP address configuration of your network. Your Internet Service Provider (ISP) should be able to provide this information. If you are unfamiliar with the terms used in this section, review Appendix B for basic networking terms and information.

Performing the Initial Configuration

Setting up your Management Station

All management functions on the SonicWALL are performed from a Web browser-based user interface. Management can be performed from any computer connected to the LAN port of the SonicWALL. The computer used for management is referred to as the Management Station. The SonicWALL is pre-configured with the IP address “192.168.168.

To configure your SonicWALL appliance, read the instructions on the Wizard Welcome window and click Next to continue.

Setting the Password

Note: It is very important to choose a password which cannot be easily guessed by others.

2. To set the password, enter a new password in the New Password and Confirm New Password fields. This window also displays the Use SonicWALL Global Management System check box.

Setting the Time and Date

4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue.

Connecting to the Internet

The Connecting to the Internet screen lists the information required to complete the installation. You need instructions for obtaining an IP address automatically or IP addresses from your ISP.

5.

Selecting Your Internet Connection

6. Select Assigned you a single static IP address if your ISP has provided you with a single, valid IP address. Now go to Step 10.

7. Select the second option, Assigned you two or more IP addresses, if your ISP has provided you with two or more IP addresses. Either NAT or Standard mode can be enabled if your network has two or more valid IP addresses. If you select the second option, go to Step 11.

8.

The Use Network Address Translation (NAT) window verifies that the SonicWALL has a registered IP address. To confirm this, click Next and go to Step 10.

Selecting Standard or NAT Enabled Mode

If you selected Assigned you a single static IP Address in Step 6, the Optional-Network Address Translation window is displayed.

10. The Optional-Network Address Translation (NAT) window offers the ability to enable NAT.

Configuring WAN Network Settings

If you selected either NAT or Standard mode, the Getting to the Internet window is displayed.

11. Enter the valid IP address provided by your ISP in the Getting to the Internet window. Enter the SonicWALL WAN IP Address, WAN/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next to continue. If NAT is disabled, go to Step 13. If Standard mode is selected, go to Step 14.

Confirming DHCP Client Mode

If you selected DHCP in Step 6, the Obtain an IP address automatically window is displayed.

13. The Obtain an IP address automatically window states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm this, click Next and go to Step 15.

Configuring LAN Network Settings

14.

Configuring the SonicWALL DHCP Server

15. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select the Enable DHCP Server check box, and specify the range of IP addresses that are assigned to computers on the LAN. If the Enable DHCP Server check box is not selected, the DHCP Server is disabled.

Congratulations

Note: The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations window, is used to log in and manage the SonicWALL.

17. Click Restart to restart the SonicWALL.

Restarting

Note: The final window provides important information to help configure the computers on the LAN. Click Print this Page to print the window information. The SonicWALL takes 90 seconds to restart.

18. Reset the Management Station Information
Reset the IP address of the Management Station according to the information displayed in the final window of the Installation Wizard.

19. Log into the SonicWALL Management Interface
Once the SonicWALL restarts, contact the SonicWALL Web Management Interface at the new SonicWALL LAN IP address. Type the User Name “admin” and enter the new administrator password to log into the SonicWALL.

20.
3 Managing Your SonicWALL

This chapter contains a brief overview of SonicWALL management commands and functions. The commands and functions are accessed through the SonicWALL Web Management Interface. The configuration is the same for all SonicWALL Internet security appliances; any exceptions are noted.

1.

Status

To view the Status tab, log into your SonicWALL using your web browser. Click General and then click the Status tab.

Note: The SonicWALL Status window is displayed above. Each SonicWALL Internet Security appliance displays unique characteristics, such as the presence of VPN acceleration hardware or a different amount of memory.

• VPN Hardware Accelerator Detected - indicates the presence of a VPN Hardware Accelerator in the firewall. This allows better throughput for VPN connections.
• RAM - the amount of Random Access Memory on the board.
• Flash - the size of the flash on the board.
• Ethernet Speeds - network speeds of the network card.
• Current Connections - number of computers connected to the SonicWALL.

accessed, type in the User Name and password: admin for User Name and then the password used for the management interface. The following CLI commands are available for the SonicWALL:

• ? or Help - displays a listing of the top level commands available.
• Export - exports preferences from the SonicWALL using the Z-modem file transfer protocol.
• Import - imports preferences from the SonicWALL using the Z-modem file transfer protocol.

4 General and Network Settings

This chapter describes the tabs in the General section and the configuration of the SonicWALL Network Settings. The Network Settings include the SonicWALL IP settings, the administrator password, and the time and date.

Network Settings

Network Addressing Mode

The Network Addressing Mode menu determines the network address scheme of your SonicWALL. It includes five options: Standard, NAT Enabled, NAT with DHCP Client, NAT with PPPoE, and NAT with L2TP Client.

• Standard mode requires valid IP addresses for all computers on your network, but allows remote access to authenticated users.

to your Internet router on the same subnet. All users on the subnet you are configuring must use this IP address as their default router/gateway address.

• Subnet Mask - This value defines the size, and based upon the Network Gateway entry, the scope of the subnet. If you are configuring a subnet mask that currently exists on the LAN, enter the existing subnet mask address into the Subnet Mask field.

DNS Settings

• DNS Servers
DNS Servers, or Domain Name System Servers, are used by the SonicWALL for diagnostic tests with the DNS Lookup Tool, and for upgrade and registration functionality. DNS Server addresses should be assigned by your ISP. If you select NAT with DHCP Client or NAT with PPPoE mode, the DNS Server addresses are assigned automatically.

• Additional security and anonymity because your LAN IP addresses are invisible to the outside world.

If your ISP hasn't provided enough IP addresses for all machines on your LAN, enable NAT and assign your network a private IP address range. You should use addresses from one of the following address ranges on your private network:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.

2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.

3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells the SonicWALL which IP addresses are on your LAN. Use the default value, "255.255.255.

1. Select NAT with DHCP Client from the Network Addressing Mode menu.

2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.

3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN.

Note: The SonicWALL does not relay DNS settings to the LAN; you must enable and configure the SonicWALL DHCP server or manually configure DNS settings on your computers to obtain DNS name resolution.

In the WAN/DMZ Settings section of Network, you can Renew and Release the SonicWALL WAN IP (NAT Public) Address lease. When you click Renew, the SonicWALL renews the IP address used for the WAN IP address.
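The LAN IP Address, LAN Subnet Mask and private address range entered in the NAT procedures above, together with the DHCP Server range from Step 15 of the Installation Wizard, have to agree with each other before the appliance will behave as expected. The following check is an added example, not SonicWALL code; it mirrors the wizard's field names, and the sample addresses and the default LAN IP it uses are constructed.

```python
"""Pre-deployment consistency check for the LAN / NAT / DHCP values entered in
the Network Settings and Installation Wizard steps above.

Added example, not SonicWALL code. Checks performed:
  * the LAN subnet mask is a contiguous mask;
  * with NAT enabled, the LAN subnet lies in one of the private ranges listed above;
  * the SonicWALL LAN IP is a host address (not the network or broadcast address);
  * the DHCP range lies inside the LAN subnet and does not hand out the SonicWALL
    LAN IP, the network address or the broadcast address.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The private ranges listed in the NAT section above (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class LanSettings:
    lan_ip: str                 # "SonicWALL LAN IP Address"
    lan_subnet_mask: str        # "LAN Subnet Mask"
    nat_enabled: bool           # NAT Enabled / NAT with DHCP Client modes
    dhcp_enabled: bool = False  # "Enable DHCP Server" check box (Step 15)
    dhcp_start: str = ""        # first address the DHCP Server hands out
    dhcp_end: str = ""          # last address the DHCP Server hands out


def validate_lan_settings(s: LanSettings) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: list[str] = []
    try:
        lan_ip = ipaddress.ip_address(s.lan_ip)
        # strict=False accepts a host address; a non-contiguous mask still raises.
        subnet = ipaddress.ip_network(f"{s.lan_ip}/{s.lan_subnet_mask}", strict=False)
    except ValueError as e:
        return [f"invalid LAN IP or subnet mask: {e}"]

    if subnet.prefixlen >= 31:
        problems.append("LAN subnet mask leaves no room for hosts")
    elif lan_ip in (subnet.network_address, subnet.broadcast_address):
        problems.append("SonicWALL LAN IP must be a host address, not the network or broadcast address")

    if s.nat_enabled and not any(subnet.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"NAT enabled but {subnet} is not inside a private (RFC 1918) range")

    if s.dhcp_enabled:
        try:
            start = ipaddress.ip_address(s.dhcp_start)
            end = ipaddress.ip_address(s.dhcp_end)
        except ValueError as e:
            return problems + [f"invalid DHCP range: {e}"]
        if start > end:
            problems.append("DHCP range start is after its end")
        if start not in subnet or end not in subnet:
            problems.append(f"DHCP range {start}-{end} is not inside LAN subnet {subnet}")
        else:
            if start <= lan_ip <= end:
                problems.append("DHCP range includes the SonicWALL LAN IP itself")
            if start == subnet.network_address or end == subnet.broadcast_address:
                problems.append("DHCP range includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 192.168.168.0/24 LAN with the appliance at .168.
    sample = LanSettings("192.168.168.168", "255.255.255.0", nat_enabled=True,
                         dhcp_enabled=True, dhcp_start="192.168.168.10", dhcp_end="192.168.168.100")
    print(validate_lan_settings(sample) or "settings are consistent")
```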
4. Enter the user name provided by your ISP in the User Name field. The user name identifies the PPPoE client.

5. Enter the password provided by your ISP in the Password field. The password authenticates the PPPoE session. This field is case sensitive.

6. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the PPPoE connection after a specified period of inactivity.

NAT with L2TP Client

L2TP is a standard tunneling protocol that is used to encapsulate Point-to-Point Protocol (PPP) frames for transmission over TCP/IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks. It can be used to create virtual private networks (VPN) over public networks such as the Internet. It also provides interoperability between different VPN vendors which other protocols do not provide.

2. Configure the LAN Settings by typing in the IP addresses for the SonicWALL LAN and the LAN Subnet Mask.

3. Type the IP address for the WAN in the WAN Gateway (Router) Address field. Then enter the IP address for the SonicWALL WAN IP (NAT Public) Address, and the WAN/DMZ Subnet Mask.

4. Configure the DNS Settings by typing the DNS Server IP address into the DNS Server field.

5.

Setting the Time and Date

1. Click the Time tab. The SonicWALL uses the time and date settings to time stamp log events, to automatically update the Content Filter List, and for other internal purposes.

2. Select your time zone from the Time Zone menu.

3. Click Update to add the information to the SonicWALL.

by default. To remove an NTP server, highlight the IP address and click Delete NTP Server. When you have configured the Time window, click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

Setting the Administrator Password

1. Click the Password tab.

Setting the Administrator Inactivity Timeout

The Administrator Inactivity Timeout setting allows you to configure the length of inactivity that can elapse before you are automatically logged out of the Web Management Interface. The SonicWALL is preconfigured to log out the administrator after 5 minutes of inactivity.

5 Logging and Alerts

This chapter describes the SonicWALL Internet Security appliance logging, alerting, and reporting features, which can be viewed in the Log section of the SonicWALL Web Management Interface. There are three tabs in the Log section:

• View Log
• Log Settings
• Reports

A fourth tab, ViewPoint™, is available on the PRO 200 and PRO 300. It is a purchased upgrade for the PRO 200, but it is included with the PRO 300.

SonicWALL Log Messages

Each log entry contains the date and time of the event and a brief message describing the event. It is also possible to copy the log entries from the management interface and paste them into a report.

• TCP, UDP, or ICMP packets dropped
When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet.

Log Settings

Click Log on the left side of the browser window, and then click the Log Settings tab. Configure the following settings:

1. Mail Server - To e-mail log or alert messages, enter the name or IP address of your mail server in the Mail Server field. If this field is left blank, log and alert messages are not e-mailed.

2. Send Log To - Enter your full e-mail address (username@mydomain.

activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Enter the Syslog server name or IP address in the Syslog Server field. Restart the SonicWALL for the change to take effect.

Log Categories

You can define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug.

• System Maintenance
Logs general system activity, such as administrator logins, automatic downloads of the Content Filter Lists, and system activations.

• System Errors
Logs problems with DNS, e-mail, and automatic downloads of the Content Filter List.

Alert Categories

Alerts are events, such as attacks, which warrant immediate attention. When events generate alerts, messages are immediately sent to the e-mail address defined in the Send alerts to field. Attacks and System Errors are enabled by default; Blocked Web Sites is disabled.

• Attacks
Log entries categorized as Attacks generate alert messages.

• System Errors
Log entries categorized as System Errors generate alert messages.
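Once log messages of the kind described under SonicWALL Log Messages are forwarded to the Syslog server on UDP port 514, the dropped-packet entries (which carry source and destination addresses) can be summarized per source to see which outside hosts keep hitting the firewall. The parser below is an added example, not SonicWALL code or a SonicWALL log format: the line layout and every sample line are constructed for the example, so adapt the two regular expressions to the text your appliance actually emits.

```python
"""Summarize dropped-packet log lines once they reach a Syslog server.

Added example, not SonicWALL code. The line layout is an assumption made for
this example: a BSD-syslog header (priority, timestamp, host) followed by the
message text the manual describes. Sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed layout, not captured from a real appliance).
SAMPLE_LINES = [
    "<134>Oct 12 14:56:01 sonicwall TCP packet dropped src=198.51.100.7:4123 dst=203.0.113.5:23",
    "<134>Oct 12 14:56:02 sonicwall TCP packet dropped src=198.51.100.7:4124 dst=203.0.113.5:21",
    "<134>Oct 12 14:56:02 sonicwall UDP packet dropped src=198.51.100.9:53 dst=203.0.113.5:161",
    "<134>Oct 12 14:56:03 sonicwall TCP packet dropped src=198.51.100.7:4125 dst=203.0.113.5:80",
    "<134>Oct 12 14:56:05 sonicwall ICMP packet dropped src=198.51.100.9 dst=203.0.113.5",
    "<134>Oct 12 14:57:10 sonicwall Administrator login allowed src=192.168.168.20",
]

# Header: optional <PRI>, then "Mon dd hh:mm:ss host message".
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# Dropped-packet message with source/destination; ports are absent for ICMP.
DROP_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) packet dropped "
    r"src=(?P<src>[\d.]+)(?::(?P<sport>\d+))? dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "msg": m.group("msg"), "dropped": False}
    d = DROP_RE.match(rec["msg"])
    if d:
        rec.update(
            dropped=True,
            proto=d.group("proto"),
            src=d.group("src"),
            dst=d.group("dst"),
            dport=int(d.group("dport")) if d.group("dport") else None,
        )
    return rec


def summarize_drops(lines, distinct_port_threshold=3):
    """Count drops per source and flag sources whose drops span many distinct destination ports."""
    per_source = Counter()
    ports = defaultdict(set)
    skipped = 0  # lines that did not parse; worth eyeballing, never silently lost
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["dropped"]:
            per_source[rec["src"]] += 1
            if rec["dport"] is not None:
                ports[rec["src"]].add(rec["dport"])
    flagged = sorted(src for src, p in ports.items() if len(p) >= distinct_port_threshold)
    return {"per_source": dict(per_source), "flagged": flagged, "skipped": skipped}


if __name__ == "__main__":
    print(summarize_drops(SAMPLE_LINES))
```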
The Reports window includes the following functions and commands:

• Start Data Collection
Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.

• Reset Data
Click Reset to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL is restarted.

6 Content Filtering and Blocking

This chapter describes the SonicWALL content filtering features configured in the Filter section of the SonicWALL Web Management Interface. Content Filtering and Blocking records Web site blocking by Filter List category, domain name, and keyword.

• Java
Java is used to embed small programs, called applets, in Web pages. It is safer than ActiveX since it has built-in security mechanisms. Select the Java check box to block Java applets from the network.

• Cookies
Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable Cookies.

The following is a list of the Content Filter List categories:

• Violence/Profanity
• Satanic/Cult
• Partial Nudity
• Drugs/Drug Culture
• Full Nudity
• Militant/Extremist
• Sexual Acts
• Sex Education
• Gross Depictions
• Questionable/Illegal Gambling
• Intolerance
• Alcohol & Tobacco

Visit for a detailed description of the criteria used to define Content Filter List categories.

Click Filter on the left side of the browser window, and then click the List Update tab. Configure the following settings in the List Update window.

• Download Now
Click Download Now to immediately download and install a new Content Filter List. This process takes several minutes and requires a current subscription to Content Filter List updates.

In the If Filter List Not Loaded section, select either Block traffic to all web sites except for Trusted Domains or Allow traffic to all web sites. If Allow traffic to all web sites is selected, Forbidden Domains and Keywords are still blocked.

Note: The SonicWALL does not ship with the Content Filter List installed. Registering the SonicWALL provides a one-month trial subscription to the Content Filter List.

To block a Web site that is not blocked by the Content Filter List, enter the host name, such as “www.bad-site.com”, into the Forbidden Domains field. 256 entries can be added to the Forbidden Domains list.

Note: Do not include the prefix “http://” in either the Trusted Domains or Forbidden Domains fields. All subdomains are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”. Click Update.

Keywords

Click Filter on the left side of the browser window, and then click the Keywords tab. The SonicWALL allows you to block Web URLs containing keywords. For example, if you add the keyword "XXX", the Web site is blocked, even if it is not included in the Content Filter List. To enable this function, select the Enable Keyword Blocking check box.
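The three mechanisms just described (the If Filter List Not Loaded choice, Trusted and Forbidden Domains with their subdomain rule, and Keyword blocking) interact, and it is worth checking on a few sample URLs what a given combination of settings will do. The model below is an added example, not SonicWALL code: the order in which it tests the lists (Forbidden Domains and Keywords first, since the page says they stay blocked even without the list; then Trusted Domains; then the Content Filter List) and case-insensitive keyword matching are this model's assumptions, and the sample lists and URLs are constructed.

```python
"""Model of how Forbidden Domains, Keywords, Trusted Domains and the
"If Filter List Not Loaded" setting combine for one requested URL.

Added example, not SonicWALL code. Assumptions: Forbidden Domains and
Keywords are tested first, then Trusted Domains, then the Content Filter
List; keyword matching is case-insensitive. Sample data is constructed.
"""
from urllib.parse import urlsplit

MAX_FORBIDDEN_ENTRIES = 256  # limit stated for the Forbidden Domains list


def normalize_domain(entry):
    """Drop the 'http://' prefix the manual says not to enter, plus any path or port."""
    e = entry.strip().lower()
    if "://" in e:
        e = urlsplit(e).hostname or ""
    else:
        e = e.split("/")[0].split(":")[0]
    return e.strip(".")


def domain_matches(host, entry):
    """'yahoo.com' covers 'yahoo.com', 'mail.yahoo.com' and 'my.yahoo.com', not 'notyahoo.com'."""
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


class ContentFilter:
    def __init__(self, forbidden=(), trusted=(), keywords=(), keyword_blocking=False,
                 filter_list_loaded=False, block_all_if_list_not_loaded=False,
                 category_blocked=None):
        # Only the first 256 Forbidden Domains entries are kept, matching the stated limit.
        self.forbidden = [normalize_domain(d) for d in forbidden][:MAX_FORBIDDEN_ENTRIES]
        self.trusted = [normalize_domain(d) for d in trusted]
        self.keywords = [k.lower() for k in keywords]
        self.keyword_blocking = keyword_blocking
        self.filter_list_loaded = filter_list_loaded
        self.block_all_if_list_not_loaded = block_all_if_list_not_loaded
        # Stand-in for the Content Filter List lookup: host -> True if a blocked category applies.
        self.category_blocked = category_blocked

    def decide(self, url):
        """Return ('allow' | 'block', reason) for one requested URL."""
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        if any(domain_matches(host, f) for f in self.forbidden):
            return "block", "forbidden domain"
        if self.keyword_blocking and any(k in url.lower() for k in self.keywords):
            return "block", "keyword"
        if any(domain_matches(host, t) for t in self.trusted):
            return "allow", "trusted domain"
        if not self.filter_list_loaded:
            # "If Filter List Not Loaded": block all except Trusted Domains, or allow all.
            if self.block_all_if_list_not_loaded:
                return "block", "filter list not loaded"
            return "allow", "filter list not loaded"
        if self.category_blocked is not None and self.category_blocked(host):
            return "block", "content filter list category"
        return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed sample settings: list not loaded, "Allow traffic to all web sites" selected.
    cf = ContentFilter(forbidden=["http://www.bad-site.com", "yahoo.com"],
                       trusted=["intranet.example"], keywords=["xxx"], keyword_blocking=True)
    for u in ("http://mail.yahoo.com/inbox", "http://notyahoo.com/", "http://www.example.org/xxx/"):
        print(u, "->", cf.decide(u))
```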
integrated_manual.book Page 60 Friday, October 12, 2001 2:56 PM Click Filter on the left side of the browser window, and then click the Consent tab. • Require Consent Select the Require Consent check box to enable the Consent features. • Maximum Web usage In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed.
integrated_manual.book Page 61 Friday, October 12, 2001 2:56 PM • Consent page URL (Optional Filtering) When a user opens a Web browser on a computer requiring consent, they are shown a consent page and given the option to access the Internet with or without content filtering. An example of this page is shown below: You must create this Web (HTML) page. It can contain the text from, or links to an Acceptable Use Policy (AUP).
integrated_manual.book Page 62 Friday, October 12, 2001 2:56 PM • “Consent Accepted” URL (Filtering On) When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the “Consent Accepted” (Filtering On) field. This page must reside on a Web server and be accessible as a URL by users on the LAN.
integrated_manual.book Page 63 Friday, October 12, 2001 2:56 PM 7 Web Management Tools This chapter describes the SonicWALL Management Tools, available in the Tools section of the SonicWALL Web Management Interface. The Web Management Tools section allows you to restart the SonicWALL, import and export configuration settings, update the SonicWALL firmware, and perform several diagnostic tests.
integrated_manual.book Page 64 Friday, October 12, 2001 2:56 PM Preferences Click Tools on the left side of the browser window, and then click the Preferences tab. You can save the SonicWALL settings, and then retrieve them later for backup purposes. SonicWALL recommends saving the SonicWALL settings when upgrading the firmware. The Preferences window also provides options to restore the SonicWALL factory default settings and launch the SonicWALL Installation Wizard.
integrated_manual.book Page 65 Friday, October 12, 2001 2:56 PM Exporting the Settings File It is possible to save the SonicWALL configuration information as a file on your computer, and retrieve it for later use. 1. Click Export in the Preferences tab. 2. Click Export again to download the settings file. Then choose the location to save the settings file. The file is named “sonicwall.exp” by default, but it can be renamed. 3. Click Save to save the file. This process can take up to a minute.
integrated_manual.book Page 66 Friday, October 12, 2001 2:56 PM Importing the Settings File After exporting a settings file, you can import it back to the SonicWALL. 1. Click Import in the Preferences tab. 2. Click Browse to locate a settings file which was saved using Export. 3. Select the file, and click Import. 4. Restart the SonicWALL for the settings to take effect. Note: The Web browser used to Import Settings must support HTTP uploads. Netscape Navigator 3.0 and above is recommended.
integrated_manual.book Page 67 Friday, October 12, 2001 2:56 PM Restoring Factory Default Settings You can erase the SonicWALL configuration settings and restore the SonicWALL to its factory default state. 1. Click Restore on the Preferences tab to restore factory default settings. 2. Click Yes, and then restart the SonicWALL for the change to take effect. Note: The SonicWALL LAN IP Address, LAN Subnet Mask, and the Administrator Password are not reset.
To be automatically notified when new firmware is available, select the Notify me when new firmware is available check box. Then click Update. If you enable firmware notification, your SonicWALL sends a status message to the SonicWALL, Inc. Firmware Server on a daily basis.

Updating Firmware Manually
You can also upload firmware from the local hard drive. Click Upload Firmware. Note: The Web browser used to upload new firmware into the SonicWALL must support HTTP uploads. Netscape Navigator 3.0 and above is recommended. When firmware is uploaded, the SonicWALL settings can be erased. Before uploading new firmware, export and save the SonicWALL settings so that they can be restored later.

Click Browse and select the firmware file from your local hard drive or from the SonicWALL Companion CD. Click Upload, and then restart the SonicWALL. Note: When uploading firmware to the SonicWALL, you must not interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it can corrupt the SonicWALL firmware.

Diagnostic Tools
The SonicWALL has several built-in tools which help troubleshoot network problems. Click Tools on the left side of the browser window and then click the Diagnostic tab.

DNS Name Lookup
The SonicWALL has a DNS lookup tool that returns the numerical IP address of a domain name or, if you type in an IP address, returns the domain name.
1. Select DNS Name Lookup from the Choose a diagnostic tool menu.
2.

1. Select Find Network Path from the Choose a diagnostic tool menu.
2. Enter the IP address of the device and click Go. The test takes a few seconds to complete. Once completed, a message showing the results is displayed in the browser window. If the network path is incorrect, review the SonicWALL Intranet and Static Routes settings.
Note: Find Network Path requires an IP address.

1. Select Ping from the Choose a diagnostic tool menu.
2. Enter the IP address of the target device to ping and click Go. The test takes a few seconds to complete. Once completed, a message showing the results is displayed in the browser window.
Note: Ping requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host.

Packet Trace
The Packet Trace tool tracks the status of a communications stream as it moves from source to destination. This is a useful tool to determine if a communications stream is being stopped at the SonicWALL, or is lost on the Internet. To interpret this tool, it is necessary to understand the three-way handshake that occurs for every TCP connection.

When using packet traces to isolate network connectivity problems, look for the location where the three-way handshake is breaking down. This helps to determine if the problem resides with the SonicWALL configuration, or if there is a problem on the Internet.
1. Select Packet Trace from the Choose a diagnostic tool menu.
Note: Packet Trace requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host.
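The handshake check the Packet Trace section describes, as an added example (not SonicWALL code; the trace-line format below is constructed for the example rather than the appliance's own output): it parses a trace and reports, for each connection attempt, whether the SYN, SYN/ACK and ACK all appeared, so the step at which the handshake broke down is visible at a glance.

```python
"""Locate where a TCP three-way handshake breaks down in a packet trace.

Added example, not SonicWALL code. The trace-line format (time, interface,
src, dst, TCP flags) is constructed for this example; it is not the format
the appliance's Packet Trace tool prints.
"""
import re
from collections import defaultdict

# Constructed sample trace, not real appliance output.
SAMPLE_TRACE = """\
0.000 LAN 192.168.1.20:3456 > 208.5.5.5:80 SYN
0.021 WAN 208.5.5.5:80 > 192.168.1.20:3456 SYN,ACK
0.022 LAN 192.168.1.20:3456 > 208.5.5.5:80 ACK
1.000 LAN 192.168.1.21:4000 > 208.5.5.6:25 SYN
4.000 LAN 192.168.1.21:4000 > 208.5.5.6:25 SYN
2.000 WAN 203.0.113.9:5555 > 192.168.1.30:80 SYN
2.010 LAN 192.168.1.30:80 > 203.0.113.9:5555 SYN,ACK
"""

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+)\s+(?P<iface>\w+)\s+(?P<src>[\d.]+:\d+)\s+>\s+"
    r"(?P<dst>[\d.]+:\d+)\s+(?P<flags>[A-Z,]+)$"
)


def parse_trace(text):
    """Yield one dict per well-formed trace line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["flags"] = set(d["flags"].split(","))
            yield d


def analyze_handshakes(text):
    """Return {(client, server): verdict} for every connection attempt seen.

    Verdicts:
      'complete'      SYN, SYN/ACK and ACK were all observed
      'no syn-ack'    the client's SYN (possibly repeated) got no reply: the
                      packet was dropped by the firewall or lost beyond it
      'no final ack'  the server answered but the client's ACK never appeared
    """
    state = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False})
    for pkt in parse_trace(text):
        f = pkt["flags"]
        if "SYN" in f and "ACK" not in f:
            state[(pkt["src"], pkt["dst"])]["syn"] += 1
        elif "SYN" in f and "ACK" in f:
            # The SYN/ACK flows server -> client, so key on the reverse tuple.
            state[(pkt["dst"], pkt["src"])]["synack"] = True
        elif "ACK" in f:
            key = (pkt["src"], pkt["dst"])
            if key in state and state[key]["synack"]:
                state[key]["ack"] = True

    verdicts = {}
    for key, s in state.items():
        if s["syn"] == 0:
            continue  # saw only replies; no attempt started inside this trace
        if s["synack"] and s["ack"]:
            verdicts[key] = "complete"
        elif s["synack"]:
            verdicts[key] = "no final ack"
        else:
            retries = f" (SYN sent {s['syn']} times)" if s["syn"] > 1 else ""
            verdicts[key] = "no syn-ack" + retries
    return verdicts


if __name__ == "__main__":
    for (client, server), verdict in analyze_handshakes(SAMPLE_TRACE).items():
        print(f"{client} -> {server}: {verdict}")
```

A SYN that is repeated with no SYN/ACK in the trace is the pattern to look for when a rule or the Intranet settings are suspected of dropping the stream; a SYN/ACK with no final ACK points at the return path instead.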
In the Tools section, click the Diagnostic tab, and then select Tech Support Report from the Choose a diagnostic tool menu. Four Report Options are available in the Tech Support Report section:
• VPN Keys - saves shared secrets, encryption, and authentication keys to the report.
• ARP Cache - saves a table relating IP addresses to the corresponding MAC or physical addresses.
• DHCP Bindings - saves entries from the SonicWALL DHCP server.

8 Network Access Rules

This chapter describes the SonicWALL Network Access Rules, which determine inbound and outbound access policy, user authentication and remote management. Network Access Rules are configured in the Access section of the SonicWALL Web Management Interface.

LAN Out
If the LAN Out check box is selected, users on your LAN are able to access that service on the Internet. Otherwise, they are blocked from accessing that service. By default, LAN Out check boxes are selected.

DMZ In (Optional)
If a DMZ In check box is selected, users on the Internet can access that service on the DMZ. Otherwise, they are blocked from accessing that service on the DMZ. By default, DMZ In check boxes are selected.

Network Connection Inactivity Timeout
If a connection to a remote server remains idle for more than five minutes, the SonicWALL closes the connection. Without this timeout, Internet connections could stay open indefinitely, creating potential security holes. You can increase the Inactivity Timeout if applications, such as Telnet and FTP, are frequently disconnected.
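How an inactivity timeout keeps a stateful connection table from growing without bound, as an added example (not SonicWALL code): each packet refreshes a connection's last-activity time and a periodic sweep closes anything idle longer than the timeout, which defaults to the five minutes stated above. The addresses and timings in the scenario are constructed.

```python
"""Idle-connection expiry, modelled after the Network Connection Inactivity Timeout.

Added example, not SonicWALL code. The connection table, the sweep interval
and the sample traffic are all assumptions made for illustration.
"""
DEFAULT_TIMEOUT_SECS = 5 * 60  # the page's default of five minutes


class ConnectionTable:
    def __init__(self, timeout_secs=DEFAULT_TIMEOUT_SECS):
        self.timeout = timeout_secs
        self.last_seen = {}  # (src, dst) -> time of the last packet seen

    def packet(self, src, dst, now):
        """Record activity on a connection, creating the entry on first sight."""
        self.last_seen[(src, dst)] = now

    def sweep(self, now):
        """Close every connection idle longer than the timeout; return the closed keys."""
        expired = [k for k, t in self.last_seen.items() if now - t > self.timeout]
        for k in expired:
            del self.last_seen[k]
        return sorted(expired)

    def active(self):
        return sorted(self.last_seen)


def simulate_idle_timeout(timeout_secs=DEFAULT_TIMEOUT_SECS):
    """Constructed scenario: an HTTP fetch goes quiet while a Telnet session keeps typing.

    Returns (connections closed by the first sweep, connections still open).
    """
    table = ConnectionTable(timeout_secs)
    table.packet("192.168.1.20:3456", "208.5.5.5:80", now=0)     # HTTP, then silent
    table.packet("192.168.1.21:4001", "208.5.5.7:23", now=0)     # Telnet session
    table.packet("192.168.1.21:4001", "208.5.5.7:23", now=200)   # keystrokes refresh it
    closed = table.sweep(now=301)                                # just past five minutes
    return closed, table.active()


if __name__ == "__main__":
    closed, still_open = simulate_idle_timeout()
    print("closed:", closed)
    print("open:  ", still_open)
```

Raising the timeout, as the text suggests for Telnet and FTP, trades a longer window in which a dead or hijacked session stays in the table for fewer spurious disconnects; the second call in the test shows the same traffic with a 600-second timeout closing nothing.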
Add a Known Service
1. Select the name of the service you want to add from the Add a known service list.
2. Click Add. The new service appears in the list box on the right side of the browser window. Note that some services add more than one entry to the list.

Add a Custom Service
1. Select [Custom Service] from the Add a known service list.
2. Type a unique name, such as “CC:mail” or “Quake” in the Name field.
3.

To create custom Network Access Rules, click Access on the left side of the browser window, and then click the Rules tab. Note: Use extreme caution when creating or deleting Network Access Rules, because you can disable firewall protection or block access to the Internet.

Add A New Rule
1. Click Add New Rule... to open the Add Rule window.
2.

3. Select the name of the service affected by the Rule from the Service list. If the service is not listed, you must define the service in the Add Service window. The Default service encompasses all IP services.
4. Select the source of the traffic affected by the rule, either LAN, WAN, DMZ, or *, from the Source Ethernet menu.

For example, to configure the SonicWALL to allow Internet traffic to your web server with an IP address of 208.5.5.5 (Standard mode), create the following rule:
1. Verify that HTTP has been added as a Service as outlined previously.
2. Click the Rules tab, and click Add New Rule....
3. Select Allow, then Web (HTTP) from the Service menu.
4.

192.168.1.11; and the FTP server has an IP address of 192.168.1.12. To enable the servers, click Access on the left side of the Management interface, and then the Services tab.
1. Type in the IP address of the web server in the Public LAN Server field on the Web (HTTP) line.
2. Type in the IP address of the FTP server in the Public LAN Server field on the File Transfer (FTP) line.
3.

3. You do not have to remove the Deny Default * to LAN Rule in the Rules window to allow inbound access to a Public LAN Server.
4. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Repeat these instructions to configure additional Public LAN Servers.

Current Network Access Rules List
All Network Access Rules are listed in the Current Network Access Rules table. The rules are listed from most to least specific. The rules at the top of the Current Network Access Rules list take precedence over rules at the bottom of the list.

Edit a Rule
To edit a rule, click the Note Pad icon on the right side of the browser window.

The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN to the WAN. However, Rule #1 blocks IRC (Chat) traffic from a computer on the LAN to a server on the WAN. The Default Deny Rule (#6) blocks all traffic from the WAN to the LAN; however, Rule #2 overrides this rule by allowing Web traffic from the WAN to the LAN.

Examples
The following examples illustrate methods for creating Network Access Rules.
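A first-match evaluator for the rule list just described, as an added example (not SonicWALL code): the four rules are the ones the text names (#1, #2, #6 and #7); rules #3 to #5 are not described on this page and are left out, and the service and zone labels are assumed. The check_ordering helper shows why list position matters: a broad rule placed above a more specific one shadows it, which is the mistake the "extreme caution" note warns about.

```python
"""First-match evaluation of a Network Access Rules list.

Added example, not SonicWALL code. Rule numbers 1, 2, 6 and 7 and their
meaning come from the page; rules 3 to 5 are not described there and are
omitted. Service and zone names are assumed labels.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # 'Allow' or 'Deny'
    service: str       # e.g. 'HTTP', 'IRC', or 'Default' (all IP services)
    source: str        # 'LAN', 'WAN', 'DMZ' or '*'
    destination: str   # 'LAN', 'WAN', 'DMZ' or '*'


# Listed most-specific first, as the page says the Current Network Access Rules table is.
RULES = [
    Rule(1, "Deny", "IRC", "LAN", "WAN"),        # block chat from the LAN
    Rule(2, "Allow", "HTTP", "WAN", "LAN"),      # overrides the default deny for Web
    Rule(6, "Deny", "Default", "WAN", "LAN"),    # Default Deny: WAN -> LAN
    Rule(7, "Allow", "Default", "LAN", "WAN"),   # Default Allow: LAN -> WAN
]


def _covers(rule, service, source, destination):
    """True when the rule applies to this (service, source, destination) triple."""
    return (rule.service in ("Default", service)
            and rule.source in ("*", source)
            and rule.destination in ("*", destination))


def evaluate(service, source, destination, rules=RULES):
    """Return (action, rule number) of the first matching rule.

    Assumption: traffic that matches no rule at all is dropped, reported as
    ('Deny', None).
    """
    for rule in rules:
        if _covers(rule, service, source, destination):
            return rule.action, rule.number
    return "Deny", None


def check_ordering(rules):
    """Find rules that can never fire because an earlier rule already covers them.

    Returns a list of (shadowed rule number, shadowing rule number).
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later.service, later.source, later.destination):
                shadowed.append((later.number, earlier.number))
                break
    return shadowed


if __name__ == "__main__":
    for triple in (("IRC", "LAN", "WAN"), ("HTTP", "WAN", "LAN"), ("FTP", "WAN", "LAN")):
        print(triple, "->", evaluate(*triple))
    print("shadowed rules:", check_ordering(RULES))
```

Swapping Rule #2 below Rule #6 makes the Web allow unreachable, which check_ordering reports; that is the case a reviewer should look for after any edit to the list.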
Enabling Ping
By default, your SonicWALL does not respond to ping requests from the Internet. This Rule allows ping requests from your ISP servers to your SonicWALL.
1. Click Add New Rule in the Rules window to launch the "Add Network Access Rule" window.
2. Select Allow from the Action menu.
3. Select Ping from the Service menu.
4. Select WAN from the Source Ethernet menu.
5.

SonicWALL TELE3 and SOHO3 IP Address Management
The SonicWALL TELE3 has a five node license which cannot be upgraded. The SonicWALL SOHO3 10-user license and 50-user license allow a maximum of 10 and 50 LAN IP addresses to access the Internet, respectively. The SonicWALL cannot differentiate between IP addresses designated for Internet access and IP addresses intended for LAN access only.

Users
The SonicWALL provides an authentication method giving authorized Internet users access to LAN resources and allows users on the LAN to bypass Web content filtering. The Users tab allows you to configure the user settings.

User Settings
Click Access on the left side of the browser window, and then click on the Users tab.

4. Choose the privileges to be enabled for the user by selecting one or both check boxes. Two options are available:
• Remote Access - This option provides unrestricted access to the LAN from a remote location on the Internet. Only Standard mode supports Remote Access. If NAT is enabled, VPN client remote access is recommended.

SonicWALL Management

SonicWALL SNMP Support
SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of SonicWALL Internet Security appliances and receive notification of any critical events as they occur on the network.

3. In the System Contact field, type in the name of the network administrator for the SonicWALL appliance.
4. Type in an e-mail address, telephone number, or pager number in the System Location field.
5. Create a name for a group or community of administrators who can view SNMP data, and type it into the Get Community Name field.
6.

When remote management is enabled, a Management SA is automatically generated. The Management SA uses Manual Keying to set up a VPN tunnel between the SonicWALL and the VPN client. The Management SA also defines Inbound and Outbound Security Parameter Indices (SPIs) which match the last eight digits of the SonicWALL serial number. The preset SPIs are displayed in the Security Association Information section.

Note: The Management Method list also includes the option for management by SonicWALL Global Management System (SonicWALL GMS). Select this option if the SonicWALL is managed remotely by SonicWALL GMS. Refer to SonicWALL GMS documentation for setup instructions.

Manage Using Internet Explorer check box
The check box labeled Manage Using Internet Explorer is selected by default.

9 Advanced Features

This chapter describes the SonicWALL Advanced Features, such as Web Proxy Forwarding, DMZ Address settings, and One-to-One NAT. The Advanced Features can be accessed in the Advanced section of the SonicWALL Web Management Interface.

If you have a proxy server on your network, instead of configuring each computer to point to the proxy server, you can move the server to the WAN and enable Web Proxy Forwarding. The SonicWALL automatically forwards all Web proxy requests to the proxy server without requiring all the computers on the network to be configured.

Configuring Web Proxy Relay
1. Connect your Web proxy server to a hub, and connect the hub to the SonicWALL WAN port.

Intranet
The SonicWALL can be configured as an Intranet firewall to prevent network users from accessing sensitive servers. By default, users on your LAN can access the Internet router, but not devices connected to the WAN port of the SonicWALL. To enable access to the area between the SonicWALL WAN port and the Internet, you must configure the Intranet settings on the SonicWALL.

Intranet Configuration
Click Advanced on the left side of the browser window, and then click the Intranet tab. To enable an Intranet firewall, you must specify which machines are located on the LAN, or you must specify which machines are located on the WAN. It is best to select the network area with the least number of machines.

• Specified address ranges are attached to the WAN link - Select this option if it is easier to specify the devices on your WAN. Then enter your WAN IP address range(s). Computers connected to the WAN port that are not included are inaccessible to users on your LAN.
• Add Range - To add a range of addresses, such as "199.2.23.50" to "199.2.23.

To add Static Route entries, complete the following instructions:
1. Enter the destination network of the static route in the Dest. Network field. The destination network is the IP address subnet of the remote network segment. Note: If the destination network uses IP addresses ranging from "192.168.1.1" to "192.168.1.255", enter "192.168.1.0" in the Dest. Network field.
2.

Click Advanced on the left side of the browser window, and then click the DMZ Addresses tab. Servers on the DMZ must have unique, valid IP addresses in the same subnet as the SonicWALL WAN IP Address. Your ISP should be able to provide these IP addresses, as well as information on setting up public servers. To configure DMZ Addresses, complete the following instructions.
1.

Delete a DMZ Address Range
To delete an address or range, select it in the Address Range list and click Delete. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Note: Network Address Translation (NAT) does not apply to servers on the DMZ.

One-to-One NAT
One-to-One NAT maps valid, external addresses to private addresses hidden by NAT.

To configure One-to-One NAT, complete the following instructions.
1. Select the Enable One-to-One NAT check box.
2. Enter the beginning IP address of the private address range being mapped in the Private Range Begin field. This is the IP address of the first machine that is accessible from the Internet.
3. Enter the beginning IP address of the valid address range being mapped in the Public Range Begin field.

5. Type in 3 in the Range length field. Note: You can configure the IP addresses individually, but it is easier to configure them in a range. However, the IP addresses on both the private and public sides must be consecutive to configure a range of addresses.
6. Click Update.
7. Click Access, then the Rules tab.
8. Click Add New Rule and configure the following settings:
• Allow
• Service - HTTP
• Destination - LAN 192.168.1.10 - 192.168.1.
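The address mapping the One-to-One NAT steps above configure, as an added example (not SonicWALL code): it takes the Private Range Begin, Public Range Begin and Range length and derives both the outbound rewrite (private source to public address) and the inbound rewrite (public destination back to the private host), enforcing the consecutive-range requirement the note states. The private start address 192.168.1.10 is the one used in step 8; the public start 203.0.113.10 is a constructed documentation address, not a value from the page.

```python
"""One-to-One NAT mapping from the page's three settings.

Added example, not SonicWALL code. Private Range Begin 192.168.1.10 and
Range length 3 follow the page's steps; the public range 203.0.113.10 is
constructed from the documentation address block.
"""
import ipaddress


class OneToOneNat:
    """A consecutive private range mapped one-for-one onto a consecutive public range."""

    def __init__(self, private_begin, public_begin, length):
        if length < 1:
            raise ValueError("Range length must be at least 1")
        self.private_begin = ipaddress.ip_address(private_begin)
        self.public_begin = ipaddress.ip_address(public_begin)
        self.length = length

    def _index(self, begin, addr):
        """Offset of addr within the range starting at begin, or None if outside it."""
        offset = int(ipaddress.ip_address(addr)) - int(begin)
        return offset if 0 <= offset < self.length else None

    def to_public(self, private_addr):
        """Outbound: rewrite a mapped private source to its public address.

        None means the host is outside the mapped range and is not handled
        by this One-to-One mapping.
        """
        i = self._index(self.private_begin, private_addr)
        return str(self.public_begin + i) if i is not None else None

    def to_private(self, public_addr):
        """Inbound: rewrite a mapped public destination to the private host."""
        i = self._index(self.public_begin, public_addr)
        return str(self.private_begin + i) if i is not None else None

    def pairs(self):
        """The full (private, public) table, as an administrator would expect to see it."""
        return [(str(self.private_begin + i), str(self.public_begin + i))
                for i in range(self.length)]


def build_example():
    """The page's configuration: private range starting at 192.168.1.10, length 3."""
    return OneToOneNat("192.168.1.10", "203.0.113.10", 3)


if __name__ == "__main__":
    nat = build_example()
    for private, public in nat.pairs():
        print(f"{private:15} <-> {public}")
    print("inbound to 203.0.113.11 goes to", nat.to_private("203.0.113.11"))
```

The mapping alone does not admit traffic: step 8 still adds an Allow rule for the destination range, and a host outside the mapped range (to_public returns None) is never reachable from the Internet.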
The Ethernet Tab
The Ethernet tab allows the management of Ethernet settings using the SonicWALL Management interface. The tab has the following settings:
• WAN Link Settings
• DMZ Link Settings
• LAN Link Settings
The default selection for all of the link settings is Auto Negotiate because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection.

MTU Settings
A network administrator may set the MTU (Maximum Transmission Unit) allowed over a packet- or frame-based network such as TCP/IP. If the MTU size is too large, it may require more transmissions if the packet encounters a router unable to handle a larger packet. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be sent and processed.

10 DHCP Server

This chapter describes the configuration of the SonicWALL DHCP Server. The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server addresses to the computers on your LAN. To access the SonicWALL DHCP Setup window, click DHCP on the left side of the browser window. There are two tabs in the DHCP section:
• Setup
• Status

Setup
Disable DHCP Server is enabled by default in the SonicWALL.

Enable DHCP Server
To configure the SonicWALL DHCP server, complete the following instructions.
1. Select the Enable DHCP Server check box. Note: Make sure there are no other DHCP servers on the LAN before you enable the DHCP server.
2. Enter the maximum length of the DHCP lease in the Lease Time field. The Lease Time determines how often the DHCP Server renews IP leases. The default Lease Time is 60 minutes.

permanent IP settings. Enter the IP address assigned to your computer or server in the Static IP Address field.
9. Enter the Ethernet (MAC) address of your computer or server in the Ethernet Address field. Then click Update. When the SonicWALL has been updated, a message confirming the update is displayed at the bottom of your Web browser window. Continue this process until you have added all the desired static entries.

The scrolling window shows the details on the current bindings: IP and MAC address of the bindings, along with the type of binding (Dynamic, Dynamic BootP, or Static BootP). To delete a binding, which frees the IP address in the DHCP server, select the binding from the list, and then click Delete Binding. The operation takes a few seconds to complete.

11 SonicWALL VPN

SonicWALL VPN provides secure, encrypted communication to business partners and remote offices at a fraction of the cost of dedicated leased lines. Using the SonicWALL intuitive Web Management Interface, you can quickly create a VPN Security Association to a remote site.

VPN Applications
• Linking Two or More Networks Together - SonicWALL VPN is the perfect way for you to connect to your branch offices and business partners over the Internet. SonicWALL VPN offers an affordable, high-performance alternative to leased site-to-site lines. If NAT is enabled, SonicWALL VPN also provides access to remote devices that have been assigned private IP addresses.

The VPN Interface
Click VPN on the left side of the SonicWALL management station interface. There are four tabs in the VPN interface:
• Summary
• Configure
• RADIUS
• Certificates
The Summary tab has two sections: the Global IPSec Settings, and the Current IPSec Security Associations.

Global IPSec Settings
The Global IPSec Settings section displays the Unique Firewall Identifier which defaults to the serial number of the SonicWALL appliance.

SonicWALL VPN Client for Remote Access and Management
This section covers the configuration of SonicWALL VPN and the installation and configuration of the VPN client software. You can create a VPN client Security Association by using Manual Key Configuration, Group Configuration or Advanced Configuration. Group Configuration, Manual Key Configuration, and IKE Configuration (SonicWALL to SonicWALL) are described in this chapter.

The Configure Tab
The Configure tab contains the following sections:
• Add/Modify IPSec Security Associations
• Security Policy
• Advanced Settings
• VPN Client Configuration File Export (only Group VPN)

Add/Modify IPSec Security Associations
In this section, select the type of Security Association from the list. Choose either Group VPN (default) or Add New SA.

• Phase 1 Encryption/Authentication - You can also select an encryption method from the Encryption/Authentication menu for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select from one of four encryption methods:
- DES & MD5
- DES & SHA1
- 3DES & MD5
- 3DES & SHA1
These are listed in order from least secure to most secure. If network speed is preferred, then select DES & MD5.
• Outgoing SPI - Enter the Security Parameter Index (SPI) that the local SonicWALL transmits to identify the Security Association used for the VPN Tunnel. The SPI may be up to eight characters long and is comprised of hexadecimal characters. Valid hexadecimal characters are "0" to "9", and "a" to "f" inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f).

VPN Advanced Settings
All of the Advanced Settings for VPN connections are accessed by clicking Advanced Settings located on the Configure tab.

Enable Keep Alive
Selecting the Enable Keep Alive check box allows the VPN tunnel to remain active or maintain its current connection by listening for traffic on the network segment between the two connections. Interruption of the signal forces the tunnel to renegotiate the connection.

check box for each Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office.

Route all internet traffic through this SA
Selecting this box allows a network administrator to force all WAN-destined traffic to go through a VPN tunnel to a central site. Outgoing packets are checked against the remote network definitions for all Security Associations (SA).

Default LAN Gateway
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all internet traffic through this SA check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL.

Advanced Settings for VPN Configurations
The following table lists the available settings for each VPN configuration. The boxes checked are applicable to the given configuration mode.

Enabling Group VPN on the SonicWALL
Click VPN on the left side of the SonicWALL browser window, and then click the Configure tab. The SonicWALL VPN tab defaults to a Group VPN setting. This feature facilitates the set up and deployment of multiple VPN clients by the administrator of the SonicWALL appliance. Security settings can now be exported to the remote client and imported into the remote VPN client settings.

7. Select Encrypt and Authenticate (ESP DES HMAC MD5) from the Phase 2 Encryption/Authentication menu.
8. Type the Shared Secret in the Shared Secret text box or use the Shared Secret automatically generated by the SonicWALL. The Shared Secret should consist of a combination of letters and numbers rather than the name of a family member, pet, etc. It is also case-sensitive.
9. Click Advanced Settings to open the window.

Installing the VPN Client Software
1. When you register your SonicWALL or SonicWALL VPN Upgrade, a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed.
2. Unzip the SonicWALL VPN Client zip file.
3. Double-click setup.exe and follow the VPN client setup program step-by-step instructions. Enter the VPN client serial number when prompted.
4.

2. A file location box appears which allows searching for the location of the saved security file. Select the file, and click Open.
3. A dialogue box asking to import the security file appears. Click Yes, and another box appears confirming the file is successfully imported into the client. The client application now has an imported Group VPN policy.
4.

5. Click Pre-Shared Key to enter the Pre-Shared Secret created in the Group VPN settings in the SonicWALL appliance. Click OK.
6. Select None in the Select Certificate menu, and select Domain Name in the ID Type menu. Enter any word or phrase in the field below the ID Type menu. Do not leave this field blank.
7. Select the adapter used to access the Internet from the Internet Interface menu.

It is not necessary to configure the Security Policy as it is imported directly into the Client application. Exporting the security association to a file facilitates configuration of a large number of VPN clients, and you do not have to configure each client individually. You can distribute multiple copies of the configuration file via floppy disk.

6. Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length. Note: SPIs should range from 3 to 8 characters in length and include only hexadecimal characters. Valid hexadecimal characters are “0” to “9”, and “a” to “f” inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f).

Installing the VPN Client Software
1. When you register your SonicWALL or SonicWALL VPN Upgrade at , a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed. Note: SonicWALL PRO 300 lists an additional 50 serial numbers on the back of the SonicWALL VPN Client certificate.
2. Unzip the SonicWALL VPN Client zip file.
3. Double-click setup.

5. Select All in the Protocol menu to permit all IP traffic through the VPN tunnel.
6. Select the Connect using Secure Gateway Tunnel check box.
7. Select IP Address in the ID Type menu at the bottom of the Security Policy Editor window.
8. Enter the SonicWALL WAN IP Address in the field below the ID Type menu. Enter the NAT Public Address if NAT is enabled.

Configuring VPN Client Security Policy
1.

Configuring VPN Client Identity
1. Click My Identity in the Network Security Policy box on the left side of the Security Policy Editor window.
2. Select None in the Select Certificate menu on the right side of the Security Policy Editor window.
3. Select IP Address in the ID Type menu.
4. Select the adapter you use to access the Internet from the Internet Interface menu.

2. Select Unspecified in the SA Life menu.
3. Select None from the Compression menu.
4. Select the Encapsulation Protocol (ESP) check box.
5. Select DES from the Encryption Alg menu.
6. Select MD5 from the Hash Alg menu.
7. Select Tunnel from the Encapsulation menu.
8. Leave the Authentication Protocol (AH) check box unselected.

Configuring Inbound VPN Client Keys
1. Click Inbound Keys. The Inbound Keying Material box appears.
2.

3. Type the SonicWALL Incoming SPI in the Security Parameter Index field.
4. Select Binary in the Choose key format menu.
5. Enter the SonicWALL appliance 16-character Encryption Key in the ESP Encryption Key field.
6. Enter the SonicWALL appliance 32-character Authentication Key in the ESP Authentication Key field and then click OK.

VPN for Two SonicWALLs
VPN between two SonicWALLs allows users to securely access files and applications at remote locations. The first step to set up a VPN between two SonicWALLs is creating corresponding Security Associations (SAs). The instructions below describe how to create an SA using Manual Keying and Internet Key Exchange (IKE). These instructions are followed by an example illustrating a VPN tunnel between two SonicWALLs.

5. Define an SPI (Security Parameter Index) that the remote SonicWALL uses to identify the Security Association in the Incoming SPI field.
6. Define an SPI that the local SonicWALL uses to identify the Security Association in the Outgoing SPI field. Note: SPIs should range from 3 to 8 characters in length and include only hexadecimal characters.

Note: Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window. When a new SA is created, a 48-character key is automatically generated in the Encryption Key field. This can be used as a valid key for Triple DES.
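Validation of the SPI and manual-key fields described in this note and in the Incoming SPI, Outgoing SPI and VPN client key steps earlier, as an added example (not SonicWALL code). The lengths are the page's own: 3 to 8 hexadecimal characters for an SPI, 16 for a DES or ARCFour key (the page's example is 1234567890abcdef), 48 for the automatically generated Triple DES key, and 32 for the ESP authentication key typed into the client. The generate_key helper uses os.urandom as an assumed way to produce a random key; how the appliance generates its 48-character key is not described on the page.

```python
"""Field validation for manually keyed Security Associations.

Added example, not SonicWALL code. Length rules come from the page; the
os.urandom-based generator is an assumption standing in for the appliance's
own key generation, which the page does not describe.
"""
import os
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Key lengths in hexadecimal characters, as stated on the page.
KEY_LENGTHS = {
    "des": 16,       # DES or ARCFour encryption key
    "arcfour": 16,
    "3des": 48,      # the auto-generated Triple DES key
    "auth": 32,      # ESP authentication key entered in the VPN client
}


def is_valid_spi(spi):
    """An SPI is 3 to 8 hexadecimal characters."""
    return 3 <= len(spi) <= 8 and HEX_RE.match(spi) is not None


def is_valid_key(key, kind):
    """A key must be hexadecimal and exactly the length its kind requires."""
    return len(key) == KEY_LENGTHS[kind] and HEX_RE.match(key) is not None


def validate_manual_sa(incoming_spi, outgoing_spi, enc_key, enc_kind, auth_key=None):
    """Return the list of problems with the fields; empty means they are acceptable.

    This mirrors the check behind the page's 'incorrect encryption key' error
    message, with every rule reported rather than just the first one.
    """
    problems = []
    for name, spi in (("Incoming SPI", incoming_spi), ("Outgoing SPI", outgoing_spi)):
        if not is_valid_spi(spi):
            problems.append(f"{name} must be 3 to 8 hexadecimal characters")
    if not is_valid_key(enc_key, enc_kind):
        problems.append(
            f"{enc_kind} encryption key must be {KEY_LENGTHS[enc_kind]} hexadecimal characters"
        )
    if auth_key is not None and not is_valid_key(auth_key, "auth"):
        problems.append("authentication key must be 32 hexadecimal characters")
    return problems


def generate_key(kind):
    """Produce a random key of the required length (assumption: os.urandom)."""
    return os.urandom(KEY_LENGTHS[kind] // 2).hex()


if __name__ == "__main__":
    print("problems:", validate_manual_sa("1a2b", "3c4d", "1234567890abcdef", "des"))
    print("problems:", validate_manual_sa("12", "3c4d", "1234567890abcde", "des", auth_key="zz"))
    print("generated 3DES key:", generate_key("3des"))
```

Checking the fields on the configuring side catches the mismatch that otherwise only shows up as a tunnel that never comes up: the two SonicWALLs must hold the same keys with each side's Incoming SPI equal to the other side's Outgoing SPI, and a key that is one character short is rejected by the appliance rather than padded.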
integrated_manual.book Page 139 Friday, October 12, 2001 2:56 PM • Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in Standard mode. • Route all internet traffic through this SA - if forcing internet traffic from the WAN to use this SA to access a remote site. • Default LAN Gateway if specifying the IP address of the default LAN route for incoming IPSec packets for this SA.
integrated_manual.book Page 140 Friday, October 12, 2001 2:56 PM To configure the main office PRO 300, use the following steps: 1. Configure the network settings for the firewall using the Network tab located in the General section. 2. Click Update and restart the SonicWALL if necessary. 3. Click VPN, then the Configure tab. 4. Create a name for the main office SA, for example, Main Office. 5. Type in the branch office WAN IP address for the IPSec Gateway Address. 6.
integrated_manual.book Page 141 Friday, October 12, 2001 2:56 PM 7. Create an Outgoing SPI using alphanumeric characters. 8. Select Strong Encrypt (ESP 3DES) as the Encryption Method. 9. Enter the Encryption Key from the Main Office configuration. 10. Click Add New Network. Type the IP address, “192.168.11.1” in the Range Start field. Type the IP address, “192.168.11.255” in the Range End field. This Range End value is appropriate even if NetBIOS broadcast support is enabled.
IKE Configuration for Two SonicWALLs
An alternative to Manual Key configuration is Internet Key Exchange (IKE). IKE transparently negotiates encryption and authentication keys. The two SonicWALL appliances authenticate the IKE VPN session by matching preshared keys and IP addresses or Unique Firewall Identifiers. To create an IKE Security Association, click VPN on the left side of the browser window, and then click the Configure tab. 1.
5. Select Group 2 from the Phase 1 DH Group menu. 6. Define the length of time before an IKE Security Association automatically renegotiates in the SA Life Time (secs) field. The SA Life Time can range from 120 to 9,999,999 seconds. Note: A short SA Life Time increases security by forcing the two VPN gateways to renegotiate the encryption and authentication keys more frequently.
10. Click Add New Network... to define the destination network addresses. Clicking Add New Network... updates the VPN configuration and opens the VPN Destination Network window. 11. Enter the IP address of the remote network in the Network field. This address is a private address if the remote LAN has NAT enabled. 12. Enter the subnet mask of the remote network in the Subnet mask field. 13.
Example: Linking Two SonicWALLs using IKE
The following example illustrates the steps necessary to create an IKE VPN tunnel between a SonicWALL PRO 200 and a SonicWALL TELE3. A company wants to use VPN to link two offices together, one in Chicago and the other in San Francisco. To do this, the SonicWALL PRO 200 in Chicago and the SonicWALL TELE3 in San Francisco must have corresponding Security Associations.
9. Select a VPN encryption method from the Phase 2 Encryption/Authentication menu. Since data throughput and security are the primary concerns, select Encrypt and Authenticate (ESP DES HMAC SHA1). 10. Define a Shared Secret. Write down this key, as it is required when configuring the San Francisco Office SonicWALL TELE3. 11. Click Add New Network... to open the VPN Destination Network window and enter the destination network addresses. 12.
Configuring a SonicWALL TELE3 in San Francisco
1. Enter the SonicWALL TELE3 Unique Firewall Identifier in the VPN Summary window, in this example, "San Francisco Office." 2. Select -Add New SA- from the Security Association menu. 3. Select IKE using pre-shared secret from the IPSec Keying Mode menu. 4. Enter the SonicWALL PRO 200 Unique Firewall Identifier in the SonicWALL TELE3 Name field, in this example, "Chicago Office." 5.
• Route all internet traffic through this SA - select this if you are forcing internet traffic from the WAN to use this SA to access a remote site.
• Enable Perfect Forward Secrecy - select this if you want to add another layer of security by adding an additional Diffie-Hellman key exchange.
• Phase 2 DH Group - select the type of DH key exchange used in Phase 2 for Perfect Forward Secrecy.
Testing a VPN Tunnel Connection Using PING
To verify that your VPN tunnel is working properly, ping the IP address of a computer on the remote network. By pinging the remote network, you send data packets to the remote network, and the remote network replies that it has received the data packets. Your administrator supplies the remote IP address that you can use for testing.
Configuring Windows Networking
After you have successfully pinged the remote host and confirmed that your VPN tunnel is working, your administrator can ask you to configure your computer for Windows Networking. By configuring your computer for Windows® Networking, you are able to browse the remote network using Network Neighborhood.
4. Click the Identification tab, and enter the domain name provided by your administrator in the Workgroup text box. 5. Click TCP/IP or Dial-Up Adapter, and then Properties. Click the WINS Configuration tab, and select Enable WINS Resolution. Enter the WINS server IP address given to you by the administrator, and click Add. The WINS server address now appears in the text box below the address entry box. 6.
To access shared resources on remote computers, you must know the private IP address of the remote computer, and use the Find tool in the Start menu. Type the IP address into the Computer Named text box, and click Find Now. To access the computer remotely, double-click the computer icon in the box.
Adding, Modifying and Deleting Destination Networks
You can add, modify or delete destination networks.
RADIUS and XAUTH Authentication
An IKE Security Association can be configured to require RADIUS authentication before allowing VPN clients to access LAN resources. This authentication provides an additional layer of VPN security while simplifying and centralizing management. RADIUS authentication allows many VPN clients to share the same VPN configuration, but requires each client to authenticate with a unique user name and password.
Configuring the RADIUS Settings
Click VPN on the left side of the browser window, and then click the RADIUS tab. To configure RADIUS settings, complete the following instructions. 1. Click the RADIUS tab. 2. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the VPN connection is dropped.
An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network. 1. Enter the IP address or domain name of the secondary RADIUS server in the IP Address/name field. 2. Enter the UDP port number that the secondary RADIUS server listens on. The SteelBelted RADIUS server is set, by default, to listen on port 1645. 3.
SonicWALL Enhanced VPN Logging
If Network Debug is selected in the Log Settings tab panel, detailed logs are kept of the VPN negotiations with the SonicWALL appliance. Enhanced VPN Logging is useful for evaluating VPN connections when problems occur with the connections. To use the Enhanced VPN Logging feature, perform the following steps: 1. Click Log on the left side of the management interface. 2.
Disabling Security Associations
Administrators can choose to disable certain security associations and still allow access by remote VPN clients. The feature is useful if it is suspected that a remote VPN user connection has become unstable or insecure. It can also temporarily block access to the SonicWALL appliance if necessary. Disable the Security Association by checking the Disable this SA check box.
Basic VPN Terms and Concepts
• VPN Tunnel A VPN Tunnel is a term that describes a connection between two or more private nodes or LANs over a public network, typically the Internet. Encryption is often used to maintain the confidentiality of private data when traveling over the Internet.
• Internet Key Exchange (IKE) IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates Phase 1 Encryption/Authentication Keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates the keys that are used to pass IP traffic.
When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. The SonicWALL DES encryption algorithm uses a 56-bit key. The SonicWALL VPN DES Key must be exactly 16 characters long and consist of hexadecimal characters.
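A manual-key DES entry is 16 hexadecimal characters, that is 64 bits of which DES uses only 56 (the low bit of each byte is a parity bit). The checker below is an added example, not SonicWALL code: it validates the 16-hex-character format, extracts the 56 key bits, warns on non-odd parity bytes, and rejects the four well-known DES weak keys and all-identical-byte keys before an administrator types the key into both appliances. It assumes the appliance does not enforce parity itself, so parity is reported as a warning rather than an error.

```python
import re
from dataclasses import dataclass, field

# The four DES weak keys (well-known public values, listed here for the check):
# encrypting twice with any of them returns the plaintext.
DES_WEAK_KEYS = (
    "0101010101010101",
    "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1",
    "1f1f1f1f0e0e0e0e",
)

HEX16 = re.compile(r"^[0-9a-f]{16}$")


def strip_parity(raw: bytes) -> bytes:
    """Clear the low bit of every byte; DES ignores it, so 56 key bits remain."""
    return bytes(b & 0xFE for b in raw)


def has_odd_parity(b: int) -> bool:
    """DES keys are conventionally stored with odd parity in each byte."""
    return bin(b).count("1") % 2 == 1


@dataclass
class KeyCheck:
    valid: bool
    problems: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    key56_hex: str = ""  # key material with the 8 parity bits cleared


def check_des_key(key: str) -> KeyCheck:
    """Check a manual-key DES entry: 16 hex characters (64 bits, 56 effective)."""
    text = key.strip().lower()
    result = KeyCheck(valid=True)
    if not HEX16.match(text):
        result.valid = False
        result.problems.append(
            f"key must be exactly 16 hexadecimal characters, got {len(text)}")
        return result
    raw = bytes.fromhex(text)
    material = strip_parity(raw)
    result.key56_hex = material.hex()

    # Parity is informational (assumption: the appliance does not enforce it),
    # but a typo in a parity-adjusted key is easy to spot this way.
    bad = [i for i, b in enumerate(raw) if not has_odd_parity(b)]
    if bad:
        result.warnings.append(f"bytes {bad} do not have odd parity")

    # Weak keys are compared on the 56 key bits so parity typos cannot hide them.
    weak56 = {strip_parity(bytes.fromhex(w)) for w in DES_WEAK_KEYS}
    if material in weak56:
        result.valid = False
        result.problems.append("key is a DES weak key")
    elif len(set(material)) == 1:
        result.valid = False
        result.problems.append("all key bytes identical; choose a random key")
    return result


if __name__ == "__main__":
    # Constructed sample entries: a good key, a weak key, and a short key.
    for k in ("0123456789ABCDEF", "0101010101010101", "abc"):
        r = check_des_key(k)
        print(k, "OK" if r.valid else r.problems, r.warnings)
```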
12 SonicWALL Options and Upgrades
SonicWALL, Inc. offers a variety of options and upgrades to enhance the functionality of your SonicWALL Internet security appliance.
The SonicWALL PRO 200 and SonicWALL PRO 300 include a single VPN client for secure remote management. The SonicWALL PRO 300 includes an additional 50 VPN client licenses for remote access. Single, 10, 50 and 100 VPN client license packs can be purchased separately.
SonicWALL Network Anti-Virus
SonicWALL Network Anti-Virus offers a new approach to virus protection by delivering managed anti-virus protection over the Internet.
failure. This feature ensures a secure and reliable connection between your network and the Internet. The SonicWALL High Availability Upgrade is an optional upgrade. An upgrade license and a second SonicWALL PRO or SonicWALL PRO 300 must be purchased to enable the High Availability Upgrade. Detailed configuration instructions are included with the purchased upgrade.
SonicWALL ViewPoint includes everything you need to get up and running in one easy-to-install product, including a Web server, syslog server, database and reporting software. ViewPoint uses a Web-based interface and easily installs on any Windows NT or Windows 2000 computer on the network.
SonicWALL Per Incident Support
SonicWALL Per Incident Support offers fast, personal assistance for a single technical support issue.
13 Hardware Description
This chapter provides detailed illustrations and descriptions of the SonicWALL Internet Security Appliances' front and back panels by model. Refer to this chapter to learn where the LEDs, switches, and connectors are located. More information is provided in Appendix A, Technical Specifications.
• Alarm Lights up and flashes for 10 seconds when an event generates an alert. Alert events are defined in the Log Settings section in Chapter 5.
There are three Ethernet ports, one for each of the LAN, DMZ, and WAN ports:
• Link Lights up when a Twisted Pair connection is made to another Ethernet device (usually a hub) on the port.
firmware has become corrupt. Please go to Appendix E for instructions on erasing the SonicWALL firmware.
• Power Input Connects the SonicWALL to power input. The use of an Uninterruptible Power Supply (UPS) is strongly recommended to protect the SonicWALL against damage or loss of data due to electrical storms, power failures, or power surges.
• Power Switch Powers the SonicWALL on and off.
There are three Ethernet ports, one for each of the LAN, DMZ, and WAN ports:
• Link Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or directly connected to a computer. Note that the connected Ethernet device must support the standard Link Integrity test.
Connects to the external power supply that is provided with the SonicWALL PRO 100. The use of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL PRO 100 against damage or loss of data due to electrical storms, power failures, or power surges.
• Cooling Vents The SonicWALL PRO 100 is convection cooled; an internal fan is not necessary. Do not block the cooling vents.
There are two Ethernet ports, one each for the LAN and WAN ports, with the following LEDs:
• Link Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or directly connected to a computer. Note that the connected Ethernet device must support the standard Link Integrity test.
• Power Input Connects to the external power supply which is provided with the SonicWALL SOHO3 and the SonicWALL TELE3. The use of an Uninterruptible Power Supply (UPS) is recommended to protect against damage or loss of data due to electrical storms, power failures, or power surges.
• Cooling Vents The SonicWALL is convection cooled; an internal fan is not necessary.
14 Troubleshooting Guide
This chapter provides solutions for problems that you might encounter when using the SonicWALL. If you are unable to solve your problem, please visit the SonicWALL Tech Support Web site at . There, you will find resources to help you resolve most technical issues, as well as a means to contact one of the SonicWALL Technical Support engineers.
The Link LED is off.
• Make sure the users are attempting to log into the correct IP address. The correct address is the SonicWALL LAN IP Address, not the NAT Public Address, if NAT is enabled.
• Make sure that users are attempting to log in with a valid user name and password.
• Remember that passwords are case-sensitive; make sure the "Caps Lock" key is off.
SonicWALL Hardware and Performance
SonicWALL GX 6500
• Processor: 1GHz Intel Pentium III
• Firewall Performance: 1.67 Gbps
• RAM: 256MB
• Flash Memory: 16MB
• Interfaces: (3) 1000Base-T/1000Base-SX
• Console: (1) Serial Port
• Concurrent Connections: 500,000
• 3DES (168-bit): 285 Mbps
• Simultaneous VPN Tunnels: 10,000
• Dimensions: 19” x 19” x 5.25”
• Weight: 30 lbs.
Firewall                SOHO3, TELE3, & PRO 100   PRO 200    PRO 300    GX 2500    GX 6500
Firewall Throughput     75 Mbps                   200 Mbps   200 Mbps   200 Mbps   1.
Appendix B - Introduction to Networking
Overview
This appendix provides a non-technical overview of the network protocols supported by the SonicWALL and includes a discussion of Internet Protocol (IP) addressing. It can be helpful to review a book on TCP/IP for an overview of protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol).
Gateways
A gateway can be a computer that acts as a connector between a private internal network and another network such as the Internet. A gateway used as a firewall can transmit information from an internal network to the Internet. Also, gateways can examine incoming information and determine whether the information is allowed access to the network.
• POP3 - Post Office Protocol 3 (POP3) is used to receive e-mail messages and to store messages on a server, referred to as a POP server.
• ICMP - Internet Control Message Protocol (ICMP) reports errors and control messages on a TCP/IP network. PING uses the ICMP protocol to test whether a network device is available.
IP Addressing
To become part of an IP network, a network device must have an IP address.
Just as one would go to the phone company for a phone number, there are controlling bodies for IP addresses. The overall controlling body for IP addresses worldwide is InterNIC. Businesses or individuals can request one or many IP addresses from InterNIC. It's a good idea to estimate the network's future growth when requesting the class and number of IP addresses.
the interior interface. To the Internet, all of the traffic on the network appears to come from the same computer.
Nodes
A node is a device, such as a PC or a printer, on a network with an IP address. The feature chart shows how many node licenses for PCs or printers are included with a SonicWALL Internet Security appliance.
Appendix C - IP Port Numbers
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well Known Ports range from 0 through 1023. The Registered Ports range from 1024 through 49151. The Dynamic and/or Private Ports range from 49152 through 65535.
Appendix D - Configuring TCP/IP Settings
The following steps describe how to configure the Management Station TCP/IP settings in order to initially contact the SonicWALL. It is assumed that the Management Station can access the Internet through an existing connection. The SonicWALL is pre-configured with the IP address "192.168.168.168".
3. Enter "192.168.168.200" in the IP address field. 4. Click OK. Follow the SonicWALL Installation Wizard instructions to perform the initial setup of the SonicWALL. Refer to Chapter 2 for instructions on using the Wizard.
Appendix E - Erasing the Firmware
There can be instances when it is necessary to reset the SonicWALL to its factory clean state, if any of the following events happen to the appliance:
• The administrator password is forgotten
• The firmware has become corrupt, and you cannot contact the Management Interface
• The test light comes on and stays on for more than a few minutes.
4. Log back into the SonicWALL at the default IP address, "http://192.168.168.168". Make sure that the Management Station's IP address is in the same subnet as the SonicWALL, for example "192.168.168.200". 5. The SonicWALL Management Interface displays a message stating that the firmware has been erased. Click the Browse button to locate the SonicWALL firmware file on the Management Station hard drive.
Appendix F - Securing the SonicWALL
Mounting the SonicWALL PRO 200 and SonicWALL PRO 300
The SonicWALL PRO 200 and SonicWALL PRO 300 are designed to be mounted in a standard 19-inch rack mount cabinet. The following conditions are required for proper installation:
• Use the mounting hardware recommended by the rack manufacturer and ensure that the rack is adequate for the application.
Appendix G - Electromagnetic Compatibility
FCC Statement
This device generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, can cause harmful interference to radio communications.
Canadian Radio Frequency Emissions Statement
This Class A digital apparatus complies with Canadian ICES-003. This Class A digital apparatus complies in full with the Canadian standard NMB-003.
CISPR 22 (EN 55022) Class A Warning: This is a class A product. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures.
Index
A: Access 77; Activation Key 70; ActiveX 53; Add New Network... 130; Add Service 79; Alert Categories 51; Allow BootP clients to use range 109; Allow Fragmented Packets 82; Anti-Virus 162; ARCFour 160; Asymmetric vs.