COMPREHENSIVE INTERNET SECURITY ™ SonicWALL Internet Security Appliances ADMINISTRATOR’S GUIDE
Contents
Copyright Notice
About this Guide
SonicWALL Technical Support
Firmware Version
1 Introduction
Primary Interface
Failover Settings
Configuring a Modem Profile for Manual Dial-Up
Status
Modem Status
7 Logging and Alerts
View Log
SonicWALL Log Messages
Log Settings
Configure the following settings:
Ping
Packet Trace
Trace Route
10 Network Access Rules
Viewing Network Access Rules
11 Advanced Features
Proxy Relay
Web Proxy Forwarding
Configuring Web Proxy Relay
Bypass Proxy Servers Upon Proxy Failure
12 DHCP Server
Setup
Allow DHCP Pass Through in Standard Mode
Configuring the SonicWALL DHCP Server
Deleting Dynamic Ranges and Static Entries
Enable Perfect Forward Secrecy
Phase 2 DH Group
Default LAN Gateway
VPN Terminated at the LAN, DMZ, or LAN/DMZ
Advanced Settings for VPN Configurations
15 SonicWALL Options and Upgrades
SonicWALL VPN Client
SonicWALL Network Anti-Virus
Content Filter List Subscription
Vulnerability Scanning Service
Copyright Notice © 2002 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original.
About this Guide Thank you for purchasing the SonicWALL Internet Security appliance. The SonicWALL protects your PC from attacks and intrusions, filters objectionable Web sites, provides private VPN connections to business partners and remote offices, and offers a centrally-managed defense against software viruses. This manual covers the installation and configuration of the SonicWALL Internet Security appliance and its features.
Chapter 16, Hardware Descriptions - provides a description of the front and back of SonicWALL Internet security appliances, including LED lights and ports. Chapter 17, Troubleshooting Guide - shows solutions to commonly encountered problems. Appendix A, Technical Specifications - lists the SonicWALL specifications. Appendix B, SonicWALL Support Solutions - describes available support packages from SonicWALL.
1 Introduction Your SonicWALL Internet Security Appliance The SonicWALL Internet Security Appliance provides a complete security solution that protects your network from attacks, intrusions, and malicious tampering. In addition, the SonicWALL filters objectionable Web content and logs security threats. SonicWALL VPN provides secure, encrypted communications to business partners and branch offices. The SonicWALL Internet Security Appliance uses stateful packet inspection to ensure secure firewall filtering.
SonicWALL Internet Security Appliance Features Internet Security • ICSA-Certified Firewall After undergoing a rigorous suite of tests to expose security vulnerabilities, SonicWALL Internet security appliances have received Firewall Certification from ICSA, the internationally-accepted authority on network security. The SonicWALL uses stateful packet inspection, the most effective method of packet filtering, to protect your LAN from hackers and vandals on the Internet.
Content Filtering • SonicWALL Content Filtering You can use the SonicWALL Web content filtering to enforce your company's Internet access policies. The SonicWALL blocks specified categories, such as violence or nudity, using an optional Content Filter List. Users on your network can bypass the Content Filter List by authenticating with a unique user name and password.
Dynamic Host Configuration Protocol (DHCP) • DHCP Server The DHCP Server offers centralized management of TCP/IP client configurations, including IP addresses, gateway addresses, and DNS addresses. Upon startup, each network client receives its TCP/IP settings automatically from the SonicWALL DHCP Server. • DHCP Client The DHCP Client allows the SonicWALL to acquire TCP/IP settings (such as IP address, gateway address, DNS address) from your ISP.
2 Configuring the Network Mode on the SonicWALL The SonicWALL Internet security appliance supports the following common network configurations, each of which is covered in this chapter: Standard, NAT Enabled, NAT with PPPoE Client, NAT with DHCP Client, NAT with L2TP Client, and NAT with PPTP Client. Standard Mode Configuring the SonicWALL in Standard mode requires a static IP address from your ISP. In this mode, you must have separate static IP addresses for all computers on your network.
NAT with DHCP Client NAT with DHCP Client is a networking mode that allows you to obtain an IP address for a specific length of time from a DHCP server. The length of time is called a lease, which is renewed by the DHCP server typically after a few days. When the lease is ready to expire, the client contacts the server to renew the lease. This is a common network configuration for customers with cable or DSL modems. You are not assigned a specific IP address by your ISP.
Configuring the SonicWALL in NAT Enabled Mode This section describes configuring the SonicWALL appliance in NAT mode. Essentially, NAT translates the IP addresses of one network into addresses that are valid on a different network. The SonicWALL replaces the internal (LAN) source IP address on packets passing through it with a public address from its fixed pool (typically its own WAN IP address) and records the translation so that replies can be mapped back to the originating LAN host. Because hosts on the Internet see only the public address, the internal addressing is hidden and unsolicited inbound connections have no translation to match and are dropped. This complements, but does not replace, the stateful packet inspection and Network Access Rules that actually filter traffic.
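The translation behaviour described above, as an added example that is not SonicWALL code: a minimal stateful NAT table in Python. Outbound LAN packets have their private source address and port rewritten to the public WAN address and a fresh public port; an inbound packet is admitted only if it matches an existing translation and comes from the remote endpoint the LAN host actually talked to, and anything else from the WAN is dropped. The addresses, ports and the single-WAN-address pool are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addressing for the example: a private LAN behind one public WAN address.
WAN_IP = "203.0.113.10"      # assumed public address assigned by the ISP


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNat:
    """Port-based NAT: every LAN flow gets its own public port on the WAN address."""

    def __init__(self, wan_ip: str, first_public_port: int = 1024):
        self.wan_ip = wan_ip
        self.next_port = first_public_port
        # (proto, public port) -> (lan ip, lan port, remote ip, remote port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # reverse index so repeated packets of one flow reuse one public port
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the private source to the public address/port."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.flows.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port,
                                             pkt.dst_ip, pkt.dst_port)
            self.flows[flow] = port
        return Packet(self.wan_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: admit only packets that match an existing translation."""
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None            # unsolicited: nothing to translate to, dropped
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None            # a third party cannot ride an existing mapping
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo():
    """One web request from a LAN host, its reply, and an unsolicited probe."""
    nat = StatefulNat(WAN_IP)
    request = Packet("192.168.168.20", 40000, "198.51.100.5", 80)
    public = nat.outbound(request)                   # what the Internet sees
    reply = Packet("198.51.100.5", 80, WAN_IP, public.src_port)
    delivered = nat.inbound(reply)                   # mapped back to the LAN host
    probe = Packet("198.51.100.99", 4444, WAN_IP, 3389)
    dropped = nat.inbound(probe)                     # no translation: dropped
    return public, delivered, dropped


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The point to take from the example is that the protection NAT gives is a side effect of bookkeeping: only traffic that was initiated from the LAN has a table entry, so an inbound scan of the WAN address finds nothing to translate to. Port forwarding or a "one-to-one" rule deliberately adds such an entry, which is why published services still need Network Access Rules.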
Setting the Password 2. To set the password, enter a new password in the New Password and Confirm New Password fields. Alert It is very important to choose a password which cannot be easily guessed by others. This page also displays the Use SonicWALL Global Management System check box. SonicWALL Global Management System (SonicWALL GMS) is a Web browser-based security management system.
4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue. Connecting to the Internet The Connecting to the Internet screen lists the information required to complete the installation. You need instructions for obtaining an IP address automatically or IP addresses from your ISP. 5.
Confirming Network Address Translation (NAT) Mode If you select Assigned you a single static IP address in the Connecting to the Internet page, the Use Network Address Translation (NAT) page is displayed. The Use Network Address Translation (NAT) page verifies that the SonicWALL has a registered IP address. Selecting NAT Enabled Mode If you selected Assigned you two or more static IP Addresses, the Optional-Network Address Translation page is displayed. 7.
Configuring WAN Network Settings If you selected either NAT or Standard mode, the Getting to the Internet page is displayed. 8. Enter the IP address provided by your ISP in the SonicWALL WAN IP Address, WAN/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next to continue. Configuring LAN Network Settings 9. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask.
Configuration Summary 10. The Configuration Summary page displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet page. If the configuration is correct, click Next to proceed to the Congratulations page. Congratulations Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations page, is used to log in and manage the SonicWALL. 11. Click Restart to restart the SonicWALL.
Restarting Alert The final page provides important information to help configure the computers on the LAN. Click Print this Page to print the window information. 12. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard. Configuring NAT with PPPoE Client The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL.
Setting the Password Alert It is very important to choose a password which cannot be easily guessed by others. 1. To set the password, enter a new password in the New Password and Confirm New Password fields. This window also displays the Use SonicWALL Global Management System check box. 2. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue. Setting the Time and Date 3.
Connecting to the Internet The Connecting to the Internet page lists the information required to complete the installation. Tip Confirm that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages. 4. Click the hyperlinks for definitions of the networking terms. Click Next to continue. Selecting Your Internet Connection 5.
Setting the User Name and Password for PPPoE 6. If you selected Provided you with desktop software, a user name and password (PPPoE), the SonicWALL ISP Settings (PPPoE) page is displayed. 7. Enter the User Name and Password provided by your ISP into the User Name and Password fields. Configuring LAN Network Settings 8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask.
Configuring the SonicWALL DHCP Server 9. The Optional-SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select the Enable DHCP Server check box, and specify the range of IP addresses that are assigned to computers on the LAN. If the Enable DHCP Server check box is not selected, the DHCP Server is disabled. Click Next to continue. Configuration Summary 10.
Congratulations Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations page, is used to log in and manage the SonicWALL. 11. Click Restart to restart the SonicWALL. Restarting Alert The final window provides important information to help configure the computers on the LAN. 12. Click Print this Page to print the window information. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.
Configuring NAT with DHCP Client Accessing the Installation Wizard The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administrator password and configuring the settings necessary to access the Internet. Tip To bypass the Wizard, click Cancel. Then log into the SonicWALL Management Interface by entering the User Name "admin" and the Password "password". If you bypass the Wizard, change this default password immediately on the Administrator tab: the "admin"/"password" combination is published and will be tried by anyone who can reach the management interface.
Setting the Time and Date 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue. Connecting to the Internet The Connecting to the Internet page lists the information required to complete the installation. Tip Confirm that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages. 5.
Selecting Your Internet Connection 6. Select the option, Automatically assigns you a dynamic IP address (DHCP). 7. The Obtain an IP address automatically page is displayed. The Obtain an IP address automatically page states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm this, click Next.
Configuring LAN Network Settings 8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL work for most networks. If you do not use the default settings, enter the SonicWALL LAN settings and click Next to continue.
Configuration Summary 10. The Configuration Summary page displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next to proceed to the Congratulations page. Congratulations Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations window, is used to log in and manage the SonicWALL. 11. Click Restart to restart the SonicWALL.
Restarting Tip The final window provides important information to help configure the computers on the LAN. Click Print this Page to print this information. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard. Configuring NAT with L2TP Client This section describes configuring the SonicWALL in NAT with L2TP Client mode. You must have a single, static IP address to begin configuration. Follow the instructions below.
13. Enter the host name in the L2TP Host Name field. 14. Enter the server IP address in the L2TP Server IP Address field. 15. Enter your user name and password in the User Name and User Password fields. 16. Select Disconnect after ___ minutes of inactivity if you want to end an inactive connection. Enter the number of minutes of inactivity before the connection is dropped. The default value is 10 minutes. 17. The remaining L2TP settings are filled in automatically once a connection is made to the L2TP server. 18. Click Update.
Alert It is very important to choose a password which cannot be easily guessed by others. 1. To set the password, enter a new password in the New Password and Confirm New Password fields. 2. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue. Setting the Time and Date 3. Select the appropriate Time Zone from the Time Zone menu.
Connecting to the Internet The Connecting to the Internet page lists the information required to complete the installation. Tip Confirm that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages. 4. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet. Click the hyperlinks for definitions of the networking terms. Click Next to proceed to the next step.
Setting the User Name and Password for PPTP. 6. The SonicWALL ISP Settings (PPTP) page is displayed. Enter the server IP address in the Server IP field, and your user name and password in the User Name and Password fields. Configuring LAN Network Settings 7. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL.
Configuring the SonicWALL DHCP Server 8. The Optional-SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select the Enable DHCP Server check box, and specify the range of IP addresses that are assigned to computers on the LAN. If the Enable DHCP Server check box is not selected, the DHCP Server is disabled. Click Next to continue. Configuration Summary 9.
Congratulations Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations page, is used to log in and manage the SonicWALL. 10. Click Restart to restart the SonicWALL. Restarting Tip The final window provides important information to help configure the computers on the LAN. Click Print this Page to print this information. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.
Logging into the SonicWALL Management Interface Once the SonicWALL restarts, connect to the SonicWALL Management Interface at the new SonicWALL LAN IP address. Enter the User Name "admin" and the new administrator password to log into the SonicWALL. The Status page is displayed. The Status tab displays the following information: • SonicWALL Serial Number - the serial number of the SonicWALL unit.
Other SonicWALL general status information is displayed in this section relating to other features in the SonicWALL such as the type of network settings in use, log settings, content filter use, and if Stealth Mode is enabled on the SonicWALL.
3 Registering at mySonicWALL.com After you complete the initial installation and configuration of your SonicWALL, you should register your SonicWALL Internet Security Appliance at mySonicWALL.com. MySonicWALL.com delivers a convenient, centralized way to register all your SonicWALL Internet Security appliances and Security Services. It eliminates the need to individually register SonicWALL appliances and upgrades, streamlining the management of all your SonicWALL security services.
Account Information 3. All fields marked with an * are required. Be sure to fill out the form completely before submitting it to the user database. Create a User Name and password for your mySonicWALL account. Confirm the password by typing it in the Confirm Password field. For your convenience, you can record the information below. User Name:______________________ Password:__________________ Alert You must remember your user name and password until you have activated your account.
Personal Information 5. Complete the Personal Information section of the Registration form. Be sure to enter the correct e-mail address as the subscription code for your SonicWALL user account is e-mailed to you. The subscription code is necessary to activate your account. 6. Select your time zone from the Time Zone menu, and then select any or all of the following options: •Yes, I would like to be a Beta Tester. •No, I do not want to be contacted by SonicWALL via e-mail.
9. If all the information is correct, click OK. A confirmation message appears notifying you that your account must be activated within 72 hours of creating it. You also receive an e-mail with your subscription code in it. Write your subscription code below: Subscription code:_______________________________ Note: For security reasons, the subscriber name and part of the subscription code are masked. 10. Return to the mySonicWALL.
11. Enter the subscription code you received via e-mail into the Subscription Code field, and click Submit. 12. Your Account Management interface appears and you can now register SonicWALL Internet Security Appliances or Services. You can also delete or transfer appliances from your user account.
Problems Creating a mySonicWALL.com User Account? If you're having trouble creating a user account on the mySonicWALL.com Web site, be sure to check the following items in your browser: •Accept Cookies •Internet Explorer 5.0 or higher •Netscape 4.5 or higher •Allow JavaScript •Correct Password for mySonicWALL.com User Name and Password Functions If you forget your user name, you must send an e-mail message to Tech Support requesting your user name.
Quick Registration To quickly register a SonicWALL Internet Security Appliance, enter the serial number in the field under the Quick Register section, and click Go. The serial number automatically appears in the Serial Number field. You can then create a Friendly Name for the appliance. If you enter the incorrect serial number into the Serial Number field, a message stating that the appliance is previously registered may be returned. Write your SonicWALL serial number below.
Status and Options Click Status and Options underneath the login information to search for the status and options relating to a particular SonicWALL appliance. Enter the SonicWALL serial number to search for the related information. Information displayed includes • Serial Number • Product • Registration Code • Node Support Upgrade Key There is also a list of applicable services with their activation keys as well as expiration dates for subscriptions.
Managing Your SonicWALL You can rename your SonicWALL, transfer your SonicWALL, or delete your SonicWALL in this section of Services Management. Renaming Your SonicWALL You can rename your SonicWALL at any time in order to manage your SonicWALLs. To rename your SonicWALL, click Rename in the Manage Products section. Enter the new name in the Friendly Name field, and click Submit. After clicking Submit, a new page appears with the message that you have successfully renamed your SonicWALL.
Transferring a SonicWALL Product You can transfer a SonicWALL to another mySonicWALL.com user at any time. Transferring a SonicWALL is necessary if you sell the appliance to another user, or if you want to transfer it to another person in your company. For example, the sales manager for the East Coast has left, and you were managing the services for his SonicWALL. However, another manager may have an immediate need for the SonicWALL, and requests that you transfer the appliance to him.
Also, an e-mail message is sent to both the old and new user as a notification that the appliance was transferred. Tip You can only transfer a SonicWALL to another registered user of mySonicWALL.com. Delete Product You can also delete a SonicWALL from your mySonicWALL.com user account. Click on the Friendly Name for the appliance, and then click Delete. A confirmation message appears in the next window, and you have successfully deleted a SonicWALL from your user account.
Managing Services for SonicWALL Internet Security Appliances In the Applicable Services section of mySonicWALL.com, a list of installed and inactivated services for your SonicWALL is displayed. Activated services are indicated by the Installed icon with a green check mark. Inactive services are indicated by the Activate icon with a red arrow. Activated service names are also hyperlinked to an information page with Activation Status and the Expiration Date of the service.
Activating Services Using mySonicWALL.com To activate a service such as Content Filter, use the following steps: 1. Log into mySonicWALL.com using your username and password. Select the appliance to be upgraded with the Content Filter List subscription, and click the name. 2. Click Activate next to Content Filter. The following screen appears with an Activation Key field, and a Terms and Conditions message. 3.
4 Configuring the TELE3 SP Modem Connection To improve the operational availability of networks and ensure fast recovery from network failures, the SonicWALL has the capability of using a modem to dial a secondary network connection for the WAN. In the event that the WAN Ethernet connection is lost or failing, the modem dials an ISP using a preconfigured profile preventing a lengthy interruption in active network connectivity.
Configuring Modem Profiles You can configure modem profiles on the SonicWALL using your dial-up ISP information for the connection. Multiple modem profiles can be used when you have a different profile for individual ISPs. Click Profiles, and follow the instructions below to configure your Dial-up Configuration. Tip The SonicWALL supports a maximum of ten (10) configuration profiles. Dial-Up Configuration The current profile is displayed in the Current Profile field.
ISP Settings To configure your ISP settings, you must obtain your Internet information from your dial-up Internet Service Provider. Use the information to configure the following dial-up ISP Settings: 1. Enter the primary number used to dial your ISP in the Primary Phone Number field. Tip If a specific prefix is used to access an outside line, such as 9, &, or a pause character (,), enter the prefix as part of the primary phone number. 2.
•Manual Dial - Selecting Manual Dial for a Primary Profile means that WAN Failover does not automatically occur. Manual Dial requires you to log into the SonicWALL, click Modem, then Configure. Click Connect and the modem uses the Primary Profile information to dial an ISP. Alert If you are configuring two dial-up profiles for WAN failover, the modem behavior should be the same for each profile.
TELE3 SP Modem Configuration The Configure tab allows you to enable the modem to provide secondary dial-up ISP connection support and configure the modem settings. There are two sections available: Modem Settings and Failover Settings. Modem Settings The Modem Settings section lets you select from a list of modem profiles, select the volume of the modem, and also configure AT commands for modem initialization. To configure the SonicWALL modem settings, follow these steps: 1.
Primary Interface The SonicWALL TELE3 SP automatically detects if a WAN Ethernet connection exists when the SonicWALL is powered on. Because it can automatically detect the Ethernet connection, the Primary Interface is Ethernet. Failover Settings You can enable WAN failover for the SonicWALL by configuring settings in this section. Select Enable WAN Failover to use this feature on the SonicWALL. The Secondary Interface Setting defaults to Modem.
6. Enter a value for the number of successful probes required to reactivate the primary connection in the Successful Probes to Reactivate Primary field. The default value is five (5). By requiring a number of successful probes before the SonicWALL returns to its primary connection, you can prevent the SonicWALL from returning to the primary connection before the primary connection becomes stable. 7.
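The fail-over and fail-back decision described in the Failover Settings above, as an added example that is not SonicWALL code. The guide gives one concrete value, the default of five successful probes before the primary Ethernet connection is reactivated; the number of consecutive failed probes that triggers fail-over to the modem, and the probe sequence itself, are assumptions constructed for the example. What the code shows is why a run of successes is required before failing back: a link that is only intermittently up would otherwise make the SonicWALL flap between Ethernet and the modem.

```python
from typing import Iterable, List


class WanFailover:
    """Hysteresis-based selection between the primary and secondary WAN interface."""

    PRIMARY = "ethernet"
    SECONDARY = "modem"

    def __init__(self, failures_to_failover: int = 3,
                 successes_to_reactivate: int = 5):
        # failures_to_failover is an assumed value; successes_to_reactivate
        # mirrors the guide's default of five successful probes.
        self.failures_to_failover = failures_to_failover
        self.successes_to_reactivate = successes_to_reactivate
        self.active = self.PRIMARY
        self.consecutive_failures = 0
        self.consecutive_successes = 0

    def probe_result(self, primary_reachable: bool) -> str:
        """Feed one probe result for the primary link; return the active interface."""
        if primary_reachable:
            self.consecutive_successes += 1
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            self.consecutive_successes = 0

        if self.active == self.PRIMARY:
            # fail over only after a run of misses, not on a single lost probe
            if self.consecutive_failures >= self.failures_to_failover:
                self.active = self.SECONDARY
                self.consecutive_successes = 0
        else:
            # fail back only after the primary has proved stable
            if self.consecutive_successes >= self.successes_to_reactivate:
                self.active = self.PRIMARY
                self.consecutive_failures = 0
        return self.active


def run(probes: Iterable[bool], **settings) -> List[str]:
    """Return the active interface after each probe in the sequence."""
    failover = WanFailover(**settings)
    return [failover.probe_result(up) for up in probes]


def transitions(states: List[str]) -> int:
    """Count how many times the active interface changed."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed probe sequence: the link dies, recovers briefly, dies again, then stabilises.
FLAPPING_LINK = [True, False, False, False,          # three misses: fail over to modem
                 True, True, False,                  # two successes are not enough
                 True, True, True, True, True]       # five in a row: back to Ethernet


if __name__ == "__main__":
    for n in (1, 5):
        states = run(FLAPPING_LINK, successes_to_reactivate=n)
        print(f"successes_to_reactivate={n}: {transitions(states)} transitions")
```

With the default of five the sequence above produces two transitions (over to the modem and back once the link is stable); with the threshold set to one the same sequence flaps back to Ethernet during the brief recovery, which is exactly the behaviour the default is there to suppress.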
Location Settings 1. Select Manual Dial to have the modem dial only when you click Connect on the Configure page. 2. Enter the number of minutes the connection is allowed to be inactive in the Inactivity Timeout (minutes) field. The default value is five (5) minutes. 3. Select the connection speed from the Max Connection Speed (bps) menu. Auto is the default setting. 4. If you have call waiting on your telephone line, you should disable it or another call can interrupt your connection to your ISP.
Configuring Your TELE3 SP in Modem Only Mode Configuring the Network Settings Follow these steps to configure your TELE3 SP to use only the modem for Internet access: 1. When the Installation Wizard launches, follow the steps in your Quick Start Guide until the Set Your Password page appears. Enter and confirm your new password. Tip If you do not set a new password, the Installation Wizard relaunches when the SonicWALL is rebooted. 2. Continue with the Installation Wizard.
Status The Status tab displays dial-up connection information when the modem is active. Modem Status In the Modem Status section, the current active network information from your ISP is displayed when the modem is active: •WAN Gateway (Router) Address •WAN IP (NAT Public) Address •WAN Subnet Mask •DNS Server 1 •DNS Server 2 •DNS Server 3 •Current Active Dial-Up Profile (id) •Current Connection Speed If the modem is inactive, the Status page displays a list of possible reasons that your modem is inactive.
Chat Scripts Some legacy servers can require company-specific chat scripts for logging onto the dial-up servers. A chat script, like other types of scripts, automates the act of typing commands using a keyboard. It consists of commands and responses, made up of groups of expect-response pairs as well as additional control commands, used by the chat script interpreter on the TELE3 SP.
Custom Chat Scripts Custom chat scripts can be used when the ISP dial-up server does not use PAP or CHAP as an authentication protocol to control access. Instead, the ISP requires a user to log onto the dial-up server by prompting for a user name and password before establishing the PPP connection. For the most part, this type of server is part of the legacy systems rooted in the dumb terminal login architecture.
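An interpreter for the expect-response pairs described in the Chat Scripts and Custom Chat Scripts sections, as an added example that is not the TELE3 SP's own script engine. The script syntax here (alternating expect and send strings, a TIMEOUT control word, and '' for "expect nothing" or "send nothing") follows the common chat(8) convention and is an assumption about the format the SonicWALL accepts; the legacy dial-up server is simulated in the same block, and its prompts and the credentials are constructed for the example. The script logs in to a "login:"/"Password:" prompt sequence and then waits for the server to announce PPP, which is the situation the text describes for servers that do not use PAP or CHAP.

```python
import shlex
from typing import List, Tuple


class ScriptError(Exception):
    """Raised for a malformed chat script (an expect with no send)."""


def parse_chat(script: str) -> Tuple[List[Tuple[str, str]], int]:
    """Return ([(expect, send), ...], timeout_seconds) from a chat script."""
    tokens = shlex.split(script)         # handles '' and quoted strings with spaces
    pairs: List[Tuple[str, str]] = []
    timeout, i = 45, 0                   # 45 s is chat(8)'s default, assumed here
    while i < len(tokens):
        if tokens[i] == "TIMEOUT":       # control command, not an expect/send pair
            timeout = int(tokens[i + 1])
            i += 2
            continue
        if i + 1 >= len(tokens):
            raise ScriptError("dangling expect string %r" % tokens[i])
        pairs.append((tokens[i], tokens[i + 1]))
        i += 2
    return pairs, timeout


class LegacyLoginServer:
    """Simulated dumb-terminal login: prompts for name and password, then starts PPP."""

    def __init__(self, user: str, password: str):
        self.user, self.password = user, password
        self.buf = "login: "             # first thing the caller sees after CONNECT
        self.state = "user"
        self.got_user = ""
        self.ppp_started = False

    def read(self) -> str:
        """Drain whatever the server has sent since the last read."""
        out, self.buf = self.buf, ""
        return out

    def write(self, line: str) -> None:
        """Accept one line typed by the caller."""
        if self.state == "user":
            self.got_user, self.state = line, "pass"
            self.buf += "Password: "
        elif self.state == "pass":
            if (self.got_user, line) == (self.user, self.password):
                self.buf += "Starting PPP...\r\n"
                self.ppp_started, self.state = True, "ppp"
            else:
                self.buf += "Login incorrect\r\nlogin: "
                self.state = "user"


def run_chat(script: str, server: LegacyLoginServer, max_reads: int = 20) -> bool:
    """Drive the server with the script; True if the script reached PPP."""
    pairs, _timeout = parse_chat(script)
    seen = ""
    for expect, send in pairs:
        reads = 0
        while expect and expect not in seen:
            if reads >= max_reads:       # stand-in for the TIMEOUT expiring
                return False
            seen += server.read()
            reads += 1
        if expect:                       # consume up to and including the match
            seen = seen.split(expect, 1)[1]
        if send:
            server.write(send)
    return server.ppp_started


if __name__ == "__main__":
    ok = run_chat("TIMEOUT 30 ogin: alice word: s3cret PPP ''",
                  LegacyLoginServer("alice", "s3cret"))
    print("PPP negotiated" if ok else "chat script failed")
```

Matching on "ogin:" rather than "login:" is the usual defensive habit in these scripts, since the first character of a prompt is sometimes lost to line noise or a dropped CR; the example also shows that a wrong password is detected only by the script timing out while waiting for "PPP", which is the failure mode to expect when a profile's credentials are stale.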
5 Managing Your SonicWALL Internet Security Appliance This chapter contains a brief overview of SonicWALL management commands and functions. The commands and functions are accessed through the SonicWALL Web Management Interface. You can manage the SonicWALL from any computer connected to the LAN port of the SonicWALL using a Web browser. The computer used for management is referred to as the “Management Station". 1. Log into the SonicWALL using a Web Browser.
The first time you access the SonicWALL Management Interface using HTTPS, you may see the following information message: Click Yes to continue the login process. SSL is supported by Netscape 4.7 and higher, as well as Internet Explorer 5.5 and higher. HTTPS management supports the following versions of SSL: SSLv2, SSLv3, and TLSv1. The following encryption ciphers are supported: RC4-MD5, EXP-RC4-MD5, DES-CBC3-SHA, DES-CBC-SHA, RC4-SHA, EXP-RC2-CBC-MD5, NULL-SHA, and NULL-MD5. Note that the NULL-SHA and NULL-MD5 suites provide integrity only and no encryption, the EXP- suites use 40-bit export-grade keys, and SSLv2 has known protocol weaknesses; where the browser allows it, prefer TLSv1 with DES-CBC3-SHA so that the administrator password and management session are actually protected in transit.
Note: The Status window displays the unique characteristics of the SonicWALL Internet Security Appliance, such as the presence of VPN acceleration hardware or a different amount of memory. Your Status window will be different from the window displayed above, depending on your settings. The Status tab displays the following information:
• SonicWALL Serial Number - the serial number of the SonicWALL unit.
CLI Support and Remote Management Out-of-band management is available on SonicWALL Internet Security Appliances using the CLI (Command Line Interface) feature. SonicWALL Internet Security Appliances can be managed from a console using typed commands and a modem or null-modem cable that is connected to the serial port located on the back of the SonicWALL appliance. The only modem currently supported is the US Robotics v.90/v.92 modem.
6 General and Network Settings This chapter describes the tabs in the General section and the configuration of the SonicWALL Internet Security appliance Network Settings. The Network Settings include the SonicWALL IP settings, the administrator password, and the time and date. There are three tabs other than Status in the General section:
• Network
• Time
• Administrator
Network Settings To configure the SonicWALL Network Settings, click General, and then click the Network tab.
• NAT with L2TP Client mode uses IPSec to connect a L2TP server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations.
• NAT with PPTP Client mode uses Point to Point Tunneling Protocol (PPTP) to connect to a remote server. It supports older Microsoft implementations requiring tunneling connectivity.
LAN Settings
• SonicWALL LAN IP Address The SonicWALL LAN IP Address is the IP address assigned to the SonicWALL LAN port.
WAN Settings • WAN Gateway (Router) Address The WAN Gateway (Router) Address is the IP address of the WAN router or default gateway that connects your network to the Internet. If you use Cable or DSL, your WAN router is typically located at your ISP. If you use a router located at your site, use the IP address assigned to it. If you select NAT with DHCP Client or NAT with PPPoE mode, the WAN Gateway (Router) Address is assigned automatically.
Standard Configuration If your ISP provided you with enough IP addresses for all the computers and network devices on your LAN, enable Standard mode. To configure Standard addressing mode, complete the following instructions: 1. Select Standard from the Network Addressing Mode menu. Because NAT is disabled, you must assign valid IP addresses to all computers and network devices on your LAN. 2. Enter a unique, valid IP address from your LAN address range in the SonicWALL LAN IP Address field.
When NAT is enabled, users on the Internet cannot access machines on the LAN unless they have been designated as Public LAN Servers. To enable Network Address Translation (NAT), complete the following instructions. 1. Select NAT Enabled from the Network Addressing Mode menu in the Network window. 2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field.
• The SonicWALL WAN IP (NAT Public) Address is "10.1.1.25".
• The private SonicWALL LAN IP Address is "192.168.168.1".
• Computers on the LAN have private IP addresses ranging from "192.168.168.2" to "192.168.168.255".
In this example, "192.168.168.1", the SonicWALL LAN IP Address, is used as the gateway or router address for all computers on the LAN. NAT with DHCP Client Configuration The SonicWALL can receive an IP address from a DHCP server on the Internet.
When your SonicWALL has successfully received a DHCP lease, the Network window displays the SonicWALL WAN IP settings.
• The Lease Expires value shows when your DHCP lease expires.
• The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/LAN Subnet Mask, and DNS Servers are obtained from a DHCP server on the Internet.
Alert Enable and configure the SonicWALL DHCP server or manually configure client DNS settings to obtain DNS name resolution.
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN. Use the default value, "255.255.255.0", if there are fewer than 254 computers on your LAN. 4. Enter the user name provided by your ISP in the User Name field. The user name identifies the PPPoE client. 5. Enter the password provided by your ISP in the Password field. The password authenticates the PPPoE session. This field is case sensitive. 6.
NAT with L2TP Client Configuration The SonicWALL can use L2TP over Ethernet to connect to a L2TP server. To configure NAT with L2TP Client, complete the following instructions. 1. Select NAT with L2TP Client from the Network Addressing Mode menu. 2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL. 3.
9. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the L2TP connection after a specified period of inactivity. Define a maximum number of minutes of inactivity in the Minutes field. This value can range from 1 to 99 minutes. 10. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect.
NAT with PPTP Client Configuration The SonicWALL can use Point-to-Point Tunneling Protocol over Ethernet to connect to a PPTP server. This option supports older network implementations requiring tunneling support. To configure NAT with PPTP Client, complete the following instructions. 1. Select NAT with PPTP Client from the Network Addressing Mode menu. 2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field.
7. Enter the IP address of the PPTP server in the PPTP Server IP Address field. 8. Enter your user name and password in the User Name and User Password fields. 9. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the L2TP connection after a specified period of inactivity. Define a maximum number of minutes of inactivity in the Minutes field. This value can range from 1 to 99 minutes. 10. Click Update.
Setting the Time and Date The SonicWALL uses the time and date settings to time stamp log events, to automatically update the Content Filter List, and for other internal purposes. 1. Click the Time tab. 2. Select your time zone from the Time Zone menu. 3. Click Update to add the information to the SonicWALL. You can also enable automatic adjustments for daylight savings time, use universal time (UTC) rather than local time, and display the date in International format, with the day preceding the month.
Configuring the Administrator Settings The Password tab is now the Administrator tab. In this section, you can configure a new administrator name, an administrator password, inactivity timeout, and login failure handling. Administrator Name The Administrator Name can be changed from the default setting of admin to any word using alphanumeric characters up to 30 characters in length. To create a new administrator name, enter the new name in the Administrator Name field.
Setting the Administrator Inactivity Timeout The Administrator Inactivity Timeout setting allows you to configure the length of inactivity that can elapse before you are automatically logged out of the Web Management Interface. The SonicWALL is preconfigured to log out the administrator after 5 minutes of inactivity.
7 Logging and Alerts This chapter describes the SonicWALL Internet security appliance logging, alerting, and reporting features, which can be viewed in the Log section of the SonicWALL Web Management Interface. There are four tabs in the Log section:
• View Log
• Log Settings
• Reports
• ViewPoint (requires a purchased upgrade)
View Log The SonicWALL maintains an Event log which displays potential security threats.
SonicWALL Log Messages Each log entry contains the date and time of the event and a brief message describing the event. It is also possible to copy the log entries from the management interface and paste into a report. • TCP, UDP, or ICMP packets dropped When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address.
Log Settings Click Log on the left side of the browser window, and then click the Log Settings tab. Configure the following settings: 1. Mail Server - To e-mail log or alert messages, enter the name or IP address of your mail server in the Mail Server field. If this field is left blank, log and alert messages are not e-mailed. 2. Send Log To - Enter your full e-mail address (username@mydomain.com) in the Send log to field to receive the event log via e-mail.
5. Syslog Server - In addition to the standard event log, the SonicWALL can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data.
Log Categories You can define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug. • System Maintenance Logs general system activity, such as administrator log ins, automatic downloads of the Content Filter Lists, and system activations. • System Errors Logs problems with DNS, e-mail, and automatic downloads of the Content Filter List.
Alerts/SNMP Traps Alerts are events, such as attacks, which warrant immediate attention. When events generate alerts, messages are immediately sent to the e-mail address defined in the Send alerts to field. Attacks and System Errors are enabled by default; Blocked Web Sites is disabled.
• Attacks Log entries categorized as Attacks generate alert messages.
• System Errors Log entries categorized as System Errors generate alert messages.
The Reports window includes the following functions and commands: • Start Data Collection Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection. • Reset Data Click Reset to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL is restarted. • View Data Select the desired report from the Report to view menu.
SonicWALL ViewPoint SonicWALL ViewPoint is a software solution that creates dynamic, Web-based reports of network activity. ViewPoint generates both real-time and historical reports to provide a complete view of all activity through your SonicWALL Internet Security Appliance. With SonicWALL ViewPoint, you are able to monitor network access, enhance network security and anticipate future bandwidth needs. SonicWALL ViewPoint
• Displays bandwidth use by IP address and service.
8 Content Filtering and Blocking Internet content filtering allows you to create and enforce Internet access policies tailored to the needs of your organization. You can block harmful Web applications from entering your network, and select Web content categories to block or monitor, such as pornography or racial intolerance, from a pre-defined Content Filter List.
Configuring SonicWALL Content Filtering The Configure tab is common to the three types of Content Filtering. Click Filter on the left side of the browser window, and then click on the Configure tab. Select the type of Content Filter from the Content Filter Type menu. To enforce Content Filtering, select Apply Content Filter. Content filtering can be enforced on the LAN, the DMZ, or both. Select LAN, DMZ, or both. Both LAN and DMZ are selected by default.
Trusted Domains Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL using the Add Trusted Domain field. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.
Download Automatically every Selecting Download Automatically every allows you to configure a specific time to download your Content Filter List. Select a day of the week and a time (24-hour format), for example, Sun. at 22:00 hours. Or, you can click Download Now to immediately download your Content Filter List. Tip It is recommended to download the URL List at a time when access to the Internet is at a minimum as downloading the URL List disrupts connectivity to the Internet.
Customizing the Content Filtering List The Customize tab allows you to customize your URL List by manually entering domain names or keywords to be blocked or allowed. Custom Filter You can customize your URL list to include Allowed Domains, Forbidden Domains, and Keywords. By customizing your URL list, you can include specific domains to be allowed (accessed), forbidden (blocked), and include specific keywords to be used to block sites.
Tip Customized domains do not have to be re-entered when the Content Filter List is updated each week and do not require a URL list subscription. • Enable Allowed/Forbidden Domains To deactivate Custom Filter customization, clear the Enable Allowed/Forbidden Domains, and click Update. This option allows you to enable and disable customization without removing and re-entering custom domains.
Consent The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy window before Web browsing is allowed. Click Filter on the left side of the browser window, and then click the Consent tab.
• “Consent Accepted” URL (Filtering Off) When a user accepts the terms outlined in the Consent page and chooses to access the Internet without the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the “Consent Accepted” (Filtering Off) field. This page must reside on a Web server and be accessible as a URL by users on the LAN.
Configuring N2H2 Internet Filtering N2H2 is a third party Internet filtering package that allows you to use Internet content filtering through the SonicWALL. When you select N2H2 as your Content Filter List, the N2H2 tab is available. Restrict Web Features Select any of the following applications to block: Block: • ActiveX ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security.
warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates. Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.
N2H2 Server Status This section displays the status of the N2H2 Internet Filtering Protocol (IFP) server you are using for Internet filtering. Settings Server Host Name or IP Address Enter the Server Host Name or the IP address of the N2H2 Internet Filtering Protocol (IFP) server used to receive IFP requests. Listen Port Enter the UDP port number for the N2H2 Internet Filtering Protocol (IFP) server to “listen” for the N2H2 traffic. The default port is 4005.
Configuring the Websense Enterprise Content Filter Websense is a third party software package that allows you to use Internet content filtering through the SonicWALL. Select Websense Enterprise from the Content Filter Type menu. Customization of the Content Filter List is not available if you select Websense as your source for content filtering. Restrict Web Features Select any of the following applications to block: Block: • ActiveX ActiveX is a programming language that embeds scripts in Web pages.
• Known Fraudulent Certificates Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates.
Configuring the Websense Content Filter List Configure the Websense Enterprise settings on this page. Websense Server Status This section displays the status of the Websense Enterprise server used for content filtering. Settings Server Host Name or IP Address Enter the Server Host Name or the IP address of the Websense Enterprise server used for the Content Filter List. Server Port Enter the UDP port number for the SonicWALL to “listen” for the Websense Enterprise traffic.
If Server is unavailable for 5 secs: If the Websense Enterprise server becomes unavailable, select from the following two options:
• Block traffic to all Web sites
• Allow traffic to all Web sites
URL Cache Configure the size of the URL Cache in KB.
9 Web Management Tools This chapter describes the SonicWALL Management Tools, available in the Tools section of the SonicWALL Web Management Interface. The Web Management Tools section allows you to restart the SonicWALL, import and export configuration settings, update the SonicWALL firmware, and perform several diagnostic tests.
Preferences Click Tools on the left side of the browser window, and then click the Preferences tab. You can save the SonicWALL settings, and then retrieve them later for backup purposes. SonicWALL recommends saving the SonicWALL settings when upgrading the firmware. The Preferences window also provides options to restore the SonicWALL factory default settings and launch the SonicWALL Installation Wizard. These functions are described in detail in the following pages.
Importing the Settings File After exporting a settings file, you can import it back to the SonicWALL. 1. Click Import in the Preferences tab. 2. Click Browse to locate a settings file which was saved using Export. 3. Select the file, and click Import. 4. Restart the SonicWALL for the settings to take effect. Alert The Web browser used to Import Settings must support HTTP uploads. Microsoft Internet Explorer 5.0 and higher, as well as Netscape Navigator 4.0 and higher, are recommended.
Alert The SonicWALL LAN IP Address, LAN Subnet Mask, and the Administrator Password are not reset. Updating Firmware The SonicWALL has flash memory and can be easily upgraded with new firmware. Current firmware can be downloaded from the SonicWALL, Inc. Web site directly into the SonicWALL. Alert Firmware updates are only available to registered users. You can register your SonicWALL online at . Click Tools on the left side of the browser window, and then click the Firmware tab.
The Firmware Update Wizard simplifies and automates the upgrade process. Follow the instructions in the Firmware Update Wizard to update the firmware. Updating Firmware Manually You can also upload firmware from the local hard drive. Click Upload Firmware. Alert The Web browser used to upload firmware must support HTTP uploads. Microsoft Internet Explorer 5.0 and higher as well as Netscape Navigator 4.0 and higher are recommended. When firmware is uploaded, the SonicWALL settings can be erased.
Upgrade Features SonicWALL Internet Security Appliances can be upgraded to support new or optional features. Chapter 15, SonicWALL Options and Upgrades, provides a summary of the SonicWALL firmware upgrades, subscription services, and support offerings. You can contact SonicWALL or your local reseller for more information about SonicWALL options and upgrades. You can also purchase upgrades by registering your SonicWALL at , and using the Buy Now option. Web:http://www.sonicwall.
Diagnostic Tools The SonicWALL has several built-in tools which help troubleshoot network problems. Click Tools on the left side of the browser window and then click the Diagnostic tab. DNS Name Lookup The SonicWALL has a DNS lookup tool that returns the numerical IP address of a domain name or, if you enter an IP address, returns the domain name. 1. Select DNS Name Lookup from the Choose a diagnostic tool menu. 2. Enter the host name to look up in the Look up the name field and click Go.
Find Network Path The Find Network Path tool shows whether an IP host is located on the LAN or the WAN. This is helpful in determining if the SonicWALL is properly configured. For example, if the SonicWALL “thinks” that a computer on the Internet is located on the LAN, then the SonicWALL Network or Intranet settings can be misconfigured. Find Network Path shows if the target device is behind a router, and the Ethernet address of the target device.
Ping The Ping test bounces a packet off a machine on the Internet and returns it to the sender. This test shows if the SonicWALL is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server, or another machine at the ISP location. If this test is successful, try pinging devices outside the ISP. This shows if the problem lies with the ISP connection. 1. Select Ping from the Choose a diagnostic tool menu. 2.
Packet Trace The Packet Trace tool tracks the status of a communications stream as it moves from source to destination. This is a useful tool to determine if a communications stream is being stopped at the SonicWALL, or is lost on the Internet. To interpret this tool, it is necessary to understand the three-way handshake that occurs for every TCP connection. The following displays a typical three-way handshake initiated by a host on the SonicWALL LAN to a remote host on the WAN. 1.
1. Select Packet Trace from the Choose a diagnostic tool menu. Tip Packet Trace requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host. 2. Enter the IP address of the remote host in the Trace on IP address field, and click Start. You must enter an IP address in the Trace on IP address field; do not enter a host name, such as “www.yahoo.com”. 3. Contact the remote host using an IP application such as Web, FTP, or Telnet. 4.
Generating a Tech Support Report 1. Select Tech Support Report from the Choose a diagnostic tool menu. 2. Select the Report Options to be included with your e-mail. 3. Click Save Report to save the file to your system. When you click Save Report, a warning message is displayed. 4. Click OK to save the file. Attach the report to your Tech Support Request e-mail.
Trace Route Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on the Internet. By using Internet Control Message Protocol (ICMP) echo packets similar to Ping packets, Trace Route can test interconnectivity with routers and other hosts that are farther and farther along the network path until the connection fails or until the remote host responds. Enter the IP address or domain name of the destination host. For example, enter yahoo.com and click Go.
10 Network Access Rules Network Access Rules are management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL. By default, the SonicWALL’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet.
Services Click Access on the left side of the browser window, and then click the Services tab. Note: The LAN In column is not displayed if NAT is enabled. The Services window allows you to customize Network Access Rules by service. Services displayed in the Services window relate to the rules in the Rules window, so any changes on the Services window appear in the Rules window. The Default rule, at the bottom of the table, encompasses all Services.
Public LAN Server A Public LAN Server is a LAN server designated to receive inbound traffic for a specific service, such as Web or e-mail. You can define a Public LAN Server by entering the server's IP address in the Public LAN Server field for the appropriate service. If you do not have a Public LAN Server for a service, enter "0.0.0.0" in the field. Windows Networking (NetBIOS) Broadcast Pass Through Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets.
Add Service To add a service not listed in the Services window, click Access on the left side of the browser window, and then click the Add Service tab. The list on the right side of the window displays the services that are currently defined. These services also appear in the Services window. Two numbers appear in brackets next to each service. The first number indicates the service's IP port number. The second number indicates the IP protocol type (6 for TCP, 17 for UDP, or 1 for ICMP).
4. Select the IP protocol type, TCP, UDP or ICMP, from the Protocol list. 5. Click Add. The new service appears in the list on the right side of the browser window. Tip If multiple entries with the same name are created, they are grouped together as a single service and cannot function as expected. Enable Logging You can enable and disable logging of events in the SonicWALL Event Log. For example, if Linux authentication messages are filling up your log, you can disable logging of Linux authentication. 1.
Maximum Number of Rules by Product

Product                                  Maximum Rules   Rules Available for Bandwidth Management
GX Series                                300             100
PRO 300, PRO 330                         200             100
PRO 100, PRO 200, PRO 230                100             50
TELE3, SOHO3                             100             50
TELE2, SOHO2, XPRS2, XPRS, PRO, PRO-Vx   100             20

To create custom Network Access Rules, click Access on the left side of the browser window, and then click the Rules tab.
Network Access Rule Logic List It is important to fully consider the logic behind the new rule before it is added to the list. Use the following guidelines to help you evaluate the impact of a rule before adding it to the list: 1. State the intent of the rule. For example, “This rule restricts all IRC access from the LAN to the Internet.” 2. Is the intent of the rule to allow or deny traffic? 3. What is the direction of the traffic? From the LAN to the WAN, or from the WAN to the LAN? 4.
Add A New Rule 1. Click Add New Rule... in the Rules window to open the Add Rule window. 2. Select Allow or Deny in the Action list depending upon whether the rule is intended to permit or block IP traffic. 3. Select the name of the service affected by the Rule from the Service list. If the service is not listed, you must define the service in the Add Service window. The Default service encompasses all IP services. 4.
9. Do not select the Allow Fragmented Packets check box. Large IP packets are often divided into fragments before they are routed over the Internet and then reassembled at a destination host. Because hackers exploit IP fragmentation in Denial of Service attacks, the SonicWALL blocks fragmented packets by default. You can override the default configuration to allow fragmented packets over PPTP or IPSec. 10. Enable Bandwidth Management, and enter the Guaranteed Bandwidth in Kbps. 11.
9. If you want the Rule to have guaranteed bandwidth, select Enable Outbound Bandwidth Management, and enter values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority. 10. Click Update to add the rule to the SonicWALL. Tip The source part (WAN or LAN) can be limited to certain parts of the Internet using a range of IP addresses on the WAN or LAN.
7. Since the intent is to allow a ping only to the SonicWALL, enter the SonicWALL LAN IP Address in the Destination Addr Range Begin field. 8. Select Always from the Apply this rule menu to ensure continuous enforcement. 9. Click Update to add your new Rule. Current Network Access Rules Table All Network Access Rules are listed in the Current Network Access Rules table in the Rules window. The rules are listed from most to least specific.
Understanding the Access Rule Hierarchy The rule hierarchy has two basic concepts: 1. Specific rules override general rules: An individual service is more specific than the Default service. A single Ethernet link, such as LAN or WAN, is more specific than * (all). A single IP address is more specific than an IP address range. 2. Equally specific Deny rules override Allow rules.
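The hierarchy above, together with the [port, protocol] service notation from the Add Service window, as an added example that is not SonicWALL code: it models how rules sort from most to least specific and which rule decides a packet. The protocol numbers (6 TCP, 17 UDP, 1 ICMP) are the guide's; the IRC port, the addresses and the rule set are constructed.

```python
"""Model of the Network Access Rule hierarchy described in the guide.
Added example, not SonicWALL code; IRC port and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1   # IP protocol numbers as quoted by the guide


@dataclass(frozen=True)
class Service:
    name: str
    port: int    # first bracketed number in the Services window (0 = n/a)
    proto: int   # second bracketed number: 6 TCP, 17 UDP, 1 ICMP; 0 = any


DEFAULT = Service("Default", 0, 0)     # encompasses all IP services
IRC = Service("IRC", 6667, TCP)        # port assumed, not from the guide
PING = Service("Ping", 0, ICMP)


@dataclass(frozen=True)
class Rule:
    action: str           # "Allow" or "Deny"
    service: Service
    source: str           # "LAN", "WAN" or "*" (all)
    destination: str
    src_range: Optional[ipaddress.IPv4Network] = None   # None = any address
    dst_range: Optional[ipaddress.IPv4Network] = None


@dataclass(frozen=True)
class Packet:
    proto: int
    dport: int
    src_link: str
    dst_link: str
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address


def _addr_specificity(net):
    """2 = single IP, 1 = address range, 0 = no address restriction."""
    if net is None:
        return 0
    return 2 if net.num_addresses == 1 else 1


def specificity(rule):
    """Sort key: a named service beats Default, a single link beats *, a
    single IP beats a range; the last element puts Deny before Allow."""
    return (rule.service is not DEFAULT,
            rule.source != "*",
            rule.destination != "*",
            _addr_specificity(rule.src_range),
            _addr_specificity(rule.dst_range),
            rule.action == "Deny")


def matches(rule, pkt):
    svc = rule.service
    if svc is not DEFAULT:
        if svc.proto != pkt.proto:
            return False
        if svc.proto != ICMP and svc.port != pkt.dport:   # ICMP has no port
            return False
    if rule.source not in ("*", pkt.src_link):
        return False
    if rule.destination not in ("*", pkt.dst_link):
        return False
    if rule.src_range is not None and pkt.src_ip not in rule.src_range:
        return False
    return rule.dst_range is None or pkt.dst_ip in rule.dst_range


def order_rules(rules):
    """Rules in the order the Current Network Access Rules table lists them."""
    return sorted(rules, key=specificity, reverse=True)


def evaluate(rules, pkt):
    """The first rule in hierarchy order that matches decides the packet."""
    for rule in order_rules(rules):
        if matches(rule, pkt):
            return rule.action
    return "Deny"        # nothing matched: drop, as for unsolicited WAN traffic


def sample_rules():
    """Constructed set: the two stateful-inspection defaults, the guide's
    'no IRC from the LAN' example and its 'ping only the SonicWALL' example
    (LAN IP 192.168.168.1 as in the guide's NAT example)."""
    gw = ipaddress.ip_network("192.168.168.1/32")
    return [Rule("Allow", DEFAULT, "LAN", "WAN"),
            Rule("Deny", DEFAULT, "WAN", "LAN"),
            Rule("Deny", IRC, "LAN", "WAN"),
            Rule("Deny", PING, "LAN", "*"),
            Rule("Allow", PING, "LAN", "*", dst_range=gw)]


def pkt(proto, dport, src_link, dst_link, src, dst):
    """Convenience constructor for a packet from string addresses."""
    return Packet(proto, dport, src_link, dst_link,
                  ipaddress.ip_address(src), ipaddress.ip_address(dst))
```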
Users Extensive features are available on the Users tab in the Access section of the Management interface. User level access can be configured for authentication and access to the network. Authentication can be performed using a local user database, RADIUS, or a combination of the two applications. For instructions on configuring individual users on RADIUS servers, see Appendix I.
Users • Use RADIUS - Select Use RADIUS if you have configured RADIUS to authenticate users accessing the network through the SonicWALL. If you have more than 100 users requiring authentication, you must use a RADIUS server. If you select Use RADIUS, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS.
Current Users A list of all current users is displayed in a table at the bottom of the page. The Current Users table lists the User Name, the IP Address of the user, the Session Time, Time Remaining of the session, and the Inactivity Remaining time. Users Currently Locked Out After Login Failures A list of current users locked after failing to log into the SonicWALL correctly is displayed in this section. The table lists the User Name Tried, the IP Address, Lockout Time Remaining, and an Unlock icon.
User Login When a user other than the administrator logs into the SonicWALL Management interface, a page is displayed with the user’s privileges listed. The user can set the maximum time for a login session, but it cannot be longer than the session time set by the administrator. The connection closes when the user exceeds the inactivity time-out period or the maximum session time is exceeded. If the connection is closed, the user must re-authenticate to regain their access through the SonicWALL.
RADIUS RADIUS can provide control over user access and VPN access. RADIUS configuration is located in the Access window. To configure RADIUS settings, complete the following instructions. Click the RADIUS tab. 1. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped.
RADIUS Users You can select the default privileges for all RADIUS users in this section.
• Remote Access - Enable this check box if the user accesses the SonicWALL from a remote computer. This option is only available in Standard mode.
• Bypass Filters - Enable Bypass Filters if the user can bypass Content Filter settings.
• Access to VPNs - Enable the check box if the user can send information over VPN Security Associations.
Management SonicWALL SNMP Support SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL Internet security appliances and receive notification of any critical events as they occur on the network. SonicWALL Internet security appliances support SNMP v1/v2c and all relevant Management Information Base II (MIB-II) groups except egp and at.
5. Create a name for a group or community of administrators who can view SNMP data, and enter it in the Get Community Name field. 6. Create a name for a group or community of administrators who can view SNMP traps, and enter it in the Trap Community Name field. 7. Enter the IP address or hostname of the SNMP management system receiving the SNMP traps in the Host 1 through 4 fields. Up to 4 addresses or hostnames can be specified. Note that SNMP v1 and v2c send the community name in cleartext and use it as the only credential: do not use the defaults (public, private), treat the names as passwords, and use Network Access Rules to restrict SNMP (UDP port 161) on the appliance to the management hosts listed here.
To enable secure remote management, click Access on the left side of the browser window, and click the Management tab. Then select Enable Management Using VPN Client to enable secure remote management using Manual Key. When remote management is enabled, a Management SA is automatically generated. The Management SA uses Manual Keying to set up a VPN tunnel between the SonicWALL and the VPN client. Because the Management SA is manually keyed, its keys are never renegotiated: distribute them out of band, and change them whenever someone who held them no longer needs management access.
11 Advanced Features This chapter describes the SonicWALL Advanced Features, such as Web Proxy Forwarding, DMZ Address settings, and One-to-One NAT. The Advanced Features can be accessed in the Advanced section of the SonicWALL Web Management Interface.
Configuring Web Proxy Relay 1. Connect your Web proxy server to a hub, and connect the hub to the SonicWALL WAN port. Alert The proxy server must be located on the WAN or the DMZ; it cannot be located on the LAN. 2. Log into the SonicWALL Web Management Interface. Click Advanced at the left side of the browser window, and then click the Proxy Relay tab at the top of the window. 3.
Intranet The SonicWALL can be configured as an Intranet firewall to prevent network users from accessing sensitive servers. By default, users on your LAN can access the Internet router, but not devices connected to the WAN port of the SonicWALL. To enable access to the area between the SonicWALL WAN port and the Internet, you must configure the Intranet settings on the SonicWALL. Creating an Intranet firewall is achieved by connecting the SonicWALL between an unprotected and a protected segment.
Intranet Configuration Click Advanced on the left side of the browser window, and then click the Intranet tab. To enable an Intranet firewall, you must specify which machines are located on the LAN, or you must specify which machines are located on the WAN. It is best to select the network area with the least number of machines. For example, if only one or two machines are connected to the WAN, select Specified address ranges are attached to the WAN link.
VPN Single-Armed Mode (stand-alone VPN gateway) Note: This feature is available only on the PRO 100, 200, 300, 230, 330, and GX series. VPN Single-Armed Mode allows you to deploy a SonicWALL with only its WAN port in use, as a VPN tunnel termination point. Clear text traffic is routed to that single interface and the data is encapsulated and sent to the appropriate IPSec gateway. An example of a deployment is to place the SonicWALL between the existing firewall and the router connected to the Internet.
Configuring a SonicWALL for VPN Single Armed Mode You can use the following example information to configure the IP addresses on a SonicWALL for VPN Single Armed Mode:
Remote SonicWALL: WAN IP Address 66.120.118.11, Subnet Mask 255.255.255.0; LAN IP Address 192.168.1.1, Subnet Mask 255.255.255.0
Corporate SonicWALL: WAN IP Address 66.120.118.25, Subnet Mask 255.255.255.0; LAN IP Address 192.168.3.1, Subnet Mask 255.255.255.0
VPN Single Armed Mode SonicWALL: WAN IP Address: 66.120.118.
Routes If you have routers on your Local Area Network (LAN), Demilitarized Zone (DMZ), or Wide Area Network (WAN), you can configure Static Routes on the SonicWALL. Tip On the TELE3 TZ and TELE3 TZX, the LAN is labeled WorkPort and the DMZ is labeled HomePort. Click Advanced on the left side of the browser window, and then click the Routes tab. Static routes must be defined if the LAN, DMZ, or WAN are segmented into subnets, either for size or practical considerations.
LAN Route Advertisement Note: This feature is only available on the PRO 100, PRO 200, PRO 230, PRO 300, and PRO 330. The SonicWALL uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 or RIPv2 based on your router's capabilities or configuration. RIPv1 has no authentication, and this guide describes none for RIPv2, so enable advertisement only on segments where every listening device is trusted.
• Change Damp Time (seconds) field. The default value is 30 seconds. A lower value corresponds with a higher volume of broadcast traffic over the network.
• Deleted Route Advertisements - enter the number of advertisements that a deleted route broadcasts until it stops in the Deleted Route Advertisements field. The default value is 5.
• Route Metric (1-15) - Enter a value from 1 to 15 in the Route Metric field.
Click Advanced on the left side of the browser window, and then click DMZ Addresses. Servers on the DMZ must have unique, valid IP addresses in the same subnet as the SonicWALL WAN IP Address. Your ISP should be able to provide these IP addresses, as well as information on setting up public servers. DMZ in Standard Mode To configure DMZ Addresses, complete the following instructions. 1. Enter the starting IP address of your valid IP address range in the From Address field. 2.
3. If you choose to use DMZ NAT Many to One Public Address (Optional), enter the DMZ public IP address which is on the same subnet as the WAN for access to devices on the DMZ interface. DMZ NAT Many to One Public Address is only available if your SonicWALL is configured in NAT Enabled networking mode. Delete a DMZ Address Range To delete an address or range, select it in the Address Range list and click Delete.
3. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. If you receive an error when you click Update, confirm that the HomePort Address Range does not include the SonicWALL WAN IP Address, the WAN Gateway (Router) Address, or any IP addresses assigned on the One-to-One NAT or Intranet windows. Tip The SonicWALL supports up to 64 HomePort address ranges.
One-to-One NAT One-to-One NAT maps valid, external addresses to private addresses hidden by NAT. Computers on your private LAN are accessed on the Internet at the corresponding public IP addresses. You can create a relationship between internal and external addresses by defining internal and external address ranges.
One-to-One NAT Configuration Example This example assumes that you have a SonicWALL running in the NAT-enabled mode, with IP addresses on the LAN in the range 192.168.1.1 - 192.168.1.254, and a WAN IP address of 208.1.2.2. Also, you own the IP addresses in the range 208.1.2.1 - 208.1.2.6. Alert If you have only one IP address from your ISP, you cannot use One-to-One NAT. You have three web servers on the LAN with the IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.12.
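The address arithmetic behind the example above, as an added illustration that is not part of this guide or of SonicWALL's code. The guide gives the WAN address 208.1.2.2, the public block 208.1.2.1 - 208.1.2.6 and three LAN web servers at 192.168.1.10 - 192.168.1.12; which public addresses those servers take is an assumption made here (208.1.2.4 - 208.1.2.6). The class checks that the internal and external ranges are the same length, that the external range does not claim the firewall's own WAN address (a check added here, since that address is what many-to-one NAT already uses), that ranges do not overlap, and then translates by offset in both directions.

```python
"""One-to-One NAT range mapping. Added example, not SonicWALL code.
Mapping of the three web servers to 208.1.2.4-6 is an assumption."""
import ipaddress


class OneToOneNat:
    def __init__(self, wan_ip: str):
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.ranges = []  # (internal_start, external_start, count)

    def add_range(self, internal_start: str, external_start: str, count: int):
        i0 = ipaddress.ip_address(internal_start)
        e0 = ipaddress.ip_address(external_start)
        if count < 1:
            raise ValueError("range must contain at least one address")
        # The WAN address belongs to the firewall itself (many-to-one NAT).
        if e0 <= self.wan_ip < e0 + count:
            raise ValueError("external range must not include the WAN IP address")
        for j0, x0, n in self.ranges:
            if i0 < j0 + n and j0 < i0 + count:
                raise ValueError("internal range overlaps an existing range")
            if e0 < x0 + n and x0 < e0 + count:
                raise ValueError("external range overlaps an existing range")
        self.ranges.append((i0, e0, count))

    def to_public(self, internal: str):
        """Outbound: the address a mapped LAN host is seen as on the Internet."""
        ip = ipaddress.ip_address(internal)
        for i0, e0, n in self.ranges:
            if i0 <= ip < i0 + n:
                return str(e0 + (int(ip) - int(i0)))
        return None  # unmapped hosts fall back to many-to-one NAT behind the WAN IP

    def to_private(self, public: str):
        """Inbound: which LAN host a public address reaches."""
        ip = ipaddress.ip_address(public)
        for i0, e0, n in self.ranges:
            if e0 <= ip < e0 + n:
                return str(i0 + (int(ip) - int(e0)))
        return None


# Constructed from the guide's example: WAN 208.1.2.2, servers .10-.12 -> 208.1.2.4-6 (assumed)
EXAMPLE = OneToOneNat("208.1.2.2")
EXAMPLE.add_range("192.168.1.10", "208.1.2.4", 3)
```

Mapping an address this way does not by itself permit inbound connections; the Network Access Rules still decide which services reach each server, so keep them as narrow as the public address list.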
Ethernet The Ethernet tab allows the management of Ethernet settings using the SonicWALL Management interface. The tab has the following settings:
• WAN Link Settings
• Enable Bandwidth Management
• DMZ/WorkPort Link Settings
• LAN/HomePort Link Settings
• Proxy Management workstation Ethernet Address on WAN
• MTU Settings
The default selection for all of the link settings is Auto Negotiate because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection.
Update to apply the changes to the SonicWALL. Now that you have enabled Bandwidth Management, you can begin configuring Rules to use bandwidth management. See SonicWALL Bandwidth Management at the end of this section for more information on SonicWALL's Bandwidth Management features. TIP! Traffic inbound from the WAN to the LAN/DMZ based on a Rule using bandwidth management is allowed as if there is no bandwidth management in place.
SonicWALL Bandwidth Management Bandwidth management is a means of allocating bandwidth resources to critical applications on a network. By controlling the amount of bandwidth to an application or user, the network administrator can reduce network traffic congestion, prevent a small number of users from consuming all available bandwidth, or allow priority applications to run smoothly.
Bandwidth Management Schema
Examples of Bandwidth Management Rules
Rule    Service   Priority   Guaranteed   Maximum
Allow   SMTP      0          300 Kbps     1000 Kbps
Allow   FTP       1          100 Kbps     200 Kbps
Allow   HTTP      2          100 Kbps     200 Kbps
12 DHCP Server This chapter describes the configuration of the SonicWALL DHCP Server. DHCP, Dynamic Host Configuration Protocol, is a method to distribute TCP/IP settings from a centralized server to computers on a network. The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server addresses to the computers on your LAN. To access the SonicWALL DHCP Setup window, click DHCP on the left side of the browser window.
Configuring the SonicWALL DHCP Server To configure the SonicWALL DHCP server for the LAN, complete the following instructions. 1. Select the Enable DHCP Server check box. Alert Make sure there are no other DHCP servers on the LAN before you enable the DHCP server. 2. Enter the maximum length of the DHCP lease in the Lease Time field. The Lease Time determines how often the DHCP Server renews IP leases. The default Lease Time is 60 minutes. The length of time can range from 1 to 9999 minutes. 3.
Deleting Dynamic Ranges and Static Entries • To remove a range of addresses from the dynamic pool, select it from the list of dynamic ranges, and click Delete Range. When the range has been deleted, a message confirming the update is displayed at the bottom of the browser window. • To remove a static address, select it from the list of static entries and click Delete Static. When the static entry has been deleted, a message confirming the update is displayed at the bottom of the browser window.
Configuring the Central Gateway for DHCP over VPN To configure DHCP over VPN for the Central Gateway, use the following steps: 1. Log into the Management interface, click DHCP, and then DHCP over VPN. 2. Select Central Gateway from the DHCP Relay Mode menu. 3. If you want to send DHCP requests to specific servers, enable the Send DHCP requests to the server addresses listed below check box. Enter the IP addresses of DHCP servers in the Add DHCP Server field, and click Update.
2. Select Remote Gateway from the DHCP Relay Mode menu. LAN IP Addresses 3. Select the VPN Security Association to be used for the VPN tunnel from the Obtain using DHCP through this SA menu. Alert Only VPN Security Associations using IKE can be used as VPN tunnels for DHCP. 4. The Relay IP address is a static IP address from the pool of specific IP addresses on the Central Gateway. It should not be available in the scope of DHCP addresses. The SonicWALL can also be managed through the Relay IP address. 5.
LAN Device Configuration 7. To configure Static Devices on the LAN, enter the IP address of the device in the IP Address field and then enter the Ethernet Address of the device in the Ethernet Address field. An example of a static device is a printer as it cannot obtain an IP lease dynamically. If you do not have Block traffic through tunnel when IP spoof detected enabled, it is not necessary to enter the Ethernet address of a device. 8.
DHCP Status A Status page is now available to review DHCP Server Status and DHCP over VPN Status. The DHCP Server Status section reports the number of Current, Available Dynamic, Available Static leases as well as the Total leases. The DHCP over VPN Status section reports the number of Current Dynamic, Current Static, and the Total leases. Click the Status tab.
DHCP Server on the SonicWALL TELE3 TZ and TZX This section explains the configuration of the SonicWALL DHCP Server on the SonicWALL TELE3 TZ and TZX. DHCP, Dynamic Host Configuration Protocol, is a method to distribute TCP/IP settings from a centralized server to computers on a network. The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server addresses to the computers on your WorkPort or your HomePort.
Configuring the SonicWALL DHCP Server To configure the SonicWALL DHCP server for the WorkPort, the HomePort, or both, complete the following instructions. 1. Select the Enable DHCP Server check box. Alert Make sure there are no other DHCP servers on the WorkPort or HomePort before you enable the DHCP server. 2. Enter the maximum length of the DHCP lease in the Lease Time field. The Lease Time determines how often the DHCP Server renews IP leases. The default Lease Time is 60 minutes.
Tip The DHCP Server does not assign an IP address from the dynamic range if the address is already being used by a computer on your WorkPort. 11. The DHCP Server can also assign Static Entries, or static IP addresses, to computers on the LAN. Static IP addresses should be assigned to servers that require permanent IP settings. Enter the IP address assigned to your computer or server in the Static IP Address field. 12. Enter the Ethernet (MAC) address of your computer or server in the Ethernet Address field.
DHCP Status A Status page is available to review DHCP Server Status and DHCP over VPN Status. The DHCP Server Status section reports the number of Current, Available Dynamic, Available Static leases as well as the Total leases. The DHCP over VPN Status section reports the number of Current Dynamic, Current Static, and the Total leases. Click the Status tab.
13 SonicWALL VPN SonicWALL VPN provides secure, encrypted communication to business partners and remote offices at a fraction of the cost of dedicated leased lines. Using the SonicWALL intuitive Web Management Interface, you can quickly create a VPN Security Association to a remote site. Whenever data is intended for the remote site, the SonicWALL automatically encrypts the data and sends it over the Internet to the remote site, where it is decrypted and forwarded to the intended destination.
VPN Management Interface Summary Tab The Summary tab has four sections: Global VPN Settings, VPN Bandwidth Management, VPN Policies, and Currently Active VPN tunnels. Global VPN Settings The Global VPN Settings section displays the following information:
• Unique Firewall Identifier - the default value is the serial number of the SonicWALL appliance. You can change the Identifier, and use it for configuring VPN tunnels.
• Enable VPN - must be selected to allow VPN security associations.
in the Failure Trigger Level (missed heartbeats) field. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWALL. The SonicWALL uses a UDP packet protected by Phase 1 Encryption as the heartbeat. VPN Bandwidth Management You can allocate bandwidth to all outbound VPN traffic. To enable VPN Bandwidth Management, select Enable VPN Bandwidth Management, and enter the amount of bandwidth in Kbps for VPN guaranteed bandwidth and VPN maximum bandwidth.
SonicWALL NAT Traversal Support VPN NAT Traversal began as an Internet Draft submitted to the IETF (Internet Engineering Task Force), since published as RFC 3947 and RFC 3948, to overcome the problems faced when IPSec traffic has to pass through a NAT device: ESP carries no port numbers for a NAT to translate, and AH's integrity check covers the IP header that the NAT rewrites. NAT Traversal works around this by wrapping each IPSec packet inside a UDP (User Datagram Protocol) packet when a NAT or NAPT (Network Address Port Translator) device is detected between the peers, which gives the NAT device UDP ports to translate. The receiving peer strips the UDP header again (decapsulation) before processing the IPSec packet.
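The framing the two peers switch to once a NAT is detected, as an added example that is not part of this guide or of SonicWALL's code. It follows RFC 3948: ESP packets travel inside UDP datagrams on port 4500 unchanged, IKE messages on the same port carry a four-byte zero "Non-ESP Marker" in front, and a one-byte 0xFF datagram is the NAT keepalive that stops the translator from expiring the mapping while the tunnel is idle (distinct from the encrypted VPN heartbeat described earlier in this chapter). The receiver tells the three apart by the first bytes of the payload, which for ESP are always a non-zero SPI. The sample ESP and IKE packets are constructed byte strings; no sockets are used.

```python
"""UDP encapsulation of IPsec for NAT traversal (RFC 3948 framing).
Added example, not SonicWALL code; sample packets are constructed."""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def udp_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # UDP checksum left at zero, which RFC 3948 permits for NAT-T: the NAT
    # rewrites ports anyway and the ESP ICV already protects the payload.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def encapsulate_esp(esp_packet: bytes, src_port=NAT_T_PORT, dst_port=NAT_T_PORT) -> bytes:
    """ESP goes into UDP as-is; its SPI doubles as the demultiplexing tag."""
    spi = struct.unpack("!I", esp_packet[:4])[0]
    if spi == 0:
        raise ValueError("SPI 0 is invalid and would look like the Non-ESP Marker")
    return udp_datagram(src_port, dst_port, esp_packet)


def encapsulate_ike(ike_message: bytes, src_port=NAT_T_PORT, dst_port=NAT_T_PORT) -> bytes:
    """IKE on port 4500 is prefixed with four zero bytes."""
    return udp_datagram(src_port, dst_port, NON_ESP_MARKER + ike_message)


def keepalive(src_port=NAT_T_PORT, dst_port=NAT_T_PORT) -> bytes:
    return udp_datagram(src_port, dst_port, NAT_KEEPALIVE)


def napt_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """What a NAPT does on the way out: rewrite the source port (and address,
    not modelled here). With NAT-T that is all it needs to touch."""
    _, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst_port, length, 0) + datagram[8:]


def decapsulate(datagram: bytes):
    """Receiver demultiplexing on the NAT-T port. Returns (kind, payload)."""
    _, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != NAT_T_PORT or length != len(datagram):
        raise ValueError("not a well-formed NAT-T datagram")
    payload = datagram[8:]
    if payload == NAT_KEEPALIVE:
        return "keepalive", b""
    if len(payload) < 4:
        raise ValueError("too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    return "esp", payload


# Constructed samples: an ESP packet (SPI 0x1234, sequence 1, opaque body)
# and the start of an IKE message (8-byte initiator SPI, 8-byte responder SPI).
SAMPLE_ESP = struct.pack("!II", 0x1234, 1) + b"\xaa" * 24
SAMPLE_IKE = b"\x11\x22\x33\x44\x55\x66\x77\x88" + b"\x00" * 8 + b"\x21\x20\x22\x08"
```

The practical consequence for the access rules on the path: with NAT Traversal in use, the VPN needs UDP 500 and UDP 4500 open between the peers rather than IP protocol 50 (ESP), and the translator's mapping survives only as long as something, keepalive or data, keeps flowing.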
Configure Tab Add/Modify IPSec Security Associations The Configure tab settings change depending on the Security Association (SA) and IPSec Keying options you choose in the Add/Modify IPSec Security Associations. You can choose either Group VPN (default) or Add New SA from the Security Association list. If you select Add New SA, a Name field is displayed that allows you to create a name for the SA, such as Boston Office, Corporate Site, etc.
Security Policy Settings The following sections describe the Security Policy settings for Group VPN, IKE using Pre-shared Secret, and Manual Key. Security Policy Settings for Group VPN • Phase 1 DH Group - Diffie-Hellman (DH) key exchange (a key agreement protocol) is used during phase 1 to derive the shared secret from which the IKE session keys are generated; the pre-shared secret you configure only authenticates the peers and is not itself used as keying material. Groups 1, 2 and 5 use modular exponentiation with different prime lengths (768, 1024 and 1536 bits respectively), as listed below. Group 1 is the fastest, but its 768-bit prime is considered too small today; select Group 2 or Group 5 unless the peer supports nothing stronger.
- Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) - uses 168-bit 3DES encryption and HMAC SHA1 authentication. 3DES offers substantially stronger encryption than DES, and HMAC SHA1 is used to verify integrity. This method significantly impacts the data throughput of the SonicWALL. - Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) - uses 168-bit 3DES encryption and HMAC MD5 authentication; HMAC MD5 is used to verify integrity. Note that 3DES, with its 64-bit block size, and MD5 are both regarded as legacy algorithms today; of these two methods prefer the SHA1 variant, and prefer an AES method wherever the appliance and the peer offer one.
• Phase 1 Encryption/Authentication - select an encryption method from the Encryption/Authentication menu for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select from one of eight encryption methods, listed here in order from least secure to most secure:
DES & MD5
DES & SHA1
3DES & MD5
3DES & SHA1
AES-128 & MD5*
AES-128 & SHA1*
AES-256 & MD5*
AES-256 & SHA1*
* AES support is available only on the PRO 230 and PRO 330.
Where both peers support it, choose an AES method with SHA1; DES and MD5 remain available only for compatibility with older peers.
- Encrypt and Authenticate (ESP DES HMAC MD5) - uses 56-bit DES encryption and HMAC MD5 authentication. This method impacts the data throughput of VPN communications. SonicWALL VPN client supports this method. 56-bit DES is within reach of brute force today, so use it only where the peer offers nothing stronger. - Authenticate (AH MD5) - uses AH to authenticate and MD5 to generate a 128-bit message digest. - Authenticate (AH SHA1) - uses AH to authenticate and SHA1 to generate a 160-bit message digest. The two AH methods provide integrity only: the payload crosses the Internet in cleartext, so select them only where confidentiality is not required.
Destination Networks In this section, enter the network settings for the remote VPN site (the “Destination Network”). Include the subnet mask, which determines broadcast addresses for NetBIOS support.
• Use this SA as the default route for all Internet traffic (Security Associations using IKE with Preshared Secret and Manual Key) - Enable this check box if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this setting.
Advanced Settings All of the Advanced Settings for VPN connections are accessed by clicking the Advanced Settings button located on the Configure tab.
Require authentication of local users Selecting this check box requires that all outbound VPN traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. Require authentication of remote users Enabling this feature requires that all inbound traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. Select Remote users behind VPN gateway if remote users have a VPN tunnel terminating on the VPN gateway.
Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office. Route all internet traffic through this SA Selecting this box allows a network administrator to force all WAN-destined traffic to go through a VPN tunnel to a central site. Outgoing packets are checked against the remote network definitions for all Security Associations (SA). If a match is detected, the packet is then routed to the appropriate destination.
a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped. VPN Terminated at the LAN, DMZ, or LAN/DMZ Selecting this option allows you to terminate a VPN tunnel on a specific destination instead of allowing the VPN tunnel to terminate on the SonicWALL network.
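The lookup order the two passages above describe, as an added example that is not part of this guide or of SonicWALL's code. An outbound packet is matched against the Destination Networks of every SA and, on a match, enters that tunnel; otherwise, if one SA is marked "Route all internet traffic through this SA", all remaining non-LAN traffic enters it; otherwise the packet leaves by the WAN as usual. At the central site, a packet arriving from such a tunnel whose destination has no LAN route goes to the Default LAN Gateway if one is configured and is dropped if not. The rule that only one SA may be the default route is enforced as well. SA names, networks and addresses are constructed.

```python
"""Routing decisions with "Route all internet traffic through this SA".
Added example, not SonicWALL code; SA names and networks are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SecurityAssociation:
    name: str
    destination_networks: List[str]
    default_route: bool = False  # "Route all internet traffic through this SA"

    def __post_init__(self):
        self.destination_networks = [ipaddress.ip_network(n, strict=False)
                                     for n in self.destination_networks]


def validate_sas(sas: List[SecurityAssociation]):
    """The guide allows only one SA to be the default route."""
    if sum(1 for sa in sas if sa.default_route) > 1:
        raise ValueError("only one SA may be the default route for Internet traffic")


def route_outbound(dst: str, local_lan: str, sas: List[SecurityAssociation]) -> str:
    """Branch side: where a packet leaving the LAN goes."""
    validate_sas(sas)
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(local_lan, strict=False):
        return "lan"
    # 1. An explicit Destination Network match wins, most specific first.
    best = None
    for sa in sas:
        for net in sa.destination_networks:
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (sa, net)
    if best:
        return "vpn:" + best[0].name
    # 2. Otherwise the default-route SA, if any, takes everything else.
    for sa in sas:
        if sa.default_route:
            return "vpn:" + sa.name
    # 3. Otherwise ordinary WAN traffic.
    return "wan"


def route_from_tunnel(dst: str, lan_routes: List[str],
                      default_lan_gateway: Optional[str]) -> str:
    """Central site: a packet decapsulated from a default-route SA."""
    ip = ipaddress.ip_address(dst)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in lan_routes):
        return "lan"
    if default_lan_gateway:
        return "gateway:" + default_lan_gateway
    return "drop"


# Constructed configuration for a branch with two SAs and a central LAN.
SAMPLE_LAN = "192.168.1.0/24"
SAMPLE_SAS = [
    SecurityAssociation("Boston Office", ["192.168.22.0/24"]),
    SecurityAssociation("Corporate Site", ["10.0.0.0/8"], default_route=True),
]
SAMPLE_CENTRAL_LAN_ROUTES = ["10.0.0.0/8"]
```

Two things follow for the central site. Without a Default LAN Gateway, branch Internet traffic that was forced into the tunnel is silently dropped at the far end, which looks to branch users like a dead Internet connection; and with one, the central site's Network Access Rules must be written to expect Internet-bound traffic arriving from the VPN, since that gateway now sees every branch's browsing.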
Advanced Settings for VPN Configurations The following table lists the available settings for each VPN configuration. The boxes checked are applicable to the given configuration mode.
Configuring SonicWALL VPN This section covers the configuration of SonicWALL VPN for the SonicWALL Internet Security Appliance as well as the installation and configuration of the SonicWALL VPN client software. Group Configuration, Manual Key Configuration, and IKE Configuration (SonicWALL to SonicWALL) are described in this chapter. You can create a VPN client Security Association by using Manual Key Configuration, Group Configuration or Advanced Configuration.
Group VPN Configuration for the SonicWALL and VPN Client Configuring Group VPN on the SonicWALL Click VPN on the left side of the SonicWALL browser window, and then click Configure. The SonicWALL VPN tab defaults to a Group VPN setting. This feature facilitates the set up and deployment of multiple VPN clients by the administrator of the SonicWALL appliance. Security settings can now be exported to the remote client and imported into the remote VPN client settings.
8. Create and enter a Shared Secret in the Shared Secret field or use the Shared Secret automatically generated by the SonicWALL. The Shared Secret should be a long, random combination of letters and numbers rather than the name of a family member, pet, etc. It is also case-sensitive. Because every Group VPN client uses this one secret, it is only as secret as the least careful client; enable XAUTH below so that each user is also authenticated individually. 9. Click Advanced Settings to open the window. Select any of the following boxes that apply to your SA: Require authentication of VPN clients via XAUTH - requires VPN client authentication via a RADIUS server.
Group VPN Client Setup Installing the VPN Client Software 1. When you register your SonicWALL or SonicWALL VPN Upgrade, a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed. 2. Unzip the SonicWALL VPN Client zip file. 3. Double-click setup.exe and follow the VPN client setup program step-by-step instructions. Enter the VPN client serial number when prompted. 4. Restart your computer after you have installed the VPN client software.
3. A dialogue box confirming the request to import the security file appears. Click Yes, and another box appears confirming that the file is successfully imported into the client. The client application now has an imported Group VPN policy. 4. Click the + sign next to Group VPN to reveal two sections: My Identity and Security Policy. Select My Identity to view the settings. 5. Click Pre-Shared Key to enter the Pre-Shared Secret created in the Group VPN settings in the SonicWALL appliance.
6. Click File, then Save Changes to save the settings to the security policy. Group VPN can also be configured using digital certificates in the Security Association settings. For more information on Group VPN configuration using digital certificates, refer to the Authentication Service User's Guide on the SonicWALL Website.
Verifying the VPN Tunnel as Active After the Group VPN Policy is active on the VPN Client, you can verify that a secure tunnel is active and sending data securely across the connection. You can verify the connection by verifying the type of icon displayed in the system tray near the system clock. The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system. The icon changes to reflect the current status of your communication over the VPN tunnel.
Manual Key Configuration for the SonicWALL and VPN Client Configuring the SonicWALL To configure the SonicWALL appliance, click VPN on the left side of the browser window, and select Enable VPN to allow the VPN connection. 1. Select Disable VPN Windows Networking (NetBIOS) broadcast. Leave the Enable Fragmented Packet Handling unselected until the SonicWALL logs show many fragmented packets transmitted. 2. Click the Configure tab and select Add New SA from the Security Association menu.
7. Enter a 16 character hexadecimal encryption key (64 bits, the size of a DES key) in the Encryption Key field or use the default value. This encryption key is used to configure the remote SonicWALL client's encryption key, therefore, write it down to use when configuring the client. 8. Enter a 32 character hexadecimal authentication key (128 bits, the HMAC MD5 key) in the Authentication Key field or use the default value. Write down the key to use while configuring the client settings. Manual keys never change unless you change them, so prefer the pre-filled default value to anything typed by hand, never reuse a key pair for a second SA, and plan to replace both keys periodically.
Launching the SonicWALL VPN Client To launch the VPN client, select SonicWALL VPN Client Security Policy Editor from the Windows Start menu, or double-click the icon in the Windows Task Bar. Click My Connections, and right click to select Add > Connection at the top of the Security Policy Editor window. TIP! The security policy is renamed to match the SA name created in the SonicWALL.
Configuring VPN Client Identity To configure the VPN Client Identity, click My Identity in the Network Security Policy window. 1. Select None from the Select Certificate menu. 2. Select the method used to access the Internet from the Internet Interface menu. Select PPP Adapter from the Name menu if you have a dial-up Internet connection. Select the Ethernet adapter if you have a dedicated cable, ISDN, or DSL line. Configuring VPN Client Security Policy 3.
Configuring VPN Client Key Exchange Proposal 1. Select Key Exchange (Phase 2) in the Network Security Policy box. Then select Proposal 1 below Key Exchange (Phase 2). 2. Select Unspecified in the SA Life menu. 3. Select None from the Compression menu. 4. Select the Encapsulation Protocol (ESP) check box. 5. Select DES from the Encryption Alg menu. 6. Select MD5 from the Hash Alg menu. 7. Select Tunnel from the Encapsulation menu. 8. Leave the Authentication Protocol (AH) check box unselected.
Configuring Inbound VPN Client Keys 1. Click Inbound Keys. The Inbound Keying Material box appears. 2. Click Enter Key to define the encryption and authentication keys. 3. Enter the SonicWALL Outgoing SPI in the Security Parameter Index field. 4. Select Binary in the Choose key format options. 5. Enter the SonicWALL 16-character Encryption Key in the ESP Encryption Key field. 6. Enter the SonicWALL 32-character Authentication Key in the ESP Authentication Key field, then click OK.
Verifying the VPN Tunnel as Active After configuring the VPN Client, you can verify that a secure tunnel is active and sending data securely across the connection. You can verify the connection by verifying the type of icon displayed in the system tray near the system clock. Open a command prompt window and ping an address on the remote network. The icon should turn green indicating an active connection.
IKE and Manual Key Configuration for Two SonicWALLs VPN between two SonicWALLs allows users to securely access files and applications at remote locations. The first step to set up a VPN between two SonicWALLs is creating corresponding Security Associations (SAs). The instructions below describe how to create an SA using Manual Keying and Internet Key Exchange (IKE). These instructions are followed by an example illustrating a VPN tunnel between two SonicWALLs.
6. Define an SPI that the local SonicWALL uses to identify the Security Association in the Outgoing SPI field. SPIs should range from 3 to 8 characters in length and include only hexadecimal characters; values 1 through 255 (below 100 hex) are reserved by IANA, so treat the 3 character minimum as a floor. Alert Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI. 7. Select an encryption algorithm from the Encryption Method menu.
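What the Manual Key values asked for in this procedure and in the VPN client steps earlier (the 16 character encryption key, the 32 character authentication key and the SPI) actually do on the wire, as an added example that is not part of this guide or of SonicWALL's code. It validates the three values to the rules the guide gives, then shows the authentication key at work: the sender computes HMAC-MD5 over SPI, sequence number and encrypted payload and keeps the first 96 bits as the ESP ICV (RFC 2403); the receiver selects the SA by SPI, recomputes the ICV before doing anything else, and rejects a sequence number that does not advance. DES is not in Python's standard library, so the "encrypted" payload is an opaque constructed byte string; the ICV arithmetic is the real one. The SPIs and keys are constructed.

```python
"""Manual-key SA parameter checks and the ESP HMAC-MD5-96 integrity check.
Added example, not SonicWALL code; SPIs, keys and payload are constructed."""
import hashlib
import hmac
import re
import struct

ICV_LEN = 12  # HMAC-MD5-96 keeps 12 of the 16 digest bytes


def parse_spi(text: str) -> int:
    """3 to 8 hex digits as the guide requires; 0-255 are reserved by IANA."""
    if not re.fullmatch(r"[0-9a-fA-F]{3,8}", text):
        raise ValueError("SPI must be 3 to 8 hexadecimal characters")
    spi = int(text, 16)
    if spi < 256:
        raise ValueError("SPI values 0-255 are reserved; use 100 hex or higher")
    return spi


def parse_key(text: str, hex_digits: int, name: str) -> bytes:
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % hex_digits, text):
        raise ValueError(f"{name} must be exactly {hex_digits} hexadecimal characters")
    return bytes.fromhex(text)


def parse_manual_sa(outgoing_spi: str, incoming_spi: str,
                    enc_key: str, auth_key: str) -> dict:
    """Incoming and outgoing SPI may be equal; uniqueness across SAs is the
    caller's job (it holds the SA table)."""
    return {
        "out_spi": parse_spi(outgoing_spi),
        "in_spi": parse_spi(incoming_spi),
        "enc_key": parse_key(enc_key, 16, "Encryption key"),        # 64-bit DES key
        "auth_key": parse_key(auth_key, 32, "Authentication key"),  # 128-bit HMAC-MD5 key
    }


def esp_icv(auth_key: bytes, authenticated: bytes) -> bytes:
    return hmac.new(auth_key, authenticated, hashlib.md5).digest()[:ICV_LEN]


def esp_build(spi: int, seq: int, encrypted_payload: bytes, auth_key: bytes) -> bytes:
    """ESP = SPI | sequence | encrypted body | ICV over everything before it."""
    head = struct.pack("!II", spi, seq) + encrypted_payload
    return head + esp_icv(auth_key, head)


def esp_verify(packet: bytes, sa: dict, last_seq: int):
    """Receiver: SPI selects the SA, the ICV is checked before anything else,
    then the sequence number must advance. Returns (seq, encrypted_payload)."""
    spi, seq = struct.unpack("!II", packet[:8])
    if spi != sa["in_spi"]:
        raise ValueError("no SA for SPI %x" % spi)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(esp_icv(sa["auth_key"], body), icv):
        raise ValueError("ICV mismatch: packet modified or authentication keys differ")
    if seq <= last_seq:
        raise ValueError("replayed or reordered sequence number")
    return seq, body[8:]


# Constructed SA pair: the remote side's outgoing SPI is our incoming SPI.
REMOTE = parse_manual_sa("1a2b", "3c4d", "0123456789abcdef",
                         "00112233445566778899aabbccddeeff")
LOCAL = parse_manual_sa("3c4d", "1a2b", "0123456789abcdef",
                        "00112233445566778899aabbccddeeff")
```

The ICV is why an authentication key mistyped on one side shows up as a tunnel that negotiates nothing yet passes no traffic: every packet fails the check and is dropped before decryption, so only the logs on the receiving SonicWALL tell you what happened.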
Default LAN Gateway if specifying the IP address of the default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box. VPN Terminated at LAN, DMZ, or LAN/DMZ- select one of the three terminating points for the VPN tunnel. 15. Click OK to close the Advanced Settings window. Then click Update to update the SonicWALL.
10. Click Add New Network. Enter the IP address, “192.168.22.1” in the Range Start field. Enter the IP address, “192.168.22.254” in the Range End field. This Range End value is appropriate even if NetBIOS broadcast support is enabled. Leave the subnet mask field blank. Click Update. 11. Click Advanced Settings and select the features that apply to the SA. Enable Windows Networking (NetBIOS) broadcast - if the remote clients use Windows Network Neighborhood to browse remote networks.
Route all internet traffic through this SA - if forcing internet traffic from the WAN to use this SA to access a remote site. Default LAN Gateway if specifying the IP address of the default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box. VPN Terminated at LAN, DMZ, or LAN/DMZ- select one of the three terminating points for the VPN tunnel. 12. Click OK, and then click Update.
IKE Configuration for Two SonicWALLs An alternative to Manual Key configuration is Internet Key Exchange (IKE). IKE transparently negotiates encryption and authentication keys. The two SonicWALL appliances authenticate the IKE VPN session by matching preshared keys and IP addresses or Unique Firewall Identifiers. To create an IKE Security Association, click VPN on the left side of the browser window, and then click the Configure tab. 1. Select IKE using pre-shared secret from the IPSec Keying Mode menu. 2.
7. Define the length of time before an IKE Security Association automatically renegotiates in the SA Life Time (secs) field. The SA Life Time can range from 120 to 2,500,000 seconds. Tip A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, users accessing remote resources are disconnected. Therefore, the default SA Life Time of 28,800 seconds (8 hours) is recommended. 8.
Example of IKE Configuration for Two SonicWALLs The following example illustrates the steps necessary to create an IKE VPN tunnel between a SonicWALL PRO 200 and a SonicWALL TELE3. A company wants to use VPN to link two offices together, one in Chicago and the other in San Francisco. To do this, the SonicWALL PRO 200 in Chicago and the SonicWALL TELE3 in San Francisco must have corresponding Security Associations. Configuring a SonicWALL PRO 200 in Chicago 1.
10. Select a VPN encryption method from the Phase 2 Encryption/Authentication menu. Since security rather than data throughput is the primary concern here, select Encrypt and Authenticate (ESP 3DES HMAC SHA1). 11. Define a Shared Secret. Write down this key as it is required when configuring the San Francisco Office SonicWALL TELE3. 12. Click Add New Network... to open the VPN Destination Network window and enter the destination network addresses. 13.
6. Select Group 2 from the Phase 1 DH Group menu. 7. Enter 28800 in the SA Life time (secs) field to renegotiate keys every eight hours. 8. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu. 9. Select the encryption algorithm from the Phase 2 Encryption/Authentication menu. The San Francisco office Phase 2 Encryption/Authentication must match Chicago, so Encrypt and Authenticate (ESP 3DES HMAC SHA1) must be selected. 10.
SonicWALL Third Party Digital Certificate Support Tip This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN. A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to the existing Authentication Service.
Overview of Third Party Digital Certificate Support X.509 Version 3 Certificate Standard X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWALL has implemented this standard in its third party certificate support. You can use a certificate signed and verified by a third party CA to use with a VPN SA.
Importing Certificate with private key After a certificate is signed by the CA and returned to you, you can import the certificate into the SonicWALL to be used as a Local Certificate for a VPN Security Association. Use the following steps to import the certificate into the SonicWALL: 1. In the Import Certificate with private key section of Local Certificates, enter the Certificate Name. 2. Enter the Certificate Management Password. This password was created when you exported your signed certificate. 3.
Creating a Certificate Signing Request
To create a certificate for use with a VPN SA, follow these steps:
Tip! You should create a Certificate Policy to be used in conjunction with local certificates. A Certificate Policy determines the authentication requirements and the authority limits required for the validation of a certificate.
1. Click VPN, then Local Certificates.
2. In the Generate Certificate Signing Request section, enter a name for the certificate in the Certificate Name field.
Configuring a VPN Security Association using IKE and a Third Party Certificate
To create a VPN SA using IKE and third party certificates, follow these steps:
1. Click VPN, then Configure. In the Add/Modify IPSec Associations section, select IKE using 3rd Party Certificates from the IPSec Keying Mode menu.
2. Enter a Name for the Security Association in the Name field.
3. Select a certificate from the Select Certificate list.
4. Enter the Gateway address in the IPSec Gateway Address field.
5.
3. Select the Network Debug check box, and then click Update to enable the Network Debug setting.
Testing a VPN Tunnel Connection Using PING
To verify that your VPN tunnel is working properly, it is necessary to ping the IP address of a computer on the remote network. By pinging the remote network, you send data packets to the remote network and the remote network replies that it has received the data packets. Your administrator supplies the remote IP address that you can use for testing.
If you are unable to ping the remote network, wait a few minutes for the VPN tunnel to become established, and try pinging the network again. If you are still unable to ping the remote network, contact your network administrator. Configuring Windows Networking After you have successfully pinged the remote host and confirmed that your VPN tunnel is working, your administrator can ask you to configure your computer for Windows Networking.
3. Select the Logon to Windows NT Domain check box, and enter the domain name provided by your administrator into the Windows NT domain text box. Select Quick Logon under the Network logon options section.
4. Click on the Identification tab, and enter the domain name provided by your administrator in the Workgroup text box.
5. Click on TCP/IP or Dial-Up Adapter, and then Properties. Click the WINS Configuration tab, and select Enable WINS Resolution. Enter the WINS server IP address given to you by the administrator, and click Add. The WINS server address now appears in the text box below the address entry box.
6. If your administrator has given you an internal DNS address, click the DNS Configuration tab and enter the DNS IP address.
7.
14 High Availability Given the critical nature of Internet connections, SonicWALL High Availability is standard on the SonicWALL product line. SonicWALL High Availability eliminates network downtime by allowing the configuration of two SonicWALLs (one primary and one backup) as a High Availability pair. In this configuration, the backup SonicWALL monitors the primary SonicWALL and takes over operation in the event of a failure.
Configuring High Availability on the Primary SonicWALL Click High Availability on the left side of the SonicWALL browser window, and then click Configure at the top of the window. The top half of the window displays the primary SonicWALL serial number and network settings. The bottom half of the window displays the backup SonicWALL information boxes. To configure High Availability, follow the steps below: 1.
4. In the Web Management interface for the primary SonicWALL, configure the backup SonicWALL settings as follows:
• Serial Number - Enter the serial number of the backup SonicWALL.
• LAN IP Address - The unique LAN IP address used to access and manage the backup SonicWALL whether it is Active or Idle.
Alert This IP address is different from the IP address used to contact the SonicWALL in the General Network settings.
Alert It is important during initial configuration that the backup SonicWALL has not been previously configured for use. If the backup SonicWALL has previous network settings, it is recommended to reset the SonicWALL to the factory default settings using Restore Factory Default Settings located in the Tools section. Additionally, the password must be changed back to the default password of “password” using the Password tab in the General section. 10. Power on the backup SonicWALL used for High Availability.
Alert If you change the IP address of either SonicWALL, synchronization cannot occur between the two SonicWALLs without updating the changes manually in the High Availability configuration.
Synchronizing Changes between the Primary and Backup SonicWALLs
Changes made to the Primary or Backup firewall are synchronized automatically between the two firewalls. If you click Synchronize Now, the Backup SonicWALL restarts and becomes temporarily unavailable for use as a backup firewall.
High Availability Status Window One method to determine which SonicWALL is active is to check the High Availability Status page for the High Availability pair. To view the High Availability Status window, you can log into the primary or backup SonicWALL LAN IP Address. Click High Availability on the left side of the browser window and then click Configure at the top of the window.
The first line in the status window indicates that the backup SonicWALL is currently Active. It is also possible to check the status of the backup SonicWALL by logging into the LAN IP Address of the backup SonicWALL. If the primary SonicWALL is operating normally, the status window indicates that the backup SonicWALL is currently Idle. If the backup has taken over for the primary, this window indicates that the backup is currently Active.
View Log The SonicWALL also maintains an event log that displays these High Availability events in addition to other status messages and possible security threats. This log may be viewed with a browser using the SonicWALL Web Management Interface or it may be automatically sent to the administrator’s Email address. To view the SonicWALL log, click Log on the left side of the browser window and then click on View Log at the top of the window.
To restart the active SonicWALL, log into the primary SonicWALL LAN IP Address and click Tools on the left side of the browser window and then click Restart at the top of the window. Click Restart SonicWALL, then Yes to confirm the restart. Once the active SonicWALL restarts, the other SonicWALL in the High Availability pair takes over operation.
15 SonicWALL Options and Upgrades SonicWALL, Inc. offers a variety of options and upgrades to enhance the functionality of your SonicWALL Internet security appliance.
Content Filter List Subscription Inappropriate online content can create an uncomfortable work environment, lead to harassment lawsuits, or expose children to pornography or racially intolerant sites. The SonicWALL Content Filter List subscription allows your organization to create and enforce Internet access policies tailored to the requirements of the organization.
SonicWALL ViewPoint Reporting SonicWALL ViewPoint, a Web-based graphical reporting tool, enables administrators to understand and manage their network. ViewPoint compliments and extends SonicWALL's complete security platform by delivering comprehensive, high-level historical reports and real-time monitoring. SonicWALL ViewPoint includes everything you need to get up and running in one easy-to-install product, including a Web server, syslog server, database and reporting software.
16 Hardware Descriptions This chapter provides detailed illustrations and descriptions of the SonicWALL Internet Security Appliances front and back panels by model. Refer to this chapter to learn about the location of LEDs, switches, and connectors. More information is provided in Appendix A, Technical Specifications.
• Reset Switch Resets the SonicWALL PRO 200 or the SonicWALL PRO 300 to its factory clean state. This can be required if you forget the administrator password, or the SonicWALL firmware has become corrupt.
SonicWALL PRO 230 and PRO 330 Rear Panel Description
[Figure: rear panel callouts - Power Input(s), Power Switch(es) (second power input and switch on the PRO 330 only), Cooling Vents]
• Power Switch(es) Powers the SonicWALL on and off.
• Power Input(s) Connects the SonicWALL to power input.
SonicWALL PRO 200 and PRO 300 Front Panel The SonicWALL PRO 200 front panel is shown below, followed by a description of each item. The SonicWALL PRO 300 is identical to the SonicWALL PRO 200 except for the PRO 300 label on the front panel and the inclusion of VPN accelerator hardware and an additional 8MB of RAM.
SonicWALL PRO 200 and PRO 300 Back Panel The SonicWALL PRO 200 back panel is shown below, followed by a description of each item. The SonicWALL PRO 300 back panel is identical to the SonicWALL PRO 200.
SonicWALL PRO 100 Front Panel
The SonicWALL PRO 100 front panel is shown below, followed by a description of each item.
[Figure: front panel callouts - Test LED, Power LED, WAN Port LEDs (Link, 100, Activity), DMZ Port LEDs (Link, 100, Activity), LAN Port LEDs (Link, 100, Activity)]
SonicWALL PRO 100 Front Panel Description
• Power Lights up when power is applied to the SonicWALL PRO 100.
• Test Lights up when the SonicWALL PRO 100 is first powered up and performing diagnostic tests to check for proper operation.
SonicWALL PRO 100 Back Panel
The SonicWALL PRO 100 back panel is shown below, followed by a description of each item.
[Figure: back panel callouts - Cooling Vents, Reset Switch, Serial Port, 5VDC 2A Power input, 10Mbps/100Mbps LAN Ethernet Port, 10Mbps/100Mbps DMZ Ethernet Port, 10Mbps/100Mbps WAN Ethernet Port]
SonicWALL PRO 100 Back Panel Description
• Reset Switch Erases the firmware and resets the SonicWALL PRO 100 to its factory clean state.
SonicWALL TELE3 SP Front Panel
The SonicWALL TELE3 SP front panel is shown below, followed by a description of each item.
[Figure: front panel callouts - Modem LED, Power LED, WAN Port LEDs (Link, 100, Activity), LAN Port LEDs (Link, 100, Activity), Test LED]
SonicWALL TELE3 SP Front Panel Description
• Power Lights up when power is applied to the SonicWALL TELE3 SP.
• Modem Lights up when the modem has established a dial-up connection.
SonicWALL TELE3 SP Back Panel
The SonicWALL TELE3 SP back panel is shown below, followed by a description of each item.
[Figure: back panel callouts - Cooling Vents, 5VDC 2A Power input, Reset Switch, CLI Port, 10Mbps/100Mbps LAN Ethernet Port, 10Mbps/100Mbps WAN Ethernet Port, WAN Modem Port]
SonicWALL TELE3 SP Back Panel Description
• Power Input Connects to the external power supply that is provided with the SonicWALL TELE3 SP.
SonicWALL TELE3 TZ Front Panel
The SonicWALL TELE3 TZ front panel is shown below, followed by a description of each item.
[Figure: front panel callouts - Power LED, WAN Port LEDs (Link, 100, Activity), HomePort LEDs (Link, 100, Activity), WorkPort LEDs (Link, 100, Activity), Test LED]
SonicWALL TELE3 TZ Front Panel Description
• Power Lights up when power is applied to the SonicWALL TZ.
• Test Lights up when the SonicWALL TZ is first powered up and performing diagnostic tests to check for proper operation.
SonicWALL TELE3 TZ Back Panel
[Figure: back panel callouts - Cooling Vents, 5VDC 2A Power input, Reset Switch, 10Mbps/100Mbps WorkPort Ethernet Port, 10Mbps/100Mbps HomePort Ethernet Port, 10Mbps/100Mbps WAN Ethernet Port]
SonicWALL TELE3 TZ Back Panel Description
• Reset Switch Erases the firmware and resets the SonicWALL TZ to its factory clean state. This can be necessary if the administrator password is forgotten, or the firmware has become corrupt.
• Serial Port DB-9 RS-232 Serial port for Command Line Interface support.
SonicWALL TELE3 TZX Front Panel
The SonicWALL TELE3 TZX front panel is shown below, followed by a description of each item.
[Figure: front panel callouts - Power LED, WAN Port LEDs (Link, 100, Activity), HomePort LEDs (Link), WorkPort LEDs (Link, 100, Activity), Test LED]
SonicWALL TELE3 TZX Front Panel Description
• Power Lights up when power is applied to the SonicWALL TZX.
• Test Lights up when the SonicWALL TZX is first powered up and performing diagnostic tests to check for proper operation. These tests take about 90 seconds.
SonicWALL TELE3 TZX Back Panel
[Figure: back panel callouts - Reset Switch, Serial Port, 10Mbps/100Mbps WorkPort Ethernet Port, 10Mbps/100Mbps HomePort Ethernet Port, 10Mbps/100Mbps WAN Ethernet Port, 5VDC 2A Power input]
SonicWALL TELE3 TZX Back Panel Description
• Reset Switch Erases the firmware and resets the SonicWALL TZX to its factory clean state. This can be necessary if the administrator password is forgotten, or the firmware has become corrupt.
• Serial Port DB-9 RS-232 Serial port for Command Line Interface support.
SonicWALL SOHO3 and TELE3 Front Panel
The SonicWALL SOHO3 front panel is shown below, followed by a description of each item. The SonicWALL TELE3 is identical to the SonicWALL SOHO3 except for the TELE3 label on the front panel and the inclusion of SonicWALL VPN.
[Figure: front panel callouts - Test LED, LAN Port LEDs (Link, 100, Activity), Power LED, WAN Port LEDs (Link, 100, Activity)]
SonicWALL SOHO3 and TELE3 Front Panel Description
• Power Lights up when power is applied to the SonicWALL SOHO3 or SonicWALL TELE3.
SonicWALL SOHO3 and TELE3 Back Panel
The SonicWALL SOHO3 back panel is shown below, followed by a description of each item. The SonicWALL TELE3 back panel is identical to the SonicWALL SOHO3.
[Figure: back panel callouts - Cooling Vents, Reset Switch, Serial Port, 10Mbps/100Mbps LAN Ethernet Port, 10Mbps/100Mbps WAN Ethernet Port, 5VDC 2A Power Input]
SonicWALL SOHO3 and TELE3 Back Panel Description
• Reset Switch Erases the firmware and resets the SonicWALL to its factory clean state.
SonicWALL GX 250 and GX 650 Front Panel
The SonicWALL GX 250 front panel is shown below, followed by a description of each item. The SonicWALL GX 650 is identical to the SonicWALL GX 250 except for the GX 650 label on the front panel and the types of network interfaces installed.
[Figure: front panel callouts - Power, Test, Serial Port, WAN, DMZ, LAN]
SonicWALL GX 250 and GX 650 Front Panel Description
• Power Lights up green if both power supplies are functioning on the SonicWALL GX 250 or SonicWALL GX 650.
SonicWALL GX 250 Front Panel
Three Fast Ethernet interfaces provide connectivity for either Ethernet or Fast Ethernet networks. The Ethernet ports connect the SonicWALL to the LAN, DMZ, and WAN using category 5 twisted pair cable with RJ-45 connectors. The standard NIC has two LEDs:
• Link/Activity The Link light is green when a twisted pair connection is made to another Ethernet device (usually a switch or a hub) on the port.
SonicWALL GX 250 and GX 650 Back Panel Description
[Figure: back panel callouts - Power Inputs, Power Switches, Alarm Reset, Cooling Vents]
• Power Inputs There are two power input receptacles to connect the SonicWALL to the AC power input. The unit comes standard with redundant hot swappable power supplies with active power factor correction (100-240 VAC 50/60 Hz).
• Power Switches One power switch for each hot swappable power supply module. The audible alarm sounds if only one power supply is functioning.
17 Troubleshooting Guide
This chapter provides solutions for problems that you might encounter when using the SonicWALL. If you are unable to solve your problem, please visit the SonicWALL Tech Support Web site at . There, you will find resources to help you resolve most technical issues, as well as a means to contact one of the SonicWALL Technical Support engineers.
The Link LED is off
• Make sure the SonicWALL is powered on.
• If you are using an Internet Explorer browser, you may want to click the Refresh button several times to fully load the Java and JavaScript programs. Also, wait until the Java applet has completely loaded before attempting to log in.
The SonicWALL does not save changes that you have made
• When configuring the SonicWALL, be sure to click Update before moving to another window or tab, or all changes will be lost.
• Click Refresh or Reload in the Web browser.
Appendix B - SonicWALL Support Solutions SonicWALL’s powerful security solutions give unprecedented protection from the risks of Internet attacks. SonicWALL’s comprehensive support services protect your network security investment and offer the support you need - when you need it. Knowledge Base All SonicWALL customers have immediate, 24X7 access to our state-of-the-art electronic support tools.
SonicWALL Support 24X7
For customers with mission-critical network requirements who cannot afford downtime, SonicWALL Support 24X7 is an annual subscription service that offers
• Advance-exchange replacement of defective hardware
• Telephone or electronic support, 24 hours, seven days a week
• Enhanced escalation for high priority problems
• Access to SonicWALL’s electronic support and Knowledge Base systems
All of SonicWALL Support Services offer a variety of support services to meet your unique needs in
Warranty Support - North America Included with all SonicWALL products, SonicWALL warranty support includes return-to-factory hardware replacement for one year. Warranty Support also includes technical support and software/firmware updates for 90 days. Coverage is provided during normal business hours. Coverage Hours Support is provided during standard business hours, 24 hours per day local time, seven days per week, including locally-recognized SonicWALL holidays.
Warranty Support - International Included with all SonicWALL products, SonicWALL warranty support includes return-to-factory hardware replacement for one year. Warranty Support also includes technical support and software/firmware updates for 90 days. Coverage is provided during normal business hours. Coverage Hours Support is provided during standard business hours, 24 hours per day local time, seven days per week, including locally-recognized SonicWALL holidays.
SonicWALL Support 24X7 Available for all SonicWALL products, SonicWALL Support 24X7 includes software/firmware technical support, and factory replacement of defective hardware. Coverage is provided 24 hours a day, seven days a week. Coverage Hours Support is provided during standard business hours, 24 hours per day local time, seven days per week, including locally-recognized SonicWALL holidays.
SonicWALL Support 8X5 Available for all products, SonicWALL Support 8X5 includes software/firmware technical support and factory hardware replacement. Coverage is provided during standard business hours. Coverage Hours Support is provided during standard business hours, 8:00 a.m. - 5:00 p.m. local time, Monday through Friday, excluding locally-recognized SonicWALL holidays.
Appendix C - Introduction to Networking This appendix provides a non-technical overview of the network protocols supported by the SonicWALL and includes a discussion of Internet Protocol (IP) addressing. It can be helpful to review a book on TCP/IP for an overview of protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol).
Network Protocols
The method used to regulate a workstation’s access to a computer network to prevent data collisions. The SonicWALL uses the TCP/IP protocol.
• TCP/IP - Internet Protocol, or "IP", provides connectionless data transfer over a TCP/IP network. Since IP alone does not provide end-to-end data reliability as well as some other services, other protocols such as TCP (Transmission Control Protocol) can be added to provide these services.
IP Addressing To become part of an IP network, a network device must have an IP address. An IP address is a unique number that differentiates one device from another on the network to avoid confusion during communication. To help illustrate IP addresses, the following sections compare an IP address to the telephone numbering system, a system that is used every day. Like a phone number with its long distance “1” and area code, an IP address contains a set of four numbers.
Subnet Mask
The IP addressing system allows subnetworks or “interchanges” to be created and device numbers or “extensions” to be established within these subnetworks. These numbers are created using a mathematical device called a subnet mask. A subnet mask, like the IP address, is a set of four numbers in dotted decimal notation. Subnet masks typically take three forms:
• 255.0.0.0
• 255.255.0.0
• 255.255.255.
begins to count IP addresses against the license, and continues to count new LAN IP addresses accessing the Internet until the appliance is rebooted. When a computer or other device connects to the LAN port of the SonicWALL, it is detected via broadcast and stores the computer or other device IP address in memory. If 5, 10, or 50 IP addresses have been stored in the SonicWALL, the SonicWALL does not permit any additional machines to access the Internet.
Appendix D - IP Port Numbers The port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. Well Known Ports range from 0 through 1023. Registered Ports range from 1024 through 49151. Dynamic and/or Private Ports range from 49152 through 65535. Well Known Port Numbers Well Known Ports are controlled and assigned by the Internet Assigned Numbers Authority (IANA)
Appendix E - Configuring TCP/IP Settings The following steps describe how to configure the Management Station TCP/IP settings in order to initially contact the SonicWALL. It is assumed that the Management Station can access the Internet through an existing connection. The SonicWALL is pre-configured with the IP address “192.168.168.168". During the initial configuration, it is necessary to temporarily change the IP address of the Management Station to one in the same subnet as the SonicWALL.
Windows NT
1. From the Start list, highlight Settings and then select Control Panel.
2. Double-click the Network icon in the Control Panel window.
3. Double-click TCP/IP in the TCP/IP Properties window.
4. Select the Specify an IP Address radio button.
5. Enter "192.168.168.200" in the IP Address field.
6. Enter "255.255.255.0" in the Subnet Mask field.
7. Click DNS at the top of the window.
8. Enter the DNS IP address in the Preferred DNS Server field.
Windows 2000
1. In Windows 2000, click Start, then Settings.
2. Click Network and Dial-up Connections. Double-click the network connection name to open the Status window.
3. Click Status to open the Properties window.
4. Double-click Internet Protocol (TCP/IP) to open the TCP/IP properties window.
5. Select Use the following IP address and enter 192.168.168.200 in the IP address field.
6. Enter 255.255.255.0 in the Subnet mask field.
7. Enter the DNS IP address in the Preferred DNS Server field.
Windows XP
1. Open the Local Area Connection Properties window.
2. Double-click Internet Protocol (TCP/IP) to open the Internet Protocol (TCP/IP) Properties window.
3. Select Use the following IP address and enter 192.168.168.200 in the IP address field.
4. Enter 255.255.255.0 in the Subnet Mask field.
5. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one address, enter the second one in the Alternate DNS server field.
Macintosh OS 10
From a Macintosh computer, do the following:
1. From the Apple list, choose Control Panel, and then choose TCP/IP to open the TCP/IP Control Panel.
2. From the Configure list, choose Manually.
3. Enter "192.168.168.200" in the IP address field.
4. Enter the Subnet Mask address in the Subnet Mask field.
5. Click OK.
Follow the SonicWALL Installation Wizard instructions to perform the initial setup of the SonicWALL.
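The mask arithmetic behind the Subnet Mask section of Appendix C, and the Appendix E requirement that the Management Station temporarily share the appliance's subnet, as an added Python example; this is not code from the guide or from SonicWALL. It assumes only the Python standard library, uses the guide's factory address 192.168.168.168 and suggested station address 192.168.168.200, and treats every other value as constructed sample input. It goes slightly beyond the text by rejecting masks whose 1 bits are not contiguous, which the three standard forms never produce.

```python
# Added example (not from the SonicWALL guide): dotted-decimal subnet-mask
# arithmetic from Appendix C and the "same subnet" check behind Appendix E.
# Standard library only. 192.168.168.168 and 192.168.168.200 are the guide's
# values; all other sample addresses are constructed for illustration.
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Return the number of leading 1 bits in a dotted-decimal mask.

    Raises ValueError for a non-contiguous mask such as 255.0.255.0, since
    a valid mask is a run of 1 bits followed by a run of 0 bits.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = 0
    for i in range(31, -1, -1):
        if bits >> i & 1:
            prefix += 1
        else:
            break
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def split_address(ip: str, mask: str) -> dict:
    """Split an address into its "area code" (network part) and "extension"
    (host part), following the guide's telephone-number analogy."""
    prefix = mask_to_prefix(mask)
    net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    host_bits = int(ipaddress.IPv4Address(ip)) & ~int(net.netmask) & 0xFFFFFFFF
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_number": host_bits,
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses fall inside the same subnet under `mask`."""
    prefix = mask_to_prefix(mask)
    net_a = ipaddress.IPv4Network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.IPv4Address(ip_b) in net_a


def management_station_ok(station_ip: str,
                          appliance_ip: str = "192.168.168.168",
                          mask: str = "255.255.255.0") -> bool:
    """Appendix E check: the station must share the appliance's subnet and
    must not collide with the appliance, network or broadcast address."""
    info = split_address(appliance_ip, mask)
    return (same_subnet(station_ip, appliance_ip, mask)
            and station_ip not in (appliance_ip, info["network"], info["broadcast"]))


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.0.0", "255.255.255.0"):
        print(mask, "->", mask_to_prefix(mask), "network bits")
    print(split_address("192.168.168.168", "255.255.255.0"))
    print("station 192.168.168.200 ok:", management_station_ok("192.168.168.200"))
    print("station 192.168.169.200 ok:", management_station_ok("192.168.169.200"))
```

Any address whose host part differs from the appliance's while the network part matches passes the check; a station left on another subnet (the common mistake when the initial setup fails) is reported immediately rather than after a timed-out browser connection.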
Appendix F - Basic VPN Terms and Concepts • VPN Tunnel A VPN Tunnel is a term that describes a connection between two or more private nodes or LANs over a public network, typically the Internet. Encryption is often used to maintain the confidentiality of private data when traveling over the Internet. • Encryption Encryption is a mathematical operation that transforms data from "clear text" (something that a human or a program can interpret) to "cipher text" (something that cannot be interpreted).
• Internet Key Exchange (IKE) IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates Phase 1 Encryption/Authentication Keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates the keys that are used to pass IP traffic. The initial exchange occurs on UDP port 500, so when an IKE SA is created, the SonicWALL automatically opens port 500 to allow the IKE key exchange.
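What an IKE SA negotiates in Phase 1 with the settings this guide uses (Phase 1 DH Group 2, 3DES & SHA1, a 28800-second lifetime and a shared secret), as an added Python illustration that is not SonicWALL's implementation. It assumes the 1024-bit MODP group of RFC 2409 ("Group 2") and the pre-shared-key key derivation of RFC 2409 with HMAC-SHA1 as the PRF, simplified by leaving out the ISAKMP cookies, payload encoding and identity payloads; nonces and private values are random on every run, and `proposals_match`, `IkePeer` and `ike_phase1` are names chosen here.

```python
# Added illustration (not SonicWALL's code): a simplified IKE Phase 1 in the
# pre-shared-key mode of RFC 2409. Both peers must hold the same proposal,
# run Diffie-Hellman in Group 2 (RFC 2409 section 6.2, 1024-bit MODP) and
# derive SKEYID material with HMAC-SHA1. Cookies and payload encoding are
# omitted, so the derivation is illustrative rather than wire-compatible.
import hashlib
import hmac
import secrets

# RFC 2409 Group 2 prime and generator.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

# Phase 1 proposal as configured in the guide's Chicago / San Francisco example.
PHASE1 = {"dh_group": 2, "encryption": "3DES", "auth": "SHA1", "lifetime": 28800}


def proposals_match(local: dict, remote: dict) -> bool:
    """Phase 1 only proceeds when every proposal parameter agrees on both ends."""
    return local == remote


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE PRF for the SHA1 choice: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    """One side of the exchange: a DH private value, its public value and a nonce."""

    def __init__(self, shared_secret: bytes):
        self.psk = shared_secret
        self.x = secrets.randbelow(GROUP2_P - 2) + 1        # private exponent
        self.public = pow(GROUP2_G, self.x, GROUP2_P)       # g^x mod p, sent in clear
        self.nonce = secrets.token_bytes(16)

    def derive(self, peer_public: int, ni: bytes, nr: bytes) -> bytes:
        # g^xy is computed locally from the peer's public value and never crosses
        # the wire; that is why only the group must be agreed, never the keys.
        shared = pow(peer_public, self.x, GROUP2_P).to_bytes(128, "big")
        skeyid = prf(self.psk, ni + nr)                      # pre-shared-key case
        skeyid_d = prf(skeyid, shared + b"\x00")             # feeds Phase 2 keys
        skeyid_a = prf(skeyid, skeyid_d + shared + b"\x01")  # ISAKMP SA integrity
        skeyid_e = prf(skeyid, skeyid_a + shared + b"\x02")  # ISAKMP SA encryption
        return skeyid_d + skeyid_a + skeyid_e


def ike_phase1(initiator_psk: bytes, responder_psk: bytes, responder_proposal=PHASE1):
    """Run the exchange; returns (keys_agree, initiator_keys, responder_keys)."""
    if not proposals_match(PHASE1, responder_proposal):
        return False, b"", b""
    init, resp = IkePeer(initiator_psk), IkePeer(responder_psk)
    ki = init.derive(resp.public, init.nonce, resp.nonce)
    kr = resp.derive(init.public, init.nonce, resp.nonce)
    return ki == kr, ki, kr


if __name__ == "__main__":
    ok, ki, _ = ike_phase1(b"example-shared-secret", b"example-shared-secret")
    print("matching secret -> keys agree:", ok, "(", len(ki), "bytes of material )")
    ok, _, _ = ike_phase1(b"example-shared-secret", b"typo-in-secret")
    print("mismatched secret -> keys agree:", ok)
```

With the same secret on both sides the two peers end up with identical keying material; with different secrets the DH value still agrees but SKEYID does not, which is why the guide has you write down the shared secret before configuring the second office, and why a mismatched Phase 1 proposal fails before any key is derived.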
Using AH increases the processing requirements of VPN and also increases the communications latency. The increased latency is primarily due to the calculation of the authentication data by the sender, and the calculation and comparison of the authentication data by the receiver for each IP packet containing an Authentication Header.
• Data Encryption Standard (DES) When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. The SonicWALL DES encryption algorithm uses a 56-bit key. The SonicWALL VPN DES Key must be exactly 16 characters long and is comprised of hexadecimal characters.
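Why a 16-hexadecimal-character manual DES key is described as a 56-bit key, as an added Python example that is neither the guide's nor SonicWALL's code: DES keys are 64 bits (8 bytes) on the wire, but the low bit of every byte is an odd-parity bit, leaving 56 secret bits. The helpers validate the guide's format rule, check and set DES parity, pack the 56 effective bits and, going beyond the text, flag the four DES weak keys listed in FIPS 46-3; the sample keys are constructed, and the function names are chosen here.

```python
# Added example (not from the guide): the 64-bit/56-bit DES key relationship
# behind the "16 hexadecimal characters" rule. Standard library only; sample
# keys below are constructed for illustration.
import re

HEX_KEY = re.compile(r"^[0-9A-Fa-f]{16}$")


def validate_des_key(text: str) -> bytes:
    """Apply the guide's format rule (exactly 16 hex characters) and return
    the 8-byte key; raises ValueError otherwise."""
    if not HEX_KEY.match(text):
        raise ValueError("DES key must be exactly 16 hexadecimal characters")
    return bytes.fromhex(text)


def has_odd_parity(key: bytes) -> bool:
    """True when every byte has an odd number of 1 bits (the DES parity rule)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Return the key with each byte's least-significant bit adjusted so the
    byte has odd parity; the 56 secret bits are left untouched."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def effective_key_bits(key: bytes) -> int:
    """Pack the 7 secret bits of each byte into one 56-bit integer."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def is_weak_des_key(key: bytes) -> bool:
    """The four DES weak keys from FIPS 46-3, compared on their 56 effective
    bits so that parity-bit variants of a weak key are caught as well."""
    weak = (b"\x01" * 8, b"\xfe" * 8,
            b"\xe0\xe0\xe0\xe0\xf1\xf1\xf1\xf1",
            b"\x1f\x1f\x1f\x1f\x0e\x0e\x0e\x0e")
    return effective_key_bits(key) in {effective_key_bits(w) for w in weak}


if __name__ == "__main__":
    key = validate_des_key("0123456789ABCDEF")       # constructed sample key
    print("parity ok:", has_odd_parity(key))
    fixed = set_odd_parity(key)
    print("with parity set:", fixed.hex().upper(), "parity ok:", has_odd_parity(fixed))
    print("secret bits (hex):", f"{effective_key_bits(key):014X}")
    print("weak:", is_weak_des_key(key), "/ all-zero key weak:", is_weak_des_key(b"\x00" * 8))
```

A key that fails the format check is rejected before any byte is interpreted; a key that passes but has wrong parity still carries the same 56 secret bits, which is why implementations may accept or silently correct it, and why two keys differing only in parity bits are the same key for cryptographic purposes.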
Appendix G - Erasing the Firmware
There can be instances when it is necessary to reset the SonicWALL to its factory clean state if the following events happen to the appliance:
• Administrator password is forgotten
• The firmware has become corrupt, and you cannot contact the Management Interface
• The test light comes on and stays on for more than a few minutes.
• During the troubleshooting process, you must start from a “known” state.
Appendix H - Mounting the SonicWALL PRO 200 and PRO 300
The SonicWALL PRO 200 and SonicWALL PRO 300 are designed to be mounted in a standard 19-inch rack mount cabinet. The following conditions are required for proper installation:
• Use the mounting hardware recommended by the rack manufacturer and ensure that the rack is adequate for the application.
• Four mounting screws, compatible with the rack design, must be used and hand tightened to ensure secure installation.
Appendix I - Configuring RADIUS and ACE Servers Individual users must have their privileges defined on the RADIUS server used for authenticating the users. Global user privileges can be configured on the RADIUS tab of the SonicWALL management interface, but SonicWALL-specific privileges must be configured on the RADIUS server. Different vendors also have different methods of configuring the privileges on their servers.
Configuring User Privileges To configure user privileges, follow these steps: 1. With Steel Belted RADIUS Administrator open, click Users and select the User to configure. Or select a profile to be configured from the Profile Name menu. 2. Click Ins and select SonicWALL-User-Privilege from the Available Attributes list. 3. Select the privilege to be set, and click Add. Repeat until all of the privileges are added for the user.
ACS Server (Cisco) The ACS server, version 2.6, from Cisco does not support the configuration of vendor-specific privileges. Therefore, if an ACS Server is deployed, user privileges cannot be configured on the server. The ACS server can still be used for authentication if the RADIUS users are configured globally on the SonicWALL to have the same privileges. Also, the ACS server supports CHAP, so it can be used if HTTPS is not available when logging into the SonicWALL management interface.
RADIUS Attributes Dictionary The following is the RADIUS dictionary in the format used with Funk Software’s Steel Belted RADIUS server.
SonicWALL, Inc. 1143 Borregas Avenue Sunnyvale, CA 94089-1306 T: 408.745.9600 F: 408.745.9300 www.sonicwall.com © 2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.