SonicWALL 5.8.1 manual


A good user manual

The rules oblige the seller to supply the buyer with the manual for the SonicWALL 5.8.1 product. A missing manual or incorrect information given to the consumer is grounds for a complaint that the product does not conform to the contract. Under the law, the manual may be supplied in a form other than paper, which is often done by including a graphical or electronic SonicWALL 5.8.1 manual or instructional videos for users. The condition is that the form be legible and understandable.

What is an instruction manual?

The word comes from the Latin "instructio", meaning to instruct. The SonicWALL 5.8.1 manual therefore describes the stages of a process. The purpose of a manual is to instruct and to make it easier to start up and use the equipment or to carry out particular tasks. A manual is a collection of information about an object or service: a guide.

Unfortunately, few users take the time to read the SonicWALL 5.8.1 manual, and a good manual not only reveals a range of additional functions of the device but also prevents most faults.

So what should the perfect manual contain?

First, the SonicWALL 5.8.1 manual should contain:
- technical data for the SonicWALL 5.8.1 device
- the manufacturer's name and the year of manufacture of the SonicWALL 5.8.1 device
- instructions for using, adjusting and maintaining the SonicWALL 5.8.1 device
- safety markings and certificates confirming conformity with the relevant standards

Why don't you read manuals?

Usually this is due to lack of time and to confidence about the specific functionality of the purchased device. Unfortunately, connecting and starting up SonicWALL 5.8.1 is not enough on its own. The manual contains a range of guidance on specific functions, safety, maintenance methods (including which products should be used), possible SonicWALL 5.8.1 faults, and ways of solving common problems during use. Finally, the manual gives the contact details of SonicWALL service for cases where the proposed solutions do not work. Manuals in the form of engaging animations and instructional videos are currently much appreciated, as they speak to the user better than a leaflet does. This kind of manual gives the user a chance to watch the whole instructional video without skipping the complicated specifications and technical descriptions of SonicWALL 5.8.1, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the SonicWALL 5.8.1 device, the use of individual accessories, and a range of information for making full use of all its features and conveniences.

After successfully purchasing a piece of equipment or a device, it is worth taking a moment to become familiar with each part of the SonicWALL 5.8.1 manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of providing information.

Manual index

  • Page 1

    PROTECTION AT THE SPEED OF BUSINESS™ SonicOS 5.8.1 Administrator’s Guide[...]

  • Page 2

    [...]

  • Page 3

    iii SonicOS 5.8.1 Administrator Guide. Table of Contents: Table of Contents, iii; Part 1: Introduction; Chapter 1: Preface, 25; Preface[...]

  • Page 4

    Packet Rate Monitor, 68; Packet Size Monitor, 69; Connection Count Monitor[...]

  • Page 5

    Chapter 8: Configuring Administration Settings, 107; System > Administration, 107; Firewall Name[...]

  • Page 6

    Chapter 14: Using Diagnostic Tools & Restarting the Appliance, 165; System > Diagnostics, 165; Tech Support Report[...]

  • Page 7

    Chapter 17: Setting Up Failover and Load Balancing, 275; Network > Failover & Load Balancing, 275; Failover and Load Balancing[...]

  • Page 8

    Creating NAT Policies, 356; Using NAT Load Balancing, 366; Chapter 24: Managing ARP Traffic[...]

  • Page 9

    Chapter 29: Configuring Dynamic DNS, 419; Network > Dynamic DNS, 419; Supported DDNS Providers[...]

  • Page 10

    Chapter 35: Configuring Wireless Settings, 475; Wireless > Settings, 475; Wireless Radio Mode[...]

  • Page 11

    VAP Issues, 535; Troubleshooting, 535; Resetting the SonicPoint[...]

  • Page 12

    Chapter 49: Configuring Application Control, 617; Application Control, 617; Application Control Overview[...]

  • Page 13

    Enabling Multicast on LAN-Dedicated Interfaces, 748; Enabling Multicast Through a VPN, 749; Chapter 54: Managing Quality of Service[...]

  • Page 14

    How Does the Anti-Spam Service Work?, 835; Purchasing an Anti-Spam License, 838; Anti-Spam > Status[...]

  • Page 15

    Part 14: SSL VPN; Chapter 64: SSL VPN, 931; SSL VPN, 931; SSL VPN NetExtender Overview[...]

  • Page 16

    Users > Guest Status, 1129; Logging Accounts off the Appliance, 1129; Part 17: High Availability; Chapter 68: Setting Up High Availability[...]

  • Page 17

    Chapter 73: Managing SonicWALL Gateway Anti-Virus Service, 1223; Security Services > Gateway Anti-Virus, 1223; SonicWALL GAV Multi-Layered Approach[...]

  • Page 18

    Chapter 76: Configuring SonicWALL Real-Time Blacklist, 1259; SMTP Real-Time Black List Filtering, 1259; Chapter 77: Configuring Geo-IP and Botnet Filters[...]

  • Page 19

    Part 20: Log; Chapter 79: Managing Log Events, 1349; Log > View, 1349; Log View Table[...]

  • Page 20

    Chapter 85: Generating Log Reports, 1389; Log > Reports, 1389; Data Collection[...]

  • Page 21

    Part 22: Appendices; Appendix A: CLI Guide, 1431; Input Data Format Specification, 1431; Text Conventions[...]

  • Page 22

    [...]

  • Page 23

    Part 1: Introduction[...]

  • Page 24

    [...]

  • Page 25

    Chapter 1: Preface. Copyright Notice: © 2011 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a [...]

  • Page 26

    Limited Warranty. SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materia[...]

  • Page 27

    About this Guide. Welcome to the SonicOS Enhanced 5.8 Administrator’s Guide. This manual provides the information you need to successfully activate, configure, and administer SonicOS Enhanced 5.8 for SonicWALL security appliances. Note: Always check <http://www.sonicwall.com/services/[...]

  • Page 28

    • WAN Failover and Load Balancing - configure one of the user-defined interfaces to act as a secondary WAN port for backup or load balancing. • Zones - configure security zones on your network. • DNS - set up DNS servers for name resolution. • Address Objects - configure host, netwo[...]

  • Page 29

    Part 10 DPI-SSL: This part describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. Client DPI-SSL is used to inspect HTTPS traffic when clients on the SonicWALL security appliance’s[...]

  • Page 30

    Part 18 Security Services: This part includes an overview of available SonicWALL Security Services as well as instructions for activating the service, including FREE trials. These subscription-based services include SonicWALL Gateway Anti-Virus, SonicWALL Intrusion Prevention Service, Soni[...]

  • Page 31

    Icons Used in this Manual. These special messages refer to noteworthy information, and include a symbol for quick identification: Caution: Important information that cautions about features affecting firewall performance, security features, or causing potential problems with your SonicWALL. Tip [...]

  • Page 32

    Switzerland: +44 193.257.3929 UK: +44 193.257.3929 More Information on SonicWALL Products. Contact SonicWALL, Inc. for information about SonicWALL products and services at: Web: http://www.sonicwall.com E-mail: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408) 745-9300[...]

  • Page 33

    Chapter 2: Introduction. SonicOS Enhanced 5.8.1 is the most powerful SonicOS operating system for SonicWALL security appliances. This chapter contains the following sections: • “Key Features in SonicOS Enhanced 5.8.1” on page 33 • “Key Features in SonicOS Enhanced 5.8” on p[...]

  • Page 34

    Although the entire SonicOS interface is available in different languages, sometimes the administrator does not want to change the entire UI language to a specific local one. However, if the firewall requires authentication before users can access other networks, or enables external access serv[...]

  • Page 35

    Anti-virus exclusions which existed before the upgrade and which apply to hosts residing in custom zones will not be detected. IP address ranges not falling into the supported zones will default to the LAN zone. Conversion to the LAN zone occurs during the restart booting process. There is no [...]

  • Page 36

    • Wire/Tap Mode - Wire Mode is a deployment option where the SonicWALL appliance can be deployed as a "Bump in the Wire." It provides a least-intrusive way to deploy the appliance in a network. Wire Mode is very well suited for deploying behind a pre-existing Stateful Packet Ins [...]

  • Page 37

    Appliances newly registered and upgraded to SonicOS 5.8.0.0 or higher will receive a 30-day free trial license of App Visualization by default. Navigate to the Log > Flow Reporting page to manually Enable Flow Reporting and Visualization feature. You can then view real-time application tr[...]

  • Page 38

    capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Control, Packet Monitor and Packet Mirror. DPI-SSL is supported on SonicWALL NSA models 240 and higher. • Gateway Anti-Virus Enhancements (Cloud GAV) - The Cloud G[...]

  • Page 39

    increases the efficiency of your SonicWALL security appliance by providing you the ability to configure user view settings and filter junk messages before users see it in their inboxes. The following enhancements are now available with CASS 2.0: – The Email Security Junk Store application can n[...]

  • Page 40

    • DHCP Scalability Enhancements - The DHCP server in SonicWALL appliances has been enhanced to provide between 2 to 4 times the number of leases previously supported. To enhance the security of the DHCP infrastructure, the SonicOS DHCP server now provides server side conflict detection to en[...]

  • Page 41

    features are capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Firewall, Packet Capture and Packet Mirror. DPI-SSL is initially available on NSA-3500 and above hardware platforms. • Dynamic DNS per Interface - Provid[...]

  • Page 42

    • Virtual Access Points for SonicWALL TZ Wireless Platforms - The SonicWALL TZ 100w, TZ 200w and TZ 210w platforms now support Virtual Access Points (VAPs). VAPs enable users to segment different wireless groups by creating logical segmentation on a single wireless radio. • Wireless Br[...]

  • Page 43

    – Fully Customizable Block Page - The web page that is displayed when a user attempts to access a blocked site can now be fully customized. This enables organizations to brand the block page and display any organization-specific information. – Safe Search Enforcement - Safe Search Enforcement [...]

  • Page 44

    connections. Once the primary and backup appliances have been associated as a high availability pair on mysonicwall.com, you can enable this feature by selecting Enable Stateful Synchronization in the High Availability > Advanced page. • Application Firewall - Application Firewall provides[...]

  • Page 45

    • Multiple and Read-only Administrator Login - Multiple Administrator Login provides a way for multiple users to be given administration rights, either full or read-only, for the SonicOS security appliance. Additionally, SonicOS Enhanced allows multiple users to concurrently manage the applia[...]

  • Page 46

    – EAPOL packet flood – Weak WEP IV • SMTP Authentication - SonicOS Enhanced supports RFC 2554, which defines an SMTP service extension that allows the SMTP client to indicate an authentication method to the server, perform an authentication protocol exchange, and optionally negotiate a[...]

  • Page 47

    L2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration. Using L2 Bridge Mode, a SonicWALL security appliance can be non-disruptively added to any Ethern[...]

  • Page 48

    – Disabled: (Default) when the appliance reboots, the DHCP client performs a DHCP DISCOVERY query. • Dynamic Route Metric Recalculation Based on Interface Availability - To better support redundant or multiple path Advanced Routing configurations, when a default-route's interface is[...]

  • Page 49

    new page, you first click on the heading, and then click on the sub-folder page you want. This eliminates the delay and redundant page loading that occurred in previous versions of SonicOS when clicking on a heading automatically loaded the first sub-folder page. If the navigation bar continues belo[...]

  • Page 50

    Applying Changes. Click the Accept button at the top right corner of the SonicWALL management interface to save any configuration changes you made on the page. If the settings are contained in a secondary window within the management interface, when you click OK, the settings are automatically ap[...]

  • Page 51

    The behavior of the Tooltips can be configured on the System > Administration page. Tooltips are enabled by default. To disable Tooltips, uncheck the Enable Tooltip checkbox. The duration of time before Tooltips display can be configured: • Form Tooltip Delay - Duration in millisecond[...]

  • Page 52

    A number of tables now include an option to specify the number of items displayed per page. Many tables can now be re-sorted by clicking on the headings for the various columns. On tables that are sortable, a tooltip will pop-up when you mouseover headings that states Click to sort by. When t[...]

  • Page 53

    Several tables include a tooltip that displays the maximum number of entries that the SonicWALL security appliance supports. For example, the following image shows the maximum number of address groups the appliance supports. Tables that display the maximum entry tooltip include NAT policies[...]

  • Page 54

    [...]

  • Page 55

    Part 2: Dashboard[...]

  • Page 56

    [...]

  • Page 57

    Chapter 4: Using the SonicOS Visualization Dashboard. Visualization Dashboard. The SonicWALL Visualization Dashboard offers administrators an effective and efficient interface to visually monitor their network in real time, providing effective flow charts of real-time data, customizable rules, a[...]

  • Page 58

    Note: Several of the SonicWALL Visualization Dashboard pages now contain a blue pop-up button that will display the dashboard in a standalone browser window that allows for a wider display. Click on the blue pop-up icon to the right of the page name in the left-hand navigating bar to d[...]

  • Page 59

    Step 3: Navigate to the Network > Interfaces page. Click the Configure icon for the interface you wish to enable flow reporting on. Step 4: In the Advanced tab, ensure that the Enable flow reporting checkbox is selected. Step 5: Click the OK button to save your changes. Step 6: Repeat[...]

  • Page 60

    Dashboard > Real-Time Monitor. The Real-Time Monitor provides administrators an inclusive, multi-functional display with information about applications, bandwidth usage, packet rate, packet size, connection rate, connection count, multi-core monitoring, and memory usage.[...]

  • Page 61

    This section contains the following subsections: • “Using the Toolbar” section on page 62 • “Applications Monitor” section on page 63 • “Ingress and Egress Bandwidth Flow” section on page 66 • “Packet Rate Monitor” section on page 68 • “P[...]

  • Page 62

    Using the Toolbar. The Real-Time Monitor Toolbar contains features to specify the refresh rate, export details, configure color palettes, change the amount of data displayed, and pause or play the data flow. Changes made to the toolbar apply across all the data flows. Optio[...]

  • Page 63

    Applications Monitor. The Applications data flow provides a visual representation of the current applications accessing the network. Options are available to Display, Scale, and View the Application interface. Option Widget Description Lock Locks the Display options fo[...]

  • Page 64

    Available Formats. Administrators are able to view the Application flow charts in a bar graph format or flow chart format. The bar graph format displays applications individually, allowing administrators to compare applications. In this graph, the x-axis displays the name of t[...]

  • Page 65

    The flow chart format displays overlapping application data. In this graph, the x-axis displays the current time and the y-axis displays the traffic for each application. The following example is a “Bar Chart” view.[...]

  • Page 66

    Ingress and Egress Bandwidth Flow. The Ingress and Egress Bandwidth data flow provides a visual representation of incoming and outgoing bandwidth traffic. The current percentage of total bandwidth used, average flow of bandwidth traffic, and the minimum and maximum amou[...]

  • Page 67

    Options are available to customize the Display, Scale, and View of the Ingress and Egress Bandwidth interface. Tooltips: Rolling over the interfaces provides tooltips with information about the interface assigned zone, IP address, and current port status. Option Wi[...]

  • Page 68

    Note: The Bandwidth flow charts have no direct correlation to the Application flow charts. Packet Rate Monitor. The Packet Rate Monitor provides the administrator with information on the ingress and egress packet rate in packet per second (pps). This can be configured to [...]

  • Page 69

    Dashboard > Real-Time Monitor 69 SonicOS 5.8.1 Administrator Guide Packet Size Monitor The Packet Size Monitor provides the administrator with information on the ingress and egress packet rate in kilobytes per second (Kps). This can be configured to show packet size by network interface. The graph shows the packet size current avera[...]

  • Page 70

    Dashboard > AppFlow Monitor 70 SonicOS 5.8.1 Administrator Guide Connection Count Monitor The Connection Count data flow provides the administrator a visual representation of “current” total number of connections, “peak” number of connections, and maximum. In this example, the y-axis displays the total number of connections from 0C[...]

  • Page 71

    Dashboard > AppFlow Monitor 71 SonicOS 5.8.1 Administrator Guide This section contains the following subsections: • “Filter Options” section on page 71 • “AppFlow Monitor Tabs” section on page 72 • “AppFlow Monitor Toolbar” section on page 73 • “Group Options” section on page 74 • “AppFlow Monitor Status” secti[...]

  • Page 72

    Dashboard > AppFlow Monitor 72 SonicOS 5.8.1 Administrator Guide AppFlow Monitor Tabs The AppFlow Monitor Tabs contains details about incoming and outgoing network traffic. Each tab provides a faceted view of the network flow. The data is organized by Applications, Users, URLs, Initiators, Responders, Threats, VoIP, VPN, Devices, and C[...]

  • Page 73

    Dashboard > AppFlow Monitor 73 SonicOS 5.8.1 Administrator Guide AppFlow Monitor Toolbar The AppFlow Toolbar allows for customization of the AppFlow Monitor interface. The ability to create rules and add items to filters allows for more application and user control. Different views, pause and play abilities, customizable data intervals and ref[...]

  • Page 74

    Dashboard > AppFlow Monitor 74 SonicOS 5.8.1 Administrator Guide Group Options The Group option sorts data based on the specified group. Each tab contains different grouping options. • The Applications tab can be grouped by: – Application: Displays all traffic generated by individual applications. – Category: Groups all traffic generat[...]

  • Page 75

    Dashboard > AppFlow Monitor 75 SonicOS 5.8.1 Administrator Guide • The VoIP tab can be grouped according to: – Media Type: Groups VoIP flows according to media type. – Caller ID: Groups VoIP flows according to caller ID. • The VPN tab can be grouped according to: – Remote IP Address: Groups VPN flows access according to the remo[...]

  • Page 76

    Dashboard > AppFlow Monitor 76 SonicOS 5.8.1 Administrator Guide AppFlow Monitor Views Three views are available for the AppFlow Monitor: Detailed, Pie Chart, and Flow Chart View. Each view provides the administrator a unique display of incoming, real-time data. List View In the List View, each AppFlow tab is comprised of columns dis[...]

  • Page 77

    Dashboard > AppFlow Monitor 77 SonicOS 5.8.1 Administrator Guide • Information pertaining to the category, threat level, type of technology the item falls under, and other additional information. • Application details are particularly useful when an Administrator does not recognize the name of an Application. Graph View The Graph View [...]

  • Page 78

    Dashboard > AppFlow Monitor 78 SonicOS 5.8.1 Administrator Guide Using Filtering Options Using filtering options allows administrators to reduce the amount of data seen in the AppFlow Monitor. By doing so, administrators can focus on points of interest without distraction from other applications. To use the Filtering Options: Step 1 Log int[...]

  • Page 79

    Dashboard > Threat Reports 79 SonicOS 5.8.1 Administrator Guide Dashboard > Threat Reports This section describes how to use the SonicWALL Threat Reports feature on a SonicWALL security appliance. This chapter contains the following sections: • “SonicWALL Threat Reports Overview” on page 79 • “SonicWALL Threat Reports Configur[...]

  • Page 80

    Dashboard > Threat Reports 80 SonicOS 5.8.1 Administrator Guide What Are Threat Reports? The SonicWALL Threat Reports provides reports of the latest threat protection data from a single SonicWALL appliance and aggregated threat protection data from SonicWALL security appliances deployed globally. The SonicWALL Threat Reports displays[...]

  • Page 81

    Dashboard > Threat Reports 81 SonicOS 5.8.1 Administrator Guide Each report includes a graph of threats blocked over time and a table of the top blocked threats. Reports, which are updated hourly, can be customized to display data for the last 12 hours, 14 days, 21 days, or 6 months. For easier viewing, SonicWALL Threat Reports reports can b[...]

  • Page 82

    Dashboard > Threat Reports 82 SonicOS 5.8.1 Administrator Guide The SonicWALL Threat Reports displays automatically upon successful login to a SonicWALL security appliance. You can access the SonicWALL Threat Reports at any time by navigating to Dashboard > Threat Reports in the left-hand menu. You may see the introductory screen sho[...]

  • Page 83

    Dashboard > Threat Reports 83 SonicOS 5.8.1 Administrator Guide Switching to Global or Appliance-Level View To view SonicWALL Threat Reports global reports, select the radio button next to Global in the top of the Dashboard > Threat Reports screen. To view appliance-level reports, select the radio button next to the appliance serial nu[...]

  • Page 84

    Dashboard > User Monitor 84 SonicOS 5.8.1 Administrator Guide Dashboard > User Monitor The Dashboard > User Monitor page displays details on all user connections to the SonicWALL security appliance.[...]

  • Page 85

    Dashboard > BWM Monitor 85 SonicOS 5.8.1 Administrator Guide Dashboard > BWM Monitor The Dashboard > BWM Monitor page displays per-interface bandwidth management for ingress and egress network traffic. The BWM monitor graphs are available for real-time, highest, high, medium high, medium, medium low, low and lowest policy settings. T[...]

  • Page 86

    Dashboard > Connections Monitor 86 SonicOS 5.8.1 Administrator Guide Viewing Connections The connections are listed in the Connections Monitor table. Filtering Connections Viewed You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Src Interface,[...]

  • Page 87

    Dashboard > Packet Monitor 87 SonicOS 5.8.1 Administrator Guide Dashboard > Packet Monitor Note For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which tab it is accessed through. For detailed o[...]

  • Page 88

    Dashboard > Packet Monitor 88 SonicOS 5.8.1 Administrator Guide The Dashboard > Packet Monitor page is shown below: For an explanation of the status indicators near the top of the page, see “Understanding Status Indicators” on page 159. The other buttons and displays on this page are described in the following sections: • “St[...]

  • Page 89

    Dashboard > Packet Monitor 89 SonicOS 5.8.1 Administrator Guide Step 5 To stop the packet capture, click Stop Capture. You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See “Viewing Captured Packets” on page 89. Starting and Stopping Packet Mirror You can start packet mi[...]

  • Page 90

    Dashboard > Packet Monitor 90 SonicOS 5.8.1 Administrator Guide • Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses. See the table above for definitions of subsystem type abbreviations • Source IP - The source IP address of the packet •[...]

  • Page 91

    Dashboard > Log Monitor 91 SonicOS 5.8.1 Administrator Guide About the Packet Detail Window When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select. About the Hex Dump Window When you click on a packe[...]

  • Page 92

    Dashboard > Log Monitor 92 SonicOS 5.8.1 Administrator Guide[...]

  • Page 93

    SonicOS 5.8.1 Administrator Guide 93 PART 3 Part 3: System[...]

  • Page 94

    94 SonicOS 5.8.1 Administrator Guide[...]

  • Page 95

    95 SonicOS 5.8.1 Administrator Guide CHAPTER 5 Chapter 5: Viewing Status Information System > Status The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWALL security appliance and SonicWALL Security Services licenses. It includes status information about your SonicWALL sec[...]

  • Page 96

    System > Status 96 SonicOS 5.8.1 Administrator Guide Wizards The Wizards button on the System > Status page provides access to the SonicWALL Configuration Wizard, which allows you to easily configure the SonicWALL security appliance using the following sub-wizards: • Setup Wizard - This wizard helps you quickly configure the SonicW[...]

  • Page 97

    System > Status 97 SonicOS 5.8.1 Administrator Guide • Connections - Displays the maximum number of network connections the SonicWALL security appliance can support, the peak number of concurrent connections, and the current number of connections. • Connection Usage - The percentage of the maximum number of connections that are currently[...]

  • Page 98

    System > Status 98 SonicOS 5.8.1 Administrator Guide the Arrow icon displays the System > Licenses page in the SonicWALL Web-based management interface. SonicWALL Security Services and SonicWALL security appliance registration is managed by mysonicwall.com. Refer to “Security Services” on page 1175 for more information on SonicWA[...]

  • Page 99

    System > Status 99 SonicOS 5.8.1 Administrator Guide Note mysonicwall.com registration information is not sold or shared with any other company. You can also register your security appliance at the https://www.mysonicwall.com site by using the Serial Number and Authentication Code displayed in the Security Services section. Click the SonicW[...]

  • Page 100

    System > Status 100 SonicOS 5.8.1 Administrator Guide Registering Your SonicWALL Security Appliance If you already have a mysonicwall.com account, follow these steps to register your security appliance: Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered. Cli[...]

  • Page 101

    101 SonicOS 5.8.1 Administrator Guide CHAPTER 6 Chapter 6: Managing SonicWALL Licenses System > Licenses The System > Licenses page provides links to activate, upgrade, or renew SonicWALL Security Services licenses. From this page in the SonicWALL Management Interface, you can manage all the SonicWALL Security Services licensed for your [...]

  • Page 102

    System > Licenses 102 SonicOS 5.8.1 Administrator Guide Excluding a Node When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group. To exclude a node: Step 1 Select the nod[...]

  • Page 103

    System > Licenses 103 SonicOS 5.8.1 Administrator Guide Manage Security Services Online To activate, upgrade, or renew services, click the link in To Activate, Upgrade, or Renew services, click here. Click the link in To synchronize licenses with mysonicwall.com click here to synchronize your mysonicwall.com account with the Security Servic[...]

  • Page 104

    System > Licenses 104 SonicOS 5.8.1 Administrator Guide Manual Upgrade for Closed Environments If your SonicWALL security appliance is deployed in a high security environment that does not allow direct Internet connectivity from the SonicWALL security appliance, you can enter the encrypted license key information from http://www.mysonicw[...]

  • Page 105

    105 SonicOS 5.8.1 Administrator Guide CHAPTER 7 Chapter 7: Viewing Support Services System > Support Services The System > Support Services page displays a summary of the current status of support services for the SonicWALL security appliance. The Service Status table displays all support services for the appliance (Dynamic Support, Ext[...]

  • Page 106

    System > Support Services 106 SonicOS 5.8.1 Administrator Guide[...]

  • Page 107

    107 SonicOS 5.8.1 Administrator Guide CHAPTER 8 Chapter 8: Configuring Administration Settings System > Administration The System Administration page provides settings for the configuration of SonicWALL security appliance for secure and remote management. You can manage the SonicWALL using a variety of methods, including HTTPS, SNMP or Son[...]

  • Page 108

    System > Administration 108 SonicOS 5.8.1 Administrator Guide Changing the Administrator Password To set a new password for SonicWALL Management Interface access, type the old password in the Old Password field, and the new password in the New Password field. Type the new password again in the Confirm New Password field and click Accept. Onc[...]

  • Page 109

    System > Administration 109 SonicOS 5.8.1 Administrator Guide Internet Explorer, go to Tools > Internet Options, click on the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options, click on the Advanced tab, and then click on the Encryption tab. SonicOS Enhanced 5.0 introduced password constr[...]

  • Page 110

    System > Administration 110 SonicOS 5.8.1 Administrator Guide Tip If the Administrator Inactivity Timeout is extended beyond five minutes, you should end every management session by clicking Logout to prevent unauthorized access to the SonicWALL security appliance’s Management Interface. The Enable administrator/user lockout setting locks a[...]

  • Page 111

    System > Administration 111 SonicOS 5.8.1 Administrator Guide Web Management Settings The SonicWALL security appliance can be managed using HTTP or HTTPS and a Web browser. HTTP web-based management is disabled by default. Use HTTPS to log into the SonicOS management interface with factory default settings. If you wish to use HTTP managemen[...]

  • Page 112

    System > Administration 112 SonicOS 5.8.1 Administrator Guide Changing the Default Size for SonicWALL Management Interface Tables The SonicWALL Management Interface allows you to control the display of large tables of information across all tables in the management Interface. You can change the default table page size in all tables displaye[...]

  • Page 113

    System > Administration 113 SonicOS 5.8.1 Administrator Guide The behavior of the Tooltips can be configured on the System > Administration page. Tooltips are enabled by default. To disable Tooltips, uncheck the Enable Tooltip checkbox. The duration of time before Tooltips display can be configured: • Form Tooltip Delay - Duration[...]

  • Page 114

    System > Administration 114 SonicOS 5.8.1 Administrator Guide Enabling SNMP Management SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL security appliance and receive notification of critical events as they occur o[...]

  • Page 115

    System > Administration 115 SonicOS 5.8.1 Administrator Guide Configuring SNMP as a Service and Adding Rules By default, SNMP is disabled on the SonicWALL security appliance. To enable SNMP you must first enable SNMP on the System > Administration page, and then enable it for individual interfaces. To do this, go to the Network > Interf[...]

  • Page 116

    System > Administration 116 SonicOS 5.8.1 Administrator Guide the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window. • Existing Tunnel - If this option is selected, the GMS server and the SonicWALL security appli[...]

  • Page 117

    System > Administration 117 SonicOS 5.8.1 Administrator Guide • HTTPS - If this option is selected, HTTPS management is allowed from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWALL security appliance also sends encrypted syslog packets and SNMP traps using 3DES and the SonicWALL security applian[...]

  • Page 118

    System > Administration 118 SonicOS 5.8.1 Administrator Guide not have Internet access, or has access only through a proxy server, you must manually specify a URL for the SonicPoint firmware. You do not need to include the http:// prefix, but you do need to include the filename at the end of the URL. The filename should[...]

  • Page 119

    119 SonicOS 5.8.1 Administrator Guide CHAPTER 9 Chapter 9: Managing Certificates System > Certificates To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL security appliance to vali[...]

  • Page 120

    System > Certificates 120 SonicOS 5.8.1 Administrator Guide (DN), validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature. SonicWALL security appliances interoperate with any X.509v[...]

  • Page 121

    System > Certificates 121 SonicOS 5.8.1 Administrator Guide • Details - the details of the certificate. Moving the pointer over the icon displays the details of the certificate. • Configure - Displays the edit and delete icons for editing or deleting a certificate entry. – Also displays the Import icon to import either certificate revoc[...]

  • Page 122

    System > Certificates 122 SonicOS 5.8.1 Administrator Guide Importing a Certificate Authority Certificate To import a certificate from a certificate authority, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file [...]

  • Page 123

    System > Certificates 123 SonicOS 5.8.1 Administrator Guide Importing a Local Certificate To import a local certificate, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Enter a certificate name in the Certificate Name field. Step 3 Enter the password used by your Certificate Authority to encrypt[...]

  • Page 124

    System > Certificates 124 SonicOS 5.8.1 Administrator Guide To generate a local certificate, follow these steps: Step 1 Click the New Signing Request button. The Certificate Signing Request window is displayed. Step 2 In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field. S[...]

  • Page 125

    System > Certificates 125 SonicOS 5.8.1 Administrator Guide Configuring Simple Certificate Enrollment Protocol The Simple Certificate Enrollment Protocol (SCEP) is designed to support the secure issuance of certificates to network devices in a scalable manner. There are two enrollment scenarios for SCEP: • SCEP server CA automatically issu[...]

  • Page 126

    System > Certificates 126 SonicOS 5.8.1 Administrator Guide[...]

  • Page 127

    127 SonicOS 5.8.1 Administrator Guide CHAPTER 10 Chapter 10: Configuring Time Settings System > Time The System > Time page defines the time and date settings to time stamp log events, to automatically update SonicWALL Security Services, and for other internal purposes. By default, the SonicWALL security appliance uses an internal list [...]

  • Page 128

    System > Time 128 SonicOS 5.8.1 Administrator Guide If you want to set your time manually, uncheck Set time automatically using NTP. Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus. Selecting Display UTC in logs (instead of local time) specifies the use of universal time (UTC) rather than lo[...]

  • Page 129

    129 SonicOS 5.8.1 Administrator Guide CHAPTER 11 Chapter 11: Setting Schedules System > Schedules The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicWALL security appliance features.[...]

  • Page 130

    System > Schedules 130 SonicOS 5.8.1 Administrator Guide The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the edit icon in the Configure column to display the Edit Sched[...]

  • Page 131

    System > Schedules 131 SonicOS 5.8.1 Administrator Guide Adding a Schedule To create schedules, click Add. The Add Schedule window is displayed. Step 1 Enter a descriptive name for the schedule in the Name field. Step 2 Select one of the following radio buttons for Schedule type: • Once – For a one-time schedule between the configured [...]

  • Page 132

    System > Schedules 132 SonicOS 5.8.1 Administrator Guide Step 6 Under Recurring, type in the time of day for the schedule to begin in the Start field. The time must be in 24-hour format, for example, 17:00 for 5 p.m. Step 7 Under Recurring, type in the time of day for the schedule to stop in the Stop field. The time must be in 24-hour form[...]

  • Page 133

    133 SonicOS 5.8.1 Administrator Guide CHAPTER 12 Chapter 12: Managing SonicWALL Security Appliance Firmware System > Settings This System > Settings page allows you to manage your SonicWALL security appliance’s SonicOS versions and preferences.[...]

  • Page 134

    System > Settings 134 SonicOS 5.8.1 Administrator Guide Settings Import Settings To import a previously saved preferences file into the SonicWALL security appliance, follow these instructions: Step 1 Click Import Settings to import a previously exported preferences file into the SonicWALL security appliance. The Import Settings window is [...]

  • Page 135

    System > Settings 135 SonicOS 5.8.1 Administrator Guide Firmware Management The Firmware Management section provides settings that allow for easy firmware upgrade and preferences management. The Firmware Management section allows you to: • Upload and download firmware images and system settings. • Boot to your choice of firmware and system [...]

  • Page 136

    System > Settings 136 SonicOS 5.8.1 Administrator Guide • Size - the size of the firmware file in Mebibytes (MiB). • Download - clicking the icon saves the firmware file to a new location on your computer or network. Only uploaded firmware can be saved to a different location. • Boot - clicking the icon reboots the SonicWALL security app[...]

  • Page 137

    System > Settings 137 SonicOS 5.8.1 Administrator Guide After the SonicWALL security appliance reboots, open your Web browser and enter the current IP address of the SonicWALL security appliance or the default IP address: 192.168.168.168. The SafeMode page is displayed: SafeMode allows you to do any of the following: • Upload and download[...]

  • Page 138

    System > Settings 138 SonicOS 5.8.1 Administrator Guide Caution Only select the Boot with firmware diagnostics enabled (if available) option if instructed to by SonicWALL technical support. Firmware Auto-Update SonicOS Enhanced 5.2 release introduces the Firmware Auto-Update feature, which helps ensure that your SonicWALL security applianc[...]

  • Page 139

    139 SonicOS 5.8.1 Administrator Guide CHAPTER 13 Chapter 13: Using the Packet Monitor System > Packet Monitor Note For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which tab it is accessed through.[...]

  • Page 140

    System > Packet Monitor 140 SonicOS 5.8.1 Administrator Guide • Interface identification • MAC addresses • Ethernet type • Internet Protocol (IP) type • Source and destination IP addresses • Port numbers • L2TP payload details • PPP negotiations details You can configure the packet monitor feature in the SonicOS Enhanced manag[...]

  • Page 141

    System > Packet Monitor 141 SonicOS 5.8.1 Administrator Guide Default settings are provided so that you can start using packet monitor without configuring it first. The basic functionality is as follows: Start: Click Start Capture to begin capturing all packets except those used for communication between the SonicWALL appliance and th[...]

  • Page 142

    System > Packet Monitor 142 SonicOS 5.8.1 Administrator Guide Refer to the figure below to see a high level view of the packet monitor subsystem. This shows the different filters and how they are applied. What is Packet Mirror? Packet mirroring is the process of sending a copy of packets seen on one interface to another interface or to a remo[...]

  • Page 143

    System > Packet Monitor 143 SonicOS 5.8.1 Administrator Guide • Encapsulate the packet and send it to a remote SonicWALL appliance. • Send a copy to a physical port with a VLAN configured. Classification is performed on the Monitor Filter and Advanced Monitor Filter tab of the Packet Monitor Configuration window. A local Sonicwall firewa[...]

  • Page 144

    System > Packet Monitor 144 SonicOS 5.8.1 Administrator Guide Step 2 In the Packet Monitor Configuration window, click the Settings tab. Step 3 Under General Settings in the Number of Bytes To Capture (per packet) box, type the number of bytes to capture from each packet. The minimum value is 64. Step 4 To continue capturing packets af [...]

  • Page 145

    System > Packet Monitor 145 SonicOS 5.8.1 Administrator Guide To configure the general settings, perform the following steps: Step 1 Navigate to the Firewall > Access Rules page and click Configure icon for the rule(s) you wish to enable packet monitoring or flow reporting on. Step 2 Select the Enable packet monitor checkbox to send pac[...]

  • Page 146

    System > Packet Monitor 146 SonicOS 5.8.1 Administrator Guide Step 2 In the Packet Monitor Configuration window, click the Monitor Filter tab. Step 3 Choose to Enable filter based on the firewall/app rule if you are using firewall rules to capture specific traffic. Note Before the Enable filter based on the firewall/app rule option is selec[...]

  • Page 147

    System > Packet Monitor 147 SonicOS 5.8.1 Administrator Guide specified; for example: !TCP, !UDP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See “Supported Packet Types” on page 162. • Source IP Address(es) - You can specify up to t[...]

  • Page 148

    System > Packet Monitor 148 SonicOS 5.8.1 Administrator Guide To configure Packet Monitor display filter settings, complete the following steps: Step 1 Navigate to the Dashboard > Packet Monitor page and click Configure. Step 2 In the Packet Monitor Configuration window, click the Display Filter tab. Step 3 In the Interface Name(s) box[...]

  • Page 149

    System > Packet Monitor 149 SonicOS 5.8.1 Administrator Guide Step 7 In the Source Port(s) box, type the port numbers from which you want to display packets, or use the negative format (!25) to display packets captured from all source ports except those specified. Step 8 In the Destination IP Address(es) box, type the IP addresses for whi[...]

  • Page 150

    System > Packet Monitor 150 SonicOS 5.8.1 Administrator Guide Step 2 In the Packet Monitor Configuration window, click the Logging tab. Step 3 In the FTP Server IP Address box, type the IP address of the FTP server. Note Make sure that the FTP server IP address is reachable by the SonicWALL appliance. An IP address that is reachable only vi [...]

  • Page 151

    System > Packet Monitor 151 SonicOS 5.8.1 Administrator Guide Restarting FTP Logging If automatic FTP logging is off, either because of a failed connection or simply disabled, you can restart it in Configure > Logging. Step 1 Navigate to the Dashboard > Packet Monitor page and click Configure. Step 2 In the Packet Monitor Configuration[...]

  • Page 152

    System > Packet Monitor 152 SonicOS 5.8.1 Administrator Guide Even when other monitor filters do not match, this option ensures that packets generated by the SonicWALL appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing protocols. Captured packets are marked with ‘s’ in the [...]

  • Page 153

    System > Packet Monitor 153 SonicOS 5.8.1 Administrator Guide Configuring Mirror Settings This section describes how to configure Packet Monitor mirror settings. Mirror settings provide a way to send packets to a different physical port of the same firewall or to send packets to, or receive them from, a remote SonicWALL firewall. To confi[...]

  • Page 154

    System > Packet Monitor 154 SonicOS 5.8.1 Administrator Guide Step 7 In the Encrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the pre-shared key to be used to encrypt traffic when sending mirrored packets to the remote SonicWALL. Configuring this field enables an IPSec transport mode tunnel between this appliance [...]

  • Page 155

    System > Packet Monitor 155 SonicOS 5.8.1 Administrator Guide The Dashboard > Packet Monitor page is shown below: For an explanation of the status indicators near the top of the page, see “Understanding Status Indicators” on page 159. The other buttons and displays on this page are described in the following sections: • “Sta[...]

  • Page 156

    System > Packet Monitor 156 SonicOS 5.8.1 Administrator Guide Step 5 To stop the packet capture, click Stop Capture. You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See “Viewing Captured Packets” on page 156. Starting and Stopping Packet Mirror You can start packet mirr[...]

  • Page 157

    System > Packet Monitor 157 SonicOS 5.8.1 Administrator Guide • Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses. See the table above for definitions of subsystem type abbreviations • Source IP - The source IP address of the packet •[...]

  • Page 158

    System > Packet Monitor 158 SonicOS 5.8.1 Administrator Guide About the Packet Detail Window When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select. About the Hex Dump Window When you click on a packet[...]

  • Page 159

    System > Packet Monitor 159 SonicOS 5.8.1 Administrator Guide Verifying Packet Monitor Activity This section describes how to tell if your packet monitor, mirroring, or FTP logging is working correctly according to the configuration. It contains the following sections: • “Understanding Status Indicators” on page 159 • “Clearing the[...]

  • Page 160

    System > Packet Monitor 160 SonicOS 5.8.1 Administrator Guide Mirroring Status There are three status indicators for packet mirroring: Local mirroring – Packets sent to another physical interface on the same SonicWALL For local mirroring, the status indicator shows one of the following three conditions: • Red – Mirroring is off • Gree[...]

  • Page 161

    FTP Logging Status The FTP logging status indicator shows one of the following three conditions: • Red – Automatic FTP logging is off • Green – Automatic FTP logging is on • Yellow – The last attempt to contact the FTP server failed, and logging is now off To restart [...]

  • Page 162

    Related Information This section contains the following: • “Supported Packet Types” on page 162 • “File Formats for Export As” on page 162 Supported Packet Types When specifying the Ethernet or IP packet types that you want to monitor or display, you can use either th[...]

  • Page 163

    Examples of the Html and Text formats are shown in the following sections: • “HTML Format” on page 163 • “Text File Format” on page 164 HTML Format You can view the HTML format in a browser. The following is an example showing the header and part of the data for the f[...]

  • Page 164

    Text File Format You can view the text format output in a text editor. The following is an example showing the header and part of the data for the first packet in the buffer.[...]

  • Page 165

    Chapter 14: Using Diagnostic Tools & Restarting the Appliance System > Diagnostics The System > Diagnostics page provides several diagnostic tools which help troubleshoot network problems as well as Active Connections, CPU and Process Monitors.[...]

  • Page 166

    Tech Support Report The Tech Support Report generates a detailed report of the SonicWALL security appliance configuration and status, and saves it to the local hard disk using the Download Report button. This file can then be e-mailed to SonicWALL Technical Support to help assist [...]

  • Page 167

    Diagnostic Tools You select the diagnostic tool from the Diagnostic Tool drop-down list in the Diagnostic Tool section of the System > Diagnostics page. The following diagnostic tools are available: • “Check Network Settings” on page 168 • “Connections Monitor” on page[...]

  • Page 168

    Check Network Settings Check Network Settings is a diagnostic tool which automatically checks the network connectivity and service availability of several pre-defined functional areas of SonicOS, returns the results, and attempts to describe the causes if any exceptions are detecte[...]

  • Page 169

    The Check Network Settings tool is dependent on the Network Monitor feature available on the Network > Network Monitor page of the SonicOS management interface. Whenever the Check Network Settings tool is being executed (except during the Content Filter test), a corresponding Networ[...]

  • Page 170

    Active Connections Monitor Settings You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Src Interface, and Dst Interface. Enter your filter criteria in the Active Connections [...]

  • Page 171

    Multi-Core Monitor The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the SonicWALL security appliances. Core 0 handles the control plane. The control plane processes all web server requests for the SonicOS UI as well as functio[...]

  • Page 172

    Core Monitor The Core Monitor displays dynamically updated statistics on the utilization of a single specified core on the SonicWALL NSA E-Class series security appliances. The View Style provides a wide range of time intervals that can be displayed to review core usage. Note High [...]

  • Page 173

    CPU Monitor The CPU Monitor diagnostic tool shows real-time CPU utilization in second, minute, hour, and day intervals (historical data does not persist across reboots). The CPU Monitor is only included on single core SonicWALL security appliances. The multi-core appliances displa[...]

  • Page 174

    Link Monitor The Link Monitor displays bandwidth utilization for the interfaces on the SonicWALL security appliance. Bandwidth utilization is shown as a percentage of total capacity. The Link Monitor can be configured to display inbound traffic, outbound traffic or both for each of[...]

  • Page 175

    DNS Name Lookup The SonicWALL security appliance has a DNS lookup tool that returns the IP address of a domain name. Or, if you enter an IP address, it returns the domain name for that address. Step 1 Enter the host name or IP address in the Look up name field. Do not add http to the[...]

  • Page 176

    Core 0 Process Monitor The Core 0 Process Monitor shows the individual system processes on core 0, their CPU utilization, and their system time. The Core 0 process monitor is only available on the multi-core NSA E-Class appliances. Real-Time Black List Lookup The Real-Time Black List [...]

  • Page 177

    Reverse Name Resolution The Reverse Name Resolution tool is similar to the DNS name lookup tool, except that it looks up a server name, given an IP address. Enter an IP address in the Reverse Lookup the IP Address field, and it checks all DNS servers configured for your security applianc[...]

  • Page 178

    the output is displayed under Result. The results include the domain name or IP address that you entered, the DNS server from your list that was used, the resolved email server domain name and/or IP address, and the banner received from the domain server or a message that the connect[...]

  • Page 179

    User Monitor The User Monitor tool displays details on all user connections to the SonicWALL security appliance. The following options can be configured to modify the User Monitor display: • View Style – Select whether to display the Last 30 Minutes, the Last 24 Hours, or the Las[...]

  • Page 180

    • Show – Select whether to show All Users, Remote Users with GVC/L2TP Client, or Users Authenticated by Web Login. System > Restart The SonicWALL security appliance can be restarted from the Web Management interface. Click System > Restart to display the Restart page. Click[...]

  • Page 181

    Part 4: Network[...]

  • Page 182

    182 SonicOS 5.8.1 Administrator Guide[...]

  • Page 183

    Chapter 15: Configuring Interfaces Network > Interfaces The Network > Interfaces page includes interface objects that are directly linked to physical interfaces. The SonicOS Enhanced scheme of interface addressing works in conjunction with network zones and address objects. The interfaces d[...]

  • Page 184

    • “IPS Sniffer Mode” on page 214 • “Configuring Interfaces” on page 219 • “Configuring Layer 2 Bridge Mode” on page 247 • “Configuring IPS Sniffer Mode” on page 258 • “Configuring Wire Mode” on page 262 Setup Wizard The Setup Wizard button accesses the Set[...]

  • Page 185

    • Configure - click the Configure icon to display the Edit Interface window, which allows you to configure the settings for the specified interface. Interface Traffic Statistics The Interface Traffic Statistics table lists received and transmitted information for all configured i[...]

  • Page 186

    Physical Interfaces Physical interfaces must be assigned to a zone to allow for configuration of Access Rules to govern inbound and outbound traffic. Security zones are bound to each physical interface where it acts as a conduit for inbound and outbound traffic. If there is no interf[...]

  • Page 187

    Subinterfaces VLAN support on SonicOS Enhanced is achieved by means of subinterfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own subinterface. For reasons of security and control, SonicOS does not participate in any VLAN t[...]

  • Page 188

    Zones are the hierarchical apex of SonicOS Enhanced’s secure objects architecture. SonicOS Enhanced includes predefined zones and also allows you to define your own zones. Predefined zones include LAN, DMZ, WAN, WLAN, and Custom. Zones can include multiple interfaces, however,[...]

  • Page 189

    You can also use L2 Bridge Mode in a High Availability deployment. This scenario is explained in the “Layer 2 Bridge Mode with High Availability” section on page 209. See the following sections: • “Key Features of SonicOS Enhanced Layer 2 Bridge Mode” on page 189 • “[...]

  • Page 190

    Key Concepts to Configuring L2 Bridge Mode and Transparent Mode The following terms will be used when referring to the operation and configuration of L2 Bridge Mode: • L2 Bridge Mode – A method of configuring SonicWALL security appliance, which enables the SonicWALL to be inserted[...]

  • Page 191

    does not preclude an interface from conventional behavior; for example, if X1 is configured as a Primary Bridge Interface paired to X3 as a Secondary Bridge Interface, X1 can simultaneously operate in its traditional role as the Primary WAN, performing NAT for Internet-bound traffic[...]

  • Page 192

    – Wireless services with SonicPoints, where communications will occur between wireless clients and hosts on the Bridge-Pair. Comparing L2 Bridge Mode to Transparent Mode This comparison of L2 Bridge Mode to Transparent Mode contains the following sections: • “ARP in Transp[...]

  • Page 193

    interface or through a reboot. Once the router’s ARP cache is cleared, it can then send a new ARP request for 192.168.0.100, to which the SonicWALL will respond with its X1 MAC 00:06:B1:10:10:11. VLAN Support in Transparent Mode While the network depicted in the above diagram is s[...]

  • Page 194

    Simple Transparent Mode Topology ARP in L2 Bridge Mode L2 Bridge Mode employs a learning bridge design where it will dynamically determine which hosts are on which interface of an L2 Bridge (referred to as a Bridge-Pair). ARP is passed through natively, meaning that a host communicati[...]

  • Page 195

    VLAN Support in L2 Bridge Mode On SonicWALL NSA series appliances, L2 Bridge Mode provides fine control over 802.1Q VLAN traffic traversing an L2 Bridge. The default handling of VLANs is to allow and preserve all 802.1Q VLAN tags as they pass through an L2 Bridge, while still applying[...]

  • Page 196

    – If the VLAN ID is allowed, the packet is de-capsulated, the VLAN ID is stored, and the inner packet (including the IP header) is passed through the full packet handler. 3. Since any number of subnets is supported by L2 Bridging, no source IP spoof checking is performed on the so[...]

  • Page 197

    Multiple Subnets in L2 Bridge Mode L2 Bridge Mode is capable of handling any number of subnets across the bridge, as described above. The default behavior is to allow all subnets, but Access Rules can be applied to control traffic as needed. Non-IPv4 Traffic in L2 Bridge Mode Unsup[...]

  • Page 198

    Subnets supported Any number of subnets is supported. Firewall Access Rules can be written to control traffic to/from any of the subnets as needed. In its default configuration, Transparent Mode only supports a single subnet (that which is assigned to, and spanned from the Primary [...]

  • Page 199

    Benefits of Transparent Mode over L2 Bridge Mode The following are circumstances in which Transparent Mode might be preferable over L2 Bridge Mode: • Two interfaces are the maximum allowed in an L2 Bridge Pair. If more than two interfaces are required to operate on the same subne[...]

  • Page 200

    L2 Bridge Path Determination Packets received by the SonicWALL on Bridge-Pair interfaces must be forwarded along to the appropriate and optimal path toward their destination, whether that path is the Bridge-Partner, some other physical or sub interface, or a VPN tunnel. Similarly [...]

  • Page 201

    L2 Bridge Interface Zone Selection Bridge-Pair interface zone assignment should be done according to your network’s traffic flow requirements. Unlike Transparent Mode, which imposes a system of “more trusted to less trusted” by requiring that the source interface be the Primary [...]

  • Page 202

    Based on the source and destination, the packet’s directionality is categorized as either Incoming or Outgoing (not to be confused with Inbound and Outbound), where the following criteria are used to make the determination: Table data is subject to change. In addition to this categor[...]

  • Page 203

    Access Rule Defaults Default, zone-to-zone Access Rules. The default Access Rules should be considered, although they can be modified as needed. The defaults are as follows: WAN Connectivity Internet (WAN) connectivity is required for stack communications, such as licensing, security [...]

  • Page 204

    See the following sections: • “Wireless Layer 2 Bridge” on page 204 • “Inline Layer 2 Bridge Mode” on page 205 • “Perimeter Security” on page 207 • “Internal Security” on page 208 • “Layer 2 Bridge Mode with High Availability” on page 209 • “Layer 2 Bri[...]

  • Page 205

    To configure a WLAN to LAN Layer 2 interface bridge: Step 1 Navigate to the Network > Interfaces page in the SonicOS management interface. Step 2 Click the Configure icon for the wireless interface you wish to bridge. The Edit Interface window displays. Step 3 Select Layer 2 Brid[...]

  • Page 206

    HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages can be used to manage the switches as well as some aspects of the SonicWALL UTM appliance. To configure the SonicWALL appliance for this scenario, navigate to the Network > Interfa[...]

  • Page 207

    Perimeter Security The following diagram depicts a network where the SonicWALL is added to the perimeter for the purpose of providing security services (the network may or may not have an existing firewall between the SonicWALL and the router). In this scenario, everything below the So[...]

  • Page 208

    Internal Security This diagram depicts a network where the SonicWALL will act as the perimeter security device and secure wireless platform. Simultaneously, it will provide L2 Bridge security between the workstation and server segments of the network without having to readdress any [...]

  • Page 209

    b. Security services directionality would be classified as Outgoing for traffic from the Workstations to the Server since the traffic would have a Trusted source zone and a Public destination zone. This might be sub-optimal since it would provide less scrutiny than the Incoming or[...]

  • Page 210

    When setting up this scenario, there are several things to take note of on both the SonicWALLs and the switches. On the SonicWALL appliances: • Do not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridge Mode configuration, this function is not use[...]

  • Page 211

    On the Firewall > Access Rules page, click the Configure icon for the intersection of WAN to LAN traffic. Click the Configure icon next to the default rule that implicitly blocks uninitiated traffic from the WAN to the LAN. In the Edit Rule window, select Allow for the Action setti[...]

  • Page 212

    For the Management setting, select the HTTPS and Ping check boxes. Click OK to save and activate the changes. To configure the LAN interface settings, navigate to the Network > Interfaces page and click the Configure icon for the LAN interface. For the IP Assignment setting, selec[...]

  • Page 213

    Click OK to save and activate the change. You may be automatically disconnected from the UTM appliance’s management interface. You can now disconnect your management laptop or desktop from the UTM appliance’s X0 interface and power the UTM appliance off before physically connecti[...]

  • Page 214

    Configure or verify settings From a management station inside your network, you should now be able to access the management interface on the UTM appliance using its WAN IP address. Make sure that all security services for the SonicWALL UTM appliance are enabled. See “Licensing Ser[...]

  • Page 215

    The WAN interface of the SonicWALL is used to connect to the SonicWALL Data Center for signature updates or other data. In IPS Sniffer Mode, a Layer 2 Bridge is configured between two interfaces in the same zone on the SonicWALL, such as LAN-LAN or DMZ-DMZ. You can also create a [...]

  • Page 216

    checkbox should also be selected for IPS Sniffer Mode to ensure that the traffic from the mirrored switch port is not sent back out onto the network. (The Never route traffic on this bridge-pair setting is known as Captive-Bridge Mode.) For detailed instructions on configuring inter[...]

  • Page 217

    Sample IPS Sniffer Mode Topology This section provides an example topology that uses SonicWALL IPS Sniffer Mode in a Hewlett Packard ProCurve switching environment. This scenario relies on the ability of HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server [...]

  • Page 218

    To configure this deployment, navigate to the Network > Interfaces page and click on the configure icon for the X2 interface. On the X2 Settings page, set the IP Assignment to ‘Layer 2 Bridged Mode’ and set the Bridged To: interface to ‘X0’. Select the checkbox for Only s[...]

  • Page 219

    Configuring Interfaces This section is divided into: • “Configuring the Static Interfaces” on page 219 • “Configuring Interfaces in Transparent Mode” on page 221 • “Configuring Wireless Interfaces” on page 223 • “Configuring a WAN Interface” on page 225 •[...]

  • Page 220

    Note The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address. Configuring Advanced Settings for the Interface If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Etherne[...]

  • Page 221

    Configuring Interfaces in Transparent Mode Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. To configure an interface for transparent mode, complete the following steps: Step 1 Click on the Configure icon in the Confi[...]

  • Page 222

    c. Enter the IP address of the host, the beginning and ending address of the range, or the IP address and subnet mask of the network. d. Click OK to create the address object and return to the Edit Interface window. See “Network > Address Objects” on page 299 for more informat[...]

  • Page 223

    Configuring Wireless Interfaces A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points. Step 1 Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit[...]

  • Page 224

    Note The above table depicts the maximum subnet mask sizes allowed. You can still use class-full subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24-bit class C - 255[...]

  • Page 225

    On SonicWALL NSA series appliances, select the Enable 802.1p tagging checkbox to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p [...]

  • Page 226

    • L2TP - uses IPsec to connect a L2TP (Layer 2 Tunneling Protocol) server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations. Note For Windows clients, L2TP is supported by Windows 2000 and Windows [...]

  • Page 227

    Ethernet Settings If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because th[...]

  • Page 228

    Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second. Note The Band[...]

  • Page 229

    If you are using PPPoE, a Client Settings section displays in the Protocol tab: Step 3 If you want PPPoE to disconnect after a specific time period, click the Inactivity Disconnect checkbox and enter the time period (in minutes). Step 4 If you want to use LCP echo packets for server [...]

  • Page 230

    Configuring the ADSL Expansion Module ADSL is an acronym for Asymmetric Digital Subscriber Line (or Loop). The line is asymmetric because, when connected to the ISP, the upstream and downstream speeds of transmission are different. The DSL technology allows non-voice services (data) [...]

  • Page 231

    The ADSL interface is never unassigned. When plugged in, it is always present in the WAN zone and zone assignment cannot be modified by the administrator. Click on the Configure icon to the right of the interface entry. You will see a menu with three tabs: General, Advanced, and DSL S[...]

  • Page 232

    When the ADSL module is first plugged in, it should be added to the WAN Load Balancing default group so that the ADSL module can be used to handle default route traffic. Go to the Failover and LB screen and click the Configure icon to edit the settings.[...]

  • Page 233

    On the General menu, add the ADSL interface to the Load Balancing group. If the default primary WAN, X1, is unused or unconfigured, it can be removed for a cleaner interface configuration. When done, click OK, and the ADSL module will be added to the group. Configuring the T1/E1 Mod[...]

  • Page 234

    To configure the T1/E1 Module, perform the following tasks: Step 1 Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed. The General tab allows you to set up the type of encapsulation: P[...]

  • Page 235

    If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is l[...]

  • Page 236

    Step 9 Line Build Out is available with T1. The options are: 0.0 dB, -7.5 dB, -15 dB, -22.5 dB. CRC is configured with an enable/disable check-box. When T1 is selected, the check-box is labeled CRC6; when E1 is selected the check-box is labeled CRC4. You can also choose to enable mul[...]

  • Page 237

    Configuring the 2 Port SFP or 4 Port Gigabit Ethernet Modules (NSA 2400MX and NSA 250M) Step 1 Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed. Step 2 If you’re configuring an Una[...]

  • Page 238

    Configuring the Advanced Settings for the Module Interface The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, enabling multicast support on the interface, and enabling 802.1p tagging. Packets sent out with 802.1p tagging [...]

  • Page 239

    Link Aggregation Link Aggregation is used to increase the available bandwidth between the firewall and a switch by aggregating up to four interfaces into a single aggregate link, referred to as a Link Aggregation Group (LAG). All ports in an aggregate link must be connected to the sam[...]

  • Page 240

    2. Click on the Advanced tab. 3. In the Redundant/Aggregate Ports pulldown menu, select Link Aggregation. 4. The Aggregate Port option is displayed with a checkbox for each of the currently unassigned interfaces on the firewall. Select up to three other interfaces to assign to the LA[...]

  • Page 241

    Port Redundancy Failover SonicWALL provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Port Redundancy. If all three of these features are configured on a fire[...]

  • Page 242

    Configuring Routed Mode Routed Mode provides an alternative for NAT for routing traffic between separate public IP address ranges. Consider the following topology where the firewall is routing traffic across two public IP address ranges: • 10.50.26.0/24 • 172.16.6.0/24 By enabl[...]

  • Page 243

    3. Under the Expert Mode Settings heading, select the Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation checkbox to enable Routed Mode for the interface. 4. In the Set NAT Policy's outbound\inbound interface to pulldown menu, select the WAN interface that i[...]

  • Page 244

    Configuring SonicWALL PortShield Interfaces PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has [...]

  • Page 245

    To configure a PortShield interface, perform the following steps: Step 1 Click on the Network > Interfaces page. Step 2 Click the Configure button for the interface you want to configure. The Edit Interface window displays. Step 3 In the Zone pulldown menu, select on a zone type[...]

  • Page 246

    Note You can add PortShield interfaces only to Trusted, Public, and Wireless zones. Step 4 In the IP Assignment pulldown menu, select PortShield Switch Mode. Step 5 In the PortShield to pulldown menu, select the interface you want to map this port to. Only ports that match the zon[...]

  • Page 247

    Step 6 Configure the subinterface network settings based on the zone you selected. See the interface configuration instructions earlier in this chapter: – “Configuring the Static Interfaces” on page 219 – “Configuring Advanced Settings for the Interface” on page 220 –[...]

  • Page 248

    • Apply security services to the appropriate zones Configuring the Common Settings for L2 Bridge Mode Deployments The following settings need to be configured on your SonicWALL UTM appliance prior to using it in most of the Layer 2 Bridge Mode topologies. Licensing Services When the a[...]

  • Page 249

    Then, click the Configure button. On the SNMP Settings page, enter all the relevant information for your UTM appliance: the GET and TRAP SNMP community names that the SNMP server expects, and the IP address of the SNMP server. Click OK to save and activate the changes. Enabling SNMP[...]

  • Page 250

    Network > Interfaces 250 SonicOS 5.8.1 Administrator Guide Enabling Syslog On the Log > Syslog page, click on the Add button and create an entry for the syslog server. Click OK to save and activate the change. Activating UTM Services on Each Zone On the Network > Zones page, for each zone you will be using, make sure that the UTM servic[...]

  • Page 251

    Network > Interfaces 251 SonicOS 5.8.1 Administrator Guide An example of the Intrusion Prevention settings is shown below: An example of the Anti-Spyware settings is shown below:[...]

  • Page 252

    Network > Interfaces 252 SonicOS 5.8.1 Administrator Guide Creating Firewall Access Rules If you plan to manage the appliance from a different zone, or if you will be using a server such as the HP PCM+/NIM server for management, SNMP, or syslog services, create access rules for traffic between the zones. On the Firewall > Access Rules pa[...]

  • Page 253

    Network > Interfaces 253 SonicOS 5.8.1 Administrator Guide Configuring Wireless Zone Settings In the case where you are using a HP PCM+/NIM system, if it will be managing a HP ProCurve switch on an interface assigned to a WLAN/Wireless zone, you will need to deactivate two features, otherwise you will not be able to manage the switch. Go to the[...]

  • Page 254

    Network > Interfaces 254 SonicOS 5.8.1 Administrator Guide Configuring the Primary Bridge Interface Step 1 Select the Network tab, Interfaces folder from the navigation panel. Step 2 Click the Configure icon in the right column of the X1 (WAN) interface. Step 3 Configure the interface with a Static IP address (e.g. 192.168.0.12). Note Th[...]

  • Page 255

    Network > Interfaces 255 SonicOS 5.8.1 Administrator Guide Configuring the Secondary Bridge Interface Step 1 On the Network > Interfaces page, click the Configure icon in the right column of the X0 (LAN) interface. Step 2 In the IP Assignment drop-down list, select Layer 2 Bridged Mode. Step 3 In the Bridged to drop-down list, select th[...]

  • Page 256

    Network > Interfaces 256 SonicOS 5.8.1 Administrator Guide – Transformations and flow analysis (on SonicWALL NSA series appliances): H.323, SIP, RTSP, ILS/LDAP, FTP, Oracle, NetBIOS, Real Audio, TFTP – IPS and GAV At this point, if the packet has been validated as acceptable traffic, it is forwarded to its destination. The packet eg[...]

  • Page 257

    Network > Interfaces 257 SonicOS 5.8.1 Administrator Guide When creating a zone (either as part of general administration, or as a step in creating a subinterface), a checkbox will be presented on the zone creation page to control the auto-creation of a GroupVPN for that zone. By default, only newly created Wireless type zones will have ‘C[...]

  • Page 258

    Network > Interfaces 258 SonicOS 5.8.1 Administrator Guide VPN Integration with Layer 2 Bridge Mode When configuring a VPN on an interface that is also configured for Layer 2 Bridge mode, you must configure an additional route to ensure that incoming VPN traffic properly traverses the SonicWALL security appliance. Navigate to the Network >[...]

  • Page 259

    Network > Interfaces 259 SonicOS 5.8.1 Administrator Guide • Connect the mirrored port on the switch to either one of the interfaces in the Bridge-Pair • Connect and configure the WAN to allow access to dynamic signature data over the Internet Configuring the Primary Bridge Interface Step 1 Select the Network tab, Interfaces folder from[...]

  • Page 260

    Network > Interfaces 260 SonicOS 5.8.1 Administrator Guide Step 3 In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down list. Note that you do not need to configure settings on the Advanced or VLAN Filtering tabs. Step 4 In the IP Assignment drop-down list, select Layer 2 Bridged Mode. Step 5 In the Bridged[...]

  • Page 261

    Network > Interfaces 261 SonicOS 5.8.1 Administrator Guide To determine the traps that are possible when using IPS Sniffer Mode with Intrusion Prevention enabled, search for Intrusion in the table found in the Index of Log Event Messages section in the SonicOS Log Event Reference Guide. The SNMP trap number, if available for that event, is [...]

  • Page 262

    Network > Interfaces 262 SonicOS 5.8.1 Administrator Guide Configuring Security Services (Unified Threat Management) The settings that you enable in this section will control what type of malicious traffic you detect in IPS Sniffer Mode. Typically you will want to enable Intrusion Prevention, but you may also want to enable other Security S[...]

  • Page 263

    Network > Interfaces 263 SonicOS 5.8.1 Administrator Guide Table 1 Wire Mode Settings Wire Mode Setting Description Bypass Mode Bypass Mode allows for the quick and relatively non-interruptive introduction of Wire Mode into a network. Upon selecting a point of insertion into a network (e.g. between a core switch and a perimeter firewall, in f[...]

  • Page 264

    Network > Interfaces 264 SonicOS 5.8.1 Administrator Guide Secure Mode Secure Mode is the progression of Inspect Mode, actively interposing the SonicWALL security appliance’s multi-core processors into the packet processing path. This unleashes the inspection and policy engines’ full-set of capabilities, including Application Intelligen[...]

  • Page 265

    Network > Interfaces 265 SonicOS 5.8.1 Administrator Guide To summarize the key functional differences between modes of interface configuration: Note When operating in Wire-Mode, the SonicWALL security appliance’s dedicated “Management” interface will be used for local management. To enable remote management and dynamic security ser[...]

  • Page 266

    Network > Interfaces 266 SonicOS 5.8.1 Administrator Guide 3. To configure the Interface for Tap Mode, in the Mode / IP Assignment pulldown menu, select Tap Mode (1-Port Tap) and click OK. 4. To configure the Interface for Wire Mode, in the Mode / IP Assignment pulldown menu, select Wire Mode (2-Port Wire). 5. In the Wire Mode Type pul[...]

  • Page 267

    267 SonicOS 5.8.1 Administrator Guide CHAPTER 16 Chapter 16: Configuring PortShield Interfaces Network > PortShield Groups PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect[...]

  • Page 268

    Network > PortShield Groups 268 SonicOS 5.8.1 Administrator Guide The Network > PortShield Groups page allows you to manage the assignments of ports to PortShield interfaces. Static Mode and Transparent Mode A PortShield interface is a virtual interface with a set of ports assigned to it. There are two IP assignment methods you can deploy[...]

  • Page 269

    Network > PortShield Groups 269 SonicOS 5.8.1 Administrator Guide Note Make sure the IP address you assign to the PortShield interface is within the WAN subnetwork. When you create a PortShield interface in Transparent Mode, you create a range of addresses to be applied to the PortShield interface. You include these addresses in one entity [...]

  • Page 270

    Network > PortShield Groups 270 SonicOS 5.8.1 Administrator Guide 2. Click the Configure button for the interface you want to configure. The Edit Interface window displays. 3. In the Zone pulldown menu, select on a zone type option to which you want to map the interface. Note You can add PortShield interfaces only to Trusted, Public, and Wire[...]

  • Page 271

    Network > PortShield Groups 271 SonicOS 5.8.1 Administrator Guide • Interfaces that are the same color (other than black or yellow) are part of a PortShield group, with the master interface having a white outline around the color. • Interfaces that are greyed out cannot be added to a PortShield group. On the Network > PortShield Groups p[...]

  • Page 272

    Network > PortShield Groups 272 SonicOS 5.8.1 Administrator Guide Configuring PortShield Interfaces with the PortShield Wizard The PortShield Wizard quickly and easily guides you through several common PortShield group configurations. To use the PortShield wizard, perform the following steps: 1. Click the Wizards button on the top right of [...]

  • Page 273

    Network > PortShield Groups 273 SonicOS 5.8.1 Administrator Guide • WAN/OPT/LAN Switch • WAN/LAN/HA Note In the WAN/LAN/HA scenario, when High Availability is not enabled, the X6 port is assigned to the LAN zone. • WAN/LAN/LAN2 Switch 3. Click Next. 4. The wizard displays a summary of the configuration changes it is about to make.[...]

  • Page 274

    Network > PortShield Groups 274 SonicOS 5.8.1 Administrator Guide[...]

  • Page 275

    275 SonicOS 5.8.1 Administrator Guide CHAPTER 17 Chapter 17: Setting Up Failover and Load Balancing Network > Failover & Load Balancing This chapter contains the following sections: • “Failover and Load Balancing” on page 275 • “Load Balancing Statistics” on page 278 • “Multiple WAN (MWAN)” on page 279 Failover and Load[...]

  • Page 276

    Network > Failover & Load Balancing 276 SonicOS 5.8.1 Administrator Guide • Any TCP-SYN to Port—This option is available when the Respond to Probes option is enabled. When selected, the appliance will only respond to TCP probe request packets having the same packet destination address TCP port number as the configured value. Load Ba[...]

  • Page 277

    Network > Failover & Load Balancing 277 SonicOS 5.8.1 Administrator Guide General Tab To configure the Group Member Rank settings, click the Configure icon of the Group you wish to configure on the Network > Failover & LB page. The General tab screen displays. The General tab allows the user to modify the following settings: [...]

  • Page 278

    Network > Failover & Load Balancing 278 SonicOS 5.8.1 Administrator Guide Note The Interface Rank does not specify the operation that will be performed on the individual member. The operation that will be performed is specified by the Group Type. Probing Tab When Logical probing is enabled, test packets can be sent to remote probe tar[...]

  • Page 279

    Network > Failover & Load Balancing 279 SonicOS 5.8.1 Administrator Guide • Tx Unicast • Tx Bytes • Throughput (KB/s) • Throughput (Kbits/s) In the Display Statistics for pulldown menu, select which LB group you want to view statistics for. Click the Clear Statistic button on the bottom right of the Network > Failover &[...]

  • Page 280

    Network > Failover & Load Balancing 280 SonicOS 5.8.1 Administrator Guide Routing the Default & Secondary Default Gateways Because the gateway address objects previously associated with the Primary WAN and Secondary WAN are now deprecated, user-configured Static Routes need to be re-created in order to use the correct gateway add[...]

  • Page 281

    Network > Failover & Load Balancing 281 SonicOS 5.8.1 Administrator Guide DNS When DNS name resolution issues are encountered with this firmware, you may need to select the Specify DNS Servers Manually option and set the servers to Public DNS Servers (ICANN or non-ICANN). Note Depending on your location, some DNS Servers may respond faster[...]

  • Page 282

    Network > Failover & Load Balancing 282 SonicOS 5.8.1 Administrator Guide[...]

  • Page 283

    283 SonicOS 5.8.1 Administrator Guide CHAPTER 18 Chapter 18: Configuring Zones Network > Zones This section contains the following subsections: • “How Zones Work” on page 284 • “The Zone Settings Table” on page 287 • “Adding and Configuring Zones” on page 288 • “Deleting a Zone” on page 289 • “Configuring a Zone f[...]

  • Page 284

    Network > Zones 284 SonicOS 5.8.1 Administrator Guide tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone. How Zones Work An easy way to visualize how security zones work is[...]

  • Page 285

    Network > Zones 285 SonicOS 5.8.1 Administrator Guide doorperson can also elect to force people to put on a costume before traveling to another room, or to exit, or to another remote office. This hides the true identity of the person, masquerading the person as someone else. This process can be thought of as the NAT policy. Predefined Zones T[...]

  • Page 286

    Network > Zones 286 SonicOS 5.8.1 Administrator Guide • Public: A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The [...]

  • Page 287

    Network > Zones 287 SonicOS 5.8.1 Administrator Guide • Enable SSL Control – Requires inspection of all new SSL connections initiated from the zone. Note that SSL Control must first be enabled globally on the Firewall > SSL Control page. For more information, see “Firewall Settings > SSL Control” on page 777. • Enable SSL VPN[...]

  • Page 288

    Network > Zones 288 SonicOS 5.8.1 Administrator Guide • Enforce Global Security Clients – A check mark indicates users on this zone are required to use the Global Security client for desktop security. • Enable SSL Control – A check mark indicates inspection of all new SSL connections initiated from the zone is required. • Enable S[...]

  • Page 289

    Network > Zones 289 SonicOS 5.8.1 Administrator Guide To configure the zone, perform the following steps: Step 1 Type a name for the new zone in the Name field. Step 2 Select a security type Trusted, Public or Wireless from the Security Type menu. Use Trusted for zones that you want to assign the highest level of trust, such as in[...]

  • Page 290

    Network > Zones 290 SonicOS 5.8.1 Administrator Guide Configuring a Zone for Guest Access SonicWALL User Guest Services provides network administrators with an easy solution for creating wired and wireless guest passes and/or locked-down Internet-only network access for visitors or untrusted network nodes. This functionality can be extended t[...]

  • Page 291

    Network > Zones 291 SonicOS 5.8.1 Administrator Guide Step 3 Click the Guest Services tab. Step 4 Choose from the following configuration options for Guest Services: – Enable Guest Services - Enables guest services on the WLAN zone. – Enable inter-guest communication - Allows guests to communicate directly with other users who are connec[...]

  • Page 292

    Network > Zones 292 SonicOS 5.8.1 Administrator Guide – Enable External Guest Authentication - Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound ne[...]

  • Page 293

    Network > Zones 293 SonicOS 5.8.1 Administrator Guide Configuring the WLAN Zone Step 1 Click the Edit icon for the WLAN zone. The Edit Zone window is displayed. Step 2 In the General tab, select the Allow Interface Trust setting to automate the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance. Fo[...]

  • Page 294

    Network > Zones 294 SonicOS 5.8.1 Administrator Guide – Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones. – Create Group VPN - creates a GroupVPN policy for the zone, which is displayed in the VPN Policies table on the VPN > Settings page. You[...]

  • Page 295

    Network > Zones 295 SonicOS 5.8.1 Administrator Guide Tip Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired interface to allow guest services on that interface. Step 6 Select SSL VPN Enforcement to require that all traffic that enters into the WLAN zone be authenticated through a SonicWALL SSL VPN appliance.[...]

  • Page 296

    Network > Zones 296 SonicOS 5.8.1 Administrator Guide Step 7 In the SSL VPN Server list, select an address object to direct traffic to the SonicWALL SSL VPN appliance. You can select: – Create new address object... – Default Gateway – Secondary Default Gateway – X0 IP – X1 IP – X2 IP – X3 IP – X4 IP – X5 IP Step 8 In the [...]

  • Page 297

    297 SonicOS 5.8.1 Administrator Guide CHAPTER 19 Chapter 19: Configuring DNS Settings Network > DNS The Domain Name System (DNS) is a distributed, hierarchical system that provides a method for identifying hosts on the Internet using alphanumeric names called fully qualified domain names (FQDNs) instead of using difficult to remember numeric I[...]

  • Page 298

    Network > DNS 298 SonicOS 5.8.1 Administrator Guide In the DNS Settings section, select Specify DNS Servers Manually and enter the IP address(es) into the DNS Server fields. Click Accept to save your changes. To use the DNS Settings configured for the WAN zone, select Inherit DNS Settings Dynamically from the WAN Zone. Click Accept to save[...]

  • Page 299

    299 SonicOS 5.8.1 Administrator Guide CHAPTER 20 Chapter 20: Configuring Address Objects Network > Address Objects Address Objects are one of four object classes (Address, User, Service, and Schedule) in SonicOS Enhanced. These Address Objects allow for entities to be defined one time, and to be re-used in multiple referential instances thro[...]

  • Page 300

    Network > Address Objects 300 SonicOS 5.8.1 Administrator Guide • MAC Address – MAC Address Objects allow for the identification of a host by its hardware address or MAC (Media Access Control) address. MAC addresses are uniquely assigned to every piece of wired or wireless networking device by their hardware manufacturers, and are intended[...]

  • Page 301

    Network > Address Objects 301 SonicOS 5.8.1 Administrator Guide You can view Address Objects in the following ways using the View Style menu: • All Address Objects - displays all configured Address Objects. • Custom Address Objects - displays Address Objects with custom properties. • Default Address Objects - displays Address Objects[...]

  • Page 302

    Network > Address Objects 302 SonicOS 5.8.1 Administrator Guide Adding an Address Object To add an Address Object, click the Add button under the Address Objects table in the All Address Objects or Custom Address Objects views to display the Add Address Object window. Step 1 Enter a name for the Network Object in the Name field. Step 2 Sele[...]

  • Page 303

    Network > Address Objects 303 SonicOS 5.8.1 Administrator Guide – If you selected MAC, enter the MAC address and netmask in the Network and MAC Address field. – If you selected FQDN, enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field. Step 3 Select the zone to assign to the Address Object f[...]

  • Page 304

    Network > Address Objects 304 SonicOS 5.8.1 Administrator Guide Creating Group Address Objects As more and more Address Objects are added to the SonicWALL security appliance, you can simplify managing the addresses and access policies by creating groups of addresses. Changes made to the group are applied to each address in the group. To add [...]

  • Page 305

    Network > Address Objects 305 SonicOS 5.8.1 Administrator Guide See Part 21, Wizards for more information on configuring the SonicWALL security appliance using wizards. Working with Dynamic Addresses From its inception, SonicOS Enhanced has used Address Objects (AOs) to represent IP addresses in most areas throughout the user interface. A[...]

  • Page 306

    Network > Address Objects 306 SonicOS 5.8.1 Administrator Guide Key Features of Dynamic Address Objects The term Dynamic Address Object (DAO) describes the underlying framework enabling MAC and FQDN AOs. By transforming AOs from static to dynamic structures Firewall > Access Rules can automatically respond to changes in the network. Note Ini[...]

  • Page 307

    Network > Address Objects 307 SonicOS 5.8.1 Administrator Guide FQDN wildcard support FQDN Address Objects support wildcard entries, such as “*.somedomainname.com”, by first resolving the base domain name to all its defined host IP addresses, and then by constantly actively gleaning DNS responses as they pass through the firewall. For exam[...]

  • Page 308

    Network > Address Objects 308 SonicOS 5.8.1 Administrator Guide Enforcing the use of sanctioned servers on the network Although not a requirement, it is recommended to enforce the use of authorized or sanctioned servers on the network. This practice can help to reduce illicit network activity, and will also serve to ensure the reliability o[...]

  • Page 309

    Network > Address Objects 309 SonicOS 5.8.1 Administrator Guide • Create Access Rules in the relevant zones allowing only authorized SMTP servers on your network to communicate outbound SMTP; block all other outbound SMTP traffic to prevent intentional or unintentional outbound spamming. • Create Access Rules in the relevant zones allowing[...]

  • Page 310

    Network > Address Objects 310 SonicOS 5.8.1 Administrator Guide Using MAC and FQDN Dynamic Address Objects MAC and FQDN DAOs provide extensive Access Rule construction flexibility. MAC and FQDN AOs are configured in the same fashion as static Address Objects, that is from the Network > Address Objects page. Once created, their status c[...]

  • Page 311

    Network > Address Objects 311 SonicOS 5.8.1 Administrator Guide Step 1 – Create the FQDN Address Object • From Network > Address Objects, select Add and create the following Address Object: • When first created, this entry will resolve only to the address for dyndns.org, e.g. 63.208.196.110. Step 2 – Create the Firewall Access Rul[...]

  • Page 312

    Network > Address Objects 312 SonicOS 5.8.1 Administrator Guide Using an Internal DNS Server for FQDN-based Access Rules It is common for dynamically configured (DHCP) network environments to work in combination with internal DNS servers for the purposes of dynamically registering internal hosts – a common example of this is Microsoft’s[...]

  • Page 313

    Network > Address Objects 313 SonicOS 5.8.1 Administrator Guide to the 10.50.165.2 server, but to no other LAN resources. All other wireless clients should not be able to access the 10.50.165.2 server, but should have unrestricted access everywhere else. Step 1 – Create the MAC Address Objects • From Network > Address Objects, select[...]

  • Page 314

    Network > Address Objects 314 SonicOS 5.8.1 Administrator Guide Step 2 – Create the Firewall Access Rules • To create access rules, navigate to the Firewall > Access Rules page, click on the All Rules radio button, and scroll to the bottom of the page and click the Add button. • Create the following four access rules: Note The ‘Medi[...]

  • Page 315

    Network > Address Objects 315 SonicOS 5.8.1 Administrator Guide Step 2 – Create the Firewall Access Rule • From the Firewall > Access Rules page, LAN->WAN zone intersection, add an Access Rule as follows: Note If you do not see the Bandwidth tab, you can enable bandwidth management by declaring the bandwidth on your WAN interfaces.[...]

  • Page 316

    Network > Address Objects 316 SonicOS 5.8.1 Administrator Guide[...]

  • Page 317

    317 SonicOS 5.8.1 Administrator Guide CHAPTER 21 Chapter 21: Configuring Firewall Services Network > Services SonicOS Enhanced supports an expanded IP protocol support to allow users to create services and access rules based on these protocols. See “Supported Protocols” on page 318 for a complete listing of supported IP protocols. Services a[...]

  • Page 318

    Network > Services 318 SonicOS 5.8.1 Administrator Guide Default Services Overview The Default Services view displays the SonicWALL security appliance default services in the Services table and Service Groups table. The Service Groups table displays clusters of multiple default services as a single service object. You cannot delete or edi[...]

  • Page 319

    Network > Services 319 SonicOS 5.8.1 Administrator Guide • ESP (50)—(Encapsulated Security Payload) A method of encapsulating an IP datagram inside of another datagram employed as a flexible method of data transportation by IPsec. • AH (51)—(Authentication Header) A security protocol that provides data authentication and optional[...]

  • Page 320

    Network > Services 320 SonicOS 5.8.1 Administrator Guide All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement. If a protocol is not listed in the Default Services table, you can add it to the Custom Services table by clicking Add [...]

  • Page 321

    Network > Services 321 SonicOS 5.8.1 Administrator Guide Note The generic service Any will not handle Custom IP Type Service Objects. In other words, simply defining a Custom IP Type Service Object for IP Type 126 will not allow IP Type 126 traffic to pass through the default LAN > WAN Allow rule. It will be necessary to create an Acc[...]

  • Page 322

    Network > Services 322 SonicOS 5.8.1 Administrator Guide Step 8 Add a Service Group composed of the Custom IP Types Services. Step 9 From Firewall > Access Rules > WLAN > LAN, select Add. Step 10 Define an Access Rule allowing myServices from WLAN Subnets to the 10.50.165.26 Address Object. Note Select your zones, Services and A[...]

  • Page 323

    Network > Services 323 SonicOS 5.8.1 Administrator Guide Adding a Custom Services Group You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services as a [...]

  • Page 324

    Network > Services 324 SonicOS 5.8.1 Administrator Guide[...]

  • Page 325

    325 SonicOS 5.8.1 Administrator Guide CHAPTER 22 Chapter 22: Configuring Routes Network > Routing If you have routers on your interfaces, you can configure static routes on the SonicWALL security appliance on the Network > Routing page. You can create static routing policies that create static routing entries that make decisions based [...]

  • Page 326

    Network > Routing 326 SonicOS 5.8.1 Administrator Guide Route Advertisement The SonicWALL security appliance uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL security appliance and remote VPN gateways are also reflected in the RIPv2 adve[...]

  • Page 327

    Network > Routing 327 SonicOS 5.8.1 Administrator Guide Step 3 In the Advertise Default Route menu, select Never, or When WAN is up, or Always. Step 4 Enable Advertise Static Routes if you have static routes configured on the SonicWALL security appliance, enable this feature to exclude them from Route Advertisement. Step 5 Enable Adver[...]

  • Page 328

    Network > Routing 328 SonicOS 5.8.1 Administrator Guide Policy Based Routing A simple static routing entry specifies how to handle traffic that matches specific criteria, such as destination address, destination mask, gateway to forward traffic, the interface that gateway is located, and the route metric. This method of static routing satis[...]

  • Page 329

    Network > Routing 329 SonicOS 5.8.1 Administrator Guide All Policies displays all the routing policies including Custom Policies and Default Policies. Initially, only the Default Policies are displayed in the Route Policies table when you select All Policies from the View Style menu. The Route Policies table provides easy pagination for view[...]

  • Page 330

    Network > Routing 330 SonicOS 5.8.1 Administrator Guide Step 7 Enter the Metric for the route. The default metric for static routes is one. For more information on metrics, see the “Policy Based Routing” section on page 328. Step 8 (Optional) Select the Disable route when the interface is disconnected checkbox to have the route automatical[...]

  • Page 331

    Network > Routing 331 SonicOS 5.8.1 Administrator Guide Network > WAN Failover & LB page. For this example, choose Per Connection Round-Robin as the load balancing method in the Network > WAN Failover & LB page. Click Accept to save your changes on the Network > WAN Failover & LB page. Step 1 Click the Add button under[...]

  • Page 332

    Network > Routing 332 SonicOS 5.8.1 Administrator Guide Advanced Routing Services (OSPF and RIP) In addition to Policy Based Routing and RIP advertising, SonicOS Enhanced offers the option of enabling Advanced Routing Services (ARS). Advanced Routing Services provides full advertising and listening support for the Routing Information Protoc[...]

  • Page 333

    Network > Routing 333 SonicOS 5.8.1 Administrator Guide • Protocol Type – Distance Vector protocols such as RIP base routing metrics exclusively on hop counts, while Link state protocols such as OSPF consider the state of the link when determining metrics. For example, OSPF determines interface metrics by dividing its reference bandwidth[...]

  • Page 334

    Network > Routing 334 SonicOS 5.8.1 Administrator Guide OSPF does not have to impose a hop count limit because it does not advertise entire routing tables, rather it generally only sends link state updates when changes occur. This is a significant advantage in larger networks in that it converges more quickly, produces less update traffic,[...]

  • Page 335

    Network > Routing 335 SonicOS 5.8.1 Administrator Guide For example, if you had 8 class C networks: 192.168.0.0/24 through 192.168.7.0/24, rather than having to have a separate route statement to each of them, it would be possible to provide a single route to 192.168.0.0/21 which would encompass them all. This ability, in addition to provid[...]

  • Page 336

    Network > Routing 336 SonicOS 5.8.1 Administrator Guide used, which is generally discouraged). Area assignment is interface specific on an OSPF router; in other words, a router with multiple interfaces can have those interfaces configured for the same or different areas. • Neighbors – OSPF routers on a common network segment have the po[...]

  • Page 337

    Network > Routing 337 SonicOS 5.8.1 Administrator Guide LSA’s are then exchanged within LSU’s across these adjacencies rather than between each possible pairing combination of routers on the segment. Link state updates are sent by non-DR routers to the multicast address 225.0.0.6, the RFC 1583 assigned ‘OSPFIGP Designated Routers’ addr[...]

  • Page 338

    Network > Routing 338 SonicOS 5.8.1 Administrator Guide – Type 5 (AS External Link Advertisements) – Sent by ASBR (Autonomous System Boundary Routers) to describe routes to networks in a different AS. Type 5 LSA’s are not sent to Stub Areas. There are two types of External Link Advertisements: • External Type 1 - Type 1 packet[...]

  • Page 339

    Network > Routing 339 SonicOS 5.8.1 Administrator Guide • ABR (Area Border Router) – A router with interfaces in multiple areas. An ABR maintains LSDB’s for each area to which it is connected, one of which is typically the backbone. • Backbone Router – A router with an interface connected to area 0, the backbone. • ASBR (Autonomo[...]

  • Page 340

    Network > Routing 340 SonicOS 5.8.1 Administrator Guide The operation of the RIP and OSPF routing protocols is interface dependent. Each interface and virtual subinterface can have RIP and OSPF settings configured separately, and each interface can run both RIP and OSPF routers. Configure RIP and OSPF for default routes received from Advance[...]

  • Page 341

    Network > Routing 341 SonicOS 5.8.1 Administrator Guide Note Be sure the device sending RIPv2 updates uses multicast mode, or the updates will not be processed by the ars-rip router. Send (Available in ‘Send and Receive’ and ‘Send Only’ modes) • RIPv1 – Send broadcast RIPv1 packets. • RIPv2 - v1 compatible – Send multicast RI[...]

  • Page 342

    Network > Routing 342 SonicOS 5.8.1 Administrator Guide Consider the following simple example network: The diagram illustrates an OSPF network where the backbone (area 0.0.0.0) comprises the X0 interface on the SonicWALL and the int1 interface on Router A. Two additional areas, 0.0.0.1 and 100.100.100.100 are connected, respectively, to the [...]

  • Page 343

    Network > Routing 343 SonicOS 5.8.1 Administrator Guide OSPFv2 Setting • Disabled – OSPF Router is disabled on this interface • Enabled – OSPF Router is enabled on this interface • Passive – The OSPF router is enabled on this interface, but only advertises connected networks using type 1 LSA’s (Router Link Advertisements) into [...]

  • Page 344

    Network > Routing 344 SonicOS 5.8.1 Administrator Guide • IBM – For interoperating with IBM’s ABR behavior, which expects the backbone to be configured before setting the ABR flag. • Shortcut – A ‘shortcut area’ enables traffic to go through the non-backbone area with a lower metric whether or not the ABR router is attached [...]

  • Page 345

    Network > Routing 345 SonicOS 5.8.1 Administrator Guide Configuring Advanced Routing for Tunnel Interfaces In SonicOS versions 5.6 and higher, VPN Tunnel Interfaces can be configured for advanced routing. To do so, you must enable advanced routing for the tunnel interface on the Advanced tab of its configuration. See “Adding a Tunnel In[...]

  • Page 346

    Network > Routing 346 SonicOS 5.8.1 Administrator Guide Guidelines for Configuring Tunnel Interfaces for Advanced Routing The following guidelines will ensure success when configuring Tunnel Interfaces for advanced routing: • The borrowed interface must have a static IP address assignment. • The borrowed interface cannot have RIP or OSPF[...]

  • Page 347

    347 SonicOS 5.8.1 Administrator Guide CHAPTER 23 Chapter 23: Configuring NAT Policies Network > NAT Policies This chapter contains the following sections: • “NAT Policies Table” on page 348 • “NAT Policy Settings Explained” on page 349 • “NAT Policies Q&A” on page 351 The Network Address Translation (NAT) engine in S[...]

  • Page 348

    Network > NAT Policies 348 SonicOS 5.8.1 Administrator Guide NAT Policies Table The NAT Policies table allows you to view your NAT Policies by Custom Policies, Default Policies, or All Policies. Tip Before configuring NAT Policies, be sure to create all Address Objects associated with the policy. For instance, if you are creating a One-t[...]

  • Page 349

    Network > NAT Policies 349 SonicOS 5.8.1 Administrator Guide NAT Policy Settings Explained The following explains the settings used to create a NAT policy entry in the Add NAT Policy or Edit NAT Policy windows. Click the Add button in the Network > NAT Policies page to display the Add NAT Policy window to create a new NAT policy or c[...]

  • Page 350

    Network > NAT Policies 350 SonicOS 5.8.1 Administrator Guide • Translated Service: This drop-down menu setting is what the SonicWALL security appliance translates the Original Service to as it exits the SonicWALL security appliance, whether it be to another interface, or into/out-of VPN tunnels. You can use the default services in the[...]

  • Page 351

    Network > NAT Policies 351 SonicOS 5.8.1 Administrator Guide NAT Policies Q&A Why is it necessary to specify ‘Any’ as the destination interface for inbound 1-2-1 NAT policies? It may seem counter-intuitive to do this, given that other types of NAT policies require you to specify the destination interface, but for this type of NAT pol[...]

  • Page 352

    Network > NAT Policies 352 SonicOS 5.8.1 Administrator Guide Why Do I Have to Write Two Policies for 1-2-1 Traffic? With the new NAT engine, it is necessary to write two policies – one to allow incoming requests to the destination public IP address to reach the destination private IP address (uninitiated inbound), and one to allow the source[...]

  • Page 353

    Network > NAT Policies 353 SonicOS 5.8.1 Administrator Guide NAT LB Mechanisms NAT load balancing is configured on the Advanced tab of a NAT policy. Note This tab can only be activated when a group is specified in one of the drop-down fields on the General tab of a NAT Policy. Otherwise, the NAT policy defaults to Sticky IP as the NAT[...]

  • Page 354

    Network > NAT Policies 354 SonicOS 5.8.1 Administrator Guide Which NAT LB Method Should I Use? Caveats • The NAT Load Balancing Feature is only available in SonicOS Enhanced 4.0 and higher. • Only two health-check mechanisms at present (ICMP ping and TCP socket open). • No higher-layer persistence mechanisms at present (Sticky IP onl[...]

  • Page 355

    Network > NAT Policies 355 SonicOS 5.8.1 Administrator Guide Example one - Mapping to a network: 192.168.0.2 to 192.168.0.4 Translated Destination = 10.50.165.0/30 (Network) Packet Source IP = 192.168.0.2 192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 (IP -> Hex -> Dec -> Binary) Sticky IP Formula = Packet S[...]

  • Page 356

    Network > NAT Policies 356 SonicOS 5.8.1 Administrator Guide Creating NAT Policies NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneousl[...]

  • Page 357

    Network > NAT Policies 357 SonicOS 5.8.1 Administrator Guide • Original Service: Any • Translated Service: Original • Inbound Interface: X2 • Outbound Interface: X1 • Comment: Enter a short description • Enable NAT Policy: Checked • Create a reflective policy: Unchecked When done, click on the OK button to add and activa[...]

  • Page 358

    Network > NAT Policies 358 SonicOS 5.8.1 Administrator Guide You can test the dynamic mapping by installing several systems on the LAN interface (by default, the X0 interface) at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and 192.168.10.200) and accessing the public Website http://www.whatismyip.com from[...]

  • Page 359

    Network > NAT Policies 359 SonicOS 5.8.1 Administrator Guide Creating a One-to-One NAT Policy for Inbound Traffic (Reflective) Note If “Translated Destination: Original” is selected in the NAT Policy Settings, this section does not apply because the “Create a reflective policy” checkbox is greyed out. This is the mirror policy for th[...]

  • Page 360

    Network > NAT Policies 360 SonicOS 5.8.1 Administrator Guide Configuring One-to-Many NAT Load Balancing One-to-Many NAT policies can be used to persistently load balance the translated destination using the original source IP address as the key to persistence. For example, SonicWALL security appliances can load balance multiple SonicWALL SS[...]

  • Page 361

    Network > NAT Policies 361 SonicOS 5.8.1 Administrator Guide • Translated Destination: Select Create new address object... to bring up the Add Address Object screen. – Name: A descriptive name, such as mySSLVPN – Zone assignment: LAN – Type: Host – IP Address: The IP addresses for the devices to be load balanced (in the topo[...]

  • Page 362

    Network > NAT Policies 362 SonicOS 5.8.1 Administrator Guide Note Make sure you chose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it is actually the correct thing to do (if you try to specify the interface, you get an error). Step 3 When finished, click on the OK button to[...]

  • Page 363

    Network > NAT Policies 363 SonicOS 5.8.1 Administrator Guide In this section, we have five tasks to complete: 1. Create two custom service objects for the unique public ports the servers respond on. 2. Create two address objects for the servers’ private IP addresses. 3. Create two NAT entries to allow the two servers to initiate traffic[...]

  • Page 364

    Network > NAT Policies 364 SonicOS 5.8.1 Administrator Guide • Enable NAT Policy: Checked • Create a reflective policy: Unchecked When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the SonicWALL security appliance translates the servers’ private IP addresses to the public IP ad[...]

  • Page 365

    Network > NAT Policies 365 SonicOS 5.8.1 Administrator Guide Note With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to the private IP address, the rule does not work. Go to the Firewall > Access Rules page and choose the po[...]

  • Page 366

    Network > NAT Policies 366 SonicOS 5.8.1 Administrator Guide Using NAT Load Balancing This section contains the following subsections: • “NAT Load Balancing Topology” on page 366 • “Prerequisites” on page 366 • “Configuring NAT Load Balancing” on page 367 • “Troubleshooting NAT Load Balancing” on page 368 NAT Load B[...]

  • Page 367

    Network > NAT Policies 367 SonicOS 5.8.1 Administrator Guide Configuring NAT Load Balancing To configure NAT load balancing, you must complete the following tasks: 1. Create address objects. 2. Create address group. 3. Create inbound NAT LB Policy. 4. Create outbound NAT LB Policy. 5. Create Firewall Rule. 6. Verify and troubleshoot the [...]

  • Page 368

    Network > NAT Policies 368 SonicOS 5.8.1 Administrator Guide Troubleshooting NAT Load Balancing If the Web servers do not seem to be accessible, go to the Firewall > Access Rules page and mouseover the Statistics icon. If the rule is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these increment[...]

  • Page 369

    369 SonicOS 5.8.1 Administrator Guide CHAPTER 24 Chapter 24: Managing ARP Traffic Network > ARP ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of network traffi[...]

  • Page 370

    Network > ARP 370 SonicOS 5.8.1 Administrator Guide Static ARP Entries The Static ARP feature allows for static mappings to be created between layer 2 MAC addresses and layer 3 IP addresses, but also provides the following capabilities: • Publish Entry - Enabling the Publish Entry option in the Add Static ARP window causes the SonicWALL d[...]

  • Page 371

    Network > ARP 371 SonicOS 5.8.1 Administrator Guide Adding a Secondary Subnet using the Static ARP Method Step 1 Add a 'published' static ARP entry for the gateway address that will be used for the secondary subnet, assigning it the MAC address of the SonicWALL interface to which it will be connected. Step 2 Add a static route for [...]

  • Page 372

    Network > ARP 372 SonicOS 5.8.1 Administrator Guide The entry will appear in the table. Navigate to the Network > Routing page, and add a static route for the 192.168.50.0/24 network, with the 255.255.255.0 subnet mask on the X3 Interface. To allow the traffic to reach the 192.168.50.0/24 subnet, and to allow the 192.168.50.0/24 subnet to [...]

  • Page 373

    Network > ARP 373 SonicOS 5.8.1 Administrator Guide You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific ARP entry. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Admi[...]

  • Page 374

    Network > ARP 374 SonicOS 5.8.1 Administrator Guide[...]

  • Page 375

    375 SonicOS 5.8.1 Administrator Guide CHAPTER 25 Chapter 25: Configuring MAC-IP Anti-Spoof Network > MAC-IP Anti-Spoof This chapter describes how to plan, design, implement, and MAC-IP Anti-Spoof protection in SonicWALL SonicOS Enhanced. This chapter contains the following sections: • “MAC-IP Anti-Spoof Protection Overview” section o[...]

  • Page 376

    Network > MAC-IP Anti-Spoof 376 SonicOS 5.8.1 Administrator Guide • ARP packets; both ARP requests and responses • Static ARP entries from user-created entries • MAC-IP Anti-Spoof Cache The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed[...]

  • Page 377

    Network > MAC-IP Anti-Spoof 377 SonicOS 5.8.1 Administrator Guide To configure settings for a particular interface, click the Configure icon for the desired interface. The Settings window is now displayed for the selected interface. In this window, the following settings can be enabled or disabled by clicking on the corresponding checkbox. Once[...]

  • Page 378

    Network > MAC-IP Anti-Spoof 378 SonicOS 5.8.1 Administrator Guide Once the settings have been adjusted, the interface’s listing will be updated on the MAC-IP Anti-Spoof panel. The green circle with white check mark icons denote which settings have been enabled. Note The following interfaces are excluded from the MAC-IP Anti-Spoof list: N[...]

  • Page 379

    Network > MAC-IP Anti-Spoof 379 SonicOS 5.8.1 Administrator Guide If you need to edit a static Anti-Spoof cache entry, select the checkbox to the left of the IP address, then click the pencil icon, under the “Configure” column, on the same line. Single, or multiple, static anti-spoof cache entries can be deleted. To do this, select t[...]

  • Page 380

    Network > MAC-IP Anti-Spoof 380 SonicOS 5.8.1 Administrator Guide Spoof Detect List The Spoof Detect List displays devices that failed to pass the ingress anti-spoof cache check. Entries on this list can be added as a static anti-spoof entry. To do this, click on the pencil icon, under the “Add” column, for the desired device. An alert[...]

  • Page 381

    Network > MAC-IP Anti-Spoof 381 SonicOS 5.8.1 Administrator Guide Operator Syntax Options Value with a type • Ip=1.1.1.1 or ip=1.1.1.0/24 • Mac=00:01:02:03:04:05 • Iface=x1 String • X1 • 00:01 • Tst-mc • 1.1. AND • Ip=1.1.1.1;iface=x1 • Ip=1.1.1.0/24;iface=x1;just-string OR • Ip=1.1.1.1,2.2.2.2,3.3.3.0/24 • Iface=[...]

  • Page 382

    Network > MAC-IP Anti-Spoof 382 SonicOS 5.8.1 Administrator Guide Extension to IP Helper In order to support leases from the DHCP relay subsystem of IP Helper, the following changes have been made in the IP Helper panel, located at Network > IP Helper: • As part of the DHCP relay logic, IP Helper learns leases exchanged between client[...]

  • Page 383

    383 SonicOS 5.8.1 Administrator Guide CHAPTER 26 Chapter 26: Setting Up the DHCP Server Network > DHCP Server This chapter contains the following sections: • “DHCP Server Options Overview” on page 384 • “Multiple DHCP Scopes per Interface” on page 385 • “Configuring the DHCP Server” on page 387 • “DHCP Server Lease Scopes?[...]

  • Page 384

    Network > DHCP Server 384 SonicOS 5.8.1 Administrator Guide The SonicWALL security appliance includes a DHCP (Dynamic Host Configuration Protocol) server to distribute IP addresses, subnet masks, gateway addresses, and DNS server addresses to your network clients. The Network > DHCP Server page includes settings for configuring the SonicW[...]

  • Page 385

    Network > DHCP Server 385 SonicOS 5.8.1 Administrator Guide clients on the network, it provides vendor-specific configuration and service information. The “DHCP Option Numbers” on page 400 provides a list of DHCP options by RFC-assigned option number. Benefits The SonicWALL DHCP server options feature provides a simple interface for sele[...]

  • Page 386

    Network > DHCP Server 386 SonicOS 5.8.1 Administrator Guide Multiple Scopes for Group VPN – When using an internal DHCP server, a SonicWALL GVC client could be configured using scope ranges that differ from the LAN/DMZ subnet. The scope range for the SonicWALL GVC client is decided by the “Relay IP Address (Optional)” set in the centr[...]

  • Page 387

    Network > DHCP Server 387 SonicOS 5.8.1 Administrator Guide Figure 26:2 Trusted DHCP Relay Agents Configuring the DHCP Server If you want to use the SonicWALL security appliance’s DHCP server, select Enable DHCP Server on the Network > DHCP Server page. The following DHCP server options can be configured: • Select Enable Conflict Detect[...]

  • Page 388

    Network > DHCP Server 388 SonicOS 5.8.1 Administrator Guide To configure Option Objects, Option Groups, and Trusted Agents, click the Advanced button. For detailed information on configuring these features, see “Configuring Advanced DHCP Server Options” on page 389. Configuring DHCP Server Persistence DHCP server persistence is the abil[...]

  • Page 389

    Network > DHCP Server 389 SonicOS 5.8.1 Administrator Guide Configuring Advanced DHCP Server Options • “Configuring DHCP Option Objects” on page 389 • “Configuring DHCP Option Groups” on page 390 • “Configuring a Trusted DHCP Relay Agent Address Group” on page 391 • “Enabling Trusted DHCP Relay Agents” on page 392 T[...]

  • Page 390

    Network > DHCP Server 390 SonicOS 5.8.1 Administrator Guide Step 5 From the Option Number drop-down list, select the option number that corresponds to your DHCP option. For a list of option numbers and names, refer to “DHCP Option Numbers” on page 400. Step 6 Optionally check the Option Array box to allow entry of multiple option values i[...]

  • Page 391

    Network > DHCP Server 391 SonicOS 5.8.1 Administrator Guide Step 5 Enter a name for the group in the Name field. Step 6 Select an option object from the left column and click the -> button to add it to the group. To select multiple option objects at the same time, hold the Ctrl key while selecting the option objects. Step 7 Click OK. T[...]

  • Page 392

    Network > DHCP Server 392 SonicOS 5.8.1 Administrator Guide Enabling Trusted DHCP Relay Agents In the DHCP Advanced Settings page, you can enable the Trusted Relay Agent List option using the Default Trusted Relay Agent List Address Group or create another Address Group using existing Address Objects. To enable the Trusted Relay Agent List o[...]

  • Page 393

    Network > DHCP Server 393 SonicOS 5.8.1 Administrator Guide Configuring DHCP Server for Dynamic Ranges Because SonicOS Enhanced allows multiple DHCP scopes per interface, there is no requirement that the subnet range is attached to the interface when configuring DHCP scopes. To configure DHCP server for dynamic IP address ranges, follow these [...]

  • Page 394

    Network > DHCP Server 394 SonicOS 5.8.1 Administrator Guide BOOTP stands for bootstrap protocol, which is a TCP/IP protocol and service that allows diskless workstations to obtain their IP address, other TCP/IP configuration information, and their boot image file from a BOOTP server. DNS/WINS Settings Step 9 Click the DNS/WINS tab to cont[...]

  • Page 395

    Network > DHCP Server 395 SonicOS 5.8.1 Administrator Guide Advanced Settings Step 14 Click on the Advanced tab. The Advanced tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network. Step 15 Under VoIP Call Managers, enter the IP address or FQDN of your VoIP Call Manager [...]

  • Page 396

    Network > DHCP Server 396 SonicOS 5.8.1 Administrator Guide Configuring Static DHCP Entries Static entries are IP addresses assigned to servers requiring permanent IP settings. Because SonicOS Enhanced allows multiple DHCP scopes per interface, there is no requirement that the subnet range is attached to the interface when configuring DHCP[...]

  • Page 397

    Network > DHCP Server 397 SonicOS 5.8.1 Administrator Guide Step 7 To populate the Default Gateway and Subnet Mask fields with default values for a certain interface, select the Interface Pre-Populate checkbox near the bottom of the page and choose the interface from the drop-down list. The populated IP addresses are in the same private sub[...]

  • Page 398

    Network > DHCP Server 398 SonicOS 5.8.1 Administrator Guide Advanced Settings Step 15 Click on the Advanced tab. The Advanced tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network. Step 16 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field.[...]

  • Page 399

    Network > DHCP Server 399 SonicOS 5.8.1 Administrator Guide Configuring DHCP Generic Options for DHCP Lease Scopes This section provides configuration tasks for DHCP generic options for lease scopes. Note Before generic options for a DHCP lease scope can be configured, a static or dynamic DHCP server lease scope must be created. The “DHCP Opt[...]

  • Page 400

    Network > DHCP Server 400 SonicOS 5.8.1 Administrator Guide DHCP Option Numbers This section provides a list of RFC-defined DHCP option numbers and descriptions: Option Number Name Description 2 Time Offset Time offset in seconds from UTC 3 Router N/4 router addresses 4 Time Servers N/4 time server addresses 5 Name Servers N/4 IEN-116 se[...]

  • Page 401

    Network > DHCP Server 401 SonicOS 5.8.1 Administrator Guide 33 Static Routing Table Static routing table 34 Trailer Encapsulation Trailer encapsulation 35 ARP Cache Timeout ARP cache timeout 36 Ethernet Encapsulation Ethernet encapsulation 37 Default TCP Time to Live Default TCP time to live 38 TCP Keepalive Interval TCP keepalive int[...]

  • Page 402

    Network > DHCP Server 402 SonicOS 5.8.1 Administrator Guide 65 NIS+ V3 Server Address NIS+ V3 server address 66 TFTP Server Name TFTP server name 67 Boot File Name Boot file name 68 Home Agent Addresses Home agent addresses 69 Simple Mail Server Addresses Simple mail server addresses 70 Post Office Server Addresses Post office server address[...]

  • Page 403

    Network > DHCP Server 403 SonicOS 5.8.1 Administrator Guide 94 Client Network Device Interface Client network device interface 95 LDAP Use Lightweight Directory Access Protocol 96 Undefined N/A 97 UUID/GUID Based Client Identifier UUID/GUID-based client identifier 98 Open Group’s User Authentication Open group’s user authentication 99 Undef[...]

  • Page 404

    Network > DHCP Server 404 SonicOS 5.8.1 Administrator Guide 124 Vendor-Identifying Vendor Class Vendor-identifying vendor class 125 Vendor Identifying Vendor Specific Vendor-identifying vendor specific 126 Undefined N/A 127 Undefined N/A 128 TFTP Server IP Address TFTP server IP address for IP phone software load 129 Call Server IP Addre[...]

  • Page 405

    Network > DHCP Server 405 SonicOS 5.8.1 Administrator Guide 157 Undefined N/A 158 Undefined N/A 159 Undefined N/A 160 Undefined N/A 161 Undefined N/A 162 Undefined N/A 163 Undefined N/A 164 Undefined N/A 165 Undefined N/A 166 Undefined N/A 167 Undefined N/A 168 Undefined N/A 169 Undefined N/A 170 Undefined N/A 171 Undefined N/A 172 Undefined N/A[...]

  • Page 406

    Network > DHCP Server 406 SonicOS 5.8.1 Administrator Guide 194 Undefined N/A 195 Undefined N/A 196 Undefined N/A 197 Undefined N/A 198 Undefined N/A 199 Undefined N/A 200 Undefined N/A 201 Undefined N/A 202 Undefined N/A 203 Undefined N/A 204 Undefined N/A 205 Undefined N/A 206 Undefined N/A 207 Undefined N/A 208 pxelinux.magic (string) = 241.0[...]

  • Page 407

    Network > DHCP Server 407 SonicOS 5.8.1 Administrator Guide 230 Private Use Private use 231 Private Use Private use 232 Private Use Private use 233 Private Use Private use 234 Private Use Private use 235 Private Use Private use 236 Private Use Private use 237 Private Use Private use 238 Private Use Private use 239 Private Use Private use 240 Pri[...]

  • Page 408

    Network > DHCP Server 408 SonicOS 5.8.1 Administrator Guide[...]

  • Page 409

    409 SonicOS 5.8.1 Administrator Guide CHAPTER 27 Chapter 27: Using IP Helper Network > IP Helper Many User Datagram Protocols (UDP) rely on broadcast/multicast to find its respective server, usually requiring their servers to be present on the same broadcast subnet. To support cases where servers lie on different subnets than clients, a me[...]

  • Page 410

    Network > IP Helper 410 SonicOS 5.8.1 Administrator Guide Caution The SonicWALL DHCP Server feature must be disabled before you can enable DHCP Support on the IP Helper. The Enable DHCP Support checkbox is greyed out until the DHCP Server setting is disabled. • Enable NetBIOS Support - Enables NetBIOS broadcast forwarding. NetBIOS is requi[...]

  • Page 411

    Network > IP Helper 411 SonicOS 5.8.1 Administrator Guide Adding an IP Helper Policy for NetBIOS Step 1 Click the Add button under the IP Helper Policies table. The Add IP Helper Policy window is displayed. Step 2 The policy is enabled by default. To configure the policy without enabling it, clear the Enabled check box. Step 3 Select NetBIOS[...]

  • Page 412

    Network > IP Helper 412 SonicOS 5.8.1 Administrator Guide • Raw Mode —Unidirectional forwarding that does not create an IP Helper cache. This is suitable for most of the user-defined protocols that are used for discovery, for example WOL/mDNS. Figure 27:3 Enhanced IP Helper UI Each protocol has the following configurable options: • N[...]

  • Page 413

    Network > IP Helper 413 SonicOS 5.8.1 Administrator Guide Adding User-Defined Protocols Click the Add button on the lower left side of the protocol list table. The following fields must be configured in order to add a protocol. • Name —Create a unique case-sensitive name. • Port 1/2 —The unique UDP port numbers. • Timeout— This is o[...]

  • Page 414

    Network > IP Helper 414 SonicOS 5.8.1 Administrator Guide Displaying IP Helper Cache from TSR The TSR will show all the IP Helper caches, current policies, and protocols: #IP_HELPER_START IP Helper -----IP Helper Global Run-time Data ------- IP Helper is OFF IP Helper - DHCP Relay is OFF IP Helper - Netbios Relay is OFF Total Number Of Fwded P[...]

  • Page 415

    Network > IP Helper 415 SonicOS 5.8.1 Administrator Guide mDNS Forwarding In order to enable Apple support for iRemote, iTunes, and Apple TV, the mDNS protocol must be enabled. A policy is needed to forward these packets. The following graphic illustrates the process of how Enhanced IP Helper works with mDNS Forwarding:[...]

  • Page 416

    Network > IP Helper 416 SonicOS 5.8.1 Administrator Guide To configure SonicOS to support mDNS, perform the following steps: Step 1 Navigate to the Network > IP Helper page. Step 2 Select the Enable IP Helper checkbox. Step 3 In the Relay Protocols section, click the Enable checkbox for mDNS. Step 4 In the Policies section, click the Add[...]

  • Page 417

    417 SonicOS 5.8.1 Administrator Guide CHAPTER 28 Chapter 28: Setting Up Web Proxy Forwarding Network > Web Proxy A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to th[...]

  • Page 418

    Network > Web Proxy 418 SonicOS 5.8.1 Administrator Guide Configuring Automatic Proxy Forwarding (Web Only) Note The proxy server must be located on the WAN or DMZ; it can not be located on the LAN. To configure a Proxy Web server, select the Network > Web Proxy page. Step 1 Connect your Web proxy server to a hub, and connect the hub to[...]

  • Page 419

    419 SonicOS 5.8.1 Administrator Guide CHAPTER 29 Chapter 29: Configuring Dynamic DNS Network > Dynamic DNS Dynamic DNS (DDNS) is a service provided by various companies and organizations that allows for dynamic changing IP addresses to automatically update DNS records without manual intervention. This service allows for network access using do[...]

  • Page 420

    Network > Dynamic DNS 420 SonicOS 5.8.1 Administrator Guide Supported DDNS Providers Not all services and features from all providers are supported, and the list of supported providers is subject to change. SonicOS currently supports the following services from four Dynamic DNS providers: • Dyndns.org - SonicOS requires a username, password[...]

  • Page 421

    Network > Dynamic DNS 421 SonicOS 5.8.1 Administrator Guide To configure Dynamic DNS on the SonicWALL security appliance, perform these steps: Step 1 From the Network > Dynamic DNS page, click the Add button. The Add DDNS Profile window is displayed. Step 2 If Enable this DDNS Profile is checked, the profile is administratively enabled[...]

  • Page 422

    Network > Dynamic DNS 422 SonicOS 5.8.1 Administrator Guide – Static - A free DNS service for static IP addresses. Step 10 When using DynDNS.org, you may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Backup MX if this is the backup mail exchanger. Step 11 Click the Advanced tab. You c[...]

  • Page 423

    Network > Dynamic DNS 423 SonicOS 5.8.1 Administrator Guide Dynamic DNS Settings Table The Dynamic DNS Settings table provides a table view of configured DDNS profiles. Dynamic DNS Settings table includes the following columns: • Profile Name - The name assigned to the DDNS entry during its creation. This can be any value, and is used onl [...]

  • Page 424

    Network > Dynamic DNS 424 SonicOS 5.8.1 Administrator Guide[...]

  • Page 425

    425 SonicOS 5.8.1 Administrator Guide CHAPTER 30 Chapter 30: Configuring Network Monitor Network > Network Monitor The Network > Network Monitor page provides a flexible mechanism for monitoring network path viability. The results and status of this monitoring are displayed dynamically on the Network Monitor page, and are also provided [...]

  • Page 426

    Network > Network Monitor 426 SonicOS 5.8.1 Administrator Guide You can view details of the probe status by hovering your mouse over the green, red, or yellow light for a policy. The following information is displayed in the probe status: • The percent of successful probes. • The number of resolved probe targets. • The total number of[...]

  • Page 427

    Network > Network Monitor 427 SonicOS 5.8.1 Administrator Guide Adding a Network Monitor Policy To add a network monitor policy on the SonicWALL security appliance, perform these steps: Step 1 From the Network > Network Monitor page, click the Add button. The Add Network Monitor Policy window is displayed. Step 2 Enter the following info[...]

  • Page 428

    Network > Network Monitor 428 SonicOS 5.8.1 Administrator Guide same interface within the Response Timeout time window. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned. – Ping (ICMP) - Explicit Route - This probe bypasses the route table and uses the source IP address of the[...]

  • Page 429

    SonicOS 5.8.1 Administrator Guide 429 PART 5 Part 5: 3G/Modem[...]

  • Page 430

    430 SonicOS 5.8.1 Administrator Guide[...]

  • Page 431

    431 SonicOS 5.8.1 Administrator Guide CHAPTER 31 Chapter 31: 3G/Modem Selection 3G/Modem SonicWALL UTM appliances with a USB extension port can support either an external 3G interface or analog modem interface. When the appliance does not detect an external interface, a 3G/Modem tab is displayed in the left-side navigation bar.[...]

  • Page 432

    3G/Modem 432 SonicOS 5.8.1 Administrator Guide Selecting the 3G/Modem Status By default, the SonicWALL UTM appliance will attempt to auto-detect whether a connected external device is a 3G interface or an analog modem interface. You can manually specify which type of interface you want to configure on the 3G/Modem > Settings page. The 3G/Mode[...]

  • Page 433

    433 SonicOS 5.8.1 Administrator Guide CHAPTER 32 Chapter 32: Configuring 3G 3G This chapter describes how to configure the 3G wireless WAN interface on the SonicWALL UTM appliance. It contains the following sections: • “3G Overview” on page 433 • “3G > Status” on page 440 • “3G > Settings” on page 440 • “3G > Adv[...]

  • Page 434

    3G 434 SonicOS 5.8.1 Administrator Guide • Temporary networks where a pre-configured connection may not be available, such as trade-shows and kiosks. • Mobile networks, where the SonicWALL appliance is based in a vehicle. • Primary WAN connection where wire-based connections are not available and 3G Cellular is. Wireless Wide Area Network[...]

  • Page 435

    3G 435 SonicOS 5.8.1 Administrator Guide Understanding 3G Failover When the WAN Connection Model is set to Ethernet with 3G Failover, the WAN (Ethernet) interface is the primary connection. If the WAN interface fails, the SonicWALL appliance fails over to the 3G interface. Note It is important to note that the WAN-to-3G failover process is d[...]

  • Page 436

    3G 436 SonicOS 5.8.1 Administrator Guide Persistent Connection 3G Failover The following diagram depicts the sequence of events that occur when the WAN ethernet connection fails and the 3G Connection Profile is configured for Persistent Connection. 1. Primary Ethernet connection available – The Ethernet WAN interface is connected and used as[...]

  • Page 437

    3G 437 SonicOS 5.8.1 Administrator Guide Dial on Data 3G Failover The following diagram depicts the sequence of events that occur when the WAN ethernet connection fails and the 3G Connection Profile is configured for Dial on Data. 1. Primary Ethernet connection available – The Ethernet WAN interface is connected and used as the primary co[...]

  • Page 438

    3G 438 SonicOS 5.8.1 Administrator Guide Manual Dial 3G Failover The following diagram depicts the sequence of events that occur when the WAN ethernet connection fails and the 3G Connection Profile is configured for Manual Dial. Caution It is not recommended to use a Manual Dial 3G Connection Profile when the WAN Connection Model is set for E[...]

  • Page 439

    3G 439 SonicOS 5.8.1 Administrator Guide 3G Wireless WAN Service Provider Support SonicOS Enhanced supports the following 3G Wireless network providers (this list is subject to change): • Cingular Wireless • H3G • Sprint PCS Wireless • Verizon Wireless • Vodafone • Telecom Italia Mobile • Telefonica • T-Mobile • TDC Song ?[...]

  • Page 440

    3G 440 SonicOS 5.8.1 Administrator Guide 3G > Status The 3G > Status page displays the current status of 3G on the SonicWALL appliance. It indicates the status of the 3G connection, the current active WAN interface, or the current backup WAN interface. It also displays IP address information, DNS server addresses, the current active dial[...]

  • Page 441

    3G 441 SonicOS 5.8.1 Administrator Guide • Syslog traffic To configure the SonicWALL appliance for Connect on Data operation, you must select Dial on Data as the Dial Type for the Connection Profile. See “3G > Connection Profiles” on page 444 for more details. Management/User Login The Management/User Login section must be configured [...]

  • Page 442

    3G 442 SonicOS 5.8.1 Administrator Guide 3. In the Probe Type menu, select one of the following options: – Probe succeeds when either Main Target or Alternate Target responds – Probe succeeds when both Main Target and Alternative Target respond – Probe succeeds when Main Target responds – Succeeds Always (no probing) 4. For both the M[...]

  • Page 443

    3G 443 SonicOS 5.8.1 Administrator Guide • The SonicWALL Security Appliance is configured to be managed using HTTPS, so that the device can be accessed remotely. • It is recommended that you enter a value in the Enable Max Connection Time (minutes) field. This field is located in the 3G Profile Configuration window on the Parameters tab. S[...]

  • Page 444

    3G 444 SonicOS 5.8.1 Administrator Guide 3G_profiles 3G > Connection Profiles Use the 3G > Connection Profiles to configure 3G connection profiles and set the primary and alternate profiles. Select the Primary 3G connection profile in the Primary Profile pulldown menu. Optionally, you can select up to two alternate 3G profiles. To create a[...]

  • Page 445

    3G 445 SonicOS 5.8.1 Administrator Guide General Tab The General tab allows the administrator to configure general connection settings for the 3G service provider. After selecting your country, service provider, and plan type, the rest of the fields are automatically filled for most service providers. 1. On the 3G > Connection Profiles page,[...]

  • Page 446

    3G 446 SonicOS 5.8.1 Administrator Guide Parameters Tab The Parameters tab allows the administrator to configure under what conditions the 3G service connects. The three connection types are Persistent, Connect on Data, and Manual. The mechanics of these connection types are described in the “Understanding 3G Connection Models” section on[...]

  • Page 447

    3G 447 SonicOS 5.8.1 Administrator Guide 7. Select the Disable VPN when Dialed checkbox to disable VPN connections over the 3G interface. IP Addresses Tab The IP Addresses tab allows the administrator to configure dynamic or static IP addressing for this interface. In most cases, this feature is set to Obtain an IP Address Automatically, howev[...]

  • Page 448

    3G 448 SonicOS 5.8.1 Administrator Guide Note When this feature is enabled, if the checkbox for a day is not selected, 3G access will be denied for that entire day. 1. Click on the Schedule tab. 2. Select the Limit Times for Connection Profile checkbox to enable the scheduling feature for this interface. 3. Select the checkbox for each Day of W[...]

  • Page 449

    3G 449 SonicOS 5.8.1 Administrator Guide 2. Select the Enable Data Usage Limiting checkbox to have the 3G interface become automatically disabled when the specified data or time limit has been reached for the month. 3. Select the day of the month to start tracking the monthly data or time usage in the Billing Cycle Start Date pulldown menu. 4.[...]

  • Page 450

    3G 450 SonicOS 5.8.1 Administrator Guide 3G_data 3G > Data Usage On the 3G > Data Usage page, you can monitor the amount of data transferred over the 3G interface in the Data Usage table and view details of 3G sessions in the Session History table. The Data Usage table displays the current data usage and online time for the current Y [...]

  • Page 451

    3G 451 SonicOS 5.8.1 Administrator Guide Managing 3G Connections To initiate a 3G connection, perform the following steps: click on the Manage button in the 3G interface line on the Network > Interfaces page. The 3G Connection window displays. Click the Connect button. The SonicWALL appliance attempts to connect to the 3G service provider. T[...]

  • Page 452

    3G 452 SonicOS 5.8.1 Administrator Guide • Generation - WWAN protocols are divided by generation, such as 2G, 2.5G, and 3G, where 1G would be the original analog cellular networks. Each generational advance is usually characterized by improvements in speed and capacity. Although 3G is most commonly used to describe Wireless Wide Area Networking,[...]

  • Page 453

    3G 453 SonicOS 5.8.1 Administrator Guide allow for a subscriber's identity to move from one GSM device to another. Many operators lock their devices to prevent the use of other operators' SIM cards, but operators will sometimes unlock their devices if certain conditions are met. • TDMA - Time Division Multiple Access - TDMA is used[...]

  • Page 454

    3G 454 SonicOS 5.8.1 Administrator Guide[...]

  • Page 455

    455 SonicOS 5.8.1 Administrator Guide CHAPTER 33 Chapter 33: Configuring Modem modem Modem The following sections describe how to configure and use the modem functionality on a SonicWALL UTM appliance: • “Modem > Status” on page 455 • “Modem > Settings” on page 456 • “Modem > Advanced” on page 457 • “Modem > Co[...]

  • Page 456

    Modem 456 SonicOS 5.8.1 Administrator Guide If the modem is inactive, the Status page displays a list of possible reasons that your modem is inactive. When the modem is active, the network settings from the ISP are used for WAN access. Modem > Settings The Modem > Settings page allows you to configure modem settings, specify Connect on D[...]

  • Page 457

    Modem 457 SonicOS 5.8.1 Administrator Guide The Connect on Data Categories include: • NTP packets • GMS Heartbeats • System log e-mails • AV Profile Updates • SNMP Traps • Licensed Updates • Firmware Update requests • Syslog traffic Management/User Login The Management/User Login section allows you to enable remote m[...]

  • Page 458

    Modem 458 SonicOS 5.8.1 Administrator Guide 3. The SonicWALL then initiates a modem connection to its dial-up ISP, based on the configured dial profile. 4. The network administrator accesses the SonicWALL web management interface to perform the required tasks. Note If LAN-to-WAN traffic on the SonicWALL generates a dial-out request at th[...]

  • Page 459

    Modem 459 SonicOS 5.8.1 Administrator Guide 2. Click the Enable Ingress Bandwidth Management checkbox to enable bandwidth management policy enforcement on inbound traffic. 3. Select a Compression Multiplier from the drop-down list. Connection Limit The Connection Limit section allows the administrator to set a host/node limit on the mo[...]

  • Page 460

    Modem 460 SonicOS 5.8.1 Administrator Guide Configuring a Profile 1. In the Modem > Connection Profiles page, click the Add button. The Modem Profile Configuration window is displayed for configuring a dialup profile. Once you create your profiles, you can then specify which profiles to use for WAN failover or Internet access. To[...]

  • Page 461

    Modem 461 SonicOS 5.8.1 Administrator Guide 8. Click the ISP Address tab. 9. In the ISP Address Setting section, select Obtain an IP Address Automatically if you do not have a permanent dialup IP address from your ISP. If you have a permanent dialup IP address from your ISP, select Use the following IP Address and enter the IP addres[...]

  • Page 462

    Modem 462 SonicOS 5.8.1 Administrator Guide applications such as AutoUpdate and Anti-Virus. If Enable WAN Failover is selected on the Modem > Failover page, the pings generated by the probe can trigger the modem to dial when no WAN Ethernet connection is detected. If the Primary Profile cannot connect, the modem uses the Alternate Profile 1 t[...]

  • Page 463

    Modem 463 SonicOS 5.8.1 Administrator Guide 21. Click the Schedule tab. 22. If you want to specify scheduled times the modem can connect, select Limit Times for Dialup Profile. Enter times for each day in 24-hour format that you want the modem to be able to make a connection. 23. Click OK to add the dial-up profile to the SonicWALL s[...]

  • Page 464

    Modem 464 SonicOS 5.8.1 Administrator Guide The next line has OK as the expected string, and the interpreter waits for OK to be returned in response to the previous command, ATV1, before continuing the script. If OK is not returned within the default time period of 50 seconds, the chat interpreter aborts the script and the connection fails.[...]

  • Page 465

    SonicOS 5.8.1 Administrator Guide 465 PART 6 Part 6: Wireless[...]

  • Page 466

    466 SonicOS 5.8.1 Administrator Guide[...]

  • Page 467

    467 SonicOS 5.8.1 Administrator Guide CHAPTER 34 Chapter 34: Viewing WLAN Settings, Statistics, and Station Status Wireless Overview Note The wireless features described apply only to SonicWALL appliances equipped with internal wireless hardware, such as the TZ series, the NSA 220W, and the NSA 250MW. The SonicWALL Wireless security applian[...]

  • Page 468

    Wireless Overview 468 SonicOS 5.8.1 Administrator Guide • VPN tunnel Considerations for Using Wireless Connections • Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections. • Convenience - wireless networks do not require cabling of individual computers or opening computer cases to i[...]

  • Page 469

    Wireless Overview 469 SonicOS 5.8.1 Administrator Guide • Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other. • Building construction can make a difference on wireless performance. Avoid placing the [...]

  • Page 470

    Wireless > Status 470 SonicOS 5.8.1 Administrator Guide Wireless > Status The Wireless > Status page provides status information for the wireless network, including WLAN Settings, WLAN Statistics, WLAN Activities and Station Status. The Wireless > Status page has four tables: • “WLAN Settings” on page 471 • “WLAN St [...]

  • Page 471

    Wireless > Status 471 SonicOS 5.8.1 Administrator Guide WLAN Settings The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration. Enabled features are displayed in green, and disabled features are displaye[...]

  • Page 472

    Wireless > Status 472 SonicOS 5.8.1 Administrator Guide WLAN Statistics The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic. WLAN Activities The WLAN Acti[...]

  • Page 473

    Wireless > Status 473 SonicOS 5.8.1 Administrator Guide Station Status The Station Status table displays information about wireless connections associated with the wireless security appliance. • Station - the name of the connection used by the MAC address • MAC Address - the wireless network card MAC address • Authenticated - stat[...]

  • Page 474

    Wireless > Status 474 SonicOS 5.8.1 Administrator Guide[...]

  • Page 475

    475 SonicOS 5.8.1 Administrator Guide CHAPTER 35 Chapter 35: Configuring Wireless Settings Wireless > Settings The Wireless > Settings page allows you to configure settings for the 802.11 wireless antenna.[...]

  • Page 476

    Wireless > Settings 476 SonicOS 5.8.1 Administrator Guide Wireless Radio Mode The Radio Role allows you to configure the SonicWALL TZ wireless for one of two modes: Note Be aware that when switching between radio roles, the SonicWALL may require a restart. Access Point - Configures the SonicWALL as an Internet/network gateway for wireless[...]

  • Page 477

    Wireless > Settings 477 SonicOS 5.8.1 Administrator Guide Wireless Settings Enable WLAN Radio: Check this checkbox to turn the radio on, and enable wireless networking. Click Apply in the top right corner of the management interface to have this setting take effect. Schedule: The schedule determines when the radio is on to send and recei[...]

  • Page 478

    Wireless > Settings 478 SonicOS 5.8.1 Administrator Guide – Standard Channel - This pulldown menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of[...]

  • Page 479

    479 SonicOS 5.8.1 Administrator Guide CHAPTER 36 Chapter 36: Configuring Wireless Security Wireless > Security Note When the SonicWALL wireless security appliance is configured in Access Point mode, this page is called Security. When the appliance is configured in Wireless Bridge mode, this page is called WEP Encryption. Wired Equivalent P[...]

  • Page 480

    Wireless > Security 480 SonicOS 5.8.1 Administrator Guide • Transparent authentication with Windows log-in • No client software needed in most cases WPA2 • Best security (uses AES) • For use with trusted corporate wireless clients • Transparent authentication with Windows log-in • Client software install may be necessary in so[...]

  • Page 481

    Wireless > Security 481 SonicOS 5.8.1 Administrator Guide WPA2 and WPA PSK Settings Encryption Mode: In the Authentication Type field, select either WPA-PSK, WPA2-PSK, or WPA2-Auto-PSK. WPA Settings • Cypher Type: select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis. ?[...]

  • Page 482

    Wireless > Security 482 SonicOS 5.8.1 Administrator Guide WPA2 and WPA EAP Settings Encryption Mode: In the Authentication Type field, select either WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP. WPA Settings • Cypher Type: Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis. ?[...]

  • Page 483

    Wireless > Security 483 SonicOS 5.8.1 Administrator Guide • Both (Open System & Shared Key): The Default Key assignments are not important as long as the identical keys are used in each field. If Shared Key is selected, then the key assignment is important. To configure wireless security on the SonicWALL, navigate to the Wireless >[...]

  • Page 484

    Wireless > Security 484 SonicOS 5.8.1 Administrator Guide[...]

  • Page 485

    485 SonicOS 5.8.1 Administrator Guide CHAPTER 37 Chapter 37: Configuring Advanced Wireless Settings Wireless > Advanced To access Advanced configuration settings for the SonicWALL wireless security appliance, log into the SonicWALL, click Wireless, and then Advanced. The Wireless > Advanced page is only available when the SonicWALL [...]

  • Page 486

    Wireless > Advanced 486 SonicOS 5.8.1 Administrator Guide Beaconing & SSID Controls 1. Select Hide SSID in Beacon. Suppresses broadcasting of the SSID name and disables responses to probe requests. Checking this option helps prevent your wireless SSID from being seen by unauthorized wireless clients. 2. Type a value in milliseconds for [...]

  • Page 487

    Wireless > Advanced 487 SonicOS 5.8.1 Administrator Guide Step 8 The Association Timeout (seconds) is 300 seconds by default, and the allowed range is from 60 to 36000 seconds. If your network is very busy, you can increase the timeout by increasing the number of seconds in the Association Timeout (seconds) field. Step 9 Set the Maximum Clie[...]

  • Page 488

    Wireless > Advanced 488 SonicOS 5.8.1 Administrator Guide[...]

  • Page 489

    489 SonicOS 5.8.1 Administrator Guide CHAPTER 38 Chapter 38: Configuring MAC Filter List Wireless > MAC Filter List Wireless networking provides native MAC filtering capabilities which prevent wireless clients from authenticating and associating with the wireless security appliance. If you enforce MAC filtering on the WLAN, wireless client [...]

  • Page 490

    Wireless > MAC Filter List 490 SonicOS 5.8.1 Administrator Guide The items in the list are address object groups, defined groups of objects that represent specific IP addresses or ranges of addresses that can be used throughout the management interface to specify network resources. An address object group can contain other address object group[...]

  • Page 491

    491 SonicOS 5.8.1 Administrator Guide CHAPTER 39 Chapter 39: Configuring Wireless IDS Wireless > IDS Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWALL wireless security appliances by enabling them to recognize and even take countermeasures against the most common types of illicit wireless[...]

  • Page 492

    Wireless > IDS 492 SonicOS 5.8.1 Administrator Guide connectivity for associated wireless clients. While in Access Point mode, the Scan Now function should only be used if no clients are actively associated, or if the possibility of client interruption is acceptable. Intrusion Detection Settings Rogue Access Points have emerged as one of the[...]

  • Page 493

    Wireless > IDS 493 SonicOS 5.8.1 Administrator Guide Discovered Access Points The Discovered Access Points table displays information on every access point that can be detected by all your SonicPoints or on an individual SonicPoint basis: • MAC Address (BSSID): The MAC address of the radio interface of the detected access point. • SSID:[...]

  • Page 494

    Wireless > IDS 494 SonicOS 5.8.1 Administrator Guide[...]

  • Page 495

    495 SonicOS 5.8.1 Administrator Guide CHAPTER 40 Chapter 40: Configuring Virtual Access Points with Internal Wireless Radio Wireless > Virtual Access Point This chapter describes the Virtual Access Point feature and includes the following sections: • “Wireless VAP Overview” section on page 495 • “Wireless Virtual AP Configuration [...]

  • Page 496

    Wireless > Virtual Access Point 496 SonicOS 5.8.1 Administrator Guide to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protoco[...]

  • Page 497

    Wireless > Virtual Access Point 497 SonicOS 5.8.1 Administrator Guide Wireless VAP Configuration Overview The following are required areas of configuration for VAP deployment: Step 1 Zone - The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings and you can create and[...]

  • Page 498

    Wireless > Virtual Access Point 498 SonicOS 5.8.1 Administrator Guide Network Zones This section contains the following subsections: • “The Wireless Zone” section on page 498 • “Custom Wireless Zone Settings” section on page 498 A network security zone is a logical method of grouping one or more interfaces with friendly, user-co[...]

  • Page 499

    Wireless > Virtual Access Point 499 SonicOS 5.8.1 Administrator Guide General Feature Description Name Create a name for your custom zone Security Type Select Wireless in order to enable and access wireless security options. Allow Interface Trust Select this option to automatically create access rules to allow traffic to flow between the in[...]

  • Page 500

    Wireless > Virtual Access Point 500 SonicOS 5.8.1 Administrator Guide Wireless Feature Description Only allow traffic generated by a SonicPoint Restricts traffic on this zone to internally-generated traffic only. SSL VPN Enforcement Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all wi[...]

  • Page 501

    Wireless > Virtual Access Point 501 SonicOS 5.8.1 Administrator Guide Guest Services The Enable Guest Services option allows the following guest services to be applied to a zone: Feature Description Enable inter-guest communication Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each o[...]

  • Page 502

    Wireless > Virtual Access Point 502 SonicOS 5.8.1 Administrator Guide Wireless LAN Subnets A Wireless LAN (WLAN) subnet allows you to split a single wireless radio interface (W0) into many virtual network connections, each carrying its own set of configurations. The WLAN subnet solution allows each VAP to have its own virtual separate subint[...]

  • Page 503

    Wireless > Virtual Access Point 503 SonicOS 5.8.1 Administrator Guide DHCP Server Scope The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. Take care in making these settings manually, as a scope of 200 addresses for multiple interfaces that will only use 30 can lead to connection issues d[...]

  • Page 504

    Wireless > Virtual Access Point 504 SonicOS 5.8.1 Administrator Guide Virtual Access Point Profile Settings The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings: Feature Description Name Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as y[...]

  • Page 505

    Wireless > Virtual Access Point 505 SonicOS 5.8.1 Administrator Guide WPA-PSK / WPA2-PSK Encryption Settings Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key. WPA-EAP / WPA2-EAP Encryption Settings Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution utiliz[...]

  • Page 506

    Wireless > Virtual Access Point 506 SonicOS 5.8.1 Administrator Guide General VAP Settings Advanced VAP Settings Advanced settings allow the administrator to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user created profile. See “Virtual Access Point Profiles”[...]

  • Page 507

    Wireless > Virtual Access Point 507 SonicOS 5.8.1 Administrator Guide Enabling the Virtual Access Point Group After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Interna[...]

  • Page 508

    Wireless > Virtual Access Point 508 SonicOS 5.8.1 Administrator Guide General Settings Tab Step 1 In the General tab, enter a friendly name such as “WLAN_Faculty” in the Name field. Step 2 Select Wireless from the Security Type drop-down menu. Step 3 Select the Allow Interface Trust checkbox to allow communication between faculty users[...]

  • Page 509

    Wireless > Virtual Access Point 509 SonicOS 5.8.1 Administrator Guide Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step. Creating a New Wireless Subnet In this section you will create and configure a new wireless subnet on your cur[...]

  • Page 510

    Wireless > Virtual Access Point 510 SonicOS 5.8.1 Administrator Guide Creating the Wireless VAP In this section, you will create and configure a new Virtual Access Point and associate it with the wireless subnet you created in “Creating a New Wireless Subnet” section on page 509. General Tab Step 1 In the left-hand menu, navigate to [...]

  • Page 511

    Wireless > Virtual Access Point 511 SonicOS 5.8.1 Administrator Guide Deploying VAPs to the Wireless Radio In the following section you will group and deploy your new VAPs, associating them with the internal wireless radio. Users will not be able to access your VAPs until you complete this process: • Grouping Multiple VAPs, page 511 ?[...]

  • Page 512

    Wireless > Virtual Access Point 512 SonicOS 5.8.1 Administrator Guide[...]

  • Page 513

    SonicOS 5.8.1 Administrator Guide 513 PART 7 Part 7: SonicPoint[...]

  • Page 514

    514 SonicOS 5.8.1 Administrator Guide[...]

  • Page 515

    515 SonicOS 5.8.1 Administrator Guide CHAPTER 41 Chapter 41: Managing SonicPoints SonicPoint > SonicPoints SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL security appliances to provide wireless access throughout your enterprise. The SonicPoint section of the Management Interface lets you manage[...]

  • Page 516

    SonicPoint > SonicPoints 516 SonicOS 5.8.1 Administrator Guide Before Managing SonicPoints Before you can manage SonicPoints in the Management Interface, you must first: • Verify that the SonicPoint image is downloaded to your SonicWALL security appliance. See “Updating SonicPoint Firmware” on page 527. • Configure your SonicPoint P[...]

  • Page 517

    SonicPoint > SonicPoints 517 SonicOS 5.8.1 Administrator Guide Configuring a SonicPoint Profile The SonicPoint profile configuration process for 802.11n is slightly different than for 802.11a or 802.11g. The following sections describe how to configure SonicPoint profiles: • “Configuring a SonicPointN Profile for 802.11n” on page 517 ?[...]

  • Page 518

    SonicPoint > SonicPoints 518 SonicOS 5.8.1 Administrator Guide – 802.11n Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPoint Ns to a VAP. This pulldown menu allows you to create a new VAP group. For more information on VAPs, see “SonicPoint > Virtual Access Poi[...]

  • Page 519

    SonicPoint > SonicPoints 519 SonicOS 5.8.1 Administrator Guide • 5 GHz 802.11a Only - Select this mode if only 802.11a clients access your wireless network. – SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients’ lists of available wireless connections. Note [...]

  • Page 520

    SonicPoint > SonicPoints 520 SonicOS 5.8.1 Administrator Guide Step 4 In the Wireless Security section of the 802.11n Radio tab, configure the following settings: – Authentication Type: Select the method of authentication for your wireless network. You can select WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Share[...]

  • Page 521

    SonicPoint > SonicPoints 521 SonicOS 5.8.1 Administrator Guide – Schedule IDS Scan: Select a time when there are fewer demands on the wireless network to schedule an Intrusion Detection Service (IDS) scan to minimize the inconvenience of dropped wireless connections. – Data Rate: Select the speed at which the data is transmitted and rece[...]

  • Page 522

    SonicPoint > SonicPoints 522 SonicOS 5.8.1 Administrator Guide Modifications to profiles will not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways: • Via manual configuration changes – Appropriate when a single, or a small set o[...]

  • Page 523

    SonicPoint > SonicPoints 523 SonicOS 5.8.1 Administrator Guide – 802.11g Virtual AP Group and 802.11a Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPoints to a VAP. This pulldown menu allows you to create a new VAP group. For more information on VAPs, see “SonicPo[...]

  • Page 524

    SonicPoint > SonicPoints 524 SonicOS 5.8.1 Administrator Guide – WEP Key Mode: Select the size of the encryption key. – Default Key: Select which key in the list below is the default key, which will be tried first when trying to authenticate a user. – Key Entry: Select whether the key is alphanumeric or hexadecimal. – Key 1 - Key 4[...]

  • Page 525

    SonicPoint > SonicPoints 525 SonicOS 5.8.1 Administrator Guide The SonicPoint-N wireless security appliance employs three antennas. The Antenna Diversity is set to Best by default; this is the only setting available for this appliance. • 1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the SonicPoint, antenna[...]

  • Page 526

    SonicPoint > SonicPoints 526 SonicOS 5.8.1 Administrator Guide If the SonicPoint does locate, or is located by a peer SonicOS device, via the SonicWALL Discovery Protocol, an encrypted exchange between the two units will ensue wherein the profile assigned to the relevant Wireless zone will be used to automatically configure (provision) the [...]

  • Page 527

    SonicPoint > SonicPoints 527 SonicOS 5.8.1 Administrator Guide Edit SonicPoint Settings To edit the settings of an individual SonicPoint: Step 1 Under SonicPoint Settings, click the Edit icon in the same line as the SonicPoint you want to edit. Step 2 In Edit SonicPoint screen, make the changes you want. See “Configuring a SonicPoint Pro[...]

  • Page 528

    SonicPoint > SonicPoints 528 SonicOS 5.8.1 Administrator Guide You can change the file name of the SonicPoint image, but you should keep the extension intact (ex: .bin.sig). Step 3 In the SonicOS user interface on your SonicWALL appliance, in the navigation pane, click System and then click Administration. Step 4 In the System > Admin[...]

  • Page 529

    SonicPoint Deployment Best Practices 529 SonicOS 5.8.1 Administrator Guide • Safemode – Safemode can be engaged by depressing the reset button, or from the SonicOS peer device. Placing a SonicPoint into Safemode returns its configuration to defaults, disables the radios, and disables SDP. The SonicPoint must then be rebooted to enter either a [...]

  • Page 530

    SonicPoint Deployment Best Practices 530 SonicOS 5.8.1 Administrator Guide http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA1-9147ENUC.pdf Best practices information is provided in the following sections: • “Prerequisites” on page 530 • “Layer 2 and Layer 3 Considerations for SonicPoints” on page 531 • “Tested Switches” on page 53[...]

  • Page 531

    SonicPoint Deployment Best Practices 531 SonicOS 5.8.1 Administrator Guide Layer 2 and Layer 3 Considerations for SonicPoints SonicWALL uses two proprietary protocols (SDP and SSPP) and both *cannot* be routed across any layer 3 device. Any SonicPoint that will be deployed must have an Ethernet connection back to the provisioning SonicWALL UTM[...]

  • Page 532

    SonicPoint Deployment Best Practices 532 SonicOS 5.8.1 Administrator Guide (microwaves, CAT Scan equipment, etc…) In areas where a lot of electrical equipment is placed, also take a look at the cabling being used. In areas with a lot of electrical equipment UTP should not be used; FTP or STP is required. • Survey three dimensionally, wi[...]

  • Page 533

    SonicPoint Deployment Best Practices 533 SonicOS 5.8.1 Administrator Guide • Intel PRO/Wireless 2200BG Network Connection • Intel PRO/Wireless 2915ABG Network Connection • Intel PRO/Wireless 3945ABG Network Connection These wireless cards are provided to OEM laptop manufacturers and are often rebranded under the manufacturer’s name – for [...]

  • Page 534

    SonicPoint Deployment Best Practices 534 SonicOS 5.8.1 Administrator Guide • Because of this, make sure each port can get 10 Watts guaranteed if possible, and set the PoE priority to critical or high. • One thing to be particularly careful to plan for is that not all PoE switches can provide the full 15.4 watts of power to each of its PoE p[...]

  • Page 535

    SonicPoint Deployment Best Practices 535 SonicOS 5.8.1 Administrator Guide Troubleshooting Older SonicPoints If you have an older SonicPoint and it’s consistently port flapping, or doesn’t power up at all, or is stuck reboot cycling, or reports in the GUI as stuck in provisioning, check to see if you are running a current version of firmware,[...]

  • Page 536

    SonicPoint Deployment Best Practices 536 SonicOS 5.8.1 Administrator Guide • Note that SonicPoints have a ‘Standalone Mode’ which they will transition to if they can’t find a SonicWALL UTM appliance. If you have more than one SonicPoint, you may have issues as all of the SonicPoints will revert to the same default IP address of 192.168[...]

  • Page 537

    SonicPoint Deployment Best Practices 537 SonicOS 5.8.1 Administrator Guide Sample Cisco Catalyst switch configuration Any Cisco POE Switch: On the connecting interface/port, issue the command ‘Power inline static 10000’. 2900/3500-series: 1. On the connecting interface/port, issue the command ‘spanning-tree port fast’, which will greatly r[...]

  • Page 538

    SonicPoint Deployment Best Practices 538 SonicOS 5.8.1 Administrator Guide • no lldp enable • mdix on • mdix auto • no port storm-control broadcast enable Sample D-Link switch configuration The D-Link PoE switches do not have a CLI, so you will need to use their web GUI. Note that D-Link recommends upgrading to Firmware Version 1.20.09 if[...]

  • Page 539

    539 SonicOS 5.8.1 Administrator Guide CHAPTER 42 Chapter 42: Viewing Station Status SonicPoint > Station Status The SonicPoint > Station Status page reports on the statistics of each SonicPoint. The table lists entries for each wireless client connected to each SonicPoint. The sections of the table are divided by SonicPoint. Under e[...]

  • Page 540

    SonicPoint > Station Status 540 SonicOS 5.8.1 Administrator Guide Click on the Statistics icon to see a detailed report for an individual station. Each SonicPoint device reports for both radios, and for each station, the following information to its SonicOS peer: • MAC Address – The client’s (Station’s) hardware address. • St[...]

  • Page 541

    SonicPoint > Station Status 541 SonicOS 5.8.1 Administrator Guide • Management Frames Received – Total number of Management frames received. Management Frames include: – Association request – Association response – Re-association request – Re-association response – Probe request – Probe response – Beacon frame – ATIM messag[...]

  • Page 542

    SonicPoint > Station Status 542 SonicOS 5.8.1 Administrator Guide[...]

  • Page 543

    543 SonicOS 5.8.1 Administrator Guide CHAPTER 43 Chapter 43: Using and Configuring IDS SonicPoint > IDS You can have many wireless access points within reach of the signal of the SonicPoints on your network. The SonicPoint > IDS page reports on all access points the SonicWALL security appliance can find by scanning the 802.11a and 802[...]

  • Page 544

    SonicPoint > IDS 544 SonicOS 5.8.1 Administrator Guide Intrusion Detection Settings Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability [...]

  • Page 545

    SonicPoint > IDS 545 SonicOS 5.8.1 Administrator Guide Discovered Access Points The Discovered Access points displays information on every access point that can be detected by the SonicPoint radio: • SonicPoint: The SonicPoint that detected the access point. • MAC Address (BSSID): The MAC address of the radio interface of the detected a[...]

  • Page 546

    SonicPoint > IDS 546 SonicOS 5.8.1 Administrator Guide[...]

  • Page 547

    547 SonicOS 5.8.1 Administrator Guide CHAPTER 44 Chapter 44: Configuring Virtual Access Points SonicPoint > Virtual Access Point This chapter describes the Virtual Access Point feature and includes the following sections: • “SonicPoint VAP Overview” section on page 547 • “Prerequisites” section on page 550 • “Deployment Restr[...]

  • Page 548

    SonicPoint > Virtual Access Point 548 SonicOS 5.8.1 Administrator Guide What Is a Virtual Access Point? A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP[...]

  • Page 549

    SonicPoint > Virtual Access Point 549 SonicOS 5.8.1 Administrator Guide What Is an SSID? A Service Set IDentifier (SSID) is the name assigned to a wireless network. Wireless clients must use this same, case-sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up to 32 bytes long. Multiple SonicPoints on a netw[...]

  • Page 550

    SonicPoint > Virtual Access Point 550 SonicOS 5.8.1 Administrator Guide Benefits of Using Virtual APs This section includes a list of benefits in using the Virtual AP feature: • Radio Channel Conservation —Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes to avoid channe[...]

  • Page 551

    SonicPoint > Virtual Access Point 551 SonicOS 5.8.1 Administrator Guide Deployment Restrictions When configuring your VAP setup, be aware of the following deployment restrictions: • Maximum SonicPoint restrictions apply and differ based on your SonicWALL security appliance. Review these restrictions in the “Custom VLAN Settings” section[...]

  • Page 552

    SonicPoint > Virtual Access Point 552 SonicOS 5.8.1 Administrator Guide must use the same set of WEP keys. Up to 4 keys can be defined per-SonicPoint, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint > SonicPoints page. Network Zones [...]

  • Page 553

    SonicPoint > Virtual Access Point 553 SonicOS 5.8.1 Administrator Guide A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, the administrator can group similar interfaces[...]

  • Page 554

    SonicPoint > Virtual Access Point 554 SonicOS 5.8.1 Administrator Guide General Feature Description Name Create a name for your custom zone Security Type Select Wireless in order to enable and access wireless security options. Allow Interface Trust Select this option to automatically create access rules to allow traffic to flow between the i[...]

  • Page 555

    SonicPoint > Virtual Access Point 555 SonicOS 5.8.1 Administrator Guide Wireless Feature Description Only allow traffic generated by a SonicPoint Restricts traffic on this zone to SonicPoint-generated traffic only. SSL VPN Enforcement Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all w[...]

  • Page 556

    SonicPoint > Virtual Access Point 556 SonicOS 5.8.1 Administrator Guide Guest Services The Enable Guest Services option allows the following guest services to be applied to a zone: Feature Description Enable inter-guest communication Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each[...]

  • Page 557

    SonicPoint > Virtual Access Point 557 SonicOS 5.8.1 Administrator Guide VLAN Subinterfaces A Virtual Local Area Network (VLAN) allows you to split your physical network connections (X2, X3, etc...) into many virtual network connections, each carrying its own set of configurations. The VLAN solution allows each VAP to have its own separate sub [...]

  • Page 558

    SonicPoint > Virtual Access Point 558 SonicOS 5.8.1 Administrator Guide DHCP Server Scope The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an inter[...]

  • Page 559

    SonicPoint > Virtual Access Point 559 SonicOS 5.8.1 Administrator Guide Virtual Access Point Profile Settings The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings: Feature Description Name Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember as[...]

  • Page 560

    SonicPoint > Virtual Access Point 560 SonicOS 5.8.1 Administrator Guide WPA-PSK / WPA2-PSK Encryption Settings Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key. WPA-EAP / WPA2-EAP Encryption Settings Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution uti[...]

  • Page 561

    SonicPoint > Virtual Access Point 561 SonicOS 5.8.1 Administrator Guide Virtual Access Points The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual Access Points are configured from the SonicPoint > Virtual Access Point page. General VAP Settings Advanced VAP Set[...]

  • Page 562

    SonicPoint > Virtual Access Point 562 SonicOS 5.8.1 Administrator Guide Virtual Access Point Groups The Virtual Access Point Groups feature is available on SonicWALL NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s). Virtual Access Point Groups are configured from the SonicPo[...]

  • Page 563

    SonicPoint > Virtual Access Point 563 SonicOS 5.8.1 Administrator Guide A Sample Network The following is a sample VAP network configuration, describing four separate VAPs: • VAP #1, Corporate Wireless Users – A set of users who are commonly in the office, and to whom should be given full access to all network resources, providing that[...]

  • Page 564

    SonicPoint > Virtual Access Point 564 SonicOS 5.8.1 Administrator Guide How many users will each VAP need to support? A corporate campus has 100 employees, all of whom have wireless capabilities The DHCP scope for the visitor zone is set to provide at least 100 addresses A corporate campus often has a few dozen wireless capable visitors The DHC[...]

  • Page 565

    SonicPoint > Virtual Access Point 565 SonicOS 5.8.1 Administrator Guide VAP Sample Configurations This section provides configuration examples based on real-world wireless needs. This section contains the following subsections: • “Configuring a VAP for Guest Access” section on page 565 • “Configuring a VAP for Corporate LAN Access?[...]

  • Page 566

    SonicPoint > Virtual Access Point 566 SonicOS 5.8.1 Administrator Guide General Settings Tab Step 1 In the General tab, enter a friendly name such as “VAP-Guest” in the Name field. Step 2 Select Wireless from the Security Type drop-down menu. Step 3 De-select the Allow Interface Trust checkbox to disallow communication between wirele[...]

  • Page 567

    SonicPoint > Virtual Access Point 567 SonicOS 5.8.1 Administrator Guide Guest Services Tab Step 1 In the Guest Services tab, check the Enable Guest Services checkbox. Note In the following example, steps 2 through 7 are optional; they only represent a typical guest VAP configuration using guest services. Steps 2 and 7, however, are re[...]

  • Page 568

    SonicPoint > Virtual Access Point 568 SonicOS 5.8.1 Administrator Guide Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step. Creating a Wireless LAN (WLAN) Interface In this section you will configure one of your ports to act as a[...]

  • Page 569

    SonicPoint > Virtual Access Point 569 SonicOS 5.8.1 Administrator Guide Creating a VLAN Subinterface on the WLAN In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the “Configuring a Zone” section on page 565. Step 1 In the Network > Interface[...]

  • Page 570

    SonicPoint > Virtual Access Point 570 SonicOS 5.8.1 Administrator Guide Note If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL. For more information on DHCP lease exhaustion, refer to the “DHCP Server Scope” [...]

  • Page 571

    SonicPoint > Virtual Access Point 571 SonicOS 5.8.1 Administrator Guide Creating the SonicPoint VAP In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in “Creating a VLAN Subinterface on the WLAN” section on page 569. Step 1 In the left-hand menu, navigate to the SonicPoi[...]

  • Page 572

    SonicPoint > Virtual Access Point 572 SonicOS 5.8.1 Administrator Guide Configuring a VAP for Corporate LAN Access You can use a Corporate LAN VAP for a set of users who are commonly in the office, and to whom should be given full access to all network resources, providing that the connection is authenticated and secure. These users would al[...]

  • Page 573

    SonicPoint > Virtual Access Point 573 SonicOS 5.8.1 Administrator Guide Wireless Settings Tab Step 1 In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox. Step 2 Select the checkbox for WiFiSec Enforcement to enable WiFiSec security on this connection. Step 3 Select Trust WPA/WPA2 traffic as WiFiSec to ena[...]

  • Page 574

    SonicPoint > Virtual Access Point 574 SonicOS 5.8.1 Administrator Guide Creating a VLAN Subinterface on the WLAN In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the “Configuring a Zone” section on page 572. Step 1 In the Network > Interface[...]

  • Page 575

    SonicPoint > Virtual Access Point 575 SonicOS 5.8.1 Administrator Guide Note If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL. For more information on DHCP lease exhaustion, refer to the “DHCP Server Scope” s[...]

  • Page 576

    SonicPoint > Virtual Access Point 576 SonicOS 5.8.1 Administrator Guide Creating the SonicPoint VAP In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in “Creating a VLAN Subinterface on the WLAN” section on page 574. General Tab Step 1 In the left-hand menu, navigate to [...]

  • Page 577

    SonicPoint > Virtual Access Point 577 SonicOS 5.8.1 Administrator Guide Tip Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously to all of your SonicPoints by following the steps in the “Deploying VAPs to a SonicPoint” section on page 577. Deploying VAPs to a SonicPoint In the foll[...]

  • Page 578

    SonicPoint > Virtual Access Point 578 SonicOS 5.8.1 Administrator Guide Creating a SonicPoint Provisioning Profile In this section, you will associate the group you created in the “Grouping Multiple VAPs” section on page 577 with a SonicPoint by creating a provisioning profile. This profile will allow you to provision settings from a grou[...]

  • Page 579

    SonicPoint > Virtual Access Point 579 SonicOS 5.8.1 Administrator Guide Associating a VAP Group with your SonicPoint If you did not create a SonicPoint Provisioning Profile, you can provision your SonicPoint(s) manually. You may want to use this method if you have only one SonicPoint to provision. This section is not necessary if you have [...]

  • Page 580

    SonicPoint > Virtual Access Point 580 SonicOS 5.8.1 Administrator Guide[...]

  • Page 581

    581 SonicOS 5.8.1 Administrator Guide CHAPTER 45 Chapter 45: Configuring RF Management SonicPoint > RF Management This chapter describes how to plan, design, implement, and maintain the RF Management feature in SonicWALL SonicOS Enhanced. This chapter contains the following sections: • “RF Management Overview” section on page 582 – ?[...]

  • Page 582

    SonicPoint > RF Management 582 SonicOS 5.8.1 Administrator Guide RF Management Overview The following section provides a brief overview of the RF Management feature found on SonicWALL security appliances running SonicOS Enhanced 5.0 or higher. This section contains the following subsections: • “Why RF Management?” section on page 582[...]

  • Page 583

    SonicPoint > RF Management 583 SonicOS 5.8.1 Administrator Guide Enabling RF Management on SonicPoint(s) In order for RF Management to be enforced, you must enable the RF Management option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Management enabled. Step[...]

  • Page 584

    SonicPoint > RF Management 584 SonicOS 5.8.1 Administrator Guide Using The RF Management Interface The RF Management interface (SonicPoint > RF Management) provides a central location for selecting RF signature types, viewing discovered RF threat stations, and adding discovered threat stations to a watch list. This section provides an o[...]

  • Page 585

    SonicPoint > RF Management 585 SonicOS 5.8.1 Administrator Guide Selecting RF Signature Types The RF Management interface allows you to select which types of RF threats your SonicWALL monitors and logs. Step 1 Navigate to SonicPoint > RF Management in the SonicWALL security appliance management interface. RF threat types are displayed, [...]

  • Page 586

    SonicPoint > RF Management 586 SonicOS 5.8.1 Administrator Guide Tip Did you know? It is possible to find approximate locations of RF Threat devices by using logged threat statistics. For more practical tips and information on using the RF Management threat statistics, see the “Practical RF Management Field Applications” section on pag[...]

  • Page 587

    SonicPoint > RF Management 587 SonicOS 5.8.1 Administrator Guide • Null Probe Response - When a wireless client sends out a probe request, the attacker sends back a response with a Null SSID. This response causes many popular wireless cards and devices to stop responding. • Broadcasting De-Authentication - This DoS variation sends a flood of[...]

  • Page 588

    SonicPoint > RF Management 588 SonicOS 5.8.1 Administrator Guide Before Reading this Section When using RF data to locate threats, keep in mind that wireless signals are affected by many factors. Before continuing, take note of the following: • Signal strength is not always a good indicator of distance - Obstructions such as walls, wirele[...]

  • Page 589

    SonicPoint > RF Management 589 SonicOS 5.8.1 Administrator Guide Using RSSI to Determine RF Threat Proximity This section builds on what was learned in the “Using Sensor ID to Determine RF Threat Location” section on page 588. In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which a particular Soni[...]

  • Page 590

    SonicPoint > RF Management 590 SonicOS 5.8.1 Administrator Guide[...]

  • Page 591

    591 SonicOS 5.8.1 Administrator Guide CHAPTER 46 Chapter 46: Using RF Analysis SonicPoint > RF Analysis This chapter describes how to use the RF Analysis feature in SonicWALL SonicOS Enhanced to help best utilize the wireless bandwidth with SonicPoint and SonicPoint-N appliances. This chapter contains the following sections: • “RF Analys[...]

  • Page 592

    SonicPoint > RF Analysis 592 SonicOS 5.8.1 Administrator Guide The RF Environment The IEEE 802.11 maintains that devices use ISM 2.4 GHz and 5GHz bands, with most of the current deployed wireless devices using the 2.4 GHz band. Because each channel occupies 20MHz wide spectrum, only three channels out of the 11 available are not overlapping.[...]

  • Page 593

    SonicPoint > RF Analysis 593 SonicOS 5.8.1 Administrator Guide Channel Utilization Graphs and Information In searching for a way to show how each channel is utilized for all connected SonicPoints, we settled on displaying a channel utilization graph. Figure 46:2 RFA Channel Utilization There are two color bars for each channel. The number on the [...]

  • Page 594

    SonicPoint > RF Analysis 594 SonicOS 5.8.1 Administrator Guide Making Sense of the RF Score RF Score is a calculated number on a scale of 1-10 which is used to represent the overall condition for a channel. The higher the score, the better the RF environment is. Low scores indicate that attention is needed by the administrator. SonicWALL wir[...]

  • Page 595

    SonicPoint > RF Analysis 595 SonicOS 5.8.1 Administrator Guide RFA Highly Interfered Channels Not only will APs working in the same channel create interference; APs working in adjacent channels (channel number less than 5 apart) will also interfere with each other. RFA will give a warning when it detects that around a certain SonicPoint, ther[...]

  • Page 596

    SonicPoint > RF Analysis 596 SonicOS 5.8.1 Administrator Guide[...]

  • Page 597

    597 SonicOS 5.8.1 Administrator Guide CHAPTER 47 Chapter 47: SonicPoint FairNet SonicPoint > FairNet This chapter describes how to plan, design, implement, and SonicPoint FairNet policies in SonicWALL SonicOS Enhanced to configure bandwidth limits for WLAN clients. This chapter contains the following sections: • “SonicPoint FairNet Overv[...]

  • Page 598

    SonicPoint > FairNet 598 SonicOS 5.8.1 Administrator Guide Configuring SonicPoint FairNet Bandwidth Limit Policies To configure SonicPoint FairNet, perform the following tasks: 1. Navigate to the SonicPoint > FairNet page. 2. Select the Enable FairNet checkbox 3. Click Accept at the top of the page. 4. Click the Add button to add a So[...]

  • Page 599

    SonicPoint > FairNet 599 SonicOS 5.8.1 Administrator Guide 8. In the Min Rate(kbps) field, enter the minimum bandwidth that clients will be guaranteed. 9. In the Max Rate(kbps) field, enter the maximum bandwidth that clients will be allowed. 10. In the Interface pulldown menu, select the WLAN interface that corresponds to the IP address ran[...]

  • Page 600

    SonicPoint > FairNet 600 SonicOS 5.8.1 Administrator Guide[...]

  • Page 601

    SonicOS 5.8.1 Administrator Guide 601 PART 8 Part 8: Firewall[...]

  • Page 602

    602 SonicOS 5.8.1 Administrator Guide[...]

  • Page 603

    603 SonicOS 5.8.1 Administrator Guide CHAPTER 48 Chapter 48: Configuring Access Rules Firewall > Access Rules This chapter provides an overview on your SonicWALL security appliance stateful packet inspection default access rules and configuration examples to customize your access rules to meet your business requirements. Access rules are net[...]

  • Page 604

    Firewall > Access Rules 604 SonicOS 5.8.1 Administrator Guide Stateful Packet Inspection Default Access Rules Overview By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by[...]

  • Page 605

    Firewall > Access Rules 605 SonicOS 5.8.1 Administrator Guide Using Bandwidth Management with Access Rules Overview Bandwidth management (BWM) allows you to assign guaranteed and maximum bandwidth to services and prioritize traffic on all BWM-enabled interfaces. Using access rules, BWM can be applied on specific network traffic. Packets belon[...]

  • Page 606

    Firewall > Access Rules 606 SonicOS 5.8.1 Administrator Guide Tip You must configure Bandwidth Management individually for each interface on the Network > Interfaces page. Click the Configure icon for the interface, and select the Advanced tab. Enter your available egress and ingress bandwidths in the Available interface Egress Bandwidth[...]

  • Page 607

    Firewall > Access Rules 607 SonicOS 5.8.1 Administrator Guide Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones. Configuring Access Rules for a Zone To display the Access Rules for a specific zone, select a zone from the Matrix, Drop-down Boxes [...]

  • Page 608

    Firewall > Access Rules 608 SonicOS 5.8.1 Administrator Guide Tip If the Delete or Edit icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list. Adding Access Rules To add access rules to the SonicWALL security appliance, perform the following steps: Step 1 Click Add at the bottom of the Access Rules table[...]

  • Page 609

    Firewall > Access Rules 609 SonicOS 5.8.1 Administrator Guide Step 8 From the Users Allowed menu, add the user or user group affected by the access rule. Step 9 Select a schedule from the Schedule menu. The default schedule is Always on. Step 10 Enter any comments to help identify the access rule in the Comments field. Step 11 The Allow[...]

  • Page 610

    Firewall > Access Rules 610 SonicOS 5.8.1 Administrator Guide Step 16 Select Create a reflexive rule if you want to create a matching access rule to this one in the opposite direction--from your destination zone or address object to your source zone or address object. Step 17 Click on the QoS tab if you want to apply DSCP or 802.1p Quality of S[...]

  • Page 611

    Firewall > Access Rules 611 SonicOS 5.8.1 Administrator Guide • 27 - Class 3, Silver (AF32) • 30 - Class 3, Bronze (AF33) • 32 - Class 4 • 34 - Class 4, Gold (AF41) • 36 - Class 4, Silver (AF42) • 38 - Class 4, Bronze (AF43) • 40 - Express Forwarding • 46 - Expedited Forwarding (EF) • 48 - Control • 56 - Control – Map: Th[...]

  • Page 612

    Firewall > Access Rules 612 SonicOS 5.8.1 Administrator Guide Editing an Access Rule To display the Edit Rule window (includes the same settings as the Add Rule window), click the Edit icon. Deleting an Access Rule To delete the individual access rule, click on the Delete icon. To delete all the checkbox selected access rules, click the Del[...]

  • Page 613

    Firewall > Access Rules 613 SonicOS 5.8.1 Administrator Guide Note The maximum number of connections a SonicWALL security appliance can support depends on the specific configuration, including whether App Flow is enabled and if an external collector is configured, as well as the physical capabilities of the particular model on the SonicWA[...]

  • Page 614

    Firewall > Access Rules 614 SonicOS 5.8.1 Administrator Guide Access Rule Configuration Examples This section provides configuration examples on adding network access rules: • “Enabling Ping” on page 614 • “Blocking LAN Access for Specific Services” on page 614 • “Allowing WAN Primary IP Access from the LAN Zone” on page 6[...]

  • Page 615

    Firewall > Access Rules 615 SonicOS 5.8.1 Administrator Guide Allowing WAN Primary IP Access from the LAN Zone By creating an access rule, it is possible to allow access to a management IP address in one zone from a different zone on the same SonicWALL appliance. For example, you can allow HTTP/HTTPS management or ping to the WAN IP add[...]

  • Page 616

    Firewall > Access Rules 616 SonicOS 5.8.1 Administrator Guide Enabling Bandwidth Management on an Access Rule Bandwidth management can be applied on both ingress and egress traffic using access rules. Access rules displaying the Funnel icon are configured for bandwidth management. Tip Do not configure bandwidth management on multiple inter[...]

  • Page 617

    617 SonicOS 5.8.1 Administrator Guide CHAPTER 49 Chapter 49: Configuring Application Control Application Control This chapter describes how to configure and manage the Application Control feature in SonicOS. This chapter contains the following sections: • “Application Control Overview” on page 617 • “Licensing Application Control” on[...]

  • Página 618

    Application Control 618 SonicOS 5.8.1 Administrator Guide What is Application Control? Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted. Beginning in SonicOS 5.8.1, you can also create cert[...]

  • Page 619

    Application Control 619 SonicOS 5.8.1 Administrator Guide external network access based on various criteria. You can use Packet Monitor to take a deeper look at application traffic, and can select among various bandwidth management settings to reduce network bandwidth usage by an application. Based on SonicWALL’s Reassembly Free Deep Packe[...]

  • Page 620

    Application Control 620 SonicOS 5.8.1 Administrator Guide • Administrators can use the Create Rule button to quickly apply bandwidth management or packet monitoring to an application that they notice while viewing the App Flow Monitor page, or can completely block the application. • Administrators can configure policy settings for individua[...]

  • Page 621

    Application Control 621 SonicOS 5.8.1 Administrator Guide • “App Rules Policy Creation” on page 630 • “Match Objects” on page 634 • “Application List Objects” on page 640 • “Action Objects” on page 642 • “Email Address Objects” on page 646 Actions Using Bandwidth Management Application layer bandwidth management (B[...]

  • Page 622

    Application Control 622 SonicOS 5.8.1 Administrator Guide bandwidth management provide a link to the Firewall Settings > BWM page so that you can easily configure global bandwidth management settings for the type and the guaranteed and maximum percentages allowed for each priority level. Figure 49:5 Firewall Settings > BWM Page It is a be[...]

  • Page 623

    Application Control 623 SonicOS 5.8.1 Administrator Guide your custom BWM action after a change from Type WAN to Global or back again. The values you set for Guaranteed Bandwidth and Maximum Bandwidth are converted in the action object to the guaranteed and maximum values set in the Global Priority Queue table for the selected priority level. Wh[...]

  • Page 624

    Application Control 624 SonicOS 5.8.1 Administrator Guide Figure 49:8 Bandwidth Management Type Global on Firewall Settings > BWM Figure 49:9 shows the Bandwidth Priority selections in the Add/Edit Action Objects screen when the global Bandwidth Management Type is set to Global on the Firewall Settings > BWM page. Figure 49:9 Add/Edit [...]

  • Page 625

    Application Control 625 SonicOS 5.8.1 Administrator Guide When the Bandwidth Management Type is set to WAN as in Figure 49:10, the Add/Edit Action Object screen provides Per Action or Per Policy Bandwidth Aggregation Method options and you can specify values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority. Figure 49:10[...]

  • Page 626

    Application Control 626 SonicOS 5.8.1 Administrator Guide • Using the Per Action aggregation method, the downloads of executable files and traffic from P2P applications combined cannot exceed 500 Kbit/sec. • Using the Per Policy bandwidth aggregation method, a bandwidth of 500 Kbit/sec is allowed for executable file downloads while concur[...]

  • Page 627

    Application Control 627 SonicOS 5.8.1 Administrator Guide Figure 49:12 Packet Monitor - Monitor Filter Tab To set up mirroring, go to the Mirror tab and pick an interface to which to send the mirrored traffic in the Mirror filtered packets to Interface (NSA platforms only) field under Local Mirroring Settings. You can also configure one of t[...]

  • Page 628

    Application Control 628 SonicOS 5.8.1 Administrator Guide Figure 49:13 shows the Create Rule window displayed over the Dashboard > App Flow Monitor page. Figure 49:13 Dashboard > App Flow Monitor Page with Create Rule Window The Create Rule feature is available from App Flow Monitor on the list view page setting. The Create Rule button is vi[...]

  • Page 629

    Application Control 629 SonicOS 5.8.1 Administrator Guide BWM page, see the “Actions Using Bandwidth Management” section on page 621. The Bandwidth Manage options you see in the Create Rule window reflect the options that are enabled in the Global Priority Queue. The default values are: • BWM Global-High – Guaranteed 30%; Max/Burst 100%[...]

  • Page 630

    Application Control 630 SonicOS 5.8.1 Administrator Guide App Rules Policy Creation You can use Application Control to create custom App Rules policies to control specific aspects of traffic on your network. A policy is a set of match objects, properties, and specific prevention actions. When you create a policy, you first create a match objec[...]

  • Page 631

    Application Control 631 SonicOS 5.8.1 Administrator Guide The following table describes the characteristics of the available App Rules policy types. Policy Type Description Valid Source Service / Default Valid Destination Service / Default Valid Match Object Type Valid Action Type Connection Side App Control Content Policy usin[...]

  • Page 632

    Application Control 632 SonicOS 5.8.1 Administrator Guide FTP Client File Download Request An attempt to download a file over FTP (RETR command) Any / Any FTP Control / FTP Control Filename, file extension Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * Client Side FTP Data Transfer Policy Data transferred over the F[...]

  • Page 633

    Application Control 633 SonicOS 5.8.1 Administrator Guide IPS Content Policy using dynamic Intrusion Prevention related objects for any application layer protocol N/A N/A IPS Signature Category List, IPS Signature List Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * N/A POP3 Client Policy to inspect traffic generated [...]

  • Page 634

    Application Control 634 SonicOS 5.8.1 Administrator Guide Match Objects Match objects represent the set of conditions which must be matched in order for actions to take place. This includes the object type, the match type (exact, partial, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Match[...]

  • Page 635

    Application Control 635 SonicOS 5.8.1 Administrator Guide CFS Category List Allows selection of one or more Content Filtering categories N/A No A list of 64 categories is provided to choose from Custom Object Allows specification of an IPS-style custom set of conditions. Exact No There are 4 additional, optional parameters that can be set: offset [...]

  • Page 636

    Application Control 636 SonicOS 5.8.1 Administrator Guide File Content Allows specification of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed. Partial No ‘Disable attachment’ action should never be applied to this object. Filename In cases of email, this is an attachment name. In cases of[...]

  • Page 637

    Application Control 637 SonicOS 5.8.1 Administrator Guide HTTP Host Header Content found inside of the HTTP Host header. Represents hostname of the destination server in the HTTP request, such as www.google.com. Exact, Partial, Prefix, Suffix Yes None HTTP Referrer Header Allows specification of content of a Referrer header sent by a browse[...]

  • Page 638

    Application Control 638 SonicOS 5.8.1 Administrator Guide You can see the available types of match objects in a drop-down list in the Match Object Settings screen. In the Match Object screen, you can add multiple entries to create a list of content elements to match. All content that you provide in a match object is case-insensitive for matchi[...]

  • Page 639

    Application Control 639 SonicOS 5.8.1 Administrator Guide You can use the Load From File button to import content from predefined text files that contain multiple entries for a match object to match. Each entry in the file must be on its own line. The Load From File feature allows you to easily move Application Control settings from one SonicWAL[...]

  • Page 640

    Application Control 640 SonicOS 5.8.1 Administrator Guide Application List Objects The Firewall > Match Objects page also contains the Add Application List Object button, which opens the Create Match Object screen. This screen provides two tabs: • Application – You can create an application filter object on this tab. This screen allows s[...]

  • Page 641

    Application Control 641 SonicOS 5.8.1 Administrator Guide As you select the applications for your filter, they appear in the Application Group field on the right. You can edit the list in this field by deleting individual items or by clicking the eraser to delete all items. The image below shows several applications in the Application Group fie[...]

  • Page 642

    Application Control 642 SonicOS 5.8.1 Administrator Guide Category Filters The Category tab provides a list of application categories for selection. You can select any combination of categories and then save your selections as a category filter object with a custom name. The image below shows the screen with the description of the IM category [...]

  • Page 643

    Application Control 643 SonicOS 5.8.1 Administrator Guide levels of BWM are available. If the Bandwidth Management Type is set to WAN, the predefined actions list includes three levels of WAN BWM. For more information about BWM actions, see the “Actions Using Bandwidth Management” section on page 621. The following table shows predefined[...]

  • Page 644

    Application Control 644 SonicOS 5.8.1 Administrator Guide The following table describes the available action types. Action Type Description Predefined or Custom BWM Global-Realtime Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available[...]

  • Page 645

    Application Control 645 SonicOS 5.8.1 Administrator Guide Bypass DPI Bypasses Deep Packet Inspection components IPS, GAV, Anti-Spyware and Application Control. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for Application Co[...]

  • Page 646

    Application Control 646 SonicOS 5.8.1 Administrator Guide A priority setting of zero is the highest priority. Guaranteed bandwidth for all levels of BWM combined must not exceed 100%. For a Bandwidth Management Type of WAN, total available bandwidth is defined by the values entered for Available Interface Egress/Ingress Bandwidth when configu[...]

  • Page 647

    Application Control 647 SonicOS 5.8.1 Administrator Guide In the screenshot below, the settings exclude the support group from a policy that prevents executable files from being attached to outgoing email. You can use the email address object in either the MAIL FROM or RCPT TO fields of the SMTP client policy. The MAIL FROM field refers to [...]

  • Page 648

    Application Control 648 SonicOS 5.8.1 Administrator Guide Note Upon registration on MySonicWALL, or when you load SonicOS 5.8 onto a registered SonicWALL device, supported SonicWALL appliances begin an automatic 30-day trial license for App Visualization and App Control, and application signatures are downloaded to the appliance. A free 30-da[...]

  • Page 649

    Application Control 649 SonicOS 5.8.1 Administrator Guide To begin using App Control, you must enable it on the Firewall > App Control Advanced page. See the screenshot below. To create policies using App Rules (included with the App Control license), select Enable App Rules on the Firewall > App Rules page. See the screenshot below. Th[...]

  • Page 650

    Firewall > App Control Advanced 650 SonicOS 5.8.1 Administrator Guide Note If you disable Visualization in the SonicOS management interface, application signature updates are discontinued until the feature is enabled again. When High Availability is configured between two SonicWALL appliances, the appliances can share the Security Services [...]

  • Page 651

    Firewall > App Control Advanced 651 SonicOS 5.8.1 Administrator Guide App Control is a licensed service, and you must also enable it to activate the functionality. To enable App Control and configure the global settings: Step 1 To globally enable App Control, select the Enable App Control checkbox. Step 2 To enable App Control on a netwo [...]

  • Page 652

    Firewall > App Control Advanced 652 SonicOS 5.8.1 Administrator Guide The Network > Zones page displays a green indicator in the App Control column for any zones that have the App Control service enabled. Step 4 You can configure a global exclusion list for App Control policies on the Firewall > App Control Advanced page. To configur[...]

  • Page 653

    Firewall > App Control Advanced 653 SonicOS 5.8.1 Administrator Guide Step 6 To use an address object for the exclusion list, select the Use Application Control Exclusion Address Object radio button, and then select an address object from the drop-down list. Step 7 Click OK. Step 8 To reset App Control settings and policy configuration to[...]

  • Page 654

    Firewall > App Control Advanced 654 SonicOS 5.8.1 Administrator Guide Step 2 Under App Control Advanced, select an application category from the Category drop-down list. A Configure button appears to the right of the field as soon as a category is selected. Step 3 Click the Configure button to open up the App Control Category Settings window[...]

  • Page 655

    Firewall > App Control Advanced 655 SonicOS 5.8.1 Administrator Guide • SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day). • Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM. Step 11 To specify a delay between log entries for repetitive events, type the nu[...]

  • Page 656

    Firewall > App Control Advanced 656 SonicOS 5.8.1 Administrator Guide default to the current settings of the category to which the application belongs. To retain this connection to the category settings for one or more fields, leave this selection in place for those fields. Step 5 To block this application, select Enable in the Block drop-do[...]

  • Page 657

    Firewall > App Control Advanced 657 SonicOS 5.8.1 Administrator Guide • Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM. Step 12 To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field. Step 13 To see detailed information ab[...]

  • Page 658

    Firewall > App Control Advanced 658 SonicOS 5.8.1 Administrator Guide The default policy settings for the signature are set to the current settings for the application to which the signature belongs. To retain this connection to the application settings for one or more fields, leave this selection in place for those fields. Step 6 To bloc[...]

  • Page 659

    Firewall > App Rules 659 SonicOS 5.8.1 Administrator Guide • M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM. • M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight. • SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24[...]

  • Page 660

    Firewall > App Rules 660 SonicOS 5.8.1 Administrator Guide You must enable App Rules to activate the functionality. App Rules is licensed as part of App Control, which is licensed on www.mysonicwall.com on the Service Management - Associated Products page under GATEWAY SERVICES. You can view the status of your license at the top of[...]

  • Page 661

    Firewall > App Rules 661 SonicOS 5.8.1 Administrator Guide For information about policies and policy types, see “App Rules Policy Creation” on page 630. 603 To configure an App Rules policy, perform the following steps: Step 1 In the navigation pane on the left side, click Firewall, and then click App Rules. Step 2 Below the App Rules[...]

  • Page 662

    Firewall > App Rules 662 SonicOS 5.8.1 Administrator Guide Step 10 For Users/Groups, select from the drop-down lists for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy. Step 11 If the policy type is SMTP Client, select from the drop-down lists for MAIL FROM and RCPT TO, for both[...]

  • Page 663

    Firewall > App Rules 663 SonicOS 5.8.1 Administrator Guide Using the Application Control Wizard The Application Control wizard provides safe configuration of App Control policies for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed[...]

  • Page 664

    Firewall > App Rules 664 SonicOS 5.8.1 Administrator Guide • Do one of the following: Note If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur. See “Negative Matching” on page 639. – In the Content text box[...]

  • Page 665

    Firewall > Match Objects 665 SonicOS 5.8.1 Administrator Guide The second Application Control Action Settings screen is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can type the new URL into the Content text b[...]

  • Page 666

    Firewall > Match Objects 666 SonicOS 5.8.1 Administrator Guide Step 3 In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object. Step 4 Select a Match Object Type from the drop-down list. Your selection here will affect available options in this screen. See “Match Objects” on page 634 fo[...]

  • Page 667

    Firewall > Match Objects 667 SonicOS 5.8.1 Administrator Guide Step 2 Near the bottom of the page, click the Add Application List Object button. The Create Match Object page opens. You can control which applications are displayed by selecting one or more application categories, threat levels, and technologies. When the application list is r[...]

  • Page 668

    Firewall > Action Objects 668 SonicOS 5.8.1 Administrator Guide Step 7 Click the plus sign next to each application you want to add to your filter object. To display a description of the application, click its name in the Name column. As you select the applications for your filter, the plus sign icon becomes a green checkmark icon and the s[...]

  • Page 669

    Firewall > Action Objects 669 SonicOS 5.8.1 Administrator Guide Step 6 If HTTP Block Page was selected as the action, a Color drop-down list is displayed. Choose a background color for the block page from the Color drop-down list. Color choices are white, yellow, red, or blue. Step 7 Click OK. Configuring Application Layer Bandwidth Ma[...]

  • Page 670

    Firewall > Action Objects 670 SonicOS 5.8.1 Administrator Guide Step 4 Do one or both of the following: • Under Bandwidth Management, to manage outbound bandwidth, select the Enable Egress Bandwidth Management checkbox, and optionally set the Available Interface Egress Bandwidth (Kbps) field to the maximum for the interface. • Under B[...]

  • Page 671

    Firewall > Action Objects 671 SonicOS 5.8.1 Administrator Guide Step 5 In the Bandwidth Aggregation Method drop-down list, select one of the following: • Per Policy – When multiple policies are using the same Bandwidth Management action, each policy can consume up to the configured bandwidth even when the policies are active at the s[...]

  • Page 672

    Firewall > Address Objects 672 SonicOS 5.8.1 Administrator Guide Firewall > Address Objects Note For increased convenience and accessibility, the Address Objects page can be accessed either from Network > Address Objects or Firewall > Address Objects. The page is identical regardless of which tab it is accessed through. For infor[...]

  • Page 673

    Verifying App Control Configuration 673 SonicOS 5.8.1 Administrator Guide Step 5 In the Content text box, type the content to match and then click Add. Repeat this step until you have added as many elements as you want. For example, to match on a domain, select Partial Match in the previous step and then type @ followed by the domain name in the [...]

  • Page 674

    Verifying App Control Configuration 674 SonicOS 5.8.1 Administrator Guide Wireshark Wireshark is a network protocol analyzer that you can use to capture packets from applications on your network. You can examine the packets to determine the unique identifier for an application, which you can use to create a match object for use in an App Rule[...]

  • Page 675

    Verifying App Control Configuration 675 SonicOS 5.8.1 Administrator Guide Step 3 In the captured output, locate and click the HTTP GET command in the top pane, and view the source for it in the center pane. In the source code, locate the line beginning with User-Agent. Step 4 Scroll to the right to find the unique identifier for the browser. [...]

  • Page 676

    Verifying App Control Configuration 676 SonicOS 5.8.1 Administrator Guide Step 5 Type the identifier into the Content text box in the Match Objects Settings screen and click OK to create a match object that you can use in a policy. Hex Editor You can use a hexadecimal (hex) editor to view the hex representation of a file or a graphic image[...]

  • Page 677

    Verifying App Control Configuration 677 SonicOS 5.8.1 Administrator Guide Using the SonicWALL graphic as an example, you would take the following steps: Step 1 Start XVI32 and click File > Open to open the graphic image GIF file. Step 2 In the left pane, mark the first 50 hex character block by selecting Edit > Block <n> chars…[...]

  • Page 678

    Verifying App Control Configuration 678 SonicOS 5.8.1 Administrator Guide When the block is marked, it changes to red font. To unmark a block of characters, press Ctrl+U. Step 3 After you mark the block, click Edit > Clipboard > Copy As Hex String. Step 4 In Textpad or another text editor, press Ctrl+V to paste the selection and the[...]

  • Page 679

    Verifying App Control Configuration 679 SonicOS 5.8.1 Administrator Guide Step 12 Click Add. Step 13 Click OK. You now have a Match Object containing a unique identifier for the image. You can create an App Rules policy to block or log traffic that contains the image matched by this Match Object. For information about creating a policy, see[...]

  • Page 680

    App Control Use Cases 680 SonicOS 5.8.1 Administrator Guide App Control Use Cases Application Control provides the functionality to handle several types of access control very efficiently. The following use cases are presented in this section: • “Policy-Based Application Control” on page 680 • “Compliance Enforcement” on page 682 •[...]

  • Page 681

    App Control Use Cases 681 SonicOS 5.8.1 Administrator Guide The example below shows a match object targeted at LimeWire and Napster Peer to Peer sharing applications.[...]

  • Page 682

    App Control Use Cases 682 SonicOS 5.8.1 Administrator Guide After creating a signature-based match object, create a new App Rules policy of type App Control Content that uses the match object. The example below shows a policy which uses the newly created “Napster/LimeWire P2P” match object to drop all Napster and LimeWire traffic. Logging Ap[...]

  • Page 683

    App Control Use Cases 683 SonicOS 5.8.1 Administrator Guide When you configure the policy or policies for this purpose, you can select Direction > Basic > Outgoing to specifically apply your file transfer restrictions to outbound traffic. Or, you can select Direction > Advanced and then specify the exact zones between which to prevent [...]

  • Page 684

    App Control Use Cases 684 SonicOS 5.8.1 Administrator Guide Hosted Email Environments A hosted email environment is one in which email is available on a user’s Internet Service Provider (ISP). Typically, POP3 is the protocol used for email transfer in this environment. Many small-business owners use this model, and would like to control email [...]

  • Page 685

    App Control Use Cases 685 SonicOS 5.8.1 Administrator Guide Web Browser Control You can also use Application Control to protect your Web servers from undesirable browsers. Application Control supplies match object types for Netscape, MSIE, Firefox, Safari, and Chrome. You can define a match object using one of these types, and reference it in a[...]

  • Page 686

    App Control Use Cases 686 SonicOS 5.8.1 Administrator Guide You can use this match object in a policy to block browsers that are not MSIE 6.0. For information about using Wireshark to find a Web browser identifier, see “Wireshark” on page 674. For information about negative matching, see “Negative Matching” on page 639. Another example[...]

  • Page 687

    App Control Use Cases 687 SonicOS 5.8.1 Administrator Guide Wireshark will jump to the first frame that contains the requested data. You should see something like the screen shown below. This indicates that the HTTP POST method is transmitted immediately after the TCP header information and is comprised of the first four bytes (504f5354) of th[...]

  • Page 688

    App Control Use Cases 688 SonicOS 5.8.1 Administrator Guide Next, navigate to Firewall > App Rules and click Add New Policy. Create a policy like the one shown below. To test, use a browser to open the Post.htm document you created earlier. Type in your name and then click Submit. The connection should be dropped this time and you should s[...]

  • Page 689

    App Control Use Cases 689 SonicOS 5.8.1 Administrator Guide Navigate to Firewall > Match Objects and click Add New Match Object. Create an object like the one shown below. Next, navigate to Firewall > Action Objects and click Add New Action Object. Create an action like the one shown below.[...]

  • Page 690

    App Control Use Cases 690 SonicOS 5.8.1 Administrator Guide To create a policy that uses this object and action, navigate to Firewall > App Rules and click Add New Policy. Create a policy like the one shown below. To test this policy, you can open a Web browser and try to download any of the file types specified in the match object (exe,[...]

  • Page 691

    App Control Use Cases 691 SonicOS 5.8.1 Administrator Guide Some ActiveX types and their classid’s are shown in the following table. The screenshot below shows an ActiveX type match object that is using the Macromedia Shockwave class ID. You can create a policy that uses this match object to block online games or other Shockwave-based content[...]

  • Page 692

    App Control Use Cases 692 SonicOS 5.8.1 Administrator Guide You can look up the class ID for these ActiveX controls on the Internet, or you can view the source in your browser to find it. For example, the screenshot below shows a source file with the class ID for Macromedia Shockwave or Flash. FTP Control Application Control provides control ove[...]

  • Page 693

    App Control Use Cases 693 SonicOS 5.8.1 Administrator Guide First, you would create a match object of type File Content that matches on keywords in files. Optionally, you can create a customized FTP notification action that sends a message to the client. Next, you would create a policy that references this match object and action. If you prefer [...]

  • Page 694

    App Control Use Cases 694 SonicOS 5.8.1 Administrator Guide Blocking Outbound UTF-8 / UTF-16 Encoded Files Native Unicode UTF-8 and UTF-16 support by Application Control allows encoded multi-byte characters, such as Chinese or Japanese characters, to be entered as match object content keywords using the alphanumeric input type. Application Contr[...]

  • Page 695

    App Control Use Cases 695 SonicOS 5.8.1 Administrator Guide Next, create a policy that references the match object, as shown below. This policy blocks the file transfer and resets the connection. Enable Logging is selected so that any attempt to transfer a file containing the UTF-16 encoded keyword is logged. A log entry is generated after a conn[...]

  • Page 696

    App Control Use Cases 696 SonicOS 5.8.1 Administrator Guide The first step is to create a match object that matches on the put command. Because the mput command is a variation of the put command, a match object that matches on the put command will also match on the mput command. Optionally, you can create a customized FTP notification action tha[...]

  • Page 697

    App Control Use Cases 697 SonicOS 5.8.1 Administrator Guide Next, you would create a policy that references this match object and action. If you prefer to simply block the put command and reset the connection, you can select the Reset/Drop action when you create the policy. Bandwidth Management You can use application layer bandwidth management [...]

  • Page 698

    App Control Use Cases 698 SonicOS 5.8.1 Administrator Guide The first step is to enable bandwidth management on the interface that will handle the traffic. You can access this setting on the Network > Interfaces screen of the SonicOS management interface, shown below. For complete instructions, see “Configuring Application Layer Bandwidth M[...]

  • Page 699

    App Control Use Cases 699 SonicOS 5.8.1 Administrator Guide Next, you can create an application layer bandwidth management action that limits inbound transfers to 400 kbps. The Bandwidth Management Type on Firewall Settings > BWM must be set to WAN in order to do this in the Action Object Settings screen. If the BWM Type is Global, go to [...]

  • Page 700

    App Control Use Cases 700 SonicOS 5.8.1 Administrator Guide Now you are ready to create a policy that applies the bandwidth management action to the MP3 file extension object. Bypass DPI You can use the Bypass DPI action to increase performance over the network if you know that the content being accessed is safe. For example, this might be the [...]

  • Page 701

    App Control Use Cases 701 SonicOS 5.8.1 Administrator Guide Only two steps are needed to create the policy. First, you can define a match object for the corporate video using a match object type of HTTP URI Content: Note that the leading slash (/) of the URL should always be included for Exact Match and Prefix Match types for URI Content match [...]

  • Page 702

    App Control Use Cases 702 SonicOS 5.8.1 Administrator Guide Custom Signature You can create a custom match object that matches any part of a packet if you want to control traffic that does not have a predefined object type in Application Control. This allows you to create a custom signature for any network protocol. For instance, you can create [...]

  • Page 703

    App Control Use Cases 703 SonicOS 5.8.1 Administrator Guide the first byte in the packet is counted as number one (not zero). Decimal numbers are used rather than hexadecimal to calculate offset and depth. Offset and depth associated with a custom match object are calculated starting from the packet payload (the beginning of the TCP or UDP pa[...]

  • Page 704

    App Control Use Cases 704 SonicOS 5.8.1 Administrator Guide action or a default action such as Reset/Drop . For the Connection Side , select Client Side . Y ou can also modify other settings. For more information about creating a policy , see “Configuring an App Rules Policy” on p age 660 . Reverse Shell Exploit Prevention The reverse shell exp[...]

  • Page 705

    App Control Use Cases 705 SonicOS 5.8.1 Administrator Guide Note Networks using unencrypted Telnet service must configure policies that exclude those servers’ IP addresses. While this use case refers to the specific case of reverse shell payloads (outbound connections), it is more secure to configure the policy to be effective also for inbo[...]

  • Page 706

    App Control Use Cases 706 SonicOS 5.8.1 Administrator Guide The hexadecimal data can be exported to a text file for trimming off the packet header, unneeded or variable parts and spaces. The relevant portion here is “Microsoft… reserved.” You can use the Wireshark hexadecimal payload export capability for this. For information about W[...]

  • Page 707

    App Control Use Cases 707 SonicOS 5.8.1 Administrator Guide Defining the Policy After creating the match objects, you can define a policy that uses them. The image below shows the other policy settings. This example as shown is specific for reverse shells in both the Policy Name and the Direction settings. As mentioned, it may also be tailored[...]

  • Page 708

    App Control Use Cases 708 SonicOS 5.8.1 Administrator Guide Glossary Application layer: The seventh level of the 7-layer OSI model; examples of application layer protocols are AIM, DNS, FTP, HTTP, IMAP, MSN Messenger, POP3, SMTP, SNMP, TELNET, and Yahoo Messenger Bandwidth management: The process of measuring and controlling the traffic [...]

  • Page 709

    SonicOS 5.8.1 Administrator Guide 709 PART 9 Part 9: Firewall Settings[...]

  • Page 710

    710 SonicOS 5.8.1 Administrator Guide[...]

  • Page 711

    711 SonicOS 5.8.1 Administrator Guide CHAPTER 50 Chapter 50: Configuring Advanced Access Rule Settings Firewall Settings > Advanced To configure advanced access rule options, select Firewall Settings > Advanced under Firewall.[...]

  • Page 712

    Firewall Settings > Advanced 712 SonicOS 5.8.1 Administrator Guide The Firewall Settings > Advanced page includes the following firewall configuration option groups: • “Detection Prevention” on page 712 • “Dynamic Ports” on page 712 • “Source Routed Packets” on page 713 • “Connections” on page 714 • “Access Rule[...]

  • Page 713

    Firewall Settings > Advanced 713 SonicOS 5.8.1 Administrator Guide b. On the Network > Services page, create a custom Service for the FTP Server with the following values: • Name: FTP Custom Port Control • Protocol: TCP(6) • Port Range: 2121 - 2121 c. On the Network > NAT Policies page, create the following NAT Policy, and on the [...]

  • Page 714

    Firewall Settings > Advanced 714 SonicOS 5.8.1 Administrator Guide Connections The Connections section provides the ability to fine-tune the performance of the appliance to prioritize either optimal performance or support for an increased number of simultaneous connections that are inspected by UTM services. There is no change in the level of [...]

  • Page 715

    Firewall Settings > Advanced 715 SonicOS 5.8.1 Administrator Guide Apply firewall rules for intra-LAN traffic to/from the same interface - Applies firewall rules to traffic that is received on a LAN interface and that is destined for the same LAN interface. Typically, this is only necessary when secondary LAN subnets are configured. IP and UDP Checksu[...]

  • Page 716

    Firewall Settings > Advanced 716 SonicOS 5.8.1 Administrator Guide[...]

  • Page 717

    717 SonicOS 5.8.1 Administrator Guide CHAPTER 51 Chapter 51: Configuring Bandwidth Management Firewall Settings > BWM Bandwidth management (BWM) is a means of allocating bandwidth resources to critical applications on a network. SonicOS Enhanced offers an integrated traffic shaping mechanism through its outbound (Egress) and inbound (Ingress[...]

  • Page 718

    Firewall Settings > BWM 718 SonicOS 5.8.1 Administrator Guide Understanding Bandwidth Management BWM is controlled by the SonicWALL Security Appliance on ingress and egress traffic. It allows network administrators to guarantee minimum bandwidth and prioritize traffic based on access rules created in the Firewall > Access Rules page on t[...]

  • Page 719

    Firewall Settings > BWM 719 SonicOS 5.8.1 Administrator Guide Configuring the Firewall Settings > BWM Page BWM works by first configuring the BWM type on the Firewall Settings > BWM page, then enabling BWM on an interface, and then allocating the available bandwidth for that interface on the ingress and egress traffic. It then assigns in[...]

  • Page 720

    Firewall Settings > BWM 720 SonicOS 5.8.1 Administrator Guide Note When you change the Bandwidth Management Type from Global to WAN, the default BWM actions that are in use in any App Rules policies will be automatically converted to WAN BWM Medium, no matter what level they were set to before the change. When you change the Type from W[...]

  • Page 721

    Firewall Settings > BWM 721 SonicOS 5.8.1 Administrator Guide Configuring Interfaces To configure BWM per interface, perform the following steps: Step 1 Navigate to the Firewall Settings > BWM page. Step 2 Select Bandwidth Management Type: Global, WAN, or none, and then click Accept. Step 3 Navigate to the Network > Interfaces page[...]

  • Page 722

    Firewall Settings > BWM 722 SonicOS 5.8.1 Administrator Guide Step 4 Click the Configure icon in the Configure column for the interface for which you want to set BWM. The Edit Interface dialog is displayed. Note If using Bandwidth Management Type WAN, you can only enable BWM on a WAN interface. If using Type: None, you cannot set the Ingr[...]

  • Page 723

    Firewall Settings > BWM 723 SonicOS 5.8.1 Administrator Guide Step 1 Navigate to the Firewall > Access Rules page. Step 2 Click the Configure icon for the rule you want to edit. The Edit Rule General tab dialog is displayed. Step 3 Click the Ethernet BWM tab. Step 4 Select the checkboxes, select the Bandwidth Priority, and then click OK [...]

  • Page 724

    Firewall Settings > BWM 724 SonicOS 5.8.1 Administrator Guide Configuring Application Rules Application layer BWM allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesir[...]

  • Page 725

    Firewall Settings > BWM 725 SonicOS 5.8.1 Administrator Guide To configure BWM for a specific application, perform the following steps: Step 1 Navigate to the Firewall > App Rules page. Step 2 Under App Rules Policies, select the Action Type: Bandwidth Management. The page will sort by Action Type Bandwidth Management. Step 3 Click t[...]

  • Page 726

    Firewall Settings > BWM 726 SonicOS 5.8.1 Administrator Guide Step 4 Change the Action Object to the desired BWM setting, and then click OK. Note All priorities will be displayed (Realtime – Lowest) regardless if all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If you select a[...]

  • Page 727

    Firewall Settings > BWM 727 SonicOS 5.8.1 Administrator Guide The following table lists the predefined default actions that are available when adding a policy. Creating a New BWM Action or Policy If you do not want to use the predefined BWM actions or policies, you have the option to create a new one that fits your needs. If BWM Type = Glob[...]

  • Page 728

    Firewall Settings > BWM 728 SonicOS 5.8.1 Administrator Guide To create a new BWM action or policy, perform the following steps: Step 1 Navigate to the Firewall > Action Objects page. Step 2 Click Add New Action Object at the bottom of the page. The Add/Edit Action Object window is displayed. Step 3 If the BWM type is Global, do the fol[...]

  • Page 729

    Firewall Settings > BWM 729 SonicOS 5.8.1 Administrator Guide In case of a BWM type of WAN, the configuration of these options is included in the following steps. Note All priorities will be displayed (0–7) regardless if all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If you[...]

  • Page 730

    Firewall Settings > BWM 730 SonicOS 5.8.1 Administrator Guide If you plan to use this custom action for rate limiting rather than guaranteeing bandwidth, you do not need to change the Guaranteed Bandwidth field. Step 7 To specify the Maximum Bandwidth, optionally enter a value either as a percentage or as kilobits per second. In the drop-[...]

  • Page 731

    Firewall Settings > BWM 731 SonicOS 5.8.1 Administrator Guide To configure BWM using the App Flow Monitor, perform the following steps: Step 1 Navigate to the Dashboard > App Flow Monitor page. Step 2 Check the service-based applications or signature-based applications to which you want to apply global BWM. Note General applications ca[...]

  • Page 732

    Firewall Settings > BWM 732 SonicOS 5.8.1 Administrator Guide Note Create rule for service-based applications will result in creating a firewall access rule and create rule for signature-based applications will create an application control policy. Step 3 Click Create Rule. The Create Rule pop-up is displayed. Step 4 Select the Bandwidth M[...]

  • Page 733

    Firewall Settings > BWM 733 SonicOS 5.8.1 Administrator Guide Step 6 Click OK. Step 7 Navigate to Firewall > Access Rules page (for service-based applications) and Firewall > App Rules (for signature-based applications) to verify that the rule was created. Note For service-based applications, the new rule is identified with a tack in th[...]

  • Page 734

    Firewall Settings > BWM 734 SonicOS 5.8.1 Administrator Guide Guaranteed Bandwidth: A declared percentage of the total available bandwidth on an interface which will always be granted to a certain class of traffic. Applicable to both inbound and outbound BWM. The total Guaranteed Bandwidth across all BWM rules cannot exceed 100% of the tota[...]

  • Page 735

    735 SonicOS 5.8.1 Administrator Guide CHAPTER 52 Chapter 52: Configuring Flood Protection Firewall Settings > Flood Protection The Firewall Settings > Flood Protection page lets you view statistics on TCP Traffic through the security appliance and manage TCP traffic settings. The page is divided into four sections • “TCP Settings” [...]

  • Page 736

    Firewall Settings > Flood Protection 736 SonicOS 5.8.1 Administrator Guide TCP Settings The TCP Settings section allows you to: • Enforce strict TCP compliance with RFC 793 and RFC 1122 – Select to ensure strict compliance with several TCP timeout rules. This setting maximizes TCP security, but it may cause problems with the Window Scali[...]

  • Page 737

    Firewall Settings > Flood Protection 737 SonicOS 5.8.1 Administrator Guide – Maximum value: 60 seconds SYN Flood Protection Methods SYN/RST/FIN Flood protection helps to protect hosts behind the SonicWALL from Denial of Service (DoS) or Distributed DoS attacks that attempt to consume the host’s available resources by creating one of the f[...]

  • Page 738

    Firewall Settings > Flood Protection 738 SonicOS 5.8.1 Administrator Guide Each watchlist entry contains a value called a hit count. The hit count value increments when the device receives an initial SYN packet from a corresponding device. The hit count decrements when the TCP three-way handshake completes. The hit count for any partic[...]

  • Page 739

    Firewall Settings > Flood Protection 739 SonicOS 5.8.1 Administrator Guide A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequency SYN packet transmissions. This feature enables you to set three different levels of SYN Flood Protection: • Watch and Report Pos[...]

  • Page 740

    Firewall Settings > Flood Protection 740 SonicOS 5.8.1 Administrator Guide • SACK (Selective Acknowledgment) – This parameter controls whether or not Selective ACK is enabled. With SACK enabled, a packet or series of packets can be dropped, and the receiver informs the sender which data has been received and where holes may exist in the[...]

  • Page 741

    Firewall Settings > Flood Protection 741 SonicOS 5.8.1 Administrator Guide The SYN/RST/FIN Blacklisting region contains the following options: • Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – The maximum number of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should be larger than the SYN Pro[...]

  • Page 742

    Firewall Settings > Flood Protection 742 SonicOS 5.8.1 Administrator Guide • Invalid Flag Packets Dropped - Incremented under the following conditions: – When a non-SYN packet is received that cannot be located in the connection-cache (while SYN Flood protection is disabled). – When a packet with flags other than SYN, RST+ACK or SYN+ACK is[...]

  • Page 743

    Firewall Settings > Flood Protection 743 SonicOS 5.8.1 Administrator Guide Total SYN, RST, or FIN Floods Detected The total number of events in which a forwarding device has exceeded the lower of either the SYN attack threshold or the SYN/RST/FIN flood blacklisting threshold. TCP Connection SYN-Proxy State (WAN only) Indicates whether or [...]

  • Page 744

    Firewall Settings > Flood Protection 744 SonicOS 5.8.1 Administrator Guide[...]

  • Page 745

    745 SonicOS 5.8.1 Administrator Guide CHAPTER 53 Chapter 53: Configuring Multicast Settings Firewall Settings > Multicast Multicasting, also called IP multicasting, is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts. Multicast is suited to the rapidly growing segment of Internet traffic - multimedia pre[...]

  • Page 746

    Firewall Settings > Multicast 746 SonicOS 5.8.1 Administrator Guide Multicast Snooping This section provides configuration tasks for Multicast Snooping. • Enable Multicast - This checkbox is disabled by default. Select this checkbox to support multicast traffic. • Require IGMP Membership reports for multicast data forwarding - This checkb[...]

  • Page 747

    Firewall Settings > Multicast 747 SonicOS 5.8.1 Administrator Guide To create a multicast address object: Step 1 In the Enable reception for the following multicast addresses list, select Create new multicast object. Step 2 In the Add Address Object window, configure: – Name: The name of the address object. – Zone Assignment: Select M[...]

  • Page 748

    Firewall Settings > Multicast 748 SonicOS 5.8.1 Administrator Guide Enabling Multicast on LAN-Dedicated Interfaces Perform the following steps to enable multicast support on LAN-dedicated interfaces. Step 1 Enable multicast support on your SonicWALL security appliance. In the Firewall Settings > Multicast setting, click on the Enable Mul[...]

  • Page 749

    Firewall Settings > Multicast 749 SonicOS 5.8.1 Administrator Guide Enabling Multicast Through a VPN To enable multicast across the WAN through a VPN, follow: Step 1 Enable multicast globally. On the Firewall Settings > Multicast page, check the Enable Multicast checkbox, and click the Apply button for each security appliance. Step 2 E[...]

  • Page 750

    Firewall Settings > Multicast 750 SonicOS 5.8.1 Administrator Guide Note Notice that the default WLAN'MULTICAST access rule for IGMP traffic is set to 'DENY'. This will need to be changed to 'ALLOW' on all participating appliances to enable multicast, if they have multicast clients on their WLAN zones. Step 5 Make s[...]

  • Page 751

    751 SonicOS 5.8.1 Administrator Guide CHAPTER 54 Chapter 54: Managing Quality of Service Firewall Settings > QoS Mapping Quality of Service (QoS) refers to a diversity of methods intended to provide predictable network behavior and performance. This sort of predictability is vital to certain types of applications, such as Voice over IP (Vo[...]

  • Page 752

    Firewall Settings > QoS Mapping 752 SonicOS 5.8.1 Administrator Guide But all is not lost. Once SonicOS Enhanced classifies the traffic, it can tag the traffic to communicate this classification to certain external systems that are capable of abiding by CoS tags; thus they too can participate in providing QoS. Note Many service providers do[...]

  • Page 753

    Firewall Settings > QoS Mapping 753 SonicOS 5.8.1 Administrator Guide Conditioning The traffic can be conditioned (or managed) using any of the many policing, queuing, and shaping methods available. SonicOS provides internal conditioning capabilities with its Egress and Ingress Bandwidth Management (BWM), detailed in the “Bandwidth Manageme[...]

  • Page 754

    Firewall Settings > QoS Mapping 754 SonicOS 5.8.1 Administrator Guide such as DSCP. SonicOS Enhanced has the ability to DSCP mark traffic after classification, as well as the ability to map 802.1p tags to DSCP tags for external network traversal and CoS preservation. For VPN traffic, SonicOS can DSCP mark not only the internal (payload) pa[...]

  • Page 755

    Firewall Settings > QoS Mapping 755 SonicOS 5.8.1 Administrator Guide The behavior of the 802.1p field within these tags can be controlled by Access Rules. The default 802.1p Access Rule action of None will reset existing 802.1p tags to 0, unless otherwise configured (see “Managing QoS Marking” section on page 760 for details). Enabling [...]

  • Page 756

    Firewall Settings > QoS Mapping 756 SonicOS 5.8.1 Administrator Guide Example Scenario In the scenario above, we have Remote Site 1 connected to ‘Main Site’ by an IPsec VPN. The company uses an internal 802.1p/DSCP capable VoIP phone system, with a private VoIP signaling server hosted at the Main Site. The Main Site has a mixed gigabit [...]

  • Page 757

    Firewall Settings > QoS Mapping 757 SonicOS 5.8.1 Administrator Guide prioritize the traffic. The Remote Site switch would treat the VoIP traffic the same as the lower-priority file transfer because of the link saturation, introducing delay—maybe even dropped packets—to the VoIP flow, resulting in call quality degradation. So how can [...]

  • Page 758

    Firewall Settings > QoS Mapping 758 SonicOS 5.8.1 Administrator Guide The following table shows the commonly used code points, as well as their mapping to the legacy Precedence and ToS settings. DSCP marking can be performed on traffic to/from any interface and to/from any zone type, without exception. DSCP marking is controlled by Access [...]

  • Page 759

    Firewall Settings > QoS Mapping 759 SonicOS 5.8.1 Administrator Guide If symptoms of such a scenario emerge (e.g. excessive retransmissions of low-priority traffic), it is recommended that you create a separate VPN policy for the high-priority and low-priority classes of traffic. This is most easily accomplished by placing the high-priorit[...]

  • Page 760

    Firewall Settings > QoS Mapping 760 SonicOS 5.8.1 Administrator Guide Note Mapping will not occur until you assign Map as an action of the QoS tab of an Access Rule. The mapping table only defines the correspondence that will be employed by an Access Rule’s Map action. For example, according to the default table, an 802.1p tag with a value of[...]

  • Page 761

    Firewall Settings > QoS Mapping 761 SonicOS 5.8.1 Administrator Guide The following table describes the behavior of each action on both methods of marking: Action 802.1p (layer 2 CoS) DSCP (layer 3) Notes None When packets matching this class of traffic (as defined by the Access Rule) are sent out the egress interface, no 802.1p tag will be [...]

  • Page 762

    Firewall Settings > QoS Mapping 762 SonicOS 5.8.1 Administrator Guide For example, refer to the following figure which provides a bi-directional DSCP tag action. HTTP access from a Web-browser on 192.168.168.100 to the Web server on 10.50.165.2 will result in the tagging of the inner (payload) packet and the outer (encapsulating ESP) pack[...]

  • Page 763

    Firewall Settings > QoS Mapping 763 SonicOS 5.8.1 Administrator Guide The first Access Rule (governing LAN>VPN) would have the following effects: • VoIP traffic (as defined by the Service Group) from LAN Primary Subnet destined to be sent across the VPN to Main Site Subnets would be evaluated for both DSCP and 802.1p tags. – The com[...]

  • Page 764

    Firewall Settings > QoS Mapping 764 SonicOS 5.8.1 Administrator Guide To examine the effects of the second Access Rule (VPN>LAN), we’ll look at the Access Rules configured at the Main Site. VoIP traffic (as defined by the Service Group) arriving from Remote Site 1 Subnets across the VPN destined to LAN Subnets on the LAN zone at the Ma[...]

  • Page 765

    Firewall Settings > QoS Mapping 765 SonicOS 5.8.1 Administrator Guide Bandwidth Management Although bandwidth management (BWM) is a fully integrated QoS service, wherein classification and shaping is performed on the single SonicWALL appliance, effectively eliminating the dependency on external systems and thus obviating the need for marking,[...]

  • Page 766

    Firewall Settings > QoS Mapping 766 SonicOS 5.8.1 Administrator Guide Queue processing utilizes a time division scheme of approximately 1/256th of a second per time-slice. Within a time-slice, evaluation begins with priority 0 queues, and on a packet-by-packet basis transmission eligibility is determined by measuring the packet’s lengt[...]

  • Page 767

    Firewall Settings > QoS Mapping 767 SonicOS 5.8.1 Administrator Guide • Web Sense • Syslog • NTP • Security Services (AV, signature updates, license manager) Outbound BWM Packet Processing Path a. Determine that the packet is bound for the WAN zone. b. Determine that the packet is classifiable as a Firewall packet. c. Match the packe[...]

  • Page 768

    Firewall Settings > QoS Mapping 768 SonicOS 5.8.1 Administrator Guide Example of Outbound BWM The above diagram shows 4 policies are configured for OBWM with a link capacity of 100 Kbps. This means that the link capacity is 12800 Bytes/sec. The table below gives the BWM values for each rule in Bytes per second. a. For GBW processing, we start w[...]

  • Page 769

    Firewall Settings > QoS Mapping 769 SonicOS 5.8.1 Administrator Guide e. Since all the queues have been processed for GBW we now move on to use up the leftover link credit of 8000. f. Start off with the highest priority 0 and process all queues in this priority in a round robin fashion. H323 has Pkt3 of 500B which is sent since it can use up t[...]

  • Page 770

    Firewall Settings > QoS Mapping 770 SonicOS 5.8.1 Administrator Guide An ingress module monitors and records the ingress rate for each traffic class. It also monitors the egress ACKs and queues them if the ingress rate has to be reduced. According to ingress BW availability and average rate, the ACKs will be released. Algorithm for Inbound [...]

  • Page 771

    Firewall Settings > QoS Mapping 771 SonicOS 5.8.1 Administrator Guide Process ACKs This algorithm is used to update the BW parameters per class according to the amount of BW usage in the previous time slice. Amount of BW usage is given by the total number of bytes received for the class in the previous time slice. The algorithm is also used t[...]

  • Page 772

    Firewall Settings > QoS Mapping 772 SonicOS 5.8.1 Administrator Guide b. Row 2a shows an egress ACK for the class. Since class credit is less than the rate this packet is queued in the appropriate ingress queue. And it will not be processed until class credit is at least equal to the rate. c. In the following time slices, class credit gets ac[...]

  • Page 773

    Firewall Settings > QoS Mapping 773 SonicOS 5.8.1 Administrator Guide include at a minimum Default, Assured Forwarding, and Expedited Forwarding. DiffServ is supported on SonicWALL NSA platforms. Refer to the “DSCP Marking” section on page 757 for more information. • Discarding – A congestion avoidance mechanism that is employed by [...]

  • Page 774

    Firewall Settings > QoS Mapping 774 SonicOS 5.8.1 Administrator Guide limiting functionality. You can now create traffic policies that specify maximum rates for Layer 2, 3, or 4 network traffic. This enables bandwidth management in cases where the primary WAN link fails over to a secondary connection that cannot handle as much traffic. The [...]

  • Page 775

    Firewall Settings > QoS Mapping 775 SonicOS 5.8.1 Administrator Guide – Token Based CBQ – An enhancement to CBQ that employs a token, or a credit-based system that helps to smooth or normalize link utilization, avoiding burstiness as well as under-utilization. Employed by SonicOS’ BWM. • RSVP – Resource Reservation Protocol. An IntS[...]

  • Page 776

    Firewall Settings > QoS Mapping 776 SonicOS 5.8.1 Administrator Guide[...]

  • Page 777

    777 SonicOS 5.8.1 Administrator Guide CHAPTER 55 Chapter 55: Configuring SSL Control Firewall Settings > SSL Control This chapter describes how to plan, design, implement, and maintain the SSL Control feature. This chapter contains the following sections: • “Overview of SSL Control” section on page 777 • “SSL Control Configuration” [...]

  • Page 778

    Firewall Settings > SSL Control 778 SonicOS 5.8.1 Administrator Guide well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network communications. An effect of the security provided by SSL is the obscuration of all payload, incl[...]

  • Page 779

    Firewall Settings > SSL Control 779 SonicOS 5.8.1 Administrator Guide simple Web-search. The challenge is not the ever-increasing number of such services, but rather their unpredictable nature. Since these services are often hosted on home networks using dynamically addressed DSL and cable modem connections, the targets are constantly moving.[...]

  • Page 780

    Firewall Settings > SSL Control 780 SonicOS 5.8.1 Administrator Guide Key Concepts to SSL Control • SSL - Secure Sockets Layer (SSL) is a network security mechanism introduced by Netscape in 1995. SSL was designed “to provide privacy between two communicating applications (a client and a server) and also to authenticate the server, and op[...]

  • Page 781

    Firewall Settings > SSL Control 781 SonicOS 5.8.1 Administrator Guide SSL is not limited to securing HTTP, but can also be used to secure other TCP protocols such as SMTP, POP3, IMAP, and LDAP. For more information, see http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html. SSL session establishment occurs as follows: •[...]

  • Page 782

    Firewall Settings > SSL Control 782 SonicOS 5.8.1 Administrator Guide – TLS – Transport Layer Security (version 1.0), also known as SSLv3.1, is very similar to SSLv3, but improves upon SSLv3 in the following ways: • MAC – A MAC (Message Authentication Code) is calculated by applying an algorithm (such as MD5 or SHA1) to data. The MAC i[...]

  • Page 783

    Firewall Settings > SSL Control 783 SonicOS 5.8.1 Administrator Guide mismatch elicits a browser alert, it is not always a sure sign of deception. For example, if a client browses to https://mysonicwall.com, which resolves to the same IP address as www.mysonicwall.com, the server will present its certificate bearing the subject CN of www.m[...]

  • Page 784

    Firewall Settings > SSL Control 784 SonicOS 5.8.1 Administrator Guide Caveats and Advisories 1. Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is strongly advised that you add the common names of any SSL secured network appliances within your organization to the whitelist to ensure that connectivity [...]

  • Page 785

    Firewall Settings > SSL Control 785 SonicOS 5.8.1 Administrator Guide SSL Control Configuration SSL Control is located on Firewall panel, under the SSL Control Folder. SSL Control has a global setting, as well as a per-zone setting. By default, SSL Control is not enabled at the global or zone level. The individual page controls are as follows [...]

  • Page 786

    Firewall Settings > SSL Control 786 SonicOS 5.8.1 Administrator Guide • Detect Weak Ciphers (<64 bits) – Controls the detection of SSL sessions negotiated with symmetric ciphers less than 64 bits, commonly indicating export cipher usage. • Detect MD5 Digest – Controls the detection of certificates that were created using an MD5 Hash.[...]

  • Page 787

    Firewall Settings > SSL Control 787 SonicOS 5.8.1 Administrator Guide Entries can be added, edited and deleted with the buttons beneath each list window. Note List matching will be based on the subject common name in the certificate presented in the SSL exchange, not in the URL (resource) requested by the client. Changes to any of the SSL Con[...]

  • Page 788

    Firewall Settings > SSL Control 788 SonicOS 5.8.1 Administrator Guide 3 SSL Control: Self-signed certificate The certificate is self-signed (the CN of the issuer and the subject match). 4 SSL Control: Untrusted CA The certificate has been issued by a CA that is not in the System > Certificates store of the SonicWALL. 5 SSL Control: Websit[...]

  • Page 789

    Firewall Settings > SSL Control 789 SonicOS 5.8.1 Administrator Guide[...]

  • Page 790

    Firewall Settings > SSL Control 790 SonicOS 5.8.1 Administrator Guide[...]

  • Page 791

    SonicOS 5.8.1 Administrator Guide 791 PART 10 Part 10: DPI-SSL[...]

  • Page 792

    792 SonicOS 5.8.1 Administrator Guide[...]

  • Page 793

    793 SonicOS 5.8.1 Administrator Guide CHAPTER 56 Chapter 56: Configuring Client DPI-SSL Settings DPI-SSL > Client SSL This chapter contains the following sections: • “DPI-SSL Overview” on page 793 • “Configuring Client DPI-SSL” on page 794 DPI-SSL Overview Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL ?[...]

  • Page 794

    DPI-SSL > Client SSL 794 SonicOS 5.8.1 Administrator Guide The DPI-SSL feature is available in SonicOS Enhanced 5.6 and higher. The following table shows which platforms support DPI-SSL and the maximum number of concurrent connections on which the appliance can perform DPI-SSL inspection. Configuring Client DPI-SSL The Client DPI-SSL deployme[...]

  • Page 795

    DPI-SSL > Client SSL 795 SonicOS 5.8.1 Administrator Guide To enable Client DPI-SSL inspection, perform the following steps: 1. Navigate to the DPI-SSL > Client SSL page. 2. Select the Enable SSL Inspection checkbox. 3. Select which of the following services to perform inspection with: Intrusion Prevent, Gateway Anti-Virus, Gateway An[...]

  • Page 796

    DPI-SSL > Client SSL 796 SonicOS 5.8.1 Administrator Guide Common Name Exclusions The Common Name Exclusions section is used to add domain names to the exclusion list. To add a domain name, type it in the text box and click Add. Click Apply at the top of the page to confirm the configuration. Note The maximum size of the Common Name Exclu[...]

  • Page 797

    DPI-SSL > Client SSL 797 SonicOS 5.8.1 Administrator Guide Creating PKCS-12 Formatted Certificate File A PKCS12 formatted certificate file can be created using a Linux system with OpenSSL. In order to create a PKCS-12 formatted certificate file, one needs to have two main components of the certificate: • Private key (typically a file with .key [...]

  • Page 798

    DPI-SSL > Client SSL 798 SonicOS 5.8.1 Administrator Guide Application Firewall Enable Application Firewall checkbox on the Client DPI-SSL screen and enable Application Firewall on the Application Firewall > Policies screen. 1. Navigate to the DPI-SSL > Client SSL page 2. Select the Enable SSL Inspection checkbox and the Application Firew[...]

  • Page 799

    Chapter 57: Configuring Server DPI-SSL Settings DPI-SSL > Server SSL This chapter contains the following sections: • “DPI-SSL Overview” on page 799 • “Configuring Server DPI-SSL Settings” on page 800 DPI-SSL Overview Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends Son[...]

  • Page 800

    The DPI-SSL feature is available in SonicOS Enhanced 5.6. The following table shows which platforms support DPI-SSL and the maximum number of concurrent connections on which the appliance can perform DPI-SSL inspection. Configuring Server DPI-SSL Settings The Server DPI-SSL deployment[...]

  • Page 801

    Configuring General Server DPI-SSL Settings To enable Server DPI-SSL inspection, perform the following steps: 1. Navigate to the DPI-SSL > Server SSL page. 2. Select the Enable SSL Inspection checkbox. 3. Select which of the following services to perform inspection with: Intrusio[...]

  • Page 802

    • On the User Object/Group line, select a user object or group from the Exclude pulldown menu to exempt it from DPI-SSL inspection. Note The Include pulldown menu can be used to fine tune the specified exclusion list. For example, by selecting the Remote-office-California address ob[...]

  • Page 803

    Part 11: VoIP[...]

  • Page 804

    ANTI-SPAM FOR UTM[...]

  • Page 805

    Chapter 58: Configuring VoIP Support VoIP Overview This section provides an overview of VoIP. It contains the following sections: • “What is VoIP?” on page 805 • “VoIP Security” on page 805 • “VoIP Protocols” on page 806 • “SonicWALL’s VoIP Capabilities” on page 80[...]

  • Page 806

    The same security threats that plague data networks today are inherited by VoIP but the addition of VoIP as an application on the network makes those threats even more dangerous. By adding VoIP components to your network, you’re also adding new security requirements. VoIP encompasses a n[...]

  • Page 807

    H.323 H.323 is a standard developed by the International Telecommunications Union (ITU). It is a comprehensive suite of protocols for voice, video, and data communications between computers, terminals, network devices, and network services. H.323 is designed to enable users to make point-to-po[...]

  • Page 808

    SonicWALL’s VoIP Capabilities The following sections describe SonicWALL’s integrated VoIP service: • “VoIP Security” on page 808 • “VoIP Network” on page 809 • “VoIP Network Interoperability” on page 809 • “Supported VoIP Protocols” on page 810 • “How SonicOS[...]

  • Page 809

    VoIP Network • VoIP over Wireless LAN (WLAN) - SonicWALL extends complete VoIP security to attached wireless networks with its Distributed Wireless Solution. All of the security features provided to VoIP devices attached to a wired network behind a SonicWALL are also provided to VoIP d[...]

  • Page 810

    • Configurable inactivity timeouts for signaling and media - In order to ensure that dropped VoIP connections do not stay open indefinitely, SonicOS monitors the usage of signaling and media streams associated with a VoIP session. Streams that are idle for more than the configured timeou[...]

  • Page 811

    – SIP INFO method (RFC 2976) – Reliability of provisional responses in SIP (RFC 3262) – SIP specific event notification (RFC 3265) – SIP UPDATE method (RFC 3311) – DHCP option for SIP servers (RFC 3361) – SIP extension for instant messaging (RFC 3428) – SIP REFER method (RFC 3515[...]

  • Page 812

    CODECs SonicOS supports media streams from any CODEC - Media streams carry audio and video signals that have been processed by a hardware/software CODEC (COder/DECoder) within the VoIP device. CODECs use coding and compression techniques to reduce the amount of data required to represent audi[...]

  • Page 813

    How SonicOS Handles VoIP Calls SonicOS provides an efficient and secure solution for all VoIP call scenarios. The following are examples of how SonicOS handles VoIP call flows. Incoming Calls The following figure shows the sequence of events that occurs during an incoming call. The following d[...]

  • Page 814

    11. VoIP server returns phone B media IP information to phone A - Phone A now has enough information to begin exchanging media with Phone B. Phone A does not know that Phone B is behind a firewall, as it was given the public address of the firewall by the VoIP Server. 12. Phone A and phone B [...]

  • Page 815

    6. Phone A and phone B directly exchange audio/video/data - The SonicWALL security appliance routes traffic directly between the two phones over the LAN. Directly connecting the two phones reduces the bandwidth requirements for transmitting data to the VoIP server and eliminates the need fo[...]

  • Page 816

    General VoIP Configuration SonicOS includes the VoIP configuration settings on the VoIP > Settings page. This page is divided into three configuration settings sections: General Settings, SIP Settings, and H.323 Settings. Configuring Consistent Network Address Translation (NAT) Consist[...]

  • Page 817

    Configuring SIP Settings By default, SIP clients use their private IP address in the SIP Session Definition Protocol (SDP) messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side of the SonicWALL security appliance and SIP clients are on the private (LA[...]

  • Page 818

    The Additional SIP signaling port (UDP) for transformations setting allows you to specify a non-standard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VOIP services use different ports, such as 1560[...]

  • Page 819

    Bandwidth Management SonicOS offers an integrated traffic shaping mechanism through its Egress (outbound) and Ingress (inbound) management interfaces. Outbound BWM can be applied to traffic sourced from Trusted and Public zones (such as LAN and DMZ) destined to Untrusted and Encrypted zones (s[...]

  • Page 820

    Configuring Bandwidth on the WAN Interface BWM configurations begin by enabling BWM on the relevant WAN interface, and specifying the available bandwidth on the interface in Kbps. This is performed from the Network > Interfaces page by selecting the Configure icon for the WAN interface, and [...]

  • Page 821

    To configure Bandwidth Management on the SonicWALL security appliance: Step 1 Select Network > Interfaces. Step 2 Click the Edit icon in the Configure column in the WAN (X1) line of the Interfaces table. The Edit Interface window is displayed. Step 3 Click the Advanced tab. Step 4 Ch[...]

  • Page 822

    Note You must select Bandwidth Management on the Network > Interfaces page for the WAN interface before you can configure bandwidth management for network access rules. To add access rules for VoIP traffic on the SonicWALL security appliance: Step 1 Go to the Firewall > Access Rules p[...]

  • Page 823

    Step 13 Select Bandwidth Management, and enter the Guaranteed Bandwidth in Kbps. Step 14 Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field. Step 15 Assign a priority from 0 (highest) to 7 (lowest) in the Bandwidth Priority list. For higher [...]

  • Page 824

    Note SonicWALL recommends NOT selecting VoIP from the Services menu. Selecting this option opens up more TCP/UDP ports than is required, potentially opening up unnecessary security vulnerabilities. Step 5 Enter the name of the server in the Server Name field. Step 6 Enter the private IP addr[...]

  • Page 825

    • Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the LAN zone, the wizard binds the address object to the LAN zone. • Server Service Group Object - The wizar[...]

  • Page 826

    Generic Deployment Scenario All three of the following deployment scenarios begin with the following basic configuration procedure: Step 1 Enable bandwidth management on the WAN interface on Network > Interfaces. Step 2 Configure SIP or H.323 transformations and inactivity settings on VoI[...]

  • Page 827

    See the “Using the Public Server Wizard” section for information on configuring this deployment. Deployment Scenario 2: Public VoIP Service The Public VoIP Service deployment uses a VoIP service provider, which maintains the VoIP server (either a SIP Proxy Server or H.323 Gatekeeper). Th[...]

  • Page 828

    Deployment Scenario 3: Trusted VoIP Service The organization deploys its own VoIP server on a DMZ or LAN to provide in-house VoIP services that are accessible to VoIP clients on the Internet or from local network users behind the security gateway. The following figure shows a trusted VoI[...]

  • Page 829

    • Called IP • Caller-ID • Protocol • Bandwidth • Time Started Click Flush All to remove all VoIP call entries.[...]


  • Page 831

    Part 12: Anti-Spam[...]


  • Page 833

    Chapter 59: Configuring Anti-Spam Anti-Spam This chapter describes how to activate, configure, and manage the Comprehensive Anti-Spam Service on a SonicWALL UTM appliance. This chapter contains the following sections: • “Anti-Spam Overview” section on page 833 • “Purchasing an Anti-Sp[...]

  • Page 834

    What is Anti-Spam? The Anti-Spam feature provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and anti-virus capabilities to your existing SonicWALL UTM appliance. In a typical configuration of Anti-Spam, the administrator chooses to add Anti-Spam capabilities by [...]

  • Page 835

    • Better protection for users from phishing attacks How Does the Anti-Spam Service Work? This section describes the Anti-Spam feature, including the SonicWALL GRID Network, and how it interacts with SonicOS as a whole. The two points of significant connection with SonicOS are Address and Service[...]

  • Page 836

    Only if the IP address passes all of these tests does the SonicWALL UTM appliance allow that server to make a connection and transfer mail. If the IP address does not pass the tests, there is a message from SonicOS to the requesting server indicating that there is no SMTP server. The connection [...]

  • Page 837

    Objects Created When the Anti-Spam Service Is Enabled This section provides an example of the type of rules and objects generated automatically as Firewall Access Rules, NAT Policies and Service Objects. These objects are not editable and will be removed if the Anti-Spam service is disabled. T[...]

  • Page 838

    Figure 59:16 Generated NAT Policies The rows outlined in red are the policies generated when Anti-Spam is activated. The row outlined in green is the default policy that Anti-Spam creates if there are no existing mail server policies. Objects Created by the Wizard Obje[...]

  • Page 839

    • Anti-Spam License for the UTM • One of the following Microsoft Windows Servers: – Windows Server 2003 (32-bit) – Windows SBS 2003 Server (32-bit) – Windows Server 2008 (32-bit, 64-bit) – Windows SBS 2008 Server (64-bit)[...]

  • Page 840

    Purchasing an Anti-Spam license for the firewall can be done directly through mySonicWALL.com or through your reseller. Note Your UTM appliance must be registered with mySonicWALL.com before use. Refer to the SonicWALL UTM Getting Started Guide for further information on registering yo[...]

  • Page 841

    The status page also includes the Email Stream Diagnostics Capture section. Start the capture to create an application-formatted report on the SMTP-related traffic passing through your SonicWALL UTM appliance. Stop the capture at any time. Download the data to view the information in [...]

  • Page 842

    Anti-Spam > Settings Once you have registered Anti-Spam for UTM, activate it to start your UTM appliance-level protection from spam, phishing, and virus messages. Step 1 Navigate to the Anti-Spam menu item in the navigation bar. You are directed to the Settings submenu. Step 2 [...]

  • Page 843

    If you are using more than one domain, choose the Multiple Domains option and contact SonicWALL or your SonicWALL reseller for more information. User-defined Access Lists designate which clients are allowed to connect to deliver email. You can also set clients to be automatically[...]

  • Page 844

    Installing the Junk Store Anti-Spam for UTM can create a Junk Store on your Microsoft Exchange Server. The Junk Store quarantines messages for end-user analysis and provides statistics. Log in to your Exchange system, then open a browser and log in to the SonicWALL Web management [...]

  • Page 845

    Step 7 Navigate to the Anti-Spam > Status page and verify that the SonicWALL Junk Store is Operational. It typically takes about 15 minutes for the Junk Store to become operational. Anti-Spam > Statistics Use this page to view the statistics on how many messages are bei[...]

  • Page 846

    RBL list providers publish their lists using DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain using inverted IP notation of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.[...]

  • Page 847

    When Enable Real-time Black List Blocking is enabled on the Anti-Spam > RBL Filter page, inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN are checked against each enabled RBL service with a DNS request to the DNS servers c[...]

  • Page 848

    Adding RBL Services You can add additional RBL services in the Real-time Black List Services section. To add an RBL service, click the Add button. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected re[...]

  • Page 849

    Anti-Spam > Junk Box Summary The Junk Store sends an email message to users listing all the messages that have been placed in their Junk Box. The Junk Box Summary includes a number of blocked messages (per user) and a list of quarantined emails, with corresponding links t[...]

  • Page 850

    Anti-Spam > Junk Box View On the Anti-Spam > Junk Box View page, you can view, search, and manage all email messages that are currently in the Junk Store on the Exchange or SMTP server. This functionality is only available if the Junk Store is installed. Searching the Ju[...]

  • Page 851

    Click the Go button to perform the search. The results are displayed in the bottom section of the page. Managing the Junk Store in the Junk Box View Use the buttons at the top and bottom of the search results list to perform the following Junk Store management tasks on the Anti-S [...]

  • Page 852

    Anti-Spam > Junk Box Settings The Junk Box Settings page allows the Administrator to set the length of time that messages are stored in the Junk Box before being deleted and the number of Junk Box messages to be displayed per page. Anti-Spam > User View Setup The User V[...]

  • Page 853

    Address Book To allow users to see their own Address Book in the navigation toolbar, select the Address Books toolbar from the User View Setup section. User Download Settings Select the corresponding checkbox to Allow users to download the SonicWALL Junk Button for Outlook or Al[...]

  • Page 854

    Allowed Lists To add a sender to the Corporate Allowed List, navigate to the Allowed tab, then click the Add button. A dialog box will display where you will need to select the list type between People, Companies, or Lists. After selecting one of these, you can then enter the[...]

  • Page 855

    Blocked Lists To add a sender to the Corporate Blocked List, navigate to the Blocked tab, then click the Add button. A dialog box will display where you will need to select the list type between People and Companies. After selecting one of these, you can then enter the email a[...]

  • Page 856

    Anti-Spam > Manage Users The Users page allows the Administrator to add, remove, and manage all users, both on the Global and LDAP servers. For more information regarding LDAP Configuration, refer to “Anti-Spam > LDAP Configuration” section on page 857. User View Setup[...]

  • Page 857

    Adding Users To add a user to the Global or LDAP Server, click the Add button. Enter the Primary Address of the user, select which server the user belongs to from the Using Source dropdown menu, then enter any Aliases. Click Add to finish adding a user. Anti-Spam >[...]

  • Page 858

    • Port Number—The port number of the LDAP Server. The default port number is 389. • LDAP Server Type—Choose from the dropdown list of servers: Active Directory, Lotus Domino, Exchange 5.5, Sun ONE iPlanet, or Other. • LDAP Page Size—The maximum page size on[...]

  • Page 859

    • Directory Node to Begin Search—Specify a full LDAP directory path that points towards a node containing the information for all groups in the directory. • Filter—Specify an LDAP filter to easily find and identify users and mailing lists on the server. In t[...]

  • Page 860

    5. Add the NetBIOS domain name(s) to the Domains section, separating multiple domains with a comma. 6. Click Save Changes to finish. Conversion Rules On certain LDAP servers, such as Lotus Domino, some valid email addresses do not appear in the LDAP. The Conversion Rules se[...]

  • Page 861

    Anti-Spam > Advanced The Advanced page allows the Administrator to download system or log files, as well as configure the log level. Download System/Log Files You can download log files or system configuration files from your SonicWALL Email Security server. Select from the Type[...]

  • Page 862

    Anti-Spam > Downloads The Downloads page allows the Administrator to download and install one of SonicWALL’s latest spam-blocking buttons on your desktop.[...]

  • Page 863

    Part 13: VPN[...]


  • Page 865

    Chapter 60: Configuring VPN Policies VPN > Settings The VPN > Settings page provides the SonicWALL features for configuring your VPN policies. You can configure site-to-site VPN policies and GroupVPN policies from this page. VPN Overview A Virtual Private Network (VPN) provides a secure co[...]

  • Page 866

    Prior to the invention of Internet Protocol Security (IPsec) and Secure Socket Layer (SSL), secure connections between remote computers or networks required a dedicated line or satellite link. This was both inflexible and expensive. A VPN creates a connection with similar reliability and secu[...]

  • Page 867

    One advantage of SSL VPN is that SSL is built into most Web Browsers. No special VPN client software or hardware is required. Note SonicWALL makes SSL VPN devices that you can use in concert with or independently of a SonicWALL UTM appliance running SonicOS. For information on SonicWALL [...]

  • Page 868

    Aggressive Mode: To reduce the number of messages exchanged during authentication by half, the negotiation of which cryptographic algorithm to use is eliminated. The initiator proposes one algorithm and the responder replies if it supports that algorithm: 1. The initiator proposes a crypt[...]

  • Page 869

    Initialization and Authentication in IKE v2 IKE v2 initializes a VPN tunnel with a pair of message exchanges (two message/response pairs). • Initialize communication: The first pair of messages (IKE_SA_INIT) negotiate cryptographic algorithms, exchange nonces (random values generated an[...]

  • Page 870

    (DSL or cable) or dialup Internet access can securely and easily access your network resources with the SonicWALL Global VPN Client and SonicWALL GroupVPN on your SonicWALL. Remote office networks can securely connect to your network using site-to-site VPN connections that enable network-[...]

  • Page 871

    – E-Mail ID – Domain name. • Peer ID Filter if using 3rd party certificates. • IKE (Phase 1) Proposal: – DH Group: • Group 1 • Group 2 • Group 5 Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups[...]

  • Page 872

    Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5. – Life Time (seconds): (default 28800) • Enable Windows Networking (NetBIOS) Broadcast • Enable Multicast • Management via this SA: – HTTP – HT[...]

  • Page 873

    • Certificate, if selected on security appliance: • User’s user name and password if XAUTH is required on the security appliance. Site-to-Site VPN Planning Checklist On the Initiator Typically, the request for an IKE VPN SA is made from the remote site. • Authentication Method: [...]

  • Page 874

    • Domain name • IP Address (IPV4) – Peer IKE ID: • Local Networks Choose local network from list (select an address object): Local network obtains IP addresses using DHCP through this VPN Tunnel (not used with IKEv2) Any address • Destination Networks Use this VPN Tunnel as defau[...]

  • Page 875

    • AH – Encryption: • DES • 3DES • AES-128 • AES-192 • AES-256 • None – Authentication: • MD5 • SHA1 • None – Enable Perfect Forward Secrecy – Life Time (seconds): (default 28800) • Enable Keep Alive • Suppress automatic Access Rules creation for VPN Policy ?[...]

  • Page 876

    • Name of this VPN: • IPsec Primary Gateway Name or Address: not required on the responder • IPsec Secondary Gateway Name or Address: not required on the responder • IKE Authentication for IKE using Preshared Secret: – Local IKE ID: (must match Peer IKE ID on initiator) • IP Add[...]

  • Page 877

    VPN Policy Wizard The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN or site-to-site VPN policies on the SonicWALL security appliance. After completing the configuration, the wizard creates the necessary VPN settings for the selected policy. You can use [...]

  • Page 878

    • Configure: Clicking the Edit icon allows you to edit the VPN policy. Clicking the Delete icon allows you to delete the VPN policy. The predefined GroupVPN policies cannot be deleted, so the Delete icons are dimmed. GroupVPN policies also have a Disk icon for exporting the VPN policy c [...]

  • Page 879

    • Packets Out: The number of packets sent out from this tunnel. • Bytes In: The number of bytes received from this tunnel. • Bytes Out: The number of bytes sent out from this tunnel. • Fragmented Packets In: The number of fragmented packets received from this tunnel. • Fragmen[...]

  • Page 880

    Configuring GroupVPN with IKE using Preshared Secret on the WAN Zone To configure the WAN GroupVPN, follow these steps: Step 1 Click the edit icon for the WAN GroupVPN entry. The VPN Policy window is displayed. Step 2 In the General tab, IKE using Preshared Secret is the default sett[...]

  • Page 881

    Step 4 In the IKE (Phase 1) Proposal section, use the following settings: – Select the DH Group from the DH Group menu. Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5. – Select 3DES, AES-128, or [...]

  • Page 882

    – Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours. Step 6 Click the Advanced tab. Step 7 Select any of the following optional settings you want to apply to your GroupVPN policy: – Enable Window[...]

  • Page 883

    – Allow Unauthenticated VPN Client Access - Allows you to enable unauthenticated VPN client access. If you uncheck Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from menu of predefin[...]

  • Page 884

    • DHCP Lease - The Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configured in the VPN > DHCP over VPN page. • DHCP Lease or Manual Configuration - When the GVC connects to the SonicWALL, the policy from the SonicWALL instructs the GVC to use a V[...]

  • Page 885

    Configuring GroupVPN with IKE using 3rd Party Certificates To configure GroupVPN with IKE using 3rd Party Certificates, follow these steps: Caution Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the SonicWALL. Step 1 In the VPN &g[...]

  • Page 886

    (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWALL,[...]

  • Page 887

    compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPsec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, t[...]

  • Page 888

    – Allow Connections to - Client network traffic matching destination networks of each gateway is sent through the VPN tunnel of that specific gateway. • This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified [...]

  • Page 889

    Exporting a VPN Client Policy If you want to export the Global VPN Client configuration settings to a file for users to import into their Global VPN Clients, follow these instructions: Caution The GroupVPN SA must be enabled on the SonicWALL to export a configuration file. Step 1 Click th[...]

  • Page 890

    Site-to-Site VPN Configurations When designing VPN connections, be sure to document all pertinent IP addressing information and create a network diagram to use as a reference. A sample planning sheet is provided on the next page. The SonicWALL must have a routable WAN IP address whether [...]

  • Page 891

    Configuring a VPN Policy with IKE using Preshared Secret To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below: Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab, select IKE using Preshared Secret f[...]

  • Page 892

    VPN > Settings 892 SonicOS 5.8.1 Administrator Guide Optionally, specify a Local IKE ID (optional) and Peer IKE ID (optional) for this Policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWALL Identifier (ID_USER_FQDN) is used for Aggressive Mode. Step 7 Click the Network tab. Step 8 Under Loc[...]

  • Page 893

    VPN > Settings 893 SonicOS 5.8.1 Administrator Guide Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group. Step 10 Click Proposals. Step 11 Under IKE (Phase 1) Proposal, select either Main Mode, Aggressive Mode, o[...]

  • Page 894

    VPN > Settings 894 SonicOS 5.8.1 Administrator Guide – If you selected Main Mode or Aggressive Mode in the Proposals tab: • Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become avail[...]

  • Page 895

    VPN > Settings 895 SonicOS 5.8.1 Administrator Guide • If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, you should enter the IP address of your router into the Default LAN Gat[...]

  • Page 896

    VPN > Settings 896 SonicOS 5.8.1 Administrator Guide • To manage the local SonicWALL through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both in the User login via this SA to allow users to login using the SA. • Enter the Default LAN Gateway if you have more than one gateway and you[...]

  • Page 897

    VPN > Settings 897 SonicOS 5.8.1 Administrator Guide Step 5 Click the Network tab. Step 6 Select a local network from Choose local network from list if a specific local network can access the VPN tunnel. If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN Tunnel as default route f[...]

  • Page 898

    VPN > Settings 898 SonicOS 5.8.1 Administrator Guide Note The values for Protocol, Phase 2 Encryption, and Phase 2 Authentication must match the values on the remote SonicWALL. Step 10 Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value. This encryption key is used to configure the remote S[...]

  • Page 899

    VPN > Settings 899 SonicOS 5.8.1 Administrator Guide – If you have an IP address for a gateway, enter it into the Default LAN Gateway (optional) field. – Select an interface from the VPN Policy bound to menu. Step 13 Click OK. Step 14 Click Accept on the VPN > Settings page to update the VPN Policies. Configuring the Remote SonicWALL S[...]

  • Page 900

    VPN > Settings 900 SonicOS 5.8.1 Administrator Guide Tip Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window. Step 12 Click [...]

  • Page 901

    VPN > Settings 901 SonicOS 5.8.1 Administrator Guide Configuring a VPN Policy with IKE using a Third Party Certificate Warning You must have a valid certificate from a third party Certificate Authority installed on your SonicWALL before you can configure your VPN policy with IKE using a third party certificate. To create a VPN SA usin[...]

  • Page 902

    VPN > Settings 902 SonicOS 5.8.1 Administrator Guide – Distinguished Name - Based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. As with the E-Mail ID and Domain Name above, the entire Distinguished Name field must be entered for site-to-site VPNs. Wild card characters are not suppo[...]

  • Page 903

    VPN > Settings 903 SonicOS 5.8.1 Administrator Guide Step 11 Click the Proposals tab. Step 12 In the IKE (Phase 1) Proposal section, select the following settings: – Select Main Mode or Aggressive Mode from the Exchange menu. – Select the desired DH Group from the DH Group menu. Note The Windows 2000 L2TP client and Windows XP L2TP client c[...]

  • Page 904

    VPN > Settings 904 SonicOS 5.8.1 Administrator Guide – Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours. Step 14 Click the Advanced tab. Select any optional configuration options you want to apply to your VPN policy: – Select Enable Keep Alive to us[...]

  • Page 905

    VPN > Settings 905 SonicOS 5.8.1 Administrator Guide – To manage the remote SonicWALL through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both in the User login via this SA to allow users to login using the SA. – If you wish to use a router on the LAN for traffic entering this tun[...]

  • Page 906

    VPN > Settings 906 SonicOS 5.8.1 Administrator Guide Not only does Route Based VPN make configuring and maintaining the VPN policy easier, a major advantage of the Route Based VPN feature is that it provides flexibility on how traffic is routed. With this feature, users can now define multiple paths for overlapping networks over a clear or r[...]

  • Page 907

    VPN > Settings 907 SonicOS 5.8.1 Administrator Guide Step 3 Next, navigate to the Proposal tab and configure the IKE and IPSec proposals for the tunnel negotiation. Step 4 Navigate to the Advanced tab to configure the advanced properties for the Tunnel Interface. By default, Enable Keep Alive is enabled. This is to establish the tunnel with[...]

  • Page 908

    VPN > Settings 908 SonicOS 5.8.1 Administrator Guide • Enable Transport Mode - Forces the IPsec negotiation to use Transport mode instead of Tunnel Mode. This has been introduced for compatibility with Nortel. When this option is enabled on the local firewall, it MUST be enabled on the remote firewall as well for the negotiation to succee[...]

  • Page 909

    VPN > Settings 909 SonicOS 5.8.1 Administrator Guide Route Entries for Different Network Segments After a tunnel interface is created, multiple route entries can be configured to use the same tunnel interface for different networks. This provides a mechanism to modify the network topology without making any changes to the tunnel interface.[...]

  • Page 910

    VPN > Settings 910 SonicOS 5.8.1 Administrator Guide Creating a Static Route for Drop Tunnel Interface To add a static route for drop tunnel interface, navigate to Network > Routing > Routing Policies. Click the Add button. Similar to configuring a static route for a tunnel interface, configure the values for Source, Destination, and S[...]

  • Page 911

    VPN > Settings 911 SonicOS 5.8.1 Administrator Guide are addresses using address spaces that can easily be supernetted. For example, assume we wanted to provide access to/from the LAN and DMZ at the hub site to one subnet at each of 2,000 remote sites, addressed as follows: remoteSubnet0=Network 10.0.0.0/24 (mask 255.255.255.0, range 10.0.0.0-[...]

  • Page 912

    VPN > Settings 912 SonicOS 5.8.1 Administrator Guide[...]

  • Page 913

    913 SonicOS 5.8.1 Administrator Guide CHAPTER 61 Chapter 61: Configuring Advanced VPN Settings VPN > Advanced The VPN > Advanced page includes optional settings that affect all VPN policies.[...]

  • Page 914

    VPN > Advanced 914 SonicOS 5.8.1 Administrator Guide Advanced VPN Settings • Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the SonicWALL. – Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds. – Failure Trigger Level (missed he[...]

  • Page 915

    VPN > Advanced 915 SonicOS 5.8.1 Administrator Guide Note Password updates can only be done by LDAP when using Active Directory with TLS and binding to it using an administrative account, or when using Novell eDirectory. • IKEv2 Dynamic Client Proposal - SonicOS Enhanced firmware versions 4.0 and higher provide IKEv2 Dynamic Client Support[...]

  • Page 916

    VPN > Advanced 916 SonicOS 5.8.1 Administrator Guide Online Certificate Status Protocol determines the current status of a digital certificate without using a CRL. OCSP enables the client or application to directly determine the status of an identified digital certificate. This provides more timely information about the certificate than is[...]

  • Page 917

    VPN > Advanced 917 SonicOS 5.8.1 Administrator Guide Using OCSP with VPN Policies The SonicWALL OCSP settings can be configured on a policy level or globally. To configure OCSP checking for individual VPN policies, use the Advanced tab of the VPN Policy configuration page. Step 1 Select the radio button next to Enable OCSP Checking. Ste[...]

  • Page 918

    VPN > Advanced 918 SonicOS 5.8.1 Administrator Guide[...]

  • Page 919

    919 SonicOS 5.8.1 Administrator Guide CHAPTER 62 Chapter 62: Configuring DHCP Over VPN VPN > DHCP over VPN The VPN > DHCP over VPN page allows you to configure a SonicWALL security appliance to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN netw[...]

  • Page 920

    VPN > DHCP over VPN 920 SonicOS 5.8.1 Administrator Guide Configuring the Central Gateway for DHCP Over VPN To configure DHCP over VPN for the Central Gateway, use the following steps: 1. Select VPN > DHCP over VPN. 2. Select Central Gateway from the DHCP Relay Mode menu. 3. Click Configure. The DHCP over VPN Configuration window is disp[...]

  • Page 921

    VPN > DHCP over VPN 921 SonicOS 5.8.1 Administrator Guide Configuring DHCP over VPN Remote Gateway 1. Select Remote Gateway from the DHCP Relay Mode menu. 2. Click Configure. The DHCP over VPN Configuration window is displayed. 3. In the General tab, the VPN policy name is automatically displayed in the Relay DHCP through this VPN Tunnel fi[...]

  • Page 922

    VPN > DHCP over VPN 922 SonicOS 5.8.1 Administrator Guide Devices 9. To configure devices on your LAN, click the Devices tab. 10. To configure Static Devices on the LAN, click Add to display the Add LAN Device Entry window, and type the IP address of the device in the IP Address field and then type the Ethernet address of the device in th[...]

  • Page 923

    VPN > DHCP over VPN 923 SonicOS 5.8.1 Administrator Guide Tip If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.e. two LANs. Current DHCP over VPN Leases The scrolling window shows the details on the current bindings: IP and Ethernet address of the bindings, along with the Lease Time, and Tunnel Name[...]

  • Page 924

    VPN > DHCP over VPN 924 SonicOS 5.8.1 Administrator Guide[...]

  • Page 925

    925 SonicOS 5.8.1 Administrator Guide CHAPTER 63 Chapter 63: Configuring L2TP Server VPN > L2TP Server The SonicWALL security appliance can terminate L2TP-over-IPsec connections from incoming Microsoft Windows 2000 and Windows XP clients. In situations where running the SonicWALL Global VPN Client is not possible, you can use the SonicWALL[...]

  • Page 926

    VPN > L2TP Server 926 SonicOS 5.8.1 Administrator Guide Configuring the L2TP Server The VPN > L2TP Server page provides the settings for configuring the SonicWALL security appliance as an L2TP Server. To configure the L2TP Server, follow these steps: 1. To enable L2TP Server functionality on the SonicWALL security appliance, select Ena[...]

  • Page 927

    VPN > L2TP Server 927 SonicOS 5.8.1 Administrator Guide Currently Active L2TP Sessions • User Name - The user name assigned in the local user database or the RADIUS user database. • PPP IP - The source IP address of the connection. • Zone - The zone used by the L2TP client. • Interface - The interface used to access the L2TP Server, w[...]

  • Page 928

    VPN > L2TP Server 928 SonicOS 5.8.1 Administrator Guide[...]

  • Page 929

    SonicOS 5.8.1 Administrator Guide 929 PART 14 Part 14: SSL VPN[...]

  • Page 930

    930 SonicOS 5.8.1 Administrator Guide[...]

  • Page 931

    931 SonicOS 5.8.1 Administrator Guide CHAPTER 64 Chapter 64: SSL VPN SSL VPN This chapter provides information on how to configure the SSL VPN features on the SonicWALL security appliance. SonicWALL’s SSL VPN features provide secure remote access to the network using the NetExtender client. NetExtender is an SSL VPN client for Windows, Mac,[...]

  • Page 932

    SSL VPN 932 SonicOS 5.8.1 Administrator Guide SSL VPN NetExtender Overview This section provides an introduction to the SonicOS Enhanced SSL VPN NetExtender feature. This section contains the following subsections: • “What is SSL VPN NetExtender?” on page 932 • “Benefits” on page 932 • “NetExtender Concepts” on page 932 What is[...]

  • Page 933

    SSL VPN 933 SonicOS 5.8.1 Administrator Guide Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock [...]

  • Page 934

    SSL VPN 934 SonicOS 5.8.1 Administrator Guide NetExtender provides three options for configuring proxy settings: • Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically. • Use automatic configuration [...]

  • Page 935

    SSL VPN 935 SonicOS 5.8.1 Administrator Guide Configuring Users for SSL VPN Access In order for users to be able to access SSL VPN services, they must be assigned to the SSL VPN Services group. Users who attempt to login through the Virtual Office who do not belong to the SSL VPN Services group will be denied access. The following sections descri[...]

  • Page 936

    SSL VPN 936 SonicOS 5.8.1 Administrator Guide Configuring SSL VPN Access for RADIUS Users To configure RADIUS users for SSL VPN access, you must add the users to the SSL VPN Services user group. To do so, perform the following steps: Step 1 Navigate to the Users > Settings page. Step 2 In the Authentication Method for login pulldown menu, [...]

  • Page 937

    SSL VPN > Status 937 SonicOS 5.8.1 Administrator Guide SSL VPN > Status The SSL VPN > Status page displays a summary of active NetExtender sessions, including the name, the PPP IP address, the physical IP address, login time, length of time logged in and logout time. The following table provides a description of the status items. Statu[...]

  • Page 938

    SSL VPN > Server Settings 938 SonicOS 5.8.1 Administrator Guide SSL VPN > Server Settings The SSL VPN > Server Settings page is used to configure details of the SonicWALL security appliance’s behavior as an SSL VPN server. The following options can be configured on the SSL VPN > Server Settings page. • SSL VPN Status on Zones [...]

  • Page 939

    SSL VPN > Portal Settings 939 SonicOS 5.8.1 Administrator Guide SSL VPN > Portal Settings The SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website where users log in to launch NetExtender. It can be customized to match any[...]

  • Page 940

    SSL VPN > Client Settings 940 SonicOS 5.8.1 Administrator Guide The Customized Logo field is used to display a logo other than the SonicWALL logo at the top of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo must be in GIF format of size 155 x 36, and a transparent or light background is recommended. [...]

  • Page 941

    SSL VPN > Client Settings 941 SonicOS 5.8.1 Administrator Guide Configuring the SSL VPN Client Address Range The SSL VPN Client Address Range defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExt[...]

  • Page 942

    SSL VPN > Client Settings 942 SonicOS 5.8.1 Administrator Guide Configuring NetExtender Client Settings NetExtender client settings are configured on the bottom of the SSL VPN > Client Settings page. The following settings customize the behavior of NetExtender when users connect and disconnect. • Default Session Timeout (minutes) - The [...]

  • Page 943

    SSL VPN > Client Routes 943 SonicOS 5.8.1 Administrator Guide SSL VPN > Client Routes The SSL VPN > Client Routes page allows the administrator to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote u[...]

  • Page 944

    SSL VPN > Client Routes 944 SonicOS 5.8.1 Administrator Guide To configure SSL VPN NetExtender users and groups for Tunnel All Mode, perform the following steps. Step 1 Navigate to the Users > Local Users or Users > Local Groups page. Step 2 Click on the Configure button for an SSL VPN NetExtender user or group. Step 3 Click on th[...]

  • Page 945

    SSL VPN > Virtual Office 945 SonicOS 5.8.1 Administrator Guide SSL VPN > Virtual Office The SSL VPN > Virtual Office page displays the Virtual Office web portal inside of the SonicOS UI. The following sections describe how to use the Virtual Office: • “Accessing the SonicWALL SSL VPN Portal” section on page 945 • “Using Net[...]

  • Page 946

    SSL VPN > Virtual Office 946 SonicOS 5.8.1 Administrator Guide • One of the following browsers: – Internet Explorer 6.0 and higher – Mozilla Firefox 1.5 and higher • To initially install the NetExtender client, the user must be logged in to the PC with administrative privileges. • Downloading and running scripted ActiveX files must b[...]

  • Page 947

    SSL VPN > Virtual Office 947 SonicOS 5.8.1 Administrator Guide • “Uninstalling NetExtender” section on page 963 • “Verifying NetExtender Operation from the System Tray” section on page 964 The following sections describe how to install and use NetExtender on a MacOS platform: • “Installing NetExtender on MacOS” section on [...]

  • Page 948

    SSL VPN > Virtual Office 948 SonicOS 5.8.1 Administrator Guide Installing NetExtender Using the Mozilla Firefox Browser To use NetExtender for the first time using the Mozilla Firefox browser, perform the following: Step 1 Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that sa[...]

  • Page 949

    SSL VPN > Virtual Office 949 SonicOS 5.8.1 Administrator Guide Step 8 When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected. Closing the window (clicking on the x icon in the upper right corner of the window) will not close the NetExtender session, but will minimi[...]

  • Page 950

    SSL VPN > Virtual Office 950 SonicOS 5.8.1 Administrator Guide Note It may be necessary to restart your computer when installing NetExtender on Windows Vista. Internet Explorer Prerequisites It is recommended that you add the URL or domain name of your SonicWALL security appliance to Internet Explorer’s trusted sites list. This will simp[...]

  • Page 951

    SSL VPN > Virtual Office 951 SonicOS 5.8.1 Administrator Guide Installing NetExtender from Internet Explorer To install and launch NetExtender for the first time using the Internet Explorer browser, perform the following: Step 1 Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page[...]

  • Page 952

    SSL VPN > Virtual Office 952 SonicOS 5.8.1 Administrator Guide Step 4 Click Instructions to add SSL VPN server address into trusted sites for help. Step 5 In Internet Explorer, go to Tools > Internet Options. Step 6 Click on the Security tab. Step 7 Click on the Trusted Sites icon and click on the Sites... button to open the Trusted [...]

  • Page 953

    SSL VPN > Virtual Office 953 SonicOS 5.8.1 Administrator Guide Step 8 Enter the URL or domain name of your SonicWALL security appliance in the Add this Web site to the zone field and click Add. Step 9 Click OK in the Trusted Sites and Internet Options windows. Step 10 Return to the SSL VPN portal and click on the NetExtender button. The p[...]

  • Page 954

    SSL VPN > Virtual Office 954 SonicOS 5.8.1 Administrator Guide Step 12 If a warning message that NetExtender has not passed Windows Logo testing is displayed, click Continue Anyway. SonicWALL testing has verified that NetExtender is fully compatible with Windows Vista, XP, 2000, and 2003. Step 13 When NetExtender completes installing, t[...]

  • Page 955

    SSL VPN > Virtual Office 955 SonicOS 5.8.1 Administrator Guide Launching NetExtender Directly from Your Computer After the first access and installation of NetExtender, you can launch NetExtender directly from your computer without first navigating to the SSL VPN portal. To launch NetExtender, complete the following procedure: S[...]

  • Page 956

    SSL VPN > Virtual Office 956 SonicOS 5.8.1 Administrator Guide Configuring NetExtender Preferences Complete the following procedure to configure NetExtender preferences: Step 1 Right click on the icon in the system tray and click on Preferences... The NetExtender Preferences window is displayed. Step 2 The Connection Profiles tab displays the[...]

  • Page 957

    SSL VPN > Virtual Office 957 SonicOS 5.8.1 Administrator Guide Step 5 To have NetExtender automatically connect when you start your computer, check the Automatically connect with Connection Profile checkbox and select the appropriate connection profile from the pulldown menu. Note Only connection profiles that allow you to save your usern[...]

  • Page 958

    SSL VPN > Virtual Office 958 SonicOS 5.8.1 Administrator Guide Configuring NetExtender Connection Scripts SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or webs[...]

  • Page 959

    SSL VPN > Virtual Office 959 SonicOS 5.8.1 Administrator Guide Configuring Batch File Commands NetExtender Connection Scripts can support any valid batch file commands. For more information on batch files, see the following Wikipedia entry: http://en.wikipedia.org/wiki/.bat . The following tasks provide an introduction to some commonly used[...]

  • Page 960

    SSL VPN > Virtual Office 960 SonicOS 5.8.1 Administrator Guide Configuring Proxy Settings SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the web portal, if your browser is already configured for proxy access, NetExtender automatically inher[...]

  • Page 961

    SSL VPN > Virtual Office 961 SonicOS 5.8.1 Administrator Guide – Use proxy server - Select this option to enter the Address and Port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses that bypass the proxy server. If required, enter a User name a[...]

  • Page 962

    SSL VPN > Virtual Office 962 SonicOS 5.8.1 Administrator Guide To save the log, either click the Export icon or go to Log > Export. To filter the log to display entries from a specific duration of time, go to the Filter menu and select the cutoff threshold. To filter the log by type of entry, go to Filter > Level and select one of th[...]

  • Page 963

    SSL VPN > Virtual Office 963 SonicOS 5.8.1 Administrator Guide Disconnecting NetExtender To disconnect NetExtender, perform the following steps: Step 1 Right click on the NetExtender icon in the system tray to display the NetExtender icon menu and click Disconnect. Step 2 Wait several seconds. The NetExtender session disconnects. You[...]

  • Page 964

    SSL VPN > Virtual Office 964 SonicOS 5.8.1 Administrator Guide Verifying NetExtender Operation from the System Tray To view options in the NetExtender system tray, right click on the NetExtender icon in the system tray. The following are some tasks you can perform with the system tray. Displaying Route Information To display the routes t[...]

  • Page 965

    SSL VPN > Virtual Office 965 SonicOS 5.8.1 Administrator Guide Installing NetExtender on MacOS SonicWALL SSL VPN supports NetExtender on MacOS. To use NetExtender on your MacOS system, your system must meet the following prerequisites: • MacOS 10.4 and higher • Java 1.4 and higher • Both PowerPC and Intel Macs are supported. To instal[...]

  • Page 966

    SSL VPN > Virtual Office 966 SonicOS 5.8.1 Administrator Guide Step 5 When NetExtender is successfully installed and connected, the NetExtender status window displays. Using NetExtender on MacOS Step 1 To launch NetExtender, go to the Applications folder in the Finder and double click on NetExtender.app. Step 2 The first time you connect, [...]

  • Page 967

    SSL VPN > Virtual Office 967 SonicOS 5.8.1 Administrator Guide Step 7 When NetExtender is connected, the NetExtender icon is displayed in the status bar at the top right of your display. Click on the icon to display NetExtender options. Step 8 To display a summary of your NetExtender session, click Connection Status. Step 9 To view the[...]

  • Page 968

    SSL VPN > Virtual Office 968 SonicOS 5.8.1 Administrator Guide Step 11 To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report. Step 12 Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory. Installing and Using[...]

  • Page 969

    SSL VPN > Virtual Office 969 SonicOS 5.8.1 Administrator Guide To install NetExtender on your Linux system, perform the following tasks: Step 1 Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.” Step 2 Click the NetExtender button. A po[...]

  • Page 970

    SSL VPN > Virtual Office 970 SonicOS 5.8.1 Administrator Guide Step 6 Launch the NetExtender.tgz file and follow the instructions in the NetExtender installer. The new netExtender directory contains a NetExtender shortcut that can be dragged to your desktop or toolbar. Step 7 The first time you connect, you must enter the server name or IP[...]

  • Page 971

    SSL VPN > Virtual Office 971 SonicOS 5.8.1 Administrator Guide Note You must be logged in as root to install NetExtender, although many Linux systems will allow the sudo ./install command to be used if you are not logged in as root. Step 10 To view the NetExtender routes, go to the NetExtender menu and select Routes. Step 11 To view the[...]

  • Page 972

    SSL VPN > Virtual Office 972 SonicOS 5.8.1 Administrator Guide Step 14 Click Add Bookmark. The Add Bookmark window displays. When user bookmarks are defined, the user will see the defined bookmarks from the SonicWALL SSL VPN Virtual Office home page. Individual user members are not able to delete or modify bookmarks created by the administra[...]

  • Page 973

    SSL VPN > Virtual Office 973 SonicOS 5.8.1 Administrator Guide Step 3 For the specific service you select from the Service drop-down list, additional fields may appear. Fill in the information for the service you selected. Select one of the following service types from the Service drop-down list: Terminal Services (RDP - ActiveX) or Terminal[...]

  • Page 974

    SSL VPN > Virtual Office 974 SonicOS 5.8.1 Administrator Guide the RDP Java client on Windows is a native RDP client that supports Plugin DLLs by default. The Enable plugin DLLs option is not available for RDP - Java. See “Enabling Plugin DLLs” section on page 974. – Optionally select Automatically log in and select Use SSL VPN accou[...]

  • Page 975

    SSL VPN > Virtual Office 975 SonicOS 5.8.1 Administrator Guide Creating Bookmarks with Custom SSO Credentials The administrator can configure custom Single Sign On (SSO) credentials for each user, group, or globally in RDP bookmarks. This feature is used to access resources that need a domain prefix for SSO authentication[...]

  • Page 976

    SSL VPN > Virtual Office 976 SonicOS 5.8.1 Administrator Guide • Themes • Bitmap caching If the Java client application is RDP 6, it also supports: • Dual monitors • Font smoothing • Desktop composition Note RDP bookmarks can use a port designation if the service is not running on the default port. Tip To terminate your remote deskt[...]

  • Page 977

    SSL VPN > Virtual Office 977 SonicOS 5.8.1 Administrator Guide Step 3 A window is displayed indicating that the Remote Desktop Client is loading. The remote desktop then loads in its own window. You can now access all of the applications and files on the remote computer. Using VNC Bookmarks Step 1 Click the VNC bookmark. The following wi[...]

  • Page 978

    SSL VPN > Virtual Office 978 SonicOS 5.8.1 Administrator Guide Step 2 When the VNC client has loaded, you will be prompted to enter your password in the VNC Authentication window. Step 3 To configure VNC options, click the Options button. The Options window is displayed. Table 2 describes the options that can be configured for VNC. Table[...]

  • Page 979

    SSL VPN > Virtual Office 979 SonicOS 5.8.1 Administrator Guide Using Telnet Bookmarks Step 1 Click on the Telnet bookmark. Note Telnet bookmarks can use a port designation for servers not running on the default port. Cursor shape updates Enable Cursor shape updates is a protocol extension used to handle remote cursor movements locally on th[...]

  • Page 980

    SSL VPN > Virtual Office 980 SonicOS 5.8.1 Administrator Guide Step 2 Click OK to any warning messages that are displayed. A Java-based Telnet window launches. Step 3 If the device you are Telnetting to is configured for authentication, enter your user name and password. Using SSHv1 Bookmarks Note SSH bookmarks can use a port designation f[...]

  • Page 981

    SSL VPN > Virtual Office 981 SonicOS 5.8.1 Administrator Guide Tip Some versions of the JRE may cause the SSH authentication window to pop up behind the SSH window. Using SSHv2 Bookmarks Note SSH bookmarks can use a port designation for servers not running on the default port. Step 1 Click on the SSHv2 bookmark. A Java-based SSH window disp[...]

  • Page 982

    SSL VPN > Virtual Office 982 SonicOS 5.8.1 Administrator Guide Step 3 Enter your password and click OK. Step 4 The SSH terminal launches in a new screen.[...]

  • Page 983

    SonicOS 5.8.1 Administrator Guide 983 PART 15 Part 15: Virtual Assist •[...]

  • Page 984

    984 SonicOS 5.8.1 Administrator Guide[...]

  • Page 985

    985 SonicOS 5.8.1 Administrator Guide CHAPTER 65 Chapter 65: Configuring Virtual Assist Virtual Assist This chapter contains the following sections: • “Virtual Assist Overview” on page 985 • “Virtual Assist > Status” on page 985 • “Virtual Assist > Settings” on page 986 • “Using Virtual Assist” on page 990 Virtual A[...]

  • Page 986

    Virtual Assist > Settings 986 SonicOS 5.8.1 Administrator Guide The status of each customer includes whether the customer is currently receiving Virtual Assist support, or their position in the queue to receive support. The status screen can also provide a summary of each customer’s issue, and the name of the assigned technician. The tech[...]

  • Page 987

    Virtual Assist > Settings 987 SonicOS 5.8.1 Administrator Guide By setting a global assistance code for customers, you can restrict who enters the system to request help. The code can be a maximum of eight (8) characters, and can be entered in the Assistance Code field. Customers receive the code through an email provided by the technician or[...]

  • Page 988

    Virtual Assist > Settings 988 SonicOS 5.8.1 Administrator Guide These variables can also be used in the “Invitation Message” field, where users can further customize the body of the invitation email, by entering the desired text. The message can be a maximum length of 800 characters. To utilize the email invitation capabilities of Vir[...]

  • Page 989

    Virtual Assist > Settings 989 SonicOS 5.8.1 Administrator Guide In the “Request Settings” screen section, on the Virtual Assist > Settings screen, you can configure various settings related to support request limits. The “Maximum Requests” field allows you to limit the number of customers that can be awaiting assistance in the qu[...]

  • Page 990

    Using Virtual Assist 990 SonicOS 5.8.1 Administrator Guide Enter the “Source Address Type” and “IP Address” that you wish to deny support requests from. Click “OK” to submit the information. The newly blocked address will now appear in the “Deny Request From Defined Address” screen section. Once you have completed all necessary[...]

  • Page 991

    Using Virtual Assist 991 SonicOS 5.8.1 Administrator Guide The customer can download and install the VASAC from the customer login page if the option, “Enable Support without Invitation,” has been previously enabled by the administrator. If the option is disabled, customers must click the provided link from the invite email sent by the t[...]

  • Page 992

    Using Virtual Assist 992 SonicOS 5.8.1 Administrator Guide Once the technician has installed the VASAC, they can proceed to log in to Virtual Assist. The technician selects the “Technician” tab, fills in the required login parameters, and clicks the “Login” button. The main panel will then display for the technician. From this panel, the[...]

  • Page 993

    SonicOS 5.8.1 Administrator Guide 993 PART 16 Part 16: User Management[...]

  • Page 994

    994 SonicOS 5.8.1 Administrator Guide[...]

  • Page 995

    995 SonicOS 5.8.1 Administrator Guide CHAPTER 66 Chapter 66: Managing Users and Authentication Settings User Management This chapter describes the user management capabilities of your SonicWALL security appliance for locally and remotely authenticated users. This chapter contains the following sections: • “Introduction to User Management” [...]

  • Page 996

    User Management 996 SonicOS 5.8.1 Administrator Guide SonicWALL security appliances provide a mechanism for user level authentication that gives users access to the LAN from remote locations on the Internet as well as a means to enforce or bypass content filtering policies for LAN users attempting to access the Internet. You can also permit only[...]

  • Page 997

    User Management 997 SonicOS 5.8.1 Administrator Guide Creating entries for dozens of users and groups takes time, although once the entries are in place they are not difficult to maintain. For networks with larger numbers of users, user authentication using LDAP or RADIUS servers can be more efficient. To apply Content Filtering Service (CFS)[...]

  • Page 998

    User Management 998 SonicOS 5.8.1 Administrator Guide You can also add or edit local groups. The configurable settings for groups include the following: • Group settings - For administrator groups, you can configure SonicOS to allow login to the management interface without activating the login status popup window. • Group members - Grou[...]

  • Page 999

    User Management 999 SonicOS 5.8.1 Administrator Guide Using LDAP / Active Directory / eDirectory Authentication Lightweight Directory Access Protocol (LDAP) defines a directory services structure for storing and managing information about elements in your network, such as user accounts, user groups, hosts, and servers. Several different stand[...]

  • Page 1000

    User Management 1000 SonicOS 5.8.1 Administrator Guide SonicOS Enhanced provides support for directory servers running the following protocols: • LDAPv2 (RFC3494) • LDAPv3 (RFC2251-2256, RFC3377) • LDAPv3 over TLS (RFC2830) • LDAPv3 with STARTTLS (RFC2830) • LDAP Referrals (RFC2251) LDAP Terms The following terms are useful when working [...]

  • Page 1001

    User Management 1001 SonicOS 5.8.1 Administrator Guide Further Information on LDAP Schemas • Microsoft Active Directory: Schema information is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/[...]

  • Page 1002

    User Management 1002 SonicOS 5.8.1 Administrator Guide Single Sign-On Overview This section provides an introduction to the SonicWALL SonicOS Enhanced Single Sign-On feature. This section contains the following subsections: • “What Is Single Sign-On?” on page 1002 • “Benefits of SonicWALL SSO” on page 1003 • “Platforms and Suppo[...]

  • Page 1003

    User Management 1003 SonicOS 5.8.1 Administrator Guide Benefits of SonicWALL SSO SonicWALL SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. SonicWALL SSO is transparent to end users and requires minima[...]

  • Page 1004

    User Management 1004 SonicOS 5.8.1 Administrator Guide The SonicWALL SSO feature supports LDAP and local database protocols. SonicWALL SSO supports SonicWALL Directory Connector. SonicWALL SSO can also interwork with ADConnector in an installation that includes a SonicWALL CSM, but Directory Connector is recommended. For all features of Soni[...]

  • Page 1005

    User Management 1005 SonicOS 5.8.1 Administrator Guide How Does Single Sign-On Work? SonicWALL SSO requires minimal administrator configuration and is transparent to the user. SSO is triggered in the following situations: • If firewall access rules requiring user authentication apply to traffic that is not incoming from the WAN zone • Whe[...]

  • Page 1006

    User Management 1006 SonicOS 5.8.1 Administrator Guide SonicWALL SSO Authentication Using the SSO Agent For users on individual Windows workstations, the SSO Agent (on the SSO workstation) handles the authentication requests from the SonicWALL appliance. There are six steps involved in SonicWALL SSO authentication using the SSO Agent, as ill[...]

  • Page 1007

    User Management 1007 SonicOS 5.8.1 Administrator Guide SonicWALL SSO Authentication Using the Terminal Services Agent For users logged in from a Terminal Services or Citrix server, the SonicWALL TSA takes the place of the SSO Agent in the authentication process. The process is different in several ways: • The TSA runs on the same server that [...]

  • Page 1008

    User Management 1008 SonicOS 5.8.1 Administrator Guide SonicWALL SSO Authentication Using Browser NTLM Authentication For users who are browsing using Mozilla-based browsers (including Internet Explorer, Firefox, Chrome and Safari) the SonicWALL appliance supports identifying them via NTLM (NT LAN Manager) authentication. NTLM is part of a bro[...]

  • Page 1009

    User Management 1009 SonicOS 5.8.1 Administrator Guide Note The shared key is generated in the SSO Agent and the key entered in the SonicWALL security appliance during SSO configuration must match the SSO Agent-generated key exactly. The SonicWALL security appliance queries the SonicWALL SSO Agent over the default port 2258. The SSO Agent the[...]

  • Page 1010

    User Management 1010 SonicOS 5.8.1 Administrator Guide • User login denied - SSO Agent agent timeout – Attempts to contact the SonicWALL SSO Agent have timed out. • User login denied - SSO Agent configuration error – The SSO Agent is not properly configured to allow access for this user. • User login denied - SSO Agent communication pro[...]

  • Page 1011

    User Management 1011 SonicOS 5.8.1 Administrator Guide How Does SonicWALL Terminal Services Agent Work? The SonicWALL TSA can be installed on any Windows Server machine with Terminal Services or Citrix installed. The server must belong to a Windows domain that can communicate with the SonicWALL security appliance directly using the IP addr[...]

  • Page 1012

    User Management 1012 SonicOS 5.8.1 Administrator Guide Multiple TSA Support To accommodate large installations with thousands of users, SonicWALL network security appliances are configurable for operation with multiple terminal services agents (one per terminal server). The number of agents supported depends on the model, as shown in Table 3[...]

  • Page 1013

    User Management 1013 SonicOS 5.8.1 Administrator Guide Connections to Local Subnets The TSA dynamically learns network topology based on information returned from the appliance and, once learned, it will not send notifications to the appliance for subsequent user connections that do not go through the appliance. As there is no mechanism for the TS[...]

  • Page 1014

    User Management 1014 SonicOS 5.8.1 Administrator Guide • User group memberships can be set locally by duplicating LDAP user names (set in the LDAP configuration and applicable when the user group membership mechanism is LDAP) • Polling rate NTLM Authentication of Non-Domain Users With NTLM, non-domain users could be users who are logged into t[...]

  • Page 1015

    User Management 1015 SonicOS 5.8.1 Administrator Guide • Browsers on Non-PC Platforms – Non-PC platforms such as Linux and Mac can access resources in a Windows domain through Samba, but do not have the concept of “logging the PC into the domain” as Windows PCs do. Hence, browsers on these platforms do not have access to the user’s dom[...]

  • Page 1016

    User Management 1016 SonicOS 5.8.1 Administrator Guide How Does Multiple Administrators Support Work? The following sections describe how the Multiple Administrators Support feature works: • “Configuration Modes” section on page 1016 • “User Groups” section on page 1017 • “Priority for Preempting Administrators” section on page [...]

  • Page 1017

    User Management 1017 SonicOS 5.8.1 Administrator Guide User Groups The Multiple Administrators Support feature introduces two new default user groups: • SonicWALL Administrators - Members of this group have full administrator access to edit the configuration. • SonicWALL Read-Only Admins - Members of this group have read-only access to vie[...]

  • Page 1018

    User Management 1018 SonicOS 5.8.1 Administrator Guide 3. A user that is a member of the Limited Administrators user group can only preempt other members of the Limited Administrators group. GMS and Multiple Administrator Support When using SonicWALL GMS to manage a SonicWALL security appliance, GMS frequently logs in to the appliance (for such[...]

  • Page 1019

    User Management 1019 SonicOS 5.8.1 Administrator Guide Configuring Settings on Users > Settings On this page, you can configure the authentication method required, global user settings, and an acceptable user policy that is displayed to users when logging onto your network.[...]

  • Page 1020

    User Management 1020 SonicOS 5.8.1 Administrator Guide Configuration instructions for the settings on this page are provided in the following sections: • “User Login Settings” on page 1020 • “User Session Settings” on page 1021 • “Other Global User Settings” on page 1022 • “Acceptable Use Policy” on page 1024 • “Custo[...]

  • Page 1021

    User Management 1021 SonicOS 5.8.1 Administrator Guide • Select Browser NTLM authentication only if you want to authenticate Web users without using the SonicWALL SSO Agent or TSA. Users are identified as soon as they send HTTP traffic. NTLM requires RADIUS to be configured (in addition to LDAP, if using LDAP), for access to MSCHAP authenti[...]

  • Page 1022

    User Management 1022 SonicOS 5.8.1 Administrator Guide • Enable login session limit: you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field. The default value is 30 minutes. • Show user login status window: causes a status w[...]

  • Page 1023

    User Management 1023 SonicOS 5.8.1 Administrator Guide Auto-Configuration of URLs to Bypass User Authentication You can use the Auto-Configure utility to temporarily allow traffic from a single specified IP address to bypass authentication. The destinations that traffic accesses are then recorded and used to allow that traffic to bypass user [...]

  • Page 1024

    User Management 1024 SonicOS 5.8.1 Administrator Guide Tip Windows Updates access some destinations via HTTPS, and those can only be tracked by IP address. However, the actual IP addresses accessed each time may vary and so rather than trying to set up a bypass for each such IP address, it may be better to use the Convert to network(s) option to[...]

  • Page 1025

    User Management 1025 SonicOS 5.8.1 Administrator Guide Acceptable use policy page content - Enter your Acceptable Use Policy text in the text box. You can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation. Click the Example Template button to populate the content [...]

  • Page 1026

    User Management 1026 SonicOS 5.8.1 Administrator Guide Customize Login Pages SonicOS now provides the ability to customize the text of the login authentication pages that are presented to users. Administrators can translate the login-related pages with their own wording and apply the changes so that they take effect without rebooting. Althou[...]

  • Page 1027

    User Management 1027 SonicOS 5.8.1 Administrator Guide Note The "var strXXX =" lines in the template pages are customized JavaScript Strings. You can change them into your preferred wording. Modifications should follow the JavaScript syntax. You can also edit the wording in the HTML section. 5. Click Preview to preview how the cus[...]

  • Page 1028

    User Management 1028 SonicOS 5.8.1 Administrator Guide • “Editing Local Users” on page 1031 • “Importing Local Users from LDAP” on page 1031 Configuring Local User Settings The following global settings can be configured for all local users on the Users > Local Users page: • Apply password constraints for all local users - Applie[...]

  • Page 1029

    User Management 1029 SonicOS 5.8.1 Administrator Guide • In the expanded view, click the remove icon under Configure to remove the user from a group. • Click the edit icon under Configure to edit the user. • Click the delete icon under Configure to delete the user or group in that row. Adding Local Users You can add local users to the in[...]

  • Page 1030

    User Management 1030 SonicOS 5.8.1 Administrator Guide • If you select a limited lifetime, select the Prune account upon expiration checkbox to have the user account deleted after the lifetime expires. Disable this checkbox to have the account simply be disabled after the lifetime expires. The administrator can then re-enable the account by re[...]

  • Page 1031

    User Management 1031 SonicOS 5.8.1 Administrator Guide Note Users must be members of the SSL VPN Services group before you can configure Bookmarks for them. Step 12 Click OK to complete the user configuration. Editing Local Users You can edit local users from the Users > Local Users screen. To edit a local user: Step 1 In the list of users, c[...]

  • Page 1032

    User Management 1032 SonicOS 5.8.1 Administrator Guide To import users from the LDAP server: Step 1 In the Users > Settings page, set the Authentication Method to LDAP or LDAP + Local Users. Step 2 In the Users > Local Users page, click Import from LDAP.[...]

  • Page 1033

    User Management 1033 SonicOS 5.8.1 Administrator Guide Step 3 In the LDAP Import Users dialog box, you can select individual users or select all users. To select all users in the list, select the Select/deselect all checkbox at the top of the list. To clear all selections, click it again. Step 4 To remove one or more users from the displaye[...]

  • Page 1034

    User Management 1034 SonicOS 5.8.1 Administrator Guide • To remove certain users from the list on the basis of their location in the LDAP directory, select the All users <field1> <field2> radio button. In the first field, select either at or at or under from the drop-down list. In the second field, select the LDAP directory locat[...]

  • Page 1035

    User Management 1035 SonicOS 5.8.1 Administrator Guide A default group, Everyone, is listed in the table. Click the edit icon in the Configure column to review or change the settings for Everyone. See the following sections for configuration instructions: • “Creating a Local Group” on page 1035 • “Importing Local Groups from LDAP” o[...]

  • Page 1036

    User Management 1036 SonicOS 5.8.1 Administrator Guide Note For one-time password capability, remote users can be controlled at the group level. LDAP users’ email addresses are retrieved from the server when original authentication is done. Authenticating remote users through RADIUS requires administrators to manually enter email address[...]

  • Page 1037

    User Management 1037 SonicOS 5.8.1 Administrator Guide Note You can configure SSL VPN Access Lists for numerous users at the group level. To do this, build an Address Object on the Network > Address Objects management interface, such as for a public file server that all users of a group need access to. This newly created object now appears[...]

  • Page 1038

    User Management 1038 SonicOS 5.8.1 Administrator Guide Importing Local Groups from LDAP You can configure local user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import from LDAP... button launches a dialog box containing the list of user group names available for import to the SonicWALL. Having user g[...]

  • Page 1039

    User Management 1039 SonicOS 5.8.1 Administrator Guide Step 3 In the LDAP Import User Groups dialog box, optionally select the checkbox for groups that you do not want to import, and then click Remove from list. Step 4 To undo all changes made to the list of groups, click Undo and then click OK in the confirmation dialog box. Step 5 When fini[...]

  • Page 1040

    User Management 1040 SonicOS 5.8.1 Administrator Guide • With L2TP, the relevant RADIUS protocol is automatically selected according to the PPP protocol being used. • With VPN including Global VPN Client, RADIUS MSCHAP/MSCHAPv2 mode can be forced to allow password updating. This can be selected in the VPN > Advanced page and the SSL VPN &[...]

  • Page 1041

    User Management 1041 SonicOS 5.8.1 Administrator Guide RADIUS Servers In the RADIUS Servers section, you can designate the primary and optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network. Step 1 In the Primary Server section, type the host name or IP address[...]

  • Page 1042

    User Management 1042 SonicOS 5.8.1 Administrator Guide RADIUS Users Settings To configure the RADIUS user settings: Step 1 On the RADIUS Users tab, select Allow only users listed locally if only the users listed in the SonicWALL database are authenticated using RADIUS. Step 2 Select the mechanism used for setting user group memberships for R[...]

  • Page 1043

    User Management 1043 SonicOS 5.8.1 Administrator Guide Step 3 In the Members tab, select the members of the group. Select the users or groups you want to add in the left column and click the -> button. Click Add All to add all users and groups. Note You can add any group as a member of another group except Everybody and All RADIUS Users. B[...]

  • Page 1044

    User Management 1044 SonicOS 5.8.1 Administrator Guide RADIUS with LDAP for user groups When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group memberships for RADIUS users: When Use LDAP to retrieve user group informati[...]

  • Page 1045

    User Management 1045 SonicOS 5.8.1 Administrator Guide RADIUS Client Test In the RADIUS Configuration dialog box, you can test your RADIUS Client user name, password and other settings by typing in a valid user name and password and selecting one of the authentication choices for Test. Performing the test will apply any changes that you have ma[...]

  • Page 1046

    User Management 1046 SonicOS 5.8.1 Administrator Guide Configuring LDAP Integration in SonicOS Enhanced Integrating your SonicWALL appliance with an LDAP directory service requires configuring your LDAP server for certificate management, installing the correct certificate on your SonicWALL appliance, and configuring the SonicWALL appliance to[...]

  • Page 1047

    User Management 1047 SonicOS 5.8.1 Administrator Guide Exporting the CA Certificate from the Active Directory Server To export the CA certificate from the AD server: Step 1 Launch the Certification Authority application: Start > Run > certsrv.msc. Step 2 Right click on the CA you created, and select properties. Step 3 On the Gene[...]

  • Page 1048

    User Management 1048 SonicOS 5.8.1 Administrator Guide Step 5 On the Settings tab of the LDAP Configuration window, configure the following fields: • Name or IP Address – The FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain that it can be resolved by your DNS server. Also, if usi[...]

  • Page 1049

    User Management 1049 SonicOS 5.8.1 Administrator Guide • The domain components all use “dc=” If the “User tree for login to server” field is given as a dn, you can also select this option if the bind dn conforms to the first bullet above, but not to the second and/or the third bullet. – Give bind distinguished name – Select this opt[...]

  • Page 1050

    User Management 1050 SonicOS 5.8.1 Administrator Guide • Local certificate for TLS – Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (Active Directory does not return passwords). This setting is [...]

  • Page 1051

    User Management 1051 SonicOS 5.8.1 Administrator Guide • Login name attribute – Select one of the following to define the attribute that is used for login authentication: – sAMAccountName for Microsoft Active Directory – inetOrgPerson for RFC2798 inetOrgPerson – posixAccount for RFC2307 Network Information Service – sambaSAMAccount for[...]

  • Page 1052

    User Management 1052 SonicOS 5.8.1 Administrator Guide Step 7 On the Directory tab, configure the following fields: • Primary Domain – The user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, e.g. yourADdomain.com. Changes to this field will, optionally, automatically update the tree informatio[...]

  • Page 1053

    User Management 1053 SonicOS 5.8.1 Administrator Guide Note AD has some built-in containers that do not conform (e.g. the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. Ordering [...]

  • Page 1054

    User Management 1054 SonicOS 5.8.1 Administrator Guide If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the Domain to search value accordingly and selecting Append to existing trees on each subsequent run. Step 8 On the Referrals tab, configure the following fields: • Allow referrals – Select [...]

  • Page 1055

    User Management 1055 SonicOS 5.8.1 Administrator Guide Step 9 On the LDAP Users tab, configure the following fields: • Allow only users listed locally – Requires that LDAP users also be present in the SonicWALL local user database for logins to be allowed. • User group membership can be set locally by duplicating LDAP user names – Allows[...]

  • Page 1056

    User Management 1056 SonicOS 5.8.1 Administrator Guide • Import users – You can click this button to configure local users on the SonicWALL by retrieving the user names from your LDAP server. The Import users button launches a window containing the list of user names available for import to the SonicWALL. In the LDAP Import Users window [...]

  • Page 1057

    User Management 1057 SonicOS 5.8.1 Administrator Guide • Import user groups – You can click this button to configure user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import user groups button launches a window containing the list of user group names available for import to the SonicWALL. In the L[...]

  • Page 1058

    User Management 1058 SonicOS 5.8.1 Administrator Guide Step 10 On the LDAP Relay tab, configure the following fields: The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL with remote satellite sites connected into it via low-end SonicWALL security applianc[...]

  • Page 1059

    User Management 1059 SonicOS 5.8.1 Administrator Guide • User groups for legacy users with Internet access – Defines the user group that corresponds to the legacy ‘Allow Internet access (when access is restricted)’ privileges. When a user in this user group is authenticated, the remote SonicWALL is notified to give the user the relevant [...]

  • Page 1060

    User Management 1060 SonicOS 5.8.1 Administrator Guide This change in default authentication protocol order, combined with the iOS behavior of accepting the first supported authentication protocol will default to SonicOS and iOS devices using RADIUS authentication (because Active Directory does not support CHAP, MS-CHAP, or MS-CHAPv2). To fo[...]

  • Page 1061

    User Management 1061 SonicOS 5.8.1 Administrator Guide The following sections describe how to configure SSO: • “Installing the SonicWALL SSO Agent” on page 1062 • “Installing the SonicWALL Terminal Services Agent” on page 1065 • “Configuring the SonicWALL SSO Agent” on page 1067 – “Adding a SonicWALL Security Appliance[...]

  • Page 1062

    User Management 1062 SonicOS 5.8.1 Administrator Guide Installing the SonicWALL SSO Agent The SonicWALL SSO Agent is part of the SonicWALL Directory Connector. The SonicWALL SSO Agent must be installed on at least one, and up to eight, workstations or servers in the Windows domain that have access to the Active Directory server using VPN or I[...]

  • Page 1063

    User Management 1063 SonicOS 5.8.1 Administrator Guide Step 5 Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Browse, select the folder, and click Next. Step 6 On the Custom Setup page, the installation icon is displayed by default next to the Soni[...]

  • Page 1064

    User Management 1064 SonicOS 5.8.1 Administrator Guide Note This section can be configured at a later time. To skip this step and configure it later, click Skip. Step 9 Enter the IP address of your SonicWALL security appliance in the SonicWALL Appliance IP field. Type the port number for the same appliance in the SonicWALL Appliance Port f[...]

  • Page 1065

    User Management 1065 SonicOS 5.8.1 Administrator Guide If you checked the Launch SonicWALL Directory Connector box, the SonicWALL Directory Connector will display. Installing the SonicWALL Terminal Services Agent Install the SonicWALL TSA on one or more terminal servers on your network within the Windows domain. The SonicWALL TSA must have a[...]

  • Page 1066

    User Management 1066 SonicOS 5.8.1 Administrator Guide Step 5 On the Select Installation Folder window, select the destination folder. To use the default folder, C:\Program Files\SonicWALL\SonicWALL Terminal Services Agent, click Next. To specify a custom location, click Browse, select the folder, and click Next. Step 6 On the Confi[...]

  • Page 1067

    User Management 1067 SonicOS 5.8.1 Administrator Guide Configuring the SonicWALL SSO Agent The SonicWALL SSO Agent communicates with workstations using NetAPI or WMI, which both provide information about users that are logged in to a workstation, including domain users, local users, and Windows services. WMI is pre-installed on Windows Server[...]

  • Page 1068

    User Management 1068 SonicOS 5.8.1 Administrator Guide If you clicked Yes, the message Successfully restored the old configuration will display. Click OK. If you clicked No, or if you clicked Yes but the default configuration is incorrect, the message SonicWALL SSO Agent service is not running. Please check the configuration and start the[...]

  • Page 1069

    User Management 1069 SonicOS 5.8.1 Administrator Guide Note When Logging Level 2 is selected, the SSO Agent service will terminate if the Windows event log reaches its maximum capacity. Step 4 In the Refresh Time field, enter the frequency, in seconds, that the SSO Agent will refresh user log in status. The default is 60 seconds.[...]

  • Page 1070

    User Management 1070 SonicOS 5.8.1 Administrator Guide Step 5 From the Query Source pull-down menu, select the protocol that the SSO Agent will use to communicate with workstations, either NETAPI or WMI. Note NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurat[...]

  • Page 1071

    User Management 1071 SonicOS 5.8.1 Administrator Guide Step 6 In the Configuration File field, enter the path for the configuration file. The default path is C:\Program Files\SonicWALL\DCON\SSO\CIAConfig.xml. Step 7 Click Accept. Step 8 Click OK.[...]

  • Page 1072

    User Management 1072 SonicOS 5.8.1 Administrator Guide Adding a SonicWALL Security Appliance Use these instructions to manually add a SonicWALL security appliance if you did not add one during installation, or to add additional SonicWALL security appliances. To add a SonicWALL security appliance, perform the following steps: Step 1 Launch the[...]

  • Page 1073

    User Management 1073 SonicOS 5.8.1 Administrator Guide Step 3 Enter the appliance IP address for your SonicWALL security appliance in the Appliance IP field. Enter the port for the same appliance in the Appliance Port field. The default port is 2258. Give your appliance a friendly name in the Friendly Name field. Enter a shared key in the Shared [...]

  • Page 1074

    User Management 1074 SonicOS 5.8.1 Administrator Guide Deleting Appliances in SonicWALL SSO Agent To delete a SonicWALL security appliance you previously added in SonicWALL SSO Agent, select the appliance from the left-hand navigation panel and click the delete icon above the left-hand navigation panel. Modifying Services in SonicWALL SSO Age[...]

  • Page 1075

    User Management 1075 SonicOS 5.8.1 Administrator Guide Adding a SonicWALL Network Security Appliance to SonicWALL TSA Settings Perform the following steps to add a SonicWALL appliance to the SonicWALL TSA: Step 1 Double-click the SonicWALL TSA desktop icon. Step 2 The SonicWALL Terminal Services Agent window displays. On the Settings tab, t[...]

  • Page 1076

    User Management 1076 SonicOS 5.8.1 Administrator Guide Perform the following steps to create a TSR for the SonicWALL TSA: Step 1 Double-click the SonicWALL TSA desktop icon. Step 2 The SonicWALL Terminal Services Agent window displays. Click the Reports tab. Step 3 To generate the TSR and automatically email it to SonicWALL Technical S[...]

  • Page 1077

    User Management 1077 SonicOS 5.8.1 Administrator Guide Configuring Your SonicWALL Security Appliance for SonicWALL SSO Agent To use single sign-on, your SonicWALL security appliance must be configured to use either SonicWALL SSO Agent or Browser NTLM authentication only as the SSO method. SonicWALL SSO Agent is also the correct method to sele[...]

  • Page 1078

    User Management 1078 SonicOS 5.8.1 Administrator Guide Step 4 On the Authentication Agent Settings page, click the Add button to add an agent. The page is updated to display a new row in the table at the top, and two new tabs and their input fields in the lower half of the page. Step 5 In the Host Name or IP Address field, enter the name or IP ad[...]

  • Page 1079

    User Management 1079 SonicOS 5.8.1 Administrator Guide Step 12 Click the Users tab. The User Settings page displays. Step 13 Check the box next to Allow only users listed locally to allow only users listed locally on the appliance to be authenticated. Step 14 Check the box next to Simple user names in local database to use simple user names. When s[...]

  • Page 1080

    User Management 1080 SonicOS 5.8.1 Administrator Guide network may be blocking them. For example, if you have an Access Control List set on a router in your network to allow NetAPI from the agent’s IP address only, that ACL will block the probes to the NetAPI port from the appliance. Probe test mode is useful for initial SSO deployment and tr[...]

  • Page 1081

    User Management 1081 SonicOS 5.8.1 Administrator Guide To edit a service account name, select the name, click Edit, make the desired changes in the Service User name dialog box, and then click OK. To remove service account names, select one or more names and then click Remove. Step 24 Click on the Enforcement tab if you want to either trigge[...]

  • Page 1082

    User Management 1082 SonicOS 5.8.1 Administrator Guide The second setting is appropriate for user traffic that does not need to be authenticated, and triggering SSO might cause an unacceptable delay for the service. SSO bypass settings do not apply when SSO is triggered by firewall access rules requiring user authentication. To configure this ty[...]

  • Page 1083

    User Management 1083 SonicOS 5.8.1 Administrator Guide As you type in values for the fields, the row at the top is updated in red to highlight the new information. Step 30 In the Port field, enter the port number of the workstation on which SonicWALL TSA is installed. The default port is 2259. Note that agents at different IP addresses can have[...]

  • Page 1084

    User Management 1084 SonicOS 5.8.1 Administrator Guide Step 35 Select one of the following choices from the Use NTLM to authenticate HTTP traffic pulldown list: • Never – Never use NTLM authentication. • Before attempting SSO via the agent – Try to authenticate users with NTLM before using the SonicWALL SSO agent. • Only if SSO via the[...]

  • Page 1085

    User Management 1085 SonicOS 5.8.1 Administrator Guide Step 41 Click the Test tab. The Test Authentication Agent Settings page displays. You can test the connectivity between the appliance and an SSO agent or TSA. You can also test whether the SSO agent is properly configured to identify a user logged into a workstation. Note Performing tes[...]

  • Page 1086

    User Management 1086 SonicOS 5.8.1 Administrator Guide Step 43 Select the Check agent connectivity radio button and then click the Test button. This will test communication with the authentication agent. If the SonicWALL security appliance can connect to the SSO agent, you will see the message Agent is ready. If testing a TSA, the Test Status [...]

  • Page 1087

    User Management 1087 SonicOS 5.8.1 Administrator Guide Configuring Your SonicWALL Appliance for Browser NTLM Authentication To use single sign-on, your SonicWALL security appliance must be configured to use either SonicWALL SSO Agent or Browser NTLM authentication only as the SSO method. The following procedure describes how to configure your[...]

  • Page 1088

    User Management 1088 SonicOS 5.8.1 Administrator Guide Step 8 To use locally configured user group settings, select the Local configuration radio button. Step 9 In the Polling rate (minutes) field, enter a polling interval, in minutes. The security appliance will poll the workstation running SSO Agent once every interval to verify that users a[...]

  • Page 1089

    User Management 1089 SonicOS 5.8.1 Administrator Guide To configure a Windows 7 or Vista machine to use NTLMv2 Session Security, perform the following steps: Step 1 To open Windows Group Policy, open the Control Panel and select Administrative Tools. Step 2 Select Local Security Policy to open the Local Security Policy window. Step 3 Exp[...]

  • Page 1090

    User Management 1090 SonicOS 5.8.1 Administrator Guide Advanced LDAP Configuration If you selected Use LDAP to retrieve user group information on the Users tab in step 19 of “Configuring Your SonicWALL Security Appliance for SonicWALL SSO Agent” on page 1077, you must configure your LDAP settings. To configure LDAP settings, perform the f[...]

  • Page 1091

    User Management 1091 SonicOS 5.8.1 Administrator Guide Select Give bind distinguished name to access the tree with the distinguished name. Step 7 To log in with a user’s name and password, enter the user’s name in the Login user name field and the password in the Login password field. The login name will automatically be presented to the [...]

  • Page 1092

    User Management 1092 SonicOS 5.8.1 Administrator Guide Step 14 Click the Schema tab. Step 15 From the LDAP Schema drop-down menu, select one of the following LDAP schemas. Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values. Selecting ‘user-defined’ will allow you to sp[...]

  • Page 1093

    User Management 1093 SonicOS 5.8.1 Administrator Guide Step 19 The User group membership attribute field contains the information in the user object of which groups it belongs to. This is memberOf in Microsoft Active Directory. The other predefined schemas store group membership information in the group object rather than the user object, and th[...]

  • Page 1094

    User Management 1094 SonicOS 5.8.1 Administrator Guide Step 25 Select the Directory tab. Step 26 In the Primary Domain field, specify the user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, such as yourADdomain.com. Changes to this field will, optionally, automatically update the tree information[...]

  • Page 1095

    User Management 1095 SonicOS 5.8.1 Administrator Guide Note AD has some built-in containers that do not conform (for example, the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. [...]

  • Page 1096

    User Management 1096 SonicOS 5.8.1 Administrator Guide Step 31 Select the Referrals tab. Step 32 If multiple LDAP servers are in use in your network, LDAP referrals may be necessary. Select one or more of the following check boxes: • Allow referrals – Select when user information is located on an LDAP server other than the primary one. • Al[...]

  • Page 1097

    User Management 1097 SonicOS 5.8.1 Administrator Guide Step 33 Select the LDAP Users tab. Step 34 Check the Allow only users listed locally box to require that LDAP users also be present in the SonicWALL security appliance local user database for logins to be allowed. Step 35 Check the User group membership can be set locally by duplicating LDAP [...]

  • Page 1098

    User Management 1098 SonicOS 5.8.1 Administrator Guide Step 38 Select the LDAP Relay tab. Step 39 Select the Enable RADIUS to LDAP Relay checkbox to enable RADIUS to LDAP relay. The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL security appliance with re[...]

  • Page 1099

    User Management 1099 SonicOS 5.8.1 Administrator Guide Step 42 In the User groups for legacy users fields, define the user groups that correspond to the legacy ‘VPN users,’ ‘VPN client users,’ ‘L2TP users’ and ‘users with Internet access’ privileges. When a user in one of the given user groups is authenticated, the remote Sonic[...]

  • Page 1100

    User Management 1100 SonicOS 5.8.1 Administrator Guide Tuning Single Sign-On Advanced Settings This section provides detailed information to help you tune the advanced SSO settings on your SonicWALL appliance. See the following sections: • “Overview” on page 1100 • “About the Advanced Settings” on page 1100 • “Viewing SSO Mouseo[...]

  • Page 1101

    User Management 1101 SonicOS 5.8.1 Administrator Guide Statistics in the TSR” on page 1103 and “Viewing SSO Mouseover Statistics and Tooltips” on page 1101). Requests waiting on the ring buffer for too long could lead to slow response times in SSO authentication. This setting works in conjunction with the automatically calculated [...]

  • Page 1102

    User Management 1102 SonicOS 5.8.1 Administrator Guide To view the statistics for all SSO activity on the appliance, hover your mouse pointer over the statistics icon at the bottom of the table, in the same row as the Add button. To close the statistics display, click close. To clear all the displayed values, click Click to reset. To view t[...]

  • Page 1103

    User Management 1103 SonicOS 5.8.1 Administrator Guide Using the Single Sign-On Statistics in the TSR A rich set of SSO performance and error statistics is included in the troubleshooting report (TSR). These can be used to gauge how well SSO is performing in your installation. Download the TSR on the System > Diagnostics page and search for t[...]

  • Page 1104

    User Management 1104 SonicOS 5.8.1 Administrator Guide 6. If using multiple agents, then also under SSO agent statistics look at the error and timeout rates reported for the different agents, and also their response times. Significant differences between agents could indicate a problem specific to one agent that could be addressed by upgrading [...]

  • Page 1105

    User Management 1105 SonicOS 5.8.1 Administrator Guide Configuring Firewall Access Rules Enabling SonicWALL SSO affects policies on the Firewall > Access Rules page of the SonicOS Enhanced management interface. Rules set under Firewall > Access Rules are checked against the user group memberships returned from a SSO LDAP query, and are [...]

  • Page 1106

    User Management 1106 SonicOS 5.8.1 Administrator Guide • To use SonicWALL SSO with Linux/Mac users, the SonicWALL SSO Agent must be configured to use NetAPI rather than WMI to get the user login information from the user's machine. • For Samba to receive and respond to the requests from the SonicWALL SSO Agent, it must be set up as [...]

  • Page 1107

    User Management 1107 SonicOS 5.8.1 Administrator Guide unauthenticated HTTP connections that match it will be directed straight to the login page. Typically, the Source field would be set to an address object containing the IP addresses of Mac and Linux systems. In the case of CFS, a rule with this checkbox enabled can be added “in front of?[...]

  • Page 1108

    User Management 1108 SonicOS 5.8.1 Administrator Guide White Listing IP Addresses to Bypass SSO and Authentication If you have IP addresses that should always be allowed access without requiring user authentication, they can be white-listed. To white-list IP addresses so that they do not require authentication and can bypass SSO: Step 1 On the [...]

  • Page 1109

    User Management 1109 SonicOS 5.8.1 Administrator Guide That can be done in one of two ways. The source zone is shown as LAN here, but can be any applicable zone(s): 1. Change Users Allowed in the default LAN -> WAN rule to Everyone or Trusted Users. These are authenticated users. Then add rules to allow out traffic that you do not want to[...]

  • Page 1110

    User Management 1110 SonicOS 5.8.1 Administrator Guide About Firewall Access Rules Firewall access rules provide the administrator with the ability to control user access. Rules set under Firewall > Access Rules are checked against the user group memberships returned from a SSO LDAP query, and are applied automatically. Access rules are net[...]

  • Page 1111

    User Management 1111 SonicOS 5.8.1 Administrator Guide • On a failure to identify a user due to communication problems with the TSA, an HTTP browser session is not redirected to the Web login page (as happens on a failure in the SSO case). Instead, it goes to a new page with the message “The destination that you were trying to reach is tempo[...]

  • Page 1112

    User Management 1112 SonicOS 5.8.1 Administrator Guide Viewing SSO and LDAP Messages with Packet Monitor In SonicOS Enhanced 5.6 and above, the Packet Monitor feature available on System > Packet Monitor provides two checkboxes to enable capture of decrypted messages to and from the SSO agent, and decrypted LDAP over TLS (LDAPS) messages. In [...]

  • Page 1113

    User Management 1113 SonicOS 5.8.1 Administrator Guide Captured SSO messages are displayed fully decoded on the System > Packet Monitor screen. Capturing LDAP Over TLS Messages To capture decrypted LDAP over TLS (LDAPS) packets, perform the following steps: Step 1 Click the Configuration button in the System > Packet Monitor page Step 2[...]

  • Page 1114

    User Management 1114 SonicOS 5.8.1 Administrator Guide The packets will be marked with (ldp) in the ingress/egress interface field. They will have dummy Ethernet, TCP, and IP headers, so some values in these fields may not be correct. The LDAP server port will be set to 389 so that an external capture analysis program (such as Wireshark) will [...]

  • Page 1115

    User Management 1115 SonicOS 5.8.1 Administrator Guide Configuring Additional Administrator User Profiles To configure additional administrator user profiles, perform the following steps: Step 1 While logged in as admin, navigate to the Users > Local Users page. Step 2 Click the Add User button. Step 3 Enter a Name and Password for the us[...]

  • Page 1116

    User Management 1116 SonicOS 5.8.1 Administrator Guide When using RADIUS or LDAP authentication, if you want to keep the configuration of administrative users local to the appliance whilst having those users authenticated by RADIUS/LDAP, perform these steps: Step 1 Navigate to the Users > Settings page. Step 2 Select either the RADIUS + Lo[...]

  • Page 1117

    User Management 1117 SonicOS 5.8.1 Administrator Guide Activating Configuration Mode When logging in as a user with administrator rights (that is not the admin user), the User Login Status popup window is displayed. To go to the SonicWALL user interface, click the Manage button. You will be prompted to enter your password again. This is a safe[...]

  • Page 1118

    User Management 1118 SonicOS 5.8.1 Administrator Guide If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status popup [...]

  • Page 1119

    User Management 1119 SonicOS 5.8.1 Administrator Guide To switch from non-config mode to full configuration mode, perform the following steps: Step 1 Navigate to the System > Administration page. Step 2 In the Web Management Settings section, click on the Configuration mode button. If there is not currently an administrator in configurati[...]

  • Page 1120

    User Management 1120 SonicOS 5.8.1 Administrator Guide Verifying Multiple Administrators Support Configuration User accounts with administrator and read-only administrators can be viewed on the Users > Local Groups page. Administrators can determine which configuration mode they are in by looking at either the top right corner of the managemen[...]

  • Page 1121

    User Management 1121 SonicOS 5.8.1 Administrator Guide The status bar displays Read-only mode - no changes can be made. When the administrator is in non-config mode, the top right of the interface displays Non-Config Mode. Clicking on this text links to the System > Administration page where you can enter full configuration mode. The status b[...]

  • Page 1122

    User Management 1122 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1123

    1123 SonicOS 5.8.1 Administrator Guide CHAPTER 67 Chapter 67: Managing Guest Services and Guest Accounts Users > Guest Services Guest accounts are temporary accounts set up for users to log into your network. You can create these accounts manually, as needed or generate them in batches. SonicOS includes profiles you can configure in advance[...]

  • Page 1124

    Users > Guest Services 1124 SonicOS 5.8.1 Administrator Guide Global Guest Settings Check Show guest login status window with logout button to display a user login window on the user’s workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their cu[...]

  • Page 1125

    Users > Guest Accounts 1125 SonicOS 5.8.1 Administrator Guide – Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts wi[...]

  • Page 1126

    Users > Guest Accounts 1126 SonicOS 5.8.1 Administrator Guide Adding Guest Accounts You can add guest accounts individually or generate multiple guest accounts automatically. To Add an Individual Account: Step 1 Under the list of accounts, click Add Guest. Step 2 In the Settings tab of the Add Guest Account window configure: – Profile :[...]

  • Page 1127

    Users > Guest Accounts 1127 SonicOS 5.8.1 Administrator Guide – Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides [...]

  • Page 1128

    Users > Guest Accounts 1128 SonicOS 5.8.1 Administrator Guide – Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides [...]

  • Page 1129

    Users > Guest Status 1129 SonicOS 5.8.1 Administrator Guide Users > Guest Status The Guest Status page reports on all the guest accounts currently logged in to the security appliance. The page lists: • Name: The name of the guest account. • IP: The IP address the guest user is connecting to. • Interface: The interface on the sec[...]

  • Page 1130

    Users > Guest Status 1130 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1131

    SonicOS 5.8.1 Administrator Guide 1131 PART 17 Part 17: High Availability[...]

  • Page 1132

    1132 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1133

    1133 SonicOS 5.8.1 Administrator Guide CHAPTER 68 Chapter 68: Setting Up High Availability High Availability This chapter describes how to configure and manage the High Availability feature on SonicWALL security appliances. It contains the following sections: • “Benefits of High Availability” on page 1134 • “How High Availability Wor[...]

  • Page 1134

    High Availability 1134 SonicOS 5.8.1 Administrator Guide High Availability provides a way to share SonicWALL licenses between two SonicWALL security appliances when one is acting as a high availability system for the other. To use this feature, you must register the SonicWALL appliances on MySonicWALL as Associated Products. Both appliance[...]

  • Page 1135

    High Availability 1135 SonicOS 5.8.1 Administrator Guide How High Availability Works High Availability requires one SonicWALL device configured as the Primary SonicWALL, and an identical SonicWALL device configured as the Backup SonicWALL. During normal operation, the Primary SonicWALL is in an Active state and the Backup SonicWALL in an[...]

  • Page 1136

    High Availability 1136 SonicOS 5.8.1 Administrator Guide • Preempt - Applies to a post-failover condition in which the Primary unit has failed, and the Backup unit has assumed the Active role. Enabling Preempt will cause the Primary unit to seize the Active role from the Backup after the Primary has been restored to a verified operational sta[...]

  • Page 1137

    High Availability 1137 SonicOS 5.8.1 Administrator Guide • “Benefits” on page 1137 • “How Does Stateful High Availability Work?” on page 1137 What is Stateful High Availability? The original version of SonicOS Enhanced provided a basic High Availability feature where a Backup firewall assumes the interface IP addresses of the[...]

  • Page 1138

    High Availability 1138 SonicOS 5.8.1 Administrator Guide The following table lists the information that is synchronized and information that is not currently synchronized by Stateful High Availability. Security Services and Stateful High Availability High Availability pairs share a single set of security services licenses and a single State[...]

  • Page 1139

    High Availability 1139 SonicOS 5.8.1 Administrator Guide Stateful High Availability Example The following figure shows a sample Stateful High Availability network. In case of a failover, the following sequence of events occurs: 1. A PC user connects to the network, and the Primary SonicWALL security appliance creates a session for the user. [...]

  • Page 1140

    High Availability 1140 SonicOS 5.8.1 Administrator Guide Active/Active DPI Overview This section provides an introduction to the Active/Active DPI feature. Active/Active DPI requires Stateful High Availability and is supported on SonicWALL E-Class NSA appliances. This section contains the following subsections: • “What is Active/Active DPI?[...]

  • Page 1141

    High Availability 1141 SonicOS 5.8.1 Administrator Guide High Availability License Synchronization Overview This section provides an introduction to the SonicWALL High Availability license synchronization feature. This section contains the following subsections: • “What is High Availability License Synchronization?” on page 1141 • “[...]

  • Page 1142

    High Availability 1142 SonicOS 5.8.1 Administrator Guide • On SonicWALL appliances that support the PortShield feature (SonicWALL TZ series and NSA 240), High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances. • Both units must be registered and associated as a High Availa[...]

  • Page 1143

    High Availability 1143 SonicOS 5.8.1 Administrator Guide If you will not be using Primary/Backup WAN Management IP address, make sure each entry field is set to ‘0.0.0.0’ (in the High Availability > Monitoring Page) – the SonicWALL will report an error if the field is left blank. Note If each SonicWA[...]

  • Page 1144

    High Availability 1144 SonicOS 5.8.1 Administrator Guide • Make sure Primary SonicWALL and Backup SonicWALL security appliance’s LAN, WAN, and other interfaces are properly configured for seamless failover. • Connect the Primary SonicWALL and Backup SonicWALL appliances with a CAT5 or CAT6-rated crossover cable. The Primary and Bac[...]

  • Page 1145

    High Availability 1145 SonicOS 5.8.1 Administrator Guide Perform the following steps: Step 1 Decide which interface to use for the additional connection between the appliances. The same interface must be selected on each appliance. For example, you could connect X4 on the Primary unit to X4 on the Backup, in which case X4 would be the HA Data In[...]

  • Page 1146

    High Availability 1146 SonicOS 5.8.1 Administrator Guide To use Stateful High Availability on SonicWALL NSA appliances, you must purchase a Stateful High Availability Upgrade license for the Primary unit. Stateful High Availability is a licensed service that must be activated for the Primary appliance on mysonicwall.com. The license is sh[...]

  • Page 1147

    High Availability 1147 SonicOS 5.8.1 Administrator Guide Associating an Appliance at First Registration To register a new SonicWALL security appliance and associate it as a Backup unit to an existing Primary unit so that it can use High Availability license synchronization, perform the following steps: Step 1 Login to MySonicWALL. Step 2 O[...]

  • Page 1148

    High Availability 1148 SonicOS 5.8.1 Administrator Guide Step 6 If you clicked Continue without selecting a choice for HA Primary in the preceding step, click the radio button under Child Product Type to select a choice for HA Secondary (Backup unit), and then click Continue. Your new appliance will be the HA Primary unit for the device that y[...]

  • Page 1149

    High Availability 1149 SonicOS 5.8.1 Administrator Guide You can click HA Secondary to display the My Product - Associated Products page for the child/secondary/Backup unit. Note that you can also change the associated product (parent) for this child on this page.[...]

  • Page 1150

    High Availability 1150 SonicOS 5.8.1 Administrator Guide Associating Pre-Registered Appliances To associate two already-registered SonicWALL security appliances so that they can use High Availability license synchronization, perform the following steps: Step 1 Login to MySonicWALL. Step 2 On the main page under Most Recently Registered[...]

  • Page 1151

    High Availability 1151 SonicOS 5.8.1 Administrator Guide • If the existing unit is an HA Primary or an unassociated appliance, click HA Secondary. • If the existing unit is an HA Secondary appliance, click HA Primary. Step 6 On the My Product - Associated Products page, in the text boxes under Associate New Products, type the serial number[...]

  • Page 1152

    High Availability 1152 SonicOS 5.8.1 Administrator Guide Removing an HA Association You can remove the association between two SonicWALL security appliances on MySonicWALL at any time. You might need to remove an existing HA association if you replace an appliance or reconfigure your network. For example, if one of your SonicWALL security [...]

  • Page 1153

    High Availability 1153 SonicOS 5.8.1 Administrator Guide Replacing a SonicWALL Security Appliance If your SonicWALL security appliance has a hardware failure while still under warranty, SonicWALL will replace it. In this case, you need to remove the HA association containing the failed appliance in MySonicWALL, and add a new HA association t[...]

  • Page 1154

    High Availability 1154 SonicOS 5.8.1 Administrator Guide Configuring High Availability in SonicOS To configure High Availability, you must configure High Availability in the SonicOS management interface using the two SonicWALL appliances associated on MySonicWALL. For information about associating two appliances, see “Associating Applianc[...]

  • Page 1155

    High Availability 1155 SonicOS 5.8.1 Administrator Guide Disabling PortShield with the PortShield Wizard On SonicWALL appliances that support the PortShield feature, High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances. Perform the procedure for each of the appliances while[...]

  • Page 1156

    High Availability 1156 SonicOS 5.8.1 Administrator Guide Disabling PortShield Manually On SonicWALL appliances that support the PortShield feature, High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances. Perform the procedure for each of the appliances while logged into its[...]

  • Page 1157

    High Availability 1157 SonicOS 5.8.1 Administrator Guide Step 3 Click the Configure button. Step 4 In the Switch Port Settings dialog box, select Unassigned in the PortShield Interface drop-down list. Step 5 Click OK. The Network > PortShield Groups page displays the interfaces as unassigned. High Availability > Settings The configura[...]

  • Page 1158

    High Availability 1158 SonicOS 5.8.1 Administrator Guide To configure the settings on the High Availability > Settings page: Step 1 Login as an administrator to the SonicOS user interface on the Primary SonicWALL. Step 2 In the left navigation pane, navigate to High Availability > Settings. See “Verifying High Availability Status[...]

  • Page 1159

    High Availability 1159 SonicOS 5.8.1 Administrator Guide High Availability > Advanced Settings The configuration tasks on the High Availability > Advanced page are performed on the Primary unit and then are automatically synchronized to the Backup. To configure the settings on the High Availability > Advanced page, perform the follow[...]

  • Page 1160

    High Availability 1160 SonicOS 5.8.1 Administrator Guide Note SonicWALL High Availability cannot be configured using the built-in wireless interface, nor can it be configured using Dynamic WAN interfaces. The selected interface must be the same one that you physically connected as described in “Initial Active/Active DPI Setup” on page 1144[...]

  • Page 1161

    High Availability 1161 SonicOS 5.8.1 Administrator Guide the newly-Active appliance keeps the dynamic routes it had previously learned in its route table. During this time, the newly-Active appliance relearns the dynamic routes in the network. When the Dynamic Route Hold-Down Time duration expires, it deletes the old routes and implements the ne[...]

  • Page 1162

    High Availability 1162 SonicOS 5.8.1 Administrator Guide When using logical monitoring, the HA Pair will ping the specified Logical Probe IP address target from the Primary as well as from the Backup SonicWALL. The IP address set in the Primary IP Address or Backup IP Address field is used as the source IP address for the ping. If both units can su[...]

  • Page 1163

    High Availability 1163 SonicOS 5.8.1 Administrator Guide Step 5 In the Primary IP Address field, enter the unique LAN management IP address of the Primary unit. Step 6 In the Backup IP Address field, enter the unique LAN management IP address of the Backup unit. Step 7 Select the Allow Management on Primary/Backup IP Address checkbox. When this[...]

  • Page 1164

    High Availability 1164 SonicOS 5.8.1 Administrator Guide Tip A compromise between the convenience of synchronizing Certificates and the added security of not synchronizing Certificates is to temporarily enable the Include Certificate/Keys setting and manually synchronize the settings, and then disable Include Certificate/Keys. To verify that [...]

  • Page 1165

    High Availability 1165 SonicOS 5.8.1 Administrator Guide Applying Licenses to SonicWALL Security Appliances When your SonicWALL security appliances have Internet access, each appliance in a High Availability Pair must be individually registered from the SonicOS management interface while the administrator is logged into the individual managemen[...]

  • Page 1166

    High Availability 1166 SonicOS 5.8.1 Administrator Guide Step 4 Click Submit. Step 5 On the Systems > Licenses page under Manage Security Services Online, verify the services listed in the Security Services Summary table. Step 6 Repeat this procedure for the other appliance in the HA Pair.[...]

  • Page 1167

    High Availability 1167 SonicOS 5.8.1 Administrator Guide Copying the License Keyset from MySonicWALL You can follow the procedure in this section to view the license keyset on MySonicWALL and copy it to the SonicWALL security appliance. Perform the procedure for each of the appliances in a High Availability Pair while logged into its individ[...]

  • Page 1168

    High Availability 1168 SonicOS 5.8.1 Administrator Guide This is the license keyset for the SonicWALL security appliance that you selected in Step 3. Step 6 To copy the license keyset to the clipboard, press Ctrl+C. Step 7 Log in to the SonicOS user interface by using the individual LAN management IP address. Step 8 On the Systems > Lice[...]

  • Page 1169

    High Availability 1169 SonicOS 5.8.1 Administrator Guide Verifying High Availability Status There are several ways to view High Availability status in the SonicOS Enhanced management interface. See the following sections: • “Viewing the High Availability Status Table” on page 1169 • “Receiving Email Alerts About High Availability S[...]

  • Page 1170

    High Availability 1170 SonicOS 5.8.1 Administrator Guide instead of HA. When the HA interfaces are not connected or the link is down, the field displays the status in the form X5 No Link. When High Availability is not enabled, the field displays Disabled. • Found Backup - Indicates Yes if the Primary appliance has detected the Backup applian[...]

  • Page 1171

    High Availability 1171 SonicOS 5.8.1 Administrator Guide – ERROR – Indicates that the Backup unit has reached an error condition. – REBOOT – Indicates that the Backup unit is rebooting. – NONE – When viewed on the Backup unit, NONE indicates that HA is not enabled on the Backup. When viewed on the Primary unit, NONE indicates that the[...]

  • Page 1172

    High Availability 1172 SonicOS 5.8.1 Administrator Guide • “Responses to DPI UTM Matches” on page 1173 • “Logging” on page 1173 Comparing CPU Activity on Both Appliances As soon as Active/Active UTM is enabled on the Stateful HA pair, you can observe a change in CPU utilization on both appliances. CPU activity goes down on the ac[...]

  • Page 1173

    High Availability 1173 SonicOS 5.8.1 Administrator Guide Additional Parameters in TSR You can tell that Active/Active UTM is correctly configured on your Stateful HA pair by generating a Tech Support Report on the System > Diagnostics page. The following configuration parameters should appear with their correct values in the Tech Suppor[...]

  • Page 1174

    High Availability 1174 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1175

    SonicOS 5.8.1 Administrator Guide 1175 PART 18 Part 18: Security Services[...]

  • Page 1176

    1176 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1177

    1177 SonicOS 5.8.1 Administrator Guide CHAPTER 70 Chapter 70: Managing SonicWALL Security Services SonicWALL Security Services SonicWALL, Inc. offers a variety of subscription-based security services to provide layered security for your network. SonicWALL security services are designed to integrate seamlessly into your network to provide comple[...]

  • Page 1178

    SonicWALL Security Services 1178 SonicOS 5.8.1 Administrator Guide Note For more information on SonicWALL security services, please visit http://www.sonicwall.com. Note Complete product documentation for SonicWALL security services is available on the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html. Security Serv[...]

  • Page 1179

    SonicWALL Security Services 1179 SonicOS 5.8.1 Administrator Guide At the top of the list, you can click the link to the System > Licenses page to view license status and the available SonicWALL security services and upgrades for your SonicWALL security appliance and access mysonicwall.com for activating services using Activation Keys. A li[...]

  • Page 1180

    SonicWALL Security Services 1180 SonicOS 5.8.1 Administrator Guide • Purchase/Activate SonicWALL security service licenses • Receive SonicWALL firmware and security service updates and alerts • Manage your SonicWALL security services • Access SonicWALL Technical Support Your mysonicwall.com account is accessible from any Internet con[...]

  • Page 1181

    SonicWALL Security Services 1181 SonicOS 5.8.1 Administrator Guide If you are already connected to your mysonicwall.com account from the management interface, the Security Services Summary table is displayed. Click Synchronize to update the licensing and subscription information on the SonicWALL security appliance from your mysonicwall.com accoun[...]

  • Page 1182

    SonicWALL Security Services 1182 SonicOS 5.8.1 Administrator Guide • HTTP Clientless Notification Timeout for Gateway AntiVirus and AntiSpyware - Set the timeout duration after which the SonicWALL security appliance notifies users when GAV or Anti-Spyware detects an incoming threat from an HTTP server. The default timeout is one day (864[...]

  • Page 1183

    SonicWALL Security Services 1183 SonicOS 5.8.1 Administrator Guide 5. If the appliance has not been registered with mySonicWALL.com, two additional fields are displayed: – MySonicWALL Username - Enter the username for the MySonicWALL.com account that the appliance is to be registered to. – MySonicWALL Password - Enter the MySonicWALL.com a[...]

  • Page 1184

    SonicWALL Security Services 1184 SonicOS 5.8.1 Administrator Guide Note The remaining steps can be performed while disconnected from the Internet. Step 6 Return to the Security Services > Summary page on the SonicWALL security appliance GUI. Step 7 Click on the Import Signatures box. Step 8 In the pop-up window that appears, click the browse but[...]

  • Page 1185

    1185 SonicOS 5.8.1 Administrator Guide CHAPTER 71 Chapter 71: Configuring SonicWALL Content Filtering Service Security Services > Content Filter The Security Services > Content Filter page allows you to configure the Restrict Web Features and Trusted Domains settings, which are included with SonicOS Enhanced. You can activate and confi[...]

  • Page 1186

    Security Services > Content Filter 1186 SonicOS 5.8.1 Administrator Guide For complete SonicWALL Content Filtering Service documentation, see the SonicWALL Content Filtering Service Administrator’s Guide available at http://www.sonicwall.com/us/Support.html. This chapter contains the following sections: • “SonicWALL CFS Implementa[...]

  • Page 1187

    Security Services > Content Filter 1187 SonicOS 5.8.1 Administrator Guide established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWALL security appliance informing the user that the site has been blocked according to policy. With SonicWALL CFS, net[...]

  • Page 1188

    Security Services > Content Filter 1188 SonicOS 5.8.1 Administrator Guide The CFS App Control Policy Settings Screen There are multiple changes/additions to the CFS policy creation window when used in conjunction with Application Control. The table and image in this section provide information on Application Control interface for CFS.[...]

  • Page 1189

    Security Services > Content Filter 1189 SonicOS 5.8.1 Administrator Guide Feature Function Policy Name A friendly name for the policy. If applying a single policy to multiple groups, it is often a good idea to include the group name in this field. Policy Type Select “CFS” to show the content filtering options. Address Address or address gr[...]

  • Page 1190

    Security Services > Content Filter 1190 SonicOS 5.8.1 Administrator Guide Choosing CFS Policy Management Type The choice of which policy management method to use – Via User and Zone Screens or Via Application Control – is made in the Security Services > Content Filter page. Note While the new Application Control method of CFS management [...]

  • Page 1191

    Security Services > Content Filter 1191 SonicOS 5.8.1 Administrator Guide Bandwidth Management Methods Bandwidth Management feature can be implemented in two separate ways: • Per Policy Method – The bandwidth limit specified in a policy is applied individually to each policy – Example: two policies each have an independent limit of 500kb[...]

  • Page 1192

    Security Services > Content Filter 1192 SonicOS 5.8.1 Administrator Guide Policies and Precedence: How Policies are Enforced This section provides an overview of policy enforcement mechanism in CFS 3.0 to help the policy administrator create a streamlined set of rules without unnecessary redundancy or conflicting rule logic enforcement. Policy [...]

  • Page 1193

    Security Services > Content Filter 1193 SonicOS 5.8.1 Administrator Guide Create an Application Object Create an application object containing forbidden content: Step 1 Navigate to the Firewall > Match Objects page in the SonicOS management interface. Step 2 Click the Add New Match Object button, the Add/Edit Match Object window displays.[...]

  • Page 1194

    Security Services > Content Filter 1194 SonicOS 5.8.1 Administrator Guide Create an Application Control Policy to Block Forbidden Content Create an Application Control policy to block content defined in the Application Object: Step 1 Navigate to the Firewall > App Rules page in the SonicOS management interface. Step 2 Click the Add Policy[...]

  • Page 1195

    Security Services > Content Filter 1195 SonicOS 5.8.1 Administrator Guide Bandwidth Managing Content To create a CFS Policy for applying BWM to non-productive content: • Create an Application Object — page 1193 • Create a Bandwidth Management Action Object — page 1195 • Create an Application Control Policy to Block Forbidden Conte[...]

  • Page 1196

    Security Services > Content Filter 1196 SonicOS 5.8.1 Administrator Guide To create a new BWM action: Step 1 Navigate to the Firewall > Action Objects page in the SonicOS management interface. Step 2 Click the Add New Action Object button, the Add/Edit Action Object window displays. Step 3 Enter a descriptive Action Name for this action[...]

  • Page 1197

    Security Services > Content Filter 1197 SonicOS 5.8.1 Administrator Guide Note If you chose not to create a custom BWM object, you may use one of the pre-defined BWM objects (BWM high, BWM medium, or BWM low). Step 7 Optionally, select the Users/Groups who this policy is to be Included or Excluded on from the dropdown list. Our example uses [...]

  • Page 1198

    Security Services > Content Filter 1198 SonicOS 5.8.1 Administrator Guide Create a Group-Specific Application Control Policy Create an Application Control policy to block content defined in the Application Object: Step 1 Navigate to the Firewall > App Rules page in the SonicOS management interface. Step 2 Click the Add Policy button, the A[...]

  • Page 1199

    Security Services > Content Filter 1199 SonicOS 5.8.1 Administrator Guide Creating a Custom CFS Category This section details creating a custom CFS category entry. CFS allows the administrator not only to create custom Policies, but also allows for custom domain name entries to the existing CFS rating categories. This allows for insertion of [...]

  • Page 1200

    Security Services > Content Filter 1200 SonicOS 5.8.1 Administrator Guide Note All subdomains of the domain entered are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”, hence it is not necessary to enter all FQDN entries for subdomains of a parent domain. Step 5 Click the OK button to ad[...]

  • Page 1201

    Security Services > Content Filter 1201 SonicOS 5.8.1 Administrator Guide Content Filter Status If SonicWALL CFS is activated, the Content Filter Status section displays the status of the Content Filter Server, as well as the date and time that your subscription expires. The expiration date and time is displayed in Universal Time Code (UT[...]

  • Page 1202

    Security Services > Content Filter 1202 SonicOS 5.8.1 Administrator Guide Content Filter Type There are three types of content filtering available on the SonicWALL security appliance. These options are available from the Content Filter Type menu. • SonicWALL CFS - Selecting SonicWALL CFS as the Content Filter Type allows you to access So[...]

  • Page 1203

    Security Services > Content Filter 1203 SonicOS 5.8.1 Administrator Guide If you trust content on specific domains and want them to be exempt from Restrict Web Features, follow these steps to add them: Step 1 Select the Do not block Java/ActiveX/Cookies to Trusted Domains checkbox. Step 2 Click Add. The Add Trusted Domain Entry window is [...]

  • Page 1204

    Security Services > Content Filter 1204 SonicOS 5.8.1 Administrator Guide Modifying or Temporarily Disabling the CFS Exclusion List To modify or temporarily disable the CFS Exclusion List, perform these tasks: Step 1 To keep the CFS Exclusion List entries but temporarily allow content filtering to be applied to these IP addresses, uncheck [...]

  • Page 1205

    Security Services > Content Filter 1205 SonicOS 5.8.1 Administrator Guide Note SonicWALL recommends that you make the Default CFS Premium policy the most restrictive policy. Custom CFS policies are subject to content filter inheritance. This means that all custom CFS policies inherit the filters from the Default CFS policy. To ensure proper[...]

  • Page 1206

    Security Services > Content Filter 1206 SonicOS 5.8.1 Administrator Guide • Enable IP based HTTPS Content Filtering - Select this checkbox to enable HTTPS content filtering. HTTPS content filtering is IP-based, and will not inspect the URL. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HT[...]

  • Page 1207

    Security Services > Content Filter 1207 SonicOS 5.8.1 Administrator Guide Local Groups page. The Default CFS policy is always inherited by every user. A custom CFS policy allows you to modify the default CFS configuration to tailor content filtering policies for particular user groups on your network. Note To ensure proper content filtering,[...]

  • Page 1208

    Security Services > Content Filter 1208 SonicOS 5.8.1 Administrator Guide Step 5 Click the Settings tab. Step 6 Under Custom List Settings, select any of the following settings: – Disable Allowed Domains - select this setting to disable the allowed domains that are listed on the Custom List tab in the SonicWALL Filter Properties window.[...]

  • Page 1209

    Security Services > Content Filter 1209 SonicOS 5.8.1 Administrator Guide Tip Time of Day restrictions only apply to the Content Filter List, Customized blocking and Keyword blocking. Consent and Restrict Web Features are not affected. Custom List You can customize your URL list to include Allowed Domains and Forbidden Domains. By customiz[...]

  • Page 1210

    Security Services > Content Filter 1210 SonicOS 5.8.1 Administrator Guide To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete. Once the domain has been deleted, the Status bar displays Ready. To remove a keyword, select it from the list and click Delete. Once the keyword has been removed, the Sta[...]

  • Page 1211

    Security Services > Content Filter 1211 SonicOS 5.8.1 Administrator Guide – Enable Keyword Blocking - select this setting to enable keyword blocking for the URLs that are listed in the Keyword Blocking section on the Custom List tab. Step 2 Click OK. Disable all Web traffic except for Allowed Domains Selecting the Disable Web traffic excep[...]

  • Page 1212

    Security Services > Content Filter 1212 SonicOS 5.8.1 Administrator Guide Consent The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy window before Web browsing[...]

  • Page 1213

    Security Services > Content Filter 1213 SonicOS 5.8.1 Administrator Guide • Consent Accepted URL (filtering on) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Cons[...]

  • Page 1214

    Security Services > Content Filter 1214 SonicOS 5.8.1 Administrator Guide Settings • Server Host Name or IP Address - Enter the Server Host Name or the IP address of the Websense Enterprise server used for the Content Filter List. • Server Port - Enter the UDP port number for the SonicWALL to “listen” for the Websense Enterprise traf[...]

  • Page 1215

    1215 SonicOS 5.8.1 Administrator Guide CHAPTER 72 Chapter 72: Activating SonicWALL Client Anti-Virus Security Services > Client AV Enforcement By their nature, anti-virus products typically require regular, active maintenance on every PC. When a new virus is discovered, all anti-virus software deployed within an organization must be updated wi[...]

  • Page 1216

    Security Services > Client AV Enforcement 1216 SonicOS 5.8.1 Administrator Guide SonicOS supports both McAfee and Kaspersky client anti-virus for client AV enforcement. These services are licensed separately, allowing you to purchase the desired number of each license for your deployment. Activating SonicWALL Client Anti-Virus If SonicWALL[...]

  • Page 1217

    Security Services > Client AV Enforcement 1217 SonicOS 5.8.1 Administrator Guide Your SonicWALL Client Anti-Virus subscription is activated on your SonicWALL security appliance. Step 4 When you activate SonicWALL Client Anti-Virus at www.mysonicwall.com, the SonicWALL Client Anti-Virus activation is automatically enabled on your SonicW[...]

  • Page 1218

    Security Services > Client AV Enforcement 1218 SonicOS 5.8.1 Administrator Guide Step 3 In the configuration window, select the Enable Client AV Enforcement Service checkbox. Step 4 Click OK. Configuring Client Anti-Virus Settings The Settings section provides basic policy and enforcement configuration.[...]

  • Page 1219

    Security Services > Client AV Enforcement 1219 SonicOS 5.8.1 Administrator Guide Configuring Client Anti-Virus Policies The following features are available in the Client Anti-Virus Policies section: • Disable policing from Trusted to Public - Unchecked, this option enforces anti-virus policies on computers located on Trusted zones. Choosi[...]

  • Page 1220

    Security Services > Client AV Enforcement 1220 SonicOS 5.8.1 Administrator Guide Step 2 In the Edit Address Object Group window, select the address groups for which McAfee should be enforced in the left box and click the right arrow to move them into the box on the right. Step 3 Click OK. Step 4 To create another address group for McAfee e[...]

  • Page 1221

    Security Services > Client AV Enforcement 1221 SonicOS 5.8.1 Administrator Guide Step 12 To create another address group for enforcement exclusion, click the Add Entry (plus sign) button, and fill in the Name, Zone, Starting IP Address, and Ending IP Address for the range of clients in the Add Address Object window. Click OK. Step 13 For[...]

  • Page 1222

    Security Services > Client AV Enforcement 1222 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1223

    1223 SonicOS 5.8.1 Administrator Guide CHAPTER 73 Chapter 73: Managing SonicWALL Gateway Anti-Virus Service Security Services > Gateway Anti-Virus SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that travers[...]

  • Page 1224

    Security Services > Gateway Anti-Virus 1224 SonicOS 5.8.1 Administrator Guide desktops. New signatures are created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts, open source developers and other sources. SonicWALL GAV can be configured to protect against internal threats as well[...]

  • Page 1225

    Security Services > Gateway Anti-Virus 1225 SonicOS 5.8.1 Administrator Guide Remote Site Protection Step 1 Users send typical e-mail and files between remote sites and the corporate office. Step 2 SonicWALL GAV scans and analyses files and e-mail messages on the SonicWALL security appliance. Step 3 Viruses are found and blocked before in[...]

  • Page 1226

    Security Services > Gateway Anti-Virus 1226 SonicOS 5.8.1 Administrator Guide HTTP File Downloads Step 1 Client makes a request to download a file from the Web. Step 2 File is downloaded through the Internet. Step 3 File is analyzed by the SonicWALL GAV engine for malicious code and viruses. Step 4 If virus found, file discarded. Step 5 Viru[...]

  • Page 1227

    Security Services > Gateway Anti-Virus 1227 SonicOS 5.8.1 Administrator Guide single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream. Building on[...]

  • Page 1228

    Security Services > Gateway Anti-Virus 1228 SonicOS 5.8.1 Administrator Guide Note If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security Appliance” on page 1229. Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displayed in the ma[...]

  • Page 1229

    Security Services > Gateway Anti-Virus 1229 SonicOS 5.8.1 Administrator Guide Registering Your SonicWALL Security Appliance Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click St[...]

  • Page 1230

    Security Services > Gateway Anti-Virus 1230 SonicOS 5.8.1 Administrator Guide If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services: Step 1 On the Security Services > Gateway Anti-Virus page, click the SonicWALL Gateway Ant[...]

  • Page 1231

    Security Services > Gateway Anti-Virus 1231 SonicOS 5.8.1 Administrator Guide Activating FREE TRIALs You can try FREE TRIAL versions of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service. You must activate each service separately from the Manage Services Online table on the System > Lice[...]

  • Page 1232

    Security Services > Gateway Anti-Virus 1232 SonicOS 5.8.1 Administrator Guide The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL GAV on your SonicWALL security appliance. Enabling SonicWALL GAV You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings sec[...]

  • Page 1233

    Security Services > Gateway Anti-Virus 1233 SonicOS 5.8.1 Administrator Guide Applying SonicWALL GAV Protection on Zones You can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outg[...]

  • Page 1234

    Security Services > Gateway Anti-Virus 1234 SonicOS 5.8.1 Administrator Guide • Signature Database Timestamp displays the last update to the SonicWALL GAV signature database, not the last update to your SonicWALL security appliance. • Last Checked indicates the last time the SonicWALL security appliance checked the signature database[...]

  • Page 1235

    Security Services > Gateway Anti-Virus 1235 SonicOS 5.8.1 Administrator Guide Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL GAV to perform specific actions within the context of the application to gracefully handle the rejection of the payload. By default, SonicWALL GAV inspects al[...]

  • Page 1236

    Security Services > Gateway Anti-Virus 1236 SonicOS 5.8.1 Administrator Guide Restricting File Transfers For each protocol you can restrict the transfer of files with specific attributes by clicking on the Settings button under the protocol in the Gateway Anti-Virus Global Settings section. These restrict transfer settings include: • Restrict[...]

  • Page 1237

    Security Services > Gateway Anti-Virus 1237 SonicOS 5.8.1 Administrator Guide Configuring Gateway AV Settings Clicking the Configure Gateway AV Settings button at the bottom of the Gateway Anti-Virus Global Settings section displays the Gateway AV Settings window, which allows you to configure clientless notification alerts and create a So[...]

  • Page 1238

    Security Services > Gateway Anti-Virus 1238 SonicOS 5.8.1 Administrator Guide Tip The HTTP Clientless Notification feature is also available for SonicWALL Anti-Spyware. Optionally, you can configure the timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading. Config[...]

  • Page 1239

    Security Services > Gateway Anti-Virus 1239 SonicOS 5.8.1 Administrator Guide Optionally, certain cloud-signatures can be excluded from being enforced to alleviate false positive problems or to enable downloading specific virus files as necessary. To configure the exclusion list, click Cloud AV DB Exclusion Settings. 1. Enter the Cloud AV[...]

  • Page 1240

    Security Services > Gateway Anti-Virus 1240 SonicOS 5.8.1 Administrator Guide Viewing SonicWALL GAV Signatures The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the SonicWALL GAV signat[...]

  • Page 1241

    Security Services > Gateway Anti-Virus 1241 SonicOS 5.8.1 Administrator Guide Navigating the Gateway Anti-Virus Signatures Table The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures table. The Items field displays the table number of the first signature. If you’re displaying the first page of a si[...]

  • Page 1242

    Security Services > Gateway Anti-Virus 1242 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1243

    1243 SonicOS 5.8.1 Administrator Guide CHAPTER 74 Chapter 74: Activating Intrusion Prevention Service Security Services > Intrusion Prevention Service SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mai[...]

  • Page 1244

    Security Services > Intrusion Prevention Service 1244 SonicOS 5.8.1 Administrator Guide How SonicWALL’s Deep Packet Inspection Works Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. [...]

  • Page 1245

    Security Services > Intrusion Prevention Service 1245 SonicOS 5.8.1 Administrator Guide SonicWALL IPS Terminology • Stateful Packet Inspection - looking at the header of the packet to control access based on port, protocol, and IP address. • Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to inve[...]

  • Page 1246

    Security Services > Intrusion Prevention Service 1246 SonicOS 5.8.1 Administrator Guide Tip If your SonicWALL security appliance is connected to the Internet and registered at mysonicwall.com, you can activate a 30-day FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service separatel[...]

  • Page 1247

    Security Services > Intrusion Prevention Service 1247 SonicOS 5.8.1 Administrator Guide Step 5 In the mysonicwall Account page, enter in your information in the Account Information, Personal Information and Preferences fields. All fields marked with an asterisk (*) are required fields. Note Remember your username and password to access you[...]

  • Page 1248

    Security Services > Intrusion Prevention Service 1248 SonicOS 5.8.1 Administrator Guide Step 7 Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit your needs. Step 8 Click Submit. Step 9 When the mysonicwall.com server has finished processing your registration, a page is displayed infor[...]

  • Page 1249

    Security Services > Intrusion Prevention Service 1249 SonicOS 5.8.1 Administrator Guide Step 4 Type in the Activation Key in the New License Key field and click Submit. SonicWALL Intrusion Prevention Service is activated. The System > Licenses page is displayed with the Anti-Spyware and Gateway Anti-Virus links displayed at the bottom [...]

  • Page 1250

    Security Services > Intrusion Prevention Service 1250 SonicOS 5.8.1 Administrator Guide Note For complete instructions on setting up SonicWALL Intrusion Prevention Service, refer to the SonicWALL Intrusion Prevention Service Administrator’s Guide available on the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html[...]

  • Page 1251

    Security Services > Intrusion Prevention Service 1251 SonicOS 5.8.1 Administrator Guide Applying SonicWALL IPS Protection on Zones You apply SonicWALL IPS to zones on the Network > Zones page to enforce SonicWALL IPS not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL IPS on[...]

  • Page 1252

    Security Services > Intrusion Prevention Service 1252 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1253

    1253 SonicOS 5.8.1 Administrator Guide CHAPTER 75 Chapter 75: Activating Anti-Spyware Service Security Services > Anti-Spyware Service SonicWALL Anti-Spyware is part of the SonicWALL Gateway Anti-Virus, Anti-Virus and Intrusion Prevention Service solution that provides comprehensive, real-time protection against viruses, worms, Trojans, [...]

  • Page 1254

    Security Services > Anti-Spyware Service 1254 SonicOS 5.8.1 Administrator Guide Note Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site: http://www.sonicwall.com/us/Support.html for complete product documentation. SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Activation If you do not have SonicW[...]

  • Page 1255

    Security Services > Anti-Spyware Service 1255 SonicOS 5.8.1 Administrator Guide Creating a mysonicwall.com Account Creating a mysonicwall.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL security appliance management interface. Note If you already have a mysonicWALL.com account, go to ?[...]

  • Page 1256

    Security Services > Anti-Spyware Service 1256 SonicOS 5.8.1 Administrator Guide Registering Your SonicWALL Security Appliance Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click S[...]

  • Page 1257

    Security Services > Anti-Spyware Service 1257 SonicOS 5.8.1 Administrator Guide To try a FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, or SonicWALL Intrusion Prevention Service, perform these steps: Step 1 Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus, Security Services > Anti-Spy[...]

  • Page 1258

    Security Services > Anti-Spyware Service 1258 SonicOS 5.8.1 Administrator Guide Step 5 Click on the Gateway Anti-Virus link. The child Activation Key is automatically entered in the New License Key field. The child Activation Key is a different key than the parent key for the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Preve[...]

  • Page 1259

    1259 SonicOS 5.8.1 Administrator Guide CHAPTER 76 Chapter 76: Configuring SonicWALL Real-Time Blacklist SMTP Real-Time Black List Filtering The Security Services > RBL Filter page has been moved to Anti-Spam > RBL Filter. Clicking the RBL Filter selection under Security Services in the left navigation pane will open the Anti-Spam >[...]

  • Page 1260

    SMTP Real-Time Black List Filtering 1260 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1261

    1261 SonicOS 5.8.1 Administrator Guide CHAPTER 77 Chapter 77: Configuring Geo-IP and Botnet Filters This chapter contains the following sections: • “Security Services > Geo-IP Filter” on page 1262 • “Security Services > Botnet Filter” on page 1264[...]

  • Page 1262

    Security Services > Geo-IP Filter 1262 SonicOS 5.8.1 Administrator Guide Security Services > Geo-IP Filter The Geo-IP Filter feature allows administrators to block connections to or from a geographic location. The SonicWALL appliance uses the IP address to determine the location of the connection. To configure Geo-IP Filtering, per[...]

  • Page 1263

    Security Services > Geo-IP Filter 1263 SonicOS 5.8.1 Administrator Guide For this feature to work correctly, the country database must be downloaded to the appliance. The Status indicator at the top right of the page turns yellow if this download fails. Green status indicates that the database has been successfully downloaded. Click the Statu[...]

  • Page 1264

    Security Services > Botnet Filter 1264 SonicOS 5.8.1 Administrator Guide Security Services > Botnet Filter The Botnet Filtering feature allows administrators to block connections to or from Botnet command and control servers. To configure Botnet filtering, perform the following steps: 1. Enable Block connections to/from Botnet Command and[...]

  • Page 1265

    Security Services > Botnet Filter 1265 SonicOS 5.8.1 Administrator Guide Checking Geographic Location and Botnet Server Status The Botnet Filter also provides the ability to look up IP addresses to determine the domain name, DNS server, the country of origin, and whether or not it is classified as a Botnet server. To do so, perform the follo[...]

  • Page 1266

    Security Services > Botnet Filter 1266 SonicOS 5.8.1 Administrator Guide Note This Geo Location and Botnet Server status tool can also be accessed from the System > Diagnostics page.[...]

  • Page 1267

    SonicOS 5.8 Administrator Guide 1267 PART 19 Part 19: WAN Acceleration[...]

  • Page 1268

    1268 SonicOS 5.8 Administrator Guide[...]

  • Page 1269

    1269 SonicOS 5.8.1 Administrator Guide CHAPTER 78 Chapter 78: WAN Acceleration WAN Acceleration Overview This chapter provides an overview of the SonicWALL WXA series appliance, basic and advanced deployment scenarios, and configuration and verification examples. This chapter contains the following sections: • “WAN Acceleration > Status?[...]

  • Page 1270

    WAN Acceleration Overview 1270 SonicOS 5.8.1 Administrator Guide What is WAN Acceleration? The SonicWALL WXA series appliances deployed in one-arm mode with SonicWALL NSA/TZ series appliances allow network administrators to accelerate WAN traffic using Transmission Control Protocol (TCP) and Windows File Sharing (WFS) between a data center [...]

  • Page 1271

    WAN Acceleration Overview 1271 SonicOS 5.8.1 Administrator Guide The three separate TCP connections are created between network devices that work together to accelerate traffic using TCP Acceleration. This reduces response time to packet losses and increases throughput. The three TCP connections are created independently, with the remote site’s[...]

  • Page 1272

    WAN Acceleration Overview 1272 SonicOS 5.8.1 Administrator Guide Benefits The WFS Acceleration service provides the following benefits: • Increased data transfer speeds • Low latency • Advanced data security How Does Windows File Sharing Acceleration Work? WFS Acceleration reduces overall network congestion with techniques such as data comp[...]

  • Page 1273

    WAN Acceleration Overview 1273 SonicOS 5.8.1 Administrator Guide Step 3 The SonicWALL WXA at the data center is configured to share All Shares on the File Server. Step 4 The SonicWALL WXA at the remote site is configured to share All Shares on the WXA appliance located at the data center. Steps 3 and 4 allow the domain users to access s[...]

  • Page 1274

    WAN Acceleration > Status 1274 SonicOS 5.8.1 Administrator Guide • It is recommended that the WXA appliance retrieve NTP updates from the Domain Controller. • It is recommended that the DNS server accept secure updates. • Configure the zone properties of an interface to which the WXA appliance is connected as a LAN zone. Configuration Tas[...]

  • Page 1275

    WAN Acceleration > Status 1275 SonicOS 5.8.1 Administrator Guide Figure 4 WAN Acceleration > Status Page Name Description Action Items Provides the options to Refresh, Probe for WXA, Create static DHCP lease for WXA, and Apply Changes. See “Action Items” section on page 1276 for details. System Information Panel Displays system details [...]

  • Page 1276

    WAN Acceleration > Status 1276 SonicOS 5.8.1 Administrator Guide Action Items System Information Panel Device Configuration Panel Name Description Refresh Refreshes the WAN Acceleration > Status page. The refresh interval can be entered in the text field. The interval can be increased to a maximum of 600 seconds. Click the Refresh symbol t[...]

  • Page 1277

    WAN Acceleration > Status 1277 SonicOS 5.8.1 Administrator Guide TCP Acceleration Panel WXA Interface Displays the SonicWALL NSA/TZ series appliance interface that the SonicWALL WXA series appliance is connected to. WXA IP Address Displays the IP address of the SonicWALL WXA series appliance. Note: this field is read-only. Name Description[...]

  • Page 1278

    WAN Acceleration > TCP Acceleration 1278 SonicOS 5.8.1 Administrator Guide WFS Acceleration Panel WAN Acceleration > TCP Acceleration The WAN Acceleration > TCP Acceleration page provides an overview of how to configure and monitor the TCP Acceleration service. The details of this page include configuration, statistics, and connections. [...]

  • Page 1279

    WAN Acceleration > TCP Acceleration 1279 SonicOS 5.8.1 Administrator Guide Name Description Configuration Tab Enables the TCP Acceleration service and selects the mode, service object, and exclude objects. The WAN Acceleration feature must be enabled before you can enable or configure the TCP Acceleration service. Enable WA[...]

  • Page 1280

    WAN Acceleration > TCP Acceleration 1280 SonicOS 5.8.1 Administrator Guide Configuration Tab Figure 6 TCP Acceleration > Configuration Name Description Enable TCP Acceleration Enables or disables the TCP Acceleration service. This is selected by default. TCP Acceleration Mode Selects exceptions to the TCP Acceleration service. TCP Accelerati[...]

  • Page 1281

    WAN Acceleration > TCP Acceleration 1281 SonicOS 5.8.1 Administrator Guide Statistics Tab Figure 7 TCP Acceleration > Statistics Name Description Covering Period Click the Covering Period drop-down list and select the period of time the data displays on the Statistics tab. Refresh Actions Refreshes the WAN Acceleration > Statistics ta[...]

  • Page 1282

    WAN Acceleration > TCP Acceleration 1282 SonicOS 5.8.1 Administrator Guide Connections Tab Figure 8 TCP Acceleration > Connections Name Description Remote Node Select the remote node that your SonicWALL WXA series appliance is associated with. # Entries Select the number of entries to display in the Connections tab. Refresh Actions Refres[...]

  • Page 1283

    WAN Acceleration > WFS Acceleration 1283 SonicOS 5.8.1 Administrator Guide WAN Acceleration > WFS Acceleration This section describes the entities that are present on the WAN Acceleration > WFS Acceleration page. Figure 9 WAN Acceleration > WFS Acceleration Name Description Configuration Tab Enables WFS Acceleration and all[...]

  • Page 1284

    WAN Acceleration > WFS Acceleration 1284 SonicOS 5.8.1 Administrator Guide Configuration Tab The Configuration tab allows you to enable the WFS Acceleration service and select a public IP address for the WXA series appliance. Figure 10 WFS Acceleration > Configuration Note You can verify the WFS Acceleration status on the WAN Accelera[...]

  • Page 1285

    WAN Acceleration > WFS Acceleration 1285 SonicOS 5.8.1 Administrator Guide Domain Details Tab The Domain Details tab allows you to configure the SonicWALL WXA series appliance to match that of the Microsoft Windows Domain it is to join. The SonicWALL WXA series appliance may automatically discover the doma[...]

  • Page 1286

    WAN Acceleration > WFS Acceleration 1286 SonicOS 5.8.1 Administrator Guide Figure 12 WFS Acceleration > Domain Details (Name Auto-discovered) Action Buttons Name Description Auto-discovered Domain Panel Fully Qualified Domain Name: The fully qualified domain name (FQDN) of your Windows domain that the SonicWALL WXA series appliance will j[...]

  • Page 1287

    WAN Acceleration > WFS Acceleration 1287 SonicOS 5.8.1 Administrator Guide Hostname: Displays the hostname for the SonicWALL WXA series appliance. If an account is created on the domain using the SonicWALL WXA series appliance hostname, the SonicWALL WXA series appliance attempts to join the domain. Click the Edit button to modify the host[...]

  • Page 1288

    WAN Acceleration > WFS Acceleration 1288 SonicOS 5.8.1 Administrator Guide Figure 13 Configure Domain Pop-up Window Join Domain The SonicWALL WXA series appliance joins the domain (becomes part of the domain) that is identified in the FQDN. The Join Domain Pop-up Window is displayed, Figure 18 on page 1291. If the SonicWALL WXA series applia[...]

  • Page 1289

    WAN Acceleration > WFS Acceleration 1289 SonicOS 5.8.1 Administrator Guide Figure 14 Configure Hostname Pop-up Window Note If the device has already joined the domain, changing the host name requires the device to rejoin the domain. Figure 15 Configure Kerberos Server Pop-up Window Note The LDAP Server and the Kerberos Server are usually on th[...]

  • Page 1290

    WAN Acceleration > WFS Acceleration 1290 SonicOS 5.8.1 Administrator Guide Figure 16 Time Synchronization Pop-up Window Name Description Use the Domain Controller for Time Synchronization: Checkbox When enabled (checked) the domain controller is used as the time synchronization source. NTP Server: Text Field Overrides the domain control[...]

  • Page 1291

    WAN Acceleration > WFS Acceleration 1291 SonicOS 5.8.1 Administrator Guide Figure 17 Advanced Options Pop-up Window Figure 18 Join Domain Pop-up Window Enter the username and password of the domain administrator account. Name Description Client Signing: Drop-down Identifies the server message block (SMB) signing between the SonicWALL WXA seri[...]

  • Page 1292

    WAN Acceleration > WFS Acceleration 1292 SonicOS 5.8.1 Administrator Guide Shares Tab The Shares tab configures the SonicWALL WXA series appliance to accelerate specific shares and servers. Figure 19 WFS Acceleration > Shares Name Description Add New Server ... Link When clicked the Add Server pop-up is displayed, Figure 20 on page 1293.[...]

  • Page 1293

    WAN Acceleration > WFS Acceleration 1293 SonicOS 5.8.1 Administrator Guide Figure 20 Add Server and Edit Server Details Pop-up Windows Name Description Remote Server Name: Text Field and Drop-down The name of the remote server. If you do not remember the name, select a name from the drop-down which displays a list of the detected server[...]

  • Page 1294

    WAN Acceleration > WFS Acceleration 1294 SonicOS 5.8.1 Administrator Guide Figure 21 Add Share and Edit Share Details Pop-up Windows Default Cache Read Ahead: Text Field (Add Server Pop-up only) The default size (measured in bytes) for read-ahead speed in the cache. To calculate this value, multiply the link latency (in milliseconds) by the [...]

  • Page 1295

    WAN Acceleration > WFS Acceleration 1295 SonicOS 5.8.1 Administrator Guide Statistics Tab The Statistics tab displays performance statistics for the WFS Acceleration service. Figure 22 WFS Acceleration > Statistics Covering Period: Drop-down Overview Table Refresh Actions Name Description Covering Period Drop-down The time interval[...]

  • Page 1296

    WAN Acceleration > WFS Acceleration 1296 SonicOS 5.8.1 Administrator Guide Tools Tab The Tools tab provides diagnostic tools for the WFS Acceleration service. The Diagnostic Tools drop-down provides the following selections: • DNS Name Lookup — Performs a search on a specific Name or IP address, Figure 23. • Available Shares — Displa[...]

  • Page 1297

    WAN Acceleration > WFS Acceleration 1297 SonicOS 5.8.1 Administrator Guide Figure 23 DNS Name Lookup Panel The DNS Name Lookup Panel displays the following information: Name Description Primary DNS: (read-only) Displays the primary DNS which was configured on SonicWALL NSA/TZ security appliance using the Network > DNS page or Network >[...]

  • Page 1298

    WAN Acceleration > WFS Acceleration 1298 SonicOS 5.8.1 Administrator Guide Figure 24 Available Shares Panel The Available Shares Panel provides the following configuration options: Note If the SonicWALL WXA series appliance has already joined the domain, you can use the SonicWALL WXA series appliance credentials and the username/password d[...]

  • Page 1299

    WAN Acceleration > WFS Acceleration 1299 SonicOS 5.8.1 Administrator Guide Figure 25 Test WFS Configuration Option The Test WFS Configuration Panel provides the following configuration options: Figure 26 List Kerberos Servers Option The List Kerberos Server Panel provides the following configuration options: Name Description Username: [...]

  • Page 1300

    WAN Acceleration > System 1300 SonicOS 5.8.1 Administrator Guide WAN Acceleration > System This section describes the entities that are present in the WAN Acceleration > System tabs. Figure 27 WAN Acceleration > System Name Description System Status Tab Displays the system details about the SonicWALL WXA series appliance includin[...]

  • Page 1301

    WAN Acceleration > System 1301 SonicOS 5.8.1 Administrator Guide System Status Tab Figure 28 Advanced > System Status Name Description System Information Panel (Read-only) Displays the following information: • Model Number • Serial Number • Firmware Version. Time Settings Panel Configure the time synchronization source Figure 29, re[...]

  • Page 1302

    WAN Acceleration > System 1302 SonicOS 5.8.1 Administrator Guide Figure 29 Time Settings > Time Synchronization Pop-up Window • Use the Domain Controller for Time Synchronization: Checkbox — Select this checkbox to use the domain controller as the time synchronization source. • NTP Server: Text Field — Override the domain controller[...]

  • Page 1303

    WAN Acceleration > System 1303 SonicOS 5.8.1 Administrator Guide Interface Status Tab Figure 30 System > Interface Status Name Description Refresh Refreshes the Interface Status tab. The refresh interval can be entered in the text field. The interval can be increased to a maximum of 600 seconds. Click the Refresh button to manually update t[...]

  • Page 1304

    WAN Acceleration > System 1304 SonicOS 5.8.1 Administrator Guide Figure 31 Maximum Transmission Unit • MTU: Text Field — The Maximum Transmission Unit (MTU). • Apply Button — Applies all changes. • Cancel Button — Cancels the operation. Statistics Panel Displays the following (Read-Only) information: • packet flow informati[...]

  • Page 1305

    WAN Acceleration > System 1305 SonicOS 5.8.1 Administrator Guide Management Tab Figure 32 System > Management Name Description SNMP Panel Enables the simple network monitoring protocol server. Add read-only and read-write communities for a specific client IP or subnet, see Figure 33. Syslog Server Panel Sets the server IP address that send[...]

  • Page 1306

    WAN Acceleration > System 1306 SonicOS 5.8.1 Administrator Guide Figure 33 Add New Community Pop-Up Window Settings Tab Figure 34 System > Settings Name Description Community Name Enter the community name being used to communicate with the SNMP feature. Access Select none, read-only, or read-write. Any Source Select the Any Source checkbox[...]

  • Page 1307

    WAN Acceleration > System 1307 SonicOS 5.8.1 Administrator Guide Firmware Tab Figure 35 System > Firmware Name Description Current Settings Panel Allows you to download a copy of the current settings. Perform this before making any changes to the firmware. Firmware Upgrade Panel Configures the SonicWALL WXA series appliance with the lates[...]

  • Page 1308

    WAN Acceleration > Logs 1308 SonicOS 5.8.1 Administrator Guide WAN Acceleration > Logs The WAN Acceleration > Log page provides a detailed list of the log event messages. On this page, you can configure how the Logs are viewed. Figure 36 WAN Acceleration > Log Name Description Minimum Priority Displays the log entries by minimum prio[...]

  • Page 1309

    Configuring WAN Acceleration 1309 SonicOS 5.8.1 Administrator Guide Configuring WAN Acceleration This section includes procedures for configuring the SonicWALL WXA series appliance. All configuration procedures are performed on the SonicWALL NSA/TZ series appliance’s management interface. Refer to “Configuration Task List Overview” sectio[...]

  • Page 1310

    Configuring WAN Acceleration 1310 SonicOS 5.8.1 Administrator Guide The Interface Settings General Tab is displayed. Step 9 Enter and do the following: • Zone: Drop-down — LAN • Mode/IP Assignment: Drop-down — Static IP Mode • IP Address: Text Field — Enter the IP Address for the port. This example uses 10.203.30.162. • Subnet Mas[...]

  • Page 1311

    Configuring WAN Acceleration 1311 SonicOS 5.8.1 Administrator Guide Step 13 Under the DHCP Server Lease Scopes, click Add Dynamic. The Dynamic Range Configuration window is displayed. Step 14 Do the following: a. Select the Enable this DHCP Scope checkbox. b. Select the Interface Pre-Populate checkbox and then select port X5 in the drop-down. The [...]

  • Page 1312

    Configuring WAN Acceleration 1312 SonicOS 5.8.1 Administrator Guide Step 16 Confirm that the SonicWALL NSA/TZ has a DHCP lease for the SonicWALL WXA. Navigate to the Network > DHCP Server page.[...]

  • Page 1313

    Configuring WAN Acceleration 1313 SonicOS 5.8.1 Administrator Guide Step 17 Navigate to the WAN Acceleration > Status page. Step 18 Click Create static DHCP lease for WXA. A DHCP lease will be set for the SonicWALL WXA series appliance.[...]

  • Page 1314

    Configuring WAN Acceleration 1314 SonicOS 5.8.1 Administrator Guide Step 19 Verify that the lease was created. Navigate to the Network > DHCP Server page. A dynamic range is set for the WXA appliance.[...]

  • Page 1315

    Configuring WAN Acceleration 1315 SonicOS 5.8.1 Administrator Guide Configuring TCP Acceleration The TCP Acceleration service can be deployed in three different deployment scenarios including: site-to-site VPN, routed mode, and layer 2 bridge mode. This section explains how to configure these deployment scenarios in the following subsections: • [...]

  • Page 1316

    Configuring WAN Acceleration 1316 SonicOS 5.8.1 Administrator Guide The Configure VPN Policy pop-up window displays. Figure 38 VPN Policy Advanced Configuration Step 3 Select the Advanced tab. Step 4 Select the checkbox for Permit TCP Acceleration. Step 5 Click the OK button. Your SonicWALL WXA series appliance is now configured to permit TCP[...]

  • Page 1317

    Configuring WAN Acceleration 1317 SonicOS 5.8.1 Administrator Guide Configuring TCP Acceleration on a Non-VPN (Routed Mode) If you do not have a VPN configured on your network and you are using a custom routing policy, you need to add two routing policies on each site: One for outgoing traffic, and one for incoming traffic. Both routing polici[...]

  • Page 1318

    Configuring WAN Acceleration 1318 SonicOS 5.8.1 Administrator Guide Configuring a Routing Policy for Outgoing Traffic The steps in this section are configured from the Remote Site. Follow the same steps for configuring the Data Center. Step 1 Navigate to the Network > Address Objects page. Figure 40 Network > Address Objects Step 2 Cli[...]

  • Page 1319

    Configuring WAN Acceleration 1319 SonicOS 5.8.1 Administrator Guide Step 9 Navigate to the Network > Routing page. Figure 42 Add Routing Policies Step 10 Click the Add button.[...]

  • Page 1320

    Configuring WAN Acceleration 1320 SonicOS 5.8.1 Administrator Guide The Route Policy Settings pop-up window displays. Figure 43 Route Policy Settings Step 11 Click the Source drop-down, select Any. Step 12 Click the Destination drop-down, select the address object you created (Data Center.) Step 13 Click the Service drop-down, select Any. Step[...]

  • Page 1321

    Configuring WAN Acceleration 1321 SonicOS 5.8.1 Administrator Guide Configuring a Routing Policy for Incoming Traffic The steps in this section are configured from the Remote Site. Follow the same steps for configuring the Data Center. Step 1 Navigate to the Network > Address Objects page. Figure 44 Network > Address Objects Step 2 Cli[...]

  • Page 1322

    Configuring WAN Acceleration 1322 SonicOS 5.8.1 Administrator Guide Step 9 Navigate to the Network > Routing page. Figure 46 Add Routing Policies Step 10 Click the Add button. The Route Policy Settings pop-up window displays. Figure 47 Route Policy Settings Step 11 Click the Source drop-down, select Data Center. Step 12 Click the Destination[...]

  • Page 1323

    Configuring WAN Acceleration 1323 SonicOS 5.8.1 Administrator Guide Step 14 Click the Gateway drop-down, select (0.0.0.0). Step 15 Click the Interface drop-down, select the X0 interface. Step 16 Enter 1 in the Metric text field. This gives the route policy a high priority level. A larger metric number would have a lower priority. Step 17 Selec[...]

  • Page 1324

    Configuring WAN Acceleration 1324 SonicOS 5.8.1 Administrator Guide Example 2 To configure acceleration of only the HTTP web traffic, follow the steps below: Step 1 Navigate to WAN Acceleration > TCP Acceleration. Step 2 Select the Configuration tab. Figure 49 Configuring TCP Acceleration Example 2 Step 3 Click the Enable TCP Acceleratio[...]

  • Page 1325

    Configuring WAN Acceleration 1325 SonicOS 5.8.1 Administrator Guide Example 3 To configure acceleration of everything except Microsoft SQL database traffic or traffic to the Guest Authentication Servers, follow the steps below: Step 1 Navigate to WAN Acceleration > TCP Acceleration. Step 2 Select the Configuration tab. Figure 50 Configu[...]

  • Page 1326

    Configuring WAN Acceleration 1326 SonicOS 5.8.1 Administrator Guide Configuring WFS Acceleration This section provides details on configuring WFS Acceleration. The SonicWALL WXA series appliance must be connected to a SonicWALL NSA or TZ series appliance on a port other than X0 and X1. In this example, X5 is used as the connection to the SonicW [...]

  • Page 1327

    Configuring WAN Acceleration 1327 SonicOS 5.8.1 Administrator Guide Enabling WFS Acceleration Once you have configured the network interface for the port you want to connect the SonicWALL WXA series appliance to the SonicWALL NSA or TZ series appliance, you can configure WFS Acceleration. Before you choose how you want to join the SonicWALL WXA[...]

  • Page 1328

    Configuring WAN Acceleration 1328 SonicOS 5.8.1 Administrator Guide Joining the Domain After you have configured the network interface, enabled WFS Acceleration, and created a DHCP Scope, you can configure the local and remote domains. You can join the domain for WFS Acceleration using one of the following methods: • Manually Joining the Doma[...]

  • Page 1329

    Configuring WAN Acceleration 1329 SonicOS 5.8.1 Administrator Guide Step 3 Enter your settings, and then click Apply Changes. The page will be populated with the Configured Domain settings. Step 4 Click Join Domain. The Join Domain pop-up window displays. Step 5 Enter the username and password for the administrator of the domain. It will b[...]

  • Page 1330

    Configuring WAN Acceleration 1330 SonicOS 5.8.1 Administrator Guide At the SonicWALL NSA/TZ security appliance, nearest to the domain controller (data center site), perform the following steps: Step 1 Log in to the SonicWALL NSA/TZ security appliance at the data center. Step 2 Navigate to the WAN Acceleration > WFS Acceleration page. S[...]

  • Page 1331

    Configuring WAN Acceleration 1331 SonicOS 5.8.1 Administrator Guide At the SonicWALL NSA/TZ security appliance, farthest from the domain controller (remote site), perform the following steps: Step 1 Log in to the NSA/TZ security appliance at your remote site. Step 2 Navigate to the WAN Acceleration > WFS Acceleration page. Step 3 Click th[...]

  • Page 1332

    Configuring WAN Acceleration 1332 SonicOS 5.8.1 Administrator Guide Automatically Joining the Domain for WFS Acceleration To auto-join the SonicWALL WXA series appliances, perform the following steps: Step 1 Access the domain controller and create a computer account. The computer account must use the default hostname or a hostname specified in [...]

  • Page 1333

    Configuring WAN Acceleration 1333 SonicOS 5.8.1 Administrator Guide Step 4 Right click on the computer account, go to Properties and select the setting Trusted for Delegation. Step 5 Open a cmd.exe window. Step 6 Set the password for the computer account, where ABCD-EFGH is the auth code. Note The password for the computer account must be t[...]

  • Page 1334

    Configuring WAN Acceleration 1334 SonicOS 5.8.1 Administrator Guide At the SonicWALL NSA/TZ security appliance, nearest to the domain controller (data center site), perform the following steps: Step 1 Log in to the SonicWALL NSA/TZ security appliance at the data center. Step 2 On the SonicWALL NSA/TZ security appliance, navigate to the W [...]

  • Page 1335

    Configuring WAN Acceleration 1335 SonicOS 5.8.1 Administrator Guide Step 6 Click Add New Server.... The Add Server Pop-up window is displayed. • Remote Server Name: Text Field — Enter the host name of the DC/Share server. • Local Device Name: Text Field — Enter the domain name of the SonicWALL WXA series appliance on the local si[...]

  • Page 1336

    Configuring WAN Acceleration 1336 SonicOS 5.8.1 Administrator Guide Step 5 Make sure the Remote Server Name and the Local Device Name (from step 4 for the data center site) text fields match. Step 6 Enter the information for this server, and then click Apply. Step 7 Explore the path fastbox on the PC located at the remote site. After the [...]

  • Page 1337

    Configuring WAN Acceleration 1337 SonicOS 5.8.1 Administrator Guide Configuring Reverse Lookup After both WXA appliances are added to the domain, corresponding Computer Accounts for WXA appliances, DNS Host name, and PTR records are automatically created on the DC and DNS servers. For PTR records to be updated, relevant Reverse Lookup Zones mus[...]

  • Page 1338

    Configuring WAN Acceleration 1338 SonicOS 5.8.1 Administrator Guide Note For WFS, you must access the share name that is mapped to the WXA appliance and not the actual file share. For example, //WXA-Test rather than //FileServer1. Note For adding/configuring shares for FileServer1, see “Joining the Domain” on page 1328. When adding subseque[...]

  • Page 1339

    Configuring WAN Acceleration 1339 SonicOS 5.8.1 Administrator Guide Step 1 Add WXA-4000-GMS hostname as the SPN for host WXA-4000. setspn -A CIFS/WXA-4000-GMS WXA-4000 Step 2 Add WXA-4000-GMS.utm.soniclab.us hostname as the SPN for host WXA-4000. setspn -A CIFS/WXA-4000-GMS.utm.soniclab.us WXA-4000 Step 3 Confirm that the hostnames were adde[...]

  • Page 1340

    Configuring WAN Acceleration 1340 SonicOS 5.8.1 Administrator Guide Step 9 Configure FileServer2 on the data center as follows: On the NSA/TZ security appliance, navigate to WAN Acceleration > WFS Acceleration, click the Shares tab, expand Shares in the Configuration column, and then click Add New Shares.... The Add Server window [...]

  • Page 1341

    Configuring WAN Acceleration 1341 SonicOS 5.8.1 Administrator Guide Note The newly created hostname for the data center and remote office should be updated with the NAT IP of the X0 interface on the NSA/TZ security appliance that is located at the data center and remote office, respectively. Step 6 Ping the IPs at the data center and remote of[...]

  • Page 1342

    Configuring WAN Acceleration 1342 SonicOS 5.8.1 Administrator Guide Figure 53 Remote Office[...]

  • Page 1343

    Configuring WAN Acceleration 1343 SonicOS 5.8.1 Administrator Guide Verifying WAN Acceleration Configurations This section details how to verify if the TCP Acceleration and WFS Acceleration on your SonicWALL WXA series appliance is configured correctly. Verifying the TCP Acceleration Configuration After you complete the TCP Acceleration confi [...]

  • Page 1344

    Configuring WAN Acceleration 1344 SonicOS 5.8.1 Administrator Guide Verifying the WFS Acceleration Configuration After completing the step-by-step WFS Acceleration configuration procedures, verify WFS Acceleration is working by two different methods: • Click the Test Configuration button in the WFS Acceleration > Domain Details tab. ?[...]

  • Page 1345

    Verify Using the WFS Acceleration > Tools Tab To verify that the WFS Acceleration service was successful using the WFS Acceleration > Tools tab, perform the following steps: Step 1 Navigate to the WAN Acceleration > WFS Acceleration. Step 2 Click the Tools tab. Ste [...]

  • Page 1346

    Troubleshooting WFS Acceleration Problem: The Joined Domains checkbox is not selected in the Domain Details tab. Solution: Click Join Domain at the bottom of the page. When the Join Domain pop-up window is displayed, leave the fields empty, and then click Apply. This action wi[...]

  • Page 1347

    Part 20: Log[...]

  • Page 1348

    1348 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1349

    Chapter 79: Managing Log Events Log > View The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed[...]

  • Page 1350

    Log View Table The log is displayed in a table and is sortable by column. The log table columns include: • Time - the date and time of the event. • Priority - the level of priority associated with your log event. Syslog uses eight categories to characterize messages – in descending order [...]

  • Page 1351

    Clear Log To delete the contents of the log, click the Clear Log button near the top right corner of the page. Export Log To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats: • Plain text [...]

  • Page 1352

    Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections ma[...]

  • Page 1353

    While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis: • Reliable storage of data • Effective indexing of data • Classification of interestin[...]

  • Page 1354

    6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine. Methods of Access The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to [...]

  • Page 1355

    Chapter 80: Configuring Log Categories Log > Categories This chapter provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics. Note: You can extend your SonicWALL security appliance lo[...]

  • Page 1356

    Log Severity/Priority This section provides information on configuring the level of priority log messages are captured and corresponding alert messages are sent through e-mail for notification. Logging Level The Logging Level control filters events by priority. Events of equal or greater[...]

  • Page 1357

    Log Categories SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the[...]

  • Page 1358

    Dropped TCP                Legacy      Logs blocked incoming TCP connections
    Dropped UDP                Legacy      Logs blocked incoming UDP packets
    Dynamic Address Objects    Extended    Logs Dynamic Address Object (DAO) activity
    Firewall Event             Extended    Logs internal firewall activity
    Firewall Hardware          Extended    Logs firewall hardwar[...]

  • Page 1359

    Managing Log Categories The Log Categories table displays log category information organized into the following columns: • Category - Displays log category name. • Description - Provides description of the log category activity type. • Log - Provides checkbox for enabling/disabling t[...]

  • Page 1360

    Log > Categories 1360 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1361

    Chapter 81: Configuring Syslog Settings Log > Syslog In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, [...]

  • Page 1362

    Syslog Settings Syslog Facility • Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol. Note: See RFC 3164 - The BSD Syslog Protocol for more information. • Override Syslog Settings with ViewPoint Settings - Check this box to over[...]

  • Page 1363

    Syslog Servers Adding a Syslog Server To add syslog servers to the SonicWALL security appliance Step 1 Click Add. The Add Syslog Server window is displayed. Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance ar[...]

  • Page 1364

    Log > Syslog 1364 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1365

    Chapter 82: Configuring Log Automation Log > Automation The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings. E-mail Log Automation • Send Log to E-mail address - Enter your e-mail address (username[...]

  • Page 1366

    • Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field. • Email Form[...]

  • Page 1367

    • Confirm Password - Confirm the password. – Mask Password - Leave this enabled to send the password as encrypted text. • DeepSee Base URL - Defines the format for the base URL for the DeepSee path. In the actual URL, the special tokens are replaced with the actual values. • PCAP B[...]

  • Page 1368

    Log > Automation 1368 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1369

    Chapter 83: Configuring Flow Reporting Log > Flow Reporting The Log > Flow Reporting page includes settings for configuring the SonicWALL to view statistics based on Flow Reporting and Internal Reporting. From this screen, you can also configure settings for internal and external flow report[...]

  • Page 1370

    • “NetFlow Tables” on page 1381 External Flow Reporting Statistics The External Flow Reporting Statistics apply to all external flows. This section shows reports of the flows that are sent to the server, not collected, dropped, stored in and removed from the memory, reported[...]

  • Page 1371

    Internal App Flow Reporting Statistics The App Flow Reporting Statistics apply to all internal flows. Similar to the Flow Reporting Statistics, this section shows reports of the flows that are sent to the server, not collected, dropped, stored in and removed from the memory, repo[...]

  • Page 1372

    • Top Apps—Displays the Applications graph. • Bits per second—Displays the Bandwidth graph. • Packets per second—Displays the Packet Rate graph. • Average packet size—Displays the Packet Size graph. • Connections per second—Displays the Connection Rate graph[...]

  • Page 1373

    • External Collector’s IP address—Type in the external collector IP address to which the appliance will generate flow reports. This IP address must be reachable from the firewall. If this IP address is over a VPN tunnel, then the source IP must also be specified. • Source [...]

  • Page 1374

    – URL ratings – VPNs – Devices – SPAMs – Locations – VOIPs • Include Following Additional Reports via IPFIX—Additional IPFIX reports can be generated from the firewall in IPFIX with extensions mode. Select one or more reports from this drop-down list: – Top 10 A[...]

  • Page 1375

    no rules have the flow reporting option enabled, no data will be reported to the AppFlow collector. This option is an additional way to control which flows are reported internally or externally. • Report On Connection OPEN—Select this checkbox to report flows when a connection [...]

  • Page 1376

    • Include Following URL Types—Use this drop-down list to select the type of URLs to be reported. To skip reporting for specific types of URLs, clear the associated checkbox. This option applies to both App Flow (internal) and external reporting when using IPFIX with extension[...]

  • Page 1377

    User Configuration Tasks Depending on the type of flows you are collecting, you will need to determine which type of reporting will work best with your setup and configuration. This section includes configuration examples for each supported NetFlow solution, as well as a section on vi[...]

  • Page 1378

    Step 3 Select Netflow version-9 from the External Flow Reporting Format drop-down list. Step 4 Specify the External Collector’s IP address in the provided field. Step 5 For the Source IP to Use For Collector on a VPN tunnel, specify the source IP if the external collector must[...]

  • Page 1379

    Note: The above fields are the required fields for successful IPFIX configuration. All other configurable fields are optional. IPFIX with Extensions Configuration Procedures To configure IPFIX with extensions flow reporting, follow the steps listed below. Step 1 In Settings, select [...]

  • Page 1380

    Step 13 Select the tables for which to receive dynamic flows from the Send Dynamic AppFlow For Following Tables drop-down list. Step 14 Select any additional reports to be generated for a flow from the Include Following Additional Reports via IPFIX drop-down list. Viewing IPFIX with Ex[...]

  • Page 1381

    Step 6 Select the tables for which to receive static flows from the Send Static AppFlow For Following Tables drop-down list. Then, click Accept. Note: Currently, Scrutinizer supports Applications and Threats only. Future versions of Scrutinizer will support the following Sta[...]

  • Page 1382

    Static Tables Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once. The following is a list of S [...]

  • Page 1383

    • Connected Devices—This table reports the list of all devices connected through the SonicWALL appliance, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices. • VPN Tunnels—This table reports all VPN tunnels established through the So[...]

  • Page 1384

    NetFlow version 5 Flow Record Format NetFlow version 9 An example of a NetFlow version 9 template is displayed below.
    Bytes    Contents    Description
    0-3      srcaddr     Source IP address
    4-7      dstaddr     Destination IP address
    8-11     nexthop     IP address of the next hop router
    12-13    input       SNMP index of i[...]

  • Page 1385

    The following table details the NetFlow version 9 Template FlowSet Field Descriptions. IPFIX (NetFlow version 10) An example of an IPFIX (NetFlow version 10) template. The following table details the IPFIX Template FlowSet Field Descriptions. IPFIX with Extensions IPFIX with extens[...]

  • Page 1386

    The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates. The following template is an example of an IPFIX with extensions template.[...]

  • Page 1387

    Chapter 84: Configuring Name Resolution Log > Name Resolution The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses [...]

  • Page 1388

    • None: The security appliance will not attempt to resolve IP addresses and Names in the log reports. • DNS: The security appliance will use the DNS server you specify to resolve addresses and names. • NetBIOS: The security appliance will use NetBIOS to resolve addresses and [...]

  • Page 1389

    Chapter 85: Generating Log Reports Log > Reports The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can[...]

  • Page 1390

    Data Collection The Reports window includes the following functions and commands: • Data Collection section Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection. • View Data Section Click Reset Data to c[...]

  • Page 1391

    Chapter 86: Activating SonicWALL ViewPoint Log > ViewPoint SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. V[...]

  • Page 1392

    Activating ViewPoint The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods. If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept. Wa r [...]

  • Page 1393

    2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appea[...]

  • Page 1394

    Note: The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog [...]

  • Page 1395

    Part 21: Wizards[...]

  • Page 1396

    1396 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1397

    Chapter 87: Configuring Internet Connectivity on SonicWALL Appliances Wizards > Setup Wizard The first time you log into your SonicWALL appliance, the Setup Wizard is launched automatically. To launch the Setup Wizard at any time from the management interface, click the Wizards button in the[...]

  • Page 1398

    Essentially, NAT translates the IP addresses in one network into those for a different network. As a form of packet filtering for firewalls, it protects a network from outside intrusion from hackers by replacing the internal (LAN) IP address on packets passing through a SonicW [...]

  • Page 1399

    Change Password 4. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next. Tip: It is very important to choose a password which cannot be easily guessed by others. Change Time Zone 5. Select the appropriate Time Zone from the T[...]

  • Page 1400

    Configure 3G/Modem 6. If you are setting up a SonicWALL TZ series appliance that supports 3G devices for Wireless WAN connection over cellular networks, or supports analog modem devices for dial-up WAN connection, select the type of device: – 3G/mobile – Analog Modem Config[...]

  • Page 1401

    10. Click Next. Configure Modem 11. If you are setting up a SonicWALL TZ series appliance that supports analog modem devices for dial-up WAN connection, select how you will use the modem. You can choose to use the modem: – As a backup to your WAN – As your primary interne[...]

  • Page 1402

    WAN Network Mode: NAT Enabled 17. Enter the public IP address provided by your ISP in the SonicWALL WAN IP Address, then fill in the rest of the fields: WAN Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next. 18. Proceed to “LAN Settings” on [...]

  • Page 1403

    WAN Network Mode: NAT with PPPoE Client NAT with PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a remote site using various Remote Access Service products. This protocol is typically found when using a DSL modem with an ISP requi[...]

  • Page 1404

    LAN Settings Note: On a SonicWALL TZ series appliance, the LAN Settings and LAN DHCP Server settings are only displayed if you selected the Office Gateway deployment scenario. 27. The LAN page allows the configuration of the SonicWALL LAN IP Addresses and the LAN Subnet Mask. The S[...]

  • Page 1405

    WLAN Radio Settings (SonicWALL wireless security appliances only) Select whether or not you want to configure Wi-Fi Protected Access (WPA) security: • WPA/WPA2 Mode - WPA is the security wireless protocol based on 802.11i standard. It is the recommended protocol if your wi[...]

  • Page 1406

    Ports Assignment 30. (SonicWALL TZ series and NSA 240 appliances only) Optionally, you can configure the initial PortShield group assignments for your appliance. See “Configuring PortShield Interfaces with the PortShield Wizard” on page 272 for more information on the Por[...]

  • Page 1407

    SonicWALL Configuration Summary 31. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next. 32. T[...]

  • Page 1408

    Wizards > Setup Wizard 1408 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1409

    Chapter 88: Using the Registration & License Wizard Wizards > Registration & License Wizard The SonicWALL Registration and License Wizard simplifies the process of registering your SonicWALL security appliance and obtaining licenses for additional security services. To use the Regis[...]

  • Page 1410

    Step 6 The Registration and License Wizard launches your mysonicwall.com shopping cart. Make sure that your pop-up blocker is turned off. Step 7 Verify that the services you want to purchase are listed in the shopping cart. When you are finished selecting s[...]

  • Page 1411

    Step 11 Click Next to synchronize your newly purchased licenses. The SonicWALL security appliance synchronizes with mysonicwall.com. Step 12 Your new security services are now available on the SonicWALL security appliance. Click Close to close the wizard.[...]

  • Page 1412

    Wizards > Registration & License Wiza rd 1412 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1413

    Chapter 89: Configuring a Public Server with the Wizard Wizards > Public Server Wizard 1. Start the wizard: In the navigator, click Wizards. 2. Select Public Server Wizard and click Next.[...]

  • Page 1414

    3. Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for the services you are enabling on this server. Click Next. 4. Enter the name of the server. 5. Enter the private IP address of the server[...]

  • Page 1415

    9. The Summary page displays a summary of the configuration you selected in the wizard. • Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to th[...]

  • Page 1416

    Wizards > Public Server Wizard 1416 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1417

    Chapter 90: Configuring VPN Policies with the VPN Policy Wizard Wizards > VPN Wizard The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWALL. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VPN poli[...]

  • Page 1418

    Step 4 In the IKE Phase 1 Key Method page, you select the authentication key to use for this VPN policy: – Default Key: If you choose the default key, all your Global VPN Clients will automatically use the default key generated by the SonicWALL to authenticate with the SonicWA[...]

  • Page 1419

    – DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. You can choose Group 1, Group 2, or Group 5. The VPN uses this during IKE negotiation to create the key pair. – Encryption [...]

  • Page 1420

    Note: If you enable user authentication, the users must be entered in the SonicWALL database for authentication. Users are entered into the SonicWALL database on the Users > Local Users page, and then added to groups in the Users > Local Groups page. Step 9 Click Next. Step[...]

  • Page 1421

    Configuring a Site-to-Site VPN using the VPN Wizard You use the VPN Policy Wizard to create the site-to-site VPN policy. Using the VPN Wizard to Configure Preshared Secret Step 1 On the System > Status page, click on Wizards. Step 2 In the Welcome to the SonicWALL Configur[...]

  • Page 1422

    – Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office. – Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWALL generated Preshared Key. – I know my Remote [...]

  • Page 1423

    If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group. For this example, select LAN Subnets. – Destination Networks: Select the network res[...]

  • Page 1424

    – Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and[...]

  • Page 1425

    Chapter 91: Using the Application Firewall Wizard Wizards > Application Firewall Wizard The Application Firewall wizard provides safe configuration for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click [...]

  • Page 1426

    Step 7 The screen displayed here will vary depending on your choice of policy rule in the previous step. For the following policy rules, the wizard displays the Set Application Firewall Object Content screen on which you can select the traffic direction to scan, and [...]

  • Page 1427

    • Blocking Action - reset connection (Web Access, FTP) • Blocking Action - add block message (FTP) • Add Email Banner (append text at the end of email) (SMTP) • Log Only (SMTP, POP3, Web Access, FTP) Step 9 In the Application Firewall Action Settings screen [...]

  • Page 1428

    Wizards > Application Firewall Wizard 1428 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1429

    Part 22: Appendices[...]

  • Page 1430

    1430 SonicOS 5.8.1 Administrator Guide[...]

  • Page 1431

    Appendix A: CLI Guide 1431 SonicOS Enhanced 5.6 Administrator’s Guide Appendix A: CLI Guide This appendix contains a categorized listing of Command Line Interface (CLI) commands for SonicOS Enhanced firmware. Each command is described, and where appropriate, an example of usage is included. This appendix contains the follo[...]

  • Page 1432

    Text Conventions Bold text indicates a command executed by interacting with the user interface. Courier bold text indicates commands and text entered using the CLI. Italic text indicates the first occurrence of a new term, as well as a book title, and also emphasized te[...]

  • Page 1433

    Most configuration commands require completing all fields in the command. For commands with several possible completing commands, the Tab or ? key displays all options. myDevice> show [TAB] The Tab key can also be used to finish a command if the command is uniquely identi[...]

  • Page 1434

    Configuration Security SonicWALL Internet Security appliances allow easy, flexible configuration without compromising the security of their configuration or your network. Passwords The SonicWALL CLI currently uses the administrator’s password to obtain access. Sonic[...]

  • Page 1435

    Management Methods for the SonicWALL Network Security Appliance You can configure the SonicWALL appliance using one of three methods: • Using a serial connection and the configuration manager – An IP address assignment is not necessary for appliance management. – A de[...]

  • Page 1436

    Initiating an SSH Management Session via Ethernet Note: This option works for customers administering a device that does not have a cable for console access to the CLI. Follow the steps below to initiate an SSH management session through an Ethernet connection from a client t[...]

  • Page 1437

    clear pp-stats             Clears presentation protocol statistics
    clear screen               Clears the console screen, leaving a single prompt line
    clear ssh                  Terminates a secure shell connection
    clear ssh <int | hex>      Terminates a particular secure shell connection, specified by[...]

  • Page 1438

    language-override chinese    Overrides current unit language setting, resets to Chinese
    language-override english    Overrides current unit language setting, resets to English
    language-override french     Overrides current unit language setting, resets to French
    langua[...]

  • Page 1439

    show ars rip                 Displays all ARS paths using Routing Information Protocol (RIP)
    show baud                    Displays current baud rate
    show buf-memzone             Displays current available space in buffer memory zone
    show build-info              Displays current OS build information
    show continuous core-work    Displays[...]

  • Page 1440

    show mem-pools    Displays unit’s current memory pool block allocation
    show memory       Displays system memory on the appliance
    show memzone      Displays the status of virtual memory zones on the appliance
    show messages     Displays all system messages
    show multicore    Displays available mu[...]

  • Page 1441

    show sslvpn clientSettings    Displays all current client settings associated with SSL-VPN connections to the unit shown on the client settings GUI page
    show sslvpn connections       Displays all current SSL-VPN connections to the unit
    show sslvpn portalSettings    Displays all curren[...]

  • Page 1442

    show tsr dhcp-server Displays TSR data relating to DHCP server connections show tsr dhcp-server-stat Displays TSR data relating to DHCP server statistics show tsr diag Displays TSR data relating to system diagnostics show tsr dynamic-dns Displays TSR data relating to dynami[...]

  • Page 1443

    show tsr mirror-state Displays TSR data relating to database mirror state statistics show tsr msn Displays TSR data relating to the MSN messenger client show tsr nat-policies Displays TSR listing appliance’s current network address translation policies show tsr network Displ[...]

  • Page 1444

    show tsr time Displays TSR data relating to appliance’s time policy configuration show tsr timers Displays the timers section of the TSR show tsr update Displays updated TSR show tsr user-objects Displays TSR data relating to currently defined user objects show tsr users D[...]

  • Page 1445

    show vpn sa < string > ike Displays Internet Key Exchange data for a VPN security association, specified by a particular string input show vpn sa < string > ike detail Displays details for Internet Key Exchange data for a VPN security association, specified by a p[...]

  • Page 1446

    show zones Displays configurable zones on the appliance and interfaces associated with each zone stacktrace Runs report of the currently active stack frames stacktrace < string | ident > Runs report for a specific active set of stack frames, based on the particular[...]

  • Page 1447

    Table 7 Configure Level Commands Command Description ACCESS RULES SUB-COMMANDS access-rules < from-zone > < to-zone > Allows configuration of access rules between one zone and another < add > commands action < allow | deny | discard > Sets the ac[...]

  • Page 1448

    < modify > commands < index > Modifies specific access rules index action < allow | deny | discard > Modifies an allow, deny, or discard action relating to a specific access rule advanced Modifies an advanced access rule [ no ] allow-fragments Modifie[...]

  • Page 1449

    ADDRESS GROUP/ADDRESS OBJECT SUB-COMMANDS abort Exits to top-level menu and cancels changes where needed [ no ] address-object < object name > Configures or modifies an address object [ no ] address-group < group name > Configures or modifies an addre[...]

  • Page 1450

    GMS SUB-COMMANDS < gms > algorithm < des-md5 | frd3-sha > Sets GMS encryption and authentication algorithm [ no ] authentication-key < hex key > Sets the 32-hex or 40-hex authentication key to communicate with the GMS server [ no ] behind-nat Enable[...]

  • Page 1451

    NAT SUB-COMMANDS nat Accesses sub-commands to configure NAT policies < add > commands orig-src < original source object > Sets the original source object for this policy trans-src < translated source object > Sets the translated source object for this policy[...]

  • Page 1452

    < modify > commands < item-number > Allows modification of a specific NAT policy [ no ] enable Enables/Disables a specific NAT policy [ no ] comment < comments > Allows administrator to modify comments relating to a NAT policy orig-src < original source[...]

  • Page 1453

    SERVICE SUB-COMMANDS service Accesses sub-commands to configure individual services < add > commands < service name > Allows configuration of a new service type to be associated to the appliance < group name > Allows configuration of a new service group name[...]

  • Page 1454

    SONICPOINT SUB-COMMANDS < sonicpoint > < string > Configures a SonicPoint profile sync Synchronizes configured SonicPoints country-code < US | CA > Sets applicable country code for a SonicPoint [ no ] delete Deletes an operational SonicPoint from a deployme[...]

  • Page 1455

    radio-a authtype < both | open | psk | shared > Sets the method type for authentication to be both, open, WPA/PSK, or WEP-shared radio-a beacon-interval < uvalue > Sets the interval (in milliseconds) between broadcasts of the wireless beacon radio-a channel <[...]

  • Page 1456

    radio-a wpa interval < uvalue > Sets the length of time between re-keying the WPA key radio-a wpa psk < string > Sets WiFi Protected Access Pre-shared key passphrase [ no ] radio-g enable Enables or disables 802.11g radio band wireless connections [ no ] radio-g [...]

  • Page 1457

    radio-g ofdm-power < uvalue > Sets the difference in radio transmit power allowed between 802.11g and 802.11b modes [ no ] radio-g preamble-long Sets the length of the initial wireless communication when associating with the host radio-g protection mode < always |[...]

  • Page 1458

    SSH SUB-COMMANDS ssh enable <interface> Enables SSH management for the specified interface ssh genkey Creates a new key to use with SSH ssh port <port> Assigns the SSH port or resets to the default port ssh restore Restores SSH management settings to defaults ss[...]

  • Page 1459

    [ no ] advanced multicast Enables IP multicasting traffic to pass through the VPN tunnel [ no ] advanced netbios Enables or disables Windows Networking (NetBIOS) Broadcast [ no ] advanced use-xauth < group-name > Configures or removes the specified user group for XAUTH [...]

  • Page 1460

    proposal ipsec [< esp | ah >] [ encr < des | triple-des | aes-128 | aes-192 | aes-256 >] [ auth < md5 | sha1 >] [ dh < 1 | 2 | 5 >] [ lifetime < seconds >] Sets encryption settings for IPSec proposal sec-gw domain-name < domain name >[...]

  • Page 1461

    VPN SUB-COMMANDS (MANUAL KEY) abort Exits to top-level menu and cancels changes where needed [ no ] advanced apply-nat < local | remote > < translated address object > Enable or disable translation of the local and/or remote networks communicating with th[...]

  • Page 1462

    proposal ipsec [< esp | ah >] [ encr < des | triple-des | aes-128 | aes-192 | aes-256 >] [ auth < md5 | sha1 >] [ dh < 1 | 2 | 5 >] [ lifetime < seconds >] Sets encryption settings for IPSec proposal sa [ in-spi < Incoming SPI >] [ out-sp[...]

  • Page 1463

    cert < certname > Selects a certificate for the SonicWALL end Exits configuration mode exit Exits menu and applies changes finished Exits to top-level and applies changes where needed gw domain-name < domain name > Sets the primary gateway domain name gw ip-ad[...]

  • Page 1464

    SSL VPN CLIENT SUB-COMMANDS abort Exits to top-level menu without applying changes address < start ip address > < end ip address > < interface > Sets the global IP address pool from which NetExtender clients are assigned an IP address [ no ] auto-update[...]

  • Page 1465

    SSL VPN PORTAL SUB-COMMANDS abort Exits to top-level menu without applying changes [ no ] auto-launch Enables/Disables automatic launch of NetExtender after a user logs into the portal banner-title < portal banner title name > Sets the portal banner title that displa[...]

  • Page 1466

    SSL VPN ROUTE SUB-COMMANDS abort Exits to top-level menu without applying changes add-routes < address object name > Adds an address object as a client route entry cancel Exits from menu without applying changes delete-routes < address object name > Deletes spec[...]

  • Page 1467

    Table 8 LAN Interface Configuration Command Description interface < x0 | x1 | x2 | x3 | x4 | x5 > [< lan | wan | dmz >] Assigns zone and enters the configuration mode for the interface auto Sets the interface to auto negotiate comment < string > Adds com[...]

  • Page 1468

    Table 9 WAN Interface Configuration Command Description < wan > auto Sets the interface to auto-negotiate bandwidth-management enable Enables bandwidth management bandwidth-management size < uvalue > Sets the bandwidth management size comment < string >[...]

  • Page 1469

    Mode DHCP WAN Interface Configuration end Exits configuration mode finished Exits configuration mode to top menu help < command > Displays help for given command info Displays IP information about the interface [ no ] hostname < string > Sets the hostname for t[...]

  • Page 1470

    info Displays IP information about the interface [ no ] ip < IP Address > Sets/Clears the IP address for the interface [ no ] password < quoted string > Sets/Clears the L2TP password [ no ] server ip < IP Address > Sets/Clears the L2TP server IP address sta[...]

  • Page 1471

    info Displays IP information about the interface [ no ] lan-icmp Assigns/clears LAN-ICMP logging category [ no ] lan-tcp Assigns/clears LAN-TCP logging category [ no ] lan-udp Assigns/clears LAN-UDP logging category [ no ] maintenance Assigns/clears maintenance logging [...]

  • Page 1472

    zone <wan|lan|dmz> Enters the zone configuration menu end Exits configuration mode finished Exits configuration mode to top menu [ no ] intrazone-communications Enables/disables intra-zone communications auto Sets the interface to autonegotiate bandwidth-manage [...]

  • Page 1473

    < guest services > SUB-COMMANDS abort Exits to top-level menu and cancels changes where needed bypass antivirus Configures the zone’s bypass settings for anti-virus bypass auth <string|identifier> Configures the zone’s bypass authentication based on strin[...]

  • Page 1474

    Configuring Site-to-Site VPN Using CLI This section describes how to create a VPN policy using the Command Line Interface. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface. Note: In this example, the VPN p[...]

  • Page 1475

    Configuration In this example, a site-to-site VPN is configured between two TZ 200 appliances, with the following settings: Local TZ 200 (home): WAN IP: 10.50.31.150 LAN subnet: 192.168.61.0 Mask 255.255.255.0 Remote TZ 200 (office): WAN IP: 10.50.31.104 LAN subnet: 192.1[...]

  • Page 1476

    4. Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall: (config-vpn[OfficeVPN])> pre-shared-secret sonicwall 5. Configure the IPSec gateway: (config-vpn[OfficeVPN])> gw ip-address 10.50.31.104 6. Define the local and the remote network[...]

  • Page 1477

    Set Default Route OFF, Apply VPN Access Control List OFF Require GSC OFF Use Default Key OFF Policy: OfficeVPN (Enabled) Key Mode: Pre-shared Primary GW: 10.50.31.104 Secondary GW: 0.0.0.0 Pre Shared Secret: sonicwall IKE ID: Local: IP Address Peer: IP Address Network: Lo[...]

  • Page 1478

    Lan Default GW: 0.0.0.0 Require XAUTH: OFF Bound To: Zone WAN 3. Type the command show vpn sa “name” to see the active SA: (config[TZ200])> show vpn sa "OfficeVPN" Policy: OfficeVPN IKE SAs GW: 10.50.31.150:500 --> 10.50.31.104:500 Main Mode, 3DES SH[...]

  • Page 1479

    -t 1 automatic detect setting; 2 configuration script; 3 proxy server -s proxy address/URL of automatic configuration script -o port -u user name -p password -b bypass proxy -save queryproxy reconnect viewlog -profile servername: connect to server directly when p[...]

  • Page 1480

    -r filename Generate a diagnostic report. -v Display NetExtender version information. -h Display this usage information. server: Specify the server either in FQDN or IP address. The default port for server is 443 if not specified. Example: netExtender -u u1 -p p1[...]

  • Page 1481

    1481 SonicOS 5.8.1 Administrator Guide Index Symbols 1409, 1413, 1417–1418 Numerics 802.11a 516, 522 802.11b 467 802.11g 467, 516, 522 802.11n 467, 516–517 A acceptable use policy 1024 access points SonicPoints 515 access rules advanced options 614 bandwidth management 605, 722 Ethernet BWM tab 723 examples 614 public server wizar[...]

  • Page 1482

    application control action objects 642, 668 application list objects 640, 666 bandwidth management 621, 669 BWM actions, predefined 642 BWM policy precedence 626 components 620 create rule from App Flow Monitor 627 data leakage prevention 618 email address objects 646, 672 filter by application 640 filte[...]

  • Page 1483

    diagnostics 165 active connections monitor 169 check network settings 168 core monitor 172 CPU monitor 173 DNS name lookup 175 find network path 175 link monitor 174 multi-core monitor 171 packet size monitor 174 ping 175 reverse name resolution 177 tech support report 166 trace route 178 user monitor 179 w[...]

  • Page 1484

    high availability active/active UTM overview 1140 active/active UTM prerequisites 1154 applying licenses to each unit 1165 associating appliances on MySonicWALL 1145 configuring Active/Active UTM 1159 configuring advanced settings 1159 configuring in SonicOS 1154 configuring monitoring 1161 config[...]

  • Page 1485

    log automation 57, 1365, 1369 DeepSee 1367 e-mail alert addresses 1365 e-mailing logs 1351 event message priority levels 1352 exporting 1351 generating reports 1389 legacy attacks 1357 log categories 1359 mail server settings 1365 name resolution 1387 PCAP 1367 redundancy filter 1356 view table 1350 [...]

  • Page 1486

    P packet monitor advanced filter settings 151 basic operation 87, 154 benefits 140 configuring 143 display filter 147 export file types 162 firewall rules based 144 FTP logging 151 hex dump 91, 158 logging 149 mirror settings 153 mirroring status 160 monitor filter settings 145 overview 139–140 packet[...]

  • Page 1487

    security services licenses 102 managing online 1180 manual upgrade 103 manual upgrade for closed environments 104 manually update 1183 summary 1177 security services settings maximum security 1181 performance optimized 1181 server protection 1226 service group public server wizard 1415 services 317 adding cu[...]

  • Page 1488

    syslog adding server 1363 event redundancy rate 1362 server settings 1362 syslog server 1361 system alerts 97 information 96 network interfaces 100 status 95 T tap mode 262 Terminal Server 976 testing URL for user view in junk box summary 849 time NTP settings 128 setting 127 time zone setup wizard 1399 t[...]

  • Page 1489

    WAN Acceleration 1269 advanced page 1300 configuration task list 1274 configuring 1309 configuring WFS acceleration 1326 deployment considerations 1273 logs 1308 non-VPN configuration 1317 overview 1270 prerequisites 1273 status 1274 TCP acceleration 1278 verifying configuration 1343 VPN configuration 1315 WFS[...]

  • Page 1490

    PROTECTION AT THE SPEED OF BUSINESS™ SonicWALL, Inc. 1143 Borregas Avenue T +1 408.745.9600 www.sonicwall.com Sunnyvale CA 94089-1306 F +1 408.745.9300 P/N: 232-000738-00 Rev E, 4/12 ©2012 descriptions subject to change without notice. 07/07 SW 145[...]