
ADMINISTRATOR'S GUIDE


Contents

1. List Status: This section of the URL List tab indicates the status of the URL list. If the Content Filter List is loaded, a status message is displayed in this section. List Updates: It is important to note that host names, and not TCP/IP addresses, are used for all filtering. Many blocked sites operate server pools where many computers service a single host name, making it impractical and difficult to add and maintain the numerical addresses of every server in the pool. Many sites included in the Content Filter List regularly change the IP address of the server to try to bypass Content Filter Lists. For this reason, maintaining a current list subscription is critical for effective content filtering. Download Automatically every: Selecting Download Automatically every allows you to configure a specific time to download your Content Filter List. Select a day of the week and a time (24-hour format), for example, Sun at 22:00 hours. Or you can click Download Now to immediately download your Content Filter List. Tip: It is recommended to download the URL List at a time when access to the Internet is at a minimum, as downloading the URL List disrupts connectivity to the Internet. Settings: If you have enabled blocking by Filter Categories and the URL List becomes unavailable, there are two options available: Block traffic to all Web sites except for Allowed Dom
2. (Screenshot: registration form with the Personal Information section (First Name, Company, Title, Street Address, City, State/Province, Country, Postal Code, Phone Number, Fax Number, URL) and the Preferences section (Time Zone, Beta Tester, e-mail contact, Security Alerts, Product Information).) Be sure to enter the correct e-mail address, as the subscription code for your SonicWALL user account is e-mailed to you. The subscription code is necessary to activate your account. 6. Select your time zone from the Time Zone menu and then select any or all of the following options: Yes, I would like to be a Beta Tester; No, I do not want to be contacted by SonicWALL via e-mail; I would like to receive security alerts from SonicWALL; I would like to receive product information from SonicWALL. Click Submit. Review your information carefully to ensure that it is accurate. Click Back on your Web browser navigation bar to go back to the form and re-enter any information. (Page 48, SonicWALL Internet Security Appliance Administrator's Guide.) (Screenshot: Confirm Mysonicwall.com Subscription window in Microsoft Internet Explorer.)
3. 4. To delete DHCP servers, click on the IP address of the DHCP server and click Delete DHCP Server. The server is removed from the list of DHCP servers. To complete the configuration, go to VPN and click Configure. Select Destination network obtains IP addresses using DHCP through this SA in the Destination Networks section. Click Update. Configuring the Remote Gateway for VPN over DHCP: To configure the SonicWALL as a Remote Gateway, use the following steps. 1. Log into the Management interface, click DHCP, and then DHCP over VPN. 2. Select Remote Gateway from the DHCP Relay Mode menu. 3. Select the VPN Security Association to be used for the VPN tunnel from the Obtain using DHCP through this SA menu. Alert: Only VPN Security Associations using IKE can be used as VPN tunnels for DHCP. 4. The Relay IP address is a static IP address from the pool of specific IP addresses on the Central Gateway. It should not be available in the scope of DHCP addresses. The SonicWALL can also be managed through the Relay IP address. 5. If you enable Block traffic through tunnel when IP spoof detected, the SonicWALL blocks any traffic across the VPN tunnel that is spoofing an authenticated user's IP address. If you have any static devices, however, you must ensure that the correct Ethernet address is entered f
4. Java: Java is used to download and run small programs, called applets, on Web sites. It is safer than ActiveX since it has built-in security mechanisms. Select the Java check box to block Java applets from the network. Cookies: Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable Cookies. Known Fraudulent Certificates: Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates. Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee. Access to HTTP Proxy Servers: When a proxy server is located on the WAN, LAN users can circumvent content filtering by pointing their computer to the proxy server. Check this box to prevent LAN users from accessing proxy servers on the WAN. Don't Block Java/ActiveX/Cookies to Trusted Domains: Select this option if you have trusted domains using Java, ActiveX, and Cookies. To add a trusted domain
5. Activity: Lights up when the SonicWALL transmits or receives a packet through the Twisted Pair port onto the network. SonicWALL PRO 200 and PRO 300 Back Panel: The SonicWALL PRO 200 back panel is shown below, followed by a description of each item. The SonicWALL PRO 300 back panel is identical to the SonicWALL PRO 200. (Back panel figure labels: RS-232 Serial Port, Reset Switch, Cooling Vents, LAN Ethernet Port, WAN Ethernet Port, DMZ Ethernet Port (each 10Mbps/100Mbps), 5VDC 2A Power Input.) SonicWALL PRO 200 and PRO 300 Back Panel Description:
    - 3 Twisted Pair (10Base-T/100Base-T) Ethernet Ports: 3 auto-switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks. The Ethernet ports connect the SonicWALL to the LAN, DMZ, and WAN using Twisted Pair cable with RJ45 connectors.
    - Serial Port: DB-9 RS-232 Serial port for Command Line Interface support.
    - Reset Switch: Resets the SonicWALL PRO 200 or the SonicWALL PRO 300 to its factory clean state. This can be required if you forget the administrator password or the SonicWALL firmware has become corrupt.
    - Power Input: Connects the SonicWALL to power input. The use of an Uninterruptible Power Supply (UPS) is strongly recommended to protect the SonicWALL against damage or loss of data due to electrical storms, power failures, or power surges.
    - Power Switch: Powers the SonicWALL on
6. (Screenshot: Administrator Inactivity Timeout ("Time out administrator after 90 minutes of inactivity") and Administrator and User Login Failure Handling ("Enable user lockout on login failure", "Lock out user after __ failed login attempts in a 1 minute period", "Lock out user for __ minutes"), with Update and Reset buttons.) Administrator Name: The Administrator Name can be changed from the default setting of "admin" to any word using alphanumeric characters, up to 30 characters in length. To create a new administrator name, enter the new name in the Administrator Name field. Click Update for the changes to take effect on the SonicWALL. Change the Administrator Password: To set the password, enter the old password in the Old Password field and the new password in the New Password field. Enter the new password again in the Confirm New Password field and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Tip: When setting the password for the first time, remember that the SonicWALL default password is "password". If the password is not entered exactly the same in both New Password fields, the password is not changed. If you mistype the password, you are not locked out of the SonicWALL. Alert: The password cannot be recovered if it is lost or forgotten. If the password is lost, you must reset the SonicWALL to its factory default state.
7. (Screenshot: Log Settings tab with the Mail Server, Send log to, Send alerts to, and Firewall Name fields; Email Log Now and Clear Log Now buttons; Syslog Server list (Name or IP Address, Port Number) with Add and Delete Syslog Server; Send Log (Daily / When log overflows: Overwrite log or Deactivate SonicWALL); Syslog Individual Event Rate (seconds/event); Syslog Format; and Log, Alerts, and SNMP Traps check boxes for System Maintenance, Attacks, Dropped TCP, Dropped UDP, Dropped ICMP, System Errors, Blocked Web Sites, VPN Tunnel Status, User Activity, Network Debug, VPN TCP Stats, and Denied LAN IP.) Configure the following settings: 1. Mail Server: To e-mail log or alert messages, enter the name or IP address of your mail server in the Mail Server field. If this field is left blank, log and alert messages are not e-mailed. 2. Send Log To: Enter your full e-mail address (username@mydomain.com) in the Send log to field to
8. Selecting Enable NAT Traversal in the Global VPN Settings section of the Summary tab allows VPN tunnels to support this protocol, and log messages are generated by the SonicWALL when an IPSec Security Gateway is detected behind a NAT/NAPT device. The following log messages are found on the View Log tab:
    - Peer IPSec Gateway behind a NAT/NAPT device
    - Local IPSec Security Gateway behind a NAT/NAPT device
    - No NAT/NAPT device detected between IPSec Security
    - Peer IPSec Security Gateway doesn't support VPN NAT Traversal
    AES (Advanced Encryption Standard) Support: AES is an encryption algorithm for securing sensitive but unclassified material by U.S. Government agencies. It may become the official encryption standard for commercial transactions in the private sector. As a symmetric algorithm (same key for encryption and decryption), it uses block encryption of 128 bits in size, supporting key sizes of 128, 192, and 256. AES support is only available on the PRO 230, PRO 330, and GX series. Support is limited to 128- and 256-bit keys for IKE Phase One tunnels and 128-bit keys for Phase Two tunnels for both IKE and Manual key. Configure Tab (Add/Modify IPSec Security Associations): The Configure tab settings change depending on the Security Association (SA) and IPSec Keying options you choose in the Add/Modify IPSec Security Associations. You can choose either Group VPN
9. <http://www.sonicwall.com/support>. There you will find resources to resolve most technical issues and a Web request form to contact one of the SonicWALL Technical Support engineers. Firmware Version: This manual is updated and released with firmware version 6.4.0.0. Always check <http://www.sonicwall.com/products/documentation.html> for the latest version of this manual and other upgrade manuals as well. Icons Used in this Manual: Alert: Important information about features that can affect firewall performance, security features, or cause potential problems with your SonicWALL. Tip: Useful information about security features and configurations on your SonicWALL. 1. Introduction: Your SonicWALL Internet Security Appliance. The SonicWALL Internet Security Appliance provides a complete security solution that protects your network from attacks, intrusions, and malicious tampering. In addition, the SonicWALL filters objectionable Web content and logs security threats. SonicWALL VPN provides secure, encrypted communications to business partners and branch offices. The SonicWALL Internet Security Appliance uses stateful packet inspection to ensure secure firewall filtering. Stateful packet inspection is widely considered to be the most effective method of filtering IP traffic. MD5 authentication is used to encrypt communications between your Management Station and the SonicWALL Web Management Interface. MD5 Authentication preve
10. Click Tools on the left side of the browser window and then click the Preferences tab. (Screenshot: Preferences tab.) You can save the SonicWALL settings and then retrieve them later for backup purposes. SonicWALL recommends saving the SonicWALL settings when upgrading the firmware. The Preferences window also provides options to restore the SonicWALL factory default settings and launch the SonicWALL Installation Wizard. These functions are described in detail in the following pages. Exporting the Settings File: It is possible to save the SonicWALL configuration information as a file on your computer and retrieve it for later use. Click Export in the Preferences tab. (Screenshot: Export dialog; the file is named sonicwall.exp by default, which can be changed if needed.) 1. Click Export again to download the settings file. Then choose the location to save the settings file. The file is named sonicwall.exp by default, but it can be renamed. 2. Click Save to save the file. This process can take up to a minute. Importing the Settings File: After exporting a settings file, you can import it back to the SonicWALL. 1. Click Import in the Preferences tab. (Screenshot: Import dialog, "Please select a file to import", with a Browse button.)
11. (Screenshot: Diagnostic Tools tab, "Choose a diagnostic tool: TraceRoute this host or IP address", with a Go button.) Enter the IP address or domain name of the destination host. For example, enter yahoo.com and click Go. A second window is displayed with each hop to the destination host:

        66.218.71.112 from 192.168.168.1, 30 hops max, 36 byte packets
        16.6 ms   0.0 ms   0.0 ms   10.0.0.253
        100.0 ms  100.0 ms  100.0 ms  66.218.71.112
        Trace complete

    By following the route, you can diagnose where the connection fails between the SonicWALL and the destination. 10. Network Access Rules: Network Access Rules are management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL. By default, the SonicWALL's stateful packet inspection allows all communication from the LAN to the Internet and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the Default stateful inspection packet rule enabled in the SonicWALL:
    - Allow all sessions originating from the LAN to the WAN and DMZ
    - Allow all sessions originating from the DMZ to the WAN
    - Allow all sessions originating from the WAN to the DMZ
    - Deny all sessions ori
12. (Screenshot: Group VPN Export.) The SonicWALL VPN tab defaults to a Group VPN setting. This feature facilitates the set up and deployment of multiple VPN clients by the administrator of the SonicWALL appliance. Security settings can now be exported to the remote client and imported into the remote VPN client settings. Group VPN allows for easy deployment of multiple VPN clients, making it unnecessary to individually configure remote VPN clients. Group VPN is only available for VPN clients, and it is recommended to use Authentication Service or XAUTH/RADIUS in conjunction with the Group VPN for added security. To enable Group VPN, follow the instructions below. 1. Click VPN on the left side of the Management Station interface. Click on Group VPN. 2. The Security Association default setting is Group VPN. 3. Configure the Group VPN to use either IKE using Pre-shared Secrets or IKE using Certificates. To use certificates, an Authentication Service upgrade must be purchased. 4. Select Group 2 from the Phase 1 DH Group menu. 5. Enter the SA Life Time value in minutes. A value of 28800 seconds (8 hours) is recommended. 6. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu. 7. Select Encrypt and Authenticate (ESP 3DES HMAC MD5) from the Phase 2 Encryption/Authentication menu. 8. Create and enter a Shared Secret in the Shared Secret field, or use the Shared Secret automatically generated by the So
13. Note that the device connected to the SonicWALL must support the standard Link Integrity test. Activity: Lights up when the SonicWALL transmits or receives a packet through the Twisted Pair port onto the network. 3 Twisted Pair (10Base-T/100Base-T) Ethernet Ports: 3 auto-switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks. The Ethernet ports connect the SonicWALL to the LAN, DMZ, and WAN using Twisted Pair cable with RJ-45 connectors. Serial Port: DB-9 RS-232 Serial port for Command Line Interface support. Reset Switch: Resets the SonicWALL PRO 200 or the SonicWALL PRO 300 to its factory clean state. This can be required if you forget the administrator password or the SonicWALL firmware has become corrupt. SonicWALL PRO 230 and PRO 330 Rear Panel Description: (Rear panel figure labels: Power Input (PRO 330 only), Power Switch, Cooling Vents.) Power Switch: Powers the SonicWALL on and off. Power Input: Connects the SonicWALL to power input. The use of an Uninterruptible Power Supply (UPS) is strongly recommended to protect the SonicWALL against damage or loss of data due to electrical storms, power failures, or power surges. The PRO 330 has dual supply inputs. Cooling Vents: The SonicWALL is convection cooled; an internal fan is not neces
14. 6. Click File, then Save Changes, to save the settings to the security policy. Group VPN can also be configured using digital certificates in the Security Association settings. For more information on Group VPN configuration using digital certificates, refer to the Authentication Service User's Guide on the SonicWALL Website at www.sonicwall.com (vpn center, vpn setup.html). Verifying the VPN Tunnel as Active: After the Group VPN Policy is active on the VPN Client, you can verify that a secure tunnel is active and sending data securely across the connection. You can verify the connection by verifying the type of icon displayed in the system tray near the system clock. The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system. The icon changes to reflect the current status of your communication over the VPN tunnel. Icon Explanation: One of these explanations applies. The Windows operating system did not start the IREIKE service properly; to start this service, restart your PC. If this icon continues to display, you may need to reinstall SoftRemote. Your security policy is deactivated, that is, disabled; to reactivate it, go to Reactivate the security policy. Your computer is ready to establish connections or transmit data. Your computer has
15. SonicWALL ships a fully functional appliance. The replacement appliance is equivalent to a new appliance. SonicWALL does not accept failed appliances without a valid RMA number. Software/Firmware Updates: All software and firmware maintenance releases and updates are included for 90 days after the date of purchase. SonicWALL notifies administrators via electronic mail of new updates. The updates are delivered exclusively via the Web. Support Tools: Warranty Support provides access to SonicWALL's Web-based support tools, including FAQs, documentation, and Knowledge Base systems. Availability: This warranty applies to products sold in Europe, the Middle East, Africa, Asia, Central and South America. SonicWALL Support 24X7: Available for all SonicWALL products, SonicWALL Support 24X7 includes software/firmware technical support and factory replacement of defective hardware. Coverage is provided 24 hours a day, seven days a week. Coverage Hours: Support is provided during standard business hours, 24 hours per day local time, seven days per week, including locally recognized SonicWALL holidays. Telephone and Web-based Support: SonicWALL provides technical assistance during standard coverage hours by telephone or through Web-based support tools. A SonicWALL technical specialist works with you to remotely diagnose and identify firmware and hardware not performing to docume
16. Click Enter Key to define the encryption and authentication keys. Enter the SonicWALL Outgoing SPI in the Security Parameter Index field. Select Binary in the Choose key format options. Enter the SonicWALL 16-character Encryption Key in the ESP Encryption Key field. Enter the SonicWALL 32-character Authentication Key in the ESP Authentication Key field, then click OK. Configuring Outbound VPN Client Keys: 1. Click Outbound Keys. An Outbound Keying Material box is displayed. (Screenshot: Outbound Keying Material dialog with Security Parameters Index, Choose key format (ASCII, e.g. abcdef, or Binary, e.g. 0xf012), ESP Encryption Key, ESP Authentication Key, and AH Authentication Key fields.) 2. Click Enter Key to define the encryption and authentication keys. 3. Enter the SonicWALL Incoming SPI in the Security Parameter Index field. 4. Select Binary in the Choose key format menu. 5. Enter the SonicWALL appliance 16-character Encryption Key in the ESP Encryption Key field. 6. Enter the SonicWALL appliance 32-character Authentication Key in the ESP Authentication Key field, and then click OK. Saving SonicWALL VPN Client Settings: Select Save Changes in the File menu in the top left corner of the Security Policy Editor window. Verifying the VPN Tunnel as Active
17. 3. TCP received on WAN [SYN,ACK] From 204.71.200.74:80 (02:00:cf:58:d3:6a) To 207.88.211.116:1937 (00:40:10:0c:01:4e). The SonicWALL receives SYN/ACK from the remote host. 4. TCP sent on LAN [SYN,ACK] From 204.71.200.74:80 (02:00:cf:58:d3:6a) To 192.168.168.158:1282 (00:a0:4b:05:96:4a). The SonicWALL forwards SYN/ACK to the LAN client. 5. TCP received on LAN [ACK] From 192.168.168.158:1282 (00:a0:4b:05:96:4a) To 204.71.200.74:80 (02:00:cf:58:d3:6a). The client sends a final ACK and waits for the start of data transfer. 6. TCP sent on WAN [ACK] From 207.88.211.116:1937 (00:40:10:0c:01:4e) To 204.71.200.74:80 (02:00:cf:58:d3:6a). The SonicWALL forwards the client ACK to the remote host and waits for the data transfer to begin. When using packet traces to isolate network connectivity problems, look for the location where the three-way handshake is breaking down. This helps to determine if the problem resides with the SonicWALL configuration or if there is a problem on the Internet. 1. Select Packet Trace from the Choose a diagnostic tool menu. (Screenshot: SonicWALL Administration in Netscape, Diagnostic Tools tab.) Tip: Packet Trace requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host. Enter the IP address of the remote host in the Trace on IP address field and click Start. Yo
18. After configuring the VPN Client, you can verify that a secure tunnel is active and sending data securely across the connection. You can verify the connection by verifying the type of icon displayed in the system tray near the system clock. Open a command prompt window and ping an address on the remote network. The icon should turn green, indicating an active connection. Verifying the VPN Client Icon in the System Tray: The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system. The icon changes to reflect the current status of your communication over the VPN tunnel. Icon Explanation: One of these explanations applies:
    - The Windows operating system did not start the IREIKE service properly. To start this service, restart your PC. If this icon continues to display, you may need to reinstall SoftRemote.
    - Your security policy is deactivated, that is, disabled. To reactivate it, go to Reactivate the security policy.
    - Your computer is ready to establish connections or transmit data.
    - Your computer has established no secure connections and is transmitting unsecured data.
    - Your computer has established at least one secure connection but is not transmitting any data.
    - Your computer has established at least one secure connection and is transmitting only unsecured data.
    - Your computer has established at least one secure connection and is tran
19. (Screenshot: SonicWALL Installation Wizard, Restarting page, in Microsoft Internet Explorer.) SonicWALL is restarting. Since you have activated SonicWALL's DHCP server, you should now configure all the PCs and other network devices on your LAN to Obtain an IP address automatically. Note that it may be necessary to restart a PC or network device after changing its network configuration. Note: This includes the computer you are currently using to configure SonicWALL. You will not be able to re-contact SonicWALL until you have reconfigured your PC. Once you have reconfigured your PC and SonicWALL has finished restarting, you should be able to access the Internet. Note that the restarting process will take approximately 90 seconds to complete. Remember, from now on you will contact SonicWALL's Web Management Interface at http://192.168.168.1. Thank you for selecting SonicWALL. Print This Page. Alert: The final page provides important information to help configure the computers on the LAN. Click Print this Page to print the window information. 12. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard. Configuring NAT with PPPoE Client: The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administr
20. Enter a valid IP address assigned by your ISP in the SonicWALL WAN IP (NAT Public) Address field. Because NAT is enabled, all network activity appears to originate from this address. 6. Enter your WAN subnet mask in the WAN/LAN Subnet Mask field. This subnet mask should be assigned by your ISP. 7. Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses these DNS servers for diagnostic tests and for upgrade and registration functionality. 8. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect. If you enable Network Address Translation, designate the SonicWALL LAN IP Address as the gateway address for computers on your LAN. Consider the following example:
    - The SonicWALL WAN Gateway (Router) Address is 10.1.1.1.
    - The SonicWALL WAN IP (NAT Public) Address is 10.1.1.25.
    - The private SonicWALL LAN IP Address is 192.168.168.1.
    - Computers on the LAN have private IP addresses ranging from 192.168.168.2 to 192.168.168.255.
    In this example, 192.168.168.1, the SonicWALL LAN IP Address, is used as the gateway or router address for all computers on the LAN. NAT with DHCP Client Configuration: The SonicWALL can receive an IP address from a DHCP server on the Internet. If your ISP did not provide you with a
21. Setting the Administrator Inactivity Timeout: The Administrator Inactivity Timeout setting allows you to configure the length of inactivity that can elapse before you are automatically logged out of the Web Management Interface. The SonicWALL is preconfigured to log out the administrator after 5 minutes of inactivity. Tip: If the Administrator Inactivity Timeout is extended beyond 5 minutes, you should end every management session by clicking Logout to prevent unauthorized access to the SonicWALL Web Management Interface. Enter the desired number of minutes in the Administrator Inactivity Timeout section and click Update. The Inactivity Timeout can range from 1 to 99 minutes. Click Update, and a message confirming the update is displayed at the bottom of the browser window. Login Failure Handling: You can configure the SonicWALL to lock out an administrator or a user if the login credentials are incorrect. Select Enable User Lockout on login failure to prevent users from attempting to log into the SonicWALL without proper authentication credentials. Enter the number of failed attempts before the user is locked out in the Lock out user after __ failed login attempts in a 1 minute period field. Enter the length of time that must elapse before the user attempts to log into the SonicWALL again in the Lockout Period (minutes) field. If the administrator and a user are logging into the SonicWALL using the sa
22. (Screenshot: High Availability tab showing the Primary SonicWALL Status (Active), Primary SonicWALL Serial Number, LAN IP Address, and WAN IP Address; the Enable High Availability check box; and the Backup SonicWALL Serial Number, LAN IP Address, WAN IP Address, Preempt Mode, Heartbeat Interval (seconds), and Failover Trigger Level (missed heartbeats) fields, with Update and Reset buttons.) The top half of the window displays the primary SonicWALL serial number and network settings. The bottom half of the window displays the backup SonicWALL information boxes. To configure High Availability, follow the steps below. 1. Connect the primary SonicWALL and the backup SonicWALL to the network, but leave the power turned off on both units. 2. Turn on the primary SonicWALL unit and wait for the diagnostics cycle to complete. Configure all of the settings in the primary SonicWALL before configuring High Availability. 3. Click High Availability on the left and begin configuring the following settings for the primary SonicWALL:
    - LAN IP Address: This is a unique IP address for accessing the primary SonicWALL from the LAN, whether it is Active or Idle. Alert: This IP address is different from the IP address used to contact the SonicWALL in the General/Network settings.
    - WAN IP Address (Optional): This is a unique WAN IP address used to remotely manage the primary SonicWALL whether it is
23. It is recommended to reserve a block of IP addresses to use as Relay IP addresses. Select LAN Devices not allowed to obtain IP through SA if there are devices on the LAN that you do not want to obtain IP addresses through the VPN tunnel, such as children's computers. You must know the Ethernet address of the device to configure this setting. The Ethernet address of a device can be determined by typing ipconfig /all into a Command Prompt window. Alert: You must configure the local DHCP server on the remote SonicWALL to assign IP leases to these computers. Alert: If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote computer. If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.e., two LANs. DHCP Status: A Status page is now available to review DHCP Server Status and DHCP over VPN Status. The DHCP Server Status section reports the number of Current, Available Dynamic, and Available Static leases, as well as the Total leases. The DHCP over VPN Status section reports the number of Current Dynamic, Current Static, and the Total leases. Click the Status tab. (Screenshot: DHCP Server Status tab, with the message "The configuration has been updated".) The scrolling window shows the details on t
24. Log back into the SonicWALL at the default IP address, http://192.168.168.168. Make sure that the Management Station's IP address is in the same subnet as the SonicWALL, for example 192.168.168.200. 5. The SonicWALL Management Interface displays a message stating that the firmware has been erased. Click the Browse button to locate the SonicWALL firmware file on the Management Station hard drive. Or upload the firmware file that is located on the SonicWALL Companion CD. 6. Reconfigure the SonicWALL as described in Chapter 2. Appendix H: Mounting the SonicWALL PRO 200 and PRO 300. The SonicWALL PRO 200 and SonicWALL PRO 300 are designed to be mounted in a standard 19-inch rack mount cabinet. The following conditions are required for proper installation. Use the mounting hardware recommended by the rack manufacturer and ensure that the rack is adequate for the application. Four mounting screws, compatible with the rack design, must be used and hand tightened to ensure secure installation. Choose a mounting location where all four mounting holes line up with those of the mounting bars of the 19-inch rack mount cabinet. Mount in a location away from direct sunlight and sources of heat. A maximum ambient temperature of 104° F (40° C) is recommended. Route cables away from power lines, fluorescent lighting fixtures, and sources of noise such as radios, transmitters, and br
25. Valid hexadecimal characters are 0 to 9 and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.

    ARCFour

    ARCFour is used for communications with secure Web sites using the SSL protocol. Many banks use a 40-bit key ARCFour for online banking, while others use a 128-bit key. SonicWALL VPN uses a 56-bit key for ARCFour. ARCFour is faster than DES for several reasons. First, it is a newer encryption mechanism than DES; as a result, it benefits from advances in encryption technology. Second, unlike DES, it is designed to encrypt data streams rather than static storage. The SonicWALL VPN ARCFour key must be exactly 16 characters long and is comprised of hexadecimal characters. Valid hexadecimal characters are 0 to 9 and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.

    Strong Encryption (Triple DES)

    Strong Encryption, or Triple DES (3DES), is a variation on DES that uses a 168-bit key. As a result, 3DES is dramatically more secure than DES and is considered to be virtually unbreakable by security experts. It also requires a great deal more processing power, resulting in increased latency and decreased throughput. The SonicWALL 3DES key must be exactly 24 characters long and is comprised of hexadecimal characters. Valid hexadecimal characters are 0 to 9 and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a
26. address of your computer or server in the Ethernet Address field. Then click Update. When the SonicWALL has been updated, a message confirming the update is displayed at the bottom of your Web browser window. Continue this process until you have added all the desired static entries.

    Tip: The SonicWALL DHCP server can assign a total of 254 dynamic and static IP addresses.

    Deleting Dynamic Ranges and Static Entries

    To remove a range of addresses from the dynamic pool, select it from the list of dynamic ranges and click Delete Range. When the range has been deleted, a message confirming the update is displayed at the bottom of the browser window. To remove a static address, select it from the list of static entries and click Delete Static. When the static entry has been deleted, a message confirming the update is displayed at the bottom of the browser window.

    DHCP Status

    A Status page is available to review DHCP Server Status and DHCP over VPN Status. The DHCP Server Status section reports the number of Current, Available Dynamic, and Available Static leases, as well as the Total leases. The DHCP over VPN Status section reports the number of Current Dynamic, Current Static, and the Total leases. Click the Status tab.

    (Screenshot: DHCP Status page, DHCP over VPN Status section, status "Ready".)

    The scrolling window shows the details on the curre
27. default, or Add New SA from the Security Association list. If you select Add New SA, a Name field is displayed that allows you to create a name for the SA, such as Boston Office, Corporate Site, etc. Select the type of security policy for the SA from the IPSec Keying Mode menu. You can select IKE using Preshared Secret, Manual Key, or IKE using Certificates. The IPSec Gateway Address field is used to configure the gateway for the security association.

    Disabling Security Associations

    You can choose to disable certain security associations and still allow access by remote VPN clients. The feature is useful if it is suspected that a remote VPN user connection has become unstable or insecure. It can also temporarily block access to the SonicWALL appliance if necessary. Disable the Security Association by checking the Disable this SA check box. Click Update to enable the change to take place.

    (Screenshot: VPN Configure page for an SA using IPSec Keying Mode "IKE using Preshared Secret". Fields shown: IPSec Gateway Name or Address; Exchange: Main Mode; Phase 1 DH Group: Group 2; SA Life time (secs): 28800; Phase 1 Encryption/Authentication: DES & MD5; Phase 2 Encryption/Authentication: Encrypt and Authenticate (ESP DES HMAC MD5); Shared Secret; options "Use this SA as default route for all Internet traffic", "Destination network obtains IP addresses using DHCP through this SA", and "Specify destination networks below" with Network, Subnet Mask, and Add New Network.)

    Advan
28. - IKE Info saves current information about active IKE configurations.

    Generating a Tech Support Report

    1. Select Tech Support Report from the Choose a diagnostic tool menu.

    (Screenshot: Tech Support Report tool: "This will save a special file to your local disk. This file can be emailed to SonicWALL technical support to help us assist you with your problem." Save Report button.)

    2. Select the Report Options to be included with your e-mail.

    3. Click Save Report to save the file to your system. When you click Save Report, a warning message is displayed: "You are about to export sensitive information in plaintext format." (Continue / Cancel)

    4. Click OK to save the file. Attach the report to your Tech Support Request e-mail.

    Trace Route

    Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on the Internet. By using Internet Control Message Protocol (ICMP) echo packets, similar to Ping packets, Trace Route can test interconnectivity with routers and other hosts that are farther and farther along the network path, until the connection fails or until the remote host responds.

    (Screenshot: Trace Route diagnostic page in the Web Management Interface.)
29. inappropriate usage without blocking Web access.

    Filter Protocols

    In addition to filtering access to Web sites, the SonicWALL can also block Newsgroups, ActiveX, Java, Cookies, and Web Proxies.

    Logging and Reporting

    Log Categories

    You can select the information you wish to display in the SonicWALL event log. You can view the event log from the SonicWALL Web Management Interface or receive the log as an e-mail file.

    Syslog Server Support

    In addition to the standard screen log, the SonicWALL can write detailed event log information to an external Syslog server. Syslog is the industry-standard method to capture information about network activity.

    ViewPoint Reporting (optional)

    Monitoring critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels, is an essential component of network security. SonicWALL ViewPoint complements the SonicWALL security features by providing detailed and comprehensive reports of network activity. SonicWALL ViewPoint is a software application that creates dynamic, Web-based network reports. ViewPoint reporting generates both real-time and historical reports to offer a complete view of all activity through your SonicWALL Internet Security Appliance.

    E-mail Alerts

    The SonicWALL can be configured to send alerts of high-priority events, such as attacks, system errors, and blocked Web sites. When these events occur, alerts can be immediately sent to an e-mail address or
30. (Screenshot: Network tab with NAT with L2TP Client selected. Fields shown: SonicWALL LAN IP Address 192.168.168.11; LAN Subnet Mask 255.255.255.0; LAN Subnets list (Network, Subnet Mask, Delete Subnet, Add LAN Subnet); "Obtain an IP address using DHCP" and "Use the specified IP address" options; WAN Gateway (Router) Address 10.0.0.254; SonicWALL WAN IP (NAT Public) Address 10.0.202.228; WAN Subnet Mask; DNS Server 1 10.50.128.52; DNS Server 2; L2TP settings; status "Ready".)

    2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.

    3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN. Use the default value, 255.255.255.0, if there are fewer than 254 computers on your LAN.

    4. If you obtain a WAN IP address from the L2TP server, select Obtain an IP address using DHCP. If you have WAN IP address information, select Use the specified IP address and enter your WAN information in the WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, and WAN Subnet Mask fields. Ent
31. keep overall network traffic more manageable, it also introduces another level of complexity. To communicate with a device on another network, one must go through a gateway that connects the two networks. Therefore, users must know the default gateway IP address. If there is no gateway in the network, use an IP address of 0.0.0.0 in fields that apply to a default gateway.

    Network Address Translation (NAT)

    NAT hides internal IP addresses by converting all internal host IP addresses to the IP address of the firewall as packets are routed through the firewall. The firewall then retransmits the data payload of the internal host from its own address, using a translation table to keep track of which sockets on the exterior interface equate to which sockets on the interior interface. To the Internet, all of the traffic on the network appears to come from the same computer.

    Nodes

    A node is a device, such as a PC or a printer, on a network with an IP address. The feature chart shows how many node licenses for PCs or printers are included with a SonicWALL Internet Security appliance. The TELE3 has a non-upgradeable 5-node license, but the SOHO3 is upgradeable to have 10, 50, or an unlimited number of node licenses. The PRO 100, PRO 200, and PRO 300 have an unlimited number of node licenses. The TELE3, SOHO3 10, and SOHO3 50 allow a maximum of 5, 10, or 50 LAN IP addresses, respectively, to exist on the LAN (Local Area Network). The licenses for the node
32. reports and enhancement requests for software support for a period of 90 days after the date of purchase.

    Software/Firmware Updates

    All software and firmware maintenance releases and updates are included for 90 days after the date of purchase. SonicWALL notifies administrators via electronic mail of new updates. The updates are delivered exclusively via the Web.

    Support Tools

    Warranty Support provides access to SonicWALL's Web-based support tools, including FAQs, documentation, and Knowledge Base systems.

    Availability

    This warranty is available only in the United States and Canada.

    Warranty Support (International)

    Included with all SonicWALL products, SonicWALL warranty support includes return-to-factory hardware replacement for one year. Warranty Support also includes technical support and software/firmware updates for 90 days. Coverage is provided during normal business hours.

    Coverage Hours

    Support is provided during standard business hours, 24 hours per day local time, seven days per week, including locally recognized SonicWALL holidays.

    Hardware Service

    Warranty Support includes the repair or replacement of failing hardware returned to the SonicWALL factory for a period of one year following the date of purchase. Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL. Upon receipt of the failed appliance
33. try pinging devices outside the ISP. This shows if the problem lies with the ISP connection.

    1. Select Ping from the Choose a diagnostic tool menu.

    (Screenshot: Ping tool with a "Ping the IP address" field and Go button.)

    2. Enter the IP address of the target device to ping and click Go. The test takes a few seconds to complete. Once completed, a message showing the results is displayed in the browser window.

    Tip: Ping requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host.

    Packet Trace

    The Packet Trace tool tracks the status of a communications stream as it moves from source to destination. This is a useful tool to determine if a communications stream is being stopped at the SonicWALL or is lost on the Internet. To interpret this tool, it is necessary to understand the three-way handshake that occurs for every TCP connection. The following displays a typical three-way handshake initiated by a host on the SonicWALL LAN to a remote host on the WAN:

    1. TCP received on LAN [SYN] From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a). The SonicWALL receives the SYN from the LAN client.

    2. TCP sent on WAN [SYN] From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a). The SonicWALL forwards the SYN from the LAN client to the remote host
34. which forces the currently Idle unit to become Active.

    To restart the active SonicWALL, log into the primary SonicWALL LAN IP Address, click Tools on the left side of the browser window, and then click Restart at the top of the window.

    (Screenshot: Tools > Restart page with the Restart SonicWALL button.)

    Click Restart SonicWALL, then Yes to confirm the restart. Once the active SonicWALL restarts, the other SonicWALL in the High Availability pair takes over operation.

    Alert: If the Preempt Mode checkbox has been checked for the primary SonicWALL, the primary unit takes over operation from the backup unit after the restart is complete.

    Configuration Notes

    - Changing Password: Do not change the password on the Backup firewall when it is in Idle condition. Changing the password prevents communication between the firewalls.
    - If you are configuring the SonicWALL in Standard mode on the network, an additional IP address is necessary for the High Availability configuration.
    - Auto Update: If Auto Update is enabled for firmware upgrades, the Primary SonicWALL should be upgraded first, and during the upgrade the backup SonicWALL should be disconnected from the LAN or turned off. When the firmware upgrade is
35. 192.168.168.200; Subnet Mask 255.255.255.0; Default Gateway 192.168.168.1.

    Windows 2000

    1. In Windows 2000, click Start, then Settings.

    2. Click Network and Dial-up Connections. Double-click the network connection name to open the Status window.

    (Screenshot: connection Status window, General tab: Connection Status Connected, Duration 1 day 18:54:11, Speed 100.0 Mbps, Activity Sent/Received packets 85,525 / 105,503, Disable and Properties buttons. Connection Properties window, General tab: the Ethernet adapter and the components used by this connection, including Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, and Internet Protocol (TCP/IP), with Install, Uninstall, and Properties buttons and the description "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks.")

    (Screenshot: Internet Protocol (TCP/IP) Properties, General tab: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Obtain an IP address automatically / Use the following IP address: IP address 192.168.168.200, Subnet mask, Default gate
36. 509 supported by the certificate, a certificate serial number, information about the user's public key, the Distinguished Name (DN), the validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA and the CA digital signature. To implement the use of certificates for VPN SAs, you must locate a source for a valid CA certificate from a third-party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL to validate your Local Certificates.

    Importing CA Certificates into the SonicWALL

    After your CA service has validated your CA Certificate, you can import it into the SonicWALL and use it to validate Local Certificates for VPN Security Associations. To import your CA Certificate into the SonicWALL, use the following steps:

    1. Click VPN, then CA Certificates.

    2. Click Browse and locate the PKCS#7 or DER-encoded file sent by the CA service.

    3. Click Open to set the directory path to the certificate, and then click Import to import the certificate into the SonicWALL. Once it is imported, you can view the Certificate Details.

    Certificate Details

    The Certificate Details section lists the following information:

    - Certificate Authority
    - Subject Distinguished Name
    - Certificate Issuer
    - Certificate Serial Number
    - Expiration Date
    - No CRL loaded / CRL Expires on

    The Certificate Iss
37. 51
    User Name and Password Functions ... 51
    Registering Your SonicWALL Internet Security Appliance ... 51
    Click Here Registration ... 51
    Quick Registration ... 52
    Status and Options ... 53
    Managing Your SonicWALL ... 54
    Renaming Your SonicWALL ... 54
    Transferring a SonicWALL Product ... 55
    Delete Product ... 56
    Managing Services for SonicWALL Internet Security Appliances ... 57
    Activating Services Using mySonicWALL.com ... 58
    4 Configuring the TELE3 SP Modem Connection ... 60
    Configuring the TELE3 SP WAN Failover Feature ... 60
    Configuring Modem Profiles ... 61
    Dial-Up Configuration ... 61
    ISP Settings ... 62
    Location Settings ... 62
    TELE3 SP Modem Configuration ... 64
    Modem S
38. Appendix B SonicWALL Support Solutions ... 257
    Appendix C Introduction to Networking ... 263
    Appendix D IP Port Numbers ... 268
    Appendix E Configuring TCP/IP Settings ... 269
    Appendix F Basic VPN Terms and Concepts ... 274
    Appendix G Erasing the Firmware ... 278
    Appendix H Mounting the SonicWALL PRO 200 and PRO 300 ... 279
    Appendix I Configuring RADIUS and ACE Servers ... 280

    Copyright Notice

    © 2002 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein can be trademarks and/or registered trademarks of their respective companies. Specifica
39. (Screenshot: Dial-Up Configuration page: DNS Servers (Obtain Automatically / Specify), Dial Retries per Phone Number 1, Delay Between Retries (seconds) 5, Chat Script, Delete This Dialup Profile; status "Ready".)

    Dial-Up Configuration

    The current profile is displayed in the Current Profile field. You can select a profile from the menu to edit the configuration, or create a new profile. To create a new profile, select Add New Profile from the menu and enter a name for the profile in the Name field. You can use names such as Home Office or Traveling to distinguish different profiles from each other. After you have created a name for your dial-up configuration, you must configure the ISP settings in the dial-up ISP Settings section and the Location Settings section.

    ISP Settings

    To configure your ISP settings, you must obtain your Internet information from your dial-up Internet Service Provider. Use the information to configure the following dial-up ISP Settings:

    Tip: If a specific prefix is used to access an outside line, such as 9, enter the number as part of the primary phone number.

    2. Enter the primary number used to dial your ISP in the Primary Phone Number field. Enter the secondary number used to dial your ISP in the Secondary Phone Number field (optional). Enter your dial-up ISP user name in
40. Debug Logs: NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators.

    Alerts / SNMP Traps

    Alerts are events, such as attacks, which warrant immediate attention. When events generate alerts, messages are immediately sent to the e-mail address defined in the Send alerts to field. Attacks and System Errors are enabled by default; Blocked Web Sites is disabled.

    - Attacks: Log entries categorized as Attacks generate alert messages.
    - System Errors: Log entries categorized as System Errors generate alert messages.
    - Blocked Web Sites: Log entries categorized as Blocked Web Sites generate alert messages.
    - VPN Tunnel Status: Log entries categorized as VPN Tunnel Status generate alert messages.

    Once you have configured the Log Settings window, click Update. Once the SonicWALL is updated, a message confirming the update is displayed at the bottom of the browser window.

    Reports

    The SonicWALL can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. Click Log on the left side of the browser window, and then click the Reports tab.
41. (Screenshot: mySonicWALL.com "Confirm mySonicWALL.com Subscription" page at https://www.mysonicwall.com/Registration.asp: "Please confirm the information provided. If you would like to modify any information, use the browser's Back button. Please note that password information is not displayed for security reasons." Shown: User Name SonicWALL_User; Personal Information: Jane Doe, 1234 Any Street, Anytown, CA 94588, United States, Phone 925-555-1212, e-mail anyone@anycompany.com; Contact Information; Time Zone (GMT -08:00) Pacific Time (US & Canada), Tijuana; Secret Question "World Series"; Answer "Winning Team".)

    9. If all the information is correct, click OK. A confirmation message appears notifying you that your account must be activated within 72 hours of creating it. You also receive an e-mail with your subscription code in it. Write your subscription code below.

    Subscription code: ____________

    (Screenshot: the subscription e-mail, sent Mon 12/3/2001 10:54 AM.)

    Note: For security reasons, the subscriber name and part of the subscription code are masked.

    10. Return to the mySonicWALL.com login screen, or alternatively, click on the link in the e
42. IP address. Enter 0.0.0.0 to accept all remote SonicWALLs with matching encryption and authentication keys. Enter the remote network subnet mask in the Destination Subnet Mask for NetBIOS broadcast field if Enable Windows Networking (NetBIOS) Broadcast is selected. Otherwise, enter 0.0.0.0 in the field. Click Update to add the remote network and close the VPN Destination Network window. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

    Click Advanced Settings and check the boxes that apply to your SA:

    - Enable Windows Networking (NetBIOS) broadcast, if the remote clients use Windows Network Neighborhood to browse remote networks.
    - Apply NAT and firewall rules, to apply NAT and firewall rules to the SA (or just firewall rules if in Standard mode).
    - Route all internet traffic through this SA, if forcing internet traffic from the WAN to use this SA to access a remote site.
    - Default LAN Gateway, if specifying the IP address of the default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box.
    - VPN Terminated at LAN, DMZ, or LAN/DMZ: select one of the three terminating points for the VPN tunnel.

    15. Click OK to close the Advanced Settings window. Then click Update to update the SonicWALL.

    Configuring the Second SonicWALL Appliance

    To configure the second Son
43. (Screenshot: Optional SonicWALL DHCP Server wizard page: "... IP addresses to assign to the network devices on your LAN. The address range must be in the same subnet as the SonicWALL Web management address, currently set to 192.168.168.1. The range below has already been set up. You may change it here if you wish. If you don't want to use the DHCP server, uncheck the Enable DHCP Server checkbox and click Next." Enable DHCP Server (checked); Beginning of LAN client address range 192.168.168.2; End of LAN client address range 192.168.168.254; Back / Next buttons.)

    9. The Optional SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select the Enable DHCP Server check box and specify the range of IP addresses that are assigned to computers on the LAN. If the Enable DHCP Server check box is not selected, the DHCP Server is disabled. Click Next to continue.

    Configuration Summary

    (Screenshot: SonicWALL Installation Wizard, Configuration Summary page: "The DHCP client will be used to obtain a dynamic Internet address. NAT is enabled. The SonicWALL LAN IP Address is 192.168.168.1." Print This Page. "If this is OK, click Next. If you would like to make a change, click Back." Back / Next / Cancel buttons.)

    10. The Configuration Sum
44. (Screenshot: Installation Wizard password page: "If you plan to manage your SonicWALL remotely using the SonicWALL Global Management System, check the following checkbox." Use Global Management System checkbox; Back / Next / Cancel buttons.)

    Alert: It is very important to choose a password which cannot be easily guessed by others.

    1. To set the password, enter a new password in the New Password and Confirm New Password fields. This window also displays the Use SonicWALL Global Management System check box.

    2. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue.

    Setting the Time and Date

    (Screenshot: Installation Wizard, Set your Time Zone page: "SonicWALL's internal clock will be automatically configured by accessing a Network Time server on the Internet. Please select your Time Zone from the pull-down menu." Pacific Time (US & Canada) (GMT -8:00); Back / Next / Cancel buttons.)

    3. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue.

    Connecting to the Internet

    (Screenshot: Installation Wizard, Connecting to the Internet page: "To complete the SonicWALL Installation Wizard, you must have the following information available:")
45. (Screenshot: Import Settings dialog: "This will load a configuration from a previously exported file. Your SonicWALL will need to be restarted if TCP/IP settings are changed." Import / Cancel buttons; status "Ready".)

    2. Click Browse to locate a settings file which was saved using Export.

    3. Select the file and click Import.

    4. Restart the SonicWALL for the settings to take effect.

    Alert: The Web browser used to Import Settings must support HTTP uploads. Microsoft Internet Explorer 5.0 and higher, as well as Netscape Navigator 4.0 and higher, are recommended.

    Restoring Factory Default Settings

    You can erase the SonicWALL configuration settings and restore the SonicWALL to its factory default state.

    1. Click Restore on the Preferences tab to restore factory default settings.

    (Screenshot: confirmation dialog: "Are you sure you want to erase all settings? Erasing all settings will set the SonicWALL configuration back to factory defaults. All settings except the password and IP address/mask will be reset.")

    2. Click Yes, and then restart the SonicWALL for the change to take effect.

    Alert: The SonicWALL LAN IP Address, LAN Subnet Ma
46. Individual Event Rate 94; Syslog Server 94; Syslog Server 1 94; Syslog Server Support 16; System Errors 95, 96; System Maintenance 95
    T: Tech Support Report 124; Tech Support Request Form 124; Temporary Lease Time 170; Third Party Digital Certificate 216; Time 88; Time of Day 104; Time users out 139; Trace Route 126; Tunnel 203; Twisted Pair 243
    U: Unique Firewall Identifier 178; Updating Firmware 117; Upgrade Key 119; URL List 101; Use Aggressive Mode 187; User Activity 95; Users 139
    V: View Data 97; View Log 91, 232; ViewPoint 236; VPN 17; VPN Client 17, 234; VPN Client Configuration File 194; VPN Destination Network 200; VPN Interface 178; VPN Logging 177; VPN Tunnel 177, 274; Vulnerability Scanning Service 235
    W: WAN Gateway (Router) Address 24; WAN IP Address 24; WAN Settings 78; WAN/DMZ Subnet Mask 24; Web Proxy Relay 149; Web Site Hits 97; Websense Enterprise 99; Websense Server Status 112; Windows Networking 129, 222; WINS Server 167, 174; WorkPort Default Gateway 167, 174
    X: X.509 217

    SonicWALL, Inc., 1143 Borregas Avenue, Sunnyvale, CA 94089-1306. T 408-745-9600, F 408-745-9300, www.sonicwall.com. © 2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
47. Instructions to obtain a dynamic IP address automatically, or
    - Static IP address(es), subnet mask, gateway, and DNS server addresses.

    This information is provided by your Internet Service Provider (ISP). If you are missing any of the information above, please contact your ISP.

    The Connecting to the Internet page lists the information required to complete the installation.

    Tip: Confirm that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages.

    4. Click the hyperlinks for definitions of the networking terms. Click Next to continue.

    Selecting Your Internet Connection

    (Screenshot: Installation Wizard, Connecting to the Internet page: "Select one of the following Network Addressing Modes. To connect to the Internet, your Internet Service Provider (ISP):" Assigned you a single static IP address / Assigned you two or more IP addresses / Provided you with desktop software, a user name and password (PPPoE) / Automatically assigns you a dynamic IP address (DHCP). "Please note: When the SonicWALL was powered on, it did not detect the presence of a PPPoE or a DHCP server on the Internet." Back / Next / Cancel buttons.)

    5. Select Provided you with desktop software, a user name and password (PPPoE) if your ISP has provided you with desktop software, a user name, and password information.
48. Internet at the corresponding public IP addresses.

    (Screenshot: One-to-One Network Address Translation Ranges section: Enable One-to-One NAT checkbox, Private Range Begin, Add Range.)

    You can create a relationship between internal and external addresses by defining internal and external address ranges. Once the relationship is defined, the computer with the first IP address of the private address range is accessible at the first IP address of the external address range, the second computer at the second external IP address, etc. To configure One-to-One NAT, complete the following instructions:

    1. Select the Enable One-to-One NAT check box.

    2. Enter the beginning IP address of the private address range being mapped in the Private Range Begin field. This is the IP address of the first machine that is accessible from the Internet.

    3. Enter the beginning IP address of the valid address range being mapped in the Public Range Begin field. This address should be assigned by your ISP.

    Alert: Do not include the SonicWALL WAN IP (NAT Public) Address or the WAN Gateway (Router) Address in this range.

    4. Enter the number of public IP addresses that should be mapped to private addresses in the Range Length field. The range length can not exceed the number of valid IP addresses. Up to 64 ranges can be added. To map a single address, enter a Range Length of 1.

    5. Click Update. Once the SonicWALL has been updated, a message confirming the update is dis
Select Client for Microsoft Networks from the list and then click Properties.

[Screenshot: Network dialog, Configuration tab, listing the installed network components (Client for Microsoft Networks, Dial-Up Adapter, PCI Fast Ethernet Adapter, TCP/IP bindings for each adapter, File and printer sharing for Microsoft Networks) and the Primary Network Logon selection.]

Select the Logon to Windows NT Domain check box and enter the domain name provided by your administrator into the Windows NT domain text box. Select Quick Logon under the Network logon options section.

[Screenshot: Client for Microsoft Networks Properties, General tab. Logon validation: "When you log on, your password will be verified on a Windows NT domain." Network logon options: Quick logon ("Windows logs you onto the network, but network drives are not reconnected until you use them") or Logon and restore network connections ("When you log onto the network, Windows verifies that each network drive is ready for use").]

Click on the Identification tab and enter the domain name provided by your administrator in the Workgroup text box.

[Screenshot: TCP/IP Properties, with the Bindings, Advanced, NetBIOS, DNS Configuration, Gateway, WINS Configuration and IP Address tabs.]
Server 1
- DNS Server 2
- DNS Server 3
- Current Active Dial-Up Profile
- Current Connection Speed
If the modem is inactive, the Status page displays a list of possible reasons that your modem is inactive. When the modem is active, the network settings from the ISP are used for WAN access. If you click General, then Network, a message is displayed reminding you that the modem is active, and the current network settings are displayed on the Modem Status page.

Chat Scripts

Some legacy servers can require company-specific chat scripts for logging onto the dial-up servers. A chat script, like other types of scripts, automates the act of typing commands using a keyboard. It consists of commands and responses made up of groups of expect-response pairs, as well as additional control commands used by the chat script interpreter on the TELE3 SP. The TELE3 SP uses a default chat script that works with most ISPs, but your ISP may require a chat script with specific commands to chat with their server. If an ISP requires a specific chat script, it is typically provided to you with your dial-up access information. The default chat script for the TELE3 SP has the following commands:

ABORT "NO DIALTONE" ABORT "BUSY" ABORT "NO CARRIER" "" "ATQ0 ATE0 ATM1 ATL0 ATV1" OK "ATDT\T" CONNECT "\d\c"

The first three commands direct the chat script interpreter to abort i
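To make the expect-response structure concrete, here is a small chat-script interpreter in Python, added as an example (it is not the TELE3 SP's interpreter). It parses the ABORT strings and the expect/send pairs of the default script, resolves the escapes that script uses (\T for the phone number, \d for a pause, \c for "no trailing newline") and drives the script against a list of modem replies. The modem replies and the phone number are constructed here, not captured from hardware.

```python
"""Chat-script interpreter run against a simulated modem (added example)."""
import re

DEFAULT_SCRIPT = ('ABORT "NO DIALTONE" ABORT "BUSY" ABORT "NO CARRIER" '
                  '"" "ATQ0 ATE0 ATM1 ATL0 ATV1" OK "ATDT\\T" CONNECT "\\d\\c"')

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(script: str):
    """Split on whitespace, keeping double-quoted strings (including "") as one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(script)]


def parse_chat(script: str):
    """Return (abort_strings, [(expect, send), ...])."""
    tokens = tokenize(script)
    aborts, pairs = [], []
    i = 0
    while i + 1 < len(tokens):
        if tokens[i] == "ABORT":
            aborts.append(tokens[i + 1])
        else:
            pairs.append((tokens[i], tokens[i + 1]))
        i += 2
    return aborts, pairs


def expand_send(send: str, phone: str) -> str:
    """Resolve \\T (phone number), \\d (pause) and \\c (no newline) in a send string."""
    return send.replace("\\T", phone).replace("\\d", "").replace("\\c", "")


def run_chat(script: str, modem_replies, phone: str = "5551212"):
    """Drive the script against a list of modem reply lines.

    Returns (connected, transcript): '->' lines are what we sent, '<-' what
    the modem said. Running out of replies is treated as a timeout.
    """
    aborts, pairs = parse_chat(script)
    replies = iter(modem_replies)
    transcript = []
    for expect, send in pairs:
        if expect:                                   # "" means: send without waiting
            while True:
                line = next(replies, None)
                if line is None:
                    transcript.append(f"timeout waiting for {expect!r}")
                    return False, transcript
                transcript.append("<- " + line)
                if any(a in line for a in aborts):   # an ABORT string ends the dialogue
                    transcript.append(f"ABORT on {line!r}")
                    return False, transcript
                if expect in line:
                    break
        text = expand_send(send, phone)
        if text:
            transcript.append("-> " + text)
    return True, transcript
```

A script your ISP supplies can be checked the same way: feed it the replies you expect their server to produce and confirm the transcript ends in the CONNECT exchange rather than an ABORT or a timeout.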
Setup window, click DHCP on the left side of the browser window. There are three tabs in the DHCP section: Setup, DHCP over VPN and Status.

Setup

Disable DHCP Server is the default setting in the SonicWALL.

Allow DHCP Pass Through (in Standard Mode)

Network administrators can have a DHCP server located outside the SonicWALL Internet Security appliance. To enable this feature in the SonicWALL appliance, follow these steps:
1. Click DHCP on the management interface. On the Setup tab, select Disable DHCP Server.
2. Select the Allow DHCP Pass Through check box.

[Screenshot: DHCP Setup tab, showing Disable DHCP Server, Allow DHCP Pass Through, Enable DHCP Server, Lease Time, LAN Default Gateway, Subnet Mask (255.255.255.0), Domain Name, Set DNS Servers using SonicWALL's Network settings or Specify Manually (DNS Server 1 to 3), WINS Server 1 and 2, Dynamic Ranges (Range Start, Range End, Allow BootP clients to use range; BootP-capable ranges are marked), and Static Entries (Static IP Address, Ethernet Address, for example 00:40:2b:12:34:56).]
Strong Encrypt (ESP 3DES) as the Encryption Method. Write the Encryption Key down, or use cut and paste to copy it to a Notepad window.
10. Click Add New Network. Enter the IP address 192.168.22.1 in the Range Start field. Enter the IP address 192.168.22.254 in the Range End field. This Range End value is appropriate even if NetBIOS broadcast support is enabled. Leave the subnet mask field blank. Click Update.
11. Click Advanced Settings and select the features that apply to the SA:
- Enable Windows Networking (NetBIOS) broadcast, if the remote clients use Windows Network Neighborhood to browse remote networks.
- Apply NAT and firewall rules, to apply NAT and firewall rules to the SA (or just firewall rules if in Standard mode).
- Route all internet traffic through this SA, if forcing Internet traffic from the WAN to use this SA to access a remote site.
- Default LAN Gateway, if specifying the IP address of the default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box.
- VPN Terminated at LAN, DMZ, or LAN/DMZ: select one of the three terminating points for the VPN tunnel.
12. Click OK and then click Update.

Configuring the Remote SonicWALL

To configure the remote SonicWALL, use the following steps:
1. Configure the network settings
TZX to the WorkPort, HomePort and WAN using Twisted Pair cable with RJ-45 connectors.
- Power Input: Connects to the external power supply that is provided with the SonicWALL TZX. The use of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TZX against damage or loss of data due to electrical storms, power failures or power surges.

SonicWALL SOHO3 and TELE3 Front Panel

The SonicWALL SOHO3 front panel is shown below, followed by a description of each item. The SonicWALL TELE3 is identical to the SonicWALL SOHO3 except for the TELE3 label on the front panel and the inclusion of SonicWALL VPN.

[Front panel: Power LED, Test LED, LAN Port LEDs (Link, 100, Activity), WAN Port LEDs (Link, 100, Activity).]

SonicWALL SOHO3 and TELE3 Front Panel Description
- Power: Lights up when power is applied to the SonicWALL SOHO3 or SonicWALL TELE3.
- Test: Lights up when the SonicWALL is first powered up and performing diagnostic tests to check for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time, the software is corrupt and must be reinstalled.
- There are two Ethernet ports, one each for the LAN and WAN. Each port has the following LEDs:
- Link: Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or directly connected to a computer. Note that the connected Ethernet device must support the standard Link Inte
WorkPort computers to access the Internet in the WorkPort Default Gateway field. Enter the SonicWALL WorkPort IP Address if NAT is enabled. If configuring the DHCP server for the HomePort, enter the gateway address used by HomePort computers to access the Internet in the HomePort Default Gateway field. Enter the SonicWALL HomePort IP Address if NAT is enabled.
7. Enter the domain name registered for your network in the Domain Name field. An example of a domain name is your-domain.com. If you do not have a domain name, leave this field blank.
8. Select Set DNS Servers using the SonicWALL Network settings to use the DNS servers that you specified in the SonicWALL Network section. If you want to use different DNS servers than the ones specified in the SonicWALL Network section, select Specify Manually.
9. Enter your DNS Server addresses in the DNS Server 1, DNS Server 2 and DNS Server 3 fields. The DNS servers are used by computers on your WorkPort to resolve domain names to IP addresses. You need only enter one DNS Server address, but multiple DNS entries improve performance and reliability.
10. Enter your WINS Server address(es) in the WINS Server 1 and WINS Server 2 fields. WINS Servers resolve Windows-based computer names to IP addresses. If you do not have a WINS server, leave these fields blank.
Dynamic Ranges are the ranges of IP addresses dynamically assigned by the DHCP server. The Dynamic Ranges should be in the same subnet as the SonicWAL
a single static IP address
- Assigned you two or more IP addresses
- Provided you with desktop software, a user name and password (PPPoE)
- Automatically assigns you a dynamic IP address (DHCP)
Please note: When the SonicWALL was powered on, it did not detect the presence of a PPPoE or a DHCP server on the Internet.
6. Select the option Automatically assigns you a dynamic IP address (DHCP).
7. The Obtain an IP address automatically page is displayed.

[Screenshot: SonicWALL Installation Wizard, Obtain an IP address automatically page:] "If your ISP has not provided you with any static IP addresses, then they probably told you that you will obtain an IP address automatically. SonicWALL can do this using its DHCP client. If this sounds correct to you, then click Next. Otherwise, click Back to choose another option. If you're not sure, please contact your ISP for clarification. Note: If you select this option, the Wizard will enable Network Address Translation (NAT) to share the IP address among the PCs and other network devices on your Local Area Network (LAN). If you want to continue and use NAT, click Next. Otherwise, click Back to select another option."

The Obtain an IP address automatically page states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm this, click Next.
a value for the Route Tag. This value is implementation dependent and provides a mechanism for routers to classify the originators of RIPv2 advertisements. This field is optional.

RIPv2 Authentication

You can enable RIPv2 Authentication by selecting the type of authentication from the menu:
- User defined: Enter 4 hex digits in the Authentication Type (4 hex digits) field. Enter 32 hex digits in the Authentication Data (32 Hex Digits) field.
- Cleartext Password: Enter a password in the Authentication Password (Max 16 Chars) field. A maximum of 16 characters can be used to define a password. As the name says, this password travels unencrypted in every advertisement; it guards against accidental misconfiguration, not against an attacker who can see traffic on the segment.
- MD5 Digest: Enter a numerical value from 0 to 255 in the Authentication Key-Id (0-255) field. Enter a 32 hex digit value for the Authentication Key (32 hex digits) field, or use the generated key.

DMZ Route Advertisement

All of the information and configuration instructions for LAN Route Advertisement apply to DMZ Route Advertisement configuration.

DMZ Addresses

Note: For the SonicWALL PRO 100, PRO 200, PRO 300, PRO 230, PRO 330 and GX series only.

The SonicWALL provides security by preventing Internet users from accessing machines on the LAN. This security, however, also prevents users from reaching public servers such as Web or e-mail servers. The SonicWALL offers a special DMZ (Demilitarized Zone) port that provides Internet access to network servers. The DMZ sits between the local network and the Internet. Servers on the DMZ are publicly
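The difference between the Cleartext Password and MD5 Digest options is easiest to see on the wire. The following Python is an added example, not SonicWALL code: it builds a RIPv2 response with each authentication type using the packet layouts of RFC 2453 (RIPv2) and RFC 2082 (keyed MD5), and verifies the MD5 variant the way a receiver would. The routes, password, Key-Id, key and sequence number are made up here. The point it demonstrates: the 16-byte password is a literal field in the cleartext packet, whereas with MD5 only a digest of packet-plus-key is sent, so a forged or altered advertisement fails verification without the key.

```python
"""RIPv2 authentication on the wire: Cleartext Password vs MD5 Digest (added example)."""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 2, 3, 1


def route_entry(prefix, next_hop="0.0.0.0", metric=1, tag=0) -> bytes:
    """One 20-byte RIPv2 route entry (AFI, route tag, address, mask, next hop, metric)."""
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!HH4s4s4sI", AFI_IP, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.IPv4Address(next_hop).packed, metric)


def rip_cleartext(routes, password: str) -> bytes:
    """Cleartext Password (max 16 chars): the password itself is a field in the packet."""
    pw = password.encode("ascii")
    if len(pw) > 16:
        raise ValueError("RIPv2 simple password is at most 16 characters")
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, pw.ljust(16, b"\x00"))
    return header + auth + b"".join(route_entry(*r) for r in routes)


def _md5_key(key_hex: str) -> bytes:
    key = bytes.fromhex(key_hex)
    if len(key) > 16:
        raise ValueError("Authentication Key is at most 32 hex digits (16 bytes)")
    return key.ljust(16, b"\x00")


def rip_md5(routes, key_id: int, key_hex: str, seq: int) -> bytes:
    """MD5 Digest (Key-Id 0-255, 32 hex digit key): only a digest of packet+key is sent."""
    if not 0 <= key_id <= 255:
        raise ValueError("Authentication Key-Id must be 0-255")
    key = _md5_key(key_hex)
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(route_entry(*r) for r in routes)
    pkt_len = 4 + 20 + len(body)                 # offset of the authentication trailer
    auth = struct.pack("!HHHBBIII", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq, 0, 0)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # RFC 2082: digest = MD5(packet with the padded key in place of the digest field)
    digest = hashlib.md5(header + auth + body + trailer_hdr + key).digest()
    return header + auth + body + trailer_hdr + digest


def verify_md5(packet: bytes, keys: dict) -> bool:
    """Receiver side: select the key by Key-Id, recompute, compare in constant time."""
    if len(packet) < 44:
        return False
    afi, atype, pkt_len, key_id = struct.unpack("!HHHB", packet[4:11])
    if afi != AFI_AUTH or atype != AUTH_MD5 or pkt_len + 20 != len(packet):
        return False
    if key_id not in keys:
        return False
    key = _md5_key(keys[key_id])
    expected = hashlib.md5(packet[:pkt_len + 4] + key).digest()
    return hmac.compare_digest(expected, packet[pkt_len + 4:])
```

The sequence number in the MD5 header is what lets a receiver reject replayed advertisements; the SonicWALL generates it for you, but when you are reading captures it is the field to watch for going backwards.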
accessible, but they are protected from attacks such as SYN Flood and Ping of Death. Use of the DMZ port is optional.

Tip: If you are configuring the SonicWALL SOHO3 or the SonicWALL TELE3, please go to Chapter 8, Network Access Rules, for information about setting up publicly accessible servers.

Using the DMZ is a strongly recommended alternative to placing servers on the WAN port, where they are not protected, or establishing public LAN servers.

Click Advanced on the left side of the browser window and then click DMZ Addresses.

Servers on the DMZ must have unique, valid IP addresses in the same subnet as the SonicWALL WAN IP Address. Your ISP should be able to provide these IP addresses as well as information on setting up public servers.

DMZ in Standard Mode

To configure DMZ Addresses, complete the following instructions:
1. Enter the starting IP address of your valid IP address range in the From Address field.
2. Enter the ending IP address of your valid IP address range in the To Address field.
Alert: You can enter an individual IP address in the From Address field only.
3. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. If you receive an error when you click Update, confirm tha
appliance, SonicWALL ships a fully functional replacement appliance to you. The replacement appliance is equivalent to a new appliance. SonicWALL does not accept failed appliances without a valid RMA number.

Software/Firmware Support: SonicWALL logs, tracks, prioritizes and resolves software, firmware and/or documentation bug reports and enhancement requests for software support under this agreement. SonicWALL Support 8X5 includes priority escalation based on problem severity. Support for software, firmware and documentation is limited to the most current version and the immediate prior revision.

Software/Firmware Updates: All software and firmware maintenance releases and updates are included with this agreement. SonicWALL notifies administrators via electronic mail of new updates. The updates are delivered exclusively via the Web.

Support Tools: SonicWALL Support 8X5 provides access to SonicWALL's Web-based support tools, including FAQs, documentation and Knowledge Base systems.

Availability: SonicWALL Support 8X5 is an annual service available for sale at the time of product purchase or any time before warranty expiration.

Appendix C: Introduction to Networking

This appendix provides a non-technical overview of the network protocols supported by the SonicWALL and includes a discussion of Internet Protocol (IP) addressing. It can be helpful to review a b
as a range.

Intranet Settings

Select one of the following four options:
- SonicWALL WAN link is connected directly to the Internet router: Select this option if the SonicWALL is protecting your entire network. This is the default setting.
- Specified address ranges are attached to the LAN link: Select this option if it is easier to specify the devices on your LAN. Then enter your LAN IP address range(s). If you do not include all computers on your LAN, the computers not included will be unable to send or receive data through the SonicWALL.
- Specified address ranges are attached to the WAN link: Select this option if it is easier to specify the devices on your WAN. Then enter your WAN IP address range(s). Computers connected to the WAN port that are not included are inaccessible to users on your LAN.

Add Range: To add a range of addresses, such as 199.2.23.50 to 199.2.23.54, enter the starting address in the From Address field and the ending address in the To Address field. An individual IP address should be entered in the From Address field only.

Tip: Up to 64 address ranges can be entered.

3. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

VPN Single Armed Mode (stand-alone VPN gateway)

Note: This feature is available only on the PRO 100, 200, 300, 230, 330 and GX series.

VPN Single Armed Mode allows you to depl
at a central site in conjunction with a remote site using the Route all internet traffic through this SA check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

VPN Terminated at the LAN, DMZ, or LAN/DMZ

Selecting this option allows you to terminate a VPN tunnel on a specific destination instead of allowing the VPN tunnel to terminate on the SonicWALL network. By terminating the VPN tunnel to a specific destination, the VPN tunnel has access to a specific portion of the destination LAN or DMZ network.

Advanced Settings for VPN Configurations

The following table lists the available settings for each VPN configuration. The boxes checked are applicable to the given configuration mode. Group VPN Group VPN i us
b, c, d, e, f). For example, a valid key would be 1234567890abcdef12345678.

Security Parameter Index (SPI)

The SPI is used to establish a VPN tunnel. The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network encryption and keys associated with the SPI to establish the tunnel. The SPI must be unique, is from one to eight characters long, and is comprised of hexadecimal characters. Valid hexadecimal characters are 0 to 9 and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, valid SPIs would be 999 or 1234abcd.

Appendix G: Erasing the Firmware

There can be instances when it is necessary to reset the SonicWALL to its factory clean state, if the following events happen to the appliance:
- The administrator password is forgotten.
- The firmware has become corrupt and you cannot contact the Management Interface.
- The test light comes on and stays on for more than a few minutes.
During the troubleshooting process you must start from a known state. Once the firmware is erased, new firmware must be loaded and the SonicWALL must be reconfigured. The following procedure erases all settings and reverts the unit to the factory default state. It is necessary to follow the initial configuration procedures detailed in this manual's QuickStart section to reconfigure the SonicWALL. If you need the firmware, download it from <http://firmwar
bandwidth use by IP address and service
- Identifies inappropriate Web use
- Presents detailed reports of attacks
- Collects and aggregates system and network errors

8 Content Filtering and Blocking

Internet content filtering allows you to create and enforce Internet access policies tailored to the needs of your organization. You can block harmful Web applications from entering your network, and select Web content categories to block or monitor, such as pornography or racial intolerance, from a pre-defined Content Filter List. There are three Content Filter Lists available for use with your SonicWALL:
- SonicWALL: Selecting SonicWALL for the Content Filter List Type allows you to use the SonicWALL Content Filter List (optional upgrade) and completely customize your Content Filter features, including allowed and forbidden domains as well as content filtering using keywords.
Tip: When you register your SonicWALL at <http://www.mysonicwall.com>, you can download a one-month subscription to the SonicWALL Content Filter List updates.
- N2H2: N2H2 is a third-party content filter software package supported by SonicWALL. You can obtain more information on N2H2 at http://www.n2h2.com. If you select N2H2 from the list, an N2H2 tab is available to configure the location of the N2H2 server and other settings.
- Websense Enterprise: Websense Enterprise is also a third
browser window.

Understanding the Access Rule Hierarchy

The rule hierarchy has two basic concepts:
1. Specific rules override general rules.
- An individual service is more specific than the Default service.
- A single Ethernet link, such as LAN or WAN, is more specific than all (*).
- A single IP address is more specific than an IP address range.
2. Equally specific Deny rules override Allow rules.

Rules are displayed in the Current Network Access Rules list from the most specific to the least specific, and rules at the top override rules listed below. For example, consider the section of the Rules window shown below.

Current Network Access Rules
#  Action  Service      Source                    Destination           Time            Day
1  Deny    Chat (IRC)   192.168.168.5 (LAN)       145.178.90.55 (WAN)   9:00 to 17:00   Mon to Fri
2  Allow   Web (HTTP)   10.0.0.2-10.0.0.4 (WAN)   10.200.0.1 (LAN)
3  Allow   Lotus Notes  LAN                       WAN
4  Allow   Default      LAN                       WAN
5  Allow   Default      WAN                       145.178.90.55 (WAN)   7:00 to 18:00   Mon to Fri
6  Deny    Default      *                         LAN
7  Allow   Default      LAN                       *
8  Allow   Default      *                         *

The Default Allow Rule (7) at the bottom of the page allows all traffic from the LAN to the WAN. However, Rule 1 blocks IRC Chat traffic from a computer on the LAN to a server on the WAN. The Default Deny Rule (6) blocks all traffic from the WAN to the LAN; however, Rule 2 overrides this rule by allowing Web traffic from the WAN to the
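To check your own understanding of the hierarchy against a concrete packet, here is an added Python example (not SonicWALL code) that orders the rule table above by specificity and evaluates sample traffic against it. The guide gives only the three "more specific than" relations and the Deny-over-Allow tie-break; the numeric scores (single IP 3, range 2, interface 1, any 0, plus 1 for a named service) are our encoding of those statements, and the fail-closed result when nothing matches is our choice. Row 5 is transcribed as printed; the sample packets and the "@ZONE" notation for an address within an interface are constructed here.

```python
"""Access-rule ordering and evaluation for the rule table above (added example)."""
import ipaddress
from dataclasses import dataclass

ANY = "*"
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str           # "Allow" or "Deny"
    service: str          # "Default" matches every service
    src: str              # "*", "LAN", "WAN", "a.b.c.d@ZONE" or "a.b.c.d-a.b.c.e@ZONE"
    dst: str
    hours: tuple = None   # (start_hour, end_hour), None = always
    days: tuple = None    # e.g. WEEKDAYS, None = every day


def endpoint_specificity(spec: str) -> int:
    """Single IP (3) > address range (2) > one interface (1) > any (0)."""
    if spec == ANY:
        return 0
    if "@" not in spec:
        return 1
    return 2 if "-" in spec.split("@")[0] else 3


def specificity(rule: Rule) -> tuple:
    """Sort key: most specific first, then Deny before Allow among equals."""
    service = 0 if rule.service == "Default" else 1
    score = service + endpoint_specificity(rule.src) + endpoint_specificity(rule.dst)
    return (score, 1 if rule.action == "Deny" else 0)


def endpoint_matches(spec: str, ip: str, zone: str) -> bool:
    if spec == ANY:
        return True
    if "@" not in spec:
        return spec == zone
    ipspec, want_zone = spec.split("@")
    if want_zone != zone:
        return False
    addr = ipaddress.IPv4Address(ip)
    if "-" in ipspec:
        lo, hi = (ipaddress.IPv4Address(x) for x in ipspec.split("-"))
        return lo <= addr <= hi
    return addr == ipaddress.IPv4Address(ipspec)


def time_matches(rule: Rule, when) -> bool:
    day, hour = when
    if rule.days and day not in rule.days:
        return False
    if rule.hours and not rule.hours[0] <= hour < rule.hours[1]:
        return False
    return True


def decide(rules, service, src, dst, when):
    """src/dst are (ip, zone); when is (day, hour). Returns (action, rule number)."""
    for r in sorted(rules, key=specificity, reverse=True):
        if r.service not in ("Default", service):
            continue
        if not (endpoint_matches(r.src, *src) and endpoint_matches(r.dst, *dst)):
            continue
        if not time_matches(r, when):
            continue
        return r.action, r.number
    return "Deny", None   # nothing matched: fail closed (our choice, not from the guide)


# The table from the guide, transcribed; row 5 is kept as printed.
RULES = [
    Rule(1, "Deny", "Chat (IRC)", "192.168.168.5@LAN", "145.178.90.55@WAN", (9, 17), WEEKDAYS),
    Rule(2, "Allow", "Web (HTTP)", "10.0.0.2-10.0.0.4@WAN", "10.200.0.1@LAN"),
    Rule(3, "Allow", "Lotus Notes", "LAN", "WAN"),
    Rule(4, "Allow", "Default", "LAN", "WAN"),
    Rule(5, "Allow", "Default", "WAN", "145.178.90.55@WAN", (7, 18), WEEKDAYS),
    Rule(6, "Deny", "Default", ANY, "LAN"),
    Rule(7, "Allow", "Default", "LAN", ANY),
    Rule(8, "Allow", "Default", ANY, ANY),
]
```

Note what the time window does: the same IRC packet that Rule 1 denies at 10:00 on a Tuesday falls through to a general LAN-to-WAN Allow rule at 20:00 or on a Saturday, which is the behaviour to expect from a time-limited Deny.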
computer. Now that you have generated the Certificate Request, you can send it to your CA service for validation.

Importing a Signed Local Certificate

When the CA service returns the signed certificate request generated locally, import it into the SonicWALL using the following steps:
1. In the Current Certificates section of Local Certificates, select the corresponding request from the Certificates menu.
2. Click Browse and select the .der file from the Choose File dialogue box.
3. Click Import Certificate. The certificate is now updated to Verified, and you can now use it for a VPN SA using a third party certificate.

Configuring a VPN Security Association using IKE and a Third Party Certificate

To create a VPN SA using IKE and third party certificates, follow these steps:
1. Click VPN, then Configure.
2. In the Add/Modify IPSec Associations section, select IKE using 3rd Party Certificates from the IPSec Keying Mode menu.
3. Enter a Name for the Security Association in the Name field.
4. Select a certificate from the Select Certificate list.
5. Enter the Gateway address in the IPSec Gateway Address field.
6. In the Security Policy section, select the type of DH group from the Phase 1 DH Group menu.
7. The SA Lifetime (secs) automatically defaults to 28800 seconds (8 hours).
8. Select the type of Phase 1 Encryption/Authentication from the menu.
9. Select the type of Phase 2 Encryption/Authenticati
detected, the packet is then routed to the appropriate destination. If no match is detected, the SonicWALL checks for the presence of an SA using this configuration. If an SA is detected, the packet is sent using that SA. If there is no SA with this option enabled, and if the destination does not match any other SA, the packet goes unencrypted to the WAN.

Enable Perfect Forward Secrecy

The Enable Perfect Forward Secrecy check box increases the renegotiation time of the VPN tunnel. By enabling Perfect Forward Secrecy, a hacker using brute force to break encryption keys is not able to obtain other or future IPSec keys. During the phase 2 renegotiation between two SonicWALL appliances, or a Group VPN SA, an additional Diffie-Hellman key exchange is performed. Enable Perfect Forward Secrecy adds incremental security between gateways.

Phase 2 DH Group

If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a key agreement protocol) to be used during phase 2 of the authentication process to establish pre-shared keys. Groups 1, 2 and 5 use Modular Exponentiation with different prime lengths, as listed below.

Group Descriptor   Prime Size (bits)
1                  768
2                  1024
5                  1536

If network connection speed is an issue, select Group 1. If network security is an issue, select Group 5. To compromise between speed and security, select Group 2. Bear in mind that a 768-bit prime is no longer considered adequate against a well-resourced attacker; prefer the largest group both peers support.

Default LAN Gateway

A Default LAN Gateway is used
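What the extra phase 2 Diffie-Hellman exchange buys is easier to see in code than in prose. The following Python is an added example, not SonicWALL code: it mirrors the IKEv1 quick-mode derivation from RFC 2409, KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni | Nr), where the bracketed DH secret is present only with PFS, and then asks what an attacker who later recovers the phase 1 secret SKEYID_d (the brute-force case the text mentions) can recompute from a capture. The group is a toy 127-bit Mersenne prime so the block runs instantly, not Group 1, 2 or 5; the SPIs are made up; nothing here is a usable IPSec implementation.

```python
"""Why PFS changes what a recovered phase 1 secret is worth (added example)."""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # toy modulus (a known prime); real groups are 768-1536 bits
G = 3
ESP = b"\x03"       # IKEv1 protocol identifier for ESP


def dh_keypair(rand=secrets.randbelow):
    x = rand(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    return pow(peer_pub, x, P).to_bytes(16, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def phase2_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gqm_xy: bytes = b"") -> bytes:
    """Quick-mode key material; gqm_xy is empty without PFS, a fresh DH secret with it."""
    return prf(skeyid_d, gqm_xy + ESP + spi + ni + nr)


def negotiate(pfs: bool, rand=secrets.randbelow):
    """One phase 1 exchange followed by two phase 2 renegotiations.

    Returns (skeyid_d, phase 2 keys, what a passive eavesdropper captured).
    """
    xa, pa = dh_keypair(rand)
    xb, pb = dh_keypair(rand)
    assert dh_shared(xa, pb) == dh_shared(xb, pa)
    skeyid_d = prf(dh_shared(xa, pb), b"SKEYID_d")          # phase 1 secret
    captured, keys = [], []
    for spi in (b"\x00\x00\x03\xe7", b"\x00\x00\x03\xe8"):   # two successive SAs
        ni = rand(2**64).to_bytes(8, "big")
        nr = rand(2**64).to_bytes(8, "big")
        if pfs:
            qa, qpa = dh_keypair(rand)                         # fresh exponents, never reused
            qb, qpb = dh_keypair(rand)
            gqm = dh_shared(qa, qpb)
            captured.append((spi, ni, nr, qpa, qpb))          # only the public values leak
        else:
            gqm = b""
            captured.append((spi, ni, nr, None, None))
        keys.append(phase2_keymat(skeyid_d, spi, ni, nr, gqm))
    return skeyid_d, keys, captured


def attacker_recovers(skeyid_d: bytes, captured) -> list:
    """Given SKEYID_d and the capture, which phase 2 keys can be recomputed?"""
    recovered = []
    for spi, ni, nr, qpa, qpb in captured:
        if qpa is None:               # no PFS: every input to the prf is now known
            recovered.append(phase2_keymat(skeyid_d, spi, ni, nr))
        else:                         # PFS: the quick-mode private exponents are gone
            recovered.append(None)
    return recovered
```

Without PFS the attacker's list is byte-for-byte the set of real phase 2 keys, past and future, for as long as the phase 1 SA lives; with PFS each renegotiation needs a discrete logarithm in the chosen group, which is why the group size (and the caveat about Group 1) matters.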
established no secure connections and is transmitting unsecured data.
- Your computer has established at least one secure connection but is not transmitting any data.
- Your computer has established at least one secure connection and is transmitting only unsecured data.
- Your computer has established at least one secure connection and is transmitting only secured data.
- Your computer has established at least one secure connection and is transmitting both secured and unsecured data.

Manual Key Configuration for the SonicWALL and VPN Client

Configuring the SonicWALL

To configure the SonicWALL appliance, click VPN on the left side of the browser window and select Enable VPN to allow the VPN connection.

[Screenshot: VPN Summary page. Unique Firewall Identifier 0040100F1429. Enable VPN (selected); Disable all VPN Windows Networking (NetBIOS) broadcast; Enable Fragmented Packet Handling. Advanced: Enable NAT Traversal, Keep Alive interval (seconds) 240; Enable IKE Dead Peer Detection, Dead Peer Detection Interval (seconds) 60, Failure Trigger Level (missed heartbeats) 3; High Availability (settings below will not take effect until enabled).]
for example, 192.168.168.

Multiple LAN Subnet Mask Support

Alert: This feature does not replace or substitute configuring routes with the Routes tab in the Advanced section of the SonicWALL. If you have to define a subnet on the other side of a router, you must define a static route using the Routes tab in the Advanced section.

Multiple LAN Subnet Mask Support facilitates the support of legacy networks incorporating the SonicWALL, and makes it easier to add additional nodes if the original subnet is full. Before you can configure multiple local LAN subnets in the SonicWALL, you must have the following information:
- Network Gateway Address: This is an IP address assigned to the SonicWALL in addition to the existing LAN IP address. If you have configured your SonicWALL in Standard mode, the IP address should be the Default Gateway IP address assigned to your Internet router on the same subnet. All users on the subnet you are configuring must use this IP address as their default router (gateway) address.
- Subnet Mask: This value defines the size and, based upon the Network Gateway entry, the scope of the subnet. If you are configuring a subnet mask that currently exists on the LAN, enter the existing subnet mask address into the Subnet Mask field. If you are configuring a new subnet mask, use a subnet mask that does not overlap any previously defined subnet masks.

Alert: The SonicWALL cannot be managed from any of the additional Network Gatewa
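The "does not overlap any previously defined subnet" condition is the one that is easy to get wrong by hand when masks differ. The following Python is an added example, not SonicWALL code: it derives the subnet from a Network Gateway Address and Subnet Mask pair, checks that the gateway is a usable host address on it, and checks it against every subnet already defined, including the primary LAN. The sample gateways and masks are made up.

```python
"""Checks before adding a Network Gateway Address / Subnet Mask pair (added example)."""
import ipaddress


def subnet_of(gateway: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet implied by a gateway address and a dotted subnet mask."""
    return ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)


def check_new_subnet(gateway: str, mask: str, existing):
    """existing: [(gateway, mask), ...] already configured, primary LAN included.

    Returns a list of problems; an empty list means the entry is safe to add.
    """
    problems = []
    new = subnet_of(gateway, mask)
    gw = ipaddress.IPv4Address(gateway)
    if gw in (new.network_address, new.broadcast_address):
        problems.append(f"{gateway} is the network or broadcast address of {new}, "
                        "not a usable gateway address")
    for g, m in existing:
        old = subnet_of(g, m)
        if old.overlaps(new):   # true for equal, enclosing and enclosed subnets alike
            problems.append(f"{new} overlaps the existing subnet {old} (gateway {g})")
    return problems


def usable_hosts(gateway: str, mask: str) -> int:
    """Addresses left for hosts once network, broadcast and the gateway are taken."""
    return max(0, subnet_of(gateway, mask).num_addresses - 3)
```

When check_new_subnet reports an overlap against a subnet that lives behind a router rather than on the LAN, the fix is a static route on the Routes tab, as the Alert above says, not another Network Gateway entry.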
for the firewall using the Network tab located in the General section. Click Update and restart the SonicWALL if necessary.
2. Click VPN, then the Configure tab.
3. Create a name for the remote office SA, for example, Remote Office.
4. Enter the main office WAN IP address for the IPSec Gateway Address.
5. Enter the Outgoing SPI of the main office in the Incoming SPI field.
6. Enter the Incoming SPI of the main office in the Outgoing SPI field.
7. Select Strong Encrypt (ESP 3DES) as the Encryption Method.
8. Enter the Encryption Key from the Main Office configuration.
9. Click Add New Network. Enter the IP address 192.168.11.1 in the Range Start field. Enter the IP address 192.168.11.254 in the Range End field. This Range End value is appropriate even if NetBIOS broadcast support is enabled. Leave the subnet mask field blank. Click Update.
10. Click Advanced Settings and select the features that apply to the SA:
- Enable Windows Networking (NetBIOS) broadcast, if the remote clients use Windows Network Neighborhood to browse remote networks.
- Apply NAT and firewall rules, to apply NAT and firewall rules to the SA (or just firewall rules if in Standard mode).
- Forward packets to remote VPNs, if creating a hub and spoke network configuration.
- Route all internet traffic through this SA, if forcing internet traffic from the WAN to use this SA to access a remote site.
- Default LAN Gateway, if specifying the IP address of th
from McAfee.com with SonicWALL Internet Security Appliances. Complete Anti-Virus ensures that all the computers on your network have a secure defense against viruses. SonicWALL Network Anti-Virus provides constant, uninterrupted protection by monitoring computers for outdated virus software and automatically triggering the installation of new virus software. In addition, the SonicWALL restricts access to the Internet if virus software is not detected on the client, enforcing virus protection. This strategy ensures that current virus software is installed and active on every computer on the network, preventing a rogue user from disabling virus protection and exposing the entire organization to an outbreak. SonicWALL Network Anti-Virus provides centrally managed and enforced virus installation, transparent software updates and comprehensive Web-based reports. SonicWALL Network Anti-Virus is a subscription-based solution that can be purchased in 5, 10, 50 and 100 license annual subscriptions. For more information on SonicWALL Network Anti-Virus, visit http://www.sonicwall.com/anti-virus/index.html

Content Filter List Subscription

Inappropriate online content can create an uncomfortable work environment, lead to harassment lawsuits, or expose children to pornography or racially intolerant sites. The SonicWALL Content Filter List subscription allows your organization
COMPREHENSIVE INTERNET SECURITY
SonicWALL Internet Security Appliances
ADMINISTRATOR'S GUIDE
SONICWALL

Contents
Copyright Notice ... 11
About this Guide ... 12
SonicWALL Technical Support ... 13
AlGEAV gems ... 13
1 Introduction ... 14
SonicWALL Internet Security Appliance Features ... 15
2 Configuring the Network Mode on the SonicWALL ... 18
Configuring the SonicWALL in Standard Mode ... 19
Configuring the SonicWALL in NAT Enabled Mode ... 20
Configuring NAT with PPPoE Client ... 26
Configuring NAT with DHCP Client ... 32
Configuring NAT with L2TP Client ... 37
Configuring NAT with PPTP Client ... 38
Logging into the SonicWALL Management Interface ... 44
3 Registering at MySonicWALL.com ... 46
Creating a New User Account ... 46
Problems Creating a MySonicWALL.com User Account ...
hexadecimal encryption key in the Encryption Key field, or use the default value. This encryption key is used to configure the remote SonicWALL client's encryption key; therefore, write it down to use when configuring the client.
8. Enter a 32-character hexadecimal authentication key in the Authentication Key field, or use the default value. Write down the key to use while configuring the client settings.
Tip: Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window.
9. Click Add New Network to enter the destination network addresses. Clicking Add New Network automatically updates the VPN configuration and opens the VPN Destination Network window.
10. Enter 0.0.0.0 in the Range Start, Range End and Destination Subnet Mask for NetBIOS broadcast fields.
11. Click Update to add the remote network and close the VPN Destination Network window. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

Configuring the VPN Client

Installing the VPN Client Software
1. When you register your SonicWALL VPN Upgrade at <http://www.mysonicwall.com>, a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed.

Alert: SonicWALL PRO 3
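Manual-key SAs fail silently when a key or SPI is mistyped on one side, so it is worth checking the two configurations against each other before committing them. The following Python is an added example, not SonicWALL code, serving both the Configuring the Remote SonicWALL steps (the remote's Incoming SPI is the main office's Outgoing SPI and vice versa, same Encryption Method and key) and the format rules given for keys and SPIs (SPIs are 1 to 8 hex characters and unique on a device; DES and ARCFour encryption keys are 16 hex characters; authentication keys are 32). The guide does not state the key length for other methods, so only hex-ness is checked for them. All names, gateways, SPIs and keys in the tests are made up.

```python
"""Format and consistency checks for manual-key VPN Security Associations (added example)."""
import re
from dataclasses import dataclass

HEX = re.compile(r"[0-9a-fA-F]+")
KEY_HEX_DIGITS = {"DES": 16, "ARCFour": 16}     # from the guide's tip; other methods unchecked
AUTH_KEY_HEX_DIGITS = 32


@dataclass(frozen=True)
class ManualSA:
    name: str
    gateway: str             # IPSec Gateway Address (the peer's WAN IP)
    incoming_spi: str
    outgoing_spi: str
    method: str              # e.g. "DES", "ARCFour", "ESP 3DES"
    encryption_key: str
    authentication_key: str = ""


def check_hex(value: str, lo: int, hi: int, what: str):
    """Hex-only and length between lo and hi digits; returns a list of problems."""
    if not HEX.fullmatch(value):
        return [f"{what} {value!r} must contain only 0-9 and a-f"]
    if not lo <= len(value) <= hi:
        want = f"{lo}" if lo == hi else f"{lo}-{hi}"
        return [f"{what} {value!r} must be {want} hex characters, got {len(value)}"]
    return []


def validate_sa(sa: ManualSA):
    problems = check_hex(sa.incoming_spi, 1, 8, "Incoming SPI")
    problems += check_hex(sa.outgoing_spi, 1, 8, "Outgoing SPI")
    if sa.incoming_spi.lower() == sa.outgoing_spi.lower():
        problems.append(f"{sa.name}: Incoming and Outgoing SPI are the same")
    n = KEY_HEX_DIGITS.get(sa.method)
    problems += check_hex(sa.encryption_key, n or 1, n or 64, f"{sa.method} encryption key")
    if sa.authentication_key:
        problems += check_hex(sa.authentication_key, AUTH_KEY_HEX_DIGITS,
                              AUTH_KEY_HEX_DIGITS, "Authentication Key")
    return problems


def validate_device(sas):
    """All SAs on one appliance: each valid on its own, and no SPI used twice."""
    problems, seen = [], {}
    for sa in sas:
        problems += validate_sa(sa)
        for spi in (sa.incoming_spi.lower(), sa.outgoing_spi.lower()):
            if spi in seen and seen[spi] != sa.name:
                problems.append(f"SPI {spi} is used by both {seen[spi]} and {sa.name}")
            seen.setdefault(spi, sa.name)
    return problems


def check_mirror(main: ManualSA, remote: ManualSA):
    """What the remote office must have entered to pair with the main office SA."""
    problems = []
    if remote.incoming_spi.lower() != main.outgoing_spi.lower():
        problems.append("remote Incoming SPI must equal the main office Outgoing SPI")
    if remote.outgoing_spi.lower() != main.incoming_spi.lower():
        problems.append("remote Outgoing SPI must equal the main office Incoming SPI")
    if remote.method != main.method:
        problems.append("both sides must use the same Encryption Method")
    if remote.encryption_key.lower() != main.encryption_key.lower():
        problems.append("both sides must use the same Encryption Key")
    if remote.authentication_key.lower() != main.authentication_key.lower():
        problems.append("both sides must use the same Authentication Key")
    return problems
```

The most common field error in practice is entering the SPIs in the same order on both sides; check_mirror reports that as two problems, one per direction.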
...if Stealth Mode is enabled on the SonicWALL.
Configuring the Network Mode on the SonicWALL Page 45

3. Registering at mySonicWALL.com
After you complete the initial installation and configuration of your SonicWALL, you should register your SonicWALL Internet Security Appliance at <http://www.mysonicwall.com>. MySonicWALL.com delivers a convenient, centralized way to register all your SonicWALL Internet Security appliances and Security Services. It eliminates the need to individually register SonicWALL appliances and upgrades, streamlining the management of all your SonicWALL security services. You can do the following with MySonicWALL.com:
• Centrally register all your SonicWALL appliances and services
• Access firmware and security service updates
• Get SonicWALL alerts on services, firmware, and products
• Check the status of your SonicWALL services and upgrades linked to each registered SonicWALL Internet security appliance
• Manage (activate, change, or delete) your SonicWALL security services online
Alert: You must register your SonicWALL on mySonicWALL.com to access technical support. By registering your SonicWALL, you provide the initial information necessary for technical support if any problems arise during installation.

Creating a New User Account
If you currently have a MySonicWALL.com user account, you can skip this section and proceed to Adding New Appliances or Services.
1. Enter <http://www.mysonicwall.com>
...inspection, the most effective method of packet filtering, to protect your LAN from hackers and vandals on the Internet.
Hacker Attack Prevention: The SonicWALL automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
Network Address Translation (NAT): Network Address Translation (NAT) translates the IP addresses used on your private LAN to a single public IP address that is used on the Internet. NAT allows multiple computers to access the Internet even if only one IP address has been provided by your ISP.
Network Access Rules: The default Network Access Rules allow traffic from the LAN to the Internet and block traffic from the Internet to the LAN. You can create additional Network Access Rules that allow inbound traffic to network servers, such as Web and e-mail servers, or that restrict outbound traffic to certain destinations on the Internet.
Autoupdate: The SonicWALL maintains the highest level of security by automatically notifying you when new firmware is released. When new firmware is available, the SonicWALL Web Management Interface displays a link to download and install the latest firmware.
DMZ Port: The SonicWALL PRO 100, PRO 200, PRO 300, PRO 230, and the SonicWALL PRO 330 include a DMZ port, allowing users to access public servers such as Web and FTP servers. While Internet users have unlimited access to the DMZ, the servers on the DMZ are still protected again
...interface.
Appendices Page 281
ACS Server (Cisco)
The ACS server version 2.6 from Cisco does not support the configuration of vendor-specific privileges. Therefore, if an ACS Server is deployed, user privileges cannot be configured on the server. The ACS server can still be used for authentication if the RADIUS users are configured globally on the SonicWALL to have the same privileges. Also, the ACS server supports CHAP, so it can be used if HTTPS is not available when logging into the SonicWALL management interface.
Internet Authentication Service (Windows NT/2000 Server)
The RADIUS server used on Microsoft Windows NT and Windows 2000 servers is known as the Internet Authentication Service (IAS). The RADIUS attributes are configured using policies, and IAS does not support pre-configuration of vendor-specific attributes. The RADIUS attributes are entered manually into the service by using the following instructions:
1. Open IAS and select Remote Access Policies.
2. Select the policy to be configured for user privileges and right-click. Select Properties from the list.
3. Click Edit Profile and then click Advanced.
4. Click Add. Select Vendor-Specific from the list and click Add. The Multivalued Attribute Information box appears.
5. Click Add. The Vendor-Specific Attribute Information box appears.
6. Click Enter Vendor Code and enter 8741 as the vendor code.
7. Click "Yes. It conforms" and then click Configure Attribute. The Configure VSA
View Log window, Log Settings (screenshot). Readable entries (Time; Message; Source; Destination):
10/12/2000 13:13:31.320; SonicWALL activated
10/12/2000 13:13:39.528; Backup firewall has transitioned to Idle
10/12/2000 (time illegible); Successful administrator login; 192.168.168.3 (LAN); 192.168.168.1
10/12/2000 13:48:25.240; Backup missed heartbeats from Active Primary, Backup going Active
10/12/2000 (time illegible); Backup firewall has transitioned to (illegible); High Availability
10/12/2000 13:49:36.240; Administrator login failed, incorrect password; 216.217.36.130 (WAN); 192.168.168.1
10/12/2000 13:49:41.624; Successful administrator login; 216.217.36.130 (WAN); 192.168.168.1
STATUS: Ready

Forcing Transitions
In some cases it may be necessary to force a transition from one active SonicWALL to another, for example, to force the primary SonicWALL to become active again after a failure when Preempt Mode has not been enabled, or to force the backup SonicWALL to become active in order to do preventive maintenance on the primary SonicWALL. To force such a transition, it is necessary to interrupt the heartbeat from the currently active SonicWALL. This may be accomplished by disconnecting the active SonicWALL's LAN port, by shutting off power on the currently active unit, or by restarting it from the Web Management Interface. In all of these cases, heartbeats from the active SonicWALL are interrupted.
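As an added example (not code from the guide), the script below parses constructed log entries modelled on the View Log table above and flags the two things an administrator reviewing that log would want surfaced: High Availability transitions, and administrator logins from the WAN interface that were preceded by failed attempts from the same address. The pipe-delimited field layout and the sample entries are assumptions, not the appliance's real log format.

```python
"""Review SonicWALL-style event log entries for HA transitions and WAN admin logins.

Added example; the field layout (time|message|source/interface|destination)
is an assumption chosen to mirror the View Log table, not the real format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LogEntry:
    time: datetime
    message: str
    source: str  # "ip/IFACE", or "" when the event has no source
    dest: str


# Constructed sample entries, modelled on the screenshot above.
SAMPLE_LOG = """\
10/12/2000 13:13:31.320|SonicWALL activated||
10/12/2000 13:13:39.528|Backup firewall has transitioned to Idle||
10/12/2000 13:15:02.100|Successful administrator login|192.168.168.3/LAN|192.168.168.1
10/12/2000 13:48:25.240|Backup missed heartbeats from Active Primary; Backup going Active||
10/12/2000 13:48:25.300|Backup firewall has transitioned to Active||
10/12/2000 13:49:36.240|Administrator login failed - incorrect password|216.217.36.130/WAN|192.168.168.1
10/12/2000 13:49:41.624|Successful administrator login|216.217.36.130/WAN|192.168.168.1
"""


def parse_log(text: str) -> list[LogEntry]:
    """Parse pipe-delimited entries; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, msg, src, dst = line.split("|")
        entries.append(LogEntry(datetime.strptime(t, "%m/%d/%Y %H:%M:%S.%f"), msg, src, dst))
    return entries


def find_ha_transitions(entries: list[LogEntry]) -> list[LogEntry]:
    """Every High Availability state change: a transition or 'going Active'."""
    return [e for e in entries
            if "transitioned to" in e.message or "going Active" in e.message]


def find_wan_admin_logins(entries: list[LogEntry], window: timedelta = timedelta(minutes=5)):
    """Successful admin logins arriving on the WAN interface.

    Returns (source_ip, login_time, prior_failures), where prior_failures counts
    failed admin logins from the same IP within `window` before the success.
    Logins from the LAN are not reported.
    """
    findings = []
    for e in entries:
        if not (e.message.startswith("Successful administrator login")
                and e.source.endswith("/WAN")):
            continue
        src_ip = e.source.split("/")[0]
        prior_failures = sum(
            1 for f in entries
            if f.message.startswith("Administrator login failed")
            and f.source.split("/")[0] == src_ip
            and e.time - window <= f.time < e.time)
        findings.append((src_ip, e.time, prior_failures))
    return findings


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in find_ha_transitions(log):
        print(f"HA  {e.time:%H:%M:%S} {e.message}")
    for ip, when, fails in find_wan_admin_logins(log):
        print(f"WAN admin login from {ip} at {when:%H:%M:%S}, {fails} failed attempt(s) before it")
```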
Reports window (screenshot): Log Data Collection; Current Sample Period: 0 Days 1 Hour 41 Minutes 19 Seconds; Stop Data Collection; Reset Data; Report to view: Bandwidth Usage by Service; Refresh Data. STATUS: Ready.
Page 96 SonicWALL Internet Security Appliance Administrator's Guide
The Reports window includes the following functions and commands:
• Start Data Collection: Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
• Reset Data: Click Reset to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL is restarted.
• View Data: Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.
Web Site Hits
Selecting Web Site Hits from the Display Report menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period. The Web Site Hi
...most networks. If you do not use the default settings, enter the SonicWALL LAN settings and click Next to continue.
Configuring the Network Mode on the SonicWALL Page 29

Configuring the SonicWALL DHCP Server
SonicWALL Installation Wizard (screenshot), Optional SonicWALL's DHCP Server: "SonicWALL contains a Dynamic Host Configuration Protocol (DHCP) server to automatically configure the IP settings for the PCs and other network devices on your LAN. If you wish to use SonicWALL's DHCP Server, check the Enable DHCP Server checkbox below and enter a range of IP addresses to assign to the network devices on your LAN. The address range must be in the same subnet as the SonicWALL Web management address, currently set to 192.168.168.1. The range below has already been set up. You may change it here if you wish. If you don't want to use the DHCP server, uncheck the Enable DHCP Server checkbox and click Next." Enable DHCP Server: checked. Beginning of LAN client address range: 192.168.168.2. End of LAN client address range: 192.168.168.254.
9. The Optional SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select the Enable DHCP Server check box and specify the range of IP addresses that ar
...mySonicWALL.com user at any time. Transferring a SonicWALL is necessary if you sell the appliance to another user or if you want to transfer it to another person in your company. For example, the sales manager for the East Coast has left and you were managing the services for his SonicWALL. However, another manager may have an immediate need for the SonicWALL and requests that you transfer the appliance to him.
1. To transfer a SonicWALL to another user, click Transfer in the Manage Product section.
MySonicWALL.com Transfer Product page (screenshot): TRANSFER PRODUCT, PRO-VX. Enter the user name and e-mail address; an e-mail confirmation will be sent.
2. Enter the User Name of the new owner and the e-mail address (ID) in the appropriate fields. Click Submit. A page is returned with the message that you've successfully transferred the SonicWALL to the new user.
MySonicWALL.com My Products page (screenshot): successfully transferred the s
...only if your Ethernet card also forces these settings. You must force from both sides of your connection to enable this setting.
Proxy Management workstation ethernet address on WAN: If you are managing the Ethernet connection from the LAN side of your network, this check box can be selected. The SonicWALL appliance takes the Ethernet address of the computer managing the SonicWALL appliance and proxies that address onto the WAN port of the SonicWALL. If you are not managing the SonicWALL appliance from the LAN side, the firmware looks for a random computer on the LAN, creating a lengthy search process.
MTU Settings: A network administrator may set the MTU (Maximum Transmission Unit) allowed over a packet- or frame-based network such as TCP/IP. If the MTU size is too large, it may require more transmissions if the packet encounters a router unable to handle a larger packet. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be sent and processed. The default value is 1500 octets, based on the Ethernet standard MTU. The minimum value that can be set is 68. Decreasing the packet size may improve the performance of the network.
Advanced Features Page 163

SonicWALL Bandwidth Management
Bandwidth management is a means of allocating bandwidth resources to critical applications on a network. By controlling the amount of bandwidth to an application or user, the ne
...party content filter list package supported by SonicWALL. You can obtain more information on Websense Enterprise at http://www.websense.com. If you select Websense Enterprise from the list, a Websense tab is available to configure the location of the Websense server and other settings.
There are four tabs in the Filter section if the SonicWALL Content Filter is selected:
• Configure
• URL List
• Customize
• Consent
Configure tab (screenshot): Don't Block Java/ActiveX/Cookies to Trusted Domains; Add Trusted Domain; Message to display when a site is blocked. STATUS: The configuration has been updated.
Content Filtering and Blocking Page 99

Configuring SonicWALL Content Filtering
The Configure tab is common between the three types of Content Filtering. Click Filter on the left side of the browser window and then click on the Configure tab. Select the type of Content Filter from the Content Filter Type menu. To enforce Content Filtering on the LAN, select Apply Content Filter. Content filtering can also be enforced on the LAN, DMZ, or both. Select LAN, DMZ, or both. Both LAN and DMZ are selected by default.
Restrict Web Features
Restrict Web Features enhances your network security by blocking potentially harmful Web applications from entering your network. Select any of the following applications to block:
Block ActiveX: ActiveX is a programming language that embeds sc
...performed on the backup SonicWALL, the Primary SonicWALL should be disconnected from the network or turned off.
• Changes made to the backup SonicWALL do not get updated on the Primary SonicWALL until synchronization takes place between the two units.
High Availability Page 233

15. SonicWALL Options and Upgrades
SonicWALL, Inc. offers a variety of options and upgrades to enhance the functionality of your SonicWALL Internet security appliance. SonicWALL options and upgrades include the following:
• SonicWALL VPN Client
• SonicWALL Network Anti-Virus Subscription
• Content Filter List Subscription
• Vulnerability Scanning Service
• Authentication Service
• ViewPoint Reporting
• SonicWALL Global Management
SonicWALL VPN Client
The SonicWALL VPN Client allows remote users to securely access resources on your private LAN from a broadband or dial-up Internet connection. It establishes a private, encrypted VPN tunnel to the SonicWALL, allowing users to contact your network servers from any location. The SonicWALL VPN Client is perfect for business travelers and remote users who require access to private resources on your network. For more information on the SonicWALL VPN Client, visit http://www.sonicwall.com/vpn/index.html.
SonicWALL Network Anti-Virus
SonicWALL Network Anti-Virus offers a new approach to virus protection by delivering managed anti-virus protection over the Internet. By combining leading-edge anti-virus technology
...prevents unauthorized outside access, theft, deletion, or modification of information stored on a local network. Typically, unauthorized access would be via an organization's Internet connection.
Gateways: A gateway can be a computer that acts as a connector between a private internal network and another network, such as the Internet. A gateway used as a firewall can transmit information from an internal network to the Internet. Also, gateways can examine incoming information and determine if the information is allowed access to the network.
Appendices Page 263
Network Protocols: The method used to regulate a workstation's access to a computer network to prevent data collisions. The SonicWALL uses the TCP/IP protocol.
TCP/IP: Internet Protocol, or IP, provides connectionless data transfer over a TCP/IP network. Since IP alone does not provide end-to-end data reliability, as well as some other services, other protocols such as TCP (Transmission Control Protocol) can be added to provide these services. In TCP/IP, TCP works with IP to ensure the integrity of the data traveling over the network. TCP/IP is the protocol of the Internet.
FTP: File Transfer Protocol (FTP) is used to transfer documents between different types of computers on a TCP/IP network.
HTTP: HyperText Transfer Protocol (HTTP) is a widely used protocol to transfer information over the Internet. Typically, it is used to transfer information from Web servers to Web b
...printer, file server, or router must have a unique IP address. Unlike phone numbers, an IP address requires the entire number when communicating with other devices. There are three classes of IP addresses: A, B, and C. Like a main business phone number that one can call and then be transferred through interchange numbers to an individual's extension number, the different classes of IP addresses provide for varying levels of interchanges (subnetworks) and extensions (device numbers). The classes are based on estimated network size:
• Class A: used for very large networks with hundreds of subnetworks and thousands of devices. Class A networks use IP addresses between 0.0.0.0 and 127.0.0.0.
• Class B: used for medium to large networks with 10-100 subnetworks and hundreds of devices. Class B networks use IP addresses between 128.0.0.0 and 191.0.0.0.
• Class C: used for small to medium networks, usually with only a few subnetworks and less than 250 devices. Class C networks use IP addresses between 192.0.0.0 and 223.0.0.0.
Just as one would go to the phone company for a phone number, there are controlling bodies for IP addresses. The overall controlling body for IP addresses worldwide is InterNIC. Businesses or individuals can request one or many IP addresses from InterNIC. It's a good idea to estimate the network's future growth when requesting the class and number of IP addresses requested.
Appendices Page 265
Subne
...receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
3. Send Alerts To: Enter your full e-mail address (username@mydomain.com) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Enter a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.
4. Firewall Name: The Firewall Name appears in the subject of e-mails sent by the SonicWALL. The Firewall Name is helpful if you are managing multiple SonicWALLs because it specifies the individual SonicWALL sending a log or an alert e-mail. By default, the Firewall Name is set to the SonicWALL serial number.
Logging and Alerts Page 93
5. Syslog Server: In addition to the standard event log, the SonicWALL can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Enter the Syslog server name or IP address in the Add Syslog Server field. Messages from the SonicWALL are then sent to the servers. Up to three Syslog Server IP addresses can be added. If the SonicWAL
...remote VPN client. Also, the SA must be enabled to export the configuration file.
Alert: You must use the Group VPN Security Association even if you have only one VPN client to deploy and you want to use IKE using Pre-shared Secret for your SA. The Group VPN Security Association defaults to the Simple Configuration previously available in firmware version 5.1.1.
Page 194 SonicWALL Internet Security Appliance Administrator's Guide

Group VPN Client Setup
Installing the VPN Client Software
1. When you register your SonicWALL or SonicWALL VPN Upgrade, a unique VPN client serial number and a link to download the SonicWALL VPN Client zip file is displayed.
2. Unzip the SonicWALL VPN Client zip file.
3. Double-click setup.exe and follow the VPN client setup program step-by-step instructions. Enter the VPN client serial number when prompted.
4. Restart your computer after you have installed the VPN client software.
For detailed instructions on installing the client software, download the Client Installation Guide available at <http://www.sonicwall.com/documentation.html>.
Group VPN Client Configuration
To import the Group VPN security policy into the VPN Client, use the following steps:
1. Open the VPN Client. Click File and then Import Security Policy.
Security Policy Editor, SonicWALL VPN Client (screenshot): File menu with Import Security Policy and Export Security Policy.
2. A file location box appears which allows you to search for the locatio
...resources on remote computers, you must know the private IP address of the remote computer and use the Find tool in the Start menu. Type the IP address into the Computer Named text box and click Find Now. To access the computer remotely, double-click on the computer icon in the box.
Page 224 SonicWALL Internet Security Appliance Administrator's Guide

14. High Availability
Given the critical nature of Internet connections, SonicWALL High Availability is standard on the SonicWALL product line. SonicWALL High Availability eliminates network downtime by allowing the configuration of two SonicWALLs, one primary and one backup, as a High Availability pair. In this configuration, the backup SonicWALL monitors the primary SonicWALL and takes over operation in the event of a failure. This ensures a secure and reliable connection between the protected network and the Internet.
Before Configuring High Availability
Before attempting to configure two SonicWALLs as a High Availability pair, check the following requirements:
• You have two (2) SonicWALL Internet Security Appliances. The High Availability pair must consist of two identical SonicWALL models.
• You have at least one (1) valid static IP address available from your Internet Service Provider (ISP). Two (2) valid static IP addresses are required to remotely manage both the primary SonicWALL and the backup SonicWALL.
Alert: SonicWALL High Availability does not support dynamic IP address a
...rule at different times depending on the day of the week, make additional rules for each time period.
8. If you would like the rule to time out after a period of inactivity, set the amount of time in minutes in the Inactivity Timeout in Minutes field. The default value is 5 minutes.
Page 134 SonicWALL Internet Security Appliance Administrator's Guide
9. Do not select the Allow Fragmented Packets check box. Large IP packets are often divided into fragments before they are routed over the Internet and then reassembled at a destination host. Because hackers exploit IP fragmentation in Denial of Service attacks, the SonicWALL blocks fragmented packets by default. You can override the default configuration to allow fragmented packets over PPTP or IPSec.
10. Enable Bandwidth Management and enter the Guaranteed Bandwidth in Kbps.
11. Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field.
12. Assign a priority from 0 (highest) to 7 (lowest).
Click Update. Once the SonicWALL has been updated, the new rule appears in the list of Current Network Access Rules.
Tip: Although custom rules can be created that allow inbound IP traffic, the SonicWALL does not disable protection from Denial of Service attacks, such as the SYN Flood and Ping of Death attacks.
For example, to configure the SonicWALL to allow Internet traffic to your Web server with an IP address of 208.5.5.5 (Standard mode c
...serial number to search for the related information of the product to view the status of related options. (XXXXXX: 12-digit number on bottom of unit.)
MySonicWALL.com Status of Options and Upgrades page (screenshot): This product is registered. PRO-VX, Unlimited. Applicable services: VPN, Enabled (Upgrade Key); Warranty, Enabled, Expires 27 Feb 2002; Premium Support, Enabled, Expires (illegible); Content Filter Subscription, Enabled; High Availability, Enabled (Upgrade Key); ViewPoint, Enabled (Upgrade Key); SonicWALL Authentication Service, Activated.
Information displayed includes:
• Serial Number
• Product
• Registration Code
• Node Support Upgrade Key
There is also a list of applicable services with their activation keys, as well as expiration dates for subscriptions.
Registering at mySonicWALL.com Page 53

Managing Your SonicWALL
You can rename your SonicWALL, transfer your SonicWALL, or delete your SonicWALL in this section of Services Management.
Renaming Your SonicWALL
You can rename your SonicWALL at any time in order to manage your SonicWALLs. To rename your SonicWALL, click Rename in the Manage Products section. Enter the new name in the Fr
...server IP address, a user name, and password.
Installation Wizard (screenshot): "Please note: When the SonicWALL was powered on, it did not detect the presence of a PPPoE or a DHCP server on the Internet." Buttons: < Back, Next >, Cancel.
5. Select "Provided you with server IP address, a user name and password (PPTP)" if your ISP has provided you with a server IP address, a user name, and a password.
Page 40 SonicWALL Internet Security Appliance Administrator's Guide
Setting the User Name and Password for PPTP
SonicWALL's ISP Settings (PPTP) page (screenshot): "Please enter the user name and password that you use to connect to the Internet. Note that your password is case sensitive." Server IP: 66.120.118.11; User Name: johnd; Password. Buttons: < Back, Next >, Cancel.
6. The SonicWALL ISP Settings (PPTP) page is displayed. Enter the server IP address in the Server IP field and your user name and password in the User Name and Password fields.
Configuring LAN Network Settings
SonicWALL Installation Wizard (screenshot), Fill in information about your LAN: "Since you are using NAT, you will need to specify information about your LAN. You can choose this information arbitrarily, but it's a good idea to use private addresses such as 10.0.0.1 or 192.168.168.1. Note that the default values below will work well for most networks." SonicWALL LAN IP Address: 192.168.168.1. LAN Subnet Mask:
...sonicwall.com
E-mail: sales@sonicwall.com
Phone: 888-557-6642 or 408-745-9600
Fax: 408-745-9300
Page 236 SonicWALL Internet Security Appliance Administrator's Guide

16. Hardware Descriptions
This chapter provides detailed illustrations and descriptions of the SonicWALL Internet Security Appliances' front and back panels by model. Refer to this chapter to learn about the location of LEDs, switches, and connectors. More information is provided in Appendix A, Technical Specifications.
SonicWALL PRO 230 and PRO 330 Front Panel
Front panel illustration (SONICWALL PRO 230): DMZ, Power, Alarm, LAN, WAN, Serial Port, Test. LAN Port LEDs, DMZ Port LEDs, WAN Port LEDs: Link, Activity for each.
SonicWALL PRO 230 and PRO 330 Front Panel Description
Power: Lights up when power is applied to SonicWALL PRO 230 or SonicWALL PRO 330.
Test: Lights up when the SonicWALL is powered up and performing diagnostic tests to check for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time, the software is corrupt and must be reinstalled.
Alarm: Lights up and flashes for 10 seconds when an event generates an alert. Alert events are defined in the Log Settings section in Chapter 5.
There are three Ethernet ports, one for each of the LAN, DMZ, and WAN ports.
Link: Lights up when a Twisted Pair connection is made to another Ethernet device (usually a hub) on the port.
...the Maximum Web usage field. When the default value of zero (0) is entered, this feature is disabled.
• User Idle Timeout is 5 minutes (configure here): After a period of Web browser inactivity, the SonicWALL requires the user to agree to the terms outlined in the Consent page before accessing the Internet again. To configure the value, follow the link to the Users window and enter the desired value in the User Idle Timeout section.
• Consent page URL (Optional Filtering): When a user opens a Web browser on a computer requiring consent, they are shown a consent page and given the option to access the Internet with or without content filtering. You must create this Web (HTML) page. It can contain the text from, or links to, an Acceptable Use Policy (AUP). This page must contain links to two pages contained in the SonicWALL which, when selected, tell the SonicWALL if the user wishes to have filtered or unfiltered access. The link for unfiltered access must be <192.168.168.168/iAccept.html> and the link for filtered access must be <192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP Address is used instead of 192.168.168.168.
Content Filtering and Blocking Page 105
• Consent Accepted URL (Filtering Off): When a user accepts the terms outlined in the Consent page and chooses to access the Internet without the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this p
...the N2H2 Internet Filtering Protocol (IFP) server used to receive IFP requests.
Listen Port: Enter the UDP port number for the N2H2 Internet Filtering Protocol (IFP) server to listen for the N2H2 traffic. The default port is 4005.
Reply Port: Enter the UDP port number for the N2H2 server to send packets from the N2H2 client to the SonicWALL. The default port is 4005.
User Name: The User Name refers to a configuration of users, a group of users, or a network defined within the N2H2 software.
If Server is unavailable for 5 secs: The default value for timeout of the server is 5 seconds, but you can enter a value between 1 and 10 seconds. If the N2H2 server becomes unavailable, select from the following two options:
• Block traffic to all Web sites
• Allow traffic to all Web sites
URL Cache: Configure the size of the URL Cache in KB.
Model                                                    Cache Size (KB)
XPRS, PRO, SOHO2, TELE2, SOHO3                           128
TELE3 and PRO-VX, PRO 100, PRO 200, PRO 300, PRO2        256
PRO-VX2, GX250, GX 2500, GX650, GX 6500                  1024
Tip: A larger URL Cache size can result in noticeable improvements in Internet browsing response times.
Content Filtering and Blocking Page 109

Configuring the Websense Enterprise Content Filter
Websense is a third-party software package that allows you to use Internet content filtering through the SonicWALL. Select Websense Enterprise from the Content Filter Type menu. Customization of the Co
...the SonicWALL LAN IP address. Click Modem and configure the dial-up connection settings by creating a Modem Profile (TELE3 SP). Refer to the Modem configuration steps in the section Configuring Modem Profiles on page 61.
Tested Internet Service Providers
The following Internet Service Providers (ISPs) have successfully tested with the TELE3 SP:
ISP            Additional Chat Script Required
AT&T           No
MSN            No
Earthlink      No
High Stream    No
UUnet          No
Page 68 SonicWALL Internet Security Appliance Administrator's Guide
Status
The Status tab displays dial-up connection information when the modem is active.
Modem Status tab (screenshot): The modem is currently the active WAN interface. WAN Gateway (Router) Address: 68.130.64.14; WAN IP (NAT Public) Address: (illegible); WAN Subnet Mask: 255.255.255.0; DNS: 198.6.100.150, 198.6.1.150, 0.0.0.0; Current Active Dial-up Profile: Failover 1; Current Connection Speed: 48000 bps. STATUS: Ready.
Modem Status
In the Modem Status section, the current active network information from your ISP is displayed when the modem is active:
• WAN Gateway (Router) Address
• WAN IP (NAT Public) Address
• WAN Subnet Mask
• DNS
...the User field. Enter the password provided by your dial-up ISP in the Password field. Confirm your dial-up ISP password in the Confirm field. In the IP address section, select Obtain Automatically if you do not have a permanent dial-up IP address from your ISP. If you have a permanent dial-up IP address from your ISP, select Specify and enter the IP address in the IP Address field.
Alert: Do not enter your broadband (high-speed) ISP information here. Enter only your dial-up Internet access information.
7. If you obtain an IP address automatically for your DNS server(s), select Obtain Automatically. If your ISP has a specific IP address for the DNS server(s), select Specify and enter the IP address in the field. Alternatively, you can use your internal DNS server IP address or a specific DNS server IP address on the Internet. If your ISP has given you a script that runs when you access your ISP connection, cut and paste the script text in the Chat Script field. See the Information on Chat Scripts section at the end of this chapter for more information on using chat scripts.
Location Settings
Use this section to configure modem behavior on the TELE3 SP for WAN failover. The TELE3 SP has an autodetect feature that detects when the WAN Ethernet cable is physically disconnected from the TELE3 SP and automatically dials the ISP, whether or not Enable WAN Failover is selected. You can override this feature by selecting Manual Dial for the modem beha
...this key, as it is required when configuring the San Francisco Office SonicWALL TELE3.
Click Add New Network to open the VPN Destination Network window and enter the destination network addresses. Enter the IP address and subnet mask of the destination network (the San Francisco office) in the Network and Subnet Mask fields. Since NAT is enabled at the San Francisco office, enter a private LAN IP address. In this example, enter 192.168.1.1 and subnet mask 255.255.255.0. Click OK to add the destination network address.
Alert: The Destination Network Address must NOT be in the local network address range. Therefore, the San Francisco and Chicago offices must have different LAN IP address ranges.
14. Click Advanced Settings.
15. Select the following boxes that apply to your SA:
• Enable Keep Alive if you want to maintain the current connection by listening for traffic on the network segment between the two connections.
• Enable Windows Networking (NetBIOS) broadcast if remote clients use Windows Network Neighborhood to browse remote networks.
• Apply NAT and firewall rules to apply NAT and firewall rules to the SA, or just firewall rules if in Standard mode.
• Forward packets to remote VPNs if creating a hub-and-spoke network configuration.
• Enable Perfect Forward Secrecy if you want to add another layer of security by adding an additional Diffie-Hellman key exchange.
• Phase 2 DH Group: select the type of DH key exchange in
96. valid IP address and instructed you to set your network settings to obtain an IP address automatically, enable NAT with DHCP Client. This mode is typically used with cable and DSL connections. To obtain IP settings dynamically, complete the following instructions:
1. Select NAT with DHCP Client from the Network Addressing Mode menu.
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN. The default value, 255.255.255.0, supports up to 254 IP addresses.
4. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect.

Alert: When NAT is enabled, designate the SonicWALL LAN IP Address as the gateway address for computers on the LAN.

General and Network Settings, Page 81
When your SonicWALL has successfully received a DHCP lease, the Network window displays the SonicWALL WAN IP settings:
• The Lease Expires value shows when your DHCP lease expires.
• The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/LAN Sub
97. will be encrypted when sent over your network. Your password should be a combination of letters, numbers and punctuation. You should not use a password which can easily be guessed by others, such as the name of your spouse or your birthday. Note also that your password is case sensitive.

New Password / Confirm New Password

If you plan to manage your SonicWALL remotely using the SonicWALL Global Management System, check the following checkbox: [ ] Use Global Management System

Alert: It is very important to choose a password which cannot be easily guessed by others.

2. To set the password, enter a new password in the New Password and Confirm New Password fields. This page also displays the Use SonicWALL Global Management System check box.
3. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue.

Page 32 SonicWALL Internet Security Appliance Administrator's Guide

Setting the Time and Date
Set your Time Zone: the SonicWALL's internal clock is configured automatically by accessing a Network Time server on the Internet. Select your Time Zone from the pull-down menu (for example, Pacific Time (US & Canada), GMT-8:00).
4. Select the appropriate Time Zone from the Time Zone me
98. (URL Cache size table, continued) PRO2: 256; PRO-VX2, GX 250, GX 2500, GX 650, GX 6500: 1024

Tip: A larger URL Cache size can result in noticeable improvements in Internet browsing response times.

Content Filtering and Blocking, Page 113

9 Web Management Tools
This chapter describes the SonicWALL Management Tools available in the Tools section of the SonicWALL Web Management Interface. The Web Management Tools section allows you to restart the SonicWALL, import and export configuration settings, update the SonicWALL firmware, and perform several diagnostic tests. There are four tabs in the Tools section:
• Restart
• Preferences
• Firmware
• Diagnostic

Restarting the SonicWALL
Click Tools on the left side of the browser window and then click the Restart tab. The SonicWALL can be restarted from the Web Management Interface. Click Restart SonicWALL and then click Yes to confirm the restart. The SonicWALL takes up to 90 seconds to restart, and the yellow Test LED is lit during that time. While the SonicWALL restarts, Internet access for all users on the LAN is interrupted.

Preferences
99. 00 lists an additional 50 serial numbers on the back of the SonicWALL VPN Client certificate.
2. Unzip the SonicWALL VPN Client zip file.
3. Double-click setup.exe and follow the VPN client setup program's step-by-step instructions. Enter the VPN client serial number when prompted.
4. Restart your computer after installing the VPN client software.

Launching the SonicWALL VPN Client
To launch the VPN client, select SonicWALL VPN Client > Security Policy Editor from the Windows Start menu, or double-click the icon in the Windows Task Bar. Click My Connections and right-click to select Add > Connection at the top of the Security Policy Editor window.

Tip: The security policy is renamed to match the SA name created in the SonicWALL. You can rename the security policy by highlighting New Connection in the Network Security Policy box and entering the security policy name.

Configuring VPN Security and Remote Identity
In the Security Policy Editor, under Remote Party Identity and Addressing, the screenshot shows ID Type: IP Subnet, Subnet: 192.168.168.1, Mask
100. (Preceding specification table, continued; the column headers for these two rows fall outside this section)
Weight: 1.1 lbs (0.48 kg) | 6.0 lbs (2.7 kg) | 7.3 lbs (3.32 kg) | 6.0 lbs (2.7 kg) | 7.8 lbs (3.54 kg)
Power:  100V to 240V AC for every model in the row

                        TELE3 SP              TELE3 TZ              TELE3 TZX               GX 250              GX 650
Processor               133 MHz Toshiba       133 MHz Toshiba       133 MHz Toshiba         866 MHz Intel       866 MHz Intel
                        TX3927 with           TX3927 with           TX3927 with             Pentium with        Pentium with
                        security ASIC         security ASIC         security ASIC           security ASIC       security ASIC
RAM                     16 MB                 16 MB                 16 MB                   128 MB              256 MB
Flash Memory            4 MB                  4 MB                  4 MB                    16 MB               16 MB
Concurrent Connections  6,000                 6,000                 6,000                   250,000             500,000
Firewall Users          10                    5                     5                       Unlimited           Unlimited
Firewall Performance    75 Mbps               75 Mbps               75 Mbps                 200 Mbps            1.6 Gbps
3DES (168-bit)          20 Mbps               20 Mbps               20 Mbps                 192 Mbps            285 Mbps (*)
VPN Tunnels             10                    5                     5                       5,000               20,000
Dimensions (inches)     6.50 x 4.66 x 1.33    8.25 x 6.5 x 1.63     9.07 x 6.62 x (not legible)  19 x 19 x 5.25  19 x 19 x 5.25
Weight                  8 oz (0.23 kg)        1.1 lbs (0.48 kg)     1.1 lbs (0.48 kg)       30 lbs (13.5 kg)    30 lbs (13.5 kg)
Power                   100V to 240V AC       100V to 240V AC       100V to 240V AC         100V to 240V        100V to 240V

(*) The source reads "285 Gbps", which cannot be right beside a 1.6 Gbps firewall figure; Mbps is assumed here.

Note: Specifications for the SonicWALL Internet security appliances are subject to change. Please verify the above specifications with product datasheets.

Standards: PPPoE, TCP/IP, UDP, ICMP, HTTP, IPSec, IKE, SNMP, FTP, DHCP
Certifications: FCC, UL, BSMI, VCCI, CSA, ICSA Firewall, ICSA IPSec
Environment:
101. 168.254
8. The Optional SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select the Enable DHCP Server check box and specify the range of IP addresses that are assigned to computers on the LAN. If the Enable DHCP Server check box is not selected, the DHCP Server is disabled. Click Next to continue.

Configuration Summary
The Configuration Summary page shows, for example:
• The PPTP client will be used to obtain a dynamic Internet address.
• NAT is enabled.
• The SonicWALL LAN IP Address is 192.168.168.1.
If this is OK, click Next. If you would like to make a change, click Back.
9. The Configuration Summary page displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet page. If the configuration is correct, click Next to proceed to the Congratulations page.

Congratulations
You have completed the initial configuration of your SonicWALL. It is now necessary to restart the unit. Remember, from now on y
102. 2.168.168.1. Access is encrypted using SSL for a secure connection.

Page 72 SonicWALL Internet Security Appliance User's Guide

The first time you access the SonicWALL Management interface using HTTPS, you may see the following information message:

Security Alert: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate date is valid. The security certificate has a valid name matching the name of the page you are trying to view. Do you want to proceed? [Yes] [No] [View Certificate]

Click View Certificate and check the issuer and fingerprint before clicking Yes: the browser cannot verify this certificate for you, so accepting it blindly on first use would also accept one substituted by anyone on the network path. Then click Yes to continue the login process.

SSL is supported by Netscape 4.7 and higher as well as Internet Explorer 5.5 and higher. HTTPS management supports SSLv2, SSLv3 and TLSv1. The following cipher suites are supported: RC4-MD5, EXP-RC4-MD5, DES-CBC3-SHA, DES-CBC-SHA, RC4-SHA, EXP-RC2-CBC-MD5, NULL-SHA and NULL-MD5. The RSA key used is 1024-bit. Note that NULL-SHA and NULL-MD5 authenticate the session but do not encrypt it, the EXP- suites negotiate 40-bit keys, and single DES uses a 56-bit key; of this list only DES-CBC3-SHA (3DES) offers meaningful confidentiality, so configure the browser to prefer it and to refuse SSLv2 where it allows that.

Status
The Status window displays the status of your SonicWALL. It contains an overview of the SonicWALL configuration as well as any important messages. Check the Status window after making changes to ensure that the SonicWALL is configured properly. To v
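The suite list above is what an administrator must choose among when locking down the browser used for HTTPS management. The following is an added example, not code from the guide or from SonicWALL, that parses the OpenSSL-style suite names the guide lists and ranks them; the ranking categories and the 40-bit export limit are the standard meanings of those names.

```python
# Added example, not from the SonicWALL guide: classify the HTTPS management
# protocol versions and cipher suites listed above. Suite names follow OpenSSL's
# naming convention (EXP- prefix = export strength, CBC3 = triple DES), which is
# what the parser relies on.

from dataclasses import dataclass

# Protocols and suites exactly as listed in the guide.
SUPPORTED_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1"]
SUPPORTED_SUITES = [
    "RC4-MD5", "EXP-RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA",
    "RC4-SHA", "EXP-RC2-CBC-MD5", "NULL-SHA", "NULL-MD5",
]

# Nominal key length in bits for the bulk ciphers that appear in the list.
CIPHER_BITS = {"NULL": 0, "DES": 56, "DES3": 168, "RC4": 128, "RC2": 128}
EXPORT_BITS = 40  # EXP- suites are limited to 40-bit keys whatever the cipher


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    cipher: str     # bulk cipher family
    key_bits: int   # effective key length
    mac: str        # integrity algorithm (MD5 or SHA)
    export: bool


def parse_suite(name: str) -> SuiteInfo:
    """Split an OpenSSL-style suite name into cipher, key size, MAC and export flag."""
    parts = name.split("-")
    export = parts[0] == "EXP"
    if export:
        parts = parts[1:]
    mac = parts[-1]
    body = parts[:-1]                         # e.g. ["DES", "CBC3"] or ["RC4"]
    cipher = "DES3" if body[0] == "DES" and "CBC3" in body else body[0]
    bits = min(CIPHER_BITS[cipher], EXPORT_BITS) if export else CIPHER_BITS[cipher]
    return SuiteInfo(name, cipher, bits, mac, export)


def verdict(info: SuiteInfo) -> str:
    """Rank a suite the way an administrator choosing browser settings would."""
    if info.key_bits == 0:
        return "none"            # NULL suites: integrity only, traffic is readable
    if info.export:
        return "export"          # 40-bit keys, brute-forceable
    if info.key_bits < 112:
        return "weak"            # single DES
    if info.cipher == "RC4":
        return "legacy"          # stream cipher with known keystream biases
    return "best available"      # 3DES: the strongest suite this appliance offers


def protocol_verdict(version: str) -> str:
    return "obsolete" if version == "SSLv2" else "usable"


def audit(suites=SUPPORTED_SUITES) -> dict:
    return {s: verdict(parse_suite(s)) for s in suites}


def preferred_suite(suites=SUPPORTED_SUITES) -> str:
    """The suite to pin the browser to: non-export, longest key, SHA over MD5."""
    infos = [parse_suite(s) for s in suites]
    best = max(infos, key=lambda i: (not i.export, i.key_bits, i.mac == "SHA"))
    return best.name


if __name__ == "__main__":
    for suite, v in audit().items():
        print(f"{suite:18s} {v}")
    for version in SUPPORTED_PROTOCOLS:
        print(f"{version:18s} {protocol_verdict(version)}")
    print("prefer:", preferred_suite())
```

Run stand-alone it prints one verdict per suite and names DES-CBC3-SHA as the suite to prefer; the same parser works on any OpenSSL-style suite list, so it can be pointed at whatever a newer firmware advertises.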
103. 255.255.255.0
7. The Fill in information about your LAN page allows configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL work for most networks. If you do not use the default settings, enter the SonicWALL LAN settings and click Next to continue.

Configuring the Network Mode on the SonicWALL, Page 41

Configuring the SonicWALL DHCP Server
Optional SonicWALL DHCP Server: The SonicWALL contains a Dynamic Host Configuration Protocol (DHCP) server to automatically configure the IP settings for the PCs and other network devices on your LAN. If you wish to use SonicWALL's DHCP Server, check the Enable DHCP Server checkbox and enter a range of IP addresses to assign to the network devices on your LAN. The address range must be in the same subnet as the SonicWALL Web management address (currently set to 192.168.168.1). The range below has already been set up; you may change it here if you wish. If you don't want to use the DHCP server, uncheck the Enable DHCP Server checkbox and click Next.
Enable DHCP Server [x]
Beginning of LAN client address range: 192.168.168.2
End of LAN client address range: 192.168
104. (Log window as shown in the screenshot; columns are Time, Message, Source "ip, port", Destination "ip, port", From/To, Notes)
10/06/2000 08:40:29.544  TCP connection dropped   10.0.32.1, 2494    10.0.32.5, 13      WAN to LAN
10/06/2000 08:46:15.912  Ping of death blocked    10.0.32.1, 8       10.0.32.5, 8       WAN to LAN
10/06/2000 08:46:15.912  Possible Port Scan       10.0.32.1, 106     10.0.32.5, 106     WAN to LAN
10/06/2000 08:46:15.912  Probable Port Scan       10.0.32.1, 100     10.0.32.5, 100     WAN to LAN
10/06/2000 08:49:04.208  TCP connection dropped   10.0.6.254, 2082   10.0.32.5, 110     WAN to LAN   "Retrieve Email (POP3)"
10/06/2000 08:51:13.064  Web site blocked         192.168.168.2      208.185.5.93, 80   LAN to WAN   Code 00:06:29:15:A0:14, www.sapictures.com

Logging and Alerts, Page 91

SonicWALL Log Messages
Each log entry contains the date and time of the event and a brief message describing the event. It is also possible to copy the log entries from the management interface and paste them into a report.
• TCP, UDP or ICMP packets dropped: When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number, or the ICMP code, follows the IP address. Log messages usually include the name of the service in quotation marks.
• Web, FTP, Gopher or Newsgroup blocked: When a computer attempts to connect to a blocked site or newsgroup, a log event is display
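Because the log can be copied out of the interface, the entries can be fed to a script for reporting or detection. The following is an added example, not code from the guide, that parses entries with the fields described above and flags sources that probe several ports on one host. The sample entries are constructed to mirror the screenshot's rows, and the tab-separated layout is an assumption about how a copy/paste of the log window looks.

```python
# Added example, not part of the SonicWALL guide: parse log entries of the form
# described above and run a simple detection over them. SAMPLE_LOG is constructed
# to mirror the screenshot's fields (time, message, "ip, port" source and
# destination, from-zone, to-zone, notes); the tab-separated layout is an
# assumption about what a copy/paste of the log window looks like.

import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = (
    "10/06/2000 08:40:29.544\tTCP connection dropped\t10.0.32.1, 2494\t10.0.32.5, 13\tWAN\tLAN\t\n"
    "10/06/2000 08:46:15.912\tPing of death blocked\t10.0.32.1, 8\t10.0.32.5, 8\tWAN\tLAN\t\n"
    "10/06/2000 08:46:15.912\tPossible Port Scan\t10.0.32.1, 106\t10.0.32.5, 106\tWAN\tLAN\t\n"
    "10/06/2000 08:46:15.912\tProbable Port Scan\t10.0.32.1, 100\t10.0.32.5, 100\tWAN\tLAN\t\n"
    "10/06/2000 08:49:04.208\tTCP connection dropped\t10.0.6.254, 2082\t10.0.32.5, 110\tWAN\tLAN\t\"Retrieve Email (POP3)\"\n"
    "10/06/2000 08:51:13.064\tWeb site blocked\t192.168.168.2, 1080\t208.185.5.93, 80\tLAN\tWAN\twww.sapictures.com\n"
)

# "ip, port" as the log shows it; for ICMP entries the number after the comma is
# the ICMP code rather than a port, exactly as the guide describes.
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\d+)$")


def parse_entry(line):
    fields = line.split("\t")
    if len(fields) < 6:
        raise ValueError(f"unexpected field count: {line!r}")
    src, dst = ENDPOINT.match(fields[2]), ENDPOINT.match(fields[3])
    if not (src and dst):
        raise ValueError(f"bad endpoint in: {line!r}")
    return {
        "time": datetime.strptime(fields[0], "%m/%d/%Y %H:%M:%S.%f"),
        "message": fields[1],
        "src_ip": src.group(1), "src_port": int(src.group(2)),
        "dst_ip": dst.group(1), "dst_port": int(dst.group(2)),
        "from_zone": fields[4], "to_zone": fields[5],
        "notes": fields[6] if len(fields) > 6 else "",
    }


def parse_log(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def dropped_by_source(entries):
    """Count dropped/blocked events per source address."""
    counts = defaultdict(int)
    for e in entries:
        if e["message"].endswith(("dropped", "blocked")):
            counts[e["src_ip"]] += 1
    return dict(counts)


def port_scan_sources(entries, window=timedelta(minutes=10), min_ports=3):
    """Flag WAN sources that touched >= min_ports distinct TCP/UDP ports on one
    host inside `window`. ICMP entries ("Ping ...") carry codes, not ports,
    and are left out of the count."""
    hits = defaultdict(list)
    for e in entries:
        if e["from_zone"] == "WAN" and not e["message"].startswith("Ping"):
            hits[(e["src_ip"], e["dst_ip"])].append((e["time"], e["dst_port"]))
    flagged = set()
    for (src, _dst), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("drops per source:", dropped_by_source(entries))
    print("possible scanners:", port_scan_sources(entries))
```

On the sample, 10.0.32.1 is flagged because it touched ports 13, 106 and 100 on 10.0.32.5 within six minutes, which agrees with the appliance's own "Port Scan" entries; the window and threshold are tunable to the site's traffic.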
105. Connecting to the Internet
To complete the SonicWALL Installation Wizard, you must have the following information available:
• Instructions to obtain a dynamic IP address automatically, or
• Static IP address(es), subnet mask, gateway and DNS server addresses.
This information is provided by your Internet Service Provider (ISP). If you are missing any of the information above, please contact your ISP.

The Connecting to the Internet page lists the information required to complete the installation.
Tip: Confirm that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages.
4. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet. Click the hyperlinks for definitions of the networking terms. Click Next to proceed to the next step.

Selecting Your Internet Connection
Connecting to the Internet: select one of the following Network Addressing Modes. To connect to the Internet, your Internet Service Provider (ISP):
( ) Assigned you a single static IP address
( ) Assigned you two or more IP addresses
( ) Provided you with desktop software, a user name and password (PPPoE)
( ) Automatically assigns you a dynamic IP address (DHCP)
( ) Provided you with
106. computers on the LAN, you must enable the DHCP Server on the DHCP Setup page.

Standard Mode
Configuring the SonicWALL in Standard mode requires a static IP address from your ISP. In this mode you must have separate static IP addresses for all computers on your network. Instructions for configuring a SonicWALL in Standard mode begin on page 19.

Network Address Translation (NAT) Enabled
Using NAT to set up your SonicWALL eliminates the need for separate public IP addresses for all computers on your LAN. It is a way to conserve the IPv4 addresses available from the Internet address pool. If you do not have enough individual IP addresses for all computers on your network, you can use NAT for your network configuration. Instructions for configuring NAT Enabled mode begin on page 20.

NAT with PPPoE Client
NAT with PPPoE Client uses Point-to-Point Protocol over Ethernet (PPPoE) to connect to a remote site through various Remote Access Service products. PPPoE is typically used with a DSL modem and an ISP that requires a user name and password to log into the remote server. The ISP may then allow you to obtain an IP address automatically or give you a specific IP address. Instructions for configuring NAT with PPPoE Client mode begin on page 26.
107. (mySonicWALL.com status page for the appliance, showing its Serial Number, Activation Status: Enabled, and Expiration Date: 8/6/2002 6:52:00 PM)

Registering at mySonicWALL.com, Page 57

Activating Services Using mySonicWALL.com
To activate a service such as Content Filter, use the following steps:
1. Log into mySonicWALL.com using your username and password. Select the appliance to be upgraded with the Content Filter List subscription and click its name.
2. Click Activate next to Content Filter. The following screen appears with an Activation Key field and a Terms and Conditions message.
3. Enter the Activation Key into the Activation Key field and select "I have read and agreed to all of the above terms and conditions". Click Submit.
4. The Content Filter List subscription is now active and you can download the Content Filter List through your SonicWALL appliance.

4 Configuring the TELE3 SP Modem Connection
To improve the operational availability of networks and ensure fast recovery from network failures, the SonicWALL has the capability of using a modem to dial a secondary network connectio
108. (VPN Security Association page, showing the Encryption Key and Authentication Key fields, the Range Start / Range End / Subnet Mask fields used to determine broadcast addresses for NetBIOS support, and the Add New Network, Delete This SA, Update and Reset buttons)

3. Enter a descriptive name for the Security Association, such as Chicago Office or Remote Management, in the Name field.
4. Enter the IP address of the remote VPN gateway in the IPSec Gateway Address field. This must be a valid IP address and is the remote VPN gateway's NAT Public Address if NAT is enabled. Enter 0.0.0.0 if the remote VPN gateway has a dynamic IP address. With 0.0.0.0 the peer is not identified by its address at all, so the SPIs and keys are the only thing that authenticates it.
5. Define an SPI (Security Parameter Index) that the remote SonicWALL uses to identify the Security Association in the Incoming SPI field.
6. Define an SPI that the local SonicWALL uses to identify the Security Association in the Outgoing SPI field. SPIs should be 3 to 8 characters long and contain only hexadecimal characters.

Alert: Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, a Security Association's Incoming SPI can be the same as its Outgoing SPI.

7. Select an encryption algorithm from the Encryption Method menu. Enter a 16-character hexadecimal key in the Encryption Key field if you are using DES or ARCFour encrypti
109. ALL Internet Security appliance. To enable this feature in the SonicWALL appliance, follow these steps:
1. Click DHCP on the management interface. On the Setup tab, select Disable DHCP Server.
2. Select the Allow DHCP Pass Through check box.
(Setup tab fields: Disable DHCP Server / Allow DHCP Pass Through; Enable DHCP Server; Lease Time (60 minutes); WorkPort Default Gateway and Subnet Mask; HomePort Default Gateway and Subnet Mask; DNS Server 1 to 3 or "Use SonicWALL's Network settings"; WINS Server 1 and 2; Allow BootP clients to use range (BootP-capable ranges are shown with a B); Static IP Address)

DHCP Server, Page 173

Configuring the SonicWALL DHCP Server
To configure the SonicWALL DHCP server for the WorkPort, the HomePort, or both, complete the following instructions:
1. Select Enable DHCP Server.

Alert: Make sure there are no other DHCP servers on the WorkPort or HomePort before you enable the DHCP server.

2. Enter the maximum length of the DHCP lease in the Lease Time field. The Lease Time determines how often the DHCP Server renews IP leases. The default Lease Time is 60 minutes; the value can range from 1 to 9999 minutes. If configuring the DHCP server for the WorkPort, enter the gateway address used by
110. ALL for changes to take effect. Restart the SonicWALL by clicking Restart, then click Yes to confirm the restart and send the restart command to the SonicWALL. The restart can take up to 90 seconds, during which time the SonicWALL is inaccessible and all network traffic through the SonicWALL is halted.

Alert: If you change the SonicWALL LAN IP Address, you must change the Management Station IP address to be in the same subnet as the new LAN IP address.

General and Network Settings, Page 85

NAT with PPTP Client Configuration
The SonicWALL can use the Point-to-Point Tunneling Protocol (PPTP) to connect to a PPTP server. This option supports older network implementations that require tunneling support; where the ISP also offers an IPSec or PPPoE option, prefer that. To configure NAT with PPTP Client, complete the following instructions:
1. Select NAT with PPTP Client from the Network Addressing Mode menu.
(The Network page then shows: SonicWALL LAN IP Address; LAN Subnet Mask; Add LAN Subnet / Delete Subnet; Obtain an IP address using DHCP or Use the specified IP address; WAN Gateway (Router) Address, for example 10.0.0.254; SonicWALL WAN IP (NAT Public) Add
111. AT and click Update.
3. Type the IP address 192.168.1.10 in the Private Range Begin field.
4. Type the IP address 208.1.2.4 in the Public Range Begin field.
5. Type 3 in the Range Length field.

Tip: You can configure the IP addresses individually, but it is easier to configure them as a range. However, the IP addresses on both the private and public sides must be consecutive to configure a range of addresses.

6. Click Update.
7. Click Access, then the Rules tab.
8. Click Add New Rule and configure the following settings:
• Allow
• Service: HTTP
• Source: WAN
• Destination: LAN 192.168.1.10 to 192.168.1.12
• Apply this rule always
9. Click Update and restart the SonicWALL.

The server configurations take effect after the SonicWALL restarts and the configuration is updated. Requests for http://208.1.2.4 are answered by the server at 192.168.1.10, requests for http://208.1.2.5 by the server at 192.168.1.11, and requests for http://208.1.2.6 by the server at 192.168.1.12. The mapping itself opens nothing: only the services you allow in a rule (here HTTP) reach the mapped servers from the WAN.

From the LAN, the servers can only be accessed using the private IP addresses (192.168.1.x), not the public IP addresses or domain names. For example, from the LAN you must use URLs like http://192.168.1.10 to reach the web servers. An IP address such as 192.168.1.10 on the LAN cannot be used both in a Public LAN Server configuration and in a One-to-One NAT configuration.

Advanced Features, Page 161
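To make the interaction between the One-to-One NAT range and the access rule concrete, here is an added example, not code from the guide or from SonicWALL, that models the three-address mapping above and the single HTTP rule and reports where an inbound request ends up. Identifying the HTTP service by destination port 80 is an assumption.

```python
# Added example, not from the guide: a model of the One-to-One NAT range above
# (private 192.168.1.10, public 208.1.2.4, length 3) together with the access
# rule from step 8, to show which requests reach which server. Identifying the
# HTTP service by destination port 80 is an assumption.

import ipaddress


def build_one_to_one(private_begin, public_begin, length):
    """Map each public address to the private address at the same offset;
    this is why both sides of the range must be consecutive."""
    priv = ipaddress.ip_address(private_begin)
    pub = ipaddress.ip_address(public_begin)
    return {str(pub + i): str(priv + i) for i in range(length)}


# The rule configured in step 8.
RULES = [{
    "action": "allow", "service": "HTTP", "port": 80, "source": "WAN",
    "dest_range": ("192.168.1.10", "192.168.1.12"),
}]


def in_range(ip, rng):
    lo, hi = (ipaddress.ip_address(x) for x in rng)
    return lo <= ipaddress.ip_address(ip) <= hi


def handle_inbound(nat_map, rules, src_zone, dst_public_ip, dst_port):
    """Translate a packet arriving from the WAN and apply the rules.
    Returns the private address it is delivered to, or None if dropped.
    WAN-to-LAN traffic is denied unless a rule allows it; the NAT mapping
    alone opens nothing."""
    private = nat_map.get(dst_public_ip)
    if private is None:
        return None
    for r in rules:
        if (r["source"] == src_zone and r["port"] == dst_port
                and in_range(private, r["dest_range"])):
            return private if r["action"] == "allow" else None
    return None


def handle_from_lan(nat_map, dst_ip):
    """From the LAN the public addresses are not usable; clients must use
    the private addresses directly, as the text above notes."""
    return None if dst_ip in nat_map else dst_ip


if __name__ == "__main__":
    nat = build_one_to_one("192.168.1.10", "208.1.2.4", 3)
    for public in nat:
        print(public, "->", handle_inbound(nat, RULES, "WAN", public, 80),
              "(port 22:", handle_inbound(nat, RULES, "WAN", public, 22), ")")
```

Run stand-alone it shows each public address reaching its server on port 80 and nothing on port 22; adding a second rule to RULES is all that is needed to expose another service.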
112. Active or Idle.

Tip: The Synchronize Now button is used for diagnostics and troubleshooting purposes and is not required for initial configuration.

In the Web Management interface for the primary SonicWALL, configure the backup SonicWALL settings as follows:
• Serial Number: Enter the serial number of the backup SonicWALL.
• LAN IP Address: The unique LAN IP address used to access and manage the backup SonicWALL, whether it is Active or Idle.

Alert: This IP address is different from the IP address used to contact the SonicWALL in the General > Network settings.

• WAN IP Address (Optional): This is a unique WAN IP address used to remotely manage the primary SonicWALL whether it is Active or Idle.

Check the Preempt mode checkbox if you want the primary SonicWALL to take over from the backup SonicWALL whenever the primary becomes available, for example after recovering from a failure and restarting. If this option is not used, the backup SonicWALL remains the active SonicWALL.

Tip: The primary and backup SonicWALLs use a heartbeat signal to communicate with one another. This heartbeat is sent between the SonicWALLs over the network segment connected to the LAN ports of the two SonicWALLs. The interruption of this heartbeat signal triggers the backup SonicWALL to take over operation from the active unit of the High Availability pair; because the heartbeat travels over the LAN segment, a failure of that segment looks the same to the backup as a failure of the active unit. The time required fo
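The effect of the Preempt mode option is easiest to see on a timeline. The following is an added example, not code from the guide, that models the heartbeat as seen by the backup unit and compares the two settings; the heartbeat period and the number of missed heartbeats that trigger a failover are assumptions, since the guide's figure is cut off above.

```python
# Added example, not from the guide: a model of the heartbeat and the Preempt
# mode option. The heartbeat period and the number of missed heartbeats that
# trigger a failover are assumptions (the guide's figure is cut off above).


class HAPair:
    def __init__(self, preempt, miss_threshold=3):
        self.preempt = preempt
        self.miss_threshold = miss_threshold
        self.active = "primary"
        self.missed = 0

    def tick(self, primary_up):
        """One heartbeat period as observed by the backup unit."""
        if primary_up:
            self.missed = 0
            if self.active == "backup" and self.preempt:
                self.active = "primary"   # primary is back; with Preempt it takes over
        else:
            self.missed += 1
            if self.active == "primary" and self.missed >= self.miss_threshold:
                self.active = "backup"    # heartbeat lost; backup takes over
        return self.active


def simulate(preempt, primary_status, miss_threshold=3):
    """primary_status: 'up' or 'down' for each heartbeat period.
    Returns the unit that is active after each period."""
    pair = HAPair(preempt, miss_threshold)
    return [pair.tick(status == "up") for status in primary_status]


if __name__ == "__main__":
    timeline = ["up", "down", "down", "down", "down", "up", "up"]
    print("preempt on: ", simulate(True, timeline))
    print("preempt off:", simulate(False, timeline))
```

With Preempt on, the primary resumes as soon as its heartbeat returns, which means a flapping primary causes repeated failovers; with it off, the backup keeps running until an administrator forces a transition.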
113. All SonicWALLs include a Management Security Association (SA) for secure remote management. The Management SA does not permit access to remote network resources.

Tip: If you have enabled VPN on your SonicWALL, the SonicWALL can be managed remotely using a Management SA or with a VPN SA.

To enable secure remote management, click Access on the left side of the browser window and click the Management tab. Then select Enable Management Using VPN Client to enable secure remote management using Manual Key. When remote management is enabled, a Management SA is automatically generated. The Management SA uses Manual Keying to set up a VPN tunnel between the SonicWALL and the VPN client. The Management SA also defines Inbound and Outbound Security Parameter Indices (SPIs), which match the last eight digits of the SonicWALL serial number. The preset SPIs are displayed in the Security Association Information section. It is not necessary to configure a VPN connection for Remote Management, as the Management SA is automatically configured in this section. Because the SPIs are derived from the serial number, the encryption key is the only secret protecting this tunnel.
1. Enter a 16-character hexadecimal encryption key in the Encryption Key field. Valid hexadecimal characters are 0 to 9 and A to F. An example of a valid encryption key is 1234567890ABCDEF; it shows the format only and must not be used. Use the randomly generated key that appears in the Encryption Key field, or another key generated at random.
2. E
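The manual-key rules scattered across the SA configuration steps (3 to 8 hexadecimal characters per SPI, SPIs unique across SAs, 16 hexadecimal characters for a DES or ARCFour key, a destination network outside the local range, and Management SA SPIs preset from the serial number) are easy to get wrong by hand. The following is an added example, not code from the guide and not SonicWALL code, that generates parameters meeting those rules and checks a set of SAs against them. The 32-hexadecimal-character authentication key length follows the field width in the screenshot and is an assumption.

```python
# Added example, not part of the guide and not SonicWALL code: generate and
# check manual-key Security Association parameters against the rules in the
# sections above (SPIs of 3-8 hexadecimal characters, unique across SAs;
# 16-hex-character encryption keys for DES/ARCFour; a destination network that
# does not overlap the local LAN; Management SA SPIs preset from the serial
# number). Keys come from the OS CSPRNG. The 32-hex-character authentication
# key length follows the field width in the screenshot and is an assumption.

import ipaddress
import re
import secrets

HEX = re.compile(r"^[0-9A-Fa-f]+$")


def valid_spi(spi):
    return bool(HEX.match(spi)) and 3 <= len(spi) <= 8


def valid_key(key, hex_len=16):
    return bool(HEX.match(key)) and len(key) == hex_len


def new_spi():
    """Use all 8 characters: a 32-bit SPI leaves the least room for collisions."""
    return secrets.token_hex(4).upper()


def new_key(hex_len=16):
    return secrets.token_hex(hex_len // 2).upper()


def networks_overlap(a, b):
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def new_manual_sa(name, gateway, local_net, dest_net):
    """Build one SA record. gateway may be '0.0.0.0' for a dynamically addressed
    peer, in which case the SPIs and keys are all that identifies that peer."""
    if networks_overlap(local_net, dest_net):
        raise ValueError("destination network must not be in the local address range")
    ipaddress.ip_address(gateway)  # raises on a malformed address
    return {
        "name": name,
        "gateway": gateway,
        "incoming_spi": new_spi(),
        "outgoing_spi": new_spi(),
        "encryption_key": new_key(16),       # DES / ARCFour: 16 hex characters
        "authentication_key": new_key(32),   # assumed HMAC key width
        "destination": str(ipaddress.ip_network(dest_net, strict=False)),
    }


def check_sa_set(sas):
    """No two SAs may share an SPI; an SA's own incoming and outgoing SPI may match."""
    owner = {}
    problems = []
    for sa in sas:
        for spi in {sa["incoming_spi"].upper(), sa["outgoing_spi"].upper()}:
            if not valid_spi(spi):
                problems.append(f"{sa['name']}: SPI {spi} is not 3-8 hex characters")
            elif owner.setdefault(spi, sa["name"]) != sa["name"]:
                problems.append(f"SPI {spi} shared by {owner[spi]} and {sa['name']}")
        if not valid_key(sa["encryption_key"]):
            problems.append(f"{sa['name']}: encryption key is not 16 hex characters")
    return problems


def management_spis(serial):
    """The Management SA presets both SPIs to the last eight characters of the
    serial number (the guide says 'digits'); they are public, the key is not."""
    spi = serial[-8:].upper()
    return spi, spi


if __name__ == "__main__":
    sas = [new_manual_sa("Chicago Office", "208.1.2.4", "192.168.1.0/24", "192.168.2.0/24"),
           new_manual_sa("Remote Management", "0.0.0.0", "192.168.1.0/24", "10.5.0.0/16")]
    for sa in sas:
        print(sa["name"], sa["incoming_spi"], sa["outgoing_spi"], sa["encryption_key"])
    print("problems:", check_sa_set(sas))
```

Manual keying has no rekeying, so the generated keys stay in use until someone replaces them; treat the output the way you would a password and schedule rotation.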
114. Availability on the Primary SonicWALL 226
Configuration Changes 228
Synchronizing Changes between the Primary and Backup SonicWALLs 229
High Availability Status 229
High Availability Status Window 230
E-mail Alerts Indicating Status Change 231
View Log 232
Forcing Transitions 232
Configuration Notes 233

Contents, Page 7

15 SonicWALL Options and Upgrades 234
SonicWALL VPN Client 234
SonicWALL Network Anti-Virus 234
Content Filter List Subscription 235
Vulnerability Scanning Service 235
SonicWALL Authentication Service 235
SonicWALL ViewPoint Reporting 236
SonicWALL Global Management System 236
Contact Your Reseller or SonicWALL
115. Close

Configuring the Network Mode on the SonicWALL, Page 31
Configuring NAT with DHCP Client

Accessing the Installation Wizard
The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administrator password and configuring the settings necessary to access the Internet.

Tip: To bypass the Wizard, click Cancel. Then log into the SonicWALL Management Interface by entering the User Name "admin" and the Password "password". If you bypass the Wizard, change this default password at once; it is the same on every unit shipped.

The first time you access the SonicWALL Management interface, the SonicWALL Installation Wizard automatically launches and begins the installation process.

Welcome to the SonicWALL Internet Security Appliance Wizard: This Wizard will help you quickly configure the SonicWALL to secure your Internet connection. Once completed, you can use the SonicWALL Web Management Interface for additional configuration options. Please see the User's Guide for more details. To bypass this Wizard, click Cancel.
1. To configure your SonicWALL appliance, read the instructions on the Wizard Welcome page and click Next to continue.

Setting the Password
Set Your Password: First you will need to choose a good administrator password in order to protect the security of your SonicWALL. Note that this password
116. Coverage Hours
Support is provided during standard business hours, 24 hours per day local time, seven days per week, including locally recognized SonicWALL holidays.

Telephone and Web-based Support
SonicWALL provides technical assistance during standard coverage hours by telephone or through Web-based support tools for 90 days after the date of purchase. A SonicWALL technical specialist works with you to remotely diagnose and identify firmware and hardware not performing to documented specifications. Web-based support includes interactive communication with a SonicWALL technical specialist. SonicWALL also provides general assistance regarding usage and documentation on a limited basis.

Hardware Service
Warranty support includes the repair or replacement of failing hardware returned to the SonicWALL factory for a period of one year following the date of purchase. Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL. SonicWALL ships a replacement appliance to you based upon the RMA information. Upon receipt of the failed appliance, SonicWALL ships a fully functional replacement appliance to you. The replacement appliance is equivalent to a new appliance. SonicWALL does not accept failed appliances without a valid RMA number.

Software/Firmware Support
SonicWALL logs, tracks, prioritizes and resolves software, firmware and/or documentation bug
117. (entry not legible) 126

10 Network Access Rules 127
Viewing Network Access Rules 127
Services 128
(entry not legible) 128
DMZ (Optional) 128
LAN In 128
Public LAN Server 129
Windows Networking (NetBIOS) Broadcast Pass Through 129
Windows Messenger Support 129
Detection Prevention 129
Network Connection Inactivity Timeout 129
Add Service 130
Add a Known Service 130
Add a Custom Service 130
Enable Logging 131
Delete a Service 131
Rules 131
Maximum Number of Rules by Product 132
Network Access Rule Logic List 133
Bandwidth Management 133
Add a New Rule
118. Erases the firmware and resets the SonicWALL TZ to its factory clean state. This can be necessary if the administrator password is forgotten or the firmware has become corrupt. Because the reset switch and the serial console let anyone with physical access bypass the administrator password, install the appliance where physical access is controlled.

Serial Port: DB-9 RS-232 serial port for Command Line Interface support.

3 Twisted Pair (10Base-T/100Base-T) Ethernet Ports: 3 auto-switching 10 Mbps/100 Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks. The Ethernet ports connect the SonicWALL TZ to the LAN, DMZ and WAN using twisted pair cable with RJ-45 connectors.

Power Input: Connects to the external power supply that is provided with the SonicWALL TZ. The use of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TZ against damage or loss of data due to electrical storms, power failures or power surges.

Cooling Vents: The SonicWALL TZ is convection cooled; an internal fan is not necessary. Do not block the cooling vents.

Page 246 SonicWALL Internet Security Appliance Administrator's Guide

SonicWALL TELE3 TZX Front Panel
The SonicWALL TELE3 TZX front panel is shown below, followed by a description of each item: Power LED; WAN Port LEDs (Link, 100, Activity); HomePort LEDs (Link, 100, Activity); WorkPort LEDs (Link, 100, Activity); Test LED.

Power: Lights up when power is applied to the SonicWALL TZX.
Test: Lights up when the SonicWALL TZX is first powered up and performing diagnostic tests to check fo
119. Internet, you must configure the Intranet settings on the SonicWALL. Creating an Intranet firewall is achieved by connecting the SonicWALL between an unprotected and a protected segment.

(Diagram: Internet, router, unprotected public servers on the WAN side of the SonicWALL; protected network on the LAN side)

Installation
1. Connect the LAN Ethernet port on the back of the SonicWALL to the network segment to be protected against unauthorized access.

Alert: Devices connected to the WAN port do not have firewall protection. It is recommended that you use another SonicWALL Internet security appliance to protect computers on the WAN.

2. Connect the SonicWALL to a power outlet. For the SonicWALL PRO 200, PRO 300, PRO 230 and PRO 330, press the Power Switch to the ON position.

Intranet Configuration
Click Advanced on the left side of the browser window and then click the Intranet tab. To enable an Intranet firewall, you must specify which machines are located on the LAN, or you must specify which machines are located on the WAN. It is best to select the network area with the smaller number of machines. For example, if only one or two machines are connected to the WAN, select Specified address ranges are attached to the WAN link; that way you only have to enter one or two IP addresses in the Add Range section. Specify the IP addresses individually or
WorkPort IP Address: Enter the beginning IP address of your WorkPort IP address range in the Range Start field. Enter the ending IP address in the Range End field. Select the Allow BootP clients to use range check box if you want BootP clients to receive IP leases. Then click Update. When the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Continue this process until you have added all the desired dynamic ranges.

Enter the beginning IP address of your HomePort IP address range in the Range Start field. Enter the ending IP address in the Range End field. Select the Allow BootP clients to use range check box if you want BootP clients to receive IP leases. Then click Update. When the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Continue this process until you have added all the desired dynamic ranges.

Tip: The DHCP Server does not assign an IP address from the dynamic range if the address is already being used by a computer on your WorkPort.

11. The DHCP Server can also assign Static Entries, or static IP addresses, to computers on the LAN. Static IP addresses should be assigned to servers that require permanent IP settings. Enter the IP address assigned to your computer or server in the Static IP Address field. Enter the Ethernet MAC
blocks these broadcasts. If you select From LAN to WAN, your SonicWALL allows NetBIOS broadcasts from LAN to DMZ or from LAN to WAN. Then LAN users are able to view machines on the DMZ and the WAN in their Windows Network Neighborhood.

Windows Messenger Support: Select Enable Support if you are having problems using Windows Messenger through the SonicWALL. If Enable Support is selected, it may affect the performance of the SonicWALL.

Detection Prevention

Enable Stealth Mode: By default, the SonicWALL responds to incoming connection requests as either blocked or open. If you enable Stealth Mode, your SonicWALL does not respond to blocked inbound connection requests. Stealth Mode makes your SonicWALL essentially invisible to hackers.

Randomize IP ID: A Randomize IP ID check box is available to prevent hackers using various detection tools from detecting the presence of a SonicWALL appliance. IP packets are given random IP IDs, which makes it more difficult for hackers to fingerprint the SonicWALL appliance. Use this check box for additional security from hackers.

Network Connection Inactivity Timeout: If a connection to a remote server remains idle for more than five minutes, the SonicWALL closes the connection. Without this timeout, Internet connections could stay open indefinitely, creating potential security holes. You can increase the Inactivity Timeout if applications such as Telnet and FTP are frequently disconnected. Net
is managed by SGMS; however, the Syslog Server fields cannot be configured by the administrator of the SonicWALL.

6. E-mail Log Now: Clicking E-mail Log Now immediately sends the log to the address in the Send Log To field and then clears the log.

7. Clear Log Now: Clicking Clear Log Now deletes the contents of the log.

8. Send Log Every / At: The Send Log menu determines the frequency of log e-mail messages: Daily, Weekly or When Full. If the Weekly option is selected, then enter the day of the week the e-mail is sent in the Every menu. If the Weekly or the Daily option is selected, enter the time of day when the e-mail is sent in the At field. If the When Full option is selected and the log fills up, it is e-mailed automatically.

9. When log overflows: The log buffer fills up if the SonicWALL cannot e-mail the log file. The default behavior is to overwrite the log and discard its contents. However, you can configure the SonicWALL to shut down and prevent traffic from traveling through the SonicWALL if the log is full.

10. Syslog Individual Event Rate (seconds/event): The Syslog Individual Event Rate setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Individual Event Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted and then, at the end of the period, a message is written to the Syslog that includes the numbe
Users

Extensive features are available on the Users tab in the Access section of the Management interface. User-level access can be configured for authentication and access to the network. Authentication can be performed using a local user database, RADIUS, or a combination of the two applications. For instructions on configuring individual users on RADIUS servers, see Appendix I.

Currently, when a VPN tunnel is established between two SonicWALL appliances, any users residing on the local LAN of each SonicWALL can send data across the VPN. In some cases complete user access could be a security risk, and it may be preferable that only authenticated users access the VPN tunnel and send data across the network.

[Figure: Users tab, Global User Settings, showing the User Idle Timeout setting "Time users out after 5 minutes of inactivity" and the Update button]

User Settings

Time users out after 5 minutes of inactivity: Enter the number of allowable inactivity minutes before a user is automatically logged out of the network via the SonicWALL.

Limit login session time to: Limit the length of time, in minutes, that a user is allowed to be logged into the network via the SonicWALL. When a user logs into the SonicWALL using a username and password, the user can also set the maximum login session time, but it cannot be lon
• Restore restores the factory default settings for all saved parameters, with the exception of the password, the LAN IP address and the subnet mask.

• Status displays the information typically seen on the Web management interface tab labeled General.

• TSR retrieves a copy of the tech support report using the Z-modem file transfer protocol.

6 General and Network Settings

This chapter describes the tabs in the General section and the configuration of the SonicWALL Internet Security appliance Network Settings. The Network Settings include the SonicWALL IP settings, the administrator password, and the time and date. There are three tabs other than Status in the General section: Network, Time and Administrator.

Network Settings

To configure the SonicWALL Network Settings, click General and then click the Network tab.

Network Addressing Mode

The Network Addressing Mode menu determines the network address scheme of your SonicWALL. It includes six options: Standard, NAT Enabled, NAT with DHCP Client, NAT with PPPoE, NAT with L2TP Client and NAT with PPTP Client. Standard mode requires valid IP addresses for all computers on your network but allows remote access to authenticated users. NAT Enabled mode translates the private IP addresses on the network to the single valid IP address o
PRO 330 and GX series. These are listed in order from least secure to most secure. If network speed is preferred, then select DES & MD5. If network security is preferred, select 3DES & SHA1. To compromise between network speed and network security, select DES & SHA1.

AES (Advanced Encryption Standard) is an encryption method for securing sensitive but unclassified material by U.S. Government agencies.

Phase 2 Encryption/Authentication

Phase 2 Encryption/Authentication is different for the Group VPN SA. The VPN Client does not support ARCFour encryption methods, and you cannot disable authentication in the VPN client. The following encryption methods are available for Group VPN and are listed in order from most secure to least secure.

Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) uses 168-bit 3DES encryption and HMAC SHA1 authentication. 3DES is an extremely secure encryption method and HMAC SHA1 is used to verify integrity. This method significantly impacts the data throughput of the SonicWALL.

Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) uses 168-bit 3DES encryption and HMAC MD5 authenti
Phase 2 for Perfect Forward Secrecy.

Default LAN Gateway: specifies the IP address of the default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box.

VPN Terminated at LAN, DMZ or LAN/DMZ: select one of the three terminating points for the VPN tunnel.

Click Update to add the Security Association. Once the SonicWALL PRO 200 is updated, a message confirming the update is displayed at the bottom of the browser window.

Configuring a SonicWALL TELE3 in San Francisco

1. Enter the SonicWALL TELE3 Unique Firewall Identifier in the VPN Summary window; in this example, San Francisco Office. Click Update.

2. Click Configure and select Add New SA from the Security Association menu.

3. Select IKE using pre-shared secret from the IPSec Keying Mode menu.

4. Enter the SonicWALL PRO 200 Unique Firewall Identifier in the SonicWALL TELE3 Name field; in this example, Chicago Office.

5. Enter the SonicWALL PRO 200 WAN IP Address in the IPSec Gateway Address field. This address must be valid and is the SonicWALL PRO 200 NAT Public Address, or 216.0.0.20.

6. Select Group 2 from the Phase 1 DH Group menu.

7. Enter 28800 in the SA Life time (secs) field to renegotiate keys daily.

8. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu.

9. Select the encryption algorithm from the Phase 2 Encr
RFC compliant window appears.

8. Enter 1 as the Vendor assigned attribute number.

9. Select Decimal as the Attribute format.

10. Enter one of the following values as the Attribute value. Each value defines a privilege for users within the policy:
   1 = Remote Access
   2 = Bypass Filters
   3 = Access from VPN Client
   4 = Access to VPNs

11. Click OK and then OK again to return to the Multivalued Attribute Information window.

Repeat Steps 5 through 11 for each privilege configured for a policy. For further information, refer to "To configure vendor-specific attributes for a remote access policy" in the IAS help file.

With IAS, the user database is located on the domain controller. Therefore, IAS only supports CHAP with RADIUS if the domain controller is configured to store passwords using reversible encryption for all users. If the domain controller is not configured in this manner, it is necessary to use HTTPS to log into the SonicWALL management interface.

RADIUS Attributes Dictionary

The following is the RADIUS dictionary in the format used with Funk Software's Steel-Belted RADIUS server.

################################################################################
# SonicWALL.dct
# This is the Radius dictionary file for the SonicWALL Firewall Products
#
# Notes:
#   NRHH: Not Required to Honor the Hint (applies to request attributes)
#   This language the ex
[Figure: VPN Client Security Policy Editor. The Network Security Policy tree shows My Connections > VPN Client > My Identity, Security Policy, Authentication (Phase 1) and Key Exchange (Phase 2) > Proposal 1; the Proposal 1 pane shows SA Life, Compression, Encapsulation Protocol (ESP) with Encrypt Alg, Hash Alg and Encapsulation, and Authentication Protocol (AH).]

1. Select Key Exchange (Phase 2) in the Network Security Policy box. Then select Proposal 1 below Key Exchange (Phase 2).

2. Select Unspecified in the SA Life menu.

3. Select None from the Compression menu.

4. Select the Encapsulation Protocol (ESP) check box.

5. Select DES from the Encryption Alg menu.

6. Select MD5 from the Hash Alg menu.

7. Select Tunnel from the Encapsulation menu.

8. Leave the Authentication Protocol (AH) check box unselected.

Configuring Inbound VPN Client Keys

1. Click Inbound Keys. The Inbound Keying Material box appears.

[Figure: Inbound Keying Material dialog: Decryption Security Parameters Index (0x), key format (ASCII or Binary), ESP Encryption Key, ESP Authentication Key, AH Authentication Key]

2. AH Authentication Key Or
Three types of network cards are available in the GX series: Fast Ethernet (10/100Base-T), Gigabit over Fiber (1000Base-SX) and Gigabit over Copper (1000Base-T).

SonicWALL GX250 Front Panel

Three Fast Ethernet interfaces provide connectivity for either Ethernet or Fast Ethernet networks. The Ethernet ports connect the SonicWALL to the LAN, DMZ and WAN using category 5 twisted pair cable with RJ-45 connectors. The standard NIC has two LEDs:

• Link/Activity: The Link light is green when a twisted pair connection is made to another Ethernet device, usually a switch or a hub, on the port. Note that the device connected to the SonicWALL must support the standard link integrity test. The Link LED blinks, indicating Activity, when the SonicWALL transmits or receives a packet through the Twisted Pair port onto the network.

• Network Speed: The Network Speed LED is not lit if the network speed is 10 Mbps, and the LED is green if the network speed is 100 Mbps.

SonicWALL GX 650 Front Panel

Three Gigabit over Fiber or Copper ports provide connectivity for Gigabit networks. Before inserting the cables into the network ports on the fiber optics card, remove the plug from the ports. The 1000Base-SX interface has the following LED lights:

• Transmit (TX): The TX light is lit when the network is transmitting data over the network connection.

• Receive (RX): The RX light is lit when data is received over the n
VPN

Temperature: 40 to 105° F (5 to 40° C)
Humidity: 5 to 90%, non-condensing

Appendix B SonicWALL Support Solutions

SonicWALL's powerful security solutions give unprecedented protection from the risks of Internet attacks. SonicWALL's comprehensive support services protect your network security investment and offer the support you need when you need it.

Knowledge Base

All SonicWALL customers have immediate 24x7 access to our state-of-the-art electronic support tools. Power searching technologies on our Web site allow customers to locate information quickly and easily from our robust collection of technical information, including manuals, product specifications, operating instructions, FAQs, Web pages and known solutions to common customer questions and challenges.

Internet Security Expertise

Technical Support is only as good as the people providing it to you. SonicWALL support professionals are Certified Internet Security Administrators with years of experience in networking and Internet security. They are also supported by the best-in-class tools and processes that ensure a quick and accurate solution to your problem.

SonicWALL Support Offers

Warranty Support, North America and International

SonicWALL products are recognized as extremely reliable as well as easy to configure, install and manage. SonicWALL Warranty Support enhances these features wit
WALL returns to its primary connection, you can prevent the SonicWALL from returning to the primary connection before the primary connection becomes stable.

Enter the number of missed probes required for the WAN failover to occur in the Failover Trigger Level (missed probes) field.

Enable Preempt Mode if you want the primary WAN Ethernet interface to take over from the secondary modem WAN interface when it becomes active after a failure. If you do not enable Preempt Mode, the secondary WAN modem interface remains active as the WAN interface until you click Disconnect.

Click Update for the settings to take effect on the SonicWALL.

Configuring a Modem Profile for Manual Dial-Up

You can also use the modem to dial your ISP for Internet access without a broadband connection. If you're traveling with your TELE3 SP, you can create profiles for each ISP configuration necessary for dial-up Internet access. To configure your modem for manual dial-up access, follow these steps:

1. Log onto your Management station and click Modem, then Profiles.

2. Create a name for your profile and enter it in the Name field.

ISP Settings

1. Enter the primary number used to dial up the ISP in the Primary Phone Number field.

Tip: If a specific prefix is used to access an outside line, such as 9, enter the number as part of the phone number.

2. Enter the secondary number used to dial your ISP in the Secondary Phone Number field (optional).

Enter your ISP use
Wizard simplifies the initial installation and configuration of the SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administrator password and configuring the settings necessary to access the Internet.

Tip: Be sure to have your network information, including your PPTP Server IP address, user name and password, ready. This information is obtained from your ISP.

The first time you access the SonicWALL Management interface, the SonicWALL Installation Wizard automatically launches and begins the installation process.

[Figure: SonicWALL Installation Wizard welcome page. Text: "Welcome to SonicWALL Internet Security Appliance Wizard. This Wizard will help you quickly configure the SonicWALL to secure your Internet connection. Once completed, you can use the SonicWALL Web Management Interface for additional configuration options. Please see the User's Guide for more details. To bypass this Wizard, click Cancel." Buttons: Next, Cancel]

1. To configure your SonicWALL appliance, read the instructions on the Wizard Welcome page and click Next to continue.

Setting the Password

Alert: It is very important to choose a password which cannot be easily guessed by others.

[Figure: SonicWALL Installation Wizard, Set Your Password page. Text: "First you will need to choose a good administrator password in order
Z front panel is shown below, followed by a description of each item.

[Figure: SonicWALL TELE3 TZ front panel. Labels: Power LED, WAN Port LEDs, HomePort LEDs, WorkPort LEDs (Link, 100, Activity for each), Test LED]

SonicWALL TELE3 TZ Front Panel Description

Power: Lights up when power is applied to the SonicWALL TZ.

Test: Lights up when the SonicWALL TZ is first powered up and performing diagnostic tests to check for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time, the software is corrupt and must be reinstalled.

There are three Ethernet ports, one for each of the WorkPort, HomePort and WAN ports.

Link: Lights up when the Twisted Pair port is connected to a 10 Mbps or 100 Mbps hub or switch, or directly connected to a computer. Note that the connected Ethernet device must support the standard Link Integrity test.

100: Lights up when the Twisted Pair port is connected to a 100 Mbps hub or switch, or directly connected to a computer with a 100 Mbps network interface.

Activity: Flashes when the SonicWALL TZX transmits or receives a packet through the Twisted Pair port.

SonicWALL TELE3 TZ Back Panel

[Figure: SonicWALL TELE3 TZ back panel. Labels: Cooling Vents, 5VDC 2A Power Input, Reset Switch, WorkPort Ethernet Port (10 Mbps/100 Mbps), HomePort Ethernet Port (10 Mbps/100 Mbps), WAN Ethernet Port (10 Mbps/100 Mbps)]

SonicWALL TELE3 TZ Back Panel Description

Reset Switch
.......... 134
Add New Rule Examples .......... 136
Current Network Access Rules Table .......... 137
Users .......... 139
Global User Settings .......... 139
(illegible entry) .......... 142
RADIUS .......... 143
Management .......... 145
SonicWALL SNMP Support .......... 145
SonicWALL Management Protocol .......... 146
Additional Management .......... 146

11 Advanced Features .......... 148
Proxy Relay .......... 148
Web Proxy Forwarding .......... 148
Configuring Web Proxy Relay .......... 149
Bypass Proxy Servers Upon Proxy Failure .......... 149
Intranet .......... 150
Installation .......... 150
Intranet Configuration ..........
ability cannot be limited under applicable law, the SonicWALL liability shall be limited to the amount you paid for the Product. This warranty gives you specific legal rights, and you can have other rights which vary from state to state. By using this Product you agree to these limitations of liability. THIS WARRANTY AND THE REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, ORAL OR WRITTEN, EXPRESS OR IMPLIED. No dealer, agent or employee of SonicWALL is authorized to make any extension or addition to this warranty.

About this Guide

Thank you for purchasing the SonicWALL Internet Security appliance. The SonicWALL protects your PC from attacks and intrusions, filters objectionable Web sites, provides private VPN connections to business partners and remote offices, and offers a centrally managed defense against software viruses. This manual covers the configuration of the SonicWALL Internet Security appliance installation and features.

Organization of this Guide

Chapter 1, Introduction, describes the features and applications of the SonicWALL.

Chapter 2, Configuring the Network Mode on the SonicWALL, describes the installation of the SonicWALL and configuring network settings for the SonicWALL.

Chapter 3, Registering at mySonicWALL.com, provides details on registering your SonicWALL appliance in the product registration database.

Chapter 4, Configuring the TELE3 SP Modem, contains detailed instr
[Figure: TCP/IP Properties, WINS Configuration tab: Disable WINS Resolution / Enable WINS Resolution, WINS Server Search Order, Scope ID, Use DHCP for WINS Resolution]

5. Click on TCP/IP or Dial-Up Adapter and then Properties. Click the WINS Configuration tab and select Enable WINS Resolution. Enter the WINS server IP address given to you by the administrator and click Add. The WINS server address now appears in the text box below the address entry box.

6. If your administrator has given you an internal DNS address, click the DNS Configuration tab and enter the DNS IP address.

[Figure: TCP/IP Properties, WINS Configuration tab, with Enable WINS Resolution selected and a WINS server address added to the WINS Server Search Order list]

7. Windows 98 users must restart their computer for the settings to take effect and then log into the remote domain. Windows 2000 users should consult their network administrators for instructions to set up the remote domain access.

If your remote network does not have a network domain server, you cannot set up a WINS server and browse the network using Network Neighborhood. To access shared
add the rule to the SonicWALL.

Tip: The source part (WAN or LAN) can be limited to certain parts of the Internet using a range of IP addresses on the WAN or LAN. For example, the following rule can be used to configure the same Web server to be only visible from a single C class subnet on the Internet:

Allow HTTP; Source: WAN 216.77.88.1 to 216.77.88.254; Destination: LAN 208.5.5.5

Add New Rule Examples

The following examples illustrate methods for creating Network Access Rules.

Blocking LAN Access for Specific Services

This example shows how to block LAN access to NNTP servers on the Internet during business hours.

1. Click Add New Rule in the Rules window to launch the Add Network Access Rule Web browser window.

2. Select Deny from the Action menu.

3. Select NNTP from the Service menu. If the service is not listed in the list, you must add it in the Add Service window.

4. Select LAN from the Source Ethernet menu.

5. Since all computers on the LAN are to be affected, enter * in the Source Addr Range Begin field.

6. Select WAN from the Destination Ethernet menu.

7. Enter * in the Destination Addr Range Begin field to block access to all NNTP servers.

8. Select Apply this rule from to configure the time of enforcement.

9. Enter 8:30 and 17:30 in the hour fields.

10. Select Mon to Fri from the menu.

11. Click Update to add your new Rule.

Enabling Ping

By default, your SonicWALL does not respond to ping requests from the Internet. Thi
address.

Setting the Time and Date

The SonicWALL uses the time and date settings to time-stamp log events, to automatically update the Content Filter List, and for other internal purposes.

1. Click the Time tab.

[Figure: Time tab. Time Zone menu (Pacific Time (US & Canada), GMT -8:00); check boxes for Display time in International format, Automatically adjust clock for daylight saving changes, Display UTC in log instead of local time; Hours/Minutes and Year/Month fields; Use NTP to set time automatically with Update Interval (minutes); Add NTP Server and Delete NTP Server; note that the NTP list is optional and an internal NTP list is used by default; Update and Reset buttons]

2. Select your time zone from the Time Zone menu.

3. Click Update to add the information to the SonicWALL.

You can also enable automatic adjustments for daylight savings time, use universal time (UTC) rather than local time, and display the date in International format, with the day preceding the month. To set the time and date manually, clear the check boxes and enter the time in 24-hour format and the date.

NTP Settings

Network Time Protocol (NTP) i
5. Enter 192.168.168.200 in the IP Address field.

6. Enter 255.255.255.0 in the Subnet Mask field.

7. Click DNS Configuration.

8. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one address, enter the second one in the Alternate DNS server field.

9. Click OK and then click OK again.

10. Restart the computer for changes to take effect.

[Figure: TCP/IP Properties, IP Address tab, showing Specify an IP address selected with IP Address 192.168.168.200 and Subnet Mask 255.255.255.0]

Windows NT

1. From the Start list, highlight Settings and then select Control Panel.

2. Double-click the Network icon in the Control Panel window.

3. Double-click TCP/IP in the TCP/IP Properties window.

4. Select the Specify an IP Address radio button.

5. Enter 192.168.168.200 in the IP Address field.

6. Enter 255.255.255.0 in the Subnet Mask field.

7. Click DNS at the top of the window.

8. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one address, enter the second one in the Alternate DNS server field.

9. Click OK and then click OK again.

[Figure: Microsoft TCP/IP Properties (Windows NT): tabs IP Address, DNS, WINS Address, DHCP Relay, Routing; Adapter selection; Obtain an IP address from a DHCP server / Specify an IP address; IP Address
Configuring the SonicWALL in Standard Mode

This section describes configuring the SonicWALL in Standard mode. You must have a single static IP address to begin configuration. Follow the instructions below.

Tip: Be sure to have your network information, including your WAN IP address, subnet mask and DNS settings, ready. This information is obtained from your ISP.

1. Open a Web browser and enter the default SonicWALL IP address, 192.168.168.168, in the Location or Address field. The Login window appears.

2. Enter admin in the User Name field and password in the Password field.

3. Click Cancel on the initial Installation Wizard page to cancel the wizard.

4. Click Network in the General section.

5. Select Standard from the Network Addressing Mode menu.

6. Enter 192.168.168.1 in the SonicWALL LAN IP Address field.

7. Enter 255.255.255.0 in the LAN Subnet Mask field.

8. Enter your WAN router or default gateway IP address in the WAN Gateway (Router) Address field. If you have DSL or cable, your WAN router is typically located at your ISP.

9. Enter your DNS IP address(es) in the DNS Server fields.

10. Click Update. Once the SonicWALL is updated, you must restart the SonicWALL for the changes to take effect.

Configuring the SonicWALL in NAT Enabled Mode

This section describes configuring the SonicWALL appliance in the NAT mode. Essentially, NAT translates the IP addre
age and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable Cookies.

• Known Fraudulent Certificates: Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates. Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.

• Access to HTTP Proxy Servers: When a proxy server is located on the WAN, LAN users can circumvent content filtering by pointing their computer to the proxy server. Check this box to prevent LAN users from accessing proxy servers on the WAN.

Don't Block Java/ActiveX/Cookies to Trusted Domains

Select this option if you have trusted domains using Java, ActiveX and Cookies. To add a trusted domain, enter the domain name into the Add Trusted Domain field. Click Update to add the domain to the list of trusted domains. To delete a domain, select it from the list and then click Delete Trusted Domains. Trusted Domains can be added in the Restrict Web Feat
age in the Consent Accepted (Filtering Off) field. This page must reside on a Web server and be accessible as a URL by users on the LAN.

Consent Accepted URL (Filtering On): When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (Filtering On) field. This page must reside on a Web Server and be accessible as a URL by users on the LAN.

Mandatory Filtered IP Addresses

• Consent page URL (Mandatory Filtering): When a user opens a Web browser on a computer using mandatory content filtering, a consent page is displayed. You must create the Web page that appears when the Web browser is opened. It can contain text from an Acceptable Use Policy and notification that violations are logged or blocked. This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the SonicWALL that tells the SonicWALL that the user agrees to have filtering enabled. The link must be <192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP Address is used instead of 192.168.168.168. Enter the URL of this page in the Consent page URL (Mandatory Filtering) field and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of t
143. ailable:
- Instructions to obtain a dynamic IP address automatically, or
- Static IP address(es), subnet mask, gateway, and DNS server addresses.
This information is provided by your Internet Service Provider (ISP). If you are missing any of the information above, please contact your ISP.

The Connecting to the Internet screen lists the information required to complete the installation. You need instructions for obtaining an IP address automatically, or IP addresses from your ISP.

5. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet. Click the hyperlinks for definitions of the networking terms. Click Next to proceed to the next step.

Selecting Your Internet Connection

[Screenshot: SonicWALL Installation Wizard, Connecting to the Internet. "Select one of the following Network Addressing Modes. To connect to the Internet, your Internet Service Provider (ISP): Assigned you a single static IP address / Assigned you two or more IP addresses / Provided you with desktop software, a user name and password (PPPoE) / Automatically assigns you a dynamic IP address (DHCP). Please note: When the SonicWALL was powered on, it did not detect the presence of a PPPoE or a DHCP server on the Internet." Buttons: Back, Next, Cancel.]

6. Select Assigned you a single static IP address if your ISP has provided you with a single valid IP address. Yo
144. ains: Selecting this option blocks traffic to all Web sites except Allowed Domains until the URL List is available. Allow traffic to all Web sites: Selecting this option allows traffic to all Web sites without the URL List. However, Forbidden Domains and Keywords, if enabled, are still blocked.

Tip: If you enable Block traffic to all Web sites except for Allowed Domains and you have a 30-day subscription to the Content Filter List, you may not be able to access the Internet when the subscription expires.

Select Categories to Block

Block all categories: The SonicWALL uses a Content Filter List generated by CyberPatrol to block access to objectionable Web sites. CyberPatrol classifies objectionable Web sites based upon input from a wide range of social, political, and civic organizations. Select the Block all categories check box to block all of these categories. Alternatively, you can select categories individually by selecting the appropriate check box.

Tip: When you register your SonicWALL at <http://www.mysonicwall.com>, you can download a one-month subscription to Content Filter List updates.

The following is a list of the Content Filter List categories: Violence/Profanity, Satanic/Cult, Partial Nudity, Drugs/Drug Culture, Full Nudity, Militant/Extremist, Sexual Acts, Sex Education, Gross Depictions, Questionable/Illegal/Gambling, Intolerance, Alcohol & Tobacco. Visit http://www.sonicwall.com Content Filter c
145. al Appendices Page 267

Appendix D: IP Port Numbers

The port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. Well Known Ports range from 0 through 1023. Registered Ports range from 1024 through 49151. Dynamic and/or Private Ports range from 49152 through 65535.

Well Known Port Numbers: Well Known Ports are controlled and assigned by the Internet Assigned Numbers Authority (IANA) <http://www.iana.org> and on most systems can only be used by system processes or by programs executed by privileged users. Many popular services, such as Web, FTP, SMTP, POP3 e-mail, DNS, etc., operate in this port range. The assigned ports use a small portion of the possible port numbers. For many years the assigned ports were in the range 0-255. Recently, the range for assigned ports managed by the IANA has been expanded to the range 0-1023.

Registered Port Numbers: Registered Ports are not controlled by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users. While the IANA cannot control uses of these ports, it does list uses of these ports as a convenience. The Registered Ports are in the range 1024-65535. Visit <http://www.ietf.org/rfc/rfc1700.txt> for a list of IP port numbers.

Page 268 SonicWALL Internet Security Appliance Administrator's Guide

Appendix E: Configuring TCP/IP Settings

The following steps describe how to config
146. and off. Cooling Vents: The SonicWALL is convection cooled; an internal fan is not necessary. Do not block the cooling vents on the SonicWALL side panels.

Page 240 SonicWALL Internet Security Appliance Administrator's Guide

SonicWALL PRO 100 Front Panel

The SonicWALL PRO 100 front panel is shown below, followed by a description of each item.

[Front panel figure: Power and Test LEDs; DMZ, LAN, and WAN Port LEDs, each with Link, 100, and Activity indicators.]

SonicWALL PRO 100 Front Panel Description

Power: Lights up when power is applied to the SonicWALL PRO 100.

Test: Lights up when the SonicWALL PRO 100 is first powered up and performing diagnostic tests to check for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time, the software is corrupt and must be reinstalled.

There are three Ethernet ports, one for each of the LAN, DMZ, and WAN ports.

Link: Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or directly connected to a computer. Note that the connected Ethernet device must support the standard Link Integrity test.

100: Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch, or directly connected to a computer with a 100Mbps network interface.

Activity: Flashes when the SonicWALL PRO 100 transmits or receives a packet through the Twisted Pair port.

Hardware Descriptions Page 241

SonicWALL PRO 100 Back P
147. anel

The SonicWALL PRO 100 back panel is shown below, followed by a description of each item.

[Back panel figure: Cooling Vents; Reset Switch; 5VDC 2A Power Input; Serial Port; 10Mbps/100Mbps LAN Ethernet Port; 10Mbps/100Mbps DMZ Ethernet Port; 10Mbps/100Mbps WAN Ethernet Port.]

SonicWALL PRO 100 Back Panel Description

Reset Switch: Erases the firmware and resets the SonicWALL PRO 100 to its factory clean state. This can be necessary if the administrator password is forgotten or the firmware has become corrupt.

Serial Port: DB-9 RS-232 Serial port for Command Line Interface support.

3 Twisted Pair (10Base-T/100Base-T) Ethernet Ports: 3 auto-switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks. The Ethernet ports connect the SonicWALL PRO 100 to the LAN, DMZ, and WAN using Twisted Pair cable with RJ-45 connectors.

Power Input: Connects to the external power supply that is provided with the SonicWALL PRO 100. The use of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL PRO 100 against damage or loss of data due to electrical storms, power failures, or power surges.

Cooling Vents: The SonicWALL PRO 100 is convection cooled; an internal fan is not necessary. Do not block the cooling vents.

Page 242 SonicWALL Internet Security Appliance Administrator's Guide

SonicWALL TELE3 SP Front Panel

The SonicWALL TELE3 SP front panel is shown below, followed by a description o
148. annot be sent because you have not specified an outbound SMTP server address. The log will be overwritten if it fills up.

The Status tab displays the following information:

SonicWALL Serial Number: the serial number of the SonicWALL unit.
Number of LAN IP addresses allowed with this license: number of IP addresses managed by the SonicWALL.
Registration code: the registration code generated when the SonicWALL is registered at <http://www.mysonicwall.com>.
SonicWALL Active time: the length of time, in days, hours, and minutes, that the SonicWALL is active.
Firmware version: shows the current version number of the firmware installed on the SonicWALL.
ROM version: the version number of the ROM.
CPU: the type and speed of the SonicWALL processor.
VPN Hardware Accelerator Detected: indicates the presence of a VPN Hardware Accelerator in the firewall. This allows better throughput for VPN connections.
RAM: the amount of Random Access Memory on the board.
Flash: the size of the flash on the board.
Ethernet Speeds: network speeds of the network card.
Current Connections: number of computers connected to the SonicWALL.

Page 44 SonicWALL Internet Security Appliance Administrator's Guide

Other SonicWALL general status information is displayed in this section relating to other features in the SonicWALL, such as the type of network settings in use, log settings, content filter use, and
149. another NAT device.

Phase 1 DH Group: Diffie-Hellman (DH) key exchange, a key agreement protocol, is used during phase 1 of the authentication process to establish pre-shared keys. Groups 1, 2, and 5 use Modular Exponential with different prime lengths, as listed below.

Group Descriptor / Prime Size (bits): Group 1: 768; Group 2: 1024; Group 5: 1536.

If network speed is preferred, select Group 1. If network security is preferred, select Group 5. To compromise between network speed and network security, select Group 2.

SA Life time (Secs): allows you to configure the length of time a VPN tunnel is active. The default value is 28800 seconds (eight hours). You can configure up to 2,500,000 seconds (28.9 days).

SonicWALL VPN Page 183

Phase 1 Encryption/Authentication: select an encryption method from Encryption/Authentication for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select from one of eight encryption methods: DES & MD5, AES-128 & MD5, DES & SHA1, AES-128 & SHA1, 3DES & MD5, AES-256 & MD5, 3DES & SHA1, AES-256 & SHA1. AES support is available only on the PRO 230 and PRO 330. The encryption methods are listed in order from least secure to most secure. If network speed is preferred, then select DES & MD5. If network security is preferred, select 3DES & SHA1. To compromise between network speed and network security, select DES & SHA1. AES (Advance
150. appears in the details. If a certificate is valid and ready to be used with a VPN Security Association, the Status is Verified. If the certificate is not signed by the CA, the Status is Request Generated. You can also import the corresponding Signed Certificate in this section. Additionally, Certificate Signing Requests can be exported and deleted in the Certificate Details section of a Request Generated certificate.

Certificate Revocation List (CRL)

A Certificate Revocation List (CRL) is a way to check the validity of an existing certificate. A certificate may be invalid for several reasons:
- It is no longer needed.
- A certificate was stolen or compromised.
- A new certificate was issued that takes precedence over the old certificate.

If a certificate is invalid, the CA may publish the certificate on a Certificate Revocation List at a given interval, or on an online server in an X.509 v3 database using Online Certificate Status Protocol (OCSP). Consult your CA provider for specific details on locating a CRL file or URL.

Tip: The SonicWALL supports obtaining the CRL via HTTP or manually downloading the list. You can import the CRL by locating the URL and then importing it into the SonicWALL. Certificates are checked against the CRL by the SonicWALL for validity when they are used. You can also enter a URL location of the CRL by entering the address in the Enter CRL's location for this CA (URL) field. The CRL is downloaded automatically at intervals det
151. ate Address field, enter the private (internal) IP address assigned to the DMZ interface. The default address of 172.0.16.1 is appropriate for most networks.

2. Assign a subnet mask in the HomePort Subnet Mask field. The WorkPort and the HomePort can have the same subnet mask, but the subnets' private IP addresses must be different. For instance, the WorkPort subnet can be 192.168.0.1 with a subnet mask of 255.255.255.0, and the HomePort subnet can be 172.16.18.1 with a subnet mask of 255.255.255.0.

3. If you choose to use HomePort NAT Many-to-One Public Address (Optional), enter the HomePort public IP address, which is on the same subnet as the WAN, for access to devices on the HomePort interface. HomePort NAT Many-to-One Public Address is only available if your SonicWALL is configured in NAT Enabled networking mode on the WorkPort. Configure your computers connected to the HomePort to reside on the same subnet, i.e. have an IP address from the HomePort IP address range, and enter the HomePort IP address as the default gateway IP address.

Delete a HomePort Address Range: To delete an address or range, select it in the Address Range list and click Delete. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

Advanced Features Page 159

One-to-One NAT

One-to-One NAT maps valid external addresses to private addresses hidden by NAT. Computers on your private LAN are accessed on the
152. ategories.html> for a detailed description of the criteria used to define Content Filter List categories.

Page 102 SonicWALL Internet Security Appliance Administrator's Guide

Customizing the Content Filtering List

The Customize tab allows you to customize your URL List by manually entering domain names or keywords to be blocked or allowed.

[Screenshot: Customize tab, showing Delete Domain buttons, Enable Filter List Customization, Disable all web traffic except for Trusted Domains, Don't block Java/ActiveX/Cookies to Trusted Domain sites, Message to display when a site is blocked ("Web Site Blocked by SonicWALL Filter"), and the Update, Reset, and Logout buttons; STATUS: Ready.]

Custom Filter: You can customize your URL list to include Allowed Domains, Forbidden Domains, and Keywords. By customizing your URL list, you can include specific domains to be allowed (accessed) or forbidden (blocked), and include specific keywords to be used to block sites. Select the check box Enable Allowed/Forbidden Domains to activate this feature. To allow access to a Web site that is blocked by the Content Filter List, enter the host name, such as www.ok-site.com, into the Allowed Domains field. 256 entries can be added to the Allowed Domains list. To block a Web site that is not blocked by the Content Filter List, enter the host name, such as www.ba
153. ator password and configuring the settings necessary to access the Internet.

Alert: Be sure to have your network information, including your user name and password, ready. This information is obtained from your ISP.

To configure your SonicWALL appliance, read the instructions on the Wizard Welcome page and click Next to continue.

[Screenshot: SonicWALL Installation Wizard. "Welcome to SonicWALL Internet Security Appliance Wizard. This Wizard will help you quickly configure the SonicWALL to secure your Internet connection. Once completed, you can use the SonicWALL Web Management Interface for additional configuration options. Please see the User's Guide for more details. To bypass this Wizard, click Cancel." Buttons: Next, Cancel.]

Page 26 SonicWALL Internet Security Appliance Administrator's Guide

Setting the Password

[Screenshot: SonicWALL Installation Wizard, Set Your Password. "First you will need to choose a good administrator password in order to protect the security of your SonicWALL. Note that this password will be encrypted when sent over your network. Your password should be a combination of letters, numbers, and punctuation. You should not use a password which can easily be guessed by others, such as the name of your spouse or your birthday. Note also that your password is case sensitive." Fields: New Password, Confirm New Password.]
154. Intranet Settings ............ 151
VPN Single Armed Mode (stand-alone VPN gateway) ............ 152
Configuring a SonicWALL for VPN Single Armed Mode ............ 153
Routes ............ 154
LAN Route Advertisement ............ 155
RIPv2 Authentication ............ 156
DMZ Route Advertisement ............ 156
DMZ Addresses ............ 156
DMZ in Standard Mode ............ 157
DMZ in NAT Mode ............ 157
Delete a DMZ Address Range ............ 158
HomePort Configuration ............ 158
HomePort in Standard Mode ............ 158
HomePort in NAT Mode ............ 159
Delete a HomePort Address Range ............ 159
One-to-One NAT ............ 160
One-to-One NAT Configuration Example ............ 161
Ethernet Settings ............ 162
WAN Link Settings ............ 162
Enable Bandwidth Management ............
155. bal VPN Settings section displays the following information:

Unique Firewall Identifier: the default value is the serial number of the SonicWALL appliance. You can change the Identifier and use it for configuring VPN tunnels.
Enable VPN: must be selected to allow VPN security associations.
Disable all VPN Windows Networking (NetBIOS) broadcast: also selected. This check box disables NetBIOS broadcasts for every Security Association configuration.
Enable Fragmented Packet Handling: if the VPN log report shows the log message "Fragmented IPSec packet dropped", select this feature. Do not select it until the VPN tunnel is established and in operation.
Enable NAT Traversal: select if a NAT device is located between your VPN endpoints. See page 177 for more information on SonicWALL NAT Traversal Support.
Keep Alive Interval (seconds): the default value is 240 seconds (4 minutes). If Enable Keep Alive is selected on the Advanced Settings window, this is the interval of time between heartbeats.
Enable IKE Dead peer detection: select if you want inactive VPN tunnels to be dropped by the SonicWALL. Enter the number of seconds between heartbeats in the Dead peer detection Interval (seconds) field. The default value is 60 seconds. Enter the number of missed heartbeats

Page 178 SonicWALL Internet Security Appliance Administrator's Guide

in the Failure Trigger Level (missed heartbeats) field. The default value is 3. If the trigger l
156. bandwidth in Kbps. Click

Page 162 SonicWALL Internet Security Appliance Administrator's Guide

Update to apply the changes to the SonicWALL. Now that you have enabled Bandwidth Management, you can begin configuring Rules to use bandwidth management. See Bandwidth Management at the end of this section for more information on SonicWALL's Bandwidth Management features.

Tip: Traffic inbound from the WAN to the LAN/DMZ based on a Rule using bandwidth management is allowed as if there is no bandwidth management in place. However, outbound traffic (reply packets) for traffic associated with an inbound Rule is managed based on the configuration for that Rule.

DMZ/WorkPort Link Settings: Specifies the speed and duplex mode of the Ethernet connection to the DMZ/WorkPort link. The default selection is Auto Negotiate, because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. The other choice, Force, with lists for speed and duplex, should be used only if your Ethernet card also forces these settings. You must force from both sides of your connection to enable this setting.

LAN/HomePort Link Settings: Specifies the speed and duplex mode of the Ethernet connection to the LAN or HomePort link. The default selection is Auto Negotiate, because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. The other choice, Force, with lists for speed and duplex, should be used
157. cal storms, power failures, or power surges. Cooling Vents: The SonicWALL is convection cooled; an internal fan is not necessary. Do not block the cooling vents on the SonicWALL SOHO3 or the TELE3 side panels.

Page 250 SonicWALL Internet Security Appliance Administrator's Guide

SonicWALL GX 250 and GX 650 Front Panel

The SonicWALL GX 250 front panel is shown below, followed by a description of each item. The SonicWALL GX 650 is identical to the SonicWALL GX250 except for the GX 650 label on the front panel and the types of network interfaces installed.

[Front panel figure: DMZ, LAN, Test, Serial Port, WAN.]

SonicWALL GX250 and GX 650 Front Panel Description

Power: Lights up green if both power supplies are functioning on the SonicWALL GX250 or SonicWALL GX 650. If it is red, one of the power supplies has failed and an audible alarm also sounds.

Test: Lights up when the SonicWALL is powered up and performing diagnostic tests for proper operation. These tests take up to 5 minutes. If the Test LED remains lit after this time, the firmware is corrupt and must be reinstalled.

Serial Port: DB-9 RS-232 Serial port for a modem or null modem cable to support Command Line Interface Management.

There are three network interfaces on the GX 250 and GX 650, from left to right: WAN, LAN, DMZ. The GX250 includes three Fast Ethernet network interfaces. The GX 650 includes either 1000Base-SX over Fiber or Gigabit Ethernet over Copper network interfaces
158. cation. 3DES is an extremely secure encryption method and HMAC MD5 is used to verify integrity. This method significantly impacts the data throughput of the SonicWALL.

Strong Encrypt and Authenticate (ESP DES HMAC SHA1): uses 56-bit DES encryption and HMAC SHA1 authentication.
Strong Encrypt and Authenticate (ESP DES HMAC MD5): uses 56-bit DES encryption and HMAC MD5 authentication. This method impacts the data throughput of VPN communications. SonicWALL VPN client supports this method.
Strong Encrypt and Authenticate (ESP AES-128 HMAC MD5): uses 128-bit AES encryption and HMAC MD5 authentication.
Strong Encrypt and Authenticate (ESP AES-128 HMAC SHA1): uses 128-bit AES encryption and HMAC SHA1 authentication.

Shared Secret: an alphanumeric key is automatically generated as the Shared Secret. The Shared Secret is not exported with the VPN Client Configuration File. The Shared Secret must be distributed by the SonicWALL administrator.

Security Policy Settings for IKE using Pre-shared Secret

Exchange: select Main Mode or Aggressive Mode. Main Mode requires six one-way messages between the peers and Aggressive Mode requires only three one-way messages, making Aggressive Mode a little faster when establishing the connection. Selecting Aggressive Mode forces the SonicWALL appliance to use Aggressive Mode to establish the VPN tunnel even if the SonicWALL has a static IP address. Aggressive Mode is useful when the SonicWALL is located behind
159. [Screenshot residue: ...ced Settings, Delete This SA, Update, and Reset buttons; STATUS: Ready.]

SonicWALL VPN Page 181

Security Policy Settings

The following sections describe the Security Policy settings for Group VPN, IKE using Pre-shared Secret, and Manual Key.

Security Policy Settings for Group VPN

Phase 1 DH Group: Diffie-Hellman (DH) key exchange, a key agreement protocol, is used during phase 1 of the authentication process to establish pre-shared keys. Groups 1, 2, and 5 use Modular Exponential with different prime lengths, as listed below. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. To compromise between network speed and network security, select Group 2.

Group Descriptor / Prime Size (bits): Group 1: 768; Group 2: 1024; Group 5: 1536.

SA Life time (secs): allows you to configure the length of time a VPN tunnel is active. The default value is 28800 seconds (eight hours). You can configure up to 2,500,000 seconds (28.9 days).

Phase 1 Encryption/Authentication: select an encryption method from Encryption/Authentication for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select from one of eight encryption methods: DES & MD5, AES-128 & MD5, DES & SHA1, AES-128 & SHA1, 3DES & MD5, AES-256 & MD5, 3DES & SHA1, AES-256 & SHA1. AES support is available only on the PRO 230
160. cesses LAN resources through the firewall from a remote location on the Internet.

Alert: By enabling Remote Access, you allow unencrypted traffic over the Internet.

Bypass Filters: Enable Bypass Filters if the user has unlimited access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.
Access to VPNs: Enable the check box if the user can send information over the VPN Security Associations with authentication enforcement.
Access from the VPN Client with XAUTH: Enable the check box if the user requires XAUTH for authentication and accesses the firewall via a VPN client.
Limited Management Capabilities: By enabling this check box, the user has limited local management access to the SonicWALL Management interface. The access is limited to the following pages: General (Status, Network, Time), Log (View Log, Log Settings, Log Reports), Tools (Restart, Diagnostics minus Tech Support Report).

Tip: The SonicWALL supports up to 100 users requiring RADIUS authentication in the local database.

Adding and Removing a User

Alert: You must add a user to the Local Database to enforce access privileges.

To add a new user, complete the following steps:
1. Log into the Management interface, click Access, then Users.
2. Highlight Add New User in the Current User list box.
3. Enter the name of a user into the User Name field.
4. Enter the user password in the Password and Confirm Password fields. The password is case sens
161. cover the SonicWALL appliance on the network. Otherwise, you must add the SonicWALL appliance to the list of SNMP manageable devices on the SNMP management system.

SonicWALL Management Protocol

The SonicWALL can be managed using HTTP or HTTPS and a Web browser. Both HTTP and HTTPS are enabled by default. The default port for HTTP is port 80, but you can configure access through another port. Enter the number of the desired port in the Port field and click Update. However, if you configure another port for HTTP management, you must include the port number when you use the IP address to log into the SonicWALL. For example, if you configure the port to be 76, then you must enter <LAN IP Address>:76 into the Web browser.

The default port for HTTPS management is 443, the standard port. You can add another layer of security for logging into the SonicWALL by changing the default port. To configure another port for HTTPS management, enter the preferred port number into the Port field and click Update. For example, if you configure the HTTPS Management Port to be 700, then you must log into the SonicWALL using the port number as well as the IP address, for example <https://192.168.168.1:700>, to access the SonicWALL.

The HTTPS Management Certificate Common Name field defaults to the SonicWALL LAN Address. This allows you to continue using a certificate without downloading a new one each time you log into the SonicWALL.

Additional Management
162. crecy.

Default LAN Gateway: specifies the IP address of the default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all traffic through this SA check box.

VPN Terminated at LAN, DMZ, or LAN/DMZ: select one of the three terminating points for the VPN tunnel.

14. Click Update to add the remote network and close the VPN Destination Network window. Once the SonicWALL TELE3 has been updated, a message confirming the update is displayed at the bottom of the browser window.

Tip: Since Windows Networking (NetBIOS) has been enabled, users can view remote computers in their Windows Network Neighborhood. Users can also access resources on the remote LAN by entering the servers' or workstations' remote IP addresses.

SonicWALL VPN Page 215

SonicWALL Third Party Digital Certificate Support

Tip: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.

A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to the existing Authentication Service. The difference between third party certificates and the SonicWALL Authentication Service is the ability to select the source for your CA certificate. Using Certificate Authority Certificates and Local Certificates is a more manual process than us
163. ctivity problems.

Confirm that the computer without Internet access is assigned an IP address in the correct subnet. Make sure that the SonicWALL is powered on and responsive. If a computer can access the SonicWALL Management Interface but cannot view Web sites, then check the DNS configuration of the computer. Try restarting your Internet router and the computer. The Internet connection can be down: disconnect the SonicWALL and try to access the Internet. If there are any host devices other than the Internet router connected to the WAN port, they are inaccessible to users on the LAN unless you have configured the SonicWALL Intranet settings.

The SonicWALL does not establish authenticated sessions

During initial configuration, make sure to change the Management Station's IP address to one in the same subnet as the SonicWALL's, such as 192.168.168.200. Check to make sure the Web browser has Java, JavaScript, or ActiveX enabled. Make sure the users are attempting to log into the correct IP address. The correct address is the SonicWALL LAN IP Address and not the NAT Public Address, if NAT is enabled. Make sure that users are attempting to log in with a valid user name and password. Remember that passwords are case sensitive; make sure the Caps Lock key is off.

Page 254 SonicWALL Internet Security Appliance Administrator's Guide

If you are using an Internet Explorer browser, you may want to click the Refresh button several times to ful
164. d Encryption Standard) is an encryption method for securing sensitive but unclassified material by U.S. Government agencies.

Phase 2 Encryption/Authentication: The following encryption methods are available for IKE using Preshared Secret:

Tunnel Only (ESP Null): does not provide encryption or authentication. This option offers access to computers at private addresses behind NAT and allows unsupported services through the SonicWALL.
Encrypt (ESP DES): uses 56-bit DES to encrypt data. DES is an extremely secure encryption method supporting over 72 quadrillion possible encryption keys to encrypt data.
Fast Encrypt (ESP ARCFour): uses 56-bit ARCFour to encrypt data. ARCFour is a secure encryption method and has little impact on the throughput of the SonicWALL.
Strong Encrypt (ESP 3DES): uses 168-bit 3DES (Triple DES) to encrypt data. 3DES is considered to be an almost unbreakable encryption method, applying three DES keys in succession, but it significantly impacts the data throughput of the SonicWALL.
Strong Encrypt and Authenticate (ESP 3DES HMAC MD5): uses 168-bit 3DES encryption and HMAC MD5 authentication. 3DES is an extremely secure encryption method and HMAC MD5 is used to verify integrity. This method significantly impacts the data throughput of the SonicWALL.
Strong Encrypt for Checkpoint (ESP 3DES): interoperable with CheckPoint Firewall-1. In manual key mode, Encrypt for CheckPoint uses 168-bit DES to encrypt data.
Str
165. d mode. Configure a VPN SA using IKE and Pre-shared Secret on the VPN SonicWALL to securely connect to the Remote SonicWALL. Enter the Remote SonicWALL WAN IP address as the IPSec Gateway and the Remote SonicWALL LAN IP Address range as the Destination Network (if configuring Many-to-One NAT). Click Advanced and then Routes. Enter the Corporate SonicWALL WAN IP address in the Dest. Network field. Enter the subnet mask in the Subnet Mask field. Enter the Local SonicWALL WAN IP address as the Gateway and select WAN from the Link menu. Click Update. Now that all SonicWALLs are configured, network traffic on the corporate SonicWALL destined for the remote office is routed to the VPN SonicWALL, encrypted, and sent to the remote SonicWALL.

Advanced Features Page 153

Routes

If you have routers on your Local Area Network (LAN), Demilitarized Zone (DMZ), or Wide Area Network (WAN), you can configure Static Routes on the SonicWALL.

[Screenshot: Advanced > Routes tab.]

Tip: On the TELE3 TZ and TELE3 TZX, the LAN is labeled WorkPort and the DMZ is labeled HomePort.

Click Advanced on the left side of the browser window and then click the Routes tab. Static routes must be defined if the LAN, DMZ, or WAN are segmented into subnets, either for size or practical considerations. For example, a subnet can be created to isolate a section of a company, such as financ
166. d on Advanced Ethernet page. [Screenshot: VPN Summary page showing Enable VPN Bandwidth Management (VPN guaranteed bandwidth in Kbps, VPN maximum bandwidth in Kbps, VPN bandwidth priority); a Gateway/Destinations table listing an ESP DES HMAC MD5 (IKE) entry for 192.168.168.12 and an ESP DES HMAC SHA1 (IKE) entry for 192.168.1.1 to 192.168.1.254; SAs enabled: 2, SAs defined: 2, SAs Allowed: 1001; STATUS: Ready.]
1. Select Disable VPN Windows Networking (NetBIOS) broadcast. Leave the Enable Fragmented Packet Handling unselected until the SonicWALL logs show many fragmented packets transmitted.
2. Click the Configure tab and select Add New SA from the Security Association menu. Then select Manual Key from the IPSec Keying Mode menu.
3. Enter a descriptive name that identifies the VPN client in the Name field, such as the client's location or name.
4. Enter 0.0.0.0 in the IPSec Gateway Address field.
5. Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length.
Alert: Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association's Incoming SPI can be the same as its Outgoing SPI.
6. Select Encrypt and Authenticate (ESP 3DES HMAC MD5) from the Encryption Method menu.
Alert: It is important to remember the Encryption Method selected, as you need to select the same parameters in the VPN Client configuration. SonicWALL VPN, Page 199.
7. Enter a 16-character
167. d site.com into the Forbidden Domains field. 256 entries can be added to the Forbidden Domains list. Alert: Do not include the prefix http:// in either the Allowed Domains or Forbidden Domains fields. All subdomains are affected. For example, entering yahoo.com applies to mail.yahoo.com and my.yahoo.com. To remove a trusted or forbidden domain, select it from the appropriate list and click Delete Domain. Once the domain has been deleted, a message is displayed at the bottom of the Web browser window. To enable blocking using Keywords, select the Enable Keyword Blocking check box. Enter the keyword to block in the Add Keyword field and click Update. Once the keyword has been added, a message confirming the update is displayed at the bottom of the browser window. To remove a keyword, select it from the list and click Delete Keyword. Once the keyword has been removed, a message confirming the update is displayed at the bottom of the browser window. Content Filtering and Blocking, Page 103. Tip: Customized domains do not have to be re-entered when the Content Filter List is updated each week, and do not require a URL list subscription.
• Enable Allowed/Forbidden Domains: To deactivate Custom Filter customization, clear the Enable Allowed/Forbidden Domains check box and click Update. This option allows you to enable and disable customization without removing and re-entering custom domains.
• Enable Keyword Blocking: Selec
168. date to enable the Network Debug setting. [Screenshot: Network Debug setting page; STATUS: Ready.]

Testing a VPN Tunnel Connection Using PING. To verify that your VPN tunnel is working properly, it is necessary to ping the IP address of a computer on the remote network. By pinging the remote network, you send data packets to the remote network and the remote network replies that it has received the data packets. Your administrator supplies the remote IP address that you can use for testing. The following steps explain how to ping a remote IP address:
1. Locate the Windows Start button in the lower left-hand corner of the desktop operating system. Click Start, then Run, and then type Command in the Open filepath box. A DOS window opens to the C:\> prompt.
2. Type ping, then the IP address of the host computer. Press Enter to begin the data communication.
3. A successful ping communication returns data packet information to you. An unsuccessful ping returns a message of Request Timed Out. SonicWALL VPN, Page 221.
[Screenshot: command prompt window (Microsoft Windows 2000 [Version 5.00.2195], (C) Copyright 1985-2000 Microsoft Corp.) showing ping of the remote host 10.x.x.252 from C:\WINNT\SYSTEM32; all four replies are "Request timed out."; Ping statistics: Packets: Sent = 4, Lost = 4 (100% los
169. do not have the information, please contact your ISP. [Screenshot: Installation Wizard WAN settings page with the fields SonicWALL WAN IP Address (66.120.111.15), WAN Subnet Mask (255.255.255.0), WAN Gateway (Router) Address (66.120.111.1), DNS Server Address (216.197.252.0), Optional Second DNS Server Address, Optional Third DNS Server Address; Next, Cancel.]
8. Enter the IP addresses provided by your ISP in the SonicWALL WAN IP Address, WAN/DMZ Subnet Mask, WAN Gateway (Router) Address and DNS Server Addresses fields. Click Next to continue.

Configuring LAN Network Settings. [Screenshot: SonicWALL Installation Wizard, "Fill in information about your LAN": Since you are using NAT, you will need to specify information about your LAN. You can choose this information arbitrarily, but it's a good idea to use private addresses such as 10.0.0.1 or 192.168.168.1. Note that the default values below will work well for most networks. SonicWALL LAN IP Address 192.168.168.1; LAN Subnet Mask 255.255.255.0; Back, Next, Cancel.]
9. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL work for most networks. If you do not use the default settings, enter the SonicWALL LAN settings and clic
170. dress and the service type when determining whether to allow or deny traffic. Custom rules take precedence and override the SonicWALL default rules. By default, the SonicWALL blocks all traffic from the Internet to the LAN and allows all traffic from the LAN to the Internet. Custom rules can be created to modify the default rules. For example, rules can be created for the following purposes:
• Allow traffic from the Internet to a mail server on the LAN
• Restrict users on the LAN from using a specified service, such as QuickTime
• Allow specified IP addresses on the Internet to access a sensitive server on the LAN
• Configure bandwidth management for individual services
Network Access Rules, Page 131.

Maximum Number of Rules by Product
Product | Maximum Rules | Rules Available for Bandwidth Management
GX Series | 300 | 100
PRO 300, PRO 330 | 200 | 100
PRO 100, PRO 200, PRO 230 | 100 | 50
TELE3, SOHO3 | 100 | 50
TELE2, SOHO2, XPRS2, XPRS, PRO, PRO-Vx | 100 | 20

To create custom Network Access Rules, click Access on the left side of the browser window and then click the Rules tab. [Screenshot: Current Network Access Rules table with columns Action, Service, Source, Destination, Time, Day and Enable, listing five rules (1 Allow Web (HTTP) to 192.168.168.1 on the LAN, 2 Allow, 3 Allow LAN to LAN, 4 Deny, 5 Allow, with Default DMZ, WAN and LAN entries) and the buttons Add New Rule and Restore Rules to Defaults.] High Avai
171. e Ping the other protected network using Ping on the Tools page. If ping works, then the problem is on the LAN.
• Reset the VPN to basic configuration using Manual Key and DES HMAC MD5. If that works, then upgrade to IKE and pre-shared secret.
Troubleshooting Guide, Page 255.

18. Appendices
Appendix A: Technical Specifications
SonicWALL Hardware and Performance
Model | TELE3 | SOHO3 | PRO100 | PRO200 | PRO230 | PRO300 | PRO330
Processor | 133 MHz Toshiba TX3927 with security ASIC | 133 MHz Toshiba TX3927 with security ASIC | 133 MHz Toshiba TX3927 with security ASIC | 233 MHz Toshiba StrongARM RISC with security ASIC | 233 MHz Toshiba StrongARM RISC with security ASIC | 233 MHz Toshiba StrongARM RISC with security ASIC | 233 MHz Toshiba StrongARM RISC with security ASIC
RAM | 16 MB | 16 MB | 16 MB | 16 MB | 64 MB | 64 MB | 64 MB
Flash Memory | 4 MB | 4 MB | 4 MB | 4 MB | 4 MB | 4 MB | 4 MB
Concurrent Connections | 6,000 | 6,000 | 6,000 | 30,000 | 30,000 | 128,000 | 128,000
Firewall Users | 5 | 10, 25, 50 | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited
Firewall Performance | 75 Mbps | 75 Mbps | 75 Mbps | 190 Mbps | 190 Mbps | 190 Mbps | 190 Mbps
3DES (168-bit) | 20 Mbps | 20 Mbps | 20 Mbps | 25 Mbps | 25 Mbps | 45 Mbps | 45 Mbps
VPN Tunnels | 5 | 10 | 50 | 500 | 500 | 1,000 | 1,000
Dimensions | 8.25 x 6.5 x 2 | 8.25 x 6.5 x 2 | 8.25 x 6.5 x 2 | 19 x 8.875 x 1.75 | 17 x 10.36 x 1.75 | 19 x 8.875 x 1.75 | 17 x 10.36 x 1.75
Weight | 1.1 lbs (0.48 kg) | 1.1 lbs (0.48 kg) | 1
172. e from traffic on the rest of the LAN, DMZ or WAN. The SonicWALL LAN IP Address, LAN Subnet Mask, WAN IP Address and WAN/DMZ Subnet Mask are displayed in the Current Network Settings section. Refer to these settings when configuring your Static Routes. To add Static Route entries, complete the following instructions:
1. Enter the destination network of the static route in the Dest. Network field. The destination network is the IP address subnet of the remote network segment. Tip: If the destination network uses IP addresses ranging from 192.168.1.1 to 192.168.1.255, enter 192.168.1.0 in the Dest. Network field.
2. Enter the subnet mask of the remote network segment in the Subnet Mask field.
3. Enter the IP address of your router in the Gateway field. This IP address should be in the same subnet as the SonicWALL. If your router is located on the SonicWALL LAN, the Gateway address should be in the same subnet as the SonicWALL LAN IP Address.
4. Select the port on the SonicWALL that the router is connected to, either the LAN, the WAN or the DMZ, from the Link list.
5. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the Web browser window. Restart the SonicWALL for the change to take effect.
Tip: The SonicWALL can support up to 128 static
173. e 229.

High Availability Status Window. One method to determine which SonicWALL is active is to check the High Availability Status page for the High Availability pair. To view the High Availability Status window, you can log into the primary or backup SonicWALL LAN IP Address. Click High Availability on the left side of the browser window and then click Configure at the top of the window. If the primary SonicWALL is active, the first line in the status window above indicates that the primary SonicWALL is currently Active. [Screenshot: SonicWALL Administration at http://192.168.168.1/management.html, High Availability page. High Availability Status: Primary SonicWALL State: Active; Primary SonicWALL Serial Number: 0040100F1566; LAN IP Address: 192.168.168.10; WAN IP Address: 0.0.0.0; Synchronize Now. High Availability Settings: Logged Into: Primary; Enable High Availability; Backup SonicWALL Serial Number: 0040100F1557; LAN IP Address: 192.168.168.168; WAN IP Address: 0.0.0.0; Preempt Mode; Heartbeat Interval: 5 seconds; Failover Trigger Level: 3 missed heartbeats. STATUS: HA Peer firewall has been updated.] If the backup SonicWALL is active, th
174. e assigned to computers on the LAN. If the Enable DHCP Server check box is not selected, the DHCP Server is disabled. Click Next to continue.

Configuration Summary. [Screenshot: SonicWALL Installation Wizard, Configuration Summary: The PPPoE client will be used to obtain a dynamic Internet address; NAT is enabled; The DHCP server has been activated on the LAN; The SonicWALL LAN IP Address is 192.168.168.1. Print This Page. If this is OK, click Next. If you would like to make a change, click Back.]
10. The Configuration Summary page displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next to proceed to the Congratulations page. Page 30.

Congratulations. [Screenshot: SonicWALL Installation Wizard, Congratulations: You have completed the initial configuration of your SonicWALL. It is now necessary to restart the unit. Remember, from now on you will contact the Web Management Interface at URL http://192.168.168.1, User Name admin, Password <set as previously>. Once the SonicWALL is up, you should register it at SonicWALL's Web Site. This will be necessary before you can take advantage of firmware updates and CyberNOT conten
175. e default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box. VPN Terminated at LAN, DMZ, or LAN/DMZ: select one of the three terminating points for the VPN tunnel.
12. Click OK and then click Update. Page 210.

IKE Configuration for Two SonicWALLs. An alternative to Manual Key configuration is Internet Key Exchange (IKE). IKE transparently negotiates encryption and authentication keys. The two SonicWALL appliances authenticate the IKE VPN session by matching preshared keys and IP addresses or Unique Firewall Identifiers. To create an IKE Security Association, click VPN on the left side of the browser window and then click the Configure tab. [Screenshot: Add/Modify IPSec Security Associations page with the fields Security Association, IPSec Keying Mode, Name, Disable This SA, IPSec Gateway Address, High Availability, SA Life time (secs) 28800, Encryption Method: Encrypt and Authenticate (ESP DES HMAC SHA1), Shared Secret: monkeytoes 2001, Destination Networks (Network 192.168.168.1 to 192.168.168.254, Subnet Mask), Add New Network, Advanced Settings, Delete This SA, Update, Reset. STATUS: The configuration has been updated.]
1. Select IKE using pre-shared secret from the IPSec Keying Mode menu.
2. Select Add New SA f
176. e first line changes to reflect the active status of the backup, as shown below. [Screenshot: http://192.168.168.168/management.html, High Availability page. High Availability Status: Backup SonicWALL State: Active; Primary SonicWALL Serial Number: 0040100F1566; LAN IP Address: 192.168.168.10; WAN IP Address: 10.2.4.52; Synchronize Now. High Availability Settings: Logged Into: Backup; Enable High Availability; Backup SonicWALL Serial Number: 0040100F1557; LAN IP Address: 192.168.168.168; Failover Trigger Level: 3 missed heartbeats; Election Delay Time: 0 seconds. STATUS: The configuration has been updated.] Page 230. The first line in the status window indicates that the backup SonicWALL is currently Active. It is also possible to check the status of the backup SonicWALL by logging into the LAN IP Address of the backup SonicWALL. If the primary SonicWALL is operating normally, the status window indicates that the backup SonicWALL is currently Idle. If the backup has taken over for the primary, this window indicates that the backup is currently Active. Tip: In the event of a failure in the primary SonicWALL, you can access the Web Management Interface of the backup SonicWALL at the primary S
177. e-mail/pager. Page 16.

Dynamic Host Configuration Protocol (DHCP)
DHCP Server: The DHCP Server offers centralized management of TCP/IP client configurations, including IP addresses, gateway addresses and DNS addresses. Upon startup, each network client receives its TCP/IP settings automatically from the SonicWALL DHCP Server.
DHCP Client: The DHCP Client allows the SonicWALL to acquire TCP/IP settings (such as IP address, gateway address and DNS address) from your ISP. This is necessary if your ISP assigns you a dynamic IP address.
DHCP over VPN: DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments it is desirable to have all VPN networks residing in one IP subnet address space. This facilitates address administration for the networks using VPN tunnels.
Easy Installation and Configuration
Installation Wizard: The SonicWALL Installation Wizard helps you quickly install and configure the SonicWALL.
Online help: SonicWALL help documentation is built into the SonicWALL Web Management Interface for easy access during installation and management.
IPSec VPN
SonicWALL VPN: SonicWALL VPN provides a simple, secure tool that enables corporate offices and business partners to connect securely over the Internet. By encrypting data, SonicWALL VPN provides private communications bet
178. e [Screenshot: final Installation Wizard page, partly unreadable] ...after changing its network configuration. Note: This includes the computer you are currently using to contact the SonicWALL. You will not be able to re-contact SonicWALL until you have reconfigured your PC. Once you have reconfigured your PC and SonicWALL has finished restarting, you should be able to access the Internet. Note: The restarting process will take approximately 90 seconds to complete. Remember, from now on you will contact SonicWALL's Web Management Interface at http://192.168.168.1. Thank you for selecting SonicWALL. Print This Page. Close.] The SonicWALL takes 90 seconds to restart. During this time the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.

Configuring NAT with L2TP Client. This section describes configuring the SonicWALL in NAT with L2TP Client mode. You must have a single static IP address to begin configuration. Follow the instructions below. Tip: Be sure to have your network information, including your WAN IP address, subnet mask and DNS settings, ready. This information is obtained from your ISP.
1. Open a Web browser and enter the default SonicWALL IP address, 192.168.168.168, in the Location or Address field. The Login window appears.
2. Enter admin in the User Name field and password in the Password field.
3. Click Cancel on the initial Installation Wizard page to cancel the wizard.
4. Click N
179. e sonicwall.com> or load it from the CD included with the appliance. You can also download firmware by logging into <http://www.mysonicwall.com> as a registered user.

Locating the Reset button on your SonicWALL. SonicWALL SOHO3, PRO 100, TELE3, SOHO 10, SOHO 50, XPRS, SOHO Telecommuter, PRO 200, PRO 300 and newer SonicWALL DMZ models use the small, recessed button on the back of the unit for this procedure. If your SonicWALL DMZ unit has a square reset button that is not recessed on the back of the unit, follow the procedure below to locate the blue reset button. If your SonicWALL DMZ unit has a circular reset button that is recessed in the back of the unit, then it's an older DMZ model and you should follow the procedure for locating the reset button inside the unit.

Erasing the Firmware for all Models
1. Turn off the SonicWALL and disconnect all cables to the network.
2. Locate the recessed Reset Switch on the back panel of the SonicWALL.
3. Press and hold the Reset Switch and then apply power to the SonicWALL. Once the Test LED starts to flash, let go of the Reset Switch. The Test LED flashes for approximately 90 seconds while the firmware is erased. After completing the diagnostic sequence, the Test LED stays lit, indicating that the firmware has been erased. It is normal for the Test LED to stay lit after erasing the firmware. It does not go off until the firmware is installed and loaded into memory by the automatic restart.
4.
180. e the following instructions:
1. Locate the directory in which Steel-Belted RADIUS is installed (C:\RADIUS by default) and copy the sonicwall.dct file into the C:\RADIUS\Service folder.
2. Edit the vendor.ini file located in the Service folder using Notepad. Add the following lines so that they are in alphabetical order with the other vendor products in the file:
vendor-product = SonicWALL Firewall
dictionary = SonicWALL
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000
3. Edit the dictiona.dcm file using Notepad and add the entry sonicwall.dct to it, keeping the entry in alphabetical order with the existing entries.
4. Restart the Windows service called Steel-Belted RADIUS Service.
5. Run the Steel-Belted RADIUS Administrator.
6. Click RAS Clients and select SonicWALL Firewall from the Make/Model list. Click Save. If there is no entry for SonicWALL Firewall, be sure that steps 2 and 3 were performed correctly. Page 280.

Configuring User Privileges. To configure user privileges, follow these steps:
1. With Steel-Belted RADIUS Administrator open, click Users and select the User to configure. Or, select a profile to be configured from the Profile Name menu.
2. Click Ins and select SonicWALL User Privilege from the Available Attributes list.
3. Select the privilege to be set and click Add. Repeat until all of the privileges a
181. ecks for attacks but not NAT. Alert: You cannot use this feature if you have Route all internet traffic through this SA enabled. Alert: Offices can have overlapping LAN IP ranges if the Apply NAT and firewall rules option is selected.

Forward Packets to Remote VPNs. Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or to a specific route on the LAN specified on the Routes tab, located under the Advanced section. Enabling this feature allows a network administrator to create a hub and spoke network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a hub and spoke network, enable the Forward Packets to Remote VPNs check box for each Security Association in your SonicWALL. Page 188. Traffic can travel from a branch office to a branch office via the corporate office.

Route all internet traffic through this SA. Selecting this box allows a network administrator to force all WAN-destined traffic to go through a VPN tunnel to a central site. Outgoing packets are checked against the remote network definitions for all Security Associations (SA). If a match is
182. ect Disable VPN when Dialed if VPN Security Associations (SAs) are to be disabled when the modem connects to the ISP. Terminating the dial-up connection re-enables the VPN SAs. This is useful if you want to deploy your own point-to-point RAS network and want packets to be sent in the clear to your intranets. If you have call waiting on your telephone line, you should disable it, or another call can interrupt your connection to your ISP. Select Disable Call Waiting and then select a command from the list. If you do not see your command listed, select Other and enter the command in the field. If the phone number for your ISP is busy, you can configure the number of times that the SonicWALL modem attempts to connect in the Dial Retries per Phone Number field. The default value is zero (0). Enter the number of seconds between attempts to redial in the Delay Between Retries (seconds) field. The default value is five (5) seconds.
10. Click Update to add the dial-up profile to the SonicWALL. Configuring the TELE3 SP Modem Connection, Page 63.

TELE3 SP Modem Configuration. The Configure tab allows you to enable the modem to provide secondary dial-up ISP connection support and to configure the modem settings. There are two sections available: Modem Settings and Failover Settings. [Screenshot: Modem Configure tab.]
Modem Settings. The Modem Settings section lets you select from a list of modem profiles, select the volume of the mod
183. ect Use the following IP address and enter 192.168.168.200 in the IP address field.
4. Enter 255.255.255.0 in the Subnet Mask field.
5. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one address, enter the second one in the Alternate DNS server field.
[Screenshot: Windows TCP/IP Properties dialog: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Obtain an IP address automatically / Use the following IP address: IP address 192.168.168.200, Subnet mask 255.255.255.0, Default gateway 192.168.168.1. Obtain DNS server address automatically / Use the following DNS server addresses: Preferred DNS server, Alternate DNS server.] Page 272.

Macintosh OS 10. From a Macintosh computer, do the following:
1. From the Apple list, choose Control Panel and then choose TCP/IP to open the TCP/IP Control Panel.
2. From the Configure list, choose Manually.
3. Enter 192.168.168.200 in the IP address field.
4. Enter the Subnet Mask address in the Subnet Mask field.
5. Click OK.
Follow the SonicWALL Installation Wizard instructions to perform the initial setup of the SonicWALL. Appendices, Page 273.

Appendix F: Basic VPN Terms and Concepts
VPN Tunnel: A VPN Tunnel is a term that describes a connection between two or more private nodes or LANs over a public network, typically the I
184. ect this option if you have trusted domains using Java, ActiveX and Cookies. To add a trusted domain, enter the domain name into the Add Trusted Domain field. Click Update to add the domain to the list of trusted domains. To delete a domain, select it from the list and then click Delete. Page 100.

Trusted Domains. Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust content on specific domains, you can select Don't block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL using the Add Trusted Domain field. Java scripts, ActiveX and cookies are not blocked from Trusted Domains if the checkbox is selected.

Message to display when a site is blocked. Enter your customized text to display to the user when access to a blocked site is attempted. The default message is "Web Site blocked by SonicWALL Filter". Any message, including embedded HTML, up to 255 characters long can be entered in this field.

URL List. The URL List page allows you to see the status of the Content Filter List as well as configure a specific time to download the list. You can also determine how the SonicWALL responds when a Content Filter List is unavailable. Selecting categories to block is also configured on this page. [Screenshot: URL List tab: "The URL List has not been loaded"; Download Automatically every (day of week) at (time, 24 Hour Format).]
185. ed. The computer's IP address, Ethernet address, the name of the blocked Web site and the Content Filter List Code are displayed. Code definitions for the 12 Content Filter List categories are shown below:
a. Violence/Profanity
b. Partial Nudity
c. Full Nudity
d. Sexual Acts
e. Gross Depictions
f. Intolerance
g. Satanic/Cult
h. Drug Culture
i. Militant/Extremist
j. Sex Education
k. Gambling/Illegal
l. Alcohol/Tobacco
Descriptions of the categories are available on the SonicWALL Web site (<http://www.sonicwall.com>, Content Filter categories page).
• ActiveX, Java, Cookie or Code Archive blocked: When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt are displayed.
• Ping of Death, IP Spoof and SYN Flood Attacks: The IP address of the machine under attack and the source of the attack are displayed. In most attacks, the source address shown is fake and does not reflect the real source of the attack. TIP: Some network conditions can produce network traffic that appears to be an attack even when no one is deliberately attacking the LAN. To follow up on a possible attack, contact your ISP to determine the source of the attack. Regardless of the nature of the attack, your LAN is protected and no further steps are needed. Page 92.

Log Settings. Click Log on the left side of the browser window and then click the Log Settings tab.
186. ed to get up and running in one easy-to-install product, including a Web server, syslog server, database and reporting software. ViewPoint uses a Web-based interface and easily installs on any Windows NT or Windows 2000 computer on the network. For more information on the SonicWALL ViewPoint, visit http://www.sonicwall.com/products/viewpoint.

SonicWALL Global Management System. SonicWALL Global Management System (GMS) is a scalable, cost-effective solution that extends the SonicWALL's ease of administration, giving you the tools to manage the security policies of remote, distributed networks. SonicWALL GMS lets you administer SonicWALLs at your corporate headquarters, branch offices and telecommuters from a central location. SonicWALL GMS reduces staffing requirements, speeds up deployment and lowers delivery costs by centralizing the management and monitoring of security policies. SonicWALL GMS uses a hierarchical structure to simplify the management of SonicWALLs with similar security profiles. This gives you the flexibility to manage the security policies of remote SonicWALLs on an individual, group or global level. For more information on the SonicWALL Global Management System, visit http://www.sonicwall.com/products/sgms/index.html.

Contact Your Reseller or SonicWALL. Contact your local reseller to purchase SonicWALL upgrades. A SonicWALL sales representative can help locate a SonicWALL authorized reseller near you. Web: http://www
187. ee your command listed, select Other and enter the command in the field.
5. Configure the number of times that the SonicWALL modem attempts to connect if the dial-up connection is busy in the Dial Retries per Phone Number field. The default value is zero (0).
6. Enter the number of seconds between attempts to redial in the Delay Between Retries (seconds) field. The default value is five (5) seconds.
7. Click Update to add the dial-up profile to the SonicWALL.
Configure Modem Settings
8. Select your manual dial-up profile as the Primary Profile.
9. Select None as the Secondary Profile.
10. Select the modem speaker volume from the Speaker Volume menu.
11. Click Connect to dial your ISP. When the modem has connected to the ISP, the button text changes to Disconnect. To end the connection, click Disconnect.
To dial up manually, log onto the Management station and click Modem. Click Configure and then click Connect. If you attempt to dial up your ISP while the WAN Ethernet connection is active, a warning message is displayed. [Microsoft Internet Explorer dialog: "Ethernet is currently the active interface. Connecting the modem will deactivate the ethernet WAN connection. Preempt Mode is selected. The WAN connection will return to ethernet if possible." OK / Cancel.] Click OK to begin dialing the ISP, or Cancel to return to the current status. Configuring the TELE3 SP Modem Connection, Page 67.

Configuring Your TELE3 SP in Modem Onl
188. em and also configure AT commands for modem initialization. To configure the SonicWALL modem settings, follow these steps:
1. Select the Primary Profile from the list of profiles that the SonicWALL uses to access the modem and dial the secondary connection. If you have enabled Manual Dial for the Primary Profile, the Secondary Profile is not used.
2. Select the Secondary Profile from the list of profiles. If the Primary Profile cannot establish a connection, the SonicWALL uses the Secondary Profile to access the modem and establish a connection.
3. Select the volume of the modem from the Speaker Volume menu. The default value is Medium.
4. Select Initialize Modem For Use In and select the country from the drop-down menu. United States is selected by default.
5. If the modem uses AT commands to initialize, select Initialize Modem Using AT Commands. Enter any AT commands used for the modem in the AT Commands for modem initialization field. AT commands are instructions used to control a modem, such as ATS7=30 (allow up to 30 seconds to wait for dialtone) and ATS8=2 (set the amount of time the modem pauses when it encounters a "," in the string).
Tip: The default settings for the modem are generally sufficient for normal operation. The AT Commands for modem initialization box is provided for nonstandard situations. Page 64.

Primary Interface. The SonicWALL TELE3 SP automatically de
189. ence over rules at the bottom of the list.
Edit a Rule. To edit a rule, click the Note Pad icon to the right of the rule in the Rules window. A new Web browser window appears, displaying the current configuration of the rule. Make the desired changes and click Update to update the rule. The modified rule is displayed in the list of Current Network Access Rules.
Delete a Rule. To delete a rule, click the Trash Can icon to the right of the rule in the Rules window. A dialog box appears with the message "Do you want to remove this rule?" Click OK. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Enable/Disable a Rule. To disable a rule without permanently removing it, clear the Enable check box to the right of the rule in the Rules window. To enable a disabled rule, select the Enable check box. The configuration is updated automatically, and a message confirming the update is displayed at the bottom of the browser window.
Restore the Default Network Access Rules. If the SonicWALL Network Access Rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic and allow all outbound IP traffic. Click Restore Rules to Defaults in the Rules window to reset the Network Access Rules. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the
190. ent mode, the WAN/LAN Subnet Mask is assigned automatically. If you select Standard mode, the WAN/LAN Subnet Mask is the same as the LAN Subnet Mask. DNS Settings: DNS Servers. DNS Servers, or Domain Name System Servers, are used by the SonicWALL for diagnostic tests with the DNS Lookup Tool and for upgrade and registration functionality. DNS Server addresses should be assigned by your ISP. If you select NAT with DHCP Client, NAT with PPPoE, NAT with L2TP Client, or NAT with PPTP Client mode, the DNS Server addresses are assigned automatically. Alert: Enable and configure the SonicWALL DHCP server or manually configure client DNS settings to obtain DNS name resolution. Standard Configuration: If your ISP provided you with enough IP addresses for all the computers and network devices on your LAN, enable Standard mode. To configure Standard addressing mode, complete the following instructions: 1. Select Standard from the Network Addressing Mode menu. Because NAT is disabled, you must assign valid IP addresses to all computers and network devices on your LAN. Enter a unique, valid IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your S
191. entication Service delivers strong authentication of VPN users across the Internet to protect your organization's valuable and confidential resources. Implemented in collaboration with VeriSign, the leading provider of trusted services, SonicWALL Authentication Service is an affordable, easy-to-administer, end-to-end digital certificate solution for your organization. When combined with SonicWALL VPN, the SonicWALL Authentication Service guarantees that the right people access the right resources. With SonicWALL Authentication Service, organizations can take advantage of the power of public key infrastructure (PKI) and digital certificates without incurring the high cost and complexity of creating the infrastructure themselves. Network administrators manage the SonicWALL Authentication Service directly from the SonicWALL Internet security appliance, and VPN user certificates are conveniently distributed on a secure Web-based server. For more information on the SonicWALL Authentication Service, visit http www sonicwall com authentication service index html. SonicWALL ViewPoint Reporting: SonicWALL ViewPoint, a Web-based graphical reporting tool, enables administrators to understand and manage their network. ViewPoint complements and extends SonicWALL's complete security platform by delivering comprehensive, high-level historical reports and real-time monitoring. SonicWALL ViewPoint includes everything you ne
192. entication menu. 9. Select Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) from the Phase 2 Encryption/Authentication menu. Enter an alphanumeric secret in the Shared Secret field. The Shared Secret must match the corresponding field in the remote SonicWALL. This field can range from 4 to 128 characters in length and is case-sensitive. 10. Click Add New Network to define the destination network addresses. Clicking Add New Network updates the VPN configuration and opens the VPN Destination Network window. 11. Enter the IP address of the remote network in the Network field. This address is a private address if the remote LAN has enabled NAT. 12. Enter the subnet mask of the remote network in the Subnet mask field. 13. Click Update to add the remote network and close the VPN Destination Network window. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. 14. Click Advanced Settings and select the boxes that apply to your SA: Enable Keep Alive if you want to maintain the current connection by listening for traffic on the network segment between the two connections. Enable Windows Networking (NetBIOS) broadcast if remote clients use Windows Network Neighborhood to browse remote networks. Apply NAT and firewall rules to apply NAT and firewall rules to the SA, or just firewall rules if in Standard mode. Forward packets to remote VPNs if creating a hub and spoke
193. entication window with a Password dialogue box is displayed. 3. Type admin in the User Name field and the password previously defined in the Installation Wizard in the Password field. Passwords are case-sensitive. Enter the password exactly as defined and click Login. Tip: All SonicWALLs are configured with the default User Name "admin" and the default Password "password". If you cannot log into the SonicWALL, a cached copy of the page is displayed instead of the correct page. Click Reload or Refresh on the Web browser and try again. Also, be sure to wait until the Java applet has finished loading before attempting to log in. Once the password is entered, an authenticated management session is established. This session times out after 5 minutes of inactivity. The default time-out can be increased on the Password window in the General section. HTTPS Management: The SonicWALL family of Internet Security Appliances supports HTTPS Management using Secure Socket Layer (SSL). HTTPS Management allows secure access to the SonicWALL without a VPN Client. It is a simple and secure way to manage your SonicWALL from both the LAN and the WAN. You log into the SonicWALL Management interface using https://IP Address, where the IP address is the SonicWALL LAN IP address. For example, if the LAN IP address of your SonicWALL appliance is 192.168.168.1, you can log into it by typing https://19
194. er network devices on your Local Area Network (LAN). Don't use NAT: Select this only if your ISP has given you a non-private IP address for every PC and network device on your LAN, as well as a non-private IP address for the SonicWALL. Use NAT: Select this if you have more PCs and network devices than non-private IP addresses. Later you may use SonicWALL's Web Management Interface to set up your public servers with the extra IP addresses. 7. The Optional Network Address Translation (NAT) page offers the ability to enable NAT. Select Don't Use NAT if there are enough static IP addresses for your SonicWALL, all PCs, and all network devices on your LAN. Selecting Don't Use NAT enables the Standard mode. Select Use NAT if valid IP addresses are in short supply or to hide all devices on your LAN behind the SonicWALL valid IP address. Click Next to continue. Configuring WAN Network Settings: If you selected either NAT or Standard mode, the Getting to the Internet page is displayed. Getting to the Internet: WAN Gateway (Router) Address; DNS Server Address. You will need to fill in the following fields to connect to the Internet. All these values must be entered as numerical IP addresses such as 1.2.3.4. If you
195. er the DNS server IP address in the DNS Server 1 field. Enter the L2TP server host name in the L2TP Host Name field. Enter the IP address of the L2TP server in the L2TP Server IP Address field. Enter your user name and password in the User Name and User Password fields. 9. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the L2TP connection after a specified period of inactivity. Define a maximum number of minutes of inactivity in the Minutes field. This value can range from 1 to 99 minutes. 10. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect. Alert: When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN. When your SonicWALL has successfully established an L2TP connection, the Network page displays the SonicWALL WAN IP settings. The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/LAN Subnet Mask, and DNS Servers are displayed. Alert: Enable and configure the SonicWALL DHCP server or manually configure client DNS settings to obtain DNS name resolution. Restarting the SonicWALL: Once the network settings have been updated, the Status bar at the bottom of the browser window displays Restart SonicW
196. ermined by the CA service. Creating a Certificate Signing Request: To create a certificate for use with a VPN SA, follow these steps. Tip: You should create a Certificate Policy to use in conjunction with local certificates. A Certificate Policy determines the authentication requirements and the authority limits required for the validation of a certificate. 1. Click VPN, then Local Certificates. 2. In the Generate Certificate Signing Request section, enter a name for the certificate in the Certificate Name field. Using the drop-down menus, enter information for the certificate request. As you enter information in the Request fields, the Distinguished Name (DN) is created. You may also attach an optional Subject Alternative Name to the certificate, such as the Domain Name or E-mail Address. The Subject Key type is preset as an RSA algorithm. RSA is a public key cryptographic algorithm used for encrypting data. Select a Subject Key size from the Subject Key Size menu. Not all key sizes are supported by a Certificate Authority; therefore, you should check with your Certificate Authority for supported key sizes. Click Generate to create a certificate file. Once the Certificate Signing Request is generated, a message describing the result is displayed. Click Export to download the file to your computer, and then click Save to save it to a directory on your
197. ervice affected by the Rule from the Service list. If the service is not listed, you must define the service in the Add Service window. The Default service encompasses all IP services. 4. Select the source of the traffic affected by the rule, either LAN, WAN, or both, from the Source Ethernet menu. If you want to define the source IP addresses that are affected by the rule, such as restricting certain users from accessing the Internet, enter the starting IP address of the address range in the Addr Range Begin field and the ending IP address in the Addr Range End field. To include all IP addresses, enter * in the Addr Range Begin field. 5. Select the destination of the traffic affected by the rule, either LAN, WAN, or both, from the Destination Ethernet menu. If you want to define the destination IP addresses that are affected by the rule, for example to allow inbound Web access to several Web servers on your LAN, enter the starting IP address of the address range in the Addr Range Begin field and the ending IP address in the Addr Range End field. To include all IP addresses, enter * in the Addr Range Begin field. Select always from the Apply this rule menu if the rule is always in effect. Select from in the Apply this rule menu to define the specific time and day of week to enforce the rule. Enter the time of day in 24-hour format to begin and end enforcement. Then select the day of the week to begin and end enforcement. Tip: If you want to enable the
198. ervices of a product, please click on the appropriate product link. Serial Number / Registration Code (for example 80000000034): Enter the serial number of the new product to be registered (the 12-digit number on the bottom of the unit, for example 0040XXXXXXXX). You may also enter a Friendly Name for the product (for example San Jose Branch Office); it may be up to 30 characters. Also, an e-mail message is sent to both the old and new user as a notification that the appliance was transferred. From: Registration. To: Laura Phillips. Subject: SonicWALL Transfer Product. Sent: Mon 12/3/2001 3:49 PM. "Dear Customer, This is to confirm that the device with Serial Number 0040100F1566 has been transferred from User LAP_Wente to MaryMoon 2001. Thank you, SonicWALL Support Team." Delete Product: You can also delete a SonicWALL from your mySonicWALL.com user account. Click on the Friendly Name for the appliance and then click Delete. A confirmation message appears in the next window and you have successfully deleted a SonicWALL from your user account. You can add the SonicWALL back to your account at any time. Tip: You can only transfer a SonicWALL to another registered user of mySonicWALL.com.
199. RADIUS Client Test: You can test your RADIUS Client user name and password by typing a valid user name in the User field and the password in the Password field. If the validation is successful, the Status message changes to Success. If the validation fails, the Status message changes to Failure. Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to enter a User Name and Password into a dialogue box. Management: SonicWALL SNMP Support. SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL Internet security appliances and receive notification of any critical events as they occur on the network. SonicWALL Internet security appliances support SNMP v1/v2c and all relevant Management Information Base II (MIB-II) groups except egp and at. The SonicWALL replies to SNMP Get commands for MIB-II via any interface and supports a custom SonicWALL MIB for generating trap messages. The custom SonicWALL MIB is available for download from the SonicWALL Website and can be loaded into third-party SNMP management software such as HP OpenView, Tivoli, or SNMPC. T
200. et Port; WAN Ethernet Port. The SonicWALL TELE3 SP Back Panel Description: Power Input: Connects to the external power supply that is provided with the SonicWALL TELE3 SP. The use of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TELE3 SP against damage or loss of data due to electrical storms, power failures, or power surges. Reset Switch: Erases the firmware and resets the SonicWALL TELE3 SP to its factory clean state. CLI (Command Line Interface) Port: DB-9 RS-232 serial port that allows out-of-band management of the SonicWALL TELE3 SP using a V.90/V.92 US Robotics external modem or a null modem cable. 2 Twisted Pair 10Base-T/100Base-T Ethernet Ports: Two auto-switching 10 Mbps/100 Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks. The Ethernet ports connect the SonicWALL TELE3 SP to the LAN and WAN using Twisted Pair cable with RJ45 connectors. TELE3 SP Modem Port: A V.90 internal modem provides dial-up access to establish connectivity to the Internet. It uses a standard RJ-11 telephone cord. Cooling Vents: The SonicWALL TELE3 SP is convection cooled; an internal fan is not necessary. Do not block the cooling vents. Test: Lights up when the SonicWALL is powered up and performing diagnostic tests for proper operation. These tests take up to 5 minutes. SonicWALL TELE3 TZ Front Panel: The SonicWALL TELE3 T
201. ettings 64; Contents Page 1; Primary WALT PaC Oss 65; Failover Settings 65; Configuring a Modem Profile for Manual Dial-Up 66; Status 69; Modem Status 69; Chat Scripts 70; Custom Chat Scripts 71; 5 Managing Your SonicWALL Internet Security Appliance 72; REGUS 73; CLI Support and Remote Management 75; 6 General and Network Settings 76; Network Settings 76; Network Addressing Mode 76; LAN Settings 77; Multiple LAN Subnet Mask Support 77; WAN Settings 78; DNS Settings 78; Standard Configuration 79; NAT Enabled Configuration 79; NAT with DHCP Client Configuration
202. etwork connection. Link: The Link LED indicates that the interface is connected to a valid link partner and is receiving link pulses. The 1000Base-T network interface has the following LEDs: Link: The Link light is green when a network connection is made to another Ethernet device, usually a hub, on the port. Activity: The Activity LED blinks, indicating activity when the SonicWALL transmits or receives a frame. Network Speed: The Network Speed light remains off if there is no connection or if a 10 Mbps connection is made. If a 100 Mbps connection is made, the LED is green. If a 1000 Mbps connection is obtained, the LED is yellow. Reset Switch: Resets the SonicWALL GX 250 or the SonicWALL GX 650 to its factory clean state. This may be required if you forget the administrator password or the SonicWALL firmware has become corrupt. SonicWALL GX 250 and GX 650 Back Panel Description: Power Inputs; Power Switches; Alarm Reset; Cooling Vents. Power Inputs: There are two power input receptacles to connect the SonicWALL to the AC power input. The unit comes standard with redundant, hot-swappable power supplies with active power factor correction (100-240 VAC, 50/60 Hz). Power Switches: One power switch for each hot-swappable power supply module. The audible alarm sounds if only one power supply is functioning. Alarm Reset Button: The Alarm Reset but
203. etwork in the General section. Select NAT with L2TP Client from the Network Addressing Mode menu. Enter 192.168.168.1 in the SonicWALL LAN IP Address field. Enter 255.255.255.0 in the LAN Subnet Mask field. If you obtain an IP address dynamically from the L2TP server, select Obtain an IP address using DHCP. The other fields in the WAN Settings are greyed out and are filled in when a connection is made to the L2TP server. If you have WAN IP address information, select Use the specified IP address. Enter the WAN IP address for the gateway in the WAN Gateway (Router) Address field. Enter the WAN IP address for the SonicWALL in the SonicWALL WAN IP (NAT Public) Address field. Enter your DNS IP address in the DNS Server field. 13. Enter the host name in the L2TP Host Name field. 14. Enter the server IP address in the L2TP Server IP Address field. 15. Enter your user name and password in the User Name and User Password fields. 16. Select Disconnect after ___ minutes of inactivity if you want to end an inactive connection. Enter the number of minutes of inactivity before the connection is dropped. The default value is 10 minutes. 17. The L2TP settings are filled in once a connection is made to the L2TP server. 18. Click Update. Once the SonicWALL is updated, you must restart the SonicWALL for the changes to take effect. Configuring NAT with PPTP Client: The SonicWALL Installation
204. evel is reached, the VPN connection is dropped by the SonicWALL. The SonicWALL uses a UDP packet protected by Phase 1 Encryption as the heartbeat. VPN Bandwidth Management: You can allocate bandwidth to all outbound VPN traffic. To enable VPN Bandwidth Management, select Enable VPN Bandwidth Management and enter the amount of bandwidth in Kbps for VPN guaranteed bandwidth and VPN maximum bandwidth. Select VPN bandwidth priority from the VPN bandwidth priority menu (0 highest to 7 lowest). Tip: Bandwidth management is available only on outbound VPN traffic. You cannot configure individual Security Associations to use bandwidth management. VPN Policies: This section displays all of the VPN configurations in the SonicWALL appliance. If you click the name of the security association, the security association settings are displayed. The Security Association Group VPN is a default setting. Currently Active VPN Tunnels: A list of currently active VPN tunnels is displayed in this section. The table lists the name of the SA, the local LAN IP addresses, and the remote destination network IP addresses, as well as the Peer Gateway IP address. SonicWALL NAT Traversal Support: VPN NAT Traversal is an Internet Draft proposed to the IETF (Internet Engineering Task Force) to overcome problems faced when IPSec traffic is intended to pass through a NAT device. NAT Traversal addresses the issue of UDP (User Datagram Protocol) e
205. After you register the SonicWALL, the Friendly Name appears as a hyperlink under Registered SonicWALL Products. Click on the Friendly Name to view the services activated on the appliance. [Screenshot: mySonicWALL.com Service Management page showing the login (LAP_Wente), Serial Number, Node Support (Unlimited), Product (PRO-VX), Registration Code, Platform (ARM), mySonicWALL 1.6.24, a Manage Product button, and an Applicable Services table with columns Service Name, Status, Expiry, and Key, listing among others Anti-virus Upgrade (06 Aug 2002), Support 8x5, Support 24x7, and Int'l Support.] Note: Services may vary from model to model and may not have the same activated fields as the above appliance. Also, the serial number, registration code, and activation keys are masked for security reasons. Status and Options: Click Status and Options underneath the login information to search for the status and options relating to a particular SonicWALL appliance. Enter the SonicWALL
206. f any of the strings NO CARRIER, NO DIALTONE, or BUSY are received from the modem. The next five commands are AT commands that tell the chat interpreter to wait for nothing, as "" defines an empty string, and configure the following on the modem: return command responses, don't echo characters, report the connecting baud rate when connected, and return verbose responses. The next line has OK as the expected string, and the interpreter waits for OK to be returned in response to the previous command (ATV1) before continuing the script. If OK is not returned within the default time period of 50 seconds, the chat interpreter aborts the script and the connection fails. If OK is received, the prefix and phone number of the selected dial-up account is dialed. The \T command is replaced by the chat script interpreter with the prefix and phone number of the dial-up account. In the last line of the script, Connect is the expected response from the remote modem. If the modems successfully connect, Connect is returned from the TELE3 SP modem. The \D adds a pause of one second to allow the server to start the PPP authentication. The \C command ends the chat script without sending a carriage return to the modem. The TELE3 SP then attempts to establish a PPP (Point-to-Point Protocol) connection over the serial link. The PPP connection usually includes authentication of the user by using PAP (Password Authentication Protocol) or CHAP (Challenge Hands
207. f each item. [Front panel: Modem LED; WAN Port LEDs (Link, 100, Activity); LAN Port LEDs (Link, 100, Activity); Test LED; Power LED.] SonicWALL TELE3 SP Front Panel Description: Power: Lights up when power is applied to the SonicWALL TELE3 SP. Modem: Lights up when the modem has established a dial-up connection. There are two Ethernet ports for the LAN and WAN connections. Link: Lights up when the Twisted Pair port is connected to a 10 Mbps or 100 Mbps hub or switch, or directly connected to a computer. Note that the connected Ethernet device must support the standard Link Integrity test. 100: Lights up when the Twisted Pair port is connected to a 100 Mbps hub or switch, or directly connected to a computer with a 100 Mbps network interface. Activity: Flashes when the SonicWALL TELE3 SP transmits or receives a packet through the Twisted Pair port. Test: Lights up when the SonicWALL TELE3 SP is first powered up and performing diagnostic tests to check for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time, the software is corrupt and must be reinstalled. SonicWALL TELE3 SP Back Panel: The SonicWALL TELE3 SP back panel is shown below, followed by a description of each item. [Back panel: Cooling Vents; 7.5 VDC 2 A Power Input; Reset Switch; 10 Mbps/100 Mbps WAN; Modem Port; CLI Port; 10 Mbps/100 Mbps LAN Ethern
208. f the SonicWALL. Select NAT Enabled if your ISP assigned you only one or two valid IP addresses. NAT with DHCP Client mode configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers. NAT with PPPoE mode uses PPPoE to connect to the Internet. If desktop software and a user name and password are required by your ISP, select NAT with PPPoE. NAT with L2TP Client mode uses IPSec to connect to an L2TP server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations. NAT with PPTP Client mode uses Point-to-Point Tunneling Protocol (PPTP) to connect to a remote server. It supports older Microsoft implementations requiring tunneling connectivity. LAN Settings: SonicWALL LAN IP Address: The SonicWALL LAN IP Address is the IP address assigned to the SonicWALL LAN port. It is used for managing the SonicWALL. This IP address should be a unique address from the LAN address range. LAN Subnet Mask: The LAN Subnet Mask defines which IP addresses are on the LAN. The default Class C subnet mask of 255.255.255.0 supports up to 254 IP addresses on the LAN. If the Class C subnet mask is used, all local area network addresses should contain the same first three numbers as the SonicWALL LAN IP Address.
209. figuring VPN Client Security Policy. 3. Select Security Policy in the Network Security Policy window. [Screenshot: Security Policy Editor, SonicWALL VPN Client; My Connections > Security Policy; Select Phase 1 Negotiation Mode (Main Mode); Enable Replay Detection.] 4. Select Use Manual Keys in the Select Phase 1 Negotiation Mode menu. 5. Click the expand icon next to Security Policy and select Key Exchange (Phase 2). Click the expand icon next to Key Exchange (Phase 2) and select Proposal 1. [Screenshot: Security Policy Editor, Proposal 1; SA Life: Unspecified (Seconds, KBytes); Compression: None; Encapsulation Protocol (ESP): Encrypt Alg DES, Hash Alg SHA-1, Encapsulation Tunnel; Authentication Protocol (AH): Hash Alg; Inbound Keys, Outbound Keys.] Configuring VPN Client Key Exchange Proposal. [Screenshot: Security Policy Editor, SonicWALL VPN Client; Network
210. for additional information about privacy. When new firmware is available, a message is e-mailed to the address specified in the Log Settings window. In addition, the Status window includes notification of new firmware availability. This notification provides links to firmware release notes and to a Firmware Update Wizard. The Firmware Update Wizard simplifies and automates the upgrade process. Follow the instructions in the Firmware Update Wizard to update the firmware. Updating Firmware Manually: You can also upload firmware from the local hard drive. Click Upload Firmware. [Upload Firmware dialog at http 192 168 168 1 management htm: "When you upload new firmware your settings may be erased. For this reason it is necessary to save your preferences to your local disk so that they can be restored later. Have you saved your preferences already?"] Alert: The Web browser used to import settings must support HTTP uploads. Microsoft Internet Explorer 5.0 and higher, as well as Netscape Navigator 4.0 and higher, are recommended. When firmware is uploaded, the SonicWALL settings can be erased. Before uploading new firmware, export and save the SonicWALL settings so that they can be restored later. Once the settings have been saved, cl
211. g Security Associations: To delete an SA, select it from the list and click the Delete This SA button. To modify an SA, select it from the list, make the desired changes, and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the Web browser window. Click Update to enable the changes. Accessing Remote Resources across a Virtual Private Network: SonicWALL VPN Clients, which cannot transmit NetBIOS broadcasts, can access resources across a VPN by locating a remote computer by IP address. For example, if a remote office has a Microsoft SQL server, users at the local office can access the SQL server by using the server's private IP address. There are several ways to facilitate connecting to a computer across a SonicWALL VPN: Use the Find Computer tool; Create an LMHOSTS file in a local computer registry; Configure a WINS Server to resolve a name to a remote IP address. For more information on accessing remote resources over a VPN, see <http://www.sonicwall.com/products/documentation/vpnremotehostswp.html>. Advanced Settings: All of the Advanced Settings for VPN connections are accessed by clicking the Advanced Settings button located on the Configure tab. The following settings are available in the Edit Advanced Settings window: Enable Keep Alive; Try to bring up all possible SAs; Require authentication of loca
212. Configuring LAN Network Settings. [Installation Wizard page, Fill in information about your LAN: "Since you are using NAT, you will need to specify information about your LAN. You can choose this information arbitrarily, but it's a good idea to use private addresses such as 10.0.0.1 or 192.168.168.1. Note that the default values below will work well for most networks." SonicWALL LAN IP Address: 192.168.168.1; LAN Subnet Mask: 255.255.255.0.] 8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL work for most networks. If you do not use the default settings, enter the SonicWALL LAN settings and click Next to continue. Configuring the SonicWALL DHCP Server. [Installation Wizard page, Optional: SonicWALL's DHCP Server: "SonicWALL contains a Dynamic Host Configuration Protocol (DHCP) server to automatically configure the IP settings for the PCs and other network devices on your LAN. If you wish to use SonicWALL's DHCP Server, check the Enable DHCP Server checkbox below and enter a range of
213. ger than the time configured by the administrator. If Limit login session time to is not selected, then the user has unlimited login session time on the SonicWALL.

Allow DNS access for unauthenticated VPN users. Enabling this check box allows unauthenticated DNS traffic to access the DNS server over a VPN tunnel with authentication enforcement. Use this checkbox if you allow unauthenticated users to access the DNS server on your LAN.

Users
- Use RADIUS. Select Use RADIUS if you have configured RADIUS to authenticate users accessing the network through the SonicWALL. If you have more than 100 users requiring authentication, you must use a RADIUS server. If you select Use RADIUS, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS.
  Allow only users listed below. Enable this setting if you have a subset of RADIUS users accessing the SonicWALL. The user names must be added to the internal SonicWALL user database before they can be authenticated using RADIUS.
- Authenticate users listed below. Selecting this option allows you to configure users in the local database. To add new users, fill out the User Name, Password, and Confirm Password fields, then select from the list of privileges allowed for the user.
  Remote Access. Enable this check box if the user ac
214. ginating from the WAN and DMZ to the LAN. Additional Network Access Rules can be defined to extend or override the default rules. For example, rules can be created that block certain types of traffic, such as IRC, from the LAN to the WAN; allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN; or restrict use of certain protocols, such as Telnet, to authorized users on the LAN. The custom rules evaluate network traffic (source IP address, destination IP address, IP protocol type) and compare the information to rules created on the SonicWALL. Network Access Rules take precedence and can override the SonicWALL's stateful packet inspection. For example, a rule that blocks IRC traffic takes precedence over the SonicWALL default setting of allowing this type of traffic.

Alert: The ability to define Network Access Rules is a very powerful tool. Using custom rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting Network Access Rules.

Viewing Network Access Rules. The Services window displays a table of defined Network Access Rules. Rules are sorted from the most specific at the top to less specific at the bottom of the table. At the bottom of the table is the Default rule. The Default rule is all IP services except those listed in the Services window. Rules can be created to override the behavior of the Default ru
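How an ordered rules table like the one described above is evaluated, as an added example that is not part of the SonicWALL guide: the LAN network, the partner host 203.0.113.10 and the port numbers for IRC and Lotus Notes are assumed for the illustration, and the matching logic is a simplified model of "most specific first, Default rule last", not the appliance's own implementation.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for the example: the guide's default LAN network and
# a hypothetical partner host. Port numbers are the well-known assignments for
# IRC and Lotus Notes; they are assumed here, not taken from the guide.
LAN = ip_network("192.168.168.0/24")
ANY = ip_network("0.0.0.0/0")
IRC_PORT, NOTES_PORT = 6667, 1352


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: IPv4Network                 # ANY means any source
    dst: IPv4Network                 # ANY means any destination
    protocol: str = "ip"             # "ip" matches every IP protocol
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and self.protocol in ("ip", pkt.protocol)
                and self.dst_port in (None, pkt.dst_port))

    def specificity(self) -> int:
        # Longer prefixes, a named protocol and a fixed port all narrow a rule;
        # the table is ordered from the narrowest rule to the broadest.
        return (self.src.prefixlen + self.dst.prefixlen
                + (8 if self.protocol != "ip" else 0)
                + (16 if self.dst_port is not None else 0))


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Most specific first, as the Services window displays them; the Default
    rules (0.0.0.0/0 on one side, any service) sort to the bottom."""
    return sorted(rules, key=Rule.specificity, reverse=True)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule in specificity order wins; returns (action, rule name)."""
    for rule in order_rules(rules):
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"   # only reached if no Default rule exists


# Rule set modelled on the examples in the text: defaults at the bottom,
# custom rules that override them for specific traffic above.
RULES = [
    Rule("Default LAN to WAN", "allow", LAN, ANY),
    Rule("Default WAN to LAN", "deny", ANY, LAN),
    Rule("Block IRC from LAN", "deny", LAN, ANY, "tcp", IRC_PORT),
    Rule("Allow Notes sync from partner", "allow",
         ip_network("203.0.113.10/32"), ip_network("192.168.168.50/32"),
         "tcp", NOTES_PORT),
]


def decide(src: str, dst: str, protocol: str,
           dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Convenience wrapper: evaluate one packet against RULES."""
    pkt = Packet(ip_address(src), ip_address(dst), protocol, dst_port)
    return evaluate(RULES, pkt)


if __name__ == "__main__":
    for rule in order_rules(RULES):
        print(f"{rule.specificity():3d}  {rule.action:5s}  {rule.name}")
    print(decide("192.168.168.20", "198.51.100.7", "tcp", IRC_PORT))
    print(decide("192.168.168.20", "198.51.100.7", "tcp", 80))
```

The specific IRC rule sits above the broad LAN-to-WAN default, so IRC from the LAN is denied while other LAN traffic still falls through to the default allow.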
215. grity test.
- 100: Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch, or directly connected to a computer with a 100Mbps network interface.
- Activity: Flashes when the SonicWALL transmits or receives a packet through the Twisted Pair port.

SonicWALL SOHO3 and TELE3 Back Panel. The SonicWALL SOHO3 back panel is shown below, followed by a description of each item. The SonicWALL TELE3 back panel is identical to the SonicWALL SOHO3.
[Figure: SonicWALL SOHO3 and TELE3 Back Panel. Labels: Cooling Vents; Reset Switch; 5VDC 2A Power Input; Serial Port; 10Mbps/100Mbps LAN Ethernet Port; 10Mbps/100Mbps WAN Ethernet Port]
Description:
- Reset Switch: Erases the firmware and resets the SonicWALL to its factory clean state. This can be necessary if you forget the administrator password or the firmware has become corrupt.
- Serial Port: DB-9 RS-232 serial port for Command Line Interface support.
- 2 Twisted Pair (10Base-T/100Base-T) Ethernet Ports: 2 auto-switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks. The Ethernet ports connect the SonicWALL to the LAN and WAN using Twisted Pair cable with RJ45 connectors.
- Power Input: Connects to the external power supply, which is provided with the SonicWALL SOHO3 and the SonicWALL TELE3. The use of an Uninterruptible Power Supply (UPS) is recommended to protect against damage or loss of data due to electri
216. gs Server Host Name or IP Address: Enter the Server Host Name or the IP address of the Websense Enterprise server used for the Content Filter List.
Server Port: Enter the UDP port number for the SonicWALL to listen for the Websense Enterprise traffic. The default port number is 15686.
User Name: To enable reporting of users and groups defined on the Websense Enterprise server, leave this field blank. To enable reporting by a specific user or group behind the SonicWALL, enter the User Name configured on the Websense Enterprise Server for the user or group. If using NT-based directories on the Websense Enterprise Server, the User Name is in this format, for example: NTLM domainname username. If using LDAP-based directories on the Websense Enterprise server, the User Name is in this format, for example: LDAP o domain ou sales username. If you are not sure about entering a user name in this section, leave the field blank and consult your Websense documentation for more information.
If Server is unavailable for 5 secs: If the Websense Enterprise server becomes unavailable, select from the following two options: Block traffic to all Web sites; Allow traffic to all Web sites.
URL Cache: Configure the size of the URL Cache in KB.
Model | Cache Size
XPRS, PRO, SOHO2, TELE2, SOHO3 | 128
TELE3 and PRO-Vx, PRO 100, PRO 200, PRO 30
217. h
- 1 year factory replacement for defective hardware
- 90 days of advisory support for installation and configuration assistance during local business hours
- 90 days of software and firmware updates
- Access to SonicWALL's electronic support and Knowledge Base system

SonicWALL Support 8X5. Designed for customers who need advanced technical support and the additional benefits of ongoing software and firmware updates, SonicWALL Support 8X5 is an annual service that includes:
- Factory replacement for defective hardware
- Telephone or electronic technical support during local business hours
- Access to SonicWALL's electronic support and Knowledge Base systems
- All software and firmware updates and upgrades

SonicWALL Support 24X7. For customers with mission-critical network requirements who cannot afford downtime, SonicWALL Support 24X7 is an annual subscription service that offers:
- Advanced exchange replacement of defective hardware
- Telephone or electronic support 24 hours a day, seven days a week
- Enhanced escalation for high-priority problems
- Access to SonicWALL's electronic support and Knowledge Base systems

All of SonicWALL's Support Services offer a variety of support services to meet your unique needs, including fast, responsive service, instant access to electronic support tools, and high-quality technical support.

SonicWALL Support Services Features and Benefits. Telephone or Web-based Tec
218. hake Authentication Protocol) from the PPP suite. Once a PPP connection is established, it looks like any other network interface.

Custom Chat Scripts. Custom chat scripts can be used when the ISP dial-up server does not use PAP or CHAP as an authentication protocol to control access. Instead, the ISP requires a user to log onto the dial-up server by prompting for a user name and password before establishing the PPP connection. For the most part, this type of server is part of the legacy systems rooted in the dumb-terminal login architecture. Because these types of servers can prompt for a user name and password in a variety of ways, or require subsequent commands to initiate the PPP connection, a Chat Script field is provided for you to enter a custom script. If a custom chat script is required by an ISP for establishing a connection, it is commonly found on their web site or provided with their dial-up access information. Sometimes the scripts can be found by using a search engine on the Internet and using the keywords "chat script ppp Linux <ISP name>". A custom chat script can look like the following script (expect/send pairs; "" is an empty expect string, \T is the phone number, \L the login name and \P the password):

ABORT "NO CARRIER" ABORT "NO DIALTONE" ABORT "BUSY"
"" ATQ0 ATE0 ATM1 ATW2 ATV1
OK ATDT\T
CONNECT ""
sername \L
assword \P

Tip: The first character of username and password are ignored during PPP authe
219. he DHCP Server on the DHCP Setup page.
  2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.
  3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN. Use the default value, 255.255.255.0, if there are fewer than 254 computers on your LAN.
  4. Enter the user name provided by your ISP in the User Name field. The user name identifies the PPPoE client.
  5. Enter the password provided by your ISP in the Password field. The password authenticates the PPPoE session. This field is case-sensitive.
  6. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the PPPoE connection after a specified period of inactivity. Define a maximum number of minutes of inactivity in the Minutes field. This value can range from 1 to 99 minutes.
  7. In the WAN/LAN section, select Obtain an IP Address Automatically if your ISP does not provide a Static IP address. Select Use the following IP Address if your ISP assigns a specific IP address to you.
  8. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the bro
220. he Web browser window.
Add New Address. The SonicWALL can be configured to enforce content filtering for certain computers on the LAN. Enter the IP addresses of these computers in the Add New Address field and click the Submit button. Up to 128 IP addresses can be entered. To remove a computer from the list of computers to be filtered, highlight the IP address in the Mandatory Filtered IP Addresses list and click Delete Address.

Configuring N2H2 Internet Filtering. N2H2 is a third-party Internet filtering package that allows you to use Internet content filtering through the SonicWALL. When you select N2H2 as your Content Filter List, the N2H2 tab is available.
[Screenshot: N2H2 tab. Content Filter Type; Restrict Web Features (Known Fraudulent Certificates, Access to HTTP Proxy Servers); Don't block Java/ActiveX/Cookies to Trusted Domains (Add Trusted Domain, Delete Domain); Message to display when a site is blocked: "Web Site Blocked by SonicWALL Filter"; note: Websense Enterprise displays its own site-blocked messages unless it is unavailable]

Restrict Web Features. Select any of the following applications to block:
Block ActiveX: ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX check box to block ActiveX controls
221. he check box, and the SonicWALL blocks access to sites on the Content Filter, custom, and keyword lists. The SonicWALL also logs attempts to access these sites.

Consent. The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy window before Web browsing is allowed. Click Filter on the left side of the browser window and then click the Consent tab.
[Screenshot: Web Usage Consent Page. Require Consent; Maximum web usage is __; User Idle Timeout is __; Consent page URL (Optional Filtering); Consent Accepted URL (Filtering Off); Consent Accepted URL (Filtering On); Mandatory Filtered IP Addresses; Consent page URL (Mandatory Filtering); Add New Address; Delete Address]

Maximum Web usage. In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The SonicWALL can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit in minutes in
222. he current bindings: the IP and MAC address of each binding, along with the type of binding (Dynamic, Dynamic BootP, or Static BootP). To delete a binding, which frees the IP address in the DHCP server, select the binding from the list and then click Delete Binding. The operation takes a few seconds to complete. Once completed, a message confirming the update is displayed at the bottom of the Web browser window. Click Refresh to reload the list of bindings. This can be necessary because Web pages are not automatically refreshed, and new bindings can have been issued since the page was first loaded.

DHCP Server on the SonicWALL TELE3 TZ and TZX. This section explains the configuration of the SonicWALL DHCP Server on the SonicWALL TELE3 TZ and TZX. DHCP (Dynamic Host Configuration Protocol) is a method to distribute TCP/IP settings from a centralized server to computers on a network. The SonicWALL DHCP Server distributes IP addresses, gateway addresses, and DNS server addresses to the computers on your WorkPort or your HomePort. To access the SonicWALL DHCP Setup window, click DHCP on the left side of the browser window. There are three tabs in the DHCP section: Setup, DHCP over VPN, and Status.

Setup. Disable DHCP Server is the default setting in the SonicWALL.
Allow DHCP Pass Through in Standard Mode. Network administrators can have a DHCP server located outside the SonicW
223. hernet. The Ethernet tab allows the management of Ethernet settings using the SonicWALL Management interface. The tab has the following settings:
- WAN Link Settings
- Enable Bandwidth Management
- DMZ/WorkPort Link Settings
- LAN/HomePort Link Settings
- Proxy Management workstation Ethernet Address on WAN
- MTU Settings
The default selection for all of the link settings is Auto Negotiate, because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. The other choice, Force, with lists for speed and duplex, should be used only if your Ethernet card also forces these settings. You must force from both sides of your connection to enable this setting.

WAN Link Settings. Specifies the speed and duplex mode of the Ethernet connection to the WAN link. The default selection is Auto Negotiate, because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. The other choice, Force, with lists for speed and duplex, should be used only if your Ethernet card also forces these settings. You must force from both sides of your connection to enable this setting.

Enable Bandwidth Management. To enable Bandwidth Management on the SonicWALL, you must know the current bandwidth of your connection. Once you have this figure, you can select Enable Bandwidth Management on the Advanced Ethernet page and then enter the amount of available WAN
224. hnical Support: SonicWALL's technical support experts help solve your problems or answer your questions quickly, reducing your risk of Internet attack.
Knowledge Base: Instant access to solutions and documentation provides answers to questions and solves problems electronically.
Firmware/Software Upgrades: Automatic firmware and software upgrades give instant access to new features and capabilities, allowing you to extend your Internet security investment.
Annual Support Agreement: Low fixed prices for support services allow you to budget accurately and protect you from unexpected technical support expenses.

Feature | SonicWALL Warranty | SonicWALL Support 8X5 | SonicWALL Super Support
Telephone/Web-based technical support | 90 days; 8:00 a.m. to 5:00 p.m. local time, Monday to Friday | 1 year; 8:00 a.m. to 5:00 p.m. local time, Monday to Friday | 1 year; 24 hours by 7 days a week
Hardware Replacement | 1 year return to factory | 1 year return to factory | 1 year advanced exchange
Software/Firmware Updates | 90 days | 1 year | 1 year
Enhanced Escalation | | | Yes

Warranty Support (North America). Included with all SonicWALL products, SonicWALL warranty support includes return-to-factory hardware replacement for one year. Warranty Support also includes technical support and software/firmware updates for 90 days. Coverage is provided during normal business hours
225. icWALL appliance, follow the same configuration steps as the first SonicWALL. You must enter the same SPIs and Encryption keys as the first SonicWALL appliance into the settings of the second SonicWALL appliance.

Example of Manual Key Configuration for Two SonicWALLs. Widgit Inc. wants to connect their main office with a branch office on the East Coast. Using a SonicWALL PRO 300 and a TELE3, they can configure a secure VPN tunnel between the two sites.
The main office has the following network settings:
- SonicWALL LAN IP address: 192.168.11.1
- LAN subnet mask: 255.255.255.0
- WAN router address: 209.33.22.1
- SonicWALL WAN IP address: 209.33.22.2
- WAN subnet mask: 255.255.255.224
The remote office has the following network settings:
- SonicWALL LAN IP address: 192.168.22.222
- LAN subnet mask: 255.255.255.0
- WAN router address: 207.66.55.129
- SonicWALL WAN IP address: 207.66.55.130
- WAN subnet mask: 255.255.255.248
To configure the main office PRO 300, use the following steps:
  1. Configure the network settings for the firewall using the Network tab located in the General section. Click Update and restart the SonicWALL if necessary.
  2. Click VPN, then the Configure tab.
  3. Create a name for the main office SA, for example, Main Office.
  4. Enter the remote office WAN IP address for the IPSec Gateway Address.
  5. Create an Incoming SPI using alphanumeric characters.
  6. Create an Outgoing SPI using alphanumeric characters.
  7. Select
226. ick Yes.
[Screenshot: confirmation dialog. "When you upload new firmware your settings may be erased. For this reason it is necessary to save your preferences to your local disk so that they can be restored later. Have you saved your preferences already?"]
Click Browse and select the firmware file from your local hard drive or from the SonicWALL Companion CD. Click Upload and then restart the SonicWALL.
Alert: When uploading firmware to the SonicWALL, you must not interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it can corrupt the SonicWALL firmware.

Upgrade Features. SonicWALL Internet Security Appliances can be upgraded to support new or optional features. Chapter 15, SonicWALL Options and Upgrades, provides a summary of the SonicWALL firmware upgrades, subscription services, and support offerings. You can contact SonicWALL or your local reseller for more information about SonicWALL options and upgrades. You can also purchase upgrades by registering your SonicWALL at <http://www.mysonicwall.com> and using the Buy Now option.
Web: http://www.sonicwall.com
E-mai
228. ides access to SonicWALL's Web-based support tools, including FAQs, documentation, and Knowledge Base systems.
Availability: SonicWALL Support 24X7 is an annual service available for sale at the time of product purchase or anytime before warranty expiration.

SonicWALL Support 8X5. Available for all products, SonicWALL Support 8X5 includes software/firmware technical support and factory hardware replacement. Coverage is provided during standard business hours.
Coverage Hours: Support is provided during standard business hours, 8:00 a.m. to 5:00 p.m. local time, Monday through Friday, excluding locally recognized SonicWALL holidays.
Telephone and Web-based Support: SonicWALL provides technical assistance during standard coverage hours by telephone or through Web-based support tools. A SonicWALL technical specialist works with you to remotely diagnose and identify firmware and hardware not performing to documented specifications. Web-based support includes interactive communication with a SonicWALL technical specialist. SonicWALL also provides general assistance regarding usage and documentation on a limited basis.
Hardware Service: SonicWALL Support 8X5 includes the repair or replacement of failing hardware returned to the SonicWALL factory. Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL. Upon receipt of the failed
229. iendly Name field and click Submit.
[Screenshot: mysonicwall.com Rename Product page. Serial Number: 0040100F1566; Friendly Name: PRO-VX (Ex: San Jose Branch Office; may be up to 30 characters)]
4. After clicking Submit, a new page appears with the message that you have successfully renamed your SonicWALL.
[Screenshot: mysonicwall.com My Products page, Registered Products table. Name: PRO 300; Serial Number: 0040100F1566; Registration Code: 01425436 BB0000000034. To register a new product, enter its serial number (0040XXXXXXXX, the 12-digit number on the bottom of the unit) and optionally a friendly name of up to 30 characters]

Transferring a SonicWALL Product. You can transfer a SonicWALL to another
230. iew the Status tab, log into your SonicWALL using your Web browser. Click General and then click the Status tab to display the Status window.
[Screenshot: Status window, showing the SonicWALL Serial Number, CPU (StrongARM 233 MHz), WAN/DMZ/LAN link status (LAN: 100 Mbps Full Duplex), uptime, a reminder to set the Internet Gateway address of the machines on your LAN, the attacks being detected (SYN flood, Ping of Death, IP spoofing, Land attack, Smurf amplification, sequence number attacks), and Content Filter status: SonicWALL Web Blocking is not enabled; the URL List has not been loaded; automatic URL List downloading has not been activated]

Note: The Status window displays the unique characteristics of the SonicWALL Internet Security Appliance, such as the presence of VPN acceleration hardware or a different amount of memory. Your Status window will be different from the window displayed above, depending on your settings.
The Status tab displays the following information:
- SonicWALL Serial Number: the serial number of the SonicWALL unit.
- Number of LAN IP addresses allowed with this license: the number of IP addresses that can be managed by the SonicWALL.
- Registration code: the registration code generated when the SonicWALL is registered at <http://www.mysonicwall.com>
231. iguring and managing VPN on SonicWALL Internet Security Appliances.
- Group VPN Configuration for the SonicWALL and VPN Client: Demonstrates the configuration of SonicWALL Group VPN settings on the SonicWALL Internet Security Appliance and VPN Client using the Group VPN Security Association.
- Manual Key Configuration for the SonicWALL and VPN Client: Explains the configuration of a SonicWALL appliance and a VPN client using the Manual Key Security Association.
- IKE and Manual Key Configuration for Two SonicWALLs: Describes VPN configuration between two SonicWALL VPN gateways in Manual Key and IKE modes.
- SonicWALL Third Party Digital Certificate Support: Explains setting up SonicWALLs for digital certificates from VeriSign and Entrust.
- SonicWALL Enhanced VPN Logging: Describes logging settings for both the SonicWALL appliance and the VPN client for troubleshooting VPN problems.
- Testing a VPN Tunnel Connection: Provides directions for testing a VPN tunnel configuration by using ping to send data packets to a remote computer.
- Configuring Windows Networking: Explains how to configure computers for Windows Networking to enable VPN users to browse the remote network using Network Neighborhood.

VPN Management Interface. Summary Tab: The Summary tab has four sections: Global VPN Settings, VPN Bandwidth Management, VPN Policies, and Currently Active VPN Tunnels.
Global VPN Settings. The Glo
232. increment of time, in seconds, to look for another SonicWALL configured for High Availability on the network. You may enter a value between 0 and 300 seconds, but the default value of 0 seconds is sufficient in most cases. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

Alert: It is important during initial configuration that the backup SonicWALL has not been previously configured for use. If the backup SonicWALL has previous network settings, it is recommended to reset the SonicWALL to the factory default settings using Restore Factory Default Settings, located in the Tools section. Additionally, the password must be changed back to the default password of "password" using the Password tab in the General section.
  10. Power on the backup SonicWALL used for High Availability. After completing the diagnostic cycle, the primary SonicWALL auto-detects the presence of the backup SonicWALL and synchronizes the settings.
  11. To confirm that the synchronization is successful, check the primary SonicWALL log for a High Availability confirmation message. Alternatively, you can log into the backup SonicWALL using its unique LAN IP address and confirm that it is the backup SonicWALL. If the primary SonicWALL fails to synchronize with the backup, an error message is displayed at the bottom of the screen. An error message also appears on the S
233. [Table: VPN advanced settings available per configuration method. Column headers as recovered: ...ing IKE Pre-shared Secret; using IKE Certificates; Manual Key; two further columns whose headers did not survive extraction. Rows: Enable Keep Alive; Try to bring up all possible SAs; Require authentication of VPN clients using XAUTH; Require authentication of local users; Require authentication of remote users; Enable Windows Networking (NetBIOS) broadcast; Apply NAT and Firewall Settings; Forward Packets to Remote VPNs; Enable Perfect Forward Secrecy; Phase 2 DH Group; Default LAN Gateway; Terminate VPN on the LAN, DMZ, or LAN/DMZ. The per-column availability marks are not recoverable.]
Default LAN Gateway and Forward Packets to Remote VPN are not configured for VPN Client to SonicWALL appliance connections using Manual Key Exchange.
1. These parameters apply to both SonicWALL Certificates and Third Party Certificates.

Configuring SonicWALL VPN. This section covers the configuration of SonicWALL VPN for the SonicWALL Internet Security Appliance, as well as the installation and configuration of the SonicWALL VPN client software. Group Configuration, Manual Key Configuration, and IKE Configuration (SonicWALL to SonicWALL) are described in this chapter. You can create a VPN client Security Association by using Manual Key Configuration, Group Configuration, or Advanced Configuration. Before choosing your SonicWALL VPN client configuration, evaluate the differences between the three methods:
- G
234. ing the SonicWALL Authentication Service; therefore, experience with implementing Public Key Infrastructure (PKI) is necessary to understand the key components of digital certificates. Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital signatures to authenticate peer devices before setting up security associations. Without digital signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices using digital signatures do not require configuration changes every time a new device is added to the network. SonicWALL has implemented X.509v3 as its certificate form and CRLv2 for its certificate revocation list. SonicWALL supports the following two vendors of Certificate Authority Certificates:
- VeriSign
- Entrust

Overview of Third Party Digital Certificate Support. X.509 Version 3 Certificate Standard: The X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWALL has implemented this standard in its third party certificate support. You can use a certificate signed and verified by a third party CA with a VPN SA. A typical certificate consists of two sections: a data section and a signature section. The data section typically contains information such as the version of X
235. ions to configure the Failover Settings:
  1. Select Enable WAN Failover.
  2. Select Enable Probing.
  3. Select an option from the Probe Through menu. Select Ethernet Only to probe the Ethernet WAN connection and fail over to the modem when the connection is lost. Select Modem Only to probe a dial-up connection and have the modem redial when the dial-up connection is lost. Select Modem and Ethernet to enable both types of probing on the SP.
  4. Enter the IP address for the probe target in the Probe Target IP Address field. The Probe IP address is a static IP address on the WAN. If this field is left blank or 0.0.0.0 is entered as the address, the Probe Target is the WAN Gateway IP address.
  Tip: The probe is a ping sent to the IP address and is used, along with the response, as a method of determining Internet connectivity.
  5. In the Probe Interval (seconds) field, enter the amount of time between probes to the Probe Target. Five (5) seconds is the default value. To deactivate the Probe Detection feature, enter zero (0) as the value. In this case, WAN Failover only occurs when loss of the physical WAN Ethernet connection occurs on the TELE3 SP.
  6. Enter a value for the number of successful probes required to reactivate the primary connection in the Successful Probes to Reactivate Primary field. The default value is five (5). By requiring a number of successful probes before the Sonic
is used only to send e-mail, while another protocol, POP3, is used to receive e-mail messages.
POP3 (Post Office Protocol 3): POP3 is used to receive e-mail messages and store messages on a server, referred to as a POP server.
ICMP (Internet Control Message Protocol): ICMP reports errors and control messages on a TCP/IP network. PING uses the ICMP protocol to test if a network device is available.

IP Addressing
To become part of an IP network, a network device must have an IP address. An IP address is a unique number that differentiates one device from another on the network to avoid confusion during communication. To help illustrate IP addresses, the following sections compare an IP address to the telephone numbering system, a system that is used every day.
Like a phone number with its long distance 1 and area code, an IP address contains a set of four numbers. While we separate phone number components with dashes, for example 1-408-555-1212, IP address number components are separated by decimal points, or dots, called dotted decimal notation, for example 123.45.67.89. Because computers use a binary number system, each number in the set must be less than 255. There are three components of IP addressing: IP address, Subnet mask, and Default gateway.
IP Address: Just as each household or business requires a unique phone number, a networked device such as a computer
itive.
5. Choose the privileges to be enabled for the user by selecting the appropriate check boxes.
6. Click Update to add the user to the SonicWALL database.
7. To remove a user, highlight the User Name and click Remove User.

Current Users
A list of all current users is displayed in a table at the bottom of the page. The Current Users table lists the User Name, the IP Address of the user, the Session Time, the Time Remaining of the session, and the Inactivity Remaining time.

  User Name   IP Address       Session Time   Time Remaining   Inactivity Remaining
  admin       192.168.168.20   6 mins         90 mins

Users Currently Locked Out After Login Failures
A list of current users locked out after failing to log into the SonicWALL correctly is displayed in this section. The table lists the User Name Tried, the IP Address, Lockout Time Remaining, and an Unlock icon. The Unlock icon is used by the Administrator to allow the user access to the SonicWALL. Click the icon to enable access for the user.

  User Name Tried   IP Address      Lockout Time Remaining   Unlock
  bob               192.168.168.2   5 mins                   (icon)

User Login
When a user other than the administrator logs into the SonicWALL Management interface, a page is displayed with the user's privileges listed. The user can set the maximum time for a login session bu
k Next to continue.

Configuration Summary
Screenshot: SonicWALL Installation Wizard, Configuration Summary: NAT is enabled; the SonicWALL LAN IP Address is 192.168.168.1. Print This Page. If this is OK, click Next. If you would like to make a change, click Back.
10. The Configuration Summary page displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet page. If the configuration is correct, click Next to proceed to the Congratulations page.

Congratulations
Screenshot: SonicWALL Installation Wizard, Congratulations: You have completed the initial configuration of your SonicWALL. It is now necessary to restart the unit. Remember, from now on you will contact the Web Management Interface at URL http://192.168.168.1, User Name admin, Password <set as previously>. Once the SonicWALL is up, you should register it at SonicWALL's Web Site. This will be necessary before you can take advantage of firmware updates and CyberNOT content filtering features.
Alert: The new SonicWALL LAN IP address displayed in the URL field of the Congratulations page is used to log in and manage the SonicWALL.
11. Click Restart to restart the SonicWALL.
l: sales@sonicwall.com
Phone: (408) 745-9600
Fax: (408) 745-9300
When an upgrade is purchased, an Activation Key and instructions for registering the upgrade are included. Once you have registered the upgrade, an Upgrade Key is issued. Enter this key in the Enter upgrade key field and click Update. Follow the instructions included with the upgrade for configuration.

Diagnostic Tools
The SonicWALL has several built-in tools which help troubleshoot network problems. Click Tools on the left side of the browser window and then click the Diagnostic tab.

DNS Name Lookup
The SonicWALL has a DNS lookup tool that returns the numerical IP address of a domain name or, if you enter an IP address, returns the domain name.
1. Select DNS Name Lookup from the Choose a diagnostic tool menu.
Screenshot: DNS Name Lookup tool showing "Current DNS server address is 24.0.0.7", a Look up the name field, and a Go button.
2. Enter the host name to look up in the Look up the name field and click Go. Do not add the prefix http://. The SonicWALL then queries the DNS server and displays the result at the bottom of the screen.
Tip: You must define a DNS server IP address in the Network tab of the General section to perform DNS Name Lookup.

Find Network Path
The Find Network Path tool sh
l users; Require authentication of remote users; Remote users behind VPN gateway; Remote VPN clients with XAUTH; Enable Windows Networking (NetBIOS) broadcast; Apply NAT and firewall rules; Forward packets to remote VPNs; Enable Perfect Forward Secrecy; Phase 2 DH Group; Default LAN Gateway; VPN Terminated at LAN, DMZ, or LAN/DMZ.
Screenshot: Edit Advanced Settings dialog with check boxes for Enable Keep Alive, Require XAUTH/RADIUS (only allows VPN clients), Enable Perfect Forward Secrecy, Enable Windows Networking (NetBIOS) broadcast, Apply NAT and firewall rules, Forward packets to remote VPNs, Route all internet traffic through this SA, a Default LAN Gateway field (0.0.0.0), and OK and Cancel buttons.
Enable Keep Alive: Selecting the Enable Keep Alive check box allows the VPN tunnel to remain active, or maintain its current connection, by listening for traffic on the network segment between the two connections. Interruption of the signal forces the tunnel to renegotiate the connection.
Try to bring up all possible SAs: If multiple SAs are configured on the SonicWALL, select this feature to have the SonicWALL renegotiate the tunnels if they lose communication with the SonicWALL.
Require authentication of local users: Selecting this check box requires that all outbound VPN traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
Require authentication of remote users: Enabling this feature re
lability.
Alert: Use extreme caution when creating or deleting Network Access Rules, as you can accidentally disable firewall protection or block access to the Internet.

Network Access Rule Logic List
It is important to fully consider the logic behind the new rule before it is added to the list. Use the following guidelines to help you evaluate the impact of a rule before adding it to the list:
1. State the intent of the rule. For example: This rule restricts all IRC access from the LAN to the Internet.
2. Is the intent of the rule to allow or deny traffic?
3. What is the direction of the traffic? From the LAN to the WAN, or from the WAN to the LAN?
4. List the IP services affected by the rule.
5. List the computers on the LAN affected by the rule.
6. List the computers on the WAN affected by the rule. If allowing traffic from the WAN to the LAN, it is better to allow WAN traffic only to certain computers on the LAN.
7. Does the rule prevent users from accessing critical resources on the Internet?
8. Does the rule create any security vulnerabilities?
9. Does the rule conflict with any existing rules?

Bandwidth Management
The SonicWALL can be configured for bandwidth management of outbound WAN network traffic. It allows network administrators to prioritize traffic. Each Service added
le. For example, the Default rule allows users on the LAN to access all Internet services, including NNTP News. However, LAN access to NNTP can be blocked by deselecting LAN Out corresponding to the NNTP News service.

Services
Click Access on the left side of the browser window and then click the Services tab.
Screenshot: Network Access Rules By Service table with columns LAN Out, DMZ In, and Public LAN Server, listing services such as File Transfer (FTP), Send Email (SMTP), and Key Exchange (IKE); Windows Networking (NetBIOS) Broadcast Pass Through check boxes (From LAN to DMZ, From LAN to WAN); Detection Prevention options (Enable Stealth Mode, Randomize IP ID); and a Network Connection Inactivity Timeout field.
Note: The LAN In column is not displayed if NAT is enabled.
The Services window allows you to customize Network Access Rules by service. Services displayed in the Services window relate to the rules in the Rules window, so any changes on the Services window appear in the Rules window. The Default rule at the bottom of the table encompasses all Services.
LAN Out: If the LAN Out check box i
less there is no other traffic with higher priority on the network.
The packet classifier analyzes a packet when it arrives for its packet protocol, source information, and destination information. It then allocates the packet to a class queue, where it waits to be processed. If the queue is full, the packet is dropped. Normal retransmission of data ensures that the packet is sent again.
Class queues are processed based on the amount of bandwidth allocated (guaranteed and maximum) and the priority assigned to the class queue. Within the class queue, packets are processed on a first in, first out basis. When network traffic reaches the maximum allocated to the class, packets from the next class in priority order are processed.
Typically, each class is allocated a portion of the available bandwidth, and when that limit is reached, no more traffic for that particular class is forwarded. But if there is available bandwidth on the network that is not in use by a particular class, a class can temporarily borrow bandwidth and send traffic until the maximum bandwidth allocated to the class is reached. Spare bandwidth is allocated among the highest priority classes until no more bandwidth is available or until all of those classes have reached their maximum bandwidth. If this happens, the remainder of the bandwidth is divided among the next priority classes. This process is repeated until all of the available bandwidth is consumed.
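As an added illustration (not code from the SonicWALL guide or the appliance), the following Python model reproduces the scheme described above: a classifier assigns packets to class queues, a full queue drops the packet, each class first receives its guaranteed bandwidth, and spare bandwidth is then lent out in priority order, split among classes of equal priority, until each reaches its maximum or its demand. The class names, rates, rules and packets are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficClass:
    """One bandwidth-management class (a constructed model of the guide's class queues)."""
    name: str
    guaranteed: int  # kbps reserved for this class whenever it has traffic
    maximum: int     # kbps ceiling the class may reach by borrowing spare bandwidth
    priority: int    # 0 is the highest priority


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: int


def classify(packet, rules, default="default"):
    """Packet classifier: the first rule whose (protocol, dst_port) matches names the class
    queue. `rules` is a list of (protocol, dst_port or None, class_name); None matches any port."""
    for proto, port, cls in rules:
        if packet.protocol == proto and (port is None or packet.dst_port == port):
            return cls
    return default


def enqueue(queues, cls, packet, depth):
    """Place the packet in its class queue. A full queue drops the packet and leaves
    recovery to normal retransmission. Returns True if queued, False if dropped."""
    q = queues.setdefault(cls, [])
    if len(q) >= depth:
        return False
    q.append(packet)
    return True


def allocate(link_kbps, classes, demand):
    """Return {class name: kbps} for one scheduling interval.

    Step 1: every class gets min(demand, guaranteed).
    Step 2: whatever is left is lent out by priority. Classes sharing a priority split the
    spare evenly, each stopping at min(maximum, demand); lower-priority classes only see
    what the higher-priority classes could not use.
    """
    alloc = {c.name: min(c.guaranteed, demand.get(c.name, 0)) for c in classes}
    spare = link_kbps - sum(alloc.values())
    if spare < 0:
        raise ValueError("guaranteed bandwidth of active classes exceeds the link")
    by_priority = defaultdict(list)
    for c in classes:
        by_priority[c.priority].append(c)
    for prio in sorted(by_priority):
        # classes at this priority that still want more and are still below their maximum
        group = [c for c in by_priority[prio]
                 if alloc[c.name] < min(c.maximum, demand.get(c.name, 0))]
        while spare > 0 and group:
            share = max(1, spare // len(group))  # even split; at least 1 kbps so the loop advances
            for c in list(group):
                cap = min(c.maximum, demand[c.name])
                give = min(share, cap - alloc[c.name], spare)
                alloc[c.name] += give
                spare -= give
                if alloc[c.name] >= cap:
                    group.remove(c)  # saturated: stop lending to this class
                if spare == 0:
                    break
    return alloc


# Constructed sample configuration: three classes on a 1000 kbps WAN link.
CLASSES = [
    TrafficClass("voip", guaranteed=200, maximum=400, priority=0),
    TrafficClass("web", guaranteed=300, maximum=800, priority=1),
    TrafficClass("bulk", guaranteed=100, maximum=1000, priority=2),
]
RULES = [("udp", 5060, "voip"), ("tcp", 80, "web"), ("tcp", 443, "web"), ("tcp", None, "bulk")]


def demo():
    """Classify a few constructed packets and compute one allocation round."""
    queues = {}
    packets = [Packet("udp", "192.168.168.20", "203.0.113.5", 5060),
               Packet("tcp", "192.168.168.21", "203.0.113.6", 443),
               Packet("tcp", "192.168.168.22", "203.0.113.7", 21)]
    queued = [enqueue(queues, classify(p, RULES), p, depth=2) for p in packets]
    alloc = allocate(1000, CLASSES, {"voip": 500, "web": 600, "bulk": 900})
    return queues, queued, alloc


if __name__ == "__main__":
    print(demo())
```

In the sample round voip borrows up to its 400 kbps maximum first, web takes the remaining 200 kbps of spare, and bulk is held to its guaranteed 100 kbps even though it has 900 kbps of demand.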
ll contact SonicWALL's Web Management Interface at http://192.168.168.1. Thank you for selecting SonicWALL. (Print This Page / Close)
The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.

Logging into the SonicWALL Management Interface
Once the SonicWALL restarts, contact the SonicWALL Management interface at the new SonicWALL LAN IP address. Enter the User Name admin and enter the new administrator password to log into the SonicWALL. The Status page is di
Screenshot: Status page showing the SonicWALL serial number, the number of LAN IP addresses allowed with this license (Unlimited), uptime, firmware version, CPU (233 MHz, PRO-VX VPN Hardware Accelerator Detected), RAM (16 M), Flash (4 M), Ethernet speeds (WAN 100 Mbps Half Duplex, DMZ No Link, LAN 100 Mbps Full Duplex), current connections, the attacks blocked (SYN flood, Ping of Death, IP Spoofing, Land attack, sequence number prediction), and notes that Stealth Mode is not enabled and Network Address Translation is activated.
Log messages c
ll Identifier in the VPN Summary window. In this example, it is Chicago Office.
2. Create a new Security Association by selecting Add New SA from the Security Association menu in the VPN Configure window.
3. Select IKE using pre-shared secret from the IPSec Keying Mode menu.
4. Because the SonicWALL TELE3 does not have a permanent WAN IP address, the SonicWALL PRO 200 must authenticate the VPN session by matching the Name of the SA with the TELE3 Unique Firewall Identifier. Enter the TELE3 Unique Firewall Identifier in the Name field, in this example San Francisco Office.
5. Enter the WAN IP address of the remote SonicWALL in the IPSec Gateway Address field. In this example, the San Francisco SonicWALL TELE3 has a dynamic IP address; therefore, enter 0.0.0.0 in the IPSec Gateway Address field.
Alert: Only one of the two IPSec gateways can have a dynamic IP address when using SonicWALL VPN.
6. Select Main Mode from the Exchange menu.
7. Select Group 1 from the Phase 1 DH Group menu.
8. Enter 28800 in the SA Life time (secs) field to renegotiate IKE encryption and authentication keys every 8 hours.
9. Select 3DES & SHA1 from the Phase 1 DH Group menu.
10. Select a VPN encryption method from the Phase 2 Encryption/Authentication menu. Since data throughput and security are the primary concern, select Encrypt and Authenticate (ESP 3DES HMAC SHA1).
11. Define a Shared Secret. Write down
ly load the Java and JavaScript programs. Also, wait until the Java applet has completely loaded before attempting to log in.
The SonicWALL does not save changes that you have made
- When configuring the SonicWALL, be sure to click Update before moving to another window or tab, or all changes will be lost.
- Click Refresh or Reload in the Web browser. The changes can have occurred, but the Web browser can be caching the old configuration.
Duplicate IP address errors
Duplicate IP address errors occur when the SonicWALL is installed
- Try restarting the router or restarting LAN computers.
- Make sure the LAN is not connected to the WAN port of the SonicWALL.
Machines on the WAN are not reachable
- Make sure the Intranet settings in the Advanced section are correct.
If these suggestions don't help, please take a look at the current FAQ (Frequently Asked Questions) and Troubleshooting Guide on the SonicWALL Web site <http://www.sonicwall.com/support>.
VPN tunnel problems
- Document your VPN layout. Did you draw out the design before setting it up?
- VPNs are a routed network. Trace a packet's path through the devices on your network and see if there is any reason for it to be blocked.
- Re-check your entries for typographical errors.
- Check the basic network configuration on the LAN PCs. Make sure the correct default router information is entered.
- Enable Network Debug and VPN Tunnel Status on the Log Settings pag
mail message to provide your subscription code to activate your account.
Screenshot: mySonicWALL.com User Login page: "Please login to register and upgrade your SonicWALL product. To complete the subscription process, please enter the Subscription Code which has been emailed to you."
11. Enter the subscription code you received via e-mail into the Subscription Code field and click Submit.
12. Your Account Management interface appears, and you can now register SonicWALL Internet Security Appliances or Services. You can also delete or transfer appliances from your user account.
Screenshot: mySonicWALL.com Registered SonicWALL Products page with Status and Options, a products summary, and a Quick Register box: "Enter the Activation Key of a Service or the S/N of a Product to quickly activate or regis
mary page displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next to proceed to the Congratulations page.

Congratulations
Screenshot: SonicWALL Installation Wizard, Congratulations: You have completed the initial configuration of your SonicWALL. It is now necessary to restart the unit. Remember, from now on you will contact the Web Management Interface at URL http://192.168.168.1, User Name admin, Password <set as previously>. Once the SonicWALL is up, you should register it at SonicWALL's Web Site. This will be necessary before you can take advantage of firmware updates and CyberNOT content filtering features.
Alert: The new SonicWALL LAN IP address displayed in the URL field of the Congratulations window is used to log in and manage the SonicWALL.
11. Click Restart to restart the SonicWALL.

Restarting
Tip: The final window provides important information to help configure the computers on the LAN. Click Print this Page to print this information.
Screenshot: SonicWALL Installation Wizard, SonicWALL is restarting.
me or IP Address
Screenshot: Proxy Relay tab with fields Name or IP Address, Proxy Web Server Port, and a Bypass Proxy Servers Upon Proxy Server Failure check box.

Web Proxy Forwarding
A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.
Setting up a Web proxy server on a network can be cumbersome because each computer on the network must be configured to direct Web requests to the server. If you have a proxy server on your network, instead of configuring each computer to point to the proxy server, you can move the server to the WAN and enable Web Proxy Forwarding. The SonicWALL automatically forwards all Web proxy requests to the proxy server without requiring all the computers on the network to be configured.

Configuring Web Proxy Relay
1. Connect your Web proxy server to a hub and connect the hub to the SonicWALL WAN port.
Alert: The proxy server must be located on the WAN or the DMZ; it cannot be located on the LAN.
2. Log into the SonicWALL Web Management Interface. Click Advanced at the left side of the browser window and then click the Proxy Relay tab at the top of the window. Enter the name or IP address of the pro
me source IP address, the administrator is also locked out of the SonicWALL. The lockout is based on the source IP address of the user or administrator.

7 Logging and Alerts
This chapter describes the SonicWALL Internet security appliance logging, alerting, and reporting features, which can be viewed in the Log section of the SonicWALL Web Management Interface. There are four tabs in the Log section: View Log, Log Settings, Reports, and ViewPoint (requires a purchased upgrade).

View Log
The SonicWALL maintains an Event log which displays potential security threats. This log can be viewed with a browser using the SonicWALL Web Management Interface, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and is sortable by column.
The SonicWALL can alert you of important events, such as an attack to the SonicWALL. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
Click Log on the left side of the browser window and then click View Log.
Screenshot: View Log table with Time and Message columns, showing entries dated 10/05/2000 such as "SonicWALL activated" and "Successful administrator login" with source and WAN addresses.
n for the WAN. In the event that the WAN Ethernet connection is lost or failing, the modem dials an ISP using a preconfigured profile, preventing a lengthy interruption in active network connectivity.
Alert: Using the WAN failover feature may cause disruption of some features, such as One-to-One NAT. See the SonicWALL TELE3 SP Administrator's Manual for affected features.
After configuring your computer on the LAN, you can configure the TELE3 SP modem connection for ISP failover or as a primary dial-up access port.
Alert: You cannot use the WAN failover feature if you have configured the TELE3 SP to use Standard mode in the Network section of the Management interface.

Configuring the TELE3 SP WAN Failover Feature
The TELE3 SP modem can be used as a failover option when your always-on DSL or cable connection fails. The SonicWALL automatically detects the failure of the WAN connection and uses the parameters configured for the modem to establish another active connection.
Alert: The TELE3 SP modem can only dial out. Dialing into the internal modem is not supported. However, an external modem can be connected to the CLI port for remotely accessing the SonicWALL for out-of-band support.
To access the modem configuration section of your SonicWALL, log onto the Management interface and click Modem. There are two tabs used for modem configuration: Profiles and Configure.
n of the saved security file. Select the file and click Open.
Screenshot: Import policy from dialog, Look in: Downloads, listing Security Policy Database files (*.spd) such as GroupVPN_0040100F1B9E2.spd, with Open and Cancel buttons.
3. A dialogue box confirming the request to import the security file appears: "Are you sure you want to import the policy in C:\Downloads\GroupVPN_0040100F1B9E2.spd?" Click Yes, and another box appears confirming that the file is successfully imported into the client: "The policy in C:\Downloads\GroupVPN_0040100F1B9E2.spd has been successfully imported." The client application now has an imported Group VPN policy.
4. Click the + sign next to Group VPN to reveal two sections: My Identity and Security Policy. Select My Identity to view the settings.
5. Click Pre-Shared Key to enter the Pre-Shared Secret created in the Group VPN settings in the SonicWALL appliance. Click Enter Key and enter the pre-shared secret. Then click OK.
Screenshot: Enter Pre-Shared Key dialog: "Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key." OK / Cancel.
n one entry to the list.

Add a Custom Service
1. Select Custom Service from the Add a known service list.
2. Type a unique name, such as CC:mail or Quake, in the Name field.
3. Enter the beginning number of the IP port range and the ending number of the IP port range in the Port Range fields. If the service only requires one IP port, enter the single port number in both Port Range fields.
Tip: Visit <http://www.ietf.org/rfc/rfc1700.txt> for a list of IP port numbers.
4. Select the IP protocol type, TCP, UDP, or ICMP, from the Protocol list.
5. Click Add. The new service appears in the list on the right side of the browser window.
Tip: If multiple entries with the same name are created, they are grouped together as a single service and cannot function as expected.

Enable Logging
You can enable and disable logging of events in the SonicWALL Event Log. For example, if Linux authentication messages are filling up your log, you can disable logging of Linux authentication.
1. Highlight the name of the desired service in the list.
2. Clear the Enable Logging check box.
3. Click Modify.

Delete a Service
To delete a service, highlight the name in the list and click Delete Service. If multiple entries with the same name exist, delete all entries to remove the service.

Rules
The SonicWALL evaluates the source IP address, the destination IP ad
ncapsulation by wrapping an IPSec packet inside a UDP packet when a NAT or NAPT (Network Address Port Translator) device is detected between peers. Encapsulation of the IPSec packet requires decapsulation of the IPSec packet. Since ESP-protected packets are exchanged between IKE peers using one of three methods (gateway to gateway, client to gateway, and client to client), the IKE peers must support the same method of UDP encapsulation. IKE peers exchange a known value to determine if they both support NAT Traversal. If the IKE peers agree, IKE probes, or discovery payloads, are used to determine if a NAT or NAPT device is present. Only if a NAT or NAPT device is detected is UDP encapsulation used for IPSec packets.
NAT Traversal devices use dynamic mappings where a private IP address and source port (192.168.168.168:X) are temporarily bound to a shared public IP address and an unused port (207.126.101.100:Y). This binding is dissolved after a period of inactivity (minutes or seconds), enabling pool reuse. IPSec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a dynamic NAT binding for the life of an IPSec session, a 1-byte UDP packet is designated as a NAT Traversal keepalive and acts as a heartbeat sent by the VPN device behind the NAT or NAPT device. The keepalive is silently discarded by the IPSec peer
net Mask, and DNS Servers are obtained from a DHCP server on the Internet.
Alert: Enable and configure the SonicWALL DHCP server, or manually configure client DNS settings, to obtain DNS name resolution.
In the WAN/LAN Settings section of Network, you can Renew and Release the SonicWALL WAN IP (NAT Public) Address lease. When you click on Renew, the SonicWALL renews the IP address used for the WAN IP address. Click Release and the lease is released with the DHCP server.

NAT with PPPoE Configuration
The SonicWALL can use Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. If your ISP requires the installation of desktop software and user name and password authentication to access the Internet, enable NAT with PPPoE. To configure NAT with PPPoE, complete the following instructions:
1. Select NAT with PPPoE from the Network Addressing Mode menu.
Screenshot: Network settings page with Network Addressing Mode set to NAT with DHCP Client; LAN Settings (SonicWALL LAN IP Address 192.168.168.11, LAN Subnet Mask 255.255.255.0, Add LAN Subnet / Delete Subnet); lease expiry 2002-11-18 13:40:14; WAN Gateway (Router) Address 10.0.0.254; SonicWALL WAN IP (NAT Public) Address 10.0.202.228 with Renew and Release buttons; WAN Subnet Mask 255.255.0.0; DNS Server 1 10.50.128.52, DNS Server 2 10.50.128.53, DNS Server 3 10.50.128.29; Host Name.
To pass these DNS settings to computers on the LAN, you must enable t
network configuration.
Enable Perfect Forward Secrecy: if you want to add another layer of security by adding an additional Diffie-Hellman key exchange.
Phase 2 DH Group: select the level of Phase 2 DH key exchange if Perfect Forward Secrecy is enabled.
Default LAN Gateway: if specifying the IP address of the default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box.
VPN Terminated at LAN, DMZ, or LAN/DMZ: select one of the three terminating points for the VPN tunnel.
15. Click OK to close the Advanced Settings window. Click Update to apply the changes to the SonicWALL.

Example of IKE Configuration for Two SonicWALLs
The following example illustrates the steps necessary to create an IKE VPN tunnel between a SonicWALL PRO 200 and a SonicWALL TELE3.
Diagram: Chicago SonicWALL PRO (Web Address 192.168.1.1, NAT Public Address 216.0.0.20, with a DMZ) linked over the Internet to the San Francisco SonicWALL TELE3 (Web Address 192.168.2.1, Dynamic WAN IP Address).
A company wants to use VPN to link two offices together, one in Chicago and the other in San Francisco. To do this, the SonicWALL PRO 200 in Chicago and the SonicWALL TELE3 in San Francisco must have corresponding Security Associations.

Configuring a SonicWALL PRO 200 in Chicago
1. Enter the SonicWALL PRO 200 Unique Firewa
ng Encrypt and Authenticate (ESP AES-128 HMAC SHA1) uses 128-bit AES encryption and HMAC SHA1 authentication. AES support is available only on the PRO 230 and PRO 330.

If IKE using Pre-shared Secret is selected for the IPSec Keying Mode, the Shared Secret field is displayed and you can enter your shared secret.

Security Policy Settings using Manual Key

Manual Key is configured differently than IKE using Pre-shared Secret or Group VPN. It requires an Incoming and Outgoing Security Parameter Index (SPI) as well as an Encryption Key and Authentication Key.

Incoming SPI: Enter the Security Parameter Index (SPI) that the remote location transmits to identify the Security Association used for the VPN Tunnel. The SPI may be up to eight characters long and is comprised of hexadecimal characters. Valid hexadecimal characters are 0 to 9 and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f).

Outgoing SPI: Enter the Security Parameter Index (SPI) that the local SonicWALL transmits to identify the Security Association used for the VPN Tunnel. The SPI may be up to eight characters long and is comprised of hexadecimal characters.

Tip: A Security Association's SPI must be unique when compared to SPIs used in other Security Associations. However, a Security Association's Incoming SPI may be the same as the Outgoing SPI.

Destination Networks

In this section, enter the network settings for the remote VPN si
nicWALL. The Shared Secret should consist of a combination of letters and numbers rather than the name of a family member, pet, etc. It is also case-sensitive.

9. Click Advanced Settings to open the window. Select any of the following boxes that apply to your SA:

• Require authentication of VPN clients via XAUTH: requires VPN client authentication via a RADIUS server.
• Apply NAT and firewall rules: applies NAT and firewall rules to the SA, or just firewall rules if in Standard mode.
• Forward packets to remote VPNs: select if creating a hub-and-spoke network.
• Enable Perfect Forward Secrecy: select if adding an additional layer of security using a second Diffie-Hellman key exchange.
• Phase 2 DH Group: generates an additional key exchange.
• Default LAN Gateway: The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.

Tip: It is not necessary to configure the Advanced Settings to get the VPN connection working between the SonicWALL and the VPN client. You can configure the Advanced Settings later and then re-import the SA into the VPN Client.

10. Click Update to enable the changes. To export the Group VPN settings to remote VPN clients, click Export next to VPN Client Configuration File. The security file can be saved to a floppy disk or e-mailed to a remote VPN client. The Shared Secret, however, is not exported and must be entered manually by the
... 162
DMZ/WorkPort Link Settings ... 163
LAN/HomePort Link Settings ... 163
Proxy Management workstation ethernet address on WAN ... 163
MTU Settings ... 163
SonicWALL Bandwidth Management ... 164

12. DHCP Server ... 166
Setup ... 166
Allow DHCP Pass Through in Standard Mode ... 166
Configuring the SonicWALL DHCP Server ... 167
Deleting Dynamic Ranges and Static Entries ... 168
DHCP over VPN ... 168
DHCP Relay Mode ... 168
Configuring the Central Gateway for VPN over DHCP ... 169
Configuring the Remote Gateway for VPN over DHCP ... 169
[illegible entry] ... 172
DHCP Server on the SonicWALL TELE3, TZ, and TZX ... 173
Setup ... 173
Allow DHCP Pass Through in Standard Mode ... 173
Configuring the SonicWALL DHCP Server ... 174
Deleting Dy
nt bindings: the IP and MAC address of the bindings, along with the type of binding (Dynamic, Dynamic BootP, or Static BootP). To delete a binding, which frees the IP address in the DHCP server, select the binding from the list and then click Delete Binding. The operation takes a few seconds to complete. Once completed, a message confirming the update is displayed at the bottom of the Web browser window. Click Refresh to reload the list of bindings. This can be necessary because Web pages are not automatically refreshed, and new bindings can have been issued since the page was first loaded.

13. SonicWALL VPN

SonicWALL VPN provides secure, encrypted communication to business partners and remote offices at a fraction of the cost of dedicated leased lines. Using the SonicWALL intuitive Web Management Interface, you can quickly create a VPN Security Association to a remote site. Whenever data is intended for the remote site, the SonicWALL automatically encrypts the data and sends it over the Internet to the remote site, where it is decrypted and forwarded to the intended destination. SonicWALL VPN is based on the industry-standard IPSec VPN implementation, so it is interoperable with other VPN products such as Check Point FireWall-1 and Axent Raptor.

This chapter is organized into the following sections:

• SonicWALL VPN Management Interface: Describes the available settings for conf
nted specifications. Web-based support includes interactive communication with a SonicWALL technical specialist. SonicWALL also provides general assistance regarding usage and documentation on a limited basis.

Hardware Service

SonicWALL Support 24X7 includes the repair or replacement of failing hardware returned to the SonicWALL factory. Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL. SonicWALL ships a replacement appliance to you based upon the RMA information. You are responsible for returning the failed appliance to SonicWALL within 30 days or be charged for the full replacement cost. SonicWALL does not accept failed appliances without a valid RMA number.

Software/Firmware Support

SonicWALL logs, tracks, prioritizes, and resolves software, firmware, and/or documentation bug reports and enhancement requests for software support under this agreement. SonicWALL Support 24X7 includes priority escalation based on problem severity. Support for software, firmware, and documentation is limited to the most current version and the immediate prior revision.

Software/Firmware Updates

All software and firmware maintenance releases and updates are included with this agreement. SonicWALL notifies administrators via electronic mail of new updates. The updates are delivered exclusively via the Web.

Support Tools

SonicWALL Support 24X7 prov
ntent Filter List is not available if you select Websense as your source for content filtering.

[Screenshot: Filter page, Configure tab, with Content Filter Type set to Websense Enterprise; Apply Content Filter on WorkPort / HomePort; the Restrict Web Features check boxes (ActiveX, Java, Cookies, Known Fraudulent Certificates, Access to HTTP Proxy Servers, Don't block Java/ActiveX/Cookies to Trusted Domains); the Add Trusted Domain / Delete Domain list; and the "Message to display when a site is blocked" field (Web Site Blocked by SonicWALL Filter), with the note "Websense Enterprise displays its own site blocked messages unless it is unavailable"; status "The configuration has been updated"]

Restrict Web Features

Select any of the following applications to block:

• Block ActiveX: ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX check box to block ActiveX controls.
• Java: Java is used to download and run small programs, called applets, on Web sites. It is safer than ActiveX since it has built-in security mechanisms. Select the Java check box to block Java applets from the network.
• Cookies: Cookies are used by Web servers to track Web us
nter a 32-character hexadecimal authentication key in the Authentication Key field. An example of a valid authentication key is 1234567890ABCDEF1234567890ABCDEF. Or you can use the randomly generated key that appears in the Authentication Key field.

3. Click Update. Restart the SonicWALL for the change to take effect.

Tip: When a Management SA is created, the remote SonicWALL is managed at the SonicWALL WAN IP Address.

4. Click Help in the upper right corner of the SonicWALL Management Interface to access detailed instructions for configuring the VPN client. Additional instructions are available at <http://www.sonicwall.com/products/documentation/VPN_documentation.html>.

Tip: The Management Method list also includes the option for management by SonicWALL Global Management System (SonicWALL GMS). Select this option if the SonicWALL is managed remotely by SonicWALL GMS.

11. Advanced Features

This chapter describes the SonicWALL Advanced Features, such as Web Proxy Forwarding, DMZ Address settings, and One-to-One NAT. The Advanced Features can be accessed in the Advanced section of the SonicWALL Web Management Interface. There are six tabs in the Advanced section: Proxy Relay, Intranet, Routes, DMZ Addresses, One-to-One NAT, and Ethernet.

[Screenshot: Advanced section, Proxy Relay tab, showing the Automatic Proxy Forwarding (Web Only) settings, beginning with the Proxy Web Server Na
nter the domain name into the Add Trusted Domain field. Click Update to add the domain to the list of trusted domains. To delete a domain, select it from the list and then click Delete Trusted Domains.

Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust content on specific domains, you can select Don't block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the check box is selected.

Message to display when a site is blocked

Enter your customized text to display to the user when access to a blocked site is attempted. The default message is "Web Site blocked by SonicWALL Filter". Any message, including embedded HTML, up to 255 characters long can be entered in this field.

Customization of Content Filtering is not available if you select N2H2 as your source for your Content Filter List. Refer to your N2H2 documentation for details on configuring N2H2 Internet Filtering for your network.

[Screenshot: Filter page, Configure tab, with the note that the filtering service displays its own site blocked messages unless it is unavailable]

N2H2 Server Status

This section displays the status of the N2H2 Internet Filtering Protocol (IFP) server you are using for Internet filtering.

Settings

Server Host Name or IP Address: Enter the Server Host Name or the IP address of
nternet. Encryption is often used to maintain the confidentiality of private data when traveling over the Internet.

Encryption

Encryption is a mathematical operation that transforms data from clear text (something that a human or a program can interpret) to cipher text (something that cannot be interpreted). Usually the mathematical operation requires that an alphanumeric key be supplied along with the clear text. The key and clear text are processed by the encryption operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is a mathematical operation that transforms cipher text to clear text.

Key

A key is an alphanumeric string used by the encryption operation to transform clear text into cipher text. A key is comprised of hexadecimal characters (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). A valid key would be 1234567890abcdef. Keys used in VPN communications can range in length, but typically consist of 16 or 32 characters. The longer the key, the more difficult it is to break the encryption.

Asymmetric vs. Symmetric Cryptography

Asymmetric and symmetric cryptography refer to the keys used to authenticate, or encrypt and decrypt, the data. Asymmetric cryptography, or public key cryptography, uses two keys for verification. Organizations such as RSA Data Security and Verisign support asymmetric cryptography. With symmetric cryptography, the same key is used to authentica
ntication. The script looks a lot like the previous script, with the exception of the commands at the end. There is an empty string after Connect, which sends a carriage return command to the server. The chat interpreter then waits for the "sername" substring. When a response is returned, the current PPP account user name (substituting the L command control string) is sent. Then the chat interpreter waits for the substring "assword" and sends the password, substituting P with the PPP account password. If either the "sername" or "assword" substring is not received within the timeout period, the chat interpreter aborts the dial-up process, resulting in a dial-up failure.

5. Managing Your SonicWALL Internet Security Appliance

This chapter contains a brief overview of SonicWALL management commands and functions. The commands and functions are accessed through the SonicWALL Web Management Interface. You can manage the SonicWALL from any computer connected to the LAN port of the SonicWALL using a Web browser. The computer used for management is referred to as the Management Station.

1. Log into the SonicWALL using a Web Browser.

Alert: To manage the SonicWALL, your Web browser must have Java and Java applets enabled and support HTTP uploads.

2. Open a Web browser and type the SonicWALL IP address (initially 192.168.168.168) into the Location or Address field at the top of the browser. An Auth
nts unauthorized users from detecting and stealing the SonicWALL password as it is sent over your network.

SonicWALL Internet Security Appliance Functional Diagram

The following figure illustrates the SonicWALL Internet security appliance functions.

[Diagram: the SonicWALL between the Internet, a DMZ (Publicly Accessible Servers) and the LAN (Intranet, Secure Local Area Network) holding a Private Server, Workstations and a Public LAN Server (Web, Mail, etc.); machines on the LAN can access the Internet, and only authorized computers can access protected LAN resources]

By default, the SonicWALL Internet security appliance allows outbound access from the LAN to the Internet and blocks inbound access from the Internet to the LAN. Users on the Internet are restricted from accessing resources on the LAN unless they are authorized remote users or Network Access Rules were created to allow inbound access. If the SonicWALL includes a DMZ port, users on the LAN and the Internet have access to the devices on the DMZ.

SonicWALL Internet Security Appliance Features

Internet Security

ICSA Certified Firewall

After undergoing a rigorous suite of tests to expose security vulnerabilities, SonicWALL Internet security appliances have received Firewall Certification from ICSA, the internationally accepted authority on network security. The SonicWALL uses stateful packet
nu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue.

Connecting to the Internet

[Screenshot: SonicWALL Installation Wizard, "Connecting to the Internet" page, reading: "To complete the SonicWALL Installation Wizard, you must have the following information available: Instructions to obtain a dynamic IP address automatically, or Static IP address(es), subnet mask, gateway, and DNS server addresses. This information is provided by your Internet Service Provider (ISP). If you are missing any of the information above, please contact your ISP." with Back, Next and Cancel buttons]

The Connecting to the Internet page lists the information required to complete the installation.

Tip: Confirm that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages.

5. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet. Click the hyperlinks for definitions of the networking terms. Click Next to proceed to the next step.

Selecting Your Internet Connection

[Screenshot: SonicWALL Installation Wizard, "Connecting to the Internet" page, reading: "Select one of the following Network Addressing Modes. To connect to the Internet, your Internet Service Provider (ISP)" with the first option beginning "Assigned you
nual Key SA allows you to specify the Encryption and Authentication keys as well as Incoming and Outgoing Security Parameter Indices (SPI). SonicWALL VPN supports Manual Key VPN Security Associations.

Shared Secret

A Shared Secret is a predefined field that the two endpoints of a VPN tunnel use to set up an IKE SA. This field can be any combination of alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Precautions should be taken when delivering/exchanging this shared secret to assure that a third party cannot compromise the security of a VPN tunnel.

Advanced Encryption Standard (AES)

AES is an encryption algorithm for securing sensitive but unclassified materials by U.S. Government agencies. It may eventually become the standard encryption method for commercial transactions in the private sector. As a potential replacement for DES and possibly 3DES, AES is a symmetric algorithm, which means it uses the same key for encryption and decryption, and block encryption 128 bits in size. The algorithm supports key sizes of 128, 192, and 256 bits as a minimum.

Encapsulating Security Payload (ESP)

ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets. Encryption can be in the form of ARCFour (similar to the popular RC4 encryption method), DES, etc. The use of ESP increases the processing requirements in SonicWALL VPN and also increases the communicati
o configure SNMP in the SonicWALL Internet Security appliance, log into the SonicWALL management interface. Click Access, then Management.

[Screenshot: Access section, Management tab (Netscape), showing the Management Method "Managed from the LAN interface and remotely from the WAN interface" and the Security Association Information fields (Inbound/Outbound SPI, Encryption Key, Authentication Key), with the note "The encryption key must be 16 hex characters. The authentication key must be 32 hex characters. Click on Help for detailed VPN client instruction."]

The SonicWALL SNMP agent generates two traps: Cold Start Trap and Alert Traps. Cold Start Traps indicate the SonicWALL appliance is re-initializing itself so that the agent configuration or the appliance can be altered. Alert Traps are based on the existing SonicWALL alert messages, which allows the trap messages to share a common message string with the alerts. Accordingly, no trap message can exist without a corresponding alert message.

To configure SNMP, enter the necessary information in the following fields:

1. To enable the SNMP agen
oadband amplifiers. Ensure that no water or excessive moisture can enter the unit. Allow unrestricted airflow around the unit and through the vents on the side of the unit. A minimum of 1 inch (25.44 mm) clearance is recommended.

Appendix: Configuring RADIUS and ACE Servers

Individual users must have their privileges defined on the RADIUS server used for authenticating the users. Global user privileges can be configured on the RADIUS tab of the SonicWALL management interface, but SonicWALL-specific privileges must be configured on the RADIUS server. Different vendors also have different methods of configuring the privileges on their servers. In some cases it can be complex, but most allow for the configuration of group profiles or policies, which means you can configure the attributes once per group. This Appendix describes the configuration of user privileges on various vendors of RADIUS servers and also notes the particular RADIUS servers which support CHAP (Challenge Handshake Authentication Protocol) mode. CHAP support is required if HTTPS is not available for logging into the SonicWALL.

Steel-Belted RADIUS (Funk Software)

Steel-Belted RADIUS server version 3.0 from Funk Software supports pre-configuration of vendor-specific attributes in a vendor-specific dictionary file. SonicWALL.dct is the new dictionary file for the SonicWALL. To configure the Steel-Belted RADIUS server to include the SonicWALL.dct file, us
oadcasting a single data packet to all nodes on the network. Multicast destination IP address sends the packet to a specific group of nodes on the network listening for the RIPv2 multicast address of 224.0.0.9. Broadcast destination IP address sends packets to all nodes on the network.

• Advertise Static Routes: If you have static routes configured on the SonicWALL, enable this feature to exclude them from Route Advertisement.
• Route Change Damp Time (seconds): the delay between the time a VPN tunnel changes state (up or down) and the time the change is advertised with RIP. The delay, in seconds, prevents ambiguous route advertisements sent as a result of a temporary change in a VPN tunnel status. Enter a value in seconds between advertisements broadcast over the network in the Route Change Damp Time (seconds) field. The default value is 30 seconds. A lower value corresponds with a higher volume of broadcast traffic over the network.
• Deleted Route Advertisements: enter the number of advertisements that a deleted route broadcasts until it stops in the Deleted Route Advertisements field. The default value is 5.
• Route Metric (1-15): Enter a value from 1 to 15 in the Route Metric field. This is the number of times a packet touches a router from the source IP address to the destination IP address.
• RIPv2 Route Tag (4 Hex Digits): If RIPv2 is selected from the Route Advertisements menu, you can enter
[Screenshot: High Availability page showing the High Availability Status (Primary SonicWALL State: Active; Primary SonicWALL Serial Number; LAN IP Address; WAN IP Address) and the High Availability Settings (Enable High Availability; Backup SonicWALL Serial Number; LAN IP Address; WAN IP Address; Preempt Mode; Heartbeat Interval: 5 seconds; Failover Trigger Level: 3 missed heartbeats); status "HA Peer firewall has been updated"]

Alert: If you change the IP address of either SonicWALL, synchronization cannot occur between the two SonicWALLs without updating the changes manually in the High Availability configuration.

Synchronizing Changes between the Primary and Backup SonicWALLs

Changes made to the Primary or Backup firewall are synchronized automatically between the two firewalls. If you click Synchronize Now, the Backup SonicWALL restarts and becomes temporarily unavailable for use as a backup firewall.

High Availability Status

If failure of the primary SonicWALL occurs, the backup SonicWALL assumes the primary SonicWALL LAN and WAN IP Addresses. There are three primary methods to check the status of the High Availability pair: the High Availability Status window, E-mail Alerts, and View Log. These methods are described in the following sections.
omePort Addresses, complete the following instructions:

1. Enter the starting IP address of your valid IP address range in the From Address field.
2. Enter the ending IP address of your valid IP address range in the To Address field.

Alert: You can enter an individual IP address in the From Address field only.

3. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. If you receive an error when you click Update, confirm that the HomePort Address Range does not include the SonicWALL WAN IP Address, the WAN Gateway (Router) Address, or any IP addresses assigned on the One-to-One NAT or Intranet windows.

Tip: The SonicWALL supports up to 64 HomePort address ranges.

Configure the computers on the HomePort with the IP addresses provided by your ISP. Remember to enter the HomePort IP address as the default gateway IP address.

HomePort in NAT Mode

The SonicWALL HomePort now has the ability to use private internal IP addresses rather than public IP addresses on the network. Since NAT hides the true IP addresses in use on the network, NAT on the HomePort is an additional security feature for the SonicWALL. The outside world only sees the outside public IP address of the DMZ and not the internal private addresses. To configure the HomePort in NAT Mode, use the following instructions:

1. In the HomePort Priv
on. Enter a 48-character hexadecimal key if you are using Triple DES encryption. This encryption key must match the remote SonicWALL's encryption key. When a new SA is created, a 48-character key is automatically generated in the Encryption Key field. This can be used as a valid key for Triple DES. If this key is used, it must also be entered in the Encryption Key field in the remote SonicWALL. If Tunnel Only (ESP NULL) or Authenticate (AH MD5) is used, the Encryption Key field is ignored.

Enter a 32-character hexadecimal key in the Authentication Key field. When a new SA is created, a 32-character key is automatically generated in the Authentication Key field. This key can be used as a valid key. If this key is used, it must also be entered in the Authentication Key field in the remote SonicWALL. If authentication is not used, this field is ignored.

Click Add New Network to enter the destination network addresses. Clicking Add New Network automatically updates the VPN configuration and opens the VPN Destination Network window.

Enter the beginning IP address of the remote network address range in the Range Start field. If NAT is enabled on the remote SonicWALL, enter a private LAN IP address. Enter 0.0.0.0 to accept all remote SonicWALLs with matching encryption and authentication keys.

Enter the ending IP address of the remote network's address range in the Range End field. If NAT is enabled on the remote SonicWALL, enter a private LAN
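The key and SPI rules this guide states for a Manual Key SA (SPI of up to eight hex characters, unique across SAs but with incoming allowed to equal outgoing; a 16-hex-character DES or 48-hex-character Triple DES encryption key; a 32-hex-character authentication key; and, from the Shared Secret section, a 4 to 128 character alphanumeric pre-shared secret), as an added Python checker that is not SonicWALL's own code. The SA dictionaries, field names and the os.urandom-based key generator are constructed here for illustration.

```python
import os
import re

# Requirements stated in the guide for a Manual Key Security Association (SA):
#   SPI: up to 8 hex characters, unique across SAs (incoming may equal outgoing in one SA)
#   Encryption key: 16 hex characters for DES, 48 hex characters for Triple DES
#   Authentication key: 32 hex characters
#   Shared Secret (IKE): 4 to 128 alphanumeric characters, case-sensitive
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
ENC_KEY_HEX_LEN = {"DES": 16, "3DES": 48}
AUTH_KEY_HEX_LEN = 32
SPI_MAX_HEX_LEN = 8
SHARED_SECRET_MIN, SHARED_SECRET_MAX = 4, 128


def is_hex(value, exact_len=None, max_len=None):
    """True if value is non-empty hexadecimal text of the required length."""
    if not HEX_RE.match(value):
        return False
    if exact_len is not None and len(value) != exact_len:
        return False
    if max_len is not None and len(value) > max_len:
        return False
    return True


def check_manual_key_sa(sa, other_sas=()):
    """Return the list of problems found in one SA dict; an empty list means it passes.
    Expected keys (constructed names): name, method ('DES' or '3DES'),
    incoming_spi, outgoing_spi, enc_key, auth_key."""
    problems = []
    for field in ("incoming_spi", "outgoing_spi"):
        if not is_hex(sa[field], max_len=SPI_MAX_HEX_LEN):
            problems.append(f"{field} must be 1 to {SPI_MAX_HEX_LEN} hex characters")
    # SPIs already used by other SAs on this appliance (hex compared case-insensitively)
    used = set()
    for other in other_sas:
        used.update((other["incoming_spi"].lower(), other["outgoing_spi"].lower()))
    for field in ("incoming_spi", "outgoing_spi"):
        if sa[field].lower() in used:
            problems.append(f"{field} {sa[field]} is already used by another SA")
    need = ENC_KEY_HEX_LEN.get(sa["method"])
    if need is None:
        problems.append(f"unknown encryption method {sa['method']!r}")
    elif not is_hex(sa["enc_key"], exact_len=need):
        problems.append(f"enc_key must be exactly {need} hex characters for {sa['method']}")
    if not is_hex(sa["auth_key"], exact_len=AUTH_KEY_HEX_LEN):
        problems.append(f"auth_key must be exactly {AUTH_KEY_HEX_LEN} hex characters")
    return problems


def peer_consistent(local, remote):
    """True if two SAs describe the same tunnel from both ends: the SPI the remote
    transmits (its outgoing SPI) must be the local incoming SPI and vice versa, and
    both ends must hold identical encryption and authentication keys."""
    return (local["incoming_spi"].lower() == remote["outgoing_spi"].lower()
            and local["outgoing_spi"].lower() == remote["incoming_spi"].lower()
            and local["enc_key"].lower() == remote["enc_key"].lower()
            and local["auth_key"].lower() == remote["auth_key"].lower()
            and local["method"] == remote["method"])


def generate_keys(method):
    """Fresh random keys of the required length from the OS CSPRNG (2 hex characters
    per byte), standing in for the keys the appliance generates for a new SA."""
    return {"enc_key": os.urandom(ENC_KEY_HEX_LEN[method] // 2).hex(),
            "auth_key": os.urandom(AUTH_KEY_HEX_LEN // 2).hex()}


def check_shared_secret(secret):
    """Length and character-class rule for an IKE Pre-shared Secret."""
    return secret.isalnum() and SHARED_SECRET_MIN <= len(secret) <= SHARED_SECRET_MAX


# Constructed sample SAs for the two ends of one tunnel (not real configuration values)
LOCAL_SA = {"name": "to-branch", "method": "3DES",
            "incoming_spi": "0000a1b2", "outgoing_spi": "0000a1b3",
            "enc_key": "0123456789abcdef" * 3, "auth_key": "fedcba9876543210" * 2}
REMOTE_SA = {"name": "to-hq", "method": "3DES",
             "incoming_spi": "0000A1B3", "outgoing_spi": "0000A1B2",
             "enc_key": LOCAL_SA["enc_key"], "auth_key": LOCAL_SA["auth_key"]}

if __name__ == "__main__":
    print("local SA problems:", check_manual_key_sa(LOCAL_SA))
    print("peer consistent:", peer_consistent(LOCAL_SA, REMOTE_SA))
    print("generated DES keys:", generate_keys("DES"))
```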
on from the menu. In the Peer Certificate's ID section, you must select the ID Type from the ID Type menu. You can select Distinguished Name, E-mail ID, or Domain Name from the menu. Then cut and paste the information from the Local Certificate into the text field.

In the Destination Networks section, select the type of destination for the VPN tunnel:

• Use this SA as default route for all Internet traffic can be used for only one SA and routes all VPN traffic destined for the WAN through the SA.
• Destination network obtains IP addresses using DHCP through this SA allows computers at the VPN destination to obtain IP addresses using DHCP over VPN.
• Specify destination network below, if the VPN destination is a specific IP address. Click Add New Network. Enter the network IP address and subnet mask in the fields and click OK.

SonicWALL Enhanced VPN Logging

If Network Debug is selected in the Log Settings tab panel, detailed logs are kept of the VPN negotiations with the SonicWALL appliance. Enhanced VPN Logging is useful for evaluating VPN connections when problems can occur with the connections. To use the enhanced VPN Logging feature, perform the following steps:

1. Click Log on the left side of the management interface.
2. Click on the Logging Settings tab and locate the Network Debug check box.
3. Select the Network Debug check box and then click Up
on services, firmware upgrades, and other options.

Page 12 SonicWALL Internet Security Appliance User's Guide

Chapter 16, Hardware Descriptions, provides a description of the front and back of SonicWALL Internet security appliances, including LED lights and ports.

Chapter 17, Troubleshooting Guide, shows solutions to commonly encountered problems.

Appendix A, Technical Specifications, lists the SonicWALL specifications.

Appendix B, SonicWALL Support Solutions, describes available support packages from SonicWALL.

Appendix C, Introduction to Networking, provides an overview of the Internet, TCP/IP settings, IP security, and other general networking topics.

Appendix D, IP Port Numbers, offers information about IP port numbering.

Appendix E, Configuring TCP/IP Settings, provides instructions for configuring your Management Station's IP address.

Appendix F, Basic VPN Terms and Concepts, covers VPN terminology and configuration concepts.

Appendix G, Erasing the Firmware, describes the firmware erase procedure.

Appendix H, Mounting the SonicWALL PRO 200 and PRO 300, describes how to rack mount the SonicWALL appliance.

The appendix Configuring RADIUS and ACE Servers provides vendor-specific configuration instructions for RADIUS and ACE servers. The appendix also includes a RADIUS Attributes Dictionary.

SonicWALL Technical Support

For fast resolution of technical questions, please visit the SonicWALL Tech Support Web site at <http
onfiguring the SonicWALL DHCP Server

To configure the SonicWALL DHCP server for the LAN, complete the following instructions:

1. Select Enable DHCP Server.

Alert: Make sure there are no other DHCP servers on the LAN before you enable the DHCP server.

2. Enter the maximum length of the DHCP lease in the Lease Time field. The Lease Time determines how often the DHCP Server renews IP leases. The default Lease Time is 60 minutes. The length of time can range from 1 to 9999 minutes.
3. If configuring the DHCP server for the LAN, enter the gateway address used by LAN computers to access the Internet in the LAN Default Gateway field. Enter the SonicWALL LAN IP Address if NAT is enabled.
4. Enter the domain name registered for your network in the Domain Name field. An example of a domain name is your-domain.com. If you do not have a domain name, leave this field blank.
5. Select Set DNS Servers using the SonicWALL Network settings to use the DNS servers that you specified in the SonicWALL Network section. If you want to use different DNS servers than the ones specified in the SonicWALL Network section, then select Specify Manually. Enter your DNS Server addresses in the DNS Server 1, DNS Server 2, and DNS Server 3 fields. The DNS servers are used by computers on your LAN to resolve domain names to IP addresses. You can enter only one DNS Server address, but multiple DNS entries improve performance and reliability.
6. Enter your WINS Server addres
ong Encrypt and Authenticate (ESP 3DES HMAC SHA1) uses 168-bit 3DES encryption and HMAC SHA1 authentication. 3DES is an extremely secure encryption method, and HMAC SHA1 is used to verify integrity. This method significantly impacts the data throughput of the SonicWALL.
• Encrypt for Checkpoint (ESP DES HMAC MD5) uses 56-bit DES encryption and HMAC MD5 authentication. This method is compatible with CheckPoint Firewall-1.
• Encrypt and Authenticate (ESP DES HMAC MD5) uses 56-bit DES encryption and HMAC MD5 authentication. This method impacts the data throughput of VPN communications. SonicWALL VPN client supports this method.
• Authenticate (AH MD5) uses AH to authenticate and MD5 to generate a 128-bit message digest.
• Authenticate (AH SHA1) uses AH to authenticate and SHA1 to generate a 160-bit message digest.
• Authenticate (ESP MD5) authenticates using ESP as the security protocol and MD5 to generate a 128-bit message digest.
• Authenticate (ESP SHA1) authenticates using ESP as the security protocol and SHA1 to generate a 160-bit message digest.
• Encrypt and Authenticate (ESP DES HMAC SHA1) uses 56-bit DES encryption and HMAC SHA1 authentication.
• Strong Encrypt (ESP AES-128) uses ESP to authenticate and 128-bit AES to encrypt.
• Strong Encrypt and Authenticate (ESP AES-128 HMAC MD5) uses 128-bit AES encryption and HMAC MD5 authentication.
• Stro
283. …SonicWALL LAN IP Address or at the backup SonicWALL LAN IP Address. When the primary SonicWALL restarts after a failure, it is accessible using the third IP address created during configuration. If Preempt mode is enabled, the primary SonicWALL becomes the active firewall and the backup firewall returns to Idle status.
    E-mail Alerts Indicating Status Change: If you have configured the primary SonicWALL to send E-mail alerts, you receive alert E-mails when there is a change in the status of the High Availability pair. For example, when the backup SonicWALL takes over for the primary after a failure, an E-mail alert is sent indicating that the backup has transitioned from Idle to Active. If the primary SonicWALL subsequently resumes operation after that failure and Preempt Mode has been enabled, the primary SonicWALL takes over and another E-mail alert is sent to the administrator indicating that the primary has pre-empted the backup.
    View Log: The SonicWALL also maintains an event log that displays these High Availability events in addition to other status messages and possible security threats. This log may be viewed with a browser using the SonicWALL Web Management Interface, or it may be automatically sent to the administrator's E-mail address. To view the SonicWALL log, click Log on the left side of the browser window and then click View Log at the top of the window.
284. …SonicWALL for VPN Single Armed Mode. You can use the following example information to configure the IP addresses on a SonicWALL for VPN Single Armed Mode:
    Remote SonicWALL: WAN IP Address 66.120.118.11, Subnet Mask 255.255.255.0; LAN IP Address 192.168.1.1, Subnet Mask 255.255.255.0.
    Corporate SonicWALL: WAN IP Address 66.120.118.25, Subnet Mask 255.255.255.0; LAN IP Address 192.168.3.1, Subnet Mask 255.255.255.0.
    VPN Single Armed Mode SonicWALL: WAN IP Address 66.120.118.13, Subnet Mask 255.255.255.0; LAN IP Address 192.168.2.1, Subnet Mask 255.255.255.0.
    To configure a SonicWALL in VPN Single Armed Mode in front of an existing SonicWALL, follow these steps:
    1. Configure the Remote and Corporate SonicWALLs in your preferred networking mode.
    2. Configure a VPN SA using IKE and Pre-shared Secret on the Remote SonicWALL, using the VPN SonicWALL WAN IP address (66.120.118.13) as the IPSec Gateway and the Corporate SonicWALL WAN IP address (66.120.118.25) as the Destination Network.
    3. Configure a Static Route on the Local SonicWALL to send network traffic destined for the Remote SonicWALL to the VPN SonicWALL.
    4. Configure the VPN SonicWALL in Standard networking mode.
    5. Click Advanced, then Intranet. Select the VPN Single Armed Mode (stand-alone VPN gateway) checkbox and click Update. A rule is automatically added to the VPN SonicWALL for HTTPS management from the WAN. The LAN port is disabled when you configure a SonicWALL for VPN Single Armed…
285. …SonicWALL which IP addresses are on your LAN. The default value, 255.255.255.0, supports up to 254 IP addresses. Enter your WAN router or default gateway address in the WAN Gateway (Router) Address field. Your router is the device that connects your network to the Internet. If you use Cable or DSL, your WAN router is typically located at your ISP. If you use a router located at your site, use the IP address assigned to it. Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses the DNS servers for diagnostic tests and for upgrade and registration functionality. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect.
    NAT Enabled Configuration: Network Address Translation (NAT) connects your entire network to the Internet using a single IP address. Network Address Translation offers the following: Internet access to additional computers on the LAN (multiple computers can access the Internet even if your ISP only assigned one or two valid IP addresses to your network), and additional security and anonymity, because your LAN IP addresses are invisible to the outside world. If your ISP hasn't provided enough IP addresses for all machines on your LAN, enable NAT and assign your network a private IP address range. You should use addresses from one of the following address ranges on your private network…
286. …communications latency. The increased latency is due to the encryption and decryption required for each IP packet containing an Encapsulating Security Payload. ESP typically involves encryption of the packet payload using standard encryption mechanisms such as RC4 (ARCFour), DES or 3DES. The SonicWALL supports 56-bit ARCFour, 56-bit DES and 168-bit 3DES.
    Authentication Header (AH): The Authentication Header provides strong integrity and authentication by adding authentication information to IP packets. This authentication information is calculated using header and payload data in the IP packet, which provides an additional level of security. Using AH increases the processing requirements of VPN and also increases the communications latency. The increased latency is primarily due to the calculation of the authentication data by the sender and the calculation and comparison of the authentication data by the receiver for each IP packet containing an Authentication Header.
    Data Encryption Standard (DES): When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The SonicWALL DES encryption algorithm uses a 56-bit key. The SonicWALL VPN DES Key must be exactly 16 characters long and is comprised of hexadecimal characters…
287. …book on TCP/IP for an overview of protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol). The following book is recommended for beginner and intermediate network administrators: Teach Yourself TCP/IP in 14 Days, Second Edition, Timothy Parker, Ph.D., SAMS Publishing, ISBN 0-672-30885-1.
    Network Hardware Components: Computers (IBM compatible, MAC, notebooks and PDAs); Resources (printers, fax machines, tape backup units and file storage devices); Cables (crossover, ethernet); Connectors (bridges, routers); Network Interface Card (NIC), a card installed inside a computer that physically connects the computer to a network and controls the flow of data from the network to the computer. The NIC has a port where the network cable is connected.
    Network Types: LAN stands for Local Area Network. Local area refers to a network in one location. Local Area Networks connect computers and devices close to each other, such as on one floor of a building, one building or a campus. LANs can connect as few as two computers or as many as 100 computers. A WAN (Wide Area Network) connects LANs together. The networks that make up a WAN can be located throughout a country or even around the world. If a single company owns a WAN, it is often referred to as an enterprise network. The Internet is currently the largest WAN.
    Firewalls: A firewall is a software or hardware system that…
288. …for the device. The Ethernet address is used as part of the identification process, and an incorrect Ethernet address can cause the SonicWALL to respond to IP spoofs.
    6. If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the local DHCP server. Once the tunnel is again active, the local DHCP server stops issuing leases. Enable the Obtain temporary lease from local DHCP server if tunnel is down check box. By enabling this check box, you have a failover option in case the tunnel ceases to function. If you want to allow temporary leases for a certain time period, enter the number of minutes for the temporary lease in the Temporary Lease Time box. The default value is two (2) minutes.
    LAN Device Configuration:
    7. To configure Static Devices on the LAN, enter the IP address of the device in the IP Address field and then enter the Ethernet Address of the device in the Ethernet Address field. An example of a static device is a printer, as it cannot obtain an IP lease dynamically. If you do not have Block traffic through tunnel when IP spoof detected enabled, it is not necessary to enter the Ethernet address of a device. You must exclude the Static IP addresses from the pool of available IP addresses on the DHCP server so that the DHCP server does not assign these addresses to DHCP clients. You should also exclude the IP address used as the Relay IP Address…
289. …network: 10.0.0.0 to 10.255.255.255; 172.16.0.0 to 172.31.255.255; 192.168.0.0 to 192.168.255.255.
    Tip: If your network address range uses valid TCP/IP addresses, Internet sites within that range are not accessible from the LAN. For example, if you assign the address range 199.2.23.1 to 199.2.23.255 to your LAN, a Web server on the Internet with the address 199.2.23.20 is not accessible.
    When NAT is enabled, users on the Internet cannot access machines on the LAN unless they have been designated as Public LAN Servers. To enable Network Address Translation (NAT), complete the following instructions:
    2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL.
    3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells the SonicWALL which IP addresses are on your LAN. Use the default value, 255.255.255.0, if there are fewer than 254 computers on your LAN.
    4. Enter your WAN router or default gateway address in the WAN Gateway (Router) Address field. This is the device that connects your network to the Internet. If you use Cable or DSL, your WAN router is probably located at your ISP. If you use a router located at your site, use the IP address assigned to it.
    5. …
290. …Welcome to the SonicWALL Internet Security Appliance Wizard. This Wizard will help you quickly configure the SonicWALL to secure your Internet connection. Once completed, you can use the SonicWALL Web Management Interface for additional configuration options. Please see the User's Guide for more details. To bypass this Wizard, click Cancel.
    Tip: To bypass the Wizard, click Cancel. Then log into the SonicWALL Management Interface by entering the User Name admin and the Password password.
    Setting the Password: Set Your Password. First you will need to choose a good administrator password in order to protect the security of your SonicWALL. Note that this password will be encrypted when sent over your network. Your password should be a combination of letters, numbers and punctuation. You should not use a password which can easily be guessed by others, such as the name of your spouse or your birthday. Note also that your password is case sensitive. If you plan to manage your SonicWALL remotely using the SonicWALL Global Management System, check the Use Global Management System checkbox.
    2. To set the password, enter a new password in the New Password and Confirm…
291. …you will contact the Web Management Interface at URL http://192.168.168.1, User Name admin, Password <set as previously>. Once the SonicWALL is up, you should register it at SonicWALL's Web Site. This will be necessary before you can take advantage of firmware updates and CyberNOT content filtering features.
    Alert: The new SonicWALL LAN IP address displayed in the URL field of the Congratulations page is used to log in and manage the SonicWALL.
    10. Click Restart to restart the SonicWALL.
    Restarting. Tip: The final window provides important information to help configure the computers on the LAN. Click Print this Page to print this information.
    SonicWALL is restarting. Since you have activated SonicWALL's DHCP server, you should now configure all the PCs and other network devices on your LAN to Obtain an IP address automatically. Note that it may be necessary to restart a PC or network device after changing its network configuration. Note: This includes the computer you are currently using to configure SonicWALL. You will not be able to re-contact SonicWALL until you have reconfigured your PC. Once you have reconfigured your PC and SonicWALL has finished restarting, you should be able to access the Internet. Note that the restarting process will take approximately 90 seconds to complete. Remember, from now on you will…
292. …shows whether an IP host is located on the LAN or the WAN. This is helpful in determining if the SonicWALL is properly configured. For example, if the SonicWALL thinks that a computer on the Internet is located on the LAN, then the SonicWALL Network or Intranet settings can be misconfigured. Find Network Path shows if the target device is behind a router and the Ethernet address of the target device. Find Network Path also shows the gateway the device is using and helps isolate configuration problems.
    1. Select Find Network Path from the Choose a diagnostic tool menu.
    2. Enter the IP address of the device and click Go. The test takes a few seconds to complete. Once completed, a message showing the results is displayed in the browser window. If the network path is incorrect, check the SonicWALL Intranet and Static Routes settings.
    Tip: Find Network Path requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host.
    Ping: The Ping test bounces a packet off a machine on the Internet and returns it to the sender. This test shows if the SonicWALL is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server or another machine at the ISP location. If this test is successful…
293. …deploy a SonicWALL with a single port (WAN) utilized as a VPN tunnel termination point. Clear text traffic is routed to the single interface and the data is encapsulated to the appropriate IPSec gateway. An example of a deployment is to place the SonicWALL between the existing firewall and the router connected to the Internet. Traffic is sent in clear text to the SonicWALL, then encrypted and sent to the appropriate VPN Gateway.
    [Figure: One-Arm VPN deployment. Head-End Gateway with the SonicWALL WAN port connected on the 10.0.x.x segment; corporate hosts on Ethernet 192.168.2.0/24 behind 192.168.2.1; remote firewall 192.168.1.1 with hosts on Ethernet 192.168.1.0/24.]
    Alert: VPN Single Armed Mode can only be enabled if the SonicWALL is in Standard mode on the Network tab. If you are not using Standard for your Network mode, a warning message is displayed. If VPN Single Armed Mode (stand-alone VPN gateway) is enabled, a warning message appears as follows: "Selecting VPN Single Armed mode will make this device accessible only from the WAN interface. This option will modify the intranet mode and add a HTTPS Management rule. Do you want to continue?" Click OK to enable the SonicWALL in VPN Single Armed Mode.
    Configuring a SonicWALL…
294. …expansion of NRHH is taken directly from the RADIUS spec. (Updated 11/30/01, Ian Puleston.)
    Start with the Standard RADIUS specification attributes:
        @radius.dct
        MACRO SW-VSA(type, syntax) 26 [vid=8741 type1=%type% len1=+2 data=%syntax%]
        ATTRIBUTE SonicWALL-User-Privilege    SW-VSA(1, integer)    R
        VALUE     SonicWALL-User-Privilege    Remote-Access         1
        VALUE     SonicWALL-User-Privilege    Bypass-Filters        2
        VALUE     SonicWALL-User-Privilege    VPN-Client-Access     3
        VALUE     SonicWALL-User-Privilege    Access-To-VPN         4
        VALUE     SonicWALL-User-Privilege    Limited-Management    5
        ATTRIBUTE SonicWALL-User-Privileges   SW-VSA(2, string)     R
    This is a text string giving a comma-separated list of one or more privileges; each corresponds to a value of the SonicWALL-User-Privilege attribute above: RA, BF, VC, VN, LH.
    End of SonicWALL.dct. This is the RADIUS dictionary file for SonicWALL Firewall products.
295. …displayed at the bottom of the browser window. Restart the SonicWALL for changes to take effect.
    Alert: The One-to-One NAT window maps valid public IP addresses to private LAN IP addresses. It does not allow traffic from the Internet to the private LAN.
    Tip: A rule must be created in the Rules section to allow access to LAN servers. After One-to-One NAT is configured, create an Allow rule to permit traffic from the Internet to the private IP address(es) on the LAN.
    One-to-One NAT Configuration Example: This example assumes that you have a SonicWALL running in the NAT enabled mode with IP addresses on the LAN in the range 192.168.1.1 to 192.168.1.254 and a WAN IP address of 208.1.2.2. Also, you own the IP addresses in the range 208.1.2.1 to 208.1.2.6. Alert: If you have only one IP address from your ISP, you cannot use One-to-One NAT. You have three web servers on the LAN with the IP addresses 192.168.1.10, 192.168.1.11 and 192.168.1.12. Each of the servers must have a default gateway pointing to 192.168.1.1, the SonicWALL LAN IP address. You also have three additional IP addresses from your ISP, 208.1.2.4, 208.1.2.5 and 208.1.2.6, that you want to use for three additional web servers. Use the following steps to configure One-to-One NAT:
    1. Log into the Management Interface and click Advanced. Then click the One-to-One NAT tab.
    2. Select Enable One-to-One NAT…
296. …requires that all inbound traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. Select Remote users behind VPN gateway if remote users have a VPN tunnel terminating on the VPN gateway. Select Remote VPN clients behind VPN gateway if remote users require authentication using XAUTH and are accessing the SonicWALL via a VPN client.
    Enable Windows Networking (NetBIOS) broadcast: Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote network resources by browsing the Windows Network Neighborhood.
    Apply NAT and firewall rules: This feature allows a remote site's LAN subnet to be hidden from the corporate site, and is most useful when a remote office's network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this check box applies the firewall access rules and ch…
298. …user name in the User field. Enter your ISP password in the Password field. Confirm your ISP password in the Confirm field. Select Obtain Automatically if you do not have a permanent IP address from your ISP. If you have a permanent IP address from your ISP, select Specify and enter the IP address in the IP Address field. If you obtain an IP address automatically for your DNS Server(s), select Obtain Automatically. If your dial-up ISP has a specific IP address for the DNS Server(s), select Specify and enter the IP address in the field. If your dial-up ISP has given you a script that runs when you access your dial-up ISP connection, cut and paste the script text into the Chat Script field. See the Information on Chat Scripts section at the end of this chapter for more information on using chat scripts.
    Location Settings:
    1. Select Manual Dial to have the modem dial only when you click Connect on the Configure page.
    2. Enter the number of minutes the connection is allowed to be inactive in the Inactivity Timeout (minutes) field. The default value is five (5) minutes.
    3. Select the connection speed from the Max Connection Speed (bps) menu. Auto is the default setting.
    4. If you have call waiting on your telephone line, you should disable it, or another call can interrupt your connection to your ISP. Select Disable Call Waiting and then select the command from the list. If you do not s…
299. …number of times the event occurred. The Syslog Individual Event Rate default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
    11. Syslog Format: You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
    Log Categories: You can define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug.
    System Maintenance: Logs general system activity, such as administrator log-ins, automatic downloads of the Content Filter Lists and system activations.
    System Errors: Logs problems with DNS, e-mail and automatic downloads of the Content Filter List.
    Blocked Web Sites: Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
    Blocked Java, etc.: Logs Java, ActiveX and Cookies blocked by the SonicWALL.
    User Activity: Logs successful and unsuccessful log-in attempts.
    VPN TCP Stats: Logs TCP connections over VPN tunnels.
    Attacks: Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death and IP spoofing.
    Dropped TCP: Logs blocked incoming TCP connections.
    Dropped UDP: Logs blocked incoming UDP packets.
    Dropped ICMP: Logs blocked incoming ICMP packets.
    Network…
300. …for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time, the software is corrupt and must be reinstalled. There are three Ethernet ports, one for each of the LAN, DMZ and WAN ports.
    Link: Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or directly connected to a computer. Note that the connected Ethernet device must support the standard Link Integrity test.
    100: Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch, or directly connected to a computer with a 100Mbps network interface.
    Activity: Flashes when the SonicWALL PRO 100 transmits or receives a packet through the Twisted Pair port.
    SonicWALL TELE3 TZX Back Panel: 5VDC 2A Power input; Reset Switch; Serial Port; 10Mbps/100Mbps WorkPort Ethernet Port; 10Mbps/100Mbps HomePort Ethernet Port; 10Mbps/100Mbps WAN Ethernet Port.
    SonicWALL TELE3 TZX Back Panel Description:
    Reset Switch: Erases the firmware and resets the SonicWALL TZX to its factory clean state. This can be necessary if the administrator password is forgotten or the firmware has become corrupt.
    Serial Port: DB-9 RS-232 Serial port for Command Line Interface support.
    6 Twisted Pair (10Base-T/100Base-T) Ethernet Ports: 6 auto-switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks. The Ethernet ports connect the SonicWALL…
301. …for the backup SonicWALL to take over from the active unit depends on the Heartbeat Interval and the Failover Trigger Level.
    6. Enter the Heartbeat Interval time in seconds. Use a value between 3 seconds and 255 seconds. This interval is the amount of time in seconds that elapses between heartbeats passed between the two SonicWALLs in the High Availability pair.
    7. Enter the Failover Trigger Level in terms of the number of missed heartbeats. Use a value between 2 and 99 missed heartbeats. When the backup unit detects this number of consecutive missed heartbeats, the backup SonicWALL takes over operation from the active unit. Example: Assume that the Heartbeat Interval and the Failover Trigger Level are 5 seconds and 2 missed heartbeats respectively. Based on these values, the backup SonicWALL takes over from the active unit after 10 seconds in the event of a failure in the active unit.
    8. Enter the Active SonicWALL Detection Time in seconds, using a value between 0 and 300. The default value of 0 is correct in most cases. When any SonicWALL (primary or backup) becomes active after bootup, it looks for an active SonicWALL configured for High Availability on the network. If another SonicWALL is active, the SonicWALL that is booting up transitions to the Idle mode. In some cases there may be a delay in locating another SonicWALL due to network delays or problems with hubs or switches. You can configure either the primary or backup SonicWALL to allow an…
302. …NAT with DHCP Client: NAT with DHCP Client is a networking mode that allows you to obtain an IP address for a specific length of time from a DHCP server. The length of time is called a lease, which is renewed by the DHCP server, typically after a few days. When the lease is ready to expire, the client contacts the server to renew the lease. This is a common network configuration for customers with cable or DSL modems; you are not assigned a specific IP address by your ISP. Instructions for configuring NAT with DHCP Client mode begin on page 32.
    NAT with L2TP Client: NAT with L2TP Client is a networking mode that allows you to connect to a remote L2TP server to obtain IP address settings. L2TP (Layer 2 Tunneling Protocol) is a network protocol using IPSec to encrypt transmitted data and is only supported by Windows 2000. If you are running other versions of Windows, you must use PPTP as your tunneling protocol. Instructions for configuring NAT with L2TP Client mode begin on page 37.
    NAT with PPTP Client: NAT with PPTP Client is a networking mode supporting PPTP (Point to Point Tunneling Protocol) to connect to a remote server. It uses Microsoft Point to Point Encryption (MPPE) to provide encryption of transmitted data. PPTP typically supports older Microsoft clients that require tunneling connectivity, or situations in which a tunnel passes through a firewall performing NAT. Instructions for configuring NAT with PPTP Client begin on p…
303. …are added for the user. Steel-Belted RADIUS does support CHAP, so authentication takes place even if HTTPS is not available when logging into the SonicWALL management interface. Select Allow PAP or CHAP when setting user passwords.
    ACE Server (RSA): The ACE Server version 4.1 from RSA configures RADIUS attributes into the profiles. It does not support pre-configuration of vendor-specific attributes on the server. It also only allows one vendor-specific attribute to be set per profile, and only supports vendor-specific attributes containing ASCII text. User privileges are added manually using the following instructions:
    1. Open the ACE Server Database Administrator program.
    2. Select Edit Profiles from the menu and select the profile to be configured with user privileges. Click OK.
    3. From the Available Attributes menu, select Vendor Specific and then click Add Attribute.
    4. Set the value to 8741 2 privileges-list, where privileges-list is a comma-separated list of 2-letter privileges as follows: RA (Remote Access), BF (Bypass Filters), VC (Access from VPN Client), VA (Access to VPNs), LM (Limited Management). For example, to configure a profile with Access to VPN privileges and allow Access from VPN Client, the value is set as follows: 8741 2 VA,VC.
    The ACE Server from RSA does not support CHAP with RADIUS; therefore it is necessary to configure the SonicWALL to use HTTPS when logging into the SonicWALL management…
304. …create the following rule:
    1. Verify that HTTP has been added as a Service as outlined previously.
    2. Click the Rules tab and click Add New Rule.
    [Add New Rule form: Action (Allow/Deny); Service; Ethernet Source and Destination, each with Addr Range Begin and Addr Range End; Apply this rule (always, or from/to in 24-hour format, Sun to Sun); Inactivity Timeout in Minutes (5); Allow Fragmented Packets; Enable Outbound Bandwidth Management with Guaranteed Bandwidth (Kbps), Maximum Bandwidth (Kbps) and Bandwidth Priority; bandwidth settings do not take effect until enabled on the Advanced Ethernet page.]
    3. Select Allow, then Web (HTTP) from the Service menu.
    4. Select WAN from the Ethernet Source menu and leave the Addr Range Begin and Addr Range End as they appear.
    5. Select LAN from the Ethernet Destination menu and enter the IP address of the Web server, 208.5.5.5, in the Addr Range Begin field. No IP address is added in the Addr Range End, since the destination is not a range of IP addresses.
    6. Select always from the Apply this rule menu.
    7. Enter a value in minutes in the Inactivity Timeout in Minutes field.
    8. Do not select the Allow Fragmented Packets check box.
    9. If you want the Rule to have guaranteed bandwidth, select Enable Outbound Bandwidth Management and enter values for Guaranteed Bandwidth, Maximum Bandwidth and Bandwidth Priority.
    10. Click Update to…
305. …[Network settings screenshot: WAN IP address 10.0.93.15; WAN/DMZ Subnet Mask 255.255.0.0; DNS Server 1 10.50.128.52; PPTP Client fields: Host Name, PPTP Server IP Address, User Name, PPTP DNS Server 1 0.0.0.0, PPTP DNS Server 2 0.0.0.0.]
    2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.
    3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN. Use the default value, 255.255.255.0, if there are fewer than 254 computers on your LAN.
    4. If you obtain a WAN IP address from the PPTP server, select Obtain an IP address using DHCP. If you have WAN IP address information, select Use the specified IP address and enter your WAN information in the WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address and WAN Subnet Mask fields.
    5. Enter the DNS server IP address in the DNS Server 1 field.
    6. Enter the PPTP server host name in the PPTP Host Name field.
    7. Enter the IP address of the PPTP server in the PPTP Server IP Address field.
    8. Enter your user name and password in the User Name and User Password fields.
    9. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect…
306. ...scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX check box to block ActiveX controls.
• Java: Java is used to download and run small programs, called applets, on Web sites. It is safer than ActiveX since it has built-in security mechanisms. Select the Java check box to block Java applets from the network.
• Cookies: Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable cookies.
• Known Fraudulent Certificates: Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs vouched for by fraudulent certificates. If digital certificates are proven fraudulent, the SonicWALL blocks the Web content and the files that use them. Known fraudulent certificates blocked by the SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee. This protection is only as current as the list of known fraudulent certificates in the firmware, which is one more reason to keep the firmware up to date.
• Access to HTTP Proxy Servers: When a proxy server is located on the WAN, LAN users can circumvent content filtering by pointing their computer to the proxy server. Check this box to prevent LAN users from accessing proxy servers on the WAN.
• Don't Block Java/ActiveX/Cookies to Trusted Domains: Sel
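The following is an added example, not code from the SonicWALL guide or product: a minimal HTTP content filter that applies the Restrict Web Features settings listed above to a request and a response. It blocks requests to known WAN proxies, strips Set-Cookie headers, ActiveX <object> tags and Java <applet> tags from responses, and passes trusted domains through untouched. The trusted-domain list, the proxy list, the host names, the clsid value and the sample page are all constructed for this example.

```python
# Added example (not SonicWALL code): apply Restrict Web Features settings
# to an HTTP request and response. All hosts, lists and the sample page
# below are constructed for illustration.
import re

SETTINGS = {"activex": True, "java": True, "cookies": True, "block_proxies": True}
TRUSTED_DOMAINS = {"intranet.example.com"}   # "Don't Block ... to Trusted Domains"
KNOWN_WAN_PROXIES = {"proxy.example.net"}    # proxies that would bypass filtering

# ActiveX controls are <object> tags with a clsid: classid; applets are <applet>.
ACTIVEX = re.compile(r"<object\b[^>]*\bclassid\s*=\s*['\"]?clsid:.*?</object\s*>", re.I | re.S)
JAVA = re.compile(r"<applet\b.*?</applet\s*>", re.I | re.S)

def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """A host is trusted if it is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def filter_request(host, settings=SETTINGS, proxies=KNOWN_WAN_PROXIES):
    """Return (allowed, reason). A request to a known WAN proxy is refused
    when the 'Access to HTTP Proxy Servers' restriction is on."""
    if settings["block_proxies"] and host.lower() in proxies:
        return False, "proxy"
    return True, ""

def filter_response(host, headers, body, settings=SETTINGS):
    """Return (headers, body, removed). Trusted domains pass unchanged;
    otherwise cookies and active content are stripped per the settings."""
    removed = []
    if is_trusted(host):
        return headers, body, removed
    if settings["cookies"]:
        kept = [(k, v) for k, v in headers if k.lower() != "set-cookie"]
        if len(kept) != len(headers):
            removed.append("cookie")
        headers = kept
    if settings["activex"] and ACTIVEX.search(body):
        body = ACTIVEX.sub("<!-- ActiveX control removed -->", body)
        removed.append("activex")
    if settings["java"] and JAVA.search(body):
        body = JAVA.sub("<!-- Java applet removed -->", body)
        removed.append("java")
    return headers, body, removed

# Constructed sample response (the clsid is a placeholder, not a real control).
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc; Path=/")]
SAMPLE_BODY = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000001"><param name="x" value="y"></object>
<applet code="Game.class" width="100" height="100"></applet>
<p>hello</p></body></html>"""

if __name__ == "__main__":
    print(filter_request("proxy.example.net"))
    hdrs, page, gone = filter_response("www.example.org", SAMPLE_HEADERS, SAMPLE_BODY)
    print(gone)
    print(page)
```

The filter is deliberately tag-based, which is what a 2001-era appliance could do on cleartext HTTP; it cannot see inside HTTPS, so the proxy restriction and the trusted-domain exception matter more than the regexes.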
307. (Screenshot residue: browser toolbar and the Dial-up Configuration status page, which reports whether qualifying traffic has occurred and whether the Connect/Disconnect button has been pressed.)
Configuring Modem Profiles
You can configure modem profiles on the SonicWALL using your dial-up ISP information for the connection. Multiple modem profiles can be used when you have a different profile for individual ISPs. Click Profiles and follow the instructions below to configure your Dial-up Configuration.
Tip: The SonicWALL supports a maximum of ten (10) configuration profiles.
(The Add New Profile page contains the following ISP Settings: Primary Phone Number, Secondary Phone Number, User, Password and Confirm; the connection options Persistent Connection, Dial on Data and Manual Dial; Inactivity Timeout (minutes); Max Connection Speed (bps, default Auto); Disable Call Waiting; and an IP Address field.)
308. Example bandwidth classes:
SMTP: 300 Kbps, Priority 1
Telnet: 200 Kbps, Priority 2
FTP: 100 Kbps, Priority 3
HTTP: 100 Kbps, Priority 4
(Figure: Bandwidth Management Schema. Each packet is assigned to the class queue for its service, with and without other traffic on the network; the highest-priority class is assigned first in the class queue.)
Examples of Bandwidth Management Rules
Rule   Service   Priority   Guaranteed   Maximum
Allow  SMTP      1          300 Kbps     1000 Kbps
Allow  FTP       3          100 Kbps     200 Kbps
Allow  HTTP      4          100 Kbps     200 Kbps
12. DHCP Server
This chapter describes the configuration of the SonicWALL DHCP Server. DHCP (Dynamic Host Configuration Protocol) is a method to distribute TCP/IP settings from a centralized server to computers on a network. The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server addresses to the computers on your LAN. To access the SonicWALL DHCP
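As an added example (not SonicWALL code, and not a description of the appliance's actual scheduler), the allocator below applies the guaranteed/maximum/priority scheme of the rules table above to a fixed link: guarantees are honoured first in priority order, then spare capacity is handed out, again by priority, up to each class's maximum. The class definitions come from the table; the link sizes and per-class demands are constructed, and the two-pass algorithm is this example's own reading of the schema.

```python
# Added example (not SonicWALL code): a two-pass bandwidth allocator for the
# guaranteed / maximum / priority rules in the table above. Link sizes and
# demands are constructed; the class table matches the page.

# name -> (priority: 1 is highest, guaranteed_kbps, maximum_kbps)
CLASSES = {
    "SMTP": (1, 300, 1000),
    "FTP":  (3, 100, 200),
    "HTTP": (4, 100, 200),
}

def check_guarantees(link_kbps, classes):
    """The guarantees must fit the link, otherwise the lowest priorities will
    not get their guaranteed bandwidth when every class is busy."""
    total = sum(guaranteed for _, guaranteed, _ in classes.values())
    return total <= link_kbps, total

def allocate(link_kbps, classes, demand):
    """Return {class: kbps} for one scheduling interval.
    Pass 1: each class gets its guarantee (bounded by its demand), highest
    priority first. Pass 2: remaining capacity goes to classes that still
    want more, highest priority first, up to each class's maximum."""
    by_priority = sorted(classes, key=lambda name: classes[name][0])
    alloc = {name: 0 for name in classes}
    left = link_kbps
    for name in by_priority:                       # pass 1: guarantees
        _, guaranteed, _ = classes[name]
        give = min(guaranteed, demand.get(name, 0), left)
        alloc[name] += give
        left -= give
    for name in by_priority:                       # pass 2: up to maximum
        _, _, maximum = classes[name]
        want = min(maximum, demand.get(name, 0)) - alloc[name]
        give = min(max(want, 0), left)
        alloc[name] += give
        left -= give
    return alloc

if __name__ == "__main__":
    busy = {"SMTP": 800, "FTP": 300, "HTTP": 300}   # every class wants more than it gets
    print(check_guarantees(350, CLASSES))
    for link in (350, 600, 1500):
        print(link, allocate(link, CLASSES, busy))
```

The 350 Kbps case shows the failure mode that check_guarantees warns about: with 500 Kbps of guarantees on a 350 Kbps link, HTTP receives nothing at all while SMTP is busy.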
309. Setting the User Name and Password for PPPoE
6. If you selected "Provided you with desktop software, a user name and password (PPPoE)", the SonicWALL ISP Settings (PPPoE) page is displayed. (The page reads: Please enter the user name and password that you use to connect to the Internet. Note that your password is case sensitive.)
7. Enter the User Name and Password provided by your ISP into the User Name and Password fields.
Configuring LAN Network Settings
(The Fill in information about your LAN page reads: Since you are using NAT, you will need to specify information about your LAN. You can choose this information arbitrarily, but it's a good idea to use private addresses such as 10.0.0.1 or 192.168.168.1. Note that the default values below will work well for most networks. SonicWALL LAN IP Address: 192.168.168.1. LAN Subnet Mask: 255.255.255.0.)
8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL work for
310. ...rm New Password fields.
Alert: It is very important to choose a password which cannot be easily guessed by others.
This page also displays the Use SonicWALL Global Management System check box. SonicWALL Global Management System (SonicWALL GMS) is a Web browser based security management system. SonicWALL GMS allows enterprises and service providers to monitor and manage hundreds of remote SonicWALLs from a central location. For more information about SonicWALL GMS, contact SonicWALL Sales at 408-745-9600.
3. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue.
Setting the Time and Date
(The Set your Time Zone page reads: SonicWALL's internal clock will be automatically configured by accessing a Network Time server on the Internet. Please select your Time Zone from the pull-down menu. Default: Pacific Time (US & Canada), GMT-8:00.)
4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue.
Connecting to the Internet
To complete the SonicWALL Installation Wizard, you must have the following information av
311. ...from the Security Association menu.
3. Enter a descriptive name for the Security Association, such as "Palo Alto Office" or "NY Headquarters", in the Name field.
4. Enter the IP address of the remote SonicWALL in the IPSec Gateway Address field. This address must be valid and should be the NAT Public IP Address if the remote SonicWALL uses Network Address Translation (NAT).
Note: If the remote SonicWALL has a dynamic IP address, enter 0.0.0.0 in the IPSec Gateway Address field. The remote SonicWALL initiates IKE negotiation in Aggressive Mode because it has a dynamic IP address, and authenticates using the SA Names and Unique Firewall Identifiers rather than the IP addresses. Therefore the SA Name on this SonicWALL must match the Unique Firewall Identifier of the opposite SonicWALL.
5. Select Main Mode from the Exchange menu.
6. Select Group 1 from the Phase 1 DH Group menu. (Group 1 is the 768-bit MODP group, the weakest of the IKE groups; use it only when the peer cannot negotiate a larger group.)
7. Define the length of time before an IKE Security Association automatically renegotiates in the SA Life Time (secs) field. The SA Life Time can range from 120 to 2,500,000 seconds.
Tip: A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys more often. However, every time the VPN tunnel renegotiates, users accessing remote resources are disconnected. Therefore the default SA Life Time of 28,800 seconds (8 hours) is recommended.
8. Select 3DES & SHA1 from the Phase 1 Encryption/Auth
312. Group Configuration uses IKE (Internet Key Exchange) and requires fewer settings on the VPN client, enabling a quicker setup. Simple configuration allows multiple clients to connect to a single Security Association (SA), creating a group VPN tunnel. The SonicWALL only supports one Group Configuration SA. You can use the Group VPN SA for your single VPN client. Because every Group VPN client authenticates with the same shared secret, that secret must be changed if any client machine is lost or compromised.
• Manual Key Configuration requires matching encryption and authentication keys. Because Manual Key Configuration supports multiple SAs, it enables individual control over remote users.
• Advanced Configuration requires a complex setup and is therefore not recommended for most SonicWALL administrators. Advanced Configuration instructions are available on the Web at <http://www.sonicwall.com/products/documentation/VPN_documentation.html>.
Group VPN Configuration for the SonicWALL and VPN Client
Configuring Group VPN on the SonicWALL
Click VPN on the left side of the SonicWALL browser window and then click Configure.
(The Add/Modify IPSec Security Associations page shows: Security Association; IPSec Keying Mode: IKE using pre-shared secret; Disable This SA; SA Life time (secs): 28800; Encryption Method: Encrypt and Authenticate (ESP DES HMAC MD5); Shared Secret, with a sample value in the screenshot; Advanced Settings; VPN Client Configuration File.)
313. ...route entries.
LAN Route Advertisement
Note: This feature is only available on the PRO 100, PRO 200, PRO 230, PRO 300 and PRO 330.
The SonicWALL uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 and RIPv2 based on your router's capabilities or configuration. RIPv1 is an earlier version of the protocol that has fewer features, and it sends packets via broadcast instead of multicast. RIPv2 packets are backwards compatible and can be accepted by some RIPv1 implementations that provide an option of listening for multicast packets. The RIPv2 Enabled (broadcast) selection broadcasts packets instead of multicasting them, for heterogeneous networks with a mixture of RIPv1 and RIPv2 routers.
Tip: There is no route advertisement on the WAN.
To enable Route Advertisement on the LAN, select one of the following types of RIP Advertisements:
• RIPv1 Enabled: RIPv1 is the first version of the Routing Information Protocol.
• RIPv2 Enabled (multicast): send route advertisements using multicasting (a single data packet to specific nodes on the network).
• RIPv2 Enabled (broadcast): send route advertisements using br
314. ...browsers.
UDP (User Datagram Protocol): UDP transfers information using virtual ports between two applications on a TCP/IP network. Slightly faster than TCP, it is not as reliable.
DNS (Domain Name System): DNS is a protocol that matches Internet computer names to their corresponding IP addresses. By using DNS, a user can type in a computer name, such as www.sonicwall.com, instead of an IP address, such as 192.168.168.168, to access a computer.
DHCP (Dynamic Host Configuration Protocol): DHCP allows communication between network devices and a server that administers IP numbers. A DHCP server leases IP addresses and other TCP/IP information to DHCP clients that request them. Typically a DHCP client leases an IP address for a period of time from a DHCP server, which allows a larger number of clients to use a set pool of IP addresses.
WINS (Windows Internet Naming System): WINS, used on Microsoft TCP/IP networks, matches Microsoft network computer names to IP addresses. Using this protocol allows computers on the Microsoft network to communicate with other networks and computers that use the TCP/IP suite.
HTTPS (Secure HyperText Transfer Protocol): HTTPS is a protocol to transfer information securely over the Internet. HTTPS encrypts and decrypts information exchanged between a Web server and a Web browser using Secure Sockets Layer (SSL).
SMTP (Simple Mail Transfer Protocol): SMTP is used to send and receive e-mail messages. Typically SMTP
315. ... 236
16. Hardware Descriptions ... 237
    SonicWALL PRO 230 and PRO 330 ... 237
    SonicWALL PRO 200 and PRO 300 ... 239
    SonicWALL PRO 100 ... 241
    SonicWALL ... SP ... 243
    SonicWALL TELE3 TZ ... 245
    SonicWALL TELE3 TZX ... 247
    SonicWALL SOHO3 and TELE3 ... 249
    SonicWALL GX 250 and GX 650 ... 251
17. Troubleshooting Guide ... 254
    (entry illegible) ... 254
    A computer on the LAN cannot access the Internet ... 254
    The SonicWALL does not establish authenticated sessions ... 254
    The SonicWALL does not save changes that you have made ... 255
    Duplicate IP address errors ... 255
    Machines on the WAN are not reachable ... 255
    VPN tunnel problems ... 255
18. Appendices ... 256
    Appendix A: Technical Specifications ... 256
316. (End of the previous ping output: approximate round trip times in milli-seconds, minimum, maximum and average.)

    C:\WINNT\SYSTEM32> ping yahoo.com
    Pinging yahoo.com [216.115.108.245] with 32 bytes of data:
    Reply from 216.115.108.245: ...
    Reply from 216.115.108.245: ...
    Ping statistics for 216.115.108.245:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 2ms, Average = 1ms
    C:\WINNT\SYSTEM32>

If you are unable to ping the remote network, wait a few minutes for the VPN tunnel to become established and try pinging the network again. If you are still unable to ping the remote network, contact your network administrator.
Configuring Windows Networking
After you have successfully pinged the remote host and confirmed that your VPN tunnel is working, your administrator can ask you to configure your computer for Windows Networking. By configuring your computer for Windows Networking you are able to browse the remote network using Network Neighborhood. Before logging into the remote network you must get the following information from your administrator:
• Server account information, including your username and password
• Domain Name
• WINS Server IP Address
• Internal DNS (optional)
Use the following steps to configure Windows Networking on your computer.
Windows 98
1. Click Start, then Control Panel. Locate the Network icon and double-click it.
2.
317. This Rule allows ping requests from your ISP's servers to your SonicWALL.
1. Click Add New Rule in the Rules window to launch the Add Network Access Rule window.
2. Select Allow from the Action menu.
3. Select Ping from the Service menu.
4. Select WAN from the Source Ethernet menu.
5. Enter the starting IP address of the ISP network in the Source Addr Range Begin field and the ending IP address of the ISP network in the Source Addr Range End field.
6. Select LAN from the Destination Ethernet menu.
7. Since the intent is to allow a ping only to the SonicWALL, enter the SonicWALL LAN IP Address in the Destination Addr Range Begin field.
8. Select Always from the Apply this rule menu to ensure continuous enforcement.
9. Click Update to add your new Rule.
(The completed rule in the screenshot: Action Allow; Service Ping; Source WAN, 216.128.100.1 to 216.128.100.99; Destination LAN, 208.130.105.1; Apply this rule always; Inactivity Timeout in Minutes 5; Allow Fragmented Packets unchecked.)
Current Network Access Rules Table
All Network Access Rules are listed in the Current Network Access Rules table in the Rules window. The rules are listed from most to least specific. The rules at the top of the Current Network Access Rules list take preced
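The two procedures above (the HTTP rule to the Web server at 208.5.5.5 and the Ping rule from the ISP range) and the ordering note about the Current Network Access Rules table can be exercised with the following added example, which is not SonicWALL code and does not claim to reproduce the appliance's matcher. It models a rule as the fields on the Add Network Access Rule page, evaluates packets first-match, and orders rules most-specific-first so that a broad deny cannot shadow the two specific allows. Zone names, the sample packets and the helper names are this example's own.

```python
# Added example (not SonicWALL code): first-match evaluation of network
# access rules as defined on the Add Network Access Rule page, plus the
# most-specific-first ordering of the Current Network Access Rules table.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    service: str           # "http", "ping", ... or "any"
    src_zone: str          # "WAN", "LAN", "DMZ" or "any"
    src_begin: str = ""    # "" = any address in the zone
    src_end: str = ""      # "" = single host (src_begin only)
    dst_zone: str = "any"
    dst_begin: str = ""
    dst_end: str = ""

def in_range(addr, begin, end):
    """Inclusive Addr Range test: empty Begin matches everything, empty End
    means the range is just the single address in Begin."""
    if not begin:
        return True
    a = ipaddress.ip_address(addr)
    lo = ipaddress.ip_address(begin)
    hi = ipaddress.ip_address(end) if end else lo
    return lo <= a <= hi

def matches(rule, pkt):
    return (rule.service in ("any", pkt["service"])
            and rule.src_zone in ("any", pkt["src_zone"])
            and rule.dst_zone in ("any", pkt["dst_zone"])
            and in_range(pkt["src"], rule.src_begin, rule.src_end)
            and in_range(pkt["dst"], rule.dst_begin, rule.dst_end))

def specificity(rule):
    """Count constrained fields; a single host scores above a range."""
    score = int(rule.service != "any") + int(rule.src_zone != "any") + int(rule.dst_zone != "any")
    score += int(bool(rule.src_begin)) + int(bool(rule.src_begin) and not rule.src_end)
    score += int(bool(rule.dst_begin)) + int(bool(rule.dst_begin) and not rule.dst_end)
    return score

def order(rules):
    """Most specific first, as in the Current Network Access Rules table."""
    return sorted(rules, key=specificity, reverse=True)

def decide(rules, pkt, default="deny"):
    """First matching rule wins; if nothing matches, the default applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return default, None

# The two rules built in the procedures above.
HTTP_TO_WEB_SERVER = Rule("allow", "http", "WAN", dst_zone="LAN", dst_begin="208.5.5.5")
PING_FROM_ISP = Rule("allow", "ping", "WAN", "216.128.100.1", "216.128.100.99",
                     "LAN", "208.130.105.1")
# A broad deny that would shadow both allows if it were listed first.
DENY_WAN_TO_LAN = Rule("deny", "any", "WAN", dst_zone="LAN")

RULES = order([DENY_WAN_TO_LAN, HTTP_TO_WEB_SERVER, PING_FROM_ISP])

def pkt(service, src, dst, src_zone="WAN", dst_zone="LAN"):
    """Constructed packet summary for testing."""
    return {"service": service, "src": src, "dst": dst,
            "src_zone": src_zone, "dst_zone": dst_zone}

if __name__ == "__main__":
    for p in (pkt("http", "1.2.3.4", "208.5.5.5"),
              pkt("http", "1.2.3.4", "208.5.5.6"),
              pkt("ping", "216.128.100.50", "208.130.105.1"),
              pkt("ping", "216.128.101.5", "208.130.105.1")):
        print(p["service"], p["src"], "->", p["dst"], decide(RULES, p)[0])
```

The shadowing case is the one to check on a real rule base: the same three rules evaluated in insertion order, with the deny first, reject the HTTP request that the ordered list allows.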
318. NTP (Network Time Protocol) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes to a fraction of a millisecond. Select Use NTP to set time automatically if you want to use your local server to set the SonicWALL clock. You can also set the Update Interval for the NTP server to synchronize the time in the SonicWALL; the default value is 60 minutes. You can add NTP servers to the SonicWALL for time synchronization by entering the IP address of an NTP server in the Add NTP Server field. If there are no NTP servers in the list, the internal NTP list is used by default. To remove an NTP server, highlight the IP address and click Delete NTP Server. When you have configured the Time window, click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Accurate time also matters for the log timestamps you will rely on when investigating an alert.
Configuring the Administrator Settings
The Password tab is now the Administrator tab. In this section you can configure a new administrator name, an administrator password, the inactivity timeout and login failure handling.
319. ...s are counted cumulatively, not simultaneously. When the SonicWALL is turned on and configured, it begins to count IP addresses against the license and continues to count new LAN IP addresses accessing the Internet until the appliance is rebooted. When a computer or other device connects to the LAN port of the SonicWALL, it is detected via broadcast and the SonicWALL stores the device's IP address in memory. Once 5, 10 or 50 IP addresses (depending on the license) have been stored, the SonicWALL does not permit any additional machines to access the Internet. Therefore the SonicWALL restricts the number of IP addresses on the LAN, not the number of simultaneous connections to the Internet.
If you have fewer than the maximum number of computers or other devices on your LAN but it appears that the IP license limit is exceeded, download a Tech Support Report and review the devices with IP addresses. Rogue devices such as printers may be filling up the SonicWALL IP address limit. Tech Support Reports are explained in the Tools chapter of this manual. Additionally, computers with two (2) Network Interface Cards (NICs) can take up two IP addresses. You must reconfigure your network to avoid these problems, by turning off IP forwarding on Windows NT or Windows 2000 servers using two NICs. If devices on the LAN receive IP addresses from a DHCP server, see the DHCP chapter of this manu
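The cumulative counting described above is easy to misread as a concurrency limit, so here is an added example (not SonicWALL code, and not the appliance's actual implementation) that simulates it: distinct LAN addresses are counted from boot, the count is reset only by a restart, and a report groups addresses by Ethernet address so that a dual-NIC host or a printer shows up the way it would in a Tech Support Report. The event sequence and the addresses are constructed.

```python
# Added example (not SonicWALL code): simulate the cumulative LAN IP licence
# count and the review a Tech Support Report supports. Events are constructed.
from collections import defaultdict

class LicenseCounter:
    """Distinct LAN IP addresses seen since the last reboot count against the
    licence; the count is cumulative, not simultaneous."""
    def __init__(self, limit):
        self.limit = limit
        self.reboot()

    def reboot(self):
        self.seen = {}       # ip -> mac, in order of first appearance
        self.denied = []

    def observe(self, ip, mac):
        """Return True if this address may reach the Internet."""
        if ip in self.seen:
            return True
        if len(self.seen) >= self.limit:
            self.denied.append(ip)
            return False
        self.seen[ip] = mac
        return True

    def report(self):
        """What to look for when the limit seems exceeded too early: devices
        holding more than one address (e.g. two NICs) and addresses refused."""
        by_mac = defaultdict(list)
        for ip, mac in self.seen.items():
            by_mac[mac].append(ip)
        multi = {m: ips for m, ips in by_mac.items() if len(ips) > 1}
        return {"used": len(self.seen), "limit": self.limit,
                "multi_nic": multi, "denied": list(self.denied)}

def run(limit, events):
    """Replay ("seen", ip, mac) and ("reboot",) events; return the counter
    and the per-event decisions (None for a reboot)."""
    counter = LicenseCounter(limit)
    results = []
    for event in events:
        if event[0] == "reboot":
            counter.reboot()
            results.append(None)
        else:
            _, ip, mac = event
            results.append(counter.observe(ip, mac))
    return counter, results

EVENTS = [
    ("seen", "192.168.168.10", "00:00:00:00:00:01"),   # workstation
    ("seen", "192.168.168.11", "00:00:00:00:00:02"),   # workstation
    ("seen", "192.168.168.12", "00:00:00:00:00:03"),   # server, NIC 1
    ("seen", "192.168.168.13", "00:00:00:00:00:03"),   # same server, NIC 2: counts again
    ("seen", "192.168.168.14", "00:00:00:00:00:04"),   # network printer
    ("seen", "192.168.168.15", "00:00:00:00:00:05"),   # sixth address on a 5-node licence
    ("seen", "192.168.168.10", "00:00:00:00:00:01"),   # already counted: still allowed
    ("reboot",),
    ("seen", "192.168.168.15", "00:00:00:00:00:05"),   # after a restart the count starts over
]

if __name__ == "__main__":
    counter, decisions = run(5, EVENTS[:7])
    print(decisions)
    print(counter.report())
```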
320. ...es in the WINS Server 1 and WINS Server 2 fields. WINS Servers resolve Windows-based computer names to IP addresses. If you do not have a WINS server, leave these fields blank.
Dynamic Ranges are the ranges of IP addresses dynamically assigned by the DHCP server. The Dynamic Ranges should be in the same subnet as the SonicWALL LAN IP Address. Enter the beginning IP address of your LAN IP address range in the Range Start field. Enter the ending IP address in the Range End field. Select the Allow BootP clients to use range check box if you want BootP clients to receive IP leases. Then click Update. When the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Continue this process until you have added all the desired dynamic ranges.
Alert: The DHCP Server does not assign an IP address from the dynamic range if the address is already being used by a computer on your LAN.
The DHCP Server can also assign Static Entries, or static IP addresses, to computers on the LAN. Static IP addresses should be assigned to servers that require permanent IP settings.
9. Enter the IP address assigned to your computer or server in the Static IP Address field.
10. Enter the Ethernet (MAC) address of your computer or server in the Ethernet Address field. Then click Update. When the SonicWALL has been updated, a message confirming the update is displayed at the bottom of your Web browser window. Continue thi
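The DHCP rules stated above (ranges in the LAN subnet, static entries with an Ethernet address, and a combined limit of 254 dynamic and static addresses) are the kind of thing worth checking before clicking Update. The validator below is an added example, not SonicWALL code: it uses Python's ipaddress module to flag a range outside the subnet, a range that swallows the SonicWALL's own LAN address, overlapping ranges, a malformed Ethernet address, duplicate static entries and an address total over the limit. The sample configurations are constructed; the check that a dynamic range must not contain the LAN IP is this example's assumption rather than a rule stated on the page.

```python
# Added example (not SonicWALL code): validate DHCP Server settings against
# the rules in the text. Sample configurations are constructed.
import ipaddress
import re

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
LEASE_LIMIT = 254   # total dynamic + static addresses the text allows

def validate_dhcp(lan_ip, lan_mask, dynamic_ranges, static_entries, limit=LEASE_LIMIT):
    """dynamic_ranges: [(start, end)]; static_entries: [(ip, mac)].
    Returns a list of error strings; empty means the settings are consistent."""
    errors = []
    lan = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    gateway = ipaddress.ip_address(lan_ip)
    spans = []
    for start, end in dynamic_ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if hi < lo:
            errors.append(f"range {start}-{end}: end precedes start")
            continue
        if lo not in lan or hi not in lan:
            errors.append(f"range {start}-{end}: not within LAN subnet {lan}")
        if lo <= gateway <= hi:   # assumption: the appliance's own address must stay out of the pool
            errors.append(f"range {start}-{end}: contains the SonicWALL LAN IP {gateway}")
        for prev_lo, prev_hi in spans:
            if lo <= prev_hi and prev_lo <= hi:
                errors.append(f"range {start}-{end}: overlaps {prev_lo}-{prev_hi}")
        spans.append((lo, hi))
    seen_ips, seen_macs = set(), set()
    for ip, mac in static_entries:
        addr = ipaddress.ip_address(ip)
        if addr not in lan:
            errors.append(f"static {ip}: not within LAN subnet {lan}")
        if not MAC_RE.fullmatch(mac):
            errors.append(f"static {ip}: malformed Ethernet address {mac!r}")
        if addr in seen_ips:
            errors.append(f"static {ip}: duplicate IP address")
        if mac.lower() in seen_macs:
            errors.append(f"static {ip}: Ethernet address {mac} already assigned")
        seen_ips.add(addr)
        seen_macs.add(mac.lower())
    total = sum(int(hi) - int(lo) + 1 for lo, hi in spans) + len(static_entries)
    if total > limit:
        errors.append(f"{total} addresses configured, limit is {limit}")
    return errors

if __name__ == "__main__":
    print(validate_dhcp("192.168.168.1", "255.255.255.0",
                        [("192.168.168.100", "192.168.168.199")],
                        [("192.168.168.10", "00:11:22:33:44:55")]))
    for problem in validate_dhcp("192.168.168.1", "255.255.255.0",
                                 [("192.168.168.1", "192.168.168.50"),
                                  ("192.168.168.40", "192.168.169.5")],
                                 [("10.0.0.5", "zz:11:22:33:44:55")]):
        print("-", problem)
```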
321. ...s process until you have added all the desired static entries.
Tip: The SonicWALL DHCP server can assign a total of 254 dynamic and static IP addresses.
Deleting Dynamic Ranges and Static Entries
(The body of this section is missing; it ends with the confirmation message being displayed at the bottom of the browser window.)
DHCP over VPN
DHCP over VPN allows a host (DHCP client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments it is desirable to have all VPN networks on one logical IP subnet and create the appearance of all VPN networks residing in one IP subnet address space. This facilitates IP address administration for the networks using VPN tunnels.
DHCP Relay Mode
The SonicWALL appliances at the remote and central sites are configured for VPN tunnels for initial DHCP traffic as well as subsequent IP traffic between the sites. The SonicWALL at the remote site (Remote Gateway) passes DHCP broadcast packets through its VPN tunnel. The SonicWALL at the central site (Central Gateway) relays DHCP packets from the client on the remote network to the DHCP server on the central site.
(Figure: DHCP over a VPN Tunnel. A TELE3 TZ Remote Gateway and a GX 500 Central Gateway, with public addresses of the form 216.xxx.xxx.xxx and 61.xxx.xxx.xxx, are joined by a VPN tunnel across the Internet; the DHCP server sits on the central LAN.)
322. ...is selected, you can access that service on the Internet from your LAN. Otherwise you are blocked from accessing that service. By default the LAN Out check boxes are selected.
DMZ In (Optional): If DMZ In is selected, users on the Internet can access the service on the DMZ. Otherwise they are blocked from accessing the service on the DMZ. By default, DMZ In is selected. The DMZ In column does not appear in the Web Management Interface for the SonicWALL SOHO3 and TELE3, which do not have a separate DMZ port.
LAN In: If a LAN In check box is enabled, users on the Internet can access all computers on your network for that service. By default, LAN In check boxes are not enabled. Use caution when enabling a LAN In service: it exposes every LAN host for that service, so a Network Access Rule or a Public LAN Server entry that names the one host you intend is usually the better choice.
Alert: If an Alert icon appears next to a LAN Out, LAN In or DMZ In check box, a rule in the Rules window modifies that service.
Public LAN Server
A Public LAN Server is a LAN server designated to receive inbound traffic for a specific service, such as Web or e-mail. You can define a Public LAN Server by entering the server's IP address in the Public LAN Server field for the appropriate service. If you do not have a Public LAN Server for a service, enter 0.0.0.0 in the field.
Windows Networking (NetBIOS) Broadcast Pass Through
Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets. By default the SonicWAL
323. ...sary. Do not block the cooling vents on the SonicWALL side panels.
SonicWALL PRO 200 and PRO 300
Front Panel
The SonicWALL PRO 200 front panel is shown below, followed by a description of each item. The SonicWALL PRO 300 is identical to the SonicWALL PRO 200 except for the PRO 300 label on the front panel and the inclusion of VPN accelerator hardware and an additional 8 MB of RAM.
(Figure: SonicWALL PRO 200 and PRO 300 front panel, showing the Power, Test and Alarm LEDs and the Link/Activity LEDs for the LAN, DMZ and WAN ports.)
Front Panel Description
Power: Lights up when power is applied to the SonicWALL PRO 200 or SonicWALL PRO 300.
Test: Lights up when the SonicWALL is powered up and performing diagnostic tests to check for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time, the software is corrupt and must be reinstalled.
Alarm: Lights up and flashes for 10 seconds when an event generates an alert. Alert events are defined in the Log Settings section in Chapter 5.
There are three Ethernet ports, one for each of the LAN, DMZ and WAN ports.
Link: Lights up when a Twisted Pair connection is made to another Ethernet device (usually a hub) on the port. Note that the device connected to the SonicWALL must support the standard Link Integrity test
324. ...sconnect the PPTP connection after a specified period of inactivity. Define a maximum number of minutes of inactivity in the Minutes field. This value can range from 1 to 99 minutes.
10. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect.
Alert: When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN.
When your SonicWALL has successfully established a PPTP connection, the Network page displays the SonicWALL WAN IP settings. The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/LAN Subnet Mask and DNS Servers are displayed.
Alert: Enable and configure the SonicWALL DHCP server, or manually configure client DNS settings, to obtain DNS name resolution.
Restarting the SonicWALL
Once the network settings have been updated, the Status bar at the bottom of the browser window displays "Restart SonicWALL for changes to take effect". Restart the SonicWALL by clicking Restart. Then click Yes to confirm the restart and send the restart command to the SonicWALL. The restart can take up to 90 seconds, during which time the SonicWALL is inaccessible and all network traffic through the SonicWALL is halted.
Alert: If you change the SonicWALL LAN IP Address, you must change the Management Station IP address to be in the same subnet as the new LAN IP
325. Websense Enterprise Content Filter ... 110
    Restrict Web Features ... 110
    Configuring the Websense Content Filter List ... 112
    Websense Server Status ... 112
    Settings ... 112
    (entry illegible) ... 113
9. Web Management Tools ... 114
    Restarting the SonicWALL ... 114
    Preferences ... 115
    Exporting the Settings File ... 115
    Importing the Settings File ... 116
    Restoring Factory Default Settings ... 116
    Updating Firmware ... 117
    Updating Firmware Manually ... 118
    Upgrade Features ... 119
    Diagnostic Tools ... 120
    DNS Name Lookup ... 120
    (entry illegible) ... 122
    Packet Trace ... 123
    (entry illegible) ...
326. ... 92
    (entry illegible) ... 93
    Configure the following settings ... 93
    Log Categories ... 95
    Alerts/SNMP Traps ... 96
    Reports ... 96
    Web Site Hits ... 97
    Bandwidth Usage by IP Address ... 97
    Bandwidth Usage by Service ... 97
    SonicWALL ViewPoint ... 98
8. Content Filtering and Blocking ... 99
    Configuring SonicWALL Content Filtering ... 100
    Restrict Web Features ... 100
    URL List ... 101
    Customizing the Content Filtering List ... 103
    Consent ... 105
    Mandatory Filtered IP Addresses ... 106
    Configuring N2H2 Internet Filtering ... 107
    Restrict Web Features ... 107
    Configuring the Websen
327. (Screenshot residue: the Security Policy Editor shows Subnet Mask 255.255.255.0, Port All, Protocol All, and ID Type IP Address 10.50.16.81.)
1. Select Secure in the Network Security Policy box on the right side of the Security Policy Editor window.
2. Select IP Subnet in the ID Type menu.
3. Enter the SonicWALL LAN IP Address in the Subnet field.
4. Enter the LAN Subnet Mask in the Mask field.
5. Select All in the Protocol menu to permit all IP traffic through the VPN tunnel.
6. Select the Connect using Secure Gateway Tunnel check box.
7. Select IP Address in the ID Type menu at the bottom of the Security Policy Editor window.
8. Enter the SonicWALL WAN IP Address in the field below the ID Type menu. Enter the NAT Public Address if NAT is enabled.
Configuring VPN Client Identity
To configure the VPN Client Identity, click My Identity in the Network Security Policy window.
1. Select None from the Select Certificate menu.
2. Select the method used to access the Internet from the Internet Interface menu. Select PPP Adapter from the Name menu if you have a dial-up Internet connection. Select the Ethernet adapter if you have a dedicated cable, ISDN or DSL line.
(Screenshot residue: the My Identity page shows Select Certificate: None; Pre-Shared Key; ID Type IP Address 10.50.16.206; Virtual Adapter: Disabled; Internet Interface Name: a 3Com integrated adapter; IP Addr 10.50.16.206.)
328. ...sk and the Administrator Password are not reset.
Updating Firmware
The SonicWALL has flash memory and can be easily upgraded with new firmware. Current firmware can be downloaded from the SonicWALL, Inc. Web site directly into the SonicWALL.
Alert: Firmware updates are only available to registered users. You can register your SonicWALL online at <http://www.mysonicwall.com>.
Click Tools on the left side of the browser window and then click the Firmware tab.
(The Firmware tab shows Upload Firmware Now and Notify me when new firmware is available. Under Upgrade Features it reads: "You may be able to activate additional features. Check with SonicWALL for details on upgrading", followed by High Availability, Ethernet Address, Maximum LAN IP addresses, an Enter upgrade key field, and Update/Reset buttons.)
To be automatically notified when new firmware is available, select the Notify me when new firmware is available check box. Then click Update. If you enable firmware notification, your SonicWALL sends a status message to the SonicWALL, Inc. Firmware Server on a daily basis. The status message includes the following information:
• SonicWALL Serial Number
• Unit Type
• Current Firmware Version
• Language
• Current Available Memory
• ROM Version
• Options and Upgrades (SonicWALL VPN, Network Anti-Virus, etc.)
Because the serial number identifies the individual unit, decide whether this daily outbound message is acceptable under your own disclosure policy before enabling it.
Tip: The SonicWALL Privacy Policy is available at <http://www.sonicwall.com/corporate_info/privacy.html>.
329. ...transmitting only secured data.
(Status icon:) Your computer has established at least one secure connection and is transmitting both secured and unsecured data.
IKE and Manual Key Configuration for Two SonicWALLs
VPN between two SonicWALLs allows users to securely access files and applications at remote locations. The first step to set up a VPN between two SonicWALLs is creating corresponding Security Associations (SAs). The instructions below describe how to create an SA using Manual Keying and Internet Key Exchange (IKE). These instructions are followed by an example illustrating a VPN tunnel between two SonicWALLs. Either Manual Key or IKE using Preshared Secret can be used to configure a VPN tunnel between two SonicWALLs.
Manual Key for Two SonicWALLs
Click VPN on the left side of the SonicWALL browser window and then click the Configure tab.
1. Select Manual Key from the IPSec Keying Mode menu.
2. Select Add New SA from the Security Association menu.
(The Add/Modify IPSec Security Associations page shows: Security Association: Add New SA; IPSec Keying Mode: Manual Key; Name: TEST; Disable This SA; IPSec Gateway Address: 0.0.0.0; Security policy: Enable Windows Networking (NetBIOS) broadcast; Incoming SPI: 12345678; Outgoing SPI: 87654321; Encryption Method: Encrypt and Authenticate (ESP DES HMAC MD5); Encryption Key: F2268...)
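A Manual Key tunnel only comes up when the two SAs are exact mirror images: the incoming SPI on one side is the outgoing SPI on the other, the encryption and authentication keys are identical and of the right length for the chosen ESP method, and each side's IPSec Gateway Address is the peer's WAN (NAT public) address. The example below is added here and is not SonicWALL code: it generates keys of the correct length and checks a pair of SA definitions for those mistakes. The method-to-key-length table, the WEAK set and the site addresses, SPIs and names are this example's own assumptions; the field names follow the Configure tab.

```python
# Added example (not SonicWALL code): consistency check for a pair of
# Manual Key SAs, one per SonicWALL, plus key generation of the right length.
# Addresses, SPIs and names below are constructed.
import secrets

# ESP method -> (encryption key bytes, authentication key bytes); assumption
# based on DES/3DES and HMAC-MD5/HMAC-SHA1 key sizes.
METHODS = {
    "ESP DES HMAC MD5": (8, 16),
    "ESP 3DES HMAC SHA1": (24, 20),
}
WEAK = {"ESP DES HMAC MD5"}   # single DES and MD5 should not be used for new tunnels

def new_keys(method):
    """Random hex keys of the right length for the chosen method."""
    enc_len, auth_len = METHODS[method]
    return secrets.token_hex(enc_len), secrets.token_hex(auth_len)

def sa(name, wan_ip, gateway, spi_in, spi_out, method, enc_key, auth_key):
    """One side's Manual Key SA as it would be typed into the Configure tab."""
    return dict(name=name, wan_ip=wan_ip, gateway=gateway, spi_in=spi_in,
                spi_out=spi_out, method=method, enc_key=enc_key, auth_key=auth_key)

def hex_len_ok(value, nbytes):
    try:
        return len(bytes.fromhex(value)) == nbytes
    except ValueError:
        return False

def check_pair(a, b):
    """Return (errors, warnings) for a Manual Key tunnel between a and b."""
    errors, warnings = [], []
    if a["method"] != b["method"]:
        errors.append("encryption methods differ")
    elif a["method"] not in METHODS:
        errors.append(f"unknown encryption method {a['method']!r}")
    else:
        enc_len, auth_len = METHODS[a["method"]]
        for side in (a, b):
            if not hex_len_ok(side["enc_key"], enc_len):
                errors.append(f"{side['name']}: encryption key must be {enc_len} bytes of hex")
            if not hex_len_ok(side["auth_key"], auth_len):
                errors.append(f"{side['name']}: authentication key must be {auth_len} bytes of hex")
        if a["method"] in WEAK:
            warnings.append(f"{a['method']} is a weak cipher/MAC choice")
    if a["enc_key"] != b["enc_key"] or a["auth_key"] != b["auth_key"]:
        errors.append("encryption/authentication keys do not match on both sides")
    if a["spi_in"] != b["spi_out"] or a["spi_out"] != b["spi_in"]:
        errors.append("SPIs are not mirrored: a.incoming must equal b.outgoing and vice versa")
    if a["spi_in"] == a["spi_out"]:
        errors.append("incoming and outgoing SPI must differ")
    if a["gateway"] != b["wan_ip"] or b["gateway"] != a["wan_ip"]:
        errors.append("IPSec Gateway Address must be the peer's WAN (NAT public) address")
    return errors, warnings

ENC, AUTH = new_keys("ESP 3DES HMAC SHA1")
SITE_A = sa("HQ", "203.0.113.10", "198.51.100.20", "12345678", "87654321",
            "ESP 3DES HMAC SHA1", ENC, AUTH)
SITE_B = sa("Branch", "198.51.100.20", "203.0.113.10", "87654321", "12345678",
            "ESP 3DES HMAC SHA1", ENC, AUTH)

if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B))
    print(check_pair(SITE_A, dict(SITE_B, spi_in="12345678")))
```

Keys generated with secrets.token_hex are the point of new_keys: a Manual Key SA never rekeys on its own, so the keys must be long, random and rotated by hand, and the weak-method warning is there because the screenshot's DES/HMAC-MD5 default is not a sound choice today.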
330. ss or range, select it in the Address Range list and click Delete. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

HomePort Configuration

Note: For SonicWALL TELE3 TZ and TELE3 TZX only.

Computers connected to your HomePort must be configured to access the Internet through the HomePort IP address. The SonicWALL provides security by preventing home users from accessing computers on the WorkPort. This security, however, also prevents home users from reaching the Internet unless the computers connected to the HomePort are configured to be in the same network as the HomePort. First, you must configure the HomePort to use NAT or Standard mode as the networking configuration. Click Advanced on the left side of the browser window and then click HomePort.

Computers on the HomePort must have unique, valid IP addresses in the same subnet as the SonicWALL WAN IP Address if you select HomePort in Standard mode. Your ISP should be able to provide these IP addresses as well as information on setting up public servers.

HomePort in Standard Mode

To configure the H
331. sses in one network into those for a different network. As a form of packet filtering for firewalls, it protects a network from outside intrusion from hackers by replacing the internal LAN IP address on packets passing through a SonicWALL with a fake one from a fixed pool of addresses. The actual IP addresses of computers on the LAN are hidden from outside view. If you are assigned a single IP address by your ISP, follow the instructions below.

Tip: Be sure to have your network information, including your WAN IP address, subnet mask, and DNS settings, ready. This information is obtained from your ISP.

The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administrator password and configuring the settings necessary to access the Internet.

Accessing the Wizard

Alert: Your Web browser must be Java-enabled and support HTTP uploads in order to fully manage a SonicWALL. Internet Explorer 5.0 and above, as well as Netscape Navigator 4.0 and above, are recommended.

1. Open a Web browser. Then enter the default SonicWALL IP address, 192.168.168.168, into the Location or Address field in the Web browser.

The first time you access the SonicWALL Management interface, the SonicWALL Installation Wizard automatically launches and begins the installation process. Click Next to continue.
332. ssignment from your ISP.
- Each SonicWALL in the High Availability pair must have the same firmware version installed.
- Each SonicWALL in the High Availability pair must have the same upgrades and subscriptions enabled. If the backup unit does not have the same upgrades and subscriptions enabled, these functions are not supported in the event of a failure of the primary SonicWALL.

Network Configuration for High Availability Pair

The following diagram illustrates the network configuration for a High Availability pair.

[Diagram: Primary SonicWALL and Backup SonicWALL, each connected to the Internet, the LAN Network Segment, and the DMZ Network Segment.]

All SonicWALL ports being used must be connected together with a hub or switch. Each SonicWALL must have a unique LAN IP Address on the same LAN subnet. If each SonicWALL has a unique WAN IP Address for remote management, the WAN IP Addresses must be in the same subnet.

Alert: The two SonicWALLs in the High Availability pair send heartbeats over the LAN network segment. The High Availability feature does not function if the LAN ports are not connected.

Configuring High Availability on the Primary SonicWALL

Click High Availability on the left side of the SonicWALL browser window and then click Configure at the top of the window.
333. ... 81
NAT with PPPoE Configuration ... 82
Restarting the SonicWALL ... 83
NAT with L2TP Client Configuration ... 84
Restarting the SonicWALL ... 85
NAT with PPTP Client Configuration ... 86
Restarting the SonicWALL ... 87
Setting the Time and Date ... 88
NTP Settings ... 88
Configuring the Administrator Settings ... 89
Administrator Name ... 89
Change the Administrator Password ... 89
Setting the Administrator Inactivity Timeout ... 90
Login Failure Handling ... 90
7 Logging and Alerts ... 91
View Log ... 91
SonicWALL Log Messages
334. ... 199
Configuring the VPN Client ... 200
IKE and Manual Key Configuration for Two SonicWALLs ... 206
Manual Key for Two SonicWALLs ... 206
Configuring the Second SonicWALL Appliance ... 208
Example of Manual Key Configuration for Two SonicWALLs ... 208
IKE Configuration for Two SonicWALLs ... 211
Example of IKE Configuration for Two SonicWALLs ... 213
SonicWALL Third Party Digital Certificate Support ... 216
Overview of Third Party Digital Certificate Support ... 217
Creating a Certificate Signing Request ... 219
SonicWALL Enhanced VPN Logging ... 220
Testing a VPN Tunnel Connection Using PING ... 221
Configuring Windows Networking ... 222
14 High Availability ... 225
Before Configuring High Availability ... 225
Network Configuration for High Availability Pair ... 225
Configuring High
335. ... 188
Require authentication of remote users ... 188
Enable Windows Networking (NetBIOS) broadcast ... 188
Apply NAT and firewall rules ... 188
Forward Packets to Remote VPNs ... 188
Route all internet traffic through this SA ... 189
Enable Perfect Forward Secrecy ... 189
Phase 2 DH Group ... 189
Default LAN Gateway ... 189
VPN Terminated at the LAN, DMZ, or LAN/DMZ ... 190
Advanced Settings for VPN Configurations ... 191
Configuring SonicWALL VPN ... 192
Group VPN Configuration for the SonicWALL and VPN Client ... 193
Configuring Group VPN on the SonicWALL ... 193
Group VPN Client Setup ... 195
Manual Key Configuration for the SonicWALL and VPN Client ... 199
Configuring the SonicWALL
336. st DoS attacks.

HomePort
The TELE3 TZ and TELE3 TZX include a HomePort that allows you to separate company computers from home computers on your home network, yet share the same Internet connection.

WorkPort
The TELE3 TZ and TELE3 TZX include a WorkPort that allows you to isolate your IPSec VPN and secure your corporate connections with a stateful packet inspection firewall.

SNMP (Simple Network Management Protocol) Support
SNMP is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL Internet Security Appliances and receive notification of any critical events as they occur on the network.

Content Filtering

SonicWALL Content Filtering
You can use the SonicWALL Web content filtering to enforce your company's Internet access policies. The SonicWALL blocks specified categories, such as violence or nudity, using an optional Content Filter List. Users on your network can bypass the Content Filter List by authenticating with a unique user name and password.

Content Filter List Updates (optional)
Since content on the Internet is constantly changing, the SonicWALL automatically updates the optional Content Filter List every week to ensure that access restrictions to new and relocated Web sites and newsgroups are properly enforced.

Log and Block or Log Only
You can configure the SonicWALL to log and block access to objectionable Web sites, or to log
337. t SonicWALL.
- Active time: the length of time, in days, hours, and minutes, that the SonicWALL is active.
- Firmware version: shows the current version number of the firmware installed on the SonicWALL.
- ROM version: indicates the version number of the ROM.
- CPU: displays the type and speed of the SonicWALL processor.
- VPN Hardware Accelerator Detected: indicates the presence of a VPN Hardware Accelerator in the firewall. This allows better throughput for VPN connections.
- RAM: shows the amount of Random Access Memory on the board.
- Flash: indicates the size of the flash on the board.
- Ethernet Speeds: displays the network speeds of the network card.
- Current Connections: the number of computers connected to the SonicWALL.

Other SonicWALL general status information is displayed in this section relating to other features in the SonicWALL, such as the type of network settings in use, log settings, content filter use, and whether Stealth Mode is enabled on the SonicWALL.

The General, Log, Filter, Tools, Access, Advanced, DHCP, VPN, Anti-Virus, and High Availability buttons appear on the left side of the window. When one of the buttons is clicked, related management functions are selected by clicking the tabs at the top of the window. A Logout button at the bottom of the screen terminates the management session and redisplays the Authentication window. If Logout is clicked, you must log in again to manage the SonicWALL. Online help is also a
338. t into your Web browser.
2. As a new user, locate the statement "If you are not a registered user, click here." Click the link and an information form appears.
3. All fields marked with an asterisk (*) are required fields. Be sure to fill out the form completely before submitting it to the user database. Create a User Name and password for your mySonicWALL account. Confirm the password by typing it in the Confirm Password field. For your convenience, you can record the information below.
User Name: ______
Password: ______
If you forget your password before your user account is active, you have to create a new user account.
Tip: If your security policy doesn't allow you to write down passwords, write down a hint or a prompt for your password.
4. Create a Secret Question and Answer to prompt you for your password if you forget it.

Personal Information
5. Complete the Personal Information section of the Registration form.
339. t, select Enable SNMP.
2. Enter the System Name. This is the hostname of the SonicWALL appliance.
3. In the System Contact field, type in the name of the network administrator for the SonicWALL appliance.
4. Enter an e-mail address, telephone number, or pager number in the System Location field.
5. Create a name for a group or community of administrators who can view SNMP data and enter it in the Get Community Name field.
6. Create a name for a group or community of administrators who can view SNMP traps and enter it in the Trap Community Name field.
7. Enter the IP address or hostname of the SNMP management system receiving the SNMP traps in the Host 1 through 4 fields. Up to 4 addresses or hostnames can be specified.

Configuration of the Log
Log Settings for SNMP Trap messages are generated only for the categories for which alert messages are normally sent, i.e., attacks, system errors, and blocked Web sites. If none of the categories are selected on the Log Settings page, then none of the trap messages are sent out.

Configuration of the Service and Rules Pages
By default, the SonicWALL appliance responds only to SNMP Get messages received on its LAN interface. Appropriate rules must be set up in the SonicWALL to allow SNMP traffic to and from the WAN. SNMP trap messages can be sent via the LAN, WAN, or LAN interface. If your SNMP management system supports discovery, the SNMP agent should automatically dis
340. t Mask
The IP addressing system allows subnetworks, or "interchanges," to be created, and device numbers, or "extensions," to be established within these subnetworks. These numbers are created using a mathematical device called a subnet mask. A subnet mask, like the IP address, is a set of four numbers in dotted decimal notation. Subnet masks typically take three forms:
- 255.0.0.0
- 255.255.0.0
- 255.255.255.0
The number 255 masks out the corresponding number of the IP address, resulting in IP address numbers that are valid for the network. For example, an IP address of 123.45.67.89 and a subnet mask of 255.255.255.0 results in a subnetwork number of 123.45.67.0 and a device number of 89. The IP address numbers that are actually valid to use are those assigned by InterNIC. Otherwise, anyone could set up IP addresses that are duplicates of those at another company. The subnet mask used for the network typically corresponds to the class of IP address assigned. If the IP address is Class A, it uses a subnet mask of 255.0.0.0. Class B addresses use a subnet mask of 255.255.0.0, and Class C IP addresses use a subnet mask of 255.255.255.0.

Default Gateway
A default gateway is like a long-distance operator. Users can dial the operator to get assistance connecting to the end party. In complex networks with many subnetworks, gateways keep traffic from traveling between different subnetworks unless addressed to travel there. While this helps to
341. t filtering features.

Alert: The new SonicWALL LAN IP address displayed in the URL field of the Congratulations page is used to log in and manage the SonicWALL.

11. Click Restart to restart the SonicWALL.

The Restarting window of the Wizard reads: "SonicWALL is restarting. Since you have activated SonicWALL's DHCP server, you should now configure all the PCs and other network devices on your LAN to Obtain an IP address automatically. Note that it may be necessary to restart a PC or network device after changing its network configuration. Note: This includes the computer you are currently using to configure SonicWALL. You will not be able to re-contact SonicWALL until you have reconfigured your PC. Once you have reconfigured your PC and SonicWALL has finished restarting, you should be able to access the Internet. Note that the restarting process will take approximately 90 seconds to complete. Remember, from now on you will contact SonicWALL's Web Management Interface at http://192.168.168.1. Thank you for selecting SonicWALL."

Alert: The final window provides important information to help configure the computers on the LAN.

12. Click Print This Page to print the window information. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.
342. t in Seconds. The allowable range is 1-60 seconds, with a default value of 5.

RADIUS Servers
3. Specify the settings of the primary RADIUS server in the RADIUS Servers section. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network.
4. Enter the IP address of the RADIUS server in the IP Address field.
5. Enter the Port Number for the RADIUS server.
6. If there is a secondary RADIUS server, enter the appropriate information in the Secondary Server section.
7. Enter the RADIUS server administrative password, or shared secret, in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The Shared Secret is case-sensitive.

RADIUS Users
You can select the default privileges for all RADIUS users in this section.
- Remote Access: Enable this check box if the user accesses the SonicWALL from a remote computer. This option is only available in Standard mode.
- Bypass Filters: Enable Bypass Filters if the user can bypass Content Filter settings.
- Access to VPNs: Enable the check box if the user can send information over VPN Security Associations.
- Access from the VPN Client with XAUTH: Enable the check box if a VPN client is using XAUTH for authentication.
- Limited Management Capabilities: By enabling this check box, the user has limited local management access to the SonicWALL Management interface. The access is limited to the following pag
343. t, it cannot be longer than the session time set by the administrator. The connection closes when the user exceeds the inactivity timeout period or the maximum session time is exceeded. If the connection is closed, the user must re-authenticate to regain their access through the SonicWALL. Logging into the SonicWALL as the administrator automatically gives the user access to all VPN tunnels requiring authentication.

Tip: Authentication sessions create a log entry in the SonicWALL, but user activity is not logged.

RADIUS
RADIUS can provide control over user access and VPN access. RADIUS configuration is located in the Access window.

To configure RADIUS settings, complete the following instructions. Click the RADIUS tab.
1. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 1 and 10; however, 3 RADIUS server retries is recommended.
2. Define the RADIUS Server Timeou
344. t the DMZ Address Range does not include the SonicWALL WAN IP Address, the WAN Gateway (Router) Address, or any IP addresses assigned on the One-to-One NAT or Intranet windows.

Tip: The SonicWALL supports up to 64 DMZ address ranges.

DMZ in NAT Mode
The SonicWALL DMZ now has the ability to use private (internal) IP addresses rather than public IP addresses on the network. Since NAT hides the true IP addresses in use on the network, NAT on the DMZ is an additional security feature for the SonicWALL. The outside world only sees the outside public IP address of the DMZ and not the internal private addresses. To configure the DMZ in NAT Mode, use the following instructions:
1. In the DMZ Private Address field, enter the private (internal) IP address assigned to the DMZ interface.
2. Assign a subnet mask in the DMZ Subnet Mask field. The LAN and DMZ can have the same subnet mask, but the subnets must be different. For instance, the LAN subnet can be 192.168.0.1 with a subnet mask of 255.255.255.0, and the DMZ subnet can be 172.16.18.1 with a subnet mask of 255.255.255.0.
3. If you choose to use DMZ NAT Many-to-One Public Address (Optional), enter the DMZ public IP address, which is on the same subnet as the WAN, for access to devices on the DMZ interface. DMZ NAT Many-to-One Public Address is only available if your SonicWALL is configured in NAT Enabled networking mode.

Delete a DMZ Address Range
To delete an addre
345. t the Enable Keyword Blocking if you want to block Web traffic based on your list of customized keywords.
- Disable all Web traffic except for Allowed Domains: When the Disable Web traffic except for Allowed Domains check box is selected, the SonicWALL only allows Web access to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.

Time of Day
The Time of Day feature allows you to define specific times when Content Filtering is enforced. For example, you could configure the SonicWALL to filter employee Internet access during normal business hours, but allow unrestricted access at night and on weekends.
Tip: Time of Day restrictions only apply to the Content Filter List, Customized blocking, and Keyword blocking. Consent and Restrict Web Features are not affected.
- Always Block: When selected, Content Filtering is enforced at all times.
- Block Between: When selected, Content Filtering is enforced during the time and days specified. Enter the time period in 24-hour format and select the starting and ending day of the week that Content Filtering is enforced.

Filter Block Action
- Log Only: If this check box is selected, the SonicWALL logs and then allows access to all sites on the Content Filter, custom, and keyword lists. The Log Only check box allows you to monitor inappropriate usage without restricting access.
- Log and Block Access: Select t
346. tatus tab. To view the error message on the Status tab, click General on the left side of the browser and then Status at the top of the window. To check the backup SonicWALL firmware version or serial number, log into the backup SonicWALL, click General on the left side of the browser window, and then click Status at the top of the window. Both the firmware version and the SonicWALL serial number are displayed at the top of the window. If the backup SonicWALL serial number was incorrectly specified in the primary SonicWALL Web Management Interface, log into the primary SonicWALL and correct the Backup SonicWALL Serial Number field.

At this point, you have successfully configured your two SonicWALLs as a High Availability pair. In the event of a failure in the primary unit, the backup unit takes over operation and maintains the connection between the protected network and the Internet.

Configuration Changes
Configuration changes for the High Availability pair can be made on the primary or the backup SonicWALL. The primary and backup SonicWALL appliances are accessible from their unique IP addresses. A label indicates which SonicWALL appliance is accessed.
347. te the Destination Network. Include the subnet mask, which determines broadcast addresses for NetBIOS support.
- Use this SA as the default route for all Internet traffic (Security Associations using IKE with Pre-shared Secret and Manual Key): Enable this check box if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this setting.
- Destination network obtains IP addresses using DHCP through this SA (Security Associations using IKE and Pre-shared Secret, but not Group VPN or Manual Key): Enable this check box if you are managing your IP address allocation from a central location.
- Specify destination networks below: Configure the destination networks for your VPN Security Association. Click Destination Networks to enter the IP address and subnet mask.

Adding Destination Networks
To add a second destination network, click Add New Network and define the Network and Subnet Mask fields of the second network segment. To modify a destination network, click the Notepad icon to the right of the appropriate destination network entry. Then modify the appropriate fields and click Update to update the configuration. To delete a destination network, click the Trash Can icon to the far right of the appropriate destination network entry, and then click OK to confirm the removal.

Modifying and Deleting Existing Security Associations
The Security Association menu also allows you to modify and delete existin
348. te on both ends of the VPN. Symmetric cryptography, or secret key cryptography, is usually faster than asymmetric cryptography. Therefore, symmetric algorithms are often used when large quantities of data have to be exchanged. SonicWALL VPN uses Symmetric Cryptography. As a result, the key on both ends of the VPN tunnel must match exactly.

Security Association (SA)
A Security Association (SA) is a group of security settings related to a specific VPN tunnel. A Security Association groups together all of the settings necessary to create a VPN tunnel. Different SAs can be created to connect branch offices, allow secure remote management, and pass unsupported traffic. All Security Associations require a specified Encryption Method, IPSec Gateway Address, and Destination Network Address. IKE includes a Shared Secret. Manual Keying includes two SPIs and an Encryption and Authentication Key.

Internet Key Exchange (IKE)
IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates Phase 1 Encryption/Authentication Keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates the keys that are used to pass IP traffic. The initial exchange occurs on UDP port 500, so when an IKE SA is created, the SonicWALL automatically opens port 500 to allow the IKE key exchange.

Manual Key
The Ma
349. tects if a WAN Ethernet connection exists when the SonicWALL is powered on. Because it can automatically detect the Ethernet connection, the Primary Interface is Ethernet.

Failover Settings
You can enable WAN failover for the SonicWALL by configuring settings in this section. Select Enable WAN Failover to use this feature on the SonicWALL. The Secondary Interface setting defaults to Modem.

Preempt Mode
Select Preempt Mode if you want the TELE3 SP to re-establish the connection to the WAN Ethernet interface after a connection failure on the WAN Ethernet port.

Probing on the TELE3 SP
Probing for WAN connectivity occurs over the Ethernet connection, the dial-up connection, or both. When probing is disabled on the Ethernet link, the SP only performs link detection. If the Ethernet connection is lost for a duration of 5-9 seconds, the SP considers the Ethernet connection to be unavailable. If the Ethernet link is lost for 0-4 seconds, the SP does not consider the connection to be lost. If you are swapping cables quickly, unnecessary WAN failover does not occur on the SP. If probing is enabled and the cable is unplugged, the 5-9 second link detection does not occur. Instead, the probing rules apply to the connection, using the parameters configured for Probe Interval Time and number of Missed Probes. If probing is enabled on Dial-up, the dial-up connection is terminated and re-established when probing fails over the modem. Use the following instruct
350. ter the service or product.

Problems Creating a mySonicWALL.com User Account
If you're having trouble creating a user account on the mySonicWALL.com Web site, be sure to check the following items in your browser:
- Accept Cookies
- Internet Explorer 5.0 or higher
- Netscape 4.5 or higher
- Allow Java scripts
- Correct Password for mySonicWALL.com

User Name and Password Functions
If you forget your user name, you must send an e-mail message to Tech Support requesting your user name. Be sure to include the e-mail address used to create the mySonicWALL.com account. If you forget your password, use the "Forget Password? Click here" link to use your Secret Question and Answer to remember your password. If you did not set up a Secret Question and Answer for your password, a link appears allowing you to reset your password. Be sure to use the same user name and e-mail address as your mySonicWALL.com user account.

Registering Your SonicWALL Internet Security Appliance
To register your SonicWALL Internet Security Appliance, click the hyperlink Click Here in the Registered SonicWALL Products section. Or, to quickly register your appliance, enter the Activation Key of a service or a SonicWALL Internet Security Appliance serial number into the field in the Quick Register sec
351. tion.

Click Here Registration
If you use the hyperlink Click Here, a My Products page appears and you can register your appliance by entering the Serial Number in the Add New Product field. You can also create a Friendly Name, such as "San Francisco Office", to identify the SonicWALL. Using Friendly Names can assist you with managing multiple SonicWALLs.

Quick Registration
To quickly register a SonicWALL Internet Security Appliance, enter the serial number in the field under the Quick Register section and click Go. The serial number automatically appears in the Serial Number field. You can then create a Friendly Name for the appliance. If you enter an incorrect serial number into the Serial Number field, a message stating that the appliance is previously registered may be returned. Write your SonicWALL serial number below.
SonicWALL Serial Number: ______
352. tions and descriptions subject to change without notice.

LIMITED WARRANTY
SonicWALL, Inc. warrants the SonicWALL Internet Security Appliance (the "Product") for one (1) year from the date of purchase against defects in materials and workmanship. If there is a defect in the hardware, SonicWALL will replace the product at no charge, provided that it is returned to SonicWALL with transportation charges prepaid. A Return Materials Authorization (RMA) number must be displayed on the outside of the package for the product being returned for replacement, or the product will be refused. The RMA number can be obtained by calling SonicWALL Customer Service between the hours of 8:30 AM and 5:30 PM Pacific Standard Time, Monday through Friday.
Phone: 408-752-7819
Fax: 408-745-9300
Web: <http://www.sonicwall.com/support>
This warranty does not apply if the Product has been damaged by accident, abuse, misuse, or misapplication, or has been modified without the written permission of SonicWALL. In no event shall SonicWALL, Inc. or its suppliers be liable for any damages whatsoever, including, without limitation, damages for loss of profits, business interruption, loss of information, or other pecuniary loss arising out of the use of or inability to use the Product. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you. Where li
...tive until the WAN Ethernet connection is reactivated. If you want the modem to dial the ISP only when there is data to transmit, select Dial on Data. Select Manual Dial to dial the ISP only when you choose to, for example when traveling with the TELE3 SP.

Alert: If you enable Persistent Connection for the modem, the modem connection remains active until the WAN Ethernet connection is reactivated or you force disconnection by clicking Disconnect on the Configure page.

2. Enter the number of minutes a dial-up connection is allowed to be inactive in the Inactivity Timeout (minutes) field. The default value is five (5) minutes.
3. Select the connection speed from the Max Connection Speed (bps) menu. Auto is the default setting, as the TELE3 SP automatically detects the connection speed when it connects to the ISP.
4. Select Maximum Connection Time (minutes) if the connection should be terminated after a specified time, and enter the number of minutes the connection may stay active. The value can range from 0 to 1440 minutes. This feature does not conflict with Inactivity Timeout: if both are configured, the connection is terminated by whichever timer expires first.
5. If you select Maximum Connection Time (minutes), enter the number of minutes to wait before redialing the ISP in the Delay Before Reconnect field. The value can range from 0 to 1440; the default value is 0, which means there is no delay before reconnecting to the ISP.
Sel...
...to create and enforce Internet access policies tailored to the requirements of the organization. An annual subscription to the Content Filter List, provided by CyberPatrol, allows you to block or monitor access to undesirable Internet sites, such as pornography or violence. Automatic weekly updates of the customizable Content Filter List ensure proper enforcement of access restrictions to new and relocated sites. For more information on SonicWALL Content Filtering, visit http://www.sonicwall.com/content_filter/index.html

Vulnerability Scanning Service

SonicWALL Vulnerability Scanning Service is an automated subscription that provides network administrators a hacker's-eye view of a company's network perimeter, including public servers, routers and gateways, and integrates with SonicWALL's industry-leading Internet security appliances. SonicWALL Vulnerability Scanning Service examines a network perimeter for security weaknesses on an ongoing basis. It reports all vulnerabilities detected and provides administrators with in-depth expert guidance to quickly close any security holes in a network. This subscription-based service offers vulnerability assessment scans that can be scheduled on a regular basis or run on demand when policies change or new equipment is deployed. For more information on the SonicWALL Vulnerability Scanning Service, visit http://www.sonicwall.com/products/vss

SonicWALL Authentication Service

SonicWALL Auth...
...to protect the security of your SonicWALL. Note that this password is encrypted when sent over your network. Your password should be a combination of letters, numbers and punctuation. Do not use a password that can easily be guessed by others, such as the name of your spouse or your birthday. Note also that your password is case sensitive.

New Password
Confirm New Password

If you plan to manage your SonicWALL remotely using the SonicWALL Global Management System, check the Use Global Management System check box.

1. To set the password, enter a new password in the New Password and Confirm New Password fields.
2. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue.

Setting the Time and Date

Set your Time Zone: the SonicWALL's internal clock is configured automatically by accessing a Network Time server on the Internet. Select your Time Zone from the pull-down menu (for example, Pacific Time (US & Canada), GMT -8:00).

3. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue.
...ton resets the audible alarm.

Cooling Vents

The SonicWALL is convection cooled and has an internal fan that is not crucial to the function of the GX but provides additional cooling to the unit. Do not block the cooling vents on the SonicWALL front and back panels.

17 Troubleshooting Guide

This chapter provides solutions for problems that you might encounter when using the SonicWALL. If you are unable to solve your problem, visit the SonicWALL Tech Support Web site at <http://www.sonicwall.com/support>. There you will find resources to help you resolve most technical issues, as well as a means to contact a SonicWALL Technical Support engineer.

The Link LED is off

• Make sure the SonicWALL is powered on.
• Make sure the cable connections are secure. Gently moving the cable back and forth should not make the Link LED turn on and off.
• Try replacing the cable with a known good cable.
• Is it the correct cable? Try using a standard Ethernet or crossover cable instead.

A computer on the LAN cannot access the Internet

• If NAT is enabled, make sure the default router (gateway) address of the LAN computer is set to the SonicWALL LAN IP Address.
• All computers on the LAN should be able to log into the SonicWALL Management Interface by typing the SonicWALL LAN IP Address into the Location or Go to field of a Web browser. If the SonicWALL authentication screen does not appear, check for Ethernet conne...
...ts report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports or other inappropriate sites appear in the Web Site Hits report, you can choose to block those sites.

Bandwidth Usage by IP Address

Selecting Bandwidth Usage by IP Address from the Display Report menu displays a table showing the IP addresses of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.

Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Display Report menu displays a table showing the names of the 25 top Internet services (such as HTTP, FTP, RealAudio, etc.) and the number of megabytes received from each service during the current sample period. The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.

SonicWALL ViewPoint

SonicWALL ViewPoint is a software solution that creates dynamic Web-based reports of network activity. ViewPoint generates both real-time and historical reports to provide a complete view of all activity through your SonicWALL Internet Security Appliance. With SonicWALL ViewPoint you can monitor network access, enhance network security and anticipate future bandwidth needs. SonicWALL ViewPoint:
• Displays...
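The three reports above (Web Site Hits, Bandwidth Usage by IP Address, Bandwidth Usage by Service) are aggregations over per-connection traffic records. The following is an added example, not code from the guide or from SonicWALL, that produces the same top-N tables from such records and flags services that eat more than a chosen share of the total. The record layout (source IP, service, destination host, bytes) and the sample records are constructed for illustration; the appliance's own log format is not on the page.

```python
"""Top-N usage reports over constructed traffic records (added example)."""
from collections import defaultdict

# Constructed sample records: (source_ip, service, destination_host, bytes).
# The layout is an assumption for this example, not the appliance's log format.
SAMPLE_RECORDS = [
    ("192.168.168.10", "HTTP", "www.example.com", 1_500_000),
    ("192.168.168.10", "HTTP", "news.example.org", 2_500_000),
    ("192.168.168.11", "FTP", "ftp.example.net", 12_000_000),
    ("192.168.168.12", "RealAudio", "stream.example.org", 30_000_000),
    ("192.168.168.12", "HTTP", "www.example.com", 500_000),
    ("192.168.168.13", "HTTP", "sports.example.org", 900_000),
]

MB = 1_000_000  # decimal megabytes, the unit the report tables show


def _top(counter, n):
    """Sort by value descending, then by key for a stable order, keep the first n."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def bandwidth_by_ip(records, n=25):
    """[(ip, megabytes)] for the top-n senders (Bandwidth Usage by IP Address)."""
    totals = defaultdict(int)
    for src, _svc, _host, nbytes in records:
        totals[src] += nbytes
    return [(ip, round(b / MB, 2)) for ip, b in _top(totals, n)]


def bandwidth_by_service(records, n=25):
    """[(service, megabytes)] for the top-n services (Bandwidth Usage by Service)."""
    totals = defaultdict(int)
    for _src, svc, _host, nbytes in records:
        totals[svc] += nbytes
    return [(svc, round(b / MB, 2)) for svc, b in _top(totals, n)]


def web_site_hits(records, n=25):
    """[(host, hits)] for the most visited Web sites (Web Site Hits)."""
    hits = defaultdict(int)
    for _src, svc, host, _nbytes in records:
        if svc == "HTTP":
            hits[host] += 1
    return _top(hits, n)


def heavy_services(records, fraction=0.5):
    """Services consuming more than `fraction` of all bytes: candidates to block or rate-limit."""
    totals = defaultdict(int)
    for _src, svc, _host, nbytes in records:
        totals[svc] += nbytes
    total = sum(totals.values())
    return [svc for svc, b in _top(totals, len(totals)) if total and b / total > fraction]


if __name__ == "__main__":
    print("Top senders:", bandwidth_by_ip(SAMPLE_RECORDS, 5))
    print("By service:", bandwidth_by_service(SAMPLE_RECORDS))
    print("Web hits:", web_site_hits(SAMPLE_RECORDS))
    print("Heavy services:", heavy_services(SAMPLE_RECORDS))
```

The per-service check is what turns the report into a decision: in the sample, one streaming service accounts for more than half of all bytes, which is exactly the situation the paragraph above says justifies blocking.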
...twork administrator can reduce network traffic congestion, prevent a small number of users from consuming all available bandwidth, or allow priority applications to run smoothly. Bandwidth management works by allocating traffic to a class based on application type, source or destination addresses, or a combination of both. Traffic is then scheduled according to the minimum and maximum bandwidth configured for each traffic type.

Bandwidth Management is controlled by the SonicWALL Internet Security Appliance on outbound traffic only. It is activated in the Ethernet tab. Configuring Bandwidth Management is handled in the Rules tab of the Access section, which allows you to manage outgoing traffic according to TCP/IP or UDP ports (services such as FTP, HTTP, E-mail, SIP, etc.) and source and destination IP addresses. VPN traffic can also be managed by enabling bandwidth management on the VPN Configure tab and then specifying the Guaranteed, Maximum and priority of all VPN traffic through the SonicWALL.

Alert: Bandwidth management cannot be configured for individual VPN Security Associations. It can only be configured for all VPN traffic.

How SonicWALL Bandwidth Management Works

SonicWALL Bandwidth Management can assign a portion of the available bandwidth and a priority to each class of network traffic. Priorities range from 0 (zero, the highest) to 7 (the lowest). Defining a class of traffic that has 0 bandwidth allocated to it effectively blocks the traffic un...
Managing Services for SonicWALL Internet Security Appliances

In the Applicable Services section of mySonicWALL.com, a list of installed and inactivated services for your SonicWALL is displayed.

Activated services are indicated by the Installed icon with a green check mark. Inactive services are indicated by the Activate icon with a red arrow. Activated service names are also hyperlinked to an information page with the Activation Status and the Expiration Date of the service. Services can also be renewed by clicking on the name and entering the activation key into the Activation Key field.
...u must enter an IP address in the Trace on IP address field; do not enter a host name such as www.yahoo.com. Contact the remote host using an IP application such as Web, FTP or Telnet. Click Refresh and the packet trace information is displayed. Click Stop to terminate the packet trace and Reset to clear the results.

Tech Support Report

The Tech Support Report generates a detailed report of the SonicWALL configuration and status and saves it to the local hard disk. This file can then be e-mailed to SonicWALL Technical Support to help with a problem.

Alert: You must register your SonicWALL on mySonicWALL.com to receive technical support.

Before e-mailing the Tech Support Report to the SonicWALL Technical Support team, complete a Tech Support Request Form at <http://techsupport.sonicwall.com/swtech.html>. After the form is submitted, a unique case number is returned. Include this case number in all correspondence, as it allows SonicWALL Technical Support to provide you with better service.

In the Tools section, click the Diagnostic tab and then select Tech Support Report from the Choose a diagnostic tool menu. Four Report Options are available in the Tech Support Report section:
• VPN Keys saves shared secrets, encryption keys and authentication keys to the report. Because this option writes live secrets into the file, treat the report as sensitive and include it only when Technical Support asks for it.
• ARP Cache saves a table relating IP addresses to the corresponding MAC (physical) addresses.
• DHCP Bindings saves entries from the SonicWALL DHCP server...
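A report that contains VPN shared secrets and keys should not be e-mailed unchanged. The following added example, which is not code from the guide or from SonicWALL, scrubs labelled secret values from a report file and then double-checks for long hex runs that look like raw keys. The report layout, the label names and the sample report text are constructed assumptions; the real report format is not on the page.

```python
"""Scrub secrets from a Tech Support Report before e-mailing it (added example)."""
import re

# Labels whose values must not leave the organisation. "VPN Keys" writes shared secrets,
# encryption keys and authentication keys into the report; the label spellings are an
# assumption for this example, since the real report format is not on the page.
SENSITIVE_LABELS = ("shared secret", "encryption key", "authentication key", "password")

_LABELLED = re.compile(
    r"^(?P<label>.*?(?:" + "|".join(re.escape(l) for l in SENSITIVE_LABELS) + r")[^:=]*[:=]\s*)"
    r"(?P<value>\S.*)$",
    re.IGNORECASE,
)
# Raw ESP/AH keys are long hex strings; catch them even when no label is present.
_HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,}\b")

# Constructed sample, not a real report.
SAMPLE_REPORT = """\
SonicWALL Tech Support Report (constructed sample, not a real report)
Firmware: 6.x
VPN Security Association: Chicago
  Shared Secret: hunter2-chicago
  Encryption Key: 0123456789abcdef0123456789abcdef
  Authentication Key = fedcba9876543210fedcba9876543210fedcba98
ARP Cache:
  10.0.0.254  00:11:22:33:44:55
DHCP Bindings:
  192.168.168.50  00:aa:bb:cc:dd:ee
"""


def redact_report(text):
    """Return (redacted_text, number_of_values_replaced)."""
    out, count = [], 0
    for line in text.splitlines():
        m = _LABELLED.match(line)
        if m and m.group("value") != "<REDACTED>":
            out.append(m.group("label") + "<REDACTED>")
            count += 1
        else:
            out.append(line)
    return "\n".join(out), count


def suspicious_lines(text):
    """1-based line numbers that still carry a long hex run (possible unlabelled key)."""
    return [i for i, line in enumerate(text.splitlines(), 1) if _HEX_RUN.search(line)]


def safe_to_send(text):
    """True when nothing labelled sensitive and nothing key-like remains."""
    _, n = redact_report(text)
    return n == 0 and not suspicious_lines(text)


if __name__ == "__main__":
    cleaned, n = redact_report(SAMPLE_REPORT)
    print(f"redacted {n} values; still suspicious: {suspicious_lines(cleaned)}")
    print(cleaned)
```

The ARP and DHCP tables survive untouched, which is the point: Support needs the topology, not the keys. The hex-run check is the second line of defence for a key that appears under a label this list does not know.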
...u can configure the SonicWALL to use NAT with a single static IP address. The advantages of Network Address Translation (NAT) are IP address conservation and hiding your internal IP addresses from a public WAN such as the Internet.

Confirming Network Address Translation (NAT) Mode

If you select "Assigned you a single static IP address" in the Connecting to the Internet page, the Use Network Address Translation (NAT) page is displayed. Since your ISP has given you only one static IP address, the Wizard enables NAT to share that IP address among the PCs and other network devices on your Local Area Network (LAN). If you want to continue and use NAT, click Next. Otherwise, click Back to select another option. The Use Network Address Translation (NAT) page verifies that the SonicWALL has a registered IP address.

Selecting NAT Enabled Mode

If you selected "Assigned you two or more static IP addresses", the Optional Network Address Translation (NAT) page is displayed. You can enable Network Address Translation (NAT) to share a limited number of IP addresses among the PCs and oth...
...uctions on modem configuration for the TELE3 SP.

Chapter 5, Managing Your SonicWALL Internet Security Appliance, provides a brief overview of the SonicWALL Web Management Interface.
Chapter 6, General and Network Settings, describes the configuration of the SonicWALL IP settings, time and password.
Chapter 7, Logging and Alerts, illustrates the SonicWALL logging, alerting and reporting features.
Chapter 8, Content Filtering and Blocking, describes SonicWALL Web content filtering, including subscription updates and customized Web blocking.
Chapter 9, Web Management Tools, provides directions to restart the SonicWALL, import and export settings, upload new firmware and perform diagnostic tests.
Chapter 10, Network Access Rules, explains how to permit and block traffic through the SonicWALL, set up Servers and enable remote management.
Chapter 11, Advanced Features, describes advanced SonicWALL settings such as One-to-One NAT and Automatic Web Proxying.
Chapter 12, DHCP Server, describes the configuration and setup of the SonicWALL DHCP server.
Chapter 13, SonicWALL VPN, explains how to create a VPN tunnel between two SonicWALLs and how to create a VPN tunnel from the VPN client to the SonicWALL.
Chapter 14, High Availability, describes the configuration of two SonicWALLs, one primary and one backup, as a High Availability pair.
Chapter 15, SonicWALL Options and Upgrades, presents a brief summary of the SonicWALL's subscripti...
...uer, Certificate Serial Number and the Expiration Date are generated by the CA service. The information is used when a Generate Certificate Signing Request is created and sent to your CA service for validation. To delete the certificate, click Delete This Certificate. You can delete a certificate if it has expired or if you decide not to use Third Party Certificates for VPN authentication. Click Export This CA Certificate to export the file to your hard drive or a floppy disk.

Importing a Certificate with Private Key

After a certificate is signed by the CA and returned to you, you can import the certificate into the SonicWALL to be used as a Local Certificate for a VPN Security Association. Use the following steps to import the certificate into the SonicWALL:
1. In the Import Certificate with private key section of Local Certificates, enter the Certificate Name.
2. Enter the Certificate Management Password. This password was created when you exported your signed certificate.
3. Use Browse to locate the certificate file.
4. Click Import, and the certificate appears in the list of Current Certificates.
5. To view details about the certificate, select it from the list of Current Certificates.

Certificate Details

Both Certificate Requests and validated Certificates appear in the list of Current Certificates. The Certificate Details section lists the same information as the CA Certificate Details section, but a Status entry now...
...ure the Management Station TCP/IP settings in order to initially contact the SonicWALL. It is assumed that the Management Station can access the Internet through an existing connection.

The SonicWALL is pre-configured with the IP address 192.168.168.168. During the initial configuration it is necessary to temporarily change the IP address of the Management Station to one in the same subnet as the SonicWALL. For initial configuration, set the IP address of the Management Station to 192.168.168.200.

Make a note of the Management Station's current TCP/IP settings. If the Management Station accesses the Internet through an existing broadband connection, those TCP/IP settings can be helpful when configuring the IP settings of the SonicWALL.

Windows 98
1. From the Start list, highlight Settings and then select Control Panel.
2. Double-click the Network icon in the Control Panel window.
3. Double-click TCP/IP in the Network window to open the TCP/IP Properties window.
4. Select the Specify an IP Address radio button...
...ures section of the Configure tab. If you trust content on specific domains, you can select Don't block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX and cookies are not blocked from Trusted Domains if the check box is selected.

Message to display when a site is blocked

When a user attempts to access a site blocked by the Websense Enterprise Content Filter List, only Websense Enterprise messages are displayed in the browser. If the Websense Enterprise Content Filter List server is unavailable, the default SonicWALL message is displayed.

Configuring the Websense Content Filter List

Configure the Websense Enterprise settings on this page. The page contains the following controls:
• Apply Content Filter on: WorkPort, HomePort, VPN
• Restrict WEB Features: ActiveX, Java, Cookies, Known Fraudulent Certificates, Access to HTTP Proxy Servers
• Don't block Java/ActiveX/Cookies to Trusted Domains, with Add Trusted Domain and Delete Domain
• Message to display when a site is blocked (default: Web Site Blocked by SonicWALL Filter). Websense Enterprise displays its own site-blocked messages unless it is unavailable.
• Update and Reset

Websense Server Status

This section displays the status of the Websense Enterprise server used for content filtering. Settin...
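Whether a host counts as one of the Trusted Domains decides whether Java, ActiveX and cookies reach the browser, so the match must be on whole DNS labels, not on substrings: a substring match would treat example.com.attacker.net as trusted. The following is an added example, not code from the guide or from SonicWALL, showing the label-wise check beside the naive one and how it feeds the Restrict Web Features decision. The function names and the sample domains are this example's own.

```python
"""Trusted Domain matching for the Java/ActiveX/Cookies bypass (added example)."""


def normalize_host(value):
    """Lower-case host name from a domain, host:port or URL string; empty if none."""
    v = value.strip().lower()
    if "://" in v:
        v = v.split("://", 1)[1]
    v = v.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return v.rstrip(".")


def is_trusted(host, trusted_domains):
    """True only when host equals a trusted domain or is a subdomain of one.

    The comparison is on whole labels: example.com trusts www.example.com but
    not notexample.com and not example.com.attacker.net.
    """
    h = normalize_host(host)
    if not h:
        return False
    for d in trusted_domains:
        d = normalize_host(d)
        if d and (h == d or h.endswith("." + d)):
            return True
    return False


def naive_is_trusted(host, trusted_domains):
    """Plain substring match: the mistake to avoid, kept only for contrast."""
    h = host.lower()
    return any(d.lower() in h for d in trusted_domains)


def web_features_blocked(host, trusted_domains,
                         restrict=("Java", "ActiveX", "Cookies"), bypass_trusted=True):
    """Features still blocked for this host under the Restrict Web Features settings."""
    if bypass_trusted and is_trusted(host, trusted_domains):
        return ()
    return tuple(restrict)


if __name__ == "__main__":
    trusted = ["example.com"]
    for h in ("www.example.com", "example.com.attacker.net", "notexample.com"):
        print(h, "strict:", is_trusted(h, trusted), "naive:", naive_is_trusted(h, trusted))
```

The normaliser also strips a scheme, port and path so that an administrator can paste a URL into the Trusted Domain list and still get a domain comparison rather than a string one.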
...vailable. Click Help at the top of any browser window to view the help files stored in the SonicWALL.

CLI Support and Remote Management

Out-of-band management is available on SonicWALL Internet Security Appliances using the CLI (Command Line Interface) feature. SonicWALL Internet Security Appliances can be managed from a console using typed commands and a modem or null modem cable connected to the serial port on the back of the SonicWALL appliance. The only modem currently supported is the US Robotics v.90/v.92 modem. CLI communication requires the following modem settings:
• 9600 bps
• 8 bits, no parity
• no handshaking

After the modem is accessed, a terminal emulator such as HyperTerminal is used to manage the SonicWALL Internet Security Appliance. Once the SonicWALL is accessed, type in the User Name and password: admin for User Name, and then the password used for the management interface. Because this dial-in path is protected only by that management password, use a strong one and treat the modem line as a remote management interface.

The following CLI commands are available for the SonicWALL:
• ? or Help displays a listing of the top-level commands available.
• Export exports preferences from the SonicWALL using the Zmodem file transfer protocol.
• Import imports preferences into the SonicWALL using the Zmodem file transfer protocol.
• Logout logs out of the SonicWALL appliance.
• Ping pings either an IP address or a domain name for a specified host.
• Restart restarts the SonicWA...
...via a Rule has a check box to enable bandwidth management for the Service. Select Enable Bandwidth Management in the Add Rule window, then enter the Guaranteed Bandwidth in Kbps for the Service and the Maximum Bandwidth in Kbps for the Service. Before you can enable and configure bandwidth management for Rules, you must enable it on the Ethernet page in the Advanced section.

Alert: Bandwidth management is very complex and requires extensive knowledge of networks and networking protocols. Incorrect bandwidth management may cause network problems or degradation of network performance. See Bandwidth Management in Chapter 10, Advanced, for more information.

Add a New Rule

1. Click Add New Rule in the Rules window to open the Add Rule window. The Add Network Access Rule window contains: Action (Allow or Deny); Service; Source and Destination address ranges (Addr Range Begin, Addr Range End); Apply this rule always, or a schedule in 24-hour format from a day and time to a day and time; Inactivity Timeout in Minutes; Allow Fragmented Packets; and, taking effect only once enabled on the Advanced Ethernet page, Enable Outbound Bandwidth Management with Guaranteed Bandwidth (Kbps), Maximum Bandwidth (Kbps) and Bandwidth Priority.
2. Select Allow or Deny in the Action list, depending upon whether the rule is intended to permit or block IP traffic.
3. Select the name of the s...
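The Guaranteed Bandwidth, Maximum Bandwidth and Bandwidth Priority fields of a rule, and the 0-to-7 priority scale and 0-bandwidth blocking described under How SonicWALL Bandwidth Management Works, are easiest to understand as a two-pass scheduler. The following is an added model, not code from the guide or from SonicWALL: every class first receives its guaranteed share, then the leftover link capacity is handed out in priority order up to each class's maximum. The class and function names, and the treatment of ties in definition order, are this example's assumptions.

```python
"""Model of outbound bandwidth management: guaranteed, maximum, priority (added example)."""
from dataclasses import dataclass


@dataclass
class TrafficClass:
    name: str
    guaranteed_kbps: int   # Guaranteed Bandwidth: reserved minimum
    maximum_kbps: int      # Maximum Bandwidth: hard cap; 0 blocks the class
    priority: int          # Bandwidth Priority: 0 (highest) .. 7 (lowest)
    demand_kbps: int       # what the class is trying to send right now


def validate(link_kbps, classes):
    """Reject settings the scheduler cannot honour."""
    for c in classes:
        if not 0 <= c.priority <= 7:
            raise ValueError(f"{c.name}: priority must be 0..7")
        if c.guaranteed_kbps > c.maximum_kbps:
            raise ValueError(f"{c.name}: guaranteed exceeds maximum")
    if sum(c.guaranteed_kbps for c in classes) > link_kbps:
        raise ValueError("sum of guaranteed bandwidth exceeds the link: oversubscribed")


def allocate(link_kbps, classes):
    """Return {class name: kbps} for one scheduling interval.

    Pass 1 gives every class its guaranteed share (never more than it demands).
    Pass 2 hands the remaining capacity out in priority order, 0 first (ties keep
    definition order, an assumption of this model), up to each class's maximum.
    A class with maximum 0 never receives bandwidth: that is the 0-bandwidth block.
    """
    validate(link_kbps, classes)
    alloc = {c.name: min(c.guaranteed_kbps, c.demand_kbps) for c in classes}
    remaining = link_kbps - sum(alloc.values())
    for c in sorted(classes, key=lambda c: c.priority):
        want = min(c.maximum_kbps, c.demand_kbps) - alloc[c.name]
        extra = min(max(want, 0), remaining)
        alloc[c.name] += extra
        remaining -= extra
    return alloc


def blocked(classes):
    """Names of classes whose maximum is 0 (effectively blocked)."""
    return [c.name for c in classes if c.maximum_kbps == 0]


if __name__ == "__main__":
    link = 1000  # kbps of outbound WAN capacity, constructed figure
    classes = [
        TrafficClass("VPN", 300, 1000, 0, 800),
        TrafficClass("HTTP", 100, 600, 3, 600),
        TrafficClass("P2P", 0, 0, 7, 500),
    ]
    print(allocate(link, classes), "blocked:", blocked(classes))
```

Run against the constructed figures, VPN (priority 0) takes its guarantee plus most of the spare capacity, HTTP keeps at least its guarantee, and the 0/0 class gets nothing however much it demands. The validation step catches the oversubscription the Alert warns about, where guarantees add up to more than the link can carry.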
...vior. There are three types of dial-up behavior:
• Persistent Connection: the modem dials automatically when the WAN connection fails. If the Primary Profile cannot connect, the modem uses the Secondary Profile to dial an ISP.
• Dial on Data: outbound data must be detected before the modem dials the ISP. Outbound data does not need to originate from computers on the LAN; it can also be packets generated by the SonicWALL TELE3 SP's internal applications, such as AutoUpdate and Anti-Virus. Also, if Enable WAN Failover is selected, the pings generated by the Probe can trigger the modem to dial when no WAN Ethernet connection is detected. If the Primary Profile cannot connect, the modem uses the Secondary Profile to dial an ISP.
• Manual Dial: selecting Manual Dial for a Primary Profile means that WAN Failover does not occur automatically. Manual Dial requires you to log into the SonicWALL, click Modem, then Configure. Click Connect, and the modem uses the Primary Profile information to dial an ISP.

Alert: If you are configuring two dial-up profiles for WAN failover, the modem behavior should be the same for each profile. For example, if your Primary Profile uses Persistent Connection, your Secondary Profile should also use Persistent Connection.

1. Select Persistent Connection if you want the modem connection to stay ac...
[Figure: Internet Protocol (TCP/IP) Properties dialog with the IP address, subnet mask, default gateway, and preferred and alternate DNS server fields.]

3. Click Status to open the Properties window.
4. Double-click Internet Protocol (TCP/IP) to open the TCP/IP Properties window.
5. Select Use the following IP address and enter 192.168.168.200 in the IP address field.
6. Enter 255.255.255.0 in the Subnet mask field.
7. Enter the DNS IP address in the Preferred DNS server field. If you have more than one address, enter the second one in the Alternate DNS server field.
8. Click OK, then OK again.
9. Click Close to finish the network configuration.

Windows XP
1. Open the Local Area Connection Properties window.
2. Double-click Internet Protocol (TCP/IP) to open the Internet Protocol (TCP/IP) Properties window.
3. Sel...
[Figure: DHCP over VPN topology: a PRO 300 at the central site with Web, Mail and FTP servers on a DMZ, a VPN tunnel to the remote site, and a workstation acting as DHCP client and VPN user.]

To remove a range of addresses from the dynamic pool, select it from the list of dynamic ranges and click Delete Range. When the range has been deleted, a message confirming the update is displayed at the bottom of the browser window. To remove a static address, select it from the list of static entries and click Delete Static. When the static entry has been deleted, a message confirming the update is displayed at the bottom of the browser window.

Configuring the Central Gateway for VPN over DHCP

To configure DHCP over VPN for the Central Gateway, use the following steps:
1. Log into the Management interface, click DHCP and then DHCP over VPN.
2. Select Central Gateway from the DHCP Relay Mode menu.
3. If you want to send DHCP requests to specific servers, enable the Send DHCP requests to the server addresses listed below check box. Enter the IP addresses of the DHCP servers in the Add DHCP Server field and click Update. The SonicWALL now directs DHCP requests to the specified servers.
...ween two or more sites without the expense of leased site-to-site lines.

VPN Client Software for Windows

Mobile users with dial-up Internet accounts can securely access remote network resources with the SonicWALL VPN Client. The SonicWALL VPN Client establishes a private, encrypted VPN tunnel to the SonicWALL, allowing users to transparently access network servers from any location.

Contact SonicWALL, Inc. for information about the Content Filter List, Network Anti-Virus subscriptions and other upgrades.
Web: http://www.sonicwall.com
E-mail: sales@sonicwall.com
Phone: 408 745 9600
Fax: 408 745 9300

2 Configuring the Network Mode on the SonicWALL

The SonicWALL Internet security appliance allows the following common network configurations: Standard, NAT Enabled, NAT with PPPoE Client, NAT with DHCP Client, NAT with L2TP Client and NAT...

[Figure: the Network page of the Management Interface, showing the LAN Settings (SonicWALL LAN IP Address, LAN Subnet Mask, additional LAN subnets with Add LAN Subnet and Delete Subnet), the WAN Settings (WAN Gateway (Router) Address, SonicWALL WAN IP Address, WAN/DMZ Subnet Mask) and the DNS Server 1 to 3 fields.]
Add Service

To add a service not listed in the Services window, click Access on the left side of the browser window and then click the Add Service tab. Services added here appear in the Services page. You can add a known service from the list, or add a custom service by entering a Name, a Port Range (the TCP port, UDP port or ICMP type), the Protocol (TCP, UDP or ICMP) and, optionally, Enable Logging.

The list on the right side of the window displays the services that are currently defined. These services also appear in the Services window. Two numbers appear in brackets next to each service: the first is the service's IP port number, and the second is the IP protocol type (6 for TCP, 17 for UDP, or 1 for ICMP).

Tip: There can be multiple entries with the same name. For example, the default configuration has two entries labeled DNS, for UDP port 53 and TCP port 53. Multiple entries with the same name are grouped together and are treated as a single service. Up to 128 entries are supported.

Add a Known Service
1. Select the name of the service you want to add from the Add a known service list.
2. Click Add. The new service appears in the list box on the right side of the browser window. Note that some services add more tha...
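The service table above (name, port or ICMP type, and protocol number 6, 17 or 1, with same-named entries forming one service and a 128-entry limit) is what a Network Access Rule's Service field refers to, and a rule adds an Allow or Deny action plus source and destination address ranges. The following is an added model of both, not code from the guide or from SonicWALL. The first-match-wins ordering and the final default Deny are this model's assumptions, as are all class and function names; the sample services are built in the guide's own format.

```python
"""Service table and access-rule matching (added model, not SonicWALL code)."""
from dataclasses import dataclass
from ipaddress import ip_address

PROTOCOL_NUMBER = {"TCP": 6, "UDP": 17, "ICMP": 1}   # the second bracketed number
MAX_SERVICE_ENTRIES = 128


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    protocol: int
    port_begin: int      # ICMP type when protocol is 1
    port_end: int


class ServiceTable:
    def __init__(self):
        self.entries = []

    def add(self, name, protocol, port_begin, port_end=None):
        if len(self.entries) >= MAX_SERVICE_ENTRIES:
            raise ValueError("service table full: up to 128 entries are supported")
        proto = PROTOCOL_NUMBER[protocol.upper()]
        port_end = port_begin if port_end is None else port_end
        limit = 255 if proto == 1 else 65535
        if not 0 <= port_begin <= port_end <= limit:
            raise ValueError(f"{name}: bad port/type range {port_begin}-{port_end}")
        self.entries.append(ServiceEntry(name, proto, port_begin, port_end))

    def names(self):
        """Distinct service names: entries sharing a name form one service."""
        return sorted({e.name for e in self.entries})

    def matches(self, name, protocol, port):
        return any(e.name == name and e.protocol == protocol
                   and e.port_begin <= port <= e.port_end for e in self.entries)


@dataclass(frozen=True)
class Rule:
    action: str           # "Allow" or "Deny"
    service: str          # service name, or "Default" for any service
    src_begin: str = "*"  # "*" means any address
    src_end: str = "*"
    dst_begin: str = "*"
    dst_end: str = "*"


def in_range(ip, begin, end):
    return begin == "*" or ip_address(begin) <= ip_address(ip) <= ip_address(end)


def evaluate(rules, services, src, dst, protocol, port):
    """Action for one packet: rules are tried in list order, the first match wins,
    and anything unmatched is denied (both are assumptions of this model)."""
    for r in rules:
        if r.service != "Default" and not services.matches(r.service, protocol, port):
            continue
        if in_range(src, r.src_begin, r.src_end) and in_range(dst, r.dst_begin, r.dst_end):
            return r.action
    return "Deny"


def default_services():
    """A few entries in the guide's format: name [port, protocol]."""
    t = ServiceTable()
    t.add("DNS", "UDP", 53)        # DNS [53, 17]
    t.add("DNS", "TCP", 53)        # DNS [53, 6], grouped with the entry above
    t.add("Web (HTTP)", "TCP", 80)
    t.add("IKE", "UDP", 500)
    t.add("Ping", "ICMP", 8)       # echo request is ICMP type 8
    return t


if __name__ == "__main__":
    svc = default_services()
    rules = [Rule("Deny", "DNS", "192.168.168.50", "192.168.168.99"),
             Rule("Allow", "Default", "192.168.168.1", "192.168.168.254")]
    print(evaluate(rules, svc, "192.168.168.60", "10.0.0.1", 17, 53))  # DNS from the denied range
```

Because both DNS entries share one name, a single rule naming DNS covers UDP/53 and TCP/53 together, which is the grouping behaviour the Tip describes. The 128-entry check mirrors the stated limit so that a script generating custom services fails loudly rather than silently dropping entries.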
...wser window. Restart the SonicWALL for these changes to take effect.

Alert: When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN.

When your SonicWALL has successfully established a PPPoE connection, the Network page displays the SonicWALL WAN IP settings. The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/LAN Subnet Mask and DNS Servers are displayed.

Alert: Enable and configure the SonicWALL DHCP server, or manually configure client DNS settings, to obtain DNS name resolution.

Restarting the SonicWALL

Once the network settings have been updated, the Status bar at the bottom of the browser window displays "Restart SonicWALL for changes to take effect". Restart the SonicWALL by clicking Restart, then click Yes to confirm the restart and send the restart command to the SonicWALL. The restart can take up to 90 seconds, during which time the SonicWALL is inaccessible and all network traffic through the SonicWALL is halted.

Alert: If you change the SonicWALL LAN IP Address, you must change the Management Station IP address to be in the same subnet as the new LAN IP address.

NAT with L2TP Client Configuration

The SonicWALL can use L2TP over Ethernet to connect to an L2TP server. To configure NAT with L2TP Client, complete the following instructions:
1. Select NAT with L2TP Client from the Network Addressing Mode menu.
...xy server in the Proxy Web Server field and the proxy IP port in the Proxy Web Server Port field. Click Update.

If the Web proxy server is located on the WAN between the SonicWALL and the Internet router, add the Web proxy server address in the SonicWALL Intranet tab. Click the Intranet tab at the top of the window. To bypass the proxy servers if a failure occurs, select the Bypass Proxy Servers Upon Proxy Server Failure check box. In the Intranet tab, enter the proxy server's IP address in the Add Range field. Select Specified address ranges are attached to the WAN link and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.

Bypass Proxy Servers Upon Proxy Failure

If a Web proxy server is specified in the Proxy Relay tab of the Advanced section, selecting the Bypass Proxy Servers Upon Proxy Server Failure check box allows clients behind the SonicWALL to bypass the Web proxy server in the event it becomes unavailable. Instead, the client's browser accesses the Internet directly, as if a Web proxy server were not specified. Note that any policy the proxy enforces (filtering, logging, authentication) does not apply to that direct traffic while the bypass is in effect.

Intranet

The SonicWALL can be configured as an Intranet firewall to prevent network users from accessing sensitive servers. By default, users on your LAN can access the Internet router but not devices connected to the WAN port of the SonicWALL. To enable access to the area between the SonicWALL WAN port and the...
...y Mode

Configuring the Network Settings

Follow these steps to configure your TELE3 SP to use only the modem for Internet access:
1. When the Installation Wizard launches, follow the steps in your Quick Start Guide until the Set Your Password page appears. Enter and confirm your new password.
   Tip: If you do not set a new password, the Installation Wizard relaunches when the SonicWALL is rebooted.
2. Continue with the Installation Wizard. A warning message appears alerting you that no WAN connection was detected.
3. Select "Assigned you a single static IP address" and click Next. The Use Network Address Translation window is displayed. Click Next.
4. Leave the default values of 0.0.0.0 in the SonicWALL WAN IP Address field and the WAN Gateway (Router) Address field. Leave the default setting of 255.255.255.0 in the Subnet Mask field.
5. If your dial-up ISP has given you DNS Server IP address(es), enter them in the DNS Server Address fields. If not, leave the DNS Server Address fields blank.
6. Leave the default values in the SonicWALL LAN IP address field and Subnet Mask field.
7. If your TELE3 SP acts as the DHCP server on your network, select Enable DHCP Server and click Next. If not, click Next.
8. Click Print this Page to print out the network settings of the TELE3 SP. Click Next.
9. Click Restart to enable the network settings on the TELE3 SP.

Configuring the Modem Settings

After your TELE3 SP has restarted, log into it using...
376. ...y addresses. You must use the IP address set as the LAN IP address of the SonicWALL. Also, you cannot mix Standard and NAT subnets behind the SonicWALL.

General and Network Settings, Page 77

WAN Settings

WAN Gateway (Router) Address
The WAN Gateway (Router) Address is the IP address of the WAN router or default gateway that connects your network to the Internet. If you use Cable or DSL, your WAN router is typically located at your ISP. If you use a router located at your site, use the IP address assigned to it. If you select NAT with DHCP Client or NAT with PPPoE mode, the WAN Gateway (Router) Address is assigned automatically.

SonicWALL WAN IP Address
The SonicWALL WAN IP Address is a valid IP address assigned to the WAN port of the SonicWALL. This address should be assigned by your ISP. If you select NAT Enabled mode, this is the only address seen by users on the Internet, and all activity appears to originate from this address. If you select NAT with DHCP Client, NAT with PPPoE, NAT with L2TP Client or NAT with PPTP Client mode, the SonicWALL WAN IP Address is assigned automatically. If you select Standard mode, the SonicWALL WAN IP Address is the same as the SonicWALL LAN IP Address.

WAN/LAN Subnet Mask
The WAN/LAN Subnet Mask determines which IP addresses are located on the WAN. This subnet mask should be assigned by your ISP. If you select NAT with DHCP Client, NAT with PPPoE, NAT with L2TP Client or NAT with PPTP Cli...
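The relationships between the WAN fields above are easy to get wrong when typed into the General and Network settings, so the following added example (not SonicWALL code) encodes them as a pre-apply check: in Standard mode the WAN IP Address must equal the LAN IP Address; in the client modes (DHCP, PPPoE, L2TP, PPTP) the address, mask and gateway arrive automatically, so nothing static is validated; a WAN IP and gateway both left at 0.0.0.0 are accepted as the modem-only TELE3 SP setup; and the WAN/LAN Subnet Mask is used to decide which addresses sit on the WAN side. The rule that the gateway must lie inside the WAN subnet is an assumption from ordinary IP routing, not a statement of the page, and all sample addresses are constructed.

```python
"""Consistency checks for the SonicWALL WAN settings (added example, not SonicWALL code)."""
import ipaddress
from typing import List

# Modes in which the page says the WAN address, mask and gateway are assigned automatically.
AUTO_MODES = {
    "NAT with DHCP Client",
    "NAT with PPPoE",
    "NAT with L2TP Client",
    "NAT with PPTP Client",
}
# Modes in which the administrator enters the values by hand.
STATIC_MODES = {"Standard", "NAT Enabled"}
UNSET = ipaddress.IPv4Address("0.0.0.0")


def wan_network(wan_ip: str, wan_mask: str) -> ipaddress.IPv4Network:
    """The WAN subnet implied by the SonicWALL WAN IP Address and the WAN/LAN Subnet Mask."""
    return ipaddress.IPv4Network(f"{wan_ip}/{wan_mask}", strict=False)


def on_wan(wan_ip: str, wan_mask: str, addresses: List[str]) -> List[str]:
    """Return the addresses that the subnet mask places on the WAN side."""
    net = wan_network(wan_ip, wan_mask)
    return [a for a in addresses if ipaddress.IPv4Address(a) in net]


def check_wan_settings(mode: str, lan_ip: str, wan_ip: str, wan_mask: str, gateway: str) -> List[str]:
    """Return a list of problems with the entered settings; an empty list means they are consistent."""
    if mode in AUTO_MODES:
        return []  # values come from the ISP when the link comes up; entered values are ignored
    if mode not in STATIC_MODES:
        return [f"unknown mode: {mode}"]

    lan = ipaddress.IPv4Address(lan_ip)
    wan = ipaddress.IPv4Address(wan_ip)
    gw = ipaddress.IPv4Address(gateway)

    # Modem-only TELE3 SP setup: the wizard leaves both WAN fields at 0.0.0.0 on purpose.
    if wan == UNSET and gw == UNSET:
        return []

    problems: List[str] = []
    if mode == "Standard" and wan != lan:
        problems.append("Standard mode: the WAN IP Address must equal the LAN IP Address")
    net = wan_network(wan_ip, wan_mask)
    if gw not in net:
        # Assumption: the default gateway has to be directly reachable on the WAN subnet.
        problems.append(f"gateway {gateway} is not inside the WAN subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: NAT Enabled with a documentation-range WAN address and a wrong gateway.
    print(check_wan_settings("NAT Enabled", "192.168.168.168", "203.0.113.10", "255.255.255.0", "198.51.100.1"))
    print(on_wan("203.0.113.10", "255.255.255.0", ["203.0.113.1", "192.168.168.1", "203.0.113.254"]))
```

Run it before clicking Update: a non-empty list names the field to correct, and `on_wan` shows which of your servers the chosen mask will treat as WAN-side hosts.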
377. ... Encryption/Authentication menu. The San Francisco office Phase 2 Encryption/Authentication must match Chicago, so Encrypt and Authenticate (ESP 3DES HMAC SHA1) must be selected. 3DES and HMAC-SHA1 are legacy algorithms by current standards; use them only where the peer offers nothing stronger.

10. Enter the same Shared Secret used in the Chicago office SonicWALL PRO 200 into the SonicWALL TELE3 Shared Secret field.
11. Click Add New Network to open the VPN Destination Network window and define the destination network addresses.
12. Enter the IP address and subnet mask of the destination network (the Chicago office) in the Network and Subnet Mask fields. Since NAT is enabled at the Chicago office, enter a private LAN IP address. In this example, enter 192.168.2.1 and subnet mask 255.255.255.0.
13. Click Advanced Settings. Select the boxes that apply to your SA:

Enable Keep Alive if you want to maintain the current connection by listening for traffic on the network segment between the two connections.

Enable Windows Networking (NetBIOS) broadcast if remote clients use Windows Network Neighborhood to browse remote networks.

Apply NAT and firewall rules to apply NAT and firewall rules to the SA, or just firewall rules if in Standard mode.

Forward packets to remote VPNs if creating a hub and spoke network configuration.

Enable Perfect Forward Secrecy if you want to add another layer of security by adding an additional Diffie-Hellman key exchange.

Phase 2 DH Group: select the type of DH key exchange in Phase 2 for Perfect Forward Se...
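To make concrete what the Perfect Forward Secrecy option in step 13 buys, the following added example (not SonicWALL code) implements the IKE Quick Mode key derivation of RFC 2409 section 5.5 with HMAC-SHA1 as the prf and DH group 2 (the 1024-bit MODP group of RFC 2409) for the optional Phase 2 exchange; the 44 bytes of KEYMAT match the ESP 3DES (24-byte key) plus HMAC-SHA1 (20-byte key) proposal above. It models a passive attacker who records the Phase 2 exchange and later obtains the Phase 1 keying material SKEYID_d, for example by learning the shared secret. Without PFS that attacker reproduces the ESP keys from the recorded nonces and SPI; with PFS the fresh Diffie-Hellman exponents were never sent, so the recorded session stays protected. SKEYID_d, nonces, SPI and exponents are all constructed at random inside the block.

```python
"""Quick Mode KEYMAT with and without PFS, per RFC 2409 section 5.5 (added example, not SonicWALL code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# RFC 2409 section 6.2, "Second Oakley Group" (DH group 2): 1024-bit MODP prime, generator 2.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH_GROUP2_G = 2

PROTO_IPSEC_ESP = b"\x03"   # IPsec DOI protocol identifier for ESP (RFC 2407)
KEYMAT_LEN = 24 + 20        # 3DES key (24 bytes) + HMAC-SHA1 key (20 bytes)


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf: HMAC-SHA1, matching the page's Phase 2 proposal."""
    return hmac.new(key, data, hashlib.sha1).digest()


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def keymat(skeyid_d: bytes, protocol: bytes, spi: bytes, ni_b: bytes, nr_b: bytes,
           g_qm_xy: Optional[int] = None, length: int = KEYMAT_LEN) -> bytes:
    """KEYMAT = prf(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b), extended as
    K2 = prf(SKEYID_d, K1 | [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b), ... to `length` bytes."""
    seed = (int_to_bytes(g_qm_xy) if g_qm_xy is not None else b"") + protocol + spi + ni_b + nr_b
    block = prf(skeyid_d, seed)
    out = block
    while len(out) < length:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]


def quick_mode(skeyid_d: bytes, pfs: bool) -> Dict:
    """One Quick Mode between initiator and responder: returns both sides' KEYMAT
    and everything a passive observer sees on the wire."""
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    wire = {"protocol": PROTO_IPSEC_ESP, "spi": spi, "ni_b": ni_b, "nr_b": nr_b}
    g_xy_i = g_xy_r = None
    if pfs:
        x_i, x_r = secrets.randbits(320), secrets.randbits(320)   # private exponents, never sent
        wire["g_xi"] = pow(DH_GROUP2_G, x_i, DH_GROUP2_P)          # KE payloads are public
        wire["g_xr"] = pow(DH_GROUP2_G, x_r, DH_GROUP2_P)
        g_xy_i = pow(wire["g_xr"], x_i, DH_GROUP2_P)               # each side combines the peer's
        g_xy_r = pow(wire["g_xi"], x_r, DH_GROUP2_P)               # public value with its own exponent
    return {
        "initiator": keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, g_xy_i),
        "responder": keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, g_xy_r),
        "wire": wire,
    }


def passive_attacker(skeyid_d: bytes, wire: Dict) -> bytes:
    """Attacker who recorded the Quick Mode exchange and later obtained SKEYID_d.
    Lacking both private exponents, g(qm)^xy is out of reach, so only the
    no-PFS derivation can be reproduced from what was on the wire."""
    return keymat(skeyid_d, wire["protocol"], wire["spi"], wire["ni_b"], wire["nr_b"])


def demo() -> Dict:
    skeyid_d = secrets.token_bytes(20)   # Phase 1 derived keying material (constructed)
    plain = quick_mode(skeyid_d, pfs=False)
    with_pfs = quick_mode(skeyid_d, pfs=True)
    return {
        "peers_agree_no_pfs": plain["initiator"] == plain["responder"],
        "peers_agree_pfs": with_pfs["initiator"] == with_pfs["responder"],
        "attacker_recovers_no_pfs": passive_attacker(skeyid_d, plain["wire"]) == plain["initiator"],
        "attacker_recovers_pfs": passive_attacker(skeyid_d, with_pfs["wire"]) == with_pfs["initiator"],
        "keymat_len": len(with_pfs["initiator"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The Phase 2 DH Group setting selects the modulus used for the extra exchange; a larger group costs more CPU per rekey on the appliance but raises the work an attacker needs to recover g(qm)^xy from the two public values.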
