
Cloud GMS Admin Guide

Introduction

Introduction to the SonicWall Inc. SonicWall Cloud GMS

This section introduces the SonicWall™ Cloud Global Management System (Cloud GMS) User Interface (UI) navigation and management views. Cloud GMS can be used in a variety of roles in a wide range of networks. Network administrators can use Cloud GMS as a Management Console in an Enterprise network containing a single SonicWall E-Class NSA or SuperMassive appliance, and also as a Remote Management System for managing multiple unit deployments for Enterprise and Service Provider networks consisting of hundreds and thousands of firewalls, Secure Mobile Access (SMA), and Email Security (ES) appliances.


Overview of Cloud GMS


What Is Cloud GMS?

SonicWall™ Cloud Global Management System (Cloud GMS) is a Web-based application that can configure and manage thousands of SonicWall firewall appliances and NetMonitor non-SonicWall appliances from a central location.

Cloud GMS can be used as a Management Console in an Enterprise network containing a single SonicWall E-Class NSA or SuperMassive. Cloud GMS can also be used as a Remote Management System for managing multiple unit deployments for Enterprise and Service Provider networks consisting of hundreds and thousands of firewalls, Email Security appliances, and Secure Mobile Access (SMA) appliances. This dramatically lowers the cost of managing a secure distributed network. Cloud GMS does this by enabling administrators to monitor the status of and apply configurations to all managed SonicWall appliances, groups of SonicWall appliances, or individual SonicWall appliances. Cloud GMS also provides centralized management for scheduling and pushing firmware updates to multiple appliances and for applying configuration backups of appliances at regular intervals.

Cloud GMS provides monitoring features that enable you to view the current status of SonicWall appliances and non-SonicWall appliances, pending tasks, and log messages. It also provides graphical reporting of Firewall, SMA, and Email Security (ES) appliance and network activities for the SonicWall appliances. A wide range of informative real-time and historical reports can be generated to provide insight into usage trends and security events.

Network administrators can also configure multiple site VPNs for SonicWall appliances. From the Cloud GMS user interface (UI), you can add VPN licenses to SonicWall appliances, configure VPN settings, and enable or disable remote-client access for each network.

Overview of IPv6 in Cloud GMS

Cloud GMS supports the use of IPv6, allowing the user to install Cloud GMS products in an IPv6 network environment. This means that Cloud GMS can now access various network elements using IPv6 addresses, such as firewalls, SMTP servers, RADIUS/LDAP authentication servers, SNMP managers, web services, and so on.

IPv6 Deployment Considerations

Consider the following when using IPv6 with Cloud GMS:

In the case of a Virtual Appliance, you can use SonicWall Command Line Interface to specify the IPv6 address of the appliance.
For Cloud GMS to take advantage of the IPv6 network, dual-stack (IPv4, IPv6) configuration on the underlying platforms is required. This means that these appliances/servers will need to have IPv4 addresses assigned no matter what.
The Cloud GMS Scheduler continues to be displayed as an IPv4 address. This does not mean that the Cloud GMS Scheduler can access only IPv4 addresses; in this context, the IPv4 address is used to uniquely identify the Cloud GMS Scheduler/Agent.

Browser Requirements

SonicWall Cloud GMS uses advanced browser technologies such as HTML5, which are supported in most recent browsers. SonicWall recommends using the latest Chrome, Firefox, Internet Explorer, or Safari browsers for administration of the SonicWall Cloud GMS.

This release supports the following Web browsers:

Chrome 42.0 and higher (recommended browser for dashboard real-time graphics display)
Firefox 37.0 and higher
Internet Explorer 10.0 and higher (do not use compatibility mode)
NOTE: Internet Explorer version 10.0 in Metro interfaces of Windows 8 and the Edge browser in Windows 10 are currently not supported.
NOTE: Turn off Compatibility Mode when accessing the Cloud GMS management interface with Internet Explorer. For more information, see the Knowledge Base article located at: https://support.sonicwall.com/sonicwall-gms/kb/sw14003

SonicWall Appliance and Firmware Support

Cloud GMS supports SonicWall firewall App Control policy management and reporting. Refer to the SonicOS documentation for information on which SonicOS firmware versions support these features.

NOTE: Cloud GMS 1.0 does not support legacy SonicWall Inc. appliances, including:
• Firewall appliances running firmware earlier than SonicOS 5.0
• CSM Series
• CDP Series

SonicWall Cloud GMS supports the following SonicWall appliances and firmware versions:

Component requirements (SonicWall platform: SonicWall firmware version)

Network security appliance
• SuperMassive 10000 series: SonicOS 6.0 or newer
  NOTE: Only partial policy management and reporting support is currently available. The following SuperMassive specific features are not supported for centralized policy management in Cloud GMS:
    • Multi-blade Comprehensive Anti-Spam Service (CASS)
    • High Availability/Clustering
    • Support for Management Interface
    • Flow Reporting Configurations
    • Multi-blade VPN
    • Advanced Switching
  Contact your SonicWall Sales representative through https://support.sonicwall.com/ for more information.
• SuperMassive 9000 series: SonicOS 6.1 or newer
• NSA series: SonicOS 5.0 or newer
• TZ series and TZ Wireless: SonicOS 5.0 or newer
• SonicWall SOHO and SOHO Wireless: SonicOS 6.2.5 or newer

Secure Mobile Access
• SRA/SSL-VPN Series: SSL-VPN 2.0 or newer (management); SSL-VPN 2.1 or newer (management and reporting)
• E-Class SRA Series: E-Class SRA 9.0 or newer
• SMA 6200/7200: SMA 10.7.2 or newer

Email Security/Anti-Spam
• Email Security Series: Email Security 7.2 or newer (management only)

Notes:

Cloud GMS supports SonicWall firewall App Control policy management and App Control reporting. Refer to the SonicOS documentation for information on the supported SonicOS firmware versions.
Appliances running firmware newer than this Cloud GMS release can still be managed and reports can still be generated. However, the new features in the firmware will be supported in an upcoming release of Cloud GMS.

Non-SonicWall Appliance Support

SonicWall Cloud GMS provides monitoring support for non-SonicWall TCP/IP and SNMP-enabled devices and applications.

Logging into Cloud GMS

After registering your SonicWall Cloud GMS product, to log into the SonicWall Cloud GMS management interface, either double-click on the SonicWall Cloud GMS icon on your desktop, or from a remote system, access the following URL from a web browser:

http://<sgms_ipaddress>:<portnumber>

The SonicWall Cloud GMS login page appears by default in English. To change the language setting, click your language of choice at the bottom of the login page. The available language choices for SonicWall Cloud GMS include English, Japanese, Simplified Chinese, Traditional Chinese, Korean, and Portuguese.

1. Enter the SonicWall user ID (default: admin) and password (default: password). Select Local Domain as the domain (default).
2. Click Submit. The Cloud GMS management interface displays.

NOTE: For more information on installation, login procedures, and registration of your SonicWall Cloud GMS installation, refer to the appropriate Getting Started Guide, available at: https://support.sonicwall.com/sonicwall-gms/software/technical-documents

Navigating the Cloud GMS Management Interface

The following sections describe the four major tabs of the Cloud GMS management interface:

Policies panel

The Policies panel is used to configure SonicWall appliances. From the screens on this panel, you can apply settings to all SonicWall appliances being managed by the Cloud GMS, all SonicWall appliances within a group, or individual SonicWall appliances.

To open the Policies panel, click the appropriate Appliance at the top of the SonicWall Cloud GMS management interface and then click the Policies panel. The appropriate Appliance Policies panel appears:

Reports panel

The Reports panel is an essential component of network security that is used to view and schedule reports about critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels.

To open the Reports panel, click the Firewall, Email Security, or SMA tabs at the top of the SonicWall Cloud GMS UI and then click the Reports panel.

Monitor tab

The Monitor tab is the administrator’s central tool for monitoring the status of any managed TCP/IP and SNMP capable devices and applications. The SonicWall Cloud GMS Monitor tab provides power and flexibility to help you manage availability of network devices, creating custom threshold-based real-time monitor alerts and emailing or archiving network status reports based on your specifications.

To access the Monitoring features, click the Monitor tab at the top of the Cloud GMS management interface.

Console tab

The Console tab is used to configure the Cloud GMS settings, view pending tasks, manage licenses, and configure system wide granular event management settings.

To open the Console tab, click the Console tab at the top of the Cloud GMS management interface.

Understanding Cloud GMS Icons

This section describes the meaning of icons that appear next to managed appliances listed in the left pane of the SonicWall Cloud GMS management interface.

 

Status icon descriptions 

Status Icon

Description

One blue box indicates that the appliance is live and communicating with Cloud GMS. The appliance is accessible from the SonicWall Cloud GMS, and no tasks are pending or scheduled.

Two blue boxes indicate that appliances in a group are live and communicating with Cloud GMS. All appliances in the group are accessible from SonicWall Cloud GMS and no tasks are pending or scheduled.

Three blue boxes indicate that all appliances in the global node of this type (Firewall/SMA) are live and communicating with Cloud GMS. All appliances of this type are accessible from SonicWall Cloud GMS and no tasks are pending or scheduled.

One blue box with a lightning flash indicates that one or more tasks are pending or running on the appliance.

Two blue boxes with a lightning flash indicate that tasks are currently pending or running on two or more appliances within the group.

Three blue boxes with a lightning flash indicate that tasks are currently pending or running on three or more appliances within the group.

One blue box with a clock indicates that one or more tasks are scheduled on the appliance.

Two blue boxes with a clock indicate that tasks are currently scheduled to execute at a future time on two or more appliances within the group.

Three blue boxes with a clock indicate that tasks are currently scheduled to execute at a future time on three or more appliances within the group.

One yellow box indicates that the appliance has been added to SonicWall Cloud GMS management (provisioned), but not yet acquired.

Two yellow boxes indicate that two or more appliances in the group have been added to SonicWall Cloud GMS management, but not acquired.

Three yellow boxes indicate that one or more of the appliances of this type (Firewall/SMA) have been added to SonicWall Cloud GMS management, but not acquired.

One yellow box with a lightning flash indicates that one or more tasks are pending on the provisioned appliance.

Two yellow boxes with a lightning flash indicate that tasks are pending on two or more provisioned appliances within the group.

Three yellow boxes with a lightning flash indicate that tasks are pending on three or more provisioned appliances within the group.

A green circle with the number 1 in the middle indicates that the unit is in an HA pair and is currently the Primary unit.

A yellow circle with the number 2 in the middle indicates that the unit is in an HA pair and is currently on backup.

One red box indicates that the appliance is no longer sending heartbeats to SonicWall Cloud GMS.

Two red boxes indicate that two or more appliances in the group are no longer sending heartbeats to SonicWall Cloud GMS.

Three red boxes indicate that three or more of the global group of appliances of this type (Firewall/SMA) are no longer sending heartbeats to SonicWall Cloud GMS.

One red box with a lightning flash indicates that the appliance is no longer sending heartbeats to SonicWall Cloud GMS and has one or more tasks pending.

Two red boxes with a lightning flash indicate that two or more appliances in the group are no longer sending heartbeats to SonicWall Cloud GMS and have one or more tasks pending.

Three red boxes with a lightning flash indicate that the appliances are no longer sending heartbeats to SonicWall Cloud GMS and have three or more tasks pending.

A box with a dot in the top-left corner indicates that the appliance is being managed by Cloud GMS using a static IP address.

This icon indicates a fail over to a secondary Ethernet port.

This icon indicates that a modem is connected using dialup.

This icon indicates that the wireless is connected using WWAN.

This icon indicates the unit’s Task Pending status is “Immediate.”

This icon indicates the unit’s Task Pending status is “Scheduled.”

Using the Cloud GMS TreeControl Menu

This section describes the content of the TreeControl menu within the Cloud GMS management interface. The TreeControl menu view and update permissions can be configured for multiple SonicWall Cloud GMS user types. For more information on configuring SonicWall Cloud GMS user screen, unit, or action permissions, refer to Configuring Action Permissions.

You can control the display of the TreeControl pane by selecting one of the appliance tabs at the top. For example, when you click the Firewall tab, the TreeControl pane displays all the managed firewall units. You can display any of the following appliance types when SonicWall Cloud GMS is managing all of these device types:

Firewall
SMA
Email Security (ES)

You can hide the entire TreeControl pane by clicking the sideways arrow icon, and re-display the pane by clicking it again. This is helpful when viewing some reports or other extra-wide screens, especially on the Monitor or Console tabs.

To open a TreeControl menu, right-click the View All icon, a Group icon, or a Unit icon.

The following options are available in the right-click menu, provided you have the permissions to perform them (see Using the Cloud GMS TreeControl Menu). See Configuring Action Permissions for more information:

Expand—Makes subbranches to the root visible.
Collapse—Compresses the view of the hierarchy so that only the root of the branch is visible.
Expand All—Makes the entire branch visible.
Collapse All—Compresses the entire view of all expanded hierarchies so that only the roots of the branches are visible.
Find—Opens a Find dialog box that allows you to search for groups or units.
Find Next—Finds the next search match.
Find Previous—Finds previous search matches.
Refresh—Refreshes the SonicWall Cloud GMS UI display.
Add Unit—Add a new unit to the SonicWall Cloud GMS management view. Requires unit IP and login information.
Rename Unit—(unit node only) Renames the selected SonicWall appliance.
Delete—Delete the selected unit or all units in the selected Group or Global Node, with option to delete interconnected SAs or to delete from NetMonitor.
Import XML—Import an edited XML file to replace the current TreeControl navigation view.
Modify Unit—(unit node only) Change basic settings for the selected unit, including unit name, IP and Login information, serial number, management port and encryption/authentication keys.
Login to Unit—(unit node only) Login to the selected unit using SSL protocols.
Modify Properties—Displays the properties for the selected SonicWall appliance, or all managed appliances in the selected group or global node.
Manage Views—Opens a dialog box where you can create, delete, or modify a view.
Change View—Select pre-set or user created views. Views are created in the Manage View window (see above).
Reassign Agents—Opens a dialog box where you can change the IP address of the primary and standby schedulers and the type of management mode used between Cloud GMS and the managed SonicWall appliances.

Configuring Cloud GMS View Options

The Cloud GMS management interface is a robust and powerful tool you can use to apply settings to all SonicWall appliances being managed by Cloud GMS, all appliances or devices within a group, or individual appliances or devices simply by selecting the Global, Group, or Unit node within the Cloud GMS management interface. The Cloud GMS management interface supports up to seven levels of hierarchical depth per view.

NOTE: Views are only available in the Policies and Reports panels. Changing views does not affect the Console or Monitor tabs.

This section describes each view and what to consider when making changes:

Group Node

From the Group node of the Policies panel, changes you make are applied to all SonicWall appliances within the group. The Global node is the top view that contains all appliances.

To open the Group node, click a group icon in the left pane of the Cloud GMS management interface. The Group Status page appears. The Group Node Status page contains a list of statistics for all SonicWall appliances within the group.

As you move through the Cloud GMS management interface with the Group node selected and make changes, those changes are broken down into configuration tasks and applied to each subgroup and each SonicWall appliance within the group.

As Cloud GMS processes the tasks, some SonicWall appliances might be down or offline. When this occurs, Cloud GMS spools the tasks and reattempts the update later.

Depending on the page that you are configuring, the SonicWall appliance(s) might automatically restart. We recommend scheduling the tasks to run when network activity is low. To determine if a change requires restarting, refer to the configuration instructions for that task.

Making group changes through the Cloud GMS management interface enables you to save time by instituting changes that affect all SonicWall appliances within the group through a single operation. Although this is very convenient, some changes can have unintended consequences. Be careful when making changes on a group or global level.

Unit Node

From the Unit node of the Policies panel, changes you make are only applied to the selected SonicWall appliance. To open the Unit node, click a SonicWall appliance in the left pane of the Cloud GMS management interface. The Status page for the SonicWall appliance appears.

From the Unit node on the Reports panel, you can generate real-time and historical reports for the selected SonicWall appliance.

As you navigate the Cloud GMS management interface, you can generate graphical reports and view detailed log data for the selected SonicWall appliance. For more information, refer to Reports panel.

As you navigate the Cloud GMS management interface with a single SonicWall appliance selected and make changes, those changes are broken down into configuration tasks and sent to the selected SonicWall appliance.

As Cloud GMS processes the tasks, the SonicWall appliance might be down or offline. When this occurs, Cloud GMS spools the task and reattempts the update later.

NOTE: Depending on the page that you are configuring, the SonicWall appliance might automatically restart. We recommend scheduling the tasks to run when network activity is low. To determine if a change requires restarting, refer to the configuration instructions for that task.

Unit Node Status Page

The Unit Node Status page contains a list of statistics for the selected SonicWall appliance:

Firewall Model—specifies the model of the SonicWall appliance. If the unit is not registered, “Not Registered” appears instead of a model number.
Serial Number—specifies the serial number of the SonicWall appliance.
Number of LAN IPs allowed—specifies the number of IP addresses that are allowed on the LAN.
CPU—specifies the CPU used in the SonicWall appliance.
VPN Upgrade—specifies whether the SonicWall is licensed for a VPN upgrade.
VPN Clients—specifies whether the SonicWall is licensed for VPN Clients.
Firmware Version—specifies the version of the firmware installed on the SonicWall appliance.
Content Filter Subscription List/Service—specifies whether the SonicWall appliance is licensed for a Content Filter List subscription.
Anti-Virus Subscription—specifies whether the SonicWall appliance has an anti-virus subscription.
Extended Warranty—specifies whether the SonicWall appliance has an extended warranty.
SonicWall Status—specifies the operational status of the SonicWall appliance.
Tasks Pending—specifies whether the SonicWall appliance has any pending tasks.
Agent Assigned—specifies the IP address of the Cloud GMS agent server that is the primary agent managing the SonicWall appliance.
Standby Agent—specifies the IP address of the peer Cloud GMS that acts as the backup agent for this SonicWall appliance. If the primary agent fails, this Cloud GMS server begins managing the appliance.
Managed using Management Tunnel—specifies if the SonicWall appliance is being managed by SonicWall Cloud GMS using the management VPN tunnel.
Fetch Uptime—the Uptime parameter indicates how long the SonicWall has been running since the last time it was powered up or restarted. To display the current uptime setting at the unit level for the selected SonicWall, click Fetch Uptime.

Creating SonicWall Cloud GMS Fields and Dynamic Views

The Cloud GMS uses an innovative method for organizing SonicWall appliances. SonicWall appliances are not forced into specific, limited, rigid hierarchies. You can simply create a set of fields that define criteria (such as country, city, state) that separate SonicWall appliances. Then, create and use dynamic views to display and sort appliances on the fly. For information about organizing SonicWall appliances, see the following sections:

About Default SonicWall Fields

The Cloud GMS includes standard fields that can be used to sort SonicWall appliances based on their model, their firmware version, and other criteria. Default Cloud GMS fields include the following:

AV Status—places the SonicWall appliances into different groups based on their status.
CFS Status—places the SonicWall appliances into two groups: appliances that have content filtering service (CFS) subscriptions and appliances that do not.
Dialup Mode—groups appliances based on whether an appliance has switched to dialup mode for Internet access.
Firmware—creates a group for each Firmware version and places each SonicWall appliance into its corresponding group.
Management—groups appliances based on whether they are managed by SSL Management mode, SonicWall Cloud GMS Management Tunnel mode, or Existing/LAN mode.
Model—creates a group for each SonicWall model and places each SonicWall appliance into its corresponding group.
Nodes—creates a group for each node range and places each SonicWall appliance into its corresponding group.
Registered—places the SonicWall appliances into two groups: appliances that are registered and appliances that are not.
Scheduler—creates a group for each scheduler agent and places each SonicWall appliance into its corresponding group.
UnitStatus—groups appliances based on their Up/Down/Provisioned status.
Warranty Status—places the SonicWall appliances into two groups: appliances that have current warranties and appliances that do not.

Creating Custom Fields

When first configuring Cloud GMS, you can create custom fields that you can use to organize managed appliances. Cloud GMS supports up to ten custom fields.

NOTE: Although Cloud GMS supports up to ten custom fields, only seven fields can be used to sort SonicWall appliances in a single view.

The following are examples of custom fields that you can use:

Geographic—useful for organizing SonicWall appliances by location. Especially useful when used in combination with other grouping methods. Geographic fields might include:
• Country
• Time Zone
• Region
• City

Customer-based—useful for organizations that are providing managed security services for multiple customers. Customer-based fields might include:
• Company
• Division
• Department

Configuration-based—useful when SonicWall appliances have very different configurations (such as Filtering, No Filtering, Pornography Filtering, Violence Filtering, or VPN).

User-type—different service offerings can be made available to different user types. For example, engineering, sales, and customer service users can have very different configuration requirements. Or, if offered as a service to end users, you can allow or disallow network address translation (NAT) depending on the number of IP addresses that you want to make available.

Cloud GMS is pre-configured with four custom fields: Country, Company, Department, and State. These fields can be modified or deleted.

To add new fields, complete the following steps:
1. Click the Console tab, expand the Management tab and click Custom Groups.
2. Right-click Custom Groupings in the right pane.
3. Select Add Category from the pop-up menu.
4. Enter the name of the group in the Category Name field.
   NOTE: Category names can only contain alpha-numeric characters. Special characters and/or spaces are not accepted.
5. Enter the default value for the group in the Default Value field.
6. Click Ok. You can create up to ten fields.
   NOTE: Although the fields appear to be in a hierarchical form, this has no effect on how the fields appear within a view.

To modify or delete fields, right-click any of the existing fields and select Properties or Delete Category, respectively from the pop-up menu.

Understanding Dynamic Views

After creating custom fields and reviewing the Cloud GMS fields, administrators can set up views to dynamically filter the SonicWall security appliances that are displayed in the SonicWall Cloud GMS user interface based on fields.

NOTE: Each view can filter for a maximum of seven fields.

Some views can include the following:

Standard Geographic Views—When the number of SonicWall appliances managed by the Cloud GMS becomes large, you can divide the appliances geographically among SonicWall administrators.
For example, if one administrator is responsible for each time zone in the United States, you can choose the following grouping methods:
• Administrator 1: Country: USA, Time Zone: Pacific, State, City.
• Administrator 2: Country: USA, Time Zone: Mountain, State, City.
• Administrator 3: Country: USA, Time Zone: Central, State, City.
• Administrator 4: Country: USA, Time Zone: Eastern, State, City.

Firmware Views—To ensure that all SonicWall appliances are using the current firmware, you can create a view to check and update firmware versions and batch process firmware upgrades when network activity is low.
For example, if you want to update all SonicWall appliances to the latest firmware at 2:00 A.M., you can use the following grouping method:
• Firmware Version, Time Zone
If you want to update SonicWall appliances only for companies that have agreed to the upgrade and you want the upgrades to take place at 2:00 A.M., you can use the following grouping method:
• Company, Firmware Version, Time Zone

Registration Views—To ensure that all SonicWall appliances are registered, you can create a registration view and check it periodically. To create a registration view, you can use the following grouping method:
• Registration Status, any other grouping fields

Upgrade Views—You can create views that contain information on which upgrades customers do not have and forward this information to the Sales Department.
For example, you can choose the following grouping methods:
• Content Filter List, Company, Division, Department
• Anti-Virus, Company, Division, Department
• Warranty Status, Company, Division, Department

Configuring Dynamic Views

To create a view, follow these steps:
1. Right-click anywhere in the left pane of the Cloud GMS window and select Manage Views from the pop-up menu. The Manage Views page appears.
2. Type a descriptive name for the new view in the View Name field.
3. To make this view available to non-administrators, select Visible to Non-Administrators.
4. To add a view category, click Add Level. View categories are used to filter SonicWall appliances in your view. The Group Categories column contains categories that are a combination of custom fields and SonicWall Cloud GMS fields.
5. To change the Group Category field, select the desired field from the pull-down list. For a list of SonicWall Cloud GMS fields and their meanings, refer to About Default SonicWall Fields.
6. Choose an Operator to apply to the value for this view:
   • equals (default value)
   • starts with
   • ends with
   • contains
   • does not equal
   • does not contain
7. Type a value for the category in the Value column.
8. You can add up to seven categories or levels.
9. To delete a view category, select the level and click Delete Level(s).
10. When you are finished configuring this view, click Modify View.
11. When you are finished, click Close.

Changing Views

To change views from within the Cloud GMS management interface, follow these steps:

1. Right-click anywhere in the left pane of the Cloud GMS window and select Change View from the pop-up menu. The Change View dialog box appears.
2. Select a view and click OK. The SonicWall Cloud GMS management interface displays only the SonicWall appliances that meet the requirements of the filters defined in the view.
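
The filtering and grouping that a view's levels describe can be checked offline against an exported appliance list, for example to find units on older firmware or units that are not registered. The following Python is an added example, not SonicWall code; the field names, the sample inventory, case-insensitive matching, and the treatment of a level with no value as group-only are assumptions.

```python
"""Offline model of a Cloud GMS dynamic view (added example, not SonicWall code).

Assumptions: field names and inventory records are constructed; matching is
case-insensitive; a level with no value groups without filtering.
"""
from pprint import pprint

MAX_LEVELS = 7  # a view can filter for a maximum of seven fields

# The six operators listed for a view level in the Manage Views procedure.
OPERATORS = {
    "equals": lambda field, value: field == value,
    "starts with": lambda field, value: field.startswith(value),
    "ends with": lambda field, value: field.endswith(value),
    "contains": lambda field, value: value in field,
    "does not equal": lambda field, value: field != value,
    "does not contain": lambda field, value: value not in field,
}

# Constructed inventory. Custom field names are alphanumeric only, hence
# "TimeZone". tok-nsa-03 deliberately has no State value.
INVENTORY = [
    {"Unit": "sfo-tz-01", "Country": "USA", "TimeZone": "Pacific", "State": "CA",
     "City": "San Francisco", "Firmware": "SonicOS 6.2.5", "Registered": "Yes"},
    {"Unit": "sea-nsa-01", "Country": "USA", "TimeZone": "Pacific", "State": "WA",
     "City": "Seattle", "Firmware": "SonicOS 5.9.1", "Registered": "Yes"},
    {"Unit": "den-tz-02", "Country": "USA", "TimeZone": "Mountain", "State": "CO",
     "City": "Denver", "Firmware": "SonicOS 5.9.1", "Registered": "No"},
    {"Unit": "tok-nsa-03", "Country": "Japan", "TimeZone": "JST",
     "City": "Tokyo", "Firmware": "SonicOS 6.2.5", "Registered": "Yes"},
]

# Each level is (group category, operator, value); "" means group only.
PACIFIC_VIEW = [("Country", "equals", "USA"), ("TimeZone", "equals", "Pacific"),
                ("State", "equals", ""), ("City", "equals", "")]
FIRMWARE_VIEW = [("Firmware", "does not contain", "6.2.5"),
                 ("TimeZone", "equals", "")]
UNREGISTERED_VIEW = [("Registered", "equals", "No")]


def validate_view(levels):
    """Reject views the dialog would not allow: 1 to 7 levels, known operators."""
    if not 1 <= len(levels) <= MAX_LEVELS:
        raise ValueError(f"a view needs 1 to {MAX_LEVELS} levels, got {len(levels)}")
    for category, operator, _ in levels:
        if operator not in OPERATORS:
            raise ValueError(f"unknown operator {operator!r} on level {category!r}")


def matches(unit, levels):
    """True when the unit satisfies every level that carries a value."""
    for category, operator, value in levels:
        if not value:
            continue  # group-only level
        field = str(unit.get(category, "")).casefold()
        if not OPERATORS[operator](field, value.casefold()):
            return False
    return True


def apply_view(levels, inventory):
    """Return the tree a view would show: one nesting level per view level."""
    validate_view(levels)
    tree = {}
    for unit in inventory:
        if not matches(unit, levels):
            continue
        node = tree
        for category, _, _ in levels[:-1]:
            node = node.setdefault(unit.get(category, ""), {})
        # A unit with no value for a field is grouped under "". Negative
        # operators match such units, so they surface instead of vanishing.
        node.setdefault(unit.get(levels[-1][0], ""), []).append(unit["Unit"])
    return tree


if __name__ == "__main__":
    for name, view in [("Pacific", PACIFIC_VIEW), ("Old firmware", FIRMWARE_VIEW),
                       ("Unregistered", UNREGISTERED_VIEW)]:
        print(name)
        pprint(apply_view(view, INVENTORY))
```
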

Getting Help

In addition to this manual, Cloud GMS provides on-line help resources.

To get help, complete the following steps:
1. Navigate to the page where you need help.
2. Click the Question Mark (?) in the upper right-hand corner of the window. Help for the selected page appears.

Adding SonicWall Appliances and Completing Basic Management Tasks

This section describes how to add SonicWall appliances to SonicWall™ Cloud Global Management System (Cloud GMS), register appliances, and modify management properties. It also provides an introduction to basic appliance management tasks that can be executed through SonicWall Cloud GMS.

Preparing SonicWall Appliances for Cloud GMS Management

Local configuration steps are required on the individual appliance before adding it to Cloud GMS. Refer to the desired section for the provisioning procedures:

Preparing a SonicWall Firewall

To prepare a SonicWall firewall appliance for Cloud GMS management, complete the following steps:
1. Log in to the firewall appliance. Navigate to the Log > Settings page.
2. In Syslog Servers, click Add.
3. Select a Name or IP Address object to start sending syslogs. The Cloud GMS service should be activated. Set the log in UTC format and log category.
4. Navigate to the System > Time page, and enable Display UTC in logs (instead of local time).

Adding SonicWall Appliances to Cloud GMS

Cloud GMS can communicate with SonicWall appliances through VPN tunnels, SSL, or directly over VPN tunnels that already exist between the SonicWall appliances and the Cloud GMS gateway. Cloud GMS should connect to the Aventail SMA appliance on the LAN port of the Aventail appliance. When Cloud GMS is deployed outside of the Aventail LAN subnet, management traffic must be routed from Cloud GMS to a gateway that allows access into the LAN network, and from there be routed to the Aventail LAN port.

NOTE: A SonicWall appliance might already be registered to a different MySonicWall account. In this case, the “Register to MySonicWall.com” task cannot be executed and remains in the scheduled tasks queue. To take full advantage of Cloud GMS managed appliances, it is important that either the managed appliance is not registered when it is added into Cloud GMS, or it is registered to the same MySonicWall.com account as the Cloud GMS system that is managing the appliance. Active/Active clusters of SonicWall appliances can be added to Cloud GMS simply by adding the Master cluster node. Each individual cluster node sends syslogs directly to the Master cluster node’s serial number, and Cloud GMS ends up aggregating the reports.

The following sections describe two methods for adding SonicWall appliances to Cloud GMS:

Adding SonicWall Appliances Manually

To manually add a SonicWall appliance using the Cloud GMS management interface, follow these steps:
1. Click the appliance tab that corresponds to the type of appliance that you want to add: Firewall, SMA, or Email Security (ES).
2. Expand the Cloud GMS tree and select the group to which you will add the SonicWall appliance. Then, right-click the group and select Add Unit from the pop-up menu. To not specify a group, right-click an open area in the left pane (TreeControl pane) of the Cloud GMS management interface and select Add Unit or click the Add Unit icon in the tool bar. The Add Unit dialog box appears.
3. Enter a descriptive name for the SonicWall appliance in the Unit Name field. Do not enter the single quote character (‘) in the Unit Name field.
4. If applicable, choose a Domain to add this appliance to from the Domain pull-down list.
   NOTE: Domain selection is only available to the administrator of the LocalDomain. Individual domain administrators are only able to add an appliance to their respective domains.
5. Enter the serial number of the SonicWall appliance in the Serial Number field.
6. For the Managed Address, choose whether to Determine automatically, or Specify manually. Most deployments are able to determine the IP address automatically. If you choose to specify the IP address manually, an option to Make manual address sticky is available. This retains the Manual Mode and the specified IP address is not overwritten.
7. Enter the Administrator login name for the SonicWall appliance in the Login Name field. The Administrator of the appliance can also enter a Local User or a Remote User name (as configured on the Firewall) for Cloud GMS Management. If using Local User or Remote User names, they must be included in the user list created on the Firewall.
8. Enter the password used to access the SonicWall appliance in the Password field.
9. For Management Mode, select from the following:
   If the SonicWall appliance is managed through an existing VPN tunnel or over a private network, select Using Existing Tunnel or LAN.
   If the SonicWall appliance is managed through a dedicated management VPN tunnel, select Using Management Tunnel.
   If the SonicWall appliance is managed using SSL, select Using SSL (default).
10. Enter the IP address of the managed appliance in the Management Port field.
11. For VPN tunnel management, enter a 16-character encryption key in the SA Encryption Key field. The key must be exactly 16 characters long and composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9”, and “a” to “f” (such as 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
   NOTE: This key must match the encryption key of the SonicWall appliance. You can set the key on the appliance by logging directly into it.
12. For VPN tunnel management, enter a 32-character authentication key in the SA Authentication Key field. The key must be exactly 32 characters long and composed of hexadecimal characters. For example, a valid key would be “1234567890abcdef1234567890abcdef.”
   NOTE: This key must match the authentication key of the SonicWall appliance.
13. Select the IP address of the Cloud GMS agent server that manages the SonicWall appliance from the Agent IP Address list box:
   If Cloud GMS is configured in a multi-tier distributed environment, you must select the Cloud GMS Agent whose IP address matches the IP address that you specified when configuring the SonicWall appliance for Cloud GMS management.
   If Cloud GMS is in a single-server environment, the IP address of the Cloud GMS agent server already appears in the field.
14. If Cloud GMS is configured in a multi-tier distributed environment, enter the IP address of the backup Cloud GMS server in the Standby Agent IP field. The backup server automatically manages the SonicWall appliance in the event of a primary server failure. Any Agent can be configured as the backup.
   NOTE: If Cloud GMS is deployed in a single server environment, leave this field blank.
15. To add the appliance to Net Monitor, select Add this unit to Net Monitor.
16. Click Properties. The Unit Properties dialog box appears.
17. This dialog box displays the category fields to which the SonicWall appliance belongs. To change any of the values, select a new value from the pull-down list. When you are finished, click OK. You are returned to the Add Unit dialog box.
18. Click OK. The User Privileges dialog box displays.
19. Select the user group or individual users to which read-write privileges should be assigned. Keep in mind that admins always maintain read-write privileges, regardless of your selection here.
20. Click OK. The new SonicWall appliance appears in the Cloud GMS management interface. It will have a yellow icon that indicates it has not yet been successfully acquired.
   Cloud GMS then attempts to establish a management VPN tunnel, set up an SSL connection, or use the existing site-to-site VPN tunnel to access the appliance. Cloud GMS then reads the appliance configuration and acquires the SonicWall appliance for management. This might take a few minutes.
NOTE: After the SonicWall appliance is successfully acquired, its icon turns blue, its configuration settings are displayed at the unit level, and its settings are saved to the database. A text version of this configuration file is also saved in the file <gms_directory>/etc/Prefs. In a multi-tier distributed environment, both the primary and secondary Cloud GMS Agents must be configured to use the same management method.
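An added example (not SonicWall code and not part of the original guide): a Python pre-flight check for the Unit Name, SA Encryption Key, and SA Authentication Key fields from steps 3, 11, and 12 above, which also generates random keys so the guide's published sample values are not reused. The function names, the lowercase-only rule, and the low-variety heuristic are assumptions of this example.

```python
import re
import secrets

# Lengths from the guide: 16 hex characters (encryption), 32 (authentication).
SA_KEY_LENGTHS = {"encryption": 16, "authentication": 32}
# Sample keys printed in the guide; they are public, so never deploy them.
GUIDE_SAMPLE_KEYS = {"1234567890abcdef", "1234567890abcdef1234567890abcdef"}
# The guide lists 0-9 and lowercase a-f; rejecting uppercase is this example's assumption.
HEX_RE = re.compile(r"[0-9a-f]+")


def generate_sa_key(kind):
    """Return a random hex key of the required length from the OS CSPRNG."""
    return secrets.token_hex(SA_KEY_LENGTHS[kind] // 2)


def check_sa_key(kind, key):
    """Return a list of problems with one SA key; an empty list means it passes."""
    want = SA_KEY_LENGTHS[kind]
    problems = []
    if len(key) != want:
        problems.append(f"{kind} key must be exactly {want} characters, got {len(key)}")
    if not HEX_RE.fullmatch(key):
        problems.append(f"{kind} key may contain only 0-9 and a-f")
    if key in GUIDE_SAMPLE_KEYS:
        problems.append(f"{kind} key is a sample value printed in the guide")
    elif len(set(key)) < 4:
        # Heuristic (assumption of this example): a random key of this length
        # practically never has fewer than 4 distinct characters.
        problems.append(f"{kind} key looks hand-typed (fewer than 4 distinct characters)")
    return problems


def check_add_unit(unit_name, enc_key, auth_key):
    """Pre-flight check of the Unit Name and SA key fields before filling in Add Unit."""
    problems = []
    if any(q in unit_name for q in "'\u2018\u2019"):
        problems.append("Unit Name must not contain the single quote character")
    problems += check_sa_key("encryption", enc_key)
    problems += check_sa_key("authentication", auth_key)
    if enc_key and enc_key in auth_key:
        problems.append("authentication key is built from the encryption key")
    return problems


if __name__ == "__main__":
    enc, auth = generate_sa_key("encryption"), generate_sa_key("authentication")
    print("encryption key:", enc, "authentication key:", auth)
    print(check_add_unit("branch-office-1", enc, auth) or "all checks passed")
```

The same key values must then be set on the appliance itself, as the NOTEs in steps 11 and 12 require.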

Importing SonicWall Appliances

To reduce the amount of information that you have to manually enter when adding SonicWall appliances, Cloud GMS enables you to import the saved prefs file of a SonicWall appliance.

To add a SonicWall appliance to the Cloud GMS management interface using the import option, follow these steps:
1. Right-click in the left pane of the Cloud GMS interface and select Add Unit from the pop-up menu. The Add Unit dialog box appears.
2. Enter a descriptive name for the SonicWall appliance in the Unit Name field. Do not enter the single quote character (') in the SonicWall Name field.
3. Enter the password to access the SonicWall appliance in the Password field.
4. Click Properties. The Unit Properties dialog box appears.
5. This dialog box displays fields to which the SonicWall appliance belongs. To change any of the values, enter a new value. When you are finished, click OK.
6. After you are returned to the Add Unit dialog box, click OK again.
7. Select the user group or individual users to which read-write privileges should be assigned. Keep in mind that admins always maintain read-write privileges, regardless of your selection here.
8. The new SonicWall appliance populates in the left pane. It will have a yellow icon that indicates it has not yet been successfully acquired.

Cloud GMS then attempts to establish a management VPN tunnel to the appliance, read its configuration, and acquire it for management. This takes a few minutes.

After the SonicWall appliance is successfully acquired, its icon turns blue, its configuration settings are displayed at the unit level, and its settings are saved to the database. A text version of this configuration file is also saved in:
<gms_directory>/etc/Prefs.

Managing Multiple Appliances

Cloud GMS can handle multiple appliances depending on how much SYSLOG traffic your firewalls are generating. That data determines how busy each firewall would become. Other considerations would be the number of SYSLOG categories enabled and how much reporting you might want to generate.

If the firewalls sent only heartbeats, with no additional SYSLOG reporting required, you could probably operate a single all-in-one instance of Cloud GMS and still manage up to 200 appliances. However, that scenario is not usually the case. So, a good starting place should offer some redundancy and scalability without immediately needing to add more components. That starting point might be:

1 database
3 agents
1 dedicated console

Run all of these components as Windows servers, not virtual machines. You should be sure the agents are running on servers with very fast disk IO. However, a fast disk IO is not necessary for the dedicated console and database. For the RAM and CPU, it is best to have 16GB and quad Xeon available. It’s the agents that need the power and focus.

Cloud GMS can be expanded with no other cost than the hardware to run it on. So when you see that agents seem loaded up, reports are taking a long time to mail out, and so on, additional components can be added.

Registering SonicWall Appliances

After successfully adding one or more SonicWall appliances to Cloud GMS, the next step is to register them. Registration is required for firmware upgrades, technical support, and more.

NOTE: Registering SonicWall Aventail SMA appliances from Cloud GMS is not supported.

To register one or more SonicWall appliances, follow these steps:
1. Select the global icon, a group, or a SonicWall appliance.
2. Expand the Register/Upgrades tree and click Register SonicWalls. The Register SonicWalls page appears.
3. Click Register. The Modify Task Description and Schedule page displays. Cloud GMS creates a task for each SonicWall appliance registration. The Modify Task Description and Schedule page allows you to customize the task description and set the task execution time. During the task execution, Cloud GMS registers each selected SonicWall appliance using the information that you used to register with the SonicWall registration site. After registration is complete, the task is removed from the Scheduled Tasks page and the status of the task execution is logged. To view these logs, click the Console tab. Then, expand the Log tree and click View Log.
4. If the appliance is already registered, the “Register SonicWalls” page states This appliance is registered.

Modifying Management Properties

The following sections describe how to modify management properties:

Modifying SonicWall Appliance Management Options

If you make a mistake or need to change the settings of an added SonicWall appliance, you can manually modify its settings or how it is managed.

NOTE: If a unit has not been acquired (yellow icon), you can change its management mode using this procedure. After it has been acquired (red or blue icon), you cannot change its management mode using this procedure and must reassign it.

To modify a SonicWall appliance, complete the following steps:
1. Right-click in the left pane of the Cloud GMS management interface and select Modify Unit from the pop-up menu. The Modify Unit dialog box appears.
2. The Modify Unit dialog box contains the same options as the Add Unit dialog box. For descriptions of the fields, refer to Adding SonicWall Appliances to Cloud GMS.
3. When you have finished modifying options, click OK. The SonicWall appliance settings are modified.

Moving SonicWall Appliances Between Groups

To move SonicWall appliances between groups, simply change the properties of their custom fields.

To change these properties, follow these steps.
1. Right-click on a SonicWall appliance or group in the left pane of the Cloud GMS Management interface and select Modify Properties from the pop-up menu. The Properties dialog box appears.
2. Make any changes to the categories to which the SonicWall appliance or group of appliances belongs. For information on creating categories, refer to Creating SonicWall Cloud GMS Fields and Dynamic Views.
   NOTE: If you are completing this procedure at the group or global level, all parameters are changed for all selected SonicWall appliances. For example, if you were attempting to only change the Country attribute, all other parameters would be changed as well.
3. Click OK. The SonicWall appliance(s) are moved to the new group.

Deleting SonicWall Appliances from Cloud GMS

To delete a SonicWall appliance or a group of appliances from SonicWall Cloud GMS, complete the following steps:
1. Right-click on a SonicWall appliance or group in the left pane and select Delete from the pop-up menu.
2. In the warning message that displays, click Yes. The SonicWall appliance or group is deleted from SonicWall Cloud GMS.

NOTE: After deleting the SonicWall appliance from SonicWall Cloud GMS, unprovision the unit as a best practice. To unprovision the unit, log in to the SonicWall appliance and disable SonicWall Cloud GMS management to avoid sending unnecessary syslogs to the SonicWall Cloud GMS host.

Executing Basic Appliance Management

This section provides links to locations in this guide that describe the most common appliance management tasks.

 

Common appliance management tasks

Management Task | Location
Inheriting Group Settings | Configuring Inheritance Filters
Upgrading Firmware | Upgrading Firmware
Managing Subscription Services | Configuring Security Services Settings
Manually Uploading Signatures | Manually Uploading Signature Updates
Managing Certificates | Configuring Certificates; Generating a Certificate Signing Request
Backing up the Prefs File | Configuring System Settings
Understanding Heartbeat Messages | Configuring System Settings; Configuring Log Settings