en-US
search-icon

GMS 8.3 Admin Guide

Console

Configuring Workflow

This describes how to configure Workflow in the Console > Workflow tab. With Workflow enabled, any configuration or policy changes made to SonicWall™ Global Management System (GMS) screens must go through an approval process before being considered “live.” Only after the changes have been approved, are they pushed out to the appliances. Workflow also provides for scheduling changes to be processed or executed and allows for creating approval groups - the members of which being authorized to approve the changes.

The Workflow feature (Enable or Disable) is available at the Granular level for each individual domain. The feature can be enabled or disabled on a per domain basis.

This includes the following:

Introduction to Workflow and Change Management

To begin, start by defining the members of the various policy Approval Groups (see Approval Groups in the sections that follow). These members have the final word on whether a proposed change order is approved or denied. You can create Approval Groups for each module, and those groups can exist with one or more notification users.

The process by which change orders are approved, fully approved, partially approved, or denied begins at the submission level and progresses through the various levels defined by the change approval group. By default, until defined, the approval group.

After your Approval Groups have been established for each module, you can manage change orders for approving, scheduling, and executing (or processing) proposed changes through Change Order Management (see Change order management in the sections that follow).

Settings

On the Console > Workflow > Settings page, you can enable Workflow, configure default schedule settings, and delete GMS change order data.

This section contains the following Settings topics:

Enabling Workflow

To configure the Workflow settings, complete the following steps:
1
Click the Console tab.
2
Expand the Workflow tree and click Settings. The Settings page displays.
3
Select the appropriate Domain to view corresponding settings.
4
Click Enable Workflow to activate the Workflow functionality.
5
Click Update to accept the changes you have made.

Configuring Change Order Default Schedule Settings

To configure a regular schedule to manage change orders, complete the following steps:
1
Click the radio button next to the desired instance you would like change orders to go into effect. Choose between Execute Manually, Immediate on Approval, or to change at a time you select from the pull-down menu.
2
Click Update to accept the changes you have made.

Deleting GMS Change Order Data

You can manually delete Change Orders that are more than two years old and no longer necessary. This is a one-time action that is executed based on the date selected for deletion. The delete action in this screen only purges data, tasks, and logs related to Change Orders.

To delete GMS Change Order Data, complete the following steps:
1
Click the Console tab.
2
Expand the Workflow tree and click Settings. The Settings page displays.
3
In the Delete GMS Change Order Data section, choose a date older than two years at which point to delete the outdated Change Orders.
4
Select the Domain from which to delete the Change Orders.
5
Click Update to accept the changes you have made.

Approval Groups

The following sections detail the requirements of GMS transitioning to one of the states mentioned previously:

On the Console > Workflow > Approval Groups page, you can search for specific approval groups, add, modify, or delete approval groups, or select a default approval group.

Features of the Approval Groups section include:

You can delete all the group users from a Custom Approval group but not from the “Default Approval Group.” The “Default Approval Group” should have at least one approver.

This section contains the following Approval Groups topics:

Approval Groups Search

To search for specific approval groups, complete the following steps:
1
Click the Console tab.
2
Expand the Workflow tree and click Approval Groups. The Approval Groups page displays.

3
Use the Search drop-down menu to search for a specific Approval Group Name or Description.
4
Select Equals, Starts with, Ends with, or Contains from the drop-down menu.
5
Enter the Search terms in the box and click Search.

Configuring Approval Groups

The Add New/Edit Approval Group screen allows you to select users as Approvers. You can remove added approvers from the approval group. The GMS users are listed from the users table.

To Add or Edit an Approval Group, complete the following steps:
1
Enter or change the name of your Approval Group.
2
Select the domain under the jurisdiction of this Approval Group. Options include the LocalDomain or a TestDomain.

A Default Approval Group is created for every new domain that has the domain ‘admin’ user listed as the default approver. The “Default Approval Group (DAG)” is the default approval group applicable to the different modules. The DAG cannot be deleted, it can only be edited and new users can be added as approvers or Notification users and existing users can be deleted.

Each domain admin user is able to view the Approval Groups only for that domain. Only the super admin (admin@LocalDomain) can view all the Approval Groups for all domains. The super admin can see an additional column that reveals the domain names.

3
Enter an Approval Group description in the Description field.
4
Click Add New User. This adds additional approvers and their roles to the Approval Group. Options include: Administrators and End-Users.
5
Click Add Additional User to include more users that you would like to receive notifications on approvals and other actions performed by the approvers and any changes in the state of a Change Order that would be associated with this group.
If a user-created approval group that is already associated with a change order pending approval is deleted from the system, the default approval group applicable for that screen to which the change order belongs applies. The Delete confirmation screen clearly explains that the Approval Group being deleted is currently associated with one or more unapproved change orders and that on deletion of the approval group, the system associates the Default Approval Group for that module with those change orders to which the change orders belong.
The Approval Groups page has a section where the default approval group for each module can be selected. By default, the ‘Default Approval Group (DAG)’ is the default approval group for each module. You can also set a Custom Approval Group as the default for any module.
You can also create a custom approval group with no approvers in it. There could be none or more ‘Notification’ users. However, a warning/confirmation message is shown to confirm the creation of an approval group that has no approvers or users in it.
6
Click OK.

Default Approval Group for Each Module

To set the default approval group for each module, complete the following steps:
1
Select the domain under the jurisdiction of this Approval Group to view the corresponding Default Approval Group. Options include the LocalDomain or a TestDomain.

A Default Approval Group is created for every new domain that has the domain ‘admin’ user listed as the default approver. The “Default Approval Group (DAG)” is the default approval group applicable to the different modules. The DAG cannot be deleted, it can only be edited and new users can be added as approvers or Notification users and existing users can be deleted.

Each domain admin user is able to view the Approval Groups only for that domain. Only the super admin (admin@LocalDomain) can view all the Approval Groups for all domains. The super admin can see an additional column that reveals the domain names.

2
Click Update.

Change Orders

You can add changes on any screen to create a change order. The changes can be added to existing change orders or you can create new change orders on the fly.

From the Console tab, the Workflow > Change Orders screen provides the required functions for change order management. There, you can add, edit and delete change orders.

A change order should have at least one Approval Group associated with it. The approvers in that approval group would approve the change order.

You can configure a schedule for processing or executing change orders after their approval and then create tasks for the target appliances.

Change orders can also be scheduled at the Default, or with one of three options: a) Execute Manually b) Immediate on Approval c) On a given schedule. “At.” When change orders are executed manually, click Execute Manually under Schedule for the change order. The Execute option is enabled only after the change order has been fully approved. The change order reaches the fully approved state after it is accepted by all the members of the approval group associated with the change order.

When a change order is scheduled to execute Immediate on Approval, the change order is directly picked up for processing, task creation, or execution after the change order has reached the fully approved state.

When a change order is scheduled on a particular schedule, it is picked up for processing, task creation, or execution as soon as the schedule is met, provided the change order has reached the fully approved state at that point. If a change order has not been fully approved before the schedule is met or it has lapsed, the change order cannot be implemented. The change order has to be reopened and then resubmitted with a new schedule. However, if the change order has been scheduled on a recurring schedule, it will get picked up for processing at the next scheduled occurrence only after the change order has reached the fully approved state.

Select any one of the three scheduling options as a default selection on the Workflow > Settings screen.

You can view changes made to any change order. The view functionality shows the change objects on a per screen basis.

To schedule approvals at a specific time, complete the following steps:
1
Click the radio button for At and select a schedule from the pull-down.

2
Click Add Schedule.

You can also preview a change order. The preview functionality shows a preview of the changes to be applied to the Running Configuration after a change order is selected on the screen.

The Compare option shows the difference between two change orders.

Additional Workflow and Change Order information

This section discusses additional items related to Workflow and Change Order Management.

It describes the outcome of when a unit is removed from management, a user is no longer with the company, or when a domain is deleted altogether. Each of these actions would trigger the cleanup of data.

To delete a user, complete the following steps:
1
Remove the user from the system.
2
Remove references to the approval groups in which that user took part.
a
As an Approver
b
As a Notificant
3
History regarding this user is archived and still available.
To delete a unit:, complete the following steps:
1
Remove any active or pending changes from the change orders for this unit.
2
References to this unit in Archived Change Orders are replaced with the serial number of this unit, instead of the Unit ID, which is no longer present.
3
History regarding this unit is archived and still available.
To delete a domain, complete the following steps:
1
Delete all change orders (active, pending, and processed) from the system.
2
All approval groups (including defaults) are deleted.
3
Archived Tasks, Logs, and related information are removed and no longer available.

Managing Scheduled Tasks

This describes how to configure scheduled tasks and default tasks in the Console > Tasks page.

This includes the following:

Scheduled Tasks

As you complete multiple tasks through the SonicWall™ Global Management System (GMS) UI, GMS creates, queues, and applies them to the SonicWall appliances. As GMS processes tasks, some SonicWall appliances might be down or offline. When this occurs, GMS requeues the tasks and reattempts the changes.

To view and manage pending tasks, complete the following steps:
1
Click the Console tab, expand the Tasks tree and click Scheduled Tasks.
The Scheduled Tasks page displays.

2
Each task entry contains the following fields:
Number (#)—specifies the number of the task entry.
SonicWall—specifies the name of the SonicWall appliance to which the task applies.
Description—contains a description of the task.
Creation Time—specifies the date and time the task was generated.
Scheduled Time (Local)—time the task was scheduled in the local time zone of the appliance.
Scheduled Time (Agent)—time the task was scheduled in the time zone of the agent.
No. of Attempts—specifies the number of times GMS has attempted to execute the task.
Last Error—if the task was not successfully executed, specifies the error.
SGMS User—specifies the user who created the task.
Agent—specifies the IP address of the agent. This column can accept/display IPv6 and IPv4 addresses.
3
To narrow the search, enter one or more of the following search criteria and click Start Search:
* 
TIP: You can press Enter to navigate from one form element to the next in this section.
Calendar—select the period of time for which GMS displays tasks. The pull down menu to the right enables you to specify that the date range applies to the task creation time, the local scheduled time, and the agent scheduled time.
SonicWall Node—displays all tasks associated with the specified SonicWall appliance.
Description contains—displays all tasks that contain the specified text.
Owner—displays all tasks with the specified owner.
Task ID—displays the task with the specified task ID.
4
To execute one or more scheduled tasks immediately, select their check boxes and click Execute the tasks selected now. You can also select al l of the tasks on the page by checking Select Only the 10 Tasks Displayed Above, or select all tasks by checking Select All Pending Tasks.
5
To reschedule one or more pending tasks for another time, select their check boxes and click Re-schedule the tasks selected. The GMS Date Selector dialog box displays.

6
Select a new date when the task executes and click OK. The dialog box closes and the task executes at the selected time.
* 
NOTE: The task(s) executes based on the time setting of the SonicWall GMS agent server, UTC, or local browser's time.
7
To delete one or more tasks from the list of pending tasks, select their check boxes and click Delete the tasks selected. To delete all pending tasks, select Select all Tasks and click Delete the tasks selected.

Default Tasks

The Defaults Tasks page allows the Super Administrator to configure the default tasks that are executed when adding new units or on existing units in the GMS deployment. These tasks can also be manually executed on existing units on-demand.

Deployment Considerations

Consider the following before managing the default tasks:

Upgrading from older versions of GMS to GMS 8.0 migrates all the existing units according to the selected default tasks.
Enable the desired Name Resolution Method to match your current GMS setup.

Managing the Default Tasks

To view and manage default tasks, complete the following steps:
1
Navigate to the Console > Tasks > Default Tasks page.

2
Search for tasks by using the Default Tasks Search section. Select search criteria from the following:
Description
Equals
Starts with
Ends with
Contains
Type of Units
Firewalls
SMAs
Aventail SSL-VPNs
ESs
Task created during
Any Time
Add Unit
Enabled
Yes
No
3
Select the desired default tasks from the Default Tasks list, or click the check box at the top of the list to select all the tasks.
* 
NOTE: Certain tasks are grouped under one task, and only one of the sub-tasks can be selected from within this category. If the category is disabled, sub-tasks are all disabled as well.
4
Enable or disable configured tasks by selecting/deselecting the check boxes in the Enable column. Click Update after your changes are made.
5
To execute the selected tasks for the chosen units, click the Arrow icon in the Execute column. Or click the Execute link at the bottom of the page to configure multiple selected tasks.

The Select Units pop-up window displays.

6
Click Execute only if previously not applied or Execute even if previously applied.

The Execute method selects how you want to execute the tasks for the selected units. This is used to handle situations where a combination of tasks might or might not have run because of the state of the tasks selected after the units were added to the system. When a unit is added to the system, the default tasks are executed against the unit. Depending on the type of unit, firmware version, and the selected defaults at that point of time, some or all of tasks are executed. If a task did not run when a unit (considering the version, type, and so on) was added or at a later time after adding, the pending tasks are automatically applied when the unit properties change. It is also possible to complete a “force execute” on all units, regardless of whether or not they have been previously executed to ensure that the task changes the settings exactly as requested.

7
Click Execute the default tasks on all units in the system or Execute the default tasks on the following selected units.

Unit selection allows the user to pick either all units in the system or selective units from each of the appliance types supported.

Either way, the tasks selected are applied only on units that match the default tasks’ properties which are related to Model, Firmware Version, Appliance Type, and so on.

Tasks CANNOT be Edited or Deleted. The management interface only allows execution of selected tasks against the specified units.

Configuring Log Settings

This describes how to configure Log Settings. This includes adjusting settings on deleting log messages after a certain period of time, and setting criteria for viewing logs.

This includes the following:

Configuring Log Settings

In the Log > Configuration screen, you can delete or archive SonicWall™ Global Management System (GMS) log messages. The Archive process archives the data to the “archivedLogs” directory as per the Archive Log Schedule, before the data is deleted from the database.

* 
NOTE: For UMH deployments, to offload the archived log files to a local drive, login to the /appliance management interface, then navigate to the System > File Manager page.

To configure Log settings, select between the following options:

Delete Log Messages Older Than — Select the month, day, and year, and then click the Delete link.
Enable Archive — Select this check box to enable GMS log message archiving.
Archive GMS log messages for — Select the number of months to archive log messages.
Max Num of Log Message Files — Select the maximum number of monthly archive files kept in the achivedLogs folder.
Delete Data Every — Select a reoccurring day and time to delete data.
Archive Format — Select the type of format to archive the GMS log messages. Choose between CSV or HTML.
Update — Click Update after your settings are selected.
* 
NOTE: The archive process first archives the data to the archivedLogs directory as per “Archive Log Schedule” and then the data is deleted from the database.

Configuring Log View Search Criteria

The GMS log keeps track of changes made within the GMS UI, logins, failed logins, logouts, password changes, scheduled tasks, failed tasks, completed tasks, raw syslog database size, syslog message uploads, and time spent summarizing syslog data.

To view the GMS log, complete the following steps:
1
Click the Console tab, expand the Log tree, and click View Log. The View Log page displays.

2
Each log entry contains the following fields:

#—specifies the number of the log entry.
Date—specifies the date of the log entry.
Message—contains a description of the event.
Severity—displays the severity of the event (Alert, Warning, or FYI).
SonicWall—specifies the name of the SonicWall appliance that generated the event (if applicable).
User@IP—specifies the user name and IP address.
3
To narrow the search, configure some of the following criteria:
* 
TIP: You can press Enter to navigate from one form element to the next in this section.
Select Time of logs—displays all log entries for a specified range of dates.
SonicWall Node—displays all log entries associated with the specified SonicWall appliance.
GMS User—displays all log entries with the specified user.
Message contains—displays all log entries that contain the specified text. This input field provides an auto-suggest functionality that uses existing log message text to predict what you want to type. It fills in the field with the suggested text and you can either press Tab to accept it or keep typing. Different suggestions appear as you continue to type if log messages match your input.
Severity—displays log entries with the matching severity level:
All (Alert, Warning, and FYI)–where FYI mean “For Your Information”
Alert and Warning
Alert
Select Match case to make the SonicWall Node, GMS User, and Message contains search fields case sensitive.
Select one of Exact Phrase, All Words, or Any Word.
Exact Phrase matches a log entry that contains exactly what you typed in the Message contains field
All Words matches a log entry that contains all the words you typed in the Message contains field, but the words can be non-consecutive or in any order
Any Word matches a log entry that contains any of the words you typed in the Message contains field
4
To view the results of your search criteria, click Start Search. To clear all values from the input fields and start over, click Clear Search. To save the results as an HTML file on your system, click Export Logs and follow the on-screen instructions.
5
To configure how many messages are shown per screen, enter a new value between 10 and 100 in the Show Messages Per Screen field. (default: 10). Click Next to display the next page, or click Previous to display the preceding page.
6
To jump to a specific message, enter the message number in the Go to Message Number field.

Configuring Console Management Settings

This describes the settings available on the SonicWall™ Global Management System (GMS) Console tab in the Management section and describes the settings available on the Console tab in the Management section. The following is found:

Configuring Management Settings

On the Console > Management > Settings page, you can configure email settings, enable automatic preferences file backup, enable reporting, configure GMS to synchronize with managed units, configure Enhanced Security Access (ESA) settings, enable management of SMA and ES devices, configure GMS for manual signature uploads, download GMS CLI Client, and enable Data Privacy Settings for Reports

This section contains the following Settings topics:

GMS Settings

The GMS Settings allow you to show or hide the SMA and Email Security tabs. This section is only visible to administrators @LocalDomain, such as Super Admins.

Configuring Email Settings

An SMTP server and an email address are required for sending GMS reports.

If the Mail Server settings are not configured correctly, you will not receive important email notifications, such as:

System alerts for your GMS deployment performance
Availability of product updates, hot fixes, or patches
Availability of firmware upgrades for managed appliances
Alerts on your managed appliances’ status
Scheduled Reports
To configure these email settings, complete the following steps:
1
Click the Console tab.
2
Expand the Management tree and click Settings. The Settings page displays.

3
Click any additional management tabs for servers you would like to enable including tabs for Secure Mobile Access (SMA) or Email Security (ES). The servers should be restarted for this change to take effect.
4
Type the IP address or the FQDN of the Simple Mail Transfer Protocol (SMTP) server into the SMTP Server field. This server can be the same one that is normally used for email in your network. Type in the SMTP Port number to use for email service. This field can accept/display IPv4 and IPv6 addresses.
5
Click Use TLS if you would like to use Transport Layer Security (TLS) for your mail server connectivity, such as for Gmail or Office365. TLS ensures privacy between you and communicating applications on the Internet, and that no third-party can eavesdrop or tamper with your messages.
6
If the SMTP server in your deployment is set to use authentication, click Use Authentication. This option is necessary for all outgoing GMS emails to properly send to the intended recipients. Enter the username in the User field, and enter/confirm the password in the Password and Confirm Password fields. This is the username/password that is used to authenticate against the SMTP server.
7
Enter the email account name and domain that appears in messages sent from the GMS into the GMS Sender’s e-Mail Address field.
8
Enter the email account name and domain that appears in messages sent from the GMS into the GMS Administrator e-Mail Address field. You can use User Authentication for this user by checking the box.
9
When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.

Configuring Prefs Backup Settings

You can have the system automatically save your firewall preferences files on a regular basis. This includes the addunit.xml file that contains information about the units under GMS management.

To configure the prefs file settings:

1
Click the Console tab.
2
Expand the Management tree and click Settings. The Settings page displays.

3
Select Daily or Weekly in the Automatically save prefs file & addunit.xml field, and select a day of the week (if weekly) and a time. This determines how often GMS automatically saves the preferences and addUnit.xml files.
4
To automatically save the VPN Gateway Preferences files for SonicWall appliances, select Automatically save VPN Gateway Settings file.
* 
NOTE: The Enable Settings File Backup option must also be selected on the Firewall > Policies > System > Settings screen.
5
The Create AddUnit XML File link can be used to manually create an AddUnit XML file of the system that can then be imported into another GMS system if necessary, such as during GMS migration. To create an addUnit.xml file to track all units under management, click Create AddUnit XML File.
6
When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.

Enabling Reporting and Synchronization with Managed Units

By default, GMS Reporting is enabled.

To enable or disable GMS Reporting, complete the following steps:
1
Click the Console tab.
2
Expand the Management tree and click Settings. The Settings page displays.
3
To enable GMS Reporting, select Enable Reporting. To disable it, deselect Enable Reporting (default: Enabled).
4
To configure GMS to automatically synchronize with the local changes made to the SonicWall appliances, select Enable Auto Synchronization.

Managing Signature Uploads Manually

1
For SonicWall appliances that do not have direct access to the Internet, you can instruct GMS to download updates to security service signatures. To do so, in Console > Management > Settings, click Manage signature uploads, as shown in the following image.

2
Select one of the following radio buttons:
Manually upload latest signatures to firewalls
Automatically upload latest signatures to firewalls
(optional) Upload latest signatures on subscription status change. This option is available when Manage Signature Uploads is enabled.
* 
NOTE: When updated signatures have been downloaded to the GMS, you must then manually upload them to the SonicWall appliances. This action is completed on the Policies > System > Tools page. When there are new signatures to be uploaded, Upload Signatures Now appears on the Tools page. Click this button to manually upload the signatures.
3
When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.

Command Line Interface (CLI) Client

The CLI client can be downloaded to allow running scripts on a secure server. To download the CLI Client, in Console > Management > Settings, click Download CLI Client, as shown in the following image.

For more information on using the GMS CLI, see Using the SonicWall GMS CLI.

Enhanced Security Access Settings

SonicWall’s Enhanced Security Access (ESA) feature allows for greater granular control of user access across a GMS network, which is applicable for installations that must comply with stringent regulatory compliance and account management controls as found in such standards as Payment Card Industry (PCI), SOX, or HIPAA.

* 
NOTE: Enhanced security settings are also available in your browser. For information, refer to Browser Requirements.

GMS supports these data security standards by providing support for encryption of all passwords and any pre-shared secrets in the database. This includes VPN Security Association pre-shared secrets, encryption keys, authentication keys, and passwords. The following passwords are encrypted in GMS:

GMS gateway password
SonicWall firewall appliance passwords for managed units
Guest account password
LDAP and RADIUS passwords

Enhanced security compliance also requires a password rotation feature. GMS supports password rotation requirements, including several changes in the management interface. These changes occur on the Console tab, in the Management > Settings screen and in all screens accessed from the Management > Users screen.

To turn on password security enforcement in GMS:

1
In the Management > Settings screen, select Enforce Password Security.
2
In the Number of failed login attempts before user can be locked out field, enter a value. The default is 6.
3
In the User lockout minutes field, enter a value. The default is 30. This is the number of minutes that a user will not be able to log in to GMS after failing to log in correctly for the specified number of attempts.
4
In the Number of inactive days to mark user for deletion field, enter a value. The default is 90. The user’s account is deleted if it is not used for the specified number of days.
5
In the Number of days to force password change field, enter a value. The default is 90. GMS prompts the user to change his password after the specified number of days.
6
When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.

Enabling Data Privacy Settings

The Reports Privacy feature allows a GMS Super Admin to configure the GMS system to mask all IPs, user names, and host names in Reports.

Consider the following before enabling the Data Privacy settings:

The Data Privacy setting is a system wide setting, and cannot be granularly set for each unit or each domain separately.
This feature applies only to the Reports under the Reports tab and Live Monitor/Syslog Viewer pages in the Monitor tab. It does not apply to other places in the GMS UI that could have IPs, usernames, and so on. This means the following are not included:-
Policy Tab screens
Console Tab screens such as Console > Logs.
Requires a double-authentication mechanism to unmask identities.
Unmasking reports through double-authentication is only for on-demand management interface based reports. Other reports, such as Scheduled Reports or Webservices based reports, are sent masked if the global system setting is set for Reports Privacy. The only way to view actual IPs in the Scheduled Reports is by disabling the privacy feature at system level.
IPs, Hostnames and User Names are masked for any “private” IPs (such as subnets 192.168.255.255, 172.31.255.255, 10.255.255.255). This happens for both Initiators and Responders, in the Grids and Charts.
This feature is available only for firewall reports, and not for SMA reports
The masked entries do not allow the one-click mechanism to add it to the Filter bar.
Filter Bar does not allow adding Initiators and Responders filters.
Any Custom Report that has Initiators or Responders does not generate a report.
The User Activity report does not generate reports.
Scheduled Reports always has the above information masked;
Scheduled Reports containing Custom Reports that have Initiators or Responders will not generate any Customer Report data.
To enable the Data Privacy Settings, complete the following steps:
1
Navigate to the Console > Management > Settings page.
2
Click Enable Data Privacy, and then click Update.

The IPs, user names, and host names are now masked in the reports.

* 
NOTE: Privileges to unmask reports can be set for designated users if the Super Admin or User changes the Action Permissions to “Can Unmask Reports.” Those users can then click the Unmask icon while viewing a masked report, enter their credentials, and the report displays unmasked. See Configuring Action Permissions and Unmask Reports for more details.

Domains

A Domain in GMS is a logically bound collection of users, authentication servers, managed appliances, policies and reporting data, alerts and all other related data in manner such that the contents in a domain are only visible within the boundaries of the domain. Data from one domain is not visible to users in other domains. Only the SuperAdmin user can create new domains and can view and edit information from all the domains in the system. All other admin users of each domain have the privilege of managing their own domains in GMS.

This section describes the following GMS Settings topics:

About Domains

In addition to a built in LocalDomain with a LocalAuthServer for authentication of users, GMS is able to access and authenticate against popular third-party systems including Active Directory, RADIUS and LDAP in a transparent fashion. By default, GMS maintains its own locally stored database for authentication purposes. This is also referred to as the “LocalAuthServer.” GMS also allows simultaneous third-party database authentication that makes use of your existing (and separately maintained) database system(s).

* 
NOTE: Although GMS supports the use of multiple external authentication mechanisms for a single domain, only one instance of a local GMS authentication server — the default GMS “LocalAuthServer” — can exist for each domain.

The user hierarchy of your database (either GMS or third-party) determines what a user’s view consists of, and what data they are able to access and/or modify. In the case of Active Directory servers, GMS has the ability to limit access to only specified groups of users. If this functionality is desired, the target groups must be specified.

Creating a New Domain

By default, a GMS domain stores user account/passwords/permissions locally inside the GMS database. When users attempt to access resources in GMS, they are authenticated against this local database that determines what their view consists of and data they are able to access and/or modify.

The following procedures assist you in creating a new domain, including configuring that domain to use LDAP/AD/RADIUS for authentication, if required.

* 
NOTE: Every instance of GMS installs with a default domain, named “LocalDomain” even before a domain is created by the administrator. Users of new admin-created domains do not have the ability to view data in other domains.

To create a new domain:

1
Login as the Administrator of the LocalDomain on the SonicWall GMS Login Screen.
2
Navigate to the Console > Management > Domains page. You will see a default LocalDomain. To create a new domain in SonicWall GMS, click Add Domain to complete the configuration parameters for the new remote domain.

3
Under Name, type in the desired name for the remote domain. This name is visible on the Domain pull-down list on the SonicWall GMS Login screen.
4
For Default Admin User, specify a valid user account -- this is the default admin account created for the domain. Note that this username must exist in your third-party server, and has administrative privileges in GMS for the newly created domain.
5
Enter a friendly name, or Alias for this new Domain.
6
Check the Add an auth server option to enable third-party authentication for this domain.
* 
NOTE: If your new domain uses only local (GMS) database for user authentication, configuration is complete after this step.If you are planning to authenticate using an existing third-party database, continue to Configuring LDAP or AD Authentication.

Configuring LDAP or AD Authentication

If you are configuring this domain for use with external LDAP or AD authentication, complete the following steps:
1
Be sure to complete the basic setup procedures in Creating a New Domain before continuing.
2
Enter a descriptive name of the Auth Server that would be created. This name will be useful in manage the different authentication servers in the domain.
3
Select the Host Type. Choose between LDAP server, Windows Active Directory, or a RADIUS server.
4
The Host Name can either be specified as the IP Address of the remote server, or the fully-qualified domain name. This field can accept/display IPv4 and IPv6 addresses.
The authentication server’s Global Catalog can be set as a Host in case of a complex directory structure. If using the Global Catalog, SonicWall GMS is able to search through the directory and through all its children nodes.
5
In the Authentication Port field, specify the value of the port number on which the third-party server listens for authentication requests.
* 
NOTE: The default Authentication Port for LDAP or AD servers is 389. To reach an AD server’s global catalog, use port 3268.

6
Select which Protocol Version the remote server is running on.
7
The Base Distinguished Name (Base DN) is used to identify the root entry in the directory from which SonicWall GMS will execute searches. This should be the node in the authentication system under which all SonicWall GMS users are present. The value is specified as a distinguished name (for example, dc=gmseng,dc=com).
8
Click Use SSL to use SSL when connecting to the remote server. If you check this check box, you will need to specify the SSL Port on which the remote server is listening for bind requests. By default, this is 636. If connecting to an AD server’s global catalog, use port 3269.
* 
NOTE: SonicWall recommends using SSL with remote domains. The Certificate Authority (CA) or Root certificate of the LDAP server needs to be imported into GMS JRE using the keytool command.
9
Only select Anonymous Login if the authentication system is configured to allow anonymous binds. This option makes the Admin User ID irrelevant. This is not a recommended setting as it reduces security.
10
The Login User Distinguished Name is used to authenticate to the third-party server when completing the initial bind. This value is specified as a distinguished name. Type in the matching password for the Login Password field.
* 
NOTE: The Login User Distinguished Name need not correspond with the Admin User ID, but both must exist in the third-party server. The Login User Distinguished Name can be found using any LDAP Browser Tool.
11
In the Connection Timeout field, specify the connection timeout period (in milliseconds). After the Settings screen is completed, click the Schema screen to continue setup of the new remote domain.
12
Under LDAP Schema, select which LDAP Server you are using from the pull-down list. Each selection in this list fills in the remaining fields on the Schema screen with default values.
* 
NOTE: If the server you are using is not specified in the default list, click User Defined to configure your own values and settings.
13
Optional, for AD servers only: Select Allow Only AD Group Members. Then specify which groups are allowed to login to GMS from this remote domain. Multiple groups can be specified if they are separated by a semi-colon. All users that are members of the specified AD group must be present below the Base DN that was specified in the settings pane.

14
Click OK.
Configuring RADIUS Authentication

Configure a RADIUS server for authentication in your domain:

Be sure to complete the basic setup procedures in Creating a New Domain before continuing.

Configuring the Settings Tab

1
Check the Add an auth server option to enable authentication by a third-party server.
2
Enter a descriptive name of the Auth Server that would be created. This name will be useful in manage the different authentication servers in the domain.
3
Choose RADIUS as the Host Type.
4
Enter the Host Name (or IP address) of the RADIUS server you wish to use for authentication.
5
Enter the Authentication Port on which the RADIUS server listens for requests. The default Authentication Port is 1812.
6
Enter the Shared Secret to be used between GMS the RADIUS server.
7
Enter the Authentication Protocol used by your RADIUS installation.
* 
NOTE: SonicWall GMS supports PAP, CHAP, MSCHAP, and MSCHAPv2 protocols for RADIUS authentication.
8
Enter the RADIUS Timeout (Seconds), this specifies the amount of time GMS waits before giving up — or retrying — the authentication attempt. The number of retries is specified next. The default value is 10 seconds.
9
Enter the Max Retries, this specifies the number of times GMS attempts to authenticate with the RADIUS server before aborting the attempt. The default value is three tries.
10
Fill in the Host Name, Authentication Port, and Shared Secret values for your backup RADIUS server, if available.

Configuring the User Groups Tab

11
Check the Allow Only Radius Group Members option if you plan to limit GMS access to members of select groups. The specific groups are specified later in this tab.
12
If configured, select the Use SonicWall Vendor specific attribute on RADIUS Server option to use SonicWall-user-group, and SonicWall-user-groups as RADIUS user group identifiers for GMS authentication.
13
If the RADIUS server is configured to return the ‘Filter-ID’ attribute with each user ID, select the Use Filter-ID attribute on RADIUS Server option. Henceforth, this value is used as the RADIUS user group identifier.
14
Enter the Allowed RADIUS Group(s), separated by a semi-colon “;”. This field specifies groups, the members of which are allowed to access GMS resources.

Verifying Administrator Third-Party Authentication Configuration

Under the Test page, you are able to test and verify the remote domain configurations entered on the Settings screen. If there are any errors in your configurations, this screen alerts you and provides information on how to correct them.

To test the third-party authentication feature, specify the credentials of any user in the domain and click Test.

You will also see the new domain (local and remote) you have created under Console > Management > Domains of SonicWall GMS. To confirm the configurations for each domain, click the icon to view or change these settings.

Verifying Third-Party Authentication Server Configuration

If the login was successful, the user is automatically directed to the SonicWall GMS Dashboard default page. At the top of the page, SonicWall GMS no longer displays the user’s status as Guest.

Editing a Domain

Any admin-created domain can be edited after initial creation. To create a new domain:

1
Login as the Administrator of the LocalDomain on the SonicWall GMS Login Screen.
2
Navigate to the Console > Management > Domain page. To delete a domain in SonicWall GMS, select the check box corresponding to the domain you wish to delete and click Edit Domain.
* 
NOTE: The default LocalDomain which comes pre-installed with GMS systems cannot be edited or deleted.

Users

To operate in complex environments, GMS is designed to support multiple users, each with his or her own set of permissions and access rights. This section contains the following subsections:

* 
NOTE: If you do not want to restrict access to SonicWall appliances or SonicWall GMS functions, but want to divide SonicWall GMS responsibility among multiple users, use views to provide specific criteria to display groups of SonicWall appliances. Depending on the type of task they are trying to complete, users can switch between these views as often as necessary. For more information, refer to Configuring Action Permissions.
* 
NOTE: All of the user configuration options are available through the command-line interface. For more information, refer to the GMS Command-Line Interface Guide.

Creating User Groups

A user group (or user type) is a group of GMS users who complete similar tasks and have similar permissions.

GMS provides three pre-configured groups:

Administrators—Full view and update privileges.
End Users—No privileges.
Guest Users—No privileges.
Operators—View privileges only.
To create a new group, complete the following steps:
1
Click the Console tab, expand the Management tree and click Users. The General Page of the User screen displays.
2
In the middle pane, right-click End Users and select Add User from the pop-up menu. The Add User dialog box displays.
3
In the dialog box, enter the name of the new user, a password, confirm the password, and then click OK. The new user is added to the list under End Users.
4
In the right pane, enter any comments regarding the new user group in the Comments field.
5
Select a default view for the new user group from the Default View pull-down menu. This view is displayed for members of the user group when they first log in to GMS.
6
To force all users in the user group to change their passwords, select Change Password.
7
To delete the user when they become inactive, select Delete Inactive.
8
To set a date when the user type will become inactive, click in the Active Until field and then select a date from the popup calendar.
9
To keep the user type active at all times without an end date, select Always Active.
10
Select the schedule for when the user group is active from the pull-down list in the Schedule field.
11
Click Update. The new user group is added. By default, the new group has no privileges. To configure screen access settings, refer to Moving a User.

Adding Users

This section describes how to create a new user. Although the user inherits all group settings, individual user settings overrides the group settings.

To add a new user, complete the following steps:
1
Click the Console tab, expand the Management tree and click Users. The General Page of the User configuration screen displays.

2
In the middle pane, right-click Administrators, End Users, or Guest Users and select Add User from the pop-up menu. The Add User dialog box displays.
3
In the dialog box, enter the name of the new user, a password, confirm the password, and then click OK. The new user is added to the list under End Users.
4
In the right pane, enter any comments regarding the new user group in the Comments field.
5
Select a default view for the new user group from the Default View pull-down menu. This view is displayed for members of the user group when they first log in to GMS.
6
To force all users in the user group to change their passwords, select Change Password.
7
To delete the user when they become inactive, select Delete Inactive.
8
To set a date when the user type will become inactive, click in the Active Until field and then select a date from the popup calendar.
9
To keep the user type active at all times without an end date, select Always Active.
10
Select the schedule for when the user group is active from the pull-down list in the Schedule field.
11
Click Update. The new user group is added. By default, the new group has no privileges. To configure screen access settings, refer to Moving a User.
12
From the General tab, select the new user.
13
Enter the full name of the user in the Name field.
14
Enter contact information for the user in the Phone, Fax, Pager, and Email fields.
15
Select the default view for the user from the Default View list box.
16
Enter any comments regarding the new user in the Comments field.
17
Check SuperAdmin to enable privileges for this user across all domains.
* 
NOTE: By default, permissions for users exist only within the domain to which they belong. By checking the SuperAdmin option, permissions are extended across all domains.
18
Enter the number of minutes that the user can be inactive on his computer before the session times out in the Inactivity Timeout field. Enter -1 to never time out.
19
To change the password for the user, type in the password in the New Password field, and then type it again in Confirm Password.
20
To disable the user without deleting the entire entry, select Account Disabled.
21
To force the user to change his password, select Change Password.
22
To delete the user when the account becomes inactive, select Delete Inactive.
23
To set a date when the user becomes inactive, click in the Active Until field and select a date from the popup calendar.
24
To keep the user active without an end date, select Always Active. If this is selected, the date in the Active Until field is ignored.
25
Select a schedule when the user is active from the pull-down list in the Schedule field.
26
Do one of the following:
Click Inherit Permissions from Group. The user inherits the permissions from the group that you right-clicked to begin this procedure.
Click Update. The new user is added. You must configure the user’s permissions. See Moving a User and Configuring Appliance Access.
Click Reset to change all fields in this screen to their default values and start over.
* 
NOTE: To temporarily disable a user account, select Account Disabled and click Update.

Moving a User

When new users log in to SonicWall GMS for the first time, they are considered guest users and have only limited access.

To change a SonicWall GMS user’s group:

1
Log in as the remote domain’s administrator.
2
Navigate to the Console tab.
3
Navigate to the Management > Users page.
4
Select the user to be moved from the user list.
5
Right-click the user's name in the user list and select Move User from the context menu.
6
In the Move User dialog box, select the appropriate new level for the new user, and select Inherit permissions defined from the new user type permission.

7
Click OK.

Configuring Screen Access

The Screen Permissions page contains a hierarchical list of all screens that appear within GMS. From this screen, you can control access to individual screens or all screens within a section. This includes permissions for users or groups to view, or view and update reports.

* 
NOTE: By default, a new user group has no privileges.
To configure screen access settings for a user or user group, complete the following steps:
1
Navigate to the Console > Management > Users configuration screen.
2
Select a user or user group under All Users.
3
Click the Screen Permissions tab.
4
Under All Screens, select a panel, section, or screen. For example, for REPORTS_PANEL, you can select the whole panel, the unit type section such as Firewall, SMA, or Email Security (ES), the group of reports for that type of unit, or the individual report or screen for which you want to set permissions.

On the right side of the pane, select from the following:

To prevent any access to the object, select None.
To allow view only access, select View Only.
To allow the user or group to make updates only for unit-level screens and not for group-level screens, select Update At Unit Level Only. This option is only available for objects in the Policies and Reports panels.
To allow the user or group to make updates at the unit level screens as well as one level up, select Update At Unit and One Level Up.
To update all levels, click Update At All Levels.
5
Click Update to apply the permission changes.
6
You might see a warning screen if you are applying permission changes to a group, verify that you wish to apply these changes to the group and all users within that group and click OK.

The panel object is now preceded by a .
 
* 
NOTE: The more specific settings override the more general settings. For example, if you select View Only for the Status group of reports and select None for the Up-Time over Time report, then the selected user only sees the Up-Time Summary report in the Status reports and have View Only permission for that report.
7
To clear all screen settings and start over, click Reset.
8
When finished, click Update.

Configuring Appliance Access

The Appliance Permissions page contains a hierarchical list of all SonicWall appliances that appear within GMS. From this screen, you can control access to SonicWall groups or individual SonicWall appliances.

To configure appliance access settings for a user, complete the following steps:
1
Open the Users configuration screen.
2
Select a user.
3
Click the Unit Permissions tab.

4
Select a View from the Views pull-down menu.
5
To provide the user with access to a SonicWall group or appliance, select a SonicWall group or appliance in the left pane of the window and move it to the right pane using the arrow. The group or appliance displays in the right pane.
6
Repeat Step 5 for each group or appliance to add.
7
To prevent the user from accessing a SonicWall group or appliance, select the group or appliance in the right pane of the window and move it to the left pane. The group or appliance is deleted from the right pane.
8
Repeat Step 7 for each group or appliance to remove.

Configuring Action Permissions

The Action Permissions tab contains a list of action and view options that can be enabled/disabled for a group or user.

To configure the action permissions, complete the following steps:
1
Navigate to the Console > Management > Users page.
2
Select the user or group.
3
Click the Action Permissions tab.

4
Select the unit actions you wish to be available for the group or user in the Units section.
 

Available Units actions

Name

Description

Add Unit, Modify Unit, Delete Unit

Add, delete, or modify the GMS management specifications of managed units.

Rename Unit

Renames the unit.

Login to Unit

Gains access to the managed unit’s interface through the GMS.

Modify Properties

Modifies the properties of the managed units.

Re-assign Agents

Moves units between the agents.

5
Select the view options you wish to be available for the group or user in the Views section:
 

Available Views options

Name

Description

Manage View

Alters the properties of views.

Change View

Change between views.

6
Select the Dashboard options for the group or user.
 

Available Dashboard options

Name

Description

Show Universal Dashboard

Makes the Universal Dashboard visible to the selected user or group.

Change Geo View

Changes the Geo view of the Dashboard map.

Modify Geo Location

Changes the location of the view on the Dashboard map.

Show Universal Scheduled Reports

Makes the Universal Scheduled Reports available to the selected user or group.

7
Select any remaining options for the group or user in the Others section:
 

Other options

Name

Description

Enable CLI

Manage using the command line interface (CLI).

Use Web Services

Configure and use the Web Services feature.

Show ‘Switch’ link

 

Can unmask reports

 

8
Click Update.

Custom Groups

The GMS uses an innovative method for organizing SonicWall appliances.

SonicWall appliances are not forced into specific, limited, rigid hierarchies. Simply create a set of fields that define criteria (for example, country, city, state) that separate SonicWall appliances. Then, create and use views to display and sort appliances on the fly.

Creating Custom Fields

When first configuring GMS, you must create custom fields that are entered for each SonicWall appliance. GMS supports up to ten custom fields.

* 
NOTE: Although SonicWall GMS supports up to ten custom fields, only seven fields can be used to sort SonicWall appliances in any view.

GMS is pre-configured with four custom fields: Country, Company, Department, and State. These fields can be modified or deleted.

To add fields, complete the following steps:
1
Click the Console tab, expand the Management tree and click Custom Groups.

2
Right-click Custom Groupings in the right pane.
3
Select Add Category from the pop-up menu.
4
Enter the category name of the first field such as Department.
5
Enter a Default Value, such as Engineering.
6
Click OK.
7
Select the newly created field and select Add Group from the pop-up menu.
8
Enter the name of the new field.
9
Repeat Steps 6 through 8 for each field that you want to create. You can create up to ten fields.
* 
NOTE: Although the fields appear to be in a hierarchical form, this has no effect on how the fields will appear within a view. To define views, see Configuring Action Permissions.

To delete fields, right-click any of the existing fields and select Delete Category from the pop-up menu.

Configuring Management Sessions

The Sessions page of the Management section of the GMS Console allows you to view session statistics for currently logged in GMS users and to end selected sessions.

Managing Sessions

On occasion, it might be necessary to log off other user sessions.

To do this, complete the following steps:
1
Click the Console tab, expand the Management tree and click Sessions. The Sessions page displays.

 
2
When more than one session is active, a check box is displayed next to each row. Select the check box of each user to log off and click End selected sessions.The selected users are logged off.

* 
NOTE: This page can accept/display IPv4 and IPv6 addresses.

Schedules and Group Schedules

The Schedules page allows you to create and manage schedules and schedule groups for enforcing schedule times.

Managing Schedule Groups

The Group Schedules table displays all your predefined and custom schedules. In the Group Schedules table, there are four default group schedules from which to choose: Daily 24x7, Weekdays 24x7, 8x5 Work Hours, and Weekend Hours.

A group schedule can include multiple day and time increments for rule enforcement with a single schedule. If a schedule includes multiple day and time entries, a right-arrow button appears next to the schedule name. Clicking the Expand icon expands the schedule to display all the day and time entries for the schedule.

You can modify these group schedules by clicking the Edit icons in the Configure column to display the Edit Schedule Group window.

Adding Schedule Groups

To create a schedule group, complete the following steps:
1
On the Console > Management > Schedules page, click Add Schedule Group. The Add Schedule Group page is displayed.

2
Enter a descriptive name for the group schedule in the Name field.
3
Enter a group schedule description in the Description field.
4
Click Visible to Non-Administrators if you would like to make the schedule viewable by the public.
5
By clicking once on the desired Schedule time descriptions, use the arrow keys to move them into the right field. These are the parameter that will be used in your schedule group range.
6
Click Update to group the entries into one named schedule.

Deleting Schedule Groups

To delete a schedule group, complete the following steps:
1
Select the check box next to the name of the group you would like to delete.

All subordinate check boxes are selected when you click the Schedule Name. Expand the group arrow if you would like to delete individual entries from the group.

2
Click Delete Schedule Group(s)/Remove Schedule(s) from Group.
3
Confirm the deletion by clicking OK on the window that appears.

Managing Schedules

The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are several default schedules you can use or modify.

You can modify these schedules by clicking the Edit icons in the Configure column to display the Edit Schedule window.

Adding Schedules

To create a schedule, complete the following steps:
1
On the Console > Management > Schedules page, click Add Schedule. The Add Schedule page is displayed.

2
Enter a descriptive name for the schedule in the Name field.
3
Enter a schedule description in the Description field.
4
Click Visible to Non-Administrators if you would like to make the schedule viewable by the public.
5
Click Disable to take the schedule offline but still available for use later when activated.
6
Click Invert to
7
Select one of the following radio buttons for Schedule:
One-time occurrence – For a one-time schedule at the configured Date and Time.
Recurrence – For schedules that occur repeatedly during the same configured hours and days of the week, with no start or end date. When selected, the fields under Recurring become active, and the fields under Once become inactive.
8
For a One-time Occurrence, configure the starting date and time by entering the Month, Day, and Year (mm/dd/yyyy) and the Hour, and Minute in the fields. The time is represented in 24-hour format.
9
If the fields under Recurrence, select the check boxes for the days of the week to apply to the schedule or select All.
10
Under Recurrence, type in the time of day for the schedule to begin in the Start Time field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.
11
Under Recurrence, type in the time of day for the schedule to stop in the End Time field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.
12
Click Add.
13
Click Update to add the schedule to the Schedule List.

Deleting Schedules

You can delete custom schedules, but you cannot delete the default Work Hours, After Hours, or Weekend Hours schedules.

To delete individual schedule objects that you created, perform the following steps:
1
To delete existing days and times from the Schedule List, select the row and click Delete Schedule(s). Or, to delete all existing schedules, click the check box next to Name and then click Delete Schedule(s).

Agents

The Agents page provides information for the GMS primary and backup agent servers that are managing the SonicWall appliances. Including a summary of the Agents, Agent configuration, gateway configuration, and appliances managed by the Agent. You can also schedule all the tasks for each agent server to be executed during a specified time period.

* 
NOTE: This page can be used to remove agents, but they cannot be managing any firewalls.

Managing Agent Configurations

To configure the Agents page, complete the following steps:
1
Navigate to the Console > Management > Agents page.

The Summary screen displays the number of installed and running agents.

2
In the Agent Configuration screen, select the IP address of the Agent you want to view from the Agent IP drop-down menu. This field can accept/display IPv4 and IPv6 addresses.

The Agent Name text-field populates the name of the selected Agent. The agent name can be modified by editing this text-field.

3
To specify when tasks run, access the Default Task Execution Schedule field and select one of the following radio buttons:
Immediately— Runs tasks immediately (selected by default).
Daily At— Provides Hour and Minute drop-down menus to select the start time. The time is based on the GMS appliance’s local time.
4
In the Gateway Configuration screen select on of the following radio buttons to configure the gateway for Agents:
None— No gateway is specified. The agent is facing the unit directly without any device between them. If you do not wish to configure a gateway for the Agent, click None.
NAT Device— Use this option when a NAT device is configured as the gateway. The GMS appliance does not have to login to the unit for any reason and all NAT configurations are taken care of by the network Administrator directly through the device’s management interface.
To configure the NAT device, complete the following steps:
a)
Select NAT Device.
b)
Enter the NAT Device WAN IP address. This is the external IP address of the device.
c)
Enter the NAT Device Syslog Port. This is the Syslog port used for Syslogs sent from the managed units.
GMS Gateway— Use this option when a SonicWall device is acting as a Gateway. The GMS appliance needs to be able to login to the unit and pull additional information such as the WAN IP of the device. This type of device is typically used when Units managed by the Agent are either on the management tunnel or an existing tunnel. In the case of SSL, a GMS gateway is really not necessary. Using a SonicWall is recommended, but can be setup as a NAT Device if all units are managed using SSL.
To configure the GMS Gateway, complete the following steps:
a)
Click GMS Gateway.
b)
Click the GMS Gateway IP text-field, then enter the internal IP address of the device.
If you change the GMS gateway IP address or password, you must also change the settings on this page.
c)
Click the GMS Gateway Port text-field, then enter the management port used to sign into the device.
d)
Click the GMS Gateway Username text-field, then enter the username used to sign into the device.
e)
Click the GMS Gateway Password text-field, then enter the password used to sign into the device.
f)
Click the GMS Gateway Syslog Port text-field, then enter the Syslog port used for syslogs sent from the managed units.
5
For each agent server, the Firewalls for Primary Management drop-down menu lists the SonicWall appliances that are assigned to the agent server for primary management. The total number is also displayed.
6
For each agent server, the Firewalls for Standby Management drop-down menu lists the SonicWall appliances that are assigned to the agent server for backup management. The total number is also displayed.
7
For each agent server, the Firewalls Under Active Management drop-down manu lists the SonicWall appliances that are actively being managed by the agent server. The total number is also displayed.
8
When you are finished, click Update. The settings are changed. To clear the settings and start over, click Reset.
* 
NOTE: This screen also allows you to hide an Agent from showing up if that Agent is not managing an Appliance that has a current state of Down.

Flow Server

The Flow Server page displays a summary of the flow servers and appliances managed by the flow server, and has flow server configuration options.

Summary

The flow server Summary includes the following:

Number of Flow Server Installed— Displays the number of Flow Servers installed in your deployment.
Number of Flow Server Up— Displays the number of Flow Servers that are running.
Flow Server Configuration

The following Flow Server Configuration options are available:

Flow Server IP— Displays the Flow Server IP address. Click the drop-down menu to select a different flow server.
Local Time on Flow Server— Displays the local time on the Flow Server.
Local Time in Browser— Displays the local time from the browser.
Current State— Displays the current state of the Flow Server.
Appliances Managed by this Flow Server

The Appliances managed by this Flow Server section provides the following option:

Appliances— Click the drop-down menu to display a list of appliances managed by the Flow Server.

SNMP Managers

The SNMP Managers page enables you to specify SNMP Managers to which GMS sends SNMP Traps.

Configuring SNMP Settings

To configure the SNMP Managers page, complete the following steps:
1
Click the Console tab, expand the Management tree and click SNMP Managers. The SNMP Managers page displays.

2
Select the IP address and port of the SNMP Manager from the SNMP Manager IP/Port fields. This field can accept/display IPv4 and IPv6 addresses.
3
Specify the IP addresses of SNMP Hosts to which traps are forwarded in the SNMP Host to forward traps to fields. These fields can accept/display IPv4 and IPv6 addresses.
4
To enable trap forwarding, select Enable SNMP Trap Forwarding.
5
To enable trap email, select Enable SNMP Trap Email.
6
When you are finished, click Update. The settings are changed. To clear the settings and start over, click Reset.

Inheritance Filters

The Inheritance Filters page specifies which settings are inherited from the group when adding a new SonicWall appliance. For more information about inheritance settings, see Managing Inheritance in GMS

To configure the SNMP Inheritance Filter page, complete the following steps:
1
Click the Console tab, expand the Management tree and click Inheritance Filters. The Inheritance Filter page displays.

2
To edit an existing filter, select the filter from the Select Filter list box. To specify a new filter, select New Filter from the Select Filter pull-down menu and type a name in the Filter name field.
3
Select which page settings are inherited in the Inheritance Filter Detail section.
4
Select the type of access that is available to each GMS user group from the Access for each UserType section.
5
When you are finished, click Add for a new filter or click Update for an existing filter. The settings are changed. To clear the settings and start over, click Reset.

Message of the Day

The Message of the Day page displays a message when GMS users log on to GMS.

To configure the Message of the Day page, complete the following steps:
1
Click the Console tab, expand the Management tree and click Message of the Day. The Message of the Day page displays.

2
Select all users, a user group, or an individual user.
3
Enter message text in the Message field.
4
Select whether the message text is displayed in plain text or HTML.
5
Select the start and end date of the message (default: current day).
6
When you are finished, click Update. The settings are changed.
7
Repeat this procedure for each group or user for which this message is displayed.

Managing Inheritance in GMS

Inheritance in SonicWall™ Global Management System (GMS) specifies the process by which a node’s settings can be inherited to and from unit, group and parent nodes. Previously, GMS could inherit settings down the hierarchy. This ability can be understood as “forward” inheritance. Starting in GMS 6.0, you can now also “reverse” inherit settings back up the hierarchy, from a unit or group node to its parent node. This contains the following:

Configuring Inheritance Filters

The “Inheritance Filters” screen, under Console > Management > Inheritance Filters, is used to create inheritance filters by selecting screens available under the “Inheritance Filter Detail” screen.

To create a new filter, enter a name for this filter in the “Name” field. Then check the boxes next to the screens, or screen groups, you wish to inherit. This screen is enhanced to automatically select or deselect dependent data screens, based upon the related screens chosen by you.

You must then select the appropriate “Access” for each user type: Administrators, Operators, End Users, and Guest users. These selections are made using the corresponding drop down menus.

After you have made the desired screen and access selections, click Add to finish creating the new inheritance filter. This new filter is now available in the Filter drop down menu on the Firewall > System > Tools screen.

Applying Inheritance Settings

Administrators often work to define and test policies at the appliance level, and then painstakingly attempt to replicate those policies on other appliances. Using this simple process for inheritance, you can capitalize on the valuable time spent building a unit’s well-configured firewall policies, by then seamlessly replicating those policies through the hierarchy.

1
To inherit some or all of an appliance’s settings, go to the Firewall > System > Tools screen within the GMS management interface.

2
In the left pane, click the appliance with the settings you wish to inherit.

3
Under the screen section heading, “Inherit Settings at Unit,” select either forward or reverse inheritance by clicking the respective radio button.

4
From the “Filter” drop down menu, select the inheritance filter to apply. If a desired filter is not listed and must be created, refer to Configuring Inheritance Filters

5
After the desired inheritance filter is selected, click Preview. A Preview screen opens to allow you to review the settings to be inherited. You might continue with all of the default screens selected for inheritance or select only specific screens for inheritance by checking boxes next to the desired settings.

* 
NOTE: The Preview screen footer states, “All referring objects should also be selected as part of the settings picked, to avoid any dependency errors while inheriting.” If you deselect dependent screen data, the settings will not inherit properly.
6
If you are attempting forward inheritance, you might click “Update” to proceed. If you are attempting to reverse inherit settings, an additional selection must be made at the bottom of the Preview screen. You must select either to update the chosen settings to only the target parent node, or to update the target parent node along with all unit nodes under it. After you make this selection, you can click “Update” to proceed, or “Reset” to edit previous selections.

7
If you select to update the target parent node and all unit nodes, a “Modify Task Description and Schedule” screen opens in place of the Preview screen. (This screen does not appear if you select “Update only target parent node”). If the “Modify Task Description and Schedule” screen opens, you can edit the task description in the “Description” field. You can also adjust the schedule for inheritance, or continue with the default scheduling. If you choose to edit the timing by clicking the arrow next to “Schedule,” a calendar expands allowing you to click a radio button for “Immediate” execution, or to select an alternate day and time for inheritance to occur. After completing any edits, select either “Accept” or “Cancel” to execute or cancel the scheduled inheritance, respectively.

After the inheritance operation begins, a progress bar appears, along with text stating the operation might take a few minutes, depending on the volume of data to be inherited, as shown in the following figure:

After the inheritance operation is complete, the desired settings from the unit or group node should now be updated and reflected in the parent node’s settings, as well as in the settings of all other units, if selected.

Managing Reports in the Console tab

This describes how to configure reporting settings on the SonicWall™ Global Management System (GMS) Console tab. These include how often the summary information is updated, the number of days that summary information is stored, and the number of days that raw data is stored.

The following is included in this:

Summarizer

This section contains the following subsections:

About Summary Data in Reports

These reports are constructed from the most current available summary data. In order to create summary data, the GMS Reporting Module must parse the raw data files.

When configuring GMS Reporting using the screens on the Console tab under Reports, you can select the amount of summary information to store. These settings affect the database size, be sure there is adequate disk space to accommodate the settings you choose.

Additionally, you can select the number of days that raw syslog data is stored. The raw data is made up of information for every connection. Depending on the amount of traffic, this can quickly consume an enormous amount of space in the database. Be very careful when selecting how much raw information to store.

Configuring the Data Deletion Schedule Settings

Syslog files sent from SonicWall appliances are stored on the GMS Summarizer system, and are consolidated into the syslog database. The Summarizer processes the syslog data and stores the processed data in the summary database. After the configured period of syslog storage, the syslog data can be periodically deleted from the system. This is necessary, as the syslog files and database can consume a lot of space on the file system.

This section of the Summarizer page also provides a way to delete summarized data for a certain date. For example, if summarized data is kept for a long time, such as 90 days, then you could use this option to remove some summarized data from a particular date within the 90 day period if the stored data was becoming too large.

* 
TIP: Run your database maintenance jobs soon after the completion of the scheduled tasks configured on this page for summarizing data and deleting old syslog data.
To configure the syslog and summarized data deletion settings, complete the following steps:
1
On the Console tab, navigate to Reports > Summarizer.

* 
NOTE: It is recommended that the Data Deletion Schedule be configured to run after the data has been backed up. Navigate to Appliance > System > Backup/Restore to review the current backup schedule.
2
Under Data Deletion Schedule, select the day and time for deletion in the hour and minute widget. Syslog data is deleted at this time only after being stored for the number of days configured. You specify how long to keep the date in Data Storage Configuration.
3
Click Update to the right of this field.

Configuring Data Storage

Sets the amount of time that reporting data and raw syslog data is stored.

1
Click the Summarizer at: drop-down menu, then select the desired summarizer IP address.
2
Click the Keep Reporting Data for drop-down menu, then select the number of months to archive the data. Reporting data can be archived for a minimum of one month and a maximum of 36 months.
3
Click the Keep Raw Syslog Data Files for drop-down menu, then select the number of months to archive the data files. To disable the archiving of raw syslog data files, set the value to zero. The maximum amount of time to store raw syslog data files is 36 months.
* 
TIP: If you would like to store data for longer than 36 months, you can create scheduled scripting to move data that has been processed and stored in “//syslog/ArchivedSyslog/*.zip …” to a mapped network share for long-term storage.

Configuring Private IP Hostname Resolution

Hostname Resolution is configured for source IP addresses with missing hostnames while inserting the data in the database. This means that the reports show both the initiator IP address and the initiator hostname in the reports whenever applicable.

Enable Reverse Hostname Resolution — Reverse Hostname Lookup is disabled by default, enable this option for GMS to lookup for missing hostnames.
* 
NOTE: Enabling hostname lookup increases the time taken to process syslogs. All syslogs that need resolution are processed separately in parallel to normal syslog processing. This might slow down summarizer and increase memory and consume more CPU cycle. Also the memory and CPU are impacted further by changing the default configurations of Lookup thread count, Scan every, and Refresh Resolved Hostname Cache every.Any changes to the Hostname Resolution Configuration takes effect during the next summarizer run.
Refresh Resolved Hostname Cache every — The hostname that is looked up for an IP address is cached. This time indicates how long the hostname is kept in the cache, after that it looks up the hostname again for that IP address.
Scan every — Signifies the time intervals at which the lookup is triggered.
Lookup thread count — Signifies how many threads are processing the lookup in parallel. The larger the number, the faster the processing.
* 
NOTE: Increasing this number also increases the load on the summarizer instance.
Update — Click this button when you are finished configuring the settings.
Enable Public IP Host-name Resolution — Public IP hostname resolution is disabled by default, enable this option for GMS to lookup for missing public IP hostnames.
Time out value for resolution — Select the timeout period (in milliseconds) if the hostname is not resolved.

NMM Configuration

When the NMM option is enabled, the GMS creates NMM files that are sent with the syslog messages.

Syslog Exclusion Filter

The Syslog Exclusion Filter allows you to select what fields and operators to use for filtering the syslog database. It is picked up by the Summarizer every 15 minutes and applied to the global syslog settings.

The Syslog Exclusion Filters function in a manner similar to applying an exclusion filter to a single Firewall or SMA appliance, but are applied to all GMS appliances, or all appliances in a Firewall or SMA group.

To add a filter, complete the following steps:
1
Click Reports > Syslog Filter.

2
Click Add a Filter. The Add Filter menu comes up.

3
Select the syslog field name, and an operator and value, for the field you wish to exclude. Then select the level of Deployment: Appliance, Agent, or full Deployment.

If you select Appliance, you are prompted for the type of appliance: Firewall or SMA. If you select Agent, you are prompted to select from a list of SGMS agents.
4
Click Update.

You can also click the pencil in the Configure column to edit an existing filter setting. If no values appear in the Configure column, the filter is a default system filter. These defaults cannot be configured or deleted.

Syslogs are stored in the database without filtering, so the filters in the Syslog Exclusion Filter apply only to values displayed in Reports.

Email/Archive

The Console > Reports > Email/Archive page provides global options for setting the time and interval for emailing/archiving scheduled reports, and global settings for the Web server, logo, and PDF sorting options.

Configuring Email/Archive Settings

To configure Email/Archive and Web server settings, complete the following steps:
1
Click the Console tab, expand the Reports tree and click Email/Archive. The Email/Archive page displays.
2
To set the next archive time, enter the date and time in the Next Scheduled Email/Archive Time fields and click Update.
3
To specify the day to send weekly reports, select the day from the Send Weekly Reports Every list box and click Update.
4
To specify the date to send monthly reports, select the date from the Send Monthly Reports Every list box and click Update.
5
If the Web server address, port, or protocol has changed because SonicWall GMS was installed, the new values automatically appear in the Email/Archive Configuration section. These settings can be modified on the System Interface, and cannot be modified here.
6
Under Logo Settings, you can select a logo to be used on reports. By default, the SonicWall logo is used. To select another logo, click Browse next to the Logo File field or type the path and filename into the field, and then click Update.
7
Under Storage Configuration, select how many days to store Universal Scheduled Reports (USR) then click Update.

USR schedules are managed under the Dashboard Tab. For more information on USR scheduling, refer to Using the Universal Scheduled Reports Application.

* 
NOTE: High-traffic systems can generate reports that consume large amounts of memory, disk space and CPU time. Set your Number of Days to Archive and Scheduled Archive Time accordingly.

Managing Legacy Reports

Reports generated by pre 7.0 releases of GMS are still available for viewing, but require careful management. GMS 7.0 Reporting is not compatible with earlier versions, but reports generated by earlier versions are still accessible under the current reporting structure.

Because it is not possible to view both 7.0 and pre-7.0 reports in the same session, we advise creating a separate Login for accessing Legacy reports. This allows switching back and forth, as you can only view 7.0 or pre 7.0 reports in a session. By creating a separate login, you can switch between viewing modes.

1
Create a new User or Administrator login. An Administrator login (with a name like Admin_Legacy) is recommended, as this login has full privileges. For more information on configuring Legacy reports for new user, refer to the Console Management section.
2
Log into the Management > Users > Action Permissions tab.
3
Set the flag in Show Legacy (pre GMS 7.0) Reports.
* 
NOTE: This check box is only available if GMS 6.0 Reports exist in the system.

4
Log out. Log back in using the new Login created in Step 1.

If Legacy Reports are no longer needed, you can delete them.

5
Go to Reports > Summarizer.
6
Under the Data Deletion Schedule, you will see a box for Delete 6.0 Reporting Data Immediately. Click Delete to delete the Legacy reports.

* 
NOTE: If you delete pre-7.0 reporting data, the Legacy data check boxes under the Action Permissions and Summarizer tabs are no longer available, going forward.

Using Diagnostics

This describes the diagnostic information that SonicWall™ Global Management System (GMS) provides, including log settings for debugging, system snapshots for troubleshooting, and summarizer status information.

This includes the following:

Debug Log Settings

Debug Log Settings are included with GMS to help you diagnose issues you might encounter with your log data.

* 
WARNING: The Debug Log Settings are intended for use only under the direction of SonicWall Tech Support.

Configuring Debug Log Settings

Setting debug levels allows for faster troubleshooting of potential application issues. This action creates debug log files on all the systems in this deployment and could hamper application performance and also fill up disk space. You should reset to “No Debug” for normal operation as soon as the potential issue has been resolved.

* 
NOTE: The debug level should only be set based on guidance from SonicWall Technical Support.The higher the debug level, the more the system resources that are used up to generate debug data and in turn lower the overall system performance.
To set the debug level when instructed by SonicWall Technical Support, complete the following steps:
1
Click the Console tab, expand the Diagnostics tree and click Debug Log Settings. The Debug Log Settings page displays.

2
Click the System Debug Level drop-down, then select one of the following:
Level 1 (Codepath)
Level 2 (Simple)
Level 3 (Logic)
Level 4 (Detailed)
Level 5 (Highly Detailed)
3
Click Update.

Request Snapshot

In order for a technical support representative to troubleshoot a problem, you might be asked to take a snapshot of GMS or you might want to view the configuration yourself.

Performing a System Snapshot

A system snapshot provides a detailed information about GMS, the GMS database, the system environment, licensing, and firewalls. This information includes:

Data from the sgmsConfig.xml file (Console or Agent only)
Debug state
Build number
Version
Product Code
Database type
Database driver string
Database dbuser
Database password
Database URL
Server state (Console or Agent only)—whether a database connection could be established
Environment information
CLASSPATH, PATH variables
Web server listening port (Console only)
Country
Language
Operating System
IP Address
MAC Address
Machine data (memory size and so on.)
Latte/Licensing (Console or Agent only)
Connectivity to Latte backend
Latte username/password
MS license information (Console only)
Agent specific data
Managed units
Units states (active or standby)
Gateway firmware version
Gateway state
Ports (syslog, syslog parsing, and so on)
Firewall data (Gateway or Unit only)
IP address
Data from status.xml
VPNs present (Gateway only)
Latte information (if registered)

Performing the Snapshot

To take a snapshot of the system, complete the following steps:
1
Click the Console tab, expand the Diagnostics tree and click Request Snapshot. The Request Snapshot page displays.

2
To take a snapshot of the GMS console, select GMS Console.
3
To take a snapshot of one or more GMS agents, select Agent. This field displays IPv4 and IPv6 addresses.
4
To take a snapshot of the GMS Gateway, select Gateway.
5
Click Submit Snapshot Request. GMS takes the snapshot.
6
To view the snapshot, see Viewing the Snapshot or Diagnostics.

Snapshot Status

Viewing the Snapshot or Diagnostics

To view a snapshot or SonicWall diagnostics, complete the following steps:
1
Click the Console tab, expand the Diagnostics tree and click Snapshot Status. The Snapshot Status page displays.

2
Select the snapshot or diagnostics that you want to view from the Diagnostics requested list box.
3
To view the information, click View Snapshot Data.
4
To save the information to a file that you can send to technical support, click Save Snapshot Data.
5
To delete the information, click Delete Snapshot Data.
6
To refresh the information, click Refresh Snapshot Data.

Summarizer Status

The Summarizer Status page displays overall summarizer utilization information for the deployment including database and syslog file statistics, and details on the current status of the summarizer.

The Summarizer Status screen provides performance metrics for your network administrator to plan, design, and expand your GMS server deployment. This feature has information on the Syslog Collector and Summarizer metrics. The metrics displayed are daily averages collected over the last 7 days.

You can receive alert emails when Summarizer Status shows any abnormalities.

To reach the Summarizer Status screen, navigate to the Console tab of GMS and then to Diagnostics > Summarizer Status.

The Summarizer Status page is divided into a section showing the overall deployment-wide summarizer status and sections with details for each summarizer. See the following sections:

Summarizer Status Over 7 Days

The Summarizer Status Over 7 Days section displays overall summarizer utilization information for the deployment including database and syslog file statistics. Results are calculated over the last seven days.

Summarizer Utilization

The top Summarizer Utilization section shows the average utilization of the summarizer over the applicable time period. The Dial Charts show the percent of total capacity used by the Summarizer. The following metrics are also displayed in the Summarizer Utilization section:

Summarizer: Displays the IP address of the Summarizer.
Estimated Capacity (million syslog/day): The estimated capacity of the system. This is calculated by taking the (average load per day) and dividing it by the (time spent), assuming that the Summarizer was to constantly summarize 24 hours (as in the case of a dedicated Summarizer).
Average Load (million syslog/day): The number of incoming syslogs per day.
Reporting Database Size: Displays the size of the reporting database in gigabytes.
Raw Data Directory Size: Displays the size of the raw syslog directory in gigabytes.
Estimated Cache Size: Displays the estimated size of the cache in gigabytes.
Backup Directory Size: Displays the size of the backup directory in gigabytes.
Status: Displays the status of the Summarizer. There are three different status notifications:
OK: The system is operating normally.
High Capacity: The average load is greater than 90 percent of capacity.
Low Disk Space: There is less that 5GB of space left on the disk.
Deployment Status

The Deployment Status tells the user how the deployment should be sized if it is not performing well. The user might need to reassign some units to a different agent, add another agent, or add more disk space

Details for Summarizer at <IP Address>

This sections details the Summarizer Utilization for the applicable IP address.

Summarizer Utilization

The Summarizer Utilization section for a specific summarizer shows not only the information at deployment level, but also provides granular details of the summarizer’s operation and current status for each individual summarizer.

Average Summarizer Utilization: The average percentage of Summarizer utilization.
Peak Summarizer Utilization: The percentage of peak Summarizer utilization.
Estimated Capacity (million syslog/day): The estimated capacity of the system. This is calculated by taking the (average load per day) and dividing it by the (time spent), assuming that the Summarizer was to constantly summarize 24 hours (as in the case of a dedicated Summarizer).
Average Load (million syslog/day): The number of incoming syslogs per day.
Average Run Time Per Day: The total amount of time spent generating summarization statistical data and results over the time period of one day.
Average Syslog Summarized (million/day): The total number of syslogs summarized, displayed in millions per day.
Average Syslog Summarized per minute: The average number of syslogs summarized per minute over the applicable time period.
* 
NOTE: Not all syslogs are summarized. Some syslogs are discarded based on criteria defined at the Console > Reports > Syslog Filter and Unit > Reports > Configuration > Syslog Filter pages.
Data File Information

This section displays syslog file details for the selected summarizer.

The Data File Information table is divided into three columns:

Data File Type: The type of files being reported on.
There are five main data file types:
Reporting Database Files: The files in the reporting database.
Backup Files: The backup snapshot.
Unprocessed Files: The data files in the summarizer’s processing queue.
Archived Files: The processed data files.
Bad Files: Data files with processing errors.
File Stats: The number of syslog files in the category and their size in Megabytes.
Oldest: The date and time on the oldest file in the category.
Summarizer Process Details

The Summarizer Process Details section shows what tasks the summarizer is performing at the moment the Console > Diagnostics > Summarizer Status page displays. Refresh your browser display or leave the page and return to it to update the information.

If the summarizer is currently running, the page displays the thread, appliance identifier, file being used, and state of the summarizer.

If the summarizer is currently idle, the page displays the last run time and next run time.

Syslogs sent by appliances that are not under Reporting and Management

Appliances that are no longer managed by GMS might still send syslog messages, impacting the performance of the summarizer. The syslogs from such appliances are dropped and not stored in archivedSyslogs or badSyslogs folders.

This feature displays a list (refreshed every 12 hours) of the appliances that are still sending syslogs messages even though they are no longer managed by GMS, as well as appliances that are incorrectly configured:

If your GMS has a list of appliances in these fields, try the following to correct the issue:

Login to the appliance and disable the syslogs.
If you do not have access to the appliance, use the rules to the gateway to block the serial numbers.
To fix the misconfigured appliances, login to the appliance and change the GMS settings.

Granular Event Management

This describes how to configure and use the Granular Event Management (GEM) feature in a SonicWall™ Global Management System (GMS) environment.

This contains the following:

Granular Event Management Overview

Granular Event Management (GEM) provides a customized and controlled manner in which events are managed and alerts are created. On the Console tab, GEM allows you to systematically configure each sub-component of your alert in order for the alert to best accommodate your needs.

The GEM alert has multiple sub-components, some of which have further subcomponents. It is not necessary to configure all sub-components prior to creating an alert.

Severities: Severity is used to tag an alert as Critical, Warning, Information, or a custom severity level. You can create your own preferred severities and assign the order of importance to them from lowest to highest. When using a custom severity, you must define it before creating a threshold that uses it.
Thresholds: A threshold defines the condition that must be matched to trigger an event and send an alert. Each threshold is associated with a Severity to tag the generated alert as critical, warning, or another value. You must define a threshold prior to creating an alert that uses it.

One or more threshold elements are defined within a threshold. Each threshold element includes an Operator, a Value, and a Severity. When a value is received for an alert type, the GEM framework examines threshold elements to find a match for the specified condition. If a match is found (one or more conditions match), the threshold with the highest severity containing a matching element is used to trigger an event.
Schedules: You can use Schedules to specify the day(s) and time (intervals) in which to send an alert. You can also invert a schedule, which means that the schedule is the opposite of the time specified in it. For example:
Send an alert during weekdays only, or weekends only, or only during business hours.
Do not send an alert during a time period when the unit, network, or database are down for maintenance.
Destinations: You can use Destinations to define where the alerts are sent. The destination(s) for an alert are specified in the Add Alert or Edit Alert screen. You can specify up to five destinations for an alert, such as multiple email addresses. For example:
Send an alert to the Unit owner all the time.
Send an alert to a GMS user during business hours.
Send an alert to the admin also during non-business hours for immediate attention.
Alert types: Alert Types are pre-defined, static parameters and are not customizable. Alert types are used with threshold elements that define conditions that can trigger an event. Some example alert types are:
Unit Up-Down Alert type
VPN SA is UP-Down, Enable-Disable

You must configure three of these components in order to create alerts:

Severities - You can use the pre-defined defaults or create your own Severities.
Thresholds - You can use the pre-defined defaults or create your own thresholds.
Schedules - You can use the pre-defined defaults or create your own Schedules.

These can be configured in the Console > Events screens. After you configure these elements in Console > Events, you can also create alerts in the Firewall, SMA, and Email Security (ES) tabs.

The Super Admin (admin@LocalDomain) user is able to add a new Severity, Threshold, Schedule, Schedule Group, or Alert into any domain. Other administrative users might only create/edit objects within their own domain.

The GEM process flow is illustrated below. As you can see, you begin by configuring Severities and end with creating Alerts.

GEM process

What is Granular Event Management?

The purpose of Granular Event Management is to provide all the event handling and alerting functionality for GMS. The GMS management interface provides screens for centralized event management on the Console tab, including screens for Events > Settings, Severity, Threshold, Schedule, and Alert Settings. The Firewall, SMA, and Email Security (ES) tabs also provide an Events > Alert Settings screen where you can add, delete, enable, or configure alerts that relate to either policies or reports.

You can create or update an alert at the global, group, or unit level in GMS. At the group or global level, the alert is then applied to all units in the group or globally. Whenever you add a new unit to GMS management, the alerts set at the global level are applied to the new unit. Group level alerts are not automatically applied to the new unit, but when you update an alert at the group level, the update applies the alert to the entire group including any new units.

Benefits

Granular Event Management offers a significant improvement in control over the way different events are handled. You now have more flexibility when deciding where and when to send alerts, and you can configure event thresholds, severities, schedules, and alerts from a centralized location in the management interface rather than configuring these on a per-unit basis.

How Does Granular Event Management Work?

The Granular Event Management framework provides customized event, including email alerting on the status of specific VPN tunnels, alerting based on schedules (such as 8am to 5pm, or 24 hours a day), and alerting to specific email destinations based on severity and functionality handling. You can also configure GEM to send an alert when changes are made to a managed appliance by a local administrator through the appliance management interface rather than through GMS. This is a predefined alert available on the Policies panel. For a list of the predefined alerts, see Using Granular Event Management.

Using Granular Event Management

For convenience and usability, a number of default settings are predefined for severities, schedules, thresholds, and alerts. You can edit the predefined values to customize these settings, or you can create your own at the global, group, or unit level. To create your own, start by examining the Events screens on the Console tab and adding custom components where needed. Then continue with the Events > Alerts Settings screens in the Firewall, SMA, and Email Security (ES) tabs. The predefined defaults for the Console tab are as follows:

 

GEM Predefined Default Objects

Tab

Screens

Predefined Default Objects

Console

Events > Severities

Information

 

 

Warning

 

 

Critical

Console

Events > Thresholds

Unit WAN Status

 

 

Unit HF Status

 

 

Unit Locally Changed

 

 

VPN Tunnel Status

 

 

Capacity in Percentage

 

 

Agent Quota Reached

 

 

Monitor Bandwidth

 

 

Monitor by Percentage

 

 

Monitor by Percentage (Anti)

 

 

Monitor CPU

Console

Events > Schedule

Schedule Groups:

 

 

24x7

 

 

Weekdays 24 hours

 

 

8x5

 

 

Weekend

 

 

Schedules:

 

 

Schedule: admin

 

 

Database Backup

 

 

Monday 24 hours

 

 

Monday business hours

 

 

Tuesday 24 hours

 

 

Tuesday business hours

 

 

Wednesday 24 hours

 

 

Wednesday business hours

 

 

Thursday 24 hours

 

 

Thursday business hours

Console

Events > Alert Settings

Unit Status Report

 

 

Database Information

 

 

New Firmware Availability

 

 

Database Size Status

 

 

System Files Backed-Up Status

 

 

Disk Space Utilization Status

About Alerts

The Events > Alert Settings screens are available in the Console, Firewall, SMA, and Email Security (ES) tabs. You can create and edit alerts on these screens. In the alert settings screens, you can combine all of the previous elements (severity, threshold, and schedule) that you have configured in the Console tab.

The GEM framework provides different types of alert types for the respective areas of the GMS application:

Policies panel: Alert settings for Management
Reports panel: Alert settings for Reporting
Console tab: Alert settings for the GMS application
 

GEM Alert Types

Tab location

Available Alert Types

Console

Backed up Syslog Files

Database Information

Disk Space Utilization Status

New Firmware Availability

Unit Status Report

Reports

Bandwidth Usage (Billing Cycle)

Bandwidth Usage (Daily)

Data Usage (Billing Cycle)

Data Usage (Daily)

Events/Hits Total (Daily)

Number of Attacks (Daily)

Number of Threats (Daily)

Policies

Unit HF Status

Unit Locally Changed

Unit Status

Unit WAN Status

VPN Tunnel Status

Agent Quota Reached

Agent Unsuccessful Backups

Appliance Capacity Status

CPU Status

Offsite Capacity Status

Duplicate Alerts

Duplicate alerts are allowed in GMS. A duplicate alert uses the same alert type that is already used in an existing alert. You do not need to create a duplicate alert if you want to add to or change an existing alert. Normally, you would avoid creating a duplicate alert by editing an existing alert to add another threshold element, destination, or other component. For example, you can have two or more threshold elements in the same alert to trigger under different conditions.

At times there are benefits to creating a duplicate alert. As an example, only five destinations are allowed per alert, so a duplicate alert could include additional destinations. Or, you could create a duplicate alert that sends SNMP traps while the original alert sends email notifications. Also, if a threshold is being shared and you do not want to modify it, you can create a separate threshold and use it in a duplicate alert.

GMS displays a warning when you try to create a duplicate alert. The warning serves as a reminder in case you forget that an alert already exists using the same alert type.

* 
NOTE: Duplicate alerts use more resources from the alerting agent, but do not have a large impact on performance. You will receive two alert emails instead of one if the destinations are identical.

Configuring Granular Event Management

To set up the GEM environment after installing GMS, start with the Events screens on the Console tab. You should examine each Events screens and make any necessary configuration changes. Then you can configure alerts in the Events screens on the Policies panel and Reports panel.

See the following sections:

Configuring Events on the Console tab

To experience the benefits of GEM, you must configure alerts for important events. In the Events screens on the Console tab, you can configure the frequency of subscription expiration and task failure notifications, as well as severities, thresholds, schedules, and alerts for handling events.

See the following sections:

Configuring Event Alert Settings

In Events > Settings, you can specify the following:

Email Alert Format, such as HTML (the default), text, or text for a pager
Email Alert Frequencies and Thresholds
Enable and Disable Alerts
To configure Event Settings, complete the following steps:
1
On the Console tab, navigate to the Events > Settings screen.
2
Under Email Alert Format Preferences, select whether the email alert will be sent as HTML, Plain Text, or Plain Text (Simple). The Simple setting sends a very short email to ensure that the email is not cut off by character limits.
* 
NOTE: To assist in your decision for choosing a type of alert format, refer to Email Alert Formats on page 1030 to view the appearance of the types of Email Alert Format Preferences.

3
Click Update.

Configuring Event Severities

In the Events > Severity screen, you can create your own severity levels or use predefined severity levels. You can delete severity levels in this screen as well. Defining the severity priority can also be performed in this screen. Users with permissions to the Severity screen can create and edit these severities.

GMS supplies the following three predefined severity levels:

Information: This is the lowest severity level
Warning: This is a mid-range severity level
Critical: This is the highest severity level
To configure Event Severities, complete the following steps:
1
On the Console tab, navigate to the Events > Severity screen. On this screen, you can resequence the severities in importance by entering a severity sequence number in each field.

2
Do one of the following:
To re-order existing severities with the new sequence numbers that you entered, click Update.
To add a new severity level, click Add Severity.
3
In the Add Severity dialog box, type a name for the new severity level in the Name field.The Domain pull-down list is only available for a Super Admin.
4
Choose the color associated with this severity level by selecting a color from the Color Chooser dialog. You can see a preview of the color you selected in the Preview field.

5
Click Update.
6
In the Console > Events > Severity screen, assign the level for the new severity you created by changing the numbering in the Sequence column of the Severity table.
7
Click Update.
To edit or delete a Severity, complete the following steps:
1
To edit a Severity, click the Edit icon.

The Edit Severity pop-up window displays.

2
Configure the Severity Settings, then click Update.
3
To delete a Severity(s), select the check box(es) for the severitie(s) you wish to delete, then click Update. You can also click Delete in the Edit column, to delete a single report.
* 
NOTE: Deleting a Severity that is in use is not permitted. A warning message displays when this action is performed.

Configuring Event Thresholds

In the Events > Threshold screen, you can view existing event thresholds, enable or disable them, and configure their elements. A threshold defines the condition for which an event is triggered. Predefined thresholds have names similar to predefined Alert Types. Each threshold can contain one or more threshold elements. An element consists of an Operator, a Value, and a Severity.

The following tasks are described in this section:

Adding a Custom Threshold

To add a custom threshold, complete the following steps:
1
On the Console tab, navigate to Events > Threshold.

2
Click Add Threshold to add a new threshold.
3
In the Add Threshold dialog box, provide a name for the threshold value in the Name field.
* 
NOTE: The Domain pull-down list is only available for a Super Admin.

4
Select Visible to Non-Administrators if you want the threshold to be visible to non-administrators. If this is selected, anyone can view the threshold elements and use the threshold in customized reports.
* 
NOTE: If the Visible to Non-Administrators is unchecked, only users from the Administrator group or the threshold creator is able to view, use, edit, and delete the threshold. Whether this is selected or not, only the users from the Administrator group and the threshold creator is able to edit or delete this object.
5
Click Update.

Adding a Threshold Element

Elements are components of a threshold. You must define a threshold by defining its elements.

1
To add a threshold element to the threshold, click plus in the Configure column of the Events > Threshold screen.
2
The Add Threshold window displays.

3
In the Operator pull-down menu, select from the list of operators.

4
In the Value field, enter a value.
5
In the Description field, enter a description to override the auto-generated description.
6
In the Severity field, select a severity.
7
Disable allows you to temporarily disable the threshold without deleting it. Select Disable if you want to disable the threshold. For more information about the enabling and disabling feature, see Enabling/Disabling Thresholds and Threshold Elements.
8
Click Update.

Editing a Custom or Existing Threshold

To edit your custom or existing threshold, complete the following steps:
1
On the Events > Threshold screen, click edit in the threshold row.
2
The Edit Threshold window displays. In this window, you can edit the name of your threshold as well as allow this threshold to be visible to non-administrators. For more information on the visible to non-administrators feature, see Adding a Custom Threshold.
3
Click Update.

Editing an Threshold Element

To edit an existing element of a Threshold, complete the following steps:
1
On the Events > Threshold screen, click the Edit icon located in the Configure column in the element row.
The Edit Threshold pop-up window displays:

Some alerts created by certain Alert Types contain predefined Thresholds that might not be edited. Alert Types: Unit HF Status, Unit WAN Status, Unit Locally Changed, and Thresholds with the same name in the Console tab.

2
In the Operator field, select from the drop down menu the type of operator to apply to your threshold element.

.

3
In the Value field, enter the value for your threshold element.
4
In the Description field, enter the description for your threshold element.
5
In the Severity field, select the severity priority from the drop down menu. These are color coded for your easy reference on the Events > Threshold screen.

6
To disable the threshold element, click Disable. See Enabling/Disabling Thresholds and Threshold Elements.
7
Click Update.

Enabling/Disabling Thresholds and Threshold Elements

The GEM feature provides a Disable check box that allows you to disable or enable thresholds or individual elements within that threshold. Disabling an element or threshold rather than deleting it is beneficial because of the time invested in creating it. If it is needed again, you can simply enable it.

You can disable a threshold by disabling all its elements. You can also disable individual elements within a threshold.

To enable or disable Thresholds and/or their elements, complete the following steps:
1
On the Console tab, navigate to the Events > Threshold screen. On this screen, you are able to view existing Thresholds. You can also view existing elements within those thresholds by clicking the expand button by a threshold. You have the following two options for the enabling/disabling feature:
You can enable or disable a Threshold by disabling/enabling all the elements that exist within it.
You can enable/disable the individual elements within a Threshold.
2
To enable or disable a threshold and/or elements, click edit that is on the element level.
3
Select Disable to disable the element or de-select Disable to enable the element.

4
Click Update.
Deleting a Threshold and Threshold Elements

On the Events > Threshold screen, you can delete Thresholds and Threshold Elements. This can be done by using Delete Threshold(s)/Element(s). To view the elements within a threshold, expand the threshold. You can select which threshold or elements within that threshold to delete. If you delete a threshold, the elements within that threshold are automatically deleted as well.

To delete thresholds and threshold elements, complete the following steps:
1
On the Events > Threshold screen, optionally expand the threshold to view the individual elements.
2
To delete a threshold, click the check box to the left of the threshold name. You will see that its elements are automatically selected as well.

3
To delete an element, select only the element check box.
* 
NOTE: Deleting a Threshold that is in use is not permitted. A warning message displays when this action is performed.
4
When you have finished with your selections, click Delete Threshold(s)/Element(s).

Configuring Event Schedules

The next component on the Console tab is Events > Schedule. In this screen, you can add, delete, or configure schedules and schedule groups.

Schedule groups are one or more schedules grouped within an object. Administrators and Owners can edit these objects. Other users should be able to view or use them only if Visible to Non-Administrators is selected.

The following tasks are described in this section:

Adding an Event Schedule

In Events > Schedules you can add, delete, or configure schedules. You will see your schedules and schedule groups, their descriptions, and whether they are enabled. You can also individually delete one schedule or schedule group at a time by selecting the trash-icon on the right hand side for each row. For quick reference, you can hover your mouse over the descriptions to quickly view the type of schedule and the days and times when it is active.

To add an event schedule, complete the following steps:
1
On the Events > Schedules screen, click Add Schedule.
2
In the Name field, enter a name for the schedule.
3
In the Domain field, click the pull-down list and select a name. This function is for Super Admins only.
4
In the Description field, add a description for the schedule.
5
Select Visible to Non-Administrators if you want the schedule to be visible and usable by non-administrators.
6
To temporarily disable a schedule, select Disable.
7
Click Invert to create a schedule that is “off” during the dates and times that you specify.
8
In the Schedule field, you can create one or more schedules. For each schedule, configure either:
One Time Occurrence
Fill in the Date and Time fields.
Recurrence
Fill in Days, Start Time, and End Time fields.
9
Click Add to add this schedule to the Schedule List text box.

10
To delete an entry from the Schedule List text box, select the entry that you want to delete, and then click Delete. Click Delete All to delete all entries.
11
Click Update when you are finished.
Editing an Event Schedule

To edit an existing schedule, click the Edit icon on the right side of the Events > Schedule screen. The screen and procedure for editing are the same as those for adding a schedule. See Adding an Event Schedule.

Adding an Event Schedule Group

You can combine several schedules into a schedule group on the Events > Schedule screen.

To add a schedule group, complete the following steps:
1
On the Events > Schedule screen, click Add Schedule Group.
2
Enter the name of your schedule group in the Name field.
3
Enter a description of your schedule group in the Description field.
4
Click Visible to Non-Administrators to allow this schedule group to be viewed and used by non administrators.
5
Click Disable to temporarily disable the schedule group.
6
In the Schedules field, select the schedule(s) to add to your schedule group, and then use the arrow buttons to move the selected schedule into or out of the group. To move multiple schedule groups and/or schedules all at once, hold the CTRL button on your keyboard while making your selections.

7
Click Update.
Editing an Event Schedule Group

To edit an existing schedule group, click the Edit icon on the right side of the Events > Schedule screen. The screen and procedure for editing are the same as those for adding a event schedule group. See Adding an Event Schedule Group.

Deleting a Schedule or Schedule Group

You can delete custom schedules or schedule groups, or you can remove schedules from schedule groups. You cannot delete predefined static schedules or schedule groups. Only Administrators and Owners can delete schedules or schedule groups.

* 
NOTE: Deleting a Schedule or Schedule Group that is in use is not permitted. A warning message displays when this action is performed.

To delete an event schedule, schedule group, or remove a schedule from a schedule group:

1
Navigate to the Events > Schedule screen.
2
Click the check boxes of the schedule groups or schedules that you want deleted. When you click Schedule Group, the schedules within that schedule group are deleted as well.
3
To remove a schedule from a schedule group, click the expand button on the schedule group, and select the schedules you wish to remove within that group.
4
To delete the selected schedule group(s) or remove the selected schedules from a group, click Delete Schedule Group(s)/Remove Schedules from Group.
5
To delete the selected schedule(s), click Delete Schedule(s).

Configuring Alerts on the Console tab

The Console > Events > Alert Settings screen provides predefined alerts that apply to GMS as a whole. These are status type alerts, and do not use thresholds. You can hover your mouse over these to display information about them. You can configure the predefined alerts to use different destinations and schedules.

Add Alert

In the Add Alert panel you can enter an alert name and description, select the options for visible to non-administrators and disable, and enter the polling interval.

To add an alert, complete the following steps:
1
Navigate to the Events > Alert Settings page.

2
Click the Add Alert link.

The Add Alert screen displays.

3
Enter a name and description for your alert.
4
Enable Visible to Non-Administrators if you want your Alert to be visible to non-administrators.
5
Enable Disable to disable this Alert.
6
Enter a Polling Interval value (in seconds: 60-86400)
Alert Type

In the Alert Type panel you can select an alert type from the provided list and view the definitions of each alert type.

To configure an Alert Type, complete the following steps:
1
Click the Alert Type pull-down list and select an alert type.
* 
NOTE: When an alert type is selected, a description for that alert is displayed in the Alert Type panel.

Most of the Alert Types require you to edit content. Editing Contents allows the user to pick additional information, in a granular fashion, on which the alerting has to be performed.

2
Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window displays.

3
Click the Threshold pull-down list and select a threshold.
* 
NOTE: You can create a new threshold on-the-fly by clicking the icon. Only one new threshold can be created in this feature.
* 
NOTE: If you select another Alert Type before you click Update in the Add Alert dialog box, or if you click Reset, you lose the on the fly Threshold that you created and the Edit Content status becomes Not Edited.
4
Click Update. To reset the settings, click Reset.
Destination / Schedule

In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for each.

To add a destination and set a schedule, complete the following steps:
* 
NOTE: Every selected destination is required to have a schedule set.
1
Click the Add Destination link under the Destination/Schedule section. The Destination field designates where you want alerts to be sent. You have a maximum number of five destinations.

2
Click the Schedule pull-down list, then select a schedule type. The Schedule field designates the frequency of when you want alerts to be sent to the destination(s).

3
Click Update to finish adding an alert.
Enabling/Disabling Alerts
To enable and disable an alert, complete the following steps:
Enabling a Alert
1
Select Enabled of the alert(s) you wish to enable.
2
Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable or disable.

Disabling an Alert
1
Deselect Enabled of the alert(s) you wish to disable.
2
Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable or disable.

Deleting Alerts
To delete an alert, complete the following steps:
1
Select the check box(es) of the Alert(s) you wish to delete.
2
Click the Delete Alert link. A confirmation window displays.

3
Click OK to delete.
* 
NOTE: You can also delete an alert by clicking the Delete icon under the Configure section of the alert you wish the delete.
Editing Alerts

After an alert is created, you can go back and edit it at any time.

To edit an alert, complete the following steps:
1
Click the Configure icon of the alert you wish to edit.

The Edit Alert page displays.

2
Refer to Add Alert and follow the configuration procedures to edit your existing Alert.

Viewing Current Alerts

You can view a list of current alerts on the Events > Current Alerts page of the Firewall, SMA, or Email Security (ES) tabs. Select a global view, group, or unit to view current alerts for your selection.

Sample Event Alert Reports

Examples of alert emails you will receive are shown in the following figures:

Database Healthcheck

Critical: Unit Status

Critical [Recovered]: Unit Status

Email Alert Formats

The types of alert emails are available in the following formats:

HTML
Plain Text
Plain Text (simple)

HTML Email Alert Format

Plain Text

Plain Text (simple)

 

Managing Licenses

This provides information about SonicWall™ Global Management System (GMS) licensing, registration, upgrading to new versions, and applying software patches.

This includes the following:

GMS License

The following sections describe how to manage GMS licenses:

Upgrading a Demo License to a Retail License

The following sections describe how to upgrade a GMS demo license to a retail license.

Upgrading within the Demo Period

To upgrade a GMS demo license to a retail license within the demo period, complete the following steps:
1
Click the Console Panel tab, expand the Licenses tree and click Manage Licenses. The product License Summary page displays. If prompted to login, enter your mysonicwall.com User name and password before continuing.

2
Enter the activation code in the Activation Code field and click Upgrade.

The License Type changes to Retail License and the Current Nodes Allowed changes from 10 to 25.

Upgrading Outside the Demo Period

To upgrade a GMS demo license to a retail license after the demo period expires, complete the following steps:
1
Start GMS. The Registration page displays.
2
Enter the demo upgrade activation code and click Update. The Login displays and the license is upgraded.

Product Licenses

The Product Licences page allows the user to view, upload, and manage licenses and subscriptions for this GMS installation.

License Summary

View license details on the Licenses > Product Licences page, under the License section.

This section allows you to view the following information about security services and support services:

Status—Displays whether the product is licensed or not licensed

Count—Displays the remaining number of licenses for this service.

Expiration—Displays the expiration date of the service (if applicable).

Current Subscription Expirations

View current subscription expiration status on the Licenses > Product Licences page, under the Current Subscription Expirations section.

This section allows you to view a summary of information about any subscriptions which carry an expiration date.

Managing Licenses

This feature allows licenses to be managed through your MySonicWall.com account.

To manage licenses:

1
In the Console tab, navigate to the Licenses > Product Licenses page.
2
Click Manage Licenses. The MySonicWall login page displays.

3
Log in with your MySonicWall credentials to manage your licenses.

Refreshing Licenses

This feature allows the administrator to synchronize GMS with the MySonicWall license server. Synchronization is useful if you have recently purchased new licenses, and these licenses are not yet appearing in the summary page.

To refresh licenses:

1
In the Console tab, navigate to the Licenses > Product Licenses page.
2
Click Refresh Licenses. The License Summary page displays a message, and the date of last contact changes to reflect this.

Manually Uploading a License

Normally, MySonicWall communicates with your GMS installation to synchronize licenses automatically. The manual upload feature is useful if for some reason your GMS node is without Internet connectivity.

To manually upload a license:

1
In the Console tab, navigate to the Licenses > Product Licenses page.
2
Click Upload Licenses. The Upload Licenses page displays.

3
Click Browse... to search for your locally stored license file.
* 
NOTE: License files for manual updates are available for download through your MySonicWall account.
4
Click Upload to complete the license transfer.

SonicWall Upgrades

This section describes the procedures for upgrading SonicWall appliances. This functionality includes adding nodes, content filter subscriptions, VPN functionality, VPN clients, anti-virus licenses, and more.

When a GMS subscription service (such as warranty support, anti-virus, or content filtering) is about to expire, the GMS administrator receives expiration notifications through email prior to the expiration. The email notification is sent once a day (if applicable) and lists all managed SonicWall appliances with expiring subscription services.

To upgrade SonicWall appliances, complete the procedures listed in the following sections:

Upgrading the Node License

Depending on the number of licenses you have ordered, you might need to add GMS licenses to configure and support additional SonicWall appliances. This section describes how to perform a node license upgrade. To view the current node license, click on the Console tab, expand the Licenses tree, and click Product License. The current license is displayed under the License Summary section.

SonicWall offers unified support packages called Comprehensive GMS Support (CGS). CGS is an annual agreement that includes:

Technical support for the GMS application
Software updates and upgrades for GMS
Technical support, advanced-exchange hardware replacement and firmware updates for all of the units under GMS management

Comprehensive GMS Support is sold in increments of 25, 100, and 1,000 nodes and is available in both 8X5 and 24X7 versions. The nodes can be any combination of SonicWall firewall appliances or SMA nodes. Currently SonicWall Email Security is not included in CGS packets.

Purchasing Upgrades

To purchase upgrades, complete the following steps:
1
Contact your SonicWall sales representative through https://support.sonicwall.com/. You will receive an activation code for each upgrade that you purchase.
2
After receiving the activation codes for the SonicWall upgrades, continue to the next section.

Activating the Upgrades

To license upgrades, complete the following steps:
1
Click the Console tab, expand the Licenses tree and click Activation Codes. The SonicWall Activation Codes page displays.

2
To manually add one or more activation codes, in the Activation Code (manual) field, enter a list of activation codes separated by semi-colons.
3
Click Add Activation Code(s).
GMS validates the codes with the backend server and then adds them to the GMS license pool database if they are valid. The Console > Logs screen provides more information on success/failure of individual activation codes.
4
To delete activation codes, select one or more codes under the Delete Activation Codes section and click Delete Activation Code(s).
5
To add a large number of activation codes from a file, type the file name into the Activation Code (file-based) field, or click Browse to select the file. Then, click Add Activation Code(s) and follow the on-screen prompts.
The file can contain multiple activation codes - each line in the file has a single activation code. After the operation is completed, the Console > Logs screen has more detailed information on the success/failure of individual activation codes that were provided in the file. A sample file is as follows, which includes for activation codes (one per line):
SBRG4827
AGTRUY56
GFKJASLJ

Viewing Deployments

The Licenses > Deployments page displays the following information about your GMS deployments:

Name
Serial
Role
Status
Version
Host—This field accepts/displays IPv4 and IPv6 addresses.

Web Services

This provides information about the SonicWall™ Global Management System (GMS) Web Services feature. Web Services is a software function designed to support interoperability between GMS and other network appliances, servers, and devices through an application programming interface (API).

This includes the following:

URI Basics

The URI is a SSL string which is used to identify Web Services resources. Each URI is composed of both static and dynamic parts that differ based on each particular deployment.

The following provides a typical, though not comprehensive, URI example:

* 
NOTE: For more information on configuring and using GMS Web Services in your deployment, download the SonicWall GMS Web Services tech note at: https://support.sonicwall.com/search?k=5408090

Status

The status screen allows the administrator to view, enable, and disable individual Web Services across one or more GMS deployments.

To view and configure Web Services status:
1
Navigate to the Web Services > Status screen on the GMS Console tab.

2
Select or deselect Enabled for the following service(s):
Appliance Status—Provides a list of appliances currently under management by the SGMS deployment. It also includes unit statuses in the for of missed heartbeat messages (0 missed heartbeats means the unit is UP).
Appliance Detail—Retrieve detailed information about the specified appliances.
Appliance Licenses—Information about service licenses that apply to the specified appliance.
Scheduled Report List—Provides a list of XML Scheduled Reports available for download through Web Services.
Scheduled Report Retrieval—Retrieves the specified XML Scheduled Report.
License Alert List—Provides a list of appliance license alerts.
Console Logs—Provides the most recent log entries (up to 200) from the GMS console.
Appliance Alerts—Provides a list of appliance specific alerts.
System Alerts—Provides a list of alerts that apply to the GMS system.
All Appliance Licenses—Provides license information for all of the appliances.
Scheduled Report Retrieval—Retrieves the specified XML Scheduled Report.
3
Click Update to save your changes.
4
The Web Services table, in the Web Services > Status screen gives the following information about each Web Service:
 

Web services information

Feature

Description

­Enabled

If selected, this feature is currently enabled

Service

Indicates the name of the Web Service

URI

Indicates the full URI used to access this Web Service. This field can accept/display IPv4 and IPv6 addresses.

Description

Provides a description of the Web Service

Configuring User Settings

This chapter describes how to configure the user settings that are available in the Console tab on the User Settings > General page that provides a way to change the SonicWall™ Global Management System (GMS) administrator password, the GMS inactivity Timeout, and pagination settings.

To configure the user settings available in the Console tab of the User Settings > General page, complete the following steps:
1
Enter the existing GMS password in the Current GMS Password field.
2
Enter the new GMS password in the New GMS Password field.
3
Reenter the new password in the Confirm New Password field.
* 
NOTE: Password fields are grayed out for users on a Remote Domain.
4
The GMS Inactivity Timeout period specifies how long GMS waits before logging out an inactive user. To prevent someone from accessing the GMS UI when GMS users are away from their desks, enter an appropriate value in the GMS Inactivity Timeout field. You can disable automatic logout completely by entering a “-1” in this field. The minimum is five minutes and the maximum is 120 minutes.
5
Select a value between 10 and 100 in the Max Rows Per Screen field. This value applies only to non-reporting related paginated screens.
6
The Appliance Selection Panel options determine how devices are displayed in the far left panel. You can display only icons (the Icons option), only the name of the appliance (Text), or both icons and names (Icons and text), or use the default GMS display settings for this user (Use default). The default is Icons and Text.
7
To configure GMS to display an editable task description each time a task is generated, select Enable edit task description dialog when creating tasks.
8
To have GMS play an audio alert when an appliance goes up, check Enable Audio Alarm when a Managed Unit goes Up.
9
To have GMS play an audio alert when an appliance goes down, check Enable Audio Alarm when a Managed Unit goes Down.

To customize the audio alerts, place wav files in the following directory:

[SGMS2]\Tomcat\webapps\sgms\com\sonicwall\sgms\applets\common

The file names for an appliance going up and down must be up_custom.wav and down_custom.wav respectively.

10
To view the message of the day now, click View Message of the Day.
11
When you are finished, click Update. The settings are changed. To clear all screen settings and start over, click Reset.
* 
NOTE: The maximum size of the SonicWall GMS User ID is 24 alphanumeric characters. The password is one-way hashed and any password of any length can be hashed into a fixed 32 character long internal password.

Using GMS Help

To access the SonicWall™ Global Management System (GMS) online help, click the blue Help button in the top-right corner of the GMS user interface.

The GMS online help provides context-sensitive conceptual overviews, configuration examples, and trouble shooting tips.

This chapter contains the following sections:

About GMS

The Console > Help > About page displays the version of GMS being run, who the GMS is licensed to, database information, and the serial number of the GMS.

To access the GMS online help, click the blue Help button in the top-right corner of the GMS user interface.

Tips and Tutorials

Tips and tutorials are available in some pages of the user interface, and are denoted by a “Light bulb” icon:

To access tips and tutorials:
1
Navigate to the page where you need help.
2
If available, click the Light bulb icon in the upper right-hand corner of the window. Tips, tutorials, and online help are displayed for this topic.