
GMS 8.3 Admin Guide

Policy Configuration

Introduction to Policy Management

This describes how to use SonicWall™ Global Management System (GMS) to configure policies on the full range of SonicWall platforms and includes the following:

SonicWall GMS Policy Configuration Overview

The appliance panels enable administrators to add, delete, configure and view various SonicWall appliance types managed by SonicWall GMS.

The policy panels include:

Firewall — For management and reporting on compatible firewall appliances.
SMA — For management and reporting on SonicWall SMA and Aventail appliances.
ES — For management of SonicWall Email Security appliances.

The policy panels are used to configure SonicWall appliances. From these pages, you can apply settings to all SonicWall appliances being managed by SonicWall GMS, all SonicWall appliances within a group, or individual SonicWall appliances.

Introduction to Firewall Policies

To open the Policies panel, click the Firewall tab at the top of the SonicWall GMS UI and then click Policies > System > Status. The Policies panel for the appropriate SonicWall appliance appears:

System

This covers a variety of SonicWall firewall appliance controls for managing system status information, registering the SonicWall firewall appliance, activating and managing SonicWall Security Services licenses, configuring the appliance's local and remote management options, managing firmware versions and preferences, and using the included diagnostics tools for troubleshooting. It also describes how to use GMS to configure general System Policy settings on managed SonicWall appliances. The following describe how to configure the system settings:

Status—Provides a comprehensive collection of information to help you manage your SonicWall security appliances and SonicWall Security Services licenses. It includes GMS status information on Firewall, Management, Subscription, and Firewall Models. Refer to Viewing System Status.
Administrator—Describes how to change the administrator and password options for one or more SonicWall appliances. Refer to Configuring Administrator Settings.
Management—Describes how to edit the remote management settings on SonicWall security appliances for management by GMS or VPN client. Refer to Editing Management Settings.
SNMP—Describes how to configure Simple Network Management Protocol. Refer to Configuring SNMP.
Certificates (Unit-level view only)—Describes how to configure both third-party Certificate Authority (CA) certificates and local certificates. Refer to Navigating the System > Certificates Page.
Time—Describes how to change the time and time options for one or more SonicWall appliances. Refer to Configuring Time Settings.
Schedules—Describes how to create and configure schedule groups, which are used to apply firewall rules on specified days and hours of the week. Refer to Configuring Schedules.
Tools—Provides a set of common system configuration tasks for restarting an appliance, requesting diagnostic information, inheriting settings, system synchronization, and synchronizing the appliance to mysonicwall.com. Also includes options to generate a Tech Support Report (TSR) and the ability to email the TSR. Refer to Using Configuration Tools.
Info—Describes how to change contact information for one or more SonicWall appliances. Refer to Configuring Contact Information.
Settings—Describes how to backup and save SonicWall appliance settings as well as restore them from preferences files. Refer to Configuring System Settings.
Licensed Nodes (Unit-level view only)—Provides a Node License Status table listing the number of nodes your SonicWall security appliance is licensed to have connected at any one time, how many nodes are currently connected, and how many nodes you have in your Node license Exclusion List. Refer to Configuring Contact Information.
Network

This covers configuring the SonicWall firewall appliance for your network environment and describes how to configure network settings for SonicWall appliances. It is divided into sections for SonicWall security appliances running SonicOS Enhanced and SonicOS Standard.

DHCP

This describes how to use the Global Management System (GMS) to configure SonicWall appliances as DHCP servers. Dynamic Host Configuration Protocol (DHCP) enables network administrators to automate the assignment of IP addresses from a centralized DHCP server. This conserves IP addresses and makes it easy for mobile users to move among different segments of the network without having to manually enter new IP addresses.

This includes the following:

Switching

This describes how to configure switching on a SonicWall appliance. For GMS, switching is supported only on appliances running SonicOS 5.9 or higher. For an overview of switching and configuration procedures, refer to the following:

Diagnostics

SonicWall appliances store information about all devices with which they have communicated. When you generate diagnostic information, only one report can be generated at a time and the information is only maintained during the current session. For example, if you run a firewall log report and then log off or generate another report, the firewall log report data is lost until you run the report again.

This includes the following:

3G/4G/Modem
NOTE: For information on configuring wireless WAN (WWAN) settings, see Configuring WWAN Settings.

This describes how to configure the dialup settings for SonicWall SmartPath (SP) and SmartPath ISDN (SPi) appliances. SonicWall SP appliances have a WAN Failover feature that enables automatic use of a built-in modem to establish Internet connectivity when the primary broadband connection becomes unavailable. This is ideal when the SonicWall appliance must remain connected to the Internet, regardless of network speed.

This contains the following:

WWAN

This describes how to configure the Wireless Wide Area Network (WWAN) settings for SonicWall security appliances that use 3G and other Wireless WAN functionality to utilize data connections over cellular networks.

This contains the following:

SonicPoint

This describes how to configure SonicPoint managed secure wireless access points. This includes the following:

Wireless

This describes how to configure wireless connectivity options for wireless SonicWall appliances. Included in this are the following:

WGS

This describes how to configure Wireless Guest Services (WGS) on WGS-enabled appliances running SonicOS Standard. For appliances running SonicOS Standard, these configuration options are available at the unit level. Wireless Guest Services allows the administrator to configure wireless access points for guest access. It can be configured with optional custom login pages and user accounts, and is compatible with several different authentication methods, including those that require external authentication.

Firewall

This describes how to configure Access Rules and App Control policies for SonicWall firewalls from the GMS management interface. This includes the following sections:

Firewall Settings

The Firewall settings in SonicWall GMS are different for SonicWall security appliances running SonicOS Enhanced and Standard. The following describe how to configure Firewall settings for each of the operating systems:

DPI-SSL

This describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. Client DPI-SSL is used to inspect HTTPS traffic when clients on the SonicWall firewall appliance’s LAN access content located on the WAN. Server DPI-SSL is used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the SonicWall firewall appliance’s LAN.

This contains the following:

Capture ATP

Capture Advanced Threat Protection (ATP) is sold as an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV).

Capture ATP helps a firewall identify whether a file is malicious or not by transmitting the file to the cloud where the SonicWall Capture ATP service analyzes the file to determine if it contains a virus or other malicious elements. Capture ATP then sends the results to the firewall. This is done in real time while the file is being processed by the firewall.

This contains the following:

VoIP

This describes the Voice over IP (VoIP) feature.

This contains the following:

Anti-Spam

This provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and anti-virus capabilities to your SonicWall firewall appliance. There are two primary ways inbound messages are analyzed by the Anti-Spam feature - Advanced IP Reputation Management and Cloud-based Advanced Content Management. IP Address Reputation uses the GRID Network to identify the IP addresses of known spammers, and reject any mail from those senders without even allowing a connection. GRID Network Sender IP Reputation Management checks the IP address of incoming connecting requests against a series of lists and statistics to ensure that the connection has a probability of delivering valuable email. The lists are compiled using the collaborative intelligence of the SonicWall GRID Network. Known spammers are prevented from connecting to the SonicWall firewall appliance, and their junk email payloads never consume system resources on the targeted systems.

This includes the following:

VPN

This covers how to create VPN policies on the SonicWall firewall appliance to support SonicWall Global VPN Clients as well as creating site-to-site VPN policies for connecting remote offices running SonicWall firewall appliances. A VPN is a private data network that uses encryption technologies to operate over public networks.

This contains the following:

SSL VPN

This provides information on how to configure the SMA features on the SonicWall SMA appliances. SonicWall’s SMA features provide secure, seamless, remote access to resources on your local network using the NetExtender client.

This contains the following:

Virtual Assist

Virtual Assist allows users to support customer technical issues without having to be on-site with the customer. This capability serves as an immense time-saver for support personnel, while adding flexibility in how they can respond to support needs.

This contains the following:

Users

This covers how to configure SonicWall firewall appliances for user-level authentication and how to manage guest services, and describes how to use GMS to configure user and user access settings. Included in this are the following:

Web Filters

SonicWall Content Security Manager (CSM) CF provides appliance-based Internet filtering that enhances security and employee productivity, optimizes network utilization, and mitigates legal liabilities by managing access to objectionable and unproductive Web content. This provides configuration tasks for deploying these services.

High Availability

This describes how to use GMS to configure High Availability, which allows the administrator to specify a primary and a secondary SonicWall appliance. If the connection to the primary device fails, connectivity transfers to the backup device.

In addition, SonicWall GMS can utilize the same device pairing technology to implement different forms of load balancing. Load balancing helps regulate the flow of network traffic by splitting that traffic between primary and secondary SonicWall devices. This includes the following:

Security Services

This includes an overview of available SonicWall Security Services as well as instructions for activating the services, including FREE trials. These subscription-based services include SonicWall Gateway Anti-Virus, SonicWall Intrusion Prevention Service, SonicWall Content Filtering Service, and SonicWall Client Anti-Virus, as well as other services.

SonicWall firewall appliances offer several services for protecting networks against viruses and attacks. This provides concept overviews and configuration tasks for deploying these services.

This contains the following:

Content Filter

This describes how to use GMS to configure content filtering options for one or more SonicWall appliances. This functionality can be used to deny access to material supplied by the active content filtering subscription, specific domains, domains by keyword, and Web features such as ActiveX, Java, and cookies.

This includes the following:

WAN Acceleration

This describes how to view and configure the WAN Acceleration service.

Flow Activity

This describes how to configure the Flow Activity feature and contains the following:

NOTE: This feature is only available for SonicWall security appliances running SonicOS 6.1 and higher firmware.
Log

This covers managing the SonicWall firewall appliance’s logging, alerting, and reporting features. The SonicWall firewall appliance’s logging features provide a comprehensive set of log categories for monitoring security and network activities. This describes how to use GMS to configure where the SonicWall appliance(s) send their logs, how often the logs are sent, and what information is included.

This includes the following:

Register/Upgrades

This describes how to register and upgrade your SonicWall firewall appliances. This contains the following:

Events

This provides an introduction to the SonicOS Event Alerts feature. This contains the following:

Introduction to SMA Policies

This provides instructions for modifying the general status and tools for SonicWall SMA platforms. To modify the general status and tools of an SMA appliance using SonicWall GMS, click the SMA tab at the top of the screen, then select the Policies subtab. In the center pane, select General. You will see the options Status, Tools, and Info.

System
The System > Status section provides the current status of the SMA appliance and allows for an instant update of appliance information using Fetch Information.
The System > Tools section provides the following options: Restart Appliance, Synchronize Now, Synchronize the Appliance with mysonicwall.com.
NOTE: The Restart Appliance option is not available for SonicWall Aventail SMA appliances.
The System > Info section provides the ability to update the contact information for the SMA appliance.
Register/Upgrades
The Register/Upgrades > Register SonicWalls screen provides the ability to register SMA appliances with your mysonicwall.com account.
NOTE: Registering SonicWall Aventail SMA appliances from GMS is not supported.
Events
The Events > Alert Settings screen allows you to add, edit, or delete a Unit Status alert for managed SMA appliances.
The Events > Current Alerts screen displays all active alerts for this appliance.

Introduction to Email Security Policies

After a SonicWall Email Security appliance has been added to SonicWall GMS, the unit can be managed through the ES Policies panel.

System

The System > Status window displays both general deployment status and individual appliance status for Email Security appliances.

The System > Tools section provides options to force your SonicWall ES appliance to synchronize its license and subscription information with MySonicWall.com immediately.

The System > Info screen allows you to edit Email Security appliance information on a global or unit level.

Register/Upgrades

The Register/Upgrades > Register ESA screen provides the ability to register ESA appliances with your mysonicwall.com account.

Events
The Events > Alert Settings screen allows you to add, edit, or delete a Unit Status alert for managed ES appliances.
The Events > Current Alerts screen displays all active alerts for this appliance.

Configuring Firewall System Settings

This details the SonicWall™ Global Management System (GMS) management interface and configuration procedures for the Policies > System pages and includes the following:

Viewing System Status

The System Status page provides a comprehensive collection of information to help you manage your SonicWall security appliances and SonicWall Security Services licenses. In the global view mode, it provides a summary of all of the devices that are managed by the SonicWall GMS, including the number of appliances, whether the appliances are up or down, and the number of security services subscriptions.

To view a summary of all devices managed by the GMS, click the Change View icon at the top left and select GlobalView. Expand the System tree in the middle panel, and click on Status. The Status page displays.

At the individual appliance level, the Status page provides more details such as the serial number, firmware version, and information on management, reporting, and security service subscriptions.

To view a summary of the status of an individual appliance, select the appliance in the left pane, and then click System > Status in the navigation pane. The Status page displays.

If tasks are pending for the selected unit, GMS provides a hyperlink that takes the user to the Tasks Screen for that unit. Also in System > Status, GMS displays the Last Log Entry for the unit with a hyperlink that takes the user to the unit Logs screen. The links are only provided if the user actually has permissions to access those screens on the Console tab.

In the Subscription section header, GMS provides a click here for details link that displays your current subscription details on the Register/Upgrades > Search screen. The search parameters are pre-populated to retrieve the subscription services currently active on the appliance(s); the search runs automatically and the results are sorted by Expiry Date for your convenience.

This page provides a PDF icon that you can click to get a PDF file containing the same content as the Web page.

At the bottom of the status screen, GMS provides a way to retrieve dynamic information about the selected appliance, and also provides a link to the GMS Getting Started Guide.

You can click the Fetch Information link to view the following dynamic information:

Firewall uptime since the last reboot
Last Modified Time and the user who last modified the appliance
Modem speed and active profile used (only for dial-up appliances)

You can retrieve this information by clicking Fetch Information at the global, group, or unit level. The actual results, however, are displayed only at the unit level.

To view the SonicWall GMS Getting Started Guide, click Open Getting Started Instructions In New Window.

Configuring Administrator Settings

System > Administrator

The System > Administration page provides settings for the configuration of the SonicWall Security Appliance for secure and remote management. The Administrator page configures administrator settings for the SonicWall appliance. These settings affect both GMS and other administrators.

To change administrator settings on one or more SonicWall appliances, complete the following steps:
1. Expand the System tree and click Administrator. The Administrator page displays.

Firewall Name

2. The firewall name is displayed. This field is read-only and cannot be configured from GMS.
3. Optionally, select Auto-Append HA/Clustering suffix to Firewall Name. To make the primary and secondary firewalls easier to recognize in the Log Monitor, this option automatically appends one of the following suffixes to the firewall name in Dashboard > Log Monitor:
Primary
Secondary
Primary Node <n>
Secondary Node <n>

This option is not selected by default.

4. Enter the Firewall's Domain Name. It can be a private name for internal users or an externally registered domain name. This domain name is used together with the User Web Login Settings on the Users > Settings page for user-authentication redirects.
Administrator Name

5. Enter the login name for the administrator in the Administrator Login Name field.
Login Security

6. Specify the maximum number of days after which a password expires and must be changed in the Password must be changed every (days) field.
7. Specify the number of previous passwords that are remembered and that a new password cannot match in the Bar repeated passwords for this many changes field.
8. Select New password must contain 4 characters different from the old password to require that a changed password differ from the old one in at least four characters.
9. Specify the minimum password length in the Enforce a minimum password length of field.
10. Select the level of password complexity from the Enforce Password Complexity pull-down list. You can select one of the following:
None
Require both alphanumeric and numeric characters
Require alphabetic, numeric and symbolic characters

After the password complexity is chosen, enter the complexity requirements:

Upper Case Characters
Lower Case Characters
Numeric Characters
Symbolic Characters

The appliance password must comply with the selected password complexity; otherwise, the appliance password has to be set manually from the appliance's web interface.

11. Select Administrators to apply these password constraints only to full and read-only administrators.
12. Select Other full administrators to apply these password constraints to all administrators with local passwords.
13. Select Limited administrators to apply these password constraints to all local users with limited administrator privileges.
14. Select Other local users to apply these password constraints only to non-administrator users.
15. Specify how long (in minutes) the SonicWall appliance(s) wait before logging out inactive administrators in the Log out the Administrator after inactivity of field.
16. To lock a user out of the SonicWall appliance after repeated login failures, select Enable administrator/user lockout. Then specify the number of failed login attempts that triggers a lockout in the Failed login attempts per minute before lockout field, and how long the user stays locked out in the Lockout Period field.
17. Specify the Max login attempts through CLI. This is the number of incorrect login attempts from the command line interface (CLI) within a one-minute window that triggers a lockout. The minimum is 1, the maximum is 9999, and the default is 5.
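The following Python model is an added example, not SonicWall code: it implements the Login Security constraints from steps 6 to 17 (minimum length, complexity level and per-class counts, the four-different-characters rule, the repeated-password bar, and the failed-attempts-per-minute lockout) so you can see which candidate passwords a given policy accepts. The guide does not say how "4 characters different" is measured, so a position-independent comparison is assumed; time is passed in as minutes so the lockout window is deterministic.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Sequence


@dataclass
class PasswordPolicy:
    """Hypothetical model of the Login Security settings (steps 6 to 10)."""
    min_length: int = 8                    # Enforce a minimum password length of
    complexity: str = "none"               # "none" | "alphanumeric" | "symbolic"
    min_upper: int = 0                     # Upper Case Characters
    min_lower: int = 0                     # Lower Case Characters
    min_numeric: int = 0                   # Numeric Characters
    min_symbolic: int = 0                  # Symbolic Characters
    require_four_different: bool = False   # New password must contain 4 characters different ...
    history_size: int = 0                  # Bar repeated passwords for this many changes


def characters_different(new: str, old: str) -> int:
    """Distinct characters of `new` that occur nowhere in `old`.

    Assumption: the guide does not define "different"; a position-independent
    comparison is used here."""
    return len(set(new) - set(old))


def check_password(policy: PasswordPolicy, new: str, old: str = "",
                   history: Sequence[str] = ()) -> List[str]:
    """Return the violated constraints; an empty list means the password is acceptable.

    `old` is the password being replaced, `history` the earlier ones (oldest first)."""
    problems: List[str] = []
    if len(new) < policy.min_length:
        problems.append(f"length {len(new)} is below the minimum of {policy.min_length}")

    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    numeric = sum(c.isdigit() for c in new)
    symbolic = sum((not c.isalnum()) and (not c.isspace()) for c in new)

    # Enforce Password Complexity: both non-"None" levels need letters and digits;
    # the stricter level additionally needs at least one symbol.
    if policy.complexity in ("alphanumeric", "symbolic") and (upper + lower == 0 or numeric == 0):
        problems.append("must contain both alphabetic and numeric characters")
    if policy.complexity == "symbolic" and symbolic == 0:
        problems.append("must contain symbolic characters")

    # Per-class minimum counts entered after choosing the complexity level.
    for label, have, need in (("upper case", upper, policy.min_upper),
                              ("lower case", lower, policy.min_lower),
                              ("numeric", numeric, policy.min_numeric),
                              ("symbolic", symbolic, policy.min_symbolic)):
        if have < need:
            problems.append(f"needs at least {need} {label} character(s), has {have}")

    if policy.require_four_different and old and characters_different(new, old) < 4:
        problems.append("must contain 4 characters different from the old password")

    # Bar repeated passwords: the current password plus the most recent history entries.
    if policy.history_size:
        barred = (list(history) + [old])[-policy.history_size:]
        if new in barred:
            problems.append(f"matches one of the previous {policy.history_size} passwords")
    return problems


@dataclass
class LockoutTracker:
    """Failed login attempts per minute before lockout / Lockout Period (steps 16 and 17).

    `now` arguments are minutes as floats so the sliding window is deterministic."""
    attempts_per_minute: int = 5
    lockout_minutes: int = 5
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, float("-inf")) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if this failure triggers a lockout."""
        window = [t for t in self._failures.get(user, []) if now - t < 1.0]
        window.append(now)
        if len(window) >= self.attempts_per_minute:
            self._locked_until[user] = now + self.lockout_minutes
            self._failures[user] = []      # the per-minute counter restarts after a lockout
            return True
        self._failures[user] = window
        return False


if __name__ == "__main__":
    strict = PasswordPolicy(min_length=8, complexity="symbolic", min_upper=1, min_numeric=1,
                            min_symbolic=1, require_four_different=True, history_size=3)
    print(check_password(strict, "Winter!2024", old="Summer#1999"))        # []
    print(check_password(strict, "Tr0ub4dor&3", old="Tr0ub4dor&2"))        # only '3' is new
    tracker = LockoutTracker(attempts_per_minute=3, lockout_minutes=5)
    print([tracker.record_failure("admin", t) for t in (0.0, 0.2, 0.5)])  # [False, False, True]
```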
Multiple Administrators

18. Under the Multiple Administrators section, the On preemption by another administrator setting configures what happens when one administrator preempts another using the Multiple Administrators feature. The preempted administrator can either be dropped to non-config mode or logged out. Configure the following options:
Drop to non-config mode - Moves the preempted administrator to non-configuration mode.
Log out - Logs out the preempted administrator.
NOTE: Selecting Log Out disables Non-Config mode and prevents entering Non-Config mode manually.
Allow preemption by a lower priority administrator after inactivity of (minutes) - Enter the number of minutes of inactivity by the current administrator after which a lower-priority administrator can preempt. The default is 10 minutes.
Enable inter-administrator messaging - Select to allow administrators to send text messages through the management interface to other administrators logged into the appliance. The message appears in the browser's status bar.
Enable Multiple Administrator Roles – Enables access by System Administrators, Cryptographic (Crypto) Administrators, and Audit Administrators. This option is disabled by default. When it is disabled, these three administrator types cannot access the system, and all related user groups and information about them are hidden.
Messaging polling interval (seconds) - Sets how often the administrator's browser checks for inter-administrator messages. If multiple administrators are likely to need access to the appliance, set this to a reasonably short interval to ensure timely delivery of messages. The default is 10 minutes.
Enhanced Audit Logging Support

In the Enhanced Audit Logging Support section:

Enable Enhanced Audit Logging – Enables logging of all configuration changes in the Log > Log Monitor page. The log entry contains the parameter changed and user name.
Web Management Settings

In the Web Management Settings section:

19. To use HTTP management, select Allow management via HTTP, which lets the administrator enable or disable HTTP management globally.
Managing Tooltips

GMS includes embedded Tooltips for many elements in the GMS UI. Tooltips are small pop-up windows that are displayed when you hover the mouse over a UI element; they provide brief information describing that element. Tooltips are displayed for many forms, buttons, table headings, and entries.

NOTE: Not all UI elements have Tooltips. If a Tooltip does not display after hovering your mouse over an element for a couple of seconds, you can safely conclude that it does not have an associated Tooltip.

When applicable, Tooltips display the minimum, maximum, and default values for form entries. These entries are generated directly from the GMS firmware, so the values will be correct for the specific platform and firmware combination you are using.

Tooltips are enabled by default. To disable Tooltips, clear Enable Tooltip. You can configure the duration of time before Tooltips display:

Form Tooltip Delay - Duration in milliseconds before Tooltips display for forms (boxes where you enter text). The default is 2000 ms.
Button Tooltip Delay - Duration in milliseconds before Tooltips display for radio buttons and checkboxes. The default is 3000 ms.
Text Tooltip Delay - Duration in milliseconds before Tooltips display for UI text. The default is 500 ms.
Enforcing TLS

GMS supports versions 1.1 and 1.2 of the Transport Layer Security (TLS) protocol. To enforce use of TLS versions 1.1 and above, select Enforce TLS 1.1 and Above.

Client Certificate Check

20. On the System > Administration page, the Client Certificate Check section enables you to configure certificate verification with or without a Common Access Card (CAC).
About Common Access Card

A Common Access Card (CAC) is a United States Department of Defense (DoD) smart card used by military personnel and other government and non-government personnel who require highly secure access over the internet. A CAC uses PKI authentication and encryption.

NOTE: Using a CAC requires an external card reader connected on a USB port.

The Client Certificate Check was developed for use with a CAC; however, it is useful in any scenario that requires a client certificate on an HTTPS/SSL connection. CAC support is available for client certification only on HTTPS connections.

NOTE: CACs may not work with browsers other than Microsoft Internet Explorer.
Options
NOTE: By default, all options are disabled and unavailable.
Enable Client Certificate Check – Enables or disables client certificate checking and CAC support on the SonicWall security appliance. If you enable this option, all other options become available.
Enable Client Certificate Cache – Activates the certificate cache, which expires 24 hours after being enabled.
User Name Field – Specifies the certificate field from which the user name is obtained:
Subject: Common Name (default)
Sub Alt: Email
Sub Alt: Microsoft Universal Principal Name
Client Certificate Issuer – Lists the Certification Authority (CA) certificate issuers available to sign the client certificate. The default is ComSign CA.
NOTE: If the appropriate CA is not listed, you need to import that CA into the SonicWall security appliance.
CAC user group memberships retrieve method – Select how to obtain the CAC user's group membership and, thus, determine the correct user privilege:
Local Configured (default) – If selected, you should create local user groups with the proper memberships.
From LDAP – If selected, you need to configure the LDAP server on the Users > Settings page.
Enable OCSP Checking – Enables or disables the Online Certificate Status Protocol (OCSP) check for the client certificate, which verifies that the certificate is still valid and has not been revoked. When this option is enabled, the OCSP Responder URL field displays.
OCSP Responder URL – Enter the URL of the OCSP server that verifies the status of the client certificate.

The OCSP Responder URL is usually embedded inside the client certificate and does not need to be entered. If the client certificate does not have an OCSP link, you can enter the URL link. The link should point to the Common Gateway Interface (CGI) on the server side, which processes the OCSP checking. For example: http://10.103.63.251/ocsp.

Enable periodic OCSP Check – Enables or disables a periodic OCSP check for the client certificate to verify that the certificate is still valid and has not been revoked.
OCSP check interval 1~72 (in hours) – Enter the interval between OCSP checks, in hours. The minimum interval is 1 hour, the maximum is 72 hours, and the default is 24 hours.
Using the Client Certificate Check

If you use the client certificate check without a CAC, you must manually import the client certificate into the browser.

If you use the Client Certificate Check with a CAC, the client certificate is automatically installed on the browser by middleware. When you begin a management session through HTTPS, the certificate selection window is displayed asking you to confirm the certificate.

After you select the client certificate from the drop-down menu, the HTTPS/SSL connection is resumed, and the SonicWall security appliance checks the Client Certificate Issuer to verify that the client certificate is signed by the CA. If a match is found, the administrator login page is displayed. If no match is found, the browser displays a standard browser connection fail message, such as:

.....cannot display web page!

If OCSP is enabled, before the administrator login page is displayed, the browser performs an OCSP check and displays the following message while it is checking.

Client Certificate OCSP Checking.....

If a match is found, the administrator login page is displayed, and you can use your administrator credentials to continue managing the SonicWall security appliance.

If no match is found, the browser displays the following message:

OCSP Checking fail! Please contact system administrator!
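As an added illustration of the Options and the verification flow described above (this is not SonicWall's code, and the OCSP step is left out because it needs a live responder), the following Python model performs the two offline checks the page describes: the Client Certificate Issuer match, done by issuer name plus a signature check under the selected CA's key, and the User Name Field selection from Subject: Common Name, Sub Alt: Email, or Sub Alt: Microsoft Universal Principal Name. It assumes the `cryptography` library and constructs its own throwaway CA and client certificate as test data.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# OID of the Microsoft User Principal Name otherName entry in subjectAltName.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def _der_utf8(text: str) -> bytes:
    """Minimal DER encoding of a UTF8String (tag 0x0C) for values shorter than 128 bytes."""
    raw = text.encode("utf-8")
    assert len(raw) < 128
    return b"\x0c" + bytes([len(raw)]) + raw


def _make_cert(subject, issuer, public_key, signing_key, extensions):
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(days=1))
               .not_valid_after(now + timedelta(days=365)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical)
    return builder.sign(signing_key, hashes.SHA256())


def make_ca(name: str):
    """Self-signed CA standing in for an issuer imported into the appliance (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = _make_cert(subject, subject, key.public_key(), key,
                      [(x509.BasicConstraints(ca=True, path_length=None), True)])
    return key, cert


def make_client_cert(ca_key, ca_cert, common_name: str, email: str, upn: str):
    """Client certificate carrying the three fields the User Name Field option can select."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    san = x509.SubjectAlternativeName([x509.RFC822Name(email),
                                       x509.OtherName(UPN_OID, _der_utf8(upn))])
    return _make_cert(subject, ca_cert.subject, key.public_key(), ca_key, [(san, False)])


def issuer_matches(client_cert, issuer_cert) -> bool:
    """The Client Certificate Issuer check: the issuer name must match the selected CA and
    the signature must verify under that CA's public key (a name match alone could be forged)."""
    if client_cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                        ec.ECDSA(client_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True


def user_name_from_cert(cert, field: str) -> str:
    """Select the login name according to the User Name Field option."""
    if field == "Subject: Common Name":
        return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    if field == "Sub Alt: Email":
        return san.get_values_for_type(x509.RFC822Name)[0]
    if field == "Sub Alt: Microsoft Universal Principal Name":
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID and other.value[0] == 0x0C:
                length = other.value[1]
                return other.value[2:2 + length].decode("utf-8")
        raise ValueError("certificate has no UPN entry")
    raise ValueError(f"unknown user name field: {field}")


if __name__ == "__main__":
    ca_key, ca_cert = make_ca("Test CA")
    cert = make_client_cert(ca_key, ca_cert, "jdoe", "jdoe@example.com", "jdoe@corp.example")
    print(issuer_matches(cert, ca_cert))                      # True
    print(issuer_matches(cert, make_ca("Test CA")[1]))        # False: same name, different key
    for option in ("Subject: Common Name", "Sub Alt: Email",
                   "Sub Alt: Microsoft Universal Principal Name"):
        print(option, "->", user_name_from_cert(cert, option))
```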

Troubleshooting User Lock Out

When using the client certificate feature, these situations can lock the user out of the SonicWall security appliance:

Enable Client Certificate Check is checked, but no client certificate is installed on the browser.
Enable Client Certificate Check is checked and a client certificate is installed on the browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate Issuer is selected.
Enable OCSP Checking is enabled, but either the OCSP server is not available or a network problem is preventing the SonicWall security appliance from reaching the OCSP server.

To restore access to a user who is locked out, the following CLI commands are provided:

web-management client-cert disable
web-management ocsp disable
Certificate expire checking settings

Enable periodic certificate expiration check – Activates periodic checks of the certificate's expiration. When enabled, the Certificate expiration alert interval option becomes available.
Certificate expiration alert interval: 1 - 168 (in hours) – Sets the interval between certificate checks, in hours. The minimum time is 1 hour, the maximum is 168 hours, and the default is 168.
Download URL

21. The Download URL section provides fields for specifying the URL address of a site for downloading the SonicPoint images. SonicOS Enhanced 5.0 and higher does not contain an image of the SonicPoint firmware. If your SonicWall appliance has Internet connectivity, it will automatically download the correct version of the SonicPoint image from the SonicWall server when you connect a SonicPoint device. If your SonicWall appliance does not have Internet access, or has access only through a proxy server, you must manually specify a URL for the SonicPoint firmware. You do not need to include the http:// prefix, but you do need to include the filename at the end of the URL. The filename should have a .bin extension.
CAUTION: It is imperative that you download the corresponding SonicPoint image for the SonicOS firmware version that is running on your SonicWall network security appliance. The MySonicWall.com Web site provides information about the corresponding versions. When upgrading your SonicOS firmware, be sure to upgrade to the correct SonicPoint image.
22. Select the type of image or images to download by clicking on the appropriate checkbox and entering the image download location in the associated field:
Manually specify SonicPoint-N image URL (http://)
Manually specify SonicPoint-Ni/Ne image URL (http://)
Manually specify SonicPoint-NDR image URL (http://)
Manually specify SonicPoint-ACe/ACi/N2 image URL (http://)
Change the Administrator Password

23
Select from the following options to change the SonicWall appliance password(s):
If you are configuring a SonicWall appliance at the unit level, enter and reenter the new SonicWall password. Then, enter the GMS password and click Change Password. The password is changed.
If you are configuring a SonicWall appliance at the group or global level, enter the GMS password and click Change Password. Each SonicWall appliance will receive a unique randomly generated password. This unique password is encrypted and recorded in the GMS database.

At the non-unit level, passwords can be configured in two ways:
GMS can assign random passwords to the appliances (recommended for security purposes).
The user can specify a specific password which will be assigned to all the appliances in the node (not recommended).

To have GMS assign random passwords, leave the New SonicWall Password and Confirm New SonicWall Password fields empty.
* 
NOTE: The unique encrypted password is also written into a file in <gms_directory>/etc/. The filename format is Prefs<serialnumber>.pwd; each file contains the old and the new password for the SonicWall appliance. The file gets overwritten every time the password for the SonicWall appliance is changed. The passwords in the file are base64-encoded; because base64 is a reversible encoding rather than strong encryption, treat these files as sensitive and restrict access to the directory.
24
When you are finished, click Update. A task gets spooled and after it is executed successfully, the settings are updated for the selected SonicWall appliances.
25
To clear all screen settings and start over, click Reset.

Editing Management Settings

To edit the remote management settings for a SonicWall security appliance, complete the following steps:
1
Expand the System tree and click System > Management. The Management page displays.

* 
CAUTION: Changing the management parameters can cause units to be disconnected from GMS.
2
Enter the port number for HTTP connections in the HTTP Port field.
3
To enable HTTPS access to the appliance, select Enable HTTPS Access to the unit and enter the port number in the HTTPS Port field. For the SonicWall Aventail appliance, use port 8443 for HTTPS access.
4
The Certificate Common Name field defaults to the SonicWall LAN Address. This allows you to continue using a certificate without downloading a new one each time you log into the appliance.
* 
NOTE: To change the HTTP or HTTPS ports for SonicOS Enhanced units, go to the Firewalls > Service Objects screen and edit the corresponding service object.
5
Specify whether the appliance is to be managed by GMS or a VPN client in the Enable Management Using pull-down menu.
6
Enter the IP address or host name of the GMS server in the GMS HostName or IPAddress field.
7
Enter the syslog server port (default: 514) in the GMS Syslog Server Port field.
8
If the GMS is behind a device doing Network Address Translation (NAT), select GMS behind NAT Device and enter the IP address in the NAT Device IP Address field.
9
If the appliance is managed over an existing VPN tunnel, select GMS on VPN (No SA Required).
10
Select Enable Out of Band Management on the management port to automatically create a management interface address object for the MGMT interface, which works as an out-of-band interface, and to configure a route policy for the newly created address object.
* 
NOTE: To avoid conflicts when route policies are deleted and created, changing this option (which creates the management interface address object and configures the route policy) causes a system reboot.

This management interface provides a trusted interface to the management appliance. Network connections to this interface are very limited. If the NTP, DNS, and SYSLOG servers are configured in the MGMT subnet, the appliance uses the MGMT IP as the source IP and creates the MGMT address object and route policies automatically. All traffic from the management interface is routed by this policy. Created routes display on the Network > Routing page.

The MGMT address object and route policies are created and updated for the IPv4 management IP only. Because the IPv6 management IP address object is created by default, this feature does not apply to IPv6 management IP address object creation.

11
To minimize the amount of syslog traffic between GMS and the SonicWall security appliance, select Send Heartbeat Status Messages Only. Use this option if you do not need the data to generate reports in GMS. When you check this setting, the unit sends only heartbeat (m=96) messages that tell GMS that the unit is alive. Click Change.
12
To allow users on the LAN interface to ping the appliance to verify that it is online, select Enable Ping from LAN/WorkPort to management interface. Click Change.
13
To allow GMS administrators to preempt users who are logged in directly to the SonicWall security appliance, select Allow GMS to preempt a logged in administrator.
14
If you have configured security associations on the appliance, the Security Association Information section displays at the bottom of the Management page. Enter the SA keys in the Encryption Key and Authentication Key fields and click Change Only SA Keys.
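When a unit is set to Send Heartbeat Status Messages Only, the m=96 heartbeat is the only evidence GMS has that the unit is alive, so a liveness check over the syslog stream is worth having. The following is an added example, not GMS code: it parses SonicWall-style key=value syslog lines (the id=, sn=, time=, fw=, pri=, c=, m= layout is assumed; only m=96 as the heartbeat ID comes from this guide), records the newest heartbeat per serial number, and flags units that have gone silent. The log lines, serial numbers and addresses are constructed.

```python
"""Liveness check for managed units from SonicWall-style heartbeat syslog messages.

Added example; not part of the GMS guide. The key=value layout is assumed and
the sample lines below are constructed; m=96 as the heartbeat ID is from the page.
"""
import re
from datetime import datetime, timedelta, timezone

HEARTBEAT_MSG_ID = "96"  # m=96 identifies a heartbeat status message

# One key=value token; quoted values may contain spaces (e.g. the time field).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog_fields(line):
    """Return the key=value pairs of one syslog line as a dict, quotes stripped."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_sonicwall_time(value):
    """Parse a time="YYYY-MM-DD HH:MM:SS UTC" field into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def last_heartbeats(lines):
    """Map each unit serial number (sn=) to the timestamp of its newest m=96 message."""
    newest = {}
    for line in lines:
        fields = parse_syslog_fields(line)
        if fields.get("m") != HEARTBEAT_MSG_ID:
            continue  # not a heartbeat; other message IDs do not prove liveness here
        try:
            seen = parse_sonicwall_time(fields["time"])
            serial = fields["sn"]
        except (KeyError, ValueError):
            continue  # malformed line: skip it rather than crash the monitor
        if serial not in newest or seen > newest[serial]:
            newest[serial] = seen
    return newest


def stale_units(lines, expected_serials, now, max_silence):
    """Return the serials whose last heartbeat is older than max_silence or missing.

    Passing the expected serials lets the check flag a unit that has gone
    completely silent, which a log-only view would never show.
    """
    newest = last_heartbeats(lines)
    stale = []
    for serial in sorted(expected_serials):
        last = newest.get(serial)
        if last is None or now - last > max_silence:
            stale.append(serial)
    return stale


# Constructed sample: three units GMS expects to hear from. Unit 0002 keeps
# talking but has not sent a heartbeat; unit 0003's only heartbeat is garbled.
SAMPLE_LINES = [
    'id=firewall sn=CONSTRUCTED0001 time="2017-01-10 14:22:01 UTC" fw=192.0.2.10 pri=6 c=0 m=96 msg="Heartbeat"',
    'id=firewall sn=CONSTRUCTED0001 time="2017-01-10 14:27:02 UTC" fw=192.0.2.10 pri=6 c=0 m=96 msg="Heartbeat"',
    'id=firewall sn=CONSTRUCTED0002 time="2017-01-10 13:50:00 UTC" fw=192.0.2.20 pri=6 c=0 m=96 msg="Heartbeat"',
    'id=firewall sn=CONSTRUCTED0002 time="2017-01-10 14:28:00 UTC" fw=192.0.2.20 pri=6 c=1024 m=537 msg="Connection Closed"',
    'id=firewall sn=CONSTRUCTED0003 time="not a timestamp" fw=192.0.2.30 pri=6 c=0 m=96 msg="Heartbeat"',
]
EXPECTED_SERIALS = {"CONSTRUCTED0001", "CONSTRUCTED0002", "CONSTRUCTED0003"}
CHECK_TIME = datetime(2017, 1, 10, 14, 30, 0, tzinfo=timezone.utc)


def demo():
    """Units with no heartbeat in the 10 minutes before CHECK_TIME."""
    return stale_units(SAMPLE_LINES, EXPECTED_SERIALS, CHECK_TIME, timedelta(minutes=10))


if __name__ == "__main__":
    print("Units with no heartbeat in the last 10 minutes:", demo())
```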

One-Touch Configuration Overrides

The One-Touch Configuration Overrides feature is configured on the System > Management page. It can be thought of as a quick tune-up for your SonicWall network security appliance’s security settings. With a single click, One-Touch Configuration Override applies over sixty configuration settings to implement SonicWall’s recommended best practices. These settings ensure that your appliance is taking advantage of SonicWall’s security features.

* 
NOTE: A system restart is required for the updates to take full effect.

There is a set of One-Touch Configuration Overrides buttons:

DPI and Stateful Firewall Security – For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules.
Stateful Firewall Security – For network environments that do not have DPI security services enabled, but still want to employ SonicWall’s stateful firewall security best practices.

Both of the One-Touch Configuration Override deployments implement the following configurations:

Configure Administrator security best practices
Enforce HTTPS login and disable ping
Configure DNS Rebinding
Configure Access Rules best practices
Configure Firewall Settings best practices
Configure Firewall Flood Protection best practices
Configure VPN Advanced settings best practices
Configure Log levels
Enable Flow Reporting and Visualization

The DPI and Stateful Firewall Security deployment also applies the following DPI-related configurations:

Enable DPI services on all applicable zones
Enable App Rules
Configure Gateway Anti-Virus best practices
Configure Intrusion Prevention best practices
Configure Anti-Spyware best practices

To see exactly which settings are reconfigured, click on the Preview applicable changes link next to each button. A page displays with a list of each setting and the value to which it will be set.

* 
CAUTION: Be aware that the One-Touch Configuration Override may change the behavior of your SonicWall security appliance. Review the list of configurations before applying One-Touch Configuration Override. In particular, the following configurations may affect your experience:
Administrator password requirements on the System > Administration page
Requiring HTTPS management
Disabling HTTP to HTTPS redirect
Disabling Ping management

To apply One-Touch Configuration, complete the following steps:
1
Apply one-touch configuration overrides by clicking the DPI and Stateful Firewall Security or Stateful Firewall Security links. To view the changes that will be made for each link, click the Preview applicable changes link and a list of configuration changes is displayed. If you are currently connected using HTTP, you will have to manually reconnect through HTTPS after the reboot.
2
When you have finished configuring remote management settings, click OK.

FIPS

When operating in FIPS (Federal Information Processing Standard) Mode, the SonicWall Security Appliance supports FIPS 140-2 compliant security. The FIPS-compliant features of the SonicWall Security Appliance include a PRNG based on SHA-1, and only FIPS-approved algorithms are supported (DES, 3DES, and AES with SHA-1).

* 
NOTE: FIPS in SonicOS 6.2.5.1 supports FIPS 2K certificate signing support (112 bits of security strength; 2048-bit key) while maintaining backward compatibility with previous signature modes.
To enable FIPS and see a list of which of your current configurations are not allowed or are not present:
* 
NOTE: The Enable FIPS Mode checkbox cannot be enabled at the same time as the Enable NDPP Mode checkbox, which is also on the Settings page.
1
Go to the System > Management page.
2
Scroll to the bottom to the FIPS section.

3
Select Enable FIPS Mode. The FIPS Mode Verification dialog appears with a list of your required and not allowed configurations.

4
If your SonicWall appliance:
Complies with the checklist, go to Step 5.
Does not comply with the checklist, manually change or disable settings to be compliant with the FIPS mode requirements.
* 
TIP: Leave the checklist window open while you make the configuration changes. If you click OK before all required changes are complete, Enable FIPS Mode is cleared automatically upon closing the verification window. Select the checkbox again to see what configuration changes are still needed for FIPS compliance.
5
Click OK to reboot the security appliance in FIPS mode. A second warning displays.
6
Click Yes to continue rebooting. To return to normal operation, clear Enable FIPS Mode and reboot the firewall in non-FIPS mode.
* 
CAUTION: When using the SonicWall Security Appliance for FIPS-compliant operation, the tamper-evident sticker that is affixed to the SonicWall Security Appliance must remain in place and untouched.

NDPP

A SonicWall network security appliance can be enabled to be compliant with Network Device Protection Profile (NDPP), but certain firewall configurations are not allowed or are required.

* 
NOTE: NDPP is a part of Common Criteria (CC) certification. However, NDPP in GMS is not currently certified.

The security objectives for a device that claims compliance to a Protection Profile are defined as follows:

Compliant TOEs (Targets Of Evaluation) will provide security functionality that addresses threats to the TOE and implement policies that are imposed by law or regulation. The security functionality provided includes protected communications to and between elements of the TOE; administrative access to the TOE and its configuration capabilities; system monitoring for detection of security relevant events; control of resource availability; and the ability to verify the source of updates to the TOE.

You enable NDPP by selecting Enable NDPP Mode on the System > Settings page. Once you do this, a popup message displays with the NDPP mode setting compliance checklist. The checklist displays every setting in your current GMS configuration that violates NDPP compliance so that you can change these settings. You need to navigate around the GMS management interface to make the changes. The checklist for an appliance with factory default settings is shown in the following procedure.

To enable NDPP and see a list of which of your current configurations are not allowed or are not present:
* 
NOTE: Enable NDPP Mode cannot be enabled at the same time as Enable FIPS Mode, which is also on the System > Settings page.
1
Go to the System > Management page.
2
Scroll to the bottom to the NDPP section.

3
Select Enable NDPP Mode. The NDPP Mode Setting Verification message appears with a list of your required and not allowed configurations.

4
If your SonicWall appliance:
Complies with the checklist, go to Step 5.
Does not comply with the checklist, manually change or disable settings to be compliant with the NDPP mode requirements.
* 
TIP: Leave the checklist dialog open while you make the configuration changes. If you click OK before all required changes are complete, Enable NDPP Mode is cleared automatically upon closing the checklist dialog. Select the checkbox again to see what configuration changes are still needed for NDPP compliance.
5
Click OK or Cancel.

Configuring SNMP

This describes how to configure Simple Network Management Protocol (SNMP) settings for one or more SonicWall appliances. The images in this section display the SonicOS 6.2.7 management interface.

To configure the SNMP feature, refer to the following:

SNMP

To configure SNMP, complete the following steps:
1
Expand the System tree and click SNMP. The SNMP page displays.
2
Select Enable SNMP.
3
Click the Configure link.

4
Enter a name in the System Name field.
5
Enter the name of the administrator responsible for the SNMP server in the System Contact field.
6
Enter the location of the SNMP server in the System Location field.
7
Enter the asset number in the Asset Number text-field.
8
Enter the community name from which the SNMP server responds to Get requests in the Get Community Name field.
9
Enter the name of the administrator group that can view SNMP traps in the Trap Community Name field.
10
Enter the SNMP server IP addresses or hostnames in the Hosts 1-4 fields.
11
Click the Advanced tab.
12
If you wish to require SNMPv3 for your configuration, click Mandatorily Require SNMPv3. This disables SNMPv1/v2 and only allows access using SNMPv3, maximizing security for SNMP management.
13
Enter the Engine ID using hexadecimal characters.
14
When you are finished, click Update. A task gets spooled and after it is executed successfully, the information is updated for each selected SonicWall appliance.

Views Search

To search for and configure views, complete the following steps:
1
Click the Search drop-down list and select the search filters from the following:
Name
OID
Equals
Starts with
Ends with
Contains
2
Enter the criteria you wish to search for in the Views Search text-field.
3
Click Search. The results display in the Views Search list.
4
Click Add New View.

5
Enter a name for the new view in the View Name text-field.
6
Enter the OID that is associated with the new view in the text-field, then click Add OID. The new OID populates in the OID list. To delete an OID, select it in the list and click Delete.
7
Click OK. The new View is added to the Views list.
8
Select or deselect Views from the list and edit them by clicking the Configure icon for the desired View. You can also delete views by selecting them from the list and then clicking the Delete Views link.

Users and Groups Search

To search for and configure Users and Groups, complete the following steps:
1
Click the Search drop-down list and select the search filters from the following:
Name
Equals
Starts with
Ends with
Contains
2
Enter the criteria you wish to search for in the User Groups Search text-field.
3
Click Search. The results display in the User Groups Search list.
4
Click the Add New Group link.

5
Enter a group name in the Group Name text-field.
6
Click OK. The new group is populated in the User/Group list.
7
Click the Add New User link.

8
Enter a new user name in the User Name text-field.
9
Select the desired security level from the Security Level drop-down menu:
None
Authentication Only
Authentication and Privacy
10
Select the group type from the Group drop-down menu. There is a user group called “No Group”; this is not a physical group but a logical group that is used only to display the users in the management interface. This group cannot be used in operations such as searching and sorting.
11
Click OK. The new user is populated in the User/Group list.
12
Select or deselect users/groups from the list and edit them by clicking the Configure icon for the desired users/groups. You can also delete users/groups by selecting them from the list and then clicking the Delete Group(s) link.

Accesses Search

To search for and configure Accesses, complete the following steps:
1
Click the Search drop-down list and select the search filters from the following:
Name
Read View
Master Group
Security Level
Equals
Starts with
Ends with
Contains
2
Enter the criteria you wish to search for in the Accesses Search text-field.
3
Click Search. The results display in the Accesses Search list.
4
Click the Add New Access link.

5
Enter a name for the new access in the Access Name text-field.
6
Click the Read View drop-down menu and select a view.
7
Click the Master SNMPv3 Group drop-down menu and select a group.
8
Click the Access Security Level drop-down menu and select the desired level:
None
Authentication Only
Authentication and Privacy
9
Click OK. The new SNMP Access is populated in the Accesses list.
10
Select or deselect accesses from the list and edit them by clicking the Configure icon for the desired accesses. You can also delete accesses by selecting them from the list and then clicking the Delete Access(s) link.
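The Views, Users and Groups, and Accesses pages above together decide what an SNMP request may read. The following added example, not GMS or SonicOS code, models that decision: a View is a set of readable OID subtrees, a User has a security level and a Group, an Access ties a Master Group and a minimum security level to a Read View, and Mandatorily Require SNMPv3 turns v1/v2c away. It also shows why OID subtree matching must compare whole arcs rather than string prefixes. All names, OIDs and the community string are constructed.

```python
"""Decision logic behind the SNMP Views, Users/Groups and Accesses configuration.

Added example, not GMS or SonicOS code; the sample names, OIDs and community
string are constructed.
"""
from dataclasses import dataclass

# Security levels offered by the page, ordered weakest to strongest.
SECURITY_LEVELS = {"None": 0, "Authentication Only": 1, "Authentication and Privacy": 2}


def oid_in_subtree(oid, subtree):
    """True if oid equals subtree or lies below it, comparing whole arcs.

    A string prefix test would let a view over 1.3.6.1.2.1.1 (system) expose
    1.3.6.1.2.1.10.* (transmission); splitting on dots prevents that.
    """
    oid_arcs = oid.strip(".").split(".")
    sub_arcs = subtree.strip(".").split(".")
    return oid_arcs[: len(sub_arcs)] == sub_arcs


@dataclass
class SnmpAccessPolicy:
    views: dict          # view name -> list of OID subtrees readable through it
    users: dict          # user name -> (group name, configured security level)
    accesses: list       # (access name, read view, master group, required level)
    get_community: str   # Get Community Name honoured for v1/v2c when those are allowed
    require_v3: bool     # Mandatorily Require SNMPv3

    def authorize_get(self, version, oid, user=None, request_level=None, community=None):
        """Return (allowed, reason) for a GET of oid by the given principal."""
        if version in (1, 2):
            if self.require_v3:
                return False, "SNMPv%d rejected: SNMPv3 is mandatory" % version
            if community == self.get_community:
                return True, "v1/v2c Get Community Name matched (no view restriction)"
            return False, "bad community name"
        if version != 3:
            return False, "unknown SNMP version"
        if user not in self.users or request_level not in SECURITY_LEVELS:
            return False, "unknown SNMPv3 user or security level"
        group, configured = self.users[user]
        requested = SECURITY_LEVELS[request_level]
        if requested > SECURITY_LEVELS[configured]:
            return False, "request level exceeds what the user is configured for"
        for name, read_view, master_group, required in self.accesses:
            if master_group != group or requested < SECURITY_LEVELS[required]:
                continue  # wrong group, or weaker than this access entry demands
            if any(oid_in_subtree(oid, sub) for sub in self.views.get(read_view, ())):
                return True, "allowed by access %s via view %s" % (name, read_view)
        return False, "no access entry covers this group, level and OID"


# Constructed sample policy: one read-only view over the MIB-2 system group,
# readable only by the netops group at Authentication and Privacy.
POLICY_V3_ONLY = SnmpAccessPolicy(
    views={"system-only": ["1.3.6.1.2.1.1"]},
    users={"alice": ("netops", "Authentication and Privacy"),
           "bob": ("netops", "Authentication Only")},
    accesses=[("ops-read", "system-only", "netops", "Authentication and Privacy")],
    get_community="constructed-community",
    require_v3=True,
)
# Same policy with Mandatorily Require SNMPv3 cleared, for comparison.
POLICY_LEGACY = SnmpAccessPolicy(POLICY_V3_ONLY.views, POLICY_V3_ONLY.users,
                                 POLICY_V3_ONLY.accesses, POLICY_V3_ONLY.get_community,
                                 require_v3=False)

SYS_NAME = "1.3.6.1.2.1.1.5.0"          # sysName.0, inside the view
TRANSMISSION = "1.3.6.1.2.1.10.7.2.1"   # string-prefix lookalike outside the view
AUTH_PRIV = "Authentication and Privacy"


def demo():
    """Exercise the cases that matter when hardening the SNMP configuration."""
    return {
        "alice_authpriv_sysname": POLICY_V3_ONLY.authorize_get(3, SYS_NAME, "alice", AUTH_PRIV)[0],
        "alice_authpriv_outside_view": POLICY_V3_ONLY.authorize_get(3, TRANSMISSION, "alice", AUTH_PRIV)[0],
        "bob_authonly_sysname": POLICY_V3_ONLY.authorize_get(3, SYS_NAME, "bob", "Authentication Only")[0],
        "v2c_when_v3_mandatory": POLICY_V3_ONLY.authorize_get(2, SYS_NAME, community="constructed-community")[0],
        "v2c_when_v3_optional": POLICY_LEGACY.authorize_get(2, SYS_NAME, community="constructed-community")[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-30s %s" % (case, "ALLOW" if allowed else "DENY"))
```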

Configuring Certificates

The Certificates dialog box displays details for Certificate Authority (CA) Certificates and local certificates that you have imported or configured on your SonicWall appliance.

This section contains the following sub-sections:

Navigating the System > Certificates Page

The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates.

View Style

The View Style menu allows you to choose which certificates are displayed.

Options include:

All Certificates - displays all certificates and certificate requests.
Imported certificates and requests - displays all imported certificates and generated certificate requests.
Built-in certificates - displays all certificates included with the SonicWall security appliance.
Include expired and built-in certificates - displays all expired and built-in certificates.

Certificates and Certificate Requests

The Certificates and Certificate Requests table displays information about your certificates.

Information and options include:

Name - the name of the certificate.
Type - the type of certificate, which can include CA or Local.
Validated - the validation information.
Expires - the date and time the certificate expires.
Details - the details of the certificate. Moving the pointer over the MAGNIFYING GLASS icon displays the details of the certificate.
Configure - Allows configuration with the following options:
Edit icon to make changes to the certificate
Delete icon to remove a certificate
Import icon to import either certificate revocation lists (for CA certificates) or signed certificates (for Pending requests).
Import Certificate(s) - Import local end-user and CA certificates from specifically encoded files.
New Signing Request - Create a new signing request directly from the GMS user interface
SCEP - Manage certificates using the Simple Certificate Enrollment Protocol (SCEP) standard

About Certificates

A digital certificate is an electronic means to verify identity by using a trusted third-party known as a Certificate Authority (CA). SonicWall now supports third-party certificates in addition to the existing Authentication Service.

SonicWall security appliances interoperate with any X.509v3-compliant provider of Certificates. However, SonicWall security appliances have been tested with the following vendors of Certificate Authority Certificates:

Entrust
Microsoft
OpenCA
OpenSSL and TLS
VeriSign

Configuring CA Certificates

To configure CA Certificates in this dialog box, complete the following steps:
1
From the Name list box, click on a certificate.
2
Note the details, including the certificate name and subject in the Details region.
3
Click on Email Certificate if you want to send the certificate to a location by email.
4
Click Delete Certificate if you want to remove the certificate.
5
Specify a URL of the location of the Certificate Revocation List (CRL) in the CRL URL field. Then click CRL URL to launch the CRL.
6
To import a CRL, click Browse for the Import CRL field and navigate to the CRL. Then click Import CRL to import the CRL.
7
Click Invalidate Certificates and Security Association if CRL import or processing fails. This ensures safe cleanup of half-imported certificates when the CRL import process is interrupted.

Importing New Local and CA Certificates

This option allows you to import pre-existing certificates stored locally.

To import a certificate:
1
Click the Import Certificate link.
2
Choose between a local end-user certificate or a CA certificate.
3
(local only) Enter a name in the Certificate Name field.
4
(local only) Enter the password used to encrypt the certificate in the Certificate Management Password field.
5
Browse to the certificate location and Open the file.
6
Click Import to complete the process.

Generating a Certificate Signing Request

* 
NOTE: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
To obtain a certificate, complete the following steps:
1
On the System > Certificates page, click the New Signing Request link.

2
Complete the information in the Generate Certificate Request section and click Generate Request. The request displays in the Current Certificate Requests section.
3
Click Export. You are prompted to save the file. It is saved in the PKCS 10 format.
4
Obtain a certificate from one of the approved certificate authorities using the PKCS 10 file.
5
After you receive the certificate file, locate and import the file by clicking Browse in the Import Certificate With Private Key section. Then click Import. The certificate appears in the Current Local Certificates section.

Configuring SCEP

* 
NOTE: SCEP configuration is supported at the appliance level.

The Simple Certificate Enrollment Protocol (SCEP) simplifies the process of issuing large numbers of certificates using an automatic enrollment technique. SCEP is supported for appliances running SonicOS Enhanced 5.5 or higher.

To configure SCEP, complete the following steps:
1
On the System > Certificates page, click the SCEP link. The SCEP Configuration window displays.

2
Configure the following options for the SCEP configuration:
CSR list - Select a certificate signing request (CSR) list if one has been uploaded.
Challenge Password - (optional) Enter the password that is used to authenticate the enrollment request.
CA URL - Enter the URL of the certificate authority.
Request Count - The default is 256.
Polling Interval(S) - The default is 30.
Max Polling Time(S) - The default is 28800.
3
Click SCEP to apply the SCEP configuration.

Configuring Time Settings

The Global Management System (GMS) user interface (UI) is similar to the standard SonicWall appliance UI. However, GMS offers the ability to push configuration settings to a single SonicWall appliance, a group of SonicWall appliances, or all SonicWall appliances being managed by the GMS.

To change time settings on one or more SonicWall appliances, complete the following steps:
1
Expand the System tree and click Time. The Set Time page displays.

2
Select the Time Zone of the appliance(s) from the Time Zone field.
3
To configure the SonicWall(s) to automatically adjust their clocks for Daylight Savings Time, select Automatically Adjust Clock for Daylight Savings Changes.
4
To configure the SonicWall(s) to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) instead of local time, select Display UTC in Logs Instead of Local Time.
5
To configure the SonicWall(s) to display the time in the international time format, select Display Time in International Format.
6
To configure the SonicWall(s) to only use custom NTP servers, select Only use custom NTP servers.
7
Select from the following:
To manually configure the time and date, make sure Use NTP to set time automatically is deselected. The SonicWall appliance(s) automatically use the time settings of the GMS agent.
To configure the SonicWall(s) to automatically set the local time using Network Time Protocol (NTP), select Use NTP to set time automatically, then set the update interval.
8
When you are finished, click Update. A task gets scheduled to apply the new settings for each selected appliance.
9
To clear all screen settings and start over, click Reset.
* 
NOTE: If you are not using NTP for the appliance, then GMS configures the time of the appliance to be identical to the time of the GMS Agent pushing the configuration to the appliance (after adjusting for any time zone differences).
10
If you do not want to use the SonicWall appliance's internal NTP list, you can add your own NTP list. To add an NTP server, click the Add NTP Server link. A pop-up window displays:

11
Enter the IP address or FQDN of the remote NTP server. A task gets scheduled to add the NTP server to each selected SonicWall appliance.
12
From the NTP Server drop-down menu, select No Auth or MD5, depending on your deployment. If you selected an auth type, enter the trust key number, key number, and password.
13
Click OK. The newly added server is populated in the NTP Servers list. Multiple servers can be added by clicking Add NTP Server.
14
A search function is available for NTP Servers. Select your search criteria in the NTP Server Search section, then click Search. A list of servers that match your criteria will display. From here you can edit the server settings or delete unwanted servers from the list.

Configuring Schedules

You can configure schedule groups on the Policies panel, in System > Schedules. Schedule Groups are groups of schedules to which you can apply firewall rules. For example, you might want to block access to auction sites during business hours, but allow employees to access the sites after hours.

You can apply rules to specific schedule times or all schedules within a Schedule Group. For example, you might create an Engineering Work Hours group that runs from 11:00 AM to 9:00 PM, Monday through Friday and 12:00 PM to 5:00 PM, Saturday and Sunday. Once configured, you can apply specific firewall rules to the entire Engineering Work Hours Schedule Group or only to the weekday schedule.

To create a Schedule Group, complete the following steps:
1
Expand the System tree and click Schedules. The Schedules page displays.

2
To add a Schedule Group, click Add Schedule Group.

3
Enter the name of the Schedule Group in the Name field.
4
In the Schedule Type section, select if the schedule will occur Once, Recurring, or Mixed.
* 
NOTE: The one-time and mixed schedule types are only available for systems running SonicOS Enhanced 5.5 and newer.
5
For a schedule that occurs only once, select the year, month, date, hour, and minutes for the Start and End fields.
6
For recurring schedules, select the check boxes for each day the schedule applies.
7
Enter the start time for the recurring schedule in the Start Time field. Make sure to use the 24-hour format.
8
Enter the end time for the recurring schedule in the Stop Time field. Make sure to use the 24-hour format.
9
Click Add.
10
Repeat Step 4 through Step 9 for each schedule to add.
11
To delete a schedule, select the schedule and click Delete.
12
Click OK. The Schedule Group is added and configured.
13
To edit a Schedule Group, click its Edit icon. The Edit Schedule Group dialog box displays. Edit the Schedule Group details and click OK.
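A rule bound to a Schedule Group is enforced only while one of the group's schedules is active, which is easy to get wrong at the boundaries. The following added example, not GMS code, models the Once, Recurring and Mixed schedule types described above and uses the Engineering Work Hours group from this section as sample data; treating start times as inclusive and stop times as exclusive is an assumption of this example.

```python
"""Evaluate whether a firewall rule bound to a Schedule Group is in effect.

Added example, not GMS code. Start times are inclusive and stop times exclusive
(an assumption of this example); a recurring schedule must start and stop on
the same day.
"""
from datetime import datetime, time

# Order matches datetime.weekday(): Monday is 0.
DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def parse_24h(text):
    """Parse "HH:MM" in the 24-hour format the Start Time / Stop Time fields require."""
    hour, minute = text.split(":")
    hour, minute = int(hour), int(minute)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("time must be HH:MM in 24-hour format: %r" % text)
    return time(hour, minute)


class RecurringSchedule:
    """Weekly schedule: a set of days plus a start/stop time on each of those days."""

    def __init__(self, days, start, stop):
        unknown = set(days) - set(DAY_NAMES)
        if unknown:
            raise ValueError("unknown day names: %s" % sorted(unknown))
        self.days = set(days)
        self.start, self.stop = parse_24h(start), parse_24h(stop)
        if self.start >= self.stop:
            raise ValueError("stop time must be later than start time on the same day")

    def is_active(self, when):
        return DAY_NAMES[when.weekday()] in self.days and self.start <= when.time() < self.stop


class OnceSchedule:
    """One-time schedule between two absolute datetimes (year, month, day, hour, minute)."""

    def __init__(self, start, end):
        if start >= end:
            raise ValueError("end must be later than start")
        self.start, self.end = start, end

    def is_active(self, when):
        return self.start <= when < self.end


class ScheduleGroup:
    """A named group of schedules; a Mixed group may hold both kinds."""

    def __init__(self, name, schedules):
        self.name, self.schedules = name, list(schedules)

    def is_active(self, when):
        return any(s.is_active(when) for s in self.schedules)


def rule_applies(group, when):
    """A rule bound to a group (e.g. block auction sites) applies only while the group is active."""
    return group.is_active(when)


# The page's example: 11:00-21:00 Monday to Friday, 12:00-17:00 Saturday and Sunday.
WEEKDAY_HOURS = RecurringSchedule(("Mon", "Tue", "Wed", "Thu", "Fri"), "11:00", "21:00")
WEEKEND_HOURS = RecurringSchedule(("Sat", "Sun"), "12:00", "17:00")
ENGINEERING_WORK_HOURS = ScheduleGroup("Engineering Work Hours", [WEEKDAY_HOURS, WEEKEND_HOURS])

# A Mixed group adding a constructed one-time maintenance window to the same rule.
MAINTENANCE = OnceSchedule(datetime(2017, 1, 20, 9, 0), datetime(2017, 1, 20, 17, 0))
MIXED_GROUP = ScheduleGroup("Work Hours plus Maintenance", [WEEKDAY_HOURS, WEEKEND_HOURS, MAINTENANCE])


def demo():
    """Sample evaluations (2017-01-11 is a Wednesday, 2017-01-14 a Saturday)."""
    return {
        "wed_noon": rule_applies(ENGINEERING_WORK_HOURS, datetime(2017, 1, 11, 12, 0)),
        "wed_21_00_stop_exclusive": rule_applies(ENGINEERING_WORK_HOURS, datetime(2017, 1, 11, 21, 0)),
        "sat_13_00": rule_applies(ENGINEERING_WORK_HOURS, datetime(2017, 1, 14, 13, 0)),
        "sat_11_30_before_weekend_start": rule_applies(ENGINEERING_WORK_HOURS, datetime(2017, 1, 14, 11, 30)),
        "sat_13_00_weekday_schedule_only": WEEKDAY_HOURS.is_active(datetime(2017, 1, 14, 13, 0)),
        "maintenance_friday_10_00": rule_applies(MIXED_GROUP, datetime(2017, 1, 20, 10, 0)),
    }


if __name__ == "__main__":
    for case, active in demo().items():
        print("%-35s %s" % (case, "rule applies" if active else "rule inactive"))
```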

Using Configuration Tools

This chapter describes how to use SonicWall tools to restart SonicWall appliances, request diagnostics, inherit settings from the group, and more. The following sections describe the options available in the GMS tools menu:

Restarting SonicWall Appliances

Some GMS changes require the SonicWall appliance(s) to automatically be restarted after changes are applied. However, there might be instances when you want to restart the SonicWall appliance(s) manually.

To restart one or more SonicWall appliances, complete the following steps:
1
Expand the System tree and click Tools. The Tools page displays.

2
To restart the selected SonicWall appliance(s), click Restart SonicWall.
* 
NOTE: We recommend restarting the SonicWall appliance(s) when network activity is low.

Requesting Diagnostics for SonicWall

To request diagnostics for SonicWall appliances, complete the following steps:
1
Expand the System tree and click Tools. The Tools page displays.
2
To request diagnostics for the selected SonicWall appliance(s), click Request Diagnostics. GMS schedules a task to request diagnostics for the selected SonicWall appliances.
3
To view the diagnostics, navigate to Diagnostics > Snapshot Status on the Console tab.
4
In the Diagnostics Requested pull-down list, select the diagnostics that you want to review.
5
Click View SnapShot Data.

Inheriting Settings

On the Policies panel, in the System > Tools screen, you can apply inheritance filters at a global, group, or appliance level. You can select an existing inheritance filter and customize which of its rules are actually inherited. You can do this on the fly, without the need to create an entirely separate filter.

For more information on inheritance, refer to Configuring Inheritance Filters.

To apply the inheritance filters, complete the following steps:
1
Expand the System tree and click Tools. The Tools page displays.

2
Select the appropriate radio button for either forward or reverse inheritance. Use the Filter drop down menu to select the desired filter to apply. Click Preview to proceed to the “Preview of Inheritance Settings” window.
* 
NOTE: When configuring forward inheritance at the group level, all selected settings are pushed to all units in the group.

3
Review the settings to be inherited. You can continue with all of the default screens selected for inheritance or select only specific screens for inheritance by checking boxes next to the desired settings.
* 
NOTE: The Preview panel footer states, “All referring objects should also be selected as part of the settings picked, to avoid any dependency errors while inheriting.” If the user deselects dependent screen data, the settings will not inherit properly.
4
If the user is attempting forward inheritance, they might click “Update” to proceed. If the user is attempting to reverse inherit settings, an additional selection must be made at the bottom of the Preview panel. The user must select either to update the chosen settings to only the target parent node, or to update the target parent node along with all unit nodes under it. After the user makes this selection, they might click “Update” to proceed, or “Reset” to edit previous selections.

5
If the user selects to update the target parent node and all unit nodes, a “Modify Task Description and Schedule” panel opens in place of the Preview panel (This panel does not appear if the user selects “Update only target parent node”). If the “Modify Task Description and Schedule” panel opens, the user can edit the task description in the “Description” field. They might also adjust the schedule for inheritance, or continue with the default scheduling. If the user chooses to edit the timing by clicking on the arrow next to “Schedule,” a calendar expands allowing the user to click on a radio button for “Immediate” execution, or to select an alternate day and time for inheritance to occur.
6
After the user has completed any edits, they select either “Accept” or “Cancel” to execute or cancel the scheduled inheritance, respectively.

After the inheritance operation begins, a progress bar appears, along with text stating the operation might take a few minutes, depending on the volume of data to be inherited.

After the inheritance operation is complete, the desired settings from the unit or group node should now be updated and reflected in the parent node’s settings, as well as in the settings of all other units, if selected.

NOTE: For the Access/Services and Access/Rules pages, by default, inheriting group settings overwrites the values at the unit level with the group values. If you wish for SonicWall GMS to append the group settings to the values at the unit level, you need to enable the Append Group Settings option on the General/GMS Settings page on the Console tab.

For more information on inheritance, refer to Configuring Inheritance Filters.

Synchronizing Appliances

If a change is made to the SonicWall appliance through any means other than through GMS, GMS is notified of the change through the syslog data stream. You can configure an alert through the Granular Event Management framework to send email notification when a local administrator makes changes to a SonicWall appliance through the local user interface rather than through GMS. After the syslog notification is received, GMS schedules a task to synchronize its database with the local change. After the task successfully executes, the current configuration (prefs) file is read from the SonicWall appliance and loaded into the database.

Auto-synchronization automatically occurs whenever GMS receives a local change notification status syslog message from a SonicWall appliance.

You can also force an auto-synchronization at any time for a SonicWall appliance or a group of SonicWall appliances.

To do this, complete the following steps:
1
Expand the System tree and click Tools. The Tools page displays.
2
To synchronize the selected SonicWall appliance(s), click Synchronize Now. GMS schedules a task to synchronize the selected SonicWall appliances.
NOTE: The auto-synchronization feature can be disabled on the Console/Management Settings screen by unchecking Enable Auto Synchronization.

Synchronizing with MySonicWall.com

SonicWall appliances check their licenses/subscriptions with MySonicWall.com once every 24 hours. Using Synchronize with mysonicwall.com Now, a user can have an appliance synchronize this information with mysonicwall.com without waiting for the 24-hour schedule.

To force the SonicWall to synchronize with mysonicwall.com now, complete the following steps:
1
Expand the System tree and click Tools. The Tools page displays.
2
To synchronize the selected SonicWall appliance(s), click Synchronize with mysonicwall.com Now. GMS schedules a task to synchronize the selected SonicWall appliances’ license information into GMS.

Manually Uploading Signature Updates

For SonicWall appliances that do not have direct access to the Internet (for example, appliances in high-security environments) you can manually upload updates to security service signatures.

To instruct GMS to download updates to security service signatures, complete the following steps:
1
Click on the Console tab, expand the Management tree, and click on Settings.
2
Select the check boxes for the Manage Signature Upload settings. Refer to Configuring Management Settings for more information.
3
Click on the Policies tab, expand the System tree, and click Tools.
4
When there are updated signatures to upload, Upload Signatures Now is displayed. Click this button to manually upload the signatures.
NOTE: Upload Signatures Now is displayed only when the GMS has downloaded updated signature files that are ready to be uploaded.

Configuring Contact Information

The System > Info page contains contact information for the SonicWall appliance. These settings are for informational purposes only and do not affect the operation of SonicWall appliances.

To change informational settings on one or more SonicWall appliances, complete the following steps:
1
Expand the System tree and click Info. The Info page displays.

2
Enter appliance contact information for the SonicWall appliance(s).
3
After entering the street address, city, state, zip code, and country appliance contact information, click Locate Geocode. This populates the GeoLocation field with the SonicWall appliance latitude and longitude coordinates. Similarly, you can enter the latitude or longitude coordinates, and click Locate Address to populate the address information fields. The location information enables your SonicWall appliance to display on the Dashboard Geographic Map. For more information on using the Dashboard Geographic Map to drag and drop the location of your unit, refer to Using the Universal Dashboard.
4
When you are finished, click Update. A task gets spooled and after it is executed successfully, the information is updated for the selected SonicWall appliances.
5
To reset all screen settings and start over, click Reset.

Configuring System Settings

GMS enables you to save SonicWall appliance settings to the GMS database so that they can be used for restoration. GMS can automatically back up the appliance configuration (prefs) files on a regular schedule and store them in the database. The schedule is configured in the Console > Management > GMS Settings screen under Automatically save... Here you can specify that a backup should never be taken, or that backups should be taken on a daily or weekly schedule. If the schedule is set to daily or weekly, backups are taken for all appliances for which Enable Prefs File Backup is selected in this screen.

To purge older backups, you can specify how many of the latest prefs files should be stored in the database. The list box here displays all the prefs files backed up, along with the firmware version. In addition to automatic backups, you can manually force a prefs backup by selecting Store settings...

To save or apply SonicWall appliance settings, complete the following steps:
1
Expand the System tree and click Settings. The Settings page displays.

2
To apply settings to the SonicWall appliance directly from the GMS database, select the saved settings and click Restore the settings to the unit.
NOTE: The Restore the settings to the unit option is available only at the unit level, not at the group and global levels. This option was previously available at the group and global levels; GMS no longer displays it there, to minimize the risk of writing an incompatible prefs file to a SonicWall appliance running a different firmware version.
3
To store an external prefs file in the database, enter the path to the file and click Store settings from local file. This button stores the prefs file from the local hard disk into the GMS database so that it displays in the list box of the Settings page. After it is stored in the database and displayed in the list box, you can click Restore the settings to the unit.
4
To delete the saved settings, click the Delete the settings link.
5
To save the settings of a SonicWall appliance to the GMS database, enter a name for the settings in the Name field and click Store settings read from unit. Then, if you want to save these settings to a local file, click Store the settings from local file. You can save multiple versions of settings for each SonicWall appliance to the GMS database and to different local files.
6
To automatically back up the preferences for the selected SonicWall appliance, select Enable Settings File Backup and click Update.
NOTE: The backed up prefs file contains the configuration settings and the firmware version of the security appliance you are backing up.
7
Go to the Console > Management > GMS Settings page and update the values in the Automatically save prefs file section. This enables you to specify when and how frequently GMS backs up the prefs files.
8
If you want to automatically purge older backups, select the number of newer backup files you want to keep in the Number of newest Prefs Files to be preserved field. Enter 0 to prevent purging of older backups. Click Update.
9
Set the value in the Missed Reports Threshold field to the number of heartbeat messages GMS can miss before considering the unit to be down. Click Update.

GMS relies on special syslog messages called heartbeat messages to determine whether an appliance is up and running. By default, if GMS does not receive three successive heartbeat messages, it marks the appliance as “down”. You can customize this threshold to any number. If you set the value to “0”, GMS never marks this node as down.
10
To delete settings from the GMS database, select the saved settings and click Delete the settings.
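As an added illustration of the Missed Reports Threshold rule in step 9 (example code written for this guide, not GMS or SonicOS code): a small simulation that scans constructed heartbeat syslog lines, counts consecutive missed heartbeats per unit, marks a unit down once the count reaches the threshold, and treats a threshold of 0 as "never mark down". The line format, the unit names, the 60-second heartbeat interval and the exact moment at which the down event is recorded are assumptions.

```python
"""Simulation of the GMS Missed Reports Threshold rule (added example, not
GMS code). Unit names, the heartbeat line format and the 60-second interval
are constructed assumptions; "down" means the consecutive-miss count reached
the threshold, and a threshold of 0 disables down-marking entirely."""
from collections import defaultdict
from datetime import datetime, timedelta

HEARTBEAT_INTERVAL = timedelta(seconds=60)  # assumed heartbeat period

# Constructed sample syslog stream: "<ISO timestamp> <unit> <message>".
# FW-A misses three heartbeats (10:03-10:05) and then recovers at 10:06.
# FW-B is last heard from at 10:04. FW-C only sends a local-change
# notification, which is not a heartbeat and so is ignored here.
SAMPLE_SYSLOG = """\
2024-01-10T10:00:00 FW-A heartbeat
2024-01-10T10:01:00 FW-A heartbeat
2024-01-10T10:02:00 FW-A heartbeat
2024-01-10T10:06:00 FW-A heartbeat
2024-01-10T10:00:00 FW-B heartbeat
2024-01-10T10:01:00 FW-B heartbeat
2024-01-10T10:03:00 FW-B heartbeat
2024-01-10T10:04:00 FW-B heartbeat
2024-01-10T10:00:00 FW-C local-change
"""


def parse_heartbeats(syslog_text):
    """Return {unit: sorted heartbeat timestamps}, skipping non-heartbeat lines."""
    seen = defaultdict(list)
    for line in syslog_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "heartbeat":
            continue
        seen[parts[1]].append(datetime.fromisoformat(parts[0]))
    return {unit: sorted(stamps) for unit, stamps in seen.items()}


def missed_between(earlier, later, interval=HEARTBEAT_INTERVAL):
    """Heartbeat slots between two received heartbeats in which nothing arrived."""
    return max((later - earlier) // interval - 1, 0)


def heartbeat_status(syslog_text, now_iso, threshold=3, interval=HEARTBEAT_INTERVAL):
    """Evaluate every unit against the threshold as of the time `now_iso`.

    Returns {unit: {"last_seen", "missed_now", "down", "down_events"}}.
    down_events lists the assumed moments at which the Nth successive miss
    occurred inside a gap that was later followed by a recovery."""
    now = datetime.fromisoformat(now_iso)
    report = {}
    for unit, stamps in parse_heartbeats(syslog_text).items():
        down_events = []
        if threshold > 0:  # threshold 0: GMS never marks the node down
            for prev, cur in zip(stamps, stamps[1:]):
                if missed_between(prev, cur, interval) >= threshold:
                    down_events.append((prev + interval * threshold).isoformat())
        # Trailing gap: full heartbeat slots elapsed since the last message.
        missed_now = (now - stamps[-1]) // interval
        report[unit] = {
            "last_seen": stamps[-1].isoformat(),
            "missed_now": missed_now,
            "down": threshold > 0 and missed_now >= threshold,
            "down_events": down_events,
        }
    return report


if __name__ == "__main__":
    for unit, state in heartbeat_status(SAMPLE_SYSLOG, "2024-01-10T10:07:00").items():
        print(unit, state)
```

With the sample stream evaluated at 10:07, FW-A is up again (one slot since its 10:06 heartbeat) but carries a recorded down event at 10:05, while FW-B has crossed the default threshold of three and is down.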

Configuring Firewall Network Settings

This describes how to configure network settings for SonicWall appliances. It is divided into sections for SonicWall security appliances running SonicOS Enhanced and SonicOS Standard.

Overview of Interfaces

You can configure the LAN interface in five different modes:

Static IP—Uses a static IP address and acts as a gateway for devices on the LAN.
Transparent Mode—Allows you to assign a single IP address to two physical interfaces, where each interface accesses an exclusive range of IP addresses in the shared subnet. Behaves as a proxy at Layer 3, intercepting ARPs and changing source MAC addresses of packets traversing the interface pair.
Layer 2 Bridged Mode—Similar to Transparent Mode, but dynamically learns IP addresses on both interfaces so that you do not need to subdivide the subnet that is being bridged. Provides deep-packet inspection and application of policies before forwarding packets. Places the bridged interfaces into promiscuous mode and passes traffic between them with source and destination MAC addresses intact.
Wired Mode—In addition to the traditional modes of SonicOS interface operation, including all LAN modes (Static, NAT, Transparent Mode, L2 Bridge Mode, PortShield Switch Mode) and all WAN modes (Static, DHCP, PPPoE, PPTP, and L2TP), SonicOS 5.8 introduces Wire Mode, which provides four new methods of non-disruptive, incremental insertion into networks.
Tap Mode—Provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream by a single switch port on the SonicWall security appliance, eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.

Interfaces shows the basic interfaces for a SonicWall appliance. The WAN interface can use a static or dynamic IP address and can connect to the Internet through Transmission Control Protocol (TCP), Point-to-Point Protocol over Ethernet (PPPoE), Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP).

A SonicWall appliance might have one, many, or no optional interfaces. Optional interfaces can be configured for LAN, WAN, DMZ, WLAN, or Multicast connections, or they can be disabled.

Interfaces

Virtual Interfaces (VLAN)

On the SonicWall NSA Series and SonicWall PRO 2040/3060/4060/4100/5060 security appliances, virtual interfaces are sub-interfaces assigned to a physical interface. Virtual interfaces allow you to have more than one interface on one physical connection. Virtual interfaces provide many of the same features as physical interfaces, including Zone assignment, DHCP Server, and NAT and Access Rule controls. Selecting Layer 2 Bridged Mode is not possible for a VLAN interface.

VLAN support on SonicOS Enhanced is achieved by means of sub-interfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own sub-interface. For reasons of security and control, SonicOS does not participate in any VLAN trunking protocols, but instead requires that each VLAN that is to be supported be configured and assigned appropriate security characteristics.

VLAN Interfaces

SonicOS Enhanced 4.0 and higher can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the WAN interface. Outbound bandwidth management uses Class Based Queuing. Inbound bandwidth management is implemented with an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.

Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWall security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link according to the guaranteed bandwidth for the flow and the available link bandwidth.

Configuring Network Settings in SonicOS Enhanced

The following sections describe how to configure network settings in SonicOS Enhanced:

Configuring Interface Settings

Interface settings define the networks associated with the LAN, WAN, optional (OPT), and WWAN interfaces. This includes protocols, gateways, DNS servers, Virtual LANs, and management settings.

NOTE: Group level interface edits are only available for SonicWall firewall appliances. For a WWAN interface, GMS navigates directly to the Network > WWAN > Settings screen. For configuration information, refer to Configuring WWAN Settings.

IPv4 and IPv6 IP addresses are accepted/displayed in the Network > Interfaces screens.

To configure the network interface general settings for one or more SonicWall appliances, select the desired configuration from the following:

Static Mode

Static means that you assign a fixed IP address to the interface.

1
Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
If you want to create a new zone, select Create new zone. The Add Zone window is displayed. See the Network > Zones page for instructions on adding a zone.
2
Select a zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone.
3
Select Static from the IP Assignment menu.
4
Enter the IP Address (Primary), and the IP Address (Secondary) if high availability is enabled, and the Subnet Mask of the zone in the IP Address (Primary), IP Address (Secondary), and Subnet Mask fields.
NOTE: You cannot enter an IP address that is in the same subnet as another zone.
5
Enter an IP address for a Default Gateway (optional). This feature is not supported for WLAN and VPN zones.
6
Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
7
If you want to enable remote management of the SonicWall appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP.
8
If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
9
Click OK.

Transparent Mode

The following options are available when configuring an interface in Transparent Mode:

For LAN, DMZ, or Multicast interfaces, configure the following settings:

For IP Assignment, select Static, Transparent Mode, or Layer 2 Bridged Mode. The display changes according to your selection. Configure the resulting field as follows:
Static—For static IP addresses, enter the IP Address for the interface and Subnet Mask for the network.
Transparent Mode—For transparent mode, select an address object that contains the range of IP addresses you want to have access through this interface in the Transparent Range menu.
PortShield Switch Mode—For SonicWall TZ 210, TZ 210W and NSA 240 appliances, you can configure interfaces for PortShield switch mode that manually groups ports together to share a common network subnet as well as common zone settings. For more information, refer to Configuring PortShield Groups.

Layer 2 Bridge Mode

NOTE: When configuring a zone for Layer 2 Bridge Mode, the only access rule automatically added is an allow rule between the bridge pair. Other necessary access rules must be added manually.

The following options are available when configuring an interface in Layer 2 Bridge Mode:

Layer 2 Bridged Mode—On appliances running SonicOS Enhanced 3.5 and 4.0 or higher, you can select Layer 2 Bridged Mode for physical interfaces in either the LAN or the DMZ zone. On appliances running SonicOS Enhanced 5.5 or higher, you can select Layer 2 Bridge Mode for the WLAN zone.
In the Bridged-to field, select a WAN, LAN, or DMZ interface with a static IP address.
Select Block all non-IPv4 traffic to allow only IPv4 traffic on this bridge-pair.
Select Never route traffic on this bridge-pair to prevent traffic from being routed to another interface.
Select Only sniff traffic on this bridge-pair to allow the bridged interface to be connected to a mirrored port on a switch in a one-arm mode to do intrusion detection by examining traffic going through the switch.
Select Disable stateful-inspection on this bridge-pair to enable asymmetric routing on this interface.

Layer 2 Bridge Bypass Relay Control

The Engage physical bypass on malfunction option enables Layer 2 Bridge Bypass Relay Control, also known as “Fail to Wire.” The bypass relay option provides the user the choice of avoiding disruption of network traffic by bypassing the firewall in the event of a malfunction. The bypass relay is closed for any unexpected anomaly (power failure, watchdog exception, fallback to safe-mode).

NOTE: The Engage physical bypass on malfunction option is available only for SonicWall E7500 appliances running SonicOS Enhanced version 5.5 or higher and only when the X0 interface is bridged to the X1 interface.

Selecting the Engage physical bypass on malfunction option automatically configures the other Layer 2 Bridge mode options as follows:

Block all non-IPv4 traffic - Disabled
Never route traffic - Enabled
Only sniff traffic - Disabled
Disable stateful-inspection - Not modified
Comment—Enter any comments regarding the interface.
Management—Select one or more of the following management options:
HTTP—Allows HTTP management over the interface.
HTTPS—Allows HTTPS management over the interface.
Ping—The interface responds to ping requests.
SNMP—The interface supports Simple Network Management Protocol (SNMP).
SSH—The interface supports Secure Shell (SSH) for CLI-based administration.
User Login—Select from the following user login options:
HTTP—When selected, you are able to login using HTTP.
HTTPS—When selected, you are able to login using HTTPS.
Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.

Wired Mode (2-Port Wire)

NOTE: The Wire Mode feature is supported only on NSA and SuperMassive platforms.

Wire Mode 2.0 can be configured on any zone (except wireless zones). Wire Mode is a simplified form of Layer 2 Bridge Mode, and is configured as a pair of interfaces. In Wire Mode, the destination zone is the Paired Interface Zone. Access rules are applied to the Wire Mode pair based on the direction of traffic between the source Zone and its Paired Interface Zone. For example, if the source Zone is WAN and the Paired Interface Zone is LAN, then WAN to LAN and LAN to WAN rules are applied, depending on the direction of the traffic.

In Wire Mode, administrators can enable Link State Propagation, which propagates the link status of an interface to its paired interface. If an interface goes down, its paired interface is forced down to mirror the link status of the first interface. Both interfaces in a Wired Mode pair always have the same link status.

In Wire Mode, administrators can Disable Stateful Inspection. When Disable Stateful Inspection is selected, Stateful Packet Inspection (SPI) is turned off. When Disable Stateful Inspection is not selected, new connections can be established without enforcing a 3-way TCP handshake. Disable Stateful Inspection must be selected if asymmetrical routes are deployed.

When the Bypass when SonicOS is restarting or down option is selected, and the Wire Mode Type is set to Secure, traffic continues to flow even when the SonicWall Security Appliance is rebooting or is down. The Bypass when SonicOS is restarting or down option is always enabled and is not editable when Disable Stateful Inspection is selected.

To configure Wire Mode 2.0:
1
Navigate to Network > Interfaces.
2
Click Add Interface.
or
Click Configure for the interface you want to configure.
3
Under the General tab, in the IP Assignment list, select Wire Mode (2-Port Wire).
4
In the Zone list, select WAN.
5
In the Paired Interface Zone list, select LAN.

6
Select Enable Link State Propagation.
7
Select Disable Stateful Inspection.
8
Select Bypass when SonicOS is restarting or down.
9
Click OK.

Tap Mode (1-Port Tap)

To configure an interface for Tap Mode, complete the following steps:
1
On the Network > Interfaces page, click Configure for the interface you want to configure for Wire Mode.
2
In the Zone pull-down menu, select LAN.
3
To configure the Interface for Tap Mode, in the Mode / IP Assignment pull-down menu, select Tap Mode (1-Port Tap) and click OK.

4
To configure the Interface for Wire Mode, in the Mode / IP Assignment pull-down menu, select Wire Mode (2-Port Wire).
5
Click OK.

Configuring WAN Settings

To configure the WAN settings for the SonicWall appliance, complete the following steps:

1
Select how the WAN connects to the Internet from the IP Assignment list box:
Static—Configure the following settings for static IP address interfaces:
IP Address—Enter the IP address of the interface.
Subnet Mask—Enter the subnet mask for the network.
Default Gateway—IP address of the WAN gateway.
DNS Server 1-3—IP addresses of the DNS Servers.
Comment—Enter any comments regarding the interface.
DHCP—Configure the following settings if the WAN IP address will use DHCP:
Host Name—Specifies the host name of the SonicWall device on the WAN interface.
Comment—Enter any comments regarding the interface.
IP Address, Subnet Mask, Gateway (Router) Address, and DNS Server 1-3—These settings are automatically filled in by DHCP.
PPPoE—Configure the following client settings if the WAN interface uses PPPoE:

Schedule—Select the schedule for when the interface is enabled. The default value is Always on. The available options can be customized in the System > Schedule page. The default choices are:

Always On

Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)

M-T-W-TH-F 00:00-08:00

After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)

Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)

AppFlow Report Hours or SU-M-T-W-TH-F-S 00:00-24:00

TSR Report Hours

User Name—Enter the username provided by the ISP.
User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
Comment—Enter any comments regarding the interface.
Service Name—Enter the name of a service that must be supported by PPPoE servers that respond to a client connection request. The service name can be up to 50 characters. Many installations use the system name as a service name, for example “sonicwall-server” or “redback-server.” If the service name is left blank the client connects to any service.
Select from the following:

To configure the SonicWall appliance(s) to dynamically obtain an IP address, select Obtain IP Address automatically.

To configure the SonicWall appliance(s) to use a fixed IP address, select Specify IP Address and enter the IP address.

To configure an unnumbered PPPoE interface,

Select from the following:

To configure the SonicWall appliance(s) to obtain the DNS server information automatically, select Obtain DNS Server Address Automatically.

To specify DNS servers, select Specify DNS Servers and enter the DNS Server IP addresses.

NOTE: For PPPoE interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
To configure an Unnumbered PPPoE Interface, complete the following steps:
1
Click the Protocol tab.
2
For Zone, select LAN, DMZ, or create a new zone.
3
For Mode / IP Assignment, select IP Unnumbered.
4
For IP Address, enter the address provided by your ISP. Usually it is the second IP address assigned by the provider. The subnet mask is also assigned by the ISP.
NOTE: The default MTU of PPPoE is 1492.
NOTE: To change X3 to another mode when X2 unnumbered to X3 is configured, first terminate the relationship with X2 by changing X2 to another mode. Otherwise, if you change the IP address or mask of interface X3, it causes X3 to reconnect to the PPPoE server.
NOTE: If X3 is set as unnumbered interface, other interfaces cannot connect to X3 using an L2 Bridge.
View the settings for the acquired IP address, subnet mask, gateway address, and DNS server addresses.
Inactivity Disconnect—Specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet, and select the check box.
Strictly use LCP echo packets for server keep-alive—This check box is enabled when the client recognizes that the server relies on Link Control Protocol (LCP) echo requests for keeping the PPPoE connection alive.
Disconnect the PPPoE client if the server does not send traffic for __ minutes—Select this check box and enter the number of minutes to wait without traffic before the connection is ended. When enabled, the PPPoE client monitors traffic from the server on the tunnel and disconnects when no traffic is seen for the specified time period.
5
If High Availability is enabled, High Availability > Settings is configured with Unnumbered PPPoE.

A sample network topology is as follows:

In this topology, X2 is the PPPoE unnumbered interface and X3 is an unnumbered interface.

GMS adds two routes:

GMS also adds two NAT policies:

A manually added NAT policy would have settings such as:

PPTP—Configure the following settings if the WAN IP address will use PPTP:
Schedule—Select the schedule for when the interface is enabled. The default value is Always on. The available options can be customized in the System > Schedules page. The default choices are:

Always on

Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)

M-T-W-TH-F 00:00-08:00

After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)

Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)

User Name—Enter the username provided by the ISP.
User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
PPTP Server IP Address—This information is provided by your ISP.
PPTP (Client) Host Name—This information is provided by your ISP.
Comment—Enter any comments regarding the interface.
Inactivity Disconnect—Specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet.
Select from the following from the PPTP IP Assignment list box:
To configure the SonicWall appliance(s) to dynamically obtain an IP address, select DHCP.
To configure the SonicWall appliance(s) to use a fixed IP address, select Static and enter the IP address, subnet mask, and gateway IP address.
NOTE: For PPTP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
L2TP—Configure the following settings if the WAN IP address uses L2TP:
Schedule—Select the schedule for when the interface is enabled. The default value is Always on. The available options can be customized in the System > Schedules page. The default choices are:

Always on

Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)

M-T-W-TH-F 00:00-08:00

After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)

Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)

User Name—Enter the username provided by the ISP.
User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
L2TP Server IP Address—This information is provided by your ISP.
L2TP (Client) Host Name—This information is provided by your ISP.
Comment—Enter any comments regarding the interface.
Inactivity Disconnect—Specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet.
Select from the following from the L2TP IP Assignment list box:

To configure the SonicWall appliance(s) to dynamically obtain an IP address, select DHCP.

To configure the SonicWall appliance(s) to use a fixed IP address, select Static and enter the IP address, subnet mask, and gateway IP address.

NOTE: For L2TP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
6
Select one or more of the following management options:
HTTP—When selected, allows HTTP management from the interface.
HTTPS—When selected, allows HTTPS management from the interface.
Ping—When selected, the interface responds to ping requests.
SNMP—When selected, the interface supports Simple Network Management Protocol (SNMP).
7
User Login—Select from the following user login options:
HTTP—When selected, you are able to login using HTTP.
HTTPS—When selected, you are able to login using HTTPS.
Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
8
Click Update. The settings are saved. To clear any changes and start over, click Reset.

Advanced Settings

1
Click the Advanced tab and configure the following Ethernet settings:
Link Speed—To configure the interface to automatically negotiate Ethernet settings, select Auto Negotiate. If you want to specify the forced Ethernet speed and duplex, select the appropriate setting.
Use Default MAC Address—Select to use the default MAC address.
Override Default MAC Address—Select to manually enter the MAC address.
Shutdown Port—Select to temporarily take this interface offline for maintenance or other reasons. If connected, the link will go down.
Enable flow reporting—Select to enable flow reporting on flows created for this interface. This check box is available on SonicWall appliances running 5.9 and higher firmware.
Enable Multicast Support—Select to enable multicast on the interface.
Interface MTU—Specify the size of the Maximum Transmission Unit (MTU) in octets (default: 1500).
Enable 802.1p tagging—QoS Marking is controlled per Access Rule from the Firewall > Access Rules page. Packets sent out this interface are tagged with VLAN id=0 and carry 802.1p priority information. Devices connected to this interface should support priority frames. This check box is available on SonicWall appliances running 5.9 and higher firmware.
Optionally, to exclude the interface from Route Advertisement, select Exclude from Route Advertisement (NSM, OSPF, BGP, RIP). This option is not selected by default.
Optionally, select Management Traffic Only to restrict traffic to only SonicWall management traffic and routing protocols. This option is not selected by default.
Optionally, enable Asymmetric Route Support on the interface by selecting Enable Asymmetric Route Support. If enabled, the traffic initialized from this interface supports asymmetric routes, that is, the initial packet or response packet can pass through from other interfaces. This check box is not selected by default.
Secondary IP Address—This can be used, for example, to have the firewall device reply for a secondary IP address on a particular interface by adding the address of the firewall.
Secondary Subnet Mask—Allows for secondary subnets to be added on other interfaces, and without the addition of automatic NAT rules.
To shut down the port, click Shutdown Port. A warning pop-up window displays, asking whether you want to administratively shut down the port. This option is only available for SuperMassive series appliances running SonicOS 6.1 and higher firmware images.
To fragment packets that are larger than this MTU, select Fragment non-VPN outbound packets larger than this Interface's MTU.
To block notifications that this interface can receive fragmented packets, select Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU.
* 
NOTE: If the maximum transmission unit (MTU) size is too large for a remote router, it might require more transmissions. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be processed.
To ignore Don’t Fragment (DF) bits from routers connected to the SonicWall appliance, select Ignore Don't Fragment (DF) Bit.
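The three MTU options above interact: whether an oversized outbound packet is fragmented, dropped with an ICMP Fragmentation Needed message, or dropped silently depends on the packet's DF bit, whether it is VPN traffic, and which options are selected. The following Python is an added example written for this guide, not SonicOS code. It models the options as the text describes them and makes two assumptions: VPN packets are never fragmented on the interface, and Ignore Don't Fragment (DF) Bit allows fragmentation of DF-marked packets. Packet sizes are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    FORWARD = "forward"          # fits within the MTU, sent unchanged
    FRAGMENT = "fragment"        # split into MTU-sized fragments
    DROP_ICMP = "drop+icmp"      # dropped; ICMP Fragmentation Needed sent to the source
    DROP_SILENT = "drop"         # dropped without notifying the source


@dataclass
class MtuSettings:
    """The Advanced tab options discussed above (field names are ours, not SonicOS identifiers)."""
    mtu: int = 1500
    fragment_non_vpn: bool = False        # Fragment non-VPN outbound packets larger than this Interface's MTU
    suppress_frag_needed: bool = False    # Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU
    ignore_df_bit: bool = False           # Ignore Don't Fragment (DF) Bit


def egress_decision(size: int, df_set: bool, is_vpn: bool, s: MtuSettings) -> Action:
    """Decide what happens to an outbound packet of `size` octets on an interface with settings `s`."""
    if size <= s.mtu:
        return Action.FORWARD
    # Oversized. Fragmentation is only offered for non-VPN traffic (assumption), and only when the
    # packet allows it (DF clear) or the interface is told to ignore the DF bit (assumption).
    may_fragment = s.fragment_non_vpn and not is_vpn and (not df_set or s.ignore_df_bit)
    if may_fragment:
        return Action.FRAGMENT
    # Otherwise the packet is dropped. Whether the sender learns the path MTU depends on the
    # ICMP suppression option; suppressing it breaks Path MTU Discovery for that sender.
    return Action.DROP_SILENT if s.suppress_frag_needed else Action.DROP_ICMP


def fragment_sizes(size: int, mtu: int, ip_header: int = 20) -> list:
    """Total lengths of the IPv4 fragments produced for a `size`-octet packet.

    Each fragment carries its own IP header, and every payload except the last
    must be a multiple of 8 octets (the fragment offset is expressed in 8-octet units).
    """
    if size <= mtu:
        return [size]
    payload = size - ip_header
    per_fragment = (mtu - ip_header) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(chunk + ip_header)
        payload -= chunk
    return sizes


if __name__ == "__main__":
    settings = MtuSettings(fragment_non_vpn=True)
    print(egress_decision(1600, df_set=False, is_vpn=False, s=settings))   # Action.FRAGMENT
    print(fragment_sizes(1600, 1500))                                       # [1500, 120]
```

The point worth checking before enabling the suppression option: a sender behind this interface that relies on Path MTU Discovery only learns the smaller MTU through the ICMP Fragmentation Needed message, so suppressing it turns oversized DF-marked packets into silent loss.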
Expert Mode
2
Under the Expert Mode Settings heading, select Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation to enable Routed Mode for the interface. Routed Mode provides an alternative to NAT for routing traffic between separate public IP address ranges. NAT translations are automatically disabled for the interface, and all inbound and outbound traffic is routed to the WAN interface.
In the Set NAT Policy's outbound\inbound interface to pull-down menu, select the WAN interface that is to be used to route traffic for the interface. The firewall then creates “no-NAT” policies for both the configured interface and the selected WAN interface. These policies override any more general M21 NAT policies that might be configured for the interfaces.
3
Click OK.
The availability of Expert Mode depends on the zone and IP address assignment configuration of the interface, as follows:
LAN & DMZ – Expert Mode is available for interfaces that are assigned a static IP address.
WAN – Expert Mode is not available.
WLAN - Expert Mode is available for all WLAN interfaces, regardless of IP assignment.
Bandwidth Management

Bandwidth Management (BWM) allows you to guarantee minimum bandwidth and prioritize traffic. BWM is enabled in the Firewall Settings > BWM page. By controlling the amount of bandwidth to an application or user, you can prevent a small number of applications or users from consuming all available bandwidth.

Various types of bandwidth management can be enabled on the Firewall > BWM page:

Advanced—Enables you to configure maximum egress and ingress bandwidth limitations per interface, by configuring bandwidth objects, access rules, and application policies.
Global—Allows you to enable BWM settings globally and apply them to any interfaces.
None (default)—Disables BWM.

GMS can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.

Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWall security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth. Balancing the bandwidth allocated to different network traffic and then assigning priorities to traffic improves network performance.

Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.

* 
NOTE: The Bandwidth Management settings are applied to all interfaces in the WAN zone, not just to the interface being configured.
Enabling Bandwidth Management
To enable or disable ingress and egress BWM:
1
Click the Edit icon of an interface. The Add/Edit Interface dialog displays.
2
Click the Advanced tab.

* 
NOTE: Advanced Settings could differ, depending on your firewall model.
3
Scroll to the Bandwidth Management section.
4
Select Enable Interface Egress Bandwidth Limitation. This option is not selected by default.

When this option is:

Selected, the maximum available egress BWM is defined, but as advanced BWM is policy based, the limitation is not enforced unless there is a corresponding Access Rule or App Rule.
Not selected, no bandwidth limitation is set at the interface level, but egress traffic can still be shaped using other options.
5
In the Maximum Interface Egress Bandwidth (kbps) field, enter the maximum egress bandwidth for the interface (in kilobytes per second). The default is 384.000000 Kbps.
6
Select Enable Interface Ingress Bandwidth Limitation. This option is not selected by default.
7
Click OK.
Enable Egress Bandwidth Management - Enables outbound bandwidth management.
Available Interface Egress Bandwidth (Kbps) - Specifies the available bandwidth for WAN interfaces in Kbps.
Enable Ingress Bandwidth Management - Enables inbound bandwidth management.
8
Available Interface Ingress Bandwidth (Kbps) - Specifies the available bandwidth for WAN interfaces in Kbps.
9
Click Update. The settings are saved. To clear any changes and start over, click Reset.

Configuring Link Aggregation (SonicOS 5.9 or higher)

* 
NOTE: The Link Aggregation features are supported only on NSA and SuperMassive platforms.

Link Aggregation groups up to four Ethernet interfaces together to form a single logical link, referred to as a Link Aggregation Group (LAG), that supports greater throughput than a single physical interface could. This provides the ability to send multi-gigabit traffic between two Ethernet domains. All ports in an aggregate link must be connected to the same switch. The firewall uses a round-robin algorithm for load balancing traffic across the interfaces in a Link Aggregation Group. Link Aggregation also provides a measure of redundancy, in that if one interface in the LAG goes down, the other interfaces remain connected.

Link Aggregation is referred to using different terminology by different vendors, including Port Channel, Ether Channel, Trunk, and Port Grouping.

Link Aggregation failover

SonicWall provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Link Aggregation. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:

1
High Availability
2
Link Aggregation
3
Load Balancing Groups

HA takes precedence over Link Aggregation. Because each link in the LAG carries an equal share of the load, the loss of a link on the Active firewall forces a failover to the Idle firewall (if all of its links remain connected). Physical monitoring needs to be configured only on the primary aggregate port.

When Link Aggregation is used with a LB Group, Link Aggregation takes precedence. LB takes over only if all the ports in the aggregate link are down.

Link Aggregation Configuration
To configure Link Aggregation, complete the following steps:
1
On the Network > Interfaces page, click the configure icon for the interface that is to be designated the master of the Link Aggregation Group. The Edit Interface window displays.
2
In the General tab, select a zone from the Zone pull-down menu.
3
Click on the Advanced tab.

4
In the Redundant/Aggregate Ports pull-down menu, select Link Aggregation.
5
The Aggregate Port option is displayed with a check box for each of the currently unassigned interfaces on the firewall. Select up to three other interfaces to assign to the LAG.
6
(Wire Mode only) The Paired Interface Aggregate Port option is displayed, select up to three paired interfaces.
* 
NOTE: After an interface is assigned to a Link Aggregation Group, its configuration is governed by the Link Aggregation master interface and it cannot be configured independently. In the Interface Settings table, the interface's zone is displayed as “Aggregate Port” and the configuration icon is removed.
7
Set the Link Speed for the interface to Auto-Negotiate.
8
Click OK.
* 
NOTE: Link Aggregation requires a matching configuration on the switch. The switch's method of load balancing varies depending on the vendor. Consult the documentation for the switch for information on configuring Link Aggregation. Remember that it might be referred to as Port Channel, Ether Channel, Trunk, or Port Grouping.

Port Redundancy (SonicOS 5.9 or higher)

* 
NOTE: The Port Redundancy features are supported only on NSA and SuperMassive platforms.

Port Redundancy provides a simple method for configuring a redundant port for a physical Ethernet port. This is a valuable feature, particularly in high-end deployments, to protect against switch failures being a single point of failure.

When the primary interface is active, it processes all traffic to and from the interface. If the primary interface goes down, the secondary interface takes over all outgoing and incoming traffic. The secondary interface assumes the MAC address of the primary interface and sends the appropriate gratuitous ARP on a failover event. When the primary interface comes up again, it resumes responsibility for all traffic handling duties from the secondary interface.

In a typical Port Redundancy configuration, the primary and secondary interfaces are connected to different switches. This provides for a failover path in case the primary switch goes down. Both switches must be on the same Ethernet domain. Port Redundancy can also be configured with both interfaces connected to the same switch.
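The failover event described above is visible on the wire: the secondary port sends a gratuitous ARP for the firewall's IP address with the primary's MAC address as the sender hardware address, which is what makes the switches relearn the port and keeps hosts' ARP caches unchanged. The following Python is an added example for this guide, not SonicOS code; it builds and decodes such a frame so a monitoring tool can recognise it and distinguish an expected failover (same MAC, new switch port) from an unexpected change of MAC for the firewall's address. The MAC and IP values are constructed.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(mac: str, ip: str, as_reply: bool = False) -> bytes:
    """Ethernet frame carrying a gratuitous ARP for (mac, ip).

    Sender and target protocol address are the same, so every host on the segment
    refreshes its cache entry and every switch relearns which port carries `mac`.
    """
    sha = mac_bytes(mac)
    spa = ipaddress.IPv4Address(ip).packed
    oper = 2 if as_reply else 1
    tha = sha if as_reply else bytes(6)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, spa)
    eth = BROADCAST_MAC + sha + struct.pack("!H", ETHERTYPE_ARP)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an ARP-over-Ethernet frame into its fields; raise ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "oper": "request" if oper == 1 else "reply",
        "sha": mac_str(sha),
        "spa": str(ipaddress.IPv4Address(spa)),
        "tha": mac_str(tha),
        "tpa": str(ipaddress.IPv4Address(tpa)),
    }


def is_gratuitous(arp: dict) -> bool:
    """A gratuitous ARP announces the sender's own address: sender IP equals target IP."""
    return arp["spa"] == arp["tpa"]


def mac_changed(arp: dict, known: dict) -> bool:
    """True when a gratuitous ARP claims an IP that the monitor already maps to a different MAC.

    After a Port Redundancy failover the secondary uses the primary's MAC, so this stays
    False; a gratuitous ARP that changes the MAC for the firewall's IP is worth an alert.
    """
    return is_gratuitous(arp) and known.get(arp["spa"], arp["sha"]) != arp["sha"]


if __name__ == "__main__":
    frame = build_gratuitous_arp("02:00:00:00:00:01", "192.0.2.1")     # constructed values
    print(parse_arp(frame))
```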

Port Redundancy Failover

SonicWall provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Port Redundancy. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:

1
Port Redundancy
2
HA
3
LB Group

When Port Redundancy is used with HA, Port Redundancy takes precedence. Typically an interface failover causes an HA failover to occur, but if a redundant port is available for that interface, then an interface failover occurs but not an HA failover. If both the primary and secondary redundant ports go down, then an HA failover occurs (assuming the secondary firewall has the corresponding port active).

When Port Redundancy is used with a LB Group, Port Redundancy again takes precedence. Any single-port (primary or secondary) failure is handled by Port Redundancy, just as with HA. When both ports are down, LB kicks in and tries to find an alternate interface.

Port Redundancy Configuration
To configure Port Redundancy, complete the following steps:
1
On the Network > Interfaces page, click the configure icon for the interface that is to be designated the primary interface of the redundant pair. The Edit Interface window displays.
2
In the General tab, select a zone from the Zone pull-down menu.
3
Click on the Advanced tab.

4
In the Redundant/Aggregate Ports pull-down menu, select Port Redundancy.
5
The Redundant Port pull-down menu is displayed, with all of the currently unassigned interfaces available. Select one of the interfaces.
* 
NOTE: After an interface is selected as a Redundant Port, its configuration is governed by the primary interface and it cannot be configured independently. In the Interface Settings table, the interface's zone is displayed as “Redundant Port” and the configuration icon is removed.
6
Set the Link Speed for the interface to Auto-Negotiate.
7
Click OK.

Configuring VLAN Sub-Interfaces

When you add a VLAN sub-interface, you need to assign it to a Zone, assign it a VLAN Tag, and assign it to a physical interface. Based on your zone assignment, you configure the VLAN sub-interface the same way you configure a physical interface for the same zone.

1
At the bottom of the Network > Interfaces page, click Add VLAN Interface. The Add Interface window displays.

2
Select a Zone to assign to the interface. You can select LAN, DMZ, WLAN, or unassigned. The zone assignment does not have to be the same as the parent (physical) interface.
3
Enter a Portshield Interface Name for the sub-interface.
4
Declare the parent (physical) interface to which this sub-interface belongs. There is no per-interface limit to the number of sub-interfaces you can assign; you can assign sub-interfaces up to the system limit (in the hundreds).
5
For LAN and DMZ, select Static or Transparent for the IP Assignment. WLAN interfaces use static IP addresses:
For static IP addresses, enter the IP Address for the interface and Subnet Mask for the network.
For transparent mode, select an address object that contains the range of IP addresses you want to have access through this interface in the Transparent Range menu.
6
Management—Select from the following management options:
HTTP—When selected, allows HTTP management from the interface.
HTTPS—When selected, allows HTTPS management from the interface.
Ping—When selected, the interface responds to ping requests.
SNMP—When selected, the interface supports Simple Network Management Protocol (SNMP).
7
User Login—Select from the following user login options:
HTTP—When selected, you are able to login using HTTP.
HTTPS—When selected, you are able to login using HTTPS.
Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
8
Check Create Default DHCP Lease Scope to indicate that the amount of time allowed for an IP address issued by DHCP will be the default.
9
Click OK.

The Virtual interface displays in the VLAN Interfaces table below the Interfaces table.

WAN Connection Model

To configure the WAN connection model for a SonicWall appliance with WWAN capability running SonicOS Enhanced 3.6 or higher, navigate to the Network > Interfaces page and select one of the following options in the WAN Connection Model pull-down menu:

WWAN only—The WAN interface is disabled and the WWAN interface is used exclusively.
Ethernet only—The WWAN interface is disabled and the WAN interface is used exclusively.
Ethernet with WWAN Failover—The WAN interface is used as the primary interface and the WWAN interface is disabled. If the WAN connection fails, the WWAN interface is enabled and a WWAN connection is automatically initiated.
* 
NOTE: The WAN Connection Model option does not apply to TZ200 through NSA240 units running SonicOS Enhanced 5.6 and above. For these devices, any WWAN interface is treated as a regular WAN interface, and failover to the WWAN is configured as a secondary WAN interface. See Configuring Multiple WAN Interfaces for more information.

Managing WWAN Connections

To initiate a WWAN connection, complete the following steps:
1
In the Interface Settings table, in the WWAN row, click Connect. The SonicWall appliance attempts to connect to the WWAN service provider.
2
To disconnect a WWAN connection, click Disconnect.

Configuring MGMT Interfaces

To configure an interface for Management (MGMT) mode, complete the following steps:
1
Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
* 
NOTE: An MGMT interface cannot be added; it is a default interface present on the firewall and can only be edited. MGMT interfaces are supported only on select SonicWall firewalls; check the SonicOS Release Notes for support information.
2
Enter the IP Address (Primary), and the IP Address (Secondary) if high availability is enabled, and the Subnet Mask of the zone in the IP Address (Primary), IP Address (Secondary), and Subnet Mask fields.
* 
NOTE: If Active/Active Clustering is enabled and the firewall is running SonicOS 6.1 or higher firmware, IP Address text-fields for multiple nodes are available.

* 
NOTE: You cannot enter an IP address that is in the same subnet as another zone.
3
Enter an IP address for a Default Gateway (optional).
4
Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
5
If you want to enable remote management of the SonicWall appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP.
6
If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
7
To add a rule to redirect from HTTP to HTTPS, click Add rule to enable redirect from HTTP to HTTPS. This option is only visible if Allow management via HTTP is enabled on the System > Administration page.
8
Click OK.

WAN Failover and Load Balancing

WAN Failover enables you to configure one of the user-defined interfaces as a secondary WAN port. The secondary WAN port can be used in a simple “active/passive” setup to allow traffic to be only routed through the secondary WAN port if the Primary WAN port is unavailable. This allows the SonicWall to maintain a persistent connection for WAN port traffic by “failing over” to the secondary WAN port.

For a SonicWall appliance with a WWAN interface, such as a TZ 190, you can configure failover using the WWAN interface. Failover between the Ethernet WAN (the WAN port, OPT port, or both) and the WWAN is supported through the WAN Connection Model setting.

This feature also allows you to do simple load balancing for the WAN traffic on the SonicWall. You can select a method of dividing the outbound WAN traffic between the two WAN ports and balance network traffic. Load balancing is currently supported only on Ethernet WAN interfaces, not on WWAN interfaces.

The SonicWall can monitor WAN traffic using Physical Monitoring that detects if the link is unplugged or disconnected, or Physical and Logical Monitoring that monitors traffic at a higher level, such as upstream connectivity interruptions.

* 
NOTE: Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings.
To configure the WAN Failover for a SonicWall appliance, complete the following steps:
1
Expand the Network tree and click Failover & LB. The Failover & LB page displays.
2
Select Enable Load Balancing. This option must be enabled for the user to access the LB Groups and LB Statistics section of the Failover & Load Balancing configuration. If disabled, no options for Failover & Load Balancing are available to be configured.
3
Select Respond to Probes. When enabled, the appliance can reply to probe request packets that arrive on any of the appliance’s interfaces.
4
Select Any TCP-SYN to Port. This option is only available when the Respond to Probes option is enabled. When selected, the appliance responds only to TCP probe request packets whose destination TCP port number matches the configured value.
5
Click Update.
To access the WAN Failover & Load Balancing Settings:
1
Click Configure and select the secondary interface(s) from the Secondary WAN Interface pull-down menu. If this is not configured, you need to configure a WAN interface from the Network > Interfaces page.

Appliances running SonicOS Enhanced 5.5 can support up to three alternate WAN interfaces. For these appliances, the Secondary WAN Interface pull-down menu is replaced with up to three Alternate WAN pull-down menus. The pull-down menu contains all interfaces configured as WAN interfaces.
2
Specify how often the SonicWall appliance checks the interface (5-300 seconds) in the Check interface every field (default: 5 seconds).
3
Specify the number of times the SonicWall appliance tests the interface as inactive before failing over in the Deactive interface after field (default: 3). For example, if the SonicWall appliance tests the interface every five seconds and finds the interface inactive after three successive attempts, it fails over to the secondary interface after 15 seconds.
4
Specify the number of times the SonicWall appliance tests the interface as active before failing back to the primary interface in the Reactivate interface after field (default: 3). For example, if the SonicWall appliance tests the interface every five seconds and finds the interface active after three successive attempts, it fails back to the primary interface after 15 seconds.

General tab

To configure the Group settings, complete the following steps:
1
Click Configure on the Group you wish to configure on the Network > Failover & LB page. The Edit LB Group dialog displays.

2
On the General tab, edit the display name of the Group in the Name field. The name of the default group cannot be changed.
3
From the Type drop-down menu, choose the type (or method) of LB; options change depending on the type selected:
Basic Failover—The four WAN interfaces use rank to determine the order of preemption when Preempt has been enabled. Only a higher-ranked interface can preempt an Active WAN interface. This is selected by default.
Round Robin—This option now allows you to re-order the WAN interfaces for Round Robin selection. The default order is:
Primary WAN
Alternate WAN #1
Alternate WAN #2
Alternate WAN #3

The Round Robin then returns to the Primary WAN to continue the order.

Spill-over—The bandwidth threshold applies to the Primary WAN. When the threshold is exceeded, new traffic flows are allocated to the Alternates in a Round Robin manner. If the Primary WAN bandwidth goes below the configured threshold, Round Robin stops, and outbound new flows will again be sent out only through the Primary WAN.
* 
NOTE: Existing flows remain associated with the Alternates (as they are already cached) until they time out normally.
Ratio—A percentage can be set for each WAN in the LB group. To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates.
4
Depending on what you selected from the Type drop-down menu, one of these options display:

Type drop-down options

Type selection: Basic Failover
Option: Preempt and failback to preferred interfaces when possible
Select to enable rank to determine the order of preemption. Selected by default.

Type selection: Spill-over
Option: When bandwidth exceeds BandwidthLimit Kbit/s on PrimaryInterface, new flows will go to the alternate group members in Round Robin manner
Specify the bandwidth for the Primary in the field. If this value is exceeded, new flows are then sent to alternate group members according to the order listed in the Selected column. The default value is 0.

Type selection: Round Robin, Spillover, and Ratio
Option: Use Source and Destination IP Address binding
This option is especially useful when using HTTP/HTTPS redirection or in a similar situation. For example, connection A and connection B need to be on the same WAN interface: the source and destination IP addresses in connection A are the same as those for connection B, but a different service is being used. In this case, source and destination IP address binding is required to keep both connections on the same WAN interface so that the transactions do not fail. This option is not selected by default.

5
Add, delete, and order member interfaces in the Group Members: Select here:/Selected lists. The use of the selected members in the Selected list depends on the Type selected:
Basic Failover: Interface Ordering:
Round Robin: Interface Pool:
Spill-over: Primary/Alt. Pool:
Ratio: Interface Distribution:
6
Add members by selecting a displayed interface from the Group Members: column, and then clicking Add>>.
7
You can order the entries in the Selected column by:
a
Selecting an entry
b
Clicking Up/Down.

If you selected Ratio, instead of ordering the entries, you can specify the ratio of bandwidth for each interface. See Configuring Bandwidth as a Ratio.

* 
IMPORTANT: To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates.
a
Enter a percentage of bandwidth to be assigned to an interface in the percent (%) field. The total bandwidth for all interfaces should add up to 100%. The total percentage of bandwidth allocated is displayed.

You can modify the ratio by clicking Modify Ratio or have the ratios adjusted automatically by clicking Auto Adjust.

Delete members from the Selected: column by:

a
Selecting the displayed interface,
b
Clicking <<Remove.
* 
NOTE: The interface at the top of the list is the Primary.
The Interface Rank does not specify the operation performed on the individual member. The operation that is performed is specified by the Group Type.
8
Optionally, enter this setting:
Final Back-Up—An entry in this setting is an interface of “last resort,” that is, an interface that is used only when all other interfaces in the Selected: group are either unavailable or unusable. To specify a Final Back-Up interface, select an entry in the Group Members list, and then click the double right arrow button. To remove a Final Back-Up interface, click the double left arrow button.
9
Click OK.
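The four Group Types differ only in how the next new flow is assigned to a member of the Selected list, and the Source and Destination IP Address binding option and the Final Back-Up interface sit on top of that choice. The following Python is an added example for this guide, not SonicOS code; it models those semantics as the text describes them, covering the Type descriptions, the option table, and the member-ordering steps above. It assumes Preempt is enabled for Basic Failover, models Ratio as a deterministic weighted selection (the firewall's actual distribution algorithm is not documented here), and uses constructed interface names, load figures and addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Wan:
    name: str
    up: bool = True
    load_kbps: float = 0.0   # current measured load (constructed; used by Spill-over)
    percent: int = 0         # bandwidth share for Ratio groups


GROUP_TYPES = ("basic_failover", "round_robin", "spill_over", "ratio")


class LbGroup:
    """Picks the WAN for each new outbound flow according to the Group Type.

    Assumptions: Preempt is enabled for Basic Failover, Ratio is a deterministic
    weighted selection, and a bound flow stays pinned only while its WAN is up.
    """

    def __init__(self, kind: str, members: List[Wan], final_backup: Optional[Wan] = None,
                 spill_threshold_kbps: float = 0.0, ip_binding: bool = False):
        if kind not in GROUP_TYPES:
            raise ValueError(f"unknown group type {kind!r}")
        self.kind = kind
        self.members = members                 # ordered; members[0] is the Primary WAN
        self.final_backup = final_backup       # interface of last resort
        self.threshold = spill_threshold_kbps
        self.ip_binding = ip_binding
        self._rr_cursor = 0
        self._assigned: Dict[str, int] = {}
        self._bound: Dict[Tuple[str, str], Wan] = {}

    @staticmethod
    def _up(pool: List[Wan]) -> List[Wan]:
        return [w for w in pool if w.up]

    def _round_robin(self, pool: List[Wan]) -> Optional[Wan]:
        avail = self._up(pool)
        if not avail:
            return None
        choice = avail[self._rr_cursor % len(avail)]
        self._rr_cursor += 1
        return choice

    def _select(self) -> Optional[Wan]:
        if self.kind == "basic_failover":
            avail = self._up(self.members)     # highest-ranked available interface wins
            return avail[0] if avail else None
        if self.kind == "round_robin":
            return self._round_robin(self.members)
        if self.kind == "spill_over":
            primary = self.members[0]
            if primary.up and primary.load_kbps <= self.threshold:
                return primary
            alt = self._round_robin(self.members[1:])     # spill to alternates in RR order
            return alt if alt is not None else (primary if primary.up else None)
        avail = [w for w in self._up(self.members) if w.percent > 0]
        if not avail:
            return None
        # Ratio: the member furthest below its share gets the flow; ties go to list order.
        return min(avail, key=lambda w: (self._assigned.get(w.name, 0) / w.percent,
                                         self.members.index(w)))

    def choose(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Return the name of the WAN a new flow from src_ip to dst_ip is sent out of."""
        key = (src_ip, dst_ip)
        if self.ip_binding and key in self._bound and self._bound[key].up:
            return self._bound[key].name
        wan = self._select()
        if wan is None and self.final_backup is not None and self.final_backup.up:
            wan = self.final_backup
        if wan is None:
            return None
        self._assigned[wan.name] = self._assigned.get(wan.name, 0) + 1
        if self.ip_binding:
            self._bound[key] = wan
        return wan.name

    def assigned_counts(self) -> Dict[str, int]:
        return dict(self._assigned)


if __name__ == "__main__":
    ratio = LbGroup("ratio", [Wan("X1", percent=50), Wan("X2", percent=25), Wan("X3", percent=25)])
    for i in range(100):
        ratio.choose("10.0.0.5", f"198.51.100.{i}")     # constructed addresses
    print(ratio.assigned_counts())                        # {'X1': 50, 'X2': 25, 'X3': 25}
```

Running the ratio group for 100 distinct flows shows why the IMPORTANT note above matters: a percentage attached to the wrong interface silently sends half the traffic out of the link you meant to keep lightly loaded, and nothing in the flow itself reveals the mistake.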

Configuring Bandwidth as a Ratio

If Ratio is selected, the Add >> button is replaced by a percent (%) field and a Double Right Arrow button, and the Up/Down Arrow buttons are replaced with the Auto Adjust button.

Enter a percentage of bandwidth to be assigned to the interface. The total percentage of bandwidth allocated is displayed.

* 
IMPORTANT: To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates.

If multiple interfaces are selected, you can either:

Click Auto Adjust to distribute the bandwidth equally among the interfaces.
Enter a percentage of bandwidth to be assigned to each interface.
To modify the bandwidth percentage for an interface:
1
Select the interface in the Selected column.
2
Click Modify Ratio.
3
Enter a new percentage in the percent (%) field.
4
Click Modify Ratio again. The percentage for the bandwidth and the total bandwidth allocated are updated.

Probing tab

When Logical probing is enabled, test packets can be sent to remote probe targets to verify WAN path availability. A new option has been provided to allow probing through the additional WAN interfaces: Alternate WAN #3 and Alternate WAN #4.

* 
NOTE: VLANs for alternate WANs do not support QoS or VPN termination.
To configure the probing options for a specific group, complete the following steps:
1
Click the Configure icon of the Group you wish to configure on the Network > Failover & LB page. The Edit LB Group dialog displays.

2
Click the Probing tab.

3
Modify the following settings:
Check Interface every: n sec —The interval of health checks in units of seconds. The default value is 5 seconds.
Deactivate Interface after: n missed intervals—The number of failed health checks after which the interface sets to Failover. The default value is 6 seconds.
Reactivate Interface after: n successful intervals—The number of successful health checks after which the interface sets to Available. The default value is 3 seconds.
Probe responder.global.sonicwall.com on all interfaces in this group—Enable this check box to automatically set Logical/Probe Monitoring on all interfaces in the Group. When enabled, TCP probe packets are sent to the global SNWL host that responds to SNWL TCP packets, responder.global.sonicwall.com, using a target probe destination address of 204.212.170.23:50000. When this check box is selected, the rest of the probe configuration enables built-in settings automatically. The same probe will be applied to all four WAN Ethernet interfaces.
* 
NOTE: The Dialup WAN probe setting also defaults to the built-in settings.
4
Click OK.

Configuring Probe Settings

To configure the Group Member settings:
1
Click the Configure icon of the Group member you wish to configure on the Network > Failover & LB page. The Probe Settings dialog displays.

2
Select the type of probing to be done:
Physical Monitoring Only (default; all other options are dimmed).
Logical/Probe Monitoring enabled – all other options become available.
3
From the Logical/Probe Monitoring enabled drop-down menu, select when the probe succeeds:
Probe succeeds when either Main Target or Alternate Target responds.
Probe succeeds when both Main Target and Alternate Target respond.
Probe succeeds when Main Target responds.
Succeeds Always (no probing). – Default; all other options are dimmed.
4
From the Main Target drop-down menu, select:
Ping (ICMP)
TCP (default)
a
In the Main Target Host field, enter the host name. The default is responder.global.sonicwall.com.
b
In the Main Target Port field, enter the applicable port. The default is 50000.
5
From the Alternate Target drop-down menu, select:
* 
NOTE: The Alternate Target options are available only when Probe succeeds when either Main Target or Alternate Target responds or Probe succeeds when both Main Target and Alternate Target respond is selected for Logical/Probe Monitoring enabled.
Ping (ICMP)
TCP (default)
a
In the Alternate Target Host field, enter the host name. The default is responder.global.sonicwall.com.
b
In the Alternate Target Port field, enter the applicable port. The default is 50000.
6
In the Default Target IP field, enter the IP address of the default target.
* 
NOTE: This option is dimmed if Succeeds Always (no probing) is selected for Logical/Probe Monitoring enabled.
An IP Address of 0.0.0.0 or a DNS resolution failure uses the configured Default Target IP.
7
Click OK.
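The Failover & LB timers (Check interface every, Deactivate interface after, Reactivate interface after) and the Probe Settings (the four Probe succeeds when choices, the Main and Alternate targets, and the Default Target IP fallback) together form one small state machine per WAN interface. The following Python is an added example for this guide, not SonicOS code; it models that state machine as the text describes it so the failover and failback timing, and the effect of each success mode, can be worked through offline. The probe and DNS functions are injected and return constructed results; the host names default to the responder host named on the page, the IP addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ProbeTarget:
    kind: str                                    # "tcp" or "icmp" (Ping)
    host: str = "responder.global.sonicwall.com"
    port: int = 50000                            # ignored for icmp


@dataclass
class ProbeSettings:
    mode: str = "always"          # always | main | either | both (the four 'Probe succeeds when' choices)
    main: ProbeTarget = field(default_factory=lambda: ProbeTarget("tcp"))
    alternate: Optional[ProbeTarget] = None
    default_target_ip: str = "0.0.0.0"
    check_interval_sec: int = 5
    deactivate_after: int = 6     # missed intervals before the interface is set to Failover
    reactivate_after: int = 3     # successful intervals before it is set back to Available


Prober = Callable[[str, str, int], bool]      # (kind, ip, port) -> reachable?
Resolver = Callable[[str], Optional[str]]     # host -> ip, or None on DNS failure


def resolve_target(host: str, resolver: Resolver, default_ip: str) -> str:
    """0.0.0.0 or a DNS failure falls back to the configured Default Target IP."""
    ip = resolver(host)
    return default_ip if not ip or ip == "0.0.0.0" else ip


class WanProbe:
    def __init__(self, settings: ProbeSettings, prober: Prober, resolver: Resolver):
        if settings.mode not in ("always", "main", "either", "both"):
            raise ValueError(f"unknown probe mode {settings.mode!r}")
        self.s = settings
        self.prober = prober        # injected so the example runs offline against constructed results
        self.resolver = resolver
        self.available = True
        self.missed = 0
        self.succeeded = 0
        self.elapsed_sec = 0

    def _reach(self, t: ProbeTarget) -> bool:
        ip = resolve_target(t.host, self.resolver, self.s.default_target_ip)
        return self.prober(t.kind, ip, t.port)

    def probe_once(self) -> bool:
        """One logical probe, combined according to the 'Probe succeeds when' setting."""
        m = self.s.mode
        if m == "always":
            return True                     # Succeeds Always (no probing)
        main_ok = self._reach(self.s.main)
        if m == "main" or self.s.alternate is None:
            return main_ok
        alt_ok = self._reach(self.s.alternate)
        return (main_ok or alt_ok) if m == "either" else (main_ok and alt_ok)

    def tick(self) -> bool:
        """Run one health-check interval and return the interface state afterwards."""
        self.elapsed_sec += self.s.check_interval_sec
        ok = self.probe_once()
        if self.available:
            self.missed = 0 if ok else self.missed + 1
            if self.missed >= self.s.deactivate_after:
                self.available, self.succeeded = False, 0
        else:
            self.succeeded = self.succeeded + 1 if ok else 0
            if self.succeeded >= self.s.reactivate_after:
                self.available, self.missed = True, 0
        return self.available


def seconds_to_failover(s: ProbeSettings) -> int:
    """Worst-case time before a dead path is abandoned: interval x missed intervals."""
    return s.check_interval_sec * s.deactivate_after


if __name__ == "__main__":
    # Constructed: the main target never answers, so the interface fails over after 3 x 5 s.
    s = ProbeSettings(mode="main", check_interval_sec=5, deactivate_after=3)
    p = WanProbe(s, lambda kind, ip, port: False, lambda host: "198.51.100.1")
    print([p.tick() for _ in range(3)], p.elapsed_sec)   # [True, True, False] 15
```

Two things the model makes visible: with Succeeds Always (no probing) only physical link loss ever triggers failover, so an upstream outage behind a live switch port goes unnoticed; and with a Default Target IP left at 0.0.0.0, a DNS failure makes every probe target 0.0.0.0, which is why the fallback address deserves a real, reachable value.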

Configuring Multiple WAN Interfaces

The Multiple WAN (MWAN) feature allows the administrator to configure all but one of the appliance's interfaces for WAN network routing (one interface must remain configured for the LAN zone for local administration). All of the WAN interfaces can be probed using the SNWL Global Responder host. Multiple WAN is configured across the following sections of the UI.

Configuring Network Interfaces for Multiple WAN

The Network > Interfaces page allows more than two WAN interfaces to be configured for routing. It is possible to configure WAN interfaces in the Network Interfaces page but not include them in Failover & LB. Only the Primary WAN Ethernet Interface is required to be part of the LB group whenever LB has been enabled. Any WAN interface that does not belong to the LB group is not included in the LB function, but performs normal WAN routing functions.

* 
NOTE: A virtual WAN interface might belong to the LB group. However, prior to using within the LB group, ensure that the virtual WAN network is fully routable like that of a physical WAN.
Routing the Default & Secondary Default Gateways for Multiple WAN

Because the gateway address objects previously associated with the Primary WAN and Secondary WAN are now deprecated, user-configured Static Routes need to be re-created in order to use the correct gateway address objects associated with the WAN interfaces. This must be configured manually as part of the firmware upgrade procedure on the Network > Routing page.

The old address object, Default Gateway, corresponds to the default gateway associated with the Primary WAN in the LB group. The Secondary Default Gateway address object corresponds to the default gateway associated with Alternate WAN #1.

* 
NOTE: After re-adding the routes, delete the old ones referring to the Default and Secondary Default Gateways.
Configuring DNS for Multiple WAN

If DNS name resolution issues are encountered with multiple WAN interfaces, you might need to select the Specify DNS Servers Manually option on the Network > DNS page and set the servers to Public DNS Servers (ICANN or non-ICANN).

Depending on your location, some DNS Servers might respond faster than others. Verify that these servers work correctly from your installation prior to using your SonicWall appliance.

Configuring Zones

A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following a strict physical interface scheme. There are four fixed Zone types: Trusted, Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones. These fixed Zone types cannot be modified or deleted. A Zone instance is created from a Zone type and named accordingly, such as Sales, Finance, and so on.

The number of Zone instances for the Trusted and Public Zone types is limited only by the number of interfaces. The Untrusted Zone type (such as the WAN) is restricted to two Zone instances. The Encrypted Zone type is a special system Zone comprising all VPN traffic; it has no associated interfaces.

Trusted and Public Zone types offer an option, Interface Trust, to automate the creation of Access Rules to allow traffic to flow between the Interfaces of a Zone instance. For example, if the LAN Zone has interfaces X0, X3, and X5 assigned to it, checking Allow Interface Trust on the LAN Zone creates the necessary Access Rules to allow hosts on these Interfaces to communicate with each other.

To add or edit a Zone, complete the following steps:
1
Select the global icon, a group, or a SonicWall appliance.
2
Expand the Network tree and click Zones. The Zones page displays.

3
Click the Edit icon for a Zone or click Add New Zone.

The Edit Zone or Add Zone dialog box displays.

4
If this is a new Zone, enter a name for the Zone.
5
Select the Security Type.
6
To configure the SonicWall appliance to automatically create the rules that allow data to freely flow between interfaces in the same Zone, select Allow Interface Trust.
7
To enforce content filtering on multiple interfaces in the same Trusted or Public Zones, select Enforce Content Filtering Service.
8
For appliances running SonicOS Enhanced 4.0 or above, if the selected node is a group or global node, or if the selected appliance is licensed for SonicWall CFS Premium, select a predefined CFS policy or the default policy from the CFS Policy pull-down list. The pull-down list is only populated if Enforce Content Filtering Service is enabled. It is not available for the WAN zone.
9
To enforce network anti-virus protection on multiple interfaces in the same Trusted or Public Zones, select Enforce Network Anti-Virus Service.
10
To enforce gateway anti-virus protection on multiple interfaces in the same Trusted or Public Zones, select Enable Gateway Anti-Virus Service.
11
To enforce Intrusion Prevention Services (IPS) on multiple interfaces in the same Trusted or Public Zones, select Enable IPS.
12
To enable Anti-Spyware on the zone, select Enable Anti-Spyware Service.
13
To enforce security policies for Global Security Clients on multiple interfaces in the same Trusted or Public Zones, select Enforce Global Security Clients.
14
To automatically create a GroupVPN policy for this zone, select Create Group VPN.
15
For appliances running SonicOS Enhanced 4.0 or above, select Enable SSL Control to allow SSL Control in this zone. This check box is not active for the VPN or Multicast zones.
16
For WLAN zones, see Configuring the WLAN Zone for information about configuring settings on the other tabs. For all other zones, click Update when you are finished. The Zone is modified or added for the selected SonicWall appliance. To clear all settings and start over, click Reset.

Configuring Guest Services on Non-Wireless Zones

Trusted and Public Zone types offer the ability to configure guest services.

To configure Guest Services on a non-wireless zone, complete the following steps:
1
When the Security Type for a zone is selected as either Trusted or Public, the Guest Services tab displays.

2
Select Enable Guest Services.
3
Configure any of the following options:

Enforce Guest Login over HTTPS—Requires guests to use HTTPS instead of HTTP to access the guest services.

Enable inter-guest communication—Allows guests in this Zone to communicate directly with each other.

Bypass AV Check for Guests—Allows guest traffic to bypass Anti-Virus protection.

Enable External Guest Authentication—Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating hotspot users and providing them parametrically bound network access.

* 
NOTE: Refer to the SonicWall Lightweight Hotspot Messaging tech note available at the SonicWall documentation Web site https://support.sonicwall.com/search?k=5447759 for complete configuration of the Enable External Guest Authentication feature.

Custom Authentication Page—Redirects you to a custom authentication page when you first connect to the zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.

Post Authentication Page—Directs you to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.

Bypass Guest Authentication—Allows the appliance to integrate into environments already using some form of user-level authentication. This feature automates the Guest Services authentication process, allowing you to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the appliance is enforcing authentication.

Redirect SMTP traffic to—Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object of the server to redirect traffic to.

Deny Networks—Blocks traffic from the networks you name. Select the subnet, address group, or IP address from which to block traffic.

Pass Networks—Automatically allows traffic through the zone from the networks you select.

Max Guests—Specifies the maximum number of guest users allowed to connect to the zone. The default is 10.

4
Click OK to apply these settings to the zone.

Configuring the WLAN Zone

The Add Zone or Edit Zone screens for WLAN zones contain two tabs that are not available for other zones. This section describes the settings on the Wireless and Guest Services tabs of the Add or Edit Zone screens. For instructions about WLAN configuration settings on the General tab, see Configuring Zones.

To configure specific wireless-zone settings:

1
Select the global icon, a group, or a SonicWall appliance.
2
In the Network > Zones pages, click the Add New Zone or the Edit icon for the WLAN zone.
3
Configure the settings on the General tab as described for other zones. To expose the wireless-only tabs when adding a new zone, select Wireless for the Security Type.
4
Click the Wireless tab.

5
On the Wireless tab, select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWall SonicPoints to enter the WLAN Zone interface. This allows maximum security of your WLAN. Uncheck this option if you want to allow any traffic on your WLAN Zone regardless of whether or not it is from a wireless connection.
* 
TIP: Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired interface to allow guest services on that interface.
6
Select SMA Enforcement to require that all traffic entering the WLAN Zone be authenticated through a SonicWall SMA appliance. If you select both SMA Enforcement and WiFiSec Enforcement, the Wireless zone allows traffic authenticated by either an SMA or an IPsec VPN.
7
In the SMA Server list, select an address object to direct traffic to the SonicWall SMA appliance.
8
In the SMA Service list, select the service or group of services you want to allow for clients authenticated through the SMA.
9
Select WiFiSec Enforcement to require that all traffic entering the WLAN Zone interface be IPsec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients connected to SonicPoints attached to an interface in a Zone on which WiFiSec is enforced must use IPsec. The VPN connection inherent in WiFiSec terminates at the WLAN GroupVPN, which you can configure independently of the WAN GroupVPN or other Zone GroupVPN instances. If you select both WiFiSec Enforcement and SMA Enforcement, the Wireless zone allows traffic authenticated by either an SMA or an IPsec VPN.
10
If you have enabled WiFiSec Enforcement, you can specify services that are allowed to bypass the WiFiSec enforcement by checking WiFiSec Exception Service and then selecting the service you want to exempt from WiFiSec enforcement.
11
If you have enabled WiFiSec Enforcement, you can select Require WiFiSec for Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections through the WLAN zone that are part of a site-to-site VPN.
12
Select Trust WPA traffic as WiFiSec to accept WPA as an allowable alternative to IPsec. Both WPA-PSK (pre-shared key) and WPA-EAP (Extensible Authentication Protocol using an external 802.1X/EAP-capable RADIUS server) are supported on SonicPoints.
13
Under the SonicPoint Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
14
Click the Guest Services tab. You can choose from the following configuration options for Wireless Guest Services:

Enable Wireless Guest Services—Enables guest services on the WLAN zone.

Enforce Guest Login over HTTPS—Requires guests to use HTTPS instead of HTTP to access the guest services.

Enable inter-guest communication—Allows guests connecting to SonicPoints in this WLAN Zone to communicate directly and wirelessly with each other.

Bypass AV Check for Guests—Allows guest traffic to bypass Anti-Virus protection.

Enable External Guest Authentication—Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating hotspot users and providing them parametrically bound network access.

* 
NOTE: Refer to the SonicWall Lightweight Hotspot Messaging tech note available at the SonicWall documentation Web site https://support.sonicwall.com/search?k=5447759 for complete configuration of the Enable External Guest Authentication feature.

Custom Authentication Page—Redirects you to a custom authentication page when you first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.

Post Authentication Page—Directs you to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.

Bypass Guest Authentication—Allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.

Redirect SMTP traffic to—Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.

Deny Networks—Blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.

Pass Networks—Automatically allows traffic through the WLAN zone from the networks you select.

Max Guests—Specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.

Enable Dynamic Address Translation (DAT)—Wireless Guest Services (WGS) provides spur-of-the-moment "hotspot" access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the SonicWall appliance's wireless DHCP service, and authenticate using any web browser. Without DAT, a WGS user who is not a DHCP client but has static IP settings incompatible with the wireless WLAN network settings has no connectivity until those settings are changed to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that allows the SonicWall wireless zone to support any IP addressing scheme for WGS users. For example, if the WLAN interface is configured with the address 172.16.31.1, one WGS client has a static IP address of 192.168.0.10 with a default gateway of 192.168.0.1, and another has a static IP address of 10.1.1.10 with a gateway of 10.1.1.1, DAT enables network communication for both clients.

15
Click OK to apply these settings to the WLAN zone.

Configuring DNS

Domain Name System (DNS) is the Internet standard for locating domain names and translating them into IP addresses. By default, the SonicWall appliance inherits its DNS settings from the WAN Zone.

To configure DNS, complete the following steps:
* 
NOTE: Network > DNS is only available in appliances running SonicOS Enhanced.
1
Expand the Network tree and click DNS. The DNS page displays.

2
Select the View IP Version:
To view the IPv4 DNS settings, click IPv4.
To view the IPv6 DNS settings, click IPv6.
3
Select from the following:
To specify DNS server IP addresses manually, select Specify DNS Servers Manually and enter the IP addresses of the servers.
To inherit the DNS settings from the WAN Zone configuration, select Inherit DNS Settings Dynamically from WAN Zone.
4
When you are finished, click Update. The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.

DNS Rebinding Attack Prevention

DNS rebinding is an attack on code running in web pages. Normally, requests from code embedded in a web page (JavaScript, Java, Flash) are bound by the browser's same-origin policy to the site the page came from. A DNS rebinding attacker registers a domain and delegates it to a DNS server under the attacker's control. That server first answers with the attacker's public address and then, because its records carry very short TTLs, re-answers the same name with an address inside the victim's network, so the page's code can scan the internal network and perform other malicious activity while the browser still treats it as the original site. The firewall counters this by inspecting DNS replies and acting on those that map a name to a locally connected or routed subnet.

To configure DNS Rebinding Attack Prevention, complete the following steps:
1
Select Enable DNS Rebinding Attack Prevention.
2
From the Action pull-down menu, select an action to do when a DNS rebinding attack is detected:
Log Attack
Log Attack & Return a Query Refused Reply
Log Attack & Drop DNS Reply
3
(Optional) From the Allowed Domains pull-down menu, select an FQDN Address Object or Group containing the domain names (for example, *.sonicwall.com) for which addresses in locally connected or routed subnets are legitimate responses. Use this for names that are published in public DNS but resolve to internal addresses, as with split-horizon DNS, and keep the list narrow, because every name on it is exempt from the check.
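The check described above, written out as an added example (not SonicOS or GMS code): a DNS reply is treated as a rebinding attack when it resolves a name that is not covered by the Allowed Domains list to an address inside a locally connected or routed subnet, and the three actions map to forwarding the reply, answering REFUSED, or dropping it. The local subnets, the allowed-domain pattern and the two-step reply trace are constructed for the illustration.

```python
"""
DNS rebinding check modelled on the Enable DNS Rebinding Attack Prevention
options: offending replies resolve a non-allowed name into a local subnet.
Added example, not SonicOS code; subnets, patterns and replies are constructed.
"""
import ipaddress
from fnmatch import fnmatch

# Subnets the firewall treats as locally connected/routed (constructed values).
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in
                 ("192.168.1.0/24", "10.0.0.0/8", "fd00::/8")]

# Allowed Domains: an FQDN address object/group (constructed), e.g. a
# split-horizon name that legitimately resolves to an internal address.
ALLOWED_DOMAINS = ["*.corp.example"]

LOG_ONLY = "Log Attack"
LOG_REFUSE = "Log Attack & Return a Query Refused Reply"
LOG_DROP = "Log Attack & Drop DNS Reply"


def is_local(ip):
    """True if ip falls in a locally connected/routed subnet (either IP version)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_SUBNETS)


def domain_allowed(qname):
    """Match the query name against the wildcard FQDN objects, case-insensitively."""
    name = qname.rstrip(".").lower()
    return any(fnmatch(name, pat.rstrip(".").lower()) for pat in ALLOWED_DOMAINS)


def inspect_reply(qname, answers, action):
    """Return (verdict, log_entries) for one DNS reply.

    verdict is 'forward' (reply passes to the client), 'refused' (the client
    gets a REFUSED reply instead) or 'drop' (reply silently discarded).
    """
    offending = [ip for ip in answers if is_local(ip)]
    if not offending or domain_allowed(qname):
        return "forward", []
    log = [f"DNS rebinding attack: {qname} -> {', '.join(offending)} ({action})"]
    if action == LOG_ONLY:
        return "forward", log
    if action == LOG_REFUSE:
        return "refused", log
    if action == LOG_DROP:
        return "drop", log
    raise ValueError(f"unknown action {action!r}")


def replay(trace, action):
    """Run a sequence of (qname, answers, ttl) replies, as a rebinding attack
    produces them, and return the verdict for each."""
    return [inspect_reply(qname, answers, action)[0] for qname, answers, _ttl in trace]


# Constructed rebinding trace: the attacker's server first answers with its
# own public address, then re-answers the same name with an internal one,
# using a one-second TTL so the browser re-resolves while the page is loaded.
ATTACK_TRACE = [
    ("attacker.example.", ["203.0.113.10"], 1),
    ("attacker.example.", ["192.168.1.20"], 1),
]

if __name__ == "__main__":
    print(replay(ATTACK_TRACE, LOG_DROP))   # ['forward', 'drop']
    print(inspect_reply("intranet.corp.example.", ["10.1.2.3"], LOG_DROP))
```

Only the second reply of the trace is caught: the first, pointing at a public address, is indistinguishable from an ordinary lookup, which is why the firewall has to inspect every reply rather than the first one for a name. With Log Attack the offending reply still reaches the client, so that action is for tuning the allowed list, not for protection.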

Configuring Dynamic DNS

Dynamic DNS (DDNS) is a service, offered by various companies and organizations, that updates DNS records automatically as a host's IP address changes, without manual intervention. It allows network access by domain name rather than IP address even when the target's IP address changes. DDNS is supported for IPv6 as well as IPv4.

To configure Dynamic DNS on the SonicWall security appliance, complete these steps:

1
Expand the Network tree and click Dynamic DNS. The Dynamic DNS page displays.

2
Click Add Dynamic DNS Profile.

The Add Dynamic DNS Profile window is displayed.

3
Select the Provider from the drop-down menu at the top of the page. DynDNS.org and changeip.com use HTTPS, while yi.org and no-ip.com use HTTP; with an HTTP-only provider the profile's user name and password cross the WAN in clear text, so use a dedicated account with a password that is not reused elsewhere. This example uses DynDNS.org, which requires the selection of a service, and assumes you have created a dynamic service record with dyndns.org.
4
Enter a name to assign to the DDNS entry in the Profile Name field. This can be any value used to identify the entry in the Dynamic DNS Settings table. The minimum length is 1 character, and the maximum length is 63 characters.
5
If Enable this profile is checked, the profile is administratively enabled and the SonicWall security appliance takes the actions defined in the Online Settings section on the Advanced tab. This option is selected by default.
6
If Use Online Settings is checked, the profile is administratively online. This option is selected by default.
7
Enter your dyndns.org username and password in the User Name and Password fields. For user names, the minimum length is 1 character, and the maximum length is 63 characters. For passwords, the minimum length is 1 character, and the maximum length is 31 characters.
8
Enter the fully qualified domain name (FQDN) of the hostname you registered with dyndns.org in the Domain Name field. Make sure you provide the same hostname and domain as you configured. The minimum length is 1 character, and the maximum length is 63 characters.
9
Optionally, select a WAN interface in the Bound to pull-down menu to assign this DDNS profile to that specific WAN interface. This allows administrators who are configuring multiple-WAN load balancing to advertise a predictable IP address to the DDNS service. By default, this is set to ANY, which means the profile is free to use any of the WAN interfaces on the appliance.
10
When using dyndns.org, select the Service Type from the pull-down list that corresponds to your type of service through dyndns.org. The options are:
Dynamic—A free Dynamic DNS service.
Custom—A managed primary DNS solution that provides a unified primary/secondary DNS service and a web-based interface. Supports both dynamic and static IP addresses.
Static—A free DNS service for static IP addresses.
11
When using DynDNS.org, you can optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Enable Backup MX if your DDNS provider allows an alternative IP address to be specified for the MX record.
12
Click the Advanced tab. You can typically leave the default settings on this page.

13
The On-line Settings section provides control over what address is registered with the dynamic DNS provider. The options are:
Let the server detect IP Address—The dynamic DNS provider determines the IP address based upon the source address of the connection. This is the most common setting.
Automatically set IP Address to the Primary WAN Interface IP Address—This causes the SonicWall device to assert its WAN IP address as the registered IP address, overriding auto-detection by the dynamic DNS server. Useful if detection is not working correctly.
Specify IP Address manually—Allows for the IP address to be registered to be manually specified and asserted.
14
The Off-line Settings section controls what IP Address is registered with the dynamic DNS service provider if the dynamic DNS entry is taken off-line locally (disabled) on the SonicWall. The options are:
Do nothing—the default setting. This allows the previously registered address to remain current with the dynamic DNS provider.
Use the Off-Line IP Address previously configured at Provider's site—If your provider supports manual configuration of Off-Line Settings, select this option to use those settings when this profile is taken administratively offline.
Make Host Unknown—Unregisters the entry.
Specify IP Address manually—Manually specify the IP address.
15
When you are finished, click Update. The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.

Configuring NAT Policies

* 
NOTE: The NAT policies page is only supported in SonicOS Enhanced.
Topics:
NAT Policies Tab
NAT Policy Settings
NAT Load Balancing Overview
Creating NAT Policies: Examples
Using NAT Load Balancing

Network > NAT Policies

About NAT in GMS

* 
IMPORTANT: Before configuring NAT Policies, be sure to create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, be sure you have Address Objects for your public and private IP addresses.
* 
TIP: By default, LAN to WAN has a NAT policy predefined on the firewall.

The Network Address Translation (NAT) engine in SonicOS allows you to define granular NAT policies for your incoming and outgoing traffic. By default, the firewall has a preconfigured NAT policy that allows all systems connected to the X0 interface to perform Many-to-One NAT using the IP address of the X1 interface, and a policy to not perform NAT when traffic crosses between the other interfaces. This section explains how to set up the most common NAT policies.

Understanding how to use NAT policies starts with the construction of an IP packet. Every packet contains addressing information that allows it to reach its destination and allows the destination to respond to the original requester. The packet contains, among other things, the requester's IP address, the requester's protocol information, and the destination's IP address. The NAT Policies engine in SonicOS inspects the relevant portions of the packet and can dynamically rewrite the information in specified fields for incoming as well as outgoing traffic.

The number of NAT policies you can add depends on the appliance model (512 on the TZ and SOHO models, 1024 on the NSA 2600 through NSA 4600, and 2048 on the NSA 5600, NSA 6600 and SM 9000 series; see the table below), and they can be as granular as you need. It is also possible to create multiple NAT policies for the same object: for instance, you can specify that an internal server use one IP address when accessing Telnet servers and a different IP address for all other protocols. Because the NAT engine in SonicOS supports inbound port forwarding, it is possible to hide multiple internal servers behind the WAN IP address of the firewall. The more granular the NAT policy, the more precedence it takes.

The following table shows the maximum number of static routes, dynamic routes and NAT policies allowed for each network security appliance model.

Maximum routes and NAT policies allowed per firewall model

Model             Static routes   Dynamic routes   NAT Policies
SM 9600           3072            4096             2048
SM 9400           3072            4096             2048
SM 9200           3072            4096             2048
NSA 6600          2048            4096             2048
NSA 5600          2048            4096             2048
NSA 4600          1088            2048             1024
NSA 3600          1088            2048             1024
NSA 2600          1088            2048             1024
TZ600             256             1024             512
TZ500/TZ500 W     256             1024             512
TZ400/TZ400 W     256             1024             512
TZ300/TZ300 W     256             1024             512
SOHO W            256             1024             512

About NAT64

Beginning with GMS 8.3, GMS supports NAT64, which enables an IPv6-only client to reach an IPv4-only server through an IPv6-to-IPv4 translation device known as a NAT64 translator. NAT64 provides access to legacy IPv4-only servers from IPv6 networks; the SonicWall appliance running NAT64 is placed as the intermediary router.

As a NAT64 translator, the appliance allows an IPv6-only client from any zone to initiate communication with an IPv4-only server, given proper route configuration. It maps IPv6 addresses to IPv4 addresses so that IPv6 traffic is translated to IPv4 traffic and vice versa. IPv6 address pools (represented as Address Objects) and IPv4 address pools are created to allow the mapping, and packet headers are translated between IPv6 and IPv4. The IPv4 addresses of IPv4 hosts are translated to and from IPv6 addresses using an IPv6 prefix configured in GMS.

NAT64 depends on DNS64. Either the IPv6-only client must be configured with a DNS64 server, or the DNS server address the client obtains automatically from the gateway must be that of a DNS64 server. The DNS64 server synthesizes AAAA (IPv6) records from the A (IPv4) records of IPv4-only hosts. GMS does not act as a DNS64 server.

* 
IMPORTANT: Currently, NAT64:
Only translates Unicast packets carrying TCP, UDP, and ICMP traffic.
Supports FTP and TFTP application-layer protocol streams, but does not support H.323, MSN, Oracle, PPTP, RTSP, and RealAudio application-layer protocol streams.
Does not support IPv4-initiated communications to a subset of the IPv6 hosts.
Does not support High Availability.

For each NAT64 traffic match, two mixed connection caches are created, so the capacity for NAT64 connections is half that for pure IPv4 or IPv6 connections.

Pref64::/n

The DNS64 server uses Pref64::/n to judge whether an IPv6 address is an IPv4-converted IPv6 address by comparing its first n bits with pref64::. DNS64 creates IPv4-converted IPv6 addresses by combining pref64:: with the IPv4 addresses from A records and returns them to IPv6-only clients in the DNS response. Pref64::/n therefore defines the address range that traffic from an IPv6-only client uses to reach an IPv4-only server through NAT64. In GMS, a Network Address Object can be configured to represent all addresses in pref64::/n. For configuring a Pref64::/n Address Object, see Default Pref64 Network Address Object.

Glossary

DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
IPv4-converted IPv6 addresses: IPv6 addresses used to represent IPv4 nodes in an IPv6 network
IPv4-embedded IPv6 addresses: IPv6 addresses in which 32 bits contain an IPv4 address
NAT: Network Address Translation
NAT64: Stateful Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers
NATPT: Network Address Translation - Protocol Translation
PMTUD: Path MTU discovery
XLATs: IP/ICMP translators

NAT Policies Tab

The NAT Policies tab allows you to view and manage your NAT Policies.

Viewing NAT Policy Entries

Topics:
Deleting Entries

Changing the Display

You can change the display of NAT policies in the NAT Policies tab by selecting one of the Select radio buttons:

All Types: Displays all NAT policies, both Default Policies and Custom Policies. Before you create any NAT policies, only the Default Policies are listed.
Default Policies: Displays only Default Policies.
Custom Policies: Displays only the NAT policies you have configured.

Filtering the Display

You can enter the policy number (the number listed in the # column) in the Search field to display a specific NAT policy. You can also enter alphanumeric search patterns, such as WLAN, X1 IP, or Private, to display only those policies of interest.

Displaying Information about Policies

Moving your pointer over the Comment icon in the Configure column of NAT Policies table displays the comments entered in the Comments field of the Add NAT Policy dialog for custom policies. Default policies have a brief description of the type of NAT policy, such as IKE NAT Policy or NAT Management Policy.

Moving your pointer over the Statistics icon in the Configure column of NAT Policies table displays traffic statistics for the NAT policy.

Deleting Entries

Clicking the Delete icon deletes the NAT Policy entry. If the icon is dimmed, the NAT Policy is a default entry, and you cannot delete it.

Selecting the checkboxes of specific custom policies makes the Delete button available. Clicking the button deletes the selected policies.

Clicking Delete All deletes all custom policies.

 

 

SonicWall appliances support Network Address Translation (NAT). NAT is the automated translation of IP addresses between different networks. For example, a company might use private IP addresses on a LAN that are represented by a single IP address on the WAN side of the SonicWall appliance.

SonicWall appliances support two types of NAT:

Address-to-Address Translation—local addresses are matched to public IP addresses. For example, the private IP address 10.50.42.112 might be mapped to the public IP address 132.22.3.2.
Port Translation or Network Address Port Translation (NAPT)—local addresses are dynamically matched to public IP address/port combinations (standard TCP ports). For example, the private IP address 192.168.102.12 might be mapped to the public IP address 48.12.11.1 using port 2302.
* 
NOTE: IP address/port combinations are dynamic and not preserved for new connections. For example, the first connection for IP address might use port 2302, but the second connection might use 2832.

IPv6 address objects display in the Original Source, Original Destination, Translated Source, and Translated Destination columns of the NAT Policies table. To add a NAT policy, click the Add NAT Policy link. To edit an existing policy, click the Configure icon for the policy you want to edit. The procedures for adding and editing NAT policies are the same for IPv6 as for IPv4.

Common Types of Mapping

SonicWall supports several types of address mapping. These include

One-to-One Mapping—one local IP address is mapped to one public IP address using Address-to-Address translation.
Many-to-One Mapping—many local IP addresses are mapped to a single public IP address using NAPT.
Many-to-Many Mapping—many local IP addresses are mapped to many public IP addresses. If the number of public IP addresses is greater than or equal to the number of local IP addresses, the SonicWall appliance uses Address-to-Address translation. If the number of public IP addresses is less than the number of local IP addresses, the SonicWall appliance uses NAPT. For example, if there are 10 private IP addresses and 5 public IP addresses, two private IP addresses are assigned to each public IP address using NAPT.

SonicWall NAT Policy Fields

When configuring a NAT policy, you configure a group of settings that specifies the original addressing of the traffic and how it is translated. Additionally, you can apply filters that restrict the policy to specific services and interfaces.

Original Source—used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range.
* 
NOTE: This field can also be used as a filter.
Translated Source—specifies the IP address or IP address range to which the original source will be mapped. This drop-down menu setting is what the specified Original Source is translated to, as it exits the firewall, whether it is to another interface, or into/out-of VPN tunnels. You can:
Specify predefined Address Objects
Select Original
Create your own Address Objects entries.

These entries can be single host entries, address ranges, or IP subnets.

Original Destination—used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range.
* 
NOTE: This field can also be used as a filter.

This drop-down menu setting is used to identify the Destination IP address(es) in the packet crossing the firewall, whether it be across interfaces, or into/out-of VPN tunnels. When creating outbound NAT polices, this entry is usually set to Any as the destination of the packet is not being changed, but the source is being changed. However, these Address Object entries can be single host entries, address ranges, or IP subnets.

Translated Destination—specifies the IP address or IP address range to which the original destination is mapped.

This drop-down menu setting is what the firewall translates the specified Original Destination to as it exits the firewall, whether it is to another interface, or into/out-of VPN tunnels. When creating outbound NAT polices, this entry is usually set to Original, as the destination of the packet is not being changed, but the source is being changed. However, these Address Objects entries can be single host entries, address ranges, or IP subnets.

Original Service—used to filter destination addresses by service, this field specifies a Service Object that can be a single service or group of services.

This drop-down menu setting is used to identify the IP service in the packet crossing the firewall, whether it is across interfaces, or into/out-of VPN tunnels. You can use the predefined services on the firewall, or you can create your own entries. For many NAT policies, this field is set to Any, as the policy is only altering source or destination IP addresses.

Translated Service—specifies the service or port to which the original service is remapped.

This drop-down menu setting is what the firewall translates the Original Service to as it exits the firewall, whether it be to another interface, or into/out-of VPN tunnels. You can use the predefined services in the firewall, or you can create your own entries. For many NAT Policies, this field is set to Original, as the policy is only altering source or destination IP addresses.

Inbound Interface—filters source addresses by interface.

This drop-down menu setting is used to specify the entry interface of the packet. When dealing with VPNs, this is usually set to Any, as VPN tunnels are not really interfaces.

Outbound Interface—filters destination addresses by interface.

This drop-down is used to specify the exit interface of the packet after the NAT policy has been applied. This field is mainly used for specifying to which WAN interface to apply the translation.

* 
IMPORTANT: Of all fields in NAT policy, this one has the most potential for confusion.
Enable NAT Policy—By default, this box is checked, meaning the new NAT policy is activated the moment it is saved. To create a NAT policy entry but not activate it immediately, clear this box.
Comment—This field can be used to describe your NAT policy entry. The field has a 32-character limit, and once saved, can be viewed in the main Network > NAT Policies page by running the mouse over the text balloon next to the NAT policy entry. Your comment appears in a pop-up window as long as the mouse is over the text balloon.

Common NAT Configuration Types

The following sections describe common NAT configuration types:

One-to-One Mapping

To configure one-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP address in the Original Source field and the public IP address that is used to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

* 
NOTE: If you map more than one private IP address to the same public IP address, the private IP addresses will automatically be configured for port mapping or NAPT.

To configure one-to-one mapping from the public network to the private network, select the Address Object that corresponds to the public network IP address in the Original Destination field and the private IP address that is used to reach the server in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

* 
NOTE: If you map one public IP address to more than one private IP address, the public IP address is mapped to the first private IP address. Load balancing is not supported. Additionally, you must set the Original Source to Any.
Many-to-One Mapping

To configure many-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP address that is used to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

* 
NOTE: You can also specify Any in the Original Source field and the Address Object of the LAN interface in the Translated Source field.
Many-to-Many Mapping

To configure many-to-many mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP addresses to which they are mapped in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

* 
NOTE: If the IP address range specified in the Original Source is larger than the Translated Source, the SonicWall appliance uses port mapping or NAPT. If the Translated Source is equal to or larger than the Original Source, addresses are individually mapped.

To configure many-to-many mapping from the public network to the private network, select the Address Object that corresponds to the public network IP addresses in the Original Destination field and the IP addresses on the private network in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

* 
NOTE: If the IP address range specified in the Original Destination is smaller than the Translated Destination, the SonicWall appliance maps the original addresses individually to the first IP addresses in the translated range. If the Translated Destination is equal to or smaller than the Original Destination, addresses are individually mapped.
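
The following is an added illustration, not code from the GMS product or this guide: a small Python model of the mapping rules described above (one-to-one, many-to-one with port mapping/NAPT, many-to-many, and the "first private address" rule for inbound mappings). The address ranges, the port allocator and the way originals are spread over translated addresses under NAPT are constructed assumptions for the model.

```python
import ipaddress
from itertools import count


def expand(spec):
    """Expand an Address Object given as a single IP ('203.0.113.10') or a
    range ('192.168.1.1-192.168.1.4') into an ordered list of addresses."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    return [ipaddress.ip_address(spec)]


class SourceNat:
    """Outbound policy model: Original Source -> Translated Source."""

    def __init__(self, original_source, translated_source, first_port=1024):
        self.orig = expand(original_source)
        self.trans = expand(translated_source)
        # Guide rule: more original than translated addresses -> port mapping (NAPT);
        # otherwise every original address gets its own translated address.
        self.napt = len(self.orig) > len(self.trans)
        self._ports = count(first_port)   # hypothetical sequential port allocator
        self._table = {}                  # (src_ip, src_port) -> (trans_ip, trans_port)

    def translate(self, src_ip, src_port):
        ip = ipaddress.ip_address(src_ip)
        if ip not in self.orig:
            return None                   # packet does not match Original Source
        key = (ip, src_port)
        if key not in self._table:
            idx = self.orig.index(ip)
            if self.napt:
                # Assumption: originals are spread over the translated addresses by position;
                # the port is remapped so two hosts using the same source port stay distinct.
                self._table[key] = (str(self.trans[idx % len(self.trans)]), next(self._ports))
            else:
                self._table[key] = (str(self.trans[idx]), src_port)
        return self._table[key]


def translate_destination(original_destination, translated_destination, dst_ip):
    """Inbound policy model: Original Destination -> Translated Destination."""
    orig, trans = expand(original_destination), expand(translated_destination)
    ip = ipaddress.ip_address(dst_ip)
    if ip not in orig:
        return None
    idx = orig.index(ip)
    # Guide rule: originals map individually to the first addresses of the translated range,
    # so one public address mapped to several private ones always reaches the first one.
    # Originals beyond the end of the translated range are left unmapped in this model.
    return str(trans[idx]) if idx < len(trans) else None


if __name__ == "__main__":
    # Constructed sample: a whole private /24 behind one public address (many-to-one -> NAPT)
    many_to_one = SourceNat("192.168.1.1-192.168.1.254", "203.0.113.10")
    print(many_to_one.napt, many_to_one.translate("192.168.1.5", 40000),
          many_to_one.translate("192.168.1.6", 40000))
    print(translate_destination("203.0.113.10", "192.168.1.10-192.168.1.12", "203.0.113.10"))
```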

NAT Load Balancing and Probing

NAT load balancing provides the ability to balance incoming traffic across multiple, similar network resources. Load Balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime.

With probing enabled, the SonicWall probes the addresses in the load-balancing group using one of two methods: a simple ICMP ping query, or a TCP socket open query, either of which determines whether the resource is alive. Per the configurable intervals, the SonicWall can direct traffic away from a non-responding resource, and return traffic to the resource after it has begun to respond again.

NAT Load Balancing Methods

NAT load balancing is configured on the Advanced tab of a NAT policy.

SonicOS offers the following NAT methods:

Sticky IP—Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments.
Round Robin—Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.
Block Remap/Symmetrical Remap—These two methods are useful when you know the source IP addresses/networks (for example, when you want to precisely control how traffic from one subnet is translated to another).
Random Distribution—Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources.

For more information about NAT Load Balancing, see the SonicOS Enhanced 4.0 Administration Guide.

Configuring NAT Policies

To configure NAT Policies on a unit running SonicOS Enhanced, complete the following steps:
1
Expand the Network tree and click NAT Policies. The NAT Policies page displays.

2
To edit an existing policy, click its Edit icon. To add a new policy, click Add NAT Policy.

3
Configure the following:
Original Source—used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range.
Translated Source—specifies the IP address or IP address range to which the original source will be mapped.
Original Destination—used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range.
Translated Destination—specifies the IP address or IP address range to which the original destination will be mapped.
Original Service—used to filter source addresses by service, this field specifies a Service Object that can be a single service or group of services.
Translated Service—used to filter destination addresses by service, this field specifies a Service Object that can be a single service or group of services.
Inbound Interface: This drop-down menu setting specifies the entry interface of the packet. The default is Any.

When dealing with VPNs, this is usually set to Any (the default), as VPN tunnels are not really interfaces.

Outbound Interface: This drop-down menu specifies the exit interface of the packet after the NAT policy has been applied. This field is mainly used for specifying to which WAN interface to apply the translation.
* 
IMPORTANT: Of all fields in NAT policy, this one has the most potential for confusion.

When dealing with VPNs, this is usually set to Any (the default), as VPN tunnels are not really interfaces. Also, as noted in Configuring NAT Policies, when creating inbound one-to-one NAT Policies where the destination is being remapped from a public IP address to a private IP address, this field must be set to Any.

4
To enable the NAT policy, select Enable.
5
Add any comments to the Comments field.
6
If you selected an Address Group Object for any of the pull-down lists on the General tab, you can make changes on the Advanced tab. Click the Advanced tab.

* 
NOTE: Except for Disable Source Port Remap, the options on this tab can only be activated when a group is specified in one of the drop-down menus on the General tab. Otherwise, the NAT policy defaults to Sticky IP as the NAT method.
7
Select the NAT method from the NAT Method pull-down list. For information on the available methods, see NAT Load Balancing Methods.
8
Optionally, to force the appliance to do only IP address translation and no port translation for the NAT policy, select Disable Source Port Remap. GMS preserves the source port of the connection while executing other NAT mapping. This option is available when adding or editing a NAT policy if the source IP address is being translated. This option is not selected by default.
* 
NOTE: This option is unavailable and dimmed if the Translated Source (on the General tab) is set to Original.

You can select this option to temporarily take the interface offline for maintenance or other reasons. If connected, the link goes down. Clear the check box to activate the interface and allow the link to come back up.

9
Optionally select Enable Probing and make desired changes to the following fields:
Probe host every ... seconds—indicates how often to probe the addresses in the load-balancing group
Probe Type—specifies to use either Ping (ICMP) or TCP (checks that a socket is opened) for probing
Port—specifies the port that the probe uses, such as TCP port 80 for a Web server
Reply time out—specifies the number of seconds to wait for a reply to the probe
Deactivate host after ... missed intervals—specifies the number of reply time outs before deciding that the host is unreachable
Reactivate host after ... successful intervals—specifies the number of replies received before deciding that the host is available for load balancing again
10
RST Response Counts as Miss – Select to count RST responses as misses. The option is selected by default if Enable Port Probing is selected.
11
Enable Port Probing – Select to enable port probing for TCP. Selecting this option enhances NAT to also consider the port while load balancing. This option is disabled by default.
12
When you are finished, click Update. The policy is added and you are returned to the NAT Policies screen.
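
As an added example that is not part of this guide or the GMS code, the following Python model ties together the NAT Load Balancing Methods described earlier (Sticky IP, Round Robin, Random Distribution) with the probing settings of steps 9 through 11: a member is deactivated after the configured number of missed intervals and reactivated after the configured number of successful ones. The member addresses, the per-interval probe results and the hash used for Sticky IP are constructed assumptions of the model; Block Remap and Symmetrical Remap are not modelled.

```python
import random
import zlib
from dataclasses import dataclass


@dataclass
class Member:
    ip: str
    alive: bool = True
    missed: int = 0       # consecutive missed probe intervals while active
    succeeded: int = 0    # consecutive successful intervals while deactivated


class NatLoadBalancer:
    """Model of a NAT policy whose translated address is an Address Group with probing enabled."""

    def __init__(self, members, method="sticky", deactivate_after=3, reactivate_after=3):
        self.members = [Member(ip) for ip in members]
        self.method = method                  # "sticky", "round_robin" or "random"
        self.deactivate_after = deactivate_after  # "Deactivate host after ... missed intervals"
        self.reactivate_after = reactivate_after  # "Reactivate host after ... successful intervals"
        self._rr = 0                          # round-robin cursor

    def live(self):
        return [m for m in self.members if m.alive]

    def probe(self, results):
        """Apply one probe interval. results maps ip -> True (reply within the
        reply time out) or False (time out, or an RST when RST responses count as misses)."""
        for m in self.members:
            ok = results.get(m.ip, False)
            if m.alive:
                m.missed = 0 if ok else m.missed + 1
                if m.missed >= self.deactivate_after:
                    m.alive, m.succeeded = False, 0
            else:
                m.succeeded = m.succeeded + 1 if ok else 0
                if m.succeeded >= self.reactivate_after:
                    m.alive, m.missed = True, 0

    def select(self, src_ip):
        """Pick the live member a new connection from src_ip is sent to, or None if all are down."""
        live = self.live()
        if not live:
            return None
        if self.method == "sticky":
            # Assumption: persistence is modelled as a hash of the source IP over the live set
            return live[zlib.crc32(src_ip.encode()) % len(live)].ip
        if self.method == "round_robin":
            m = live[self._rr % len(live)]
            self._rr += 1
            return m.ip
        if self.method == "random":
            return random.choice(live).ip
        raise ValueError("unknown NAT method: %s" % self.method)


if __name__ == "__main__":
    # Constructed sample: three web servers, TCP probe results fed in per interval
    lb = NatLoadBalancer(["192.168.1.10", "192.168.1.11", "192.168.1.12"], method="round_robin")
    for _ in range(3):
        lb.probe({"192.168.1.10": True, "192.168.1.11": False, "192.168.1.12": True})
    print([m.ip for m in lb.live()], [lb.select("198.51.100.7") for _ in range(3)])
```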

Configuring Web Proxy Forwarding Settings

A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.

Setting up a Web proxy server on a network can be cumbersome, because each computer on the network must be configured to direct Web requests to the server.

If there is a proxy server on the SonicWall appliance’s network, you can move the SonicWall appliance between the network and the proxy server, and enable Web Proxy Forwarding. This forwards all WAN requests to the proxy server without requiring the computers to be individually configured.

Configuring Automatic Proxy Forwarding (Web Only)

* 
NOTE: The proxy server must be located on the WAN or DMZ; it cannot be located on the LAN.

To configure a Proxy Web server, select the Network > Web Proxy page.

1
Connect your Web proxy server to a hub, and connect the hub to the SonicWall appliance’s WAN or DMZ port.
2
Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) field.
3
Type the proxy IP port in the Proxy Web Server Port field.
4
To bypass the Proxy Servers if a failure occurs, select Bypass Proxy Servers Upon Proxy Server Failure.
5
Select Forward DMZ Client Requests to Proxy Server if you have clients configured on the DMZ.
6
Select Divert traffic to the WXA series appliance’s Web Cache if you would like to divert web traffic to a WXA series appliance.
7
For Client Inclusion Address Object, specify the appropriate client inclusion option from the pull-down. Select the Address Object or Group that represents those local subnets with web traffic that should be delivered through the WXA Web Cache. Alternatively, choose Any and traffic from any source IP address is forwarded to the WXA.
8
For Server Exclusion Address Object, specify the appropriate server exclusion option from the pull-down. Select the Address Object or Group that contains the destination addresses of web servers for which traffic should not be diverted through the WXA Web Cache. By selecting None, no web server is excluded and all appropriate traffic is sent through the WXA.
9
Click Update.
10
Confirm the Description and Schedule and click Accept.
11
After the SonicWall appliance has been updated, a message confirming the update is displayed at the bottom of the browser window.

Bypass Proxy Servers Upon Proxy Failure

If a Web proxy server is specified on the Firewall > Web Proxy page, selecting Bypass Proxy Servers Upon Proxy Server Failure allows clients behind the SonicWall appliance to bypass the Web proxy server in the event it becomes unavailable. Instead, the client’s browser accesses the Internet directly as if a Web proxy server is not specified.

Adding a Proxy Server

To add a Web Proxy server through which users’ web requests might come, complete the following steps:
1
In the User Proxy Settings sections, click Add.
2
Enter a proxy server host name or IP address in the text-field, and then click OK.

The new proxy server populates in the User Proxy Servers list. This list is fully configurable and includes edit, remove, and delete actions.

3
Click Update.

Configuring Routing in SonicOS Enhanced

If you have routers on your interfaces, you can configure the SonicWall appliance to route network traffic to specific predefined destinations. Static routes must be defined if the network connected to an interface is segmented into subnets, either for size or practical considerations. For example, a subnet can be created to isolate a section of a company, such as finance, from network traffic on the rest of the LAN, DMZ, or WAN.

To add static routes, complete the following steps:
1
Expand the Network tree and click Routing. The Routing page displays.
2
Click Add Route Policy.

3
Select the source address object from the Source list box.
4
Select the destination address object from the Destination list box.
5
Specify the type of service that is routed from the Service list box.
6
Select the address object that acts as a gateway for packets matching these settings.
7
Select the interface through which these packets are routed from the Interface list box.
8
Specify the RIP metric in the Metric field.
9
Type a descriptive comment into the Comment field.
10
For appliances running SonicOS Enhanced 4.0 and above, optionally select Disable route when the interface is disconnected.
11
For appliances running SonicOS Enhanced 4.0 and above, select Allow VPN path to take precedence to allow a matching VPN network to take precedence over the static route when the VPN tunnel is up.
12
For appliances running SonicOS Enhanced 6.1 and above, select Permit TCP Acceleration to allow accelerated TCP traffic to pass through the SonicWall appliance.
13
Click the Probe drop-down menu and select a probe type.
14
Click Disable route when probe succeeds.
15
Click Probe default state is UP.
16
To configure the routing policy advanced settings, click the Advanced tab.
17
Enter the ToS hexadecimal value in the TOS text-field.
18
Enter the ToS Mask hexadecimal value in the TOS Mask text-field.
19
Enter a value for the Admin Distance, or select Auto for an automatically created Admin Distance.
20
When you are finished, click Update. The route settings are configured for the selected SonicWall appliance(s). To clear all screen settings and start over, click Reset.

Probe-Enabled Policy Based Routing Configuration

For appliances running SonicOS Enhanced 5.5 and above, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.

Policy Based Routing is fully supported for IPv6 by selecting IPv6 address objects and gateways for route policies on the Network > Routing page. IPv6 address objects are listed in the Source, Destination, and Gateway columns of the Route Policies table. Configuring routing policies for IPv6 is nearly identical to IPv4.

To configure a policy based route, complete the following steps:
1
In the Probe pull-down menu select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object. For more information, see Configuring Network Monitor.
2
Typical configurations do not have Disable route when probe succeeds checked because typically administrators will want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.
3
Select the Probe default state is UP to have the route consider the probe to be successful (such as in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”
4
Click Update to apply the configuration.

Configuring RIP in SonicOS Enhanced

Routi