
Secure Mobile Access 8.6 Admin Guide

Configuring Services & Clients

End Point Control

This section provides information and configuration tasks specific to the End Point Control pages on the Secure Mobile Access web-based management interface.


Configuring End Point Control

In traditional VPN solutions, accessing your network from an untrusted site like an employee-owned computer or a kiosk at an airport or hotel increases the risk to your network resources. The SMA/SRA appliance provides secure access from any Web-enabled system, including devices in untrusted environments. Secure Mobile Access supports End Point Control (EPC), a default service available on SMA 400/200, SRA 4600/1600, and SMA 500v Virtual Appliance.

EPC verifies that the user’s environment is secure before establishing a connection. EPC protects sensitive data and ensures that your network is not compromised when accessed from devices in untrusted environments. EPC also protects the network from threats originating from client devices participating in the SMA/SRA.

EPC is checked when users log in to the web portal from a web browser that blocks any access to the private network from untrusted sites. The EPC portal checking process uses the browser plug-ins on your system.

EPC is supported on iOS and Android mobile devices using Mobile Connect, allowing device profiles to be created for these mobile devices. This provides security protection from threats against client devices and protection to the SMA/SRA appliance from threats originating from client devices participating in the SSL VPN. For more information on Mobile Connect, refer to the Mobile Connect User Guides.

Secure Mobile Access provides these end point security controls by completing host integrity checking and security protection mechanisms before a tunnel session is begun. Host integrity checks help ensure that the client system is in compliance with your organization’s security policy. SonicWall Inc. end point security controls are tightly integrated with access control to analyze the client system and apply access controls based on the results.

EPC supports the Windows, Linux, and Mac NetExtender client. It also supports Mobile Connect for iOS, Android, OSX, Windows Phone, and Windows Next. For Web Portal login, EPC is supported only on Windows platforms. EPC enhancements are supported on the SonicWall Inc. SMA 400/200, SRA 4600/1600, and SMA 500v Virtual Appliance platforms.

NOTE: When the EPC feature is active, other features might run slower because of the increased traffic.

To configure EPC:

1. Image the appliance with the latest Secure Mobile Access firmware, as explained in the Getting Started Guide for your appliance.
2. Configure Device Profiles that allow or deny user authentication based on various global, group, or user attributes. See End Point Control > Device Profiles.
3. Add and configure groups and users to allow or deny End Point Control profiles. See End Point Control > Status.
4. Configure users to inherit their group profiles. See Users > Local Groups > Edit EPC Settings.
5. Enable End Point Control. See End Point Control > Status.
6. Connect to NetExtender and monitor the End Point Control log. See End Point Control > Log.

End Point Control > Device Profiles

Create device profiles to configure authentication guidelines for users or groups of users based on various global, group, or user attributes. For example, you can select groups that use an Antivirus program or users with a specific Windows version.

Two kinds of profiles are available: Allow profiles and Deny profiles. Allow profiles identify attributes of the client’s network that must be present before a user is authenticated, and Deny profiles identify attributes of the network that cannot be present. If multiple profiles are defined for a group or user, connection to the SMA/SRA appliance is granted only when a client’s environment fulfills all Allow profiles for the group or user and does not fulfill any Deny profiles.

Use the End Point Control > Device Profiles page to manage device profiles.

End Point Control > Device Profiles

The End Point Control > Device Profiles page lists all device profiles and identifies the platform where the profile can be used. This page also contains buttons that allow you to add, edit, or delete profiles. Hover the mouse over an icon or button to identify it.

To create a device profile:

1. On the End Point Control > Device Profiles page, click Add Device Profile. The Add Device Profile page is displayed.
2. In the Name field, type the name that is used to identify the profile.
3. In the Description field, optionally type a brief description that helps identify the profile.
4. Select whether the profile is being created for Windows, Mac, Linux, iOS, or Windows Phone clients.
5. Use the Type drop-down list to select the attribute used to select users. The remaining fields on this page vary based on your selection.
6. Click Add to current attribute.
7. Repeat steps 5 and 6 for each attribute that should be included in the profile.
8. Optionally, enter a custom message that is shown to the user when the EPC check fails. The administrator can use this text to explain how to fix the issue or why the policy failed.
9. To complete the profile, click Accept at the upper right of the page.

Users > Local Groups > Edit EPC Settings

After creating device profiles, assign them to the local groups that use them to authenticate users. Device profiles can be Allow profiles and Deny profiles. Allow profiles identify attributes of the client’s network that must be present before a user is authenticated, and Deny profiles identify attributes of the network that cannot be present. If multiple profiles are defined for a group, connection to the SMA/SRA appliance is granted only when a client’s environment fulfills all Allow profiles for the group and does not fulfill any Deny profiles. Use the EPC tab on the Users > Local Groups > Edit page to assign device profiles to a group.

NetExtender login can be disabled on platforms where EPC is enabled.

EPC portal checking uses the NetExtender browser plug-in. EPC is checked when users log in to the web portal from a web browser that blocks any access to the private network from untrusted sites.

To configure device profiles to be used when authenticating users in a local group:

1. Navigate to the Users > Local Groups page and click Edit for the Global group or a local group to be configured for EPC.
2. When the Edit Local Group page appears, go to the EPC settings section. Use the EPC tab to enable or disable EPC for the group, select how to handle authentication requests from unsupported clients, and add or remove device profiles.
3. In the Enable EPC field, select Enabled to enable EPC for the group, Disabled to disable EPC for the group, or Use global setting to either enable or disable EPC based on whether EPC is enabled on the Users > Local Users > Edit Global Policies or Users > Local Groups > Edit Global Policies page.
4. In the Enable Portal Login field, set the default action to Enabled to allow or Disabled to block logins from these portals when EPC is enabled.
5. EPC is supported for iOS and Android mobile clients. In the Enable Mobile Client Login field, set the default action to Enabled to allow or Disabled to block logins from these clients when EPC is enabled.
6. Fields in the Recurring EPC section vary, depending on whether you are configuring EPC for the Global group or a local group. To configure EPC for the Global group, select Check endpoint at login to do EPC checks only when users log in, or select Check endpoint at login and every x minutes thereafter to also do EPC checks at set intervals. For example, to do EPC checks whenever a user logs in and every x minutes thereafter while the user is logged in, select Check endpoint at login and every x minutes thereafter and type the number of minutes to wait between EPC checks.

   OR

   To configure EPC for a local group, select Use global setting or Custom Setting from the Recurring EPC drop-down list. If you select Use global setting, the local group inherits the EPC settings from the Global group. If you select Custom Setting, the Check endpoint at login and Check endpoint at login and every x minutes thereafter prompts are displayed and you can configure EPC, as explained for the Global group.

7. Either select Inherit global device profiles to use all defined Allow and Deny device profiles for the group.

   OR

   Add or remove profiles using the Edit EPC page:

   a. To add or remove an Allow profile for the group, click Add Allow Profiles.
   b. In the Edit EPC page, select the profiles from the All Profiles list that you want to add to the group and click Add selected profiles. Selected profiles are then moved to the In Use Profiles list on the page, which lists all device profiles that are used for the group.
   c. To disable a profile without deleting it, clear Enabled next to the profile. To enable a profile, select Enabled. This allows you to selectively enable or disable a profile that is used periodically.
   d. To remove an Allow profile from the group, select the profile from the In Use Profiles list and click Remove selected profiles.
   e. To add or remove a Deny profile for the group, click Add Deny Profiles and follow the preceding steps b through d.

8. Click Accept to save your changes.

Users > Local Users > Edit EPC Settings

After creating device profiles, assign them to the local users. Device profiles can be Allow profiles and Deny profiles. Allow profiles identify attributes of the client’s network that must be present before a user is authenticated, and Deny profiles identify attributes of the network that cannot be present. If multiple profiles are defined for a user, connection to the SMA/SRA appliance is granted only when a client’s environment fulfills all Allow profiles for the user and does not fulfill any Deny profiles. Use the EPC tab on the Users > Local Users > Edit page to assign device profiles to a user.

NetExtender login can be disabled on platforms where EPC is enabled.

To configure device profiles to be used when authenticating a local user:

1. Navigate to the Users > Local Users page and click Edit for the user to be configured for EPC.
2. When the Edit Local User page appears, click the EPC tab. Use the EPC tab to enable or disable EPC for the user, select how to handle authentication requests from unsupported clients, and add or remove device profiles.
3. In the Enable EPC field, select Enabled to enable EPC for the user, Disabled to disable EPC for the user, or Use group setting to either enable or disable EPC based on whether EPC is enabled on the End Point Control > Settings page.
4. In the Enable Portal Login field, set the default action to Enabled to allow or Disabled to block logins when EPC is enabled.
5. EPC is supported for iOS and Android mobile clients. In the Enable Mobile Client Login field, set the default action to Enabled to allow logins or Disabled to block logins from these clients when EPC is enabled. Or set the default action to Use group setting to either enable or disable EPC based on whether EPC is enabled on the End Point Control > Settings page.
6. In the Recurring EPC section, configure when EPC checks should be conducted. Select Check endpoint at login to do EPC checks only when users log in, or select Check endpoint at login and every x minutes thereafter to also do EPC checks at set intervals. For example, to do EPC checks whenever a user logs in and every x minutes thereafter while the user is logged in, select Check endpoint at login and every x minutes thereafter and type the number of minutes to wait between EPC checks.
7. Fields in the Recurring EPC section vary, depending on whether you are configuring EPC for the Global group or a local user. To configure EPC for the Global group, select Check endpoint at login to do EPC checks only when users log in, or select Check endpoint at login and every x minutes thereafter to also do EPC checks at set intervals. For example, to do EPC checks whenever a user logs in and every x minutes thereafter while the user is logged in, select Check endpoint at login and every x minutes thereafter and type the number of minutes to wait between EPC checks.

   OR

   To configure EPC for a local user, select Use global setting or Custom Setting from the Recurring EPC drop-down list. If you select Use global setting, the local user inherits the EPC settings from the Global group. If you select Custom Setting, the Check endpoint at login and Check endpoint at login and every x minutes thereafter prompts are displayed and you can configure EPC, as explained for the Global group.

8. Either select Inherit group device profiles to use all defined Allow and Deny device profiles for the user.

   OR

   Add or remove profiles using the Edit EPC page:

   a. To add or remove an Allow profile for the user, click Add Allow Profiles.
   b. In the Edit EPC page, select the profiles from the All Profiles list that you want to add for the user and click Add selected profiles. Selected profiles are then moved to the In Use Profiles list on the page, which lists all device profiles that are used for the user.
   c. To remove an Allow profile for the user, select the profile from the In Use Profiles list and click Remove selected profiles.
   d. To add or remove a Deny profile for the user, click Add Deny Profiles and follow the preceding steps b and c.

9. Click Accept to save your changes.
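The Allow/Deny evaluation and the global > group > user inheritance described in the Device Profiles, Local Groups and Local Users sections, as an added Python model. This is not SonicWall code: the attribute names, the sample profiles and clients, and the rule that a profile is only fulfilled by clients of its own platform are assumptions made for the example.

```python
# Added example: model of the EPC allow/deny decision described in this guide.
# Not SonicWall code. Attribute names, sample data and the platform rule are assumptions.
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DeviceProfile:
    name: str
    platform: str               # Windows, Mac, Linux, iOS or Windows Phone (step 4 of creating a profile)
    attributes: Dict[str, str]  # attribute Type -> required value, e.g. {"antivirus": "running"}
    enabled: bool = True        # the Enabled check box in the In Use Profiles list

    def fulfilled_by(self, client: Dict[str, str]) -> bool:
        """True when the client is on this profile's platform and has every listed attribute.

        Assumption: the platform chosen for the profile counts as one more attribute
        that must match, so a Windows profile is never fulfilled by a Mac client.
        """
        if client.get("platform") != self.platform:
            return False
        return all(client.get(k) == v for k, v in self.attributes.items())


@dataclass
class EpcSettings:
    """EPC tab of one level: the global policy, a local group, or a local user."""
    enable: str = "inherit"            # "enabled", "disabled" or "inherit" (Use global/group setting)
    inherit_profiles: bool = True      # "Inherit global device profiles" / "Inherit group device profiles"
    allow: List[DeviceProfile] = field(default_factory=list)
    deny: List[DeviceProfile] = field(default_factory=list)


def effective_enable(chain: List[EpcSettings]) -> bool:
    """Walk user -> group -> global and use the first level that does not inherit."""
    for level in chain:
        if level.enable != "inherit":
            return level.enable == "enabled"
    raise ValueError("the global EPC setting must be 'enabled' or 'disabled'")


def effective_profiles(chain: List[EpcSettings]) -> Tuple[List[DeviceProfile], List[DeviceProfile]]:
    """Return the Allow and Deny lists of the first level that defines its own profiles.

    Profiles whose Enabled box is cleared are skipped without being deleted.
    """
    for level in chain:
        if not level.inherit_profiles:
            return ([p for p in level.allow if p.enabled],
                    [p for p in level.deny if p.enabled])
    raise ValueError("the global level cannot inherit device profiles")


def epc_decision(client: Dict[str, str], user: EpcSettings, group: EpcSettings,
                 global_policy: EpcSettings) -> Tuple[bool, str]:
    """Decide one login: granted only if every Allow profile is fulfilled and no Deny profile is."""
    chain = [user, group, global_policy]
    if not effective_enable(chain):
        return True, "EPC disabled at the effective level; no end point check performed"
    allow, deny = effective_profiles(chain)
    for p in allow:
        if not p.fulfilled_by(client):
            return False, "Allow profile '%s' not fulfilled" % p.name
    for p in deny:
        if p.fulfilled_by(client):
            return False, "Deny profile '%s' matched" % p.name
    return True, "all Allow profiles fulfilled and no Deny profile matched"


# Constructed sample data (not taken from the guide).
WIN_AV = DeviceProfile("Windows with antivirus", "Windows", {"antivirus": "running"})
LEGACY_WIN = DeviceProfile("Windows 7 (deny)", "Windows", {"windows_version": "7"})
GLOBAL = EpcSettings(enable="enabled", inherit_profiles=False, allow=[WIN_AV])
CONTRACTORS = EpcSettings(inherit_profiles=False, allow=[WIN_AV], deny=[LEGACY_WIN])
INHERITING_GROUP = EpcSettings()                  # Use global setting + inherit global profiles
INHERITING_USER = EpcSettings()                   # Use group setting + inherit group profiles
EPC_OFF_USER = EpcSettings(enable="disabled")     # user-level Disabled overrides the group

WIN10_CLIENT = {"platform": "Windows", "antivirus": "running", "windows_version": "10"}
WIN7_CLIENT = {"platform": "Windows", "antivirus": "running", "windows_version": "7"}
NO_AV_CLIENT = {"platform": "Windows", "antivirus": "absent", "windows_version": "10"}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the sample clients through the contractors group; returns name -> (granted, reason)."""
    return {
        "win10": epc_decision(WIN10_CLIENT, INHERITING_USER, CONTRACTORS, GLOBAL),
        "win7": epc_decision(WIN7_CLIENT, INHERITING_USER, CONTRACTORS, GLOBAL),
        "no-av": epc_decision(NO_AV_CLIENT, INHERITING_USER, CONTRACTORS, GLOBAL),
        # Same Deny profile with its Enabled box cleared: it is kept but no longer evaluated.
        "win7-deny-disabled": epc_decision(
            WIN7_CLIENT, INHERITING_USER,
            replace(CONTRACTORS, deny=[replace(LEGACY_WIN, enabled=False)]), GLOBAL),
    }


if __name__ == "__main__":
    for name, (granted, reason) in demo().items():
        print("%-20s %s  %s" % (name, "GRANT" if granted else "DENY ", reason))
```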

End Point Control > Status

The End Point Control > Status page allows you to configure auto updates, view the current EPC version being used, update the EPC version, and view the service expiration date.

End Point Control > Status

1. Select Allow auto update to enable OPSWAT to update automatically.
2. The Installed version displays the current version being used.
3. Click Check Update to query immediately whether any updates are available. If a new update is available, the button changes to Apply Update.
4. The Service Expiration Date displays when the current service expires.
5. Click Previous Settings to apply the previous version of the service.

End Point Control > Settings

EPC is globally enabled or disabled on the End Point Control > Settings page. When EPC is disabled, it is disabled at the global, group, and user level. The Settings page also is used to customize the message displayed when a NetExtender client login fails EPC security checking.

End Point Control > Settings

End Point Control > Log

The End Point Control > Log page lists all client logins blocked by EPC. This log can be searched, filtered, e-mailed, and exported.

End Point Control > Log

Use this page to complete the following functions:

Click Export Log to save a zip file containing the full text of all logged sessions.
Click Clear Log to erase all log messages.
Click E-mail Log to send the log to the e-mail address configured on the Log > Settings page.
Use the Search options to filter log messages. Note that the search is case sensitive. In the drop-down menu, select the field you want to search in. Click Search to only display messages that match the search string. Click Exclude to hide messages that match the search string. Click Reset to display all messages.
Change the value in the Items per page field to display more or fewer log messages per page. Click the forward or backward arrows to scroll through the pages of the log messages.
Click any of the headings to sort the log messages alphabetically by heading.

Secure Virtual Assist Configuration

This section provides information and configuration tasks specific to the Secure Virtual Assist pages on the Secure Mobile Access web-based management interface.

Secure Virtual Assist is an easy-to-use tool that allows Secure Mobile Access users to remotely support customers by taking control of their computers while the customer observes. Providing support to customers is traditionally a costly and time-consuming aspect of business. Virtual Assist creates a simple-to-deploy, easy-to-use remote support solution. This feature is now supported on Windows and MacOS.

For more information on Secure Virtual Assist concepts, see Secure Virtual Assist Overview. You can also view the Secure Mobile Access Secure Virtual Meeting and Secure Virtual Assist Feature Module for additional information.


Secure Virtual Assist > Status

This section provides an overview of the Secure Virtual Assist > Status page and a description of the configuration tasks available on this page.

The Secure Virtual Assist > Status page displays a summary of current active requests, including the customer name, the summary of their issue they provided, the status of the Virtual Assist session, and which technician is assisting the customer. For the technician, the page displays the portal, domain, and status.

Virtual Assist > Status

On the right side of the screen, Streaming Updates indicates that changes to the status of customers are dynamically updated. Click ON/OFF to enable/disable Streaming Updates, respectively.

Click Logout to remove a customer from the queue. If the customer is currently in a session, both the customer and technician are disconnected.

For information about using Virtual Assist as a technician, see the following sections:

Secure Virtual Assist > Settings

This section describes the Secure Virtual Assist > Settings page and the configuration tasks available on this page. The Virtual Assist options are divided into the following tabs:

General Settings

To configure Virtual Assist general settings:

1. Navigate to the Secure Virtual Assist > Settings page.
2. To require customers to enter a password before being allowed to access Virtual Assist, enter the password in the Assistance Code window.
3. (Optional) Select Enable support without invitation to allow customers who have not received an email invitation to request assistance. If this is disabled, customers can receive assistance only if they are explicitly invited by a technician.
4. (Optional) Select Enable technician to wake the client on LAN to wake a client running Virtual Assist on the LAN if both are in the same subnet. The client can be woken when powered off, in the Sleep state, or in the Hibernate state. This feature can be enabled globally, per portal, or from the client.

   NOTE: To enable Wake Client, this feature must also be enabled on the portal using the Portals > Portals page and in the BIOS of the client machine.

5. (Optional) Select Run Virtual Assist without installation to run Virtual Assist from the web without installing it on the local machine. This feature can be enabled globally or per portal.
6. (Optional) Select Allow to download Virtual Assist on customer portal if you would like to provide your customers the ability to download the Virtual Assist client.
7. (Optional) To present customers with a legal disclaimer, instructions, or any other additional information, enter the text in the Disclaimer field. HTML code is allowed in this field. Customers are presented with the disclaimer and required to click “Accept” before beginning a Virtual Assist session.
8. To include a link to Virtual Assist on the portal login page, select Display Virtual Assist link from Portal Login. Customers can then click on a link to go directly to the Virtual Assist portal login page without having to log in to the Virtual Office.

Request Settings

To configure Virtual Assist request settings:

1. On the Secure Virtual Assist > Settings page, click the Request Settings tab at the bottom of the page.
2. To have Virtual Assist requests time out after a certain amount of time, enter a value in the Expire Ticket field. The default is 0, which means there is no expiration. After the timeout duration has passed, customers have to reinitiate their Virtual Assist request.
3. To limit the number of customers allowed in the Virtual Assist queue, enter a value in the Maximum Request field.
4. Optionally, you can customize the message that is displayed to customers when the queue is full in the Limit Message field. The message is limited to 256 characters.
5. Entering a value in the Maximum requests From One IP field can be useful if individual customers are repeatedly requesting help. However, this might cause problems for customers using DHCP behind a single IP address. The default 0 does not limit requests from individual IP addresses.
6. Enter a value in the Pending Request Expired field to have customers automatically removed from the queue if they are not assisted within the specified number of minutes. The default 0 does not remove unassisted customers.

Notification Settings

To configure Virtual Assist notification settings:

1. On the Secure Virtual Assist > Settings page, click the Notification Settings tab at the bottom of the page.
2. To automatically email support technicians when a customer logs in to the Virtual Assist queue, enter the technicians’ emails in the Technician Email List. Separate multiple emails with semi-colons (the ; symbol).
3. The following fields allow you to customize the email invitation:

   Subject of Invitation - The email subject line.
   Support Link Text in Invitation - Text that introduces the link to the URL for accessing Virtual Assist.
   Invitation Message - The body of the invitation email message.
   Default Email Address for Invitation - The default source email.

   These fields support the following variables to customize and personalize the invitation:

   %EXPERTNAME% - The name of the technician sending the invitation email.
   %CUSTOMERMSG% - The disclaimer configured on the General Settings tab.
   %SUPPORTLINK% - The URL for accessing Virtual Assist.
   %ACCESSLINK% - The URL for accessing the Secure Mobile Access Virtual Office.

NOTE: The currently configured mail server and email return address are listed at the bottom of the Secure Virtual Assist > Settings page. To enable technicians to receive notification emails and to email Virtual Assist invitations to customers, a mail server must be configured on the Log > Settings page. An accurate technician email address also allows the technician to be notified of blocked emails in deployments where a third-party email filter might block emails sent to the customer without returning an error to the Virtual Assist client.

Log > Settings

Restriction Settings

To configure Virtual Assist restriction settings:

1. On the Secure Virtual Assist > Settings page, click the Restriction Settings tab at the bottom of the page.
2. To deny Virtual Assist requests from specific IP addresses or networks, select Deny from the Request From Defined Addresses drop-down menu.
3. To allow Virtual Assist requests only from specific IP addresses or networks, select Allow from the Request From Defined Addresses drop-down menu.
4. To add an IP address or network to the Deny or Allow list, click Add ... The Admin Addresses window displays. See Adding an Address to Restriction Settings.
5. To delete a configured restriction setting, select the desired address in the Addresses field and click Delete. The address is removed from the field.

Adding an Address to Restriction Settings

To add an IP address or network to the Deny or Allow list for Virtual Assist restriction settings:

1. On the Secure Virtual Assist > Settings page, click the Restriction Settings tab at the bottom of the page.
2. Click Add ... The Admin Addresses window displays.
3. In the Source Address Type drop-down menu, select which of the following you want to specify:

   IP Address
   IP Network
   IPv6 Address
   IPv6 Network

4. Enter the information to define the address or network and click Accept.

Secure Virtual Assist > Log

The Secure Virtual Assist > Log page provides access to detailed information about previous Virtual Assist sessions. The Log page displays a summary of recent sessions.

The Technician's activities while servicing the customer are now fully logged, including the Technician ID, the time of service, information about the customer’s and Technician’s computers, the chat dialog, the customer request login, whether the customer exited prior to servicing, and Technician input after the end of the session.

Virtual Assist > Log

Click on the Ticket Number to view details about a session, or ticket. The Secure Virtual Assist > Log > <ticket number> page is displayed. Click Save Log to save the information on the page. To return to the Secure Virtual Assist > Log summary page, click Back.

Click Export Log to save a zip file containing the full text of all logged sessions. The log contains a summary file and a detail file for each session. The files can be viewed in Microsoft Word.

Click Clear Log to erase all log messages.

Click Email Log to send the log to the email address configured on the Log > Settings page.

The Search options allow you to filter the log messages. Note that the search is case sensitive. In the drop-down menu, select the field you want to search in. Click Search to only display messages that match the search string. Click Exclude to hide messages that match the search string. Click Reset to display all messages.

Change the value in the Items per page field to display more or fewer log messages. Click the forward or backward arrows to scroll through the pages of the log messages.

Click any of the headings to sort the log messages alphabetically by heading.

Secure Virtual Assist > Licensing

This section provides an overview of the Secure Virtual Assist > Licensing page and a description of the configuration tasks available on this page.

Secure Virtual Assist > Licensing Overview

Secure Virtual Assist is a licensed service.

Enabling Secure Virtual Assist

By default, Virtual Assist is enabled on portals that are created after Virtual Assist is licensed. Virtual Assist is disabled by default on all portals that were created before the Secure Virtual Assist license was purchased.

For users, administrator rights are not required for basic screen sharing support. For full installation of the client, admin rights might be necessary, but full installation is not necessary to use the service. Secure Virtual Access or unattended mode requires admin rights.

To configure Virtual Assist:

1. To purchase and activate a Secure Virtual Assist license, navigate to System > Licensing and click on the link to Activate, Upgrade, or Renew services. For more information, see System > Licenses.
2. To enable Virtual Assist on a portal, go to the Portals > Portals page and click the Configure icon for the desired portal. To create a new portal, go to the Portals > Portals page and click Add Portal. See Portals > Portals.
3. In the Edit Portal window that displays, click the Virtual Assist tab.
4. Click on Enable Virtual Assist for this Portal and click Accept. Virtual Assist is now enabled and ready to use. Secure Mobile Access users now see the Virtual Assist icon on the Virtual Office page.
5. Clear Display Technician Button to hide the technician button on the Virtual Office window and require technicians to log in directly through the client.
6. Select Display Request Help Button to display the help button on the Virtual Office for users to launch Virtual Assist.
7. Select Enable Virtual Access Mode to allow Secure Virtual Access connections to be made to this portal. This must be enabled for Virtual Assist to function on this portal.
8. Select Display Virtual Access Setup Link to display the Secure Virtual Access Setup link on the Virtual Office.
9. (Optional) Select Run Virtual Assist without installation to run Virtual Assist from the web without installing it on the local machine. This feature can be enabled globally or per portal.
10. Use the Wake customer on LAN feature to allow Technicians to wake a client running Virtual Assist on the LAN if both are in the same subnet. The client can be woken when powered off, in the Sleep state, or in the Hibernate state. This feature can be enabled globally or per portal.

    Select Use Global Setting to apply the global setting to this portal.
    Select Enable to enable this feature, no matter what is selected for the global setting.
    Select Disable to disable this feature, no matter what is selected for the global setting.

    NOTE: To use Wake Client, this feature must be configured on the client machine, as explained in the Secure Mobile Access User Guide.

11. In the Limit Support Sessions field, enter the number of active support sessions allowed on this portal, or enter zero for no limitation.
12. Check Enable Assistance Code to require a user to enter the designated code before requesting assistance. Checking this check box displays an Assistance Code field, where you specify the code users must enter.
13. (Optional) Select Enable support without invitation to allow customers who have not received an email invitation to request assistance. If this is disabled, customers can receive assistance only if they are explicitly invited by a technician.
14. When Enable Disclaimer is enabled, the customer must provide a code when requesting support. If the option is disabled, the code is not necessary.
15. (Optional) Select Allow to download Virtual Assist on customer portal page if you would like to provide your customers the ability to download the Virtual Assist client.
16. Optionally, you can customize all of the Virtual Assist settings for this individual portal using the tabs on this window.

Virtual Assist is now enabled and ready to use. Secure Mobile Access users now see the Virtual Assist icon on the Virtual Office page.

Secure Virtual Meeting

This section provides information and configuration tasks specific to the Secure Virtual Meeting pages on the Secure Mobile Access web-based management interface and a description of the configuration tasks available for Virtual Meeting.


For information about using Virtual Meeting, see the Secure Mobile Access User Guide. You can also view the Secure Mobile Access Secure Virtual Meeting and Secure Virtual Assist Feature Module for additional information.

Secure Virtual Meeting > Status

The Secure Virtual Meeting > Status page displays a summary of current active meetings and attendees, in addition to upcoming meetings.

Virtual Meeting > Status

On the right side of the screen, Streaming Updates indicates that changes to the status of customers are dynamically updated. Click ON/OFF to enable/disable Streaming Updates, respectively.

Click Logout next to a meeting in the Meeting Info section to delete an upcoming meeting.

Secure Virtual Meeting > Settings

This section describes the Secure Virtual Meeting > Settings page and the configuration tasks available for Virtual Meeting. The Virtual Meeting settings are divided into the following tabs:

General Settings

Use the General Settings page to configure general Virtual Meeting settings.

To configure Virtual Meeting general settings:
1
Navigate to the Secure Virtual Meeting > Settings page.

2
Select Enable join without Invitation to allow Participants to join the meeting without clicking the link in the e-mail invitation. Participants run the Virtual Meeting client and join the meeting directly with a meeting code set by the Coordinator.
3
Select Allow starting meeting without meeting creator to allow a meeting to start without the Coordinator present. If enabled and a scheduled meeting has no Coordinator in the meeting room at the scheduled start time, a participant is selected to become the Coordinator and begin the meeting. The meeting ends if this check box is not selected and the Coordinator is not present at the start time.
4
In the Meeting Waiting Message field, type the message to be displayed to Participants in the lobby waiting for the meeting to start. The lobby is a waiting room and meeting room, where you can initiate virtual meeting functions like chats and email invites.
5
In the Allow joining before start time field, select the number of minutes that Participants are allowed to join a meeting before it starts. Select 0 if Participants are allowed to join a meeting at any time, but you might want to consider that a license is in use from the time a Participant enters the lobby. See Licensing Overview for additional licensing information.
6
In the Max Attendees per Meeting field, select the maximum number of attendees that can join any given meeting. Select 0 for no limit.
NOTE: Secure Virtual Meeting uses Secure Virtual Assist licenses and one Secure Virtual Assist technician license is required for every three active Virtual Meeting attendees.
7
In the Max Concurrent Meeting Rooms field, select the maximum number of meetings that can take place simultaneously on the appliance.

For example, your company has five Secure Virtual Assist technician licenses and two of them are being used for Virtual Assist technicians. Any number of Virtual Meetings can occur concurrently, but the number of concurrent users in the lobby is limited to nine (5-2=3 licenses available, 3x3=9 licenses for meeting users available).

Notification Settings

To configure Virtual Meeting notification settings:
1
On the Secure Virtual Meeting > Settings page, click the Notification Settings tab at the bottom of the page.

2
In the Subject of Invitation field type the subject used for Virtual Meeting e-mail invitations sent to Participants. The subject could include variables such as %MEETINGNAME%. Move the mouse pointer over the icon to the right of this field to display possible variables.
3
In the Invitation Message field type the text you want to include in the body of the Virtual Meeting e-mail invitation. The body can include variables. Move the mouse pointer over the icon to the right of this field to display possible variables.

Secure Virtual Meeting > Log

The Secure Virtual Meeting > Log page provides access to detailed information about recent meetings.

The log shows the meeting name, owner, meeting time, portal used time, and the time the meeting was created.

Click the meeting name to display additional information about a specific meeting. To return to the Secure Virtual Meeting > Log page, click the browser’s Back button.

Click Export Log to create a zip file containing the full text of all logged meetings. The zip file contains a summary log file and a detail log file for each meeting that can be viewed in Microsoft Word.

Click Clear Log to erase all log messages.

Click Email Log to send the log to the e-mail address configured on the Log > Settings page.

The Search options allow you to filter the log messages. Note that the search is case sensitive. In the drop-down menu, select the field you want to search, and click Search to display only messages that match the search string. Click Exclude to hide messages that match the search string. Click Reset to display all messages.

Change the value in the Items per page field to display more or fewer log messages. Click the forward or backward arrows to scroll through the pages of the log messages.

Click any of the headings to sort the displayed log messages by heading.

Secure Virtual Meeting > Licensing

This section provides an overview of the Secure Virtual Meeting > Licensing page and a description of the configuration tasks available on this page.

Licensing Overview

Secure Virtual Meeting is part of the Secure Virtual Assist package. Multiple Virtual Meetings and Virtual Assist sessions can occur simultaneously. However, one Virtual Assist technician license is required for every three active Virtual Meeting users. For example, your company has five Virtual Assist technician licenses and two of them are being used for Virtual Assist technicians. Any number of Virtual Meetings can occur concurrently, but the number of concurrent users in the lobby is limited to 9 (5-2=3 licenses available, 3x3=9 licenses for meeting users available).

Licenses are assigned on a first come, first served basis. Secure Virtual Meeting licenses are considered in use when an attendee is in the lobby. Secure Virtual Assist/Access licenses are considered in use when the connection is active and screen sharing is occurring.

Licensing Information

The Secure Virtual Meeting > Licensing page displays the Secure Virtual Assist license status that is also displayed on the System > Licenses page. See Licensing Overview for an explanation of how Secure Virtual Assist licenses are used for Secure Virtual Meeting. The Licensing page also contains links to the System > Licenses page where you can obtain a license.

Secure Virtual Meeting Licensing

 

Web Application Firewall Configuration

This section provides information and configuration tasks specific to the Web Application Firewall pages on the Secure Mobile Access web-based management interface.

Web Application Firewall is subscription-based software that runs on the SMA/SRA appliance and protects Web applications running on servers behind the SMA/SRA. Web Application Firewall also provides real-time protection for resources such as HTTP(S) bookmarks, Citrix bookmarks, offloaded Web applications, and the Secure Mobile Access management interface and user portal that run on the SMA/SRA appliance itself.

For more information on Web Application Firewall concepts, see Web Application Firewall Overview.

Topics:

Licensing Web Application Firewall

The Secure Mobile Access Web Application Firewall must be licensed before you can begin using it. You can access the MySonicWall Web site directly from the Secure Mobile Access management interface to obtain a license.

The Web Application Firewall > Licensing page in the Secure Mobile Access management interface provides a link to the System > Licenses page, where you can connect to MySonicWall and purchase the license or start a free trial. You can view all system licenses on the System > Licenses page of the Secure Mobile Access management interface.

To view license details and obtain a license on MySonicWall for Web Application Firewall:
1
Log in to your SMA/SRA appliance and navigate to Web Application Firewall > Licensing.

2
If Web Application Firewall is not licensed, click the System > Licenses link. The System > Licenses page is displayed.

3
Under Manage Security Services Online, click the Activate, Upgrade, or Renew services link. The MySonicWall Login page is displayed.

4
Type your MySonicWall credentials into the fields, and then click Submit.
5
The System > Licenses page is displayed.

6
Click Try to start a 30 day free trial, or click Activate to subscribe to the service for 1 year. The screen that follows is displayed after selecting the free trial.

7
Click Synchronize to view the license on the System > Licenses page.

Web Application Firewall is now licensed on your SMA/SRA appliance. Navigate to Web Application Firewall > Settings to enable it, and then restart your appliance to completely activate Web Application Firewall.

Configuring Web Application Firewall

NOTE: Web Application Firewall requires the purchase of an additional license.

Topics:

Viewing and Updating Web Application Firewall Status

The Web Application Firewall > Status page provides status information about the Web Application Firewall service and signature database, and displays the license status and expiration date. Synchronize allows you to download the latest signatures from the SonicWall Inc. online database. You can use Download to generate and download a PCI compliance report file.

Viewing Status and Synchronizing Signatures

To view the status of the signature database and Web Application Firewall service license, and synchronize the signature database, complete the following steps in the Secure Mobile Access management interface:
1
Navigate to Web Application Firewall > Status. The WAF Status section displays the following information:
Status of updates to the signature database
Timestamp of the signature database
Time that the system last checked for available updates to the signature database
Expiration date of the Web Application Firewall subscription service
Status of the Web Application Firewall license

2
If updates are available for the signature database, Apply is displayed. Click Apply to download the updates.

You can select an option to update and apply new signatures automatically on the Web Application Firewall > Settings page. If this automatic update option is enabled, Apply disappears from the Web Application Firewall > Status screen as soon as the new signatures are automatically applied.

3
To synchronize the signature database with the SonicWall Inc. online database server, click Synchronize. The timestamp is updated.

Downloading a PCI Compliance Report

To download a PCI DSS 6.5/6.6 compliance report:
1
Navigate to Web Application Firewall > Status.
2
Click Download.
3
In the File Download dialog box, click Open to create the PCI report as a temporary file and view it with Adobe Acrobat, or click Save to save the report as a PDF file.

Configuring Web Application Firewall Settings

The Web Application Firewall > Settings page allows you to enable and disable Web Application Firewall on your SMA/SRA appliance globally and by attack priority. You can individually specify detection or prevention for three attack classes: high, medium, and low priority attacks.

This page also provides configuration options for other Web Application Firewall settings. The following sections describe the procedures for enabling and configuring Web Application Firewall settings:

Enabling Web Application Firewall and Configuring General Settings

To enable and activate Web Application Firewall, you must select the check box to globally enable it and select at least one of the check boxes in the Signature Groups table. The settings in the General Settings section on this page allow you to globally manage your network protection against attacks by selecting the level of protection for high, medium, or low priority attacks. You can also clear Global Enable Web Application Firewall to temporarily disable Web Application Firewall without losing any of your custom configuration settings.

You can enable automatic signature updates in the General Settings section, so that new signatures are automatically downloaded and applied when available. A log entry is generated for each automatic signature update. If a signature is deleted during automatic updating, its associated Exclusion List is also removed. A log entry is generated to record the removal. You can view the log entries on the Web Application Firewall > Log page.

Cross-Site Request Forgery protection settings are also available on this page. When a CSRF attack is detected, log entries are created in both the Web Application Firewall > Logs and Logs > View pages. For more information about CSRF/XSRF attacks, see How is Cross-Site Request Forgery Prevented?.

To configure global settings for Web Application Firewall:
1
On the Web Application Firewall > Settings page, expand the General Settings section.
2
Select Enable Web Application Firewall.
3
A warning dialog box is displayed if none of the signature groups have Prevent All already selected. Click OK in the dialog box to set all signature groups to Prevent All, or click Cancel to leave the settings as they are or to manually continue the configuration.

4
Select Apply Signature Updates Automatically to enable new signatures to be automatically downloaded and applied when available. You do not have to click Apply on the Web Application Firewall > Status page to apply the new signatures.
5
Select the desired level of protection for High Priority Attacks in the Signature Groups table. Select one of the following options:
Select Prevent All to block access to a resource when an attack is detected. Selecting Prevent All automatically selects Detect All, turning on logging.
Clear Prevent All and select Detect All to log attacks while allowing access to the resource.
To globally disable all logging and prevention for this attack priority level, clear both check boxes.
6
Select the desired level of protection for Medium Priority Attacks in the Signature Groups table.
7
Select the desired level of protection for Low Priority Attacks in the Signature Groups table.
8
When finished, click Accept.

Configuring Global Exclusions

There are three ways that you can exclude certain hosts from currently configured global Web Application Firewall settings. You can completely disable Web Application Firewall for certain hosts, you can lower the action level from Prevent to Detect for certain hosts, or you can set Web Application Firewall to take no action.

The affected hosts must match the host names used in your HTTP(S) bookmarks and Citrix bookmarks, and the Virtual Host Domain Name configured for an offloaded Web application.

To configure global exclusions:
1
On the Web Application Firewall > Settings page, expand the General Settings section.
2
Click Global Exclusions.
3
In the Edit Global Exclusions page, select one of the following from the Action drop-down list. The action you set overrides the signature group settings for every resource on the hosts listed in this exclusion:
Disable – Disables Web Application Firewall inspection for the host.
Detect – Lowers the action level from prevention to only detection and logging for the host.
No Action – Web Application Firewall inspects host traffic, but takes no action.

4
In the Host field, type in the host entry as it appears in the bookmark or offloaded application. This can be a host name or an IP address. Up to 32 characters are allowed. To determine the correct host entry for this exclusion, see Determining the Host Entry for Exclusions.

You can configure a path to a particular folder or file along with the host. The protocol, port, and request parameters in the URL are ignored. If a path is configured, the exclusion applies recursively to all subfolders and files. For instance, if Host is set to webmail.company.com/exchange, then all files and folders under exchange are also excluded.

5
Click Add to move the host name into the list box.
6
Repeat Step 4 and Step 5 to add more hosts to this exclusion.
7
When finished, click Accept.
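The host-entry rules in Step 4 are easy to get wrong when you are deciding whether a particular request is covered by an exclusion. The following Python is an added example, not code from the guide or from the SonicWall appliance: it normalizes a Host entry the way the step describes (protocol, port and request parameters ignored, a path covering everything beneath it) and looks up the action for a request URL. The exclusion table, the host names and the longest-path-wins tie-break are this example's own assumptions.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed global exclusion table, shaped like the Edit Global Exclusions
# page: host entry (with optional path) -> Action.  Hosts are made up.
GLOBAL_EXCLUSIONS: Dict[str, str] = {
    "webmail.company.com/exchange": "Detect",
    "intranet.company.com": "Disable",
    "10.0.0.5": "No Action",
}

MAX_HOST_ENTRY_LEN = 32  # Host field limit stated in the guide


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path) for a URL or a bare host entry.

    Scheme, port, query string and fragment are dropped, mirroring the
    guide's statement that protocol, port and request parameters are
    ignored.  The host is lower-cased and the path loses its trailing
    slash so that '/exchange' and '/exchange/' mean the same folder.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("no host name or IP address in %r" % url)
    return host, parts.path.rstrip("/")


def normalize_entry(entry: str) -> Tuple[str, str]:
    """Validate a Host field value as typed on the exclusions page."""
    if not 0 < len(entry.strip()) <= MAX_HOST_ENTRY_LEN:
        raise ValueError("host entry must be 1..%d characters" % MAX_HOST_ENTRY_LEN)
    return split_url(entry)


def path_covers(excluded_path: str, request_path: str) -> bool:
    """A configured path applies recursively to all files and subfolders.

    '' (host-only entry) covers every path; '/exchange' covers
    '/exchange' and '/exchange/owa/auth.aspx' but not '/exchange2'.
    """
    if excluded_path == "":
        return True
    request_path = request_path.rstrip("/")
    return request_path == excluded_path or request_path.startswith(excluded_path + "/")


def lookup_global_exclusion(request_url: str,
                            exclusions: Dict[str, str] = GLOBAL_EXCLUSIONS) -> Optional[str]:
    """Return the exclusion Action for a request, or None if no entry matches.

    When several entries match, the one with the longest path wins; the
    guide does not state a precedence, so this is the example's choice.
    """
    host, path = split_url(request_url)
    best: Optional[Tuple[str, str]] = None
    for entry, action in exclusions.items():
        ex_host, ex_path = normalize_entry(entry)
        if ex_host != host or not path_covers(ex_path, path):
            continue
        if best is None or len(ex_path) > len(best[0]):
            best = (ex_path, action)
    return best[1] if best else None


if __name__ == "__main__":
    for url in ("https://webmail.company.com:443/exchange/owa/auth.aspx?x=1",
                "https://webmail.company.com/owa/",
                "http://10.0.0.5:8080/"):
        print(url, "->", lookup_global_exclusion(url))
```

The prefix test in path_covers appends a slash before comparing, which is the detail that keeps an exclusion for /exchange from silently covering /exchange2 or /exchange-admin.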

Configuring Intrusion Prevention Error Page Settings

To configure the error page to use when intrusions are detected:
1
Expand the Intrusion Prevention Error Page Settings section.
2
In the Intrusion Prevention Response drop-down list, select the type of error page to be displayed when blocking an intrusion attempt.

3
To create a custom page, select Custom Intrusion Prevention Page and modify the sample HTML in the text box.
4
To view the resulting page, click Preview.
5
To reset the current customized error page to the default error page, click Default Blocked Page and then click OK in the confirmation dialog box.
6
If you do not want to use a customized error page, select one of the following for the error page:
HTTP Error Code 400 Bad Request
HTTP Error Code 403 Forbidden
HTTP Error Code 404 Not Found
HTTP Error Code 500 Internal Server Error
7
When finished, click Accept.

Configuring Cross-Site Request Forgery Protection Settings

Cross-Site Request Forgery (CSRF) protection is configured independently for each Application Offloading portal. The Form-based Protection Method, new in this release, provides a more seamless solution and results in fewer false positives. Optionally, you can select the original URL Rewrite-based Protection Method.

When a CSRF attack is detected, log entries are created in both the Web Application Firewall > Logs and Logs > View pages. For more information about CSRF/XSRF attacks, see How is Cross-Site Request Forgery Prevented?.

To configure the settings for CSRF protection with the URL Rewrite-based Protection Method:
1
Expand the Cross-Site Request Forgery (CSRF/XSRF) Protection section.
2
In the Portals drop-down list, select the Portal to which these CSRF protection settings apply. To make these CSRF settings the default for all portals, select Global.
3
Select URL Rewrite-based Protection from the Protection Method drop-down list.
4
For Protection Mode, select the desired level of protection against CSRF attacks. You can select Detect Only to log these attacks, or Prevent to log and block them. Select Disabled to disable CSRF protection on the portal.
5
When finished, click Accept.

To configure the settings for CSRF protection with the Form-based Protection Method:
1
Expand the Cross-Site Request Forgery (CSRF/XSRF) Protection section.
2
In the Portals drop-down list, select the Portal to which these CSRF protection settings apply. To make these CSRF settings the default for all portals, select Global.
3
Select Form-based Protection from the Protection Method drop-down list.
4
For Content Types, select the types of content you want to be profiled by CSRF. You can select All, HTML/XML, JavaScript, or CSS.
5
Click Begin Profiling to start the CSRF Form-based Protection. If you wish to stop profiling, click End Profiling.
6
When finished, click Accept.

NOTE: If you are upgrading from a previous firmware version and switch the Protection Method to Form-based Protection, the controls might appear grayed and disabled. Click Accept to activate the controls.

Configuring Web Site Cloaking

Under Web Site Cloaking, you can filter out response headers that reveal details of the backend Web server, such as its software and version, which an attacker could use to select an exploit for a known vulnerability.

To configure Web site cloaking:
1
Expand the Web Site Cloaking section.
2
In the Block Response Header fields, select Manual and type the server host name into the first field and type the header name into the second field, then click Add.

For example, if you set the host name to “webmail.xyz.com” and the header name to “X-OWA-version,” headers named “X-OWA-version” in responses from host “webmail.xyz.com” are blocked. In general, listed headers are not sent to the client when an HTTP/HTTPS bookmark or off-loaded application is used to access a listed Web server.

To block a certain header from all hosts, set the host name to an asterisk (*). You can add up to 64 host/header pairs. HTTP header names are not case-sensitive, so the header name you enter matches regardless of the case the server uses.

NOTE: Blocking does not occur for headers such as Content-Type that are critical to the HTTP protocol.
3
To remove a host/header pair from the list to be blocked, select the pair in the text box and then click Remove.
4
When finished, click Accept.
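The following Python is an added example, not code from the guide or the appliance, showing what the Block Response Header list does to a backend response: the host/header pairs, the wildcard host, case-insensitive header names and the protected Content-Type header all behave as the steps above describe. The sample response head, the host names and the set of protected headers beyond Content-Type are constructed for the example.

```python
from typing import List, Tuple

# Constructed Block Response Header list, as (host, header) pairs typed on
# the Web Site Cloaking page.  '*' blocks the header for every host.  Hosts
# and header names are made up for this example.
BLOCKED_HEADERS: List[Tuple[str, str]] = [
    ("webmail.xyz.com", "X-OWA-Version"),
    ("*", "Server"),
    ("*", "X-Powered-By"),
]
MAX_PAIRS = 64  # limit stated in the guide

# Headers that are never stripped because HTTP needs them.  The guide names
# Content-Type; the rest of this set is the example's own conservative choice.
PROTECTED_HEADERS = {
    "content-type", "content-length", "transfer-encoding", "connection",
    "date", "location", "set-cookie", "cache-control",
}


def parse_response_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response head into (status line, [(name, value)])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def cloak_headers(host: str, headers: List[Tuple[str, str]],
                  blocked: List[Tuple[str, str]] = BLOCKED_HEADERS) -> List[Tuple[str, str]]:
    """Drop listed headers from a backend response before relaying it.

    Header names are compared case-insensitively, as HTTP requires, so a
    rule for 'X-OWA-Version' also removes 'x-owa-version'.  Host names are
    compared case-insensitively as well, since DNS names are.
    """
    if len(blocked) > MAX_PAIRS:
        raise ValueError("at most %d host/header pairs are supported" % MAX_PAIRS)
    host = host.lower()
    names_to_block = {
        header.lower() for blocked_host, header in blocked
        if blocked_host == "*" or blocked_host.lower() == host
    }
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in names_to_block and lname not in PROTECTED_HEADERS:
            continue  # cloaked: not sent to the client
        kept.append((name, value))
    return kept


def cloaked_header_names(host: str, raw_head: str) -> List[str]:
    """Header names that survive cloaking for a given backend host."""
    _, headers = parse_response_head(raw_head)
    return [name for name, _ in cloak_headers(host, headers)]


# Constructed backend response head that leaks server and OWA versions.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-OWA-Version: 15.0.1234.5\r\n"
    "x-powered-by: ASP.NET\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(cloaked_header_names("webmail.xyz.com", SAMPLE_HEAD))
    print(cloaked_header_names("other.xyz.com", SAMPLE_HEAD))
```

Note that a pair scoped to webmail.xyz.com leaves the same header untouched on other hosts, while the wildcard pairs strip Server and X-Powered-By everywhere; the response body is never inspected, so version strings embedded in HTML comments or error pages need Information Disclosure Protection or a backend fix instead.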

Configuring Information Disclosure Protection

Under Information Disclosure Protection, you can protect against inadvertent disclosure of credit card and Social Security numbers (SSN) in HTML Web pages. You can also enter confidential text strings that should not be revealed on any Web site protected by Web Application Firewall.

To configure information disclosure protection:
1
Expand the Information Disclosure Protection section. The table contains a row for each possible pattern or representation of a social security number or credit card number that Web Application Firewall can detect in the HTML response.

2
Select Enable Credit Card/SSN Protection.
3
In the Mask Character drop-down list, select the character to be substituted when masking the SSN or credit card number.
4
In the table, select the level of protection desired for each representation of a SSN or credit card number. You can select one of the following in each row:
Disabled – Do not match numbers in this format. No logging or masking is done.
Detect – Detect numbers in this format and create a log entry when detected.
Mask Partially – Substitute the masking character for all digits in the number except the last few, so that the confidentiality of the number is still preserved.
Mask Fully – Substitute the masking character for all digits in the number.
Block – Do not transmit or display the number at all, even in masked format.
5
Below the table, in the Block sensitive information within HTML pages text box, type confidential text strings that should not be revealed on any Web site protected by Web Application Firewall. This text is case insensitive, can include any number of spaces between the words, but cannot include wildcard characters. Add new phrases on separate lines. Each line is pattern matched within any HTML response.
6
When finished, click Accept.
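As an added example (not from the guide or the appliance), the following Python applies the five per-row actions and the confidential-phrase list to an HTML response. The three number representations, the four-digit visible tail for Mask Partially, the mask character and the sample page are this example's assumptions; the appliance's own row list is not reproduced. One caveat the code builds in: the WAF log records only a masked copy of each match, so the log does not itself become a second disclosure.

```python
import re
from typing import Dict, List, Tuple

# One row per number representation, as on the Information Disclosure
# Protection table.  These three patterns and their settings are constructed
# for the example.
PATTERNS: Dict[str, re.Pattern] = {
    "SSN ddd-dd-dddd": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "SSN ddddddddd": re.compile(r"\b\d{9}\b"),
    "Card dddd dddd dddd dddd": re.compile(r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b"),
}
SETTINGS: Dict[str, str] = {
    "SSN ddd-dd-dddd": "Mask Partially",
    "SSN ddddddddd": "Detect",
    "Card dddd dddd dddd dddd": "Mask Fully",
}
MASK_CHAR = "X"
VISIBLE_TAIL = 4  # digits left in clear by Mask Partially (assumed count)

# Text from the "Block sensitive information within HTML pages" box, one
# phrase per line: case-insensitive, any whitespace between words, no wildcards.
BLOCKED_PHRASES = ["Project Aurora", "internal use only"]


def mask_number(number: str, level: str) -> str:
    """Replace digits with MASK_CHAR; Mask Partially keeps the last digits."""
    out = []
    digits_from_end = 0
    for ch in reversed(number):  # walk right to left so the tail stays clear
        if ch.isdigit():
            keep = level == "Mask Partially" and digits_from_end < VISIBLE_TAIL
            out.append(ch if keep else MASK_CHAR)
            digits_from_end += 1
        else:
            out.append(ch)  # separators are preserved
    return "".join(reversed(out))


def phrase_pattern(phrase: str) -> re.Pattern:
    """Literal words joined by \\s+ so spacing differences still match."""
    return re.compile(r"\s+".join(re.escape(w) for w in phrase.split()), re.IGNORECASE)


def protect_html(body: str, settings: Dict[str, str] = SETTINGS) -> Tuple[str, List[str]]:
    """Apply each row's action to the HTML response; return (body, log lines)."""
    log: List[str] = []
    for name, level in settings.items():
        if level == "Disabled":
            continue  # no matching, no logging, no masking

        def replace(m: re.Match, name=name, level=level) -> str:
            found = m.group(0)
            # Log a partially masked copy only, never the full number.
            log.append("%s: %s (%s)" % (name, level, mask_number(found, "Mask Partially")))
            if level == "Detect":
                return found   # log only, page unchanged
            if level == "Block":
                return ""      # number removed, not even in masked form
            return mask_number(found, level)

        body = PATTERNS[name].sub(replace, body)

    for phrase in BLOCKED_PHRASES:
        body, n = phrase_pattern(phrase).subn("", body)
        if n:
            log.append("confidential phrase %r removed %d time(s)" % (phrase, n))
    return body, log


# Constructed HTML response for the demonstration.
SAMPLE_HTML = ("<p>Employee SSN: 123-45-6789, legacy id 987654321.</p>\n"
               "<p>Card on file: 4111 1111 1111 1111 for PROJECT   aurora</p>")

if __name__ == "__main__":
    new_body, entries = protect_html(SAMPLE_HTML)
    print(new_body)
    print("\n".join(entries))
```

Running it on SAMPLE_HTML partially masks the hyphenated SSN, leaves the nine-digit form in place but logged, fully masks the card number and removes the phrase despite its different case and spacing. Patterns this loose will also match order numbers and timestamps, so start rows at Detect, review the Web Application Firewall > Log page, and only then move to masking or Block.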

Configuring Session Management Settings

Under Session Management, you can control whether the logout dialog window is displayed when a user logs into the user portal or into an application offloaded portal. You can also set the inactivity timeout for users in this section.

To configure session management settings:
1
Expand the Session Management section.

2
Select Launch Logout Dialog Window after Login to display the session logout popup dialog box when the user portal is launched or when a user logs into an application offloaded portal.

3
In the Global Inactivity Timeout field, type the number of inactive minutes allowed before the user is logged out. This setting can be overridden by Group or User settings.
NOTE: To mitigate CSRF attacks, it is important to keep a low idle timeout value for user sessions, such as 10 minutes.
4
When finished, click Accept.

Configuring Web Application Firewall Signature Actions

The Web Application Firewall > Signatures page allows you to configure custom handling or exclusion of certain hosts on a per-signature basis. A signature-based exclusion with no hosts listed applies to all hosts for that signature.

You can also revert back to using the global settings for the signature group to which this signature belongs without losing the configuration details of existing exclusions.

The list of signatures can be sorted by the contents of any column in ascending or descending order by clicking the column heading. In addition, signatures can be divided into pages and filtered by searching for a key word. To display only signatures containing a key word in all fields or a specific field, type the key word in the Search field, select All Fields or a specific field to search, and click Search. Or, click Exclude to display only signatures that do not contain the key word. Click Reset to display all signatures. All matches are highlighted. The default is 50 signatures per page.

On the Web Application Firewall > Settings page, global settings must be set to either Prevent All or Detect All for the Signature Group to which the specific signature belongs. If neither is set, that Signature Group is globally disabled and cannot be modified on a per-signature basis. See Enabling Web Application Firewall and Configuring General Settings.

See the following sections:

Enabling Performance Optimization

The Performance Optimization option allows you to disable some relatively less severe signatures that significantly affect the performance of certain Web applications. These signatures are identified by the SonicWall Inc. signature team and the list is pushed out to SMA/SRA appliances. When you select Enable Performance Optimization, these signatures are disabled for Web Application Firewall.

The Web Application Firewall > Signatures page indicates the disabled signatures by displaying them in gray, as shown in Enabling Performance Optimization.

Enabling Performance Optimization

Configuring Signature Based Custom Handling and Exclusions

You can disable inspection for a signature in traffic to an individual host, or for all hosts. You can also change the handling of detected threats for an individual host or for all hosts. If the signature group to which the signature belongs is set globally to Detect All, you can raise the level of protection to Prevent for the configured hosts; access to those hosts is then blocked when the attack signature is detected. Similarly, you can lower the level of protection to Detect if the associated signature group is globally set to Prevent All. If no hosts are configured, the action is applied to the signature itself and acts as a global setting for all hosts.

NOTE: For signature based customization to take effect, the signature group of the modified signature must be globally enabled for either prevention or detection on the Web Application Firewall > Settings page.
To configure one or more hosts with an exclusion from inspection for a signature, or to configure custom handling when Web Application Firewall detects a specific signature for one or more hosts, complete the following steps:
1
On the Web Application Firewall > Signatures page, click Configure for the signature that you wish to change. The Edit WAF Signature-based Exclusions screen displays.

2
In the Edit WAF Signature-based Exclusions screen, select one of the following actions from the Action drop-down list:
DISABLE – Disable Web Application Firewall inspections for this signature in traffic from hosts listed in this exclusion
DETECT – Detect and log threats matching this signature from hosts listed in this exclusion, but do not block access to the host
PREVENT – Log and block host access for threats matching this signature from hosts listed in this exclusion
3
To apply this action globally to all hosts, leave the Host field blank. To apply this action to an individual host, type the host entry as it appears in the bookmark or offloaded application into the Host field. This can be a host name or an IP address. To determine the correct host entry for this exclusion, see Determining the Host Entry for Exclusions.

You can configure a path to a particular folder or file along with the host. The protocol, port, and request parameters in the URL are ignored. If a path is configured, the exclusion applies recursively to all subfolders and files. For instance, if Host is set to webmail.yourcompany.com/exchange, then all files and folders under exchange are also excluded.

4
If you specified a host, click Add to move the host name into the list box.
5
If you want to apply this action to additional individual hosts, repeat Step 3 and Step 4 to add more hosts to this exclusion.
6
Click Accept. If the Host list contains host entries, Secure Mobile Access verifies that each host entry is valid. If no hosts were specified, a dialog box confirms that this is a global action to be applied to the signature itself.
7
Click OK in the confirmation dialog box.
8
Click Accept on the Web Application Firewall > Signatures page to apply the updated settings. New settings are applied to any new HTTP connections and requests. Existing HTTP connections and requests continue to use the old settings until they are terminated.
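The following Python is an added example, not from the guide or the appliance, that resolves the action the WAF takes when a signature fires, combining the global signature group setting with a per-signature exclusion as the procedure above and the preceding note describe: a disabled group makes per-signature settings moot, INHERIT GLOBAL falls back to the group, an empty host list makes the action global, and a listed host with a path covers its subfolders. Signature IDs, groups, hosts and the Performance Optimization list are constructed; how the appliance combines several firing signatures is not stated in the guide, so the any-PREVENT-blocks rule is this example's choice.

```python
from typing import Dict, List, Tuple

# Signature group settings from Web Application Firewall > Settings
# (Prevent All implies Detect All).  Values are constructed.
GROUP_SETTINGS: Dict[str, Dict[str, bool]] = {
    "High Priority":   {"prevent": True,  "detect": True},
    "Medium Priority": {"prevent": False, "detect": True},
    "Low Priority":    {"prevent": False, "detect": False},  # globally disabled
}

# Group membership, and the per-signature exclusions configured through
# Configure on the Signatures page: id -> (Action, hosts).  An empty host
# list means the action applies to the signature globally.  IDs and hosts
# are made up for this example.
SIGNATURE_GROUP: Dict[int, str] = {
    1001: "High Priority", 1002: "Medium Priority", 1003: "Low Priority",
    1004: "High Priority", 1005: "High Priority", 1006: "High Priority",
}
SIGNATURE_EXCLUSIONS: Dict[int, Tuple[str, List[str]]] = {
    1001: ("DETECT", ["legacy.example.com"]),
    1002: ("PREVENT", []),                  # raise a Detect All group to Prevent
    1003: ("PREVENT", []),                  # no effect: the group is disabled
    1004: ("DISABLE", ["webmail.example.com/exchange"]),
    1005: ("INHERIT GLOBAL", ["legacy.example.com"]),
}
# Signatures greyed out when Enable Performance Optimization is selected
# (the real list is pushed by SonicWall; this set is assumed).
PERF_OPT_SIGNATURES = {1006}


def group_default(group: str) -> str:
    """Global action for a signature group, or DISABLE if neither box is set."""
    s = GROUP_SETTINGS[group]
    return "PREVENT" if s["prevent"] else "DETECT" if s["detect"] else "DISABLE"


def host_entry_matches(entry: str, host: str, path: str) -> bool:
    """Match 'host' or 'host/folder' against a request; a folder covers
    everything beneath it, as for global exclusions."""
    ex_host, _, ex_path = entry.lower().partition("/")
    ex_path = "/" + ex_path.rstrip("/") if ex_path else ""
    if ex_host != host.lower():
        return False
    return ex_path == "" or path == ex_path or path.startswith(ex_path + "/")


def effective_action(sig_id: int, host: str, path: str, perf_opt: bool = False) -> str:
    """Resolve what the WAF does when signature sig_id fires on host/path."""
    if perf_opt and sig_id in PERF_OPT_SIGNATURES:
        return "DISABLE"
    default = group_default(SIGNATURE_GROUP[sig_id])
    if default == "DISABLE":
        return "DISABLE"  # group off globally: per-signature settings cannot apply
    action, hosts = SIGNATURE_EXCLUSIONS.get(sig_id, ("INHERIT GLOBAL", []))
    if action == "INHERIT GLOBAL":
        return default
    if not hosts or any(host_entry_matches(h, host, path) for h in hosts):
        return action
    return default  # the exclusion lists other hosts only


def decide_request(host: str, path: str, fired: List[int],
                   perf_opt: bool = False) -> Tuple[str, List[str]]:
    """Combine per-signature outcomes: any PREVENT blocks the request,
    DETECT only logs, DISABLE is silent.  Returns ('block'|'allow', log)."""
    log: List[str] = []
    verdict = "allow"
    for sig_id in fired:
        action = effective_action(sig_id, host, path, perf_opt)
        if action == "DISABLE":
            continue
        log.append("sig %d on %s%s: %s" % (sig_id, host, path, action))
        if action == "PREVENT":
            verdict = "block"
    return verdict, log


if __name__ == "__main__":
    print(decide_request("legacy.example.com", "/app", [1001, 1003]))
    print(decide_request("legacy.example.com", "/app", [1001, 1002]))
```

Signature 1003 is the case the note warns about: its PREVENT exclusion is never consulted because the Low Priority group has neither Prevent All nor Detect All set.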

Reverting a Signature to Global Settings

You can revert to using global signature group settings for a signature that was previously configured with an exclusion, without losing the configuration. This allows you to leave the host names in place in case you need to re-enable the exclusion.

To revert to using global signature group settings for a signature:
1
On the Web Application Firewall > Signatures page, click Configure for the signature that you wish to change.
2
In the Edit WAF Signature-based Exclusions screen, select INHERIT GLOBAL from the Action drop-down list.
3
The Host field might be blank if global settings were previously applied to this signature. To revert to global signature settings for all hosts, leave the Host field blank. To apply this action to one or more individual hosts, leave these host entries in the Host field and remove any host entries that are not to be reverted.
4
Click Accept. Secure Mobile Access verifies that each host entry is valid.
5
Click OK in the confirmation dialog box.
6
Click Accept on the Web Application Firewall > Signatures page to apply the updated settings. New settings are applied to any new HTTP connections and requests. The existing HTTP connections and requests continue to use the old settings until they are terminated.

Removing a Host from a Per-Signature Exclusion

To remove a host from a configured exclusion for a signature, complete the following steps:
1
On the Web Application Firewall > Signatures page, click Configure for the signature that you wish to change.
2
Select the host entry in the list box under the Host field, and then click Remove.
3
Repeat Step 2 to remove other listed hosts, if desired.
4
Click Accept. Secure Mobile Access verifies that each host entry is valid.
5
Click OK in the confirmation dialog box.
6
Click Accept on the Web Application Firewall > Signatures page to apply the updated settings. New settings are applied to any new HTTP connections and requests. The existing HTTP connections and requests continue to use the old settings until they are terminated.

Determining the Host Entry for Exclusions

When configuring an exclusion, either globally or per-signature, you must provide the host name or IP address. The affected hosts must match the host names used in your HTTP(S) bookmarks and Citrix bookmarks, and the virtual host domain name configured for an offloaded Web application.

For a description of how to determine the correct host name, see the following sections:

Viewing the Host Entry in a Bookmark

You can determine exactly what host name to enter in your exclusion by viewing the configuration details of the bookmark.

To view the host entry in a bookmark:
1
Navigate to the Virtual Office page, and click Show Edit Controls above the list of bookmarks.

2
Click Edit for the bookmark.
3
In the Edit Bookmark screen, view the host entry in the Name or IP Address field.

4
Click Cancel.

Viewing the Host Entry in an Off-loaded Application

You can determine exactly what host name to enter in your exclusion by viewing the configuration details of the off-loaded application. In an off-loaded application, you use the virtual host domain name.

To view the virtual host domain name in an off-loaded application:
1
Navigate to the Portals > Portals page and click Configure next to the off-loaded application.
2
In the Edit Portal screen, click the Virtual Host tab.

3
View the host entry for your exclusion in the Virtual Host Domain Name field.
4
Click Cancel.

Configuring Custom Rules and Application Profiling

The Web Application Firewall > Rules page allows you to configure custom rules and application profiling.

Application profiling allows you to generate custom rules in an automated manner based on a trusted set of inputs used to develop a profile of what inputs are acceptable by an application. Other inputs are denied, providing positive security enforcement. When you place the SMA/SRA appliance in learning mode in a staging environment, it learns valid inputs for each URL accessed by the trusted users. At any point during or after the learning process, custom rules can be generated based on the “learned” profiles. For more information about application profiling, see How Does Application Profiling Work?.

NOTE: Application profiling is supported only on the SMA 400, SRA 4600, and SMA 500v Virtual Appliance.
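To make the learning-mode idea concrete, the following Python is an added example, not the appliance's profiler: it records the parameters trusted users send to each URL, derives the strictest value class and maximum length seen for each parameter, and generates block rules for anything outside that profile (positive security). The value classes, the profile format and the captured requests are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Character classes tried from strictest to loosest; learning keeps the
# strictest class that every trusted value of a parameter satisfied.
VALUE_CLASSES: List[Tuple[str, str]] = [
    ("digits", r"[0-9]"),
    ("alpha", r"[A-Za-z]"),
    ("alnum", r"[A-Za-z0-9_.@-]"),
    ("text", r"""[^<>"'`;]"""),   # anything but common script/SQL metacharacters
]

# (portal, url) -> parameter name -> (class, max length)
Profile = Dict[Tuple[str, str], Dict[str, Tuple[str, int]]]


class UrlProfiler:
    """Learning mode: record the inputs trusted users send to each URL."""

    def __init__(self) -> None:
        self._seen = defaultdict(lambda: defaultdict(list))

    def learn(self, portal: str, url: str, params: Dict[str, str]) -> None:
        for name, value in params.items():
            self._seen[(portal, url)][name].append(value)

    def profile(self) -> Profile:
        prof: Profile = {}
        for key, params in self._seen.items():
            prof[key] = {}
            for name, values in params.items():
                cls = "text"
                for cls_name, char_class in VALUE_CLASSES:
                    if all(re.fullmatch(char_class + "*", v) for v in values):
                        cls = cls_name
                        break
                prof[key][name] = (cls, max(len(v) for v in values))
        return prof


def generate_rule_chains(profile: Profile) -> List[Dict[str, object]]:
    """One chain per learned parameter that blocks values outside its class
    or length, plus one per URL that blocks parameters never seen."""
    chains = []
    for (portal, url), params in profile.items():
        for name, (cls, max_len) in params.items():
            char_class = dict(VALUE_CLASSES)[cls]
            chains.append({
                "name": "profile %s %s arg %s" % (portal, url, name),
                "action": "Block",
                "rules": [("host", "equals", portal), ("uri", "equals", url),
                          ("arg:" + name, "not regex", r"^%s{0,%d}$" % (char_class, max_len))],
            })
        chains.append({
            "name": "profile %s %s unknown args" % (portal, url),
            "action": "Block",
            "rules": [("host", "equals", portal), ("uri", "equals", url),
                      ("arg-names", "not in", sorted(params))],
        })
    return chains


def violations(profile: Profile, portal: str, url: str, params: Dict[str, str]) -> List[str]:
    """Check a request against the profile; an empty list means it conforms.
    URLs never learned are left to the signature engine."""
    learned = profile.get((portal, url))
    if learned is None:
        return []
    out = []
    for name, value in params.items():
        if name not in learned:
            out.append("unknown parameter %r" % name)
            continue
        cls, max_len = learned[name]
        if not re.fullmatch(dict(VALUE_CLASSES)[cls] + "{0,%d}" % max_len, value):
            out.append("parameter %r not %s of at most %d chars" % (name, cls, max_len))
    return out


# Constructed trusted traffic captured while learning on a staging portal.
TRUSTED_REQUESTS = [
    ("portal.example.com", "/app/order", {"id": "1042", "qty": "3"}),
    ("portal.example.com", "/app/order", {"id": "17", "qty": "12"}),
    ("portal.example.com", "/app/search", {"q": "blue widgets"}),
]


def learned_profile() -> Profile:
    p = UrlProfiler()
    for portal, url, params in TRUSTED_REQUESTS:
        p.learn(portal, url, params)
    return p.profile()


if __name__ == "__main__":
    prof = learned_profile()
    for chain in generate_rule_chains(prof):
        print(chain)
    print(violations(prof, "portal.example.com", "/app/order", {"id": "1 OR 1=1", "debug": "1"}))
```

The strictness cuts both ways: a parameter that only ever carried four-digit values during learning is capped at four digits, so learning must cover the application's real range of inputs in staging or the generated rules will block legitimate production traffic.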

Custom rules created on this page have all the same properties as the signatures that SonicWall Inc. pushes out to Web Application Firewall-enabled appliances. Web Application Firewall > Rules Page shows the Rules page.

Web Application Firewall > Rules Page

To add a rule manually, you create a rule chain and then add rules within it. A rule chain is a collection of rules and includes additional attributes such as the severity rating, name, description, hit counters for rate limiting, and the action to take when the rule chain matches some traffic. Rule Chains shows all rule chain fields.

Rules in the Web Application Firewall > Rules page can be divided into pages and filtered by searching for a key word. To display only rules containing a key word in all fields or a specific field, type the key word in the Search field, select All Fields or a specific field to search, and click Search. Or, click Exclude to display only rules that do not contain the key word. Click Reset to display all rules. All matches are highlighted. The default is 50 rules per page.

Rule Chains

Custom rules and rule chains can be used to distinguish between legitimate and illegitimate traffic as defined by a Web application that is using a certain URI or running on a certain portal. One rule in the chain is configured to match the URI or portal host name, while another rule is created that matches an undesirable value for another element of the HTTP(S) traffic. When the rule chain (both rules) matches some traffic, the configured action is done to block or log the bad traffic from that URI or portal. When the request is blocked, the user sees a custom block page such as that in Block Page.

Block Page

The Web Application Firewall > Monitoring page also shows the activity in the graphs. Monitoring Page After Blocking shows several detected and prevented threats during a 12 hour period. For more information about the Monitoring page, see Using Web Application Firewall Monitoring.

Monitoring Page After Blocking

Rules are matched against both inbound and outbound HTTP(S) traffic. When all rules in a rule chain find a match, the action defined in the rule chain is done. You can also enable rate limiting in rule chains to trigger an action only after the number of matching attacks exceeds a threshold within a certain time period. You can configure the action to block the traffic and log the match, or to simply log it. You can also set the action to Disabled to remove the rule chain from active status and stop comparing traffic against those rules.

The Custom Rules feature can be enabled or disabled using the Enable Custom Rules global setting.

NOTE: Rule chains are enforced in the order that the rule chains were added. This order can be changed by deleting and re-creating rule chains.

Similarly, rules within rule chains are enforced in the order that the rules were added. This order can be changed by deleting and re-creating rules.

Configuring Application Profiling

You can create URL profiles by putting the SMA/SRA appliance into learning mode while applications are in use by trusted users, and then use those URL profiles to generate rule chains that prevent malicious misuse of the applications.

NOTE: Application profiling is supported only on the SMA 400, SRA 4600, and SMA 500v Virtual Appliance.

To configure application profiling and automatically generate rules:

1. Navigate to the Web Application Firewall > Rules page.

2. Under Application Profiling, select one or more portals with the application(s) to be profiled from the Portals drop-down list. Use Shift+click or Ctrl+click to select multiple portals.

3. For Content Types, select the type of content to be profiled:
   All – Includes all content types such as images, HTML, and CSS.
   HTML/XML – Selected by default, this is the most important from a security standpoint, because it typically covers the more sensitive Web transactions.
   Javascript – Appropriate for an application written in JavaScript.
   CSS – Select CSS to profile the cascading style sheet content used to control the formatting of Web pages written in HTML, XHTML, or XML variants.

4. Click Begin Profiling to start the “learning” process. Trusted users should be using the relevant applications on the selected portal during the active profiling period. Begin Profiling changes to End Profiling. Profiling continues until you click End Profiling.

   During profiling, Secure Mobile Access records inputs and stores them as URL profiles. The URL profiles are listed as a tree structure on the Web Application Firewall > Rules page in the Application Profiling section.

5. After a period of time adequate to record inputs from normal application use, click End Profiling to stop the profiling process.

6. Optionally, click any of the links in the URL profile tree to edit the learned values. Click the expand icon to expand all URLs at that level in the tree. You can also click the refresh icon to refresh all URLs in the list, or click the delete icon to delete a selected URL.

   The editing page for the clicked URL is displayed.

7. To add a value, type the value into the field next to the parameter and then click the plus button. To remove a value, select it in the list and then click the minus button.

8. Click Accept when finished editing. Repeat for other URLs as needed.

9. Before generating the rules from the URL profiles, select one of the following actions from the Default Action for generated Rule Chains drop-down list:
   Disabled – The generated rules are disabled rather than active.
   Detect Only – Content triggering the generated rule is detected and logged.
   Prevent – Content triggering the generated rule is blocked and logged.

10. Select Overwrite existing Rule Chains for URL Profiles to overwrite rule chains that have already been generated from a URL profile.

11. Click Generate Rules to generate rules from the URL profiles. If a URL profile has been modified, those changes are incorporated.

    If rule chains are successfully generated, the status bar indicates how many rule chains were generated, including any that were overwritten.

12. If you do not want to accept the generated rule chains, click Delete Selected Rule Chains, which is available following the rule chain list. All of the automatically added rule chains are pre-selected right after generation for easy deletion of the group.

13. Click Accept to apply the generated rule chains to the Secure Mobile Access configuration.
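The learning process in the steps above, modelled in code as an added example (not the appliance's own code): it builds per-URL profiles of parameter names and values from constructed trusted requests, honours the Content Type filter, and turns the profiles into positive-security rule chains that use the Not check box with Matches Keyword (or Matches Regex when a learned value contains a space). The dict layout of a rule, the `profile:` chain names and the sample paths are assumptions.

```python
"""Learning mode modelled in code: per-URL profiles from trusted requests, then positive-
security rule chains. Added example; the appliance's internal rule format is not public,
so the dict layout below is an assumption."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

ACTIONS = ("Disabled", "Detect Only", "Prevent")   # Default Action for generated Rule Chains

def learn_profiles(trusted_requests, content_type="HTML/XML"):
    """Record every parameter name and value seen per URL path while profiling is active;
    only requests of the selected Content Type are learned."""
    profiles = defaultdict(lambda: defaultdict(set))
    for req in trusted_requests:
        if req["content_type"] != content_type:
            continue
        parts = urlsplit(req["uri"])
        learned = profiles[parts.path]          # touched so parameterless URLs are kept too
        params = parse_qsl(parts.query, keep_blank_values=True) + list(req.get("form", {}).items())
        for name, value in params:
            learned[name].add(value)
    return profiles

def rule(variable, oper, value, selection="", negate=False):
    return {"variable": variable, "selection": selection, "operator": oper,
            "not": negate, "value": value}

def allowed_set(values):
    """Matches Keyword splits the Value field on spaces, so a learned value containing a
    space has to be expressed as an anchored regex alternation instead."""
    values = sorted(values)
    if any(" " in v for v in values):
        return "Matches Regex", "^(" + "|".join(re.escape(v) for v in values) + ")$"
    return "Matches Keyword", " ".join(values)

def generate_rule_chains(profiles, existing=None, default_action="Detect Only", overwrite=False):
    """Return (chains, generated, overwritten). Per URL, one chain denies any parameter name
    that was not learned; per parameter, one chain denies any value that was not learned."""
    if default_action not in ACTIONS:
        raise ValueError(f"unknown default action {default_action!r}")
    chains = dict(existing or {})
    generated = overwritten = 0
    for path, params in sorted(profiles.items()):
        match_url = rule("Request Path", "Equals String", path)
        oper, value = allowed_set(params)
        candidates = {f"profile:{path}": [match_url, rule("Parameter Names", oper, value, negate=True)]}
        for name, values in sorted(params.items()):
            oper, value = allowed_set(values)
            candidates[f"profile:{path}:{name}"] = [
                match_url, rule("Parameter Values", oper, value, selection=name, negate=True)]
        for key, rules in candidates.items():
            if key in chains:
                if not overwrite:
                    continue                # Overwrite existing Rule Chains not selected
                overwritten += 1
            chains[key] = {"action": default_action, "rules": rules}
            generated += 1
    return chains, generated, overwritten

# Constructed sample of traffic from trusted users during the profiling period.
TRUSTED_REQUESTS = [
    {"uri": "/order.aspx", "form": {"formId": "1042", "qty": "2"}, "content_type": "HTML/XML"},
    {"uri": "/order.aspx", "form": {"formId": "1043", "qty": "1"}, "content_type": "HTML/XML"},
    {"uri": "/search.aspx?q=quarterly+report&lang=en", "content_type": "HTML/XML"},
    {"uri": "/search.aspx?q=hr&lang=de", "content_type": "HTML/XML"},
    {"uri": "/static/app.js", "content_type": "Javascript"},   # not the selected content type
]

if __name__ == "__main__":
    chains, n, over = generate_rule_chains(learn_profiles(TRUSTED_REQUESTS), default_action="Prevent")
    print(f"{n} rule chains generated, {over} overwritten")
    for name, chain in chains.items():
        print(name, chain["rules"][1]["operator"], chain["rules"][1]["value"])
```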

Configuring Rule Chains

You can add, edit, delete and clone rule chains. Example rule chains (with Rule Chain ID greater than 15000) are available in the Secure Mobile Access management interface for administrators to use as reference. These cannot be edited or deleted. You can view the rules associated with the rule chain by clicking its Edit Rule Chain icon under Configure.

For ease of configuration, you can clone example rule chains or regular rule chains. Cloning a rule chain clones all rules associated with the chain. After cloning the rule chain, you can edit it by clicking its Edit Rule Chain icon under Configure.

Adding or Editing a Rule Chain
To add or edit a rule chain:

1. On the Web Application Firewall > Rules page, click Add Rule Chain to add a new rule chain.

   To edit an existing rule chain, click its Edit Rule Chain icon under Configure.

   The New Rule Chain screen or the screen for the existing rule chain displays. Both screens have the same configurable fields in the Rule Chain section.

2. On the New Rule Chain page, type a descriptive name for the rule chain in the Name field.

3. Select a threat level from the Severity drop-down list. You can select HIGH, MEDIUM, or LOW.

4. Select Disabled, Detect Only, or Prevent from the Action drop-down list.
   Disabled – The rule chain does not take effect.
   Detect Only – Allow the traffic, but log it.
   Prevent – Block traffic that matches the rule and log it.

   The Disabled option allows you to temporarily deactivate a rule chain without deleting its configuration.

5. In the Description field, type a short description of what the rule chain matches or other information.

6. Select a category for this threat type from the Category drop-down list. This field is for informational purposes, and does not change the way the rule chain is applied.

7. Under Counter Settings, to track the rate at which the rule chain is being matched and to configure rate limiting, select Enable Hit Counters. Additional fields are displayed.

8. In the Max Allowed Hits field, enter the number of matches for this rule chain that must occur before the selected action is triggered.

9. In the Reset Hit Counter Period field, enter the number of seconds allowed to reach the Max Allowed Hits number. If Max Allowed Hits is not reached within this time period, the selected action is not triggered and the hit counter is reset to zero.

10. Select Track Per Remote Address to enforce rate limiting against rule chain matches coming from the same IP address. Tracking per remote address uses the remote address as seen by the SMA/SRA appliance. This covers the case where different clients sit behind a firewall with NAT enabled, causing them to effectively send packets with the same source IP.

11. Select Track Per Session to enable rate limiting based on an attacker’s browser session. This method sets a cookie for each browser session. Tracking by user session is not as effective as tracking by remote IP if the attacker initiates a new user session for each attack.

12. Click Accept to save the rule chain. A Rule Chain ID is automatically generated.

13. Next, add one or more rules to the rule chain. See Configuring Rules in a Rule Chain for detailed information.
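The Counter Settings of steps 7 through 11, simulated as an added example (not appliance code) over constructed match events: Max Allowed Hits within a Reset Hit Counter Period, tracked per remote address or per session, including the case the guide warns about where a client opens a new session for every attempt. The exact point at which the action fires relative to the threshold, and the 203.0.113.7 client address, are assumptions.

```python
"""Hit counters and rate limiting for a rule chain, as configured under Counter Settings.
Added example, not appliance code; the reset behaviour is an assumption noted below."""
from dataclasses import dataclass

@dataclass
class CounterSettings:
    max_allowed_hits: int            # Max Allowed Hits
    reset_period: float              # Reset Hit Counter Period, in seconds
    track_per_remote_address: bool = False
    track_per_session: bool = False

class RateLimitedChain:
    """Counts matches of one rule chain and decides when the chain's action triggers."""

    def __init__(self, settings):
        self.settings = settings
        self.counters = {}           # tracking key -> [hits, window start]

    def tracking_key(self, remote_addr, session_id):
        # Per remote address keys on the source IP as the appliance sees it, so clients
        # behind one NAT share a counter; per session keys on the session cookie; with
        # neither selected there is a single counter for the whole chain.
        key = []
        if self.settings.track_per_remote_address:
            key.append(remote_addr)
        if self.settings.track_per_session:
            key.append(session_id)
        return tuple(key)

    def record_match(self, now, remote_addr, session_id):
        """Call once per rule-chain match; returns True when the action should trigger."""
        hits = self.counters.setdefault(self.tracking_key(remote_addr, session_id), [0, now])
        if now - hits[1] > self.settings.reset_period:
            hits[:] = [0, now]       # Max Allowed Hits not reached in time: counter resets
        hits[0] += 1
        # Assumption: the action fires once the hit count exceeds Max Allowed Hits and keeps
        # firing for further matches until the period elapses and the counter resets.
        return hits[0] > self.settings.max_allowed_hits

def simulate(settings, events):
    """Feed (time, remote_addr, session_id) matches to a fresh chain; return trigger flags."""
    chain = RateLimitedChain(settings)
    return [chain.record_match(t, ip, sid) for t, ip, sid in events]

# Constructed traffic: five matches within a few seconds from one address, one session.
SAME_SESSION = [(t, "203.0.113.7", "sess-1") for t in range(5)]
# The same client, but starting a new browser session for every attempt.
ROTATING_SESSIONS = [(t, "203.0.113.7", f"sess-{t}") for t in range(5)]
# Matches spaced further apart than the reset period.
SLOW = [(t * 70, "203.0.113.7", "sess-1") for t in range(5)]

BY_ADDRESS = CounterSettings(max_allowed_hits=3, reset_period=60, track_per_remote_address=True)
BY_SESSION = CounterSettings(max_allowed_hits=3, reset_period=60, track_per_session=True)
```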
Cloning a Rule Chain
To clone a rule chain:

1. On the Web Application Firewall > Rules page, click the Clone Rule Chain icon under Configure for the rule chain you want to clone.

2. Click OK in the confirmation dialog box.

You can now edit the rule chain to customize it. See Adding or Editing a Rule Chain.

Deleting a Rule Chain
NOTE: Deleting a rule chain also deletes all the associated rules.

To delete a rule chain:

1. On the Web Application Firewall > Rules page, click the Delete Rule Chain icon under Configure for the rule chain you want to delete.

2. Click OK in the confirmation dialog box.

3. Click Accept.
Correcting Misconfigured Rule Chains

Misconfigured rule chains are not automatically detected at the time of configuration. When a misconfiguration occurs, the administrator must log in and fix or delete the bad rules.

NOTE: If any rules or rule chains are misconfigured, the appliance does not enforce any custom rules or rule chains.

It is difficult to detect a false positive from a misconfigured rule chain unless a user runs into it and reports it to the administrator. If the rule chain has been set to PREVENT, then the user sees the Web Application Firewall block page (as configured on the Web Application Firewall > Settings page). If not, there is a log message indicating that the “threat” has been detected.

Consider a scenario in which the administrator inadvertently creates a custom rule chain that blocks access to all portals of the SMA/SRA appliance. For example, the admin might have wanted to enforce a rule for an Application Offloading portal. However, he or she forgot to add another rule to narrow the criteria for the match to requests for that portal, host or URL. If the first rule was too broad, then this means a denial of service for the appliance. Specifically, the administrator creates a rule chain to deny using the GET HTTP method for a specific URL that expects a POST request.

For this, the administrator needs to create two rules:

1. The first rule matches GET requests.

2. The second rule matches the specific URL.

If the administrator forgets to create the second rule, then access to the SMA/SRA appliance is denied, because the Secure Mobile Access web-based management interface depends on the GET method.

To fix a misconfigured rule chain, complete the following tasks:

1. Point your browser to https://<SMA IP>/cgi-bin/welcome.

   If you try to reach the welcome page by simply using the URL https://<SMA IP>/, the usual redirect to https://<SMA IP>/cgi-bin/welcome might not work. To repair misconfigured rules, you need to explicitly go to https://<SMA IP>/cgi-bin/welcome, where <SMA IP> is the host name or IP address of your SMA/SRA appliance.

2. Log in as admin.

3. Navigate to the Web Application Firewall > Rules page.

4. Edit or delete the bad rules.

5. Click Accept.

Configuring Rules in a Rule Chain

You can add, edit, delete and clone rules. A rule is a condition that is checked against inbound or outbound HTTP(S) traffic. Each rule chain can have one or more rules configured, and must have at least one rule before it can be used. Add Rule page shows the Add Rule page.

Add Rule page

Rules allow the administrator to employ both a positive security model and a negative security model. In a positive security model, policies are written only to allow known traffic and block everything else.

A rule has several components:

Variables – These are HTTP protocol entities that are scanned by Web Application Firewall to help identify legitimate or illegitimate traffic. Multiple variables can be matched against the configured value in the Value field. The ‘+’ and ‘-’ buttons allow you to add variables from the Variables drop-down list or delete them from the list of selected variables. You can combine multiple variables as required to match the specified value. If multiple variables are configured, then the rule is matched if any one of the configured variables matches the target value. See About Variables for more information about variables.
Operators – These are arithmetic and string operators. The Not check box is an inversion operator used to match any value except the configured condition. See About Operators for more information about the operators.
Value – This entity can be a number, literal string, or a regular expression that is compared with the scanned target. It is compared with the value of the configured variable(s) according to the specified operator.

To compare the variable(s) to more than one value, you can enter multiple values separated by spaces into the Value field, and select the Matches Keyword operator. Delimiting by spaces only works if the Matches Keyword operator is selected.

Anti-Evasive Measures – This field allows you to apply measures beyond those supported by the Operators field, especially to enforce anti-evasive protection. See About Anti-Evasive Measures for more information about these measures.

The following sections provide detailed information about rules:

About the Tips/Help Sidebar

You can select a variable in the Variables drop-down list to display more information about that variable in the Tips/Help sidebar. The sidebar explains when each variable would be used and where it is found in the HTTP protocol. An example use case is provided for each variable.

You can also select an entry in the Anti-Evasive Measures drop-down list to display more information about it in the Tips/Help sidebar.

The sidebar also provides context-sensitive search. When you click on a variable and then search for a particular keyword, the search results are only related to variables.

About Variables

Variables are HTTP protocol entities that are scanned by Web Application Firewall to help identify legitimate or illegitimate traffic. Multiple variables can be matched against the configured value in the Value field. The ‘+’ and ‘-’ buttons allow you to add variables from the Variables drop-down list or delete them from the list of selected variables.

You can combine multiple variables as required to match the specified value. If multiple variables are configured, then the rule is matched if any one of the configured variables matches the target value.

A variable can represent a single value or a collection. If a variable represents a collection, such as Parameter Values, then a specific member of the collection can be selected by entering its name in the selection text box to the right of the colon (:). Single-value variables, such as URI or Host, have exactly one value in each HTTP(S) request, so the selection text box is not displayed for them. Other variables, such as Request Header Values and Response Header Names, represent a collection.

If you need to test the collection itself against an input, then you would leave the selection text box empty. However, if you need to retrieve the value of a specific item in the collection, you would specify that item in the selection text box. For example, if you need to test if the parameter password exists in the HTTP(S) request, then you would configure the variable Parameter Names and leave the selection text box empty. You would set the Operator to String equals and the Value to password. But, if you want to check whether the value of the password parameter matches a particular string, such as “foo,” then you would select the Parameter Values variable and specify password in the selection text box. In the Value field, you would enter foo.

Variables for Use in Rules describes the available variables.

Variables for Use in Rules

Host (collection: No) – Refers to the host name or the IP address in the Host header of an HTTP request. This typically refers to the host part of the URL in the address bar of your browser.

URI (collection: No) – Refers to the combination of the path and the query arguments in a URL.

HTTP Method (collection: No) – Refers to the method, such as GET or POST, used by the browser to request a resource on the Web server.

HTTP Status Code (collection: No) – Refers to the response status from the Web server. You can use this to configure actions for various error codes from the Web server.

Parameter Values (collection: Yes) – Refers to the collection of all request parameter values, including the values of all query arguments and form parameters that are part of the current request.
To match against some aspect of the entire list of parameter values, such as the number of parameter values, leave the selection field empty.
To match against the value of a particular parameter, specify the name of the parameter in the selection field to the right of the colon.

Parameter Names (collection: Yes) – Refers to the collection of all request parameter names, including the names of all query arguments and form parameters that are part of the current request.
To match against some aspect of the entire list of parameter names, leave the selection field empty.
To match against the name of a particular parameter, specify the parameter name in the selection field to the right of the colon.

Remote Address (collection: No) – Refers to the client's IP address. This variable allows you to allow or block access from certain IP addresses.

Request Header Values (collection: Yes) – Refers to the collection of all HTTP(S) request header values for the current request.
To match against some aspect of the entire list of request header values, leave the selection field empty.
To match against a particular header value, specify the name of the header in the selection field to the right of the colon.
For example, to block Ajax requests, select Request Header Values as the Variable, specify X-Requested-With in the selection text box, and specify ajax in the Value field.

Request Header Names (collection: Yes) – Refers to the collection of all HTTP(S) request header names for the current request.
To match against some aspect of the entire list of request header names, leave the selection field empty.
To match against a particular header name, specify the name of the header in the selection field to the right of the colon.
For example, to block requests that are not referred by a trusted host, select Request Header Names as the Variable, specify Referer in the selection text box, enter the host names or IP addresses of the trusted hosts in the Value field, select the Not check box, and select the Matches Keyword operator.

Response Header Values (collection: Yes) – Refers to the collection of all HTTP(S) response header values for the current request.
To match against some aspect of the entire list of response header values, leave the selection field empty.
To match against a particular header value, specify the name of the header in the selection field to the right of the colon.

Response Header Names (collection: Yes) – Refers to the collection of all HTTP(S) response header names for the current request.
To match against some aspect of the entire list of response header names, leave the selection field empty.
To match against a particular header name, specify the name of the header in the selection field to the right of the colon.

Response Content Length (collection: No) – Refers to the size of the response payload.

Response Payload (collection: No) – Refers to the Web page content that is displayed to the user.

Portal Hostname (collection: No) – Refers to the virtual host name of the Secure Mobile Access portal that accepts the request from the client.
To create a rule chain that applies to a particular virtual host, one rule would match the host and another would specify other criteria for the match.

Portal Address (collection: No) – Refers to the IP address or virtual IP address of the Secure Mobile Access portal that accepts the request from the client.

Request Path (collection: No) – Refers to the relative path used to access a particular resource in a Web site.

About Operators

There are a number of arithmetic and string operators. The Not check box is an inversion operator that results in a match for any value except the configured condition.

These operators can be used in conjunction with Anti-Evasive Measures. For example, you might use the Equals String operator with Convert to Lowercase or Normalize URI Path in Anti-Evasive Measures.

Rule Operators describes the available operators for use with rules.

Rule Operators

Contains (string) – One or more of the scanned variables contains the content of the Value field.

Equals String (string) – The scanned variable(s) match the alphanumeric string in the Value field exactly.

= (arithmetic) – The scanned variable is equal to the content of the Value field.

> (arithmetic) – The scanned variable is greater than the content of the Value field.

>= (arithmetic) – The scanned variable is greater than or equal to the content of the Value field.

< (arithmetic) – The scanned variable is less than the content of the Value field.

<= (arithmetic) – The scanned variable is less than or equal to the content of the Value field.

Matches Keyword (string) – One or more of the scanned variables matches one of the keywords in the Value field. If multiple keywords are specified, they should be separated by spaces.

Matches Regex (string) – One or more of the scanned variables matches the regular expression in the Value field. An example of a regular expression that matches any four decimal digits is \d{4}.

About Anti-Evasive Measures

Anti-evasive measures are applied to input identified by the selected variables before the input is matched against the specified value. For instance, the String Length measure is used to compute the length of the matched input and use it for comparison. Some of the anti-evasive measures are used to thwart attempts by hackers to encode inputs to bypass Web Application Firewall rules. You can click on an anti-evasive measure in the list to read more information on it in the Tips/Help sidebar.

The anti-evasive measures can be used in conjunction with regular operators. There are ten measures to choose from in the Anti-Evasive Measures field, including the None measure which leaves the input alone.

Multiple anti-evasive measures can be selected together and individually enforced. You can select multiple measures by holding the Ctrl key while clicking an additional measure. When the None measure is selected along with other measures in your rule, the input is compared as is and also compared after decoding it or converting it with another measure. Anti-Evasive Measures for Rules describes the anti-evasive measures available for use with rules.

Anti-Evasive Measures for Rules

None – Use the None measure when you want to compare the scanned input to the configured variable(s) and value(s) without changing the input.

String Length – Use the String Length measure when the selected variable is a string and you want to compute the length of the string before applying the selected operator.

Convert to Lowercase – Use the Convert to Lowercase measure when you want to make case-insensitive comparisons by converting the input to all lowercase before the comparison. When you use this measure, make sure that strings entered in the Value field are all in lowercase.
This is an anti-evasive measure to prevent hackers from changing case to bypass the rule.

Normalize URI Path – Use the Normalize URI Path measure to remove invalid references, such as back-references (except at the beginning of the URI), consecutive slashes, and self-references in the URI. For example, the URI www.eshop.com/././//login.aspx is converted to www.eshop.com/login.aspx.
This is an anti-evasive measure to prevent hackers from adding invalid references in the URI to bypass the rule.

Remove Spaces – Use the Remove Spaces measure to remove spaces within strings in the input before the comparison. Extra spaces can cause a rule to not match the input, but are interpreted by the backend Web application.
This is an anti-evasive measure to prevent hackers from adding spaces within strings to bypass the rule.

Base64 Decode – Use the Base64 Decode measure to decode base64 encoded data before the comparison is made according to the rule.
Some applications encode binary data in a manner convenient for inclusion in URLs and in form fields. Base64 encoding is done to this type of data to keep the data compact. The backend application decodes the data.
This is an anti-evasive measure to prevent hackers from using base64 encoding of their input to bypass the rule.

Hexadecimal Decode – Use the Hexadecimal Decode measure to decode hexadecimal encoded data before the comparison is made according to the rule.
This is an anti-evasive measure to prevent hackers from using hexadecimal encoding of their input to bypass the rule.

URL Decode, URL Decode (Unicode) – Use the URL Decode measure to decode URL encoded strings in the input. Use the URL Decode (Unicode) measure to handle %uXXXX encoding. URL encoding is used to safely transmit data over the Internet when URLs contain characters outside the ASCII character set.
NOTE: Do not use these measures against an input that has been decoded already.
This is an anti-evasive measure to prevent hackers from using URL encoding to bypass rules, knowing that the backend Web server can interpret their malicious input after decoding it.
For example, the URI www.eshop.com/hack+URL%3B is converted to www.eshop.com/hack URL by this measure before the comparison is made.

Trim – Use the Trim measure to remove spaces before and after the input data before the comparison. Extra spaces can cause a rule to not match the input, but are interpreted by the backend Web application.
This is an anti-evasive measure to prevent hackers from adding spaces before and after the input data to bypass the rule.

Example Use Cases for Rules

This section provides examples of positive and negative security models, as well as several examples showing the use of anti-evasive measures to provide a deeper understanding of these anti-evasive techniques.

Example – Positive Security Model: Blocking Bad Logins

To prevent login to an Application Offloaded Web site if the length of the password is less than 8 characters, you would create a rule chain containing the following two rules:

1. Select Host as the Variable and click + to add it, set the Operator to Equals String, and set Value to the virtual host name of the portal. This checks that the Host header of the login request matches the site you are trying to protect. In this case, the rule chain is only being applied to one site.

2. Select Parameter Values as the Variable and type password into the selection field, then click + to add the variable and selected item to the rule, set the Operator to < (less than), and set Value to 8. Select String Length in the Anti-Evasive Measures list to compute the length of the password form parameter.

The action for the rule chain would be set to Prevent. Example Rule Chain – Blocking Bad Logins shows the rule chain for this example.

Example Rule Chain – Blocking Bad Logins

Example – Positive Security Model: Blocking a Form Submission with Unwanted Parameters

This example blocks a form submission if the form has a request parameter other than formId or if the value of formId contains more than four digits. To accomplish this, you would need two rule chains:

1. The first rule chain contains two rules:
   The first rule identifies the URL where the form is submitted.
   The second rule checks whether Parameter Names does not match the name of the valid parameter, formId. It uses the Equals String operator with the Not inversion check box selected.

2. The second rule chain contains two rules:
   The first rule identifies the URL where the form is submitted.
   The second rule checks whether the value contained by the Parameter Values:formId variable matches the regular expression ^\d{1,4}$, which matches anything that consists of one to four digits. The Not inversion check box is selected to change the rule to match anything that does not consist of one to four digits.

Example – Negative Security Model: Blocking Malicious Input to a Form
To block malicious input to a form, you would create a rule chain containing the following two rules:

1. The first rule identifies the URL for the form.

2. The second rule identifies the form parameter, shell_cmd, and the bad input, traceroute.

Example – Using URL Decode and None

If a hacker perceives that a Request URI is being scanned for CR and LF characters (carriage return and line feed), the hacker might attempt to sneak those characters into the request by URL-encoding them before adding them to the request. The URI then contains %0D and %0A sequences that could be used to launch an HTTP response splitting attack. The URL Decode and/or URL Decode (Unicode) measures can be used to thwart this type of attack by decoding the scanned input before comparing it against the configured value(s) to check for a match.

Specifically, if a request is made to the URI http://www.host.com/foo%20bar/ and the URL Decode measure is selected, the scanned URI becomes http://www.host.com/foo bar/ after decoding and can then be matched safely. To thwart a hacker who sends a non-encoded request in addition to the encoded one, the administrator can select both the None and the URL Decode options in the rule.

Example – Using Convert to Lowercase and URL Decode with Parameter Values

An administrator wants to check whether the content of the variable Parameter Values matches the value foo bar in order to block such a request. Because the backend application accepts case-insensitive inputs (foo bar and FOO BAR), the hacker can pass foo BAR in the request and evade the rule. To prevent this evasion, the administrator specifies Convert to Lowercase as an anti-evasive measure and configures the value as foo bar in all lower case. This causes all request parameter values to be converted to lower case and compared against the value for a case-insensitive check.

Similarly, the hacker could pass foo%20BAR, which is the URL encoded version typically used by browsers. To prevent this evasion, the administrator specifies URL Decode as the anti-evasive measure to apply to the request entity. The input foo%20BAR is URL decoded to foo BAR. If the input is already foo BAR, then URL decoding is not applied.

Example – Using String Length and URL Decode with Parameter Values:ID

Comparing against a decoded input allows the administrator to use the String Length measure to check the length of the input against the matching variable. For example, if a Web application ID parameter should not be more than four characters, the administrator could select Parameter Values in the Variable field, enter ID in the selection field, click + to add the variable and selected item to the rule, enter 4 in the Value field, select > in the Operator list, and select both URL Decode and String Length in the Anti-Evasive Measures list.
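A working model of the rule machinery this section describes, as an added example that is not the appliance's code: it implements the request-side variables, the string and arithmetic operators, the Not check box and the anti-evasive measures, and replays the Blocking Bad Logins, CR/LF with None plus URL Decode, String Length after URL Decode and Deny-GET misconfiguration scenarios above. The host name portal.example.test, the paths, the 203.0.113.7 client address and the per-element handling of Not (inferred from the formId example) are assumptions.

```python
"""Model of WAF custom rules (variables, operators, Not, anti-evasive measures). Added example."""
import operator as op
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

@dataclass
class Rule:
    variables: list                # any one variable matching satisfies the rule
    oper: str                      # operator name as shown in the Operators drop-down
    value: str
    selection: str = ""            # collection member, the text right of the colon
    negate: bool = False           # the Not check box
    measures: tuple = ("None",)    # applied in order; String Length must come last

@dataclass
class RuleChain:
    name: str
    rules: list
    action: str = "Prevent"        # Disabled | Detect Only | Prevent

def extract(variable, selection, req):
    """Inputs a (request-side) variable denotes in a raw, still URL-encoded request dict."""
    single = {"Host": req["host"], "URI": req["uri"], "HTTP Method": req["method"],
              "Request Path": req["uri"].partition("?")[0], "Remote Address": req["remote_addr"]}
    if variable in single:
        return [single[variable]]
    coll = req["params"] if variable.startswith("Parameter") else req["headers"]
    if variable.endswith("Names"):
        return list(coll)
    if selection:                  # e.g. Parameter Values:password -> just that value
        return [coll[selection]] if selection in coll else []
    return list(coll.values())

MEASURES = {
    "Convert to Lowercase": str.lower,
    "Normalize URI Path": posixpath.normpath,   # drops ./, // and inner .. segments
    "Remove Spaces": lambda s: s.replace(" ", ""),
    "Trim": str.strip,
    "URL Decode": unquote_plus,                 # %XX, and '+' to space as in the guide
    "String Length": len,                       # a number, for the arithmetic operators
}

def transform(raw, measures):
    """Pipeline of the non-None measures; None alongside others also keeps the raw input."""
    out = raw
    for m in measures:
        if m != "None":
            out = MEASURES[m](out)
    return [out, raw] if "None" in measures and len(measures) > 1 else [out]

ARITH = {"=": op.eq, ">": op.gt, ">=": op.ge, "<": op.lt, "<=": op.le}
STRING = {"Contains": lambda s, v: v in s,
          "Equals String": lambda s, v: s == v,
          "Matches Keyword": lambda s, v: s in v.split(),     # space-delimited alternatives
          "Matches Regex": lambda s, v: re.search(v, s) is not None}

def compare(oper, candidate, value):
    if oper in ARITH:
        try:
            return ARITH[oper](float(candidate), float(value))
        except ValueError:         # non-numeric input never satisfies an arithmetic test
            return False
    return STRING[oper](str(candidate), value)

def rule_matches(rule, req):
    for variable in rule.variables:
        for raw in extract(variable, rule.selection, req):
            for cand in transform(raw, rule.measures):
                # Not is applied per element: 'Parameter Names Not Equals formId' fires as
                # soon as any parameter other than formId is present (the guide's example).
                if compare(rule.oper, cand, rule.value) != rule.negate:
                    return True
    return False

def evaluate(chains, req):
    """(chain name, action) for every enabled chain all of whose rules match."""
    return [(c.name, c.action) for c in chains if c.action != "Disabled"
            and c.rules and all(rule_matches(r, req) for r in c.rules)]

# Constructed chains following the guide's use cases; host name and paths are hypothetical.
BAD_LOGIN = RuleChain("Blocking Bad Logins", [
    Rule(["Host"], "Equals String", "portal.example.test"),
    Rule(["Parameter Values"], "<", "8", selection="password", measures=("String Length",)),
])
CRLF_IN_URI = RuleChain("CR/LF in URI", [
    Rule(["URI"], "Matches Regex", "[\r\n]", measures=("None", "URL Decode")),
])

def deny_get_chain(narrowed):
    """Misconfiguration scenario: without rule 2 every GET matches, the management UI's too."""
    rules = [Rule(["HTTP Method"], "Equals String", "GET")]
    if narrowed:
        rules.append(Rule(["Request Path"], "Equals String", "/form.aspx"))
    return RuleChain("Deny GET on form", rules)

def request(method, uri, params=None, host="portal.example.test"):
    return {"method": method, "uri": uri, "host": host, "params": params or {},
            "headers": {}, "remote_addr": "203.0.113.7"}
```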

Deleting a Rule
To delete a rule from a rule chain:

1. On the Web Application Firewall > Rules page, click the Edit Rule Chain icon under Configure for the rule chain from which you want to delete a rule. The page for that rule chain opens.

2. Click the Delete icon under Configure for the rule you want to delete.

3. Click OK in the confirmation dialog box.

4. Click Accept.
Cloning a Rule
To clone a rule:

1. On the Web Application Firewall > Rules page, click the Edit Rule Chain icon under Configure for the rule chain that contains the rule you want to clone. The page for that rule chain opens.

2. Click the Clone icon under Configure for the rule you want to clone.

3. Click OK in the confirmation dialog box.

You can now edit the rule to customize it. See Adding or Editing a Rule.

Adding or Editing a Rule
To add or edit a rule in a rule chain:
1
Click the Edit Rule Chain icon under Configure for the rule chain on which you want to add or edit a rule. The page for that rule chain opens.
2
Click Add Rule to add a new rule, or click the Edit icon under Configure for the rule you want to edit.
3
In the Add Rule page or the page for the edited rule, select a variable from the Variables drop-down list. See About Variables for information about the available variables.
4
If the chosen variable is a collection of variables, a selection field is displayed to the right of the Variables field, after the colon. If you wish to make a comparison against a particular member of the collection, type the name of that item into the selection field.

To test the collection itself against an input, leave the selection field blank. For example, to test whether a certain parameter exists in the request, you could select the Parameter Names variable and then type the specific parameter name into the Value field (but not into the variable selection field).

5
Click Plus to add the variable to the rule. Repeat Step 3 through Step 5 to add more variables.

To delete a variable, select it in the large text box and click Minus.

6
Select a string or arithmetic operator from the Operators drop-down list. To complete the inverse operation, select Not.
7
In the Value field, type in the value to be compared with the selected variable(s) in the scanned HTTP(S) input. If you selected the Matches Keyword operator, you can compare the input against multiple values by typing in each value separated by a space. Each value is compared individually.
8
Select one or more measures from the Anti-Evasive Measures list. Hold Ctrl on your keyboard while clicking to select multiple measures.
9
Click Accept when finished.
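As an added example (not the appliance's own engine or code), the following Python models one custom rule exactly as the steps above build it, and walks through the Parameter Values:ID case from the URL Decode and String Length discussion earlier in this section. The Rule class, the parse_request helper and the query strings are assumptions constructed for the example; the substring semantics of Matches Keyword are also an assumption.

```python
"""Miniature evaluator for one Web Application Firewall custom rule.

Added example; it is not the appliance's engine.  A rule is modelled as the
guide describes it: a variable, an optional collection member (the text after
the colon, e.g. Parameter Values:ID), an operator, a value, the Not flag, and
the anti-evasive measures URL Decode and String Length, which are applied to
the scanned input before the comparison.  Query strings below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    variable: str                    # "Parameter Values" or "Parameter Names"
    selection: str | None            # member name, or None to test the collection
    operator: str                    # ">", "<", "=", or "Matches Keyword"
    value: str
    measures: frozenset[str] = frozenset()   # any of {"URL Decode", "String Length"}
    negate: bool = False             # the Not option inverts the result


def parse_request(query: str) -> dict[str, list[str]]:
    """Split a query string into name -> raw values.  Values are deliberately
    left encoded so that the rule's own URL Decode measure decides whether
    to decode them (urllib.parse.parse_qs would decode eagerly)."""
    params: dict[str, list[str]] = {}
    for pair in query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            params.setdefault(name, []).append(raw)
    return params


def _inputs(params: dict[str, list[str]], rule: Rule) -> list[str]:
    """Pick the strings the rule is compared against."""
    if rule.variable == "Parameter Names":
        names = list(params)
        return names if rule.selection is None else [n for n in names if n == rule.selection]
    if rule.variable == "Parameter Values":
        if rule.selection is None:
            return [v for values in params.values() for v in values]
        return list(params.get(rule.selection, []))
    raise ValueError(f"unsupported variable {rule.variable!r}")


def _compare(item: str, rule: Rule) -> bool:
    # Anti-evasive measures first: one decoding pass (a no-op on input that is
    # already decoded), then optionally compare the length instead of the text.
    if "URL Decode" in rule.measures:
        item = unquote(item)
    if rule.operator == "Matches Keyword":
        # Space-separated keywords, each tested on its own; substring matching
        # is this example's assumption about how the appliance compares them.
        return any(keyword in item for keyword in rule.value.split())
    lhs: str | int = item
    rhs: str | int = rule.value
    if "String Length" in rule.measures:
        lhs, rhs = len(item), int(rule.value)
    if rule.operator == ">":
        return lhs > rhs
    if rule.operator == "<":
        return lhs < rhs
    if rule.operator == "=":
        return lhs == rhs
    raise ValueError(f"unsupported operator {rule.operator!r}")


def rule_matches(rule: Rule, params: dict[str, list[str]]) -> bool:
    """True when the rule fires on the request; the rule chain's action then applies."""
    hit = any(_compare(item, rule) for item in _inputs(params, rule))
    return not hit if rule.negate else hit


# The guide's example: Parameter Values:ID must not exceed four characters,
# measured after URL decoding.  The second rule omits URL Decode for contrast.
LENGTH_DECODED = Rule("Parameter Values", "ID", ">", "4", frozenset({"URL Decode", "String Length"}))
LENGTH_RAW = Rule("Parameter Values", "ID", ">", "4", frozenset({"String Length"}))
# A keyword rule with and without URL Decode, showing the encoding evasion.
KEYWORD_DECODED = Rule("Parameter Values", "q", "Matches Keyword", "select union", frozenset({"URL Decode"}))
KEYWORD_RAW = Rule("Parameter Values", "q", "Matches Keyword", "select union")
# Collection test: does a parameter named ID exist at all?
HAS_ID = Rule("Parameter Names", None, "=", "ID")

if __name__ == "__main__":
    for query in ("ID=%41%42", "ID=foo%20BAR", "q=1%20or%20sel%65ct", "foo=1"):
        params = parse_request(query)
        print(f"{query:22} length-decoded={rule_matches(LENGTH_DECODED, params)!s:5} "
              f"length-raw={rule_matches(LENGTH_RAW, params)!s:5} "
              f"keyword-decoded={rule_matches(KEYWORD_DECODED, params)!s:5} "
              f"keyword-raw={rule_matches(KEYWORD_RAW, params)!s:5} "
              f"has-ID={rule_matches(HAS_ID, params)}")
```

Running it shows the two directions in which URL Decode matters: without it, the length rule fires on ID=%41%42 (six raw characters) although the real value is only two characters long, and the keyword rule misses sel%65ct although it decodes to select. Note that the example decodes exactly once; a double-encoded value such as %2520 decodes to %20, so a rule that must see the fully decoded value still has to be written with that in mind.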

Using Web Application Firewall Monitoring

The Web Application Firewall > Monitoring page provides two tabs: Local and Global. The pages for both tabs display statistics and graphs for detected/prevented threats over time and top 10 threats. The Local tab also displays Web server status statistics and graphs of the number of requests and the amount of traffic during the selected monitoring period.

The monitoring functions of each tab are explained in the following sections:

Monitoring on the Local Tab

The Local tab displays statistics and graphs for the local appliance. Graphs are displayed for Web Server Status and WAF Threats Detected & Prevented. For the latter, you can use the Perspective options to change the view between Signature, Severity, and Server, and you can display the statistics in list format rather than as graphs.

Using the Control Buttons

The control buttons are displayed at the top of the page. They control the statistics that are displayed on this page. On the Local tab, you can use the control buttons to turn streaming updates on or off, refresh the data on the page, clear the graphs, and download a report. If streaming is turned on, Web Application Firewall statistics information is fetched periodically, and displayed in the graphs and threat list. If streaming is turned off, no new information can be displayed.

To use the control buttons, complete the following steps:
1
Select the Local tab. The active tab name is displayed in red or pink, while the inactive tab name is blue. The control buttons act on the page that is currently displayed.
2
To turn streaming on or off, click the ON or OFF indicator next to Streaming Updates.
3
To refresh the display, click Refresh.
4
To clear all Web Application Firewall statistics from the graphs and list, click Clear Graphs.
5
To generate a PDF report containing Web Application Firewall statistics, click Download Report.
NOTE: Internet Explorer requires Adobe Flash Player version 10 or higher to generate the report.
6
If prompted to install Adobe Flash Player, click Get Flash and then after the installation click Try Again to generate the PDF report from Internet Explorer.

Monitoring Web Server Status

On the Local tab, below the control buttons, this page displays graphs for Web server status. One graph shows the number of Web requests detected over time, and another graph shows the amount of traffic in kilobytes (KB).

The Web servers tracked are those servers within the local network of the SMA/SRA appliance that provide HTTP/HTTPS bookmarks, offloaded applications, and other Web services. The Traffic graph indicates the amount of HTTP/HTTPS payload data that is sent to client browsers.

You can view Web server activity on the Local tab over different time periods by selecting one of the following options from the Monitoring Period drop-down list:

Last 60 Seconds
Last 60 Minutes
Last 24 Hours
Last 30 Days

Web Server Status For Last 24 Hours shows a 24 hour period of Web server activity.

Web Server Status For Last 24 Hours

Web Server Status For Last 60 Minutes shows a 60 minute period of Web server activity.

Web Server Status For Last 60 Minutes

Monitoring Detected and Prevented Threats

On the Local tab below the Web server status graphs, the Web Application Firewall > Monitoring page displays graphs indicating the number of detected and prevented threats. Two graphs are presented, one showing the number of threats over time, and the other showing the top ten threats that were detected and prevented during that time frame.

You can change the time frame displayed in both graphs or change the view to display all threats in list format by selecting one of the following options from the Monitoring Period drop-down list:

Last 12 Hours
Last 14 Days
Last 21 Days
Last 6 Months
All in Lists

Threats Over Last 21 Days shows the number and severities of threats detected and prevented over the last 21 days.

Threats Over Last 21 Days

When displaying the top 10 threats graph with Perspective set to Signature, hovering your mouse pointer over the signature ID causes a tooltip to appear with details about the threat.

Threat Details Tooltip

Viewing Threats in List Format

To see the threats in list format rather than as a graph, select All in Lists from the Monitoring Period drop-down list. Threats in List Format shows the list format.

The Severity column of the threat list is color coded for quick reference, as follows:

High severity threats – Red
Medium severity threats – Orange
Low severity threats – Black

The initial, default sorting order lists the high severity threats with highest frequency values first. You can change the order of listed threats by clicking on the column headings to sort them by ID, signature name, classification, severity, or frequency. Click again to toggle between ascending and descending order. The active sorting column is marked by an arrowhead pointing upwards for ascending order, and downwards for descending order.

Threats in List Format

To view and hide threat details:
1
On the Web Application Firewall > Monitoring page, select All in Lists from the Monitoring Period drop-down list. The list of detected or prevented threats is displayed in the WAF Threats Detected & Prevented table.
2
To display details about a threat, click on the threat. The details include the following:
URL – The URL to the SonicWall Inc. knowledge base for this threat
Category – The category of the threat
Severity – The severity of the threat, either high, medium, or low
Summary – A short description of how the threat behaves

3
To collapse the threat details, click the threat link again.
Changing Perspective

For the Top 10 Threats graph, you can select the following display options from the Perspective drop-down list:

Signature – The name of each threat shown is listed at the left side of the graph.

Severity – High, medium, and low severity threats are displayed using color coding.

Server – The server names are listed at the left side of the graph.

Monitoring on the Global Tab

The Global tab displays statistics and graphs for threats reported by all SMA/SRA appliances with Web Application Firewall enabled. Graphs are displayed for WAF Threats Detected & Prevented.

Using the Control Buttons

The control buttons are displayed at the top of the page. They control the statistics that are displayed on this page. On the Global tab, you can use the control buttons to turn streaming updates on or off, refresh the data on the page, and download a report. If streaming is turned on, Web Application Firewall statistics information is fetched periodically, and displayed in the graphs and threat list. If streaming is turned off, no new information can be displayed.

To use the control buttons, complete the following steps:
1
Select the Global tab. The active tab name is displayed in red or pink, while the inactive tab name is blue. The control buttons act on the page that is currently displayed.
2
To turn streaming on or off, click the ON or OFF indicator next to Streaming Updates.
3
To refresh the display, click Refresh.
4
To generate a PDF report containing Web Application Firewall statistics, click Download Report.
NOTE: Internet Explorer requires Adobe Flash Player version 10 or higher to generate the report.
5
If prompted to install Adobe Flash Player, click Get Flash and then after the installation click Try Again to generate the PDF report from Internet Explorer.

Monitoring Detected and Prevented Threats

At the top of the Global tab, the Web Application Firewall > Monitoring page displays graphs indicating the number of detected and prevented threats. Two graphs are presented, one showing the number of threats over time, and the other showing the top ten threats that were detected and prevented during that time frame.

You can change the time frame displayed in both graphs by selecting one of the following options from the Monitoring Period drop-down list:

Last 12 Hours
Last 14 Days
Last 21 Days
Last 6 Months

Threats Over Last 21 Days shows the number and severities of threats detected and prevented over the last 21 days.

Threats Over Last 21 Days

Hovering your mouse pointer over the signature ID causes a tooltip to appear with details about the threat.

Threat Details Tooltip

The local signature database on the appliance is accessed to get detailed threat information, but if the database is not up-to-date, some detailed information for the Top 10 Threats might not be available. In this case, the threat color in the graph is light grey, and the severity is displayed as unknown in the tooltip for this threat. The following error message is also displayed below the graphs:

“Warning: Web Application Firewall Signature Database for this device is not current. Synchronize the Database from the Web Application Firewall > Status page”

Using Web Application Firewall Logs

The Web Application Firewall > Log page provides a number of functions, including a flexible search mechanism, and the ability to export the log to a file or email it. The page also provides a way to clear the log. Clicking on a log entry displays more information about the event.

See the following sections:

Searching the Log

You can search for a value contained in a certain column of the log table, and can also search for log entries that do not contain the specified value.

To view and search Web Application Firewall log files:
1
On the Web Application Firewall > Log page, type the value to search for into the Search field.
2
Select the column in which to search from the drop-down list to the right of the Search field.
3
Do one of the following:
To start searching for log entries containing the search value, click Search.
To start searching for log entries that do not contain the search value, click Exclude.
To clear the Search field, set the drop-down list back to the default (Time), and display the first page of log entries, click Reset.

Controlling the Log Pagination

To adjust the number of entries on the log page and display a different range of entries, complete the following steps:
1
On the Web Application Firewall > Log page, enter the number of log entries that you want on each page into the Items per Page field. The Log page display changes to show the new number of entries.
2
To view the log entries beginning at a certain number, type the starting number into the Item field and press Enter on your keyboard.
3
To view the first page of log entries, click the left-most button in the arrow control pad.
4
To view the previous page of log entries, click the left arrow in the arrow control pad.
5
To view the next page of log entries, click the right arrow in the arrow control pad.
6
To view the last page of log entries, click the right-most button in the arrow control pad.

Viewing Log Entry Details

The log entry details vary with the type of log entry. For detected threats, the URI (Uniform Resource Identifier) is provided along with the command. Information about the agent that caused the event is also displayed. The Agent string is the browser's User-Agent header; for an explanation of its rather cryptic format, the following Wikipedia page provides a description and links to external sites that can analyze any user agent string: http://en.wikipedia.org/wiki/User_agent

To view more details about an individual log entry:
1
On the Web Application Firewall > Log page, click anywhere on the log entry that you want to view. The details are displayed directly beneath the entry.

2
To collapse the details for a log entry, click again on the entry.

Exporting and Emailing Log Files

You can export the current contents of the Web Application Firewall log to a file, or email the log contents by using the buttons in the top right corner of the Web Application Firewall > Log page.

Exported files are saved with a .wri file name extension, and open with WordPad, by default.

Emailed files are automatically sent to the address configured on the Log > Settings page of the Secure Mobile Access management interface. If no address is configured, the Status line at the bottom of the browser displays an error message when you click E-Mail Log on the Web Application Firewall > Log page.

To export or email the log:
1
To export the log contents, click Export in the top right corner of the Web Application Firewall > Log page. The File Download dialog box is displayed.

2
In the File Download dialog box, do one of the following:
To open the file, click Open.
To save the file, click Save, then browse to the folder where you want to save the file and click Save.
3
To email the log contents, click E-Mail Log in the top right corner of the Web Application Firewall > Log page. The log contents are emailed to the address specified in the Log > Settings page.

Clearing the Log

You can remove all entries from the Web Application Firewall log on the Web Application Firewall > Log page. The entries on the page are removed, and any attempt to export or email the log file while it is still empty causes a confirmation dialog box to display.

To clear the Web Application Firewall log:
1
On the top right corner of the Web Application Firewall > Log page, click Clear.
2
Click OK in the confirmation dialog box.

Verifying and Troubleshooting Web Application Firewall

One way to verify the correct configuration of Web Application Firewall is by viewing the Web Application Firewall > Monitoring page. This page displays statistics and graphs for detected/prevented threats over time and top 10 threats. The Local tab also displays Web server status statistics and graphs of the number of requests and the amount of traffic during the selected monitoring period. With normal use and exposure to the Internet, you should begin to see statistics within a day of activation.

You can also find helpful information in both the Log > View page and Web Application Firewall > Log page. This section lists some of the relevant log messages and provides an explanation or suggestions for actions in those cases.

Log > View Messages

The following messages can be viewed from the Log > View page:

License Manager SSL connection failed - Restarting the appliance could be necessary

Test the connectivity to licensemanager.sonicwall.com from the System > Diagnostics page using the Ping and DNS Lookup diagnostic utilities to ensure that there is connectivity to the backend server.

License Manager Failed to resolve host. Check DNS.

Test the connectivity to licensemanager.sonicwall.com from the System > Diagnostics page using the Ping and DNS Lookup diagnostic utilities to ensure that there is connectivity to the backend server.

License Manager Peer Identity failed - Check certs and time

The License Manager server or the signature database server might not have presented a valid SSL certificate, or the appliance's system time might be outside the certificate's validity period. Check the certificates and the appliance's time settings.

License Manager Reset called

The device licenses have been reset. Navigate to the System > Licenses page to activate, upgrade or renew licenses.

Web Application Firewall > Log and Log > View Messages

The following messages can be viewed from the Web Application Firewall > Log page and the Log > View page:

WAF signature database update failed: No signatures were found in the update

The download for the database update completed, but no suitable signatures were found in the database.

WAF signature database update failed: Old signature timestamp found in the update

The timestamp found in the database update from the License Manager is older than what was originally advertised before the download for the update started.

WAF signature database update failed: Error occurred while processing the update

There was a general error in downloading and processing the database update. This is possible if the data in the update does not conform to the signature parser schema.

WAF signature database update failed: Error occurred while downloading the WAF signature database update

There was a general error while downloading the database update. Verify connectivity and DNS resolution to licensemanager.sonicwall.com from the System > Diagnostics page, as described for the License Manager messages above.

WAF signature database update was downloaded successfully. The new database contains <num> rules

Signature database download was successful. The new database contains <num> rules. A rule is an internal property used by SonicWall Inc. to determine how many signatures were downloaded.

NOTE: You can select the Apply Signature Updates Automatically option on the Web Application Firewall > Settings page to apply new signatures automatically. If this option is not selected, you must click Apply that appears on the Web Application Firewall > Status page after a successful download. After the database has been successfully applied, all of the signatures within the new database can be found on the Web Application Firewall > Signatures page.

WAF signature database has been updated.

The signature database update was applied after the administrator clicked on Apply on the Web Application Firewall > Status page.

WAF engine is being started with the factory default signature database.

The Web Application Firewall engine is using the factory default signature database for traffic inspection. This could mean that no new signatures have been downloaded since the firmware update. If the logs show an earlier download attempt, this message could also mean that the update could not be processed successfully because of database errors and, as a precautionary measure, the factory default database has been used instead.

Geo IP and Botnet Filter

This section provides information and configuration tasks specific to the Geo IP and Botnet Filter page on the Secure Mobile Access management interface. The Geo IP feature enables administrators to monitor and enforce policies effectively based on the geographical locations of remote users. The Botnet Filter feature enforces a strong and anti-evasive defense against any rogue activity from Botnets using a dynamically updated database maintained by SonicWall Inc. Botnets pose huge security risks such as Denial of Service (DoS) attacks and Data Leakage. They are hard to identify and control because of the transient nature of their origins. These features are disabled by default.

Topics:

Status

The Geo IP & Botnet Filter > Status page contains two tabs of information: General Status and Botnet Status.

See:

General Status

The General Status tab shows general information about the Geo IP & Botnet filter and offers an option to synchronize the database. When the Geo IP & Botnet Filter is enabled, the General Status tab provides the following information:

Database shows the update status and provides Synchronize to manually synchronize updates. When Synchronize is clicked, the appliance immediately checks the backend server for new updates.
Server Status shows whether the backend server is connected. Offline status might indicate that the network settings need to be changed.
Cache Count shows the total number of Geo IP and Botnet cache entries. All caches are managed automatically by the appliance.
Last checked displays the most recent timestamp of the cache.
Service Expiration Date shows the license expiration date of the Geo IP & Botnet Filter service.
License Status identifies whether the Geo IP & Botnet Filter service is licensed. The Geo IP & Botnet Filter is a subscription service that includes a free trial.

When the Geo IP & Botnet Filter is licensed but disabled, the Status page displays a warning that contains a link to the Settings page where the feature can be enabled:

Botnet Status

The Botnet Status tab shows traffic statistics for Botnet IP addresses for the current reporting period. Statistics are shown for the top 10 IP addresses detected by the Botnet Filter during the selected period.

NOTE: If the location of an IP address changes, each location is shown as a different IP address and statistics are divided.

Use the Monitoring Period drop-down list to select the reporting period: Last 12 Hours, Last 14 Days, Last 21 Days, Last 6 Months, or All recorded traffic data.

Click Clear to clear statistics that are beyond the selected Monitoring Period. Before clearing, a popup window displays to confirm the clear action:

TIP: Clear should be used in conjunction with the Monitoring Period. For example, if Last 12 Hours is selected for the Monitoring Period, when clicking Clear, all histories that are beyond the “Last 12 Hours” are cleared, while the latest “Last 12 Hours” histories are kept.

Settings

The Geo IP & Botnet Filter > Settings page is used to enable/disable the Geo IP and Botnet Filter and configure Remediation Settings. The Geo IP & Botnet Filter > Settings page contains these tabs:

General Settings

Use the General Settings section of the Geo IP & Botnet Filter > Settings page to globally enable or disable the Geo IP & Botnet Filter that is disabled by default.

NOTE: You can check manually whether a given IP address is listed as a Botnet IP address by using the Botnet Test diagnostic tool on the System > Diagnostics page.

To enable the Geo IP & Botnet Filter:
1
Select Enable Geo IP & Botnet Filter to globally enable this feature. When enabled, a Location column is added to the NetExtender > Status, Virtual Assist > Status, Virtual Meeting > Status, and User > Status pages that identifies the location of users’ source IP addresses. Mousing over an icon in the Location column displays the City (if applicable), Region, and Country of the source IP.
2
Click Accept.

When this feature is enabled, the General Settings section displays four sub-features that can be individually enabled or disabled:

Enforce Geo IP Policy — Select this option to enforce Geo IP policies.
Enforce Botnet Filter Policy — Select this option to enable blocking of IP addresses in the SonicWall Botnet Database (for which no defined Policy is required) and enforce Botnet Filter policies. If this is disabled, Botnet IP addresses are not blocked, however, they are still detected and included in the Botnet Filter Statistics.
Find Geo IP Location for Logs — When this option is enabled, a column indicating the location of the source IP is added to the following pages: End Point Control > Log, Web Application Firewall > Log, Geo IP & Botnet Filter > Log, and Log > View.
Enable Packet Log (Debug mode) — Select this option to generate logs for allowed or denied packets. This option is for debug purposes only. Enabling the Packet Log makes logs increase rapidly if the log level is set to Debug.

Remediation Settings

Access to resources protected by an SMA/SRA appliance from aggressive IP addresses is denied when Geo IP & Botnet Filter is enabled. Remediation provides valid users an opportunity to prove that they are real users rather than “bots” and be allowed access.

For web access, users are redirected to the CAPTCHA page, as shown in the following figure. A countdown timer shows the time that remains for the user to complete remediation. If the user does not finish remediation within the allotted time, the user's IP address is added to the block list and all access from that IP address is blocked for a period of time.

If remediation is successful within the verification time, the user is directed to the requested page. A CAPTCHA session is then created to record the remediation status. During the valid duration, all access from the IP address is allowed. After the valid duration, the CAPTCHA session expires. If the user is still logged in, access is not interrupted, but after the user login session expires the CAPTCHA session is deleted and remediation is required again.

To enable Remediation and configure the settings:
1
Click Remediation Settings.

2
Click Enable Remediation. Denied users cannot access resources protected by the appliance without CAPTCHA-based remediation. Remediation can be enforced separately for the IP addresses defined by your Geo IP Policy, Botnet Filter Policy, and/or in the backend Botnet Database. Select additional options as needed.
3
In the Max allowed time for CAPTCHA entries (s) field, enter the number of seconds that the user has to complete Remediation. The minimum/maximum range is 30-300 seconds, the default is 60 seconds.
4
In the Allowed/Blocked duration after CAPTCHA validation (m) field, enter the number of minutes that the user is allowed/blocked after completing the CAPTCHA validation. The minimum value is five minutes and the maximum is 30, the default is 15 minutes.
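The remediation flow just described, as an added Python example that is not the appliance's code: a small tracker that issues the CAPTCHA challenge, enforces the Max allowed time for CAPTCHA entries, and keeps the allowed or blocked state for the configured duration. The RemediationTracker class, the integer-second clock passed in by the caller, the choice to reuse the allowed duration as the block period, the retry-until-deadline behaviour for wrong answers, and the sample IP addresses are all assumptions of the example.

```python
"""Remediation state tracker for the Geo IP & Botnet Filter CAPTCHA flow.

Added example, not the appliance's implementation.  It models the flow the
guide describes: a denied IP is sent to a CAPTCHA challenge with a deadline;
passing it creates a CAPTCHA session that allows the IP for a fixed duration;
missing the deadline puts the IP on the block list for a period of time.
Assumptions: the block period equals the configured allowed duration, a
wrong answer may be retried until the deadline, and time is an integer number
of seconds supplied by the caller so the logic can be exercised offline.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Session:
    state: str      # "challenge", "allowed" or "blocked"
    until: int      # challenge deadline, or end of the allowed/blocked period


class RemediationTracker:
    def __init__(self, captcha_seconds: int = 60, duration_minutes: int = 15) -> None:
        # Ranges from the Remediation Settings page: 30-300 s and 5-30 min.
        if not 30 <= captcha_seconds <= 300:
            raise ValueError("Max allowed time for CAPTCHA entries must be 30-300 seconds")
        if not 5 <= duration_minutes <= 30:
            raise ValueError("Allowed/Blocked duration must be 5-30 minutes")
        self.captcha_seconds = captcha_seconds
        self.duration_seconds = duration_minutes * 60
        self.sessions: dict[str, Session] = {}

    def _challenge(self, ip: str, now: int) -> str:
        self.sessions[ip] = Session("challenge", now + self.captcha_seconds)
        return "captcha"

    def check(self, ip: str, now: int, logged_in: bool = False) -> str:
        """Decide what a request from an aggressive IP gets: 'allow', 'captcha' or 'blocked'."""
        session = self.sessions.get(ip)
        if session is None:
            return self._challenge(ip, now)
        if session.state == "blocked":
            if now < session.until:
                return "blocked"
            return self._challenge(ip, now)          # block period over: challenge again
        if session.state == "allowed":
            if now < session.until or logged_in:     # an active login is not interrupted
                return "allow"
            return self._challenge(ip, now)          # login gone and CAPTCHA session expired
        # state == "challenge"
        if now <= session.until:
            return "captcha"
        self.sessions[ip] = Session("blocked", now + self.duration_seconds)  # deadline missed
        return "blocked"

    def submit_captcha(self, ip: str, now: int, correct: bool) -> bool:
        """Record a CAPTCHA answer; True starts the allowed period for the IP."""
        session = self.sessions.get(ip)
        if session is None or session.state != "challenge":
            return False
        if now > session.until:
            self.sessions[ip] = Session("blocked", now + self.duration_seconds)
            return False
        if correct:
            self.sessions[ip] = Session("allowed", now + self.duration_seconds)
            return True
        return False


if __name__ == "__main__":
    tracker = RemediationTracker(captcha_seconds=60, duration_minutes=15)
    ip = "203.0.113.7"   # constructed sample address
    print(tracker.check(ip, now=0))                          # captcha
    print(tracker.submit_captcha(ip, now=30, correct=True))  # True
    print(tracker.check(ip, now=929))                        # allow
    print(tracker.check(ip, now=931, logged_in=True))        # allow: login still active
    print(tracker.check(ip, now=931))                        # captcha: session expired
    print(tracker.check(ip, now=992))                        # blocked: deadline missed
```

The point worth noticing is the asymmetry between the two timers: the CAPTCHA deadline is short and missing it converts a challenge into a block, while the allowed period is only consulted once the user's login session has ended, so a legitimate user who passed the CAPTCHA is never cut off mid-session.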

Access Policies

The Geo IP & Botnet Filter > Policies page is used to view, add, edit, and delete Geo IP and Botnet Filter access policies. Up to a total of 64 Geo IP and Botnet Filter access policies can be created.

Each policy is automatically assigned a different priority with 1 being the highest priority. A policy’s priority determines the order of enforcement, which is identified by the order policies are listed on the Settings page.

Botnet Filter policies have a higher priority than Geo IP policies. Geo IP policies are prioritized according to the time they were created with those created first having the higher priority.
Botnet Filter policies defined for a single IP address have a higher priority than Botnet Filter policies defined for a subnet, and each type is then prioritized based on the time they were created with those created first having the higher priority.
Custom created policies are enforced first, which means if an IP address is listed in the SonicWALL Botnet Filter database, but the administrator defines an allow policy for this IP, then access from this IP is allowed.
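The priority rules above, as an added Python example that is not the appliance's code: it sorts a set of custom policies into enforcement order, applies the first match, and consults the Botnet database only afterwards, which is why a custom allow for a database-listed IP is honoured. The Policy class, the decide function, the sample policies, the country codes (ZZ is an ISO user-assigned code) and the database entries are all constructed for the example.

```python
"""Priority resolution for Geo IP and Botnet Filter access policies.

Added example; it is not the appliance's code.  It orders custom policies by
the rules the guide states (Botnet before Geo IP, single-address Botnet
policies before subnet ones, earlier creation first within each group),
applies the first matching policy, and falls back to the SonicWall Botnet
database only when no custom policy matched.  The policies, the country
lookup result and the database entries below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MAX_POLICIES = 64   # limit stated on the Policies page


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str        # "botnet" (IPv4 address or range) or "geoip" (country code)
    action: str      # "allow" or "deny"
    target: str      # e.g. "203.0.113.7", "198.51.100.0/24" or "ZZ"
    created: int     # creation order; lower means created earlier


def priority_key(policy: Policy) -> tuple[int, int, int]:
    """Sort key implementing the guide's ordering; smaller sorts first."""
    if policy.kind == "botnet":
        network = ipaddress.ip_network(policy.target, strict=False)
        is_subnet = 0 if network.num_addresses == 1 else 1
        return (0, is_subnet, policy.created)
    return (1, 0, policy.created)


def ordered(policies: list[Policy]) -> list[Policy]:
    if len(policies) > MAX_POLICIES:
        raise ValueError(f"at most {MAX_POLICIES} Geo IP and Botnet Filter policies are allowed")
    return sorted(policies, key=priority_key)


def decide(ip: str, country: str, policies: list[Policy], botnet_db: set[str],
           enforce_geoip: bool = True, enforce_botnet: bool = True) -> tuple[str, str]:
    """Return (action, reason) for a connection from ip located in country."""
    addr = ipaddress.ip_address(ip)
    for policy in ordered(policies):
        if policy.kind == "botnet" and enforce_botnet:
            if addr in ipaddress.ip_network(policy.target, strict=False):
                return policy.action, policy.name
        elif policy.kind == "geoip" and enforce_geoip:
            if country == policy.target:
                return policy.action, policy.name
    # No custom policy matched: consult the database last.  With the Botnet
    # Filter policy not enforced, database hits are only detected, not blocked.
    if enforce_botnet and ip in botnet_db:
        return "deny", "botnet database"
    return "allow", "default"


POLICIES = [
    Policy("block-ZZ", "geoip", "deny", "ZZ", created=1),
    Policy("partner-range", "botnet", "allow", "198.51.100.0/24", created=2),
    Policy("known-scanner", "botnet", "deny", "198.51.100.77", created=3),
    Policy("scan-exception", "botnet", "allow", "203.0.113.7", created=4),
]
BOTNET_DB = {"203.0.113.7", "192.0.2.99"}   # constructed stand-in for the backend database

if __name__ == "__main__":
    print([p.name for p in ordered(POLICIES)])
    for ip, country in (("203.0.113.7", "US"), ("192.0.2.99", "US"),
                        ("198.51.100.77", "DE"), ("198.51.100.8", "ZZ")):
        print(ip, country, decide(ip, country, POLICIES, BOTNET_DB))
```

The sample shows each rule doing work: known-scanner (a single address) is enforced before partner-range (its enclosing /24) even though it was created later, partner-range allows a host from a denied country because Botnet policies outrank Geo IP policies, and scan-exception allows an address that the database lists.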

A policy can be modified by clicking the edit button, but a policy name cannot be modified.

A policy can be deleted by clicking the delete button.

To create a new access policy, click the Add policy... button. Two types of policies can be added:

Geo IP Policy tab

A Geo IP policy allows or denies traffic from specified countries. Enter a Policy Name, then select the countries you want to allow or deny. To narrow the list by continent, click the drop-down and select the desired continent; all the countries within that continent are then displayed in the Apply Policy To list. You can also select countries directly from the map.

The map displays selected/deselected countries by color. The deselected countries display gray, while the selected countries display in color. Mouse over a country in the Apply Policy To list and the corresponding country blinks on the map. Use the Zoom tool to zoom in or out on the map. If you do not wish to use the map, hide it by clicking the Map icon to the left of the map.

Botnet Policy

A Botnet Policy allows or denies access from a specified IPv4 address or address range. Up to 64 policies can be created. Enter a Policy Name, select Allow or Deny in the Action drop-down, then enter the IP address or IP range to which the action applies.

Log

The Geo IP & Botnet Filter > Log page lists information detected by the Geo IP & Botnet Filter:

Location information that identifies the geographical location of the source IP for each event log message generated by Geo IP. Location information is also displayed on applicable Secure Mobile Access log and status pages. If Geo IP logging is disabled, this column contains a Not Logged icon. If a location or country flag is not available, this column contains an Unknown icon.

Mousing over an icon in the Location field displays the City (if available), Region, and Country of the source IP.

Traffic detected by the Botnet Filter. Traffic from each IP address is logged at most once per second, whether it is denied or allowed.

Several functions can be completed on this page, including a flexible search mechanism and the ability to export the log to a file or email it.

Clicking on a log entry displays more information about the event, if available.
Clicking on any of the column headings sorts the log messages by that column.

Searching the Log

Search for a value contained in a specific column of the log table or search for log entries that do not contain the specified value.

To view and search the log:
1
On the Geo IP & Botnet Filter > Log page, type the value to search for into the Search field. The search value is case sensitive.
2
Select the column in which to search from the drop-down list to the right of the Search field.
3
Do one of the following:
To start searching for log entries containing the search value, click Search.
To start searching for log entries that do not contain the search value, click Exclude.
To clear the Search field and display the first page of log entries, click Reset.

Controlling the Log Pagination

To adjust the number of entries on the log page and display a different range of entries:
1
On the Geo IP & Botnet Filter > Log page, enter the number of log entries that you want on each page into the Items per Page field. The Log page changes to show the new number of entries.
2
To view the log entries beginning at a certain number, type the starting number into the Item field and press Enter on your keyboard.
3
To view the first page of log entries, click the left-most button in the arrow control pad.
4
To view the previous page of log entries, click the left arrow in the arrow control pad.
5
To view the next page of log entries, click the right arrow in the arrow control pad.
6
To view the last page of log entries, click the right-most button in the arrow control pad.

Exporting and Emailing Log Files

You can export the current contents of the log to a file, or email the log contents by using the buttons in the top right corner of the Geo IP & Botnet Filter > Log page.

Exported files are saved with a .wri file name extension, and open with WordPad, by default.

Emailed files are automatically sent to the address configured on the Log > Settings page of the Secure Mobile Access management interface. If no address is configured, the Status line at the bottom of the browser displays an error message when you click E-Mail Log.

To export or email the log:
1
To export the log contents, click Export in the top right corner of the Geo IP & Botnet Filter > Log page. The File Download dialog box is displayed.

2
In the File Download dialog box, do one of the following:
To open the file, click Open.
To save the file, click Save, then browse to the folder where you want to save the file and click Save.
3
To email the log contents, click E-Mail Log in the top right corner of the Geo IP & Botnet Filter > Log page. The log contents are emailed to the address specified in the Log > Settings page.

Clearing the Log

You can remove all entries from the log on the Geo IP & Botnet Filter > Log page. The entries on the page are removed, and any attempt to export or email the log file while it is still empty causes a confirmation dialog box to display.

To clear the log, complete the following steps:
1. On the top right corner of the Geo IP & Botnet Filter > Log page, click Clear.
2. Click OK in the confirmation dialog box.

Licensing

Geo IP & Botnet Filter is a subscription service that includes a free trial that expires one year after the release date. The licensing status of the Geo IP & Botnet Filter subscription service is shown on the Geo IP & Botnet Filter > Licensing page.

The Licensing page also includes a brief description of the feature and a link to the System > Licenses page where you can activate, upgrade, and renew licenses.

High Availability Configuration

This section provides information and configuration tasks specific to the High Availability page on the Secure Mobile Access web-based management interface.

High Availability allows two identical SMA/SRA appliances or SMA 500v Virtual Appliances to provide a reliable, continuous connection to the public Internet. The two SMA/SRA appliances are deployed at the same time and connected together, and are called a High Availability Pair (HA Pair).

Topics:

High Availability Overview

High Availability requires one SMA/SRA appliance configured as the primary device, and an identical SMA/SRA configured as the backup device.

High availability configuration

During normal operation, the primary device is in an active state, and services all connections. The backup device is in an idle state. When the primary device loses connectivity, the backup transitions to the active state and begins to service outside connections. The necessary data is synchronized between primary and backup devices, including settings data and session data.

The failover applies to loss of functionality or network-layer connectivity on the primary appliance. The failover to the backup unit occurs when critical services are affected, physical (or logical) link failure is detected, or when the primary unit loses power.

Supported Platforms

High Availability is supported on the SMA 400, SRA 4600, and the SMA 500v Virtual Appliance.

Configuring High Availability

High Availability (HA) requires one SMA 400, SRA 4600, or SMA 500v Virtual Appliance configured as a primary device and an identical SMA/SRA configured as a backup device. The HA connection between two SMA/SRA appliances is in an Active/Passive state. The session information is synchronized between the HA pair to help avoid re-authentication of users in the event of a failover to the backup device.

See the following sections for configuration information:

Physical Connectivity

You can select the interface to use for HA control traffic. The HA link should connect the identical ports of the SMA/SRA HA Pair, for example X3 of the primary appliance to X3 of the backup appliance.

During normal operation, the primary device is in an active state and services all connections, while the backup device is in an idle state. When the primary device loses connectivity, the backup transitions to the active state and begins to service outside connections.

Preparing for High Availability

Before configuring the options on the High Availability > Settings page, prepare your devices for High Availability with the following steps:

1. Configure both SMA/SRA appliances as separate devices with independent IP addresses on your subnet.

NOTE: SMA/SRA appliances in an HA pair cannot be deployed behind a proxy.

2. Upload the latest Secure Mobile Access firmware to both devices. High Availability does not work unless both devices have the same firmware version installed.
3. Connect the X3 interfaces of the two appliances together with a CAT 5E or better cable to ensure a gigabit connection.

NOTE: SonicWall Inc. recommends that you back up and download the settings for both SMA/SRA appliances at this stage.

4. In a browser, log in to the primary unit and navigate to the Network > Interfaces page. Confirm that the X3 port is active by checking that its Status shows 1000 Mbps Full Duplex.

Configuring High Availability Settings on a hardware appliance

The High Availability > Settings page provides settings for configuring High Availability.

NOTE: The contents of this page vary slightly for a Virtual Appliance, as explained in Configuring High Availability Settings on a Virtual Appliance.
To enable High Availability and configure the options in the High Availability Settings section:
1. In a browser, log in to the primary unit and navigate to the High Availability > Settings page.
2. Select Enable High Availability.
3. Select the High Availability Interface from the drop-down list. The HA interface can only be set when the unit is in the HA unconnected mode, and the same interface must be selected on both units.
4. Enter a number of milliseconds for the Heartbeat Interval. The heartbeat is used to test the connectivity between the primary and backup devices, and the heartbeat interval controls how often the two units communicate. The minimum is 500 milliseconds (a half second), and the maximum is 300,000 milliseconds (five minutes).
5. Enter a value for the Failover Trigger Level. This is the number of consecutive heartbeats that must be missed before failover occurs. The minimum is four, and the maximum is 99.
6. In the Primary Serial Number field, type in the serial number of the primary device. The maximum length is 12 characters.
7. In the Backup Serial Number field, type in the serial number of the backup device. The maximum length is 12 characters.
8. Click Accept.
9. In the browser, open a new tab and point it to the IP address of the backup unit. Log in to the backup.
10. Repeat steps 1 through 8 on the backup unit.

When you click Accept, the backup device becomes IDLE and you are no longer able to access it with its IP address. The primary device is now Active with the same settings it had before the HA configuration.

The appliances in the HA Pair immediately begin to synchronize data from the primary to the backup unit. When failover occurs and the primary is down, the backup unit becomes Active with the same settings as the primary.

Configuring High Availability Settings on a Virtual Appliance

The High Availability > Settings page provides settings for configuring High Availability.

To enable High Availability for a Virtual Appliance and configure the options in the High Availability Settings section:
1. In a browser, log in to the primary unit and navigate to the High Availability > Settings page.
2. Select Enable High Availability.
3. Select Primary Appliance if this Virtual Appliance is the primary appliance in the HA pair.
4. Select the High Availability Interface from the drop-down list. The HA interface can only be set when the unit is in the HA unconnected mode, and the same interface must be selected on both units.
5. Enter a number of milliseconds for the Heartbeat Interval. The heartbeat is used to test the connectivity between the primary and backup devices, and the heartbeat interval controls how often the two units communicate. The minimum is 500 milliseconds (a half second), and the maximum is 300,000 milliseconds (five minutes).
6. Enter a value for the Failover Trigger Level. This is the number of consecutive heartbeats that must be missed before failover occurs. The minimum is four, and the maximum is 99.
7. Click Accept.
8. In the browser, open a new tab and point it to the IP address of the backup unit. Log in to the backup.
9. Configure High Availability on the backup unit.

When you click Accept, the backup device becomes IDLE and you are no longer able to access it with its IP address. The primary device is now Active with the same settings it had before the HA configuration.

The appliances in the HA Pair immediately begin to synchronize data from the primary to the backup unit. When failover occurs and the primary is down, the backup unit becomes Active with the same settings as the primary.
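The Heartbeat Interval and Failover Trigger Level set in the hardware and Virtual Appliance procedures above together decide how long a primary outage goes unnoticed. The following model is an added example, not appliance code: it enforces the limits the guide states (500 to 300,000 ms; 4 to 99 missed heartbeats), and its missed-heartbeat counting is an assumed simplification of the real implementation.

```python
"""Model of the HA heartbeat failover trigger (added example, not appliance code)."""
from dataclasses import dataclass
from typing import List, Optional

# Limits stated in the guide for the two High Availability > Settings fields.
HEARTBEAT_MIN_MS, HEARTBEAT_MAX_MS = 500, 300_000
TRIGGER_MIN, TRIGGER_MAX = 4, 99


@dataclass(frozen=True)
class HASettings:
    heartbeat_interval_ms: int   # Heartbeat Interval field
    failover_trigger_level: int  # Failover Trigger Level field

    def __post_init__(self) -> None:
        # Reject values the management interface would not accept.
        if not HEARTBEAT_MIN_MS <= self.heartbeat_interval_ms <= HEARTBEAT_MAX_MS:
            raise ValueError("Heartbeat Interval must be 500-300000 ms")
        if not TRIGGER_MIN <= self.failover_trigger_level <= TRIGGER_MAX:
            raise ValueError("Failover Trigger Level must be 4-99")

    def detection_time_ms(self) -> int:
        """Worst-case delay between the last heartbeat and failover."""
        return self.heartbeat_interval_ms * self.failover_trigger_level


def missed_heartbeats(settings: HASettings, received_ms: List[int], now_ms: int) -> int:
    """Consecutive heartbeat slots with no message since the last one received.

    Assumed model: any received heartbeat resets the count, so a flapping HA
    link that delivers a late heartbeat starts counting again from zero.
    """
    if not received_ms:
        return 0
    return max(0, now_ms - received_ms[-1]) // settings.heartbeat_interval_ms


def should_failover(settings: HASettings, received_ms: List[int], now_ms: int) -> bool:
    """True once the missed count reaches the Failover Trigger Level."""
    return missed_heartbeats(settings, received_ms, now_ms) >= settings.failover_trigger_level


def first_failover_ms(settings: HASettings, received_ms: List[int]) -> Optional[int]:
    """Earliest time at which failover triggers if no further heartbeat arrives."""
    if not received_ms:
        return None
    return received_ms[-1] + settings.detection_time_ms()


if __name__ == "__main__":
    cfg = HASettings(heartbeat_interval_ms=1000, failover_trigger_level=4)
    # Constructed trace: heartbeats each second, then the HA link goes quiet.
    trace = [0, 1000, 2000, 3000]
    for t in (5000, 7000):
        print(t, missed_heartbeats(cfg, trace, t), should_failover(cfg, trace, t))
    print("failover at", first_failover_ms(cfg, trace), "ms")
```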

Enabling Interface Monitoring

In the Interface Monitoring section of the page, you can enable monitoring of the working interfaces to which VPN users connect.

The monitored interfaces available for selection are X0, X1, and X2. When Interface Monitoring is enabled and configured, if any of the monitored interfaces loses connectivity on the active unit and is still reachable on the idle unit, failover occurs.

To enable interface monitoring:
1. On the High Availability > Settings page under Interface Monitoring, select Enable Interface Monitor.
2. In the Monitor Interfaces list, select the interfaces that you want to monitor.
3. Click Accept.

Configuring Network Monitoring Addresses

In the Network Monitoring Address section, you can configure monitoring of the LAN and WAN IP addresses. When Network Monitoring is configured, if the LAN or WAN connection is lost on the active unit, but is reachable on the idle unit, failover occurs.

When configured, the LAN and WAN connection status is detected and displayed in the High Availability Status section at the top of the page.

To configure network monitoring:
1. On the High Availability > Settings page under Network Monitoring Address, type the LAN IP address into the LAN Monitoring Address field.
2. Type the WAN IP address into the WAN Monitoring Address field.
3. Click Accept.

Configuring Management Settings for Idle Unit

In the Management Settings for Idle Unit section of the page, you can configure management settings for the idle unit.

High Availability configuration is limited for SMA 500v Virtual Appliances. Use the High Availability > Settings page to enable High Availability on the SMA 500v Virtual Appliance, designate it as the primary or secondary unit, and select the interface. Note the following limitations when configuring management settings for an SMA 500v Virtual Appliance:

High Availability is not supported on an SMA 500v Virtual Appliance in Single Network Interface mode.
The Synchronize Firmware function is not supported for an SMA 500v Virtual Appliance.
To configure management settings for the idle unit:
1. On the High Availability > Settings page under Management Settings for Idle Unit, check Enable To Manage Idle Unit.
2. Select the management interface using the drop-down list.
3. Type the idle unit’s management IP address in the Management Address field.

NOTE: If a management IP address is not entered, the High Availability Status > Backup Status field displays as “not available,” regardless of the actual status of the unit. Enter the management IP address of the idle unit if you wish to view its status.

4. Click Accept.

Synchronizing Firmware

You can synchronize firmware from the active unit to the idle unit in the HA pair by clicking Synchronize Firmware.

This allows you to synchronize firmware between the units after upgrading the active unit to a different version.

NOTE: Synchronizing firmware on an SMA 500v Virtual Appliance is currently not supported.

Synchronizing Settings

Synchronize settings by clicking Accept. Synchronizing settings does not synchronize firmware, but synchronizes settings from the active to the idle unit.

The appliances in the HA Pair immediately begin to synchronize data from the primary to the backup unit. When failover occurs and the primary is down, the backup unit becomes Active with the same settings as the primary.

Synchronizing Licenses

To synchronize licenses between two SMA/SRA appliances in an HA pair, log in to MySonicWall.com and bind the two SMA/SRA appliances together. Both appliances share the primary unit's license information.

NOTE: There is no function in the Secure Mobile Access management interface to synchronize licenses between the two units in the HA pair; all license synchronization is controlled through MySonicWall.

Technical FAQ

1. After HA is enabled, can the idle device be used separately?

No. After HA is configured, only one device can be in use at any one time. During failover the Idle device becomes Active. Two devices in HA mode cannot be used as separate SMA/SRA appliances.

2. What happens if we remove the HA interface cable from the devices?

If you remove the HA interface cable, then the IDLE device can be re-configured to work as a standalone. However, this causes an IP conflict, as both the primary and backup devices have the same IP configuration.

3. Can the HA interface settings be amended after HA is enabled?

When HA is configured, the ‘Edit’ button for the HA interface is dimmed and disabled. So the HA interface setting cannot be changed after the devices are in HA mode.

4. Can the X0, X1 and X2 interface settings be amended after HA mode is set up?

Yes, the X0, X1 and X2 interface settings can be amended on the primary device and these new settings are copied to the backup device.

5. Can the synchronization status between the devices be viewed in the Secure Mobile Access management interface?

Yes. It can be viewed on the Active SMA/SRA in the Log > View page, where the log message “Finish synchronizing all data” appears.

6. Is there any provision to make sure that the backup device is working correctly?

Yes. There are many messages on the Log > View page regarding Active and Idle device transitions.

You can check the High Availability page for the device status; one should be ACTIVE and the other is IDLE, as indicated in the image that follows:

If the LAN and WAN monitoring IP addresses are configured in the Network Monitoring Address section, the status of those interfaces is displayed.

You can also check the Network > Interfaces page for the X3 interface status, which should be “HA Link-Connected.”

7. Are firmware and settings synchronized to the Idle unit?

Yes, both firmware and settings are synchronized between Active and Idle nodes. The Synchronize Firmware button allows you to synchronize firmware from the Active to the Idle unit. When settings are changed, clicking Accept synchronizes settings.

8. Does the HA configuration for SMA/SRA appliances differ from the HA configuration of SonicWall Inc. firewall devices?

Yes. HA configuration on a firewall is very different. Along with other items, firewall HA is also available in Active/Active state and can be assigned a virtual IP address. HA with SMA/SRA appliances is currently available only in Active/Passive mode.

9. How are settings applied to the Idle device?

Settings from the Active device are copied over to the Idle device as soon as HA configuration is complete. You can check the success of this in the active device logs.

10. What happens to the backup device settings?

The backup device settings are deleted and replaced with the primary device settings. If you wish to keep any settings from the backup device, it is recommended that you download a backup of the settings before switching to HA.

11. How do I view the status of the Backup unit?

Enter the management IP address of the idle unit into the High Availability > Settings > Management Settings For Idle Unit > Management Address text-field, then click Accept. Navigate to the High Availability Status and view the status in the Backup Status field. If the management IP address of the idle unit is not entered, the Backup Status displays as “Not Available.”

12. Can I deploy an HA pair behind a proxy?

No, SMA/SRA appliances in an HA pair cannot be deployed behind a proxy. They communicate with the backend servers directly to download signatures and so on.