
SonicOS 5.9 Admin Guide

Network

Configuring Interfaces

Network > Interfaces

The Network > Interfaces page includes interface objects that are directly linked to physical interfaces. The SonicOS scheme of interface addressing works in conjunction with network zones and address objects. The interfaces displayed on the Network > Interfaces page depend on the type of SonicWall appliance.

The page pictured below is for SonicWall NSA appliances.

Setup Wizard

The Setup Wizard button accesses the Setup Wizard. The Setup Wizard walks you through the configuration of the SonicWall security appliance for Internet connectivity. For Setup Wizard instructions, see Wizards > Setup Wizard.

Interface Settings

The Interface Settings table lists the following information for each interface:

Name - listed as X0 through X8 and W0, depending on your SonicWall security appliance model.
NOTE: The X0 and X1 gigabit interfaces are for LAN and WAN, respectively. On the TZ 210 Series, X0 and X1 are the only gigabit interfaces. X2 is the only gigabit interface for the NSA 240.
Zone - LAN, DMZ, WAN, and WLAN are listed by default. As zones are configured, the names are listed in this column.
Group - the group to which the interface belongs.
IP Address - IP address assigned to the interface.
Subnet Mask - the network mask assigned to the subnet.
IP Assignment - the main page displays one of the following types of IP assignments, based on the zone type of the interfaces:
  - Non-WAN: Static, Transparent, or Layer 2 Bridged Mode.
  - WAN: Static, DHCP, PPPoE, PPTP, or L2TP.
  - W0: Static (available on wireless appliances only)
Status - the link status and speed.
Comment - any user-defined comments.
Configure - click the Configure icon to display the Edit Interface dialog, which allows you to configure the settings for the specified interface.

Using Add Interface

The Add Interface drop-down menu is located below the Interface Settings table. You can select from the following interface types (if supported on your platform):

Virtual Interface

For conceptual and configuration information, see Physical and Virtual Interfaces and Configuring VLAN Subinterfaces (NSA series).

Tunnel Interface

This option creates a numbered tunnel interface. For more information, see Configuring a Numbered VPN Tunnel Interface.

WLAN Tunnel Interface

For information about creating a WLAN tunnel interface, see Creating a WLAN Tunnel Interface.

Interface Traffic Statistics

The Interface Traffic Statistics table lists received and transmitted information for all configured interfaces.

The following information is displayed for all SonicWall security appliance interfaces:

Name - indicates the name of the interface.
Rx Unicast Packets - indicates the number of point-to-point communications received by the interface.
Rx Broadcast Packets - indicates the number of multipoint communications received by the interface.
RX Errors - indicates the number of receiving errors on the interface.
RX Bytes - indicates the volume of data, in bytes, received by the interface.
Tx Unicast Packets - indicates the number of point-to-point communications transmitted by the interface.
Tx Broadcast Bytes - indicates the number of multipoint communications transmitted by the interface.
Tx Errors - indicates the number of transmitting errors on the interface.
Tx Bytes - indicates the volume of data, in bytes, transmitted by the interface.
Skipped DPI - indicates the number of packets that bypassed DPI inspection.

To clear the current statistics, click the Clear button in the toolbar.

Physical and Virtual Interfaces

Interfaces in SonicOS can be:

Physical interfaces – Physical interfaces are bound to a single port.
Virtual interfaces – Virtual interfaces are assigned as subinterfaces to a physical interface and allow the physical interface to carry traffic assigned to multiple interfaces.
PortShield interfaces – PortShield interfaces are a feature of the SonicWall TZ series, NSA 240, and NSA 2400MX. Any number of the LAN ports on these appliances can be combined into a single PortShield interface.

Physical Interfaces

Physical interfaces must be assigned to a zone to allow for configuration of Access Rules to govern inbound and outbound traffic. A security zone is bound to each physical interface, and the interface acts as the conduit for the zone's inbound and outbound traffic. If there is no interface, traffic cannot enter or exit the zone.

For more information on zones, see Network > Zones.

The first two interfaces, LAN and WAN, are fixed interfaces, permanently bound to the Trusted and Untrusted Zone types. The TZ series appliances can also have two special interfaces for Modem and WLAN. The remaining interfaces can be configured and bound to any Zone type, depending on your SonicWall security appliance.

Virtual Interfaces (SonicWall NSA Series Appliances)

Supported on SonicWall NSA series security appliances, virtual interfaces are subinterfaces assigned to a physical interface. Virtual interfaces allow you to have more than one interface on one physical connection.

Virtual interfaces provide many of the same features as physical interfaces, including zone assignment, DHCP Server, and NAT and Access Rule controls.

Virtual Local Area Networks (VLANs) can be described as a ‘tag-based LAN multiplexing technology’ because through the use of IP header tagging, VLANs can simulate multiple LANs within a single physical LAN. Just as two physically distinct, disconnected LANs are wholly separate from one another, so too are two different VLANs; however, the two VLANs can exist on the very same wire. VLANs require VLAN-aware networking devices to offer this kind of virtualization – switches, routers and firewalls that have the ability to recognize, process, remove and insert VLAN tags in accordance with the network’s design and security policies.

VLANs are useful for a number of different reasons, most of which are predicated on the VLANs' ability to provide logical rather than physical broadcast domain, or LAN, boundaries. This works both to segment larger physical LANs into smaller virtual LANs, and to bring physically disparate LANs together into a logically contiguous virtual LAN. The benefits of this include:

Increased performance – Creating smaller, logically partitioned broadcast domains decreases overall network utilization, sending broadcasts only where they need to be sent, thus leaving more available bandwidth for application traffic.
Decreased costs – Historically, broadcast segmentation was performed with routers, requiring additional hardware and configuration. With VLANs, the functional role of the router is reversed – rather than being used for the purposes of inhibiting communications, it is used to facilitate communications between separate VLANs as needed.
Virtual workgroups – Workgroups are logical units that commonly share information, such as a Marketing department or an Engineering department. For reasons of efficiency, broadcast domain boundaries should be created such that they align with these functional workgroups, but that is not always possible: Engineering and Marketing users might be commingled, sharing the same floor (and the same workgroup switch) in a building, or just the opposite – the Engineering team might be spread across an entire campus. Attempting to solve this with complex feats of wiring can be expensive and impossible to maintain with constant adds and moves. VLANs allow for switches to be quickly reconfigured so that logical network alignment can remain consistent with workgroup requirements.
Security – Hosts on one VLAN cannot communicate with hosts on another VLAN unless some networking device facilitates communication between them.

Subinterfaces

VLAN support on SonicOS is achieved by means of subinterfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID (tag) requires its own subinterface. For reasons of security and control, SonicOS does not participate in any VLAN trunking protocols, but instead requires that each VLAN that is to be supported be configured and assigned appropriate security characteristics.

NOTE: VLAN IDs range from 0 – 4094, with these restrictions: VLAN 0 is reserved for QoS and VLAN 1 is reserved by some switches for native VLAN designation.

NOTE: Dynamic VLAN trunking protocols, such as VTP (VLAN Trunking Protocol) or GVRP (Generic VLAN Registration Protocol), should not be used on trunk links from other devices connected to the SonicWall appliance.

Trunk links from VLAN-capable switches are supported by declaring the relevant VLAN IDs as subinterfaces on the SonicWall, and configuring them in much the same way that a physical interface would be configured. In other words, only those VLANs which are defined as subinterfaces will be handled by the SonicWall; the rest will be discarded as uninteresting. This method also allows the parent physical interface on the SonicWall to which a trunk link is connected to operate as a conventional interface, providing support for any native (untagged) VLAN traffic that might also exist on the same link. Alternatively, the parent interface may remain in an ‘unassigned’ state.

VLAN subinterfaces have most of the capabilities and characteristics of a physical interface, including zone assignability, security services, GroupVPN, DHCP server, IP Helper, routing, and full NAT policy and Access Rule controls. Features excluded from VLAN subinterfaces at this time are WAN dynamic client support and multicast support. The following table lists the maximum number of subinterfaces supported on each platform.
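
As an added illustration (not code from the guide or from SonicOS), the following Python models how a trunk link is handled when only declared VLAN IDs have subinterfaces: a tagged frame whose VLAN ID matches a configured subinterface is delivered to it, an undeclared VLAN ID is discarded as uninteresting, and an untagged (native) frame goes to the parent interface unless the parent is left unassigned. The interface names, the VLAN-to-subinterface map and the MAC addresses are constructed assumptions; check_vlan_id applies the ID restrictions from the notes above.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample configuration (not from the guide): the trunk from the switch
# lands on X1, and VLAN IDs 10 and 20 have been declared as subinterfaces of X1.
PARENT_INTERFACE = "X1"
SUBINTERFACES: Dict[int, str] = {10: "X1:V10", 20: "X1:V20"}


def check_vlan_id(vid: int) -> Optional[str]:
    """Return why a VLAN ID is unsuitable for a subinterface, or None if it is fine."""
    if not 0 <= vid <= 4094:
        return "VLAN ID must be in the range 0-4094"
    if vid == 0:
        return "VLAN 0 is reserved for QoS"
    if vid == 1:
        return "VLAN 1 is reserved by some switches for native VLAN designation"
    return None


@dataclass
class FrameDecision:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]    # None for native (untagged) frames
    ethertype: int            # EtherType of the payload after any 802.1Q tag
    interface: Optional[str]  # receiving (sub)interface; None means discarded
    reason: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def demux_frame(frame: bytes, parent_assigned: bool = True) -> FrameDecision:
    """Map an incoming Ethernet frame to a subinterface, the parent, or discard it.

    parent_assigned=False models a parent interface left in the 'unassigned' state,
    in which case untagged traffic has nowhere to go.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    dst_mac, src_mac = _mac(dst), _mac(src)
    if ethertype != ETHERTYPE_8021Q:
        if parent_assigned:
            return FrameDecision(dst_mac, src_mac, None, ethertype, PARENT_INTERFACE,
                                 "untagged frame handled by the parent interface")
        return FrameDecision(dst_mac, src_mac, None, ethertype, None,
                             "parent interface unassigned; untagged frame discarded")
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF  # the low 12 bits of the Tag Control Information are the VLAN ID
    sub = SUBINTERFACES.get(vid)
    if sub is None:
        return FrameDecision(dst_mac, src_mac, vid, inner_type, None,
                             f"VLAN {vid} has no subinterface; discarded as uninteresting")
    return FrameDecision(dst_mac, src_mac, vid, inner_type, sub,
                         f"VLAN {vid} delivered to subinterface {sub}")


def build_frame(dst: bytes, src: bytes, ethertype: int, vid: Optional[int] = None,
                payload: bytes = b"") -> bytes:
    """Build a constructed test frame; with vid set, insert an 802.1Q tag (PCP 0, DEI 0)."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed MAC addresses for the sample frames.
SWITCH_MAC = bytes.fromhex("0011223344aa")
HOST_MAC = bytes.fromhex("0011223344bb")

if __name__ == "__main__":
    for vid in (None, 10, 30):
        frame = build_frame(SWITCH_MAC, HOST_MAC, ETHERTYPE_IPV4, vid, b"\x45" + b"\x00" * 19)
        d = demux_frame(frame)
        print(vid, d.interface, d.reason)
```

The discard of undeclared VLAN IDs is what the text means by "the rest will be discarded as uninteresting": nothing about a VLAN reaches the packet handler unless an administrator has created a subinterface for it, which is also why the guide warns against relying on VTP or GVRP to introduce VLANs dynamically.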

 

Maximum Number of Subinterfaces Supported by Platform

Platform      Number of Subinterfaces Supported
NSA 240       10
NSA 2400      25
NSA 3500      50
NSA 4500      200
NSA E5000     300
NSA E5500     400
NSA E6500     500
NSA E7500     512

SonicOS Secure Objects

The SonicOS scheme of interface addressing works in conjunction with network zones and address objects. This structure is based on secure objects, which are utilized by rules and policies within SonicOS.

Secured objects include interface objects that are directly linked to physical interfaces and managed in the Network > Interfaces page. Address objects are defined in the Network > Address Objects page. Service and Scheduling objects are defined in the Firewall section of the SonicWall security appliance Management Interface, and User objects are defined in the Users section of the SonicWall security appliance Management Interface.

Zones are the hierarchical apex of the SonicOS secure objects architecture. SonicOS includes predefined zones and also allows you to define your own zones. Predefined zones include LAN, DMZ, WAN, WLAN, and Custom. Zones can include multiple interfaces; however, the WAN zone is restricted to a total of two interfaces. Within the WAN zone, either one or both WAN interfaces can be actively passing traffic depending on the WAN Failover and Load Balancing configuration on the Network > WAN Failover & LB page.

For more information on WAN Failover and Load Balancing on the SonicWall security appliance, see Network > Failover & Load Balancing.

At the zone configuration level, the Allow Interface Trust setting for zones automates the processes involved in creating a permissive intra-zone Access Rule. It creates a comprehensive Address Object for the entire zone and an inclusively permissive Access Rule from zone addresses to zone addresses.

Transparent Mode

Transparent Mode in SonicOS uses interfaces as the top level of the management hierarchy. Transparent Mode supports unique addressing and interface routing.

NOTE: Transparent Mode is not supported with CASS at this time.

Layer 2 Bridge Mode

NOTE: Layer 2 Bridge Mode is not supported with CASS at this time.

SonicOS firmware versions 4.0 and higher include L2 (Layer 2) Bridge Mode, a new method of unobtrusively integrating a SonicWall security appliance into any Ethernet network. L2 Bridge Mode is ostensibly similar to SonicOS’s Transparent Mode in that it enables a SonicWall security appliance to share a common subnet across two interfaces, and to perform stateful and deep-packet inspection on all traversing IP traffic, but it is functionally more versatile.

In particular, L2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration. Using L2 Bridge Mode, a SonicWall security appliance can be non-disruptively added to any Ethernet network to provide in-line deep-packet inspection for all traversing IPv4 TCP and UDP traffic. In this scenario the SonicWall network security appliance is not used for security enforcement, but instead for bidirectional scanning, blocking viruses and spyware, and stopping intrusion attempts.

Unlike other transparent solutions, L2 Bridge Mode can pass all traffic types, including IEEE 802.1Q VLANs (on SonicWall NSA appliances), Spanning Tree Protocol, multicast, broadcast, and IPv6, ensuring that all network communications will continue uninterrupted.

Another aspect of the versatility of L2 Bridge Mode is that you can use it to configure IPS Sniffer Mode. Supported on SonicWall NSA series appliances, IPS Sniffer Mode uses a single interface of a Bridge-Pair to monitor network traffic from a mirrored port on a switch. IPS Sniffer Mode provides intrusion detection, but cannot block malicious traffic because the SonicWall security appliance is not connected inline with the traffic flow. For more information about IPS Sniffer Mode, see IPS Sniffer Mode (SonicWall NSA series appliances).

L2 Bridge Mode provides an ideal solution for networks that already have an existing firewall, and do not have immediate plans to replace their existing firewall but wish to add the security of SonicWall deep-packet inspection, such as Intrusion Prevention Services, Gateway Anti Virus, and Gateway Anti Spyware. If you do not have SonicWall security services subscriptions, you may sign up for free trials from the Security Service > Summary page of your SonicWall appliance.

You can also use L2 Bridge Mode in a High Availability deployment. This scenario is explained in Layer 2 Bridge Mode with High Availability (SonicWall NSA series appliances).

Key Features of SonicOS Layer 2 Bridge Mode

 

Layer 2 Bridge Mode Features and Benefits

L2 Bridging with Deep Packet Inspection - This method of transparent operation means that a SonicWall security appliance can be added to any network without the need for readdressing or reconfiguration, enabling the addition of deep-packet inspection security services with no disruption to existing network designs. Developed with connectivity in mind as much as security, L2 Bridge Mode can pass all Ethernet frame types, ensuring seamless integration.
Secure Learning Bridge Architecture - True L2 behavior means that all allowed traffic flows natively through the L2 Bridge. Whereas other methods of transparent operation rely on ARP and route manipulation to achieve transparency, which frequently proves problematic, L2 Bridge Mode dynamically learns the topology of the network to determine optimal traffic paths.
Universal Ethernet Frame-Type Support - All Ethernet traffic can be passed across an L2 Bridge, meaning that all network communications will continue uninterrupted. While many other methods of transparent operation will only support IPv4 traffic, L2 Bridge Mode will inspect all IPv4 traffic, and will pass (or block, if desired) all other traffic, including LLC, all Ethertypes, and even proprietary frame formats.
Mixed-Mode Operation - L2 Bridge Mode can concurrently provide L2 Bridging and conventional security appliance services, such as routing, NAT, VPN, and wireless operations. This means it can be used as an L2 Bridge for one segment of the network, while providing a complete set of security services to the remainder of the network. This also allows for the introduction of the SonicWall security appliance as a pure L2 bridge, with a smooth migration path to full security services operation.
Wireless Layer 2 Bridging - Use a single IP subnet across multiple zone types, including LAN, WLAN, DMZ, or custom zones. This feature allows wireless and wired clients to seamlessly share the same network resources, including DHCP addresses. The Layer 2 protocol can run between paired interfaces, allowing multiple traffic types to traverse the bridge, including broadcast and non-IP packets.

Key Concepts to Configuring L2 Bridge Mode and Transparent Mode

L2 Bridge Mode – A method of configuring SonicWall security appliance, which enables the SonicWall to be inserted inline into an existing network with absolute transparency, beyond even that provided by Transparent Mode. Layer 2 Bridge Mode also refers to the IP Assignment configuration that is selected for Secondary Bridge Interfaces that are placed into a Bridge-Pair.
Transparent Mode – A method of configuring a SonicWall security appliance that allows the SonicWall to be inserted into an existing network without the need for IP reconfiguration by spanning a single IP subnet across two or more interfaces through the use of automatically applied ARP and routing logic.
IP Assignment – When configuring a Trusted (LAN) or Public (DMZ) interface, the IP Assignment for the interface can either be:
Static – The IP address for the interface is manually entered.
Transparent Mode – The IP address(es) for the interface is assigned using an Address Object (Host, Range, or Group) that falls within the WAN Primary IP subnet, effectively spanning the subnet from the WAN interface to the assigned interface.
Layer 2 Bridge Mode – An interface placed in this mode becomes the Secondary Bridge Interface to the Primary Bridge Interface to which it is paired. The resulting Bridge-Pair will then behave like a two-port learning bridge with full L2 transparency, and all IP traffic that passes through will be subjected to full stateful failover and deep packet inspection.
Bridge-Pair – The logical interface set composed of a Primary Bridge Interface and a Secondary Bridge Interface. The terms primary and secondary do not imply any inherent level of operational dominance or subordination; both interfaces continue to be treated according to their zone type, and to pass IP traffic according to their configured Access Rules. Non-IPv4 traffic across the Bridge-Pair is controlled by the Block all non-IPv4 traffic setting on the Secondary Bridge Interface. A system may support as many Bridge Pairs as it has interface pairs available. In other words, the maximum number of Bridge-Pairs is equal to ½ the number of physical interfaces on the platform. Membership in a Bridge-Pair does not preclude an interface from conventional behavior; for example, if X1 is configured as a Primary Bridge Interface paired to X3 as a Secondary Bridge Interface, X1 can simultaneously operate in its traditional role as the Primary WAN, performing NAT for Internet-bound traffic through the Auto-added X1 Default NAT Policy.
Primary Bridge Interface – A designation that is assigned to an interface once a Secondary Bridge Interface has been paired to it. A Primary Bridge Interface can belong to an Untrusted (WAN), Trusted (LAN), or Public (DMZ) zone.
Secondary Bridge Interface – A designation that is assigned to an interface whose IP Assignment has been configured for Layer 2 Bridge Mode. A Secondary Bridge Interface can belong to a Trusted (LAN), or Public (DMZ) zone.
Bridge Management Address – The address of the Primary Bridge Interface is shared by both interfaces of the Bridge-Pair. If the Primary Bridge Interface also happens to be the Primary WAN interface, it is this address that is used for outbound communications by the SonicWall, such as NTP and License Manager updates. Hosts that are connected to either segment of the Bridge-Pair may also use the Bridge Management Address as their gateway, as will be common in Mixed-Mode deployments.
Bridge-Partner – The term used to refer to the ‘other’ member of a Bridge-Pair.
Non-IPv4 Traffic - SonicOS supports the following IP protocol types: ICMP (1), IGMP (2), TCP (6), UDP (17), GRE (47), ESP (50), AH (51), EIGRP (88), OSPF (89), PIM-SM (103), L2TP (115). More esoteric IP types, such as Combat Radio Transport Protocol (126), are not natively handled by the SonicWall, nor are non-IPv4 traffic types such as IPX or (currently) IPv6. L2 Bridge Mode can be configured to either pass or drop Non-IPv4 traffic.
Captive-Bridge Mode – This optional mode of L2 Bridge operation prevents traffic that has entered an L2 bridge from being forwarded to a non-Bridge-Pair interface. By default, L2 Bridge logic will forward traffic that has entered the L2 Bridge to its destination along the most optimal path as determined by ARP and routing tables. In some cases, the most optimal path might involve routing or NATing to a non-Bridge-Pair interface. Activating Captive-Bridge mode ensures that traffic which enters an L2 Bridge exits the L2 Bridge rather than taking its most logically optimal path. In general, this mode of operation is only required in complex networks with redundant paths, where strict path adherence is required. Captive-Bridge Mode is enabled by selecting the Never route traffic on this bridge-pair check box on the Edit Interface window.
Pure L2 Bridge Topology – Refers to deployments where the SonicWall will be used strictly in L2 Bridge Mode for the purposes of providing in-line security to a network. This means that all traffic entering one side of the Bridge-Pair will be bound for the other side, and will not be routed/NATed through a different interface. This will be common in cases where there is an existing perimeter security appliance, or where in-line security is desired along some path (for example, inter-departmentally, or on a trunked link between two switches) of an existing network. Pure L2 Bridge Topology is not a functional limitation, but rather a topological description of a common deployment in heterogeneous environments.
Mixed-Mode Topology – Refers to deployments where the Bridge-Pair will not be the only point of ingress/egress through the SonicWall. This means that traffic entering one side of the Bridge-Pair may be destined to be routed/NATed through a different interface. This will be common when the SonicWall is simultaneously used to provide security to one or more Bridge-Pairs while also providing:
  - Perimeter security, such as WAN connectivity, to hosts on the Bridge-Pair or on other interfaces.
  - Firewall and Security services to additional segments, such as Trusted (LAN) or Public (DMZ) interfaces, where communications will occur between hosts on those segments and hosts on the Bridge-Pair.
  - Wireless services with SonicPoints, where communications will occur between wireless clients and hosts on the Bridge-Pair.

Comparing L2 Bridge Mode to Transparent Mode

While Transparent Mode allows a security appliance running SonicOS to be introduced into an existing network without the need for re-addressing, it presents a certain level of disruptiveness, particularly with regard to ARP, VLAN support, multiple subnets, and non-IPv4 traffic types. Consider a scenario where a Transparent Mode SonicWall appliance has just been added to the network with a goal of minimally disruptive integration, particularly:

Negligible or no unscheduled downtime
No need to re-address any portion of the network
No need to reconfigure or otherwise modify the gateway router (as is common when the router is owned by the ISP)

ARP in Transparent Mode

Address Resolution Protocol (ARP) is the mechanism by which unique hardware addresses on network interface cards are associated with IP addresses, and it is proxied in Transparent Mode. If the Workstation or Server on the left had previously resolved the Router (192.168.0.1) to its MAC address 00:99:10:10:10:10, this cached ARP entry would have to be cleared before these hosts could communicate through the SonicWall. This is because the SonicWall proxies (or answers on behalf of) the gateway’s IP (192.168.0.1) for hosts connected to interfaces operating in Transparent Mode. So when the Workstation at the left attempts to resolve 192.168.0.1, the ARP request it sends is answered by the SonicWall with its own X0 MAC address (00:06:B1:10:10:10).

The SonicWall also proxy ARPs the IP addresses specified in the Transparent Range (192.168.0.100 to 192.168.0.250) assigned to an interface in Transparent Mode for ARP requests received on the X1 (Primary WAN) interface. If the Router had previously resolved the Server (192.168.0.100) to its MAC address 00:AA:BB:CC:DD:EE, this cached ARP entry would have to be cleared before the router could communicate with the host through the SonicWall. This typically requires a flushing of the router’s ARP cache either from its management interface or through a reboot. Once the router’s ARP cache is cleared, it can then send a new ARP request for 192.168.0.100, to which the SonicWall will respond with its X1 MAC 00:06:B1:10:10:11.
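
The proxy-ARP behaviour described above, as an added Python example that is not part of the guide: it answers the two questions an operator faces at insertion time, namely which ARP requests the appliance will answer on which interface, and which cached entries on the workstation and on the router are therefore stale and must be flushed. The gateway address, the Transparent Range and the MAC addresses are the ones used in the text; the function names and the cache dictionaries are constructed.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# Addresses from the guide's Transparent Mode example: X0 faces the LAN hosts, X1 is
# the Primary WAN facing the router, and 192.168.0.100-192.168.0.250 is the
# Transparent Range assigned to X0.
GATEWAY_IP = IPv4Address("192.168.0.1")
X0_MAC = "00:06:B1:10:10:10"
X1_MAC = "00:06:B1:10:10:11"
TRANSPARENT_RANGE = (IPv4Address("192.168.0.100"), IPv4Address("192.168.0.250"))


def in_transparent_range(ip: IPv4Address) -> bool:
    low, high = TRANSPARENT_RANGE
    return low <= ip <= high


def proxy_arp_reply(ingress: str, target_ip: IPv4Address) -> Optional[str]:
    """MAC the appliance answers an ARP request with, or None if it does not proxy it.

    On X0 (the Transparent Mode interface) it answers for the gateway; on X1 (the
    Primary WAN) it answers for every address in the Transparent Range.
    """
    if ingress == "X0" and target_ip == GATEWAY_IP:
        return X0_MAC
    if ingress == "X1" and in_transparent_range(target_ip):
        return X1_MAC
    return None


def stale_entries(arp_cache: Dict[str, str], host_side: str) -> Dict[str, Tuple[str, str]]:
    """Cached ARP entries (ip -> mac) a host must flush before traffic flows through the appliance.

    host_side is the appliance interface on which that host's ARP requests arrive.
    Returns ip -> (cached MAC, MAC the appliance would now answer with).
    """
    stale: Dict[str, Tuple[str, str]] = {}
    for ip, cached in arp_cache.items():
        expected = proxy_arp_reply(host_side, IPv4Address(ip))
        if expected is not None and expected.lower() != cached.lower():
            stale[ip] = (cached, expected)
    return stale


if __name__ == "__main__":
    # Constructed pre-insertion caches, using the real MAC addresses from the guide.
    workstation_cache = {"192.168.0.1": "00:99:10:10:10:10"}  # router's own MAC
    router_cache = {"192.168.0.100": "00:AA:BB:CC:DD:EE"}      # server's own MAC
    print("workstation must flush:", stale_entries(workstation_cache, "X0"))
    print("router must flush:", stale_entries(router_cache, "X1"))
```

Note that a request for a Transparent Range address arriving on X0 gets no proxy reply: hosts on the X0 segment resolve each other directly, and only the gateway is answered for on that side.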

VLAN Support in Transparent Mode

While the network depicted in the above diagram is simple, it is not uncommon for larger networks to use VLANs for segmentation of traffic. If this were such a network, where the link between the switch and the router was a VLAN trunk, a Transparent Mode SonicWall would have been able to terminate the VLANs to subinterfaces on either side of the link, but it would have required unique addressing; that is, non-Transparent Mode operation requiring re-addressing on at least one side. This is because only the Primary WAN interface can be used as the source for Transparent Mode address space.

Multiple Subnets in Transparent Mode

It is also common for larger networks to employ multiple subnets, be they on a single wire, on separate VLANs, multiple wires, or some combination. While Transparent Mode is capable of supporting multiple subnets through the use of Static ARP and Route entries, it is not an effortless process.

Non-IPv4 Traffic in Transparent Mode

Transparent Mode will drop (and generally log) all non-IPv4 traffic, precluding it from passing other traffic types, such as IPX, or unhandled IP types.

L2 Bridge Mode addresses these common Transparent Mode deployment issues and is described in the following section.

Simple Transparent Mode Topology

ARP in L2 Bridge Mode

L2 Bridge Mode employs a learning bridge design where it will dynamically determine which hosts are on which interface of an L2 Bridge (referred to as a Bridge-Pair). ARP is passed through natively, meaning that a host communicating across an L2 Bridge will see the actual host MAC addresses of their peers. For example, the Workstation communicating with the Router (192.168.0.1) sees the router as 00:99:10:10:10:10, and the Router sees the Workstation (192.168.0.100) as 00:AA:BB:CC:DD:EE.

This behavior allows for a SonicWall operating in L2 Bridge Mode to be introduced into an existing network with no disruption to most network communications other than that caused by the momentary discontinuity of the physical insertion.

NOTE: Stream-based TCP protocol communications (for example, an FTP session between a client and a server) will need to be re-established upon the insertion of an L2 Bridge Mode SonicWall. This is by design so as to maintain the security afforded by stateful packet inspection (SPI); as the SPI engine cannot have knowledge of the TCP connections that pre-existed it, it drops these established packets with a log event such as TCP packet received on non-existent/closed connection; TCP packet dropped.

VLAN Support in L2 Bridge Mode (SonicWall NSA Series Appliances)

On SonicWall NSA series appliances, L2 Bridge Mode provides fine control over 802.1Q VLAN traffic traversing an L2 Bridge. The default handling of VLANs is to allow and preserve all 802.1Q VLAN tags as they pass through an L2 Bridge, while still applying all firewall rules, and stateful and deep-packet inspection to the encapsulated traffic. It is further possible to specify white/black lists for allowed/disallowed VLAN IDs through the L2 Bridge.

This allows a SonicWall operating in L2 Bridge Mode to be inserted, for example, inline into a VLAN trunk carrying any number of VLANs, and to provide full security services to all IPv4 traffic traversing the VLAN without the need for explicit configuration of any of the VLAN IDs or subnets. Firewall Access Rules can also, optionally, be applied to all VLAN traffic passing through the L2 Bridge Mode because of the method of handling VLAN traffic.

Layer 2 Bridge IP Packet Path

The following sequence of events describes the above flow diagram:

1. An 802.1Q encapsulated frame enters an L2 Bridge interface (this first step, the next step, and the final step apply only to 802.1Q VLAN traffic, supported on SonicWall NSA series appliances).
2. The 802.1Q VLAN ID is checked against the VLAN ID white/black list:
   - If the VLAN ID is disallowed, the packet is dropped and logged.
   - If the VLAN ID is allowed, the packet is de-capsulated, the VLAN ID is stored, and the inner packet (including the IP header) is passed through the full packet handler.
3. As any number of subnets is supported by L2 Bridging, no source IP spoof checking is performed on the source IP of the packet. It is possible to configure L2 Bridges to only support a certain subnet or subnets using Firewall Access Rules.
4. SYN Flood checking is performed.
5. A destination route lookup is performed to the destination zone, so that the appropriate Firewall Access Rule can be applied. Any zone is a valid destination, including the same zone as the source zone (for example, LAN to LAN), the Untrusted zone (WAN), the Encrypted (VPN), Wireless (WLAN), Multicast, or custom zones of any type.
6. A NAT lookup is performed and applied, as needed.
   - In general, the destination for packets entering an L2 Bridge will be the Bridge-Partner interface (that is, the other side of the bridge). In these cases, no translation is performed.
   - In cases where the L2 Bridge Management Address is the gateway, as will sometimes be the case in Mixed-Mode topologies, NAT will be applied as needed (see the L2 Bridge Path Determination section for more details).
7. Firewall Access Rules are applied to the packet. For example, on SonicWall NSA series appliances, the following packet decode shows an ICMP packet bearing VLAN ID 10, source IP address 110.110.110.110 destined for IP address 4.2.2.1.

   It is possible to construct a Firewall Access Rule to control any IP packet, independent of its VLAN membership, by any of its IP elements, such as source IP, destination IP, or service type. If the packet is disallowed, it will be dropped and logged. If the packet is allowed, it will continue.

8. A connection cache entry is made for the packet, and required NAT translations (if any) are performed.
9. Stateful packet inspection and transformations are performed for TCP, VoIP, FTP, MSN, Oracle, RTSP and other media streams, PPTP and L2TP. If the packet is disallowed, it will be dropped and logged. If the packet is allowed, it will continue.
10. Deep packet inspection, including GAV, IPS, Anti-Spyware, CFS and email filtering, is performed. If the packet is disallowed, it will be dropped and logged. If the packet is allowed, it will continue. Client notification will be performed as configured.
11. If the packet is destined for the Encrypted zone (VPN), the Untrusted zone (WAN), or some other connected interface (the last two of which might be the case in Mixed-Mode Topologies), the packet will be sent via the appropriate path.
12. If the packet is not destined for the VPN/WAN/Connected interface, the stored VLAN tag will be restored, and the packet (again bearing the original VLAN tag) will be sent out the Bridge-Partner interface.
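
To make the twelve steps concrete, here is an added Python model of the packet path (example code, not the guide's or SonicOS's own logic). It applies the VLAN white/black list, the route lookup that picks the destination zone, the NAT decision that depends on whether the packet is bridged to the partner or routed off the Bridge-Pair, first-match Access Rules with default deny, the Captive-Bridge override from the Key Concepts section, and the VLAN tag restore at egress; spoof checking, SYN flood checking, stateful and deep packet inspection are noted in comments but not modelled. The Bridge-Pair X2/X3, the WAN address 203.0.113.10, the route table and the rules are constructed assumptions; the sample packet is the guide's ICMP/VLAN 10 example.

```python
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    ingress: str            # interface the frame arrived on
    src_ip: IPv4Address
    dst_ip: IPv4Address
    protocol: int           # IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
    vlan_id: Optional[int]  # 802.1Q VLAN ID, None if the frame was untagged


@dataclass
class BridgeConfig:
    primary: str                                    # Primary Bridge Interface
    secondary: str                                  # Secondary Bridge Interface
    zone_of: Dict[str, str]                         # interface -> zone
    routes: List[Tuple[IPv4Network, str]]           # (prefix, egress interface)
    access_rules: List[Tuple[str, str, int, bool]]  # (src zone, dst zone, proto or 0=any, allow)
    nat_ip: Dict[str, IPv4Address]                  # interfaces that source-NAT routed traffic
    allowed_vlans: Optional[Set[int]] = None        # white list; None = allow every VLAN ID
    blocked_vlans: Set[int] = field(default_factory=set)  # black list
    captive: bool = False                           # "Never route traffic on this bridge-pair"


@dataclass
class Decision:
    action: str                     # "forward" or "drop"
    egress: Optional[str]
    vlan_tag: Optional[int]         # tag restored on the outgoing frame, if any
    nat_src: Optional[IPv4Address]  # translated source address when NAT applied
    log: List[str]


def make_packet(ingress, src, dst, protocol, vlan_id=None) -> Packet:
    return Packet(ingress, IPv4Address(src), IPv4Address(dst), protocol, vlan_id)


def lookup_route(cfg: BridgeConfig, dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match over the route table; None when nothing matches."""
    best = None
    for prefix, egress in cfg.routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best[1] if best else None


def process(pkt: Packet, cfg: BridgeConfig) -> Decision:
    log: List[str] = []
    partner = cfg.secondary if pkt.ingress == cfg.primary else cfg.primary
    # Steps 1-2: VLAN ID white/black list. A disallowed ID is dropped and logged; an
    # allowed one is stored so the tag can be put back on the frame at egress.
    if pkt.vlan_id is not None:
        blocked = pkt.vlan_id in cfg.blocked_vlans or (
            cfg.allowed_vlans is not None and pkt.vlan_id not in cfg.allowed_vlans)
        if blocked:
            return Decision("drop", None, None, None, log + [f"VLAN {pkt.vlan_id} disallowed"])
        log.append(f"VLAN {pkt.vlan_id} allowed; tag stored, inner IP packet inspected")
    # Step 3: no source-IP spoof check (any subnet may appear on the bridge).
    # Step 4: SYN flood checking is not modelled here.
    # Step 5: the route lookup selects the destination zone; no matching route, or a route
    # pointing at either side of the Bridge-Pair, means the packet is bridged to the partner.
    egress = lookup_route(cfg, pkt.dst_ip) or partner
    if egress in (cfg.primary, cfg.secondary):
        egress = partner
    if cfg.captive and egress != partner:
        log.append("captive-bridge mode: egress forced back to the Bridge-Partner")
        egress = partner
    src_zone, dst_zone = cfg.zone_of[pkt.ingress], cfg.zone_of[egress]
    # Step 6: NAT applies only when the packet is routed off the Bridge-Pair.
    nat_src = None if egress == partner else cfg.nat_ip.get(egress)
    # Step 7: Firewall Access Rules, first match wins, default deny.
    allowed = False
    for rule_src, rule_dst, proto, allow in cfg.access_rules:
        if rule_src == src_zone and rule_dst == dst_zone and proto in (0, pkt.protocol):
            allowed = allow
            break
    if not allowed:
        return Decision("drop", None, None, None, log + [f"rule denied {src_zone} -> {dst_zone}"])
    # Steps 8-10: connection cache, stateful and deep packet inspection are not modelled.
    # Steps 11-12: routed traffic leaves untagged via the chosen interface; bridged traffic
    # leaves via the Bridge-Partner with the original VLAN tag restored.
    tag = pkt.vlan_id if egress == partner else None
    log.append(f"forwarded out {egress} ({dst_zone})")
    return Decision("forward", egress, tag, nat_src, log)


# Constructed sample configurations (not from the guide): Bridge-Pair X2/X3 in the LAN
# zone, X1 as Primary WAN with a constructed documentation address.
PURE_L2 = BridgeConfig(
    primary="X2", secondary="X3", zone_of={"X2": "LAN", "X3": "LAN", "X1": "WAN"},
    routes=[(IPv4Network("192.168.0.0/24"), "X2")], access_rules=[("LAN", "LAN", 0, True)],
    nat_ip={"X1": IPv4Address("203.0.113.10")}, blocked_vlans={99})
MIXED_MODE = replace(PURE_L2, routes=PURE_L2.routes + [(IPv4Network("0.0.0.0/0"), "X1")],
                     access_rules=PURE_L2.access_rules + [("LAN", "WAN", 1, True)])
CAPTIVE = replace(MIXED_MODE, captive=True)

# The guide's example packet: ICMP on VLAN 10 from 110.110.110.110 to 4.2.2.1.
SAMPLE = make_packet("X2", "110.110.110.110", "4.2.2.1", 1, 10)
```

Running process(SAMPLE, cfg) against the three configurations shows the three outcomes the text describes: in the pure L2 topology the packet is bridged to X3 with its VLAN 10 tag restored and no NAT; in the mixed-mode topology the default route sends it out X1 untagged with the source translated to the WAN address; with Captive-Bridge Mode enabled the same mixed-mode configuration forces it back to X3 as in the pure case.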
Multiple Subnets in L2 Bridge Mode

L2 Bridge Mode is capable of handling any number of subnets across the bridge, as described above. The default behavior is to allow all subnets, but Access Rules can be applied to control traffic as needed.

Non-IPv4 Traffic in L2 Bridge Mode

Unsupported traffic will, by default, be passed from one L2 Bridge interface to the Bridge-Partner interface. This allows the SonicWall to pass other traffic types, including LLC packets such as Spanning Tree, and other EtherTypes, such as MPLS label switched packets (EtherType 0x8847), AppleTalk (EtherType 0x809b), and the ever-popular Banyan Vines (EtherType 0xbad). These non-IPv4 packets will only be passed across the Bridge; they will not be inspected or controlled by the packet handler. If these traffic types are not needed or desired, the bridging behavior can be changed by enabling the Block all non-IPv4 traffic option on the Secondary Bridge Interface configuration page.

Comparison of L2 Bridge Mode to Transparent Mode

For each attribute, the first entry describes Layer 2 Bridge Mode and the second describes Transparent Mode.

Layer of Operation
Layer 2 Bridge Mode: Layer 2 (MAC)
Transparent Mode: Layer 3 (IP)

ARP behavior
Layer 2 Bridge Mode: ARP (Address Resolution Protocol) information is unaltered. MAC addresses natively traverse the L2 bridge. Packets that are destined for SonicWall’s MAC addresses will be processed, others will be passed, and the sources and destinations will be learned and cached.
Transparent Mode: ARP is proxied by the interfaces operating in Transparent Mode.

Path determination
Layer 2 Bridge Mode: Hosts on either side of a Bridge-Pair are dynamically learned. There is no need to declare interface affinities.
Transparent Mode: The Primary WAN interface is always the master ingress/egress point for Transparent Mode traffic, and for subnet space determination. Hosts transparently sharing this subnet space must be explicitly declared through the use of Address Object assignments.

Maximum interfaces
Layer 2 Bridge Mode: Two interfaces, a Primary Bridge Interface and a Secondary Bridge Interface.
Transparent Mode: Two or more interfaces. The master interface is always the Primary WAN. There can be as many transparent subordinate interfaces as there are interfaces available.

Maximum pairings
Layer 2 Bridge Mode: The maximum number of Bridge-Pairs allowed is limited only by available physical interfaces. This can be described as “many One-to-One pairings”.
Transparent Mode: Transparent Mode only allows the Primary WAN subnet to be spanned to other interfaces, although it allows for multiple interfaces to simultaneously operate as transparent partners to the Primary WAN. This can be described as “a single One-to-One” or “a single One-to-Many pairing”.

Zone restrictions
Layer 2 Bridge Mode: The Primary Bridge Interface can be Untrusted, Trusted, or Public. The Secondary Bridge Interface can be Trusted or Public.
Transparent Mode: Interfaces in a Transparent Mode pair must consist of one Untrusted interface (the Primary WAN, as the master of the pair’s subnet) and one or more Trusted/Public interfaces (for example, LAN or DMZ).

Subnets supported
Layer 2 Bridge Mode: Any number of subnets is supported. Firewall Access Rules can be written to control traffic to/from any of the subnets as needed.
Transparent Mode: In its default configuration, Transparent Mode only supports a single subnet (that which is assigned to, and spanned from, the Primary WAN). It is possible to manually add support for additional subnets through the use of ARP entries and routes.

Non-IPv4 Traffic
Layer 2 Bridge Mode: All non-IPv4 traffic, by default, is bridged from one Bridge-Pair interface to the Bridge-Partner interface, unless disabled on the Secondary Bridge Interface configuration page. This includes IPv6 traffic, STP (Spanning Tree Protocol), and unrecognized IP types.
Transparent Mode: Non-IPv4 traffic is not handled by Transparent Mode, and is dropped and logged.

VLAN traffic
Layer 2 Bridge Mode: VLAN traffic is passed through the L2 Bridge, and is fully inspected by the Stateful and Deep Packet Inspection engines.
Transparent Mode: VLAN subinterfaces can be created and can be given Transparent Mode Address Object assignments, but the VLANs will be terminated by the SonicWall rather than passed.

VLAN subinterfaces
Layer 2 Bridge Mode: VLAN subinterfaces can be configured on Bridge-Pair interfaces, but they will be passed through the bridge to the Bridge-Partner unless the destination IP address in the VLAN frame matches the IP address of the VLAN subinterface on the SonicWall, in which case it will be processed (for example, as management traffic).
Transparent Mode: VLAN subinterfaces can be assigned to physical interfaces operating in Transparent Mode, but their mode of operation will be independent of their parent. These VLAN subinterfaces can also be given Transparent Mode Address Object assignments, but in any event VLAN subinterfaces will be terminated rather than passed.

PortShield interfaces
Layer 2 Bridge Mode: PortShield interfaces cannot be assigned to either interface of an L2 Bridge Pair.
Transparent Mode: PortShield interfaces may be assigned a Transparent Mode range.

Dynamic addressing
Layer 2 Bridge Mode: Although a Primary Bridge Interface may be assigned to the WAN zone, only static addressing is allowable for Primary Bridge Interfaces.
Transparent Mode: Although Transparent Mode employs the Primary WAN as a master interface, only static addressing is allowable for Transparent Mode.

VPN support
Layer 2 Bridge Mode: VPN operation is supported with one additional route configured. See VPN Integration with Layer 2 Bridge Mode for details.
Transparent Mode: VPN operation is supported with no special configuration requirements.

DHCP support
Layer 2 Bridge Mode: DHCP can be passed through a Bridge-Pair.
Transparent Mode: Interfaces operating in Transparent Mode can provide DHCP services, or they can pass DHCP using IP Helper.

Routing and NAT
Layer 2 Bridge Mode: Traffic will be intelligently routed in/out of the L2 Bridge-Pair from/to other paths. By default, traffic will not be NATed from one Bridge-Pair interface to the Bridge-Partner, but it can be NATed to other paths, as needed. Custom routes and NAT policies can be added as needed.
Transparent Mode: Traffic will be intelligently routed from/to other paths. By default, traffic will not be NATed from/to the WAN to/from the Transparent Mode interface, but it can be NATed to other paths, as needed. Custom routes and NAT policies can be added as needed.

Stateful Packet Inspection
Layer 2 Bridge Mode: Full stateful packet inspection will be applied to all IPv4 traffic traversing the L2 Bridge for all subnets, including VLAN traffic on SonicWall NSA series appliances.
Transparent Mode: Full stateful packet inspection will be applied to traffic from/to the subnets defined by Transparent Mode Address Object assignment.

Security services
Layer 2 Bridge Mode: All security services (GAV, IPS, Anti-Spyware, CFS) are fully supported, for all regular IP traffic as well as all 802.1Q encapsulated VLAN traffic.
Transparent Mode: All security services (GAV, IPS, Anti-Spyware, CFS) are fully supported from/to the subnets defined by Transparent Mode Address Object assignment.

Broadcast traffic
Layer 2 Bridge Mode: Broadcast traffic is passed from the receiving Bridge-Pair interface to the Bridge-Partner interface.
Transparent Mode: Broadcast traffic is dropped and logged, with the possible exception of NetBIOS, which can be handled by IP Helper.

Multicast traffic
Layer 2 Bridge Mode: Multicast traffic is inspected and passed across L2 Bridge-Pairs provided that Multicast has been activated on the Firewall > Multicast page. It is not dependent upon IGMP messaging, nor is it necessary to enable multicast support on the individual interfaces.
Transparent Mode: Multicast traffic, with IGMP dependency, is inspected and passed by Transparent Mode provided that Multicast has been activated on the Firewall > Multicast page, and multicast support has been enabled on the relevant interfaces.

Benefits of Transparent Mode over L2 Bridge Mode

The following are circumstances in which Transparent Mode might be preferable over L2 Bridge Mode:

Two interfaces are the maximum allowed in an L2 Bridge Pair. If more than two interfaces are required to operate on the same subnet, Transparent Mode should be considered.
PortShield interfaces may not operate within an L2 Bridge Pair. If PortShield interfaces are required to operate on the same subnet, Transparent Mode should be considered.
VLAN subinterfaces, supported on SonicWall NSA series appliances, may not operate within an L2 Bridge Pair. If VLAN subinterfaces are required to operate on the same subnet, Transparent Mode should be considered. It is, however, possible to configure a VLAN subinterface on an interface that is part of a Bridge-Pair; the subinterface will simply operate independently on the Bridge-Pair in every respect.
Comparing L2 Bridge Mode to the CSM Appliance

L2 Bridge Mode is more similar in function to the CSM than it is to Transparent Mode, but it differs from the current CSM behavior in that it handles VLANs and non-IPv4 traffic types, which the CSM does not. Future versions of the SonicOS CF Software for the CSM will likely adopt the more versatile traffic handling capabilities of L2 Bridge Mode.

L2 Bridge Path Determination

Packets received by the SonicWall on Bridge-Pair interfaces must be forwarded along to the appropriate and optimal path toward their destination, whether that path is the Bridge-Partner, some other physical or sub interface, or a VPN tunnel. Similarly, packets arriving from other paths (physical, virtual or VPN) bound for a host on a Bridge-Pair must be sent out over the correct Bridge-Pair interface. The following summary describes, in order, the logic that is applied to path determinations for these cases:

1. If present, the most specific non-default route to the destination is chosen. This would cover, for example:
   a. A packet arriving on X3 (non-L2 Bridge LAN) destined for host 15.1.1.100, where a route to the 15.1.1.0/24 subnet exists through 192.168.0.254 via the X0 (Secondary Bridge Interface, LAN) interface. The packet would be forwarded via X0 to the destination MAC address of 192.168.0.254, with the destination IP address 15.1.1.100.
   b. A packet arriving on X4 (Primary Bridge Interface, LAN) destined for host 10.0.1.100, where a route to the 10.0.1.0/24 subnet exists through 192.168.10.50 via the X5 (DMZ) interface. The packet would be forwarded via X5 to the destination MAC address of 192.168.10.50, with the destination IP address 10.0.1.100.
2. If no specific route to the destination exists, an ARP cache lookup is performed for the destination IP address. A match will indicate the appropriate destination interface. This would cover, for example:
   a. A packet arriving on X3 (non-L2 Bridge LAN) destined for host 192.168.0.100 (residing on L2 Primary Bridge Interface X2). The packet would be forwarded via X2 to the known destination MAC and IP address of 192.168.0.100, as derived from the ARP cache.
   b. A packet arriving on X4 (Primary Bridge Interface, LAN) destined for host 10.0.1.10 (residing on X5, DMZ). The packet would be forwarded via X5 to the known destination MAC and IP address of 10.0.1.10, as derived from the ARP cache.
3. If no ARP entry is found:
   a. If the packet arrives on a Bridge-Pair interface, it is sent to the Bridge-Partner interface.
   b. If the packet arrives from some other path, the SonicWall will send an ARP request out both interfaces of the Bridge-Pair to determine on which segment the destination IP resides.

In this last case, since the destination is unknown until after an ARP response is received, the destination zone also remains unknown until that time. This precludes the SonicWall from being able to apply the appropriate Access Rule until after path determination is completed. Upon completion, the correct Access Rule will be applied to subsequent related traffic.

With regard to address translation (NAT) of traffic arriving on an L2 Bridge-Pair interface:

1. If it is determined to be bound for the Bridge-Partner interface, no IP translation (NAT) will be performed.
2. If it is determined to be bound for a different path, appropriate NAT policies will apply:
   a. If the path is another connected (local) interface, there will likely be no translation. That is, it will effectively be routed as a result of hitting the last-resort Any->Original NAT Policy.
   b. If the path is determined to be via the WAN, then the default Auto-added [interface] outbound NAT Policy for X1 WAN will apply, and the packet’s source will be translated for delivery to the Internet. This is common in the case of Mixed-Mode topologies, such as that depicted in Internal Security.
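The three-step path determination and the NAT decision described above, as an added Python example (not SonicWall code). The topology is constructed for illustration: X4 and X0 form the Bridge-Pair (both LAN), X3 is a non-bridged LAN interface, X5 is the DMZ and X1 the Primary WAN; the routes and ARP entries are likewise constructed.

```python
"""Simulation of L2 Bridge path determination and NAT selection (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination network
    gateway: str                    # next hop; its MAC becomes the frame's destination MAC
    interface: str                  # egress interface


@dataclass(frozen=True)
class BridgePair:
    primary: str
    secondary: str

    def partner(self, iface: str) -> Optional[str]:
        """Bridge-Partner of iface, or None when iface is not part of the pair."""
        if iface == self.primary:
            return self.secondary
        if iface == self.secondary:
            return self.primary
        return None


@dataclass(frozen=True)
class PathDecision:
    egress: Optional[str]   # egress interface, or None while an ARP probe is outstanding
    next_hop: str           # IP address whose MAC is used as the destination MAC
    method: str             # "route", "arp-cache", "bridge-partner" or "arp-probe"
    probe: tuple = ()       # interfaces the ARP request goes out of (step 3b only)


def determine_path(dst_ip, ingress, routes, arp_cache, bridge):
    """Apply the page's path-determination steps, in order."""
    dst = ipaddress.IPv4Address(dst_ip)
    # Step 1: the most specific non-default route wins (default route excluded).
    matches = [r for r in routes if r.prefix.prefixlen > 0 and dst in r.prefix]
    if matches:
        best = max(matches, key=lambda r: r.prefix.prefixlen)
        return PathDecision(best.interface, best.gateway, "route")
    # Step 2: an ARP cache hit names the destination interface directly.
    if dst_ip in arp_cache:
        return PathDecision(arp_cache[dst_ip], dst_ip, "arp-cache")
    # Step 3a: unknown host arriving on a Bridge-Pair interface goes to the partner.
    partner = bridge.partner(ingress)
    if partner is not None:
        return PathDecision(partner, dst_ip, "bridge-partner")
    # Step 3b: unknown host from any other path: ARP out both pair interfaces.
    # The destination zone (and so the Access Rule) is unknown until the reply.
    return PathDecision(None, dst_ip, "arp-probe", (bridge.primary, bridge.secondary))


def nat_action(decision, ingress, bridge, wan_iface="X1"):
    """NAT outcome for traffic that arrived on a Bridge-Pair interface."""
    partner = bridge.partner(ingress)
    if partner is None:
        return "not-bridge-ingress"
    if decision.egress == partner:
        return "none"                       # bound for the Bridge-Partner: never translated
    if decision.egress == wan_iface:
        return f"source-nat-{wan_iface}"    # auto-added outbound NAT policy for the WAN
    return "none-any-original"              # other connected interface: Any->Original


# Constructed topology (assumption of this example).
BRIDGE = BridgePair(primary="X4", secondary="X0")
ROUTES = [
    Route(ipaddress.IPv4Network("15.1.1.0/24"), "192.168.0.254", "X0"),
    Route(ipaddress.IPv4Network("10.0.1.0/24"), "192.168.10.50", "X5"),
    Route(ipaddress.IPv4Network("198.51.100.0/24"), "203.0.113.1", "X1"),  # via the WAN
]
ARP_CACHE = {"192.168.0.100": "X4", "192.168.10.10": "X5"}  # dynamically learned hosts

if __name__ == "__main__":
    for dst, ingress in [("15.1.1.100", "X3"), ("10.0.1.100", "X4"), ("192.168.0.100", "X3"),
                         ("192.168.10.10", "X4"), ("192.168.0.77", "X4"),
                         ("192.168.0.77", "X3"), ("198.51.100.9", "X4")]:
        d = determine_path(dst, ingress, ROUTES, ARP_CACHE, BRIDGE)
        print(f"{dst:>15} in {ingress}: out {d.egress} via {d.next_hop} "
              f"[{d.method}] probe={d.probe} NAT={nat_action(d, ingress, BRIDGE)}")
```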

L2 Bridge Interface Zone Selection

Bridge-Pair interface zone assignment should be done according to your network’s traffic flow requirements. Unlike Transparent Mode, which imposes a system of “more trusted to less trusted” by requiring that the source interface be the Primary WAN and the transparent interface be Trusted or Public, L2 Bridge Mode allows for greater control of operational levels of trust. Specifically, L2 Bridge Mode allows for the Primary and Secondary Bridge Interfaces to be assigned to the same or different zones (for example, LAN+LAN, LAN+DMZ, WAN+CustomLAN). This affects not only the default Access Rules that are applied to the traffic, but also the manner in which Deep Packet Inspection security services are applied to the traffic traversing the bridge. Important areas to consider when choosing and configuring interfaces to use in a Bridge-Pair are Security Services, Access Rules, and WAN connectivity:

Security Services Directionality

As it will be one of the primary employments of L2 Bridge mode, understanding the application of security services is important to the proper zone selection for Bridge-Pair interfaces. Security services applicability is based on the following criteria:

1. The direction of the service:
   GAV is primarily an Inbound service, inspecting inbound HTTP, FTP, IMAP, SMTP, POP3, and TCP Streams. It also has an additional Outbound element for SMTP.
   Anti-Spyware is primarily Inbound, inspecting inbound HTTP, FTP, IMAP, SMTP, POP3 for the delivery (that is, retrieval) of Spyware components as generally recognized by their class IDs. It also has an additional Outbound component, where Outbound is used relative to the directionality (namely, Outgoing) ascribed to it by the IPS signatures that trigger the recognition of these Spyware components. The Outgoing classifier (described in the table below) is used because these components are generally retrieved by the client (for example, LAN host) via HTTP from a Web server on the Internet (WAN host). Referring to the table below, that would be an Outgoing connection, and requires a signature with an Outgoing directional classification.
   IPS has three directions: Incoming, Outgoing, and Bidirectional. Incoming and Outgoing are described in the table below, and Bidirectional refers to all points of intersection on the table.
   For additional accuracy, other elements are also considered, such as the state of the connection (for example, SYN or Established), and the source of the packet relative to the flow (that is, initiator or responder).
2. The direction of the traffic. The direction of the traffic as it pertains to IPS is primarily determined by the Source and Destination zone of the traffic flow. When a packet is received by the SonicWall, its source zone is generally immediately known, and its destination zone is quickly determined by doing a route (or VPN) lookup.

Based on the source and destination, the packet’s directionality is categorized as either Incoming or Outgoing (not to be confused with Inbound and Outbound), where the criteria in Directionality Categorization of Packets are used to make the determination:

 

Directionality Categorization of Packets

Rows are the source zone type and columns are the destination zone type (so a flow from an Untrusted source to a Trusted destination is Incoming):

Src \ Dest    Untrusted   Public      Wireless    Encrypted   Trusted     Multicast
Untrusted     Incoming    Incoming    Incoming    Incoming    Incoming    Incoming
Public        Outgoing    Outgoing    Outgoing    Incoming    Incoming    Incoming
Wireless      Outgoing    Outgoing    Trust       Trust       Trust       Incoming
Encrypted     Outgoing    Outgoing    Trust       Trust       Trust       Outgoing
Trusted       Outgoing    Outgoing    Trust       Trust       Trust       Outgoing

* 
NOTE: Table data is subject to change.

In addition to this categorization, packets traveling to/from zones with levels of additional trust, which are inherently afforded heightened levels of security (LAN|Wireless|Encrypted<-->LAN|Wireless|Encrypted) are given the special Trust classification. Traffic with the Trust classification has all signatures applied (Incoming, Outgoing, and Bidirectional).

3. The direction of the signature. This pertains primarily to IPS, where each signature is assigned a direction by SonicWall’s signature development team. This is done as an optimization to minimize false positives. Signature directions are:
   Incoming – Applies to Incoming and Trust. The majority of signatures are Incoming, and they include all forms of application exploits and all enumeration and footprinting attempts. Approximately 85% of signatures are Incoming.
   Outgoing – Applies to Outgoing and Trust. Examples of Outgoing signatures would include IM and P2P login attempts, and responses to successfully launched exploits (for example, Attack Responses). Approximately 10% of signatures are Outgoing.
   Bidirectional – Applies to all. Examples of Bidirectional signatures would include IM file transfers, various NetBIOS attacks (for example, Sasser communications) and a variety of DoS attacks (for example, UDP/TCP traffic destined to port 0). Approximately 5% of signatures are Bidirectional.
4. Zone application. For a signature to be triggered, the desired security service must be active on at least one of the zones it traverses. For example, a host on the Internet (X1, WAN) accessing a Microsoft Terminal Server (on X3, Secondary Bridge Interface, LAN) will trigger the Incoming signature “IPS Detection Alert: MISC MS Terminal server request, SID: 436, Priority: Low” if IPS is active on the WAN, the LAN, or both.
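The directionality table, the Trust rule, the signature-direction rules and the zone-activation rule above, implemented as an added Python example (not SonicWall code). It also reproduces the LAN+LAN versus DMZ+LAN contrast described under Internal Security; the mapping of the default zones to zone types and the workstation/server scenario are assumptions of the example.

```python
"""Security-services directionality for Bridge-Pair zone selection (added example)."""

ZONE_TYPES = ("Untrusted", "Public", "Wireless", "Encrypted", "Trusted", "Multicast")

# Directionality Categorization of Packets: rows are the source zone type,
# columns the destination zone type (in ZONE_TYPES order).
_TABLE = {
    "Untrusted": ("Incoming", "Incoming", "Incoming", "Incoming", "Incoming", "Incoming"),
    "Public":    ("Outgoing", "Outgoing", "Outgoing", "Incoming", "Incoming", "Incoming"),
    "Wireless":  ("Outgoing", "Outgoing", "Trust",    "Trust",    "Trust",    "Incoming"),
    "Encrypted": ("Outgoing", "Outgoing", "Trust",    "Trust",    "Trust",    "Outgoing"),
    "Trusted":   ("Outgoing", "Outgoing", "Trust",    "Trust",    "Trust",    "Outgoing"),
}

# Default zone -> zone type (assumption: the page's default zones only).
ZONE_TYPE = {"WAN": "Untrusted", "DMZ": "Public", "WLAN": "Wireless",
             "VPN": "Encrypted", "LAN": "Trusted"}

# Signature direction -> packet classifications it is applied to.
SIGNATURE_APPLIES_TO = {
    "Incoming": frozenset({"Incoming", "Trust"}),
    "Outgoing": frozenset({"Outgoing", "Trust"}),
    "Bidirectional": frozenset({"Incoming", "Outgoing", "Trust"}),
}


def classify(src_zone, dst_zone):
    """Incoming, Outgoing or Trust for a flow from src_zone to dst_zone."""
    src_t, dst_t = ZONE_TYPE[src_zone], ZONE_TYPE[dst_zone]
    return _TABLE[src_t][ZONE_TYPES.index(dst_t)]


def applicable_signature_directions(src_zone, dst_zone):
    """Signature directions that are evaluated against this flow."""
    c = classify(src_zone, dst_zone)
    return frozenset(d for d, classes in SIGNATURE_APPLIES_TO.items() if c in classes)


def signature_triggers(src_zone, dst_zone, sig_direction, active_zones):
    """True when a signature of sig_direction can fire on the flow: the service
    must be active on at least one zone the flow traverses, and the signature's
    direction must apply to the flow's classification."""
    if src_zone not in active_zones and dst_zone not in active_zones:
        return False
    return classify(src_zone, dst_zone) in SIGNATURE_APPLIES_TO[sig_direction]


def bridge_pair_coverage(primary_zone, secondary_zone):
    """Classification and signature directions applied to traffic in each
    direction across a Bridge-Pair whose interfaces sit in the given zones."""
    return {
        "primary->secondary": (classify(primary_zone, secondary_zone),
                               applicable_signature_directions(primary_zone, secondary_zone)),
        "secondary->primary": (classify(secondary_zone, primary_zone),
                               applicable_signature_directions(secondary_zone, primary_zone)),
    }


if __name__ == "__main__":
    # Page example: Internet host (WAN) reaching a Terminal Server on the LAN bridge interface.
    print("Incoming signature fires with IPS active on WAN only:",
          signature_triggers("WAN", "LAN", "Incoming", {"WAN"}))
    # Internal Security contrast: servers (Primary Bridge Interface) in LAN versus DMZ,
    # workstations on the Secondary Bridge Interface in LAN.
    for primary in ("LAN", "DMZ"):
        for direction, (cls, sigs) in bridge_pair_coverage(primary, "LAN").items():
            print(f"servers in {primary}: {direction} -> {cls}, signatures {sorted(sigs)}")
```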
Access Rule Defaults

Default, zone-to-zone Access Rules should be considered, although they can be modified as needed. The defaults are shown in Zone-to-Zone Access Rule Defaults.

Zone-to-Zone Access Rule Defaults

WAN Connectivity

Internet (WAN) connectivity is required for stack communications, such as licensing, security services signature downloads, NTP (time synchronization), and CFS (Content Filtering Services). At present, these communications can only occur through the Primary WAN interface. If you require these types of communication, the Primary WAN should have a path to the Internet. Whether or not the Primary WAN is employed as part of a Bridge-Pair will not affect its ability to provide these stack communications.

* 
NOTE: If Internet connectivity is not available, licensing can be performed manually and signature updates can also be performed manually.

Sample Topologies

The following are sample topologies depicting common deployments. Inline Layer 2 Bridge Mode represents the addition of a SonicWall security appliance to provide firewall services in a network where an existing firewall is in place. Perimeter Security represents the addition of a SonicWall security appliance in pure L2 Bridge mode to an existing network, where the SonicWall is placed near the perimeter of the network. Internal Security represents the full integration of a SonicWall security appliance in mixed-mode, where it provides simultaneous L2 bridging, WLAN services, and NATed WAN access. Layer 2 Bridge Mode with High Availability represents the mixed-mode scenario where the SonicWall HA pair provide high availability along with L2 bridging. Layer 2 Bridge Mode with SSL VPN represents the scenario where a SonicWall SSL VPN Series appliance is deployed in conjunction with L2 Bridge mode.

Wireless Layer 2 Bridge

In wireless mode, after bridging the wireless (WLAN) interface to a LAN or DMZ zone, the WLAN zone becomes the secondary bridged interface, allowing wireless clients to share the same subnet and DHCP pool as their wired counterparts. See Wireless Layer 2 Bridge Topology.

Wireless Layer 2 Bridge Topology

To configure a WLAN to LAN Layer 2 interface bridge:
1. Navigate to the Network > Interfaces page in the SonicOS management interface.
2. Click the Configure icon for the wireless interface you wish to bridge. The Edit Interface dialog displays.
3. Select Layer 2 Bridged Mode as the IP Assignment.
* 
NOTE: Although a general rule is automatically created to allow traffic between the WLAN zone and your chosen bridged interface, WLAN zone type security properties still apply. Any specific rules must be manually added.
4. Select the Interface which the WLAN should be Bridged To. In this instance, the X0 (default LAN zone) is chosen.
5. Configure the remaining options normally. For more information on configuring WLAN interfaces, see Configuring Wireless Interfaces.
Inline Layer 2 Bridge Mode

This method is useful in networks where there is an existing firewall that will remain in place, but you wish to utilize the SonicWall’s firewall services without making major changes to the network. By placing the SonicWall in Layer 2 Bridge mode, the X0 and X1 interfaces become part of the same broadcast domain/network (that of the X1 WAN interface).

This example refers to a SonicWall network security appliance installed in a Hewlett-Packard ProCurve switching environment.

HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages can be used to manage the switches as well as some aspects of the SonicWall network security appliance. See Inline Layer 2 Bridge Topology.

Inline Layer 2 Bridge Topology

To configure the SonicWall appliance for this scenario:
1. Navigate to the Network > Interfaces page.
2. Click the Configure icon for the X0 LAN interface.
3. On the X0 Settings dialog, set the:
   IP Assignment to Layer 2 Bridged Mode.
   Bridged To: interface to X1.
4. Ensure the interface is configured for HTTP and SNMP so it can be managed from the DMZ by PCM+/NIM.
5. Click OK to save and activate the change.

You will also need to make sure to modify the firewall access rules to allow traffic from the LAN to WAN, and from the WAN to the LAN, otherwise traffic will not pass successfully. You may also need to modify routing information on your firewall if your PCM+/NIM server is placed on the DMZ.

Perimeter Security

Perimeter Security Topology depicts a network where the SonicWall is added to the perimeter for the purpose of providing security services (the network may or may not have an existing firewall between the SonicWall and the router).

Perimeter Security Topology

In this scenario, everything below the SonicWall (the Primary Bridge Interface segment) will generally be considered as having a lower level of trust than everything to the left of the SonicWall (the Secondary Bridge Interface segment). For that reason, it would be appropriate to use X1 (Primary WAN) as the Primary Bridge Interface.

Traffic from hosts connected to the Secondary Bridge Interface (LAN) would be permitted outbound through the SonicWall to their gateways (VLAN interfaces on the L3 switch and then through the router), while traffic from the Primary Bridge Interface (WAN) would, by default, not be permitted inbound.

If there were public servers, for example, a mail and Web server, on the Secondary Bridge Interface (LAN) segment, an Access Rule allowing WAN->LAN traffic for the appropriate IP addresses and services could be added to allow inbound traffic to those servers.

Internal Security

Internal Security Topology

Internal Security Topology depicts a network where the SonicWall will act as the perimeter security device and secure wireless platform. Simultaneously, it will provide L2 Bridge security between the workstation and server segments of the network without having to readdress any of the workstations or servers.

This typical inter-departmental Mixed Mode topology deployment demonstrates how the SonicWall can simultaneously Bridge and route/NAT. Traffic to/from the Primary Bridge Interface (Server) segment from/to the Secondary Bridge Interface (Workstation) segment will pass through the L2 Bridge.

Since both interfaces of the Bridge-Pair are assigned to a Trusted (LAN) zone, the following apply:

All traffic will be allowed by default, but Access Rules could be constructed as needed.
Security services directionality would be classified as Trust, and all signatures (Incoming, Outgoing, and Bidirectional) will be applied, providing the highest level of security to/from both segments.

Consider, for the point of contrast, what would occur if the X2 (Primary Bridge Interface) was instead assigned to a Public (DMZ) zone: All the Workstations would be able to reach the Servers, but the Servers would not be able to initiate communications to the Workstations. While this would probably support the traffic flow requirements (that is, Workstations initiating sessions to Servers), it would have two undesirable effects:

a. The DHCP server would be in the DMZ. DHCP requests from the Workstations would pass through the L2 Bridge to the DHCP server (192.168.0.100), but the DHCP offers from the server would be dropped by the default DMZ->LAN Deny Access Rule. An Access Rule would have to be added, or the default modified, to allow this traffic from the DMZ to the LAN.
b. Security services directionality would be classified as Outgoing for traffic from the Workstations to the Servers, since the traffic would have a Trusted source zone and a Public destination zone. This might be sub-optimal since it would provide less scrutiny than the Incoming or (ideally) Trust classifications.

For detailed instructions on configuring interfaces in Layer 2 Bridge Mode, see Configuring Layer 2 Bridge Mode.

Layer 2 Bridge Mode with High Availability (SonicWall NSA series appliances)

This method is appropriate in networks where both High Availability and Layer 2 Bridge Mode are desired. This example is for SonicWall NSA series appliances, and assumes the use of switches with VLANs configured. See Layer 2 Bridge with High Availability Topology.

Layer 2 Bridge with High Availability Topology

The SonicWall HA pair consists of two SonicWall NSA 3500 appliances, connected together on port X5, the designated HA port. Port X1 on each appliance is configured for normal WAN connectivity and is used for access to the management interface of that device. Layer 2 Bridge Mode is implemented with port X0 bridged to port X2.

When setting up this scenario, there are several things to take note of on both the SonicWalls and the switches.

On the SonicWall appliances:

Do not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridge Mode configuration, this function is not useful.
Enabling Preempt Mode is not recommended in an inline environment such as this. If Preempt Mode is required, follow the recommendations in the documentation for your switches, as the trigger and failover time values play a key role here.
Consider reserving an interface for the management network (this example uses X1). If it is necessary to assign IP addresses to the bridge interfaces for probe purposes or other reasons, SonicWall recommends using the management VLAN network assigned to the switches for security and administrative purposes. Note that the IP addresses assigned for HA purposes do not directly interact with the actual traffic flow.

On the switches:

Using multiple tag ports: As shown in the above diagram, two tag (802.1q) ports were created for VLAN 100 on both the Edge switch (ports 23 and 24) and Core switch (C24 - D24). The NSA 3500 appliances are connected inline between these two switches. In a high performance environment, it is usually recommended to have Link Aggregation/Port Trunking, Dynamic LACP, or even a completely separate link designated for such a deployment (using OSPF), and the fault tolerance of each of the switches must be considered. Consult your switch documentation for more information.
On HP ProCurve switches, when two ports are tagged in the same VLAN, the port group will automatically be placed into a failover configuration. In this case, as soon as one port fails, the other one becomes active.
Layer 2 Bridge Mode with SSL VPN

This sample topology covers the proper installation of a SonicWall network security appliance into your existing SonicWall EX-Series SSL VPN or SonicWall SSL VPN networking environment. By placing the firewall into Layer 2 Bridge Mode, with an internal, private connection to the SSL VPN appliance, you can scan for viruses, spyware, and intrusions in both directions. In this scenario the SonicWall network security appliance is not used for security enforcement, but instead for bidirectional scanning, blocking viruses and spyware, and stopping intrusion attempts. When programmed correctly, the firewall will not interrupt network traffic, unless the behavior or content of the traffic is determined to be undesirable. Both one- and two-port deployments of the SonicWall network security appliance are covered in this section.

WAN to LAN Access Rules

Because the firewall will be used in this deployment scenario only as an enforcement point for anti-virus, anti-spyware and intrusion prevention, its existing security policy must be modified to allow traffic to pass in both directions between the WAN and LAN.

On the Firewall > Access Rules page, click the Configure icon for the intersection of WAN to LAN traffic. Click the Configure icon next to the default rule that implicitly blocks uninitiated traffic from the WAN to the LAN.

In the Edit Rule dialog, select Allow for the Action setting, and then click OK.

Configure the Network Interfaces and Activate L2B Mode

In this scenario the WAN interface is used for the following:

Access to the management interface for the administrator
Subscription service updates on MySonicWall
The default route for the device and subsequently the “next hop” for the internal traffic of the SSL VPN appliance (this is why the firewall device WAN interface must be on the same IP segment as the internal interface of the SSL VPN appliance)

The LAN interface on the firewall is used to monitor the unencrypted client traffic coming from the external interface of the SSL VPN appliance. This is the reason for running in Layer 2 Bridge Mode (instead of reconfiguring the external interface of the SSL VPN appliance to see the LAN interface as the default route).

On the Network > Interfaces page of the SonicOS management interface, click the Configure icon for the WAN interface, and then assign it an address that can access the Internet so that the appliance can obtain signature updates and communicate with NTP.

The gateway and internal/external DNS address settings will match those of your SSL VPN appliance:

IP address: This must match the address for the internal interface on the SSL VPN appliance.
Subnet Mask, Default Gateway, and DNS Server(s): Make these addresses match your SSL VPN appliance settings.

For the Management setting, select the HTTPS and Ping check boxes. Click OK to save and activate the changes.

To configure the LAN interface settings, navigate to the Network > Interfaces page and click the Configure icon for the LAN interface.

For the IP Assignment setting, select Layer 2 Bridged Mode. For the Bridged to setting, select X1.

If you also need to pass VLAN tagged traffic, supported on SonicWall NSA series appliances, click the VLAN Filtering tab and add all of the VLANs that will need to be passed.

Click OK to save and activate the change. You may be automatically disconnected from the firewall’s management interface. You can now disconnect your management laptop or desktop from the firewall’s X0 interface and power the firewall off before physically connecting it to your network.

Install the SonicWall Network Security Appliance between the Network and SSL VPN Appliance

Regardless of your deployment method (single- or dual-homed), the SonicWall network security appliance should be placed between the X0/LAN interface of the SSL VPN appliance and the connection to your internal network. This allows the device to connect out to SonicWall’s licensing and signature update servers, and to scan the decrypted traffic from external clients requesting access to internal network resources.

If your SSL VPN appliance is in two-port mode behind a third-party firewall, it is dual-homed.

To connect a dual-homed SSL VPN appliance:
1
Cable the X0/LAN port on the firewall to the X0/LAN port on the SSL VPN appliance.
2
Cable the X1/WAN port on the firewall to the port where the SSL VPN was previously connected.
3
Power on the firewall.

If your SSL VPN appliance is in one-port mode in the DMZ of a third-party firewall, it is single-homed.

To connect a single-homed SSL VPN appliance:
1
Cable the X0/LAN port on the firewall to the X0/LAN port of the SSL VPN appliance.
2
Cable the X1/WAN port on the firewall to the port where the SSL VPN was previously connected.
3
Power on the firewall.

Configure or Verify Settings

From a management station inside your network, you should now be able to access the management interface on the firewall using its WAN IP address.

Make sure that all security services for the SonicWall network security appliance are enabled. See Licensing Services and Activating Firewall Services on Each Zone.

SonicWall Content Filtering Service must be disabled before the device is deployed in conjunction with a SonicWall SMA 1000 Series SSL VPN appliance. On the Network > Zones page, click Configure next to the LAN (X0) zone, clear the Enforce Content Filtering Service check box and then click OK.

If you have not yet changed the administrative password on the SonicWall network security appliance, you can do so on the System > Administration page.

To test access to your network from an external client, connect to the SSL VPN appliance and log in. Once connected, attempt to access your internal network resources. If there are any problems, review your configuration and see Configuring the Common Settings for L2 Bridge Mode Deployments.

IPS Sniffer Mode (SonicWall NSA series appliances)

Supported on SonicWall NSA series appliances, IPS Sniffer Mode is a variation of Layer 2 Bridge Mode that is used for intrusion detection. IPS Sniffer Mode configuration allows an interface on the SonicWall to be connected to a mirrored port on a switch to examine network traffic. Typically, this configuration is used with a switch inside the main gateway to monitor traffic on the intranet.

In Network Using IPS Sniffer Mode Interface, traffic flows into a switch in the local network and is mirrored through a switch mirror port into an IPS Sniffer Mode interface on the SonicWall security appliance. The SonicWall inspects the packets according to the firewall settings configured on the Bridge-Pair. Alerts can trigger SNMP traps, which are sent to the specified SNMP manager via another interface on the SonicWall. The network traffic is discarded after the SonicWall inspects it.

The WAN interface of the SonicWall is used to connect to the SonicWall Data Center for signature updates or other data.

Network Using IPS Sniffer Mode Interface

In IPS Sniffer Mode, a Layer 2 Bridge is configured between two interfaces in the same zone on the SonicWall, such as LAN-LAN or DMZ-DMZ. You can also create a custom zone to use for the Layer 2 Bridge. Only the WAN zone is not appropriate for IPS Sniffer Mode.

The reason for this is that SonicOS detects all signatures on traffic within the same zone, such as LAN-LAN traffic, but some direction-specific (client-side versus server-side) signatures do not apply to some LAN-WAN cases.

Either interface of the Layer 2 Bridge can be connected to the mirrored port on the switch. As network traffic traverses the switch, the traffic is also sent to the mirrored port and from there into the SonicWall for deep packet inspection. Malicious events trigger alerts and log entries, and if SNMP is enabled, SNMP traps are sent to the configured IP address of the SNMP manager system. The traffic does not actually continue to the other interface of the Layer 2 Bridge. IPS Sniffer Mode does not place the SonicWall appliance inline with the network traffic, it only provides a way to inspect the traffic.

The Edit Interfaces dialog from the Network > Interfaces page provides a new check box called Only sniff traffic on this bridge-pair for use when configuring IPS Sniffer Mode. When selected, this check box causes the SonicWall to inspect all packets that arrive on the L2 Bridge from the mirrored switch port. The Never route traffic on this bridge-pair check box should also be selected for IPS Sniffer Mode to ensure that the traffic from the mirrored switch port is not sent back out onto the network. (The Never route traffic on this bridge-pair setting is known as Captive-Bridge Mode.)

For detailed instructions on configuring interfaces in IPS Sniffer Mode, see Configuring IPS Sniffer Mode (SonicWall NSA Series Appliances).

Sample IPS Sniffer Mode Topology

This section provides an example topology that uses SonicWall IPS Sniffer Mode in a Hewlett-Packard ProCurve switching environment. See Sample IPS Sniffer Mode Topology. This scenario relies on the ability of HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages to throttle or close ports from which threats are emanating.

This method is useful in networks where there is an existing firewall that will remain in place, but you wish to use the SonicWall’s firewall services as a sensor.

Sample IPS Sniffer Mode Topology

In this deployment the WAN interface and zone are configured for the internal network’s addressing scheme and attached to the internal network. The X2 port is Layer 2 bridged to the LAN port – but it won’t be attached to anything. The X0 LAN port is configured to a second, specially programmed port on the HP ProCurve switch. This special port is set for mirror mode – it forwards all the internal user and server ports to the “sniff” port on the SonicWall. This allows the SonicWall to analyze the entire internal network’s traffic, and if any traffic triggers the firewall signatures it will immediately trap out to the PCM+/NIM server via the X1 WAN interface, which then can take action on the specific port from which the threat is emanating.

To configure this deployment, navigate to the Network > Interfaces page and click on the configure icon for the X2 interface. On the X2 Settings page, set the IP Assignment to ‘Layer 2 Bridged Mode’ and set the Bridged To: interface to ‘X0’. Select the check box for Only sniff traffic on the bridge-pair. Click OK to save and activate the change.

Next, go to the Network > Interfaces page and click on the configure icon for the X1 WAN interface. On the X1 Settings page, assign it a unique IP address for the internal LAN segment of your network – this may sound wrong, but this will actually be the interface from which you manage the appliance, and it is also the interface from which the appliance sends its SNMP traps as well as the interface from which it gets firewall signature updates. Click OK.

You must also modify the firewall rules to allow traffic from the LAN to WAN, and from the WAN to the LAN, otherwise traffic will not pass successfully.

Connect the span/mirror switch port to X0 on the SonicWall, not to X2 (in fact X2 isn’t plugged in at all), and connect X1 to the internal network. Use care when programming the ports that are spanned/mirrored to X0.

Configuring Static Interfaces

Static means that you assign a fixed IP address to the interface. To configure a Static interface, perform the following:

1
Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface dialog displays.
You can configure X0 through X8, depending on the number of interfaces on your appliance.
If you want to create a new zone, select Create new zone. The Add Zone dialog displays. See Adding and Configuring a Zone for instructions on adding a zone.
2
Select a zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone.
3
Select Static IP Mode from the Mode / IP Assignment menu.
4
Enter the IP address and subnet mask of the zone in the IP Address and Subnet Mask fields.
NOTE: You cannot enter an IP address that is in the same subnet as another zone.
5
Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
6
If you want to enable remote management of the SonicWall security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP.

To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

7
If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
8
Click OK.
NOTE: The administrator password is required to regenerate encryption keys after changing the SonicWall security appliance’s address.
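The NOTE in step 4 states that the dialog rejects an address that sits in the same subnet as another zone. The following Python script is an added example, not part of the guide or of SonicOS, that reproduces that check offline against a constructed interface table so a planned change can be validated before it is typed into the Edit Interface dialog. The interface names, zones and addresses in EXISTING_INTERFACES are hypothetical sample values, and the network/broadcast-address check is an extra sanity check that the guide itself does not mention.

```python
import ipaddress

# Constructed sample interface table (hypothetical values, not from the guide):
# (interface, zone, IP address, subnet mask), as shown on Network > Interfaces.
EXISTING_INTERFACES = [
    ("X0", "LAN", "192.168.168.168", "255.255.255.0"),
    ("X1", "WAN", "203.0.113.2", "255.255.255.248"),
    ("X2", "DMZ", "172.16.10.1", "255.255.255.0"),
]


def interface_network(ip, mask):
    """Return the subnet that an address/mask pair belongs to."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def validate_static_assignment(name, new_ip, new_mask, existing=EXISTING_INTERFACES):
    """Pre-check a proposed static IP for interface `name`.

    Returns a list of problem descriptions; an empty list means the assignment
    should be accepted. Two checks are made:
      * the address must be a host address, not the network or broadcast address
        (an extra check, not one the guide describes);
      * the subnet must not overlap the subnet of any *other* interface, which
        is the condition the Edit Interface dialog rejects.
    """
    iface = ipaddress.ip_interface(f"{new_ip}/{new_mask}")
    net = iface.network
    problems = []

    # /31 and /32 have no separate network/broadcast address, so only check wider masks.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    for other_name, zone, ip, mask in existing:
        if other_name == name:
            continue  # re-addressing the same interface is not a conflict with itself
        other = interface_network(ip, mask)
        if net.overlaps(other):
            problems.append(f"{net} overlaps {other_name} ({zone}) subnet {other}")
    return problems


if __name__ == "__main__":
    for candidate in [("X3", "10.10.10.1", "255.255.255.0"),
                      ("X3", "192.168.168.200", "255.255.255.0")]:
        print(candidate, validate_static_assignment(*candidate) or "OK")
```

Run it with the planned interface, address and mask; an empty result means the address would not collide with an existing zone subnet. Overlap is checked with `overlaps()` rather than equality so that a proposed /23 that swallows an existing /24 is also caught.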

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.

Advanced Settings

The Advanced Settings section allows you to manage the Ethernet settings of links connected to the SonicWall.

Auto Negotiate—is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
1 Gbps - Full Duplex
100 Mbps - Full Duplex
100 Mbps - Half Duplex
10 Mbps - Full Duplex
10 Mbps - Half Duplex
CAUTION: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWall security appliance as well.
Use Default MAC Address—select this check box to use the default MAC address.
Override Default MAC Address—overrides the default MAC address for the interface; enter the desired MAC address in the field.
Enable flow reporting—enables flow reporting for flows created on this interface.
Enable Multicast Support—allows multicast reception on this interface.
Enable 802.1p tagging (SonicWall NSA series appliances)—select this check box to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping (NSA Series Only).
Management Traffic Only—Select this check box to allow management traffic only.
Load Balancing Virtual IP Address—(Optional) If configuring a LAN interface, a LAN Load Balancing Virtual IP address can be configured. Enter the IP address in the text field. A node responds to the ARP request for the LAN Load Balancing Virtual IP address with its own MAC address; which node responds is based on the source IP address of the request, and traffic is then serviced by that node. You can then configure all LAN PCs to use the LAN Load Balancing Virtual IP address as the gateway rather than using the different virtual group IPs.
NOTE: This option is only available when Active-Active Clustering is configured and enabled.
Expert Mode Settings

Optionally select the Use Routed Mode checkbox. For more information about Routed Mode, see Configuring Routed Mode.
Bandwidth Management

Optionally enable Bandwidth Management for this interface. For more information about configuring Bandwidth Management, see Configuring Global BWM on an Interface.

Configuring Interfaces in Transparent IP Mode (Splice L3 Subnet)

Transparent IP Mode enables the SonicWall security appliance to bridge the WAN subnet onto an internal interface.

To configure an interface for transparent mode:
1
Click on the Configure icon in the Configure column for the Unassigned Interface you want to configure. The Edit Interface dialog displays.

2
Select an interface.
If you select a configurable interface, select LAN or DMZ for Zone.
NOTE: The options available change according to the type of zone you select.
If you want to create a new zone for the configurable interface, select Create a new zone. The Add Zone dialog displays. See Network > Zones, for instructions on adding a zone.
3
Select Transparent IP Mode (Splice L3 Subnet) from the Mode / IP Assignment drop-down menu.

4
From the Transparent Range drop-down menu, select an address object that contains the range of IP addresses you want to have access through this interface. The address range must be within an internal zone, such as LAN, DMZ, or another trusted zone matching the zone used for the internal transparent interface. If you do not have an address object configured that meets your needs, perform the following:
a
In the Transparent Range menu, select Create New Address Object. The Add Address Object dialog displays.

b
In the Name field, enter a friendly name for the address range.
c
For Zone Assignment, select an internal zone, such as LAN, DMZ, or another trusted/public zone. The range must not include the LAN interface (X0) IP address.
d
For Type, select:
Select Host if you want only one network device to connect to this interface.
Select Range to specify a range of IP addresses by entering beginning and ending value of the range.
Select Network to specify a subnet by entering the beginning value and the subnet mask. The subnet must be within the WAN address range and cannot include the WAN interface IP address.
e
In the IP Address field, enter the IP address of the host, the beginning and ending address of the range, or the IP address and subnet mask of the network.
f
Click OK to create the address object and return to the Edit Interface window.

See Network > Address Objects for more information.

5
Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
6
If you want to enable remote management of the SonicWall security appliance from this interface, from the Management options, select one or more of the supported management protocol(s): HTTPS, Ping, SNMP, SSH.

To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

7
If you want to allow selected users with limited management rights to log directly into the security appliance through this interface, select HTTP and/or HTTPS in User Login.
8
(Optional) If you selected HTTPS, to have users redirected from HTTP to HTTPS, select Add rule to enable redirect from HTTP to HTTPS.
9
Click OK.
NOTE: The administrator password is required to regenerate encryption keys after changing the SonicWall security appliance’s address.

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.

NOTE: Options change depending on the type of zone and mode/IP assignment selected in the General tab.
Advanced Settings

The Advanced Settings section allows you to manage the Ethernet settings of links connected to the SonicWall.

Auto Negotiate—is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
1 Gbps - Full Duplex
100 Mbps - Full Duplex
100 Mbps - Half Duplex
10 Mbps - Full Duplex
10 Mbps - Half Duplex
CAUTION: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWall security appliance as well.
Use Default MAC Address—select this check box to use the default MAC address.
Override Default MAC Address—overrides the default MAC address for the interface; enter the desired MAC address in the field.
Enable flow reporting—enables flow reporting for flows created on this interface.
Enable Multicast Support—allows multicast reception on this interface.
Enable 802.1p tagging (SonicWall NSA series appliances)—select this check box to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping (NSA Series Only).
Management Traffic Only—when selected, prioritizes all traffic arriving on that interface.
NOTE: You should enable this option ONLY on interfaces intended to be used exclusively for management purposes. If this option is enabled on a regular interface, it will still prioritize the traffic, but that may not be the desirable result. It is up to you to limit the traffic to just management; the firmware does not have the ability to prevent pass-through traffic.
Enable Gratuitous ARP Forwarding Towards WAN—gratuitous ARP packets received on this interface will be forwarded towards the WAN with the source MAC address as the hardware MAC address of the WAN interface.
Enable Automatic Gratuitous ARP Generation Towards WAN—Whenever a new entry is added into the ARP table for a new machine on this interface, a gratuitous ARP packet will be generated towards the WAN interface with the source MAC address as the hardware MAC address of the WAN interface.
Bandwidth Management

Enable Interface Egress Bandwidth Limitation—Enables outbound bandwidth management.
Maximum Interface Egress Bandwidth (kbps):—Specifies the available bandwidth for WAN interfaces, in kbps.
Enable Interface Ingress Bandwidth Limitation—Enables inbound bandwidth management.
Maximum Interface Ingress Bandwidth (kbps):—Specifies the available bandwidth for WAN interfaces, in kbps.
NOTE: To change the bandwidth management setting to Advanced, refer to the Firewall Settings > BWM page.

Configuring Wireless Interfaces

A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWall SonicPoint secure access points.

1
Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface dialog displays.
2
In the Zone list, select WLAN or a custom Wireless zone.
3
Enter the IP address and subnet mask of the zone in the Mode / IP Address and Subnet Mask fields.
NOTE: The upper limit of the subnet mask is determined by the number of SonicPoints you select in the SonicPoint Limit field. If you are configuring several interfaces or subinterfaces as Wireless interfaces, you may want to use a smaller subnet (that is, a longer subnet mask) to limit the number of potential DHCP leases available on the interface. Otherwise, if you use a class C subnet (subnet mask of 255.255.255.0) for each Wireless interface you may exceed the limit of DHCP leases available on the security appliance.
4
In the SonicPoint Limit field, select the maximum number of SonicPoints allowed on this interface.
This value determines the highest subnet mask you can enter in the Subnet Mask field. Maximum Number of Subinterfaces Supported by Platform shows the subnet mask limit for each SonicPoint Limit selection and the number of DHCP leases available on the interface if you enter the maximum allowed subnet mask.
Available Client IPs assumes 1 IP for the SonicWall gateway interface in addition to the presence of the maximum number of SonicPoints allowed on this interface, each consuming an IP address.
 

Maximum Subnet Mask Sizes Allowed

SonicPoints per Interface                 Maximum Subnet Mask          Total Usable IP addresses   Available Client IPs
No SonicPoints                            30 bits - 255.255.255.252    2                           2
2 SonicPoints                             29 bits - 255.255.255.248    6                           3
4 SonicPoints                             29 bits - 255.255.255.248    6                           1
8 SonicPoints                             28 bits - 255.255.255.240    14                          5
16 SonicPoints (NSA 240)                  27 bits - 255.255.255.224    30                          13
32 SonicPoints (NSA 2400)                 26 bits - 255.255.255.192    62                          29
48 SonicPoints (NSA 3400)                 25 bits - 255.255.255.128    126                         61
64 SonicPoints (NSA 4500, 5000)           25 bits - 255.255.255.128    126                         61
96 SonicPoints (NSA E5500)                24 bits - 255.255.255.0      190                         93
128 SonicPoints (NSA E6500, NSA E7500)    23 bits - 255.255.254.0      254                         125


NOTE: The above table depicts the maximum subnet mask sizes allowed. You can still use classful subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (for example, 24-bit class C: 255.255.255.0 - 254 total usable IPs), thus allocating more IP addressing space to clients if you need to support larger numbers of wireless clients.
5
Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
6
If you want to enable remote management of the SonicWall security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP.

To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.

7
Click OK.
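Step 4's table and NOTE describe how the SonicPoint Limit bounds the subnet mask and how many addresses remain for wireless clients. The following Python script is an added example, not from the guide or from SonicOS, that applies the accounting the text describes (one address for the gateway interface and one per SonicPoint) to compute available client IPs, pick the most restrictive mask that still fits a planned number of clients, and total the worst-case DHCP lease demand across several wireless interfaces. The LEASE_LIMIT value and the planning figures in the main block are constructed placeholders, not figures from the guide.

```python
import ipaddress


def usable_hosts(prefixlen):
    """Usable host addresses in an IPv4 subnet (network and broadcast excluded)."""
    if not 1 <= prefixlen <= 30:
        raise ValueError("prefix length must be between 1 and 30 for a usable subnet")
    return 2 ** (32 - prefixlen) - 2


def available_client_ips(prefixlen, sonicpoints):
    """Addresses left for wireless clients once the gateway interface (1 IP)
    and every SonicPoint (1 IP each) have taken theirs."""
    return usable_hosts(prefixlen) - 1 - sonicpoints


def minimum_prefix_for(sonicpoints, clients):
    """Longest (most restrictive) prefix that still fits gateway + SonicPoints + clients.

    Walks from /30 towards /1 and stops at the first subnet large enough, so it
    returns the smallest subnet that does not starve clients of addresses.
    """
    needed = 1 + sonicpoints + clients
    for prefixlen in range(30, 0, -1):
        if usable_hosts(prefixlen) >= needed:
            return prefixlen
    raise ValueError(f"no IPv4 subnet holds {needed} addresses")


def mask_label(prefixlen):
    """Render a prefix the way the table above does, e.g. '28 bits - 255.255.255.240'."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask
    return f"{prefixlen} bits - {mask}"


def potential_dhcp_leases(prefixlens):
    """Worst-case DHCP lease demand if every non-gateway address on every
    wireless interface were leased; compare this with the appliance's lease limit."""
    return sum(usable_hosts(p) - 1 for p in prefixlens)


if __name__ == "__main__":
    # Constructed planning scenario (hypothetical numbers, not from the guide).
    LEASE_LIMIT = 500  # placeholder; use the actual DHCP lease limit of your appliance
    plan = [(8, 40), (4, 20)]  # (SonicPoints, expected clients) per wireless interface
    prefixes = [minimum_prefix_for(sp, c) for sp, c in plan]
    for (sp, c), p in zip(plan, prefixes):
        print(f"{sp} SonicPoints, {c} clients -> {mask_label(p)}, "
              f"{available_client_ips(p, sp)} client IPs")
    demand = potential_dhcp_leases(prefixes)
    print(f"potential leases {demand} (limit {LEASE_LIMIT})",
          "OK" if demand <= LEASE_LIMIT else "EXCEEDS LIMIT")
```

With the rule in the text, a /29 with 2 SonicPoints leaves 3 client addresses and a /28 with 8 SonicPoints leaves 5, matching those rows of the table; the lease total is the figure to hold against the appliance's DHCP limit when several interfaces are given class C subnets.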

Configuring Advanced Settings for the Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. Bandwidth management settings are also configured on the Advanced tab.

Advanced Settings

The Advanced Settings section allows you to manage the Ethernet settings of links connected to the SonicWall.

Auto Negotiate—is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
1 Gbps - Full Duplex
100 Mbps - Full Duplex
100 Mbps - Half Duplex
10 Mbps - Full Duplex
10 Mbps - Half Duplex
CAUTION: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWall security appliance as well.
Use Default MAC Address—select this check box to use the default MAC address.
Override Default MAC Address—overrides the default MAC address for the interface; enter the desired MAC address in the field.
Enable flow reporting—enables flow reporting for flows created on this interface.
Enable Multicast Support—allows multicast reception on this interface.
Enable 802.1p tagging (SonicWall NSA series appliances)—select this check box to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping (NSA Series Only).
Management Traffic Only—when selected, prioritizes all traffic arriving on that interface.
NOTE: You should enable this option ONLY on interfaces intended to be used exclusively for management purposes. If this option is enabled on a regular interface, it will still prioritize the traffic, but that may not be the desirable result. It is up to you to limit the traffic to just management; the firmware does not have the ability to prevent pass-through traffic.
Expert Mode Settings

Use Routed Mode - Add NAT Policy to prevent outbound/inbound translation—Select to enable Routed Mode for the interface.
Set NAT Policy’s outbound/inbound interface to:—From the drop-down menu, select the WAN interface to be used to route traffic for the interface.
Bandwidth Management

Enable Interface Egress Bandwidth Limitation—Enables outbound bandwidth management.
Maximum Interface Egress Bandwidth (kbps):—Specifies the available bandwidth for WAN interfaces, in kbps.
Enable Interface Ingress Bandwidth Limitation—Enables inbound bandwidth management.
Maximum Interface Ingress Bandwidth (kbps):—Specifies the available bandwidth for WAN interfaces, in kbps.
NOTE: To change the bandwidth management setting to Advanced, refer to the Firewall Settings > BWM page.

Configuring the WLAN Interface (TZ Wireless Appliances)

The WLAN interface is only available on SonicWall TZ wireless appliances. You can only configure the WLAN interface with a static IP address.

To configure the WLAN interface:
1
Click on the Edit icon in the Configure column for the Unassigned interface you want to configure. The Edit Interface dialog displays.

2
Select the WLAN interface. If you want to create a new zone for the interface, select Create a new zone. The Add Zone dialog displays. See Chapter 11 for instructions on adding a zone.
3
Select one of the following WLAN Network Addressing Modes from the Mode / IP Assignment menu. Depending on the option you choose from the IP Assignment menu, complete the corresponding fields that are displayed after selecting the option.
Static IP Mode—the IP address for the interface is manually entered.
Layer 2 Bridge Mode—an interface placed in this mode becomes the Secondary Bridge Interface to the Primary Bridge Interface to which it is paired. The resulting Bridge-Pair will then behave like a two-port learning bridge with full L2 transparency, and all IP traffic that passes through will be subjected to full stateful failover and deep packet inspection.
PortShield Switch Mode—this architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall.
4
Enter the IP address and subnet mask of the Zone in the IP Address and Subnet Mask fields.
5
Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
6
If you want to enable remote management of the SonicWall security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, Ping, and/or SNMP.
7
If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
8
Click OK.
NOTE: The administrator password is required to regenerate encryption keys after changing the SonicWall security appliance’s address.
9
Click the Advanced tab.
10
If you want to allow multicast reception on this interface, select the Enable Multicast Support option.

Configuring a WAN Interface

Configuring the WAN interface enables Internet connectivity. You can configure multiple WAN interfaces on the SonicWall security appliance. Only the X0 interface cannot be configured as a WAN interface.

NOTE: A default gateway IP is required on the WAN interface if any destination must be reached via the WAN interface that is not part of the WAN subnet IP address space, regardless of whether a default route is received dynamically from a routing protocol of a peer device on the WAN subnet.

Configuring the General Settings for the WAN Interface

TIP: Informational videos with interface configuration examples are available online. For example, see How to configure the SonicWall WAN / X1 Interface with PPPoE Connection. Additional videos are available at: https://support.sonicwall.com/videos-product-select
To configure General settings:
1
Click on the Edit icon in the Configure column for the Interface you want to configure. The Edit Interface dialog displays.
2
If you’re configuring an Unassigned Interface, select WAN from the Zone menu. If you selected the Default WAN Interface, WAN is already selected in the Zone menu.

3
Select one of the following WAN Network Addressing Modes from the Mode / IP Assignment menu. Depending on the option you choose from the IP Assignment menu, complete the corresponding fields that are displayed after selecting the option.
Static - configures the SonicWall for a network that uses static IP addresses.
DHCP - configures the SonicWall to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers.
PPPoE - uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. If desktop software and a username and password are required by your ISP, select NAT with PPPoE. This protocol is typically found when using a DSL modem.
PPTP - uses PPTP (Point to Point Tunneling Protocol) to connect to a remote server. It supports older Microsoft Windows implementations requiring tunneling connectivity.
L2TP - uses IPsec to connect to an L2TP (Layer 2 Tunneling Protocol) server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations.
Wire Mode (2-Port Wire) - is a deployment option where the SonicWall appliance can be deployed as a “Bump in the Wire”. It provides a least-intrusive way to deploy the appliance in a network. Wire Mode is very well suited for deploying behind a pre-existing Stateful Packet Inspection (SPI) Firewall. Wire Mode is a simplified form of Layer 2 Bridge Mode. A Wire Mode interface does not take any IP address and it is typically configured as a bridge between a pair of interfaces. None of the packets received on a Wire Mode interface are destined to the firewall; they are only bridged to the other interface.
Tap Mode (1-Port Tap) - can be configured between a pair of interfaces. All traffic received is bridged to the paired interface; in addition, the firewall does SPI and DPI processing of traffic. There is full Application Visibility, but no Application Control in Tap Mode.
NOTE: For Windows clients, L2TP is supported by Windows 2000 and Windows XP. If you are running other versions of Windows, you must use PPTP as your tunneling protocol.
4
If you want to enable remote management of the SonicWall security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS.

To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

5
If you want to allow selected users with limited management rights to log directly into the security appliance from this interface, select HTTP and/or HTTPS in User Login.
6
Check Add rule to enable redirect from HTTP to HTTPS, if you want an HTTP connection automatically redirected to a secure HTTPS connection to the SonicWall security appliance management interface.
7
After completing the WAN configuration for your Network Addressing Mode, click OK.

Configuring the Advanced Settings for the WAN Interface

If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. You can also configure bandwidth management settings on the Advanced tab.

Advanced Settings

The Advanced Settings section allows you to manage the Ethernet settings of links connected to the SonicWall.

Auto Negotiate—is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu:
1 Gbps - Full Duplex
100 Mbps - Full Duplex
100 Mbps - Half Duplex
10 Mbps - Full Duplex
10 Mbps - Half Duplex
* 
CAUTION: If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWall security appliance as well.
Use Default MAC Address—select this check box to use the default MAC address.
Override Default MAC Address—overrides the default MAC address for the interface; enter the desired MAC address in the field.
Enable flow reporting—enables flow reporting for flows created on this interface.
Enable Multicast Support—allows multicast reception on this interface.
Enable 802.1p tagging (SonicWall NSA series appliances)—select this check box to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping (NSA Series Only).
Management Traffic Only—when selected, prioritizes all traffic arriving on that interface.
* 
NOTE: You should enable this option ONLY on interfaces intended to be used exclusively for management purposes. If this option is enabled on a regular interface, it will still prioritize the traffic, but that may not be the desirable result. It is up to you to limit the traffic to just management; the firmware does not have the ability to prevent pass-through traffic.
Interface MTU—Specifies the largest packet size that the interface can forward without fragmenting the packet.
Fragment non-VPN outbound packets larger than this Interface’s MTU—Fragments all non-VPN outbound packets that are larger than this interface’s MTU. Fragmentation of VPN outbound packets is configured on the VPN > Advanced page.
Ignore Don’t Fragment (DF) Bit—Ignores the DF bit, so that oversized packets are fragmented even when the sender asked that they not be.
Suppress ICMP Fragmentation Needed message generation—Stops the interface from sending ICMP Fragmentation Needed (Type 3, Code 4) messages when it drops a packet that is larger than the MTU and has the DF bit set. Hosts rely on these messages for Path MTU Discovery, so enabling this option can cause large transfers through the interface to stall silently.
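As an added example (not SonicOS code), the following Python models how the three MTU options above combine for a non-VPN outbound IPv4 packet. The page does not say what the appliance does with an oversized packet it is not allowed to fragment; the model assumes it is dropped and, unless suppressed, an ICMP Fragmentation Needed message is returned to the sender. The fragment layout follows RFC 791 (offsets in 8-byte units, MF flag), so the reassembly check is real rather than a stub, and pmtud_blackhole() shows the failure mode the last option creates.

```python
"""Model of the MTU options on the Advanced tab for a non-VPN outbound IPv4
packet.  Added example, not SonicOS code.  Assumption: an oversized packet that
may not be fragmented here is dropped and the sender is told with ICMP type 3
code 4 unless that message is suppressed."""

from dataclasses import dataclass, field
from typing import List

IPV4_HEADER_LEN = 20  # header without options


@dataclass
class MtuSettings:
    mtu: int = 1500
    fragment_non_vpn: bool = True       # "Fragment non-VPN outbound packets larger than this Interface's MTU"
    ignore_df: bool = False             # "Ignore Don't Fragment (DF) Bit"
    suppress_frag_needed: bool = False  # "Suppress ICMP Fragmentation Needed message generation"


@dataclass
class Fragment:
    offset: int            # fragment offset field, in 8-byte units (RFC 791)
    more_fragments: bool   # MF flag
    payload: bytes


@dataclass
class Outcome:
    action: str                          # "forward", "fragment" or "drop"
    fragments: List[Fragment] = field(default_factory=list)
    icmp_frag_needed: bool = False       # ICMP type 3 code 4 sent back to the source


def fragment_payload(payload: bytes, mtu: int) -> List[Fragment]:
    """Split a payload so every fragment plus a 20-byte header fits in `mtu`.
    All fragments but the last carry a multiple of 8 bytes, because the
    offset field counts in 8-byte units."""
    max_data = (mtu - IPV4_HEADER_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any payload")
    fragments = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        fragments.append(Fragment(offset=start // 8,
                                  more_fragments=start + max_data < len(payload),
                                  payload=chunk))
    return fragments


def reassemble(fragments: List[Fragment]) -> bytes:
    """Rebuild the payload from fragments in any order, as a receiver would,
    refusing sets that are not contiguous or that lack the final fragment."""
    ordered = sorted(fragments, key=lambda f: f.offset)
    expected = 0
    for f in ordered[:-1]:
        if f.offset != expected or not f.more_fragments:
            raise ValueError("fragment set is not contiguous")
        expected += len(f.payload) // 8
    if ordered and ordered[-1].more_fragments:
        raise ValueError("last fragment is missing")
    return b"".join(f.payload for f in ordered)


def forward_outbound(payload: bytes, df: bool, s: MtuSettings) -> Outcome:
    """Decide what the interface does with one non-VPN outbound packet."""
    if IPV4_HEADER_LEN + len(payload) <= s.mtu:
        return Outcome("forward")
    # The firewall may fragment only if the option is on and the DF bit is
    # either clear or being ignored.
    if s.fragment_non_vpn and (not df or s.ignore_df):
        return Outcome("fragment", fragment_payload(payload, s.mtu))
    # Assumption (see lead-in): otherwise drop and, unless suppressed, tell the
    # sender so that Path MTU Discovery can lower its packet size.
    return Outcome("drop", icmp_frag_needed=not s.suppress_frag_needed)


def pmtud_blackhole(s: MtuSettings) -> bool:
    """True when a DF-marked oversized packet is dropped with no ICMP feedback:
    the sender keeps retransmitting full-size packets and the flow stalls."""
    probe = forward_outbound(b"\x00" * s.mtu, df=True, s=s)
    return probe.action == "drop" and not probe.icmp_frag_needed


if __name__ == "__main__":
    big = bytes(range(256)) * 12  # 3072-byte constructed payload
    print(forward_outbound(big, df=False, s=MtuSettings()).action)
    print(forward_outbound(big, df=True, s=MtuSettings()).icmp_frag_needed)
    print(pmtud_blackhole(MtuSettings(suppress_frag_needed=True)))
```

With the defaults a 3072-byte DF-clear payload becomes three fragments (offsets 0, 185 and 370) that reassemble cleanly; the same payload with DF set is dropped with an ICMP message, unless Suppress ICMP Fragmentation Needed is on, in which case pmtud_blackhole() reports the silent drop.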
Bandwidth Management

Enable Interface Egress Bandwidth Limitation—Enables outbound bandwidth management.
Maximum Interface Egress Bandwidth (kbps)—Specifies the available outbound bandwidth for WAN interfaces, in kbps.
Enable Interface Ingress Bandwidth Limitation—Enables inbound bandwidth management.
Maximum Interface Ingress Bandwidth (kbps)—Specifies the available inbound bandwidth for WAN interfaces, in kbps.

For information on Bandwidth Management (BWM), see Bandwidth Management Overview.

Configuring Protocol Settings for a WAN Interface

If you specified a PPPoE, PPTP, or L2TP IP assignment when configuring the WAN interface, the Edit Interface dialog box displays the Protocol tab.

The Internet Service Provider (ISP) provisions the fields (for example, SonicWall IP Address, Subnet Mask, and Gateway Address) in the Settings Acquired via section of the Protocol tab. These fields will show actual values after you connect the appliance to the ISP. Additionally, specifying PPPoE causes SonicOS to set the Interface MTU option in the Advanced tab to 1492 and provides additional settings in the Protocol tab.

To configure additional settings for PPPoE:
1
In the Edit Interface dialog, click the Protocol tab.
2
Select the checkboxes to enable the following options in the PPPoE Client Settings section:
Inactivity Disconnect (minutes): Enter the number of minutes (the default is 10) after which SonicOS terminates the connection if it detects that no packets are being sent.
Strictly use LCP echo packets for server keep-alive: Select this to have SonicOS terminate the connection if it detects that the PPPoE server has not sent a PPP LCP echo request packet within a minute. Select this option only if your PPPoE server supports sending LCP echo requests.
Reconnect the PPPoE client if the server does not send traffic for __ minutes: Enter the number of minutes (the default is 5) after which SonicOS terminates the connection to the PPPoE server and then reconnects, if the server has not sent any packets (including LCP echo requests) in that time.
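Before turning on Strictly use LCP echo packets for server keep-alive you want evidence that the access concentrator really sends an LCP Echo-Request at least once a minute; otherwise the option will tear the session down on its own. The following Python is an added example, not SonicOS code: it builds a few PPPoE session frames of the kind a WAN-side capture would contain, parses the PPPoE and PPP headers, and reports the longest interval between Echo-Requests from the access concentrator. The MAC addresses, timestamps and the 60-second threshold are constructed for the example. Only Echo-Requests from the access concentrator count, so ordinary IP data frames, which would satisfy the other two timers, are ignored, exactly as the strict option does.

```python
"""Check whether a PPPoE access concentrator (AC) sends LCP Echo-Requests often
enough for the "Strictly use LCP echo packets" option.  Added example, not
SonicOS code.  Frame layouts follow RFC 2516 (PPPoE) and RFC 1661 (LCP)."""

import struct
from typing import List, Optional, Tuple

ETH_P_PPPOE_SESSION = 0x8864
PPPOE_VER_TYPE = 0x11      # version 1, type 1
PPPOE_CODE_SESSION = 0x00
PPP_LCP = 0xC021
PPP_IPV4 = 0x0021
LCP_ECHO_REQUEST = 9
LCP_ECHO_REPLY = 10

# constructed addresses for the example
AC_MAC = bytes.fromhex("0011aa000001")
CLIENT_MAC = bytes.fromhex("0017c5000002")


def build_lcp(code: int, identifier: int, data: bytes = b"") -> bytes:
    """LCP packet: code, identifier, length (header included), data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_pppoe_frame(src: bytes, dst: bytes, session_id: int,
                      ppp_proto: int, ppp_payload: bytes) -> bytes:
    """Ethernet + PPPoE session header + PPP protocol field + payload."""
    pppoe_payload = struct.pack("!H", ppp_proto) + ppp_payload
    pppoe_hdr = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION,
                            session_id, len(pppoe_payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_SESSION) + pppoe_hdr + pppoe_payload


def parse_pppoe_session(frame: bytes) -> Optional[dict]:
    """Return {"src", "session_id", "ppp_proto", "lcp_code"} or None for
    anything that is not a well-formed PPPoE session frame."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_SESSION:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        return None
    body = frame[20:20 + length]
    if len(body) != length or length < 2:
        return None  # truncated frame: do not trust it
    ppp_proto = struct.unpack("!H", body[:2])[0]
    lcp_code = body[2] if ppp_proto == PPP_LCP and length >= 6 else None
    return {"src": frame[6:12], "session_id": session_id,
            "ppp_proto": ppp_proto, "lcp_code": lcp_code}


def echo_request_times(capture: List[Tuple[float, bytes]], ac_mac: bytes) -> List[float]:
    """Timestamps of LCP Echo-Requests sent by the access concentrator."""
    times = []
    for ts, frame in capture:
        info = parse_pppoe_session(frame)
        if info and info["src"] == ac_mac and info["lcp_code"] == LCP_ECHO_REQUEST:
            times.append(ts)
    return times


def strict_keepalive_safe(capture: List[Tuple[float, bytes]], ac_mac: bytes,
                          max_gap: float = 60.0) -> Tuple[bool, float]:
    """(safe, longest_gap): safe is False if the AC ever went longer than
    `max_gap` seconds without an Echo-Request, counting the silence between
    the last Echo-Request and the end of the capture."""
    times = echo_request_times(capture, ac_mac)
    if not capture or not times:
        return False, float("inf")
    end = max(ts for ts, _ in capture)
    gaps = [b - a for a, b in zip(times, times[1:])] + [end - times[-1]]
    longest = max(gaps)
    return longest <= max_gap, longest


def sample_capture(late_echo: bool) -> List[Tuple[float, bytes]]:
    """Constructed capture: echoes at 0, 30 and 60 s, an IPv4 data frame at
    100 s and, optionally, a fourth echo at 150 s (a 90 s silence)."""
    sid = 0x0042

    def echo(ident: int) -> bytes:
        return build_lcp(LCP_ECHO_REQUEST, ident, struct.pack("!I", 0xDEADBEEF))

    cap = [
        (0.0, build_pppoe_frame(AC_MAC, CLIENT_MAC, sid, PPP_LCP, echo(1))),
        (0.2, build_pppoe_frame(CLIENT_MAC, AC_MAC, sid, PPP_LCP, build_lcp(LCP_ECHO_REPLY, 1))),
        (30.0, build_pppoe_frame(AC_MAC, CLIENT_MAC, sid, PPP_LCP, echo(2))),
        (60.0, build_pppoe_frame(AC_MAC, CLIENT_MAC, sid, PPP_LCP, echo(3))),
        (100.0, build_pppoe_frame(AC_MAC, CLIENT_MAC, sid, PPP_IPV4, b"\x45" + b"\x00" * 19)),
    ]
    if late_echo:
        cap.append((150.0, build_pppoe_frame(AC_MAC, CLIENT_MAC, sid, PPP_LCP, echo(4))))
    return cap


if __name__ == "__main__":
    print(strict_keepalive_safe(sample_capture(False), AC_MAC))
    print(strict_keepalive_safe(sample_capture(True), AC_MAC))
```

The first constructed capture is judged safe (longest gap 40 s); the second is not (90 s between the third and fourth Echo-Request), even though the data frame at 100 s would have reset the Inactivity Disconnect and Reconnect timers. Echo-Replies from the client side are parsed but never counted.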

Configuring the NSA Expansion Pack Module Interface (NSA 2400MX and 250M Only)

The SonicWall NSA 2400MX and NSA 250M security appliances support the following optional NSA Expansion Pack modules:

1-Port ADSL (RJ-11) Annex A module
1-Port ADSL (RJ-45) Annex B module
1-Port T1/E1 module
2-Port LAN Bypass module
2-Port SFP module
4-Port Gigabit Ethernet module (SonicWall NSA 2400MX only)

These interfaces are listed in the Interface Settings table as the Mx interfaces.

* 
CAUTION: Before attempting to insert and configure the module, you must power off the appliance. Once the appliance has been powered down, remove the rear module plate cover and insert the expansion module. Tighten the screws to secure the module, then power on the appliance.

Log into the SonicOS management interface. You can now begin configuring the desired expansion module.


Configuring the ADSL Expansion Module

ADSL is an acronym for Asymmetric Digital Subscriber Line (or Loop). The line is asymmetric because, when connected to the ISP, the upstream and downstream speeds of transmission are different. The DSL technology allows non-voice services (data) to be provided on regular single copper wire-pair POTS connections (such as your home phone line). It allows voice calls and data to pass through simultaneously by using higher band frequencies for data transmission.

The SonicWall ADSL module cards support only one subscriber ADSL line (one port). Two types of ADSL module cards are supported:

1 Port ADSL (RJ-11) Annex A – ADSL over plain old telephone service (POTS) with a downstream rate of 12.0 Mbit/s and an upstream rate of 1.3 Mbit/s.
1 Port ADSL (RJ-45) Annex B – ADSL over an Integrated Services Digital Network (ISDN) with a downstream rate of 12.0 Mbit/s and an upstream rate of 1.8 Mbit/s.

The ADSL standards shown in Supported ADSL Standards are supported.

Supported ADSL Standards

Standard Name - Common Name
T1.413 - ADSL
G.992.1 - ADSL G.DMT
G.992.2 - ADSL Lite (G.Lite)
G.992.3 - ADSL2
G.992.5 - ADSL2+ with Annex M and Annex L

The ADSL module card uses 2 LEDs to indicate connectivity status. The upper green LED is the ADSL link. Its status is as follows:

OFF- No link
ON - ADSL link is active

The lower green LED shows the system and ADSL module activity.

If it is OFF, there is no activity.
If it displays a slow blink rate, it signifies activity on the system management interface.
If it displays a fast blink rate, there is data activity on the ADSL line.

The ADSL module card is detected at boot and assigned the interface name M0 or M1, depending on the expansion slot hosting the module card. You will see the assigned entry when you log into the Network > Interfaces page.

The ADSL interface is never unassigned. When plugged in, it is always present in the WAN zone and zone assignment cannot be modified.

Click on the Configure icon to the right of the interface entry. You will see a menu with three tabs: General, Advanced, and DSL Settings. The DSL Settings tab allows you to configure ISP-specific settings for the ADSL connection.

It displays the configurable DSL fields:

Virtual Path Identifier (VPI)
Virtual Channel Identifier (VCI)
Multiplexing Method (LLC or VC)

The values for these parameters should match the settings on the ISP DSLAM, and are provided by the ISP. These values vary from one ISP to another, and from country to country.

The SonicWall default uses the most common values in the USA. The VPI and VCI settings are used to create the Permanent Virtual Circuit (PVC) from the NSA 2400MX to the ISP DSLAM.

When finished configuring these ISP settings, click OK.

The Ethernet-specific settings on the Advanced tab, even if set, do not apply to the ADSL module. The Link Speed field in the Advanced tab has a fixed "N/A" selection, since it does not apply to ADSL. The ADSL link speed can't be customized but is predetermined by the DSL Provider.

The standard WAN Ethernet settings are not affected by the presence of the ADSL module.

When the ADSL module is first plugged in, it should be added to the WAN Load Balancing default group so that the ADSL module can be used to handle default route traffic. Go to the Failover & LB page and click the Configure icon to edit the settings.

On the General tab, add the ADSL interface to the Load Balancing group. If the default primary WAN, X1, is unused or unconfigured, it can be removed for a cleaner interface configuration.

When done, click OK, and the ADSL module will be added to the group.

Configuring the T1/E1 Module

The 1-port T1/E1 Module provides the connection of a T1 or E1 (digitally multiplexed telecommunications carrier system) circuit to a SonicWall appliance using an RJ-45 jack.

The SonicWall T1/E1 module fully supports Point-to-Point Protocol (PPP) and Cisco HDLC encapsulation, and can connect to Cisco routers and HP ProCurve devices.

* 
NOTE: Only one T1/E1 module can be configured on each appliance.
To configure the T1/E1 Module:
1
Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface dialog displays.

The General tab allows you to set up the type of encapsulation (PPP, HDLC, or Cisco HDLC), as well as the management protocols and the User Login method. The Zone setting is disabled.

2
Select the desired type of encapsulation: PPP, HDLC, or Cisco HDLC. If you select a type of encapsulation other than PPP, you will need to assign the IP address and netmask.
3
If HDLC or Cisco HDLC is selected, assign the IP address and subnet mask. These are auto-filled for you, but you can change them if desired.

If you want to enable remote management of the SonicWall security appliance from this interface, select the supported management protocol(s): HTTPS, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS. You can also select the User Login method (HTTP or HTTPS) at this time.

4
Click on the Advanced Tab.

You will see two radio buttons, one for T1 and one for E1. Only one button should be selected at a time. Different Line Coding, Framing and Encapsulation configuration choices are offered, depending on the button.

5
Select the Clock Source: Internal or External. This selection is the same for both T1 and E1.
6
Select the Line Coding option:
When T1 is selected, the choices are: B8ZS, AMI
When E1 is selected, the choices are: HDB3, AMI
7
Select the Framing configuration:
When T1 is selected, the choices are: D4 (SF), ESF
When E1 is selected, the choices are: FAS, MFAS
8
Select the DS0 speed: 56 kbps or 64 kbps (default).

If desired, you can specify the Data DS0 range.

For T1, the range is 1 to 24 (default)
For E1, the range is 1 to 31

Each end of the range can be set individually. For example, “5 to 15”, “1 to 1”, and “1 to 20” are valid settings.

9
Line Build Out is available with T1. The options are: 0.0 dB, -7.5 dB, -15 dB, -22.5 dB.

CRC is configured with an enable/disable check-box. When T1 is selected, the check-box is labeled CRC6, when E1 is selected the check-box is labeled CRC4.

You can also choose to enable multicast.

10
When finished with configuration, click OK.

The T1/E1 module interface will be added to the pool of available WAN interfaces.

Configuring the LAN Bypass Module

This module allows you to perform a physical bypass of the firewall when the interface is bridged to another interface with LAN bypass capability. This allows network traffic to continue flowing if an unrecoverable firewall error occurs.

1
Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface dialog displays. The Bypass option is only displayed if an interface capable of performing the bridge is present.

2
The dialog shows the LAN interface, and has a check box “Engage Physical ByPass on Malfunction” to enable the physical bypass feature. This is only displayed when the interface is bridged to another interface capable of performing the LAN bypass. Enabling this check box means that traffic between the bridged pair keeps flowing even if the firmware or the NSA appliance fails. Bear in mind that while the bypass is engaged the two ports are joined at the hardware level, so the traffic crossing them is not inspected or filtered by the firewall.

If the check box is not enabled, the ports will behave like normal Ethernet ports.

3
Click OK to configure the interface.

Configuring the 2 Port SFP or 4 Port Gigabit Ethernet Modules

Configuring General Options
1
Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface dialog displays.
2
If you’re configuring an Unassigned Interface, you can select any zone from the Zone menu; LAN is selected by default.

Select one of the following LAN Network Addressing Modes from the IP Assignment menu.

Static - configures the interface for a network that uses static IP addresses.
Transparent - configures the interface in Transparent Mode, which bridges the WAN interface’s IP subnet onto this interface so that hosts behind it use addresses from the WAN subnet without NAT.

Depending on the option you choose from the IP Assignment menu, complete the corresponding fields that are displayed after selecting the option.

3
Assign the IP address and subnet mask. These are auto-filled for you, but you can change them if desired.
4
If you want to enable remote management of the SonicWall security appliance from this interface, select the supported management protocol(s): HTTPS, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS. You can also check Add rule to enable redirect from HTTP to HTTPS to enforce HTTPS on the interface.
5
Click OK to configure the interface.
Configuring the Advanced Settings for the Module Interface

The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the default MAC address, enabling multicast support on the interface, and enabling 802.1p tagging. Packets sent out with 802.1p tagging are tagged with VLAN id=0 and carry 802.1p priority information. Devices connected to this interface need to support priority frames.

Configuring Additional Interfaces
6
Each expansion module interface must be individually configured. These initially appear as unassigned interfaces.
7
Click on the Edit icon in the Configure column for the Interface you want to configure.

For each interface, on the General tab of the Edit Interface window, select LAN from the Zone menu. Fill in the desired IP assignment. The subnet will be assigned for you. Add the desired management options and click OK. Then configure the Advanced settings.

Configuring Link Aggregation

Link Aggregation groups up to four Ethernet interfaces together to form a single logical link, referred to as a Link Aggregation Group (LAG), that supports greater throughput than a single physical interface could. This provides the ability to send multi-gigabit traffic between two Ethernet domains. All ports in an aggregate link must be connected to the same switch. The firewall uses a round-robin algorithm to load-balance traffic across the interfaces in a Link Aggregation Group. Link Aggregation also provides a measure of redundancy: if one interface in the LAG goes down, the other interfaces remain connected.

Link Aggregation is referred to using different terminology by different vendors, including Port Channel, Ether Channel, Trunk, and Port Grouping.

Link Aggregation Failover

SonicWall provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Link Aggregation. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:

High Availability
Link Aggregation
Load Balancing Groups

HA takes precedence over Link Aggregation. Because each link in the LAG carries an equal share of the load, the loss of a link on the Active firewall will force a failover to the Idle firewall (if all of its links remain connected). Physical monitoring needs to be configured only on the primary aggregate port.

When Link Aggregation is used with a LB Group, Link Aggregation takes precedence. LB will take over only if all the ports in the aggregate link are down.

Link Aggregation Limitations

Currently only static addressing is supported for Link Aggregation.
Link Aggregation is supported on SonicWall E-Class appliances only.
The Link Aggregation Control Protocol (LACP) is currently not supported.

Link Aggregation Configuration

To configure Link Aggregation:
1
On the Network > Interfaces page, click the configure icon for the interface that is to be designated the master of the Link Aggregation Group. The Edit Interface dialog displays.
2
Click on the Advanced tab.
3
In the Redundant/Aggregate Ports drop-down menu, select Link Aggregation.
4
The Aggregate Port option is displayed with a check box for each of the currently unassigned interfaces on the firewall. Select up to three other interfaces to assign to the LAG.
* 
NOTE: After an interface is assigned to a Link Aggregation Group, its configuration is governed by the Link Aggregation master interface and it cannot be configured independently. In the Interface Settings table, the interface's zone is displayed as "Aggregate Port" and the configuration icon is removed.
5
Set the Link Speed for the interface to Auto-Negotiate.
6
Click OK.
* 
NOTE: Link Aggregation requires a matching configuration on the switch. The switch's method of load balancing will vary depending on the vendor. Consult the documentation for the switch for information on configuring Link Aggregation. Remember that it may be referred to as Port Channel, Ether Channel, Trunk, or Port Grouping.

Configuring Port Redundancy

Port Redundancy provides a simple method for configuring a redundant port for a physical Ethernet port. This is a valuable feature, particularly in high-end deployments, because it keeps a single switch failure from becoming a single point of failure.

When the primary interface is active, it processes all traffic to and from the interface. If the primary interface goes down, the secondary interface takes over all outgoing and incoming traffic. The secondary interface assumes the MAC address of the primary interface and sends the appropriate gratuitous ARP on a failover event. When the primary interface comes up again, it resumes responsibility for all traffic handling duties from the secondary interface.

In a typical Port Redundancy configuration, the primary and secondary interfaces are connected to different switches. This provides for a failover path in case the primary switch goes down. Both switches must be on the same Ethernet domain. Port Redundancy can also be configured with both interfaces connected to the same switch.
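The MAC takeover and gratuitous ARP described above are worth seeing on the wire, both to verify a failover and because a gratuitous ARP is also the classic tool of an ARP-spoofing attacker. The following Python is an added example, not SonicOS code: it builds a gratuitous ARP in the reply form (whether SonicOS uses the request or the reply form is not stated on this page, so that is an assumption), parses it back, and runs the check a simple ARP monitor would apply: a gratuitous ARP announcing an IP with the MAC the monitor already knows is an expected event, one announcing a known IP with a new MAC is a conflict to investigate. The addresses are constructed. Because the secondary port assumes the primary's MAC, a Port Redundancy failover falls into the first bucket.

```python
"""Build, parse and classify gratuitous ARP frames.  Added example, not
SonicOS code.  Layout follows RFC 826; the reply form (opcode 2) with the
Ethernet broadcast destination is assumed here."""

import ipaddress
import struct
from typing import Dict, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(mac: str, ip: str) -> bytes:
    """Announce `ip` at `mac`: sender and target protocol addresses are the
    same, the target hardware address is the sender itself, and the frame is
    broadcast so every switch and host updates its tables."""
    hw = mac_bytes(mac)
    addr = ipaddress.IPv4Address(ip).packed
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + hw + addr + hw + addr
    return BROADCAST + hw + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame for IPv4 over Ethernet, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
        "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa)),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP: the sender talks about its own address (request or reply form)."""
    return arp["spa"] == arp["tpa"] and arp["oper"] in (ARP_REQUEST, ARP_REPLY)


def classify_garp(arp: dict, known: Dict[str, str]) -> str:
    """'ignore'   - not gratuitous at all
       'new'      - announces an IP the monitor has never seen
       'expected' - same IP, same MAC as recorded (a Port Redundancy failover,
                    since the secondary port keeps the primary's MAC)
       'conflict' - known IP now claimed by a different MAC, or a frame whose
                    Ethernet source and ARP sender disagree: investigate."""
    if not is_gratuitous(arp):
        return "ignore"
    if arp["sha"] != arp["eth_src"]:
        return "conflict"  # header and payload disagree: never legitimate
    recorded = known.get(arp["spa"])
    if recorded is None:
        return "new"
    return "expected" if recorded.lower() == arp["sha"] else "conflict"


if __name__ == "__main__":
    table = {"10.50.26.1": "00:17:c5:aa:bb:cc"}  # constructed IP-to-MAC binding
    frame = build_gratuitous_arp("00:17:c5:aa:bb:cc", "10.50.26.1")
    print(classify_garp(parse_arp(frame), table))
```

Feeding the monitor a gratuitous ARP for an address it knows, from the MAC it recorded, yields "expected"; the same address from any other MAC, or a frame whose Ethernet source does not match the ARP sender field, yields "conflict".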

* 
NOTE: Port Redundancy is supported on SonicWall E-Class appliances only.

Port Redundancy Failover

SonicWall provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Port Redundancy. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:

Port Redundancy
HA
LB Group

When Port Redundancy is used with HA, Port Redundancy takes precedence. Typically an interface failover will cause an HA failover to occur, but if a redundant port is available for that interface, then an interface failover will occur but not an HA failover. If both the primary and secondary redundant ports go down, then an HA failover will occur (assuming the secondary firewall has the corresponding port active).

When Port Redundancy is used with a LB Group, Port Redundancy again takes precedence. Any single port (primary or secondary) failures are handled by Port Redundancy just like with HA. When both the ports are down then LB kicks in and tries to find an alternate interface.

Port Redundancy Configuration

To configure Port Redundancy:
1
On the Network > Interfaces page, click the configure icon for the interface that is to be the primary interface of the redundant pair. The Edit Interface dialog displays.
2
Click on the Advanced tab.
3
In the Redundant/Aggregate Ports drop-down menu, select Port Redundancy.
4
The Redundant Port drop-down menu is displayed, with all of the currently unassigned interfaces available. Select one of the interfaces.
* 
NOTE: After an interface is selected as a Redundant Port, its configuration is governed by the primary interface and it can not be configured independently. In the Interface Settings table, the interface's zone is displayed as "Redundant Port" and the configuration icon is removed.
5
Set the Link Speed for the interface to Auto-Negotiate.
6
Click OK.

Configuring Routed Mode

Routed Mode provides an alternative to NAT for routing traffic between separate public IP address ranges. Consider the topology in Network Using Routed Mode, where the firewall is routing traffic across two public IP address ranges:

10.50.26.0/24
172.16.6.0/24

Network Using Routed Mode

By enabling Routed Mode on the interface for the 172.16.6.0 network, NAT translations will be automatically disabled for the interface, and all inbound and outbound traffic will be routed to the WAN interface configured for the 10.50.26.0 network.

To configure Routed Mode:
1
Navigate to the Network > Interfaces page.
2
Click on the configure icon for the appropriate interface. The Edit Interface dialog displays.
3
Click on the Advanced tab.

4
Under the Expert Mode Settings heading, select the Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation check box to enable Routed Mode for the interface.
5
In the Set NAT Policy's outbound\inbound interface to drop-down menu, select the WAN interface that is to be used to route traffic for the interface.
6
Click OK.

The firewall then creates “no-NAT” policies for both the configured interface and the selected WAN interface. These policies override any more general NAT policies that may be configured for the interfaces.

Configuring the U0/U1/M0 External 3G/4G/Modem Interface

The SonicWall security appliances with a USB port support an external 3G/mobile or analog modem interface. Depending on your appliance, when an analog modem or 3G device is installed prior to starting the appliance, it will be listed as the U0, U1, or M0 (NSA 240 only) interface on the Network > Interfaces page.

The U0/U1/M0 interface must be initially configured on the 3G or Modem tab in the left-side navigation bar. Once you have created a configuration profile for the interface, the configuration can be modified from the Network > Interfaces page. For additional information on 3G or analog modem external interfaces, see 3G/4G/Modem.

* 
NOTE: The SonicWall security appliance must be rebooted before it will recognize the external 3G/mobile or analog modem interface.

Manually Initiate a Connection

To manually initiate a connection on the U0/U1/M0 external 3G/modem interface:
1
On the Network > Interfaces page, click on the Manage button for the U0/U1/M0 interface.
2
The U0/U1/M0 Connection Status dialog displays. Click the Connect button. When the connection is active, the U0/U1/M0 Connection Status dialog displays statistics on the session.

For a detailed explanation of the behavior of the Ethernet with 3G Failover setting see Understanding 3G/4G Connection Types.

Configuring the U0/U1/M0 Interface from Network > Interfaces

To configure the U0/U1/M0 interface from the Network > Interfaces page:
1
Click the configure icon for the U0/U1/M0 interface.

2
If the interface will be used in Connect on Data mode, select the categories of traffic that will trigger the interface to automatically connect when the appliance detects those types of traffic.

The following categories are supported:

NTP packets
GMS Heartbeats
System log e-mails
AV Profile Updates
SNMP Traps
Licensed Updates
Firmware Update requests
Syslog traffic
* 
NOTE: To configure the SonicWall appliance for Connect on Data operation, you must select Connect on Data as the Connection Type for the Connection Profile. See 3G/4G > Connection Profiles for more details.
3
Select the appropriate Management/User Login options to enable remote management of the SonicWall appliance over the 3G interface.

You can select any of the supported management protocol(s): HTTPS, Ping, SNMP, and/or SSH. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS.

* 
NOTE: Remotely managing the appliance over the U0/U1/M0 interface requires that the 3G provider:
1
Issues a publicly routable IP address upon connection to the 3G network.
2
Allows external connections to be initiated to devices on its network.

Please contact your 3G provider to determine if they support these requirements.

4
Select Add rule to enable redirect from HTTP to HTTPS to have the SonicWall automatically convert HTTP requests to HTTPS requests for added security.
5
To select the preferred configuration profiles for the interface, click the Profiles tab.

6
Select the appropriate connection profiles for Primary Profile, Alternate Profile 1, and Alternate Profile 2.
* 
NOTE: The connection profiles must be initially configured on the 3G > Connection Profiles page. See 3G/4G > Connection Profiles for more details.
7
Click on the Advanced tab.

8
Check the Enable Remotely Triggered Dial-Out check box to enable network administrators to remotely initiate a WAN modem connection. For more information, see Remotely Triggered Dial-Out Settings.
9
(Optional) To authenticate the remote call, check the Requires authentication check box and enter the password in the Password and Confirm Password fields.
10
In the Max Hosts field, enter the maximum number of hosts to allow when this interface is connected. The default value is 0, which allows an unlimited number of nodes.
11
Click the Enable Egress Bandwidth Management check box to enable bandwidth management policy enforcement on outbound traffic.
12
Click the Enable Ingress Bandwidth Management check box to enable bandwidth management policy enforcement on inbound traffic.
13
Select a Compression Multiplier from the drop-down list as necessary to appropriately adjust bandwidth calculations if the dial-up device performs compression.
14
Select the Enable flow reporting check box to have the data for flows on this interface reported to Flow Reporting and the Real-Time Monitor.
* 
NOTE: In earlier SonicOS releases, the failover behavior for the 3G/Modem interface was configured on the Network > Interfaces page. Now, 3G/Modem failover is configured on the Network > Failover & LB page. See Network > Failover & Load Balancing for more information.

Configuring PortShield Interfaces (TZ series, NSA 240, and NSA 2400MX)

PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall.

PortShield is supported on SonicWall TZ Series, NSA 240, and NSA 2400MX appliances.

* 
TIP: Zones can always be applied to multiple interfaces in the Network > Interfaces page, even without the use of PortShield groupings. However, these interfaces will not share the same network subnet unless they are grouped using PortShield.

You can assign any combination of ports into a PortShield interface. All ports you do not assign to a PortShield interface are assigned to the LAN interface.

To configure a PortShield interface:
1
Click on the Network > Interfaces page.

2
Click the Configure button for the interface you want to configure. The Edit Interface dialog displays.

3
In the Zone drop-down menu, select the zone to which you want to map the interface.
* 
NOTE: You can add PortShield interfaces only to Trusted, Public, and Wireless zones.
4
In the IP Assignment drop-down menu, select PortShield Switch Mode.
5
In the PortShield to drop-down menu, select the interface you want to map this port to. Only ports that match the zone you have selected are displayed.

Configuring VLAN Subinterfaces (NSA series)

VLAN subinterfaces are supported on SonicWall NSA series appliances. When you add a VLAN subinterface, you need to assign it to a zone, assign it a VLAN Tag, and assign it to a physical interface. Based on your zone assignment, you configure the VLAN subinterface the same way you configure a physical interface for the same zone.

Adding a Virtual Interface

1
Navigate to the Network > Interfaces page.
2
At the bottom of the Interface Settings table, click the Add Interface drop-down menu and select Virtual Interface. The Edit Interface dialog displays.

3
Select a zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or create a zone. The zone assignment does not have to be the same as the parent (physical) interface. In fact, the parent interface can even remain Unassigned.

Your configuration choices for the network settings of the subinterface depend on the zone you select.

LAN, DMZ, or a custom zone of Trusted type: Static or Transparent. For LAN, Tap Mode (1-Port Tap) is also available.
WLAN or a custom Wireless zone: static IP only (no IP Assignment list).
4
Assign a VLAN tag (ID) to the subinterface. Valid VLAN IDs are 1 to 4094, although some switches reserve VLAN 1 as the native VLAN. You will need to create a VLAN subinterface with a corresponding VLAN ID for each VLAN you wish to secure with your security appliance.
5
Declare the parent (physical) interface to which this subinterface will belong. There is no per-interface limit to the number of subinterfaces you can assign – you may assign subinterfaces up to the system limit.
6
Configure the subinterface network settings based on the zone you selected, following the interface configuration instructions for that zone type.
7
Select the management and user-login methods for the subinterface.
8
Click OK.
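The VLAN tag a subinterface matches on, and the VLAN id=0 priority tag that the Enable 802.1p tagging option on the Advanced tab produces, are the same 4-byte 802.1Q field read two ways. The following Python is an added example (not SonicOS code) that builds and parses that field and applies the validity rules given above: VID 0 means priority-tagged only, 1 to 4094 is a real VLAN (with 1 often the switch's native VLAN), and 4095 is reserved. It then maps a tagged frame to the subinterface that would receive it; frames for a VID with no subinterface map to nothing. Frame contents, addresses and the subinterface names are constructed.

```python
"""Build and parse IEEE 802.1Q tags.  Added example, not SonicOS code.
TCI layout: PCP (3 bits, the 802.1p priority), DEI (1 bit), VID (12 bits)."""

import struct
from typing import Dict, Optional, Tuple

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
VID_PRIORITY_ONLY = 0   # frame carries 802.1p priority but belongs to no VLAN
VID_RESERVED = 4095
NATIVE_VLAN_HINT = 1    # many switches treat VLAN 1 as the untagged native VLAN


def validate_vid(vid: int) -> int:
    """Accept 0 (priority-tagged) and 1..4094; reject 4095 and out-of-range values."""
    if not 0 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} is outside 0..4094 (4095 is reserved)")
    return vid


def tag_kind(vid: int) -> str:
    """Classify a VID according to the rules on this page."""
    if vid == VID_PRIORITY_ONLY:
        return "priority-tagged"      # what "Enable 802.1p tagging" emits
    if vid == VID_RESERVED:
        return "reserved"             # never valid on a subinterface
    if vid == NATIVE_VLAN_HINT:
        return "vlan (often the switch native VLAN)"
    return "vlan"


def build_dot1q_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                      ethertype: int, payload: bytes, dei: int = 0) -> bytes:
    """Ethernet header with an 802.1Q tag inserted before the real EtherType."""
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | validate_vid(vid)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_dot1q(frame: bytes) -> Optional[dict]:
    """Return the tag fields and inner payload, or None if the frame is untagged."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {
        "pcp": tci >> 13,
        "dei": (tci >> 12) & 1,
        "vid": vid,
        "kind": tag_kind(vid),
        "ethertype": ethertype,
        "payload": frame[18:],
    }


def subinterface_for(frame: bytes, parent: str,
                     subinterfaces: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Name of the VLAN subinterface on `parent` that a frame lands on.
    `subinterfaces` maps (parent, vid) -> name.  Untagged and priority-only
    frames belong to the parent itself; a VID with no subinterface yields None,
    i.e. the frame is not accepted on any configured interface."""
    tag = parse_dot1q(frame)
    if tag is None or tag["vid"] == VID_PRIORITY_ONLY:
        return parent
    return subinterfaces.get((parent, tag["vid"]))


if __name__ == "__main__":
    dst, src = bytes.fromhex("0017c5000001"), bytes.fromhex("0011aa000002")  # constructed
    f = build_dot1q_frame(dst, src, vid=100, pcp=5, ethertype=ETH_P_IPV4,
                          payload=b"\x45" + b"\x00" * 19)
    print(parse_dot1q(f)["kind"], subinterface_for(f, "X2", {("X2", 100): "X2:V100"}))
```

A frame tagged VID 100 with PCP 5 carries the bytes 81 00 a0 64 after the source MAC and lands on the subinterface registered for (X2, 100); the same frame with VID 0 is priority-tagged and is handled by the parent interface; building a frame with VID 4095 is refused.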

Configuring Layer 2 Bridge Mode


Configuration Task List for Layer 2 Bridge Mode

Choose a topology that suits your network
License firewall services
Disable DHCP server
Configure and enable SNMP and HTTP/HTTPS management
Enable syslog
Activate firewall services on affected zones
Create firewall access rules
Configure log settings
Configure wireless zone settings
Select the zone for the Primary Bridge Interface
Activate management
Activate security services
Select the zone for the Secondary Bridge Interface
Activate management
Activate security services
Apply security services to the appropriate zones

Configuring the Common Settings for L2 Bridge Mode Deployments

The following settings need to be configured on your SonicWall network security appliance prior to using it in most of the Layer 2 Bridge Mode topologies:

Licensing Services

When the appliance is successfully registered, go to the System > Licenses page and click Synchronize under Manage Security Services Online. This will contact the SonicWall licensing server and ensure that the appliance is properly licensed.

To check licensing status, go to the System > Status page and view the license status of all the firewall services (Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention).

Disabling DHCP Server

When using a SonicWall network security appliance in Layer 2 Bridge Mode in a network configuration where another device is acting as the DHCP server, you must first disable its internal DHCP engine, which is configured and running by default. On the Network > DHCP Server page, clear the Enable DHCPv4 Server check box, and then click on the Accept button at the top of the page.

Configuring SNMP Settings

On the System > SNMP page, make sure the check box next to Enable SNMP is checked, and then click on the Accept button at the top of the screen.

Then, click the Configure button. On the SNMP Settings page, enter all the relevant information for your firewall: the GET and TRAP SNMP community names that the SNMP server expects, and the IP address of the SNMP server. Click OK to save and activate the changes.

Enabling SNMP and HTTPS on the Interfaces

On the Network > Interfaces page, enable SNMP and HTTP/HTTPS on the interface through which you will be managing the appliance.

Enabling Syslog
1
On the Log > Syslog page, click on the Add button.

The Add Syslog Server dialog displays.

2
Create an entry for the syslog server.
3
Click OK to save and activate the change.
Activating Firewall Services on Each Zone

On the Network > Zones page, for each zone you will be using, make sure that the firewall services are activated.

Then, on the Security Services page for each firewall service, activate and configure the settings that are most appropriate for your environment.

An example of the Gateway Anti-Virus settings is shown below:

An example of the Intrusion Prevention settings is shown below:

An example of the Anti-Spyware settings is shown below:

Creating Firewall Access Rules

If you plan to manage the appliance from a different zone, or if you will be using a server such as the HP PCM+/NIM server for management, SNMP, or syslog services, create access rules for traffic between the zones. On the Firewall > Access Rules page, click on the Configure icon for the intersection of the zone of the server and the zone that has users and servers (your environment may have more than one of these intersections). Create a new rule to allow the server to communicate with all devices in that zone.

Configuring Log Settings

On the Log > Categories page, set the Logging Level to Informational and the Alert Level to Critical. Click Accept to save and activate the change.

Then, go to the Log > Name Resolution page and set the Name Resolution Method to DNS then NetBios. Click Accept to save and activate the change.

Configuring Wireless Zone Settings

In the case where you are using an HP PCM+/NIM system, if it will be managing an HP ProCurve switch on an interface assigned to a WLAN/Wireless zone, you will need to deactivate two features, otherwise you will not be able to manage the switch. Go to the Network > Zones page and select your Wireless zone. On the Wireless tab, clear the check boxes next to Only allow traffic generated by a SonicPoint and WiFiSec Enforcement. Click OK to save and activate the change.

Configuring Layer 2 Bridge Mode Procedure

Choose a topology that best suits your network. In this example, we will be using a topology that most closely resembles the Simple L2 Bridge Topology.

Choose an interface to act as the Primary Bridge Interface. In this example, we will use X1 (automatically assigned to the Primary WAN).

* 
NOTE: For information on choosing a topology and interface, refer to L2 Bridge Interface Zone Selection.

Topics:

Configuring the Primary Bridge Interface
1
Navigate to the Network > Interfaces page.
2
Click the Configure icon for the X1 (WAN) interface and configure the interface with a Static IP address (for example, 10.203.15.82).
* 
NOTE: The Primary Bridge Interface must have a Static IP assignment.

3
Configure the default gateway. This is required for the security appliance itself to reach the Internet. (This applies only to WAN interfaces.)
4
Configure the DNS server. (This applies only to WAN interfaces.)
5
Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
6
Click OK.

Configuring the Secondary Bridge Interface

Choose an interface to act as the Secondary Bridge Interface. Refer to L2 Bridge Interface Zone Selection for information on making this selection. In this example, we will use X0 (automatically assigned to the LAN):

1
On the Network > Interfaces page, click the Configure icon in the right column of the X0 (LAN) interface.
2
In the IP Assignment drop-down list, select Layer 2 Bridged Mode.
3
In the Bridged to drop-down list, select the X1 interface.
4
Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
5
You may optionally enable the Block all non-IPv4 traffic setting to prevent the L2 bridge from passing non-IPv4 traffic.
6
Optional: VLAN Filtering (SonicWall NSA series appliances)

You may also optionally navigate to the VLAN Filtering tab to control VLAN traffic through the L2 bridge. By default, all VLANs are allowed:

Select Block listed VLANs (blacklist) from the drop-down list and add the VLANs you wish to block from the left pane to the right pane. All VLANs added to the right pane will be blocked, and all VLANs remaining in the left pane will be allowed.
Select Allow listed VLANs (whitelist) from the drop-down list and add the VLANs you wish to explicitly allow from the left pane to the right pane. All VLANs added to the right pane will be allowed, and all VLANs remaining in the left pane will be blocked.
7
Click OK.

The Network > Interfaces page displays the updated configuration:

You may now apply security services to the appropriate zones, as desired. In this example, they should be applied to the LAN, WAN, or both zones.

Engage Physical Bypass on Malfunction

The “Engage Physical Bypass on Malfunction” option allows you to perform a physical bypass of the firewall when two interfaces are bridged together with LAN bypass capability. This means that the packets between the bridged pairs will continue flowing if an unrecoverable firewall error occurs, that is, if the firmware or NSA series appliance fails. If this option is not enabled, the ports will behave like normal Ethernet ports.

* 
NOTE: This option is only available when the X0 and X1 interfaces are bridged together on an NSA 7500 or above appliance and on appliances that support the LAN Bypass Module.
To enable this option:
1
Click on the Edit icon in the Configure column for the Layer 2 Bridge Mode Interface you want to configure. The Edit Interface dialog displays.

2
Click the Engage Physical Bypass on Malfunction check box.
3
Click the OK button.

VLAN Integration with Layer 2 Bridge Mode (SonicWall NSA Series Appliances)

VLANs are supported on SonicWall NSA series appliances. When a packet with a VLAN tag arrives on a physical interface, the VLAN ID is evaluated to determine if it is supported. The VLAN tag is stripped, and packet processing continues as it would for any other traffic. A simplified view of the inbound and outbound packet path includes the following potentially reiterative steps:

1
IP validation and reassembly
2
Decapsulation (802.1q, PPP)
3
Decryption
4
Connection cache lookup and management
5
Route policy lookup
6
NAT Policy lookup
7
Access Rule (policy) lookup
8
Bandwidth management
9
NAT translation
10
Advanced Packet Handling (as applicable)
a
TCP validation
b
Management traffic handling
c
Content Filtering
d
Transformations and flow analysis (on SonicWall NSA series appliances): H.323, SIP, RTSP, ILS/LDAP, FTP, Oracle, NetBIOS, Real Audio, TFTP
e
IPS and GAV

At this point, if the packet has been validated as acceptable traffic, it is forwarded to its destination. The packet egress path includes:

Encryption
Encapsulation
IP fragmentation

On egress, if the route policy lookup determines that the gateway interface is a VLAN subinterface, the packet is tagged (encapsulated) with the appropriate VLAN ID header. The creation of VLAN subinterfaces automatically updates the SonicWall’s routing policy table:

The auto-creation of NAT policies and Access Rules for VLAN subinterfaces behaves exactly as it does for physical interfaces. Customization of the rules and policies that govern the traffic between VLANs can be performed with customary SonicOS ease and efficiency.
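The following Python is an added example, not SonicOS code, that models two things the page describes: the VLAN Filtering tab and the Block all non-IPv4 traffic setting of a secondary bridge interface (steps 5 and 6 under Configuring the Secondary Bridge Interface), and the 802.1Q decapsulation on ingress and re-tagging on egress described in this section. The class and function names, the sample frames, and the treatment of untagged and ARP frames are assumptions, marked in the comments.

```python
import struct
from dataclasses import dataclass

# IEEE-assigned EtherType values
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD


@dataclass(frozen=True)
class BridgePolicy:
    """Settings of a secondary bridge interface (modelled here; not SonicOS code).

    vlan_mode: "allow_all" (the default), "block_listed" (blacklist) or
               "allow_listed" (whitelist); `vlans` holds the right-pane list.
    block_non_ipv4: the "Block all non-IPv4 traffic" check box.
    """
    vlan_mode: str = "allow_all"
    vlans: frozenset = frozenset()
    block_non_ipv4: bool = False


def build_frame(dst, src, ethertype, payload=b"", vlan_id=None):
    """Construct an Ethernet II frame; with vlan_id, insert one 802.1Q tag."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    # TCI: PCP and DEI bits left at zero, VID in the low 12 bits
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id, ethertype) + payload


def decapsulate(frame):
    """Ingress step 'Decapsulation (802.1q)': strip one tag if present.

    Returns (vlan_id or None, inner EtherType, frame without the tag).
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    outer = struct.unpack("!H", frame[12:14])[0]
    if outer != ETHERTYPE_8021Q:
        return None, outer, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[:12] + frame[16:]


def bridge_decision(frame, policy):
    """Return "forward" or "drop: <reason>" for a frame entering the bridge-pair."""
    if policy.vlan_mode not in ("allow_all", "block_listed", "allow_listed"):
        raise ValueError(f"unknown VLAN filtering mode {policy.vlan_mode!r}")
    vlan_id, ethertype, _ = decapsulate(frame)
    # VLAN Filtering tab. Assumption: the lists apply to tagged frames only.
    if vlan_id is not None:
        if policy.vlan_mode == "block_listed" and vlan_id in policy.vlans:
            return f"drop: VLAN {vlan_id} is on the block list"
        if policy.vlan_mode == "allow_listed" and vlan_id not in policy.vlans:
            return f"drop: VLAN {vlan_id} is not on the allow list"
    # "Block all non-IPv4 traffic". ARP is exempted here on the assumption
    # that the bridge passes ARP natively, as the page states for L2 bridges.
    if policy.block_non_ipv4 and ethertype not in (ETHERTYPE_IPV4, ETHERTYPE_ARP):
        return f"drop: non-IPv4 EtherType 0x{ethertype:04x}"
    return "forward"


def egress_encapsulate(untagged_frame, egress_vlan):
    """Egress step: when the route lookup picks a VLAN subinterface, re-tag."""
    if egress_vlan is None:
        return untagged_frame
    ethertype = struct.unpack("!H", untagged_frame[12:14])[0]
    return build_frame(untagged_frame[:6], untagged_frame[6:12], ethertype,
                       untagged_frame[14:], vlan_id=egress_vlan)


# Constructed sample frames; the MACs are those of the page's ARP topology example.
APPLIANCE_MAC = bytes.fromhex("001111111111")
WORKSTATION_B = bytes.fromhex("009010101010")
SAMPLE_FRAMES = {
    "ipv4 on VLAN 100": build_frame(APPLIANCE_MAC, WORKSTATION_B, ETHERTYPE_IPV4, b"\x45", vlan_id=100),
    "ipv4 on VLAN 300": build_frame(APPLIANCE_MAC, WORKSTATION_B, ETHERTYPE_IPV4, b"\x45", vlan_id=300),
    "ipv6 untagged": build_frame(APPLIANCE_MAC, WORKSTATION_B, ETHERTYPE_IPV6, b"\x60"),
    "arp untagged": build_frame(APPLIANCE_MAC, WORKSTATION_B, ETHERTYPE_ARP, b"\x00\x01"),
}

if __name__ == "__main__":
    blacklist = BridgePolicy("block_listed", frozenset({100, 200}), block_non_ipv4=True)
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:18} -> {bridge_decision(frame, blacklist)}")
```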

When creating a zone (either as part of general administration, or as a step in creating a subinterface), a check box will be presented on the zone creation page to control the auto-creation of a GroupVPN for that zone. By default, only newly created Wireless type zones will have ‘Create GroupVPN for this zone’ enabled, although the option can be enabled for other zone types by selecting the check box during creation.

Management of security services between VLAN subinterfaces is accomplished at the zone level. All security services are configurable and applicable to zones comprising physical interfaces, VLAN subinterfaces, or combinations of physical and VLAN subinterfaces.

Gateway Anti-Virus and Intrusion Prevention Services between the different workgroups can easily be employed with the use of VLAN segmentation, obviating the need for dedicated physical interfaces for each protected segment.

VLAN support enables organizations to offer meaningful internal security (as opposed to simple packet filtering) between various workgroups, and between workgroups and server farms without having to use dedicated physical interfaces on the SonicWall.

Here the ability to assign VLAN subinterfaces to the WAN zone, and to use the WAN client mode (only Static addressing is supported on VLAN subinterfaces assigned to the WAN zone) is illustrated, along with the ability to support WAN Load Balancing and failover. Also demonstrated is the distribution of SonicPoints throughout the network by means of connecting them to access mode VLAN ports on workgroup switches. These switches are then backhauled to the core switch, which then connects all the VLANs to the appliance via a trunk link.

VPN Integration with Layer 2 Bridge Mode

When configuring a VPN on an interface that is also configured for Layer 2 Bridge mode, you must configure an additional route to ensure that incoming VPN traffic properly traverses the SonicWall security appliance. Navigate to the Network > Routing page, in the Route Policies section, click on the Add button. In the Add Route Policy window, configure the route as follows:

Source: ANY
Destination: custom-VPN-address-object (This is the address object for the local VPN tunnel IP address range.)
Service: ANY
Gateway: 0.0.0.0
Interface: X0

Virtual Access Point Layer 2 Bridge

The Virtual Access Point (VAP) Layer 2 Bridge feature enables network administrators to bridge a wireless interface zone to a wired interface zone. The VAP Layer 2 Bridge is based on the WLAN Layer 2 bridge and the wireless VAP and makes it much easier to deploy a combined wireless and wired network.

All devices on a VAP Layer 2 Bridge share the same subnet and can forward broadcast packets. On a wired interface Layer 2 Bridge, all packets with VLAN tags are forwarded to the bridge-partner interface (the interface with the same VLAN address).

A VLAN subinterface does not support Layer 2 Bridge mode. However, the VAP Layer 2 Bridge feature supports Layer 2 bridges for subinterfaces when the interface zone is a WLAN zone.

When a VAP Layer 2 Bridge is configured, wireless clients on VAP interfaces share the same subnet with the primary bridge interface.

Topics:

Key Concepts of VAP Layer 2 Bridge

Bridged-Pair—two logical interfaces composed of a primary bridge interface and a secondary bridge interface. Primary and secondary do not indicate a level of dominance or subordination. Both interfaces function according to their zone type and pass IP traffic according to their configured access rules. Each bridge-pair requires two physical interfaces. The number of bridge-pairs available is half the number of physical interfaces on the appliance. Non-IPv4 traffic across a bridge-pair is controlled by the “Block All Non-IPV4 Traffic” setting on the secondary bridge interface.
Primary Bridge Interface—The designation assigned to an interface after a secondary bridge interface is paired to it. A primary bridge interface may belong to any of these zones:
Untrusted (WAN)
Trusted (LAN)
Public (DMZ)
Secondary Bridge Interface—The designation assigned to an interface whose IP assignment is configured for Layer 2 Bridge Mode. A secondary bridge interface may belong to any of these zones:
Trusted (LAN)
Public (DMZ)
WLAN
Bridged-Partner—the term that refers to the other member of a bridge-pair. This can be the primary bridge interface or the secondary bridge interface.
Non-IPv4 Traffic—SonicOS supports the following IP protocol types: ICMP, IGMP, TCP, UDP, GRE, ESP, AH, EIGRP, OSPF, PIM-SM, L2TP.

Other IP types, such as Combat Radio Transport Protocol and non-IPv4 traffic types such as IPX and IPv6, are not natively handled by the SonicOS. The Layer 2 Bridge Mode can be configured to pass or drop non-IPv4 traffic.

Captive-Bridge Mode—an optional mode for a Layer 2 Bridge that prevents traffic from being forwarded through a non-bridge-pair interface instead of through the Layer 2 Bridge. By default, a Layer 2 Bridge forwards all traffic to its destination through the most optimal path as determined by ARP and the routing tables. In some cases, traffic may be forwarded through a non-bridge-pair interface. When a Layer 2 Bridge is set to captive-bridge mode, all traffic that enters the Layer 2 Bridge is forced to exit through the Layer 2 Bridge rather than taking another route, such as through a non-bridge-pair interface, even though that may be the optimal path. In general, Captive-Bridge Mode is only required in complex networks with redundant paths, where strict path adherence is required.
Virtual Access Point (VAP)—a VAP is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To WLAN clients, each VAP appears to be an independent physical AP, when in actuality there is only a single physical AP. For WLANs operating in Layer 2 Bridge Mode, a VAP is a WLAN zone subinterface.

Setting a WLAN Zone to Layer 2 Bridged Mode

In addition to being able to support static IP address assignment on a WLAN zone interface, you can also bridge a WLAN zone interface to another interface. When a WLAN interface is bridged to a LAN/DMZ interface, the LAN/DMZ interface becomes the primary bridge interface, and the WLAN interface becomes the secondary bridged interface, as illustrated below:

Zone: set to WLAN
IP Assignment: set to Layer 2 Bridged Mode
Parent Interface: is X4:V1, which is the WLAN interface on which this dialog was opened.
Bridged to: is set to X5:V100, which is the LAN interface.

When you set the IP Assignment to Layer 2 Bridge Mode, the WLAN interface becomes the secondary bridge interface to the primary bridge interface to which it is paired in the Bridged to: box. In this case, the WLAN interface, X4:V1, becomes the secondary bridge interface, and the LAN interface, X5:V100, becomes the primary bridge interface.

The resulting Bridge-Pair is a two-port learning bridge with full Layer 2 transparency. All IP traffic that passes through the bridge is subjected to full stateful, deep-packet inspection.

After the Bridge-Pair is created, the Network > Interfaces screen displays the primary and secondary bridge interface designations as shown in this graphic.

Set WLAN Zone to Layer 2 Bridge Mode

To set a WLAN zone to Layer 2 Bridge Mode:
1
On the SonicWall Security appliance, go to Network > Interfaces.
2
On the interface you want to set to Layer 2 Bridge Mode, click the Configure icon. (This interface becomes the secondary bridge interface.)
3
In the Interface Settings dialog, set the Zone to WLAN.
4
Set the Mode / IP Assignment box to Layer 2 Bridge Mode.
5
Set the Bridged to: box to the interface you want. (This interface becomes the primary bridge interface.)

Address Resolution Protocol

Layer 2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration.

On a Layer 2 Bridge, Address Resolution Protocol (ARP) is used to determine the addresses of the interfaces in the bridge-pair; see Address Resolution Protocol (ARP) Topology. The Layer 2 Bridge Mode ARP dynamically determines which hosts are on which interfaces of a Layer 2 Bridge. ARP data is passed through a Layer 2 Bridge natively, so a host communicating across a Layer 2 Bridge sees the host MAC addresses of its peers and not the IP addresses.

Address Resolution Protocol (ARP) Topology

For example, Workstation A communicates with a SonicWall Security Appliance (192.168.0.1) and Workstation B (192.168.0.200). Workstation A sees the SonicWall Security Appliance as 00:11:11:11:11:11 and Workstation B as 00:90:10:10:10:10.

For wireless interfaces in AP mode or WLAN zone interfaces connecting SonicPoints, ARP packets are forwarded only to the WLAN zone interface for inner-client communication.

For WLAN zone interfaces in Layer 2 Bridge mode, ARP packets are forwarded to both bridge-pair interfaces.

ARP Packet Path on a WLAN Zone Bridged Interface shows the ARP packet path on a WLAN zone bridged interface.

ARP Packet Path on a WLAN Zone Bridged Interface

Wireless Address Objects

In wireless mode, after bridging the wireless (WLAN) interface to a LAN/DMZ zone, the WLAN zone becomes the secondary bridged interface, allowing wireless clients to share the same subnet and DHCP pool as their wired counterparts. For wireless interfaces set to Layer 2 Bridge mode, the WLAN interface address objects have the same IP address as the primary bridge interface.

Wireless Address Objects shows three wireless address objects for WLAN subnets and three for WLAN Interface IP. The WLAN zone objects are on the secondary bridge interface and should have the same IP addresses as the primary bridge interface. The primary bridge interface IP addresses are 192.168.0.1, 192.168.100.1, and 192.168.200.1.

Wireless Address Objects

DHCP Support

When a WLAN zone operates in Layer 2 Bridge Mode, a DHCP server is not allowed on the primary bridge interface or the secondary bridge interface. DHCP may only be passed through the bridge-pair. However, wireless clients can get their IP addresses from DHCP.

When a WLAN zone operates in Static IP Mode, a default DHCP lease scope is automatically created. If a wireless interface is bridged to another interface, the wireless client gets its IP address from the primary interface DHCP.

DHCP Lease Scopes shows the DHCP lease scopes for WLAN interfaces in Layer 2 Bridge Mode:

DHCP Lease Scopes

If a bridge-pair does not include a WLAN zone interface, DHCP is passed through the bridge-pair. SonicOS acts as a DHCP server for WLAN zone interfaces: a DHCP packet received on a WLAN zone interface is terminated at the appliance and passed to the DHCP task. DHCP Packet Path shows the DHCP packet path.

DHCP Packet Path

Route Policy

The route policy determines the interface on which packets are forwarded. In WLAN Layer 2 Bridge mode, packets are sent to the primary interface subnet. Then the system searches the ARP hash table for the IP address of an egress interface operating in Layer 2 Bridge mode and sends the packet out that interface.

In the route policy table shown in this graphic, the Layer 2 Bridge-Pair consists of item numbers 4 through 9. Interface X5 is the primary bridge interface and Interface X4 is the secondary bridge interface. Both interfaces have the same Gateway IP address. So, the route policy for the secondary interface is automatically removed by the system. Route Policy Removed shows which route policy is removed.

Route Policy Removed

Access Rules

Allow Access Rules for WLAN Layer 2 Bridges are automatically added to the primary bridge interface of a bridge-pair. For example, when you add an Allow Access Rule for a WLAN Layer 2 Bridge, the same Allow Access Rule is automatically added to the DMZ/LAN zone. Also, when an Allow Access Rule is deleted from a WLAN zone, it is also deleted from the corresponding DMZ/LAN zone. Added Allow Access Rules shows an example of added Allow Access Rules.

Added Allow Access Rules

Configuring IPS Sniffer Mode (SonicWall NSA Series Appliances)

To configure the SonicWall NSA appliance for IPS Sniffer Mode, you will use two interfaces in the same zone for the L2 Bridge-Pair. You can use any interfaces except the WAN interface. For this example, we will use X2 and X3 for the Bridge-Pair, and configure them to be in the LAN zone. The WAN interface (X1) is used by the SonicWall appliance for access to the SonicWall Data Center as needed. The mirrored port on the switch will connect to one of the interfaces in the Bridge-Pair.

Topics:

Configuration Task List for IPS Sniffer Mode

1
Configure the Primary Bridge Interface
Select LAN as the Zone for the Primary Bridge Interface
Assign a static IP address
2
Configure the Secondary Bridge Interface
Select LAN as the Zone for the Secondary Bridge Interface
Enable the L2 Bridge to the Primary Bridge interface
3
Enable SNMP and configure the IP address of the SNMP manager system where traps can be sent
4
Configure Security Services for LAN traffic
5
Configure logging alert settings to “Alert” or below
6
Connect the mirrored port on the switch to either one of the interfaces in the Bridge-Pair
7
Connect and configure the WAN to allow access to dynamic signature data over the Internet

Configuring the Primary Bridge Interface

1
Navigate to the Network > Interfaces page.
2
Click the Configure icon in the right column of interface X2.
3
In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down menu.
* 
NOTE: You do not need to configure settings on the Advanced or VLAN Filtering tabs.
4
For IP Assignment, select Static from the drop-down menu.
5
Configure the interface with a static IP Address (for example, 10.1.2.3). The IP address you choose should not collide with any of the networks that are seen by the switch.
* 
NOTE: The Primary Bridge Interface must have a static IP assignment.
6
Configure the Subnet Mask.
7
Type in a descriptive comment.
8
Select management options for the interface (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
9
Click OK.

Configuring the Secondary Bridge Interface

Our example continues with X3 as the secondary bridge interface.

1
Navigate to the Network > Interfaces page.
2
Click the Configure icon in the right column of the X3 interface.
3
In the Edit Interface dialog on the General tab, select LAN from the Zone drop-down menu.
* 
NOTE: You do not need to configure settings on the Advanced or VLAN Filtering tabs.
4
In the Mode / IP Assignment drop-down menu, select Layer 2 Bridged Mode.
5
In the Bridged to drop-down menu, select the X2 interface.
6
Do not enable the Block all non-IPv4 traffic setting if you want to monitor non-IPv4 traffic.
7
Select Never route traffic on this bridge-pair to ensure that the traffic from the mirrored switch port is not sent back out onto the network. (The Never route traffic on this bridge-pair setting is known as Captive-Bridge Mode.)
8
Select Only sniff traffic on this bridge-pair to enable sniffing or monitoring of packets that arrive on the L2 Bridge from the mirrored switch port.
9
Select Disable stateful-inspection on this bridge-pair to exempt these interfaces from stateful high availability inspection. If Deep Packet Inspection services are enabled for these interfaces, the DPI services will continue to be applied.
10
Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
11
Click OK.

Enabling and Configuring SNMP

When SNMP is enabled, SNMP traps are automatically triggered for many events that are generated by SonicWall Security Services such as Intrusion Prevention and Gateway Anti-Virus.

More than 50 IPS and GAV events currently trigger SNMP traps. The SonicOS Log Event Reference Guide contains a list of events that are logged by SonicOS, and includes the SNMP trap number where applicable. The guide is available online at https://support.sonicwall.com/technical-documents.

To determine the traps that are possible when using IPS Sniffer Mode with Intrusion Prevention enabled, search for Intrusion in the table found in the Index of Log Event Messages section in the SonicOS Log Event Reference Guide. The SNMP trap number, if available for that event, is printed in the SNMP Trap Type column of the table.

To determine the possible traps with Gateway Anti-Virus enabled, search the table for Security Services, and view the SNMP trap number in the SNMP Trap Type column.

To enable and configure SNMP:
1
Navigate to the System > SNMP page.
2
Select the Enable SNMP check box, then click the Configure button.

The SNMP Settings dialog box is displayed:

3
In the SNMP Settings dialog box, for System Name, type the name of the SNMP manager system that will receive the traps sent from the SonicWall.
4
Enter the name or email address of the contact person for the SNMP Contact.
5
Enter a description of the system location, such as “3rd floor lab”.
6
Enter the system’s asset number.
7
For Get Community Name, type the community name that has permissions to retrieve SNMP information from the SonicWall, such as public.
8
For Trap Community Name, type the community name that will be used to send SNMP traps from the SonicWall to the SNMP manager, for example, public.
9
For the Host fields, type in the IP address(es) of the SNMP manager system(s) that will receive the traps.
10
Click OK.

Configuring Security Services (Unified Threat Management)

The settings that you enable in this section will control what type of malicious traffic you detect in IPS Sniffer Mode. Typically you will want to enable Intrusion Prevention, but you may also want to enable other Security Services such as Gateway Anti-Virus or Anti-Spyware.

To enable Security Services, your SonicWall must be licensed for them and the signatures must be downloaded from the SonicWall Data Center. For complete instructions on enabling and configuring IPS, GAV, and Anti-Spyware, see Security Services.

Configuring Logging

You can configure logging to record entries for attacks that are detected by the SonicWall.

To enable logging:
1
Select the Log tab, Categories folder from the navigation panel.
2
Under Log Categories, select All Categories in the View Style drop-down list.
3
In the Attacks category, enable the check boxes for Log, Alerts, and Syslog.
4
Click Apply.

Connecting the Mirrored Switch Port to an IPS Sniffer Mode Interface

Use a standard Cat-5 Ethernet cable to connect the mirrored switch port to either interface in the Bridge-Pair. Network traffic will automatically be sent from the switch to the SonicWall where it can be inspected.

Consult the switch documentation for instructions on setting up the mirrored port.

Connecting and Configuring the WAN Interface to the Data Center

Connect the WAN port on the SonicWall, typically port X1, to your gateway or to a device with access to the gateway. The SonicWall communicates with the SonicWall Data Center automatically. For detailed instructions on configuring the WAN interface, see Configuring a WAN Interface.

Configuring Wire Mode (SonicWall NSA series appliances)

In addition to the broad collection of traditional modes of SonicOS interface operation, including all LAN modes (Static, NAT, Transparent Mode, L2 Bridge Mode, Portshield Switch Mode), and all WAN modes (Static, DHCP, PPPoE, PPTP, and L2TP), SonicOS also offers Wire-Mode, which provides four new methods of non‑disruptive, incremental insertion into networks.

Topics:

Wire Mode Settings

Wire Mode Methods (Wire Mode Setting / Description)

Bypass Mode

Bypass Mode allows for the quick and relatively non-interruptive introduction of Wire Mode into a network. Upon selecting a point of insertion into a network (for example, between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains) the SonicWall security appliance is inserted into the physical data path, requiring a very short maintenance window. One or more pairs of switch ports on the appliance are used to forward all packets across segments at full line rates. While Bypass Mode does not offer any inspection or firewalling, this mode allows the administrator to physically introduce the SonicWall security appliance into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure. The administrator can then transition from Bypass Mode to Inspect or Secure Mode instantaneously through a simple user-interface driven reconfiguration.

Inspect Mode

Inspect Mode extends Bypass Mode without functionally altering the low-risk, zero-latency packet path. Packets continue to pass through the SonicWall security appliance, but they are also mirrored to the multi-core RF-DPI engine for the purposes of passive inspection, classification, and flow reporting. This reveals the appliance’s Application Intelligence and threat detection capabilities without any actual intermediate processing.

When Inspect Mode is selected, the Restrict analysis at resource limit option specifies whether all traffic is inspected. When this option is enabled (the default), the appliance scans as many packets as it can process and allows the remaining packets to pass without inspection. If this option is disabled, traffic is throttled when the flow of traffic exceeds the firewall's inspection capacity.

NOTE: Disabling the Restrict analysis at resource limit option will reduce throughput if the rate of traffic exceeds the appliance’s ability to scan all traffic.

Secure Mode

Secure Mode is the progression of Inspect Mode, actively interposing the SonicWall security appliance’s multi-core processors into the packet processing path. This unleashes the inspection and policy engines’ full-set of capabilities, including Application Intelligence and Control, Intrusion Prevention Services, Gateway and Cloud-based Anti-Virus, Anti-Spyware, and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridge mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode thus provides an incrementally attainable NGFW deployment requiring no logical and only minimal physical changes to existing network designs.

Tap Mode

Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream via a single switch port on the SonicWall security appliance, eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.

Functionality of the Different Wire Mode Settings

Wire Modes: Functional Differences summarizes the key functional differences between modes of interface configuration:

Wire Modes: Functional Differences

Feature                             | Bypass Mode | Inspect Mode | Secure Mode | Tap Mode | L2 Bridge, Transparent, NAT, Route Modes
------------------------------------+-------------+--------------+-------------+----------+-----------------------------------------
Active/Active Clustering (1)        | No          | No           | No          | No       | Yes
Application Control                 | No          | No           | Yes         | No       | Yes
Application Visibility              | No          | Yes          | Yes         | Yes      | Yes
ARP/Routing/NAT (a)                 | No          | No           | No          | No       | Yes
Comprehensive Anti-Spam Service (a) | No          | No           | No          | No       | Yes
Content Filtering                   | No          | No           | Yes         | No       | Yes
DHCP Server (a)                     | No          | No           | No          | No       | Yes (2)
DPI Detection                       | No          | Yes          | Yes         | Yes      | Yes
DPI Prevention                      | No          | No           | Yes         | No       | Yes
DPI-SSL (a)                         | No          | No           | Yes         | No       | Yes
High-Availability (a)               | Yes         | Yes          | Yes         | Yes      | Yes
Link-State Propagation (3)          | Yes         | Yes          | Yes         | No       | No
SPI                                 | No          | Yes          | Yes         | Yes      | Yes
TCP Handshake Enforcement (4)       | No          | No           | No          | No       | Yes
Virtual Groups (a)                  | No          | No           | No          | No       | Yes


(1) These functions or services are unavailable on interfaces configured in Wire Mode, but remain available on a system-wide level for any interfaces configured in other compatible modes of operation.

(2) Not available in L2 Bridge Mode.

(3) Link State Propagation is a feature whereby interfaces in a Wire-Mode pair mirror the link-state transitions of their partners. This is essential to proper operation, in particular in redundant path networks.

(4) Disabled by design in Wire Mode so that failover events occurring elsewhere on the network are supported when multiple Wire-Mode paths, or multiple SonicWall security appliance units, are in use along redundant or asymmetric paths.

* 
NOTE: When operating in Wire-Mode, the SonicWall security appliance’s dedicated “Management” interface will be used for local management. To enable remote management and dynamic security services and application intelligence updates, a WAN interface (separate from the Wire-Mode interfaces) must be configured for Internet connectivity. This is easily done given that SonicOS supports interfaces in mixed-modes of almost any combination.

Configuring an Interface for Wire Mode

To configure an interface for Wire Mode:

1. On the Network > Interfaces page, click the Configure button for the interface you want to configure for Wire Mode.
2. In the Zone drop-down menu, select LAN.
3. To configure the interface for Tap Mode, in the Mode / IP Assignment drop-down menu, select Tap Mode (1-Port Tap) and click OK.
4. To configure the interface for Wire Mode, in the Mode / IP Assignment drop-down menu, select Wire Mode (2-Port Wire).
5. In the Wire Mode Type drop-down menu, select the appropriate mode:
   Bypass Mode (via Internal Switch / Relay)
   Inspect Mode (Passive DPI of Mirrored Traffic)
   Secure Mode (Active DPI of Inline Traffic)
6. When Inspect Mode is selected, the Restrict analysis at resource limit option is displayed. It is enabled by default. When this option is enabled, the appliance scans the maximum number of packets it can process. The remaining packets are allowed to pass without inspection. If this option is disabled, traffic is throttled if the flow of traffic exceeds the firewall’s inspection ability.
   * 
   NOTE: Disabling the Restrict analysis at resource limit option will reduce throughput if the rate of traffic exceeds the appliance’s ability to scan all traffic.
7. In the Paired Interface drop-down menu, select the interface that will connect to the upstream firewall. The paired interfaces must be of the same type (two 1 GB interfaces or two 10 GB interfaces).
   * 
   NOTE: Only unassigned interfaces are available in the Paired Interface drop-down menu. To make an interface unassigned, click the Configure button for it, and in the Zone drop-down menu, select Unassigned.
8. Click OK.

Wire Mode can be configured on any zone (except wireless zones). Wire Mode is a simplified form of Layer 2 Bridge Mode, and is configured as a pair of interfaces. In Wire Mode, the destination zone is the Paired Interface Zone. Access rules are applied to the Wire Mode pair based on the direction of traffic between the source Zone and its Paired Interface Zone. For example, if the source Zone is WAN and the Paired Interface Zone is LAN, then WAN to LAN and LAN to WAN rules are applied, depending on the direction of the traffic.

In Wire Mode, administrators can enable Link State Propagation, which propagates the link status of an interface to its paired interface. If an interface goes down, its paired interface is forced down to mirror the link status of the first interface. Both interfaces in a Wire Mode pair always have the same link status.

In Wire Mode, administrators can Disable Stateful Inspection. When Disable Stateful Inspection is selected, Stateful Packet Inspection (SPI) is turned off. When Disable Stateful Inspection is not selected, new connections can be established without enforcing a 3-way TCP handshake. Disable Stateful Inspection must be selected if asymmetrical routes are deployed.

Configuring Wire Mode for a WAN/LAN Zone Pair

The following configuration is an example of how Wire Mode can be configured. This example is for a WAN zone paired with a LAN zone. Wire Mode can also be configured for DMZ and custom zones.

* 
NOTE: Wire Mode can only be configured on physical interfaces; it cannot be configured on virtual or tunnel interfaces.
To configure Wire Mode:

1. On the firewall Security Appliance, go to Network > Interfaces.
2. For the interface you want to configure, click either of these buttons:
   The Add Interface button.
   The Configure button.
3. Under the General tab, in the Zone list, select WAN.
4. In the IP Assignment list, select Wire Mode (2-Port Wire).
5. In the Wire Mode Type list, select Secure (Active DPI of Inline Traffic).
6. In the Paired Interface list, select X3.
7. In the Paired Interface Zone list, select LAN.
8. Select the Enable Link State Propagation option.
9. Select the Disable Stateful Inspection option.
10. Click the OK button.

Configuring Interfaces for IPv6

For complete information on the SonicOS implementation of IPv6, see About IPv6 and Configuring IPv6 Tunnel Interfaces.

IPv6 interfaces are configured on the Network > Interfaces page by clicking the IPv6 option for the View IP Version radio button at the top right corner of the page.

By default, all IPv6 interfaces appear as routed with no IP address. Multiple IPv6 addresses can be added on the same interface. Auto IP assignment can only be configured on WAN interfaces.

Each interface can be configured to receive router advertisement or not. IPv6 can be enabled or disabled on each interface.

The zone assignment for an interface must be configured through the IPv4 interface page before switching to IPv6 mode.

Configuring PortShield Interfaces

Network > PortShield Groups

The PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall.

PortShield is supported on SonicWall TZ Series and NSA 240 appliances; PortShield and switching are not available on the NSA2600.

 
* 
TIP: Zones can always be applied to multiple interfaces in the Network > Interfaces page, even without the use of PortShield groupings. However, these interfaces will not share the same network subnet unless they are grouped using PortShield.

You can assign any combination of ports into a PortShield interface. All ports you do not assign to a PortShield interface are assigned to the LAN interface.

The Network > PortShield Groups page allows you to manage the assignments of ports to PortShield interfaces.

Static Mode and Transparent Mode

A PortShield interface is a virtual interface with a set of ports assigned to it. There are two IP assignment methods you can deploy to create PortShield interfaces. They are Static and Transparent modes. The following two sections describe each.

Working in Static Mode

When you create a PortShield interface in Static Mode, you manually create an explicit address to be applied to the PortShield interface. All ports mapped to the interface are identified by this address. Static mode is available on interfaces assigned to Trusted, Public, or Wireless zones.

* 
NOTE: When you create a PortShield interface in Static Mode, make sure the IP address you assign to the interface is not already in use by another PortShield interface.
Working in Transparent Mode

Transparent Mode addressing allows for the WAN subnetwork to be shared by the current interface using Address Object assignments. The interface’s IP address is the same as the WAN interface IP address. Transparent mode is available on interfaces assigned to Trusted and Public Zones.

* 
NOTE: Make sure the IP address you assign to the PortShield interface is within the WAN subnetwork.

When you create a PortShield interface in Transparent Mode, you create a range of addresses to be applied to the PortShield interface. You include these addresses in one entity called an Address Object. Address Objects allow for entities to be defined one time and to be re-used in multiple referential instances throughout the SonicOS interface. When you create a PortShield interface using an address object, all ports mapped to the interface are identified by any of the addresses specified in the address range.

* 
NOTE: Each statically addressed PortShield interface must be on a unique subnetwork. You cannot overlap PortShield interfaces across multiple subnetworks.

Configuring PortShield Groups

PortShield groups can be configured on several different pages in the SonicOS management interface:

Configuring PortShield Interfaces on Network > Interfaces

To configure a PortShield interface:

1. Click on the Network > Interfaces page.
2. Click the Configure button for the interface you want to configure. The Edit Interface dialog displays.
3. In the Zone drop-down menu, select the zone type to which you want to map the interface.
   * 
   NOTE: You can add PortShield interfaces only to Trusted, Public, and Wireless zones.
4. In the Mode / IP Assignment drop-down menu, select PortShield Switch Mode.
5. In the PortShield to drop-down menu, select the interface you want to map this port to. Only ports that match the zone you have selected are displayed.

Configuring PortShield Interfaces on Network > PortShield Groups

The Network > PortShield Groups page displays a graphical representation of the current configuration of PortShield interfaces.

Interfaces in black are not part of a PortShield group.
Interfaces in yellow have been selected to be configured.
Interfaces that are the same color (other than black or yellow) are part of a PortShield group, with the master interface having a white outline around the color.
Interfaces that are greyed out cannot be added to a PortShield group.

On the Network > PortShield Groups page, you can manually group ports together using the graphical PortShield Groups interface. Grouping ports allows them to share a common network subnet as well as common zone settings.

* 
NOTE: Interfaces must be configured before being grouped with PortShield.
To configure PortShield groups:

1. In the graphic, select the interface(s) you want to configure as part of a PortShield group. The interfaces will turn yellow.
2. Click the Configure button.
3. In the Port Enabled drop-down menu, select whether you want to enable or disable the interfaces.
4. In the PortShield Interface drop-down menu, select which interface you want to assign as the master interface for these PortShield interfaces.
5. In the Link Speed drop-down menu, select the link speed for the interfaces.

Configuring PortShield Interfaces with the PortShield Wizard

The PortShield Wizard quickly and easily guides you through several common PortShield group configurations. For how to configure your PortShield interfaces with the PortShield Wizard, see Using the PortShield Interface Wizard.

Setting Up Failover and Load Balancing

Network > Failover & Load Balancing

Failover and Load Balancing

For Failover & Load Balancing (LB), multiple WAN members are supported (N–1, where N is the total number of interfaces on a hardware platform). For example:

Primary WAN Ethernet Interface
Alternate WAN #1
Alternate WAN #2
Alternate WAN #<N–1> …
* 
IMPORTANT: It is recommended that Load Balancing be enabled at all times, even if there is only one WAN. For more information, see https://support.sonicwall.com/kb/sw13851 for the Knowledge Base article on global load balancing.

The Primary WAN Ethernet Interface has the same meaning as the previous firmware’s concept of “Primary WAN.” It is the highest ranked WAN interface in the LB group. The Alternate WAN #1 corresponds to “Secondary WAN”; it has a lower rank than the Primary WAN, but a higher rank than the next two alternates. The others, Alternate WAN #2 and Alternate WAN #3, are new, with Alternate WAN #3 being the lowest ranked among the WAN members of the LB group.

The Failover and Load Balancing settings are described below:

Enable Load Balancing—This option must be enabled for the user to access the LB Groups and LB Statistics section of the Failover & Load Balancing configuration. If disabled, no options for Failover & Load Balancing are available to be configured.
Respond to Probes—When enabled, the appliance can reply to probe request packets that arrive on any of the appliance’s interfaces.
Any TCP-SYN to Port—This option is available when the Respond to Probes option is enabled. When selected, the appliance responds only to TCP probe request packets whose destination TCP port number matches the configured value.

For information about load balancing members and groups, see Load Balancing Members and Groups.

Load Balancing Members and Groups

LB Members added to a LB Group take on certain “roles.” A member can only work in one of the following roles:

Primary—Only one member can be the Primary per Group. This member always appears first or at the top of the Member List. Note that although a group can be configured with an empty member list, it is impossible to have members without a Primary.
Alternate—More than one member can be an Alternate, however, it is not possible to have a Group of only Alternate members.
Last-Resort—Only one member can be designated as Last-Resort. Last-Resort can only be configured with other group members.

Each member in a group has a rank. Members are displayed in descending order of rank. The rank is determined by the order of interfaces as they appear in the Member List for the group. The order is important in determining the usage preferences of the Interfaces, as well as the level of precedence within the group. Thus, no two interfaces within a group will have the same or equal rank; each Interface will have a distinct rank.

General Tab

To configure the Group Member Rank settings, click the Configure icon of the Group you wish to configure on the Network > Failover & LB page. The Edit LB Group dialog displays.

The General tab allows you to modify the following settings:

Display name—Edit the display name of the Group
Type (or method) of LB—Choose the type of LB from the drop-down list (Basic Failover, Round Robin, Spillover-Based, or Ratio).
Basic Failover—The WAN interfaces use ‘rank’ to determine the order of preemption when the Preempt checkbox has been enabled. Only a higher-ranked interface can preempt an Active WAN interface.
Round Robin—This option allows the user to re-order the WAN interfaces for Round Robin selection. The order is as follows: Primary WAN, Alternate WAN #1, Alternate WAN #2, and Alternate WAN #3; the Round Robin will then repeat back to the Primary WAN and continue the order.
Spillover—The bandwidth threshold applies to the Primary WAN. Once the threshold is exceeded, new traffic flows are allocated to the Alternates in a Round Robin manner. Once the Primary WAN bandwidth goes below the configured threshold, Round Robin stops, and outbound new flows will again be sent out only through the Primary WAN.
* 
NOTE: Existing flows will remain associated with the Alternates (as they are already cached) until they timeout normally.
Ratio—Percentages can be set for each WAN in the LB group. To avoid problems associated with configuration errors, please ensure that the percentage correctly corresponds to the WAN interface it indicates.
Add/delete member interfaces—Members can be added by selecting a displayed interface from the “Group Members:” column, and then clicking the Add>> button. Note that the interface listed at the top of the list is the Primary. Members can be deleted from the “Selected:” column by selecting the displayed interface, and then clicking the Remove>> button.
* 
NOTE: The Interface Rank does not specify the operation that will be performed on the individual member. The operation that will be performed is specified by the Group Type.
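
The member-selection behavior of the four group types described above, written out as an added Python model; this is example code, not SonicOS code. Members are listed in rank order (the first is the Primary), `available` stands in for the probe state of each member, and the member names, spillover threshold and bandwidth figures are constructed for the example. The Ratio method uses a deterministic weighted selection, which is an assumption about how percentages are honored.

```python
"""Selection logic of the four LB group types from the General tab.

Added example, not SonicWall code. Members are listed in rank order
(index 0 is the Primary); `available` stands in for the probe state.
Member names, the spillover threshold and the bandwidth figures are
constructed for the example.
"""
from fractions import Fraction


class LBGroup:
    def __init__(self, members, method, preempt=False,
                 spillover_threshold_kbps=None, ratios=None):
        self.members = list(members)               # rank order, Primary first
        self.available = {m: True for m in self.members}
        self.method = method
        self.preempt = preempt
        self.threshold = spillover_threshold_kbps
        self.ratios = ratios or {}                 # member -> percentage
        self.active = self.members[0]              # Basic Failover: current Active WAN
        self._rr = 0                               # Round Robin cursor
        self._alt_rr = 0                           # Spillover cursor over Alternates
        self.assigned = {m: 0 for m in self.members}  # Ratio: new flows per member
        self.primary_kbps = 0                      # Spillover: measured Primary load

    def set_available(self, member, up):
        self.available[member] = up

    def _up(self, members):
        return [m for m in members if self.available[m]]

    def basic_failover(self):
        up = self._up(self.members)
        if not up:
            return None
        if not self.available[self.active]:
            self.active = up[0]      # fail over to the highest-ranked available member
        elif self.preempt and up[0] != self.active:
            self.active = up[0]      # with Preempt, a higher-ranked member takes back over
        return self.active

    def round_robin(self):
        up = self._up(self.members)
        if not up:
            return None
        choice = up[self._rr % len(up)]
        self._rr += 1
        return choice

    def spillover(self):
        primary, alternates = self.members[0], self.members[1:]
        if self.available[primary] and self.primary_kbps <= self.threshold:
            return primary           # below threshold: all new flows use the Primary
        up_alts = self._up(alternates)
        if not up_alts:
            return primary if self.available[primary] else None
        choice = up_alts[self._alt_rr % len(up_alts)]   # above threshold: round robin over Alternates
        self._alt_rr += 1
        return choice

    def ratio(self):
        up = [m for m in self._up(self.members) if self.ratios.get(m, 0) > 0]
        if not up:
            return None
        # Pick the member furthest below its configured share (deterministic weighted round robin).
        choice = min(up, key=lambda m: Fraction(self.assigned[m] + 1, self.ratios[m]))
        self.assigned[choice] += 1
        return choice

    def select(self):
        """Return the WAN member a new outbound flow is assigned to."""
        return {"Basic Failover": self.basic_failover,
                "Round Robin": self.round_robin,
                "Spillover-Based": self.spillover,
                "Ratio": self.ratio}[self.method]()


if __name__ == "__main__":
    g = LBGroup(["X1", "X2", "X3"], "Basic Failover")
    print("active:", g.select())
    g.set_available("X1", False)
    print("after X1 down:", g.select())
    g.set_available("X1", True)
    print("after X1 back, no preempt:", g.select())
    t = LBGroup(["X1", "X2", "X3"], "Ratio", ratios={"X1": 50, "X2": 30, "X3": 20})
    for _ in range(10):
        t.select()
    print("ratio split over 10 flows:", t.assigned)
```

Note how the Preempt setting only matters on the way back: without it the group stays on the Alternate after the Primary recovers, which is the behavior to expect when the NOTE above says rank does not by itself define the operation.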
Probing Tab

When Logical probing is enabled, test packets can be sent to remote probe targets to verify WAN path availability. A new option has been provided to allow probing through the additional WAN interfaces: Alternate WAN #3 and Alternate WAN #4.

* 
NOTE: VLANs for alternate WANs do not support QoS or VPN termination.

To configure the probing options for a specific Group, click the Configure icon of the Group you wish to configure on the Network > Failover & LB page. Then, click the Probing tab.

The Probing tab allows you to modify the following settings:

Check Interface—The interval between health checks, in seconds.
Deactivate Interface—After a series of failed health checks, the interface is set to “Failover”.
Reactivate Interface—After a series of successful health checks, the interface is set to “Available”.
Probe responder.global.SonicWall.com on all interfaces in this group—Enable this checkbox to automatically set Logical/Probe Monitoring on all interfaces in the Group. When enabled, this sends TCP probe packets to the global SNWL host that responds to SNWL TCP packets, responder.global.SonicWall.com, using a target probe destination address of 204.212.170.23:50000. Once this checkbox is selected, the rest of the probe configuration will automatically enable built-in settings. The same probe will be applied to all WAN Ethernet interfaces. Note that the Dialup WAN probe setting also defaults to the built-in settings.
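
The Deactivate/Reactivate thresholds above form a small state machine per member. The following is an added Python example, not SonicOS code: a member starts Available, moves to Failover after a configured number of consecutive failed checks, and returns to Available after a configured number of consecutive successful checks, so a single lost probe never flips the state. The `tcp_probe` helper is a stand-in for the appliance’s TCP probe to a responder host (the guide names responder.global.SonicWall.com at 204.212.170.23:50000); the probe results fed to `run` below are constructed.

```python
"""Probe state machine for one WAN member, as configured on the Probing tab.

Added example, not SonicWall code. The thresholds and the probe results
used below are constructed for the example.
"""
import socket


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Stand-in for the appliance's TCP probe; not used by run() so the example
    stays offline.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class ProbeMonitor:
    AVAILABLE, FAILOVER = "Available", "Failover"

    def __init__(self, check_interval_s=5, deactivate_after=3, reactivate_after=3):
        self.check_interval_s = check_interval_s  # seconds between checks (scheduling only)
        self.deactivate_after = deactivate_after  # consecutive failures before Failover
        self.reactivate_after = reactivate_after  # consecutive successes before Available
        self.state = self.AVAILABLE
        self.fail_streak = 0
        self.success_streak = 0

    def record(self, ok):
        """Feed one probe result; return the member state after applying the thresholds."""
        if ok:
            self.success_streak += 1
            self.fail_streak = 0
        else:
            self.fail_streak += 1
            self.success_streak = 0
        if self.state == self.AVAILABLE and self.fail_streak >= self.deactivate_after:
            self.state = self.FAILOVER
        elif self.state == self.FAILOVER and self.success_streak >= self.reactivate_after:
            self.state = self.AVAILABLE
        return self.state

    def run(self, results):
        """Apply a sequence of probe results and return the state after each one."""
        return [self.record(r) for r in results]


if __name__ == "__main__":
    # Constructed probe history: two isolated failures, then a real outage, then recovery.
    history = [True, False, False, True, False, False, False, True, True, True]
    mon = ProbeMonitor(check_interval_s=5, deactivate_after=3, reactivate_after=2)
    for ok, state in zip(history, mon.run(history)):
        print("probe", "ok " if ok else "fail", "->", state)
```

The streak counters reset on any opposite result, which is what makes the thresholds consecutive rather than cumulative; the first two failures in the constructed history are separated by a success and so never reach the Deactivate threshold.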

Load Balancing Statistics

The Load Balancing Statistics table displays the following LB group statistics for the SonicWall:

Total Connections
New Connection
Current Ratio
Average Ratio
Total Unicast Bytes
Rx Unicast
Rx Bytes
Tx Unicast
Tx Bytes
Throughput (KB/s)
Throughput (Kbits/s)

In the Display Statistics for drop-down menu, select which LB group you want to view statistics for.

Click the Clear Statistic button on the bottom right of the Network > Failover & LB page to clear information from the Load Balancing Statistics table.

Multiple WAN (MWAN)

The Multiple WAN (MWAN) feature allows the administrator to configure all but one of the appliance’s interfaces for WAN network routing (one interface must remain configured for the LAN zone for local administration). All of the WAN interfaces can be probed using the SNWL Global Responder host.

Network Interfaces

The Network Interfaces page allows more than two WAN interfaces to be configured for routing. It is possible to configure WAN interfaces in the Network Interfaces page, but not include them in the Failover & LB. Only the Primary WAN Ethernet Interface is required to be part of the LB group whenever LB has been enabled. Any WAN interface that does not belong to the LB group is not included in the LB function, but performs normal WAN routing functions.

* 
NOTE: A virtual WAN interface may belong to the LB group. However, prior to using within the LB group, please ensure that the virtual WAN network is fully routable like that of a physical WAN.

Routing the Default & Secondary Default Gateways

Because the gateway address objects previously associated with the Primary WAN and Secondary WAN are now deprecated, user-configured Static Routes need to be re-created in order to use the correct gateway address objects associated with the WAN interfaces. This will have to be configured manually as part of the firmware upgrade procedure.

The old address object Default Gateway corresponds to the default gateway associated with the Primary WAN in the LB group. The Secondary Default Gateway corresponds to the default gateway associated with Alternate WAN #1.

* 
NOTE: After re-adding the routes, delete the old ones referring to the Default and Secondary Default Gateways.

DNS

When DNS name resolution issues are encountered with this firmware, you may need to select the Specify DNS Servers Manually option and set the servers to Public DNS Servers (ICANN or non-ICANN).

* 
NOTE: Depending on your location, some DNS Servers may respond faster than others. Verify that these servers work correctly from your installation prior to using your SonicWall appliance.

Configuring Zones

Network > Zones

A zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following a strict physical interface scheme. Zone-based security is a powerful and flexible method of managing both internal and external network segments, allowing the administrator to separate and protect critical internal network resources from unapproved access or attack.

A network security zone is simply a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. Security zones provide an additional, more flexible, layer of security for the firewall. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface.

For more information on configuring interfaces, see Network > Interfaces.

SonicOS Enhanced zones allow you to apply security policies to the inside of the network. The administrator does this by organizing network resources into different zones, and allowing or restricting traffic between those zones. This way, access to critical internal resources such as payroll servers or engineering code servers can be strictly controlled.

Zones can also be used to set up the zones in which Guest Services are enabled.

Zones also allow full exposure of the NAT table to allow the administrator control over the traffic across the interfaces by controlling the source and destination addresses as traffic crosses from one zone to another. This means that NAT can be applied internally, or across VPN tunnels, which is a feature that users have long requested. SonicWall security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zones.

How Zones Work

An easy way to visualize how security zones work is to imagine a large new building with several rooms inside it, and a group of new employees who do not know their way around the building. This building has one or more exits, which can be thought of as the WAN interfaces. The rooms within the building have one or more doors, which can be thought of as interfaces. These rooms can be thought of as zones; inside each room are a number of people. The people are categorized and assigned to separate rooms within the building. People in each room going to another room or leaving the building must talk to a doorperson on the way out of each room. This doorperson is the inter-zone/intra-zone security policy, and the doorperson’s job is to consult a list and make sure that the person is allowed to go to the other room, or to leave the building. If the person is allowed (that is, the security policy lets them), they can leave the room via the door (the interface).

Upon entering the hallway, the person needs to consult with the hallway monitor to find out where the room is, or where the door out of the building is located. This hallway monitor provides the routing process because the monitor knows where all the rooms are located, and how to get in and out of the building. The monitor also knows the addresses of any of the remote offices, which can be considered the VPNs. If the building has more than one entrance/exit (WAN interfaces), the hallway monitor can direct people to use the secondary entrance/exit, depending upon how they’ve been told to do so (that is, only in an emergency, or to distribute the traffic in and out of the entrance/exits). This function can be thought of as WAN Load Balancing.

There are times that the rooms inside the building have more than one door, and times when there are groups of people in the room who are not familiar with one another. In this example, one group of people uses only one door, and another group uses the other door, even though groups are all in the same room. Because they also do not recognize each other, in order to speak with someone in another group, the users must ask the doorperson (the security policy) to point out which person in the other group is the one with whom they wish to speak. The doorperson has the option to not let one group of people talk to the other groups in the room. This is an example of when zones have more than one interface bound to them, and when intra-zone traffic is not allowed.

Sometimes, people will wish to visit remote offices, and people may arrive from remote offices to visit people in specific rooms in the building. These are the VPN tunnels. The hallway and doorway monitors check to see if this is allowed or not, and allow traffic through. The doorperson can also elect to force people to put on a costume before traveling to another room, or to exit, or to another remote office. This hides the true identity of the person, masquerading the person as someone else. This process can be thought of as the NAT policy.

Predefined Zones

The predefined zones on your SonicWall security appliance depend on the device. The predefined security zones on the SonicWall security appliance are not modifiable and are defined as follows:

WAN—This zone can consist of either one or two interfaces. If you’re using the security appliance’s WAN failover capability, you need to add the second Internet interface to the WAN zone.
LAN—This zone can consist of one to five interfaces, depending on your network design. Even though each interface will have a different network subnet attached to it, when grouped together they can be managed as a single entity. This zone supports guest service configurations.
DMZ—This zone is normally used for publicly accessible servers. This zone can consist of one to four interfaces, depending on your network design. This zone supports guest service configurations.
VPN—This virtual zone is used for simplifying secure, remote connectivity. It is the only zone that does not have an assigned physical interface.
MULTICAST—This zone provides support for IP multicasting, which is a method for sending IP packets from a single source simultaneously to multiple hosts.
WLAN—This zone provides support to SonicWall SonicPoints. When assigned to the Opt port, it enforces SonicPoint Enforcement, automatically dropping all packets received from non-SonicPoint devices. The WLAN zone supports SonicPoint Discovery Protocol (SDP) to automatically poll for and identify attached SonicPoints. It also supports SonicWall Simple Provisioning Protocol to configure SonicPoints using profiles. It can support either wired or wireless Guest Services.

Where Guest Services are supported, Guest login is supported for either wired or wireless devices.

* 
NOTE: Even though you may group interfaces together into one security zone, this does not preclude you from addressing a single interface within the zone.

Security Types

Each zone has a security type, which defines the level of trust given to that zone. There are five security types:

Trusted—Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted.
Encrypted—Encrypted is a security type used exclusively by the VPN zone. All traffic to and from an Encrypted zone is encrypted.
Wireless—Wireless is a security type applied to the WLAN zone or any zone where the only interface to the network consists of SonicWall SonicPoint devices. Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless zone activates SDP (SonicWall Discovery Protocol) and SSPP (SonicWall Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.
Public—A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default traffic from DMZ to LAN is denied. But traffic from LAN to ANY is allowed. This means only LAN initiated connections will have traffic between DMZ and LAN. The DMZ will only have default access to the WAN, not the LAN.
Untrusted—The Untrusted security type represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the security appliance. By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.

Allow Interface Trust

The Allow Interface Trust setting in the Add Zone window automates the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance. For example, if the LAN zone has both the LAN and X3 interfaces assigned to it, checking Allow Interface Trust on the LAN zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
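
The zone defaults described under Security Types and Allow Interface Trust, together with the per-direction rule lookup a Wire Mode pair performs (see Configuring an Interface for Wire Mode), can be modelled in a few lines. The following is an added Python example, not SonicOS code. The zone names LAN, DMZ and WAN and the interfaces X0 to X3 follow the guide; the single explicit WAN-to-DMZ rule, the evaluation order of the defaults (same zone first, then destination Untrusted, then source Untrusted, then source Trusted, otherwise deny) and the "first matching rule wins" behavior are assumptions made for the example.

```python
"""Model of SonicOS-style zone-based access control.

Added example, not SonicWall code. It models the defaults the guide
describes: zones group interfaces under a security type; access rules are
keyed on (source zone, destination zone) and consulted per traffic
direction; Trusted zones may initiate to any zone; Untrusted zones are
denied into other zone types unless a rule allows them; every zone may
send to Untrusted zones; Public-to-Trusted (DMZ to LAN) is denied; and
intra-zone traffic is allowed only when Allow Interface Trust is set.
The explicit rule and the default-action ordering are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    security_type: str       # Trusted, Public, Untrusted, Wireless, Encrypted
    interfaces: tuple
    allow_interface_trust: bool = False


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str              # "allow" or "deny"


class ZonePolicy:
    def __init__(self, zones, rules=()):
        self.zones = {z.name: z for z in zones}
        self.rules = list(rules)
        self.if_to_zone = {}
        for z in zones:
            for ifname in z.interfaces:
                if ifname in self.if_to_zone:
                    raise ValueError(f"{ifname} is assigned to two zones")
                self.if_to_zone[ifname] = z.name

    def zone_of(self, ifname):
        return self.if_to_zone[ifname]

    def default_action(self, src, dst):
        """Default policy when no explicit rule matches (ordering is an assumption)."""
        s, d = self.zones[src], self.zones[dst]
        if src == dst:
            return "allow" if s.allow_interface_trust else "deny"
        if d.security_type == "Untrusted":
            return "allow"       # every zone type may reach Untrusted (WAN)
        if s.security_type == "Untrusted":
            return "deny"        # WAN may not enter other zone types without a rule
        if s.security_type == "Trusted":
            return "allow"       # LAN to ANY
        return "deny"            # e.g. Public (DMZ) to Trusted (LAN)

    def evaluate(self, in_if, out_if):
        """Return (action, reason) for a new flow entering on in_if and leaving on out_if."""
        src, dst = self.zone_of(in_if), self.zone_of(out_if)
        for r in self.rules:     # first explicit match wins (assumption)
            if r.src_zone == src and r.dst_zone == dst:
                return r.action, f"rule {src}->{dst}"
        return self.default_action(src, dst), f"default {src}->{dst}"

    def wire_mode_rule_sets(self, if_a, if_b):
        """The two (source zone, paired-interface zone) rule sets a Wire Mode pair consults."""
        za, zb = self.zone_of(if_a), self.zone_of(if_b)
        return [(za, zb), (zb, za)]


def build_example_policy():
    zones = [
        Zone("LAN", "Trusted", ("X0", "X3"), allow_interface_trust=True),
        Zone("DMZ", "Public", ("X2",)),
        Zone("WAN", "Untrusted", ("X1",)),
    ]
    # Constructed explicit rule: publish a DMZ server to the Internet.
    rules = [Rule("WAN", "DMZ", "allow")]
    return ZonePolicy(zones, rules)


if __name__ == "__main__":
    p = build_example_policy()
    for path in [("X0", "X1"), ("X2", "X0"), ("X1", "X0"), ("X1", "X2"), ("X0", "X3")]:
        print(path, p.evaluate(*path))
    print("Wire Mode X1/X0 consults:", p.wire_mode_rule_sets("X1", "X0"))
```

Running the sample shows the asymmetry the guide describes: LAN reaches both DMZ and WAN by default, DMZ reaches WAN but not LAN, WAN reaches nothing except where the explicit rule allows it, and LAN-to-LAN across X0 and X3 passes only because Allow Interface Trust is set on that zone.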

Enabling SonicWall Security Services on Zones

You can enable SonicWall Security Services for traffic across zones. For example, you can enable SonicWall Intrusion Prevention Service for incoming and outgoing traffic on the WLAN zone to add more security for internal network traffic. You can enable the following SonicWall Security Services on zones:

Enforce Client CF Service—Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones. After enabling this, select the appropriate CFS Policy in the drop-down menu.
Enforce Client AV Enforcement Service—Enforces anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones.
Create Group VPN—Creates a GroupVPN policy for the zone, which is displayed in the VPN Policies table on the VPN > Settings page. You can customize the GroupVPN policy on the VPN > Settings page.
* 
CAUTION: Disabling the Create Group VPN check box removes any corresponding GroupVPN policy from the VPN > Settings page.
Enable Gateway Anti-Virus Service—Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones.
Enable Anti-Spyware Service—Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
Enable SSLVPN Access—Enables users to establish SSL VPN connections to this zone. For more information, see SSL VPN.
Enable SSL Control—Requires inspection of all new SSL connections initiated from the zone.
* 
NOTE: SSL Control must first be enabled globally on the Firewall > SSL Control page. For more information, see Firewall Settings > SSL Control.
Enable IPS—Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
Enable App Control Service—Enforces App Control to create network policy object-based control rules to filter network traffic flows.

The Zone Settings Table

The Zone Settings table displays a listing of all the SonicWall security appliance default predefined zones as well as any zones you create.

The table displays the following status information about each zone configuration:

Name—Lists the name of the zone. The predefined LAN, WAN, WLAN, VPN, and Encrypted zone names cannot be changed.
Security Type—Displays the security type: Trusted, Untrusted, Public, Wireless, or Encrypted.
Member Interface—Displays the interfaces that are members of the zone.
Interface Trust—A check mark indicates the Allow Interface Trust setting is enabled for the zone.
Client AV—A check mark indicates SonicWall Client Anti-Virus is enabled for traffic coming in and going out of the zone. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
Client CF—A check mark indicates SonicWall Content Filtering Service is enabled for traffic coming in and going out of the zone.
Client CFS—A check mark indicates SonicWall Client Content Filtering Service is enabled for traffic coming in and going out of the zone. SonicWall Client Content Filtering Service manages a content-filtering client application on all clients on the zone.
Gateway AV—A check mark indicates SonicWall Gateway Anti-Virus is enabled for traffic coming in and going out of the zone. SonicWall Gateway Anti-Virus manages the anti-virus service on the SonicWall appliance.
Anti-Spyware Service—A check mark indicates SonicWall Anti-Spyware detection and prevention is enabled for traffic through interfaces in the zone.
IPS—A check mark indicates SonicWall Intrusion Prevention Service is enabled for traffic coming in and going out of the zone.
App Control—A check mark indicates App Control is enabled for traffic coming in and going out of the zone.
SSL Control—A check mark indicates inspection of all new SSL connections initiated from the zone is required.
SSLVPN Access—A check mark indicates SSL VPN access is enabled to this zone.
Configure—Clicking the Configure icon displays the Edit Zone dialog. Clicking the delete icon deletes the zone. The Delete icon is dimmed for the predefined zones. You cannot delete these zones.

Adding and Configuring a Zone

To add a new zone:
1. Navigate to the Network > Zones page.
2. Click the Add button by the Zone Settings table. To modify an existing zone, click the Edit icon for the zone. The Add Zone/Edit Zone dialog displays.

* 
NOTE: If you are editing an existing zone, the Edit Zone dialog displays the options as you have configured them.
3. Type a friendly name for the new zone in the Name field.
4. From the Security Type drop-down menu, select a security type:
Trusted – for zones you want to assign the highest level of trust, such as internal LAN segments.
Public – for zones with lower trust requirements, such as a DMZ interface.
Wireless – for the WLAN interface.
SSLVPN – for SSL VPN access through the NetExtender feature, a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. For more information about SSL VPN, see SSL VPN.
* 
NOTE: Depending on the security type you select, other tabs may appear:

For Trusted, Public, and Wireless security types, a Guest Services tab appears. For how to configure guest services, see