
SonicOS 5.9 Admin Guide

System

Viewing Status Information

System > Status

The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWall security appliance and SonicWall Security Services licenses. It includes status information about your SonicWall security appliance organized into five sections: System Messages, System Information, Security Services, Latest Alerts, and Network Interfaces as well as the Wizards button for accessing the SonicWall Configuration Wizard.

Wizards

The Wizards button on the System > Status page provides access to the SonicWall Configuration Wizard, which allows you to easily configure the SonicWall security appliance using the following sub-wizards:

Setup Wizard - This wizard helps you quickly configure the SonicWall security appliance to secure your Internet (WAN) and LAN connections.
Registration and License Wizard - This wizard simplifies the process of registering your SonicWall security appliance and obtaining licenses for additional security services.
Public Server Wizard - This wizard helps you quickly configure the SonicWall security appliance to provide public access to an internal server, such as a Web or E-mail server.
VPN Wizard - This wizard helps you create a new site-to-site VPN Policy or configure the WAN GroupVPN to accept VPN connections from SonicWall Global VPN Clients.
Application Firewall Wizard - Supported on SonicWall NSA series appliances, this wizard helps you quickly configure your SonicWall security appliance with policies to inspect application level network traffic. With the wizard you will be able to create Application Firewall Policies based on series of predefined steps.
Wireless Wizard - (SonicWall wireless appliances only), this wizard helps you select a wireless deployment mode and configure the radio settings of the built-in 802.11b/g antennas.

For more information on using the SonicWall Configuration Wizard, see Wizards.

System Messages

Information about possible configuration problems on the SonicWall security appliance (such as password warnings and log messages), together with notifications of SonicWall Security Services offers, new firmware releases, and upcoming Security Services expirations, is displayed in the Alert banner at the top of the page.

System Information

The following information is displayed in this section:

Model - Type of SonicWall security appliance product.
Product Code - The numeric code for the model of SonicWall security appliance.
Serial Number - Also the MAC address of the SonicWall security appliance.
Authentication Code - The alphanumeric code used to authenticate the SonicWall security appliance on the registration database at https://www.MySonicWall.com/.
Firmware Version - The firmware version loaded on the SonicWall security appliance.
Safemode Version - The SafeMode firmware version loaded on the SonicWall security appliance.
ROM Version - Indicates the ROM version.
CPUs - Displays the average CPU usage over the last 10 seconds and the type of the SonicWall security appliance processor.
Total Memory - Indicates the amount of RAM and flash memory.
System Time - The time registered on the internal clock on the SonicWall appliance.
Up Time - The length of time, in days, hours, minutes, and seconds, that the SonicWall security appliance has been running since it last booted.
Connections - Displays the maximum number of network connections the SonicWall security appliance can support, the peak number of concurrent connections, and the current number of connections.
Connection Usage - The percentage of the maximum number of connections that are currently established (that is, this percentage is the current number of connections divided by the maximum number of connections).
Last Modified By - The IP address of the user who last modified the system and the time stamp of the last modification.
Registration Code - The registration code is generated when your SonicWall security appliance is registered at https://www.MySonicWall.com/.

Latest Alerts

Any messages relating to system errors or attacks are displayed in this section. Attack messages include AV Alerts, forbidden e-mail attachments, fraudulent certificates, etc. System errors include WAN IP changed and encryption errors. Clicking the blue arrow displays the Log > Log View page.

For more information on SonicWall security appliance logging, see Log.

Security Services

If your SonicWall security appliance is not registered at MySonicWall, the following message is displayed in the Security Services folder: Your SonicWall security appliance is not registered. Click here to Register your SonicWall security appliance. You need a MySonicWall account to register your SonicWall security appliance or activate security services. You can create a MySonicWall account directly from the SonicOS management interface.

If your SonicWall security appliance is registered, the available SonicWall Security Services are listed in this section with a status of Licensed or Not Licensed. If Licensed, the Status column also displays the number of licenses and the number of licenses in use. Clicking the Arrow icon displays the System > Licenses page in the SonicWall Web-based management interface. SonicWall Security Services and SonicWall security appliance registration are managed by MySonicWall.

Refer to Security Services for more information on SonicWall Security Services and activating them on the SonicWall security appliance.

Registering Your SonicWall Security Appliance

Once you have established your Internet connection, it is recommended you register your SonicWall security appliance. Registering your SonicWall security appliance provides the following benefits:

Try a FREE 30-day trial of SonicWall Intrusion Prevention Service, SonicWall Gateway Anti-Virus, Content Filtering Service, and Client Anti-Virus
Activate SonicWall Anti-Spam
Activate SonicWall security services and upgrades
Access SonicOS firmware updates
Get SonicWall technical support

Before You Register

If your SonicWall security appliance is not registered, the following message is displayed in the Security Services folder on the System > Status page in the SonicOS management interface: Your SonicWall is not registered. Click here to Register your SonicWALL. You need a MySonicWall account to register the SonicWall security appliance.

If your SonicWall security appliance is connected to the Internet, you can create a MySonicWall account and register your SonicWall security appliance directly from the SonicOS management interface. If you already have a mySonicWall account, you can register the SonicWall security appliance directly from the management interface.

Your MySonicWall account is accessible from any Internet connection by pointing your Web browser to https://www.MySonicWall.com/. MySonicWall uses the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your sensitive information.

* 
NOTE: Make sure the Time Zone and DNS settings on your SonicWall security appliance are correct when you register the device. See SonicWall Setup Wizard instructions for instructions on using the Setup Wizard to set the Time Zone and DNS settings.
* 
NOTE: MySonicWall registration information is not sold or shared with any other company.

You can also register your security appliance at https://www.MySonicWall.com/ by using the Serial Number and Authentication Code displayed in the Security Services section. Click the SonicWall link to access your MySonicWall account. After you register your security appliance, you are given a registration code. Enter it in the field below the heading You will be given a registration code, which you should enter below, and then click Update.

Creating a MySonicWall Account

Creating a MySonicWall account is fast, simple, and FREE. Simply complete an online registration form in the SonicOS management interface.

To create a MySonicWall account from the SonicOS management interface:
1. In the Security Services section on the System > Status page, click the update your registration link.
2. Click the link for If you do not have a MySonicWall account, please click here to create one.
3. In the MySonicWall Account page, enter your information in the Account Information, Personal Information, and Preferences fields of the MySonicWall account form. All fields marked with an * are required.
* 
NOTE: Remember your username and password to access your MySonicWall account.
4. Click Submit after completing the MySonicWall Account form.
5. When the MySonicWall.com server has finished processing your account, a page is displayed confirming that your account has been created. Click Continue.
6. Your MySonicWall.com account is now activated. Next, log in to MySonicWall.com from the management interface to register your SonicWall security appliance.

Registering Your SonicWall Security Appliance

* 
NOTE: To register your SonicWall security appliance, you must have a MySonicWall.com account.
To register your security appliance:
1. In the Security Services section on the System > Status page, click the Update your Registration link. The MySonicWall Login page is displayed.
2. Enter your MySonicWall username and password in the User Name and Password fields, and then click Submit.
3. The next several pages inform you about free trials available to you for SonicWall's Security Services:
Gateway Anti-Virus - protects your entire network from viruses
Client Anti-Virus - protects computers on your network from viruses
Premium Content Filtering Service - protects your network and improves productivity by limiting access to unproductive and inappropriate Web sites
Intrusion Prevention Service - protects your network from Trojans, worms, and application layer attacks
4. Click Continue on each page.
5. At the top of the Product Survey page, enter a friendly name for your SonicWall security appliance in the Friendly name field, and complete the optional product survey.
6. Click Submit.
7. When the MySonicWall server has finished processing your registration, a page is displayed confirming that your SonicWall security appliance is registered.
8. Click the Continue button. The Security Services Summary table on the System > Licenses page is displayed.

Network Interfaces

Network Interfaces displays information about the interfaces for your SonicWall security appliance. Clicking the blue arrow displays the Network > Interfaces page for configuring your Network settings. The interfaces displayed in the Network Interfaces section depend on the SonicWall security appliance model.

Managing SonicWall Licenses

System > Licenses

The System > Licenses page provides links to activate, upgrade, or renew SonicWall Security Services licenses. From this page in the SonicOS management interface, you can manage all the SonicWall Security Services licensed for your SonicWall security appliance. The information listed in the Security Services Summary table is updated from your MySonicWall account. The System > Licenses page also includes links to FREE trials of SonicWall Security Services.

* 
CAUTION: By design, the SonicWall License Manager cannot be configured to use a third party proxy server. Networks that direct all HTTP and HTTPS traffic through a third party proxy server may experience License Manager issues.

Node License Status

A node is a computer or other device connected to your LAN with an IP address.

If your SonicWall security appliance is licensed for unlimited nodes, the Node License Status section displays the message: The SonicWall is licensed for unlimited Nodes/Users. No other settings are displayed.

If your SonicWall security appliance is not licensed for unlimited nodes, the Node License Status table lists how many nodes your security appliance is licensed to have connected at any one time, how many nodes are currently connected, and how many nodes you have in your Node License Exclusion List.

The Currently Licensed Nodes table lists details on each node connected to your security appliance. The table is not displayed if no nodes are connected.

Excluding a Node

When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group.

To exclude a node:
1. Select the node you want to exclude in the Currently Licensed Nodes table on the System > Licenses page, and click the Edit icon in the Exclude column for that node.
2. A warning displays, saying that excluding this node will create an address object for it and place it in the License Exclusion List address group. Click OK to exclude the node.

You can manage the License Exclusion List group and address objects in the Network > Address Objects page of the management interface. Click the Node License Exclusion List link to jump to the Network > Address Objects page.

Security Services Summary

The Security Services Summary tables list the available and activated security services and support services on the SonicWall security appliance.

Security Services Table

The Security Service column lists all the SonicWall Security Services and upgrades available for the SonicWall security appliance.
The Status column indicates whether the security service is activated (Licensed), available for activation (Not Licensed), or no longer active (Expired).
The number of nodes/users allowed for the license is displayed in the Count column.
The Expiration column displays the expiration date for any Licensed Security Service.

The information listed in the Security Services Summary table is updated from your MySonicWall account the next time the SonicWall security appliance automatically synchronizes with your MySonicWall.com account (once a day), or when you click the link in To synchronize licenses with MySonicWall click here in the Manage Security Services Online section.

For more information on SonicWall Security Services, see Security Services.

Support Services Table

The Support Service table displays a summary of the current status of support services for the SonicWall security appliance. The Support Service table lists all support services for the appliance (such as Dynamic Support), their current status, and their expiration date.

Manage Security Services Online

Once you have established your Internet connection, it is recommended you register your SonicWall security appliance. Registering your SonicWall security appliance provides the following benefits:

Try a FREE 30-day trial of SonicWall Intrusion Prevention Service, SonicWall Gateway Anti-Virus, Content Filtering Service, and Client Anti-Virus
Activate SonicWall Anti-Spam
Activate SonicWall security services and upgrades
Access SonicOS firmware updates
Get SonicWall technical support

Instructions for creating a MySonicWall Account and for registering your appliance can be found in the Getting Started Guide for your appliance. When you log in to your primary appliance for the first time, a Software Transaction Agreement (STA) form displays for your acceptance before you can proceed. If you are using a CLI, you must type (or select) Yes before proceeding. Once you have accepted the STA, it will not be shown for upgrades of either firmware or software.

* 
NOTE: MySonicWall registration information is not sold or shared with any other company.

Activating, Upgrading, or Renewing Services

The procedures for activating services can be found in the Getting Started Guide for your appliance.

To upgrade or renew services:
1. Display the System > Licenses page and scroll to the Manage Security Services Online section.
2. Click the link in To Activate, Upgrade, or Renew service, click here. The Licenses > License Management page is displayed.
3. In the MySonicWall.com Login section, enter your MySonicWall username and password in the User Name/Email and Password fields, and then click Submit. If your SonicWall security appliance is already registered to your MySonicWall account, the Licenses > License Management page appears.

The Manage Services Online table has five columns:

Security Service - lists all the SonicWall services.
Status - displays whether the service is Licensed or Unlicensed, or whether the license is Expired or a Free Trial.
Manage Service - provides links to Try (a FREE TRIAL), Activate a license, Upgrade a license, Renew a license, or Share a license.
Users - lists the number of users licensed for the service; some services may be licensed for Unlimited users.
Expiration - displays the date the license expires or has expired.
4. Scroll to the Gateway AV/Anti-Spyware/Intrusion Prevention/App Control/App Visualization entry in the Manage Services Online table.
5. Click the Activate link in the Manage Service column. A License > License Management page displays to Activate Gateway Anti-Virus, Anti-Spyware & Intrusion Prevention Service.
6. Type the Activation Key in the New License Key 1 field. If you purchased more than one Activation Key, enter all of them.
7. Click Submit. The service is activated, and the Gateway AV/Anti-Spyware/Intrusion Prevention/App Control/App Visualization entry in the Security Services Summary table shows a status of Licensed.

* 
NOTE: The activation is enabled automatically on your SonicWall security appliance within 24-hours or you can click the Synchronize button to immediately update your SonicWall security appliance.

Managing Your Licenses

Manage your licenses from your MySonicWall.com account. In the Manage Security Services Online section of the System > Licenses page, click on the link in To manage your licenses go to www.MySonicWall.com. The Manage Services Online page is displayed with licensing information from your MySonicWall account.

Synchronizing Your Licenses

Once a day, the SonicWall security appliance synchronizes your license information automatically with your MySonicWall.com account. To synchronize your licenses with your MySonicWall.com account manually, click the Synchronize button in the Manage Security Services Online section. When the synchronization is complete, the status appears in the Status bar at the bottom of the management interface and the Security Services Summary table displays the updated information.

Obtaining Free Trial Subscriptions

You can also get free trial subscriptions to SonicWall Content Filter Service and Active Active Service as well as Gateway Anti-Virus, SonicWall Anti-Spyware, and SonicWall Intrusion Prevention Service.

To activate a free trial subscription:
1. On the System > Licenses page, scroll to the Manage Security Services Online section.
2. Click the link in To Activate, Upgrade, or Renew services, click here. The MySonicWall Login on the License > Licenses page is displayed.
3. Enter your MySonicWall account username and password in the Username/Email and Password fields, then click Submit. If your SonicWall security appliance is already registered to your MySonicWall account, the Licenses > License Management page appears.
4. Scroll to the entry for the service you want to try, such as Active Active Service, in the Manage Services Online table.
5. Click the Try link in the Manage Service column. A License > License Management page displays with an agreement for a 30-day free trial.
6. Click Continue. The service is enabled on your security appliance.

The Status column in the Manage Services Online table for the service listing now displays Free Trial, the Manage Service column displays Upgrade, and the Expiration column displays the date the Free Trial ends.

Manually Activating, Upgrading, or Renewing for Closed Environments

* 
NOTE: Manual upgrade of the encrypted License Keyset is only for Closed Environments. If your SonicWall security appliance is connected to the Internet, it is recommended you use the automatic registration and Security Services upgrade features of your appliance.

If your SonicWall security appliance is deployed in a high security environment that does not allow direct Internet connectivity from the SonicWall security appliance, you can enter the encrypted license key information from http://www.MySonicWall.com manually on the System > Licenses page in the SonicWall Management Interface.

The Manual Upgrade section lets you activate a service by entering the activation key supplied with a service subscription that has not yet been activated on MySonicWall. Type the activation key from the product into the Enter upgrade key field and then click Submit.

Manually upgrading is a two-step process:

Access MySonicWall.com from a computer connected to the Internet
1. Make sure you have an account at https://www.MySonicWall.com/ and that your SonicWall security appliance is registered to the account before proceeding.
2. After logging into MySonicWall, click your registered SonicWall security appliance in the Registered SonicWall Products list.
3. Click the View License Keyset link. The scrambled text displayed in the text box is the License Keyset for the selected SonicWall security appliance and its activated Security Services.
4. Copy the Keyset text for pasting into the Enter keyset field of the Manual Upgrade section of the System > Licenses page, or print the page if you plan to type the Keyset into the SonicWall security appliance manually.
Go to the management interface of your SonicWall security appliance
5. Navigate to the System > Licenses page and scroll down to the Manual Upgrade section.
6. Paste (or type) the Keyset (from Step 4) into the Enter Keyset field.
7. Click the Submit or Accept button to update your SonicWall security appliance. The status field at the bottom of the page displays The configuration has been updated.
8. You can generate the System > Diagnostics > Tech Support Report to verify the upgrade details.
* 
NOTE: After the manual upgrade, the System > Licenses page does not contain any registration and upgrade information.
* 
NOTE: The warning message SonicWall Registration Update Needed. Please update your registration information remains on the System > Status page after you have registered your SonicWall security appliance. Ignore this message.

Configuring Administration Settings

System > Administration

The System > Administration page provides settings for configuring the SonicWall security appliance for secure and remote management. You can manage the SonicWall using a variety of methods, including HTTPS, SNMP, or SonicWall Global Management System (SonicWall GMS).

* 
NOTE: To apply all changes to the SonicWall appliance, click Accept; a message confirming the update is displayed at the bottom of the browser window.

Firewall Name

The Firewall Name uniquely identifies the SonicWall security appliance and defaults to the serial number of the SonicWall. The serial number is also the MAC address of the unit. To change the Firewall Name, type a unique alphanumeric name in the Firewall Name field. It must be at least 8 characters in length and can be up to 63 characters long. An option is available to auto-append the HA/Clustering suffix to the firewall name.

The Firewall’s Domain Name can be private, for internal users, or an externally registered domain name. This domain name is used in conjunction with User Web Login Settings on the Users > Settings page for user authentication redirects.

Administrator Name & Password

The Administrator Name can be changed from the default setting of admin to any word using alphanumeric characters up to 32 characters in length.

To create a new administrator name:
1. Type the new name in the Administrator Name field.
2. Click Accept for the changes to take effect on the SonicWall.

Changing the Administrator Password

To set a new password for SonicOS management interface access:
1. Type the old password in the Old Password field.
2. Type the new password in the New Password field.
3. Type the new password again in the Confirm Password field.
4. Click Accept. Once the SonicWall security appliance has been updated, a message confirming the update is displayed at the bottom of the browser window.
* 
TIP: It is recommended that you change the default password, password, to your own strong, unique password.

Login Security

The internal SonicWall Web server only supports SSL version 3.0 and TLS with strong ciphers (128-bit or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak ciphers (symmetric ciphers of less than 128 bits) are not supported. This heightened level of HTTPS security protects against SSLv2 rollback vulnerabilities and helps meet Payment Card Industry (PCI) and other security and risk-management standards. Note that SSL 3.0 itself has since been shown to be insecure (the POODLE attack, 2014); disable it on the browser side and rely on TLS for management sessions.

* 
TIP: By default, Mozilla Firefox 2.0 and Microsoft Internet Explorer 7.0 enable SSL 3.0 and TLS and disable SSL 2.0. SonicWall recommends using the most recent Web browser releases. If you are using an earlier release of these browsers, you should enable TLS and disable SSL 2.0. In Internet Explorer, go to Tools > Internet Options, click the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options, click the Advanced tab, and then click the Encryption tab.

SonicOS provides password constraint enforcement, which can be configured to ensure that administrators and users are using secure passwords. Password constraint enforcement satisfies the confidentiality requirements as defined by current information security management systems or compliance requirements, such as Common Criteria and the Payment Card Industry (PCI) standard.

Password must be changed every (days) – requires users to change their passwords after the designated number of days has elapsed. When a user attempts to login with an expired password, a pop-up window will prompt the user to enter a new password. The User Login Status window now includes a Change Password button so that users can change their passwords at any time. The default number of days is 90.
Bar repeated passwords for this many changes – requires users to use unique passwords for the specified number of password changes. The default number is 4.
New password must contain 4 characters different from the old password – requires users to change at least 4 alphanumeric characters in their old password when creating a new one.
Enforce a minimum password length of – sets the shortest allowed password.
Enforce password complexity –specifies how complex a user’s password must be to be accepted. The drop-down menu provides these options:
None (default)
Require both alphabetic and numeric characters
Require alphabetic, numeric, and symbolic characters – for symbolic characters, only !, @, #, $, %, ^, &, *, (, and ) are allowed; all others are denied.
Complexity Requirement – When the password complexity option is selected, sets the minimum number of alphanumeric and symbolic characters in a user’s password. The default number for each is 0.
Upper Case Characters
Lower Case Characters
Number Characters
Symbolic Characters
Apply these password constraints for — the check boxes specify to which classes of users the password constraints are applied. By default, all check boxes are selected.
Administrator – refers to the default administrator with the username admin.
Other full administrators
Limited administrators
Other local users
Log out the Administrator after inactivity of (minutes) – sets the length of inactivity time that elapses before you are automatically logged out of the Management Interface. By default, the SonicWall security appliance logs out the administrator after 5 minutes of inactivity. The inactivity timeout can range from 1 to 9999 minutes.
* 
TIP: If the Administrator Inactivity Timeout is extended beyond five minutes, you should end every management session by clicking Logout in the upper right corner of the page to prevent unauthorized access to the SonicWall security appliance’s Management Interface.
Enable administrator/user lockout – locks administrators and users out of the appliance after the specified number of incorrect login attempts. This option is disabled by default.
Failed login attempts per minute before lockout – specifies how many incorrect login attempts within a one-minute window trigger a lockout. This is a count of attempts, not a time; the default is 5.
Lockout Period (minutes) – specifies the number of minutes that the administrator or user is locked out. The minimum is 1 minute, the maximum is 60 minutes, and the default is 5 minutes.
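The constraints listed above combine into a single accept-or-reject decision at password-change time. The following is an added example, written for this page and not SonicWall code, that implements that decision: minimum length, the three complexity modes with the restricted symbol set, the per-class minimum counts, the password-history bar, and the "characters different from the old password" rule. The policy values, the short violation codes, and the reading of "characters different" as a multiset difference are assumptions; the guide does not define how that rule counts.

```python
from collections import Counter
from dataclasses import dataclass

# Symbols accepted under "Require alphabetic, numeric, and symbolic characters".
ALLOWED_SYMBOLS = frozenset("!@#$%^&*()")

# The three "Enforce password complexity" menu options.
NONE, ALNUM, ALNUM_SYM = "none", "alnum", "alnum_sym"


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 0            # "Enforce a minimum password length of"
    complexity: str = NONE         # "Enforce password complexity" (default None)
    min_upper: int = 0             # "Complexity Requirement" counts, default 0 each
    min_lower: int = 0
    min_digits: int = 0
    min_symbols: int = 0
    history_size: int = 4          # "Bar repeated passwords for this many changes"
    min_chars_different: int = 4   # "New password must contain 4 characters different"


def chars_different(new: str, old: str) -> int:
    """Characters of `new` not matched by a character of `old` (multiset
    difference). ASSUMPTION: the guide does not define how the "4 characters
    different" rule counts; this is one reasonable reading."""
    return sum((Counter(new) - Counter(old)).values())


def check_password(policy: PasswordPolicy, new: str, history: tuple = ()) -> list:
    """Return the violated constraints as short codes; an empty list means
    the password is accepted. `history` holds previous passwords, oldest
    first; its last entry is the password currently in use."""
    problems = []

    if len(new) < policy.min_length:
        problems.append("length")

    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    digits = sum(c.isdigit() for c in new)
    symbols = sum(c in ALLOWED_SYMBOLS for c in new)
    other = sorted({c for c in new if not (c.isalnum() or c in ALLOWED_SYMBOLS)})

    if policy.complexity in (ALNUM, ALNUM_SYM):
        if not (upper + lower) or not digits:
            problems.append("alnum")            # needs letters and digits
    if policy.complexity == ALNUM_SYM:
        if other:
            problems.append("disallowed_symbol")  # e.g. '-' or space: denied
        if not symbols:
            problems.append("symbol")           # needs one of ALLOWED_SYMBOLS
    if policy.complexity != NONE:
        for code, have, need in (("min_upper", upper, policy.min_upper),
                                 ("min_lower", lower, policy.min_lower),
                                 ("min_digits", digits, policy.min_digits),
                                 ("min_symbols", symbols, policy.min_symbols)):
            if have < need:
                problems.append(code)

    # Bar reuse of the last `history_size` passwords.
    recent = list(history)[-policy.history_size:] if policy.history_size else []
    if new in recent:
        problems.append("reused")
    # Require enough change relative to the password currently in use.
    if history and chars_different(new, history[-1]) < policy.min_chars_different:
        problems.append("too_similar")

    return problems


# Assumed policy: 8+ characters, letters+digits+symbols, at least one
# upper-case letter, one digit and one symbol.
POLICY = PasswordPolicy(min_length=8, complexity=ALNUM_SYM,
                        min_upper=1, min_digits=1, min_symbols=1)

if __name__ == "__main__":
    for pw, hist in (("Sonic2024!", ()), ("Sonic2024!", ("Sonic2023!",)),
                     ("password", ()), ("Admin-2024", ())):
        print(pw, check_password(POLICY, pw, hist) or "accepted")
```

Note that "Admin-2024" fails even though it contains a symbol: the hyphen is outside the allowed set, so it is both a denied character and not counted toward the symbol minimum.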

Multiple Administrators

On preemption by another administrator - Configures what happens when one administrator preempts another administrator using the Multiple Administrators feature. The preempted administrator can either be converted to non-config mode or logged out. For more information on Multiple Administrators, see Multiple Administrator Support Overview.
Drop to non-config mode - Select to allow more than one administrator to access the appliance in non-config mode without disrupting other administrators. This option is selected by default.
Log Out - Select to have the new administrator preempt other sessions.
* 
NOTE: Selecting Log Out disables Non-Config mode and prevents entering Non-Config mode manually.
Allow preemption by a lower priority administrator after inactivity of (minutes) - Enter the number of minutes of inactivity by the current administrator that will allow a lower-priority administrator to preempt.
Enable inter-administrator messaging - Select to allow administrators to send text messages through the management interface to other administrators logged into the appliance. The message will appear in the browser’s status bar.
Messaging polling interval (seconds) - Sets how often the administrator’s browser will check for inter-administrator messages. If there are likely to be multiple administrators who need to access the appliance, this should be set to a reasonably short interval to ensure timely delivery of messages.

Enabling Administrator/User Lockout

You can configure the SonicWall security appliance to lockout an administrator or a user if the login credentials are incorrect.

* 
IMPORTANT: If an administrator and a user are logging into the SonicWall using the same source IP address, the administrator is also locked out of the SonicWall. The lockout is based on the source IP address of the user and administrator.
1. In the Login Security section, select the Enable Administrator/User Lockout on login failure checkbox to prevent users from repeatedly attempting to log into the SonicWall security appliance without proper authentication credentials.
2. Type the number of failed attempts before the user is locked out in the Failed login attempts per minute before lockout field.
3. Type the length of time that must elapse before the user can attempt to log into the SonicWall again in the Lockout Period (minutes) field.
4. Click Accept.
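The lockout configured by this procedure (and described under Login Security above) is keyed by source IP address, which is why an administrator behind the same NAT address as a failing user is locked out as well. The following added example, not SonicWall code, implements that behaviour: a sliding one-minute window of failures per source address, a lockout period after which the address is released, and the check in the login path. The user table, addresses, and timestamps are constructed for the demonstration.

```python
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # "Failed login attempts per minute before lockout"


class LoginLockout:
    """Tracks failed logins per source IP address, not per username,
    as the IMPORTANT note above describes."""

    def __init__(self, attempts_per_minute: int = 5, lockout_minutes: int = 5):
        self.attempts = attempts_per_minute          # default 5
        self.lockout_seconds = lockout_minutes * 60  # default 5 minutes
        self._failures = defaultdict(deque)          # src_ip -> recent failure times
        self._locked_until = {}                      # src_ip -> unlock time

    def is_locked(self, src_ip: str, now: float) -> bool:
        until = self._locked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:                             # lockout period has elapsed
            del self._locked_until[src_ip]
            return False
        return True

    def record_failure(self, src_ip: str, now: float) -> bool:
        """Register one failed login; return True if it triggers a lockout."""
        window = self._failures[src_ip]
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                         # drop failures older than a minute
        if len(window) >= self.attempts:
            self._locked_until[src_ip] = now + self.lockout_seconds
            window.clear()
            return True
        return False

    def record_success(self, src_ip: str) -> None:
        self._failures.pop(src_ip, None)


def authenticate(lockout, users, src_ip, username, password, now):
    """Login path: returns 'locked', 'ok' or 'bad_credentials'.
    `users` is a plaintext username->password map, constructed for
    illustration only (a real system stores password hashes)."""
    if lockout.is_locked(src_ip, now):
        return "locked"                              # rejected before credentials are checked
    expected = users.get(username, "")
    if username in users and hmac.compare_digest(expected.encode(), password.encode()):
        lockout.record_success(src_ip)
        return "ok"
    lockout.record_failure(src_ip, now)
    return "bad_credentials"


def simulate():
    """Constructed scenario: a user behind NAT address 203.0.113.7 fails five
    times in one minute; the admin then logs in from the same address and
    from a different one, and again after the lockout period."""
    users = {"admin": "correct-horse", "alice": "Alice-pw-1"}
    lockout = LoginLockout(attempts_per_minute=5, lockout_minutes=5)
    nat_ip, other_ip = "203.0.113.7", "198.51.100.9"
    results = []
    for t in range(5):
        results.append(authenticate(lockout, users, nat_ip, "alice", "wrong", now=t))
    results.append(authenticate(lockout, users, nat_ip, "admin", "correct-horse", now=10))
    results.append(authenticate(lockout, users, other_ip, "admin", "correct-horse", now=10))
    results.append(authenticate(lockout, users, nat_ip, "admin", "correct-horse", now=10 + 5 * 60))
    return results


if __name__ == "__main__":
    print(simulate())
```

The sixth result is "locked" even though the admin's password is correct: the lockout state belongs to the address, so the credentials are never evaluated. The seventh, from a different address, succeeds, and the eighth succeeds because the five-minute period has elapsed.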

Web Management Settings

The SonicWall security appliance can be managed using HTTP or HTTPS and a Web browser. HTTP web-based management is disabled by default. Use HTTPS to log into the SonicOS management interface with factory default settings.

If you wish to use HTTP management, an Allow management via HTTP check box is available to allow you to enable/disable HTTP management globally:

The default port for HTTPS management is 443. You can change the default port, which keeps the management interface off the port that casual scans check first; this is obscurity only, not a substitute for restricting management access to trusted source addresses. To configure another port for HTTPS management, type the preferred port number into the Port field, and click Accept. For example, if you configure the HTTPS Management Port to be 700, then you must log into the SonicWall using the port number as well as the IP address, for example, https://192.168.168.1:700.

The default port for HTTP is port 80, but you can configure access through another port. Type the number of the desired port in the Port field, and click Accept. If you configure another port for HTTP management, you must include the port number with the IP address when you log into the SonicWall security appliance. For example, if you configure the port to be 76, type <LAN IP Address>:76 into the Web browser, for example, http://192.168.168.1:76.

The Certificate Selection menu allows you to use a self-signed certificate (Use Self-signed Certificate), which allows you to continue using a certificate without downloading a new one each time you log into the SonicWall security appliance. You can also choose Import Certificate to select an imported certificate from the System > Certificates page to use for authentication to the management interface.

The Delete Cookies button removes all browser cookies saved by the SonicWall appliance. Deleting cookies will cause you to lose any unsaved changes made in the Management interface.

To see the System > Security Dashboard page first when you login, select the Use System Dashboard View as starting page check box.

Topics:

Client Certificate Check with Common Access Card

On the System > Administration page, under Web Management Settings, system administrators can enable a Client Certificate Check for use with or without a Common Access Card (CAC).

A Common Access Card (CAC) is a United States Department of Defense (DoD) smart card used by military personnel and other government and non-government personnel that require highly secure access over the internet. A CAC uses PKI authentication and encryption.

 
* 
NOTE: Using a CAC requires an external card reader that is connected on a USB port.

The Client Certificate Check was developed for use with a CAC; however, it is useful in any scenario that requires a client certificate on an HTTPS/SSL connection. CAC support is available for client certification only on HTTPS connections.

 
* 
NOTE: CACs may not work with browsers other than Microsoft Internet Explorer.

The Enable Client Certificate Check box allows you to enable or disable client certificate checking and CAC support on the SonicWall security appliance.

The Client Certificate Issuer drop-down menu contains a list of the Certification Authority (CA) certificate issuers that are available to sign the client certificate. If the appropriate CA is not in the list, you need to import that CA into the SonicWall security appliance.

The Enable OCSP Checking box allows you to enable or disable the Online Certificate Status Protocol (OCSP) check for the client certificate to verify that the certificate is still valid and has not been revoked.

The OCSP Responder URL field contains the URL of the server that verifies the status of the client certificate. The OCSP responder URL is usually embedded in the client certificate (in its Authority Information Access extension) and does not need to be entered. If the client certificate does not carry an OCSP link, enter the URL here. The link should point to the Common Gateway Interface (CGI) on the server that processes the OCSP request, for example: http://10.103.63.251/ocsp

If you use the client certificate check without a CAC, you must manually import the client certificate into the browser.

If you use the Client Certificate Check with a CAC, the client certificate is automatically installed on the browser by middleware. When you begin a management session through HTTPS, the certificate selection window displays asking you to confirm the certificate.

After you select the client certificate from the drop-down menu, the HTTPS/SSL connection resumes, and the SonicWall security appliance verifies that the client certificate was signed by the CA selected as the Client Certificate Issuer. If it was, the administrator login page is displayed. If it was not, the browser displays a standard connection failure message, such as:

.....cannot display web page!

If OCSP is enabled, before the administrator login page is displayed, the browser performs an OCSP check and displays the following message while it is checking.

Client Certificate OCSP Checking.....

If a match is found, the administrator login page is displayed, and you can use your administrator credentials to continue managing the SonicWall security appliance.

If no match is found, the browser displays the following message:

OCSP Checking fail! Please contact system administrator!

When using the client certificate feature, these situations can lock the user out of the SonicWall security appliance:

Enable Client Certificate Check is checked, but no client certificate is installed on the browser.
Enable Client Certificate Check is checked and a client certificate is installed on the browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate Issuer is selected.
Enable OCSP Checking is selected, but either the OCSP server is not available or a network problem is preventing the SonicWall security appliance from reaching the OCSP server.

To restore access to a user that is locked out, the following CLI commands are provided:

web-management client-cert disable
web-management ocsp disable

Enabling Client Certificate Checking

To enable client certificate checking and CAC support:
1
On the System > Administration page, under Web Management Settings, select the Enable Client Certificate Check box.
2
From the Client Certificate Issuer drop-down list, select the appropriate CA to sign your client certificate.
3
To enable OCSP checking for the client certificate, select the Enable OCSP Checking box.
4
If you are using a CAC, the URL should already be in the OCSP Responder URL field. If you are not using a CAC, in the OCSP Responder URL field, enter the URL of the server that will verify the status of the client certificate.

Changing the Default Size for SonicOS Management Interface Tables

The SonicOS management interface lets you control how large tables of information are displayed across all tables in the management interface. You can change the default page size for all tables from the default 50 items per page to any size from 1 to 5,000 items. Some tables, including Active Connections Monitor, VPN Settings, and Log View, have individual items-per-page settings that are initialized at login to the value configured here. Once these pages have been viewed, their individual settings are retained, and subsequent changes made here affect them only after a new login.

To change the default table size:
1
Enter the desired number of items per page in the Default Table Size field.
2
Enter the desired interval for background automatic refresh of Monitor tables (including Process Monitor, Active Connections Monitor, and Interface Traffic Statistics) in seconds in the Auto-updated Table Refresh Interval field.
3
Click Accept.

Configuring Tooltips

Tooltips are small pop-up windows that provide brief descriptions of many forms, buttons, table headings, and entries. A Tooltip displays when you hover your mouse over a UI element. Some UI elements have a small triangle after the element; hovering your mouse over the triangle displays the tooltip.

 
* 
NOTE: Not all UI elements have Tooltips. If a Tooltip does not display after hovering your mouse over an element for a couple of seconds, you can safely conclude that it does not have an associated Tooltip.

The behavior of Tooltips is configured in the Web Management Settings section.

Tooltips are enabled by default. To disable Tooltips, uncheck the Enable Tooltip check box.

The duration of time before Tooltips display can be configured:

Form Tooltip Delay - Duration in milliseconds before Tooltips display for forms (boxes where you enter text). The default value is 2000 milliseconds.
Button Tooltip Delay - Duration in milliseconds before Tooltips display for radio buttons and check boxes. The default value is 3000 milliseconds.
Text Tooltip Delay - Duration in milliseconds before Tooltips display for UI text. The default value is 500 milliseconds.

SSH Management Settings

If you use SSH to manage the SonicWall appliance, you can change the SSH port. The default SSH port is 22. As with the HTTPS management port, a non-default port only reduces exposure to untargeted scans; it does not restrict which hosts can connect, so management access should still be limited by source address.

Enabling GMS Management

You can configure the SonicWall security appliance to be managed by SonicWall Global Management System (SonicWall GMS).

To configure the SonicWall security appliance for GMS management:
1
Select the Enable Management using GMS check box in the Advanced section on the System > Administration page, then click Configure. The Configure GMS Settings dialog displays.

2
Enter the host name or IP address of the GMS Console in the GMS Host Name or IP Address field.
3
Enter the port in the GMS Syslog Server Port field. The default value is 514.
4
Select Send Heartbeat Status Messages Only to send only heartbeat status instead of log messages.
5
Select GMS behind NAT Device if the GMS Console is placed behind a device using NAT on the network. Type the IP address of the NAT device in the NAT Device IP Address field.
6
Select one of the following GMS modes from the Management Mode menu.
IPSEC Management Tunnel - Selecting this option allows the SonicWall security appliance to be managed over an IPsec VPN tunnel to the GMS management console. The default IPsec VPN settings are displayed. Select GMS behind NAT Device if applicable to the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window.

Existing Tunnel - If this option is selected, the GMS server and the SonicWall security appliance already have an existing VPN tunnel over the connection. Enter the GMS host name or IP address in the GMS Host Name or IP Address field. Enter the port number in the Syslog Server Port field.

HTTPS - If this option is selected, HTTPS management is allowed from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWall security appliance also sends encrypted syslog packets and SNMP traps using 3DES and the SonicWall security appliance administrator’s password. The following configuration settings for HTTPS management mode are displayed:

Send Syslog Messages to a Distributed GMS Reporting Server - Sends regular heartbeat messages to both the GMS Primary and Standby Agent IP address. The regular heartbeat messages are sent to the specified GMS reporting server and the reporting server port.
GMS Reporting Server IP Address - Enter the IP address of the GMS Reporting Server, if the server is separate from the GMS management server.
GMS Reporting Server Port - Enter the port for the GMS Reporting Server. The default value is 514.
7
Click OK.

Download URL

The Download URL section provides fields for specifying the URL address of a site for downloading the SonicPoint images. SonicOS Enhanced 5.0 and higher does not contain an image of the SonicPoint firmware. If your SonicWall appliance has Internet connectivity, it will automatically download the correct version of the SonicPoint image from the SonicWall server when you connect a SonicPoint device. If your SonicWall appliance does not have Internet access, or has access only through a proxy server, you must manually specify a URL for the SonicPoint firmware. You do not need to include the http:// prefix, but you do need to include the filename at the end of the URL. The filename should have a .bin extension.

Here are examples using an IP address and a domain name:

192.168.168.10/imagepath/sonicpoint.bin

software.sonicwall.com/applications/sonicpoint/sonicpoint.bin

For more information, refer to Updating SonicPoint Firmware.

* 
CAUTION: It is imperative that you download the corresponding SonicPoint image for the SonicOS firmware version that is running on your SonicWall network security appliance. The MySonicWall web site provides information about the corresponding versions. When upgrading your SonicOS firmware, be sure to upgrade to the correct SonicPoint image.

Selecting UI Language

If your firmware contains languages besides English, they can be selected in the Language Selection drop-down menu.

 
* 
NOTE: Changing the language of the SonicOS UI requires that the SonicWall security appliance be rebooted.

 

Administering SNMP

System > SNMP

This section describes how to configure the SonicWall appliance for SNMP access.

Topics:

What Is SNMP?

SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows you to monitor the status of the SonicWall security appliance and receive notification of critical events as they occur on the network. The SonicWall security appliance supports SNMP v1/v2c/v3 and all relevant Management Information Base II (MIBII) groups except egp and at.

SNMPv3 expands on earlier versions of SNMP and provides secure access to network devices by authenticating and, optionally, encrypting packets.

Packet security is provided through:

Message Integrity: ensures a packet has not been tampered with in transit

Authentication: verifies a message comes from a valid source

Encryption: encrypts packet contents so they cannot be read by an unauthorized party.

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy set up between a user and the group in which the user resides. The security level is the permitted level of security within a given security model. The security model and associated security level determine how an SNMP packet will be handled. SNMPv3 provides extra levels of authentication and privacy, as well as additional authorization and access control.

The following table shows how security levels, authentication, and encryption are handled by the different versions of SNMP.

SNMP Security Levels, Authentication, and Encryption

Model   Level          Authentication Type   Encryption   Means of Authentication
v1      noAuthNoPriv   Community String      No           Community string match
v2c     noAuthNoPriv   Community String      No           Community string match
v3      noAuthNoPriv   Username              No           Username match
v3      authNoPriv     MD5 or SHA            No           HMAC-MD5 or HMAC-SHA authentication
v3      authPriv       MD5 or SHA            DES or AES   HMAC-MD5 or HMAC-SHA authentication, plus CBC-DES (56-bit) or AES (128-bit) encryption of the payload

Note that the v1 and v2c community string travels in cleartext and is matched rather than authenticated: anyone who can capture or guess it can read the MIB. Only the SNMPv3 authPriv level protects both the integrity and the confidentiality of SNMP traffic.

The SonicWall security appliance replies to SNMP Get commands for MIBII, using any interface, and supports a custom SonicWall MIB for generating trap messages. The custom SonicWall MIB is available for download from the SonicWall Web site and can be loaded into third-party SNMP management software such as HP Openview, Tivoli, or SNMPC.

SNMP settings are viewed and configured by the administrator; SNMP users cannot view or modify them. For SNMPv3, access is assigned at the User or Group level. Access Views can be read, write, or both, and can be assigned to users or groups. A single View can have multiple Object IDs (OIDs) associated with it.

The SNMPv3 Asset Number is specified when configuring SNMP. The Engine ID is used to authorize a received SNMP packet. Only matching packet EngineIDs will be processed.

Setting Up SNMP Access

SNMP configuration consists of:

Enabling and Configuring SNMP Access

You can use either SNMPv1/v2 for basic functionality, or configure the appliance to use the more extensive SNMPv3 options.

1
To enable SNMP on the SonicWall security appliance, navigate to the System > SNMP page.

2
Select the Enable SNMP check box, and then click Accept. The Configure button becomes active and the display expands.

3
To configure the SNMP interface, click the Configure button. The Configure SNMP dialog displays with two tabs: General and Advanced.

4
Type the host name of the SonicWall security appliance in the System Name field.
5
Type the network administrator’s name in the System Contact field.
6
Type an e-mail address, telephone number, or pager number in the System Location field.
7
When SNMPv3 configuration is used, an Asset Number field displays on the menu. Enter the asset number of the appliance.
8
Type a name for a group or community of administrators who can view SNMP data in the Get Community Name field. A default name of public is provided; replace it, since any host that can reach the appliance and presents the default string can read the MIB data over SNMPv1/v2c.
9
Type a name for a group or community of administrators who can view SNMP traps in the Trap Community Name field.
10
Type the IP address or host name of the SNMP management system receiving SNMP traps in the Host 1 through Host 4 fields. You must configure at least one IP address or host name, but up to four addresses or host names can be used.
11
Click OK.
Requiring SNMPv3 Usage

To get maximum security for SNMP management, require only SNMPv3 access. If this option is enabled, the Engine ID is used to authorize a received SNMP packet, and only packets whose Engine ID matches will be processed.

1
Navigate to System > SNMP.
2
If the Enable SNMP check box is not selected, select it and then click Accept.
3
Click Configure. The Configure SNMP dialog displays with two tabs: General and Advanced.
4
If SNMP has not been configured, configure the General tab as described in Enabling and Configuring SNMP Access.
5
Click the Advanced tab.

6
Select the Mandatorily Require SNMPv3 check box. This option is not selected by default.
7
Enter the Engine ID number in the Engine ID field. This number is matched against received SNMP packets to authorize their processing. By default, the Engine ID of the appliance is provided. If you enter a different Engine ID, it must be in hexadecimal.
8
For efficient system operation, certain operations may take priority over responses to SNMP queries. To ensure the SNMP subsystem always responds and operates at a higher system priority, select the Increase SNMP subsystem priority check box.
 
* 
NOTE: Enabling this option may affect the performance of the overall system.
9
Click OK
10
Click Accept.

The SNMPv3 security options are now used in processing packets.

Setting up SNMPv3 Groups and Access

SNMPv3 allows you to set up and assign groups and access with differing levels of security. Object IDs are associated with various levels of permission, and a single view can be assigned to multiple objects. The figure below shows how access for groups and users is associated with these permission levels.

SNMPv3 Group Access with Different Permission Levels

Topics:
What is a View?

A View shows access settings for Users or Groups. You create settings for users and groups; these security settings are not User-modifiable. A View defines the Object IDs (OIDs) and Object ID Groups (OID Groups), and is sometimes known as the SNMPv3 Access Object.

The initial set of default views cannot be changed or deleted. The OIDs for the default views are pre-assigned, and they reflect the most often used views: root, system, IP, interfaces, ICMP, TCP, UDP, and ifMIB.

View Table

The View section of the System > SNMP page lists both default and custom views by name and OID.

Configuring Object IDs for SNMPv3 Views
To create a custom view for specific users and groups:
1
To add a view, under View, click Add. The Add SNMP View dialog displays.

2
Enter a name for the view in the View Name field. The default name is New SNMP View.
3
Enter an unassigned OID in the OID Associated with the View field.
4
Click Add OID. The OID appears in the OID List.
5
Add any more new views with associated OIDs by repeating Step 3 and Step 4.
6
Click OK. The new view and its OIDs are added to the View table.
Modifying SNMPv3 Views
To modify a custom view:
1
To modify a view, under View, click the Edit icon for the view to be modified. The Edit SNMP View dialog displays.

 
* 
NOTE: The name is not editable.
2
Enter an unassigned OID in the OID Associated with the View field.
3
Click Add OID. The OID appears in the OID List.

4
Add any more associated OIDs by repeating Step 2 and Step 3.

To delete an OID, select it in the OID List and then click the Delete button.

5
Click OK. The new OIDs are added to the View table.

Deleting Views

To delete a View, click its check box in the View table, and then click the Delete Selected button.

User/Group Table

The User/Group table lists Groups and the Users that belong to them. For each Group, the table displays the Group name and the number of Users in it; for each User, it displays the User name, the Security Level (if any), the Authentication mode (if any), and the Privacy mode (if any). There is a default Group, “No Group”, which initially has no Users. You can add Users to this default group or to custom Groups you have created.

To display the users in a Group, click the triangle before the Group’s name.

Creating Groups
1
To create a Group, click Add Group under the User/Group table. The Add SNMP Group dialog displays.

2
Enter a name for the Group in the Group Name field. The group name can contain up to 32 alphanumeric characters.
3
Click OK.

The Group is added to the User/Group table:

Deleting Groups

To delete a Group, either:

Select its checkbox and then click Delete Selected.
Click the Delete icon for the Group.
 
* 
NOTE: “No Group” cannot be modified or deleted. A Group that has associated Users cannot be deleted.
Creating Users
To add a user:
1
In the User/Group section, click the Add User button. The Add SNMP User dialog displays.

2
Enter the User Name in the User Name field. The default name is New SNMP User.
3
Select the security level from the Security Level drop-down menu:
None (default)
Authentication – If selected, the options expand and you will be asked for an Authentication Method and Authentication Key.

From the Authentication Method drop-down menu, select MD5 or SHA1. Prefer SHA1; MD5 is the weaker of the two.
In the Authentication Key field, enter the authentication key. The key can be any string of printable characters.
Authentication and Privacy – if selected, the options expand and you will be asked for an Encryption Method and Privacy Key as well as the authentication options.

From the Encryption Method drop-down menu, select either AES or DES encryption. Prefer AES; DES uses a 56-bit key.
In the Privacy Key field, enter the encryption key. The key can be any string of printable characters, but they will be displayed as bullets in the window.
4
Optionally, select a Group of which the User will be a member from the Group drop-down menu. If you do not select a Group, the user will be associated with the default Group, “No Group”.
5
Click OK when finished.

The user is added to the list and to the appropriate group. If “No Group” is selected as the Group, the user is added as a member of “No Group”.

Deleting Users

To delete a User, click its Delete icon in the Configure column.

* 
NOTE: Before a Group can be deleted, all its Users must be deleted first.
What is an Access Object?

SNMPv3 Access is an object that:

Defines the read/write access rights of an SNMPv3 View
Can be assigned to an SNMPv3 Group.

Multiple groups can be assigned to the same Access object. An Access object can also have multiple views assigned to it.

Access objects are shown in the Access table, which shows this information about each Access object:

Name
Read View
Master Group
Security Level (if any)

Adding Access
To create an access object:
1
Under the Access table, click on the Add button. The Add SNMP Access dialog displays.

2
Enter a name in the Access Name field.
3
Select the Read View from the drop-down menu. The menu lists both default and custom Views.
4
Select a Master SNMPv3 Group from the drop-down menu.
 
* 
NOTE: Access can be assigned to only one SNMPv3 Group, but a Group can be associated with up to three Access objects.
5
Select a security level for the Access Security Level drop-down menu: None, Authentication Only, or Authentication and Privacy.
 
* 
NOTE: If a Group is associated with multiple Access objects, each Access object must have a different Access Security Level. As there are only three Access Security Levels, a Group can be associated with a maximum of three Access objects.
6
When done, click OK. The Access object is added to the Access table.
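How a View, a Group and an Access object combine to decide a read request, as an added Python model that is not SonicOS code. It mirrors the objects described in the preceding sections: a View is a list of OID subtrees, an Access object binds a read View to one Master Group at one Access Security Level, a User belongs to one Group, and a Group may carry at most one Access per level (the rule in the note above). Request evaluation follows the RFC 3415 VACM rule: among the Group's Access objects whose level the request meets or exceeds, the one with the highest level applies. Group, user and view names are constructed; the OIDs are the standard MIB-II system and interfaces subtrees the default views cover.

```python
"""SNMPv3 View / Group / Access evaluation model (added example, not SonicOS code)."""
from dataclasses import dataclass, field

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def oid_in_subtree(oid: str, subtree: str) -> bool:
    """Component-wise prefix test: 1.3.6.1.2.1.11 is NOT under 1.3.6.1.2.1.1,
    although a naive string prefix check would say it is."""
    o = [int(x) for x in oid.strip(".").split(".")]
    s = [int(x) for x in subtree.strip(".").split(".")]
    return o[:len(s)] == s


@dataclass
class View:
    name: str
    subtrees: list          # OID prefixes readable through this view


@dataclass
class Access:
    name: str
    group: str              # the Master SNMPv3 Group
    level: str              # Access Security Level
    read_view: View


@dataclass
class Authorizer:
    users: dict = field(default_factory=dict)     # user name -> group name
    accesses: list = field(default_factory=list)

    def add_user(self, user: str, group: str) -> None:
        self.users[user] = group

    def add_access(self, access: Access) -> None:
        if access.level not in LEVELS:
            raise ValueError(f"unknown security level {access.level}")
        for existing in self.accesses:   # one Access per Group per level
            if existing.group == access.group and existing.level == access.level:
                raise ValueError(f"group {access.group} already has an Access at {access.level}")
        self.accesses.append(access)

    def can_read(self, user: str, level: str, oid: str) -> bool:
        """Decide a GET of `oid` from `user` whose message arrived at `level`."""
        group = self.users.get(user)
        if group is None:
            return False
        candidates = [a for a in self.accesses
                      if a.group == group and LEVELS[level] >= LEVELS[a.level]]
        if not candidates:
            return False  # the request's level is below every Access for the group
        chosen = max(candidates, key=lambda a: LEVELS[a.level])
        return any(oid_in_subtree(oid, s) for s in chosen.read_view.subtrees)


def build_demo() -> Authorizer:
    """Constructed policy: group 'netops' may read the system subtree when
    authenticated, and the whole MIB-II tree only when also encrypted."""
    system_view = View("system", ["1.3.6.1.2.1.1"])
    mib2_view = View("mib2", ["1.3.6.1.2.1"])
    auth = Authorizer()
    auth.add_user("alice", "netops")
    auth.add_access(Access("netops-auth", "netops", "authNoPriv", system_view))
    auth.add_access(Access("netops-priv", "netops", "authPriv", mib2_view))
    return auth
```

The point of tying a richer View to the higher level is that a manager which has been downgraded to unauthenticated or unencrypted requests automatically loses the sensitive subtrees, rather than keeping them with weaker protection.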

Modifying an Access Object
To modify an access object:
1
In the Access table, click the Edit icon for the Access object you wish to modify. The Edit SNMP Access dialog displays.

2
Make the necessary changes.
* 
NOTE: Changing an Access Security Level can be done only if the Group does not already have an associated Access with that Access Security Level.
3
Click OK. The Access table is updated.
Deleting Access Objects

To delete an Access object, click the Delete icon for that Access object.

To delete multiple Access objects, select their check boxes and then click the Delete Selected button under the Access table.

To delete all Access objects, click the check box in the header for the Access table and then click the Delete Selected button under the Access table.

SNMP Logs

SNMP logs can be viewed on the Dashboard > Log Monitor page. Expand the System category to view SNMP-specific logs.

Trap messages are generated only for the alert message categories normally sent by the SonicWall security appliance. For example, attacks, system errors, or blocked Web sites generate trap messages. If none of the categories are selected on the Log > Log Monitor page, then no trap messages are generated.

Configuring SNMP as a Service and Adding Rules

By default, SNMP is disabled on the SonicWall security appliance. To enable SNMP you must first enable SNMP on the System > SNMP page, and then enable it for individual interfaces. To do this, go to the Network > Interfaces page and click on the Configure button for the interface you want to enable SNMP on.

If your SNMP management system supports discovery, it automatically discovers the SonicWall security appliance on the network. Otherwise, you must add the SonicWall security appliance to the list of SNMP-managed devices on the SNMP management system.

Managing Certificates

System > Certificates

To use certificates for VPN policies, you need a valid CA certificate from a third-party CA service. Import it into the SonicWall security appliance on the System > Certificates page; the appliance then uses it to validate your Local Certificates.

Topics:

Digital Certificates Overview

A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). The X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWall has implemented this standard in its third party certificate support.

You can use a certificate signed and verified by a third party CA to use with an IKE (Internet Key Exchange) VPN policy. IKE is an important part of IPsec VPN solutions, and it can use digital certificates to authenticate peer devices before setting up SAs. Without digital certificates, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices or clients using digital signatures do not require configuration changes every time a new device or client is added to the network.

A typical certificate consists of two sections: a data section and a signature section. The data section typically contains information such as the version of X.509 supported by the certificate, a certificate serial number, information about the user’s public key, the Distinguished Name (DN), validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature.

SonicWall security appliances interoperate with any X.509v3-compliant certificate provider. SonicWall security appliances have been tested with the following vendors of Certificate Authority Certificates:

Entrust
Microsoft
OpenCA
OpenSSL
VeriSign

Certificates and Certificate Requests

The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates.

The View Style menu allows you to display your certificates in the Certificates and Certificate Requests table based on the following criteria:

All Certificates - displays all certificates and certificate requests.
Imported certificates and requests - displays all imported certificates and generated certificate requests.
Built-in certificates - displays all certificates included with the SonicWall security appliance.
Include expired and built-in certificates - displays all expired and current built-in certificates.

The Certificates and Certificate Requests table displays the following information about your certificates:

Certificate - the name of the certificate.
Type - the type of certificate, which can include CA or Local.
Validated - the validation information.
Expires - the date and time the certificate expires.
Details - the details of the certificate. Moving the pointer over the icon displays the details of the certificate.
Configure - Displays the Delete and Download icons for deleting or downloading a certificate entry. Current built-in certificates cannot be deleted or downloaded.

Certificate Details

Clicking on the icon in the Details column of the Certificates and Certificate Requests table lists information about the certificate, which may include the following, depending on the type of certificate:

Certificate Issuer
Subject Distinguished Name
Certificate Serial Number
Valid from
Expires On
Status (for Pending requests and local certificates)
CRL Status (for Certificate Authority certificates)

The details shown in the Details mouse-over popup depend on the type of certificate. Certificate Issuer, Certificate Serial Number, Valid from, and Expires On are not shown for Pending requests since this information is generated by the Certificate provider. Similarly, CRL Status information is shown only for CA certificates and varies depending on the CA certificate configuration.

Importing Certificates

After your CA service has issued a Certificate for your Pending request, or has otherwise provided a Local Certificate, you can import it for use in VPN or Web Management authentication. CA Certificates may also be imported to verify local Certificates and peer Certificates used in IKE negotiation.

Topics:

Importing a Certificate Authority Certificate

To import a certificate from a certificate authority:
1
Click Import. The Import Certificate dialog displays.

2
Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate dialog settings change.

3
Select the path to the certificate file in the Please select a file to import field by clicking the Browse button to locate the certificate file, and then click Open to set the directory path to the certificate.
4
Click Import to import the certificate into the SonicWall security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
5
Moving your pointer over the Comment icon in the Details column displays the certificate details information.

Importing a Local Certificate

To import a local certificate:
1. Click Import. The Import Certificate dialog displays.
2. Enter a certificate name in the Certificate Name field.
3. Enter the password used to encrypt the PKCS#12 file in the Certificate Management Password field.
4. In the Please select a file to import field, click Browse to locate the certificate file, and then click Open to set the directory path to the certificate.
5. Click Import to import the certificate into the SonicWall security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
6. Moving your pointer to the icon in the Details column displays the certificate details information.

Deleting a Certificate

You can delete a certificate if it has expired or if you decide not to use third party certificates for VPN authentication. Built-in certificates cannot be deleted. Only those certificates with the Delete icon enabled in the Configure column of the table can be deleted.

To delete a certificate:
1. In the row for the certificate, click the Delete icon in the Configure column.
2. Click OK in the confirmation dialog.

Downloading a certificate

Built-in certificates cannot be downloaded. Only those certificates with the Download icon enabled in the Configure column of the table can be downloaded from the appliance.

To download a certificate:
1. In the row for the certificate, click the Download icon in the Configure column.
2. In the Export Certificate dialog, type the password for the certificate into the Certificate Management Password field.
3. Click Export.
4. Select the Save File option and click OK, if prompted by your browser. The certificate is saved to the default location, such as your Downloads folder.

Generating a Certificate Signing Request

 
TIP: You should create a Certificate Policy to be used in conjunction with local certificates. A Certificate Policy determines the authentication requirements and the authority limits required for the validation of a certificate.

To generate a local certificate:
1. Click the New Signing Request button. The Certificate Signing Request dialog displays.
2. In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field.
3. Select the Request field type from the menu, then enter information for the certificate in the Request fields. As you enter information in the Request fields, the Distinguished Name (DN) is created in the Subject Distinguished Name field.
   You can also attach an optional Subject Alternative Name to the certificate such as the Domain Name or E-mail Address.
4. The Subject Key type is preset as an RSA algorithm. RSA is a public key cryptographic algorithm used for encrypting data.
5. Select a subject key size from the Subject Key Size menu.
   NOTE: Not all key sizes are supported by a Certificate Authority, therefore you should check with your CA for supported key sizes.
6. Click Generate to create a certificate signing request file. Once the Certificate Signing Request is generated, a message describing the result is displayed.
7. Click Export to download the file to your computer, then click Save to save it to a directory on your computer. You have generated the Certificate Request that you can send to your Certificate Authority for validation.

Configuring Simple Certificate Enrollment Protocol

The Simple Certificate Enrollment Protocol (SCEP) is designed to support the secure issuance of certificates to network devices in a scalable manner. There are two enrollment scenarios for SCEP:

SCEP server CA automatically issues certificates
SCEP request is set to PENDING and the CA administrator manually issues the certificate.

More information about SCEP can be found at:

To use SCEP to issue certificates:
1. Generate a signing request as described in Generating a Certificate Signing Request.
2. Scroll to the bottom of the System > Certificates page and click the SCEP button. The SCEP Configuration dialog displays.
3. In the CSR List drop-down menu, the UI selects a default CSR list automatically. If you have multiple CSR lists configured, you can change this selection.
4. In the CA URL field, enter the URL for the Certificate Authority.
5. In the Challenge Password field, enter the password for the CA if one is required.
6. In the Polling Interval(S) field, you can modify the default value for the number of seconds between polling messages.
7. In the Max Polling Time(S) field, you can modify the default value for the number of seconds the firewall waits for a response to a polling message before timing out.
8. Click the Scep button to submit the SCEP enrollment.

The firewall will then contact the CA to request the certificate. The duration of time this will take depends on whether the CA issues certificates automatically or manually. The Log > Log Monitor page will display messages on the status of the SCEP enrollment and issuance of the certificate. After the certificate is issued, it will be displayed in the list of available certificates on the System > Certificates page, under the Imported certificates and requests category.
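The two enrollment scenarios and the two timers described above, traced in Python as an added example (not SonicOS code or any SCEP library). The CA transport, FakeClock and ManualCA are constructed stand-ins, and Max Polling Time is read as the total time the firewall keeps polling before giving up, which is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# pkiStatus values a SCEP CertRep response can carry.
SUCCESS, FAILURE, PENDING = "SUCCESS", "FAILURE", "PENDING"

# Stand-in for the CA transport (assumption): given the SCEP message type
# ("PKCSReq" for the enrollment request, "CertPoll" for each later poll) it
# returns (pkiStatus, certificate bytes or None). Real SCEP wraps these in PKCS#7.
CaTransport = Callable[[str], Tuple[str, Optional[bytes]]]


@dataclass
class Enrollment:
    status: str                   # SUCCESS, FAILURE or TIMEOUT
    certificate: Optional[bytes]
    polls_sent: int
    log: List[str] = field(default_factory=list)


def enroll(ca: CaTransport, polling_interval: int, max_polling_time: int,
           clock: Callable[[], float], sleep: Callable[[float], None]) -> Enrollment:
    """Send the request, then while the CA answers PENDING poll again every
    polling_interval seconds. Assumption: max_polling_time bounds the total
    time spent waiting for a final answer before the enrollment times out."""
    if polling_interval <= 0 or max_polling_time < polling_interval:
        raise ValueError("polling interval must be positive and no more than max polling time")
    started = clock()
    log = ["t=0s PKCSReq sent to CA"]
    status, cert = ca("PKCSReq")
    polls = 0
    while status == PENDING:
        elapsed = clock() - started
        log.append(f"t={elapsed:.0f}s CA replied PENDING")
        if elapsed + polling_interval > max_polling_time:
            log.append(f"t={elapsed:.0f}s max polling time {max_polling_time}s reached, giving up")
            return Enrollment("TIMEOUT", None, polls, log)
        sleep(polling_interval)
        status, cert = ca("CertPoll")
        polls += 1
    log.append(f"t={clock() - started:.0f}s CA replied {status}")
    return Enrollment(status, cert if status == SUCCESS else None, polls, log)


class FakeClock:
    """Deterministic clock so the example runs offline without real delays."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def auto_issuing_ca(message_type: str) -> Tuple[str, Optional[bytes]]:
    """Scenario 1: the SCEP server CA issues the certificate immediately."""
    return SUCCESS, b"<constructed certificate bytes>"


class ManualCA:
    """Scenario 2: the request is set to PENDING and the CA administrator
    issues the certificate later; here after `approve_after_polls` polls."""
    def __init__(self, approve_after_polls: int) -> None:
        self.remaining = approve_after_polls

    def __call__(self, message_type: str) -> Tuple[str, Optional[bytes]]:
        if message_type == "CertPoll":
            self.remaining -= 1
        if self.remaining <= 0:
            return SUCCESS, b"<constructed certificate bytes>"
        return PENDING, None


def run_scenarios(polling_interval: int = 30, max_polling_time: int = 120) -> dict:
    """Run both scenarios plus an administrator who never acts; return the results."""
    results = {}
    for label, ca in (("automatic", auto_issuing_ca),
                      ("manual", ManualCA(3)),
                      ("never issued", ManualCA(10 ** 6))):
        clock = FakeClock()
        results[label] = enroll(ca, polling_interval, max_polling_time, clock, clock.sleep)
    return results


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result.status} after {result.polls_sent} poll(s)")
        for line in result.log:
            print("   ", line)
```

The timer values used in run_scenarios are constructed for illustration, not SonicOS defaults.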

Configuring Time Settings

System > Time

The System > Time page defines the time and date settings to time stamp log events, to automatically update SonicWall Security Services, and for other internal purposes.

By default, the SonicWall security appliance uses an internal list of public NTP servers to automatically update the time. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes to a fraction of a millisecond.

Topics:

Setting System Time

To update the time automatically, choose the time zone from the Time Zone menu. Set time automatically using NTP is activated by default to use NTP (Network Time Protocol) servers from an internal list to set time automatically. Automatically adjust clock for daylight saving time is also activated by default to enable automatic adjustments for daylight savings time.

If you want to set your time manually, uncheck Set time automatically using NTP. Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus.

Selecting Display UTC in logs (instead of local time) specifies the use of Coordinated Universal Time (UTC) rather than local time for log events.

Selecting Display date in International format displays the date in International format, with the day preceding the month.

Selecting Only use custom NTP servers directs SonicOS to use the manually entered list of NTP servers to set the SonicWall security appliance clock, rather than using the internal list of NTP servers.

After selecting your System Time settings, click Accept.

NTP Settings

Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes, to a fraction of a millisecond.

 
TIP: The SonicWall security appliance uses an internal list of NTP servers, so manually entering an NTP server is optional.

Select Set time automatically using NTP if you want to use your local server to set the SonicWall security appliance clock.

To add an NTP server to the SonicWall security appliance configuration:
1. Click Add. The Add NTP Server dialog displays.
2. Type the IP address of an NTP server in the NTP Server field.
3. Click OK.
4. Click Accept on the System > Time page to update the SonicWall security appliance.

To delete an NTP server, highlight the IP address and click Delete. Or, click Delete All to delete all servers.

Setting Schedules

System > Schedules

The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicWall security appliance features.

The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the Edit icon in the Configure column to display the Edit Schedule dialog.

NOTE: You cannot delete the default Work Hours, After Hours, or Weekend Hours schedules.

You apply schedule objects for the specific security feature. For example, if you add an access rule in the Firewall > Access Rules page, the Add Rule dialog provides a drop down menu of all the available schedule objects you created in the System > Schedules page.

A schedule can include multiple day and time increments for rule enforcement with a single schedule. If a schedule includes multiple day and time entries, a right-arrow button appears next to the schedule name. Clicking the button expands the schedule to display all the day and time entries for the schedule.

Topics:

Adding a Schedule

1. To create schedules, click Add. The Add Schedule dialog displays.
2. Enter a descriptive name for the schedule in the Name field.
3. Select one of the following radio buttons for Schedule type:
   Once – For a one-time schedule between the configured Start and End times and dates. When selected, the fields under Once become active, and the fields under Recurring become inactive.
   Recurring – For a schedule that occurs repeatedly during the same configured hours and days of the week, with no start or end date. When selected, the fields under Recurring become active, and the fields under Once become inactive.
   Mixed – For a schedule that occurs repeatedly during the same configured hours and days of the week, between the configured start and end dates. When selected, all fields on the page become active.
4. If the fields under Once are active, configure the starting date and time by selecting the Year, Month, Date, Hour, and Minute from the drop-down menus in the Start row. The hour is represented in 24-hour format.
5. Under Once, configure the ending date and time by selecting the Year, Month, Date, Hour, and Minute from the drop-down menus in the End row. The hour is represented in 24-hour format.
6. If the fields under Recurring are active, select the checkboxes for the days of the week to apply to the schedule or select All.
7. Under Recurring, type in the time of day for the schedule to begin in the Start field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.
8. Under Recurring, type in the time of day for the schedule to stop in the Stop field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.
9. Click Add.
10. Click OK to add the schedule to the Schedule List.
11. To delete existing days and times from the Schedule List, select the row and click Delete. Or, to delete all existing schedules, click Delete All.
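
The Once, Recurring and Mixed semantics from the procedure above, modelled in Python as an added example that is not part of the SonicOS documentation or firmware. Class and field names are assumptions, the sample schedules are constructed, and a time window that crosses midnight is assumed to be entered as two rows.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import FrozenSet, Iterable, List, Optional, Union

# Weekday labels indexed by datetime.weekday(), where Monday is 0.
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
ALL_DAYS = frozenset(DAYS)


def parse_hhmm(text: str) -> int:
    """Return minutes since midnight for a 24-hour 'HH:MM' string (for example
    '17:00' for 5 p.m.). '24:00' is accepted so a row can run to midnight."""
    try:
        hours, minutes = (int(part) for part in text.split(":"))
    except ValueError:
        raise ValueError(f"expected HH:MM in 24-hour format, got {text!r}") from None
    if not 0 <= hours <= 24 or not 0 <= minutes <= 59 or (hours == 24 and minutes):
        raise ValueError(f"expected HH:MM in 24-hour format, got {text!r}")
    return hours * 60 + minutes


@dataclass(frozen=True)
class Entry:
    """One day-and-time row of the Schedule List, as added with the Add button."""
    days: FrozenSet[str]
    start: int  # minutes since midnight, inclusive
    stop: int   # minutes since midnight, exclusive

    def __post_init__(self) -> None:
        if not self.days or not self.days <= ALL_DAYS:
            raise ValueError(f"bad day selection: {sorted(self.days)}")
        if not 0 <= self.start < self.stop <= 24 * 60:
            # Assumption: a window crossing midnight is entered as two rows,
            # for example 17:00-24:00 and 00:00-08:00.
            raise ValueError("Stop must be later than Start and within one day")


@dataclass
class Schedule:
    name: str
    schedule_type: str                      # "Once", "Recurring" or "Mixed"
    start: Optional[datetime] = None        # Once / Mixed: Start row
    end: Optional[datetime] = None          # Once / Mixed: End row
    entries: List[Entry] = field(default_factory=list)  # Recurring / Mixed rows

    def __post_init__(self) -> None:
        if self.schedule_type not in ("Once", "Recurring", "Mixed"):
            raise ValueError(f"unknown schedule type {self.schedule_type!r}")
        if self.schedule_type == "Recurring":
            if self.start is not None or self.end is not None:
                raise ValueError("Recurring schedules have no start or end date")
        elif self.start is None or self.end is None or self.end <= self.start:
            raise ValueError("Once and Mixed schedules need Start before End")

    def add_entry(self, days: Union[str, Iterable[str]], start: str, stop: str) -> "Schedule":
        """Mirror the dialog: tick day checkboxes (or 'All'), type Start and
        Stop in 24-hour format, click Add. Returns self for chaining."""
        chosen = ALL_DAYS if days == "All" else frozenset(days)
        self.entries.append(Entry(chosen, parse_hhmm(start), parse_hhmm(stop)))
        return self

    def is_active(self, at: datetime) -> bool:
        """True when a feature bound to this schedule is enforced at `at`.
        A Recurring or Mixed schedule with no rows is never active."""
        within_dates = self.start is not None and self.start <= at <= self.end
        minute = at.hour * 60 + at.minute
        within_entry = any(
            DAYS[at.weekday()] in e.days and e.start <= minute < e.stop
            for e in self.entries)
        if self.schedule_type == "Once":
            return within_dates
        if self.schedule_type == "Recurring":
            return within_entry
        return within_dates and within_entry    # Mixed: both must hold


if __name__ == "__main__":
    # Constructed sample resembling a Monday-to-Friday working-hours schedule.
    work_hours = Schedule("Work Hours", "Recurring").add_entry(
        ["Mon", "Tue", "Wed", "Thu", "Fri"], "08:00", "17:00")
    print(work_hours.name, "active on Mon 09:30:",
          work_hours.is_active(datetime(2024, 3, 4, 9, 30)))
```
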

Deleting Schedules

You can delete custom schedules, but you cannot delete the default Work Hours, After Hours, or Weekend Hours schedules.

Deleting Individual Schedules

To delete individual schedule objects that you created:
1. On the System > Schedules page in the Schedules table, select the check box next to the schedule entry to enable the Delete button.
2. Click Delete.

Deleting All Schedules

To delete all schedule objects you created:
1. On the System > Schedules page in the Schedules table, select the check box next to the Name column header to select all schedules.
2. Click Delete.

Managing SonicWall Security Appliance Firmware

System > Settings

The System > Settings page allows you to manage your SonicWall security appliance’s SonicOS versions and configuration settings. Configuration settings are also referred to as preferences, prefs, or EXP files.

Settings

The Settings section provides the following capabilities:

Import Settings

To import a previously saved preferences file:
1. Click Import Settings. The Import Settings dialog displays.
2. Click Browse to locate the file, which has a *.exp file name extension.
3. Select the preferences file.
4. Click Import. The firewall reboots automatically.

Export Settings

To export configuration settings:
1. Click Export Settings. The Export Settings dialog displays.
2. Click Export.
3. Click Save, and then select a location to save the file. The file is named sonicwall-<firewall_model>_<version>.exp by default, but can be renamed.
4. Click Save. This process can take up to a minute. The exported preferences file can be imported into the SonicWall security appliance if it is necessary to reset the firmware.

Send Diagnostic Reports

To send system diagnostics to SonicWall Technical Support, click Send Diagnostic Reports to Support. The status bar at the bottom of the screen displays Please wait! while sending the report, then displays Diagnostic reports sent successfully.

Firmware Management

The Firmware Management section provides settings that allow for easy firmware upgrade and preferences management. The Firmware Management section allows you to:

Upload and download firmware images and system settings.
Boot to your choice of firmware and system settings.
Manage system backups.
Easily return your SonicWall security appliance to the previous system state.

NOTE: SonicWall security appliance SafeMode, which uses the same settings as in Firmware Management, provides quick recovery from uncertain configuration states.

Topics:

Firmware Management Table

NSA 2400 and above, and E-Class NSA series appliances have slightly different options available for firmware management than TZ series, SOHO, or NSA 250M series and lower-numbered NSA appliances.

Firmware Management on NSA 2400 and Above

Firmware Management on TZ and other small appliances

The Firmware Management table displays the following information:

Firmware Image - in this column, the following types of firmware images are listed:
Current Firmware - firmware currently loaded on the SonicWall security appliance.
Current Firmware with Factory Default Settings - rebooting using this firmware image resets the SonicWall security appliance to its default IP addresses, username, and password.
Current Firmware with Backup Settings - the current firmware image using the backup settings created by clicking Create Backup Settings. This option is only available on most SonicWall TZ series platforms, the SOHO, and the NSA 220, 240, and 250M platforms that store backup settings, but not a standalone backup firmware image, as the higher platforms do.
NOTE: TZ 100 series and TZ 200 series do not support saving a copy of the settings directly on the unit.
Uploaded Firmware - the latest uploaded firmware version with current configuration settings.
Uploaded Firmware with Factory Default Settings - the latest uploaded firmware version using factory default settings.
Uploaded Firmware with Backup Settings - the newly uploaded firmware image using the backup settings created by clicking Create Backup Settings. This option is only available on most SonicWall TZ platforms, the SOHO, and the NSA 220, 240, and 250M that store backup settings but not a standalone backup firmware image, as the higher platforms do.
NOTE: TZ 100 series and TZ 200 series do not support saving a copy of the settings directly on the unit.
System Backup - the backup firmware image and settings for the appliance, created by clicking Create Backup. This option is only available on SonicWall NSA 2400 and higher platforms, which store a standalone backup firmware image.
NOTE: The date on which System Backup was created and the firmware version in use at the time are listed only in the Note: above the Firmware Management table. The dates in the Date column for each image are the build dates for the firmware images themselves.
IMPORTANT: Although there is a Download button for the System Backup, do not use it. If you download the System Backup file from any appliance, you get a firmware file that cannot be imported into an appliance, nor can it be uploaded like firmware.
Version - the firmware version.
Date - the day, date, and time of downloading the firmware.
Size - the size of the firmware file in Megabytes (MB).
Download - clicking the icon saves the firmware file to a new location on your computer or network. Only uploaded firmware can be saved to a different location.
Boot - clicking the icon reboots the SonicWall security appliance with the firmware version listed in the same row.
CAUTION: Clicking Boot next to any firmware image overwrites the existing current firmware image, making the booted firmware the Current Firmware image.
CAUTION: When uploading firmware to the SonicWall security appliance, you must not interrupt the Web browser by closing the browser, clicking a link, or loading a new page. If the browser is interrupted, the firmware may become corrupted.

Updating Firmware Manually

To update firmware manually:
1. Click Upload New Firmware to upload new firmware to the SonicWall security appliance. The Upload Firmware dialog displays.
2. Click Browse.
3. Browse to the firmware file located on your local drive and select the file.
4. Click Upload to upload the new firmware to the SonicWall security appliance.

Creating a Backup Firmware Image

When you click Create Backup, the SonicOS takes a snapshot of your current system state, firmware, and configuration preferences, and makes it the new System Backup firmware image. Clicking Create Backup overwrites the existing System Backup firmware image as necessary. You use the System Backup file for saving good configurations and booting them if upgrades or configuration changes lead to instability or other serious issues. The System Backup file is saved onboard, which makes it very convenient.

IMPORTANT: Create Backup is supported on the NSA 2400 and above, and on E-Class NSA appliances. Current configuration settings are saved with the firmware. The TZ series, SOHO, NSA 220 series, NSA 240, and NSA 250M series do not support a full firmware image backup.

Creating Backup Settings

SonicWall TZ series (except TZ 100 and TZ 200 series), the SOHO, and the NSA 220 series, 240, and 250M series have the Create Backup Settings button instead of Create Backup. You can use the Create Backup Settings button to save a copy of the current configuration settings locally on the firewall. The saved settings can be used with the current firmware version or with a newly uploaded firmware version.

 
NOTE: The TZ 100 series and TZ 200 series do not support saving a copy of the settings directly on the unit. You can use Export Settings to save them to a file on your computer.

SafeMode – Rebooting the SonicWall Security Appliance

SafeMode allows easy firmware and preferences management as well as quick recovery from uncertain configuration states. To access the SonicWall security appliance using SafeMode, use a narrow, straight object (such as a straightened paper clip or a toothpick) to press and hold the reset button on the back of the security appliance for more than twenty seconds. The reset button is in a small hole next to the console port or next to the power supply.

 
NOTE: Holding the reset button for two seconds will take a diagnostic snapshot to the console. Holding the reset button for six to eight seconds will reboot the appliance in regular mode.

After the SonicWall security appliance reboots, open your Web browser and enter the current IP address of the SonicWall security appliance or the default IP address: 192.168.168.168. The SafeMode page is displayed.

SafeMode allows you to do any of the following:

Upload firmware images to the SonicWall security appliance.
Import and export system settings to/from the SonicWall security appliance.
Boot to your choice of firmware options.
Create a system backup file on platforms that support this option.
Create backup settings on platforms that support this option.
Return your SonicWall security appliance to a previous system state.

System Information

System Information for the SonicWall security appliance is retained and displayed in this section.

Firmware Management

The Firmware Management table in SafeMode has the following columns:

Firmware Image - In this column, five types of firmware images are listed:
Current Firmware, firmware currently loaded on the SonicWall security appliance
Current Firmware with Factory Default Settings, rebooting using this firmware image resets the SonicWall security appliance to its default IP addresses, user name, and password
Current Firmware with Backup Settings - a firmware image created by clicking Create Backup
Uploaded Firmware, the last version uploaded from MySonicWall
Uploaded Firmware with Factory Default Settings, rebooting using this firmware image resets the SonicWall security appliance to its default IP addresses, user name, and password
Uploaded Firmware with Backup Settings - a firmware image created by clicking Create Backup
Version - The firmware version is listed in this column.
Date - The day, date, and time of downloading the firmware.
Size - The size of the firmware file in Megabytes (MB).
Download - Clicking the icon saves the firmware file to a new location on your computer or network. Only uploaded firmware can be saved to a different location.
Boot - Clicking the icon reboots the SonicWall security appliance with the firmware version listed in the same row.
 
NOTE: Clicking Boot next to any firmware image overwrites the existing current firmware image, making it the Current Firmware image.

Click Boot in the firmware row of your choice to restart the SonicWall security appliance.

 
CAUTION: Only select the Boot with firmware diagnostics enabled (if available) option if instructed to by SonicWall technical support.

Firmware Auto-Update

SonicOS Enhanced 5.2 introduces the Firmware Auto-Update feature, which helps ensure that your SonicWall security appliance has the latest firmware release.

Firmware Auto-Update contains the following options:

Enable Firmware Auto-Update - Displays an Alert icon when a new firmware release is available. This option is selected by default.
Download new firmware automatically when available - Downloads new firmware releases to the SonicWall security appliance when they become available. By default, this option is not selected.
CAUTION: Firmware updates are available only to registered users with a valid support contract. You must register your SonicWall at https://www.MySonicWall.com/.

One-Touch Configuration Overrides

The One-Touch Configuration Override feature can be thought of as a quick tune-up for your SonicWall appliance’s security settings. With a single click, One-Touch Configuration Override applies over sixty configuration settings over sixteen pages of the SonicWall GUI to implement SonicWall’s recommended best practices. These settings ensure that your appliance is taking advantage of SonicWall’s security features.

There are two sets of One-Touch Configuration Override settings:

DPI and Stateful Firewall Security – For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules.
Stateful Firewall Security – For network environments that do not have DPI security services enabled, but still want to employ SonicWall’s stateful firewall security best practices.

Both of the One-Touch Configuration Override deployments implement the following configurations:

Configure Administrator security best practices
Enforce HTTPS login and disable ping
Configure DNS Rebinding
Configure Access Rules best practices
Configure Firewall Settings best practices
Configure Firewall Flood Protection best practices
Configure VPN Advanced settings best practices
Configure Log levels
Enable Flow Reporting and Visualization

The DPI and Stateful Firewall Security deployment also configures the following DPI-related configurations:

Enable DPI services on all applicable zones
Enable App Rules
Configure Gateway Anti-Virus best practices
Configure Intrusion Prevention best practices
Configure Anti-Spyware best practices
CAUTION: Be aware that the One-Touch Configuration Override may change the behavior of your SonicWall security appliance. Review the list of configurations before applying One-Touch Configuration Override.

In particular, the following configurations may affect the experience of the administrator:

Administrator password requirements on the System > Administration page
Requiring HTTPS management
Disabling HTTP to HTTPS redirect
Disabling Ping management

The following table lists the configuration settings that are applied as part of One-Touch Configuration Override for both the DPI and Stateful Firewall Security deployment and the Stateful Firewall Security Deployment.

 

One-Touch Configuration Override Configuration Settings

Columns: Configuration Setting | DPI and Stateful Firewall Security | Stateful Firewall Security (X = applied by that deployment, - = not applied)

System > Administration
Password must be changed every 90 days | X | X
Bar repeated password changes for 4 changes | X | X
Enforce password complexity: Require alphabetic, numeric, and symbolic characters | X | X
Apply the above password constraints for all user categories | X | X
Enable administrator/user lockout | X | X
Failed Login attempts per minute before lockout: 7 | X | X
Enable inter-administrator messaging | X | X
Inter-administrator Messaging polling interval (seconds): 10 | X | X

Network > Interfaces
Any interface allowing HTTP management is replaced with HTTPS Management | X | X
Any setting to Add rule to enable redirect from HTTP to HTTPS is disabled | X | X
Ping Management is disabled on all interfaces | X | X

Network > Zones
Intrusion Prevention is enabled on all applicable default Zones | X | -
Gateway Anti-Virus protection is enabled on all applicable default Zones | X | -
Anti-Spyware protection is enabled on all applicable default Zones | X | -
App Rules is enabled on all applicable default Zones | X | -
SSL Control is enabled on all default Zones | X | -

Network > DNS
Enable DNS Rebinding protection | X | X
DNS Rebinding Action: Log Attack & Drop DNS Reply | X | X

Firewall > Access Rules
For any firewall policy with an Action of Deny, the Action is changed to Discard | X | X
Source IP Address connection limiting with a threshold of 128 connections is enabled for all firewall policies | X | X

Firewall > App Rules
If licensed, the Enable App Rules setting is turned on | X | -

Firewall Settings > Advanced
Turn on Enable Stealth Mode | X | X
Turn on Randomize IP ID | X | X
Turn off Decrement IP TTL for forwarded traffic | X | X
Turn on Never generate ICMP Time-Exceeded packets | X | X
Connections are set to: Recommended for normal deployments with firewall services enabled | X | X
Turn on Enable IP header checksum enforcement | X | X
Turn on Enable UDP checksum enforcement | X | X

Firewall Settings > Flood Protection
Turn on Enforce strict TCP compliance with RFC 793, RFC 1122, and RFC 1323 | X | X
Turn on Enable TCP handshake enforcement | X | X
Turn on Enable TCP checksum enforcement | X | X
Turn on Enable TCP handshake timeout | X | X
SYN Flood Protection Mode: Always proxy WAN client connections | X | X

Firewall Settings > Flood Protection
Turn on Enable SSL Control | X | X
Set Action to: Block connection and log the event | X | X
For Configuration, enable all categories | X | X

VPN > Advanced
Turn on Enable IKE Dead Peer Detection | X | X
Turn on Enable Dead Peer Detection for Idle VPN sessions | X | X
Turn on Enable Fragmented Packet Handling | X | X
Turn on Ignore DF (Don't Fragment) Bit | X | X
Turn on Enable NAT Traversal | X | X
Turn on Clean up Active tunnels when Peer Gateway DNS name resolves to a different address | X | X
Turn on Preserve IKE port for Pass Through Connections | X | X

Security Services > Gateway Anti-Virus
If licensed, Enable Gateway Antivirus | X | -
Configure Gateway AV Settings: Turn on Disable SMTP Responses | X | -
Configure Gateway AV Settings: Turn off Disable detection of EICAR test virus | X | -
Configure Gateway AV Settings: Turn on Enable HTTP Byte-Range requests with Gateway AV | X | -
Configure Gateway AV Settings: Turn on Enable FTP REST request with Gateway AV | X | -
Configure Gateway AV Settings: Turn off Do not scan parts of files with high compression ratios | X | -
Configure Gateway AV Settings: Turn off Disable HTTP Clientless Notification Alerts | X | -

Security Services > Intrusion Prevention
If licensed, Enable IPS | X | -
Turn on Prevent All and Detect All for High Priority Attacks | X | -
Turn on Prevent All and Detect All for Medium Priority Attacks | X | -
Turn on Prevent All and Detect All for Low Priority Attacks | X | -

Security Services > Anti-Spyware
If licensed, Enable Anti-Spyware | X | -
Turn on Prevent All and Detect All for High Priority Attacks | X | -
Turn on Prevent All and Detect All for Medium Priority Attacks | X | -
Turn on Prevent All and Detect All for Low Priority Attacks | X | -
Configure Anti-Spyware Settings: Turn on Disable SMTP Responses | X | -
Configure Anti-Spyware Settings: Turn off Disable HTTP Clientless Notification Alerts | X | -

Log > Categories
Set Logging Level: Debug | X | X
Set Alert Level: Warning | X | X

Log > Flow Reporting
Turn on Enable Flow Reporting and Visualization | X | X

Log > Name Resolution
Set Name Resolution Method to: DNS then NetBIOS | X | X

Internal Settings
Turn on Protect against TCP State Manipulation DoS | X | X
Turn on Apply IPS Signatures Bidirectionally | X | -
Enable ability to launch monitor pages in stand-alone browser frames | X | X
Enable Visualization UI for Non-Admin/Config users | X | X

Configuring One-Touch Configuration Override

This procedure describes how to configure One-Touch Configuration Override on your SonicWall network security appliance. For more detailed information on One-Touch Configuration Override, click the Preview applicable changes link next to the buttons to display a page describing the settings configured by One-Touch Configuration Override; for example:

To configure One-Touch Configuration override:
1. Navigate to the System > Settings page of the SonicWall GUI.
2. Scroll down to the One-Touch Configuration Override section.
3. Click either the DPI and Stateful Firewall Security button or the Stateful Firewall Security button.
4. A warning pop-up window reminds you that if you are connected over HTTP, you will have to manually reconnect using HTTPS after the appliance reboots. Click OK.
5. When the configuration has been applied, the Status Bar displays Restart Firewall for changes to take effect. Click Restart.
6. After the appliance restarts, navigate to the management URL of the appliance, and ensure that you are using HTTPS.
7. Log in to the appliance.

FIPS

When operating in FIPS (Federal Information Processing Standard) Mode, the SonicWall security appliance supports FIPS 140-2 Compliant security. Among the FIPS-compliant features of the SonicWall security appliance are:

PRNG based on SHA-1
Only FIPS-approved algorithms are supported (DES, 3DES, and AES with SHA-1)
CAUTION: When using the SonicWall security appliance for FIPS-compliant operation, the tamper-evident sticker that is affixed to the SonicWall security appliance must remain in place and untouched.

Topics:

Enable FIPS Mode

To enable the SonicWall security appliance to comply with FIPS:
1. Go to the System > Settings page.
2. Scroll to the bottom and select the Enable FIPS Mode option.

The FIPS Mode Verification window appears with a FIPS-mode setting compliance checklist. The checklist displays every setting in your current SonicOS configuration that violates FIPS compliance so you can change these settings. You will need to navigate around the SonicOS management interface to make the changes. The checklist for an appliance with factory default settings is shown in this procedure.

At the bottom of the dialog, the following messages may be displayed:

The SonicWall can not be operated in FIPS mode with the above settings.

Please manually change or disable settings to be compliant with FIPS mode requirement at first.

3. Click OK or Cancel.

To make your firewall compliant for FIPS, use the generated list to configure your firewall by removing configurations that are not allowed and configuring the required settings as listed in the FIPS Mode Setting Verification window.

Return to Non-FIPS Mode

To return to normal operation, clear the Enable FIPS Mode check box and reboot the SonicWall security appliance into non-FIPS mode.

NDPP

A SonicWall network security appliance can be enabled to be compliant with Network Device Protection Profile (NDPP), but certain firewall configurations are not allowed or are required.

NDPP is a part of Common Criteria certification. The security objectives for a device that claims compliance to a Protection Profile are defined as follows:

Compliant TOEs (Targets Of Evaluation) will provide security functionality that addresses threats to the TOE and implement policies that are imposed by law or regulation.
The security functionality provided includes protected communications to and between elements of the TOE; administrative access to the TOE and its configuration capabilities; system monitoring for detection of security relevant events; control of resource availability; and the ability to verify the source of updates to the TOE.
NOTE: The Enable NDPP Mode check box cannot be enabled at the same time as the Enable FIPS Mode check box, which is also on the System > Settings page.

Enable NDPP Mode

To enable NDPP and see a list of which of your current configurations are not allowed or are not present:
1. Go to the System > Settings page.
2. Scroll to the bottom and select the Enable NDPP Mode option.

The NDPP Mode Verification window appears with a list of your required and not allowed configurations. The checklist displays every setting in your current SonicOS configuration that violates NDPP compliance so you can change these settings. You will need to navigate around the SonicOS management interface to make the changes. The checklist for an appliance with factory default settings is shown in this procedure.

At the bottom of the window, the following messages may be displayed:

The SonicWall can not be operated in NDPP mode with the above settings.

Please manually change or disable settings to be compliant with NDPP mode requirement at first.

3. Click OK or Cancel.

To make your firewall compliant for NDPP, use the generated list to configure your firewall by removing configurations that are not allowed and configuring the required settings as listed in the NDPP Mode Verification window.

Return to Non-NDPP Mode

To return to normal operation, clear the Enable NDPP Mode check box and reboot the SonicWall security appliance into non-NDPP mode.

Viewing Expansion Module Information

System > Modules

The System > Modules page displays a summary of information on expansion modules that are installed on the SonicWall security appliance.

The SonicWall NSA 2400MX and NSA 250M security appliances support the following optional NSA Expansion Pack modules:

1-Port ADSL (RJ-11) Annex A module
1-Port ADSL (RJ-45) Annex B module
1-Port T1/E1 module
2-Port LAN Bypass module
2-Port SFP module
4-Port Gigabit Ethernet module (SonicWall NSA 2400MX only)

Using the Packet Monitor

System > Packet Monitor

NOTE: For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which tab it is accessed through. For information on using Packet Monitor, see Dashboard > Packet Monitor.

Using Diagnostic Tools

System > Diagnostics

The System > Diagnostics page provides several diagnostic tools that help troubleshoot network problems, as well as the Active Connections, CPU, and Process Monitors.


Tech Support Report

The Tech Support Report (TSR) generates a detailed report of the SonicWall security appliance configuration and status, and saves it to the local hard disk using the Download Report button. This file can then be e-mailed to SonicWall Technical Support to help with a problem.

TIP: You must register your SonicWall security appliance on MySonicWall to receive technical support.

Before emailing the Tech Support Report to the SonicWall Technical Support team, complete a Tech Support Request Form at https://www.MySonicWall.com/. After the form is submitted, a unique case number is returned. Include this case number in all correspondence, as it allows SonicWall Technical Support to provide you with better service.

Generating a Tech Support Report

NOTE: To hide or display the Tech Support Report (TSR) options, click the button on the far right of the section.
1. In the Tech Support Report section, select any of the following report options:
Sensitive Keys—saves all keys with sensitive data—such as authentication keys, IKE keys, wireless information, VPN tunnel information—to the report as asterisks (*). By default, this option is not selected.
ARP Cache—saves a table relating IP addresses to the corresponding MAC or physical addresses. By default, this option is not selected.
DHCP Bindings—saves entries from the SonicWall security appliance DHCP server. By default, this option is not selected.
IKE Info—saves current information about active IKE configurations. By default, this option is not selected.
SonicPointN Diagnostics—lists log data if the SonicPoint-N experiences a failure and reboots. By default, this option is not selected.
NOTE: This checkbox is only available if the SonicPoint device is enabled. For more information regarding this feature, refer to SonicPoint Diagnostics Enhancement.
List of current users—lists all currently logged in local and remote users.
NOTE: For reporting maximum user information, check both List of current users and Detail of users.
Inactive users—lists the users with inactive sessions.
Detail of users—lists additional details of user sessions, including timers, privileges, management mode if managing, group memberships, CFS policies and statistics, VPN client networks, and other information. The Current users report check box must be enabled first to obtain this detailed report.
IPv6 NDP—saves all the NDP information to the report. By default, this option is not selected.
IPv6 DHCP—saves all the DHCP information to the report. By default, this option is not selected.
Geo-IP/Botnet Cache—saves the contents of the Geo-IP/Botnet cache. By default, this option is not selected.
IP Stack Info—saves all IP stack information to the report. By default, this option is not selected.
Debug information in report—specifies whether the downloaded TSR is to contain debug information.

The TSR is organized in an easy-to-read format based on the second-level nodes of the GUI menu categories. You control whether or not to include debug information as a category at the end of the report. Debug information contains miscellaneous information that is not used by the average support engineer, but can be useful in certain circumstances.

The Debug information is enclosed by the #Debug Information_START and #Debug Information_END tags.

2. Click Download Report to save the file to your system. When you click Download Report, a warning message is displayed.
3. Click OK to save the file. Attach the report to your Tech Support Request e-mail.
4. To send the TSR, system preferences, and trace log to SonicWall Engineering (not to SonicWall Technical Support), click Send Diagnostic Reports. The Status indicator at the bottom of the page displays Please wait! while the report is sent, and then displays Diagnostic reports sent successfully. You would normally do this after talking to Technical Support.
5. To periodically send the TSR, system preferences, and trace log to MySonicWall for SonicWall Engineering, select the Enable Periodic Secure Backup of Diagnostic Reports to MySonicWall check box and enter the interval in minutes between the periodic reports in the Time Interval (minutes) field.
6. To include raw data in the TSR report, check Include raw flow table data entries when sending diagnostic report.

Diagnostic Tools

You select the diagnostic tool from the Diagnostic Tool drop-down list in the Diagnostic Tool section of the System > Diagnostics page. The following diagnostic tools are available:

Check Network Settings

Check Network Settings is a diagnostic tool that automatically checks the network connectivity and service availability of several pre-defined functional areas of SonicOS, returns the results, and attempts to describe the causes if any exceptions are detected. This tool helps you locate the problem area when users encounter a network problem.

Specifically, the Check Network Settings tool automatically tests the following functions:

Default Gateway settings
DNS settings
MySonicWall server connectivity
License Manager server connectivity
Content Filter server connectivity

The return data consists of two parts:

Test Results – Provides a summary of the test outcome
Notes – Provides details to help determine the cause if any problems exist

The Check Network Settings tool is dependent on the Network Monitor feature available on the Network > Network Monitor page of the SonicOS management interface. Whenever the Check Network Settings tool is being executed (except during the Content Filter test), a corresponding Network Monitor Policy appears on the Network Monitor page, with a special diagnostic tool policy name in the form diagTestPolicyAuto_<IP_address>_0.

To use the Check Network Settings tool, first select it in the Diagnostic Tools drop-down list and then click the Test button in the row for the item that you want to test. The results are displayed in the same row. A green check mark signifies a successful test, and a red X indicates that there is a problem.

To test multiple items at the same time, select the checkbox for each desired item and then click the Test All Selected button.

If there are any failed probes, you can click the blue arrow to the left of the IP Address field of the failed item to jump to the configuration page to investigate the root cause.

Connections Monitor


Active Connections Monitor Settings

You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Src Interface, and Dst Interface. Enter your filter criteria in the Active Connections Monitor Settings table.

The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string will look for connections matching:

Source IP AND Destination IP

Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search string will look for connections matching:

(Source IP OR Destination IP) AND Protocol

Click Apply Filter to apply the filter immediately to the Active Connections Monitor table. Click Reset Filters to clear the filter and display the unfiltered results again.
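The AND/OR semantics of the filter fields and the Group box, as an added example in Python (illustrative code, not SonicOS code); the connection records, field names, and the way the search string is rendered are assumptions made for the example.

```python
"""Added example (not SonicOS code): the AND/OR filter semantics described
for the Active Connections Monitor, applied to constructed connection records."""
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    src_iface: str
    dst_iface: str

# UI labels for the six filter fields, in the order the page lists them.
LABELS = {
    "src_ip": "Source IP",
    "dst_ip": "Destination IP",
    "dst_port": "Destination Port",
    "protocol": "Protocol",
    "src_iface": "Src Interface",
    "dst_iface": "Dst Interface",
}

def _split(criteria: Dict[str, object], group: Set[str]):
    """Separate filled-in criteria into the OR-group and the plain AND terms.
    Blank fields (value None) are ignored, as empty fields are in the UI.
    A 'group' of fewer than two fields has nothing to OR, so it is treated
    as ordinary AND terms."""
    active = [f for f in LABELS if criteria.get(f) is not None]
    grouped = [f for f in active if f in group]
    if len(grouped) < 2:
        grouped = []
    plain = [f for f in active if f not in grouped]
    return grouped, plain

def describe(criteria: Dict[str, object], group: Set[str]) -> str:
    """Render the search string the way the page shows it, e.g.
    '(Source IP OR Destination IP) AND Protocol'."""
    grouped, plain = _split(criteria, group)
    terms = []
    if grouped:
        terms.append("(" + " OR ".join(LABELS[f] for f in grouped) + ")")
    terms.extend(LABELS[f] for f in plain)
    return " AND ".join(terms)

def apply_filter(conns: List[Connection], criteria: Dict[str, object],
                 group: Set[str]) -> List[Connection]:
    """Return the connections satisfying (grouped OR ...) AND plain AND ..."""
    grouped, plain = _split(criteria, group)
    out = []
    for c in conns:
        if any(getattr(c, f) != criteria[f] for f in plain):
            continue  # a plain criterion failed: AND is false
        if grouped and not any(getattr(c, f) == criteria[f] for f in grouped):
            continue  # nothing in the OR-group matched
        out.append(c)
    return out

# Constructed sample connection table (documentation address ranges).
CONNECTIONS = [
    Connection("10.0.0.5", "203.0.113.7", 443, "TCP", "X0", "X1"),  # src and dst match
    Connection("10.0.0.5", "198.51.100.2", 53, "UDP", "X0", "X1"),  # src matches, UDP
    Connection("10.0.0.9", "203.0.113.7", 80, "TCP", "X0", "X1"),   # dst matches, TCP
    Connection("10.0.0.9", "198.51.100.2", 22, "TCP", "X0", "X1"),  # neither address
]

# The page's second example: Source IP, Destination IP and Protocol filled in.
EXAMPLE_CRITERIA = {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "protocol": "TCP"}

if __name__ == "__main__":
    for group in ({"src_ip", "dst_ip"}, set()):
        print(describe(EXAMPLE_CRITERIA, group))
        for c in apply_filter(CONNECTIONS, EXAMPLE_CRITERIA, group):
            print("   ", c)
```

With Group checked on the two address fields, two connections match; with no Group box checked the same three criteria are ANDed and only the first connection survives.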

You can export the list of active connections to a file. Click Export Results, and select if you want the results exported to a plain text file, or a Comma Separated Value (CSV) file for importing to a spreadsheet, reporting tool, or database. If you are prompted to Open or Save the file, select Save. Then enter a filename and path and click OK.

IPv6 Connections Monitor Settings

For complete information on the SonicOS implementation of IPv6, see About IPv6.

The Connections Monitor Settings are configured the same way for IPv6 and IPv4; select the radio buttons to change the view or configuration.

Active Connections Monitor

The Active Connections Monitor displays real-time, exportable (plain text or CSV), filterable views of all connections to and through the SonicWall security appliance. Click on a column heading to sort by that column.

Multi-Core Monitor

The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the SonicWall security appliance. Core 0 handles the control plane. The control plane processes all web server requests for the SonicOS UI as well as functions like FTP and VoIP control connections. Core 0 usage is displayed in green on the Multi-Core Monitor.

The remaining cores handle the data plane. To maximize processor flexibility, functions are not dedicated to specific cores; instead all cores can process all data plane tasks. Memory is shared across all cores. Firewall processing is displayed in grey for the data plane cores, and all other processing is displayed in blue.

NOTE: High utilization on Core 0 is normal while browsing the Web management interface and applying changes. All Web management requests are processed by Core 0 and do not impact the other cores. Traffic handling and other critical, performance-oriented and system tasks are always prioritized by the scheduler, and will never be impacted by web management usage.

Packet ordering and synchronization is maintained by assigning a unique tag to each unique flow. A flow is defined by five pieces of information: source IP address and port number, destination IP address and port number, and the protocol. To ensure that TCP and firewall states are properly maintained, each flow is processed by a single core. Each core can process a separate flow simultaneously, allowing for up to sixteen flows to be processed in parallel.

Core Monitor

The Core Monitor displays dynamically updated statistics on the utilization of a single specified core on the SonicWall NSA E-Class series security appliances. The View Style provides a wide range of time intervals that can be displayed to review core usage.

NOTE: High utilization on Core 0 is normal while browsing the Web management interface and applying changes. All Web management requests are processed by Core 0 and do not impact the other cores. Traffic handling and other critical, performance-oriented and system tasks are always prioritized by the scheduler, and will never be impacted by web management usage.

Link Monitor

The Link Monitor displays bandwidth utilization for the interfaces on the SonicWall security appliance. Bandwidth utilization is shown as a percentage of total capacity. The Link Monitor can be configured to display inbound traffic, outbound traffic or both for each of the physical interfaces on the appliance.

Packet Size Monitor

The Packet Size Monitor displays sizes of packets on the interfaces on the SonicWall security appliance. You can select from four time periods, ranging from the last 30 seconds to the last 30 days.

The Packet Size Monitor can be configured to display inbound traffic, outbound traffic or both for each of the physical interfaces on the appliance.

1. Select one of the following from the View Style drop-down list:
Last 30 Seconds
Last 30 Minutes
Last 24 Hours
Last 30 Days
2. Select the physical interface to view from the Interface Name drop-down list.
3. In the Direction drop-down list, select one of the following:
Both – Select for packets traveling both inbound and outbound
Ingress – Select for packets arriving on the interface
Egress – Select for packets departing from the interface

The packets are displayed in the Average Packet Size graph, where the X axis specifies when the packets crossed the interface and the Y axis specifies the average packet size at that time. Ingress packets are displayed in green, and egress packets are displayed in red.

DNS Name Lookup

The SonicWall security appliance has a DNS lookup tool that returns the IP address of a domain name. Or, if you enter an IP address, it returns the domain name for that address.

To perform a DNS name lookup:
1. Enter the host name or IP address in the Look up name field. Do not add http to the host name.
2. The SonicWall security appliance queries the DNS Server and displays the result in the Result section. It also displays the IP address of the DNS Server used to perform the query.

The DNS Name Lookup section also displays the IP addresses of the DNS Servers configured on the SonicWall security appliance. If there is no IP address or IP addresses in the DNS Server fields, you must configure them on the Network > Settings page.

IPv6 DNS Name Lookup

For complete information on the SonicOS implementation of IPv6, see About IPv6.

The IPv6 DNS Name Lookup tool looks up the IPv6 address for a domain name. Or, if you enter an IPv6 address, it looks up the domain name for that address.

When performing IPv6 DNS Lookup or IPv6 Reverse Name Lookup, you must enter the DNS server address. Either an IPv6 or IPv4 address can be used.

To use the IPv6 DNS Name Lookup tool:
1. Enter either an IPv4 DNS server address in the DNS Server(V4) field or an IPv6 DNS server address in the DNS Server(V6) field.
2. In the Reverse Lookup the IP Address field, enter either the domain name that you want to know the IPv6 address for or the IPv6 address that you want to know the domain name for.
3. Click Go.

The appliance returns the matching pair of IPv6 address and domain name.

Find Network Path

Find Network Path indicates if an IP host is located on the LAN or WAN ports. This can diagnose a network configuration problem on the SonicWall security appliance. For example, if the SonicWall security appliance indicates that a computer on the Internet is located on the LAN, then the network or Intranet settings may be misconfigured.

Find Network Path can be used to determine if a target device is located behind a network router and the Ethernet address of the target device. It also displays the gateway the device is using and helps isolate configuration problems.

Ping

The Ping test bounces a packet off a machine on the Internet and returns it to the sender. This test shows if the SonicWall security appliance is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server, or another machine at the ISP location. If the test is unsuccessful, try pinging devices outside the ISP. If you can ping devices outside of the ISP, then the problem lies with the ISP connection.

1. Select Ping from the Diagnostic Tool menu.
2. Enter the IP address or host name of the target device and click Go.
3. In the Interface drop-down menu, select which WAN interface you want to test the ping from. Selecting ANY allows the appliance to choose among all interfaces—including those not listed in the drop-down menu.
4. If the test is successful, the SonicWall security appliance returns a message saying the IP address is alive and the time to return in milliseconds (ms).

Ping for IPv6

For complete information on the SonicOS implementation of IPv6, see About IPv6.

The ping tool includes a Prefer IPv6 networking option.

When pinging a domain name, it uses the first IP address that is returned and shows the actual pinging address. If both an IPv4 and IPv6 address are returned, by default, the firewall pings the IPv4 address.

If the Prefer IPv6 networking option is enabled, the firewall will ping the IPv6 address.

Core 0 Process Monitor

The Core 0 Process Monitor shows the individual system processes on core 0, their CPU utilization, and their system time. The Core 0 process monitor is only available on the multi-core NSA E-Class appliances.

Real-Time Black List Lookup

The Real-Time Black List Lookup tool allows you to test SMTP IP addresses, RBL services, or DNS servers. Enter an IP address in the IP Address field, a FQDN for the RBL in the RBL Domain field and DNS server information in the DNS Server field. Click Go.

Reverse Name Resolution

The Reverse Name Resolution tool is similar to the DNS name lookup tool, except that it looks up a server name, given an IP address.

Enter an IP address in the Reverse Lookup the IP Address field, and it checks all DNS servers configured for your security appliance to resolve the IP address into a server name.

IPv6 Reverse Name Resolution

For complete information on the SonicOS implementation of IPv6, see About IPv6.

The IPv6 Reverse Name Resolution tool looks up the server name for a given IPv6 address.

To use the tool:
1. Enter either an IPv4 DNS server address in the DNS Server(V4) field or an IPv6 DNS server address in the DNS Server(V6) field.
2. Enter the IPv6 address that you want to know the server name for in the Reverse Lookup the IP Address field.
3. Click Go.

The appliance will return the server name for the IPv6 address.

Connection Limit TopX

The Connection Limit TopX tool lists the top 10 connections by the source and destination IP addresses:

From Zone
To Zone
Priority
Source
Destination
Service
Users Incl. (Included)
Users Excl. (Excluded)
Comment

The listed Access Rules are those policies that are enabled and on which source or destination IP address connection limiting is enabled.

NOTE: Before you can use this tool, you must enable source IP limiting and/or destination IP limiting for your appliance. Navigate to the Firewall > Access Rules page and enable connection limiting on the desired access rules.

Check GEO Location and BOTNET Server Lookup

The Geo-IP and Botnet Filtering features allow you to block connections to or from a geographic location based on IP address, and to or from Botnet command and control servers. Additional functionality for these features is available on the Security Services > Geo-IP and Botnet Filter pages. For full details, see Security Services > Geo-IP Filter and Security Services > Botnet Filter.

MX Lookup and Banner Check

The MX Lookup and Banner Check tool allows you to look up a domain or IP address. Your configured DNS servers are displayed in the DNS Server 1/2/3 fields, but are not editable. After you type a domain name, such as “google.com”, into the Lookup name or IP field and click Go, the output is displayed under Result. The results include the domain name or IP address that you entered, the DNS server from your list that was used, the resolved email server domain name and/or IP address, and the banner received from the domain server or a message that the connection was refused. The contents of the banner depend on the server you are looking up.

Trace Route

Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on the Internet. By using Internet Control Message Protocol (ICMP) echo packets similar to Ping packets, Trace Route can test interconnectivity with routers and other hosts that are farther and farther along the network path until the connection fails or until the remote host responds.

1. Select Trace Route from the Diagnostic Tool menu.
2. Type the IP address or domain name of the destination host in the TraceRoute this host or IP address field.
3. In the Interface drop-down menu, select which interface you want to test the trace route from. Selecting ANY allows the appliance to choose among all interfaces—including those not listed in the drop-down menu.
4. Click Go.

A second window displays with each hop to the destination host. By following the route, you can diagnose where the connection fails between the SonicWall security appliance and the destination.

TraceRoute for IPv6

For complete information on the SonicOS implementation of IPv6, see About IPv6.

The TraceRoute tool includes a Prefer IPv6 networking option.

When testing interconnectivity with routers and other hosts, it uses the first IP address that is returned and shows the actual TraceRoute address. If both an IPv4 and IPv6 address are returned, by default, the firewall will TraceRoute the IPv4 address.

If the Prefer IPv6 networking option is enabled, the firewall will TraceRoute the IPv6 address.

PMTU Discovery

PMTU Discovery is a diagnostic tool that determines the maximum transmission unit (MTU) on the network path between the SonicWall security appliance and a remote host. It is used to avoid IP fragmentation of traffic between the two hosts.

For IPv4 packets, Path MTU Discovery works by setting the "Don't Fragment" (DF) bit in the IP headers of outgoing packets. When the DF bit is set for a packet, and the packet traverses a device with an MTU smaller than the packet size, the device drops the packet and sends back an ICMP Fragmentation Needed message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process repeats until the MTU is small enough to traverse the entire path without fragmentation. IPv6 functions similarly, but the DF bit is not required: IPv6 devices automatically send an ICMPv6 Packet Too Big message if the packet exceeds the device's MTU.

By determining the MTU size on a network path and configuring the MTU for your SonicWall security appliance below the path MTU size, you avoid the potential delay caused by negotiation of the MTU size and other MTU-related network issues.

To configure Path MTU Discovery:
1. On the System > Diagnostics page, select PMTU Discovery for the Diagnostic Tool.
2. In the Path MTU Discovery to this host or IP address field, enter the IP address or host name that you want to measure the Path MTU for. This can be either an IPv4 or IPv6 address.
3. Optionally, in the Interface drop-down menu, you can select one of the configured WAN interfaces on the appliance to check the Path MTU for that interface. When the Interface drop-down menu is set to ANY, the appliance chooses among all of its interfaces.
4. Click Go. The Path MTU Discovery results are displayed in a pop-up window.
NOTE: If you do not see this window, ensure your browser allows pop-ups for the SonicWall GUI.

The following example shows the Path MTU Discovery for the route between 192.168.168.168 and 58.63.236.236. The smallest MTU is 1492 bytes between 9.9.9.8 and 0.103.48.1.
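The DF-bit probe loop described above, as an added simulation in Python (not SonicOS code): a constructed path of hops with link MTUs, an IPv4 mode that only rejects DF-marked probes and an IPv6 mode that rejects any oversized probe. Hop names and MTUs are made up for the example; the 1492-byte hop mirrors the smallest MTU in the page's figure.

```python
"""Added example (not SonicOS code): a simulation of the Path MTU Discovery
loop the page describes, for IPv4 (DF bit + ICMP Fragmentation Needed) and
IPv6 (ICMPv6 Packet Too Big, no DF bit). The path and its MTUs are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_MIN_MTU = 68      # RFC 791: every IPv4 link must carry at least this
IPV6_MIN_MTU = 1280    # RFC 8200: IPv6 routers never fragment, links carry >= 1280

@dataclass(frozen=True)
class Hop:
    router: str
    mtu: int           # MTU of the link this router forwards onto

@dataclass(frozen=True)
class Probe:
    size: int
    df: bool           # IPv4 "Don't Fragment"; irrelevant for IPv6

def forward(path: List[Hop], probe: Probe, ipv6: bool) -> Optional[Tuple[str, int]]:
    """Send one probe down the path.
    Returns None when the probe reaches the far end, or (router, mtu) for
    the hop that rejects it: an IPv4 router drops a DF packet larger than
    its MTU and answers ICMP Fragmentation Needed carrying that MTU; an
    IPv6 router answers ICMPv6 Packet Too Big for any oversized packet.
    Without DF an IPv4 router fragments silently, which is exactly the
    behaviour PMTU discovery exists to avoid."""
    for hop in path:
        if probe.size > hop.mtu:
            if ipv6 or probe.df:
                return hop.router, hop.mtu
            # IPv4, DF clear: fragmented in transit, probe continues
    return None

def discover_pmtu(path: List[Hop], start: int = 1500,
                  ipv6: bool = False) -> Tuple[int, List[Tuple[int, str, int]]]:
    """Repeat the page's loop: send the current candidate size with DF set,
    shrink to the MTU advertised in the error, stop once a probe gets through.
    Returns (path MTU, log of (probe size, rejecting router, advertised MTU))."""
    floor = IPV6_MIN_MTU if ipv6 else IPV4_MIN_MTU
    size = start
    log: List[Tuple[int, str, int]] = []
    while True:
        reply = forward(path, Probe(size, df=True), ipv6)
        if reply is None:
            return size, log
        router, mtu = reply
        log.append((size, router, mtu))
        # Guard against a bogus or non-shrinking advertisement, which would
        # otherwise loop forever or drive the MTU below the protocol minimum.
        if mtu >= size or mtu < floor:
            raise ValueError(f"implausible MTU {mtu} advertised by {router}")
        size = mtu

# Constructed path: an Ethernet gateway, a PPPoE-style 1492-byte edge link,
# a 1400-byte tunnel, then a 1500-byte link to the destination.
PATH = [
    Hop("gw", 1500),
    Hop("pppoe-edge", 1492),
    Hop("tunnel-ingress", 1400),
    Hop("far-edge", 1500),
]

if __name__ == "__main__":
    pmtu, steps = discover_pmtu(PATH)
    for size, router, mtu in steps:
        print(f"{size}-byte DF probe rejected by {router}: MTU {mtu}")
    print(f"path MTU = {pmtu}; configure the interface MTU at or below this")
```

The result is the value the page tells you to stay at or below when setting the appliance interface MTU; the IPv4 run without DF shows why an MTU problem can stay hidden as silent fragmentation.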

Web Server Monitor

The Web Server Monitor tool displays the CPU utilization of the Web server over several periods of time. The time frame of the Web Server Monitor can be changed by selecting one of the following options in the View Style drop-down menu: last 30 seconds, last 30 minutes, last 24 hours, or last 30 days.

User Monitor

The User Monitor tool displays details on all user connections to the SonicWall security appliance.

The following options can be configured to modify the User Monitor display:

View Style – Select whether to display the Last 30 Minutes, the Last 24 Hours, or the Last 30 Days.
Vertical Axis – Select whether the scale of the vertical axis should be set for 10, 100, or 1000 users.
Show – Select whether to show All Users, All Non-Guest Users, Users Authenticated by Single-Sign-On, Remote Users via SSL VPN, Remote Users with GVC/L2TP Client, Users Authenticated by Web Login, or Guest Users.


Restarting the SonicWall Appliance

System > Restart

The SonicWall security appliance can be restarted from the Web Management interface.

1. Navigate to the System > Restart page.
2. Click Restart…. A confirmation message displays.
3. Click Yes to confirm the restart.

The SonicWall security appliance takes approximately 60 seconds to restart, and the yellow Test light is lit during the restart. During the restart time, Internet access is momentarily interrupted on the LAN.