
SonicOS 5.9 Admin Guide

Wizards

Configuring Internet Connectivity

Wizards > Setup Wizard

The first time you log into your SonicWall appliance, the Setup Wizard is launched automatically. To launch the Setup Wizard at any time from the management interface, click Wizards in the top right corner, and select Setup Wizard.

* 
TIP: You can also configure all your WAN and network settings on the Network > Settings page of the SonicOS management interface

Using the Setup Wizard

The Setup Wizard helps you configure the following settings:

WAN networking mode and WAN network configuration
3G or Analog Modem configuration (SonicWall TZ series)
LAN network configuration
Wireless LAN network configuration (wireless devices)

Configuring a Static IP Address with NAT Enabled

Using NAT to set up your SonicWall eliminates the need for a public IP address for every computer on your LAN. It conserves addresses from the limited pool of public IPv4 addresses, and it keeps the addressing scheme of your network from being visible outside. If you do not have enough public IP addresses for all computers on your network, use NAT for your network configuration.

Essentially, NAT rewrites the IP addresses of one network into addresses belonging to a different network. As packets from the LAN pass through the SonicWall, their private (LAN) source addresses are replaced with a public address from a fixed pool, so the actual addresses of computers on the LAN are never seen from outside, and an unsolicited inbound packet has no internal address to reach unless a NAT policy and an access rule deliberately publish one. NAT is an address-translation mechanism, not a packet filter; the protection against outside intrusion comes from the access rules the SonicWall applies alongside it.

This section describes configuring the SonicWall appliance in the NAT mode. If you are assigned a single IP address by your ISP, follow the instructions below.

* 
TIP: Be sure to have your network information including your WAN IP address, subnet mask, and DNS settings ready. This information is obtained from your ISP.

Start the Setup Wizard

1
Click Wizard on the top right corner of the SonicOS management interface. The Configuration Wizard Welcome page displays.

* 
NOTE: The Wireless Wizard displays only on wireless appliances.
2
Select Setup Wizard.
3
Click Next.
4
If you have:
A TZ wireless appliance, the Deployment Scenario page displays; go to Select Deployment Scenario (TZ Wireless Series Appliance only)
Any other appliance, the Change Administrator Password page displays; go to Change Administrator Password

Select Deployment Scenario (TZ Wireless Series Appliance only)

1
On a SonicWall TZ wireless appliance, select the appropriate deployment scenario for your network:
No Wireless – The wireless radio is turned off.
Office Gateway - Provides secure access for wired and wireless users.
Wireless Client Bridge – Operates in Wireless Client Bridge mode to securely bridge two networks.
Secure or Open Access Point - Adds secure wireless access to an existing wired network. When selecting this mode, the wizard skips the steps for configuring the LAN interface.
2
Click Next. The Change Administrator Password page displays.

Change Administrator Password

* 
NOTE: Changing your password is optional, but recommended. To skip this page, click Next.

1
Enter your existing password in the Old Password field.
2
Enter a new password in the New Password and Confirm fields. The password can be a combination of letters and numbers of up to 32 characters. Use most of that length rather than a short word: this account is the full administrative login for the appliance, and it is the first thing an attacker who can reach the management interface will guess at.
* 
TIP: It is very important to choose a password that cannot be easily guessed by others.
3
Click Next. The Change Time Zone page displays.

Change Time Zone

* 
NOTE: Changing the time is optional. You can always change the time later on the System > Time page. To skip this page, click Next.
1
Select the appropriate time zone from the Time Zone menu. The SonicWall’s internal clock is set automatically by a Network Time Server on the Internet.
2
To have the time adjusted for Daylight Saving Time, click Automatically adjust clock for daylight saving time. This option is selected by default.
3
Click Next.

Configure Modular Device Type

1
If you are setting up
A SonicWall TZ series appliance that supports 3G/4G devices for Wireless WAN connection over cellular networks, or supports analog modem devices for dial-up WAN connection, select the type of device:
Any other SonicWall appliance, select None (default) and then go to WAN Network Mode
Configure 3G/4G (SonicWall TZ Series Appliance only)

1
If you are setting up a SonicWall TZ series appliance that supports 3G/4G devices for Wireless WAN connection over cellular networks, select how you will use the 3G/4G device:
Yes, I will use 3G/4G for primary or backup Internet connectivity.
No, I will not use 3G/4G at this time.
2
Click Next.
3
If you selected:
No, the WAN Network Mode page displays; go to WAN Network Mode.
Yes, the WAN Failover 3G/4G/Modem Connection page displays.
WAN Failover 3G/4G/Modem Connection

1
If you chose to use the 3G/4G, select the Country, Service Provider, and Plan Type information for the 3G/4G device from the respective drop-down menus. If you do not see an appropriate country, service provider, or plan type, you must select Other.
* 
NOTE: The Plan Type options change with the Service Provider selected, and the Service Provider options change with the Country selected.
2
Click Next.
3
If, in Step 1, you selected:
A country, service provider, and plan type, you are asked to verify your account information.

* 
NOTE: If you do not know this information at this time, you can configure it later from the
If you selected Other for country, service provider, or plan, you are asked to complete your account information.

4
Click NEXT.
5
Configure Modem (SonicWall TZ Series Appliance only)

1
If you are setting up a SonicWall TZ series appliance that supports analog modem devices for dial-up WAN connection, select how you will use the modem:
As your primary internet connection: select Yes - I will use a dialup account as a primary or backup Internet connection.
Not use the modem (default): select No - I will not use the modem at this time and then go to Step 2.
2
Click Next.
3
If you selected:
No, the WAN Network Mode page displays; go to WAN Network Mode.
Yes, the WAN Failover Dialup Connection page displays.
WAN Failover Dialup Connection

1
Enter the WAN Failover Dialup Connection information in these fields: Profile Name, Phone Number, User Name, Password, and Confirm Password.
* 
NOTE: You can configure this information later.
2
Click Next.
WAN Network Mode

1
Confirm that you have the proper network information necessary to configure the SonicWall to access the Internet.
* 
TIP: Click the underlined hyperlinks for definitions of the networking terms.

You can choose:

Static IP (router-based connection) if your ISP assigns you a specific IP address or group of addresses. As every IP on your network must be unique, do not assign your SonicWall appliance an IP address that is used by another device on your network.
DHCP (cable/modem-based connection) if your ISP automatically assigns you a dynamic IP address.
PPPoE (DSL connection) if your ISP provided you with client software, a user name, and a password to connect to the internet.
PPTP (VPN connection) if your ISP provided you with a server IP address, a user name, and password to connect to the internet.
2
Click NEXT.
3
Depending on your connection type, go to the corresponding section:
 

Connection Type – Go to this section

Static IP – WAN Network Mode: NAT Enabled
DHCP – WAN Network Mode: NAT with DHCP Client
PPPoE – WAN Network Mode: NAT with PPPoE Client
PPTP – WAN Network Mode: NAT with PPTP Client

WAN Network Mode: NAT Enabled

* 
NOTE: The Setup Wizard populates the fields automatically. You can retain these settings or change them.
1
Enter the public IP address provided by your ISP in the SonicWall WAN IP Address field.
2
Fill in the rest of the fields: WAN Subnet Mask, Gateway (Router) Address, and DNS Server Address and, optionally, DNS Server Address #2.
3
If HTTPS management will be used on the specified WAN interface, select Allow HTTPS on this WAN Interface. This option is enabled by default.
* 
CAUTION: Allowing HTTPS management on the WAN exposes the appliance's administrative login to every address on the Internet, where it is subject to password guessing and to any flaw in the management interface. Clear this option unless you need remote management; if you do enable it, set a strong administrator password (see Change Administrator Password) and, after the wizard completes, restrict the source addresses that may reach the management service.
4
If Ping will be used on the specified WAN interface, select Allow Ping on the WAN Interface. This option is enabled by default. Answering ping from the WAN confirms to anyone probing that the address is live; clear it unless your ISP or your monitoring requires it.
5
Click Next.
6
Proceed to LAN Settings.
WAN Network Mode: NAT with DHCP Client

DHCP is a networking mode that allows you to obtain an IP address for a specific length of time from a DHCP server. The length of time is called a lease, which is renewed by the DHCP server typically after a few days. When the lease is ready to expire, the client contacts the server to renew the lease. This is a common network configuration for customers with cable or DSL modems. You are not assigned a specific IP address by your ISP.

The WAN Network Mode: NAT with DHCP Client page states that the SonicWall's DHCP client will attempt to obtain an IP address dynamically from your ISP's DHCP server.

1
If HTTPS management will be used on the specified WAN interface, select Allow HTTPS on this WAN Interface. This option is enabled by default.
* 
CAUTION: Allowing HTTPS management on the WAN exposes the appliance's administrative login to every address on the Internet, where it is subject to password guessing and to any flaw in the management interface. Clear this option unless you need remote management; if you do enable it, set a strong administrator password (see Change Administrator Password) and, after the wizard completes, restrict the source addresses that may reach the management service.
2
If Ping will be used on the specified WAN interface, select Allow Ping on the WAN Interface. This option is enabled by default. Answering ping from the WAN confirms to anyone probing that the address is live; clear it unless your ISP or your monitoring requires it.
3
Click Next.
4
Proceed to LAN Settings.
WAN Network Mode: NAT with PPPoE Client

NAT with PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a remote site using various Remote Access Service products. This protocol is typically found when using a DSL modem with an ISP requiring a user name and password to log into the remote server. The ISP may then allow you to obtain an IP address automatically or give you a specific IP address.

1
Select how the appliance obtains its WAN address over PPPoE:
To have the SonicWall appliance discover the PPPoE server on the WAN and accept the address it assigns, select the Obtain an IP Address Automatically check box. This option is enabled by default.
If your ISP gave you a fixed address, select the Use the following IP Address check box and enter that address in the field.
2
Enter the user name and password provided by your ISP into the PPPoE User Name and PPPoE Password fields.
3
Optionally, to have the session disconnect after a period of inactivity, select the Inactivity Disconnect (minutes) check box and specify the time in the field. The default time is 10 minutes. This option is disabled by default.
4
If HTTPS management will be used on the specified WAN interface, select Allow HTTPS on this WAN Interface. This option is enabled by default.
* 
CAUTION: Allowing HTTPS management on the WAN exposes the appliance's administrative login to every address on the Internet, where it is subject to password guessing and to any flaw in the management interface. Clear this option unless you need remote management; if you do enable it, set a strong administrator password (see Change Administrator Password) and, after the wizard completes, restrict the source addresses that may reach the management service.
5
If Ping will be used on the specified WAN interface, select Allow Ping on the WAN Interface. This option is enabled by default. Answering ping from the WAN confirms to anyone probing that the address is live; clear it unless your ISP or your monitoring requires it.
6
Click Next.
7
Proceed to LAN Settings.
WAN Network Mode: NAT with PPTP Client

NAT with PPTP Client mode uses Point to Point Tunneling Protocol (PPTP) to connect to a remote server. It exists to support older Microsoft-style implementations that require tunneled connectivity. PPTP is a legacy protocol: its usual authentication (MS-CHAPv2) and encryption (MPPE) are cryptographically broken, so do not rely on the link for confidentiality, and use this mode only if your ISP offers no other connection type.

1
Enter the PPTP Server IP Address, PPTP User Name, and PPTP Password in their respective fields.
2
Select how the appliance should obtain an IP address:
Automatically; click the Obtain an IP Address Automatically radio button. This is enabled by default.
From a specific IP address; do the following:
Click the Use the following IP Address radio button.
Enter the SonicWall WAN IP Address, WAN Subnet Mask, and Gateway (Router) Address in their respective fields.
3
If HTTPS management will be used on the specified WAN interface, select Allow HTTPS on this WAN Interface. This option is enabled by default.
* 
CAUTION: Allowing HTTPS management on the WAN exposes the appliance's administrative login to every address on the Internet, where it is subject to password guessing and to any flaw in the management interface. Clear this option unless you need remote management; if you do enable it, set a strong administrator password (see Change Administrator Password) and, after the wizard completes, restrict the source addresses that may reach the management service.
4
If Ping will be used on the specified WAN interface, select Allow Ping on the WAN Interface. This option is enabled by default. Answering ping from the WAN confirms to anyone probing that the address is live; clear it unless your ISP or your monitoring requires it.
5
Click Next.
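Whichever WAN mode you chose, the Allow HTTPS and Allow Ping options deserve a check from the outside once the wizard has applied the configuration. The script below is an added example, not part of the SonicOS guide or any SonicWall tool: it attempts TCP handshakes to the management ports on the WAN address from wherever it is run, so it must be run from a host outside the firewall (a cloud VM, a phone tether) to mean anything. The default target is a TEST-NET placeholder, not an address from this guide; pass your real WAN IP as the first argument.

```python
"""Check whether management services answer on the WAN address.

Added example, not part of the SonicOS guide. Run it from a host outside
the firewall against the WAN IP you entered in the wizard. With
'Allow HTTPS on this WAN Interface' at its default, TCP 443 completes a
handshake; with it cleared, the connection is refused or times out. The
target address below is a TEST-NET placeholder, not from the guide.
"""
import socket
import sys

# Ports an appliance may answer on for management; 443 is the one the
# wizard option controls, 80 and 22 are included as a sanity check.
MANAGEMENT_PORTS = {443: "HTTPS management", 80: "HTTP management", 22: "SSH management"}


def tcp_port_open(host, port, timeout=3.0):
    """True if a full TCP handshake completes to host:port within timeout.

    Connection refused (closed port) and a timeout (dropped by the firewall)
    both return False; the caller only needs to know whether it is reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host, ports=None, timeout=3.0):
    """Probe each port and return {port: description} for those that accept connections."""
    ports = MANAGEMENT_PORTS if ports is None else ports
    return {p: desc for p, desc in ports.items() if tcp_port_open(host, p, timeout)}


def verdict(exposed):
    """One-line result suitable for a change record."""
    if not exposed:
        return "PASS: no management ports reachable from the WAN"
    detail = ", ".join(f"{p} ({d})" for p, d in sorted(exposed.items()))
    return "FAIL: management reachable from the WAN on " + detail


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder WAN IP
    print(verdict(exposed_services(target)))
```

A PASS obtained from inside the LAN proves nothing, because the LAN-side management interface is supposed to answer. For the Ping option, run `ping -c 1 <wan-ip>` from the same external host; a reply means Allow Ping on the WAN Interface is still enabled.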

LAN Settings

* 
NOTE: On a SonicWall TZ series appliance, the LAN Settings and LAN DHCP Server settings are displayed only if you selected the Office Gateway deployment scenario.

The LAN Settings page allows the configuration of the SonicWall LAN IP Address and the LAN Subnet Mask. The SonicWall LAN IP Address is the private IP address assigned to the LAN port of the SonicWall. The LAN Subnet Mask defines the range of IP addresses on the LAN.

1
The default values provided by the SonicWall work for most networks. If you do not use the default settings, enter your preferred private IP address and subnet mask in the SonicWall LAN IP Address and LAN Subnet Mask fields.
2
Click Next.
LAN DHCP Settings

The LAN DHCP Settings page configures the SonicWall DHCP Server. If enabled, the SonicWall appliance configures the IP settings of computers on the LAN automatically.

1
To enable the DHCP server, select Enable DHCP Server on LAN, and in the LAN Address Range fields specify the range of IP addresses that are assigned to computers on the LAN.
* 
NOTE: If you disable the DHCP server by deselecting Enable DHCP Server on LAN, you must configure each computer on your network with a static IP address on your LAN.
2
Click Next.

Ports Assignment (TZ Series and NSA 220/240/2400 MX Appliances only)

TZ Series and NSA 220/240 Appliances

NSA 2400 MX Appliances

3
Optionally, you can configure the initial PortShield group assignments for your appliance now, or do it later with the PortShield Interface Wizard. For how to configure the initial PortShield group assignments, see Step 4 in Using the PortShield Interface Wizard.
* 
NOTE: To see the current ports on the appliance for the Use Current option, mouse over the Information icon to display a tooltip. The ports listed depend on the appliance's configuration.

If you click on the radio button for any other option, the configuration for the appliance is displayed at the bottom of the page. The display differs by option and appliance.

Select one of the PortShield group options:

Use Current
WAN/LAN Only (NSA 2400 MX)
Default WAN/LAN Switch or WAN/LAN Switch (NSA 2400 MX)
WAN/DMZ/LAN Switch Only (NSA 2400 MX)
WAN/OPT/LAN Switch or WAN/DMZ/LAN Switch (NSA 2400 MX)
WAN/LAN/LAN2 Switch
MX Mode
4
Click Next. The SonicWall Configuration Summary page displays.
* 
NOTE: This page displays how you have configured your appliance.

SonicWall Configuration Summary

1
The Configuration Summary page displays the configuration defined using the Setup Wizard. If the configuration is correct, click Apply.
* 
NOTE: To modify any of the settings, click Back to return to the Connecting to the Internet page.

The SonicWall appliance stores the network settings. A message appears while the configuration is being updated.

When the configuration has been updated, the Setup Wizard Complete page displays.

2
Click Close to return to the SonicOS management interface.

Configuring PortShield Assignment (TZ Series, NSA 220/240, NSA 2400 MX Only)

Using the PortShield Interface Wizard

You use the PortShield Interface Wizard to select the initial port assignments in the integrated managed LAN switch of the SonicWall appliance.

To select the ports assignment:
1
Click Wizards in the upper right corner of the SonicWall management interface. The Wizard Welcome page displays.

2
Select the PortShield Interface Wizard by clicking its radio button.
3
Click Next. The Ports Assignment page displays. The options on this page depend on your appliance.
TZ Series and NSA 220/240 Appliances

NSA 2400 MX Appliances

4
Select how ports are to be assigned:
Use Current – This setting keeps your current settings. This option is selected by default.

To see the current port settings, mouse over the Information icon. A popup tooltip displays the current port assignments:

* 
NOTE: For the rest of the options, the port configuration displays after the last option. The configuration varies by appliance for each option.
WAN/LAN Only (NSA 2400 MX only)

Basic WAN/LAN Switch

WAN/LAN Switch (NSA 2400 MX only)

WAN/DMZ/LAN Only (NSA 2400 MX only)

WAN/OPT/LAN Switch

WAN/DMZ/LAN Switch (NSA 2400 MX only)

WAN/LAN/LAN2 Switch

MX Mode (NSA 2400 MX only)

5
Click Next. The SonicWall Configuration Summary page displays.

* 
NOTE: To modify the settings, click Back to return to the Ports Assignment page.
6
If the configuration is correct, click Apply.

The SonicWall appliance stores the network settings. A message appears while the configuration is being updated.

When the configuration has been updated, the PortShield Wizard Complete page displays.

7
Click Close to return to the SonicOS management interface.

 

Providing Public Access to an Internal Server

Wizards > Public Server Wizard

Configuring a Public Server

1
Click Wizard on the top right corner of the SonicOS management interface. The Configuration Wizard Welcome dialog displays.

2
Select Public Server Wizard.
3
Click Next. The Public Server Type page displays.

4
Select the type of server from the Server Type drop-down menu. Selecting a server type displays only the services commonly associated with that server type.

Server Types and Associated Services

Web Server – HTTP (TCP 80), HTTPS (TCP 443)
FTP Server – FTP (TCP 21)
Mail Server – SMTP (TCP 25), POP3 (TCP 110), IMAP (TCP 143)
Terminal Services Server – Microsoft RDP (TCP 3389), Citrix ICA (TCP 1494)
Other – Select a service from the Services drop-down menu

5
The Public Server Wizard enables all the associated services automatically. Deselect any service you don't want. Each selected service becomes part of the NAT policy and access rule that expose the server to the WAN, so enable only the services the server actually provides.
* 
NOTE: At least one service must be selected. If a desired service is not listed for a particular server type, select Other for Server Type. You can create a new service or define a service group that encompasses all your needs. See Creating a New Service or Creating a New Group.
6
Click Next. The Server Private Network Configuration page displays.

7
Enter the name of the server in the Server Name field.
8
Enter the private IP address of the server in the Server Private IP Address field. Specify an IP address in the range of addresses assigned to the zone where you want to put this server. The Public Server Wizard assigns the server automatically to the zone in which its IP address belongs.
9
Optionally, add a comment in the Server Comment field.
10
Click Next. The Server Public Information page displays.

11
Enter the public IP address of the server in the Server Public IP Address field. The default is the WAN public IP address. If you enter a different IP, the Public Server Wizard creates an address object for that IP address and binds the address object to the WAN zone.
12
Click Next. The Public Server Configuration Summary page displays a summary of the configuration you selected in the wizard.

Server Address Objects - The Public Server Wizard creates an address object for the new server. Because the IP address of the server in the example is in the range assigned to the DMZ, the wizard binds the address object to the DMZ zone and names it with the server name you specified plus _private. If you specify an IP in the range of another zone, the wizard binds the address object to that zone. If you specify an IP address outside the range of every zone you have configured, the wizard binds the address object to the LAN zone.

Because the server in the example used the default WAN IP address for the Server Public IP Address, the wizard states that it will use the existing WAN address object when constructing policies between the new server and the WAN. If you specify another address, the wizard creates an object for that address bound to the WAN zone and names it with the server name plus _public.

Server Service Group Object - The Public Server Wizard creates a service group object for the services used by the new server. Because the server in the example is a Web server, the service group includes HTTP and HTTPS. This gives you a single group to refer to when creating or editing access policies for this server.
Server NAT Policies - The Public Server Wizard creates a NAT policy that translates the destination address of every incoming packet that matches a service in the new service group and is addressed to the WAN address to the address of the new server. In this example, a packet for HTTPS arriving addressed to the WAN interface (10.0.93.43) has its destination rewritten to 172.22.2.44.

The Public Server Wizard also creates a loopback NAT policy that translates HTTP and HTTPS traffic from inside your network addressed to the WAN IP address back to the address of the Web server, so internal clients can reach it by its public address.

Server Access Rules - The Public Server Wizard creates an access rule allowing traffic for the services in the new service group from the WAN zone to the DMZ. The rule's source is the whole WAN zone, so the published services are reachable from any Internet address; if only known peers need the server, tighten the rule's source after the wizard finishes.
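The objects the summary page lists are easier to reason about when laid out as data and checked against a packet. The model below is an added example written for this page; it is not SonicOS code and it talks to no firewall. The two addresses are the guide's (Web server 172.22.2.44 in the DMZ, published on the WAN address 10.0.93.43). The zone subnets, the service list, the object names and the assumption that traffic from the internal zones to the DMZ is allowed by default are constructed for the example. It also illustrates the point made in Configuring a Static IP Address with NAT Enabled: an inbound packet reaches an internal host only where a NAT policy and an access rule together publish one.

```python
"""Model of the objects the Public Server Wizard creates, plus a packet check.

Added example, not SonicOS code. Addresses 172.22.2.44 and 10.0.93.43 are
from the guide's example; the zone subnets, services and default
inter-zone behaviour are assumptions made here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("10.0.93.43")          # the guide's WAN interface address
ZONES = {                                  # constructed subnets, not from the guide
    "LAN": ip_network("192.168.168.0/24"),
    "DMZ": ip_network("172.22.2.0/24"),
}
INTERNAL_ZONES = tuple(ZONES)
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SMTP": ("tcp", 25)}


def containing_zone(ip):
    """Zone whose subnet contains ip, or None if it is outside every configured zone."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def zone_for_server(ip):
    """Wizard rule: bind the server object to its zone; outside every range means LAN."""
    return containing_zone(ip) or "LAN"


def service_name(proto, port):
    for name, spec in SERVICES.items():
        if spec == (proto, port):
            return name
    return None


@dataclass
class PublicServer:
    name: str
    private_ip: str
    services: list
    public_ip: str = str(WAN_IP)           # wizard default: the WAN interface address


def build_objects(server):
    """Address objects, service group, NAT policies and access rule, as the wizard would create them."""
    priv, pub = ip_address(server.private_ip), ip_address(server.public_ip)
    zone = zone_for_server(priv)
    group = f"{server.name}_services"
    address_objects = {f"{server.name}_private": (str(priv), zone)}
    if pub != WAN_IP:                      # custom public IP: a new object bound to WAN
        address_objects[f"{server.name}_public"] = (str(pub), "WAN")
    nat_policies = [
        # Inbound: from WAN, to the public address, group services -> rewrite destination to the server.
        {"name": f"{server.name} inbound", "from": ("WAN",), "orig_dst": pub, "trans_dst": priv, "group": group},
        # Loopback: internal hosts that use the public address reach the server as well.
        {"name": f"{server.name} loopback", "from": INTERNAL_ZONES, "orig_dst": pub, "trans_dst": priv, "group": group},
    ]
    access_rules = [{"name": f"{server.name} access", "from": "WAN", "to": zone, "group": group, "action": "allow"}]
    return {"address_objects": address_objects, "service_groups": {group: list(server.services)},
            "nat_policies": nat_policies, "access_rules": access_rules}


def evaluate(objs, src_zone, dst_ip, proto, port):
    """NAT runs before the access rules, as on the firewall. Returns (allowed, final destination)."""
    dst = ip_address(dst_ip)
    svc = service_name(proto, port)
    for pol in objs["nat_policies"]:
        if src_zone in pol["from"] and dst == pol["orig_dst"] and svc in objs["service_groups"][pol["group"]]:
            dst = pol["trans_dst"]
            break
    dst_zone = containing_zone(dst) or "WAN"
    if src_zone in INTERNAL_ZONES:
        allowed = True                     # assumption: internal-to-DMZ traffic is permitted by default
    else:
        allowed = any(r["action"] == "allow" and r["from"] == src_zone and r["to"] == dst_zone
                      and svc in objs["service_groups"][r["group"]] for r in objs["access_rules"])
    return allowed, str(dst)


if __name__ == "__main__":
    objs = build_objects(PublicServer("webserver", "172.22.2.44", ["HTTP", "HTTPS"]))
    print(evaluate(objs, "WAN", "10.0.93.43", "tcp", 443))   # (True, '172.22.2.44')
    print(evaluate(objs, "WAN", "10.0.93.43", "tcp", 25))    # (False, '10.0.93.43')
```

The second call shows why deselecting unneeded services matters: SMTP is not in the group, so no NAT policy rewrites it and no access rule admits it. Add SMTP to the group and the same packet is both translated and allowed.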
13
Review the settings.
14
Click Accept in the Public Server Configuration Summary page to complete the Public Server Wizard and apply the configuration to your SonicWall appliance.
* 
TIP: The new IP address used to access the new server, internally and externally is displayed in the Public Server Wizard Complete page.

The SonicWall appliance stores the network settings. A message appears while the configuration is being updated.

When the configuration has been updated, the Public Server Wizard Complete page displays.

15
Click Close to close the Public Server Wizard.

Creating a New Service

1
In the Public Server Type page of the Public Server Wizard, select Other from the Server Type drop-down menu. The page changes to display the Services drop-down menu.

2
Select Create new service… from the Services drop-down menu. The Add Service dialog displays.

3
Enter the name for the new service in the Name field.
4
Select a protocol from the Protocol drop-down menu.

5
If you selected Custom IP Type for a protocol, you must specify a custom IP protocol sub type in the subsequent field, then go to Step 8.
6
If you selected TCP(6) or UDP(17) for a protocol, specify a port range in the Port Range fields. For all other protocols, the Port Range fields are dimmed; for some protocols, the Public Server Wizard populates the range fields.
7
For those protocols that:
Do not require a sub type, the Sub Type drop-down menu is dimmed and displays None. Go to Step 8.
Require a sub type, the Sub Type drop-down menu becomes available. The sub types change depending on the protocol selected. Select a sub type.

8
Click OK.
9
Finish configuring the Public Server Wizard.

Creating a New Group

1
In the Public Server Type page of the Public Server Wizard, select Other from the Server Type drop-down menu. The page changes to display the Services drop-down menu.

2
Select Create new group… from the Services drop-down menu. The Add Service Group dialog displays.

3
Enter a friendly name for the new service group in the Name field.
4
Select the service or services for the new group from the left column. You can select the services:
One by one
As a group by selecting the first service in the group, holding down the Shift key, and then selecting the last in the group (for example, all the Echo services)
As a group by selecting one service, holding down the Ctrl key, and then selecting other services.
5
Click the Right Arrow button.

To remove one or more services from the group, select the service(s) and then click the Left Arrow button. To remove all services from the group, click the Remove All button.

6
Click OK.
7
Finish configuring the Public Server Wizard.

Configuring VPN Policies

Wizards > VPN Wizard

The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWall. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VPN policy. You can use the SonicOS management interface for optional advanced configuration options.

Using the VPN Policy Wizard

1
Click Wizard on the top right corner of the SonicOS management interface. The Configuration Wizard Welcome page displays.

2
Select VPN Wizard.
3
Click Next. The VPN Policy Type page displays.

4
Select WAN GroupVPN.
5
Click Next. The IKE Phase 1 Key Method page displays.

6
Select the authentication key to use for this VPN policy:
Use default key: All your Global VPN Clients automatically use the default key generated by the SonicWall to authenticate with the SonicWall.
Use this preshared key: You must distribute the key you enter in this field to every VPN Client because the user is prompted for this key when connecting to the SonicWall network security appliance. A default key is generated by the VPN Wizard.
* 
NOTE: If you select Use this preshared key, and leave the default key as the value, you must still distribute the key to your VPN clients.
7
Click Next. The Security Settings page displays.

8
Select the security settings for IKE Phase 2 negotiations and for the VPN tunnel. You can use the default settings, but note that the defaults (Group 2, 3DES, SHA-1) are weak by current standards.
DH Group: The Diffie-Hellman (DH) group selects the size of the prime modulus used for the IKE key exchange: Group 1 is 768 bits, Group 2 (default) is 1024 bits, Group 5 is 1536 bits, and Group 14 is 2048 bits. A larger modulus costs more CPU but yields stronger keys; Groups 1 and 2 are below current minimums, so choose Group 14 unless the peer cannot support it.
Encryption: This is the cipher for data in the VPN tunnel. You can choose DES, 3DES (default), AES-128, AES-192, or AES-256. DES has a 56-bit key and is brute-forceable; 3DES is slow and deprecated. Choose an AES option; AES-256 is the strongest and costs the most CPU.
* 
CAUTION: The SonicWall Global VPN Client version 1.x is not capable of AES encryption, so if you chose this method, only SonicWall Global VPN Client versions 2.x and higher will be able to connect.
Authentication: This is the hash (HMAC) algorithm that protects the integrity of IKE messages and of packets in the tunnel. You can choose MD5, SHA-1 (default), SHA256, SHA384, or SHA512. MD5 and SHA-1 are no longer recommended; choose SHA256 or stronger where the peer supports it.
Life Time (seconds): This is how long the security association remains valid before IKE renegotiates (rekeys) it. The default is eight hours (28800).
9
Click Next. The User Authentication page displays.

10
Select if you want to require the VPN users to authenticate with the firewall when they connect. If you select Enable User Authentication, you must select the user group that contains the VPN users. For this example, leave Enable User Authentication unchecked.
* 
NOTE: If you enable user authentication, the users must be entered in the SonicWall database for authentication. Users are entered into the SonicWall database on the Users > Local Users page, and then added to groups in the Users > Local Groups page.
11
If you:
Select Enable User Authentication, select a user group object from the Authentication User Group Object drop-down menu. The default is Trusted Users.
Disable Enable User Authentication, select a local network from the Allow Unauthenticated VPN Client Access drop-down menu. The default is Firewalled Subnets.
12
Click Next. The Configure Virtual IP Adapter page displays.

13
Select whether to use the SonicWall's internal DHCP server to assign each VPN client an IP address from the LAN zone's range, so that a connected user appears to be inside the LAN. To do so, select the Use Virtual IP Adapter check box.
14
Click Next. The WAN GroupVPN Configuration Summary page displays, detailing the settings that will be pushed to the SonicWall when you apply the configuration.

15
Verify the settings.
16
Click Accept to create your GroupVPN and apply the configuration to your SonicWall appliance.

The SonicWall appliance stores the settings. A message appears while the configuration is being updated.

When the configuration has been updated, the VPN Wizard Complete page displays.

17
Click Close.

Connecting the Global VPN Clients

Remote users install the SonicWall Global VPN Client software. When the application is installed, they use its connection wizard to set up the VPN connection. To configure the connection, each client needs the following information:

A public IP address (or domain name) of the WAN port for your SonicWall
The shared secret if you selected a custom preshared secret in the VPN Wizard.
The authentication username and password.

Configuring a Site-to-Site VPN using the VPN Wizard

To use the VPN Policy Wizard to create a site-to-site VPN policy:
1
Click Wizard on the top right corner of the SonicOS management interface. The Configuration Wizard Welcome page displays.

2
Select VPN Wizard.
3
Click Next. The VPN Policy Type page displays.

4
Select Site-to-Site.
5
Click Next. The Create Site-to-Site Policy page displays.

6
Enter the following information:
Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office.
Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWall generated Preshared Key.
I know my Remote Peer IP Address (or FQDN): If you check this option, this SonicWall appliance can initiate contact with the named remote peer.

If you do not check this option, the peer must initiate contact to create a VPN tunnel, and this device uses aggressive mode for IKE negotiation. In aggressive mode the peer identity and the hash derived from the preshared key are sent before the exchange is encrypted, so anyone who can capture the negotiation can run an offline guessing attack against the key. If you must leave the option unchecked, use a long random preshared key, not a word or phrase.

For this example, leave the option unchecked.

Remote Peer IP Address (or FQDN): If you checked the option above, enter the IP address or Fully Qualified Domain Name (FQDN) of the remote peer (For example, boston.yourcompany.com).
7
Click Next. The Network Selection page displays.

8
Select the local and destination resources this VPN will be connecting:
Local Networks: Select the local network resources protected by this SonicWall that you are connecting with this VPN. You can select any address object or group on the device, including networks, subnets, individual servers, and interface IP addresses. The default is Firewalled Subnets.

If the object or group you want has not been created yet, select Create new Address Object or Create new Address Group. Create the new object or group in the dialog box that pops up. Then select the new object or group. For this example, select LAN Subnets.

Destination Networks: Select the network resources on the destination end of the VPN Tunnel. If the object or group does not exist, select Create new Address Object or Create new Address Group. For example:
a)
Select Create new Address Group.

b)
In the Name field, enter DMZ-LAN Group.
c)
In the list on the left, select LAN Subnets and click the Right Arrow button. Do the same for DMZ Subnets,
d)
Click OK to create the group and return to the Network Selection page.
9
In the Destination Networks field, select the newly created group.
10
Click Next. The Security Settings page displays.

11
Select the security settings for IKE Phase 2 negotiations and for the VPN tunnel. You can use the default settings, but note that the defaults (Group 2, 3DES, SHA-1) are weak by current standards.
DH Group: The Diffie-Hellman (DH) group selects the size of the prime modulus used for the IKE key exchange: Group 1 is 768 bits, Group 2 (default) is 1024 bits, Group 5 is 1536 bits, and Group 14 is 2048 bits. A larger modulus costs more CPU but yields stronger keys; Groups 1 and 2 are below current minimums, so choose Group 14 unless the peer cannot support it.
Encryption: This is the cipher for data in the VPN tunnel. You can choose DES, 3DES (default), AES-128, AES-192, or AES-256. DES has a 56-bit key and is brute-forceable; 3DES is slow and deprecated. Choose an AES option; AES-256 is the strongest and costs the most CPU.
Authentication: This is the hash (HMAC) algorithm that protects the integrity of IKE messages and of packets in the tunnel. You can choose MD5, SHA-1 (default), SHA256, SHA384, or SHA512. MD5 and SHA-1 are no longer recommended; choose SHA256 or stronger where the peer supports it.
Life Time (seconds): This is how long the security association remains valid before IKE renegotiates (rekeys) it. The default is eight hours (28800 seconds).
12
Click Next. The Configuration Summary page displays, detailing the settings that will be pushed to the security appliance when you apply the configuration.

13
Verify the settings.
14
Click Accept to create the VPN and apply the configuration to your SonicWall appliance.

The SonicWall appliance stores the network settings. A message appears while the configuration is being updated.

When the configuration has been updated, the VPN Wizard Complete page displays.

15
Click Close.
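
The Security Settings page above lets you pick an IKE proposal from four small menus, and the defaults are the weakest common denominator. The following Python, an added example that is not SonicWall code, scores a selection against a minimum-strength policy using the option names the wizard offers. The thresholds (2048-bit DH, 128-bit key and block, 256-bit digest, eight-hour lifetime) are this example's assumptions; the modulus sizes are those of the standard MODP groups.

```python
"""Policy check for the VPN Policy Wizard's Security Settings page.

Added example, not SonicWall code.  The option names are the ones the wizard
offers; the minimum-strength thresholds (2048-bit DH, 128-bit key and block,
256-bit hash, 8-hour lifetime) are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Modulus sizes of the MODP groups the wizard offers (RFC 2409, RFC 3526).
DH_GROUP_BITS: Dict[int, int] = {1: 768, 2: 1024, 5: 1536, 14: 2048}

# Effective key length and block size of each encryption choice.
CIPHERS: Dict[str, Dict[str, int]] = {
    "DES":     {"key_bits": 56,  "block_bits": 64},
    "3DES":    {"key_bits": 112, "block_bits": 64},   # 168-bit key, ~112-bit effective
    "AES-128": {"key_bits": 128, "block_bits": 128},
    "AES-192": {"key_bits": 192, "block_bits": 128},
    "AES-256": {"key_bits": 256, "block_bits": 128},
}

# Digest length of each authentication (HMAC) choice.
HASH_BITS: Dict[str, int] = {"MD5": 128, "SHA-1": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}


@dataclass(frozen=True)
class Proposal:
    dh_group: int
    encryption: str
    authentication: str
    lifetime_s: int


# The defaults the guide lists: Group 2, 3DES, SHA-1, 28800 seconds.
WIZARD_DEFAULT = Proposal(dh_group=2, encryption="3DES", authentication="SHA-1", lifetime_s=28800)


def check_proposal(p: Proposal, min_dh_bits: int = 2048, min_key_bits: int = 128,
                   min_block_bits: int = 128, min_hash_bits: int = 256,
                   max_lifetime_s: int = 28800) -> List[str]:
    """Return one finding per policy violation; an empty list means the proposal passes."""
    findings: List[str] = []

    dh_bits = DH_GROUP_BITS.get(p.dh_group)
    if dh_bits is None:
        findings.append(f"DH group {p.dh_group} is not offered by the wizard")
    elif dh_bits < min_dh_bits:
        findings.append(f"DH group {p.dh_group} is a {dh_bits}-bit modulus; policy requires {min_dh_bits}")

    cipher = CIPHERS.get(p.encryption)
    if cipher is None:
        findings.append(f"encryption {p.encryption!r} is not offered by the wizard")
    else:
        if cipher["key_bits"] < min_key_bits:
            findings.append(f"{p.encryption} has a {cipher['key_bits']}-bit effective key; policy requires {min_key_bits}")
        if cipher["block_bits"] < min_block_bits:
            # A 64-bit block cipher starts leaking plaintext near 2^32 blocks; a busy tunnel gets there.
            findings.append(f"{p.encryption} uses a {cipher['block_bits']}-bit block; policy requires {min_block_bits}")

    hash_bits = HASH_BITS.get(p.authentication)
    if hash_bits is None:
        findings.append(f"authentication {p.authentication!r} is not offered by the wizard")
    elif hash_bits < min_hash_bits:
        findings.append(f"{p.authentication} is a {hash_bits}-bit digest; policy requires {min_hash_bits}")

    if p.lifetime_s > max_lifetime_s:
        findings.append(f"lifetime {p.lifetime_s}s exceeds the {max_lifetime_s}s maximum")
    return findings


def hardened_proposal() -> Proposal:
    """The selection to make instead of the defaults, when the remote peer supports it."""
    return Proposal(dh_group=14, encryption="AES-256", authentication="SHA256", lifetime_s=28800)


if __name__ == "__main__":
    for label, prop in (("wizard default", WIZARD_DEFAULT), ("hardened", hardened_proposal())):
        problems = check_proposal(prop)
        print(f"{label}: {'OK' if not problems else ''}")
        for finding in problems:
            print("  -", finding)
```

Run against the wizard defaults the checker reports four findings (DH group, 3DES key length, 3DES block size, SHA-1); the hardened selection passes. Adjust the keyword thresholds to your own policy rather than editing the tables.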

Configuring the WLAN Radio Interface
(TZ Wireless Appliances)

Wizards > Wireless Wizard

The Wireless Wizard provides an easy way to configure WLAN 802.11n, WLAN security, and WLAN VAP settings.

To use the Wireless Wizard to configure the WLAN radio interface:
1
Click Wizard on the top right corner of the SonicOS management interface. The Configuration Wizard Welcome dialog displays.

2
Select the Wireless Wizard radio button.
3
Click Next. The Wireless LAN Settings dialog displays.

4
Select the IP assignment from the IP Assignment drop-down menu:
Static
Layer 2 Bridged Mode
5
If you selected:
Static, go to Configuring Static Assignment.
Layer 2 Bridged Mode, go to Configuring Layer 2 Bridged Pair.
Configuring Static Assignment
1
Enter the WLAN interface (default gateway) IP address in the WLAN IP Address field. The Wireless Wizard supplies a default address that you can change.
2
Enter the WLAN subnet mask in the WLAN Subnet Mask field. The Wireless Wizard supplies a default mask that you can change.
Configuring Layer 2 Bridged Pair

The options on the Wireless LAN Settings page change.

1
Select the bridged-pair interface from the Bridged to drop-down menu.
2
Click Next. An information message displays noting that bridging the interface does not change its zone.

3
Click OK. The message closes.
Configuring WLAN Radio Settings
1
Click Next. An information message displays recommending that you keep your wireless client drivers up to date.

2
Click OK.
3
Click Next. The WLAN Radio Settings page displays.

4
Enter the Service Set ID (SSID), which serves as the primary identifier for your wireless network, in the SSID field. The SSID may be up to 32 alphanumeric characters long and is case sensitive.
5
Select the desired radio mode and channel of operation from these drop-down menus:
Radio Mode – Select from these options:
2.4GHz 802.11n/g/b Mixed (default)
2.4GHz 802.11n Only
2.4GHz 802.11g/b Mixed
2.4GHz 802.11g Only
Country Code – Options change depending on the agency specified in the Regulatory Domain.
* 
NOTE: The user is responsible for complying with all laws prescribed by the governing regulatory domain and locale.
Radio Band – Select from
Auto (default)
Standard - 20 MHz Channel
Wide - 40 MHz Channel
* 
NOTE: The Primary Channel and Secondary Channel change, depending on what you select for Radio Band.
Primary Channel – Select from:
Auto (default) – This is the only choice if you selected Auto for Radio Band.
A list of channels.
* 
NOTE: If you selected Standard for Radio Band, this option changes to Standard Channel.
Secondary Channel – Select from:
Auto (default) – This is the only choice if you selected Auto for Radio Band or Primary Channel.
A list of channels.
* 
NOTE: If you selected Standard for Radio Band, this option does not display.
6
Optionally, select Enable Short Guard Interval. This option is not selected by default.
7
Optionally, select Enable Aggregation. This option is not selected by default.
8
Click Next. The WLAN Security Settings page displays.

9
Select a security mode:
WPA/WPA2 Mode – Wi-Fi Protected Access (WPA) and WPA2 are wireless security protocols based on the IEEE 802.11i standard. This is the recommended mode; use it whenever your wireless clients support it.
Connectivity
* 
CAUTION: This mode offers no encryption or access controls and allows unrestrained wireless access to the device. If you must use it, for example for a guest network, place the WLAN in its own zone and restrict it with access rules.
10
Click Next.
11
If you selected:
WPA/WPA2 Mode, the WPA Mode Settings page displays; go to WPA Mode Settings.
Connectivity, the WLAN VAP (Virtual Access Point) Settings page displays; go to WLAN VAP (Virtual Access Point) Settings.
WPA Mode Settings

1
Configure the authentication type from the Authentication Type drop-down menu:
WPA-PSK
WPA2-PSK
WPA2-AUTO-PSK
WPA-EAP
WPA2-EAP
WPA2-AUTO-EAP

* 
NOTE: The options change depending on the authentication type you choose.
2
Configure the WPA/WPA2 settings for your SonicWall appliance from these drop-down menus:
Cipher Type: AES (default), TKIP, Auto. Leave this at AES; TKIP is deprecated, and Auto lets clients negotiate it.
Group Key Update: By Timeout (default), Disabled
3
Enter a time in the Interval (seconds) field. The default is 86400.
4
If you chose
WPA-PSK, WPA2-PSK, or WPA2-AUTO-PSK, enter the preshared key under Preshared Key Settings (PSK) in the Passphrase field. The passphrase must be at least eight alphanumeric characters; choose a long, random one, because anyone who captures a client's WPA handshake can attempt to recover a short or dictionary passphrase offline.
WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP, enter the Extensible Authentication Protocol Settings (EAP) in these fields:
RADIUS Server 1 IP and its Port
RADIUS Server 1 Secret
Optionally, RADIUS Server 2 IP and its Port
Optionally, RADIUS Server 2 Secret
5
Click Next.

If you entered EAP settings, a message displays stating that the firewall access rule for the RADIUS server is updated automatically.

The WLAN VAP (Virtual Access Point) Settings page displays.

WLAN VAP (Virtual Access Point) Settings

At this point, you have created one SSID with the displayed name. You can create up to seven VAP SSIDs.

1
If you:
Do not want to create a VAP SSID (you can always create more later), click Next.
Want to create another VAP SSID, select the Yes, I want to create another virtual access point checkbox. More options are displayed.

2
Enter a name for the VAP in the VAP NAME field.
3
Enter an SSID for the VAP in the VAP SSID field.
4
Select one of the security modes:
WPA/WPA2 Mode
Connectivity
* 
CAUTION: This mode offers no encryption or access controls and allows unrestrained wireless access to the device.
5
Click Next. The WLAN VAP (Virtual Access Point) Settings second page displays.

6
Enter a VLAN tag in the WLAN VLAN TAG field. This tag is a number with a range of 1 - 4094.
7
Enter an IP address in the WLAN IP address field. The default is 0.0.0.0.
8
Optionally, enter a subnet mask in the WLAN Subnet Mask field. The default is 255.255.255.0.
9
Optionally, select a zone from the WLAN Zone drop-down menu.
10
Optionally, to create a new zone, select the Create a new zone and bound the new subnet to it check box.
Enter the zone name in the New Zone Name field.
11
Click Next. The WLAN VAP (Virtual Access Point) Settings page redisplays.
12
If you:
Want to create more VAP SSIDs, repeat Step 1 through Step 11 for each VAP SSID up to a total of seven.
Have created all the VAP SSIDs you want, click Next. The Wireless Configuration Summary page displays.
Wireless Configuration Summary
* 
NOTE: What is displayed on the Wireless Configuration Summary page depends on how you configured the settings.

1
Verify the settings.
2
Make any changes by clicking Back to the appropriate page.
3
Click Accept to apply the configuration to your SonicWall appliance.

The SonicWall appliance stores the wireless settings. A message appears while the configuration is being updated.

When the configuration has been updated, the Wireless Wizard Complete page displays.

4
Click Finish.
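
Before running the Wireless Wizard on a production appliance, it helps to write down the primary SSID and each VAP and check them against the constraints the wizard enforces and the choices it merely allows. The Python below is an added example, not SonicOS code: it checks a plan of one primary SSID and up to seven VAPs for the 32-character SSID limit, the eight-character passphrase minimum, the RADIUS fields EAP needs, the 1-4094 VLAN range, duplicate SSIDs and VLAN tags, a VAP IP left at 0.0.0.0, and the insecure choices the wizard permits (Connectivity mode, TKIP or Auto cipher, original WPA). The sample plan and the 20-character recommended passphrase length are this example's constructions.

```python
"""Pre-flight check for a Wireless Wizard plan: the primary SSID plus up to
seven virtual access points.  Added example, not SonicOS code.  The limits
(32-character SSID, 8-character passphrase minimum, VLAN tags 1-4094, seven
VAPs) are the wizard's; MIN_PSK_RECOMMENDED and the sample plan are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SSID_LEN = 32
MAX_VAPS = 7
MIN_PSK_LEN = 8            # the wizard's minimum
MIN_PSK_RECOMMENDED = 20   # assumption: a captured 4-way handshake is cracked offline
PSK_TYPES = {"WPA-PSK", "WPA2-PSK", "WPA2-AUTO-PSK"}
EAP_TYPES = {"WPA-EAP", "WPA2-EAP", "WPA2-AUTO-EAP"}


@dataclass
class WlanEntry:
    name: str
    ssid: str
    mode: str                       # "WPA/WPA2" or "Connectivity"
    auth_type: str = ""
    cipher: str = "AES"             # AES (default), TKIP, Auto
    passphrase: str = ""
    radius1: Optional[Tuple[str, int, str]] = None   # (IP, port, shared secret)
    vlan_tag: Optional[int] = None  # VAPs only
    ip: str = "0.0.0.0"             # the wizard's default for a VAP


def check_entry(e: WlanEntry) -> List[str]:
    """Findings for one SSID, primary or VAP."""
    f: List[str] = []
    if not 1 <= len(e.ssid) <= MAX_SSID_LEN:
        f.append(f"{e.name}: SSID must be 1-{MAX_SSID_LEN} characters")
    if e.mode == "Connectivity":
        f.append(f"{e.name}: Connectivity mode has no encryption or access control; isolate it in its own zone")
    elif e.mode == "WPA/WPA2":
        if e.auth_type in PSK_TYPES:
            if len(e.passphrase) < MIN_PSK_LEN:
                f.append(f"{e.name}: passphrase shorter than the {MIN_PSK_LEN}-character minimum")
            elif len(e.passphrase) < MIN_PSK_RECOMMENDED:
                f.append(f"{e.name}: passphrase under {MIN_PSK_RECOMMENDED} characters is exposed to offline cracking")
        elif e.auth_type in EAP_TYPES:
            ip, _port, secret = e.radius1 or ("", 0, "")
            if not ip or not secret:
                f.append(f"{e.name}: EAP needs RADIUS Server 1 IP and Secret")
        else:
            f.append(f"{e.name}: unknown authentication type {e.auth_type!r}")
        if e.auth_type.startswith("WPA-"):
            f.append(f"{e.name}: original WPA is deprecated; use a WPA2 authentication type")
        if e.cipher != "AES":
            f.append(f"{e.name}: cipher {e.cipher} allows TKIP; select AES")
    else:
        f.append(f"{e.name}: unknown security mode {e.mode!r}")
    if e.vlan_tag is not None and not 1 <= e.vlan_tag <= 4094:
        f.append(f"{e.name}: VLAN tag must be 1-4094")
    if e.ip == "0.0.0.0":
        f.append(f"{e.name}: WLAN IP address left at the 0.0.0.0 default")
    return f


def check_plan(primary: WlanEntry, vaps: List[WlanEntry]) -> List[str]:
    """Per-entry findings plus the cross-entry ones (VAP count, duplicate SSIDs and tags)."""
    findings = check_entry(primary)
    if len(vaps) > MAX_VAPS:
        findings.append(f"{len(vaps)} VAPs requested; the wizard allows {MAX_VAPS}")
    seen_ssids = {primary.ssid}
    seen_tags: Dict[int, str] = {}
    for v in vaps:
        findings += check_entry(v)
        if v.ssid in seen_ssids:
            findings.append(f"{v.name}: duplicate SSID {v.ssid!r}")
        seen_ssids.add(v.ssid)
        if v.vlan_tag in seen_tags:
            findings.append(f"{v.name}: VLAN tag {v.vlan_tag} already used by {seen_tags[v.vlan_tag]}")
        elif v.vlan_tag is not None:
            seen_tags[v.vlan_tag] = v.name
    return findings


# Constructed sample plan: a sound corporate SSID, a guest VAP left open, and a
# contractor VAP with several of the mistakes this checker exists to catch.
SAMPLE_PRIMARY = WlanEntry("corp", "Corp-WiFi", "WPA/WPA2", auth_type="WPA2-AUTO-PSK",
                           passphrase="correct horse battery staple 2014", ip="172.16.31.1")
SAMPLE_VAPS = [
    WlanEntry("guest", "Guest", "Connectivity", vlan_tag=20, ip="172.16.20.1"),
    WlanEntry("contractor", "Contractor", "WPA/WPA2", auth_type="WPA2-EAP", cipher="Auto",
              radius1=("10.0.0.5", 1812, ""), vlan_tag=20),
]


def sample_findings() -> List[str]:
    return check_plan(SAMPLE_PRIMARY, SAMPLE_VAPS)


if __name__ == "__main__":
    for line in sample_findings():
        print("-", line)
```

On the sample plan the checker reports five findings: the open guest network, the missing RADIUS secret, the Auto cipher, the contractor VAP's IP left at 0.0.0.0, and the VLAN tag 20 reused by both VAPs.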

 

Configuring Application-Level Network Traffic Policies

Wizards > Application Firewall Wizard

The Application Firewall Wizard provides safe configuration for many common use cases, but not for everything. If at any time during the Application Firewall Wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration.

To use the Application Firewall Wizard to configure an application firewall policy:
1
Click Wizard on the top right corner of the SonicOS management interface. The Configuration Wizard Welcome dialog displays.

2
Select the Application Firewall Wizard radio button.
3
Click Next. The Application Firewall Wizard Introduction page displays.

4
Click Next. The Application Firewall Policy Type page displays.

5
Select a policy type, which will apply only to the type of traffic that you select:
I would like to apply a policy to SMTP email
I would like to apply a policy to POP3 email
I would like to apply a policy to Web Access
I would like to apply a policy to FTP file transfer
* 
NOTE: The options on the next page depend on your choice here.
6
Click Next. The Select <your choice> Rules for Application Firewall page displays.
7
Depending on your choice in the previous step, this page is one of four possible screens:
Select SMTP Rules for Application Firewall Policy
Select POP3 Rules for Application Firewall Policy
Select Web Access Rules for Application Firewall Policy
Select FTP Rules for Application Firewall Policy

Select a policy rule from the choices supplied.

8
Click Next. The page displayed here varies depending on your choice of policy rule in Step 7. For the following policy rules, the wizard displays the Set Application Firewall Object Content screen on which you can select the traffic direction to scan, and the content or keywords to match.
All SMTP policy rule types except Specify maximum email size
All POP3 policy rule types
All Web Access policy rule types
All FTP policy rule types except Make all FTP access read-only and Disallow usage of SITE command

In the Set Application Firewall Object Content screen, perform the following steps:

a
In the Direction drop-down list, select the traffic direction to scan: Incoming, Outgoing, or Both.
b
Do one of the following:
* 
NOTE: If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur.
In the Content field, type or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List field.
To import keywords from a predefined text file that contains a list of content values, one per line, click Load From File.
9
Click Next.

If you selected a policy rule in Step 7 that does not use the Set Application Firewall Object Content page with the standard options, the wizard displays a page that allows you to select the traffic direction, and certain other choices depending on the policy type.

In the Direction drop-down menu, select the traffic direction to scan.
SMTP: In the Set Maximum Email Size page, in the Maximum Email Size field, enter the maximum number of bytes for an email message.
Web Access: In the special-case Set Application Firewall Object Content page, the Content field has a drop-down menu with a limited number of choices, and no Load From File button is available. Select a browser from the drop-down menu.
FTP: In the special-case Set Application Firewall Object Content page, you can only select the traffic direction to scan.
10
Click Next.
11
In the Application Firewall Action Type page, select the action to take when matching content is found in the specified type of network traffic. One or more of the following choices is offered, depending on the policy type (shown in parentheses here for reference):

Blocking Action - block and send custom email reply (SMTP)
Blocking Action - block without sending email reply (SMTP)
Blocking Action - disable attachment and add custom text (POP3)
Blocking Action - custom block page (Web Access)
Blocking Action - redirect to new location (Web Access)
Blocking Action - reset connection (Web Access, FTP)
Blocking Action - add block message (FTP)
Add Email Banner (append text at the end of email) (SMTP)
Log Only (SMTP, POP3, Web Access, FTP)
12
Click Next.

The Application Firewall Action Settings page is displayed only when the action you selected requires additional text.

13
In the Application Firewall Action Settings page (if it is displayed), in the Content field, type the text to use. For a Web Access policy type, if you selected an action that redirects the user, type the new URL into the Content field.
14
Click Next.

15
In the Select Name for Application Firewall Policy page, in the Policy Name field, type a descriptive name for the policy.
16
Click Next.
17
In the Confirm New Application Firewall Policy Settings page, review the displayed values for the new policy and do one of the following:
To create a policy using the displayed configuration values, click Accept.
To change one or more of the values, click Back.
18
In the Application Firewall Policy Wizard Complete page, to exit the wizard, click Close.
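
The wizard assembles three things: a content object (the values you typed or loaded from a file, optionally inverted for the "except the ones specified" rule types), a direction, and an action. The Python below is an added example, not SonicOS code and not its matching engine; it models that logic and runs three constructed policies over constructed SMTP and HTTP payload excerpts so the direction filter, the hex content values and the inverted match can be seen working. The "hex:" prefix for hexadecimal content values and the record layout are this example's assumptions.

```python
"""Match-and-act logic of the kind the Application Firewall Wizard assembles:
a content object (text or hex values, optionally inverted for the 'except the
ones specified' rule types), a traffic direction, and an action.  Added example,
not SonicOS code; the 'hex:' spelling, the record layout, the policies and the
sample traffic are this example's constructions.
"""
import binascii
from dataclasses import dataclass
from typing import List, Tuple


def parse_content(value: str) -> bytes:
    """One content value as typed into the wizard: plain text, or 'hex:' plus hex digits (assumed syntax)."""
    if value.startswith("hex:"):
        return binascii.unhexlify(value[4:].replace(" ", ""))
    return value.encode()


def load_from_file(text: str) -> List[bytes]:
    """Mirror Load From File: one content value per line, blank lines ignored."""
    return [parse_content(line.strip()) for line in text.splitlines() if line.strip()]


@dataclass
class ContentObject:
    values: List[bytes]
    negate: bool = False    # True for 'except the ones specified' rule types

    def matches(self, payload: bytes) -> bool:
        hit = any(v in payload for v in self.values)
        return (not hit) if self.negate else hit


@dataclass
class Policy:
    name: str
    policy_type: str        # SMTP, POP3, Web Access, FTP
    direction: str          # Incoming, Outgoing, Both
    content: ContentObject
    action: str             # one of the wizard's action types


@dataclass
class TrafficRecord:
    policy_type: str
    direction: str
    payload: bytes


def direction_applies(policy_direction: str, flow_direction: str) -> bool:
    return policy_direction == "Both" or policy_direction == flow_direction


def evaluate(policies: List[Policy], record: TrafficRecord) -> List[Tuple[str, str]]:
    """Return (policy name, action) for every policy that fires on one traffic record."""
    fired: List[Tuple[str, str]] = []
    for p in policies:
        if p.policy_type != record.policy_type:
            continue
        if not direction_applies(p.direction, record.direction):
            continue
        if p.content.matches(record.payload):
            fired.append((p.name, p.action))
    return fired


# Constructed policies, in the shape the wizard would produce.
POLICIES = [
    Policy("Block risky attachments", "SMTP", "Outgoing",
           ContentObject(load_from_file(".exe\n.scr\nhex:4d 5a\n")),   # 4d5a = 'MZ' PE header
           "Blocking Action - block without sending email reply"),
    Policy("Log inbound credential mentions", "SMTP", "Incoming",
           ContentObject([b"password"]), "Log Only"),
    Policy("Allow only browsers", "Web Access", "Both",
           ContentObject([b"Mozilla/5.0"], negate=True),               # 'except the ones specified'
           "Blocking Action - reset connection"),
]

# Constructed traffic records (payload excerpts).
SAMPLE_RECORDS = [
    TrafficRecord("SMTP", "Outgoing",
                  b'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n\r\nMZ\x90\x00'),
    TrafficRecord("Web Access", "Outgoing",
                  b"GET /login HTTP/1.1\r\nUser-Agent: python-requests/2.31\r\n\r\n"),
    TrafficRecord("Web Access", "Outgoing",
                  b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n"),
    TrafficRecord("SMTP", "Incoming", b"Subject: lunch\r\n\r\nsee you at noon"),
]


def run_sample() -> List[List[Tuple[str, str]]]:
    return [evaluate(POLICIES, r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for rec, hits in zip(SAMPLE_RECORDS, run_sample()):
        print(rec.policy_type, rec.direction, "->", hits or "no match")
```

The outgoing message fires the attachment policy (both the ".exe" name and the MZ bytes match), the scripted HTTP client trips the inverted browser rule, the browser request passes, and the inbound message matches nothing.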

Configuring WAN Acceleration

Wizards > WXA Setup Wizard

The WXA Setup Wizard guides you through each step of the initial setup and configuration of the NSA or TZ series appliance so that, when coupled with a WXA series appliance, it can deliver WAN Acceleration to the local users.

The following should be considered before using the WXA Setup Wizard:

The NSA or TZ series appliance must be set up, configured, and licensed.
The WXA Setup Wizard supports only site-to-site Virtual Private Network (VPN) deployments. A WXA series appliance deployed in routing or Layer 2 bridge mode works, but cannot be configured with this wizard.
IPv6 is not supported.
Using the WXA Setup Wizard overwrites any existing configuration.
The WXA series appliance should not be powered up before using the WXA Setup Wizard. You are directed to power up the appliance as you are guided through the WXA Setup Wizard.

To use the WXA Setup Wizard, perform the steps in the following sections:

Interface

The Interface page guides you through configuring the interface on the NSA/TZ series appliance to which the WXA series appliance connects.

To configure an interface:
1
Select an unused interface from the Interface drop-down menu.
* 
NOTE: If the interface has previously been configured and the settings are suitable, an option to preserve the existing settings is available.
2
Select the desired zone from the Zone drop-down menu.
3
Enter the desired IP address and netmask in the IP Address and Netmask text-fields. This IP address is usually from one of the private ranges not already used locally or on the VPNs.
4
Click the Next button.

Connect the WXA

The Connect the WXA page guides you through the process of connecting the WXA series appliance to the NSA/TZ series appliance.

When you have connected the appliance, powered it up, and finished the reboot, click the Next button to continue.

Enable Acceleration

The Enable Acceleration page notifies you that the WAN Acceleration service is going to be enabled and a static lease will be created for the WXA series appliance.

For virtual WXAs (WXA 5000 Virtual Appliance and WXA 500 Live CD), a license is required. At this stage, if the NSA/TZ series appliance does not have the license for WAN Acceleration, a License page will appear.

Enter the proper licensing information, then click the Next button to continue.

Acceleration Components

The Acceleration Components page is used to enable or disable the individual components of the WAN Acceleration service:

Perform the following:

1
Select or deselect the checkbox(s) for the desired acceleration components:
TCP Acceleration
WFS (Unsigned SMB)
WFS (Support Signed SMB—this requires additional setup)
Web Cache
* 
NOTE: If a component was previously enabled, its check box will already be selected.
2
If you would like to configure support for Signed SMB traffic, click the Launch the WFS Configuration wizard to configure support for Signed SMB traffic check box.

The WFS Setup Wizard will automatically launch after you complete the WXA Setup Wizard.

3
Click the Next button to continue.

VPNs

The VPNs page displays a list of all the IPv4 VPNs. If acceleration is already permitted on a VPN, the check box next to the VPN policy name will be checked.

Perform the following:

1
Select the check box next to the name of each VPN policy on which you want to permit acceleration.
2
Click the Next button to continue.

Done

The Done page confirms that you have successfully completed the WXA Setup Wizard.

If you chose to use WFS Acceleration with support for Signed SMB, the WFS Setup Wizard will now display. To complete the WFS Setup Wizard, refer to the WFS Setup Wizard.

Click the Close button to exit the WXA Setup Wizard.

WFS Setup Wizard

The WFS Setup Wizard guides you through the configuration of the WXA series appliance on the Windows Domain in order to support Signed SMB. After the appliance has joined the domain, you will have the opportunity to configure the shares on the remote servers that you would like to be included in the WFS Acceleration process. It is strongly recommended that you configure the WXA series appliances at the sites where the file servers are located before configuring the WXA series appliances at the branch sites requiring remote access to the shares.

To use the WFS Setup Wizard, perform the steps in the following sections:

Enable WFS

The Enable WFS page displays the enable status of WFS Acceleration with support for Signed SMB. It also guides you through selecting the WFS Acceleration Address, which is the IP address of the WXA series appliance on the LAN whose traffic is being accelerated. The address can be that of the WXA series appliance itself or the NSA/TZ series appliance (most common). If the IP Address is that of the NSA/TZ series appliance, NAT will be used to redirect appropriate traffic to the WXA series appliance.

Perform the following:

1
Click the WFS Acceleration Address drop-down menu, then select the IP address to use: that of the WXA series appliance, or that of the NSA/TZ series appliance.
2
Click the Next button to enable WFS Acceleration with support for Signed SMB using the selected address.

Domain Details

The Domain Details page displays the following information after the WXA series appliance has determined the local domain:

Domain
WXA Hostname
Default Hostname
Kerberos Server
Joined Domain (status)

Click the Next button to continue.

If the Local Domain is not discovered, you have the option to choose between troubleshooting why no domain was discovered or manually configuring a domain.

Troubleshoot

To troubleshoot why a domain was not discovered, select the troubleshoot why no domain has been discovered option and click the Next button. See Troubleshoot Domain Discovery for details.

Manual Configuration

To manually configure a domain, select the Manually configure a domain option and click the Next button. Perform the steps in the following sections:

Troubleshoot Domain Discovery

The Troubleshoot Domain Discovery page displays the results of the troubleshooting process. Follow the directions displayed on this page, then click the Next button to continue.

Configure the Domain

The Configure the Domain page lets you manually enter the name of the domain that you want the WXA series appliance to join.

Perform the following:

1
In the Fully Qualified Domain Name text-field, enter the name of the domain that you want the WXA series appliance to join.
2
Click the Next button to continue.

Specify the WXA Hostname

The Specify the WXA Hostname page gives you the option to enter a WXA Hostname or use the default.

* 
IMPORTANT: If you are configuring a WXA 5000 Virtual Appliance or WXA 500 Live CD, you are required to enter a WXA Hostname; no default is provided.

Perform the following:

1
In the WXA Hostname text-field, enter a hostname for the WXA appliance or use the default.
2
Click the Next button to continue.

Select a Kerberos Server

The Select a Kerberos Server page lets you configure a Kerberos server manually if one has not been automatically discovered.

Perform the following:

1
Select a method to configure the Kerberos server:
Allow automatic choice of a discovered Kerberos server.
Manually enter the Kerberos server.
Select a discovered Kerberos server.
2
Click the Next button to continue.

Join the Domain

The Join the Domain page prompts for domain administrator credentials so that the WXA series appliance can join the domain. The credentials are used for the join operation; if your domain delegates the right to join computers to a less privileged account, prefer that account over a member of Domain Admins.

* 
NOTE: Depending on the current status and configuration, there may be options to “unjoin the domain” or “rejoin the domain” if the WXA has previously been joined to a domain.

Perform the following:

1
In the Username and Password text-fields, enter your Administrator’s credentials.

2
Click the Join Domain button.

The Join Domain process begins and may take some time. When it finishes, the Join Domain Results are displayed.

3
Click the Next button to continue.

Configure Shares

The Configure Shares page gives you options to select where you would like to configure shares based on the location of the WXA series appliance and your network configuration.

Perform the following:

1
Select one of these options by clicking the radio button next to it:
Configure Local File Servers—This WXA is at the “Head Office” and I would like to configure local file servers so that users at remote sites can benefit from the accelerated file operations when accessing these.

Refer to Configure Local File Servers

WXA Local Deployment

Configure Remote File Servers—This WXA is at a “Branch Office” and I would like to configure file servers located at remote sites so that branch office users can get accelerated access to shares on those remote servers by going via a “next hop” WXA.

Refer to Configure Remote File Servers

WXA Remote Deployment

Configure Local and Remote file servers—There are file servers on the local area network (LAN) that are accessed by users at remote sites. In addition, the users on the LAN access file servers at remote sites. Therefore, I would like to configure both local and remote servers.

Refer to Configure Local File Servers and then Configure Remote File Servers

WXA Deployment

Skip the Server and Share Configuration—I do not wish to configure servers and shares at the current time so skip this section.
2
Click the Next button to continue.

Configure Local File Servers

The Configure Local File Servers page lists the discovered local file servers, which you can select and add to the WXA series appliance's configuration.

Perform the following:

1
Click the File Server Name drop-down menu, then select a local file server to add to the WXA's configuration.
2
Click the Add Server and Shares button.

File operations to all of the server’s shared folders and documents from remote sites will be accelerated. If you wish to limit WFS Acceleration (Signed SMB) to specific shares, this can be configured on the WAN Acceleration > WFS Acceleration > Shares page in Advanced mode.

3
Click the Next button to continue.

Configure Remote File Servers

The Configure Remote Servers page gives you the options to select a remote file server and enter a local WXA name. The remote file server should be a Windows file server hosting shared folders and files. The WXA will attempt to discover the “next-hop” WXA configured to provide accelerated access to that server.

Perform the following:

1
Click the Remote File Server Name drop-down menu, then select a remote file server to add to the WXA's configuration.
2
In the Local WXA Name text-field, enter a unique name or alias for the local WXA series appliance. Entering a dot after the local WXA name will auto-complete the name with that of the domain.
* 
IMPORTANT: This is the name that should then be used in paths to folder and files on the remote server in order for the file sharing operations to benefit from WFS Acceleration.
3
Click the Add Server and Shares button.

File operations to all of the server’s shared folders and documents will be accelerated. If you wish to limit WFS Acceleration (Signed SMB) to specific shares, this can be configured on the WAN Acceleration > WFS Acceleration > Shares page in Advanced mode.

4
Click the Next button to continue.

Add Domain Records

The Add Domain Records page displays the remote server names, the local WXA names, and their status. It allows you to add domain records to the remote servers and local WXAs in your configuration.

Perform the following:

1
Review the listed remote servers and local WXAs, then click the Next button.

2
In the Username and Password text-fields, enter your Administrator’s credentials.

The Summary of Results is displayed:

3
Click the Next button to continue.

Done

The Done page confirms that you have successfully completed the WFS Setup Wizard.

When you return to the main WFS Acceleration pages, refresh the page so that it reflects the changes made in this wizard.

Click the Close button to exit the WFS Setup Wizard.