SonicOS 6.2 Admin Guide

Security Services

Managing SonicWall Security Services

SonicWall Security Services

SonicWall offers a variety of subscription-based security services to provide layered security for your network. SonicWall security services are designed to integrate seamlessly into your network to provide complete protection.

The following subscription-based security services are listed in Security Services on the firewall’s management interface:

SonicWall Content Filtering Service
SonicWall Client Anti-Virus
SonicWall Gateway Anti-Virus
SonicWall Intrusion Prevention Service
SonicWall Anti-Spyware
SonicWall RBL Filter
SonicWall Geo-IP Filter
SonicWall Botnet Filter
TIP: After you register your firewall, you can try FREE TRIAL versions of SonicWall Content Filtering Service, SonicWall Client Anti-Virus, SonicWall Gateway Anti-Virus, SonicWall Intrusion Prevention Service, and SonicWall Anti-Spyware.

You can activate and manage SonicWall security services directly from the SonicWall management interface or from https://www.mysonicwall.com.

Security Services Summary

The top portion of the Security Services > Summary page lists the security services that are available with a short description of the service.

The bottom portion of the Security Services > Summary page has five panels:

Synchronize Licenses
Security Services Settings
Signature Downloads Through a Proxy Server
Security Services Information
Update signatures manually

Configuring Security Services

The following sections describe global configurations that are done on the panels of the Security Services > Summary page:

Synchronize Licenses

To synchronize your mysonicwall.com account with the Security Services Summary table, click the Synchronize button after Synchronize licenses with www.mysonicwall.com.

To manage your licenses, click the link in To Manage your licenses go to www.mysonicwall.com.

Security Services Settings

The Security Services Settings section provides the following options for fine-tuning SonicWall security services:

Security Services Settings - This drop-down menu specifies whether SonicWall security services are applied to maximize security or to maximize performance:
Maximum Security (Recommended) - Inspect all content with any threat probability (high/medium/low). For additional performance capacity in this maximum security setting, utilize SonicOS HA Clustering.
Performance Optimized - Inspect all content with a high or medium threat probability. Consider this performance optimized security setting for bandwidth or CPU intensive gateway deployments or utilize SonicOS HA Clustering.

The Maximum Security setting provides maximum protection. The Performance Optimized setting utilizes knowledge of the currently known threats to provide high protection against active threats in the threat landscape.

Reduce Anti-Virus traffic for ISDN connections - Select this feature to enable the SonicWall Anti-Virus to check only once a day (every 24 hours) for updates and reduce the frequency of outbound traffic for users who do not have an “always on” Internet connection.
Drop all packets while IPS, GAV and Anti-Spyware database is reloading - Select this option to instruct the firewall to drop all packets whenever the IPS, GAV, and Anti-Spyware database is updating.
HTTP Clientless Notification Timeout for Gateway AntiVirus and AntiSpyware - Set the timeout duration after which the firewall notifies users when GAV or Anti-Spyware detects an incoming threat from an HTTP server. The default timeout is one day (86400 seconds).

Signature Downloads and Registration Through a Proxy Server

This section lets SonicWall network security appliances that must reach the Internet through a proxy server download signatures through that proxy. It also allows a SonicWall network security appliance to be registered through a proxy server without compromising privacy.

To enable signature download or appliance registration through a proxy server:

1. Select the Download Signatures through a Proxy Server checkbox.
2. In the Proxy Server Name or IP Address field, enter the host name or IP address of the proxy server.
3. In the Proxy Server Port field, enter the port number used to connect to the proxy server.
4. Select the This Proxy Server requires Authentication checkbox if the proxy server requires a username and password.
5. If the appliance has not been registered with MySonicWall.com, two additional fields are displayed:
   MySonicWall Username - Enter the username for the MySonicWall.com account that the appliance is to be registered to.
   MySonicWall Password - Enter the MySonicWall.com account password.
6. Click Accept at the top of the page.

Security Services Information

This panel is not currently used.

Update Signature Manually

The Manual Signature Update feature is intended for networks where reliable, broadband Internet connectivity is either not possible or not desirable (for security reasons). The Manual Signature Update feature provides a method to update the latest signatures at the network administrator’s discretion. The network administrator first downloads the signatures from http://www.MySonicWall.com to a separate computer, a USB drive, or other media. Then the network administrator uploads the signatures to the firewall. The same signature update file can be used on all SonicWall network security appliances that meet these requirements:

Devices that are registered to the same MySonicWall.com account
Devices that belong to the same class of SonicWall network security appliances

To manually update signature files, complete the following steps:

1. On the Security Services > Summary page, scroll to the Update Signatures Manually heading at the bottom of the page. Record the Signature File ID for the device.
2. Log on to http://www.MySonicWall.com using the MySonicWall.com account that was used to register the SonicWall network security appliance.
   NOTE: The signature file can only be used on firewalls that are registered to the MySonicWall.com account that downloaded the signature file.
3. Click on Download Signatures under the Downloads heading.
4. In the pull-down window next to Signature ID:, select the appropriate SFID for your firewall.
5. Download the signature update file by clicking on Click here to download the Signature file.
   NOTE: The remaining steps can be performed while disconnected from the Internet.
6. Return to the Security Services > Summary page on the firewall management interface.
7. Click the Import Signatures button.
8. In the pop-up dialog that appears, click the Browse button and navigate to the location of the signature update file.
9. Click Import. The signatures are uploaded for the security services that are enabled on the firewall.

Configuring Content Filtering Service

Security Services > Content Filter

NOTE: Content Filtering Service (CFS) is not supported in Wire Mode.

You can activate Content Filter Objects and configure SonicWall Content Filtering Service (SonicWall CFS) as well as Websense Enterprise, a third-party Content Filtering product, from the Security Services > Content Filter page.

About CFS 4.0

The SonicWall™ Content Filtering Service (CFS) release 4.0 is supported in SonicOS 6.2.6 and above. CFS 4.0 delivers content filtering enforcement for educational institutions, businesses, libraries, and government agencies. With content filter objects, you can control the websites students and employees can access using their IT-issued computers while behind the organization’s firewall.

NOTE: For a more detailed description of the CFS release 4.0, as well as how to license and install it, see the SonicWall™ SonicOS 6.2.6.0 Release Notes, the SonicWall™ Content Filtering Service (CFS) 4.0 Feature Guide, and the SonicWall™ Content Filtering Service Upgrade Guide. For how to create Content Filter Objects for CFS policies, see Configuring Content Filter Objects.

CFS 4.0 compares requested websites against a massive cloud database that contains millions of rated URIs, IP addresses, and websites. It also provides you with the tools to create and apply policies that allow or deny access to sites based on individual or group identity and/or by time of day.

CFS 4.0 has been redesigned to improve performance, ease of use, and central management while providing more accurate filtering options.

About Threat API

IMPORTANT: Before configuring Threat API, you must enable it. For further information about Threat API and how to enable it, see the Threat API Reference Manual.

NOTE: SonicOS Threat API requires that the firewall has a Content Filtering System (CFS) license.

SonicOS 6.2.7 introduces support for the Threat API feature. The SonicOS Threat API provides API access to SonicWall firewall services. Compared with current firewall GUI/CLI user interfaces, Threat API is simple and makes good use of the standard HTTP protocol. With the trend toward cloud deployment, Threat API can more easily be used than traditional SonicOS GUI/CLI.

Malicious threats can originate from URLs or IP addresses. Lists of these threats can be large and change frequently. SonicOS can already block custom lists of URLs and IP addresses, but it’s inconvenient because you have to log in and update the lists by hand. Using an API interface makes it much easier.

The Threat list is sent to SonicOS using the Threat API feature. Threats can be added in either of the following formats:

URLs (https://malicious123.example.com/malware)
IP addresses (10.10.1.25)

Third parties can generate the threat list and pass it to the firewall using Threat API.

For IP addresses in the threat list, SonicOS initially creates a default Threat API Address Group and then creates an Address Object (AO) for each IP address in the threat list. You then configure Firewall Access Rules that reference that Address Group and block the IP addresses.

SonicOS adds the URLs to its CFS Threat URI list. You enable Threat API Enforcement in the associated CFS Profile and configure a Content Filtering System (CFS) policy to block the URLs in the threat list. When a threat is blocked by CFS, the user sees a block message in their browser.

About CFS Policies

A CFS policy determines whether a packet is filtered (by applying the configured CFS Action) or simply allowed through to the user. A CFS policy defines the filtering conditions to which a packet is compared:

Name
Source Zone
Destination Zone
Source Address
User/Group
Schedule

If a packet matches all the defined conditions, the packet is filtered according to the corresponding CFS Profile, and the CFS Action is applied.

NOTE: If authentication data for User/Group is not available during matching, no match is made for this condition. This strategy prevents performance issues, especially when Single Sign-On is in use.

Each CFS policy has a priority level, and policies with higher priorities are checked first.

CFS uses a policy table internally to manage all the configured policies. For each policy element, the table is constructed by the configuration data and runtime data. The configuration data includes parameters that define the policy from the user interface, such as policy name, properties and others. The runtime data includes the parameters used for packet handling.

CFS also uses a policy lookup table to accelerate runtime policy lookup for matching conditions:

Source zone
Destination zone
IPv4 AO
IPv6 AO

About Content Filter Objects

CFS 4.0 uses Content Filter Objects in CFS Policies to identify URIs and domains for filtering and to specify the type of action to be taken when filtering. For more information about Content Filter Objects, see Configuring Content Filter Objects.

Under the new CFS rating design, a domain may be resolved to one of four ratings; from highest to lowest priority, the ratings are:

1. Block
2. Passphrase
3. Confirm
4. BWM (bandwidth management)

If the URL is not categorized into any of these ratings, the operation is allowed.

How CFS Works

1. A packet arrives and is examined by CFS.
2. CFS checks it against the configured exclusion addresses and allows it through if a match is found.
3. CFS checks its policies to find the first policy that matches these conditions in the packet:
   Source zone
   Destination zone
   Address object
   Users/group
   Schedule
   Enabled state
4. CFS uses the CFS Profile defined in the matching policy to do the filtering and returns the corresponding action for this packet.
   NOTE: If no policy is matched, the packet is passed through without any action by CFS.
5. CFS performs the action defined in the CFS Action Object for the matching policy.
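As an added illustration (not SonicOS code), the following Python model replays the matching order above over a constructed policy set: exclusion addresses first, then the first enabled policy in priority order (1 highest, 0 lowest), else pass-through. Zone, group, network and policy names are hypothetical, and it assumes that a policy requiring a specific User/Group does not match when no authentication data is available.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class CfsPolicy:
    name: str
    priority: int              # 1 is the highest priority; 0 is the lowest
    source_zone: str
    dest_zone: str
    source_nets: tuple         # CIDRs of the Source Address object; () means Any
    user_group: str            # "All", or one user/group name
    schedule: Optional[tuple]  # (start_hour, end_hour), or None for Always On
    enabled: bool
    profile: str
    action: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_zone: str
    dest_zone: str
    user_groups: Optional[frozenset]  # None: no authentication data available
    when: datetime


def priority_key(policy: CfsPolicy) -> tuple:
    # Priority 1 is checked first; priority 0, the lowest, is checked last.
    return (policy.priority == 0, policy.priority)


def address_matches(nets: tuple, ip: str) -> bool:
    if not nets:               # Source Address = Any
        return True
    return any(ip_address(ip) in ip_network(n) for n in nets)


def user_matches(policy_group: str, user_groups: Optional[frozenset]) -> bool:
    if policy_group == "All":
        return True
    # Assumption: with no authentication data the User/Group condition is not
    # met, so the policy is skipped rather than CFS waiting for SSO data.
    return user_groups is not None and policy_group in user_groups


def schedule_matches(schedule: Optional[tuple], when: datetime) -> bool:
    if schedule is None:       # Always On
        return True
    start, end = schedule
    return start <= when.hour < end


def cfs_decide(packet: Packet, policies: list, excluded_nets: tuple) -> dict:
    """Outcome for one packet, following the five steps of How CFS Works."""
    # Step 2: excluded addresses are allowed through before any policy lookup.
    if excluded_nets and address_matches(excluded_nets, packet.src_ip):
        return {"result": "allow", "policy": None}
    # Step 3: first enabled policy, in priority order, whose conditions all match.
    for p in sorted(policies, key=priority_key):
        if (p.enabled
                and p.source_zone == packet.src_zone
                and p.dest_zone == packet.dest_zone
                and address_matches(p.source_nets, packet.src_ip)
                and user_matches(p.user_group, packet.user_groups)
                and schedule_matches(p.schedule, packet.when)):
            # Steps 4 and 5: filter with the policy's Profile, apply its Action.
            return {"result": "filter", "policy": p.name,
                    "profile": p.profile, "action": p.action}
    # No policy matched: the packet passes through without any CFS action.
    return {"result": "pass-through", "policy": None}


# Constructed sample configuration; names and networks are hypothetical.
SAMPLE_POLICIES = [
    CfsPolicy("Students-SchoolHours", 1, "LAN", "WAN", ("10.10.0.0/16",),
              "Students", (8, 16), True, "Student Profile", "Block Page"),
    CfsPolicy("Staff-Any", 2, "LAN", "WAN", (), "Staff", None, True,
              "Staff Profile", "Block Page"),
    CfsPolicy("Disabled-Catchall", 3, "LAN", "WAN", (), "All", None, False,
              "Unused Profile", "Block Page"),
    CfsPolicy("CFS Default Policy", 0, "LAN", "WAN", (), "All", None, True,
              "CFS Default Profile", "CFS Default Action"),
]
SAMPLE_EXCLUDED = ("10.10.250.0/24",)


def sample_decisions() -> dict:
    """Run constructed scenarios through cfs_decide and return the outcomes."""
    school = datetime(2024, 1, 15, 10, 0)    # constructed timestamps
    evening = datetime(2024, 1, 15, 18, 0)
    students = frozenset({"Students"})
    scenarios = {
        "student_in_hours": Packet("10.10.5.5", "LAN", "WAN", students, school),
        "student_after_hours": Packet("10.10.5.5", "LAN", "WAN", students, evening),
        "unauthenticated": Packet("10.10.5.5", "LAN", "WAN", None, school),
        "excluded_host": Packet("10.10.250.7", "LAN", "WAN", students, school),
        "dmz_to_wan": Packet("172.16.1.9", "DMZ", "WAN", frozenset({"Staff"}), school),
    }
    return {k: cfs_decide(p, SAMPLE_POLICIES, SAMPLE_EXCLUDED) for k, p in scenarios.items()}
```

Note that the unauthenticated packet falls through to the lowest-priority catch-all rather than waiting, and that the disabled policy is never consulted even though it would otherwise match everything.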

About CFS Logs

In Log > Settings, a new subcategory, Content Filter, has been added to the Security Services category. This new subcategory lists these logs:

CFS Alert
Website Accessed
Website Blocked

For information about configuring these logs, see Configuring Log Settings.

Enabling CFS

IMPORTANT: Before enabling CFS and configuring your CFS policies, configure your Content Filter Objects as described in Configuring Content Filter Objects.

To enable CFS:

1. Navigate to the Security Services > Content Filter page.
2. Choose the content filtering service from the Content Filter Type drop-down menu:
   SonicWall CFS (default)
   Websense Enterprise
3. In the Global Settings section, specify the maximum URL entries that can be cached in the Max URL Caches (entries) field. The default is 51200.
   In CFS 4.0, the URL rating is saved with a cached URL entry, which speeds processing of known URLs.
4. To enable content filtering for all packets, select the Enable Content Filtering Service checkbox. This option is selected by default. To bypass content filtering for all packets, deselect this option.
5. To enable content filtering for HTTPS sites, select the Enable HTTPS content filtering checkbox. This option is not selected by default.
   When this option is enabled, CFS performs the URL rating lookup in this order:
   a. Searches the client hello for the Server Name, which CFS uses to obtain the URL rating.
   b. If the Server Name is not available, searches the SSL certificate for the Common Name, which CFS uses to obtain the URL rating.
   c. If neither Server Name nor Common Name is available, CFS uses the IP address to obtain the URL rating.
6. To limit the time CFS waits for a rating response when filtering, select the Block if CFS Server Is Unavailable checkbox. This option is not selected by default.
   a. When this option is selected, the Server Timeout field becomes available. Enter the maximum time, in seconds, the CFS service has to respond to rating requests. The minimum is 2 seconds, the maximum is 10 seconds, and the default is 5 seconds.
7. To bypass content filtering for all requests from an account with administrator privileges, select the Exclude Administrator checkbox. This option is selected by default.
8. To bypass content filtering for all requests from a category of address objects, choose the address object from the Excluded Address drop-down menu. The default is None. You can also create a new address object by choosing Create new address object; for information about creating an address object, see Firewall > Address Objects.
9. Click Accept.

Configuring CFS Policies

This section describes the CFS Policy table and provides instructions for configuring, editing, and deleting a CFS policy.

About the CFS Policy Table

The CFS Policy table displays these columns:

Name

Name of the CFS policy.

Source Zone

Source zone for the CFS policy.

Destination Zone

Destination zone for the CFS policy.

Source Address

Source address object for the CFS policy.

User/Group

User or group to which the CFS policy applies.

Schedule

Time that the CFS policy is in effect.

Profile

CFS profile object used by the CFS policy. Mousing over the CFS profile object name displays the particulars of the CFS profile.

Action

CFS action object used by the CFS policy. Mousing over the CFS action object name displays the particulars of the CFS action.

Priority

Clicking the Priority for a CFS Policy displays the Change Policy Priority popup menu.

The priority of the CFS policy is displayed after From. You can change the priority by entering the new value in the To field. The highest priority is 1; 0 is the lowest priority.

Enable

To enable the CFS policy, select its checkbox. The default policy, CFS Default Policy, is enabled by default.

Configure

Displays these icons for each policy:

Statistics; mousing over this icon displays the Policy Statistics popup dialog.
Clear Statistics; clicking this icon (broom) clears all statistics for the CFS policy. A confirmation dialog displays.
Edit; clicking this icon displays the Edit CFS Policy dialog.
Delete; clicking this icon deletes the CFS policy. A confirmation dialog displays; click OK.

NOTE: The default CFS policy, CFS Default Policy, cannot be deleted, and its Delete icon is dimmed.

You can access all CFS objects by clicking the link under the policy table to navigate to the Firewall > Content Filter Objects page.

Searching the CFS Policy Table

You can search a long table for a specific IP address by:

1. Entering an IP address in the Lookup Policies by Address field. The IP address can be in either format:
   192.168.168.168
   fe80::c2ea:e4ff:fe59:a634
2. Clicking the Search (magnifying glass) icon.

Configuring a CFS Policy

To configure a CFS policy:

1. Navigate to the CFS Policies section of Security Services > Content Filter.
2. Click Add. The Add CFS Policy dialog displays.
3. In the Name field, enter a friendly, meaningful name for the new policy.
4. From the Source Zone drop-down menu, choose a zone.
5. From the Destination Zone drop-down menu, choose a zone.
6. From the Source Address drop-down menu, choose an address. The default is Any. You also can create a new address object by choosing Create new Address; for information about creating an address object, see Firewall > Address Objects.
7. From the User/Group drop-down menu, choose the user or group to which the policy applies. The default is All.
8. From the Schedule drop-down menu, choose when the policy is in effect. The default is Always On. You also can create a customized schedule by choosing Create new Schedule; for information about creating a schedule, see Configuring Time Settings.
9. From the Profile drop-down menu, choose a CFS profile object. You also can create a new CFS profile object by choosing Create new Profile; for information about creating a CFS profile object, see Configuring CFS Profile Objects.
10. From the Action drop-down menu, choose a CFS action object. You also can create a new CFS action object by choosing Create new Action; for information about creating a CFS action object, see Configuring CFS Action Objects.
11. Click Add.
12. To create more CFS policies, repeat Step 3 through Step 11 for each policy.
13. Click Close.

Editing a CFS Policy

To edit a CFS policy:

1. Click the Edit icon for the CFS Policy to be edited. The Edit CFS Policy dialog displays. This dialog is the same as the Add CFS Policy dialog.
   NOTE: You cannot edit the default policy, CFS Default Policy. Its Edit icon is dimmed.
2. To make your changes, follow the appropriate procedures in Configuring CFS Policies.

Deleting CFS Policies

To delete CFS policies:

1. Do one of these:
   Click the Delete icon for the CFS Policy to be deleted.
   NOTE: You cannot delete the default policy, CFS Default Policy. Its Delete icon is dimmed.
   Click the checkbox for one or more CFS Policies to be deleted. The Delete button becomes active; click it.

To delete all CFS Policies:

1. Click the Delete All button. All CFS Policies are deleted except for the default policy, CFS Default Policy.

Configuring CFS Custom Categories

This section describes the CFS Custom Category table and provides instructions for configuring, editing, and deleting CFS custom categories. Importing and exporting the custom category table are also described.

About the CFS Custom Category Table

The CFS Custom Category table displays these columns:

Domain

Domain name or IP address to which the custom category applies.

Categories

Categories selected for the custom category.

Configure

Displays the Edit and Delete icons for each domain.

Searching the CFS Custom Category Table

You can search a long table for a specific IP address by:

1. Entering an IP address in the Lookup Policies by Address field. The IP address can be in either format:
   192.168.168.168
   fe80::c2ea:e4ff:fe59:a634
2. Clicking the Search (magnifying glass) icon.

Requesting a Rating Review

If you believe that a web site is rated incorrectly or you wish to submit a new URL, submit a request to the SonicWall Content Filtering Service by clicking the link at the bottom of the CFS Custom Category table: If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here.

The CFS URL Rating Review Request form displays.

Configuring a CFS Custom Category

You can customize ratings for certain URLs. Up to 5,000 valid entries are supported. Custom categories are processed like the categories provided by the backend server. When CFS checks the rating for a URL, it checks the user rating first and then the rating from the backend server.

Enabling Custom Categories

Before you can use custom categories, you must enable the service.

To enable custom categories:

1. Navigate to the CFS Custom Categories section of Security Services > Content Filter.
2. Select the Enable CFS Custom Category checkbox. This option is not selected by default.
3. Click Accept.

Configuring a Custom Category

To define a custom category:

1. Navigate to the CFS Custom Categories section of Security Services > Content Filter.
2. Click Add. The Add CFS Custom Category dialog displays.
3. In the Domain field, enter the IP address or domain name of the domain to which the custom category applies:
   The IP address can be in either of these formats:
   192.168.168.168
   fe80::c2ea:e4ff:fe59:a634
   Omit the www. prefix for a domain name. If you include it, a confirmation message displays; when you click OK, the prefix is removed from the domain name in the Domain field.
4. Select up to four categories from the list.
5. Click Add.
6. To create more CFS custom categories, repeat Step 3 through Step 5 for each custom category.
   NOTE: Each custom category you create is a separate entry in the CFS Custom Category table; they are not concatenated.
7. Click Close. The CFS Custom Category table is updated.

Exporting the CFS Custom Category Table

You can export the CFS Custom Category table to a .wri file you can edit and save for importing.

To export the CFS Custom Category table:

1. Navigate to the CFS Custom Categories section of Security Services > Content Filter.
2. Click Export. The Opening cfsCustomCategoryData.wri dialog displays.
3. You can either open the file (the default program is Notepad) or save it. If you save the file, it is downloaded to your Downloads folder with the file name cfsCustomCategoryData.wri; new line characters are added after each entry.
   NOTE: The file consists of all the CFS Custom Category table entries, all on one line.
4. Click OK.

Importing a CFS Custom Category Table

You can import a file of CFS Custom Category table entries. The entries in this file will overwrite the existing entries in the table.

The file should contain entries in this format:

DomainName/IPAddress: Rating1[, Rating2[, Rating3[, Rating4]]] Separator

The tokens in this format are:

DomainName - A domain name, such as SonicWall. If you include the www. prefix, it is ignored.
IPAddress - A standard (IPv4) or IPv6 IP address, such as:
   192.168.168.168
   fe80::c2ea:e4ff:fe59:a634
Rating - A category rating from 1-64, as shown in the Add CFS Custom Category dialog. You can specify up to 4 ratings for each custom category.
Separator - A carriage return or new line separator.
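An added Python validator for this import format (not a SonicWall tool), useful for checking a hand-edited export before importing it, since the import replaces the whole table. It splits on CR, LF or CRLF, takes the ratings after the last colon so IPv6 keys parse, drops the www. prefix, and enforces the 1-4 ratings, 1-64 range and 5,000-entry limits; the sample entries are constructed, and treating a repeated key as replacing the earlier one is an assumption.

```python
import re
from ipaddress import ip_address

MAX_ENTRIES = 5000            # entry limit stated for custom categories
MAX_RATINGS = 4               # up to four ratings per entry
RATING_RANGE = range(1, 65)   # category ratings are numbered 1-64
# Hostname labels: letters, digits and hyphens, no leading/trailing hyphen.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def normalize_key(raw: str) -> str:
    """Lower-case the domain/IP key and drop the www. prefix the import ignores."""
    key = raw.strip().lower()
    return key[4:] if key.startswith("www.") else key


def is_valid_key(key: str) -> bool:
    """Accept an IPv4/IPv6 address or a syntactically valid domain name."""
    try:
        ip_address(key)
        return True
    except ValueError:
        return bool(_DOMAIN_RE.match(key))


def parse_custom_categories(text: str) -> tuple:
    """Parse import-file text into ({key: ratings_tuple}, [(line_no, error), ...])."""
    entries, errors = {}, []
    # Separator may be CR, LF or CRLF; match CRLF first so it counts once.
    for lineno, line in enumerate(re.split(r"\r\n|\r|\n", text), 1):
        if not line.strip():
            continue
        # IPv6 keys contain colons, so the rating list follows the LAST colon.
        head, sep, tail = line.rpartition(":")
        if not sep:
            errors.append((lineno, "missing ':' between key and ratings"))
            continue
        key = normalize_key(head)
        if not is_valid_key(key):
            errors.append((lineno, f"invalid domain or IP address: {head.strip()!r}"))
            continue
        try:
            ratings = tuple(int(r) for r in tail.split(","))
        except ValueError:
            errors.append((lineno, f"ratings must be integers: {tail.strip()!r}"))
            continue
        if not 1 <= len(ratings) <= MAX_RATINGS or any(r not in RATING_RANGE for r in ratings):
            errors.append((lineno, f"need 1-{MAX_RATINGS} ratings, each 1-64: {ratings}"))
            continue
        # Assumption: a repeated key later in the file replaces the earlier entry.
        entries[key] = ratings
    if len(entries) > MAX_ENTRIES:
        errors.append((0, f"{len(entries)} entries exceed the {MAX_ENTRIES} limit"))
    return entries, errors


def format_custom_categories(entries: dict) -> str:
    """Serialize entries back into the import format, one entry per line."""
    lines = [f"{k}: {', '.join(str(r) for r in v)}" for k, v in sorted(entries.items())]
    return "\n".join(lines) + "\n"


# Constructed sample file mixing CRLF, LF and CR separators and three bad entries.
SAMPLE_IMPORT = (
    "www.example.com: 1, 64\r\n"
    "192.168.168.168: 7\n"
    "fe80::c2ea:e4ff:fe59:a634: 3, 4, 5, 6\r"
    "bad_domain!: 2\n"                 # invalid hostname characters
    "example.org: 1, 2, 3, 4, 5\n"     # five ratings, one too many
    "example.net: 0\n"                 # rating outside 1-64
)
```

Running parse_custom_categories on SAMPLE_IMPORT yields three valid entries and errors on lines 4, 5 and 6; a file that round-trips through format_custom_categories without errors is safe to import.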

To import a custom category table:

1. Navigate to the CFS Custom Categories section of Security Services > Content Filter.
2. Click Import. A confirmation dialog displays.
   All current entries in the CFS Custom Category table are replaced with the entries in the file. Any entries you want to keep must be in the file.
   TIP: Export the CFS Custom Category table and make your changes in the exported file before importing table entries.
3. Click OK.

Editing a CFS Custom Category

To edit a CFS custom category:

1. Click the Edit icon for the CFS custom category to be edited. The Edit CFS Custom Category dialog displays. This dialog is the same as the Add CFS Custom Category dialog.
2. To make your changes, follow the appropriate procedures in Configuring a CFS Custom Category.

Deleting CFS Custom Categories

To delete CFS custom categories:

1. Do one of these:
   Click the Delete icon for the CFS custom categories to be deleted.
   Click the checkbox for one or more CFS custom categories to be deleted. The Delete button becomes active; click it.
   A confirmation message displays.
2. Click OK.

To delete all CFS custom categories:

1. Click the Delete All button.
2. Click OK. All CFS custom categories are deleted.

Activating SonicWall Client Anti-Virus

Security Services > Client AV Enforcement

By their nature, anti-virus products typically require regular, active maintenance on every PC. When a new virus is discovered, all anti-virus software deployed within an organization must be updated with the latest virus definition files. Failure to do so severely limits the effectiveness of anti-virus software and disrupts productive work time. With more than 50,000 known viruses and new virus outbreaks occurring regularly, the task of maintaining and updating virus protection can become unwieldy. Unfortunately, many small to medium businesses do not have adequate IT staff to maintain their anti-virus software. The resulting gaps in virus defenses may lead to data loss and decreased employee productivity.

The widespread outbreaks of viruses, such as NIMDA and Code Red, illustrate the problematic nature of virus defense for small and medium businesses. Users without the most current virus definition files allow these viruses to multiply and infect many other users and networks. SonicWall Client Anti-Virus prevents occurrences like these and offers a new approach to virus protection. SonicOS constantly monitors the version of the virus definition file and automatically triggers download and installation of new virus definition files to each user’s computer. In addition, the firewall restricts each user’s access to the Internet until they are protected, thereby acting as an enforcer of the company’s virus protection policy. This approach ensures the most current version of the virus definition file is installed and active on each PC on the network, preventing a rogue user from disabling the virus protection and potentially exposing the entire organization to an outbreak.

NOTE: You must purchase an Anti-Virus subscription to enforce Anti-Virus through the firewall’s management interface.

SonicOS supports both McAfee and Kaspersky client anti-virus for client AV enforcement. These services are licensed separately, allowing you to purchase the desired number of each license for your deployment.

Configuring Client Anti-Virus Service

For information on activating Network Anti-Virus Service, see Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License.

Client AV Status

The Client AV Status section:

Displays information about whether the firewall is licensed, the number of licenses, and the date the license expires.
Contains a link to log in to MySonicWall for managing and reviewing detailed system and network information. Clicking this link displays the Licenses > License Management page for MySonicWall login.
Contains a link to the Network > Zones page for configuring Client AV on a per-zone basis.

Client Anti-Virus Policies

The following features are available in the Client Anti-Virus Policies section:

Disable policing from Trusted to Public - When cleared, anti-virus policies are enforced on computers located on Trusted zones. When selected, computers on a trusted zone (such as a LAN) can access computers on public zones (such as DMZ) even if anti-virus software is not installed on the LAN computers.
Switch McAfee AV to Kaspersky AV for clients on Kaspersky enforcement list - When selected, uses Kaspersky AV for clients on the Kaspersky enforcement list instead of McAfee AV.
Days before forcing update - This feature defines the maximum number of days of access to the Internet before the SonicWall requires the latest virus definition files to be downloaded. Select from 0 to 5 days; 5 is the default.
Force update on alert - SonicWall broadcasts virus alerts to all SonicWall appliances with an Anti-Virus subscription. Three levels of alerts are available, and you may select more than one. When an alert is received with this option selected, users are upgraded to the latest version of VirusScan ASaP before they can access the Internet. This option overrides the maximum number of days allowed before forcing update selection. In addition, every virus alert is logged, and an alert message is sent to the administrator.
Low Risk - A virus that is not reported in the field and is considered unlikely to be found in the field in the future has a low risk. Even if such a virus includes a very serious or unforeseeable damage payload, its risk is still low. This option is not selected by default.
Medium Risk - If a virus is found in the field, and if it uses a less common infection mechanism, it is considered to be medium risk. If its prevalence stays low and its payload is not serious, it can be downgraded to a low risk. Similarly it can be upgraded to high risk if the virus becomes more and more widespread. This option is selected by default.
High Risk - To be assigned a high risk rating, it is necessary that a virus is reported frequently in the field. Additionally, the payload must have the ability to cause at least some serious damage. If it causes very serious or unforeseeable damage, high risk may be assigned even with a lower level of prevalence. This option is selected by default.

Anti-Virus Enforcement

The Client Anti-Virus Enforcement table has two entries, both with a Type of Group:

Third-party Client AV Enforcement List (where Third-party is McAfee or Kaspersky, depending on which you use)
Excluded from Client AV Enforcement List

To see the IP addresses associated with each entry, click the Expand icon. The Address Detail, Type, and Zone for each entry displays. If you have not configured the enforcement list, clicking the Expand icon displays No Entries.

To hide the IP addresses, click the Collapse icon.

You can edit or add to these two entries, but you cannot delete them.

Creating the Client AV Enforcement List

NOTE: Predefined Address Objects, such as interface IPs or the Default Gateway, cannot be edited or deleted individually; their Edit and Delete icons are dimmed. You remove a predefined Address Object from the Client AV Enforcement List by editing the List itself. You can, however, edit or delete any Address Object you have defined.

You need to configure the client AV enforcement list with the Address Objects whose IP addresses are to have Client AV enforced.

You can define ranges of IP addresses to receive Anti-Virus enforcement by creating an Address Object containing a range of IP addresses. Any computer requiring enforcement needs a static IP address within the specified range of IP addresses. Up to 64 IP address ranges can be entered for enforcement.

To create the client AV enforcement list from existing Address Objects:
1
Scroll to the Client Anti-Virus Enforcement section.
2
Click the Edit icon for the Third-party Client AV Enforcement List. The Edit Address Object Group dialog displays.

3
Select the IP address(es) to have client AV enforcement from the list on the left.
4
Click the Right Arrow button to move the entries to the list on the right.
5
When finished adding Address Objects, click OK.
To add an Address Object to the Client AV Enforcement List:
1
Scroll to the Client Anti-Virus Enforcement section.
2
Click the Add icon for the Third-party Client AV Enforcement List. The Add Address Object dialog displays.

3
Enter a friendly name in the Name field.
4
Select the zone from the Zone Assignment drop-down menu.
5
Select the type from the Type drop-down menu.
6
Enter the IP address of the Address Object in the IP Address field.
7
Click OK.
Excluding Address Objects from the Client AV Enforcement List

SonicWall Client Anti-Virus currently supports Windows platforms only. Computers running other operating systems must be excluded from Client AV enforcement in order to access the Internet.

* 
CAUTION: To ensure full network protection from virus attacks, it is recommended that only servers and unsupported machines be excluded from protection and that third-party anti-virus software is installed on each machine before excluding that machine from Anti-Virus enforcement.
* 
NOTE: Predefined Address Objects, such as interface IPs or the Default Gateway cannot be edited or deleted individually; their Edit and Delete icons are dimmed. You remove a predefined Address Object from the Excluded from Client AV Enforcement List through editing the List itself. You can, however, edit or delete any Address Object you have defined.
To define excluded Address Objects:
1
Scroll to the Client Anti-Virus Enforcement section.
2
Click the Edit icon for the Excluded from Client AV Enforcement List. The Edit Address Object Group displays.

3
Select the Address Object(s) to be excluded from the list on the left.
4
Click the Right Arrow to move the objects to the list on the right.
5
When finished excluding Address Objects, click OK.
To add an Address Object to the Excluded from Client AV Enforcement List:
1
Scroll to the Client Anti-Virus Enforcement section.
2
Click the Add icon for the Excluded from Client AV Enforcement List. The Add Address Object dialog displays.

3
Enter a friendly name in the Name field.
4
Select the zone from the Zone Assignment drop-down menu.
5
Select the type from the Type drop-down menu.
6
Enter the IP address of the Address Object in the IP Address field.
7
Click OK.
Protecting Computers Not In Either List

For those computers not included in either enforcement list, you can specify the type of default enforcement to be applied to them.

To specify a default enforcement to computers not in an enforcement list:
1
Scroll to the bottom of the Security Services > Client AV Enforcement page.
2
Select the type of default enforcement from the For computers whose addresses do not fall in any of the above lists, the default enforcement is drop-down menu:
None (default)
Third-party anti-virus program (McAfee or Kaspersky, depending on your system)
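The two lists above and the default-enforcement setting together decide what happens to a given host. The following added example (not SonicWall's code; it models the behaviour the guide describes) resolves that decision for a host address, enforces the 64-range limit on the enforcement list, and accepts the range, subnet and single-host forms an Address Object can take. The guide does not say which list wins when a host appears in both, so the assumption that the exclusion list takes precedence is labelled as such in the code.

```python
import ipaddress

MAX_ENFORCEMENT_RANGES = 64   # limit stated in the guide


def parse_range(spec):
    """Accept '10.0.1.10-10.0.1.50', '10.0.2.0/24' or a single host; return (first, last)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.ip_address(spec)
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec}")
    return lo, hi


class ClientAvEnforcement:
    """Resolves the Client AV decision for one host from the two lists plus the default."""

    ENFORCE = "Third-party anti-virus program"
    NONE = "None"

    def __init__(self, enforced, excluded, default=NONE):
        if len(enforced) > MAX_ENFORCEMENT_RANGES:
            raise ValueError(f"at most {MAX_ENFORCEMENT_RANGES} enforcement ranges are allowed")
        if default not in (self.ENFORCE, self.NONE):
            raise ValueError(f"unknown default enforcement: {default}")
        self.enforced = [parse_range(s) for s in enforced]
        self.excluded = [parse_range(s) for s in excluded]
        self.default = default

    @staticmethod
    def _contains(ranges, ip):
        return any(lo <= ip <= hi for lo, hi in ranges)

    def decide(self, host):
        ip = ipaddress.ip_address(host)
        # Assumption: an explicit exclusion wins over an enforcement range on overlap.
        if self._contains(self.excluded, ip):
            return self.NONE
        if self._contains(self.enforced, ip):
            return self.ENFORCE
        # Hosts in neither list get the page-level default.
        return self.default


if __name__ == "__main__":
    # Constructed sample lists: a workstation range, a subnet, a server exemption, an unsupported-OS subnet.
    policy = ClientAvEnforcement(
        enforced=["10.0.1.10-10.0.1.50", "10.0.2.0/24"],
        excluded=["10.0.1.20", "10.0.5.0/24"],
        default=ClientAvEnforcement.NONE,
    )
    for host in ("10.0.1.30", "10.0.1.20", "10.0.5.9", "10.0.9.1"):
        print(f"{host:>10}: {policy.decide(host)}")
```

Because enforcement keys on static addresses, a host that moves out of its range silently falls back to the default; setting the default to the third-party program closes that gap for everything except the exclusion list.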

Configuring Client CF Enforcement

Security Services > Client CF Enforcement

SonicWall Client CF Enforcement provides protection and productivity policy enforcement for businesses, schools, libraries and government agencies. SonicWall has created a revolutionary content filtering architecture, utilizing a scalable, dynamic database to block objectionable and unproductive Web content.

Client CF Enforcement provides the ideal combination of control and flexibility to ensure the highest levels of protection and productivity. Client CF Enforcement prevents individual users from accessing inappropriate content while reducing organizational liability and increasing productivity. Web sites are rated according to the type of content they contain. The Content Filtering Service (CFS) blocks or allows access to these web sites based on their ratings and the policy settings for a user or group.

Businesses can typically control web surfing behavior and content when the browsing is initiated within the perimeter of the security appliance by setting filter policies on the appliance. But when the same device exits the perimeter, the control is lost. Client CF Enforcement kicks into action to address this gap, by blocking objectionable and unproductive Web content outside the security appliance perimeter.

SonicWall security appliances working in conjunction with Client CF Enforcement automatically and consistently ensure all endpoints have the latest software updates for the ultimate network protection. The client is designed to work with both Windows and Mac PCs.

Client CF Enforcement consists of the following three main components:

A Network Security Appliance running SonicOS, whose role is to facilitate and verify licensing of CFS, enable or disable enforcement, and configure exclusions and other settings.
Automatic installation triggering: any client that attempts to access the Internet without the client software installed is blocked from reaching websites until the Client CF Enforcement software is installed.
Administration of client policies and client groups using the cloud-based EPRS server, accessed from MySonicWall or from SonicOS running on the appliance.
Topics:  

Enabling and Configuring Client CF Enforcement

This section describes how to enable and configure settings for Client CF Enforcement in SonicOS.

Client CF Enforcement must be enabled on the SonicWall appliance before users will be presented with a Website block page, which prompts the user to install the Client CF Enforcement.

* 
NOTE: If the Content Filtering Client (CFS) is not activated on MySonicWall, you must activate it to enforce client content filtering policies on client systems.

Configuring Client CF Enforcement in Security Services

To configure settings for Client CF Enforcement:
1
Log in to your SonicWall security appliance.
2
Navigate to the Security Services > Client CF Enforcement page.

3
Under the Client CF Enforcement Policies section, select the number of days from the drop-down list for the Grace Period during which CFS enforcement policies remain valid.

The Client CF Enforcement Lists section contains a table with two entries: the Client CF Enforcement List and the Excluded from Client CF Enforcement List.

4
Configure the Client CF Enforcement List and the Excluded from Client CF Enforcement List as needed. If you have made entries in either list, click the arrow next to the list title to display them. To add entries to a list, click the Configure icon in that row; the Edit Address Object Group dialog displays, and you select from the available list the Address Objects to include in (or exclude from) enforcement.
5
For the field labeled For computers whose addresses do not fall in any of the above lists, the default enforcement is, select Client CF Enforcement from the drop-down list. This is located below the Client CF Enforcement Lists section. Selecting this will prompt all other computers connecting to the Internet through the appliance to install the Enforced Client. You can select None from the drop-down list if you only want to enforce the service on computers that you have configured.
6
Click Accept.

Enabling Client CFS in Network Zones

Client Content Filtering is enforced on a per-zone basis. To enable it for a zone:

1
On the Security Services > Summary page, click the Network > Zones link in the Note.

The Network > Zones page displays.

2
Click the Configure button for the zone on which you want to enforce the Client Content Filtering Service. The Add Zone dialog appears.

3
Select the Enable Client CF Service checkbox.
4
Click OK.

Managing SonicWall Gateway Anti‑Virus Service

Security Services > Gateway Anti-Virus

SonicWall Gateway Anti-Virus (GAV) delivers real-time virus protection directly on the SonicWall security appliance by using SonicWall’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWall gateway. Building on SonicWall’s reassembly-free architecture, SonicWall GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic. Because SonicWall GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis.

SonicWall GAV delivers threat protection by matching downloaded or e-mailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWall’s SonicAlert Team, third-party virus analysts, open source developers, and other sources.

SonicWall GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based protocols, to provide you with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWall GAV integrates advanced decompression technology that automatically decompresses and scans files on a per-packet basis.

Topics:  

SonicWall GAV Multi-Layered Approach

SonicWall GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop, the network, and at remote sites; see SonicWall GAV multi-layer approach. SonicWall GAV enforces anti-virus policies at the gateway to ensure all users have the latest updates and monitors files as they come into the network.

SonicWall GAV multi-layer approach

Topics:  

Remote Site Protection

Remote site protection

1
Users send typical e-mail and files between remote sites and the corporate office.
2
SonicWall GAV scans and analyzes files and e-mail messages on the SonicWall security appliance.
3
Viruses are found and blocked before infecting the remote desktop.
4
The virus is logged, and an alert is sent to the administrator.

Internal Network Protection

Internal network protection

1
Internal user contracts a virus and releases it internally.
2
All files are scanned at the gateway before being received by other network users.
3
If a virus is found, the file is discarded.
4
The virus is logged, and an alert is sent to the administrator.

HTTP File Downloads

HTTP file downloads

1
Client makes a request to download a file from the Web.
2
The file is downloaded through the Internet.
3
The file is analyzed by the SonicWall GAV engine for malicious code and viruses.
4
If a virus is found, the file is discarded.
5
The virus is logged, and an alert is sent to the administrator.

Server Protection

Server protection

1
Outside user sends an incoming email.
2
The email is analyzed by the SonicWall GAV engine for malicious code and viruses before being received by the email server.
3
If a virus is found, the threat is prevented.
4
The email is returned to the sender, the virus is logged, and an alert is sent to the administrator.

Cloud Anti-Virus Database

The Cloud Gateway Anti-Virus feature introduces an advanced malware scanning solution that complements and extends the existing Gateway Anti-Virus scanning mechanisms present on SonicWall firewalls to counter the continued growth in the number of malware samples in the wild.

Cloud Gateway Anti-Virus expands the Reassembly Free Deep Packet Inspection engine capabilities by consulting with the datacenter-based malware analysis servers. This approach keeps the foundation of RFDPI-based malware detection by providing a low-latency, real-time solution that is capable of scanning unlimited numbers of files of unlimited size on all protocols that are presently supported without adding any significant incremental processing overhead to the appliances themselves. With this additional layer of security, SonicWall’s Next Generation Firewalls are able to extend their current protection to cover multiple millions of pieces of malware.

SonicWall GAV Architecture

SonicWall GAV is based on SonicWall's high performance DPIv2.0 engine (Deep Packet Inspection version 2.0), which performs all scanning directly on the SonicWall security appliance. SonicWall GAV includes advanced decompression technology that can automatically decompress and scan files on a per-packet basis to search for viruses and malware; see SonicWall GAV architecture. The SonicWall GAV engine can perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because SonicWall's GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWall GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream.

SonicWall GAV architecture

Building on SonicWall's reassembly-free architecture, GAV has the ability to inspect multiple application protocols, as well as generic TCP streams, and compressed traffic. SonicWall GAV protocol inspection is based on high performance state machines which are specific to each supported protocol. SonicWall GAV delivers protection by inspecting the most common protocols used in today's networked environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based protocols. This closes potential backdoors that can be used to compromise the network while also improving employee productivity and conserving Internet bandwidth.

* 
TIP: If your SonicWall security appliance is connected to the Internet and registered at mySonicWall.com, you can activate a 30-day FREE TRIAL of SonicWall Gateway Anti-Virus, SonicWall Anti-Spyware, and SonicWall Intrusion Prevention Service separately from the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, and Security Services > Intrusion Prevention pages in the management interface.

Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License

Your appliance must be registered on MySonicWall to use these security services. See your Getting Started Guide for information on creating a MySonicWall account and registering your appliance. For information about upgrading the services in a closed environment, see Manual Upgrade for Closed Environments.

Because SonicWall Anti-Spyware is part of SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, the Activation Key you receive is for all three services on your SonicWall security appliance.

If you do not have a SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license activated on your SonicWall security appliance, you must purchase it from a SonicWall reseller or through your mySonicWall.com account (limited to customers in the USA and Canada).

Activating FREE TRIALs

You can try FREE TRIAL versions of SonicWall Gateway Anti-Virus, SonicWall Anti-Spyware, and SonicWall Intrusion Prevention Service. For information about activating a free trial of any or all of the Security Services, see the Getting Started Guide for your appliance.

Setting Up SonicWall Gateway Anti-Virus Protection

Activating the SonicWall Gateway Anti-Virus license on your SonicWall security appliance does not automatically enable the protection.

To configure SonicWall Gateway Anti-Virus:
1
Enable SonicWall Gateway Anti-Virus.
2
Apply SonicWall Gateway Anti-Virus Protection to zones.
* 
NOTE: For complete instructions on setting up SonicWall Gateway Anti-Virus, refer to the SonicWall Gateway Anti-Virus Administration Guide.
Topics:  

Security Services > Gateway Anti‑Virus Page

The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWall GAV on your SonicWall security appliance as well as displays both the anti-virus status and the anti-virus signatures.

Enabling SonicWall GAV

You must select the Enable Gateway Anti-Virus checkbox in the Gateway Anti-Virus Global Settings section to enable SonicWall GAV on your SonicWall security appliance.

You must also specify the zones you want SonicWall GAV protection applied to on the Network > Zones page.

Applying SonicWall GAV Protection on Zones

You apply SonicWall GAV to zones when you add or edit a zone on the Network > Zones page. From the Security Services > Gateway Anti-Virus page, you can display the Network > Zones page quickly by clicking the Network > Zones link in the note Enable the Gateway Anti-Virus per zone from the Network > Zones page in the Gateway Anti-Virus Status section.

* 
NOTE: For instructions on applying SonicWall GAV protection to zones, refer to Applying SonicWall GAV Protection on Zones.

Viewing SonicWall GAV Status Information

The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including the database's timestamp, and the time the SonicWall signature servers were last checked for the most current database version. The SonicWall security appliance automatically attempts to synchronize the database on startup, and once every hour.

Topics:  
Checking the SonicWall GAV Signature Database Status

The Gateway Anti-Virus Status section displays the following information:

Signature Database indicates whether the signature database needs to be downloaded or has been downloaded.
Signature Database Timestamp displays the last update to the SonicWall GAV signature database, not the last update to your SonicWall security appliance.
Last Checked indicates the last time the SonicWall security appliance checked the signature database for updates. The SonicWall security appliance automatically attempts to synchronize the database on startup, and once every hour.
Gateway Anti-Virus Expiration Date indicates the date when the SonicWall GAV service expires. If your SonicWall GAV subscription expires, SonicWall GAV inspection is stopped and the SonicWall GAV configuration settings are removed from the SonicWall security appliance. These settings are automatically restored to the previously configured state after you renew your SonicWall GAV license.

The Gateway Anti-Virus Status section displays Note: Enable the Gateway Anti-Virus per zone from the Network > Zones page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWall GAV on zones.

* 
NOTE: For instructions on applying SonicWall GAV protection to zones, refer to Applying SonicWall GAV Protection on Zones.
Updating SonicWall GAV Signatures

By default, the SonicWall security appliance running SonicWall GAV automatically checks the SonicWall signature servers once an hour. There is no need for an administrator to constantly check for new signature updates. You can also manually update your SonicWall GAV database at any time by clicking the Update button located in the Gateway Anti-Virus Status section.

SonicWall GAV signature updates are secured. The SonicWall security appliance must first authenticate itself with a pre-shared secret, created during the SonicWall Distributed Enforcement Architecture licensing registration. The signature request is transported through HTTPS, along with full server certificate verification.

Specifying Protocol Filtering

Application-level awareness of the type of protocol that is transporting the violation allows SonicWall GAV to perform specific actions within the context of the application to gracefully handle the rejection of the payload.

Topics:  
Enabling Inbound Inspection

By default, SonicWall GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.

Within the context of SonicWall GAV, the Enable Inbound Inspection protocol traffic handling refers to the following; see the Inspection of inbound traffic: SMTP vs. all other traffic table:

Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to any zone.
Non-SMTP traffic from a Public zone destined to an Untrusted zone.
SMTP traffic initiating from a non-Trusted zone destined to a Trusted, Wireless, Encrypted, or Public zone.
SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to a Trusted, Wireless, or Encrypted zone.
 

Inspection of inbound traffic: SMTP vs. all other traffic

[Table: two matrices, SMTP traffic and All other traffic, each with From zones as rows and To zones as columns (Trusted, Encrypted, Wireless, Public, Untrusted). The marks in the cells did not survive extraction; the inspected zone pairs are the four cases listed above.]
Enabling Outbound Inspection

The Enable Outbound Inspection feature is available for HTTP, FTP, SMTP, and TCP traffic.

Restricting File Transfers

For each protocol, except TCP Stream, you can restrict the transfer of files with specific attributes by clicking on the Settings button under the protocol in the Gateway Anti-Virus Global Settings section.

Topics:  
FTP Settings

These restrict-transfer FTP Settings include:

Restrict Transfer of password-protected Zip files - Disables the transfer of password protected ZIP files over any enabled protocol. This option only functions on protocols (for example, HTTP, FTP, SMTP) that are enabled for inspection.
Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the transfers of any MS Office 97 and above files that contain VBA macros.
Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed executable files.

Packers are utilities that compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer prepends a stub that unpacks the original file in memory and then executes it.

SonicWall Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are dynamically added along with SonicWall GAV signature updates.

Exclusion Settings
Drop-down menu – Excludes the selected address object from the restrict-transfer FTP settings.
Resetting Gateway AV Settings
1
To reset all Gateway Anti-Virus (AV) settings to factory default values, click the Reset Gateway AV Settings button. A confirmation message displays.

2
Click OK.

Configuring Gateway AV Settings

Clicking the Configure Gateway AV Settings button at the bottom of the Gateway Anti-Virus Global Settings section displays the Gateway AV Config View dialog, which allows you to configure clientless notification alerts and create a SonicWall GAV exclusion list.

Topics:  
Configuring Gateway AV Settings

To configure Gateway AV options:
1
To suppress the sending of e-mail messages (SMTP) to clients from SonicWall GAV when a virus is detected in an e-mail or attachment, select the Disable SMTP Responses checkbox. This option is not selected by default.
2
The EICAR Standard Anti-Virus Test file is a special virus simulator file that checks and confirms the correct operation of the SonicWall Gateway AV service. To suppress the detection of the EICAR test file, select the Disable detection of EICAR test virus checkbox. This setting is selected by default.
3
To allow byte serving, the process of sending only a portion of an HTTP message or file, select the Enable HTTP Byte-Range requests with Gateway AV checkbox. This setting is selected by default.

When this option is cleared, SonicWall GAV suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly of potentially malicious content. It does this by terminating the connection, which prevents the user from receiving the malicious payload. Leaving the option selected overrides that behavior.

4
To allow the use of the FTP REST request to retrieve and reassemble sectional messages and files, select the Enable FTP ‘REST’ requests with Gateway AV checkbox. This setting is selected by default.

When this option is cleared, SonicWall GAV suppresses the use of the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious content. It does this by terminating the connection, which prevents the user from receiving the malicious payload. Leaving the option selected overrides that behavior.

5
To suppress the scanning of files, or parts of files, that have high compression rates, select the Do not scan parts of files with high compression rates checkbox. This setting is selected by default.
6
To block files containing multiple levels of zip and/or gzip compression, select the Block files with multiple levels of zip/gzip compression checkbox. This setting is not selected by default.
7
To have the Gateway AV service in detection-only mode, which only detects and logs virus traffic without stopping such traffic, select the Enable detection-only mode checkbox. This setting is not selected by default.
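The Restrict Transfer options in the FTP Settings section above (password-protected ZIP files, Office files with VBA macros, packed executables) and the Block files with multiple levels of zip/gzip compression option in this dialog all key on attributes of the file itself. The following added example (not SonicWall's code, and operating on whole files rather than per-packet as the GAV engine does) shows what each of those checks actually looks at: the encryption bit in a ZIP entry's general-purpose flag, the vbaProject.bin container that OOXML documents carry macros in, packer-named PE sections, and archive entries that are themselves ZIP or gzip streams. The packer section-name list is an illustrative assumption: UPX, ASPack and Petite name their sections, FSG and PKLite32 do not, so a production detector needs entry-point and import-table heuristics as well. Legacy OLE (.doc/.xls) macro detection is out of scope here. The sample files are constructed inline.

```python
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
GZIP_MAGIC = b"\x1f\x8b"
# Assumption: section names left behind by common packers (illustrative, not exhaustive).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1", b".aspack", b".adata", b".petite"}


def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_header_size                      # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def inspect_zip(data):
    """Flag encrypted entries, OOXML macro containers and nested zip/gzip payloads."""
    findings = set()
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for info in archive.infolist():
        if info.flag_bits & 0x1:                     # general-purpose bit 0: entry is encrypted
            findings.add("password-protected-zip")
            continue                                 # payload unreadable without the password
        if info.filename.lower().endswith("vbaproject.bin"):
            findings.add("office-macro")             # .docm/.xlsm/.pptm keep VBA in this part
        head = archive.open(info).read(4)
        if head.startswith(ZIP_MAGIC) or head.startswith(GZIP_MAGIC):
            findings.add("nested-compression")       # a second compression level inside the archive
    return findings


def classify_transfer(data):
    """Return the set of restricted attributes found in a transferred file (empty = allowed)."""
    findings = set()
    if data.startswith(b"MZ"):
        if any(name in PACKER_SECTION_NAMES for name in pe_section_names(data)):
            findings.add("packed-executable")
    elif data.startswith(ZIP_MAGIC):
        findings |= inspect_zip(data)
    return findings


# --- constructed samples (not real files) ---
def build_zip(entries, encrypted=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        for name, content in entries:
            archive.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the general-purpose flag in each local header (offset 6)
        # and central-directory record (offset 8), as a password-protected ZIP would have.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                data[i + off] |= 0x1
                i = data.find(sig, i + 1)
    return bytes(data)


def build_pe(section_names):
    """Minimal PE skeleton: DOS header, COFF header with no optional header, section table only."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + coff + sections


if __name__ == "__main__":
    samples = {
        "locked.zip": build_zip([("notes.txt", b"hello")], encrypted=True),
        "report.docm": build_zip([("[Content_Types].xml", b"<Types/>"), ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")]),
        "bundle.zip": build_zip([("inner.zip", build_zip([("a.txt", b"x")]))]),
        "tool.exe": build_pe([b"UPX0", b"UPX1", b".rsrc"]),
        "clean.exe": build_pe([b".text", b".data"]),
    }
    for name, blob in samples.items():
        print(f"{name}: {sorted(classify_transfer(blob)) or 'allowed'}")
```

Note that the password-protected check never needs the archive's contents: the flag sits in the headers, which is why a gateway can enforce it without the password. The nested-compression check, by contrast, has to read each entry, which is exactly the cost the Do not scan parts of files with high compression rates option trades away.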
Configuring HTTP Clientless Notification

The HTTP Clientless Notification feature notifies users when GAV detects an incoming threat from an HTTP server.

If this feature is disabled, when GAV detects an incoming threat from an HTTP server, GAV blocks the threat and the user receives a blank HTTP page. Typically, users will attempt to reload the page because they are not aware of the threat. The HTTP Clientless Notification feature informs the user that GAV detected a threat from the HTTP server.

* 
TIP: The HTTP Clientless Notification feature is also available for SonicWall Anti-Spyware.
To configure this feature:
1
Select the Enable HTTP Clientless Notification Alerts checkbox. This option is selected by default.

2
Optionally, enter a message in the Message to Display when Blocking field. The default message is This request is blocked by the Firewall Gateway Anti-Virus Service.
* 
TIP: You can configure a timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading.
Configuring a SonicWall GAV Exclusion List

Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV Exclusion List section provides the ability to either select an Address Object or define a range of IP addresses whose traffic will be excluded from SonicWall GAV scanning.

* 
CAUTION: Use caution when specifying exclusions to SonicWall GAV protection.
To add an IP address range for exclusion, perform these steps:

1
Select the Enable Gateway AV Exclusion List checkbox in the Gateway AV Exclusion List section to enable the exclusion list.
2
Select one of these:
Use Address Object radio button
a)
Select an address object from the drop-down menu.
b)
Go to Step 3.
Use Address Range radio button.
a)
Click the Add button. The Add GAV Range Entry dialog displays.

 

b)
Enter the IP address range in the IP Address From and IP Address To fields.
c)
Click OK. Your IP address range appears in the Gateway AV Exclusion List table.
* 
NOTE: To change an entry, click the Edit icon in the Configure column or to delete an entry, click the Delete icon. To delete all entries in the exclusion list, click the Delete All button.
3
Click OK.

Configuring Cloud Gateway AV

To enable the Cloud Gateway Anti-Virus feature:

1
Select the Enable Cloud Anti-Virus Database checkbox. This option is selected by default.

Optionally, individual cloud signatures can be excluded from enforcement, either to resolve false positives or to allow specific malware samples to be downloaded when necessary.

To configure the exclusion list:
1
Click Cloud AV DB Exclusion Settings. The Add Cloud AV Exclusion dialog displays.

2
Enter the signature ID in the Cloud AV Signature ID field. The ID must be a numeric value.
3
Click the Add button.
4
Repeat Step 2 and Step 3 for each signature ID to be added.
5
Optionally, to update a signature ID:
a
Select the signature ID in the List field.
b
Enter the updated signature in the Cloud AV Signature ID field.
c
Click Update.
6
Optionally, to delete:
A signature ID, select the ID in the List field, and then click the Remove button.
All signatures, click the Remove All button.
7
Optionally, to view the latest information on a signature, select the signature ID in the list and click the Sig Info button. The information for the signature is displayed on the SonicALERT website.
8
Click OK when you have finished configuring the Cloud AV exclusion list.

Viewing SonicWall GAV Signatures

The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWall GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the SonicWall GAV signature database downloaded to your SonicWall security appliance. The number of malware family signatures is displayed above the table.

 
* 
NOTE: Signature entries in the database change over time in response to new threats.
Topics:  

Displaying Signatures

You can display the signatures in a variety of views:

* 
TIP: When you filter the signature, the number of signatures found is displayed along with the total number of signatures in the database.
View Style – Select one of these from the First Letter drop-down menu:
All Signatures - Displays all the signatures in the table, 50 to a page.
0-9 - Displays signature names beginning with the number you select from the menu.
A-Z - Displays signature names beginning with the letter you select from the menu.
Search String - Displays signatures containing a specific string:
a
Enter the string in the Lookup Signatures Containing String field.
b
Click the Magnifying Glass icon.

Navigating the Gateway Anti-Virus Signatures Table

The SonicWall GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures table. The Items field displays the table number of the first signature. For information about navigating through the table, see Navigating the Management Interface.

Searching the Gateway Anti-Virus Signature Database

You can search the signature database by entering a search string in the Lookup Signatures Containing String field, then clicking the Search icon.

Only the signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.

Activating Intrusion Prevention Service

Security Services > Intrusion Prevention Service

Topics:  

Intrusion Prevention Service Overview

Intrusion Prevention Service (IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, Email, file transfer, Windows services and DNS. SonicWall IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and back-door exploits. The extensible signature language used in SonicWall’s Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWall IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new hacker attacks through SonicWall’s industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWall IPS to detect and prevent attacks on a global, attack group, or per-signature basis to provide maximum flexibility and control over false positives.


SonicWall Deep Packet Inspection

Deep Packet Inspection looks at the data portion of the packet. The Deep Packet Inspection technology includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and alerts the administrator. Intrusion prevention finds the anomalies in the traffic and reacts to them, preventing the traffic from passing through.

Deep Packet Inspection is a technology that allows a firewall to classify passing traffic based on rules. These rules include information about the layer 3 and layer 4 content of the packet as well as information that describes the contents of the packet’s payload, including the application data (for example, an FTP session, an HTTP Web browser session, or even a middleware database connection). This technology allows the administrator to detect and log intrusions that pass through the firewall, as well as prevent them (that is, by dropping the packet or resetting the TCP connection). SonicWall’s Deep Packet Inspection technology also correctly inspects a byte stream fragmented across TCP segments as if no fragmentation had occurred.

How SonicWall’s Deep Packet Inspection Works

Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWall Intrusion Prevention Service. SonicWall’s Deep Packet Inspection technology enables dynamic signature updates pushed from the SonicWall Distributed Enforcement Architecture.

The following steps describe how the SonicWall Deep Packet Inspection Architecture works; see SonicWall deep packet inspection architecture:

1. The Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent known and unknown protocols, applications, and exploits.
2. TCP packets arriving out of order are reassembled by the Deep Packet Inspection framework.
3. Deep Packet Inspection engine preprocessing normalizes the packet’s payload. For example, an HTTP request may be URL encoded, so the request is URL decoded in order to perform correct pattern matching on the payload.
4. Deep Packet Inspection engine postprocessors perform actions that may simply pass the packet without modification, drop the packet, or reset the TCP connection.
5. SonicWall’s Deep Packet Inspection framework supports complete signature matching across TCP fragments without performing any reassembly (unless the packets are out of order). This results in more efficient use of processor and memory for greater performance.

SonicWall deep packet inspection architecture
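The steps above, as an added example that is not SonicWall's code: a small Python model of steps 2 through 4, which reassembles out-of-order TCP segments, URL-decodes the payload before matching, and chooses a postprocessor verdict. The signature names, the traversal pattern and the HTTP request are constructed for illustration and are not from the SonicWall signature database; the result also reports what a matcher that skipped normalization would have seen, which shows why step 3 matters.

```python
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # matched against the normalized (decoded) payload
    action: str     # postprocessor action: "log" (detect only), "drop" or "reset"


# Constructed signatures for illustration only; not SonicWall's signature database.
SIGNATURES = [
    Signature("HTTP path traversal", b"../..", "reset"),
    Signature("Constructed test agent", b"User-Agent: dpi-test-agent", "log"),
]


def reassemble(segments: List[Segment]) -> bytes:
    """Step 2: put out-of-order segments back in sequence.

    Exact retransmits are discarded; a segment that overlaps data already
    accepted contributes only its new tail; a gap is reported as an error.
    """
    stream = bytearray()
    ordered = sorted(set(segments), key=lambda s: s.seq)
    expected = ordered[0].seq if ordered else 0
    for seg in ordered:
        if seg.seq > expected:
            raise ValueError(f"missing data before seq {seg.seq}")
        new_bytes = seg.payload[expected - seg.seq:]  # skip the overlapping prefix
        stream += new_bytes
        expected += len(new_bytes)
    return bytes(stream)


def normalize(stream: bytes) -> bytes:
    """Step 3: preprocessing. URL-decode so %2e%2e%2f and ../ look the same to
    the matcher. latin-1 keeps a one-to-one mapping between bytes and chars."""
    return unquote(stream.decode("latin-1"), encoding="latin-1").encode("latin-1")


def match(payload: bytes) -> List[Signature]:
    """Apply the signature patterns to a payload."""
    return [sig for sig in SIGNATURES if sig.pattern in payload]


def postprocess(hits: List[Signature]) -> str:
    """Step 4: choose the verdict; the most severe matched action wins."""
    severity = {"pass": 0, "log": 1, "drop": 2, "reset": 3}
    return max((sig.action for sig in hits), key=severity.__getitem__, default="pass")


def inspect(segments: List[Segment]) -> Dict[str, object]:
    """Run the pipeline on one direction of a TCP stream."""
    stream = reassemble(segments)
    hits = match(normalize(stream))
    return {
        "verdict": postprocess(hits),
        "matched": [sig.name for sig in hits],
        # What a matcher that skipped normalization would have seen:
        "matched_without_normalization": [sig.name for sig in match(stream)],
    }


# Constructed sample: one HTTP request split into three segments that arrive out of
# order, plus a retransmit. The encoded traversal straddles the first two segments.
REQUEST = (
    b"GET /static/%2e%2e/%2e%2e/cfg HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: dpi-test-agent\r\n\r\n"
)
SAMPLE_SEGMENTS = [
    Segment(1000 + 30, REQUEST[30:]),
    Segment(1000, REQUEST[:15]),
    Segment(1000 + 15, REQUEST[15:30]),
    Segment(1000 + 15, REQUEST[15:30]),  # retransmit, deduplicated by reassemble()
]

if __name__ == "__main__":
    print(inspect(SAMPLE_SEGMENTS))
```

Without normalization only the plain-text agent string matches; after URL decoding the traversal pattern, which is split across two segments and percent-encoded, matches as well and the reset action wins.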

SonicWall IPS Terminology

Stateful Packet Inspection - looking at the header of the packet to control access based on port, protocol, and IP address.
Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
Intrusion Detection - a process of identifying and flagging malicious activity aimed at information technology.
False Positive - a falsely identified attack traffic pattern.
Intrusion Prevention - finding anomalies and malicious activity in traffic and reacting to it.
Signature - code written to detect and prevent intrusions, worms, application exploits, and Peer-to-Peer and Instant Messaging traffic.

Configuring Intrusion Prevention Service

Intrusion Prevention Service (IPS) is configured on the Security Services > Intrusion Prevention page, which is divided into three panels:

IPS Status
IPS Global Settings
IPS Policies


IPS Status

The IPS Status panel displays status information for the signature database and your SonicWall IPS license.

The IPS Status panel displays the following information:

Signature Database indicates whether the signature database is being downloaded, has been downloaded, or needs to be downloaded. The signature database is updated automatically about once an hour. You can also manually update your IPS database at any time by clicking the Update button located in the IPS Status section.
Signature Database Timestamp displays the last update to the IPS signature database, not the last update to your SonicWall security appliance.
Last Checked indicates the last time the SonicWall security appliance checked the signature database for updates. The SonicWall security appliance automatically attempts to synchronize the database on startup, and once every hour.
IPS Service Expiration Date indicates the date when the IPS service expires. If your IPS subscription expires, the SonicWall IPS inspection is stopped and the IPS configuration settings are removed from the SonicWall security appliance. After renewing your IPS license, these settings are automatically restored to the previously configured state.
Note: Enable the Intrusion Prevention Service per zone from the Network > Zones page.

If you click on Network > Zones in this note, it displays the Network > Zones page where you can configure IPS on zones. See Configuring IPS Protection on Zones.

IPS Global Settings

The IPS Global Settings panel provides the key settings for enabling SonicWall IPS on your firewall.

SonicWall IPS is activated by globally enabling IPS on your firewall and selecting the class of attacks. Optionally, you can configure an IPS Exclusion List as well.

Enabling IPS
To enable IPS on your firewall:
1. Go to the Security Services > Intrusion Prevention page.
2. Go to the IPS Global Settings panel.
3. Select Enable IPS.
4. Select the action that you want (Prevent All, Detect All, or both) for each of the Signature Groups:
High Priority Attacks
Medium Priority Attacks
Low Priority Attacks

NOTE: To activate intrusion prevention on the firewall, you must specify a Prevent All action for at least one of the Signature Groups. If no Prevent All actions are checked, no intrusion prevention occurs on the firewall.

NOTE: Selecting both Prevent All and Detect All for all of the Signature Groups protects your network against the most dangerous and disruptive attacks.
Configuring an IPS Exclusion List
(Optional) To configure an IPS Exclusion List:
1. Go to the Security Services > Intrusion Prevention page.
2. Go to the IPS Global Settings panel.
3. Select Enable IPS.
4. Click the Configure IPS Settings button. The IPS Exclusion List dialog appears.
5. Select Enable IPS Exclusion List.
6. Select either the Use Address Object option or the Use Address Range option.
7. If you selected the Use Address Object option, select the address object you want to exclude from the menu.
8. If you selected the Use Address Range option, click the Add button. The Add IPS Range Entry dialog appears.
9. Enter the IP address range to exclude in the IP Address From and the IP Address To boxes.
10. Click OK.
Resetting the IPS Settings and Policies
To reset the IPS Settings and Policies:
1. Go to the Security Services > Intrusion Prevention page.
2. In the IPS Global Settings panel, click the Reset IPS Settings & Policies button. A confirmation message is displayed.
3. Click OK.

The following message appears at the bottom of the screen: Status: The configuration has been updated.

Configuring IPS Protection on Zones

You apply SonicWall IPS to zones on the Network > Zones page to enforce SonicWall IPS not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWall IPS on the LAN zone enforces SonicWall IPS on all incoming and outgoing LAN traffic.

In the IPS Status section of the Security Services > Intrusion Prevention Service page, click the Network > Zones link to access the Network > Zones page. You apply SonicWall IPS to a zone listed on the Network > Zones page.

To enable SonicWall IPS on a zone:
1. Go to Network > Zones, or from the IPS Status section on the Security Services > Intrusion Prevention page, click the Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the Edit icon for the zone to which you want to apply SonicWall IPS. The Edit Zone window is displayed.
3. Select the Enable IPS checkbox. A checkmark appears. To disable SonicWall IPS, clear the box.
4. Click OK.

You also enable SonicWall IPS protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.

IPS Policies

The IPS Policies panel allows you to view SonicWall IPS signatures and configure the handling of signatures by category groups or on a signature by signature basis. Categories are signatures grouped together based on the type of attack.

You can view the signatures in these ways:

Viewing and Configuring Category Settings

In the View Style row, the Category menu lets you choose the categories or signatures you want to display in the Category column. You can choose All categories, All signatures, or an individual category, such as ACTIVEX or DNS. If you choose an individual category, the signatures for that category are displayed.

The Category column allows you to sort categories and signatures in ascending or descending order by clicking the up or down arrow next to the column heading.

 

To view or change the IPS category settings for a particular category:
1. Select All categories from the Category menu.
2. Click the Edit icon in the Configure column for that category. The Edit IPS Category dialog appears.
3. From the Prevention and Detection menus, select Use Global Setting, Enable, or Disable. If you select Use Global Setting, the values configured in the IPS Global Settings section are used; selecting Enable or Disable overrides the IPS Global Settings for this category.
4. From the remaining menus, select the values that you want.
5. For the Log Redundancy Filter (seconds) option, if you want to use the values that you configured in the IPS Global Settings section, select Use Global Settings.
6. Click OK.
Viewing and Configuring Signature Settings
To view or change the IPS signature settings for a particular signature:
1. Select All signatures from the Category menu.
2. Click the Edit icon in the Configure column for that signature. The Edit IPS Signature dialog appears. The first five boxes are grayed and contain non-configurable data for that signature.
3. From the Prevention and Detection menus, select Enable or Disable. The Use Category Setting option is disabled.
4. From the remaining menus, select the values that you want.
5. For the Log Redundancy Filter (seconds) option, if you want to use the values that you configured in the IPS Global Settings section, select Use Category Settings.
6. Click OK.
Viewing and Configuring Signatures for Specific Categories
To view and configure signatures for specific categories:
1. Select one of the individual categories from the Category menu. The signatures for that category are displayed.
2. Click the Edit icon in the Configure column for that signature. The Edit IPS Signature dialog appears. The first five boxes are grayed and contain non-configurable data for that signature.
3. From the Prevention and Detection menus, select Enable or Disable. The Use Category Setting option is disabled.
4. From the remaining menus, select the values that you want.
5. For the Log Redundancy Filter (seconds) option, if you want to use the values that you configured in the IPS Global Settings section, select Use Category Settings.
6. Click OK.
Priority Menu

The Priority menu lets you specify the priority of the signatures you want to display.

To specify the priority of the signatures you want to display:

Select one of the following priorities from the Priority menu:
All
High
Medium
Low
Lookup Signature ID

You can use the Lookup Signature ID box to view or change the IPS signature settings for a particular signature.

To view or change the IPS signature settings for a particular signature:
1. Enter the signature ID in the Lookup Signature ID box.
2. Click the Lookup icon next to the box. The Edit IPS Signature dialog appears. The first five boxes are grayed and contain non-configurable data for that signature.
3. From the Prevention and Detection menus, select Enable or Disable. The Use Category Setting option is disabled.
4. From the remaining menus, select the values that you want.
5. For the Log Redundancy Filter (seconds) option, if you want to use the values that you configured in the IPS Global Settings section, select Use Category Settings.
6. Click OK.
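The three layers of settings described in this section (the IPS Global Settings per Signature Group, a category's Prevention and Detection menus, and a signature's own Enable or Disable choice) resolve to one effective action per signature. The following added Python example, which is not SonicWall code, models that resolution and reports which signatures would be prevented, detected only, or passed. The category names ACTIVEX and DNS come from the Category menu described above; the signature IDs, names and overrides are constructed. The NOTE that no intrusion prevention occurs unless some Signature Group has Prevent All checked is applied literally here, including to category and signature overrides, which is an assumption about how the firewall applies it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Menu choices as they appear in the Edit IPS Category / Edit IPS Signature dialogs.
USE_GLOBAL = "Use Global Setting"
ENABLE = "Enable"
DISABLE = "Disable"


@dataclass
class GlobalSettings:
    ips_enabled: bool
    # Signature Group name -> (Prevent All checked, Detect All checked)
    groups: Dict[str, Tuple[bool, bool]]


@dataclass
class Override:
    """Prevention/Detection menu choices for one category or one signature."""
    prevention: str = USE_GLOBAL
    detection: str = USE_GLOBAL


@dataclass
class Signature:
    sig_id: int
    name: str
    category: str
    priority: str  # "High", "Medium" or "Low": the Signature Group it belongs to


def _apply(choice: str, inherited: bool) -> bool:
    """Enable/Disable replace the inherited value; Use Global Setting keeps it."""
    if choice == ENABLE:
        return True
    if choice == DISABLE:
        return False
    return inherited


def effective_action(g: GlobalSettings, category_overrides: Dict[str, Override],
                     signature_overrides: Dict[int, Override], sig: Signature) -> Tuple[bool, bool]:
    """Return (prevent, detect) for one signature after applying the three layers."""
    if not g.ips_enabled:
        return (False, False)
    prevent, detect = g.groups[sig.priority]                       # layer 1: IPS Global Settings
    cat = category_overrides.get(sig.category, Override())         # layer 2: Edit IPS Category
    prevent, detect = _apply(cat.prevention, prevent), _apply(cat.detection, detect)
    own = signature_overrides.get(sig.sig_id)                      # layer 3: Edit IPS Signature
    if own is not None:
        # The signature dialog offers Enable or Disable only (Use Category Setting is disabled).
        prevent, detect = _apply(own.prevention, prevent), _apply(own.detection, detect)
    # Assumption, taken literally from the NOTE: with no Prevent All checked anywhere,
    # no intrusion prevention occurs at all.
    if not any(p for p, _ in g.groups.values()):
        prevent = False
    return (prevent, detect)


def verdict(prevent: bool, detect: bool) -> str:
    if prevent:
        return "prevent"  # connection is dropped/reset and does not reach its destination
    if detect:
        return "detect"   # logged and alerted only; the traffic proceeds
    return "pass"


def audit(g: GlobalSettings, category_overrides: Dict[str, Override],
          signature_overrides: Dict[int, Override], sigs: List[Signature]) -> Dict[str, object]:
    """Effective action per signature plus the configuration warnings an admin would want."""
    actions = {s.sig_id: verdict(*effective_action(g, category_overrides, signature_overrides, s))
               for s in sigs}
    warnings: List[str] = []
    if not g.ips_enabled:
        warnings.append("Enable IPS is not selected: no signatures are inspected.")
    elif not any(p for p, _ in g.groups.values()):
        warnings.append("No Signature Group has Prevent All checked: no intrusion prevention occurs.")
    return {"actions": actions, "warnings": warnings}


# Constructed sample configuration. Category names ACTIVEX and DNS appear in the Category
# menu; the signature IDs and names below are made up for this example.
SAMPLE_GLOBAL = GlobalSettings(
    ips_enabled=True,
    groups={"High": (True, True), "Medium": (False, True), "Low": (False, False)},
)
SAMPLE_CATEGORY_OVERRIDES = {"DNS": Override(prevention=ENABLE)}
SAMPLE_SIGNATURE_OVERRIDES = {3: Override(prevention=DISABLE, detection=ENABLE)}
SAMPLE_SIGNATURES = [
    Signature(1, "constructed-high-activex", "ACTIVEX", "High"),
    Signature(2, "constructed-medium-dns", "DNS", "Medium"),
    Signature(3, "constructed-low-activex", "ACTIVEX", "Low"),
    Signature(4, "constructed-low-dns", "DNS", "Low"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_GLOBAL, SAMPLE_CATEGORY_OVERRIDES, SAMPLE_SIGNATURE_OVERRIDES, SAMPLE_SIGNATURES))
```

Running the audit with the sample data shows a Medium-priority DNS signature being prevented only because of its category override, and a Low-priority signature being detected only because of its own override; rerunning with every Prevent All cleared turns both into detect-only results and raises the warning.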

Activating Anti-Spyware Service

Security Services > Anti-Spyware


Anti-Spyware Overview

SonicWall Anti-Spyware is part of the SonicWall Gateway Anti-Virus, Anti-Virus and Intrusion Prevention Service solution that provides comprehensive, real-time protection against viruses, worms, Trojans, spyware, and software vulnerabilities.

The SonicWall Anti-Spyware Service protects networks from intrusive spyware by cutting off spyware installations and delivery at the gateway and denying previously installed spyware from communicating collected information outbound. SonicWall Anti-Spyware works with other anti-spyware programs, such as programs that remove existing spyware applications from hosts. You are encouraged to use or install host-based anti-spyware software as an added measure of defense against spyware.

SonicWall Anti-Spyware analyzes inbound connections for the most common method of spyware delivery, ActiveX-based component installations. It also examines inbound setup executables and cabinet files crossing the gateway, and resets the connections that are streaming spyware setup files to the LAN. These file packages may be freeware bundled with adware, keyloggers, or other spyware.

If spyware has been installed on a LAN workstation prior to installing the Anti-Spyware service, the service will examine outbound traffic for streams originating at spyware infected clients and reset those connections. For example, when spyware has been profiling a user's browsing habits and attempts to send the profile information home, the firewall identifies that traffic and resets the connection.

The SonicWall Anti-Spyware Service provides the following protection:

Blocks spyware delivered through auto-installed ActiveX components, the most common vehicle for distributing malicious spyware programs.
Scans and logs spyware threats that are transmitted through the network and alerts administrators when new spyware is detected and/or blocked.
Stops existing spyware programs from communicating in the background with hackers and servers on the Internet, preventing the transfer of confidential information.
Provides granular control over networked applications by enabling administrators to selectively permit or deny the installation of spyware programs.
Prevents Emailed spyware threats by scanning and then blocking infected Emails transmitted either through SMTP, IMAP or Web-based Email.

Activating Anti-Spyware Service Protection

The Security Services > Anti-Spyware page displays the configuration settings for managing the service on your SonicWall security appliance.

The Security Services > Anti-Spyware page is divided into three sections:

Anti-Spyware Status – displays status information on the state of the signature database, your SonicWall Anti-Spyware license, and other information.
Anti-Spyware Global Settings – provides the key settings for enabling SonicWall Anti-Spyware on your SonicWall security appliance, specifying global SonicWall Anti-Spyware protection based on three classes of spyware, and other configuration options.
Anti-Spyware Policies – allows you to view SonicWall Anti-Spyware signatures and configure the handling of signatures by category groups or on a signature by signature basis. Categories are signatures grouped together based on the product or manufacturer.
NOTE: After activating your SonicWall Anti-Spyware license, you must enable and configure Anti-Spyware on the SonicWall management interface before anti-spyware policies are applied to your network traffic.

Anti-Spyware Status

The Anti-Spyware Status section shows the state of the signature database, including the database's timestamp, and the time the SonicWall signature servers were last checked for the most current signatures. The SonicWall security appliance automatically attempts to synchronize the database on startup, and once every hour.

Signature Database – indicates the signature database has been downloaded to the SonicWall security appliance.
Signature Database Timestamp – displays the date and time the signature database was last updated. The Signature Database Timestamp is a timestamp for updates to the SonicWall Anti-Spyware signature database, not the last update to the SonicWall security appliance.
Last Checked – displays the last time the SonicWall security appliance checked for signature updates.
Anti-Spyware Expiration Date – displays your SonicWall Anti-Spyware license expiration date. If your SonicWall Anti-Spyware subscription expires, the SonicWall Anti-Spyware inspection is stopped and the SonicWall Anti-Spyware configuration settings are removed from the SonicWall security appliance. These settings are automatically restored to the previously configured state after renewing your SonicWall Anti-Spyware license.

The following note contains a link to the Network > Zones page where you can configure Anti-Spyware on individual zones:

Note: Enable the Anti-Spyware per zone from the Network > Zones page.

Anti-Spyware Global Settings

The Anti-Spyware Global Settings panel enables you to globally prevent and/or detect attacks based on the following attack levels:

High Danger Level Spyware – These spyware applications are the most dangerous to your network, such as keyloggers or porn dialers, or may contain security vulnerabilities. Removal may be extremely difficult or impossible.
Medium Danger Level Spyware – These spyware applications can cause disruption to your network, such as increased network traffic that slows down performance. Removal may be extremely difficult.
Low Danger Level Spyware – These spyware applications are characterized by less intrusive activity and are not an immediate threat. They may profile users and usually are simple to remove.
TIP: SonicWall recommends enabling Prevent All for High Danger Level Spyware and Medium Danger Level Spyware to provide network protection against the most damaging spyware.

Anti-Spyware protection provides two methods for managing global spyware threats: detection (Detect All) and prevention (Prevent All). You must specify a Prevent All action in the Signature Groups panel for anti-spyware prevention to occur on a global level on the SonicWall security appliance.

When Prevent All is enabled for a signature group in the Signature Groups panel, the SonicWall security appliance automatically drops and resets the connection to prevent the traffic from reaching its destination.

When Detect All is enabled for a signature group in the Signature Groups panel, the SonicWall security appliance logs and sends alerts on any traffic that matches any signature in the group, but does not take any action against the traffic. The connection proceeds to its intended destination. You can view the SonicWall log on the Log > View page and configure how alerts are handled by the SonicWall security appliance on the Log > Automation page.

CAUTION: Be careful when selecting only Detect All. Selecting only Detect All logs and sends alerts on traffic that matches any signature in the group, but it does not take any action against the traffic. The traffic proceeds to its intended destination.

When Detect All and Prevent All are both enabled for a signature group in the Signature Groups panel, the SonicOS logs and sends alerts on traffic that matches any signature in the group, and automatically drops and resets the connection to prevent the traffic from reaching its destination.

Enabling Inspection of Outbound Spyware Communication

The Enable Inspection of Outbound Spyware Communication option is available for scanning outbound traffic for spyware communication.

Applying Anti-Spyware Protection on Zones

If your firewall is running SonicOS, you can apply SonicWall Anti-Spyware to zones on the Network > Zones page to enforce Anti-Spyware not only between each network zone and the WAN, but also between internal zones. For example, enabling Anti-Spyware on the LAN zone enforces Anti-Spyware on all incoming and outgoing LAN traffic.

In the Anti-Spyware Status section of the Security Services > Anti-Spyware page, click the Network > Zones link to access the Network > Zones page. You apply Anti-Spyware to one of the zones listed on the Network > Zones page.

To enable Anti-Spyware on a zone:
1. In the firewall management interface, select Network > Zones. (Or from the Anti-Spyware Status section on the Security Services > Intrusion Prevention page, click the Network > Zones link.) The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings panel, click the Edit icon for the zone to which you want to apply SonicWall Anti-Spyware. The Edit Zone window is displayed.
3. Select the Enable Anti-Spyware checkbox. A checkmark appears. To disable SonicWall Anti-Spyware, clear the box.
4. Click OK.

You can also enable SonicWall Anti-Spyware protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.

Anti-Spyware Policies

The Anti-Spyware Policies section allows you to view and manage how SonicWall Anti-Spyware handles signatures by category groups or on a signature by signature basis. Categories are signatures grouped together by product or manufacturer, and they are listed in the View Style menu.

Entries listed in the Anti-Spyware Policies panel are from the SonicWall Anti-Spyware signature database downloaded to your firewall. Categories and signatures are dynamically updated by the Anti-Spyware Service. Categories and signatures dynamically change over time in response to new threats.

You can display the signatures in a variety of views using the View Style menu. This menu allows you to specify the categories or signatures to display in the Anti-Spyware Policies panel. You can select All Signatures, or you can select the first letter or number in the spyware name.

Selecting All Signatures from the menu displays all of the signatures by category. The Anti-Spyware Policies panel displays all the categories and their signatures. The category headers divide the signature entries. These headers display Global in the Prevent and Detect columns, indicating the global settings that you defined in the Anti-Spyware Global Settings section.

Anti-Spyware Policies Panel

The Anti-Spyware Policies panel displays the following information about each signature entry:

Product - Displays the spyware name or manufacturer.
Name - Displays the name of the spyware as a link. Clicking the name link displays the SonicAlert information about the spyware.
ID - The SonicWall database ID number of signature.
Prevent - A check mark in this column indicates prevention is enabled. A green check mark appears in the Prevent column any time you make a change from the global or category prevention settings.
Detect - A check mark in this column indicates detection is enabled. A green check mark appears in the Detect column any time you make a change from the global or category detection settings.
Danger Level - Defines the attack signature as Low, Medium, or High as defined for the Signature Groups panel.
Comments - Displays a brief description of the policy.
Configure - Clicking the edit icon in the Configure column of the category header displays the Edit Anti-Spyware Category window. Clicking the edit icon in the Configure column for an individual signature displays the Edit Anti-Spyware Signature window. These windows allow you to define a different action from the global settings for the specific category or signature.
Displaying Spyware Information

In the Anti-Spyware Policies panel, clicking the spyware name link in the Name column displays a SonicALERT page that provides detailed information about the spyware.

Navigating the Anti-Spyware Policies Panel

The Items field displays the panel number of the first category or signature. If you are displaying the first page of a panel, the entry might be Items 1 to 50 (of 58). You can enter a number in the Items field to go directly to a specific entry or use the navigation buttons to navigate the panel.

The SonicWall Anti-Spyware signatures are displayed fifty to a page in the Anti-Spyware Policies panel.

NOTE: You can change the default, 50 entries per panel, on the System > Administration page in the Web Management Settings section.
Searching the Signature Database

You can search the signature database by entering a search string in the Lookup Signatures Containing String field, then clicking the Search icon.

Sorting Category or Signature Entries

Clicking on the Anti-Spyware Policies panel headings (Name, ID, Prevent, Detect, or Danger Level) sorts the panel entries according to the heading. An up arrow by the column header name indicates the entries are sorted in descending order. A down arrow by the column header name indicates the entries are sorted in ascending order.

Configuring Category Policies

You can choose to override the global prevention and detection settings on a category-by-category basis. The global Prevent All and Detect All settings, which include High Danger Level Spyware, Medium Danger Level Spyware, and Low Danger Level Spyware are configured in the Anti-Spyware Global Settings section. Categories can include any combination of Danger Levels as defined in the Signature Groups panel.

The available signature categories are listed in the View Style menu in the Anti-Spyware Policies section. Configuring the prevent and detect behaviors on a category basis affects all the signatures in the category, regardless of the global attack priority settings (Low, Medium, or High).

Overriding Global Prevent and Detect Settings by Category
1. Select All categories or an individual category from the Category menu.
2. If you selected All categories, click the Edit icon in the Configure column for the category you want to change. The Edit Anti-Spyware Category dialog is displayed.
3. If you selected an individual category, click the Edit icon to the right of the Category menu. The Edit Anti-Spyware Category dialog is displayed.
4. If you want to change the Global Setting for Prevention, select Enable or Disable from the Prevention menu.
5. If you want to change the Global Setting for Detection, select Enable or Disable from the Detection menu.
6. If you want to change the Global Settings for both detection and prevention, select Enable or Disable from the Detection and Prevention menu.
7. The following settings allow you to select specific users/groups, IP address ranges, and schedule objects to be included in or excluded from this SonicWall Anti-Spyware category:
Included Users/Groups - Select the Users/Groups you want included in this SonicWall Anti-Spyware category. The default is All.
Excluded Users/Groups - Select the Users/Groups you want excluded from this SonicWall Anti-Spyware category. The default is None.
Included IP Address Range - Select the IP address range you want included in this SonicWall Anti-Spyware category. The default is All.
Excluded IP Address Range - Select the IP address range you want excluded from this SonicWall Anti-Spyware category. The default is None.
Schedule - Select the scheduled time you want for the activation of this SonicWall Anti-Spyware category. The default is Always on.
8. If you want to change the Log Redundancy Filter setting from the default global setting, clear the Use Category Settings box for Log Redundancy Filter (seconds) and enter a time value in seconds.
9. Click OK to save your changes.

TIP: If you select All signatures from the Category menu, all the categories and their signatures are displayed in the Anti-Spyware Policies panel, allowing you to configure both the category and the signatures within the category.
Resetting SonicWall Anti-Spyware Configuration to Default

You can remove all custom category and signature settings you created as well as reset global Prevent All and Detect All settings and Log Redundancy Filter (seconds) settings by clicking the Reset Anti-Spyware Settings & Policies button in the Anti-Spyware Global Settings section.

Configuring Signature Policies

Selecting All signatures from the Category menu displays all of the signatures organized within categories. The All signatures option displays every signature in the Anti-Spyware database.

If global Prevent All and Detect All settings are in effect for the category, Global is displayed in the Prevent and Detect columns for the category and all of its signatures.

Selecting a specific signature category, displays the signatures in that category.

NOTE: You cannot import your own customized signatures into SonicWall Anti-Spyware or delete a signature entry.

CAUTION: Use caution when overriding global High Danger Level Spyware and Medium Danger Level Spyware signature behaviors because you can create vulnerabilities. If you make changes and want to restore the default global signature settings, click the Reset Anti-Spyware Settings & Policies button to restore the default settings.

Overriding Category Detect and Prevent Settings for a Signature
To override category detect and prevent attributes for signatures:
1. In the Anti-Spyware Policies panel, display the signature you want to change. Click the Edit icon in the Configure column for the entry to display the Edit Anti-Spyware Signature dialog.
2. If you want to change the Category Setting for Prevention, select Enable or Disable from the Prevention menu.
3. If you want to change the Category Setting for Detection, select Enable or Disable from the Detection menu.
4. If you want to change the Category Setting for both detection and prevention, select Enable or Disable from the Detection and Prevention menu.
5. The following settings allow you to select specific users/groups, IP address ranges, and schedule objects to be included in or excluded from this SonicWall Anti-Spyware signature:
Included Users/Groups - Select the Users/Groups you want included in this SonicWall Anti-Spyware signature. The default is All.
Excluded Users/Groups - Select the Users/Groups you want excluded from this SonicWall Anti-Spyware signature. The default is None.
Included IP Address Range - Select the IP address range you want included in this SonicWall Anti-Spyware signature. The default is All.
Excluded IP Address Range - Select the IP address range you want excluded from this SonicWall Anti-Spyware signature. The default is None.
Schedule - Select the scheduled time you want for the activation of this SonicWall Anti-Spyware signature. The default is Always on.
6. If you want to change the Log Redundancy Filter setting from the Category setting, clear the Use Category Settings box for Log Redundancy Filter (seconds) and enter a time value in seconds.
7. Click OK to save your changes.
Resetting SonicWall Anti-Spyware Settings to Default

You can remove all custom category and signature settings you created as well as reset global Prevent All and Detect All settings and Log Redundancy Filter (seconds) settings by clicking the Reset Anti-Spyware Settings & Policies button in the Anti-Spyware Global Settings section.

Configuring SonicWall Real-Time Blacklist

Security Services > RBL Filter


Real-Time Black List Filtering

SMTP Real-Time Black List (RBL) is a mechanism for publishing the IP addresses that SMTP spammers use. A number of organizations compile this information, both for free (http://www.spamhaus.org) and for profit (https://ers.trendmicro.com/).

* 
NOTE: SMTP RBL is an aggressive spam filtering technique that can be prone to false-positives because it is based on lists compiled from reported spam activity. The SonicOS implementation of SMTP RBL filtering provides a number of fine-tuning mechanisms to help ensure filtering accuracy.

RBL list providers publish their lists using DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain using inverted IP notation of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type of undesirability:

For example, if an SMTP server with IP address 1.2.3.4 has been blacklisted by RBL list provider sbl-xbl.spamhaus.org, then a DNS query to 4.3.2.1.sbl-xbl.spamhaus.org will provide a 127.0.0.4 response, indicating that the server is a known source of spam, and the connection will be dropped.

* 
NOTE: Most spam today is known to be sent from hijacked or zombie machines running a thin SMTP server implementation. Unlike legitimate SMTP servers, these zombie machines rarely retry failed delivery attempts. Once the delivery attempt is blocked by the RBL filter, no subsequent delivery attempts for that same piece of spam will be made.

Configuring the RBL Filter


Enabling RBL Blocking

When Enable Real-time Black List Blocking is enabled in the Real-time Black List Settings section on the RBL Filter page, inbound connections from hosts on the WAN or outbound connections to hosts on the WAN are checked against each enabled RBL service with a DNS request to the DNS servers configured under RBL DNS Servers.

The RBL DNS Servers menu allows you to specify the DNS servers. You can choose Inherit Settings from WAN Zone or Specify DNS Servers Manually. If you select Specify DNS Servers Manually, enter the DNS server addresses in the DNS Server fields.

When you have finished, click Accept.

The DNS responses are collected and cached. If any of the queries result in a blacklisted response, the server will be filtered. Responses are cached using TTL values, and non-blacklisted responses are assigned a cache TTL of 2 hours. If the cache fills up, then cache entries are discarded in a FIFO (first-in-first-out) fashion.

The IP address check uses the cache to determine if a connection should be dropped. Initially, IP addresses are not in the cache and a DNS request must be made. In this case the IP address is assumed innocent until proven guilty, and the check results in the allowing of the connection. A DNS request is made and results are cached in a separate task. When subsequent packets from this IP address are checked, if the IP address is blacklisted, the connection will be dropped.
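The query construction, response-code interpretation and cache behaviour described above, as an added Python example that is not SonicOS code: the RBL domain, expected response codes and resolver answers are constructed for illustration, and the resolver callback stands in for the DNS query to the configured RBL DNS servers.

```python
import ipaddress
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional, Set, Tuple

NOT_LISTED_TTL = 2 * 60 * 60          # non-blacklisted verdicts are cached for 2 hours
LISTED_LOW = ipaddress.IPv4Address("127.0.0.2")
LISTED_HIGH = ipaddress.IPv4Address("127.0.0.9")


def rbl_query_name(ip: str, rbl_domain: str) -> str:
    """DNS name an RBL lookup queries: the IPv4 octets in reverse order, prefixed
    to the provider's domain (1.2.3.4 -> 4.3.2.1.sbl-xbl.spamhaus.org)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain


def is_listed_response(answer: Optional[str], expected: Optional[Set[str]]) -> bool:
    """True when the answer is a listing code (127.0.0.2 to 127.0.0.9) that the
    service is configured to act on; expected=None means Block All Responses."""
    if answer is None:                        # no record: host is not listed
        return False
    addr = ipaddress.IPv4Address(answer)
    if not LISTED_LOW <= addr <= LISTED_HIGH:
        return False
    return expected is None or answer in expected


class RblCache:
    """Bounded FIFO cache of RBL verdicts keyed by SMTP peer address.

    resolver(name) -> (answer or None, ttl_seconds) stands in for the query to the
    configured RBL DNS servers; clock is injectable so expiry can be tested."""

    def __init__(self, resolver: Callable[[str], Tuple[Optional[str], int]],
                 services: Dict[str, Optional[Set[str]]],
                 max_entries: int = 1024, clock: Callable[[], float] = time.time):
        self.resolver = resolver
        self.services = services              # RBL domain -> expected codes (None = all)
        self.max_entries = max_entries
        self.clock = clock
        self.entries: "OrderedDict[str, Tuple[bool, float]]" = OrderedDict()  # ip -> (listed, expires_at)

    def _lookup(self, ip: str) -> None:
        listed, ttl = False, NOT_LISTED_TTL
        for domain, expected in self.services.items():
            answer, answer_ttl = self.resolver(rbl_query_name(ip, domain))
            if is_listed_response(answer, expected):
                listed, ttl = True, answer_ttl    # a listing keeps the DNS record's TTL
                break
        if ip not in self.entries and len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)      # cache full: discard the oldest entry (FIFO)
        self.entries[ip] = (listed, self.clock() + ttl)

    def should_drop(self, ip: str) -> bool:
        """Verdict for one packet from ip. With no valid cached entry the packet is
        allowed (innocent until proven guilty) and the lookup is made for later packets."""
        entry = self.entries.get(ip)
        if entry is not None and entry[1] > self.clock():
            return entry[0]
        self._lookup(ip)                          # SonicOS does this in a separate task
        return False


# Constructed answers standing in for live RBL DNS responses (not real data).
SAMPLE_ANSWERS = {
    "4.3.2.1.sbl-xbl.spamhaus.org": ("127.0.0.4", 300),
    "8.7.6.5.sbl-xbl.spamhaus.org": ("127.0.0.2", 300),
}


def sample_resolver(name: str) -> Tuple[Optional[str], int]:
    """Offline stand-in for the RBL DNS query: (answer, ttl) or (None, 0) if unlisted."""
    return SAMPLE_ANSWERS.get(name, (None, 0))
```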

Adding RBL Services

You can add additional RBL services in the Real-time Black List Services section.

To add an RBL service, click the Add button. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected response codes. Most RBL services list the responses they provide on their Web site, although selecting Block All Responses is generally acceptable.

Statistics are maintained for each RBL service in the RBL Service table, and can be viewed with a mouseover of the (statistics) icon to the right of the service entry.

Configuring User-Defined SMTP Server Lists

The User Defined SMTP Server Lists section allows for Address Objects to be used to construct a white-list (explicit allow) or black-list (explicit deny) of SMTP servers. Entries in this list will bypass the RBL querying procedure.

 
* 
NOTE: To see entries in the RBL User White List and RBL User Black List, click the arrow to the right of the checkbox for that list.
Configuring a White List

For example, to ensure that you always receive SMTP connections from a partner site's SMTP server:

1
Create an Address Object for the server using the Add Servers: Add… button. The Add Address Object window appears.

2
Configure the Address Object.
3
Click OK. The Address Object will be added to the RBL User White List in the User-Defined SMTP Server Lists table.
4
Click the edit icon in the Configure column of the RBL User White List row. The Edit Address Object window displays.

5
Add the Address Object by selecting it and clicking the right arrow.
6
Click OK.

The table will be updated, and that server will always be allowed to make SMTP exchanges.

Configuring a Black List
1
Click the Edit icon in the Configure column of the RBL User Black List row. The Edit Address Object window displays.

2
Add the Address Object by selecting it and clicking the right arrow.
3
Click OK.

Testing SMTP IP Addresses

The System > Diagnostics page also provides a Real-time Black List Lookup feature that allows for SMTP IP addresses (or RBL services, or DNS servers) to be specifically tested.

For a list of known spam sources to use in testing, refer to: http://www.spamhaus.org/sbl/latest/.

Configuring Geo-IP Filters

* 
NOTE: The Geo-IP Filtering feature is available on TZ300 series and above appliances.

Security Services > Geo-IP Filter

The Geo-IP Filter feature allows you to block connections to or from a geographic location. The SonicWall firewall uses the IP address to determine the location of the connection. The Geo-IP Filter feature also allows you to create custom country lists that affect the identification of an IP address.

The Geo-IP Filter feature also allows you to create a custom message when you block a web site.

You can also use the Geo-IP Filter Diagnostics tool to show resolved locations, monitor Geo-IP cache statistics and custom countries statistics, and look up Geo-IP servers.


Configuring Geo-IP Filtering

To configure Geo-IP Filtering:
1
Navigate to the Security Services > Geo-IP Filter page.

2
To block all connections to and from specific countries, select the Block connections to/from countries listed in the table below checkbox. This option is selected by default.

If this option is enabled, all connections to/from the selected list of countries are blocked. You can specify an exclusion list to exclude this behavior for selected IPs, as described below in Step 9.

When this option is selected, the next two options become available.

3
Select one of the following two modes for Geo-IP Filtering:
All Connections: All connections to and from the firewall are filtered. This option is selected by default.
Firewall Rule-Based Connections: Only connections that match an access rule configured on the firewall are filtered for blocking.
4
To block all connections to public IPs when the Geo-IP database is not downloaded, select the Block all connections to public IPs if GeoIP DB is not downloaded option. This option is not selected by default.
5
To enable your custom list, select the Enable Custom List checkbox. This option is not selected by default.

If the Enable Custom List checkbox is:

Not selected, then only the firewall’s country database is searched. Go to Step 6.
Selected, the Override Firewall Countries By Custom List checkbox becomes available.

Enabling a custom list by selecting the Enable Custom List checkbox can affect country identification for an IP address. If the Override Firewall Countries By Custom List is:

Also not selected, then country identification is done in this order:
1)
The firewall country database is searched. If the identification is not resolved, then:
2)
The custom country list is searched.
Also selected, then country identification is done in this order:
1)
The custom country list is searched. If the identification is not resolved, then:
2)
The firewall country database is searched.

In either case, action is taken according to the resolution.

6
To log Geo-IP Filter-related events, select Enable logging. This option is not selected by default.
7
Under Countries, in the Blocked Country table, select the countries to be blocked. By default, no countries are blocked.

* 
TIP: Selecting the checkbox next to Blocked Country at the top of the table selects all countries, and then you can select countries to be excluded from blocking by deselecting them.
* 
NOTE: Blocked countries are highlighted.
8
If you want to block any countries that are not listed, select the Block All UNKNOWN countries option. All connections to unknown public IPs are blocked. This option is not selected by default.
9
Optionally, you can configure an exclusion list of all connections to approved IP addresses by doing one of these:
Select an address object or address group from the Geo-IP Exclusion Object drop-down menu. The default is Default Geo-IP and Botnet Exclusion Group.
Create a new address object or address group by selecting Create new address object… or Create new address group… from the Geo-IP Exclusion Object drop-down menu.

The Geo-IP Exclusion Object is a network address object group that specifies a group or a range of IP addresses to be excluded from the Geo-IP filter blocking. All IP addresses in the address object or group are allowed, even if they are from a blocked country.

For example, if all IP addresses coming from Country A are set to be blocked and an IP address from Country A is detected, but it is in the Geo-IP Exclusion Object list, then traffic to and from this IP address is allowed to pass.

For this feature to work correctly, the country database must be downloaded to the firewall. The Status indicator at the top right of the page turns yellow if this download fails. Green status indicates that the database has been successfully downloaded. Click the Status button to display more information.

For the country database to be downloaded, the firewall must be able to resolve the address utmgbdata.global.sonicwall.com.

When a user attempts to access a web page that is from a blocked country, a block page message is displayed on the user’s web browser.

* 
NOTE: If a connection to a blocked country is short-lived and the firewall does not have a cache for the IP address, then the connection may not be blocked immediately. As a result, connections to blocked countries may occasionally appear in the App Flow Monitor. However, additional connections to the same IP address are blocked immediately.
10
Click the Accept button at the top of the page to enable your changes.
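The country identification order (Enable Custom List with and without Override Firewall Countries By Custom List), the Block All UNKNOWN countries option and the Geo-IP Exclusion Object from the steps above, as an added Python example that is not part of the guide; the country names, address ranges and the in-memory stand-in for the firewall country database are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network


@dataclass
class CustomCountryEntry:
    """One Custom List row: an address object (Host, Range or Network, modelled as
    one or more networks) and the country it should resolve to."""
    networks: List[Net]
    country: str


@dataclass
class GeoIpFilter:
    blocked_countries: Set[str]                 # Blocked Country table selections
    firewall_db: Dict[Net, str]                 # stand-in for the downloaded country database
    custom_list: List[CustomCountryEntry] = field(default_factory=list)
    enable_custom_list: bool = False            # Enable Custom List checkbox
    override_by_custom_list: bool = False       # Override Firewall Countries By Custom List
    block_unknown: bool = False                 # Block All UNKNOWN countries
    exclusion: List[Net] = field(default_factory=list)   # Geo-IP Exclusion Object

    def _from_db(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        for net, country in self.firewall_db.items():
            if ip in net:
                return country
        return None

    def _from_custom(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        for entry in self.custom_list:
            if any(ip in net for net in entry.networks):
                return entry.country
        return None

    def resolve_country(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        """Country identification in the order the guide gives for each setting."""
        if not self.enable_custom_list:
            return self._from_db(ip)                              # firewall database only
        if self.override_by_custom_list:
            return self._from_custom(ip) or self._from_db(ip)     # custom list first
        return self._from_db(ip) or self._from_custom(ip)         # firewall database first

    def verdict(self, ip_text: str) -> Tuple[str, str]:
        """('allow' | 'block', reason) for one connection endpoint."""
        ip = ipaddress.IPv4Address(ip_text)
        if any(ip in net for net in self.exclusion):
            return "allow", "Geo-IP Exclusion Object"   # allowed even from a blocked country
        country = self.resolve_country(ip)
        if country is None:
            return ("block" if self.block_unknown else "allow"), "UNKNOWN country"
        if country in self.blocked_countries:
            return "block", country
        return "allow", country


# Constructed sample configuration using documentation ranges; not a real database.
SAMPLE = GeoIpFilter(
    blocked_countries={"Country A", "Country C"},
    firewall_db={Net("198.51.100.0/24"): "Country A", Net("203.0.113.0/24"): "Country B"},
    custom_list=[CustomCountryEntry([Net("203.0.113.0/25")], "Country C"),
                 CustomCountryEntry([Net("192.0.2.0/24")], "Country D")],
    exclusion=[Net("198.51.100.7/32")],
)
```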

Creating a Custom Country List

The Custom List tab shows a table with this information:

Address Object - Name given to the address object.
Country - Flag icon (if known) and name of country.
Comments - Comment made when address object was created.
Configure - Contains an Edit icon and a Delete icon.
Total - Displays the number of entries in the Custom List.

An IP address can be associated with a wrong country. This kind of misclassification can cause incorrect/unwanted filtering of an IP address. Having a custom country list can solve this problem by overriding the firewall country associated with a particular IP address.


Creating a Custom List

* 
IMPORTANT: For the firewall to use the custom country list, you must enable it as described in Configuring Geo-IP Filtering.
To create a custom country list:
1
Navigate to Security Services > Geo-IP Filter.

2
Click the Custom List tab.

3
Click Add. The Add Custom List dialog displays.

4
Select an IP address object or create a new address object from the IP Address drop-down menu:
* 
IMPORTANT: An address object cannot overlap any other address objects in the custom country list. Different address objects, however, can have the same country ID.
Create new address object… – the Add Address Object dialog displays.

You create a new address object as described in Adding an Address Object, with these restrictions:

Allowed types are:
Host
Range
Network
A group of any combination of these types

All other types are disallowed types and cannot be added to the custom country list.

Create new address group… – the Add Address Object Group dialog displays.

You create a new address group as described in Creating Group Address Objects.

Already defined address object or address group
5
Select a country from the Country drop-down menu.
6
Optionally, add a comment in the Comment field.
7
Click OK.

Editing a Custom List Entry

To edit a custom list entry:
1
On the Custom List tab, click the Edit icon in the Configure column for the entry to be edited. The Add Custom List dialog displays with the IP address and any comment about the entry.

2
Select the country from the Country drop-down menu and make any other changes.
3
Click OK. The Custom List table is updated.

Deleting Custom List Entries

To delete a custom list entry:
1
Do one of these:
Click the Delete icon in the Configure column for the entry.
Select the checkbox for the entry and then click the Delete button.

A confirmation message displays.

2
Click OK.
To delete multiple entries:
1
Select the checkboxes of the entries to be deleted. The Delete button becomes available.
2
Click the Delete button. A confirmation message displays.

3
Click OK.
To delete all entries:
1
Click the checkbox in the table header.
2
Click the Delete button. A confirmation message displays.

3
Click OK.

Customizing Web Block Page Settings

The Geo-IP Filter has a default message that is displayed when a user attempts to access a blocked page. You can have the message display detailed information, such as the reason why this IP address is blocked as well as the IP address and the country from which it was detected. You also can create a custom message and include a custom logo.

To create a custom web-block message:
1
Navigate to the Security Services > Geo-IP Filter page.

2
Click the Web Block Page tab.

3
Ensure the Include Geo-IP Filter Block Details option is selected. When enabled, this option shows block details such as the reason for the block, the IP address, and the country. When disabled, no information is displayed. This option is selected by default.
4
Do one of the following:
To use the default message displayed in the Alert text field, This site has been blocked by the network administrator., click the Default Blocked Page button and then go to Step 6.
Specify a custom message to be displayed in the Geo-IP Filter Block page in the Alert text field. Your message can be up to 100 characters long.
5
Optionally, in the Base64-encoded Logo Icon field, you can specify a Base64-encoded GIF icon to be displayed instead of the default SonicWall logo.
* 
NOTE: Ensure the icon is valid and make the size as small as possible. The recommended size is 400 x 65.
6
To see a preview of your customized message and logo (or the default message and logo), click the Preview button. A warning message displays.

7
Click OK. The Web Site Blocked message displays.

8
Close the Web Site Blocked message.
9
Click the Accept button.

Using Geo-IP Filter Diagnostics

The Security Services > Geo-IP Filter page has a Diagnostics tab with several tools:

Show Resolved Locations

When you click the Show Resolved Locations button, a pop-up table of resolved IP addresses displays this information:

Index
IP Address
Country

Geo-IP Cache Statistics

The Geo-IP Cache Statistics table contains this information:

Location Server IP
Resolved Entries
Unresolved Entries
Current Entry Count
Max. Entry Count
Location Map Count

Custom Countries Statistics

The Custom Countries Statistics table contains this information about the number of entries in the list and the number of times lookups have occurred for the entries:

No of Entries
No of Times Called
No of Times Not Looked-up
No of Times Resolved

Check GEO Location Server Lookup

The Geo-IP Filter also provides the ability to look up IP addresses to determine:

Domain name or IP address
The country of origin and whether it is classified as a Botnet server
* 
NOTE: The similar Botnet Location Server Lookup tool can also be accessed from the Security Services > Botnet Filter page.

The Geo Location and Botnet Server Lookup tool can also be accessed from the System > Diagnostics page.

To look up a GEO server:
1
Go to the Check GEO Location Server Lookup section at the bottom of the Diagnostics tab.

2
Enter the IP address in the Lookup IP field.
3
Click Go. Details on the IP address are displayed below the Result heading.

Incorrectly Marked Address

If you think an address is marked as part of a country incorrectly, you can report the issue by clicking on the Geo-IP Status Lookup link in the Note at the bottom of the Security Services > Geo-IP Filter page. The link displays the Submit IP for Geolocation Review page.

 

Configuring Botnet Filters

* 
NOTE: The Botnet Filtering feature is available on TZ300 series and above appliances.

Security Services > Botnet Filter

The Botnet Filtering feature allows you to block connections to or from Botnet command and control servers and to make custom Botnet lists.

The Botnet Filtering feature also allows you to create a custom message when you block a web site.

You can also use the Botnet Filtering Diagnostics tool to show Botnets, monitor Botnet cache statistics, custom Botnet statistics, and look up Botnet servers.


Configuring Botnet Filtering

To configure Botnet filtering:
1
Navigate to the Security Services > Botnet Filter page.

2
To block all servers that are designated as Botnet command and control servers, select the Block connections to/from Botnet Command and Control Servers option. All connection attempts to/from Botnet command and control servers will be blocked. This option is not selected by default.

If this option is selected, the radio buttons and the Block all connections to public IPs if BOTNET DB is not downloaded option become available.

To exclude selected IPs from this blocking behavior, use exclusion lists as described in the following steps and/or create a custom Botnet list as described in Creating a Custom Botnet List.

3
If Block connections to/from Botnet Command and Control Servers is selected, these options become available:
a
Select one of the following two modes for Botnet Filtering:
All Connections: All connections to and from the firewall are filtered. This is the default Botnet block mode.
Firewall Rule-Based Connections: Only connections that match an access rule configured on the firewall are filtered.
b
If you want to block all connections to public IPs when the Botnet database is not downloaded, select the Block all connections to public IPs if BOTNET DB is not downloaded. This option is not selected by default.
4
To enable the Custom Botnet List, select the Enable Custom Botnet List checkbox. This option is not selected by default.

If the Enable Custom Botnet List checkbox is not selected, then only the firewall’s Botnet database is searched. Go to Step 5.

Enabling a custom list by selecting the Enable Custom Botnet List checkbox can affect Botnet identification for an IP address:

a
During Botnet identification, the custom Botnet list is searched first.
b
If the IP address is not resolved, the firewall’s Botnet database is searched.

If an IP address is resolved from the custom Botnet list, it can be identified as either a Botnet IP address or a non-Botnet IP address, and action taken accordingly.

5
Select Enable logging to log Botnet Filter-related events.
6
Optionally, you can configure an exclusion list of all IPs belonging to the configured address object/address group. All IPs belonging to the list are excluded from being blocked. To enable an exclusion list, select an address object or address group from the Botnet Exclusion Object drop-down menu.

The default exclusion object is Default Geo-IP and Botnet Exclusion Group. You can create your own address object or address group object, as described in Configuring Address Objects.

7
Click the Accept button at the top of the page to enable your changes.

Creating a Custom Botnet List

The Custom Botnet List tab shows a table with this information:

Address Object - Name of the address object or address group object.
Botnet - Icon indicating whether the entry was defined as a Botnet when created. A black circle indicates a Botnet, a white circle a non-Botnet.
Comments - Any comments you added about the entry.
Configure - Contains Edit and Delete icons for the entry.
Total - Displays the number of entries in the Custom Botnet List.

An IP address can be wrongly marked as Botnet. This kind of misclassification can cause incorrect/unwanted filtering of an IP address. Having a custom Botnet list can solve this problem by overriding the Botnet tag for a particular IP address.


Creating a Custom Botnet List

* 
IMPORTANT: For the firewall to use the custom Botnet list, you must enable it as described in Configuring Botnet Filtering.
To create a custom Botnet list:
1
Navigate to Security Services > Botnet Filter.

2
Click the Custom Botnet List tab.

3
Click the Add button. The Add Custom Botnet List dialog displays.

4
Select an IP address object or create a new address object from the Botnet IP Address drop-down menu:
* 
IMPORTANT: An address object cannot overlap any other address objects in the custom Botnet list. Different address objects, however, can have the same country ID.
Create new address object… – the Add Address Object dialog displays.

You create a new address object as described in Adding an Address Object, with these restrictions:

Allowed types are:
Host
Range
Network
A group of any combination of the first three types

All other types are disallowed types and cannot be added to the custom Botnet list.

Create new address group… – the Add Address Object Group dialog displays.

You create a new address group as described in Creating Group Address Objects.

Already defined address object or address group
5
If this address object is a known Botnet, select the Botnet checkbox.
6
Optionally, add a comment in the Comment field.
7
Click OK.
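The custom Botnet list lookup order from Configuring Botnet Filtering (custom list first, then the firewall's Botnet database, with an entry able to mark an address as Botnet or non-Botnet) together with the allowed address object types and the no-overlap rule from the IMPORTANT note above (which the guide states for the custom country list as well), as an added Python example that is not SonicOS code; entry names, ranges and the stand-in Botnet database are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
ALLOWED_TYPES = ("Host", "Range", "Network")   # groups of these are also allowed


def address_object_networks(kind: str, value: str) -> List[Net]:
    """Expand an allowed address object into networks: Host '203.0.113.7',
    Network '203.0.113.0/24', Range '198.51.100.10-198.51.100.20'.
    Any other type (FQDN, MAC, ...) is disallowed for the custom list."""
    if kind == "Host":
        return [Net(value)]                       # a single address becomes a /32
    if kind == "Network":
        return [Net(value, strict=False)]
    if kind == "Range":
        low, high = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
        return list(ipaddress.summarize_address_range(low, high))
    raise ValueError(f"address object type {kind!r} cannot be added to the custom Botnet list")


class CustomBotnetEntry:
    """One Custom Botnet List row: name, address object, Botnet checkbox, comment."""

    def __init__(self, name: str, kind: str, value: str, is_botnet: bool, comment: str = ""):
        self.name, self.is_botnet, self.comment = name, is_botnet, comment
        self.networks = address_object_networks(kind, value)

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.networks)


def overlapping_entry(custom_list: List[CustomBotnetEntry],
                      entry: CustomBotnetEntry) -> Optional[str]:
    """Name of an existing entry whose address object overlaps the new one, else None."""
    for existing in custom_list:
        if any(a.overlaps(b) for a in entry.networks for b in existing.networks):
            return existing.name
    return None


def add_custom_entry(custom_list: List[CustomBotnetEntry], entry: CustomBotnetEntry) -> None:
    """Enforce the rule that address objects in the list may not overlap."""
    clash = overlapping_entry(custom_list, entry)
    if clash is not None:
        raise ValueError(f"{entry.name} overlaps existing entry {clash}")
    custom_list.append(entry)


def botnet_verdict(ip_text: str, custom_list: List[CustomBotnetEntry], botnet_db: Iterable[Net],
                   exclusion: Iterable[Net], enable_custom_list: bool) -> Tuple[str, str]:
    """('allow' | 'block', reason) following the guide's lookup order."""
    ip = ipaddress.IPv4Address(ip_text)
    if any(ip in net for net in exclusion):
        return "allow", "Botnet Exclusion Object"
    if enable_custom_list:
        for entry in custom_list:                 # custom list is searched first
            if entry.contains(ip):
                return ("block" if entry.is_botnet else "allow"), f"custom list: {entry.name}"
    if any(ip in net for net in botnet_db):       # then the firewall's Botnet database
        return "block", "Botnet database"
    return "allow", "not a Botnet"


# Constructed sample data using documentation ranges; not a real Botnet database.
SAMPLE_DB = [Net("203.0.113.0/24")]
SAMPLE_EXCLUSION = [Net("203.0.113.9/32")]
SAMPLE_LIST: List[CustomBotnetEntry] = []
add_custom_entry(SAMPLE_LIST, CustomBotnetEntry(
    "mail-relay", "Host", "203.0.113.7", False, "misclassified partner relay"))
add_custom_entry(SAMPLE_LIST, CustomBotnetEntry(
    "reported-range", "Range", "198.51.100.10-198.51.100.20", True))
```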

Editing a Custom Botnet List Entry

To edit a custom Botnet list entry:
1
On the Custom Botnet List tab, click the Edit icon in the Configure column for the entry to be edited. The Add Custom Botnet List dialog displays the entry.

2
Make your changes.
3
Click OK. The Custom Botnet List table is updated.

Deleting Custom Botnet List Entries

To delete a custom Botnet list entry:
1
Do one of these:
Click the Delete icon in the Configure column for the entry.
Select the checkbox for the entry and then click the Delete button.

A confirmation message displays.

2
Click OK.
To delete multiple entries:
1
Select the checkboxes of the entries to be deleted. The Delete button becomes available.
2
Click the Delete button. A confirmation message displays.

3
Click OK.
To delete all entries:
1
Click the checkbox in the table header.
2
Click the Delete button. A confirmation message displays.

3
Click OK.

Customizing Web Block Page Settings

The Botnet Filter has a default message that is displayed when a page is blocked. You can customize this message and include your own logo.

To create a custom message and include a custom logo:
1
Navigate to the Security Services > Botnet Filter page.

 

2
Ensure the Include Botnet Filter Block Details option is selected. This option is selected by default.

When enabled, this option shows block details such as reason for the block, IP address, and country. When disabled, this option hides all information.

3
Do one of the following:
To use the default message displayed in the Alert text field, This site has been blocked by the network administrator., click the Default Blocked Page button and then go to Step 4.
Specify a custom message to be displayed in the Botnet Filter Block page in the Alert text field. Your message can be up to 100 characters long.
4
Optionally, in the Base64-encoded Logo Icon field, you can specify a Base 64-encoded GIF icon to be displayed as well.
* 
NOTE: Ensure the icon is valid and make the size as small as possible. The recommended size is 400 x 65.
5
To see a preview of your customized message and logo (or the default message and logo), click the Preview button. A warning message displays.

6
Click OK. The Web Site Blocked message displays.

7
Close the Web Site Blocked message.
8
Click the Accept button.
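A pre-flight check for the Base64-encoded Logo Icon field described here and in the Geo-IP Filter Web Block Page steps, as an added Python example that is not part of the guide: it decodes the field value, confirms the GIF signature and reads the logical screen size from the header, and flags icons larger than the recommended 400 x 65. The sample icons are constructed header-only stubs.

```python
import base64
import struct
from typing import Any, Dict

RECOMMENDED_SIZE = (400, 65)     # the guide's recommended logo size


def inspect_logo_icon(b64_text: str) -> Dict[str, Any]:
    """Report on a Base64-encoded logo: ok (valid Base64 and a GIF), width, height,
    size_bytes and warnings; on failure, ok is False and reason says why."""
    report: Dict[str, Any] = {"ok": False, "warnings": []}
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)  # ignore pasted line breaks
    except ValueError as exc:                     # binascii.Error is a ValueError
        report["reason"] = f"not valid Base64: {exc}"
        return report
    if len(raw) < 13 or raw[:6] not in (b"GIF87a", b"GIF89a"):
        report["reason"] = "not a GIF image (GIF87a/GIF89a signature missing)"
        return report
    width, height = struct.unpack("<HH", raw[6:10])   # logical screen descriptor, little-endian
    report.update(ok=True, width=width, height=height, size_bytes=len(raw))
    if raw[-1:] != b";":
        report["warnings"].append("GIF trailer (0x3B) missing: data may be truncated")
    if width > RECOMMENDED_SIZE[0] or height > RECOMMENDED_SIZE[1]:
        report["warnings"].append(
            f"{width} x {height} exceeds recommended {RECOMMENDED_SIZE[0]} x {RECOMMENDED_SIZE[1]}")
    return report


def _stub_gif(width: int, height: int) -> bytes:
    """Constructed minimal GIF (header + trailer, no image data) for exercising the check."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00" + b";"


# Constructed sample field values, not real logos.
SAMPLE_OK_B64 = base64.b64encode(_stub_gif(400, 65)).decode()
SAMPLE_BIG_B64 = base64.b64encode(_stub_gif(800, 130)).decode()
SAMPLE_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode()
```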

Using Botnet Filter Diagnostics

The Security Services > Botnet Filter page has a Diagnostics tab with several tools:

Show Resolved Botnet Locations

When you click on the Show Botnets button, a table of resolved IP addresses displays with this information:

Index
IP Address – IP address of the Botnet

Botnet Cache Statistics

The Botnet Cache Statistics table contains this information:

Location Server IP
Resolved Entries
Unresolved Entries
Current Entry Count
Max. Entry Count
Botnets Detected

Custom Botnets Statistics

The Custom Botnets Statistics table contains this information about the number of entries in the list and the number of times lookups have occurred for the entries:

No of Entries
No of Times Called
No of Times Not Looked-up
No of Times Resolved

Check Botnet Server Lookup

The Botnet Filter also provides the ability to look up IP addresses to determine:

Domain name or IP address
Country of origin and whether the server is classified as a Botnet server
* 
NOTE: The Botnet Server Lookup tool can also be accessed from the System > Diagnostics page.
To look up a Botnet server:
1
Go to the Check BOTNET Server Lookup section at the bottom of the Diagnostics tab.

2
Enter the IP address in the Lookup IP field.
3
Click Go. Details on the IP address are displayed below the Result heading.

Incorrectly Marked Address

If you believe that a certain address is marked as a botnet incorrectly, or if you believe an address should be marked as a botnet, report this issue at the SonicWall Botnet IP Status Lookup tool by either clicking on the link in the Note at the bottom of the Security Services > Botnet Filter page or going to: SonicWall Botnet IP Status Lookup.