
SonicOS 6.2 Admin Guide

System

Viewing Status Information

System > Status

The System > Status page provides system information such as firmware version and system up time, security services license status, per firewall blade alert messages, and network interface zone assignments and link status.

This status page includes information about your SonicWall Security Appliance organized into five sections: System Messages, System Information, Security Services, Latest Alerts, and Network Interfaces.


System Messages

This is the first section and has an icon, such as a yellow triangular alert icon. Any information relating to possible problems with configurations on the SonicWall Security Appliance, such as password and log messages, as well as notifications of SonicWall Security Services offers, new firmware notifications, and upcoming Security Services expirations, is displayed in the System Messages section. If the Display user login info since last login option on Users > Settings is enabled, this section also displays user login information: last successful login timestamp, number of all user successful login attempts, unsuccessful login attempts, and administrator privilege changes.

System Information

Information displayed in this section:

Model - Type of SonicWall Security Appliance product.
Product Code - The numeric code for the model of SonicWall Security Appliance.
Serial Number - Also the MAC address of the SonicWall Security Appliance.
Authentication Code - The alphanumeric code used to authenticate the SonicWall Security Appliance on the registration database at https://www.mysonicwall.com.
Firmware Version - The firmware version loaded on the SonicWall Security Appliance.
Safemode Version - The SafeMode firmware version loaded on the SonicWall Security Appliance.
ROM Version - Indicates the ROM version.
CPUs - Displays the average CPU usage over the last 10 seconds and the type of the SonicWall Security Appliance processor. Clicking the Link icon displays the Dashboard > Multi-core Monitor page.
Total Memory - Indicates the amount of RAM and flash memory.
System Time - The time registered on the internal clock on the SonicWall Security Appliance.
Up Time - The length of time, in days, hours, and seconds that the SonicWall Security Appliance is active.
Connections - Displays the maximum number of network connections the SonicWall Security Appliance can support, the peak number of concurrent connections, and the current number of connections. Clicking on the Question Mark icon displays a pop-up window with links to the AppFlow > Flow Reporting page and the Firewall Settings > Advanced pages. To close the window, click close in the upper right corner.

Connection Usage - The percentage of the maximum number of connections that are currently established (that is, this percentage is the current number of connections divided by the maximum number of connections).
Last Modified By - The IP address of the user who last modified the system and the time stamp of the last modification.
Registration Code - The registration code is generated when your SonicWall Security Appliance is registered at http://www.mysonicwall.com.

Security Services

If your SonicWall Security Appliance is not registered at mysonicwall.com, the following message is displayed in the Security Services section: Your SonicWall Security Appliance is not registered. Click here to Register your SonicWall Security Appliance. You need a mysonicwall.com account to register your SonicWall Security Appliance or activate security services. You can create a mysonicwall.com account directly from the SonicWall management interface.

If your SonicWall Security Appliance is registered, the available SonicWall Security Services are listed in this section with the status of Licensed or Not Licensed. If Licensed, the Status column displays the number of licenses and the number of licenses in use. Clicking the Link icon displays the System > Licenses page. SonicWall Security Services and SonicWall Security Appliance registration are managed by mysonicwall.com.

Refer to Security Services for more information on SonicWall Security Services and activating them on the SonicWall Security Appliance.

Latest Alerts

Any messages relating to system errors or attacks are displayed in this section. Attack messages include AV Alerts, forbidden Email attachments, and fraudulent certificates. System errors include WAN IP changed and encryption errors. Clicking the Link icon displays the Dashboard > Log Monitor page.

For more information on SonicWall Security Appliance logging, see Dashboard > Log Monitor and Log > Settings.

Network Interfaces

Network Interfaces displays information about the interfaces for your firewall. Clicking the Link icon displays the Network > Interfaces page for configuring your Network settings. The available interfaces displayed in the Network Interfaces section depend on the model of the SonicWall Security Appliance.

 

Managing SonicWall Licenses

System > Licenses

CAUTION: By design, the SonicWall License Manager cannot be configured to use a third-party proxy server. Networks that direct all HTTP and HTTPS traffic through a third-party proxy server may experience License Manager issues.

The System > Licenses page provides links to activate, upgrade, or renew SonicWall Security Services licenses. From this page in the SonicWall Management Interface, you can manage all the licenses for your SonicWall Security Appliance. The information listed in the Security Services Summary table is updated from your mysonicwall.com account. The System > Licenses page also includes links to FREE trials of SonicWall Security Services.


Node License Status

A node is a computer or other device connected to your LAN with an IP address.

If your firewall is licensed for unlimited nodes, the Node License Status section displays the message: The SonicWall is licensed for unlimited Nodes/Users. No other settings are displayed.

If your SonicWall security appliance is not licensed for unlimited nodes, the Node License Status table lists how many nodes your security appliance is licensed to have connected at any one time, how many nodes are currently connected, and how many nodes you have in your Node License Exclusion List.

The Currently Licensed Nodes table lists details on each node connected to your security appliance. The table is not displayed if no nodes are connected.

Excluding a Node

When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group.

To exclude a node:
1. Select the node you want to exclude in the Currently Licensed Nodes table on the System > Licenses page, and click the Edit icon in the Exclude column for that node.
2. A warning displays, saying that excluding this node will create an address object for it and place it in the License Exclusion List address group. Click OK to exclude the node.

You can manage the License Exclusion List group and address objects in the Network > Address Objects page of the management interface. Click the Node License Exclusion List link to jump to the Network > Address Objects page. See Network > Address Objects for instructions on managing address objects.

Security Services Summary

The Security Services Summary tables list the available and activated security services and support services on the SonicWall security appliance.


Security Services Table

The table contains these columns:

Security Service — lists all the available SonicWall Security Services and upgrades available for the SonicWall Security Appliance.
Status — indicates whether the security service is activated (Licensed), available for activation (Not Licensed), or no longer active (Expired).
Count — displays the number of nodes/users allowed for the license.
Expiration — displays the expiration date for any Licensed Security Service.

The information listed in the Security Services Summary table is updated from your mysonicwall.com account the next time the SonicWall Security Appliance automatically synchronizes with your mysonicwall.com account (once a day) or you can click the Synchronize button after Synchronize licenses with mysonicwall.com in the Manage Security Services Online panel.

For more information on SonicWall Security Services, see Security Services.

Support Services Table

The Support Service table displays a summary of the current status of support services for the SonicWall security appliance. The Support Service table lists all support services for the appliance (such as Dynamic Support), their current status, and their expiration date.

Managing Security Services

When you have established your Internet connection, it is recommended you register your SonicWall security appliance, which provides the following benefits:

Try a FREE 30-day trial of SonicWall Intrusion Prevention Service, SonicWall Gateway Anti-Virus, Content Filtering Service, and Client Anti-Virus
Activate SonicWall Anti-Spam
Activate SonicWall security services and upgrades
Access SonicOS firmware updates
Get SonicWall technical support

Registering Your SonicWall Appliance

Instructions for creating a MySonicWall Account and for registering your appliance can be found in the Getting Started Guide for your appliance. When you log in to your primary appliance for the first time, a Software Transaction Agreement (STA) form displays for your acceptance before you can proceed. If you are using a CLI, you must type (or select) Yes before proceeding. When you have accepted the STA, it is not shown for upgrades of either firmware or software.

NOTE: mysonicwall.com registration information is not sold or shared with any other company.

The Getting Started Guide also contains instructions for applying licenses manually, synchronizing licenses manually, and upgrading firmware.

Managing Security Services Online

To synchronize your mysonicwall.com account with the Security Services Summary table, click the Synchronize button after Synchronize licenses with www.mysonicwall.com.

To activate, upgrade, or renew services, click the link in To Activate, Upgrade, or Renew services, click here.

When you click the click here link, the Licenses > License Management page displays a login dialog for MySonicWall.

Enter your MySonicWall account username and password in the MySonicWall username/email and Password fields and then click Submit.
The Services Management page is displayed. Scroll down to the Applicable Services section and locate the service you want to activate.
Click the Try, Buy, or Activate button for it and then follow the prompts to activate the service license. After completion, you are returned to the System > Licenses page in the SonicOS management interface.

To manage your licenses, click the link in To Manage your licenses go to www.mysonicwall.com.

When you click the mysonicwall.com link, the full MySonicWall login page displays.


Enter your MySonicWall account username and password in the User Name/Email and Password fields and then click Login.
NOTE: If you do not have a MySonicWall account, click Register Now and follow the prompts to create an account. See the Getting Started Guide for your platform for more information.

Manual Upgrade

Manual Upgrade allows you to activate your services by typing the service activation key supplied with a service subscription that has not been activated on mysonicwall.com. Type the activation key from the product into the Enter keyset field and click Submit.


Manual Upgrade for Closed Environments

If your SonicWall Security Appliance is deployed in a high-security environment that does not allow direct Internet connectivity from the SonicWall Security Appliance, you can enter the encrypted license key information from http://www.mysonicwall.com manually on the System > Licenses page in the SonicWall Management Interface.

NOTE: Manual upgrade of the encrypted License Keyset is only for Closed Environments. If your firewall is connected to the Internet, it is recommended you use the automatic registration and Security Services upgrade features of your appliance.
From a Computer Connected to the Internet

1. Make sure you have an account at http://www.mysonicwall.com and your SonicWall Security Appliance is registered to the account before proceeding.
2. After logging into www.mysonicwall.com, click on your registered SonicWall Security Appliance listed in Registered SonicWall Products.
3. Click the View License Keyset link. The scrambled text displayed in the text box is the License Keyset for the selected SonicWall Security Appliance and activated Security Services. Copy the Keyset text for pasting into the System > Licenses page or print the page if you plan to manually type in the Keyset into the SonicWall Security Appliance.

From the Management Interface of your SonicWall Security Appliance

1. Make sure your SonicWall Security Appliance is running the latest version of SonicOS.
2. Paste (or type) the Keyset (from step 3 above) into the Keyset field in the Manual Upgrade section of the System > Licenses page (SonicOS).
3. Click the Submit or the Apply button to update your SonicWall Security Appliance. The status field at the bottom of the page displays The configuration has been updated.
4. You can generate the System > Diagnostics > Tech Support Report to verify the upgrade details.
NOTE: After the manual upgrade, the System > Licenses page does not contain any registration and upgrade information.

CAUTION: If the warning message “SonicWall Registration Update Needed. Please update your registration information on the System > Status page after you have registered your SonicWall Security Appliance” appears, ignore it.

Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License

Your appliance must be registered on MySonicWall to use these security services. See your Getting Started Guide for information on creating a MySonicWall account and registering your appliance.

Because SonicWall Anti-Spyware is part of SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, the Activation Key you receive is for all three services on your SonicWall security appliance.

If you do not have a SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license activated on your SonicWall security appliance, you must purchase it from a SonicWall reseller or through your mySonicWall.com account (limited to customers in the USA and Canada).

Activating FREE TRIALs

You can try FREE TRIAL versions of SonicWall Gateway Anti-Virus, SonicWall Anti-Spyware, and SonicWall Intrusion Prevention Service. For information about activating a free trial of any or all of the Security Services, see the Getting Started Guide for your appliance.

Registering SonicPoint Units

For SonicPoint ACe, ACi, or N2 units purchased in:

The United States or Japan, after your SonicPoint is connected to a registered SonicWall network security appliance, SonicOS registers the SonicPoint on MySonicWall automatically, if connected to the Internet. It may take up to 24 hours for your SonicPoint to be registered automatically. Optionally, you can register your SonicPoint on MySonicWall manually by logging into your account at: http://www.mysonicwall.com.
Other countries, after your SonicPoint is connected to a SonicWall network security appliance, SonicOS displays a Register button on the SonicPoint > SonicPoints page. Clicking Register brings up a dialog in which you can select your Country Code. For more information about choosing the country code, see Japanese and International SonicPoint Support. SonicPoint wireless access points include an initial subscription to SonicWall 24x7 Support. To receive technical support, your SonicPoint must have an active Support subscription.

 

Configuring Administration Settings

System > Administration

The System > Administration page provides settings for the configuration of the SonicWall Security Appliance for secure and remote management.

You can manage the firewall using a variety of methods, including HTTPS, SNMP or SonicWall Global Management System (SonicWall GMS).

NOTE: To apply all changes to the SonicWall appliance, click Accept; a message confirming the update is displayed at the bottom of the browser window.

Firewall Name

Firewall Name—Uniquely identifies the SonicWall Security Appliance and defaults to the serial number of the SonicWall network security appliance. The serial number is also the MAC address of the unit. To change the Firewall Name, type a unique alphanumeric name in the Firewall Name field. It must be at least 8 characters in length and can be up to 63 characters long.
Auto-Append HA/Clustering suffix to Firewall Name – To facilitate recognition of the primary/secondary firewalls in the Log Monitor log, appends an appropriate suffix automatically to the firewall name in the Dashboard > Log Monitor:
Primary
Secondary
Primary Node <n>
Secondary Node <n>

This option is not selected by default.

Firewall’s Domain Name—Can be private, for internal users, or an externally registered domain name. This domain name is used in conjunction with User Web Login Settings on the Users > Settings page for user-authentication redirects.

Administrator Name & Password


Changing the Administrator Name

The Administrator Name can be changed from the default setting of admin to any word using alphanumeric characters up to 32 characters in length.

To create a new administrator name:
1. Type the new name in the Administrator Name field.
2. Click Accept for the changes to take effect on the firewall.

Changing the Administrator Password

To set a new password for SonicWall Management Interface access:
1. Type the old password in the Old Password field.
2. Type the new password in the New Password field.
3. Type the new password again in the Confirm Password field.
4. Click Accept. Once the firewall has been updated, a message confirming the update is displayed at the bottom of the browser window.

TIP: It is recommended you change the default password, password, to your own custom password.

Login Security

The internal SonicOS Web-server now supports TLS 1.1 and above with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations are not supported. This heightened level of HTTPS security protects against potential SSLv2 rollback vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards.

TIP: SonicOS uses advanced browser technologies such as HTML5, which are supported in most recent browsers. SonicWall recommends using the latest Chrome, Firefox, Internet Explorer (9.0 or above), or Safari (does not operate on Windows platforms) browsers for administration of SonicOS. Mobile device browsers are not recommended for SonicWall appliance system administration.

SonicOS password constraint enforcement configuration ensures that administrators and users are using secure passwords. This password constraint enforcement can satisfy the confidentiality requirements as defined by current information security management systems or compliance requirements, such as Common Criteria and the Payment Card Industry (PCI) standard.

Password must be changed every (days) – Requires users to change their passwords after the designated number of days has elapsed. When a user attempts to log in with an expired password, a pop-up window prompts the user to enter a new password. The User Login Status window now includes a Change Password button so users can change their passwords at any time. The default number of days is 90, the minimum is 1 day, and the maximum is 9999. This option is not selected by default.
Password cannot be changed in (hours) since the last change – Specifies the minimum length of time, in hours, between password changes. The minimum – and default – time is 1 hour; the maximum is 9999 hours. This option is not selected by default.
Bar repeated passwords for this many changes – Requires users to use unique passwords for the specified number of password changes. The default number is 4.
New password must contain 4 characters different from the old password – Requires users to change at least 4 alphanumeric characters in their old password when creating a new one.
Enforce a minimum password length of – Sets the shortest allowed password.
Enforce password complexity – Specifies how complex a user’s password must be to be accepted. The drop-down menu provides these options:
None (default)
Require both alphabetic and numeric characters
Require alphabetic, numeric, and symbolic characters – for symbolic characters only !, @, #, $, %, ^, &, *, (, and ) are allowed; all others are denied
Complexity Requirement – When the password complexity option is selected, sets the minimum number of alphanumeric and symbolic characters in a user’s password. The default number for each is 0.
Upper Case Characters
Lower Case Characters
Number Characters
Symbolic Characters
Apply these password constraints for – the checkboxes specify to which classes of users the password constraints are applied. By default, all checkboxes are selected.
Administrator – Refers to the default administrator with the username admin.
Other full administrators
Limited administrators
Guest administrators
Other local users
Log out the Administrator after inactivity of (minutes) – Sets the length of inactivity time that elapses before you are automatically logged out of the Management Interface. By default, the SonicWall Security Appliance logs out the administrator after 5 minutes of inactivity. The inactivity timeout can range from 1 to 9999 minutes.
TIP: If the Administrator Inactivity Timeout is extended beyond five minutes, you should end every management session by clicking Logout in the upper right corner of the page to prevent unauthorized access to the firewall’s Management Interface.
Enable administrator/user lockout – locks administrators and users out of accessing the appliance after the specified number of incorrect login attempts. This option is disabled by default. See Enable Administrator/User Lockout.
Failed login attempts per minute before lockout – Specifies the number of incorrect login attempts within a one-minute time frame that triggers a lockout. The minimum number is 1, the maximum number is 9999, and the default is 5.
Lockout Period (minutes) – Specifies the number of minutes that the administrator or user is locked out. The minimum time is 1 minute, the maximum time is 60 minutes, and the default is 5 minutes.
Max login attempts through CLI – Specifies the number of incorrect login attempts from the command line interface (CLI) within a time frame that triggers a lockout. The minimum number is 1, the maximum number is 9999, and the default is 5.
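As an added illustration (not SonicOS code), the following Python models how a validator would apply the password constraints listed above. The thresholds use the page's defaults; the minimum length of 8, the policy field names, the sample passwords, and the reading of "4 characters different from the old password" as a multiset difference are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# The only symbolic characters the "alphabetic, numeric, and symbolic" option accepts
ALLOWED_SYMBOLS = set("!@#$%^&*()")


@dataclass
class PasswordPolicy:
    """Login Security settings as described in the guide. Values are the page's
    defaults except min_length, which the page leaves to the administrator (8 assumed)."""
    max_age_days: int = 90               # Password must be changed every (days)
    min_hours_between_changes: int = 1   # Password cannot be changed in (hours) since the last change
    history_depth: int = 4               # Bar repeated passwords for this many changes
    min_differing_chars: int = 4         # New password must contain 4 characters different
    min_length: int = 8                  # Enforce a minimum password length of (assumed value)
    complexity: str = "none"             # "none", "alnum" or "alnum_symbolic"
    min_upper: int = 0                   # Complexity Requirement counts, default 0 each
    min_lower: int = 0
    min_digits: int = 0
    min_symbols: int = 0


@dataclass
class PasswordRecord:
    """What the validator needs to know about an account's previous passwords.
    Plaintext history is for illustration only; a real store keeps hashes."""
    history: List[str] = field(default_factory=list)   # oldest first, current password last
    last_changed: Optional[datetime] = None


def _classify(pw: str):
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    symbols = sum(c in ALLOWED_SYMBOLS for c in pw)
    other = len(pw) - upper - lower - digits - symbols   # anything outside the accepted classes
    return upper, lower, digits, symbols, other


def password_expired(policy: PasswordPolicy, record: PasswordRecord, now: datetime) -> bool:
    """True once the password is max_age_days old; the user is then prompted to change it."""
    if record.last_changed is None:
        return False
    return now - record.last_changed >= timedelta(days=policy.max_age_days)


def validate_change(policy: PasswordPolicy, record: PasswordRecord,
                    new_pw: str, now: datetime) -> List[str]:
    """Return the constraint violations for a proposed new password (empty if acceptable)."""
    problems = []
    if record.last_changed is not None and \
            now - record.last_changed < timedelta(hours=policy.min_hours_between_changes):
        problems.append(f"password was changed less than {policy.min_hours_between_changes} hour(s) ago")
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    upper, lower, digits, symbols, other = _classify(new_pw)
    if policy.complexity != "none":
        if upper + lower == 0 or digits == 0:
            problems.append("must contain both alphabetic and numeric characters")
        if policy.complexity == "alnum_symbolic":
            if symbols == 0:
                problems.append("must contain a symbolic character")
            if other:
                problems.append("contains symbolic characters outside !@#$%^&*()")
        for label, have, need in (("upper-case", upper, policy.min_upper),
                                  ("lower-case", lower, policy.min_lower),
                                  ("numeric", digits, policy.min_digits),
                                  ("symbolic", symbols, policy.min_symbols)):
            if have < need:
                problems.append(f"needs at least {need} {label} character(s), found {have}")
    if policy.history_depth and new_pw in record.history[-policy.history_depth:]:
        problems.append(f"reused within the last {policy.history_depth} password changes")
    if record.history:
        # Interpretation used here: characters of the new password left over after
        # cancelling matching characters of the current one (a multiset difference).
        differing = sum((Counter(new_pw) - Counter(record.history[-1])).values())
        if differing < policy.min_differing_chars:
            problems.append(f"differs from the current password in only {differing} character(s); "
                            f"{policy.min_differing_chars} required")
    return problems


def record_change(record: PasswordRecord, new_pw: str, now: datetime) -> None:
    """Commit an accepted password change."""
    record.history.append(new_pw)
    record.last_changed = now
```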

Multiple Administrators

On preemption by another administrator - Configures what happens when one administrator preempts another administrator using the Multiple Administrators feature. The preempted administrator can either be converted to non-config mode or logged out. For more information on Multiple Administrators, see Multiple Administrator Support Overview.
Drop to non-config mode - Select to allow more than one administrator to access the appliance in non-config mode without disrupting other administrators. This option is selected by default.
Log Out - Select to have the new administrator preempt other sessions.
NOTE: Selecting Log Out disables Non-Config mode and prevents entering Non-Config mode manually.
Allow preemption by a lower priority administrator after inactivity of (minutes) - Enter the number of minutes of inactivity by the current administrator that will allow a lower-priority administrator to preempt. The default is 10 minutes.
Enable inter-administrator messaging - Select to allow administrators to send text messages through the management interface to other administrators logged into the appliance. The message will appear in the browser’s status bar.
Messaging polling interval (seconds) - Sets how often an administrator’s browser checks for inter-administrator messages. This should be set to a reasonably short interval to ensure timely delivery of messages, especially if there are likely to be multiple administrators who need to access the appliance. The default is 10 seconds.
Enable Multiple Administrator Roles – Enables access by System Administrators, Cryptographic (Crypto) Administrators, and Audit Administrators. This option is disabled by default. When this option is disabled, the three administrators cannot access the system and all related user groups and information about them are hidden.

Enable Administrator/User Lockout

You can configure the SonicWall security appliance to lock out an administrator or a user if the login credentials are incorrect.

CAUTION: If the administrator and a user are logging into the firewall using the same source IP address, the administrator is also locked out of the firewall. The lockout is based on the source IP address of the user or administrator.

1. In the Login Security section, select the Enable Administrator/User Lockout on login failure checkbox to prevent users from attempting to log into the SonicWall security appliance without proper authentication credentials.
2. Type the number of failed attempts before the user is locked out in the Failed login attempts per minute before lockout field.
3. Type the length of time that must elapse before the user attempts to log into the firewall again in the Lockout Period (minutes) field.
4. Click Accept.
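Added illustration, not SonicOS code: a source-IP-keyed lockout tracker that behaves as the Login Security and lockout descriptions above state (a threshold of failed attempts within one minute, a lockout period in minutes, and a lockout shared by every account logging in from the same source address, which is why the administrator in the CAUTION is caught too). The class name, the one-minute sliding-window interpretation, the reset on successful login, and the constructed login events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SourceIpLockout:
    """Failed-login tracking keyed on the source IP. Failures are counted over a
    one-minute window (a sliding window is assumed here) and a lockout applies to
    every account logging in from that address, administrators included."""

    def __init__(self, failed_attempts_per_minute: int = 5, lockout_minutes: int = 5):
        self.threshold = failed_attempts_per_minute        # page default: 5
        self.lockout = timedelta(minutes=lockout_minutes)  # page default: 5 minutes
        self.window = timedelta(minutes=1)
        self._failures = defaultdict(deque)   # source IP -> timestamps of recent failures
        self._locked_until = {}               # source IP -> when the lockout ends

    def is_locked(self, ip: str, now: datetime) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]        # lockout period has elapsed
            return False
        return True

    def attempt(self, ip: str, credentials_ok: bool, now: datetime) -> str:
        """Outcome of one login attempt: 'locked', 'ok', 'failed' or 'lockout_triggered'."""
        if self.is_locked(ip, now):
            return "locked"                   # rejected even with correct credentials
        if credentials_ok:
            self._failures.pop(ip, None)      # assumption: a success resets the failure count
            return "ok"
        fails = self._failures[ip]
        fails.append(now)
        while fails and now - fails[0] >= self.window:
            fails.popleft()                   # only failures within the last minute count
        if len(fails) >= self.threshold:
            self._locked_until[ip] = now + self.lockout
            fails.clear()
            return "lockout_triggered"
        return "failed"


T0 = datetime(2024, 3, 1, 9, 0, 0)   # constructed scenario start time


def at(seconds: int) -> datetime:
    """Timestamp `seconds` after the scenario start."""
    return T0 + timedelta(seconds=seconds)


def run_scenario():
    """Constructed login events: five bad passwords from 10.0.0.5 within 40 seconds,
    then the administrator logging in from the same and from a different address."""
    guard = SourceIpLockout()
    events = [(at(10 * i), "bob", "10.0.0.5", False) for i in range(5)]
    events += [
        (at(55), "admin", "10.0.0.5", True),    # correct password, same source IP -> locked
        (at(56), "admin", "10.0.0.6", True),    # different source IP -> unaffected
        (at(340), "admin", "10.0.0.5", True),   # 5 minutes after the lockout began -> allowed
    ]
    return [(user, ip, guard.attempt(ip, ok, t)) for t, user, ip, ok in events]
```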

Enhanced Audit Logging Support

Enable Enhanced Audit Logging – Enables logging of all configuration changes in the Log > Log Monitor page. The log entry contains the parameter changed and user name.

Web Management Settings


Managing via HTTP

The SonicWall security appliance can be managed using HTTP or HTTPS and a Web browser. HTTP web-based management is disabled by default. Use HTTPS to log into the SonicOS management interface with factory default settings.

If you wish to use HTTP management, an Allow management via HTTP checkbox is available to allow you to enable/disable HTTP management globally.

The default port for HTTPS management is 443. You can add another layer of security for logging into the SonicWall security appliance by changing the default port. To configure another port for HTTPS management, type the preferred port number into the Port field, and click Update. For example, if you configure the HTTPS Management Port to be 700, then you must log into the SonicWall using the port number as well as the IP address, for example, https://192.168.168.1:700 to access the SonicWall.

The default port for HTTP is port 80, but you can configure access through another port. Type the number of the desired port in the Port field, and click Accept. However, if you configure another port for HTTP management, you must include the port number when you use the IP address to log into the SonicWall security appliance. For example, if you configure the port to be 76, then you must type <LAN IP Address>:76 into the Web browser, for example, http://192.168.168.1:76.

The Certificate Selection menu allows you to use a self-signed certificate (Use Self-signed Certificate), which allows you to continue using a certificate without downloading a new one each time you log into the SonicWall security appliance. You can also choose Import Certificate to select an imported certificate from the System > Certificates page to use for authentication to the management interface.

The Delete Cookies button removes all browser cookies saved by the SonicWall appliance. Deleting cookies will cause you to lose any unsaved changes made in the Management interface.

To see the Dashboard > Threat Reports page first when you log in, select the Use System Dashboard View as starting page checkbox.

Changing the Default Size for Management Interface Tables

The SonicWall Management Interface allows you to control the display of large tables of information across all tables in the Management Interface. You can change the default table page size in all tables displayed in the Management Interface from the default 50 items per page to any size ranging from 1 to 5,000 items. Some tables, including Active Connections Monitor, VPN Settings, and Log View, have individual settings for items per page which are initialized at login to the value configured here. After these pages are viewed, their individual settings are maintained. Subsequent changes made here affect these pages only following a new login.

To change the default table size:
1. Enter the desired number of items per page in the Default Table Size field.
2. Enter the desired interval for background automatic refresh of Monitor tables (including Process Monitor, Active Connections Monitor, and Interface Traffic Statistics) in seconds in the Auto-updated Table Refresh Interval field.
3. Click Accept.

Managing Tooltips

SonicOS introduced embedded Tooltips for many elements in the SonicOS UI. These Tooltips are small pop-up windows that are displayed when you hover your mouse over a UI element. They provide brief information describing the element. Tooltips are displayed for many forms, buttons, table headings and entries.

NOTE: Not all UI elements have Tooltips. If a Tooltip does not display after hovering your mouse over an element for a couple of seconds, you can safely conclude that it does not have an associated Tooltip.

When applicable, Tooltips display the minimum, maximum, and default values for form entries. These entries are generated directly from the SonicOS firmware, so the values will be correct for the specific platform and firmware combination you are using.

Tooltips are enabled by default. To disable Tooltips, clear the Enable Tooltip checkbox. You can configure the duration of time before Tooltips display:

Form Tooltip Delay - Duration in milliseconds before Tooltips display for forms (boxes where you enter text). The default is 2000 ms.
Button Tooltip Delay - Duration in milliseconds before Tooltips display for radio buttons and checkboxes. The default is 3000 ms.
Text Tooltip Delay - Duration in milliseconds before Tooltips display for UI text. The default is 500 ms.

Enforcing TLS

SonicOS supports versions 1.1 and 1.2 of the Transport Layer Security (TLS) protocol. To enforce use of TLS versions 1.1 and above, select the Enforce TLS 1.1 and Above checkbox.

Front-Panel Administrative Interface

NOTE: This section appears only for SuperMassive appliances, which have an LCD panel in the front.

You can enable or disable access to the Configuration Menu in the front-panel administrative interface on those appliances that support the feature.

TIP: This feature is enabled automatically when the appliance is first installed.
To allow access to the Configuration Menu in the front-panel administrative interface:
1. Select the Enable Front-Panel Administrative Interface checkbox. This setting is selected by default.
2. Select whether a PIN must be used to access the Configuration Menu by checking the Require PIN for Configuration Menu access checkbox. This setting is selected by default.
   a. Enter a PIN number in the PIN field.
   b. Enter the same PIN number in the Confirm PIN field.
3. Select whether the PIN is masked in the PIN and Confirm PIN fields by checking the Mask PIN checkbox. If you mask the PIN, it is displayed as a series of bullets. If this field is unchecked (not selected), the PIN is visible. This setting is selected by default.

Client Certificate Check

On the System > Administration page, the Client Certificate Check section enables you to configure certificate verification with or without a Common Access Card (CAC).

Topics:  

About Common Access Card

A Common Access Card (CAC) is a United States Department of Defense (DoD) smart card used by military personnel and other government and non-government personnel who require highly secure access over the internet. A CAC uses PKI authentication and encryption.

* 
NOTE: Using a CAC requires an external card reader connected on a USB port.

The Client Certificate Check was developed for use with a CAC; however, it is useful in any scenario that requires a client certificate on an HTTPS/SSL connection. CAC support applies to client certificate authentication on HTTPS connections only.

* 
NOTE: CACs may not work with browsers other than Microsoft Internet Explorer.

Options

* 
NOTE: By default, all options are disabled and unavailable.
Enable Client Certificate Check – Enables or disables client certificate checking and CAC support on the SonicWall security appliance. If you enable this option, all other options become available.
Enable Client Certificate Cache – Enables the client certificate cache. Cached verification results expire 24 hours after the cache is enabled.
User Name Field – Specifies the certificate field from which the user name is obtained:
Subject: Common Name (default)
Sub Alt: Email
Sub Alt: Microsoft Universal Principal Name
Client Certificate Issuer – Lists the Certification Authority (CA) certificates on the appliance that can be selected as the issuer of client certificates. A client certificate is accepted only if it is signed by the selected CA. The default is ComSign CA.
* 
NOTE: If the appropriate CA is not listed, you need to import that CA into the SonicWall security appliance.
CAC user group memberships retrieve method – Select how to obtain the CAC user's group membership and, thus, determine the correct user privilege:
Local Configured (default) – If selected, you should create local user groups with the proper memberships.
From LDAP – If selected, you need to configure the LDAP server on the Users > Settings page.
Enable OCSP Checking – Enables or disables the Online Certificate Status Protocol (OCSP) check for the client certificate to verify the certificate is still valid and has not been revoked. When this option is enabled, the OCSP Responder URL field displays.
OCSP Responder URL – Enter the URL of the OCSP responder that verifies the status of the client certificate.

The OCSP responder URL is usually embedded in the client certificate (in its Authority Information Access extension) and does not need to be entered. If the client certificate does not carry an OCSP URL, enter it here. The URL should point to the Common Gateway Interface (CGI) on the server side that processes OCSP requests. For example: http://10.103.63.251/ocsp.

Enable periodic OCSP Check – Enables or disables a periodic OCSP check for the client certificate to verify that the certificate is still valid and has not been revoked.
OCSP check interval 1~72 (in hours) – Enter the interval between OCSP checks, in hours. The minimum interval is 1 hour, the maximum is 72 hours, and the default is 24 hours.

Using the Client Certificate Check

If you use the client certificate check without a CAC, you must manually import the client certificate into the browser.

If you use the Client Certificate Check with a CAC, the client certificate is automatically installed on the browser by middleware. When you begin a management session through HTTPS, the certificate selection window is displayed asking you to confirm the certificate.

After you select the client certificate from the drop-down menu, the HTTPS/SSL connection is resumed, and the SonicWall security appliance checks the Client Certificate Issuer to verify that the client certificate is signed by the CA. If a match is found, the administrator login page is displayed. If no match is found, the browser displays a standard browser connection fail message, such as:

.....cannot display web page!

If OCSP is enabled, the appliance performs an OCSP check before the administrator login page is displayed, and the browser shows the following message while the check is in progress.

Client Certificate OCSP Checking.....

If the OCSP responder reports the certificate as good, the administrator login page is displayed, and you can use your administrator credentials to continue managing the SonicWall security appliance.

If the check fails (the certificate is revoked, or the responder cannot be reached), the browser displays the following message:

OCSP Checking fail! Please contact system administrator!

Troubleshooting User Lock Out

When using the client certificate feature, these situations can lock the user out of the SonicWall security appliance:

Enable Client Certificate Check is checked, but no client certificate is installed on the browser.
Enable Client Certificate Check is checked and a client certificate is installed on the browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate Issuer is selected.
Enable OCSP Checking is enabled, but either the OCSP responder is not available or a network problem is preventing the SonicWall security appliance from reaching it.

To restore access to a user who is locked out, the following CLI commands are provided:

web-management client-cert disable
web-management ocsp disable
* 
NOTE: For a complete listing and description of CLI commands, see the SonicOS 6.2 CLI Reference Guide.

Check Certificate Expiration Settings

Enable periodic certificate expiration check – Activates periodic checks of certificate’s expiration. When enabled, the Certificate expiration alert interval option becomes available.
Certificate expiration alert interval: 1 - 168 (in hours) – Sets the interval between certificate checks, in hours. The minimum time is 1 hour, the maximum is 168 hours, and the default is 168.

SSH Management Settings

If you use SSH to manage the firewall, you can change the SSH port. The default SSH port is 22. Changing the port only reduces noise from automated scanners; it is not an access control, so still limit which sources may reach SSH management and keep strong administrator credentials.

Advanced Management

Enable management using GMS – Determines whether the SonicWall Security Appliance is managed using SNMP or SonicWall Global Management System (GMS). This option is disabled by default, which means management is by SNMP. For how to configure GMS management, see Enabling GMS Management.
Out of Band Management on the management port – Enables automatic creation of a management interface address object for the MGMT interface, which works as an out-of-band interface, and configures a route policy for the newly created address object.
* 
IMPORTANT: To avoid conflicts between deleted and newly created route policies, changing this option (which creates the management interface address object and configures the route policy) reboots the appliance.

This management interface provides a trusted path to the appliance for management traffic. Network connections to this interface are very limited. If the NTP, DNS, and syslog servers are configured in the MGMT subnet, the appliance uses the MGMT IP as the source IP and creates the MGMT address object and route policies automatically. All traffic from the management interface is routed by this policy. The created routes display on the Network > Routing page.

The MGMT address object and route policies are created and updated for the IPv4 management IP only. Because the IPv6 management IP address object is created by default, this feature does not apply to the IPv6 management IP.

Topics:  

For more information on SonicWall Global Management System, go to http://www.sonicwall.com.

Enabling GMS Management

You can configure the firewall to be managed by SonicWall Global Management System (SonicWall GMS).

To configure the firewall for GMS management:
1
On the System > Administration page, scroll to the Advanced Management section.
2
Select the Enable Management using GMS checkbox. The Configure button becomes available.
3
Click Configure. The Configure GMS Settings dialog displays.

4
Enter the host name or IP address of the GMS Console in the GMS Host Name or IP Address field.
5
Enter the port in the GMS Syslog Server Port field. The default value is 514.
6
Optionally, select Send Heartbeat Status Messages Only to send only heartbeat status instead of log messages. This option is disabled by default.
7
Select GMS behind NAT Device if the GMS Console is placed behind a device using NAT on the network. This option is disabled by default.
a
Enter the IP address of the NAT device in the NAT Device IP Address field.
8
Select one of the following GMS modes from the Management Mode drop-down menu.
 

IPSEC Management Tunnel

Allows the firewall to be managed over an IPsec VPN tunnel to the GMS management console. The default IPsec VPN settings are displayed. Select GMS behind NAT Device if applicable to the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings dialog.

Existing Tunnel

The GMS server and the firewall already have an existing VPN tunnel over the connection. Enter the GMS host name or IP address in the GMS Host Name or IP Address field. Enter the port number in the Syslog Server Port field.

HTTPS

Allows HTTPS management from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWall firewall also sends encrypted syslog packets and SNMP traps using 3DES keyed from the firewall administrator's password. Note that 3DES is a legacy cipher that NIST has disallowed for new encryption, and deriving the key from the administrator password ties the confidentiality of this telemetry to that password's strength; prefer the IPSEC Management Tunnel mode where the deployment allows it.

9
Click OK.

Download URL

The Download URL section provides a field for specifying the URL address of a site for downloading SonicPoint images.

If your firewall:

Has internet connectivity, it automatically downloads the correct version of the SonicPoint image from the SonicWall server when you connect a SonicPoint device.
Does not have Internet access, or has access only through a proxy server, you must manually specify a URL for the SonicPoint firmware. You do not need to include the http:// prefix, but you do need to include the filename at the end of the URL. The filename should have a .bin extension. Because the image is fetched over plain HTTP, host it on a server you control inside your network. Here are examples using an IP address and a domain name:

192.168.168.10/imagepath/sonicpoint.bin
software.sonicwall.com/applications/sonicpoint/sonicpoint.bin

For more information see Updating SonicPoint Firmware.

* 
CAUTION: It is imperative that you download the corresponding SonicPoint image for the SonicOS firmware version that is running on your firewall. The mysonicwall.com Web site provides information about the corresponding versions. When upgrading your SonicOS firmware, be sure to upgrade to the correct SonicPoint image.

Select the type of image or images to download by clicking on the appropriate checkbox and entering the image download location in the associated field:

Manually specify SonicPoint-N image URL (http://)
Manually specify SonicPoint-Ni/Ne image URL (http://)
Manually specify SonicPoint-NDR image URL (http://)
Manually specify SonicPoint-ACe/ACi/N2 image URL (http://)

Language

If your firmware contains other languages besides English, they can be selected in the Language Selection drop-down menu.

* 
NOTE: Changing the language of the SonicOS UI requires that the firewall be rebooted.

Administering SNMP

System > SNMP

You can manage the SonicWall security appliance using SNMP or SonicWall Global Management System (GMS). This section describes how to configure the SonicWall for management using SNMP.

Topics:  

About SNMP

SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWall security appliance and receive notification of critical events as they occur on the network. The SonicWall security appliance supports SNMP v1/v2c/v3 and all relevant Management Information Base II (MIB-II) groups except egp and at.

SNMPv3 expands on earlier versions of SNMP and provides secure access to network devices by means of a combination of authenticating and encrypting packets.

Packet security is provided through:

Message Integrity: ensures a packet has not been tampered with in transit
Authentication: verifies a message comes from a valid source
Encryption: encodes packet contents to prevent its being viewed by an unauthorized source.

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy set up between a user and the group in which the user resides. The security level is the permitted level of security within a given security model. The security model and associated security level determine how an SNMP packet will be handled. SNMPv3 provides extra levels of authentication and privacy, as well as additional authorization and access control.

Security level, authentication and encryption based on SNMP version shows how security levels, authentication, and encryption are handled by the different versions of SNMP.

 

Security level, authentication and encryption based on SNMP version

Model | Level        | Authentication Type | Encryption | Means of Authentication
v1    | noAuthNoPriv | Community String    | No         | Community string match
v2c   | noAuthNoPriv | Community String    | No         | Community string match
v3    | noAuthNoPriv | Username            | No         | Username match
v3    | authNoPriv   | MD5 or SHA          | No         | HMAC-MD5 or HMAC-SHA authentication
v3    | authPriv     | MD5 or SHA          | DES or AES | HMAC-MD5 or HMAC-SHA authentication, plus CBC-DES (56-bit) or AES (128-bit) encryption of the payload

Only the two v3 levels with authentication protect the management channel: v1 and v2c community strings, and a v3 noAuthNoPriv user name, travel in cleartext and can be replayed by anyone who can see the packets. Of the v3 options, SHA and AES are the ones to choose; MD5 and single DES are retained for compatibility only.

The SonicWall security appliance replies to SNMP Get commands for MIB-II, using any interface, and supports a custom SonicWall MIB for generating trap messages. The custom SonicWall MIB is available for download from the SonicWall Web site and can be loaded into third-party SNMP management software such as HP Openview, Tivoli, or SNMPC.

SNMP settings can be viewed and configured by the administrator. Settings cannot be viewed or modified by the user. SNMPv3 can be modified at the User or Group level. Access Views can be read, write, or both, and can be assigned to users or groups. A single View can have multiple Object IDs (OIDs) associated with it.

SNMPv3 settings for the SNMPv3 Engine ID are configurable under the General Settings menu. The Engine ID is used to authorize a received SNMP packet; only packets whose Engine ID matches are processed.

Setting Up SNMP Access

SNMP configuration consists of:

Enabling and Configuring SNMP Access

You can use either SNMPv1/v2 for basic functionality, or configure the appliance to use the more extensive SNMPv3 options.

Topics:  
Configuring Basic Functionality
To enable SNMP:
1
Navigate to the System > SNMP page.

2
Select the Enable SNMP checkbox. By default, SNMP is disabled.
3
Click Accept. The SNMP information is populated on the SNMP page.

4
To configure the SNMP interface, click on the Configure button. The Configure SNMP dialog is displayed.

5
In the General tab, enter the host name of the SonicWall security appliance in the System Name field.
6
Enter the network administrator’s name in the System Contact field.
7
Enter the physical location of the appliance in the System Location field. This value is exposed to managers as MIB-II sysLocation, so keep contact details such as an email address or telephone number with the administrator's name in the System Contact field.
8
If the SNMPv3 configuration option is used, enter an asset number in the Asset Number field.
9
Enter a name for a group or community of administrators who can view SNMP data in the Get Community Name field. For SNMPv1/v2c this string is the only credential and is sent in cleartext, so treat it as a password and do not use a default such as public.
10
Enter a name for a group or community of administrators who can view SNMP traps in the Trap Community Name field.
11
Enter the IP address(es) or host name(s) of the SNMP management system receiving SNMP traps in the Host 1 through Host n fields. You must configure at least one IP address or host name, but up to the maximum number of addresses or host names for your system can be used.
12
Click OK.
Configuring SNMPv3 Engine IDs

If SNMPv3 is used, you can configure the SNMPv3 Engine ID and SNMP priority. Configuring the SNMPv3 Engine ID provides maximum security for SNMP management.

To configure SNMPv3 engine IDs:
1
If you have not configured SNMP for your system, follow Step 1 through Step 11 in Configuring Basic Functionality.
2
Click the Advanced tab.

3
Select the Mandatory Require SNMPv3 checkbox. This disables SNMPv1/v2 and allows only SNMPv3 access, which provides maximum security for SNMP management.
4
Enter the hexadecimal Engine ID number in the Engine ID field. This number will be matched against received SNMP packets to authorize their processing; only packets whose Engine ID matches this number will be processed.
5
Optionally, select the Increase SNMP subsystem priority checkbox.

For efficient system operation, certain operations may take priority over responses to SNMP queries. Enabling this option causes the SNMP subsystem to always respond, operating at a higher system priority.

* 
NOTE: Enabling this option may affect the performance of the overall system.
6
Click OK. The SNMPv3 security options are now used in processing packets.

Setting up SNMPv3 Groups and Access

SNMPv3 allows you to set up and assign groups and access with differing levels of security. Object IDs are associated with various levels of permissions, and a single view can be assigned to multiple objects. The figure SNMPv3 group and user access shows how access for groups and users is associated with these different permission levels.

Figure: SNMPv3 group and user access

Configuring Object IDs for SNMPv3 Views

The SNMPv3 Views show access settings for Users or Groups. You create settings for users and groups and these security settings are not User-modifiable. The SNMPv3 View defines the Object IDs (OID) and Object ID Groups, and is sometimes known as the SNMPv3 Access Object.

The SNMP View defines a collection of OIDs and OID groups. The initial set of default views cannot be changed or deleted. The default views reflect the most often used views, such as the root view, system view, IP, interfaces. The OIDs for these views are pre-assigned.

Additionally, you can create a custom view for specific users and groups.

You can modify views you create. You cannot modify the ones the system creates.

To configure OIDs for SNMPv3 views:
1
Navigate to System > SNMP.
2
To add a view, in the View section, click the Add button. The Add SNMP View dialog displays.

3
Enter a meaningful name in the View Name field. The default name is New SNMP View.
* 
NOTE: If editing an existing view, the name is not editable.
4
Enter an unassigned OID in the OID Associated with the View field.
5
Click Add OID.

The OID appears in the OID List. To delete an OID from the OID List, select the OID and click the Delete button.

6
Add any more new views with associated OIDs.
7
Click OK. The new views are added to the list on the SNMP page.

Creating Groups and Adding Users
Topics:  
Creating a Group
To create a group:
1
Navigate to System > SNMP.
2
To create a Group, click the Add Group button under the User/Group table. The Add SNMP Group dialog displays.

3
Enter a friendly name in the Group Name field. The group name can contain up to 32 alphanumeric characters.
4
Click OK.
Adding Users
To add users:
1
Navigate to System > SNMP.
2
To add a user, click the Add User button under the User/Group table. The Add SNMP User dialog displays.

3
Enter the user name in the User Name field.
4
Select a security level from the Security Level drop-down menu:
None (default)
Authentication – Two new options appear:

Authentication Method – Select one of these authentication methods: MD5 or SHA1. Prefer SHA1; MD5 is retained for compatibility with older managers.
Authentication Key – Enter an authentication key in the field. The key can be any string of 8 to 32 printable characters. Treat it as a password: use a long random string, not a dictionary word.
Authentication and Privacy – More options appear:

Authentication Method – See above.
Authentication Key – See above.
Select an encryption method from the Encryption Method drop-down menu: AES or DES. Prefer AES; single DES is a 56-bit legacy cipher.
Enter the encryption key in the Privacy Key field. The key can be any string of 8 to 32 printable characters and should differ from the authentication key.
5
Select a group from the Group drop-down menu. The default is *No Group*.
6
Click OK when finished. The user is added to the list and added to the appropriate group (including *No Group*).
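What the appliance does with the Authentication Key and Privacy Key entered above, and why the Engine ID from Configuring SNMPv3 Engine IDs must match, is the RFC 3414 key derivation reproduced in this added example (Python; not SonicOS code). The key string is hashed into a master key and then localized to the Engine ID, so the same string on a different engine yields different authentication parameters. The message bytes in the demo are a constructed placeholder rather than a real BER-encoded SNMPv3 packet, since the point is the key binding, not packet encoding.

```python
"""SNMPv3 User-based Security Model (RFC 3414): password-to-key, key
localization, and HMAC-96 message authentication.

Added example, not SonicOS code. The message bytes used in the demo are a
constructed stand-in, not a BER-encoded SNMP packet.
"""
import hashlib
import hmac

_HASH = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def password_to_ku(password, algo="SHA1"):
    """RFC 3414 A.2: hash the key string repeated out to exactly 1 MiB (Ku).
    The 1 MiB stretch is the only work factor, which is why a short or
    guessable key stays weak despite the hashing."""
    pw = password.encode()
    if not 8 <= len(pw) <= 32:   # the SonicOS dialog's own limit
        raise ValueError("key must be 8 to 32 printable characters")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return _HASH[algo](stream).digest()


def localize_key(ku, engine_id, algo="SHA1"):
    """Kul = H(Ku || engineID || Ku): bind the master key to one engine."""
    return _HASH[algo](ku + engine_id + ku).digest()


def user_key(password, engine_id, algo="SHA1"):
    """Localized authentication key straight from what an administrator typed."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def privacy_key(priv_password, engine_id, algo="SHA1"):
    """DES/AES-128 privacy key: the first 16 bytes of the localized key derived
    from the Privacy Key string (RFC 3414 for DES, RFC 3826 for AES)."""
    return user_key(priv_password, engine_id, algo)[:16]


def auth_params(kul, msg, algo="SHA1"):
    """msgAuthenticationParameters: HMAC-96, the first 12 bytes of HMAC(Kul, msg),
    computed with the 12-byte parameter field itself set to zero."""
    return hmac.new(kul, msg, _HASH[algo]).digest()[:12]


def sign_message(kul, msg, offset, algo="SHA1"):
    """Sender: fill the zeroed 12-byte field at `offset` with the HMAC-96."""
    if msg[offset:offset + 12] != bytes(12):
        raise ValueError("authentication parameter field must be zeroed first")
    return msg[:offset] + auth_params(kul, msg, algo) + msg[offset + 12:]


def verify_message(kul, msg, offset, algo="SHA1"):
    """Receiver: zero the field, recompute, and compare in constant time."""
    received = msg[offset:offset + 12]
    zeroed = msg[:offset] + bytes(12) + msg[offset + 12:]
    return hmac.compare_digest(received, auth_params(kul, zeroed, algo))


def engine_id_mismatch_demo():
    """Sign with the key localized to one Engine ID, then verify with the same
    key string localized to another. Returns (ok_on_right_engine,
    ok_on_wrong_engine)."""
    right_engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 test engine
    wrong_engine = bytes.fromhex("000000000000000000000003")  # constructed
    ku = password_to_ku("maplesyrup")                         # RFC 3414 test key string
    k_right = localize_key(ku, right_engine)
    k_wrong = localize_key(ku, wrong_engine)
    header = b"v3-header-placeholder"   # constructed stand-ins for the
    body = b"scoped-pdu-placeholder"    # real BER-encoded fields
    msg = header + bytes(12) + body
    signed = sign_message(k_right, msg, len(header))
    return (verify_message(k_right, signed, len(header)),
            verify_message(k_wrong, signed, len(header)))
```

Because the localized key never leaves either side, a manager configured with the right key string but pointed at an agent whose Engine ID changed (for example after a factory reset) silently fails authentication; that is the failure mode behind "only packets whose Engine ID matches are processed".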

Adding Access

SNMPv3 Access is an object that:

Defines the read/write access rights of an SNMPv3 View.
Can be assigned to an SNMPv3 Group.

Multiple groups can be assigned to the same Access object. An Access object can also have multiple views assigned to it.

To create an access object:
1
Navigate to System > SNMP.
2
Under the Access table, click the Add button. The Add SNMP Access dialog displays.

3
Enter a friendly name in the Access Name field.
* 
NOTE: Existing names are non-editable.
4
From the Read view drop-down menu, select a view from the list of available views.
5
From the Master SNMPv3 Group drop-down menu, select a group from the list of available groups. Access cannot be given to *No Group*.
* 
NOTE: An Access object can be assigned to only one SNMPv3 group, but a group can be associated with multiple Access objects.
6
From the Access Security Level drop-down menu, select a security level:
None
Authentication Only
Authentication and Privacy
7
Click OK. The Access object is added to the Access table.

Configuring SNMP as a Service and Adding Rules

By default, SNMP is disabled on the SonicWall security appliance. To enable SNMP, you must first enable SNMP on the System > SNMP page, and then enable it for individual interfaces. To do this, go to the Network > Interfaces page and click on the Configure button for the interface you want to enable SNMP on.

If your SNMP management system supports discovery, it discovers the SonicWall security appliance on the network automatically. Otherwise, you must add the SonicWall security appliance to the list of SNMP-managed devices on the SNMP management system.

SNMP Logs

SNMP logs can be viewed on the Dashboard > Log Monitor page. Expand the System category to view SNMP-specific logs.

Trap messages are generated only for the alert message categories normally sent by the SonicWall security appliance. For example, attacks, system errors, or blocked Web sites generate trap messages. If none of the categories are selected on the Dashboard > Log Monitor page, then no trap messages are generated.

Managing Certificates

System > Certificates

To use certificates for VPN policies, you need a valid CA certificate from a third-party CA service. You import the CA certificate into the firewall on the System > Certificates page; once imported, it is used to validate your local certificates.

Topics:  

About Digital Certificates

A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). The X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWall has implemented this standard in its third party certificate support.

You can use a certificate signed and verified by a third party CA to use with an IKE (Internet Key Exchange) VPN policy. IKE is an important part of IPsec VPN solutions, and it can use digital certificates to authenticate peer devices before setting up SAs. Without digital certificates, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices or clients using digital signatures do not require configuration changes every time a new device or client is added to the network.

A typical certificate consists of two sections: a data section and a signature section. The data section typically contains information such as the version of X.509 supported by the certificate, a certificate serial number, information about the user’s public key, the Distinguished Name (DN), validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature.

SonicWall Security Appliances interoperate with any X.509v3-compliant provider of Certificates. SonicWall Security Appliances have been tested with the following vendors of Certificate Authority Certificates:

Entrust
Microsoft
OpenCA
OpenSSL and TLS
VeriSign

Certificates and Certificate Requests

Topics:  

Certificate and Certificate Requests Section

The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates.

The View Style menu allows you to display your certificates in the Certificates and Certificate Requests table based on the following criteria:

All Certificates - displays all certificates and certificate requests.
Imported certificates and requests - displays all imported certificates and generated certificate requests.
Built-in certificates - displays all certificates included with the SonicWall Security Appliance.
Include expired and built-in certificates - displays all expired and built-in certificates.

Certificates and Certificates Requests Table

The Certificates and Certificate Requests table displays the following information about your certificates:

Certificate - the name of the certificate.
Type - the type of certificate, which can include CA or Local.
Validated - the validation information.
Expires - the date and time the certificate expires.
Details - the details of the certificate. Moving the pointer over the Comment icon displays the details of the certificate. For information about certificate details, see Certificate Details.
Configure - Displays the Delete icon, for deleting a certificate entry, and the Import icon, for importing either certificate revocation lists (for CA certificates) or signed certificates (for Pending requests).

Certificate Details

Clicking on the comment icon in the Details column of the Certificates and Certificate Requests table lists information about the certificate, which may include the following, depending on the type of certificate:

Signature Algorithm
Certificate Issuer
Subject Distinguished Name
Public Key Algorithm
Certificate Serial Number
Valid from
Expires On
Status (for Pending requests and local certificates)

The details shown in the Details mouseover popup depend on the type of certificate. Certificate Issuer, Certificate Serial Number, Valid from, and Expires On are not shown for Pending requests as this information is generated by the Certificate provider.

Importing Certificates

After your CA service has issued a Certificate for your Pending request, or has otherwise provided a Local Certificate, you can import it for use in VPN or Web Management authentication. CA Certificates may also be imported to verify local Certificates and peer Certificates used in IKE negotiation.

Topics:  

Importing a Certificate Authority Certificate

To import a certificate from a certificate authority:
1
Click Import. The Import Certificate dialog is displayed.

2
Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate dialog settings change.

3
Click Browse to locate the certificate file.
4
Click Open to set the directory path to the certificate.
5
Click Import to import the certificate into the firewall. When it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
6
Moving your pointer to the Comment icon in the Details column displays the certificate details information.

Importing a Local Certificate

To import a local certificate:
1
Click Import. The Import Certificate window is displayed.

2
Enter a certificate name in the Certificate Name field.
3
Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the Certificate Management Password field.
4
Click Browse to locate the certificate file.
5
Click Open to set the directory path to the certificate.
6
Click Import to import the certificate into the firewall. When it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
7
Moving your pointer to the Comment icon in the Details column displays the certificate details information.
* 
NOTE: If the certificate was uploaded successfully, the Status in the mouseover popup is Verified.

Creating PKCS-12 Formatted Certificate File

A PKCS#12 formatted certificate file can be created on a Linux system with OpenSSL. To create it, you need the two main components of the certificate:

Private key (typically a file with a .key extension or the word key in the filename)
Certificate with the public key (typically a file with a .crt extension or the word cert as part of the filename).

For example, the Apache HTTP server on Linux keeps its private key and certificate in the following locations:

/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/server.crt

With these two files available, run the following command:

openssl pkcs12 -export -out out.p12 -inkey server.key -in server.crt

In this example out.p12 becomes the PKCS#12 formatted certificate file, and server.key and server.crt are the PEM formatted private key and certificate respectively. If your CA issued intermediate certificates, bundle them into the same file as well (the openssl pkcs12 -certfile option takes a PEM file of additional certificates) so the appliance can build the full chain.

After you run the command, you are prompted for a password to protect (encrypt) the file; this is the password you enter in the Certificate Management Password field when importing. Once the password is chosen, the PKCS#12 file is complete and can be imported into the appliance. Because the file contains the private key, transfer it over a trusted channel and delete the copies you no longer need after the import.

Deleting a Certificate

To delete the certificate, click the Delete icon. You can delete a certificate if it has expired or if you decide not to use third party certificates for VPN authentication.

Generating a Certificate Signing Request

* 
TIP: You should create a Certificate Policy to be used in conjunction with local certificates. A Certificate Policy determines the authentication requirements and the authority limits required for the validation of a certificate.
To generate a certificate signing request:
1
Click the New Signing Request button. The Certificate Signing Request dialog displays.

2
In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field.
3
Select the Request field types from the drop-down menus, then enter information for the certificate in the associated fields.
* 
NOTE: For the Country request field, select your country from the drop-down menu; for all other request fields, enter the information in the associated text field.
 

Request field menu        | Request field types
Country                   | Country (default); State; Locality or County; Company or Organization
State                     | Country; State (default); Locality, City, or County; Company or Organization; Department
Locality, City, or County | Locality, City, or County (default); Company or Organization; Department; Group; Team
Company or Organization   | Company or Organization (default); Department; Group; Team; Common Name; Serial Number; E-Mail Address
Department                | Department (default); Group; Team; Common Name; Serial Number; E-Mail Address
Group                     | Group (default); Team; Common Name; Serial Number; E-Mail Address
Team                      | Team (default); Common Name; Serial Number; E-Mail Address
Common Name               | Common Name (default); Serial Number; E-Mail Address

As you enter information in the Request fields, the Distinguished Name (DN) is created in the Subject Distinguished Name field.

4
Optionally, you can also attach a Subject Alternative Name to the certificate after selecting the type from the drop-down menu:
Domain Name
Email Address
IPv4 Address
5
The Subject Key Type defaults to RSA (you can change it in step 7). RSA is a public-key algorithm used here to sign the request and, later, to prove possession of the certificate's private key.
6
Select a signature algorithm from the Signature algorithm drop-down menu:
MD5
SHA1 (default)
SHA256
SHA384
SHA512
* 
NOTE: MD5 and SHA1 are offered for compatibility only; both have practical collision attacks and public CAs no longer sign requests made with them. Choose SHA256 or stronger.
7
Select a subject key type from the Subject Key Type drop-down menu:
RSA (default)
ECDSA
8
Select a subject key size from the Subject Key Size drop-down menu.
* 
NOTE: Not all key sizes are supported by a Certificate Authority, therefore, you should check with your CA for supported key sizes. For RSA, 2048 bits is the minimum public CAs accept today; do not keep the 1024-bit default.
1024 bits (default)
1536 bits
2048 bits
4096 bits
9
Click Generate to create a certificate signing request file.

When the Certificate Signing Request is generated, a message describing the result is displayed in the Status area at the bottom of the browser window and a new entry appears in the Certificates and Certificate Requests table with the type Pending request.

10
Click the Export icon. The Export Certificate dialog displays.

11
Click Export to download the file to your computer. An Opening <certificate> dialog displays.
12
Click OK to save the file to a directory on your computer.

You have generated the Certificate Request that you can send to your Certificate Authority for validation.

Configuring Simple Certificate Enrollment Protocol

The Simple Certificate Enrollment Protocol (SCEP) is designed to support the secure issuance of certificates to network devices in a scalable manner. There are two enrollment scenarios for SCEP:

SCEP server CA automatically issues certificates
SCEP request is set to PENDING and the CA administrator manually issues the certificate.

More information about SCEP can be found at: http://tools.ietf.org/html/draft-nourse-scep-18 (Cisco Systems' Simple Certificate Enrollment Protocol draft-nourse-scep-18).

To use SCEP to issue certificates:
1
Generate a signing request as described above in Generating a Certificate Signing Request.
2
Scroll to the bottom of the System > Certificates page and click on the SCEP button. The SCEP Configuration dialog displays.

3
In the CSR List drop-down menu, the UI will automatically select a default CSR list. If you have multiple CSR lists configured, you can modify this.
4
In the CA URL field, enter the URL for the Certificate authority.
5
In the Challenge Password (optional) field, enter the password for the CA if one is required.
6
In the Request Count field, enter the number of requests. The default value is 256.
7
In the Polling Interval (S) field, you can modify the default duration of time, in seconds, between the sending of polling messages. The default value is 30 seconds.
8
In the Max Polling Time (S) field, you can modify the default duration of time, in seconds, that the firewall waits for a response to a polling message before timing out. The default value is 28800 seconds (8 hours).
9
Click the Scep button to submit the SCEP enrollment.

The firewall will then contact the CA to request the certificate. The duration of time this will take depends on whether the CA issues certificates automatically or manually. After the certificate is issued, it will be displayed in the list of available certificates on the System > Certificates page, under the Imported certificates and requests or All certificates category.

 

Configuring Time Settings

System > Time

The System > Time page defines the time and date settings to time stamp log events, to automatically update SonicWall Security Services, and for other internal purposes.

By default, the SonicWall Security Appliance uses an internal list of public NTP servers to automatically update the time. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes to a fraction of a millisecond.

Topics:  

System Time

To update the time automatically, choose the time zone from the Time Zone menu. Set time automatically using NTP is activated by default to use NTP (Network Time Protocol) servers from an internal list to set the time automatically. Automatically adjust clock for daylight saving time is also activated by default to enable automatic adjustments for daylight saving time.

If you want to set your time manually, clear Set time automatically using NTP. Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus.

Selecting Display UTC in logs (instead of local time) specifies the use of universal time (UTC) rather than local time for log events.

Selecting Display date in International format displays the date in International format, with the day preceding the month.

Selecting Only use custom NTP servers directs SonicOS to use the manually entered list of NTP servers to set the firewall clock, rather than using the internal list of NTP servers.

After selecting your System Time settings, click Accept.

NTP Settings

Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes, to a fraction of a millisecond.

* 
TIP: The SonicWall Security Appliance uses an internal list of NTP servers, so manually entering an NTP server is optional.

Select Use NTP to set time automatically if you want to use your local server to set the firewall clock. You can also configure Update Interval (minutes) for the NTP server to update the firewall. The default value is 60 minutes.

Topics:  

Adding an NTP Server

To add an NTP server to the firewall configuration:
1
Click Add. The Add NTP Server dialog displays.

2
Type the IP address of the remote NTP server in the NTP Server field.
3
Select the authentication type from the NTP Auth Type drop-down menu:
No Auth – Authentication is not required and the following three options are dimmed. Go to Step 7.
MD5 – Authentication is required and the following three options are active.
4
Enter the Trust Key number in the Trust Key No field.
5
Enter the Key number in the Key Number field.
6
Enter the password in the Password field.
7
Click OK. The NTP Server section shows the server.

Editing an NTP Server Entry

To edit an NTP server entry:
1
Click the entry’s Edit icon. The Edit NTP Server dialog displays.
2
Make the changes.
3
Click OK.

Deleting NTP Server Entries

To delete an NTP server entry:
1
Click its Delete icon.

To delete all NTP server entries:
1
Click Delete All.

Setting Schedules

System > Schedules

The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicWall Security Appliance features.

The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the Edit icon in the Configure column to display the Edit Schedule dialog.

* 
NOTE: You cannot delete the default Work Hours, After Hours, or Weekend Hours schedules.

You apply schedule objects to the specific security feature. For example, if you add an access rule on the Firewall > Access Rules page, the Add Rule window provides a drop-down menu of all the available schedule objects you created on the System > Schedules page.

A schedule can include multiple day and time increments for rule enforcement with a single schedule. If a schedule includes multiple day and time entries, a right-arrow button appears next to the schedule name. Clicking the Expand icon expands the schedule to display all the day and time entries for the schedule.

Topics:  

Adding a Schedule

To create schedules:
1
On the System > Schedules page, click Add. The Add Schedule dialog displays.

2
Enter a descriptive name for the schedule in the Name field.
3
Select one of the following radio buttons for Schedule type:
Once – For a one-time schedule between the configured Start and End times and dates. When selected, the fields under Once become active, and the fields under Recurring become inactive.
Recurring – For a schedule that occurs repeatedly during the same configured hours and days of the week, with no start or end date. When selected, the fields under Recurring become active, and the fields under Once become inactive.
Mixed – For a schedule that occurs repeatedly during the same configured hours and days of the week, between the configured start and end dates. When selected, all fields on the page become active.
4
If the fields under Once are active, configure the starting date and time by selecting the Year, Month, Date, Hour, and Minute from the drop-down lists in the Start row. The hour is represented in 24-hour format.
5
Under Once, configure the ending date and time by selecting the Year, Month, Date, Hour, and Minute from the drop-down lists in the End row. The hour is represented in 24-hour format.
6
If the fields under Recurring are active, select the checkboxes for the days of the week to apply to the schedule or select All.
7
Under Recurring, type in the time of day for the schedule to begin in the Start field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.
8
Under Recurring, type in the time of day for the schedule to stop in the Stop field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.
9
Click Add.
10
Click OK to add the schedule to the Schedule List.
11
To delete existing days and times from the Schedule List, select the row and click Delete. Or, to delete all existing schedules, click Delete All.

Deleting Schedules

You can delete custom schedules, but you cannot delete the default Work Hours, After Hours, or Weekend Hours schedules.

Deleting Individual Schedules

To delete individual schedule objects that you created:
1
On the System > Schedules page, in the Schedules table, select the checkbox next to the schedule entry to enable the Delete button.
2
Click Delete.

Deleting All Schedules

To delete all schedule objects you created:
1
On the System > Schedules page, in the Schedules table, select the checkbox next to the Name column header to select all schedules.
2
Click Delete.

Managing SonicWall Security Appliance Firmware

System > Settings

Topics:  

Settings

Topics:  

Import Settings

To import a previously saved preferences file into the firewall:
1
Click Import Settings to import a previously exported preferences file into the firewall. The Import Settings dialog displays.

2
Click Browse to locate the file, which has a *.exp file name extension.
3
Select the preferences file.
4
Click Import. The firewall restarts automatically.

Export Settings

To export configuration settings from the firewall:
1
Click Export Settings. The Export Settings dialog displays.

2
Click Export.
3
Click Save, and then select a location to save the file. The file is named sonicwall‑appliance_model-firmware_version.exp, but can be renamed.
4
Click Save. This process can take up to a minute. The exported preferences file can be imported into the firewall if it is necessary to reset the firmware.

Send Diagnostic Reports to Support

Click Send Diagnostic Reports to Support to send system diagnostics to SonicWall Technical Support. The status bar at the bottom of the screen displays Please wait! while sending the report; this can take up to a minute. When the report has been sent successfully, the status bar displays Diagnostic reports sent successfully.

Send by FTP

You can send firewall configuration settings (prefs) and/or tech support reports (TSRs, or detailed reports of firewall configuration and status) to a specific FTP server on a one-time or scheduled basis. By scheduling when these reports are sent to the FTP server, you can create and manage schedule objects and enforce schedule times.

To send prefs and/or TSRs to an FTP server:
1
Navigate to System > Settings.
2
Click Send by FTP. The Schedule Reports popup dialog displays.

3
Click Set Schedule. The Edit Schedule dialog displays.

The Schedule Name is TSR Report Hours and cannot be changed. All other aspects of the schedule can be changed.

4
Configure the schedule. For how to configure a schedule, see Adding a Schedule.
5
Click OK.
6
To send TSRs by FTP, select Send Tech Report by FTP. This option is not selected by default.
7
To send prefs by FTP, select Send Settings by FTP. This option is not selected by default.
8
When either or both of the Actions settings are selected, the server fields become available. Make changes as necessary.
a
Enter the server’s IP address in the FTP Server field. The default is 0.0.0.0.
b
Enter the user name associated with the server in the User name field. The default is admin.
c
Enter the password associated with the user name in the Password field. The default is password.
d
Enter the directory where the reports are to be sent in the Directory field. The default is reports.
9
Click Apply.

Firmware Management

The Firmware Management section provides settings that allow for easy firmware upgrade and preferences management. The Firmware Management section allows you to:

Upload and download firmware images and system settings.
Boot to your choice of firmware and system settings.
Manage system backups.
Easily return your SonicWall Security Appliance to the previous system state.
* 
NOTE: SonicWall Security Appliance SafeMode, which uses the same settings used in Firmware Management, provides quick recovery from uncertain configuration states.
Topics:  

Firmware Management Table

The Firmware Management table displays the following information:

Firmware Image - in this column, the following types of firmware images are listed:
Current Firmware - firmware currently loaded on the firewall.
Current Firmware with Factory Default Settings - rebooting using this firmware image resets the firewall to its default IP addresses, username, and password.
Current Firmware with Backup Settings - a firmware image created by clicking the Create Backup Settings button.
Uploaded Firmware - the latest uploaded version from mysonicwall.com.
Uploaded Firmware with Factory Default Settings - the latest version uploaded with factory default settings.
System Backup - the backup firmware image and backup settings for the appliance.
Version - the firmware version.
Date - the day, date, and time of downloading the firmware.
Size - the size of the firmware file in Megabytes (MB).
Download - clicking the icon saves the firmware file to a new location on your computer or network. Only uploaded firmware can be saved to a different location.
Boot - clicking the Boot icon reboots the firewall with the firmware version listed in the same row.
* 
CAUTION: Clicking Boot next to any firmware image overwrites the existing current firmware image making it the Current Firmware image.
* 
CAUTION: When uploading firmware to the firewall, you must not interrupt the Web browser by closing the browser, clicking a link, or loading a new page. If the browser is interrupted, the firmware may become corrupted.

Updating Firmware Manually

To update firmware manually:
1
Click the Upload New Firmware... button. The Upload Firmware dialog displays.

2
Browse to the firmware file located on your local drive.
3
Click the Upload New Firmware button to upload the new firmware to the SonicWall Security Appliance.
4
Click the Upload button. The Firmware Management table displays the new firmware.

5
Click the Download icon for the version of the uploaded firmware you want. The Opening <filename> dialog displays.
6
Click OK. A success message displays in the Status bar.

7
Click the Boot icon for the firmware you just downloaded. A warning message displays.

8
Click OK. An information message about the time to boot the firmware displays.

9
Click OK. An information message about the boot status displays in the Status bar.

Another message displays.

10
Log back in when the log in dialog displays. Both the System > Status and System > Settings pages reflect the firmware update.

Creating a Backup Firmware Image

When you click the Create Backup Settings button, the SonicWall Security Appliance takes a “snapshot” of your current system state, firmware and configuration preferences, and makes the snapshot the new System Backup firmware image. Clicking Create Backup Settings overwrites the existing System Backup firmware image as necessary.

* 
NOTE: For TZ series appliances, the System Backup file is a small settings file that can be booted with either Current or Uploaded firmware. It does not contain a firmware image.

Use the System Backup file for saving good configurations and then booting them if upgrades or future configurations cause instability or other serious issues. The file is conveniently saved onboard. The date and time the file was created as well as the firmware version in use at the time is displayed in the NOTE above the Firmware Management table. The dates for each item listed in the Firmware Management table are the build dates for the firmware images themselves.

To create a backup file:
1
Click the Create Backup button. A warning message displays.

2
Click OK. It may take a few minutes to create the backup file. When the file has been created, the Note above the Firmware Management table displays the date and time the file was created.

Using SafeMode to Upgrade Firmware

* 
NOTE: For how to use SafeMode to upgrade firmware for the SuperMassive 9800, see Using SafeMode to Upgrade Firmware for the SuperMassive 9800.

If you are unable to connect to the SonicOS management interface, you can restart the security appliance in SafeMode. The SafeMode feature allows you to recover quickly from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page.

To use SafeMode to upgrade firmware:
1
Connect your computer to the MGMT port on the appliance and configure your IP address with an address on the 192.168.1.0/24 subnet, such as 192.168.1.20.
2
To force the appliance into SafeMode, use a narrow, straight object, like a straightened paper clip or a toothpick, to press and hold the Reset button on the front of the SonicWall appliance for at least twenty seconds, until the Test light begins blinking.
3
The Test light begins to blink when the SonicWall security appliance has rebooted into SafeMode.
4
Enter 192.168.1.254 into your computer’s Web browser to access the SafeMode management interface.
5
Click Upload New Firmware, and then browse to the location where you saved the SonicOS firmware image, select the file and click the Upload button.
6
Select the Boot icon in the row for one of the following:
Uploaded Firmware - New! – Use this option to restart the appliance with your current configuration settings.
Uploaded Firmware with Factory Default Settings - New! – Use this option to restart the appliance with default configuration settings.
7
In the confirmation dialog, click OK to proceed.
8
To connect to SonicOS through the LAN or WAN interface of the firewall, disconnect your computer from the MGMT port, and reconfigure it to automatically obtain an IP address and DNS server address, or reset it to its normal static values.
9
Connect your computer to the local network and point your browser to the LAN or WAN IP address of the SonicWall appliance.
10
After successfully booting the firmware, the log-in screen displays. If you restarted with factory default settings, enter the default user name and password (admin/password) to access the SonicOS management interface.

Using SafeMode to Upgrade Firmware for the SuperMassive 9800

If you are unable to connect to the SonicOS management interface, you can restart the security appliance in SafeMode. The SafeMode feature allows you to recover quickly from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page.

* 
IMPORTANT: It is highly recommended you export the settings before upgrading the firmware using SafeMode. For how to export settings, see Export Settings.
To use SafeMode to upgrade firmware on the firewall:
* 
CAUTION: Placing the firewall in SafeMode may make it available to other subnets and, therefore, accessible by non-authenticated users. Disable the SafeMode feature immediately after upgrading the firmware.
1
Navigate to Network > Interfaces.
2
In the Network Settings table, click the Edit icon for the MGMT interface. The Edit Interface – MGMT dialog displays.

3
Ensure you have recorded the chassis IP address for:
A firewall from the Chassis IP Address field.
An HA pair, the primary and secondary HA units from the Chassis IP Address (Primary) and Chassis IP Address (Secondary) fields.
4
For Chassis Management, ensure these checkboxes are selected: HTTP, Ping, SSH.
5
Click OK.
6
Open a web browser.
7
Enter the chassis IP address (or chassis IP address for the primary) in the browser. The Chassis management page displays.

8
Click Upload New Firmware, and then browse to the location where you saved the SonicOS firmware image.
9
Select the file, and click the Upload button.
10
Select the Boot icon in the row for one of the following:
Uploaded Firmware - New! – Use this option to restart the appliance with your current configuration settings.
Uploaded Firmware with Factory Default Settings - New! – Use this option to restart the appliance with default configuration settings.
11
In the confirmation dialog, click OK to proceed.
12
After successfully booting the firmware, the log-in screen displays. If you restarted with factory default settings, enter the default user name and password (admin/password) to access the SonicOS management interface.
13
Navigate to Network > Interfaces.
14
In the Network Settings table, click the Edit icon for the MGMT interface.
15
In Chassis Management, ensure these checkboxes are cleared: HTTP, Ping, SSH.
16
Click OK.

Firmware Auto-Update

* 
NOTE: Firmware updates are available only to registered users with a valid support contract. You must register your SonicWall at https://www.mysonicwall.com.

SonicOS supports the Firmware Auto-Update feature, which helps ensure that your SonicWall Security Appliance has the latest firmware release. Firmware Auto-Update contains the following options:

Enable Firmware Auto-Update - Displays an Alert icon when a new firmware release is available. This setting is enabled by default.
Download new firmware automatically when available - Downloads new firmware releases to the SonicWall Security Appliance when they become available. This option is not selected by default.

One-Touch Configuration

The One-Touch Configuration Override feature is configured on the System > Settings page. It can be thought of as a quick tune-up for your SonicWall network security appliance’s security settings. With a single click, One-Touch Configuration Override applies over sixty configuration settings to implement SonicWall’s recommended best practices. These settings ensure that your appliance is taking advantage of SonicWall’s security features.

 
* 
NOTE: A system restart is required for the updates to take full effect.

There is a set of One-Touch Configuration Overrides buttons:

DPI and Stateful Firewall Security – For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules.
Stateful Firewall Security – For network environments that do not have DPI security services enabled, but still want to employ SonicWall’s stateful firewall security best practices.

Both of the One-Touch Configuration Override deployments implement the following configurations:

Configure Administrator security best practices
Enforce HTTPS login and disables ping
Configure DNS Rebinding
Configure Access Rules best practices
Configure Firewall Settings best practices
Configure Firewall Flood Protection best practices
Configure VPN Advanced settings best practices
Configure Log levels
Enable Flow Reporting and Visualization

The DPI and Stateful Firewall Security deployment also configures the following DPI-related configurations:

Enable DPI services on all applicable zones
Enable App Rules
Configure Gateway Anti-Virus best practices
Configure Intrusion Prevention best practices
Configure Anti-Spyware best practices

To see exactly which settings are reconfigured, click on the Preview applicable changes link next to each button. A page displays with a list of each setting and the value to which it will be set.

* 
CAUTION: Be aware that the One-Touch Configuration Override may change the behavior of your SonicWall security appliance. Review the list of configurations before applying One-Touch Configuration Override. In particular, these configurations may affect your experience:
Administrator password requirements on the System > Administration page
Requiring HTTPS management
Disabling HTTP to HTTPS redirect
Disabling Ping management

FIPS

When operating in FIPS (Federal Information Processing Standard) Mode, the SonicWall appliance supports FIPS 140-2 compliant security. The FIPS-compliant features of the SonicWall appliance include a PRNG based on SHA-1, and only FIPS-approved algorithms are supported (DES, 3DES, and AES with SHA‑1).

* 
NOTE: FIPS in SonicOS 6.2.5.1 and above supports FIPS 2K certificate signing support (112 bits of security strength; 2048-bit key) while maintaining backward compatibility with previous signature modes.
To enable FIPS and see a list of which of your current configurations are not allowed or are not present:
* 
NOTE: The Enable FIPS Mode checkbox cannot be enabled at the same time as the Enable NDPP Mode checkbox, which is also on the System > Settings page.
1
Go to the System > Settings page.
2
Scroll to the FIPS section at the bottom of the page.

3
Select the Enable FIPS Mode option. This option is not selected by default. The FIPS Mode Verification dialog appears with a list of your required and not allowed configurations.

4
If your SonicWall appliance:
Complies with the checklist, go to Step 5.
Does not comply with the checklist, manually change or disable settings to be compliant with the FIPS mode requirements.
* 
TIP: Leave the checklist dialog open while you make the configuration changes. If you click OK before all required changes are complete, the Enable FIPS Mode checkbox is cleared automatically upon closing the verification dialog. Select the checkbox again to see what configuration changes are still needed for FIPS compliance.
5
Click OK to reboot the security appliance in FIPS mode. A second warning displays.
6
Click Yes to continue rebooting. To return to normal operation, clear the Enable FIPS Mode checkbox and reboot the firewall in non-FIPS mode.
* 
CAUTION: When using the SonicWall Security Appliance for FIPS-compliant operation, the tamper-evident sticker that is affixed to the SonicWall Security Appliance must remain in place and untouched.

NDPP

A SonicWall network security appliance can be enabled to be compliant with Network Device Protection Profile (NDPP), but certain firewall configurations are either not allowed or are required.

* 
NOTE: NDPP is a part of Common Criteria (CC) certification. However, NDPP in SonicOS is not currently certified.

The security objectives for a device that claims compliance to a Protection Profile are defined as follows:

Compliant TOEs (Targets Of Evaluation) will provide security functionality that address threats to the TOE and implement policies that are imposed by law or regulation. The security functionality provided includes protected communications to and between elements of the TOE; administrative access to the TOE and its configuration capabilities; system monitoring for detection of security relevant events; control of resource availability; and the ability to verify the source of updates to the TOE.

You enable NDPP by selecting the Enable NDPP Mode option on the System > Settings page. Once you do this, a popup message displays with the NDPP mode setting compliance checklist. The checklist displays every setting in your current SonicOS configuration that violates NDPP compliance so that you can change these settings. You need to navigate around the SonicOS management interface to make the changes. The checklist for an appliance with factory default settings is shown in the following procedure.

To enable NDPP and see a list of which of your current configurations are not allowed or are not present:
* 
NOTE: The Enable NDPP Mode checkbox cannot be enabled at the same time as the Enable FIPS Mode checkbox, which is also on the System > Settings page.
1
Go to the System > Settings page.
2
Scroll to the NDPP section at the bottom of the page.

3
Select the Enable NDPP Mode option. The NDPP Mode Setting Verification message appears with a list of your required and not allowed configurations.

4
If your SonicWall appliance:
Complies with the checklist, go to Step 5.
Does not comply with the checklist, manually change or disable settings to be compliant with the NDPP mode requirements.
* 
TIP: Leave the checklist dialog open while you make the configuration changes. If you click OK before all required changes are complete, the Enable NDPP Mode checkbox is cleared automatically upon closing the checklist dialog. Select the checkbox again to see what configuration changes are still needed for NDPP compliance.
5
Click OK or Cancel.

 

Using the Packet Monitor

System > Packet Monitor

* 
NOTE: For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which page it is accessed through. For information on using Packet Monitor and Packet Mirror, see Monitoring Individual Data Packets.

 

Using Diagnostic Tools

System > Diagnostics

Non-SuperMassive 9800 firewalls

SuperMassive 9800 firewall

The System > Diagnostics page provides several diagnostic tools, which help troubleshoot network problems, as well as Active Connections, CPU, and Process Monitors.

Topics:  

Tech Support Report

The Tech Support Report generates a detailed report of the SonicWall Security Appliance configuration and status and saves it to the local hard disk when you click the Download Report button. This file can then be emailed to SonicWall Technical Support to help with a problem.

* 
TIP: You must register your SonicWall Security Appliance on mysonicwall.com to receive technical support.
Topics:  

Completing a Tech Support Request

Before emailing the Tech Support Report to the SonicWall Technical Support team, complete a Tech Support Request Form at https://www.mysonicwall.com. After the form is submitted, a unique case number is returned. Include this case number in all correspondence, as it allows SonicWall Technical Support to provide you with better service.

Generating a Tech Support Report

Non-SuperMassive 9800 firewalls

SuperMassive 9800 firewall

* 
TIP: If you do not need to generate a report, click the Collapse button to provide more room for the diagnostic tools.
To generate a Tech Support Report (TSR):
1
In the Tech Support Report section, select any of the following report options:
Sensitive Keys - saves shared secrets, encryption, and authentication keys to the report. This option is not selected by default.
ARP Cache - saves a table relating IP addresses to the corresponding MAC or physical addresses. This option is not selected by default.
DHCP Bindings - saves entries from the firewall DHCP server. This option is not selected by default.
IKE Info - saves current information about active IKE configurations. This option is not selected by default.
Wireless Diagnostics - lists log data if the SonicPoint or internal wireless radio experiences a failure and reboots. Selected by default.
* 
NOTE: This checkbox is only available if the SonicPoint device is enabled or the appliance has an internal wireless radio. For more information regarding this feature for SonicPoints, refer to SonicPoint Diagnostics Enhancement.

This feature is not available for the SuperMassive 9800.

List of current users - lists all currently logged in active local and remote users. Selected by default.
* 
NOTE: For reporting maximum user information, select both List of current users and Detail of users checkboxes.
Inactive users - lists the users with inactive sessions. Selected by default.
Detail of users - lists additional details of user sessions, including timers, privileges, management mode if managing, group memberships, CFS policies, VPN client networks, and other information. The Current users report checkbox must be enabled first to obtain this detailed report. Selected by default.
IP Stack Info - This option is not selected by default.
DNS Proxy Cache - This option is not selected by default.
IPv6 NDP - This option is not selected by default.
IPv6 DHCP - This option is not selected by default.
Geo-IP/Botnet Cache - saves the currently cached Geo-IP and Botnet information. This option is not selected by default.
Vendor Name Resolution - This option is not selected by default.
Debug information in report - specifies whether the downloaded TSR is to contain debug information. Selected by default.

The TSR is organized in an easy-to-read format. You control whether to include debug information as a category, enclosed by the #Debug Information_START and #Debug Information_END tags, at the end of the report. Debug information contains miscellaneous information that is not used by the average support engineer, but can be useful in certain circumstances.

2
Click Download Report to save the file to your system. When you click Download Report, a warning message is displayed.
3
Click OK to save the file. Attach the report to your Tech Support Request email.
4
On the SuperMassive 9800 only, to download the chassis log, click the Download Chassis Log button. A warning message displays.
5
Click OK to save the file. Attach the report to your Tech Support Request email.
6
On the SuperMassive 9800 only, to download the SSO Auth log, click the Download SSOAUTH Log button. A warning message displays.
7
Click OK to save the file. Attach the report to your Tech Support Request email.
8
To send the TSR, system preferences, and trace log to SonicWall Engineering (not to SonicWall Technical Support), click Send Diagnostic Reports to Support.
NOTE: Last trace logs are not supported on TZ series appliances. Current logs, however, are preserved across reboots, but not power cycles. Current logs for TZ series appliances contain information similar to Last logs on NSA and higher appliances.

The Status indicator at the bottom of the page displays Please wait! while the report is sent, and then displays Diagnostic reports sent successfully. You would normally do this after talking to Technical Support.

9
To send diagnostic files to SonicWall Tech Support for crash analysis, select the Automatic secure crash analysis reporting checkbox. This option is selected by default.
10
To periodically send the TSR, system preferences, and trace log to MySonicWall for SonicWall Engineering:
a
Select the Periodic Secure diagnostic reporting for support purposes checkbox. This option is selected by default.
b
Enter the interval in minutes between the periodic reports in the Time Interval (minutes) field. The default is 1440 minutes (24 hours).
11
To include flow table data in the TSR, select the Include raw flow table data entries when sending diagnostic report checkbox. This option is not selected by default.
NOTE: This option is not available on the SuperMassive 9800.
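A report generated with Sensitive Keys selected carries the firewall's shared secrets and keys, so it is worth checking what a downloaded TSR contains before attaching it to a case. The following Python is an added example, not part of this guide and not SonicOS code: it splits a TSR-style text into its tagged categories, lists the ones whose names suggest credential material, and can drop a category (here Debug Information) before the file is shared. The only tag names the guide documents are #Debug Information_START and #Debug Information_END; the assumption that other categories use the same #Name_START / #Name_END convention, the category names in the sample text, and the sample lines themselves are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample report. Only the "Debug Information" tags are documented
# in the guide; "System Information" and "Sensitive Keys" are assumed names
# used here for illustration, and every value is made up.
SAMPLE_TSR = """\
#System Information_START
Model: NSA 3600
Firmware Version: SonicOS Enhanced 6.2.x
#System Information_END
#Sensitive Keys_START
VPN Policy "SiteA" shared secret: hunter2
#Sensitive Keys_END
#Debug Information_START
misc debug line 1
misc debug line 2
#Debug Information_END
"""

# A tag line is "#<category name>_START" or "#<category name>_END".
TAG_RE = re.compile(r"^#(?P<name>.+?)_(?P<kind>START|END)\s*$", re.MULTILINE)


def parse_sections(text: str) -> Dict[str, str]:
    """Return {category name: body} for every #Name_START ... #Name_END pair."""
    sections: Dict[str, str] = {}
    open_name = None
    body_start = 0
    for m in TAG_RE.finditer(text):
        name, kind = m.group("name"), m.group("kind")
        if kind == "START":
            if open_name is not None:
                raise ValueError(f"nested section {name!r} inside {open_name!r}")
            open_name, body_start = name, m.end()
        else:
            if open_name != name:
                raise ValueError(f"unexpected end tag for {name!r}")
            sections[name] = text[body_start:m.start()].strip("\n")
            open_name = None
    if open_name is not None:
        raise ValueError(f"section {open_name!r} never closed")
    return sections


def strip_section(text: str, name: str) -> str:
    """Remove one tagged category, tags included, from the report text."""
    pattern = re.compile(
        rf"^#{re.escape(name)}_START\s*$.*?^#{re.escape(name)}_END\s*$\n?",
        re.MULTILINE | re.DOTALL,
    )
    return pattern.sub("", text)


def risky_sections(sections: Dict[str, str],
                   patterns: Tuple[str, ...] = ("key", "secret")) -> List[str]:
    """Names of categories that look like credential material.
    Heuristic on the category name only (an assumption of this example)."""
    return [n for n in sections if any(p in n.lower() for p in patterns)]


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_TSR)
    print("categories:", sorted(secs))
    print("review before sending:", risky_sections(secs))
    trimmed = strip_section(SAMPLE_TSR, "Debug Information")
    print("Debug Information still present:", "Debug Information" in parse_sections(trimmed))
```

Run it over a real download by reading the file into `parse_sections`; if `risky_sections` reports anything, regenerate the report with Sensitive Keys cleared rather than editing the file by hand, so that the report Support receives is internally consistent.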

Diagnostic Tools

You select the diagnostic tool from the Diagnostic Tool drop-down menu in the Diagnostic Tool section of the System > Diagnostics page:

Check Network Settings

Check Network Settings is a diagnostic tool that automatically checks the network connectivity and service availability of several pre-defined functional areas of SonicOS, returns the results, and attempts to describe the causes if any exceptions are detected. This tool helps you locate the problem area when users encounter a network problem.

Specifically, the Check Network Settings tool automatically tests the following functions:

Default Gateway settings
DNS settings
MySonicWall server connectivity
License Manager server connectivity
Content Filter server connectivity

The return data consists of two parts:

Test Results – Provides a summary of the test outcome
Notes – Provides details to help determine the cause if any problems exist

The Check Network Settings tool is dependent on the Network Monitor feature available on the Network > Network Monitor page of the SonicOS management interface. Whenever the Check Network Settings tool is being executed (except during the Content Filter test), a corresponding Network Monitor Policy appears on the Network > Network Monitor page, with a special diagnostic tool policy name in the form diagTestPolicyAuto_<IP_address/Domain_name>_0.

NOTE: There are log messages that show the up/down status of some of these special network objects. These objects, however, live for only three seconds and then are deleted automatically.

To use the Check Network Settings tool, first select it in the Diagnostic Tools drop-down list and then click the Test button in the row for the item that you want to test. The results are displayed in the same row. A green check mark signifies a successful test, and a red X indicates that there is a problem.

To test multiple items at the same time, select the checkbox for each desired item and then click the Test All Selected button.

If there are any failed probes, you can click the blue arrow to the left of the IP Address field of the failed item to jump to the configuration page to investigate the root cause.

IPv6 Check Network Settings

The IPv6 Check Network Settings tool is the IPv6 counterpart of Check Network Settings: it tests the firewall's IPv6 network connectivity and service availability.

The tool checks various connections, such as the General Network Connection and Security Management, and displays the results:

Server
IP Address
Test Results
Notes
Timestamp
Progress
To test for IPv6 settings:
1
Select IPv6 check Network Settings from the Diagnostic Tool drop-down menu.
2
To test:
A connection, click its Test button.
Two or more connections from any or all tables, select the checkboxes for the connections and then click Test All Selected.

Connections Monitor

The Connections Monitor displays real-time, exportable (plain text or CSV), filterable views of all connections to and through the firewall.


Connections Monitor Settings

You can filter the results to display only connections matching certain criteria. You can filter by Source Address, Destination Address, Destination Port, Protocol, Flow Type, Src Interface, and Dst Interface. Enter your filter criteria in the Connections Monitor Settings table.

The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source Address and Destination Address, the search string looks for connections matching:

Source Address AND Destination Address

Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source Address, Destination Address, and Protocol, and check Group Filters next to Source Address and Destination Address, the search string looks for connections matching:

(Source Address OR Destination Address) AND Protocol

Click Apply Filter to apply the filter immediately to the Active Connections Monitor table. Click Reset Filters to clear the filter and display the unfiltered results again.

You can export the list of active connections to a file. Click Export Results, and select if you want the results exported to a plain text file, or a Comma Separated Value (CSV) file for importing to a spreadsheet, reporting tool, or database. If you are prompted to Open or Save the file, select Save. Then enter a filename and path and click OK.
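The AND/OR rules above are easy to misread, so here is an added example (not code from this guide or from SonicOS) that applies them to a small constructed connection table and writes the matches out as CSV, the way Export Results would. The column and filter field names follow the guide; the rows, addresses, and the FIELD_TO_COLUMN mapping are assumptions made for the example.

```python
import csv
import io
from typing import Callable, Dict, Iterable, List

# Constructed rows in the shape of the Active Connections Monitor table.
# Column names are from the guide; addresses, ports and interfaces are made up.
CONNECTIONS: List[Dict[str, str]] = [
    {"Src IP": "10.0.0.5", "Src Port": "51514", "Dst IP": "198.51.100.80", "Dst Port": "443",
     "Protocol": "TCP", "Src Iface": "X0", "Dst Iface": "X1", "Flow Type": "Generic"},
    {"Src IP": "10.0.0.7", "Src Port": "51515", "Dst IP": "10.0.0.5", "Dst Port": "22",
     "Protocol": "TCP", "Src Iface": "X0", "Dst Iface": "X0", "Flow Type": "Generic"},
    {"Src IP": "10.0.0.9", "Src Port": "40000", "Dst IP": "192.0.2.53", "Dst Port": "53",
     "Protocol": "UDP", "Src Iface": "X0", "Dst Iface": "X1", "Flow Type": "Generic"},
    {"Src IP": "10.0.0.5", "Src Port": "40001", "Dst IP": "192.0.2.53", "Dst Port": "53",
     "Protocol": "UDP", "Src Iface": "X0", "Dst Iface": "X1", "Flow Type": "Generic"},
]

# Filter field (Connections Monitor Settings) -> table column it is matched against.
# This mapping is an assumption of the example.
FIELD_TO_COLUMN = {
    "Source Address": "Src IP",
    "Destination Address": "Dst IP",
    "Destination Port": "Dst Port",
    "Protocol": "Protocol",
    "Flow Type": "Flow Type",
    "Src Interface": "Src Iface",
    "Dst Interface": "Dst Iface",
}


def build_filter(criteria: Dict[str, str],
                 grouped: Iterable[str] = ()) -> Callable[[Dict[str, str]], bool]:
    """Predicate with the Connections Monitor Settings semantics: every filled-in
    field is ANDed, except that the fields ticked under Group Filters (two or
    more of them) form a single ORed term. Empty fields are ignored."""
    active = {f: v for f, v in criteria.items() if v}
    or_fields = {f for f in grouped if f in active}
    if len(or_fields) < 2:          # Group Filters only means something for two or more
        or_fields = set()
    and_fields = set(active) - or_fields

    def matches(row: Dict[str, str]) -> bool:
        if not all(row[FIELD_TO_COLUMN[f]] == active[f] for f in and_fields):
            return False
        if or_fields and not any(row[FIELD_TO_COLUMN[f]] == active[f] for f in or_fields):
            return False
        return True

    return matches


def apply_filter(rows: List[Dict[str, str]], criteria: Dict[str, str],
                 grouped: Iterable[str] = ()) -> List[Dict[str, str]]:
    matches = build_filter(criteria, grouped)
    return [r for r in rows if matches(r)]


def export_csv(rows: List[Dict[str, str]]) -> str:
    """Text of an Export Results -> CSV download for the given rows."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # (Source Address OR Destination Address) AND Protocol, the guide's own example
    rows = apply_filter(
        CONNECTIONS,
        {"Source Address": "10.0.0.5", "Destination Address": "192.0.2.53", "Protocol": "UDP"},
        grouped={"Source Address", "Destination Address"},
    )
    print(export_csv(rows))
```

The grouped form with the same address in both Source Address and Destination Address is the usual way to see every connection a single host is involved in, which is what you want when isolating a suspected compromised machine before flushing its connections.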

Active Connections Monitor

The Active Connections Monitor table shows information about all the active connections: Src IP, Src Port, Dst IP, Dst Port, Protocol, Src Iface, Dst Iface, Flow Type, IPS Category, Expiry (sec), Tx Bytes, Rx Bytes, Tx Pkts, Rx Pkts. Click on a column heading to sort by that column. You can filter the results to display only connections matching certain criteria, as described in Connections Monitor Settings.

To refresh the data, click the Refresh icon above the table.

You can flush an individual connection by clicking its Delete icon in the Flush column. To flush all the connections, click the Flush All button at the bottom of the table.

Multi-Core Monitor

NOTE: For increased convenience and accessibility, the Multi-Core Monitor can also be accessed from the Dashboard > Multi-Core Monitor, Dashboard > Real-Time Monitor, or System > Diagnostics page. The Multi-Core Monitor display on the System > Diagnostics page is identical to that of the Dashboard > Multi-Core Monitor. Both monitors display information about individual cores. The Dashboard > Real-Time Monitor shows the information either for combined data in flow chart format or for individual cores in bar chart format.

The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the SonicWall Security Appliance. For more information about the Multi-Core Monitor, see Dashboard > Multi-Core Monitor.

Multi-Core Monitor Display for High Availability

If your system is configured for high availability, the cores for both the Primary and Secondary firewalls are displayed; see High Availability display. To view the two monitors side by side, click the small triangle in the header of the first monitor; see High Availability display side-by-side.

High Availability display

High Availability display side-by-side

Core Monitor

The Core Monitor displays dynamically updated statistics on the utilization of a single specified core on the SonicWall Security Appliance. The View Style drop-down menu provides a range of time intervals over which core usage can be reviewed.

Link Monitor

The Link Monitor displays bandwidth utilization for the interfaces on the firewall. Bandwidth utilization is shown as a percentage of total capacity. The Link Monitor can be configured to display inbound traffic, outbound traffic or both for each of the physical interfaces on the appliance.

Packet Size Monitor

The Packet Size Monitor displays sizes of packets on the interfaces on the firewall. You can select from four time periods, ranging from the last 30 seconds to the last 30 days. The Packet Size Monitor can be configured to display inbound traffic, outbound traffic or both for each of the physical interfaces on the appliance.

To configure the Packet Size Monitor:
1
Select one of the following from the View Style drop-down menu:
Last 30 Seconds
Last 30 Minutes
Last 24 Hours
Last 30 Days
2
Select the physical interface to view from the Interface Name drop-down menu.
3
In the Direction drop-down menu, select one of the following:
Both – Select for packets traveling both inbound and outbound
Ingress – Select for packets arriving on the interface
Egress – Select for packets departing from the interface

The packets are displayed in the Average Packet Size graph, where the X axis specifies when the packets crossed the interface and the Y axis specifies the average packet size at that time. Ingress packets are displayed in green, and egress packets are displayed in red.

DNS Name Lookup

The DNS Name Lookup tool resolves a domain name to its IPv4 and/or IPv6 addresses, or an IP address to its domain name. If you enter an IPv4 or IPv6 address, the tool returns the domain name for that address. If you enter a domain name, the tool shows the DNS server used and the resolved address.

With the DNS Server radio buttons, you can select either a System or Customized DNS server. The options change, depending on which you choose.

The IPv4/IPv6 DNS Server fields display the IP addresses of the DNS Servers configured on the firewall. If there is no IP address (0.0.0.0 for IPv4 or :: for IPv6) in the fields, you must configure them on the Network > Settings page.

The Type drop-down menu allows you to specify:

IPv4, the default, which resolves the name to IPv4 addresses only.
IPv6, which resolves the name to IPv6 addresses only.
All, which resolves the name to both IPv4 and IPv6 addresses.
IMPORTANT: When specifying a domain name, enter the bare name; do not add http:// or https:// to it.

The firewall queries the DNS Server and displays the results in the Result section.


Resolving a System DNS Server

To resolve a system DNS Server:
1
Select System for the DNS Server.

2
In the Lookup name or IP field, enter either the domain name or the IP address to be resolved.
3
Select the address type to resolve from the Type drop-down menu:
IPv4 (default)
IPv6
All (both IPv4 and IPv6)
4
Click Go. The firewall returns the matching pair of addresses and domain names.

Resolving a Customized DNS Server

To resolve a customized DNS Server:
1
Select Customized as the DNS Server.

2
If the DNS Server IP address has not been populated, enter it in the IPv4 or IPv6 field.
3
In the Lookup name or IP field, enter either the domain name or the IP address to be resolved.
4
Select the address type to resolve from the Type drop-down menu:
IPv4 (default)
IPv6
All (both IPv4 and IPv6)
5
Click Go. The firewall returns the same information as for a System DNS Server.

Find Network Path

Enter an IP address to determine how the firewall would reach it: the network interface the path uses, the router (gateway) IP address, if any, through which the destination is reached, and the Ethernet (MAC) address of the next hop.
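What Find Network Path reports is the outcome of a routing-table lookup followed by an ARP-cache lookup. The Python below is an added example and not the firewall's implementation: a longest-prefix match over a constructed route table, then resolution of the next hop (the gateway, or the destination itself on a directly connected network) to an Ethernet address through a constructed ARP cache. The routes, interface names, addresses, and MAC addresses are all made up for the example.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]      # None for a directly connected network
    interface: str


class PathResult(NamedTuple):
    interface: str
    gateway: Optional[str]      # router the destination is reached through, if any
    next_hop: str               # address the frame is actually sent to
    ethernet: Optional[str]     # MAC of next_hop, None if not in the ARP cache


# Constructed routing table (an assumption of this example, not a real appliance's).
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "X1"),          # default via WAN
    Route(ipaddress.ip_network("192.168.168.0/24"), None, "X0"),             # LAN, connected
    Route(ipaddress.ip_network("10.10.0.0/16"), "192.168.168.254", "X0"),    # via internal router
    Route(ipaddress.ip_network("10.10.5.0/24"), "192.168.168.253", "X0"),    # more specific
]

# Constructed ARP cache: IP -> MAC.
ARP: Dict[str, str] = {
    "203.0.113.1": "00:11:22:33:44:01",
    "192.168.168.254": "00:11:22:33:44:02",
    "192.168.168.253": "00:11:22:33:44:03",
    "192.168.168.10": "00:11:22:33:44:10",
}


def find_network_path(dst: str, routes: List[Route] = ROUTES,
                      arp: Dict[str, str] = ARP) -> PathResult:
    """Longest-prefix-match route lookup, then ARP lookup of the next hop."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    # On a connected network the destination is its own next hop.
    next_hop = best.gateway if best.gateway is not None else dst
    return PathResult(best.interface, best.gateway, next_hop, arp.get(next_hop))


if __name__ == "__main__":
    for target in ("10.10.5.7", "10.10.9.1", "192.168.168.10", "8.8.8.8", "192.168.168.99"):
        print(target, find_network_path(target))
```

An `ethernet` of None for a directly connected destination means the firewall has not yet resolved it with ARP, which is the same situation the real tool reports when a host on the LAN is silent or absent.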

Ping

The Ping test sends an ICMP echo request to a host and waits for the echo reply. This test shows whether the firewall is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the ISP's DNS server or another machine at the ISP location, and then hosts beyond the ISP. If nothing past the WAN interface answers, the problem most likely lies with the ISP connection; if hosts outside the ISP answer but the ISP's own server does not, the connection is working and that server is the problem.

1
Select Ping from the Diagnostic Tool menu.
2
Enter the IP address or host name of the target device.
3
In the Interface drop-down menu, select the WAN interface to send the ping from. Selecting ANY allows the appliance to choose among all interfaces, including those not listed in the drop-down menu.
4
Click Go. If the test is successful, the firewall returns a message stating that the IP address is alive and showing the round-trip time in milliseconds (ms).

Ping for IPv6

For complete information on the SonicOS implementation of IPv6, see IPv6. The ping tool includes a new Prefer IPv6 networking option.

When pinging a domain name, it uses the first IP address that is returned and shows the actual pinging address. If both an IPv4 and IPv6 address are returned, by default, the firewall pings the IPv4 address.

If the Prefer IPv6 networking option is enabled, the firewall will ping the IPv6 address.

Core 0 Process Monitor

The Core 0 Process Monitor shows the individual system processes on core 0, their CPU utilization, and their system time. The Core 0 Process Monitor is available on the multi-core SuperMassive 9000 series and multi-core NSA series appliances.

Real-Time Black List Lookup

The Real-Time Black List Lookup tool checks whether an IP address (typically an SMTP sender) is listed by a Real-Time Black List (RBL) service, and so also lets you test an RBL service or a DNS server. Enter the IP address in the IP Address field, the FQDN of the RBL zone in the RBL Domain field, and the DNS server to query in the DNS Server field. Click Go.

Reverse Name Resolution

The Reverse Name Resolution tool is similar to the DNS name lookup tool, except that it looks up a server name, given an IP address.

Enter an IP address in the Reverse Lookup the IP Address field, and it checks all DNS servers configured for your security appliance to resolve the IP address into a server name.
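Both tools are DNS lookups on a name built from the reversed address: a PTR lookup uses in-addr.arpa (ip6.arpa for IPv6), and an RBL lookup puts the same reversed octets under the RBL zone and expects an A record in 127.0.0.0/8 when the address is listed (RFC 5782). The Python below is an added example serving both the Real-Time Black List Lookup and Reverse Name Resolution sections; it is not code from this guide or from SonicOS. The resolver is injected so that the example runs offline against a constructed zone; STUB_ZONE, the rbl.example name, and the answers in it are assumptions for the example.

```python
import ipaddress
from typing import Callable, List, Optional

Resolver = Callable[[str], List[str]]   # name -> list of A record strings (empty if NXDOMAIN)


def reverse_name(ip: str) -> str:
    """PTR query name: reversed octets under in-addr.arpa, or reversed nibbles under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def rbl_query_name(ip: str, rbl_domain: str) -> str:
    """DNSBL query name (RFC 5782): the reversed address under the RBL zone."""
    addr = ipaddress.ip_address(ip)
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    reversed_part = addr.reverse_pointer[: -len(suffix)]
    return reversed_part + "." + rbl_domain.rstrip(".")


def rbl_listed(ip: str, rbl_domain: str, resolve_a: Resolver) -> Optional[List[str]]:
    """Return the 127.0.0.x return codes if `ip` is listed, None if it is not.
    Answers outside 127.0.0.0/8 are ignored: they indicate a wildcarding or
    hijacked resolver rather than a listing, and treating them as listings
    would block mail on the strength of a bogus DNS answer."""
    answers = resolve_a(rbl_query_name(ip, rbl_domain))
    codes = [a for a in answers
             if ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")]
    return codes or None


# Constructed zone standing in for a DNS server. The first two entries mirror the
# RFC 5782 test points (127.0.0.2 is always listed, 127.0.0.1 never is); the third
# is a made-up wildcard answer of the kind a hijacking resolver returns.
STUB_ZONE = {
    "2.0.0.127.rbl.example": ["127.0.0.2"],
    "1.0.0.127.rbl.example": [],
    "10.2.0.192.rbl.example": ["198.51.100.9"],
}


def stub_resolver(name: str) -> List[str]:
    return STUB_ZONE.get(name, [])


if __name__ == "__main__":
    print(reverse_name("192.0.2.10"))
    print(rbl_query_name("127.0.0.2", "rbl.example"))
    for probe in ("127.0.0.2", "127.0.0.1", "192.0.2.10"):
        print(probe, "listed:", rbl_listed(probe, "rbl.example", stub_resolver))
```

Against a live DNS server, pass `lambda name: socket.gethostbyname_ex(name)[2]` as the resolver. Querying the RFC 5782 test addresses first is the quick way to confirm that the RBL zone and the DNS server you selected are actually answering before trusting a "not listed" result for a real sender.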

Connection Limit TopX

The Connection Limit TopX tool lists the top 10 connections by the source and destination IP addresses. Before you can use this tool, you must enable source IP limiting and/or destination IP limiting for your appliance. If these are not enabled, the page displays a message to inform you that you can enable them on the Firewall > Advanced page.

Check GEO Location and BOTNET Server Lookup

NOTE: This diagnostic is not available on the SuperMassive 9800.

The Geo-IP and Botnet Filtering feature allows you to block connections to or from a geographic location based on IP address and to or from Botnet command and control servers. Additional functionality for this feature is available on the Security Services > Geo-IP and Botnet Filter page. For full details, see Security Services > Geo-IP Filter and Configuring Botnet Filters.

To troubleshoot with GEO Location and BOTNET Server Lookup:
1
Select GEO Location and BOTNET Server Lookup from the Diagnostic Tool drop-down menu.
2
Type the IP address or domain name of the destination host in the Lookup IP field.
3
Click Go. The result displays underneath the Lookup IP field.

Trace Route

Trace Route is a diagnostic utility that assists in diagnosing and troubleshooting router connections on the Internet. It sends UDP probe packets with increasing time-to-live values, so that each router along the path in turn reports itself; in this way Trace Route tests interconnectivity with routers and other hosts farther and farther along the network path until the connection fails or the remote host responds.

The TraceRoute tool includes a Prefer IPv6 networking option. For complete information on the SonicOS implementation of IPv6, see IPv6.

When testing interconnectivity with routers and other hosts, SonicOS uses the first IP address that is returned and shows the actual TraceRoute address. If both IPv4 and IPv6 addresses are returned, by default, the firewall will TraceRoute the IPv4 address. If the Prefer IPv6 networking option is enabled, the firewall will TraceRoute the IPv6 address.

To troubleshoot with Trace Route:
1
Select TraceRoute from the Diagnostic Tool drop-down menu.
2
Type the IP address or domain name of the destination host in the TraceRoute this host or IP address field.
3
In the Interface drop-down menu, select the WAN interface to run the trace route from. Selecting ANY, the default, allows the firewall to choose among all interfaces, including those not listed in the drop-down menu.
4
To TraceRoute for IPv6, select the Prefer IPv6 networking checkbox.
5
Click Go. Depending on the route, this may take a few minutes. A popup table displays with each hop to the destination host. By following the route, you can diagnose where the connection fails between the firewall and the destination.

PMTU Discovery

PMTU Discovery is a diagnostic tool that uses a standardized technique for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. PMTU Discovery works with both IPv4 and IPv6.

To troubleshoot with PMTU Discovery:
1
Select PMTU Discovery from the Diagnostic Tool drop-down menu.
2
Type the IP address or domain name of the destination host in the Path MTU Discovery to this host or IP address field.
3
In the Interface drop-down menu, select the WAN interface to run the PMTU discovery from. Selecting ANY, the default, allows the firewall to choose among all interfaces, including those not listed in the drop-down menu.
4
Click Go. Depending on the route, this may take a few minutes. A popup table displays with each hop to the destination host. By following the route, you can diagnose where the connection fails between the firewall and the destination.
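The "standardized technique" is Path MTU Discovery as described in RFC 1191 (RFC 8201 for IPv6): send probes with the Don't Fragment bit set and shrink to the MTU reported by the hop that rejects them. The Python below is an added example and not the firewall's tool: it simulates the probes against a constructed path so that it runs offline, and it also handles the case where the ICMP "Fragmentation Needed" messages are filtered somewhere on the path (a PMTU black hole), where the only option left is to search for the largest size that gets through. SAMPLE_PATH, make_probe, and the probe budget are assumptions of the example.

```python
from typing import Callable, List, Optional, Tuple

# Constructed path: the link MTU of each hop in order. The path MTU is the smallest.
SAMPLE_PATH = [1500, 1400, 1280, 1500]


def make_probe(path_mtus: List[int], icmp_filtered: bool = False) -> Callable[[int], Optional[int]]:
    """Simulate sending a `size`-byte packet with DF set along the path.
    Returns None if it traverses every link. Otherwise returns the MTU the first
    too-small hop advertises in its ICMP 'Fragmentation Needed' (IPv4) or
    'Packet Too Big' (IPv6) message, or 0 when that message never arrives
    because ICMP is filtered (a black hole)."""
    def probe(size: int) -> Optional[int]:
        for mtu in path_mtus:
            if size > mtu:
                return 0 if icmp_filtered else mtu
        return None
    return probe


def discover_pmtu(probe: Callable[[int], Optional[int]], upper: int = 1500,
                  lower: int = 68, max_probes: int = 64) -> Tuple[int, int]:
    """Return (path MTU, probes sent).
    `lower` must be a size known to pass (68 is the IPv4 minimum every link must
    carry; use 1280 for IPv6). A rejected probe carrying a plausible next-hop MTU
    moves the candidate straight to that value (RFC 1191); one without a usable
    value falls back to bisection between the last size that passed and the last
    that failed, which is how a black hole is handled."""
    lo, hi = lower, upper          # lo passes (or is the protocol minimum); hi is untested
    probes = 0
    while probes < max_probes:
        reported = probe(hi)
        probes += 1
        if reported is None:       # hi got through, and nothing larger is permitted
            return hi, probes
        if reported and lo < reported < hi:
            hi = reported          # trust the advertised MTU; it is verified next round
            continue
        while hi - lo > 1 and probes < max_probes:   # no usable hint: bisect
            mid = (lo + hi) // 2
            probes += 1
            if probe(mid) is None:
                lo = mid
            else:
                hi = mid
        return lo, probes
    raise RuntimeError("PMTU discovery did not converge within the probe budget")


if __name__ == "__main__":
    print("advertised:", discover_pmtu(make_probe(SAMPLE_PATH)))
    print("black hole:", discover_pmtu(make_probe(SAMPLE_PATH, icmp_filtered=True)))
```

With working ICMP the answer arrives in as many probes as there are MTU steps on the path; with ICMP filtered the bisection needs roughly log2(upper - lower) probes, which is why black holes show up as slow or inconclusive results and why filtering all ICMP at a firewall breaks PMTU discovery for everyone behind it. On a Linux host the same probe is `ping -M do -s <size> <host>`.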

Web Server Monitor

Non-SuperMassive 9800 firewalls

SuperMassive 9800 firewall

The Web Server Monitor tool displays the CPU utilization of the Web server over time.

To troubleshoot with Web Server Monitor:
1
Select Web Server Monitor from the Diagnostic Tool drop-down menu.
2
For SuperMassive 9800 only, select the blade from the Blade drop-down menu: 1 (default) or 2.
3
From the View Style drop-down menu, select the time period displayed:
Last 30 seconds (default)
Last 30 minutes
Last 24 hours
Last 30 days

User Monitor

The User Monitor tool displays the number of users logged in over time.

To troubleshoot with User Monitor:
1
Select User Monitor from the Diagnostic Tool drop-down menu.
2
For SuperMassive 9800 only, select the blade from the Blade drop-down menu: 1 (default) or 2.
3
From the View Style drop-down menu, select the time period displayed:
Last 30 seconds (default)
Last 30 minutes
Last 24 hours
Last 30 days
4
From the Vertical Axis drop-down menu, select the maximum number of users for the vertical axis.
5
To specify the types of users to display, click the Configure icon. A popup menu displays.

* 
NOTE: The types of users displayed depend on how your users log in. For example, if you do not use SSL VPN, that option does not display.
a
Select the checkboxes of the user types to be displayed.
b
Clear the checkboxes of the user types to hide.
c
Click OK.

Switch Diagnostics

The Switch Diagnostics tool displays the status and port counters of the switch associated with an interface.

To troubleshoot with Switch Diagnostics:
1
Select Switch Diagnostics from the Diagnostic Tool drop-down menu.
2
Select the interface from the Interface Name drop-down menu.

Chassis Usage – SuperMassive 9800 Only

The Chassis Usage tool displays information about usage of the hard disk, memory, and CPU.

To troubleshoot with Chassis Usage:
1
Select Chassis Usage from the Diagnostic Tool drop-down menu.

 

Restarting the System

System > Restart

NOTE: The System > Restart page and procedure for the SuperMassive 9800 differ from those of the other firewalls. To restart a SuperMassive 9800, see System > Restart for the SuperMassive 9800.

The SonicWall Security Appliance can be restarted from the Web Management interface.

To restart the firewall:
1
Go to the System > Restart page.
2
Click Restart.

The firewall takes approximately 60 seconds to restart. During the restart time, all users are disconnected and internet access is momentarily interrupted on the LAN.

System > Restart for the SuperMassive 9800

NOTE: The System > Restart page and procedure for the SuperMassive 9800 differ from those of the other firewalls. To restart a SuperMassive Series, NSA Series, or TZ Series firewall, see System > Restart.

CAUTION: Restarting either the firewall or SonicOS disconnects all users, and restarting the chassis also disrupts access to the chassis.

The System > Restart page allows you to:

Restart SonicOS: Restarting SonicOS
Restart ChassisOS: Restarting ChassisOS
Shutdown the system: Shutting Down the System

Restarting SonicOS

IMPORTANT: Restarting SonicOS disconnects all users.
IMPORTANT: If you made any changes to the settings, you must apply them before you restart.
To restart SonicOS:
1
Ensure any changes to settings have been applied.
2
Go to the System > Restart page.
3
Click Restart SonicOS.

SonicOS takes approximately 60 seconds to restart. During the restart time, all users are disconnected and internet access is momentarily interrupted on the LAN.

Restarting ChassisOS

IMPORTANT: Restarting ChassisOS disconnects all users.
IMPORTANT: If you made any changes to the settings, you must apply them before you restart.
To restart ChassisOS:
1
Ensure any changes to settings have been applied.
2
Go to the System > Restart page.
3
Click Restart Chassis.

The firewall takes a few minutes to power cycle. During this time, all users are disconnected, internet access is interrupted, and access to the chassis is disrupted.

Shutting Down the System

IMPORTANT: Shutting down the system disconnects all users.
IMPORTANT: To start the firewall again, you must power cycle the system.
To shutdown the system:
1
Go to System > Restart.
2
Click Shutdown System.

Shutting down the system disconnects all users and disrupts access to the firewall. To restart, you must power cycle the system.

Accessing Legal Information

System > Legal Information

You can access the SonicWall End User Product Agreement (EUPA) as well as other legal information from the System > Legal Information page.