
SonicOS 6.2 Admin Guide

Wizards

Using SonicWall Configuration Guides (Wizards)

About the Guides

NOTE: The terms guide and wizard are interchangeable.

SonicOS provides easy-to-use configuration guides (wizards) to assist you with initial policy creation. Launch the SonicWall Configuration Guide by clicking Wizards on the top-right corner of the SonicOS management interface.


Configuring a Static IP Address with NAT Enabled

Using NAT to set up your SonicWall eliminates the need for public IP addresses for all computers on your LAN. It is a way to conserve IP addresses available from the pool of IPv4 addresses for the Internet. NAT also allows you to conceal the addressing scheme of your network. If you do not have enough individual IP addresses for all computers on your network, you can use NAT for your network configuration.

Essentially, NAT translates the IP addresses in one network into those for a different network. As a form of packet filtering for firewalls, it protects a network from outside intrusion from hackers by replacing the internal (LAN) IP address on packets passing through a SonicWall with a “fake” one from a fixed pool of addresses. The actual IP addresses of computers on the LAN are hidden from outside view.

This section describes configuring the SonicWall network security appliance in the NAT mode. If you are assigned a single IP address by your ISP, follow the instructions below.

TIP: Be sure to have your network information including your WAN IP address, subnet mask, and DNS settings ready. This information is obtained from your ISP.

Launching the Guides

SonicOS provides easy to use configuration guides to assist with initial policy creation. The first time you log into your SonicWall appliance, the Setup Guide is launched automatically. To launch the SonicWall Configuration Guides any other time, click Wizards on the top-right banner of the SonicOS management interface. The Welcome page displays.

NOTE: The PortShield Guide appears only for TZ series appliances. Other guides require a valid license to display, such as the App Rule Guide, which requires a valid App Control license to display.

From this page, you select one of these Guides:

Using the WXA Setup Guides (Wizards) (this guide is available only for systems with WXA series appliances)

 

Using the Setup Guide (Wizard)

Wizards > Setup Guide

The first time you log into your SonicWall appliance, an initial Setup Wizard is launched automatically. To launch the Setup Wizard at any time from the management interface, click Wizards in the top right corner, and select Setup Wizard.

TIP: You can also configure all your WAN and network settings on the Network > Settings page of the SonicWall Management Interface.

IMPORTANT: The Setup Wizards for the TZ series appliances are different from the Setup Wizards for other series appliances.

TZ Series and SOHO W Appliances Only Guides


Using the Initial TZ/SOHO W Startup Guide

NOTE: This Initial Startup Guide (wizard) appears only when you first activate your TZ series appliance. After you have initially set up your appliance through the Startup Guide, the regular Setup Wizard (Guide) appears when you click Wizards in the upper right corner of the SonicOS management interface.

You can move backwards and forwards through the dialogs by clicking the Back and Next keys respectively. As you complete steps and progress through the Setup Guide, the title of each completed dialog changes color and a checkmark appears.

You can exit the guide at any time by clicking the Exit Guide button. If you exit before completing the configuration, a dialog displays requesting confirmation of exiting without saving any settings:

Click OK to exit the wizard, No to continue the configuration.

To perform an initial set up of your appliance:

1. Log in to your appliance, which comes with factory default settings. An introductory dialog asks how you will configure the appliance.

2. Click the link in To launch the SonicWall Setup Wizard, click here. The Welcome page displays.

3. Click Next. The Credentials page displays.

   IMPORTANT: Each appliance comes with a default username of admin and a default password of password. You cannot change the default username, but it is highly recommended that you change the password.

   If the Old Password field is not dimmed, you need to enter password in it.

4. Enter your password in the New Password field and again in the Confirm Password field. The password can be up to 32 characters.

   TIP: Enter a strong password that is difficult to guess. A strong password should have at least one uppercase letter, one lowercase letter, one number, and one special character. For example, MyP@ssw0rd.

5. Click Next. A Running DHCP detection message displays.

   When the IP configuration of the DHCP server is detected, the Setup Guide populates the IP Configuration page with the IP information and displays the page.

   NOTE: If you have not connected your appliance to a WAN interface, the following message displays.

   Click OK. The IP Configuration – Manual Configuration dialog displays so you can configure the interface manually; see Configuring the WAN Interface Manually.

   TIP: Record the IP configuration for future use.

   Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address that is used by another device on your network.

   NOTE: If you want to customize the WAN settings, click the Manual Config button. The IP Configuration – Manual Configuration dialog displays. For the manual configuration procedure, see Configuring the WAN Interface Manually.

6. Click Next. The IP Configuration page displays.

   You now have internet access and basic settings for your appliance.

7. Click Done. A message displays saying you are being connected to a secure login page before the login page displays.

You can continue configuring your appliance by clicking Wizards in the upper right corner of the SonicOS management interface. A good place to start is the Setup Guide, which is different from the Initial Setup Guide.

Configuring the WAN Interface Manually

If you have not set up a WAN interface or want to customize the settings and clicked Manual Config, the IP Configuration – Manual Configuration page displays.

To manually configure the WAN interface:

1. Optionally, click the Retry button.
2. From the drop-down menu, select the WAN network mode:

   NOTE: The options change, depending on the mode you choose.

   - Static (default) – Use a Static IP address or a range of IP addresses for router-based connections. An IP address is a number that identifies each device on your network. An IP address consists of four numbers, separated by periods, ranging from 0 to 254 in value. Examples of IP addresses are 192.168.168.1, 10.0.0.1, or 216.217.36.130.

     Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address that is used by another device on your network.

     Go to Static WAN Mode.

   - PPPoE – Use PPPoE for ISP client authentication software with DSL connections. Point-to-Point Protocol over Ethernet (PPPoE) is a widely-deployed solution to manage DSL and cable broadband services. PPPoE requires user name and password authentication to connect to the Internet.

     Go to PPPoE WAN Mode.

   - PPTP – Use PPTP for encrypted VPN connections. Point-to-Point Tunneling Protocol (PPTP) is used to tunnel Point to Point Protocol (PPP) through an IP network. PPTP requires Server IP address, user name and password authentication to connect to the Internet.

     Go to PPTP WAN Mode.

Static WAN Mode

1. Enter the WAN IP address in the WAN IP Address field.
2. Enter the WAN subnet mask in the WAN Subnet Mask field.
3. Enter the router address in the Gateway (Router) Address field.
4. Enter the DNS server address in the DNS Server Address field.
5. Optionally, enter a second DNS server address in the DNS Server Address #2 (optional) field.

PPPoE WAN Mode

1. Select how the IP address is obtained:
   - Obtain an IP Address Automatically
   - Use the following IP Address
     If you select this option, the field becomes active; enter the IP Address to be used.
2. Enter the PPPoE user name in the PPPoE User Name field.
3. Enter the PPPoE password in the PPPoE Password field.
4. Optionally, if the user is to be disconnected after a certain period of inactivity, select the Inactivity Disconnect (minutes) checkbox; the field becomes active.
   Enter the number of minutes a user’s session is inactive before being disconnected in the field.

PPTP WAN Mode

1. Enter the PPTP server IP address in the PPTP Server IP Address field.
2. Enter the PPTP user name in the PPTP User Name field.
3. Enter the PPTP password in the PPTP Password field.
4. Select how the IP address is obtained:
   - Obtain an IP Address Automatically – the following fields become dimmed.
   - Use the following IP Address
5. Enter the WAN IP address in the WAN IP Address field.
6. Enter the WAN subnet mask in the WAN Subnet Mask field.
7. Enter the router address in the Gateway (Router) Address field.

Using the TZ Series/SOHO W Setup Guide

NOTE: The TZ Series and SOHO W Setup Guide is not the same as the Initial TZ and SOHO W Setup Guide.

The TZ Series and SOHO W Setup Guide helps you configure the following settings:

- Administrator password and time zone
- Type of modular device
- WAN networking mode and WAN network configuration
- LAN network configuration
- Wireless LAN network configuration (wireless devices)
- LAN DHCP settings

To configure settings with the Setup Guide:

1. Click Wizard on the top-right corner of the SonicOS management interface.

   The Welcome page displays.

   NOTE: Only wireless appliances (TZ W Series and SOHO W) have the Wireless guide.

2. Select the Setup Wizard (default).
3. Click Next. If you have a:
   - Wireless appliance, the Deployment Scenario page displays; see Deployment Scenario.
   - Wired appliance, the Change Administrator Password page displays; see Change Administrator Password.

Deployment Scenario

1. Select one of the following deployment scenarios:

   TIP: Clicking on the names of the scenarios displays a graphic of a typical deployment. For example, clicking on No Wireless displays:

   NOTE: The pages that are displayed for configuration change with the type of deployment you select.

   - No Wireless (default) – The wireless radio is turned off.
   - Office Gateway – Provides secure access for both wired and wireless users.
   - Wireless Client Bridge – Operates in Wireless Client Bridge mode to securely bridge two networks.
   - Secure or Open Access Point – Adds secure wireless access to an existing wired network.
2. Click Next. The Change Administrator Password page displays.

Change Administrator Password

IMPORTANT: Each appliance comes with a default username of admin and a default password of password. You cannot change the default username, but it is highly recommended that you change the password.

1. Enter the old password in the Old Password field.

   NOTE: If you have not changed the original password, password, this field is dimmed.
2. Enter a new password in the New Password and Confirm New Password fields.

   IMPORTANT: Enter a strong password that cannot be easily guessed by others. A strong password should have at least one uppercase letter, one lowercase letter, one number, and one special character. For example, MyP@ssw0rd.
3. Click Next. The Time Zone page displays.
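
A review of a candidate administrator password against the rules stated above, as an added example that is not SonicWall code. The function name, the look-alike substitution table and the definition of "special character" are assumptions of this example; it shows that a password can meet the four-class rule and still be a guessable variant of the factory default.

```python
import re

MAX_LEN = 32                          # upper limit stated in the guide
FACTORY_DEFAULT = "password"          # default admin password stated in the guide
PUBLISHED_SAMPLES = {"MyP@ssw0rd"}    # sample printed in the guide, so publicly known

# Character classes the guide asks for. "Special" here means any
# non-alphanumeric, non-space character (an assumption of this example).
REQUIRED_CLASSES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9\s]",
}

# Undo common look-alike substitutions before comparing with the default
# (hypothetical table, chosen for this example).
LOOKALIKES = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "l", "3": "e",
    "$": "s", "5": "s", "7": "t", "!": "i",
})


def review_admin_password(candidate):
    """Return a list of findings; an empty list means no objection."""
    if not candidate:
        return ["password is empty"]
    findings = []
    if len(candidate) > MAX_LEN:
        findings.append(f"longer than {MAX_LEN} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not re.search(pattern, candidate):
            findings.append(f"missing {name}")
    if candidate in PUBLISHED_SAMPLES:
        findings.append("is the sample password printed in the guide")
    # Lower-case and reverse the substitutions, then look for the default.
    if FACTORY_DEFAULT in candidate.lower().translate(LOOKALIKES):
        findings.append("is a look-alike variant of the factory default")
    return findings


if __name__ == "__main__":
    # Constructed samples: the default, the guide's sample, a random-looking one.
    for pw in ("password", "MyP@ssw0rd", "Tz-7rQ!mv2Lk#9"):
        print(repr(pw), "->", review_admin_password(pw) or "no findings")
```
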

Time Zone

1. Select the appropriate Time Zone from the Time Zone drop-down menu. The SonicWall’s internal clock is set automatically to the correct time for this time zone by a Network Time Server on the Internet.
2. Optionally, select Automatically adjust clock for daylight savings time. This is selected by default.
3. Click Next.
4. If you have a:
   - TZ Series wireless appliance, the Configure 3G/4G page displays. Go to 3G/4G Modem > Configure 3G/4G.
   - TZ Series wired or SOHO W wireless appliance, the page that is displayed depends on the type of deployment you selected:
     - No Wireless, the Configure Modular Device Type page displays. Go to 3G/4G Modem > Configure Modular Device Type.
     - Office Gateway or Secure or Open Access Point, the page that displays depends on your appliance:
       - SOHO W appliance, the Configure Modular Device Type page displays. Go to 3G/4G Modem > Configure Modular Device Type.
       - TZ Series appliance, the Configure 3G/4G page displays. Go to 3G/4G Modem > Configure 3G/4G.
     - Wireless Client Bridge, the LAN Settings page displays. Go to LAN Settings.

3G/4G Modem > Configure Modular Device Type

1. Select a device type from the Device Type drop-down menu:
   - None (default)
   - 3G/4G/Mobile
   - Analog Modem
2. Click Next. The page that displays next depends on your device type selection:
   - None – The WAN Network Mode page displays; go to WAN Mode: WAN Network Mode.
   - 3G/4G/Mobile – The Configure 3G/4G page displays; go to 3G/4G Modem > Configure 3G/4G.
   - Analog Modem – The 3G/4G Modem > Configure Modem page displays; go to 3G/4G Modem > Configure Modem.

3G/4G Modem > Configure 3G/4G

1. Specify how to configure the 3G/4G device:
   - For primary or backup internet connectivity, select Yes – I will use 3G/4G for primary or backup internet connectivity. This is the default.
   - If the device is not used at this time, select No – I will not use 3G/4G at this time.
2. Click Next.
3. If you selected:
   - No – The WAN Network Mode page displays; go to WAN Mode: WAN Network Mode.
   - Yes – The 3G/4G Modem > WAN Failover 3G/4G/Modem Connection page displays. Go to 3G/4G Modem > WAN Failover 3G/4G/Modem Connection (page 1).

3G/4G Modem > WAN Failover 3G/4G/Modem Connection (page 1)

NOTE: You must complete this page to continue configuring your appliance.

NOTE: For TZ Series wireless appliances, this page is titled WAN Failover 3G/4G Connection, but otherwise it is the same.

1. Select your country from the Country drop-down menu.
2. Select your service provider from the Service Provider drop-down menu. Options depend on the Country you selected.
3. Select your plan type from the Plan Type drop-down menu. Options depend on the Service Provider you selected.
4. Click Next. If you have a:
   - TZ wired or SOHO W wireless appliance, the second WAN Failover 3G/4G/Modem Connection page displays with the options populated according to your choices for country, service provider, and plan type.
   - TZ wireless appliance, the WAN Failover 3G/4G Connection page displays; except for the name, this is the same as the WAN Failover 3G/4G/Modem Connection page.

3G/4G Modem > WAN Failover 3G/4G/Modem Connection (page 2)

NOTE: If you selected Other for Country, Plan Type or Service Provider, the second page is not populated with information and you must enter the required information. Go to 3G/4G Modem > WAN Failover 3G/4G/Modem Connection (page 2—Other Country).

1. Verify the displayed information.
2. If any optional settings have not been populated, you can enter them now.
3. Click Next. The WAN Mode dialog displays.

3G/4G Modem > WAN Failover 3G/4G/Modem Connection (page 2—Other Country)

1. If you selected Other for Country, Service Provider, or Plan Type, the second page is not populated with information, and you must provide the required information:
   - Profile Name – Enter a friendly name for the profile in this field; the default is My Connection Profile.
   - Connection Type – Select the connection type from the drop-down menu.
   - Dialed Number – Enter the dialup number the appliance uses to connect to the internet in this field.
   - User Name (optional) – Enter your ISP user name in this field.
   - Password (optional) – Enter your ISP password in this field.
   - Confirm Password (optional) – Reenter your ISP password in this field.
2. Click Next. The WAN Mode page displays.

3G/4G Modem > Configure Modem

1. Specify how to configure the modem:
   - For primary or backup internet connectivity, select Yes – I will use dialup account as primary or backup internet connection. This is the default.
   - If the modem is not used at this time, select No – I will not use the modem at this time.
2. Click Next.
3. If you selected:
   - No – The WAN Mode page displays; go to WAN Mode: WAN Network Mode.
   - Yes – The 3G/4G Modem > WAN Failover Dialup Connection page displays.

3G/4G Modem > WAN Failover Dialup Connection

1. Enter the following settings:

   TIP: If you do not know the phone number, user name, password or other settings, consult your ISP and configure the modem later from the Modem > Settings page.

   - Profile Name – A friendly name for the profile; the default is My Connection Profile.
   - Phone Number – The phone number used for dialup.
   - User Name – Your ISP user name.
   - Password – Your ISP password.
   - Confirm Password – Reenter your ISP password.
   - APN – Your ISP Access Point Name.
2. Click Next. The WAN Network Mode page displays.

WAN Mode: WAN Network Mode

TIP: If you click on the protocol name, a window displays that describes the protocol and why you would use it. For example, if you click on DHCP, a description of DHCP displays:

1. Select the WAN network mode:

   - Router-based Connections – Use a Static IP address or a range of IP addresses. An IP address is a number that identifies each device on your network. An IP address consists of four numbers, separated by periods, ranging from 0 to 254 in value. Examples of IP addresses are 192.168.168.1, 10.0.0.1, or 216.217.36.130. This is the default for TZ Series wired and wireless appliances.

     Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address that is used by another device on your network.

   - Cable/Modem-based Connections – Use DHCP assigned dynamic IP addresses. DHCP stands for Dynamic Host Configuration Protocol. It is used to distribute TCP/IP settings automatically. This is the default for SOHO W wireless appliances.

     SonicWall appliances contain both a DHCP client and a DHCP server. The client is used so that the SonicWall can be configured automatically from the network through its WAN link (for instance, a cable modem network). Your ISP may require you to use the DHCP client to obtain an address from their DHCP server.

   - DSL Connections – Use PPPoE for ISP client authentication software. Point-to-Point Protocol over Ethernet (PPPoE) is a widely-deployed solution to manage DSL and cable broadband services. PPPoE requires user name and password authentication to connect to the Internet.
   - VPN Connections – Use PPTP for encrypted connections. Point-to-Point Tunneling Protocol (PPTP) is used to tunnel Point to Point Protocol (PPP) through an IP network. PPTP requires Server IP address, user name and password authentication to connect to the Internet.
2. Click Next. What displays next depends on your WAN network mode selection.
3. If you selected:
   - Router-based Connections, go to WAN Settings > WAN Network Mode: NAT Enabled.
   - Cable/Modem-based Connections, go to WAN Settings > WAN Network Mode: NAT with DHCP Client.

WAN Settings > WAN Network Mode: NAT Enabled

1. The settings have been populated based on your system. Verify they are correct.

   NOTE: If you are unsure of this information, contact your internet service provider (ISP).

   - SonicWall WAN IP Address – An IP address is a number that identifies each device on your network. An IP address consists of four numbers, separated by periods, ranging from 0 to 254 in value. Examples of IP addresses are 192.168.168.1, 10.0.0.1, or 216.217.36.130.

     Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address used by another device on your network.

   - WAN Subnet Mask – The subnet mask defines which IP addresses are located on your local network and which IP addresses are located on the Internet. For example, if you assign your computer the IP address 192.168.168.200 and the subnet mask 255.255.255.0, then your computer will believe that all 192.168.168.X addresses are on the local network, and all other addresses are located on the Internet.

     The WAN Subnet Mask should be assigned by your ISP. If you do not know your WAN Subnet Mask, use the subnet mask assigned to your computer or contact your ISP.

   - Gateway Router Address – The WAN gateway (router) address is the IP address of the router that bridges your network to the Internet. The WAN router may be attached directly to the SonicWall appliance's WAN port or indirectly through a cable or DSL modem.

     The WAN Gateway (router) address must be in the same subnet as the SonicWall appliance WAN IP address. The WAN gateway (router) address often ends with the numbers .1 or .254. So, if your WAN IP address is 216.0.36.128, then your gateway might be 216.0.36.1 or 216.0.36.254. If you do not know your gateway address, contact your ISP.

   - DNS Server Address – The DNS server address is the IP address of the DNS server.
   - DNS Server Address #2 (optional) – If there is a second DNS server address, enter it in this field.
2. To allow HTTPS, select Allow HTTPS on this WAN Interface. This is selected by default.

   CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. If you enable this setting, ensure you have entered a strong password either on the Password page of this Guide or through the Password Setup wizard.
3. To allow ping, select Allow Ping on this WAN Interface. This is selected by default.
4. Click NEXT. The page that displays next depends on the type of appliance:
   - TZ Series wired appliances, the LAN Settings page displays. Go to LAN Settings.
   - TZ series wireless or SOHO W wireless appliances, the Regulatory Domain Registration page displays. Go to Regulatory Domain Registration.

WAN Settings > WAN Network Mode: NAT with DHCP Client

1. To allow HTTPS, select Allow HTTPS on this WAN Interface. This is selected by default.

   CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. If you enable this setting, ensure you have entered a strong password either on the Password page of this Guide or through the Password Setup wizard.
2. To allow ping, select Allow Ping on this WAN Interface. This is selected by default.
3. Click NEXT. The page that displays next depends on the type of appliance:
   - TZ Series wired appliances, the LAN Settings page displays. Go to LAN Settings.
   - TZ series wireless or SOHO W wireless appliances, the Regulatory Domain Registration page displays. Go to Regulatory Domain Registration.

WAN Settings > WAN Network Mode – NAT with PPPoE Client

1. Choose how to obtain an IP address:
   - Automatically – Select Obtain an IP Address Automatically; this is the default. Go to Step 2.
   - Manually – Select Use the following IP Address. The field becomes active.
     a) Enter the PPPoE IP address in the Use the following IP Address field.
2. Enter your PPPoE user name in the PPPoE User Name field.
3. Enter your PPPoE password in the PPPoE Password field.

   NOTE: The password is case sensitive. Enter a strong password that cannot be easily guessed by others. A strong password should have at least one uppercase letter, one lowercase letter, one number, and one special character. For example, MyP@ssw0rd.
4. Optionally, to disconnect after a period of inactivity, select Inactivity Disconnect (minutes). By default, this is not selected. When this option is selected, the field becomes active.
   Enter the maximum inactivity time, in minutes, before disconnect in the Inactivity Disconnect (minutes) field; the default is 10.
5. To allow HTTPS, select Allow HTTPS on this WAN Interface. This is selected by default.

   CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. If you enable this setting, ensure you have entered a strong password either on the Password page of this Guide or through the Password Setup wizard.
6. To allow ping, select Allow Ping on this WAN Interface. This is selected by default.
7. Click NEXT. The LAN Settings page displays.
8. Click NEXT. The page that displays next depends on the type of appliance:
   - TZ Series wired appliances, the LAN Settings page displays. Go to LAN Settings.
   - TZ series wireless or SOHO W wireless appliances, the Regulatory Domain Registration page displays. Go to Regulatory Domain Registration.

WAN Settings > WAN Network Mode – NAT with PPTP Client

NOTE: You must supply a PPTP server IP address, user name, and password to continue.

1. Enter the IP address of your PPTP server in the PPTP Server IP Address field.

   An IP address is a number that identifies each device on your network. An IP address consists of four numbers, separated by periods, ranging from 0 to 254 in value. Examples of IP addresses are 192.168.168.1, 10.0.0.1, or 216.217.36.130.

   Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address used by another device on your network.

2. Enter your PPTP server user name in the PPTP User Name field.
3. Enter your PPTP server password in the PPTP Password field.
4. Choose how to obtain an IP address:
   - Automatically – Select Obtain an IP Address Automatically; this is the default. Go to Step 8.
   - Manually – Select Use the following IP Address.
5. Enter the appliance’s WAN address in the SonicWall WAN IP Address field.
6. Enter the WAN subnet mask in the WAN Subnet Mask field.

   The subnet mask defines which IP addresses are located on your local network and which IP addresses are located on the Internet. For example, if you assign your computer the IP address 192.168.168.200 and the subnet mask 255.255.255.0, then your computer believes that all 192.168.168.X addresses are on the local network, and all other addresses are located on the Internet.

   The WAN subnet mask is assigned by your ISP. If you do not know your WAN Subnet Mask, use the subnet mask assigned to your computer or contact your ISP.

7. Enter the Gateway (router) address in the Gateway (Router) Address field.
8. To allow HTTPS, select Allow HTTPS on this WAN Interface. This is selected by default.

   CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. If you enable this setting, ensure you have entered a strong password either on the Password page of this Guide or through the Password Setup wizard.
9. To allow ping, select Allow Ping on this WAN Interface. This is selected by default.
10. Click NEXT. The page that displays next depends on the type of appliance:
    - TZ Series wired appliances or TZ Series wireless or SOHO W wireless appliances operating in No Wireless mode, the LAN Settings page displays. Go to LAN Settings.
    - TZ series wireless or SOHO W wireless appliances, the Regulatory Domain Registration page displays. Go to Regulatory Domain Registration.

LAN Settings

The Setup Wizard populates the LAN Settings fields automatically, based on the supplied settings.

1. Verify the LAN IP Address and LAN subnet mask are correct.
   - SonicWall LAN IP Address – The IP address of the SonicWall LAN. Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address that is used by another device on your network.
   - LAN Subnet Mask – The subnet mask defines which IP addresses are located on your local network and which IP addresses are located on the Internet. For example, if you assign your computer the IP address 192.168.168.200 and the subnet mask 255.255.255.0, then your computer believes that all 192.168.168.X addresses are on the local network, and all other addresses are located on the Internet.

     The LAN subnet mask defines the size of your local network. The LAN subnet mask 255.255.255.0 works for most networks.

2. Click Next. The LAN DHCP Settings page displays.

LAN DHCP Settings

1. Select the Enable DHCP Server on LAN checkbox. This is checked by default.

   DHCP (Dynamic Host Configuration Protocol) is used to distribute TCP/IP settings automatically. A DHCP server simplifies network address management and avoids the time-consuming task of configuring each computer's IP settings.

   IMPORTANT: SonicWall appliances contain both a DHCP client and a DHCP server. It is important not to get them confused:
   - The server is used to configure computers which are located on inside interfaces. Its use is optional.
   - By contrast, the client is used so that the SonicWall appliance can be configured automatically from the network through its WAN link (for instance, a cable modem network).
2. The Setup Wizard populates the LAN Address Range fields automatically. Verify the addresses are correct.

   Enter a range of IP addresses for your network devices on the LAN. The address range must be in the same subnet as the SonicWall Web Management address. SonicWall's default gateway address is currently set according to the IP addresses that have been configured.

3. Click Next. The Port Assignment page displays. Go to Ports Assignment.
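
The two subnet rules stated in this guide (the WAN gateway must be in the same subnet as the WAN IP address, and the LAN DHCP range must be in the same subnet as the appliance's LAN address) and the address-uniqueness rule can be checked before the values are typed into the wizard. The following is an added example, not SonicWall code; `check_plan`, the worksheet keys and the DHCP range are assumptions of this example, and the sample addresses are taken from the guide's own illustrations.

```python
import ipaddress


def _assignable(label, addr, net, problems):
    """True if addr is a usable host address inside net; otherwise record why not."""
    if addr not in net:
        problems.append(f"{label} {addr} is outside {net}")
        return False
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        problems.append(f"{label} {addr} is the network or broadcast address of {net}")
        return False
    return True


def check_plan(plan, in_use=()):
    """Check planned wizard values (IPv4, dotted-quad masks); return a list of problems.

    in_use lists addresses already held by other devices on the network.
    """
    problems = []
    try:
        wan = ipaddress.ip_interface(f"{plan['wan_ip']}/{plan['wan_mask']}")
        lan = ipaddress.ip_interface(f"{plan['lan_ip']}/{plan['lan_mask']}")
        gateway = ipaddress.ip_address(plan["gateway"])
        start = ipaddress.ip_address(plan["dhcp_start"])
        end = ipaddress.ip_address(plan["dhcp_end"])
        taken = {ipaddress.ip_address(a) for a in in_use}
    except ValueError as exc:  # malformed address or non-contiguous mask
        return [f"unparseable value: {exc}"]

    # WAN page: the gateway must sit in the same subnet as the WAN IP.
    _assignable("WAN IP", wan.ip, wan.network, problems)
    if _assignable("gateway", gateway, wan.network, problems) and gateway == wan.ip:
        problems.append("gateway is the same address as the appliance WAN IP")

    # LAN DHCP page: the range must sit in the same subnet as the LAN IP.
    _assignable("LAN IP", lan.ip, lan.network, problems)
    range_ok = all([
        _assignable("DHCP range start", start, lan.network, problems),
        _assignable("DHCP range end", end, lan.network, problems),
    ])
    if range_ok and start > end:
        problems.append("DHCP range start is above its end")
        range_ok = False

    # Uniqueness: nothing already in use may collide with the appliance
    # or be handed out again by the DHCP server.
    for label, addr in (("WAN IP", wan.ip), ("LAN IP", lan.ip)):
        if addr in taken:
            problems.append(f"{label} {addr} is already used by another device")
    if range_ok:
        if start <= lan.ip <= end:
            problems.append(f"DHCP range includes the appliance LAN IP {lan.ip}")
        for addr in sorted(a for a in taken if start <= a <= end):
            problems.append(f"DHCP range includes {addr}, which is already in use")
    return problems


# Constructed worksheet; WAN values and the LAN subnet follow the guide's
# illustrations, the DHCP range is made up for this example.
PLAN = {
    "wan_ip": "216.0.36.128", "wan_mask": "255.255.255.0", "gateway": "216.0.36.1",
    "lan_ip": "192.168.168.1", "lan_mask": "255.255.255.0",
    "dhcp_start": "192.168.168.100", "dhcp_end": "192.168.168.220",
}

if __name__ == "__main__":
    print(check_plan(PLAN))
    print(check_plan({**PLAN, "gateway": "216.0.37.1"}))
    # A computer statically set to 192.168.168.200 sits inside the DHCP range.
    print(check_plan(PLAN, in_use=["192.168.168.200"]))
```
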

Regulatory Domain Registration

IMPORTANT: You are responsible for complying with all laws prescribed by the governing regulatory domain and/or locale regarding radio operations.

NOTE: The regulatory domain is generated automatically from the Country Code.

1. Select a country from the Country Code drop-down menu.

   IMPORTANT: For international (non USA or Japan) TZ Series wireless and SOHO W wireless appliances, be sure to select the country code for the country in which the appliance will be deployed, even if you are not in that country. For appliances deployed in the USA and Japan, the regulatory domain and country code are selected automatically and cannot be changed.

   IMPORTANT: If you select the country code for Canada, it cannot be changed except by contacting SonicWall Support.
2. Click Next. An information message about maintaining up-to-date wireless drivers on your client computers displays.

3. Click OK. The WLAN Radio Settings page displays.

WLAN Radio Settings

1. Enter an SSID (Service Set ID) in the SSID field. The SSID serves as the primary identifier for your wireless network. You can specify up to 32 alphanumeric characters; the SSID is case sensitive. The appliance generates a default SSID of sonicwall- plus the last four characters of the BSSID (Broadcast Service Set ID); for example, sonicwall becomes sonicwall-F2DS.
2. Select your preferred radio mode from the Radio Mode drop-down menu. The wireless security appliance supports the modes shown in Radio mode choices.

   NOTE: The available options change depending on the mode selected. If the wireless radio is configured for a mode that:
   - Supports 802.11n (except 5GHz 802.11n/a/ac Mixed), the following options are displayed: Radio Band, Primary Channel, Secondary Channel.
   - Does not support 802.11n, only the Channel option is displayed.
   - Supports 5GHz 802.11n/a/ac Mixed or 5GHz 802.11ac Only, the Radio Band and Channel options are displayed.

   TIP: For optimal throughput speed solely for 802.11n clients, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.

   For optimal throughput speed solely for 802.11ac clients, SonicWall recommends the 802.11ac Only radio mode. Use the 802.11ac/n/a Mixed radio mode for multiple wireless client authentication compatibility.

Radio mode choices

| 2.4GHz | 5GHz | Definition |
|---|---|---|
| 2.4GHz 802.11n Only | 5GHz 802.11n Only | Allows only 802.11n clients access to your wireless network. 802.11a/ac/b/g clients are unable to connect under this restricted radio mode. |
| 2.4GHz 802.11n/g/b Mixed (This is the default.) | 5GHz 802.11n/a Mixed | Supports 802.11a, 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. |
| 2.4GHz 802.11g Only | | If your wireless network consists only of 802.11g clients, you might select this mode for increased 802.11g performance. You might also select this mode if you wish to prevent 802.11b clients from associating. |
| 2.4GHz 802.11g/b Mixed | | If your wireless network consists of both 802.11b and 802.11g clients, you might select this mode for increased performance. |
| | 5GHz 802.11a Only | Select this mode if only 802.11a clients access your wireless network. |
| | 5GHz 802.11n/a/ac Mixed | Supports 802.11a, 802.11ac, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. |
| | 5GHz 802.11ac Only | Select this mode if only 802.11ac clients access your wireless network. |

3
If the mode you selected supports:
802.11a Only, 802.11g Only, or 802.11g/b Mixed, go to Step 4.
5GHz 802.11ac Only and 5GHz 802.11n/a/ac Mixed, go to Step 6.
802.11n Only or 802.11n Mixed (except for 5GHz 802.11n/a/ac Mixed), go to Step 8.
4
Only for 802.11a/g: Select the channel for the radio from the Channel drop-down menu:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Use Auto unless you have a specific reason to use or avoid specific channels.
Specific channel: Select a single channel (see Step ) within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.
* 
NOTE: Available channels depend on the type of radio in the appliance.
 

802.11g/802.11a channels

| 802.11g/802.11a Channels | 802.11a/ac Channels |
|---|---|
| None (1) | None |
| Channel 1 (2412 MHz) (2) | Channel 36 (5180 MHz) (3) |
| Channel 2 (2417 MHz) | Channel 40 (5200 MHz) |
| Channel 3 (2422 MHz) | Channel 44 (5220 MHz) |
| Channel 4 (2427 MHz) | Channel 48 (5240 MHz) |
| Channel 5 (2432 MHz) | Channel 149 (5745 MHz) |
| Channel 6 (2437 MHz) | Channel 153 (5765 MHz) |
| Channel 7 (2442 MHz) | Channel 157 (5785 MHz) |
| Channel 8 (2447 MHz) | Channel 161 (5805 MHz) |
| Channel 9 (2452 MHz) | Channel 165 (5825 MHz) |
| Channel 10 (2457 MHz) | |
| Channel 11 (2462 MHz) | |

(1) Default value for 802.11a and 802.11g on the SOHO W appliances.
(2) Default value for 802.11g on the TZ Series wireless appliances.
(3) Default value for 802.11a and 802.11ac on the TZ Series wireless appliances.

5
Go to Step 11.
6
For 802.11ac, the Radio Band and Channel/Standard Channel options display.

From the Radio Band drop-down menu, select the radio band for the 802.11a or 802.11ac radio:

Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity.
The Channel drop-down menu is set to Auto and cannot be changed.
Standard - 20 MHz Channel - Specifies that the 802.11ac radio uses only the standard 20 MHz channel. This is the default setting.
a)
When this option is selected, from the Channel drop-down menu, select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. For the available channels, see 802.11g/802.11a channels. The default channel is Channel 36 (5180 MHz).
Wide - 40 MHz Channel - Specifies that the 802.11ac radio uses only the wide 40 MHz channel. When this option is selected, the Channel drop-down menu is displayed. See Step a above for selecting a channel.
Wide - 80 MHz Channel - Specifies that the 802.11n radio uses only the wide 80 MHz channel. When this option is selected, the Channel drop-down menu is displayed. See Step a above for selecting a channel.
7
Go to Step 11.
8
For 802.11n only or 802.11n mixed, the Radio Band, Primary Channel, and Secondary Channel settings are displayed:

From the Radio Band drop-down menu, select the band for the 802.11n or 802.11ac radio:

Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
The Primary Channel and Secondary Channel drop-down menus are set to Auto and cannot be changed.
Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel drop-down menus.
Standard Channel - By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. The available channels are the same as for 802.11g in Step 4.
Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are displayed:
Primary Channel - By default, this is set to Channel 36 (5180 MHz). Optionally, you can specify another channel or Auto. The available channels are the same as for 802.11a in Step 4.
Secondary Channel - The configuration of this drop-down menu is set to Auto regardless of the primary channel setting.
9
Optionally, select the Enable Short Guard Interval checkbox to specify a short guard interval of 400ns as opposed to the standard guard interval of 800ns. This setting is not selected by default.
* 
NOTE: This option is not available if 5GHz 802.11g/b Mixed, 5GHz 802.11a Only, or 2.4GHz 802.11g Only mode is selected.

A guard interval is a set amount of time between transmissions that is designed to ensure distinct transmissions do not interfere with one another. The guard interval introduces immunity to propagation delays, echoes, and reflections. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays.

The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. A short guard interval of 400 nanoseconds (ns) will work in most office environments, as distances between points of reflection, as well as between clients, are short. Most reflections will be received quickly. The shorter the guard interval, the more efficient the channel usage, but a shorter guard interval also increases the risk of interference.

Some outdoor deployments may, however, require a longer guard interval. The need for a long guard interval of 800 ns becomes more important as areas become larger, such as in warehouses and in outdoor environments, as reflections and echoes become more likely to continue after the short guard interval would be over.

10
Optionally, to enable 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput, select the Enable Aggregation checkbox.
* 
NOTE: This option is not available if 5GHz 802.11g/b Mixed, 5GHz 802.11a Only, or 2.4GHz 802.11g Only mode is selected.

Data over wireless networks are sent as a stream of packets known as data frames. Frame aggregation takes these packets and combines them into fewer, larger packets, thereby allowing an increase in overall performance. Frame aggregation was added to the 802.11n specification to allow for an additional increase in performance. Frame aggregation is a feature that only 802.11ac and 802.11n clients can take advantage of as legacy systems are not able to understand the new format of the larger packets.

* 
TIP: The Enable Short Guard Interval and Enable aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, and so on), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
11
Click Next. The WLAN Security Settings page displays.
WLAN Security Settings

1
Select a security mode:
WPA/WPA2 Mode – Wi-Fi Protected Access (WPA) mode is the wireless security protocol based on the 802.11i standard. It is the recommended protocol if your wireless clients also support the WPA/WPA2 protocol.
Connectivity (default) – This mode allows unrestrained wireless access to the device.
* 
CAUTION: This mode does not offer encryption or access controls.
2
Click Next. The WLAN VAP (Virtual Access Point) Settings page displays.
WLAN VAP (Virtual Access Point) Settings

1
One SAP SSID is created automatically (see WLAN Radio Settings). To create another VAP, select the Yes, I want to create another virtual access point checkbox. More options display.

2
Enter a name for the VAP in the VAP SSID field.
3
Select a security mode:
WPA/WPA2 Mode – Wi-Fi Protected Access (WPA) mode is the wireless security protocol based on the 802.11i standard. It is the recommended protocol if your wireless clients also support the WPA/WPA2 protocol.
Connectivity (default) – This mode allows unrestrained wireless access to the device.
* 
CAUTION: This mode does not offer encryption or access controls.
4
To specify up to six more VAPs, repeat Step 2 and Step 3.
5
Click Next. The Ports Assignment page displays.
Ports Assignment

1
Select how ports are to be assigned:
Use Current – This setting keeps your current settings. This option is selected by default.
a)
To see the current port settings, mouse over the Information icon. A popup tooltip displays the current port assignments:

Default WAN/LAN Switch – This option displays the port configuration at the bottom of the page:

WAN/OPT/LAN Switch – This option displays the port configuration at the bottom of the page:

WAN/LAN/HA – This option displays the port configuration at the bottom of the page:

WAN/LAN/LAN2 Switch – This option displays the port configuration at the bottom of the page:

2
Click Next. The Summary page displays.
Summary

* 
NOTE: What is displayed on the SonicWall Configuration Summary depends on the settings you entered. If you have configured a TZ Series wireless or SOHO W wireless appliance, but selected No Wireless on the Deployment Scenario page, No Wireless is displayed:

3
Verify the configuration settings are what you want.
4
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the Setup Complete page displays.

Setup Guide Complete

5
If you have not registered your appliance, you can do so now by clicking one of the two links in the sentence, Next, you should click here or visit SonicWall’s Web Site to register your unit. The Setup Wizard closes, and you are redirected to the appropriate location.
6
Click Close.

Using the PortShield Interface Guide

You use the PortShield Interface Guide to select the initial ports assignment in the integrated managed LAN switch of the SonicWall appliance.

To select the ports assignment:
1
Click Wizards in the upper right corner of the SonicWall management interface. The Wizard Welcome page displays.

2
Select the PortShield Interface Guide by either:
Clicking the PortShield Interface Guide radio button.
Selecting it from the Select a guide drop-down menu.
3
Click Next. The Port Assignment page displays.

1
Select how ports are to be assigned:
Use Current – This setting keeps your current settings. This option is selected by default.
a)
To see the current port settings, mouse over the Information icon. A popup tooltip displays the current port assignments:

Basic WAN/LAN Switch – This option displays the port configuration at the bottom of the dialog:

WAN/OPT/LAN Switch – This option displays the port configuration at the bottom of the dialog:

WAN/LAN/HA – This option displays the port configuration at the bottom of the dialog:

WAN/LAN/LAN2 Switch – This option displays the port configuration at the bottom of the dialog:

2
Click Next. The Summary page displays.

3
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the Complete dialog displays.

4
Click Close.

Using the Public Server Guide

The Public Server Guide allows you to quickly configure your SonicWall appliance to provide public access to an internal server.

To configure public access to an internal server:
1
Click Wizards in the upper right corner of the SonicWall management interface. The Wizard Welcome page displays.

2
Select the Public Server Guide by either:
Clicking the Public Server Guide radio button.
Selecting it from the Select a guide drop-down menu.
3
Click Next. The Server Type page displays.

4
Select the server type from the Server Type drop-down menu:
Web Server (default)
FTP Server
Mail Server
Terminal Services Server
Other
5
Select the services to use from the Services options. The choices depend on the server type. You can select more than one service except for FTP Server and Other. By default, all services are selected, except if Other is selected as a Server Type.
 

| Server type | Choices |
|---|---|
| Web Server | HTTP (TCP 80); HTTPS (TCP 443). CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. |
| FTP Server | FTP (TCP 21) |
| Mail Server | SMTP (TCP 25); POP3 (TCP 110); IMAP (TCP 143) |
| Terminal Services Server | Microsoft RDP (TCP 3389); Citrix ICA (TCP 1494) |
| Other | Select a service from the Services drop-down menu. |

6
Click Next. The Private Network page displays.

7
Enter a friendly name in the Server Name field.
8
Enter the server’s IP address in the Server Private IP Address field. Specify an IP address in the range of addresses assigned to the zone where you want to put this server. The Public Server Wizard assigns the server automatically to the zone in which its IP address belongs.
* 
NOTE: If you enter an IP address that matches an existing Network Object, that object is renamed with the Server Name you specify here.
9
Optionally, enter a comment to further identify the public server in the Server Comment field.
10
Click Next. The Server Public Information page displays.

11
Specify the server's public (external) IP address in the Server Public IP Address field. The default value is that of your SonicWall appliance's WAN public IP address.
* 
IMPORTANT: You should change the public IP address of this server only if it is accessed over the Internet by a different address.

If you enter a different IP, the Public Server Wizard will create an address object for that IP address and bind the address object to the WAN zone.

If you are uncertain of this address, you are encouraged to leave it at the default.

12
Click Next. The Summary page displays.

13
The Summary page displays a summary of the configuration you selected in the wizard. Verify the settings.
Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the DMZ, the wizard binds the address object to the DMZ zone. It names the object with the server name you specified plus _private. If you specify an IP address in the range of another zone, the wizard binds the address object to that zone. If you specify an IP address outside the range of any zone you have configured, the wizard binds the address object to the LAN zone.

Because the server in the example used the default WAN IP address for the Server Public IP Address, the wizard states that it will use the existing WAN address object when constructing policies between the new server and the WAN. If you specify another address, the wizard will create an object for that address bound to the WAN zone and name the new address object with the server name you specified plus _public.

Server Service Group Object - The wizard creates a service group object for the services used by the new server. Because the server in the example is a Web server, the service group includes HTTP and HTTPS. This way, you have a convenient group to refer to when creating or editing access policies for this server.
Server NAT Policies - The wizard creates a NAT policy to translate the destination addresses of all incoming packets with one of the services in the new service group and addressed to the WAN address to the address of the new server. Therefore, in this example, if a packet with service type of HTTPS comes in addressed to the WAN interface (10.0.93.43), the NAT policy will translate its address to 172.22.2.44.
The wizard also creates a Loopback NAT policy to translate HTTP and HTTPS traffic from inside your network addressed to the WAN IP address back to the address of the mail server.
Server Access Rules - The wizard creates an access policy allowing all mail service traffic from the WAN zone to the DMZ.
14
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the Public Server Wizard Complete page displays.

* 
TIP: The new IP address used to access the new server, internally and externally, is displayed in the URL field of the Congratulations window.
15
Click Close.
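
Added example (not SonicWall code): a small Python model of what the Summary page describes, so you can predict the zone binding, object names, NAT policies, and access rule before clicking Apply, and list the exposure points to review. The zone subnets, the service group name, and the function names are assumptions made for this illustration; the 172.22.2.44 and 10.0.93.43 addresses are the ones used in the guide's example.

```python
import ipaddress

# Constructed zone subnets. From the page: the example server 172.22.2.44 is in
# the DMZ range, the WAN IP is 10.0.93.43, and the WLAN default is
# 172.16.31.1/255.255.255.0. The LAN subnet here is an assumption.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.168.0/24"),
    "DMZ": ipaddress.ip_network("172.22.2.0/24"),
    "WLAN": ipaddress.ip_network("172.16.31.0/24"),
}
WAN_IP = "10.0.93.43"

# Server types and services as listed in the guide's Server type table.
SERVICES = {
    "Web Server": {"HTTP": 80, "HTTPS": 443},
    "FTP Server": {"FTP": 21},
    "Mail Server": {"SMTP": 25, "POP3": 110, "IMAP": 143},
    "Terminal Services Server": {"Microsoft RDP": 3389, "Citrix ICA": 1494},
}
CLEARTEXT = {"HTTP", "FTP", "POP3", "IMAP"}        # unencrypted by default on these ports
REMOTE_DESKTOP = {"Microsoft RDP", "Citrix ICA"}   # interactive logon surfaces


def zone_for(private_ip):
    """Return (zone, matched): the zone whose range holds the IP, else the LAN fallback."""
    addr = ipaddress.ip_address(private_ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone, True
    return "LAN", False


def plan_public_server(name, server_type, private_ip, public_ip=WAN_IP, services=None):
    """Predict the objects and policies the Summary page describes."""
    offered = SERVICES[server_type]
    chosen = {svc: offered[svc] for svc in (services or offered)}
    zone, matched = zone_for(private_ip)
    objects = [{"name": f"{name}_private", "ip": private_ip, "zone": zone}]
    if public_ip != WAN_IP:
        # A non-default public address gets its own object, bound to WAN.
        objects.append({"name": f"{name}_public", "ip": public_ip, "zone": "WAN"})
    nat = {"original_destination": public_ip, "translated_destination": private_ip,
           "ports": sorted(chosen.values())}
    return {
        "zone": zone,
        "zone_matched": matched,
        "address_objects": objects,
        # The guide does not give the group's name; this one is hypothetical.
        "service_group": {"name": f"{name} Services", "members": sorted(chosen)},
        "nat_inbound": dict(nat, origin="WAN"),
        "nat_loopback": dict(nat, origin="internal"),
        "access_rule": {"from_zone": "WAN", "to_zone": zone, "action": "allow",
                        "services": sorted(chosen)},
    }


def review(plan):
    """List exposure points to check before clicking Apply."""
    findings = []
    if not plan["zone_matched"]:
        findings.append("private IP matches no zone: object falls back to LAN")
    if plan["access_rule"]["to_zone"] == "LAN":
        findings.append("rule allows WAN to LAN: place public servers in a DMZ range")
    members = set(plan["service_group"]["members"])
    findings += [f"{svc} is cleartext by default" for svc in sorted(members & CLEARTEXT)]
    findings += [f"{svc} open to the whole WAN zone: restrict sources or use the VPN"
                 for svc in sorted(members & REMOTE_DESKTOP)]
    return findings


if __name__ == "__main__":
    example = plan_public_server("web01", "Web Server", "172.22.2.44")
    for obj in example["address_objects"]:
        print(obj)
    print(example["nat_inbound"])
    print(review(example))
```

A mistyped private IP address is the case to watch: it matches no zone, so the address object and the WAN allow rule land on the LAN zone.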

Using the VPN Guide

The VPN Guide steps you through creating a new site-to-site VPN Policy or configuring the WAN GroupVPN to accept connections from the Global VPN Client.

To create a new VPN policy or configure a WAN GroupVPN:
1
Click Wizards in the upper right corner of the SonicWall management interface. The Wizard Welcome page displays.

2
Select the VPN Guide by either:
Clicking the VPN Guide radio button.
Selecting it from the Select a guide drop-down menu.
3
Click Next. The Policy Type page displays.

4
Select the type of VPN policy to configure:
Site-to-Site – Configure a site-to-site VPN connection to another SonicWall device. This is the default selection.
WAN GroupVPN – Configure a WAN GroupVPN to accept incoming VPN connections from Global VPN Client.
5
Click Next. The dialog that displays depends on your choice of VPN policy type:
Site-to-Site – The Site-to-Site dialog displays. Go to Site-to-Site.
WAN GroupVPN – The IKE Key Method dialog displays. Go to IKE Key Method.
Site-to-Site

1
In the Policy Name field, enter a unique, friendly name to assign to this site-to-site VPN Policy.
2
In the Preshared Key field, enter the preshared key to use for the tunnel. The VPN Guide generates a default key.
3
Optionally, if you know the remote peer IP address or fully-qualified domain name (FQDN), select the I know my Remote Peer IP Address (or FQDN) checkbox.
a
Enter the address or FQDN in the Remote Peer IP Address (or FQDN) field.
4
Click Next. The Network Selection page displays.

* 
TIP: If you have not already created the network objects for each side of the VPN tunnel, you can select the Create new Address Object…/Create new Address Group… options in the Local Networks and Destination Networks drop-down menus to create new objects.

If you need to access more than one IP subnet on each side of the VPN tunnel, create a group of subnet objects and specify the group as the local/destination networks.

5
From the Local Networks drop-down menu, select the local networks to be accessible through this site-to-site VPN tunnel. The default is Firewalled Subnets.
6
From the Destination Networks drop-down menu, select the destination networks.
7
Click Next. The Security Settings page displays.

8
Select the security settings to use for IKE Phase 1 and IPSEC Phase 2:
* 
TIP: If you require more specific security settings, you can adjust the new site-to-site VPN policy after this wizard finishes.
DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. The VPN uses the DH group during IKE negotiation to create the key pair. You can choose:
Group 1
Group 2 (default)
Group 5
Group 14
256-bit Random ECP Group
384-bit Random ECP Group
521-bit Random ECP Group
192-bit Random ECP Group
224-bit Random ECP Group
Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. The VPN uses this for all data through the tunnel.

You can choose: DES, 3DES (default), AES-128, AES-256, or AES-192.

* 
IMPORTANT: The SonicWall Global VPN Client version 1.x is not capable of AES encryption, so if you chose this method, only SonicWall Global VPN Client versions 2.x and higher will be able to connect.
Authentication: This is the hashing method used to authenticate the key once it is exchanged during IKE negotiation. You can choose MD5, SHA-1 (default), SHA-256, SHA-384, or SHA-512.
Life Time (seconds): This is the length of time the VPN tunnel stays open before needing to re-authenticate. The default is eight hours (28800).
9
Click Next. The Site-to-Site VPN Policy Configuration Summary page displays.

10
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the VPN Wizard Complete page displays.

11
Click Close.
IKE Key Method

1
Select a key method:
Use default key (selected by default)
Use this preshared key
* 
NOTE: If you choose the latter, all Global VPN Clients are prompted for this key when connecting to the WAN GroupVPN.
a)
Enter a preshared key in the Use this preshared key field. A default value is given.
2
Click Next. The Security Settings page displays.

3
Select the security settings to use for IKE Phase 1 and IPSEC Phase 2:
* 
TIP: If you require more specific security settings, you can adjust the new site-to-site VPN policy after this wizard finishes.
DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. The VPN uses the DH group during IKE negotiation to create the key pair. You can choose:
Group 1
Group 2 (default)
Group 5
Group 14
256-bit Random ECP Group
384-bit Random ECP Group
521-bit Random ECP Group
192-bit Random ECP Group
224-bit Random ECP Group
Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. The VPN uses this for all data through the tunnel.

You can choose: DES, 3DES (default), AES-128, AES-256, or AES-192.

* 
IMPORTANT: The SonicWall Global VPN Client version 1.x is not capable of AES encryption, so if you chose this method, only SonicWall Global VPN Client versions 2.x and higher are able to connect.
Authentication: This is the hashing method used to authenticate the key once it is exchanged during IKE negotiation. You can choose MD5, SHA-1 (default), SHA-256, SHA-384, or SHA-512.
Life Time (seconds): This is the length of time the VPN tunnel stays open before needing to re-authenticate. The default is eight hours (28800).
4
Click Next. The User Authentication page displays.

5
Specify whether user authentication for all incoming VPN connections from Global VPN Clients is enabled or disabled:
To enable user authentication:
a)
Select the Enable User Authentication checkbox. This is selected by default.

The user must enter a valid username and password before connecting to the SonicWall appliance. Users are authenticated against the internal user database User Group object members specified in the Authenticate User Group Object drop-down menu.

b)
Select the user group to authenticate from the Authenticate User Group Object drop-down menu. The default is Trusted Users.
To disable user authentication and allow unauthenticated VPN Clients access:
a)
Unselect the Enable User Authentication checkbox, which is selected by default.
b)
Select the address group or address object allowed access from the Allow Unauthenticated VPN Client Access drop-down menu. The default is Firewalled Subnets.
6
Click Next. The Virtual IP Adapter page displays.

7
Configure the virtual IP adapter by clicking the Use Virtual IP Adapter checkbox. This setting is not selected by default.

The Global VPN Client has an optional virtual adapter that can obtain a special IP Address when it connects to the SonicWall, thereby allowing it to appear to be on the internal X0 interface network when communicating with internal devices. The virtual IP address can be obtained from the internal DHCP server of the SonicWall appliance or from an existing DHCP server located on the SonicWall appliance’s X0 interface.

* 
NOTE: If the virtual adapter is enabled, the internal DHCP server is used with the existing range on interface X0.
8
Click Next. The WAN GroupVPN Configuration Summary page displays.

9
Verify the settings.
10
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the VPN Wizard Complete page displays.

11
Click Close.
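
Added example (not SonicWall code): a Python check of the Security Settings choices offered in both the Site-to-Site and WAN GroupVPN paths of the VPN Guide, showing where the wizard defaults (Group 2, 3DES, SHA-1, 28800 seconds) land and how the lifetime interacts with a 64-bit block cipher. The strength figures follow the NIST SP 800-57 comparable-strength table, with estimates where noted; the 112-bit floor, the function names, and the assumption that one key protects traffic for the whole lifetime are choices made for this illustration.

```python
# Approximate security strength in bits for each DH Group choice in the wizard.
# MODP sizes are from RFC 2409 / RFC 3526; strengths follow the NIST SP 800-57
# comparable-strength table, with estimates where the table has no row.
DH_BITS = {
    "Group 1": 64,     # 768-bit MODP (estimate: below the 80-bit row)
    "Group 2": 80,     # 1024-bit MODP (wizard default)
    "Group 5": 90,     # 1536-bit MODP (estimate: between the 80 and 112 rows)
    "Group 14": 112,   # 2048-bit MODP
    "192-bit Random ECP Group": 80,
    "224-bit Random ECP Group": 112,
    "256-bit Random ECP Group": 128,
    "384-bit Random ECP Group": 192,
    "521-bit Random ECP Group": 256,
}
# Encryption choice -> (key strength in bits, block size in bits).
ENC = {
    "DES": (56, 64),
    "3DES": (112, 64),
    "AES-128": (128, 128),
    "AES-192": (192, 128),
    "AES-256": (256, 128),
}
LEGACY_HASHES = {"MD5", "SHA-1"}
AUTH_CHOICES = LEGACY_HASHES | {"SHA-256", "SHA-384", "SHA-512"}

# The defaults stated in the guide.
WIZARD_DEFAULTS = {"dh": "Group 2", "enc": "3DES", "auth": "SHA-1", "lifetime": 28800}


def rekey_limit_mbps(lifetime_s, block_bits=64):
    """Sustained rate (Mbit/s) at which one key would encrypt 2^(n/2) blocks
    within the lifetime, the birthday bound for an n-bit block cipher.
    Assumes a single key covers the whole lifetime."""
    total_bits = (2 ** (block_bits // 2)) * block_bits
    return total_bits / lifetime_s / 1e6


def audit(proposal, floor_bits=112, sustained_mbps=None):
    """Return the weakest-link strength and findings for one set of wizard choices."""
    if proposal["auth"] not in AUTH_CHOICES:
        raise ValueError(f"unknown authentication choice: {proposal['auth']}")
    dh_bits = DH_BITS[proposal["dh"]]
    enc_bits, block_bits = ENC[proposal["enc"]]
    findings = []
    if dh_bits < floor_bits:
        findings.append(f"dh-below-floor: {proposal['dh']} (~{dh_bits} bits)")
    if enc_bits < floor_bits:
        findings.append(f"enc-below-floor: {proposal['enc']} ({enc_bits} bits)")
    if proposal["auth"] in LEGACY_HASHES:
        findings.append(f"legacy-hash: {proposal['auth']}")
    if block_bits == 64 and sustained_mbps is not None:
        limit = rekey_limit_mbps(proposal["lifetime"], block_bits)
        if sustained_mbps >= limit:
            findings.append(
                f"64-bit-block-volume: {sustained_mbps} Mbit/s for "
                f"{proposal['lifetime']} s exceeds {limit:.2f} Mbit/s; "
                "shorten the lifetime or use AES"
            )
    # The key exchange and the cipher bound the tunnel together: take the minimum.
    return {"effective_bits": min(dh_bits, enc_bits), "findings": findings}


if __name__ == "__main__":
    print(audit(WIZARD_DEFAULTS, sustained_mbps=10))
    hardened = {"dh": "Group 14", "enc": "AES-256", "auth": "SHA-256", "lifetime": 28800}
    print(audit(hardened))
```

With the defaults, the 1024-bit DH group caps the tunnel at roughly 80 bits regardless of the cipher, which is why the DH group is the first setting to raise.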

Using the Wireless Guide

The Wireless Guide steps you through configuring the network settings and security features of the WLAN radio interface.

To configure network settings and security features:
1
Click Wizards in the upper right corner of the SonicWall management interface. The Wizard Welcome page displays.

2
Select the Wireless Guide by either:
Clicking the Wireless Guide radio button.
Selecting it from the Select a guide drop-down menu.
3
Click Next. The Regulatory Domain Registration page displays.
Regulatory Domain Registration

* 
IMPORTANT: You are responsible for complying with all laws prescribed by the governing regulatory domain and/or locale regarding radio operations.
* 
NOTE: The regulatory domain is generated automatically from the Country Code.
1
Select a country from the Country Code drop-down menu.
* 
IMPORTANT: For international (non USA or Japan) TZ Series wireless and SOHO W wireless appliances, be sure to select the country code for the country in which the appliance will be deployed, even if you are not in that country. For appliances deployed in the USA and Japan, the regulatory domain and country code are selected automatically and cannot be changed.
* 
IMPORTANT: If you select the country code for Canada, it cannot be changed except by contacting SonicWall Support.
2
Click Next. An information message about maintaining up-to-date wireless drivers on your client computers displays.

3
Click OK. The Wireless LAN Settings page displays.
Wireless LAN Settings

1
Select the type of IP assignment from the IP Assignment drop-down menu:
Static (default)
Layer 2 Bridged Mode
2
If you chose:
Static:
a)
Enter a WLAN IP address in the WLAN IP Address field. The default is 172.16.31.1.
b)
Enter a WLAN subnet mask in the WLAN Subnet Mask field. The default is 255.255.255.0.
Layer 2 Bridged Mode, a message displays the zone of the interface bridge and the options change:

a)
Click OK on the message.
b)
Select a bridged-to interface from the Bridged to drop-down menu.
3
Click Next. A message regarding keeping the wireless drivers on client computers up to date displays.
4
Click OK. The WLAN Radio Settings page displays.
WLAN Radio Settings

1
Enter an SSID (Service Set ID) in the SSID field. The SSID serves as the primary identifier for your wireless network. You can specify up to 32 alphanumeric characters; the SSID is case sensitive. The appliance generates a default SSID of sonicwall- plus the last four characters of the BSSID (Broadcast Service Set ID); for example, sonicwall- becomes sonicwall-F2DS.
2
Select your preferred radio mode from the Radio Mode drop-down menu. The wireless security appliance supports the modes shown in Radio mode choices in WLAN Radio Settings.
* 
NOTE: The available options change depending on the mode selected. If the wireless radio is configured for a mode that:
Supports 802.11n (except 5GHz 802.11n/a/ac Mixed), the following options are displayed: Radio Band, Primary Channel, Secondary Channel.
Does not support 802.11n, only the Channel option is displayed.
Supports 5GHz 802.11n/a/ac Mixed or 5GHz 802.11ac Only, the Radio Band and Channel options are displayed.
* 
TIP: For optimal throughput speed solely for 802.11n clients, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.

For optimal throughput speed solely for 802.11ac clients, SonicWall recommends the 802.11ac Only radio mode. Use the 802.11ac/n/a Mixed radio mode for multiple wireless client authentication compatibility.

3
If the mode you selected supports:
802.11a Only, 802.11g Only, or 802.11g/b Mixed, go to Step 4.
5GHz 802.11ac Only and 5GHz 802.11n/a/ac Mixed, go to Step 6.
802.11n Only or 802.11n Mixed (except for 5GHz 802.11n/a/ac Mixed), go to Step 8.
4
Only for 802.11a/g: Select the channel for the radio from the Channel drop-down menu:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Use Auto unless you have a specific reason to use or avoid specific channels.
Specific channel: Select a single channel (see 802.11g/802.11a channels in WLAN Radio Settings) within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.
* 
NOTE: Available channels depend on the type of radio in the appliance.
5
Go to Step 11.
6
For 802.11ac, the Radio Band and Channel/Standard Channel options display.

From the Radio Band drop-down menu, select the radio band for the 802.11a or 802.11ac radio:

Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity.
The Channel drop-down menu is set to Auto and cannot be changed.
Standard - 20 MHz Channel - Specifies that the 802.11ac radio uses only the standard 20 MHz channel. This is the default setting.
a)
When this option is selected, from the Channel drop-down menu, select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. For the available channels, see 802.11g/802.11a channels in WLAN Radio Settings. The default channel is Channel 36 (5180 MHz).
Wide - 40 MHz Channel - Specifies that the 802.11ac radio uses only the wide 40 MHz channel. When this option is selected, the Channel drop-down menu is displayed. See Step a above for selecting a channel.
Wide - 80 MHz Channel - Specifies that the 802.11n radio uses only the wide 80 MHz channel. When this option is selected, the Channel drop-down menu is displayed. See Step a above for selecting a channel.
7
Go to Step 11.
8
For 802.11n only or 802.11n mixed, the Radio Band, Primary Channel, and Secondary Channel settings are displayed:

From the Radio Band drop-down menu, select the band for the 802.11n or 802.11ac radio:

Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
The Primary Channel and Secondary Channel drop-down menus are set to Auto and cannot be changed.
Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel drop-down menus.
Standard Channel - By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. The available channels are the same as for 802.11g in Step 4.
Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are displayed:
Primary Channel - By default, this is set to Channel 36 (5180 MHz). Optionally, you can specify another channel or Auto. The available channels are the same as for 802.11a in Step 4.
Secondary Channel - The configuration of this drop-down menu is set to Auto regardless of the primary channel setting.
9
Optionally, select the Enable Short Guard Interval checkbox to specify a short guard interval of 400ns as opposed to the standard guard interval of 800ns. This setting is selected by default. For information about the guard interval, see WLAN Radio Settings.
* 
NOTE: This option is not available if 5GHz 802.11g/b Mixed, 5GHz 802.11a Only, or 2.4GHz 802.11g Only mode is selected.
10
Optionally, to enable 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput, select the Enable Aggregation checkbox. This setting is selected by default. For information about aggregation, see WLAN Radio Settings.
* 
NOTE: This option is not available if 5GHz 802.11g/b Mixed, 5GHz 802.11a Only, or 2.4GHz 802.11g Only mode is selected.
* 
TIP: The Enable Short Guard Interval and Enable aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, and so on), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
11
Click Next. The WLAN Security Settings page displays.
WLAN Security Settings

1
Select a security mode:
WPA/WPA2 Mode – Wi-Fi Protected Access (WPA) mode is the wireless security protocol based on the 802.11i standard. It is the recommended protocol if your wireless clients also support WPA/WPA2.
Connectivity (default) – This mode allows unrestrained wireless access to the device.
* 
CAUTION: This mode does not offer encryption or access controls.
2
Click Next. The page that displays depends on the security mode you selected.
3
If you selected:
WPA/WPA2 Mode, the WPA Mode Settings page displays. Go to WPA Mode Settings.
Connectivity, the WLAN VAP (Virtual Access Point) Settings page displays. Go to WLAN VAP (Virtual Access Point) Settings.
WPA Mode Settings

* 
NOTE: For a description of the various authentication types, cipher types, and shared keys, see WPA-PSK / WPA2-PSK Encryption Settings, WPA-EAP / WPA2-EAP Encryption Settings, Virtual Access Point Profile Settings, and About Authentication.
1
From the Authentication Type drop-down menu, select the encryption mode. The options that display depend on the mode you select.
2
From the Cipher Type drop-down menu, select:
AES (default)
TKIP
Auto
3
From the Group Key Update drop-down menu, select either:
By Timeout (default)
Disabled; the Interval field does not display.
4
In the Interval (seconds) field, enter the time until timeout. The default is 86400.
5
If you selected:
PSK mode, go to Step 6.
EAP mode, go to Step 9.
6
In the Passphrase field, enter the passphrase from which the key is generated.
7
Click Next. The WLAN VAP (Virtual Access Point) Settings page displays.
9
The Passphrase field is replaced by the Extensible Authentication Protocol Settings (EAP) fields.

10
In the Radius Server 1 IP and Port fields, enter the IP address and port number for your primary RADIUS server.
11
In the Radius Server 1 Secret field, enter the password for access to Radius Server
12
Optionally, in the Radius Server 2 IP and Port fields, enter the IP address and port number for your secondary RADIUS server, if you have one.
13
Optionally, in the Radius Server 2 Secret field, enter the password for access to Radius Server
14
Click Next. If you selected an EAP mode, a message about updating the firewall access rule is displayed.

15
Click OK. The WLAN VAP (Virtual Access Point) Settings page displays.
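
The Passphrase field in Step 6 feeds the standard WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output. The following Python is an added example, not SonicOS code, that pre-checks a passphrase before it is typed into the guide and shows the key that results; the function names, the MIN_BITS threshold, and the sample SSIDs are assumptions.

```python
"""WPA/WPA2-PSK passphrase pre-check and key derivation (added illustration)."""
import hashlib
import math
import string

PSK_ITERATIONS = 4096  # fixed by the WPA/WPA2-PSK derivation
PSK_BYTES = 32         # 256-bit key
MIN_BITS = 60          # assumption: local policy threshold, not a SonicOS value


def hard_errors(passphrase, ssid):
    """Return the rule violations that make the pair unusable for WPA-PSK."""
    errors = []
    if not 8 <= len(passphrase) <= 63:
        errors.append("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        errors.append("passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        errors.append("SSID must be 1 to 32 bytes")
    return errors


def estimated_bits(passphrase):
    """Naive upper bound on guessing entropy, from the character classes used.

    Dictionary words score far lower in practice, so treat this as a ceiling.
    """
    pool = 0
    if any(ch in string.ascii_lowercase for ch in passphrase):
        pool += 26
    if any(ch in string.ascii_uppercase for ch in passphrase):
        pool += 26
    if any(ch in string.digits for ch in passphrase):
        pool += 10
    if any(ch in string.punctuation or ch == " " for ch in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def derive_psk(passphrase, ssid):
    """Derive the 256-bit key exactly as a WPA/WPA2-PSK client and AP do."""
    errors = hard_errors(passphrase, ssid)
    if errors:
        raise ValueError("; ".join(errors))
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PSK_ITERATIONS, PSK_BYTES,
    )


def review(passphrase, ssid):
    """Summarise whether a passphrase is acceptable and what key it yields."""
    errors = hard_errors(passphrase, ssid)
    bits = estimated_bits(passphrase)
    return {
        "errors": errors,
        "estimated_bits": round(bits, 1),
        "weak": bits < MIN_BITS,
        "psk_hex": None if errors else derive_psk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    # Constructed samples: the SSID is the salt, so the same passphrase
    # produces a different key on every SSID.
    for ssid in ("IEEE", "Branch-WLAN"):
        print(ssid, review("password", ssid))
    print(review("short", "IEEE"))
```

Because the SSID is the only salt, a short or dictionary passphrase on a common SSID offers little protection; the passphrase length and randomness carry the security of PSK mode.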
WLAN VAP (Virtual Access Point) Settings

1
If you:
Do not want to create a WLAN VAP, go to Step 2.
2
Click Next. The Wireless Configuration Summary page displays.
WLAN VAP (Virtual Access Point) Settings — Create VAP

1
One SAP SSID is created automatically; more may have been added during setup. You can create up to six VAPs. To create another VAP, select the Yes, I want to create another virtual access point checkbox. More options display.

2
Enter a name for the VAP in the VAP SSID field.
3
Select a security mode:
WPA/WPA2 Mode – Wi-Fi Protected Access (WPA) mode is the wireless security protocol based on the 802.11i standard. It is the recommended protocol if your wireless clients also support WPA/WPA2.
Connectivity (default) – This mode allows unrestrained wireless access to the device.
* 
CAUTION: This mode does not offer encryption or access controls.
4
To specify more VAPs, repeat Step 2 and Step 3.
5
Click Next. The WLAN VAP (Virtual Access Point) Settings > WLAN Subnet and Zone page displays.
WLAN VAP (Virtual Access Point) Settings > WLAN Subnet and Zone

1
Enter a unique VLAN tag in the WLAN VLAN TAG field. The tag should be one number from 1 to 4094.
2
Enter a unique IP address in the WLAN IP address field.
3
Enter the WLAN subnet mask in the WLAN Subnet Mask field.
4
Select a zone from the WLAN Zone drop-down menu. The default is WLAN.
5
Optionally, create a new zone:
a
Click the Create a new zone drop-down menu.
b
Enter the name of the new zone in the Create a new zone field.

This new zone is used instead of any zone specified from the WLAN Zone drop-down menu.

6
Click Next. The WLAN VAP (Virtual Access Point) Settings page displays again.
7
To:
Create another WLAN VAP, see WLAN VAP (Virtual Access Point) Settings.
Continue without creating a WLAN VAP, click Next. The Wireless Configuration Summary page displays.
Wireless Configuration Summary

1
Verify the settings are correct.
a
To correct any setting, click Back until you reach the appropriate page.
b
Make the changes.
c
Click Next until you reach the Wireless Configuration Summary page.
2
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the Wireless Wizard Complete page displays.

3
Click Finish.

Using the App Rule Guide

The App Rule Guide steps you through configuring the security features for App Rule.

To configure App Rule security features:
1
Click Wizards in the upper right corner of the SonicWall management interface. The Wizard Welcome page displays.

2
Select the App Rule Guide by either:
Clicking the App Rule Guide radio button.
Selecting it from the Select a guide drop-down menu.
3
Click Next. The App Rule Wizard Introduction page displays, which describes the purpose of the App Rule Guide.

4
Click Next. The Rule Creation page displays.

5
Select the type of network application to configure:
I would like to apply a policy to SMTP e-mail (default)
I would like to apply a policy to incoming POP3 e-mail
I would like to apply a policy to Web Access
I would like to apply a policy to an FTP file transfer
6
Click Next. The dialog that displays depends on your choice of policy type:
Rule Creation — Select SMTP Rules for App Rule

1
Select an SMTP rule that determines where to look in an email:
Look for content found in the e-mail subject (default)
Look for content found in e-mail body
Look for content found in e-mail attachment
Specify maximum e-mail size allowed
Look for specific attachment extensions
Look for specific attachment names
Look for all attachment extensions, except the ones specified
Look for all attachment names, except the ones specified
2
Click Next. The page that displays depends on the SMTP rule you selected:
If you selected Specify maximum e-mail size allowed, the Rule Creation — SMTP > App Rule Object E-mail Size page displays; go to Rule Creation — SMTP > App Rule Object E-mail Size.
All other SMTP rules, the Rule Creation — App Rule Object Keyword and Policy Direction page displays; go to Rule Creation — SMTP > App Rule Object Keyword and Policy Direction.
Rule Creation — SMTP > App Rule Object E-mail Size

1
Select the email direction from the Direction drop-down menu:
Incoming (default)
Outgoing
Both
2
Enter the maximum size for emails, in bytes, in the Maximum E-mail Size (Bytes) field. The default is 0.
3
Click Next. The Rule Creation — App Rule Action Type dialog displays; go to Rule Creation — App Rule Action Type.
Rule Creation — SMTP > App Rule Object Keyword and Policy Direction

1
Select the email direction from the Direction drop-down menu:
Incoming (default)
Outgoing
Both
2
Enter the content to match in the Content field. Each entry must be on a separate line; multiple entries on one line are considered a single entry.
* 
NOTE: You must enter at least one value.
3
To enter the content into the List table, click the Add button.

To modify an entry in the List table:

a
Select the entry in the List table. The entry is displayed in the Content field.
b
Change the entry in the Content field.
c
Click the Update button.

To delete all entries in the List table, click the Remove All button.

To delete an entry in the List table:

a
Select the entry.
b
Click the Remove button.
4
Repeat Step 2 through Step 3 for each entry.
* 
TIP: To import content from a predefined text file containing multiple entries (each entry on its own line) for an application object to match, click the Load From File button. The Upload Object Values dialog displays.

1
Click the Browse button to locate the desired file.
2
Select the file.
3
Click the Upload button.
5
Click Next. The Rule Creation — App Rule Action Type dialog displays.
Rule Creation — App Rule Action Type

1
Select the type of action the App Rule is to enforce:
Blocking Action - block and send custom e-mail reply (default)
Blocking Action - block without sending e-mail reply
Add E-mail Banner (append text at the end of email)
Log Only
Bypass DPI
2
Click Next. The dialog that displays depends on the type of action selected:
For Blocking Action - block and send custom e-mail reply and Add E-mail Banner action types, the Rule Creation — App Rule Action Settings page displays; go to Rule Creation — App Rule Action Settings.
For all other action types, the Rule Creation — Select name for App Rule Policy page displays; go to Rule Creation — Select name for App Rule Policy.
Rule Creation — App Rule Action Settings

1
Enter a message to be displayed when an email message is blocked in the Content field.
2
Click Next. The Rule Creation — Select name for App Rule Policy dialog displays.
Rule Creation — Select name for App Rule Policy

1
Enter a friendly name for the App Rule policy in the Policy Name field.
2
Click Next. The Confirm Policy Settings page displays.

3
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the App Rule Policy Complete page displays.

4
Click Close.
Rule Creation — Select POP3 Rules for App Rule

1
Select the rule to govern POP3 email attachments, names, and subject contents:
Look for specific attachment extensions (default)
Look for specific attachment names
Look for all attachment extensions, except the ones specified
Look for all attachment names, except the ones specified
Look for content found in e-mail subject
2
Click Next. The Rule Creation — App Rule Object Keywords and Policy Direction dialog displays.

1
Select the email direction from the Direction drop-down menu:
Incoming (default)
Outgoing
Both
2
Enter the content to match for inclusion or exclusion in the Content field. Each entry must be on a separate line; multiple entries on one line are considered a single entry.
* 
NOTE: You must enter at least one value.
3
To enter the content into the List table, click the Add button.

To modify an entry in the List table:

a
Select the entry in the List table. The entry is displayed in the Content field.
b
Change the entry in the Content field.
c
Click the Update button.

To delete all entries in the List table, click the Remove All button.

To delete an entry in the List table:

a
Select the entry.
b
Click the Remove button.
4
Repeat Step 2 through Step 3 for each entry.
* 
TIP: To import content from a predefined text file containing multiple entries (each entry on its own line) for an application object to match, click the Load From File button. The Upload Object Values dialog displays.

1
Click the Browse button to locate the desired file.
2
Select the file.
3
Click the Upload button.
5
Click Next. The Rule Creation — App Rule Action Settings page displays.

1
Select the type of action the App Rule is to enforce:
Blocking Action - disable attachment and add custom text (default)
Bypass DPI
Log Only
2
Click Next. The page that displays depends on the type of action selected:
For Blocking Action - block and send custom e-mail reply and Add E-mail Banner action types, the Rule Creation — App Rule Action Settings page displays; go to Rule Creation — App Rule Action Settings (Page 2).
For all other action types, the Rule Creation — Select name for App Rule Policy page displays; go to Rule Creation — Select name for App Rule Policy.
Rule Creation — App Rule Action Settings (Page 2)

1
Enter a message to be displayed when an email message is blocked in the Content field.
2
Click Next. The Rule Creation — Select name for App Rule Policy page displays.
Rule Creation — Select name for App Rule Policy

1
Enter a friendly name for the App Rule policy in the Policy Name field.
2
Click Next. The Confirm Policy Settings page displays.
* 
NOTE: What is displayed reflects the settings you chose and the values you entered.

3
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the App Rule Policy Complete page displays.

4
Click Close.
Rule Creation — Select Web Access Rules for App Rule

1
Select the rule to govern web access:
Look for download of files with specific file extensions (default)
Look for access to specific URLs
Look for usage of certain web browsers
Look for usage of any web browser, except the ones specified
Look for attachment name uploaded to a web mail account
Look for attachment extension uploaded to a web mail account
2
Click Next. The page that displays depends on the rule selected:
For Look for usage of certain web browsers and Look for usage of any web browser, except the ones specified rules, the Rule Creation — App Rule Object Settings page displays; go to Rule Creation — App Rule Object Settings (Browser).
For all other rules, the Rule Creation — App Rule Object Keywords and Policy Direction page displays; go to Rule Creation — App Rule Object Keywords and Policy Direction.
Rule Creation — App Rule Object Settings (Browser)

1
Select the email direction from the Direction drop-down menu:
Incoming (default)
Outgoing
Both
2
Select a browser from the Content drop-down menu:
* 
NOTE: You must select at least one browser.
Netscape (default)
MSIE (Microsoft Internet Explorer)
Firefox
Safari (does not operate on Windows platforms)
Chrome
3
To enter the browser into the List table, click the Add button.

To modify an entry in the List table:

a
Select the entry in the List table. The entry is displayed in the Content field.
b
Change the entry in the Content field.
c
Click the Update button.

To delete all entries in the List table, click the Remove All button.

To delete an entry in the List table:

a
Select the entry.
b
Click the Remove button.
4
Repeat Step 2 through Step 3 for each entry.
5
Click Next. The Rule Creation — App Rule Action Settings page displays; go to Rule Creation — App Rule Action Settings > Attachments.
Rule Creation — App Rule Object Keywords and Policy Direction

1
Select the email direction from the Direction drop-down menu:
Incoming (default)
Outgoing
Both
2
Enter the content to match for inclusion or exclusion in the Content field. Each entry must be on a separate line; multiple entries on one line are considered a single entry.
* 
NOTE: You must enter at least one value.

If you are entering filename extensions, omit the dot (.).

3
To enter the content into the List table, click the Add button.

To modify an entry in the List table:

a
Select the entry in the List table. The entry is displayed in the Content field.
b
Change the entry in the Content field.
c
Click the Update button.

To delete all entries in the List table, click the Remove All button.

To delete an entry in the List table:

a
Select the entry.
b
Click the Remove button.
4
Repeat Step 2 through Step 3 for each entry.
5
Click Next. The dialog that displays depends on your Access Rule selection on the Rule Creation — Select Web Access Rules for App Rule dialog:
For Look for attachment name uploaded to a web mail account and Look for attachment extension uploaded to a web mail account access rules, the Rule Creation — App Rule Action Settings > Attachments displays.
All other access rules, the Rule Creation — App Rule Action Settings displays.
Rule Creation — App Rule Action Settings > Attachments

1
Select the type of action the App Rule is to enforce:
Blocking Action - reset connection (default)
Bypass DPI
Log Only
Rule Creation — App Rule Action Settings

1
Select the type of action the App Rule is to enforce:
Blocking Action - custom block page (default)
Blocking Action - redirect to new location
Bypass DPI
Log Only
2
Click Next. The page that displays depends on the type of action selected:
For blocking actions, the Rule Creation — App Rule Action Settings (Page 2) displays.
For all other actions, the Rule Creation — Select name for App Rule Policy page displays; go to Rule Creation — Select name for App Rule Policy.
Rule Creation — App Rule Action Settings (Page 2)

1
Enter a message to be displayed when a web page is blocked in the Content field.
2
Click Next. The Rule Creation — Select name for App Rule Policy page displays.
Rule Creation — Select name for App Rule Policy

1
Enter a friendly name for the App Rule policy in the Policy Name field.
2
Click Next. The Summary page displays.
* 
NOTE: What is displayed reflects the settings you chose and the values you entered.

3
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the App Rule Policy Complete page displays.

4
Click Close.
Rule Creation — Select FTP Rules for App Rule

1
Select the rule to govern FTP file transfers:
Inspect transfer of files with specified file content (default)
Inspect download (reading) of files with specified filename
Inspect uploading (writing) of files with specified filename
Inspect uploading (writing) of files with specified file extension
Look for attachment name uploaded to a web mail account
Make all FTP access read-only (no uploads)
Disallow usage of SITE command
2
Click Next. The Rule Creation — App Rule Object Keywords and Policy Direction page displays.

3
Select the email direction from the Direction drop-down menu:
Incoming (default)
Outgoing
Both
* 
NOTE: If you selected an FTP rule of Make all FTP access read-only (no uploads) or Disallow usage of SITE command, the Direction drop-down menu is the only option available. After making your selection, go to Step 7.
4
Enter the content to match for inclusion or exclusion in the Content field. Each entry must be on a separate line; multiple entries on one line are considered a single entry.
* 
NOTE: You must enter at least one value.
5
To enter the content into the List table, click the Add button.

To modify an entry in the List table:

a
Select the entry in the List table. The entry is displayed in the Content field.
b
Change the entry in the Content field.
c
Click the Update button.

To delete all entries in the List table, click the Remove All button.

To delete an entry in the List table:

a
Select the entry.
b
Click the Remove button.
6
Repeat Step 2 through Step 3 for each entry.
* 
TIP: To import content from a predefined text file containing multiple entries (each entry on its own line) for an application object to match, click the Load From File button. The Upload Object Values dialog displays.

1
Click the Browse button to locate the desired file.
2
Select the file.
3
Click the Upload button.
7
Click Next. The Rule Creation — App Rule Action Settings dialog displays.

8
Select the type of action the App Rule is to enforce:
Blocking Action - Add Block Message (default)
* 
NOTE: If you selected an FTP rule of Make all FTP access read-only (no uploads) or Disallow usage of SITE command, the Direction drop-down menu is the only option available, and it cannot be unselected.

If you selected the FTP rule, Inspect transfer of files with specified file content, this option is Blocking Action - Reset Connection (default).

Bypass DPI
Log Only
9
Click Next. The Rule Creation — Select name for App Rule Policy page displays.

1
Enter a friendly name for the App Rule policy in the Policy Name field.
2
Click Next. The Confirm Policy Settings page displays.
* 
NOTE: What is displayed reflects the settings you chose and the values you entered.

3
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the App Rule Policy Complete page displays.

4
Click Close.
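
The Load From File tips and the Content field rules above (one entry per line, several entries on one line treated as a single entry, no leading dot on filename extensions, at least one value) can be checked before a list is uploaded. The following Python is an added example, not SonicOS code; the function names and the sample list are assumptions, and it only removes exact duplicates because the guide does not state whether matching is case-sensitive.

```python
"""Prepare a text file of App Rule match values (added illustration)."""

# Constructed sample of a hand-written extension list with typical mistakes.
SAMPLE_EXTENSIONS = """exe
.scr

vbs, js
.EXE
exe
"""


def prepare_match_values(text, extensions=False):
    """Return (values, warnings) for a draft list of match entries.

    values   -- cleaned entries, one per future line, in original order
    warnings -- (line_number, message) tuples for entries that need a decision
    Raises ValueError when no value is left, since at least one is required.
    """
    # For extensions, any whitespace or separator suggests several entries
    # were typed on one line; for keywords a space is a legitimate phrase.
    suspicious = ",; \t" if extensions else ",;"
    values, warnings, seen = [], [], set()

    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no value
        if extensions and entry.startswith("."):
            entry = entry.lstrip(".")  # the guide says to omit the dot
            if not entry:
                warnings.append((number, "line contained only dots; skipped"))
                continue
        if any(ch in entry for ch in suspicious):
            warnings.append(
                (number, f"{entry!r} will be matched as ONE entry; "
                         "split it onto separate lines if several were meant")
            )
        if entry in seen:
            continue  # exact duplicate adds nothing to the List table
        seen.add(entry)
        values.append(entry)

    if not values:
        raise ValueError("at least one value is required")
    return values, warnings


def to_upload_text(values):
    """Render the cleaned values as one entry per line."""
    return "\n".join(values) + "\n"


if __name__ == "__main__":
    cleaned, notes = prepare_match_values(SAMPLE_EXTENSIONS, extensions=True)
    for line_number, message in notes:
        print(f"line {line_number}: {message}")
    print(to_upload_text(cleaned), end="")
```

A line flagged with a warning is kept as typed, mirroring how the guide says it is treated, so a blocklist that silently matches nothing is caught at review time rather than after the policy is applied.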

Using the WXA Setup Guide

The WXA Setup Guide configures the coupled WXA series appliance for WAN Acceleration.

For information about WAN Acceleration, WXA series appliances, and how to configure the WXA series appliance to work with your TZ Series wired and wireless appliances or your SOHO W wireless appliance, see the SonicWall WXA Clustering 1.3 Administration Guide and the most current SonicWall WXA for SonicOS 6.2 Administration Guide.

NSA and SuperMassive Appliances Wizards

Using the Setup Wizard

The Setup Wizard helps you configure these settings:

WAN networking mode and WAN network configuration
LAN network configuration
Wireless LAN network configuration (wireless devices)

Starting the Setup Wizard

1
Click Wizard on the top-right corner of the SonicOS management interface. The Welcome page displays.

2
Select the Setup Wizard.
3
Click Next. The Change Administrator Password page displays.
Change Administrator Password

1
To set the password, first, enter the old password in the Old Password field.
2
Enter a new password in the New Password and Confirm New Password fields.
* 
IMPORTANT: Choose a password that cannot be easily guessed by others.
3
Click Next. The Change Time Zone page displays.
Change Time Zone

1
Select the appropriate Time Zone from the Time Zone menu. The SonicWall’s internal clock is set automatically by a Network Time Server on the Internet.
2
Click Next. What is displayed next depends on whether the firewall contains a 3G/4G device: If the firewall:
Contains a 3G/4G device, the Configure 3G/4G page displays; go to Configure 3G/4G.
* 
NOTE: 3G/4G devices are not supported on the SuperMassive 9800.
Does not contain a 3G/4G device, go to WAN Mode: WAN Network Mode.
Configure 3G/4G
* 
NOTE: 3G/4G devices are not supported on the SuperMassive 9800.

1
Select whether you will use the 3G/4G device.
2
Click Next. What is displayed next depends on the option selected:
Yes: The WAN Failover 3G/4G Connection guide displays. Go to WAN Failover 3G/4G Connection.
No: The WAN Network Mode page displays. Go to WAN Network Mode.
WAN Failover 3G/4G Connection
* 
NOTE: 3G/4G devices are not supported on the SuperMassive 9800.

1
Select a country from the Country drop-down menu.
2
Select your ISP from the Service Provider drop-down menu.
* 
NOTE: The providers listed depend on the country you selected.
3
Select your plan from the Plan Type drop-down menu.
* 
NOTE: The plans listed depend on the ISP you selected.
4
Click Next. A second WAN Failover 3G/4G Connection page displays. Which one depends on whether you selected Optional for either Service Provider or Plan Type. If you selected:
Other for either parameter, go to WAN Failover 3G/4G Connection > Other.
WAN Failover 3G/4G Connection > ISP and Plan
* 
NOTE: 3G/4G devices are not supported on the SuperMassive 9800.

1
The options on the page are populated according to your selection for Service Provider and Plan Type. Verify the information.
2
Optionally enter the user name for accessing the network in the User Name field if it is blank or different from the populated one.
3
Optionally enter the password for accessing the network in the Password and Confirm Password fields if it is blank or different from the populated one.
4
Click Next. The WAN Network Mode page displays. Go to WAN Network Mode.
WAN Failover 3G/4G Connection > Other
* 
NOTE: 3G/4G devices are not supported on the SuperMassive 9800.

1
Enter a name for your connection profile in the Profile Name field. The default is My Connection Profile.
2
Select a connection type from the Connection Type drop-down menu.
CDMA/EVDO
GPRS/EDGE/HSDPA
3
The Dialed Number field is populated according to the Connection Type you selected. Optionally, change this to what you use if it is different.
4
Optionally enter the user name for accessing the network in the User Name field.
5
Optionally enter the password for accessing the network in the Password and Confirm Password fields.
6
Click Next. The WAN Network Mode page displays.
WAN Network Mode

All wizards except for the SuperMassive 9800

SuperMassive 9800 wizard

1
Confirm that you have the proper network information necessary to configure the SonicWall to access the Internet. For SonicWall network security appliances, the WAN network mode is set to Router-based Connections - Use a Static IP address or a range of IP addresses by default.
2
Click Next. The page that displays depends on the mode you selected:
Router-based Connections, go to WAN Settings > WAN Network Mode: NAT Enabled.
* 
NOTE: WAN Network Mode – NAT Enabled is the only mode supported on the SuperMassive 9800.
Cable/Modem-based Connections, go to WAN Settings > WAN Network Mode: NAT with DHCP Client.
WAN Settings > WAN Network Mode: NAT Enabled

1
The settings have been populated based on your system. Verify they are correct.
* 
NOTE: If you are unsure of this information, contact your internet service provider (ISP).
SonicWall WAN IP Address – An IP address is a number that identifies each device on your network. An IP address consists of four numbers, separated by periods, ranging from 0 to 254 in value. Examples of IP addresses are 192.168.168.1, 10.0.0.1, or 216.217.36.130.

Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address used by another device on your network.

WAN Subnet Mask – The subnet mask defines which IP addresses are located on your local network and which IP addresses are located on the Internet. For example, if you assign your computer the IP address 192.168.168.200 and the subnet mask 255.255.255.0, then your computer will believe that all 192.168.168.X addresses are on the local network, and all other addresses are located on the Internet.

The WAN Subnet Mask should be assigned by your ISP. If you do not know your WAN Subnet Mask, use the subnet mask assigned to your computer or contact your ISP.

Gateway Router Address – The WAN gateway (router) address is the IP address of the router that bridges your network to the Internet. The WAN router may be attached directly to the SonicWall appliance's WAN port or indirectly through a cable or DSL modem.

The WAN Gateway (router) address must be in the same subnet as the SonicWall appliance WAN IP address. The WAN gateway (router) address often ends with the numbers .1 or .254. So, if your WAN IP address is 216.0.36.128, then your gateway might be 216.0.36.1 or 216.0.36.254. If you do not know your gateway address, contact your ISP.

DNS Server Address – The DNS server address is the IP address of the DNS server.
DNS Server Address #2 (optional) – If there is a second DNS server address, enter it in this field.
2
To allow HTTPS, select Allow HTTPS on this WAN Interface. This is selected by default.
* 
CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. If you enable this setting, ensure you have entered a strong password either on the Password page of this Guide or through the Password Setup wizard.
3
To allow ping, select Allow Ping on this WAN Interface. This is selected by default.
4
Click Next. The LAN Settings page displays; go to LAN Settings.
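
The addressing rules in Step 1 (a WAN IP address not used by another device, a subnet mask, and a gateway in the same subnet as the WAN IP address) can be verified before the values are entered. The following Python is an added example, not SonicOS code; the function names and the in_use parameter are assumptions, and the sample addresses are the ones used in the text above.

```python
"""Pre-flight check of static WAN settings (added illustration)."""
import ipaddress


def prefix_from_mask(mask):
    """Convert a dotted subnet mask to a prefix length.

    Rejects masks whose 1-bits are not contiguous (for example 255.255.0.255).
    """
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):  # host bits must form one solid run
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return 32 - inverted.bit_length()


def check_wan_settings(wan_ip, subnet_mask, gateway, dns_servers=(), in_use=()):
    """Return a list of (field, problem) tuples; empty means consistent.

    in_use is an assumed list of addresses already assigned to other devices.
    """
    problems, parsed = [], {}
    for field, text in (("wan_ip", wan_ip), ("gateway", gateway)):
        try:
            parsed[field] = ipaddress.IPv4Address(text)
        except ValueError as exc:
            problems.append((field, str(exc)))
    try:
        prefix = prefix_from_mask(subnet_mask)
    except ValueError as exc:
        problems.append(("subnet_mask", str(exc)))
        prefix = None
    for index, text in enumerate(dns_servers, start=1):
        try:
            ipaddress.IPv4Address(text)
        except ValueError as exc:
            problems.append((f"dns_{index}", str(exc)))
    if prefix is None or len(parsed) < 2:
        return problems  # subnet checks need all three values

    ip, gw = parsed["wan_ip"], parsed["gateway"]
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    # Network and broadcast addresses are not assignable on /30 and larger.
    reserved = {net.network_address, net.broadcast_address} if prefix <= 30 else set()

    if ip in reserved:
        problems.append(("wan_ip", f"{ip} is the network or broadcast address of {net}"))
    if ip in {ipaddress.IPv4Address(a) for a in in_use}:
        problems.append(("wan_ip", f"{ip} is already used by another device"))
    if gw == ip:
        problems.append(("gateway", "gateway is the same as the WAN IP address"))
    elif gw not in net:
        problems.append(("gateway", f"{gw} is not in the WAN subnet {net}"))
    elif gw in reserved:
        problems.append(("gateway", f"{gw} is the network or broadcast address of {net}"))
    return problems


if __name__ == "__main__":
    # Sample values taken from the text above; the mismatched gateway is constructed.
    print(check_wan_settings("216.0.36.128", "255.255.255.0", "216.0.36.1"))
    print(check_wan_settings("216.0.36.128", "255.255.255.0", "216.0.37.1"))
```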
WAN Settings > WAN Network Mode: NAT with DHCP Client

1
To allow HTTPS, select Allow HTTPS on this WAN Interface. This is selected by default.
* 
CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. If you enable this setting, ensure you have entered a strong password either on the Password page of this Guide or through the Password Setup wizard.
2
To allow ping, select Allow Ping on this WAN Interface. This is selected by default.
3
Click Next. The LAN Settings page displays; go to LAN Settings.
WAN Settings > WAN Network Mode – NAT with PPPoE Client
* 
NOTE: WAN Network Mode – NAT with PPPoE client is not supported on the SuperMassive 9800.

1
Choose how to obtain an IP address:
Automatically – Select Obtain an IP Address Automatically; this is the default. Go to Step 2.
Manually – Select Use the following IP Address. The field becomes active.
a)
Enter the PPPoE IP address in the Use the following IP Address field.
2
Enter your PPPoE user name in the PPPoE User Name field.
3
Enter your PPPoE password in the PPPoE Password field.
* 
NOTE: The password is case sensitive. Enter a strong password that cannot be easily guessed by others. A strong password should have at least one uppercase letter, one lowercase letter, one number, and one special character. For example, MyP@ssw0rd.
4
Optionally, to disconnect after a period of inactivity, select Inactivity Disconnect (minutes). By default, this is not selected. When this option is selected, the field becomes active.
Enter the maximum inactivity time, in minutes, before disconnect in the Inactivity Disconnect (minutes) field; the default is 10.
5
To allow HTTPS, select Allow HTTPS on this WAN Interface. This is selected by default.
* 
CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. If you enable this setting, ensure you have entered a strong password either on the Password page of this Guide or through the Password Setup wizard.
6
To allow ping, select Allow Ping on this WAN Interface. This is selected by default.
7
Click Next. The LAN Settings page displays; go to LAN Settings.
WAN Settings > WAN Network Mode – NAT with PPTP Client
* 
NOTE: You must supply a PPTP server IP address, user name, and password to continue.
* 
NOTE: WAN Network Mode – NAT with PPTP client is not supported on the SuperMassive 9800.

1
Enter the IP address of your PPTP server in the PPTP Server IP Address field.

An IP address is a number that identifies each device on your network. An IP address consists of four numbers, separated by periods, ranging from 0 to 254 in value. Examples of IP addresses are 192.168.168.1, 10.0.0.1, or 216.217.36.130.

Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address used by another device on your network.

2
Enter your PPTP server user name in the PPTP User Name field.
3
Enter your PPTP server password in the PPTP Password field.
4
Choose how to obtain an IP address:
Automatically – Select Obtain an IP Address Automatically; this is the default. Go to Step 8.
Manually – Select Use the following IP Address.
5
Enter the appliance’s WAN address in the SonicWall WAN IP Address field.
6
Enter the WAN subnet mask in the WAN Subnet Mask field.

The subnet mask defines which IP addresses are located on your local network and which IP addresses are located on the Internet. For example, if you assign your computer the IP address 192.168.168.200 and the subnet mask 255.255.255.0, then your computer believes that all 192.168.168.X addresses are on the local network, and all other addresses are located on the Internet.

The WAN subnet mask is assigned by your ISP. If you do not know your WAN Subnet Mask, use the subnet mask assigned to your computer or contact your ISP.

7
Enter the Gateway (router) address in the Gateway (Router) Address field.
8
To allow HTTPS, select Allow HTTPS on this WAN Interface. This is selected by default.
* 
CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability. If you enable this setting, ensure you have entered a strong password either on the Password page of this Guide or through the Password Setup wizard.
9
To allow ping, select Allow Ping on this WAN Interface. This is selected by default.
10
Click NEXT. The LAN Settings page displays.
LAN Settings

The Setup Wizard populates the LAN Settings fields automatically, based on the supplied settings.

1
Verify the LAN IP Address and LAN subnet mask are correct.
SonicWall LAN IP Address – The IP address of the SonicWall LAN. Every IP address on your network must be unique. Therefore, do not assign your SonicWall an IP address that is used by another device on your network.
LAN Subnet Mask – The subnet mask defines which IP addresses are located on your local network and which IP addresses are located on the Internet. For example, if you assign your computer the IP address 192.168.168.200 and the subnet mask 255.255.255.0, then your computer believes that all 192.168.168.X addresses are on the local network, and all other addresses are located on the Internet.

The LAN subnet mask defines the size of your local network. The LAN subnet mask 255.255.255.0 works for most networks.

2
Click Next. The LAN DHCP Settings page displays.
LAN DHCP Settings

1
Select the Enable DHCP Server on LAN checkbox. This is checked by default.

DHCP (Dynamic Host Configuration Protocol) is used to distribute TCP/IP settings automatically. A DHCP server simplifies network address management and avoids the time-consuming task of configuring each computer's IP settings.

* 
IMPORTANT: SonicWall appliances contain both a DHCP client and a DHCP server. It is important not to get them confused:
The server is used to configure computers which are located on inside interfaces. Its use is optional.
By contrast, the client is used so that the SonicWall appliance can be configured automatically from the network through its WAN link (for instance, a cable modem network).
2
The Setup Wizard populates the LAN Address Range fields automatically. Verify the addresses are correct.

Enter a range of IP addresses for your network devices on the LAN. The address range must be in the same subnet as the SonicWall Web Management address. SonicWall's default gateway address is currently set according to the IP address that has been configured.

3
Click Next. The SonicWall Configuration Summary page displays.
SonicWall Configuration Summary
* 
NOTE: The Port Assignment page does not display for NSA Series or SuperMassive Series firewalls.

1
The SonicWall Configuration Summary page displays the configuration defined using the Installation Wizard. Verify the information. To modify any of the settings, click Back to return to the appropriate page.
2
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the Setup Complete dialog displays.

Setup Complete

3
If you have not registered your appliance, you can do so now by clicking the link in the sentence, Next, you should click here or visit SonicWall’s Web Site to register your unit. The Setup Wizard closes, and you are redirected to the appropriate location.
4
Click Close.

 

Using the Public Server Guide (Wizard)

Wizards > Public Server Wizard

To configure public access to an internal server with the Public Server Wizard:
1
Click the Wizard button on the top-right corner of the SonicOS management interface. In the Welcome page, select the Public Server Wizard.

2
Click Next. The Public Server Type page displays.

Public Server Type

1
Select the server type from the Server Type drop-down menu:
Web Server (default)
FTP Server
Mail Server
Terminal Services Server
Other
2
Select the services to use from the Services options. The choices depend on the server type. You can select more than one service except for FTP Server and Other. By default, all services are selected, except if Other is selected as a Server Type.
 

Server type – Choices
Web Server – HTTP (TCP 80), HTTPS (TCP 443). CAUTION: Allowing HTTPS management from the WAN creates a potential vulnerability.
FTP Server – FTP (TCP 21)
Mail Server – SMTP (TCP 25), POP3 (TCP 110), IMAP (TCP 143)
Terminal Services Server – Microsoft RDP (TCP 3389), Citrix ICA (TCP 1494)
Other – Select a service from the Services drop-down menu.

3
Click Next. The Private Network dialog displays.

Private Network

1
Enter a friendly name in the Server Name field.
2
Enter the server’s IP address in the Server Private IP Address field. Specify an IP address in the range of addresses assigned to the zone where you want to put this server. The Public Server Wizard assigns the server automatically to the zone in which its IP address belongs.
* 
NOTE: If you enter an IP address that matches an existing Network Object, that object is renamed with the Server Name you specify here.
3
Optionally, enter a comment to further identify the public server in the Server Comment field.
4
Click Next. The Server Public Information dialog displays.

Server Public Information

1
Specify the server's public (external) IP address in the Server Public IP Address field. The default value is that of your SonicWall appliance's WAN public IP address.
* 
IMPORTANT: You should change the public IP address of this server only if it is accessed over the Internet by a different address.

If you enter a different IP, the Public Server Wizard will create an address object for that IP address and bind the address object to the WAN zone.

If you are uncertain of this address, you are encouraged to leave it at the default.

2
Click Next. The Summary page displays.

Public Server Configuration Summary

1
The Summary page displays a summary of the configuration you selected in the wizard. Verify the settings.
Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the DMZ, the wizard binds the address object to the DMZ zone. It names the object with the server name you specified plus _private.

If you specify an IP in the range of another zone, it will bind the address object to that zone. If you specify an IP address out of the range of any zone you have configured, the wizard will bind the address object to the LAN zone.

Because the server in the example used the default WAN IP address for the Server Public IP Address, the wizard states that it will use the existing WAN address object when constructing policies between the new server and the WAN. If you specify another address, the wizard will create an object for that address bound to the WAN zone and name the new address object with the server name you specified plus _public.

Server Service Group Object - The wizard creates a service group object for the services used by the new server. Because the server in the example is a Web server, the service group includes HTTP and HTTPS. This way, you have a convenient group to refer to when creating or editing access policies for this server.
Server NAT Policies - The wizard creates a NAT policy to translate the destination addresses of all incoming packets with one of the services in the new service group and addressed to the WAN address to the address of the new server. Therefore, in this example, if a packet with service type of HTTPS comes in addressed to the WAN interface (10.0.93.43), the NAT policy will translate its address to 172.22.2.44.
The wizard also creates a Loopback NAT policy to translate HTTP and HTTPS traffic from inside your network addressed to the WAN IP address back to the address of the mail server.
Server Access Rules - The wizard creates an access policy allowing all mail service traffic from the WAN zone to the DMZ.
2
Click Apply. A message displays indicating the configuration is being updated:

After the configuration has updated, the Public Server Wizard Complete page displays.

* 
TIP: The new IP address used to access the new server, internally and externally, is displayed in the URL field of the Congratulations window.
3
Click Close to close the wizard.
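The object derivation described on the Summary page, modelled as an added Python example (not SonicOS code). The zone subnets, the server name web1 and all function names are assumptions for illustration; 10.0.93.43 and 172.22.2.44 are the addresses used in the text.

```python
"""Model of the objects the Public Server Wizard summary lists.

Added illustration, not SonicOS code. Zone subnets and the server name
are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption): the text only says the example
# server's address lies in the range assigned to the DMZ.
ZONES = {
    "LAN": ip_network("192.168.168.0/24"),
    "DMZ": ip_network("172.22.2.0/24"),
}

# Services offered per server type on the Public Server Type page.
SERVICES = {
    "Web Server": {"HTTP": 80, "HTTPS": 443},
    "FTP Server": {"FTP": 21},
    "Mail Server": {"SMTP": 25, "POP3": 110, "IMAP": 143},
    "Terminal Services Server": {"Microsoft RDP": 3389, "Citrix ICA": 1494},
}


def zone_for(ip):
    """Return (zone, matched) for ip; unmatched addresses go to LAN."""
    addr = ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone, True
    return "LAN", False


def plan_public_server(name, server_type, private_ip, wan_ip,
                       public_ip=None, services=None):
    """Derive the objects and policies described on the Summary page.

    services overrides the defaults for a server type ("Other" or a subset).
    """
    public_ip = public_ip or wan_ip
    ports = services or SERVICES[server_type]
    zone, matched = zone_for(private_ip)
    objects = [{"name": name + "_private", "ip": private_ip, "zone": zone}]
    if public_ip != wan_ip:
        # A non-default public address gets its own object in the WAN zone.
        objects.append({"name": name + "_public", "ip": public_ip, "zone": "WAN"})
    return {
        "address_objects": objects,
        "zone_matched": matched,
        "service_group": dict(ports),
        # Inbound: destination rewritten from the public to the private address.
        "nat": {"orig_dst": public_ip, "new_dst": private_ip},
        # Loopback: internal clients that use the public address reach the server.
        "loopback_nat": {"src": "internal", "orig_dst": public_ip, "new_dst": private_ip},
        "access_rule": {"from": "WAN", "to": zone, "action": "allow"},
    }


def exposure(plan):
    """List (public_ip, tcp_port, private_ip, zone) reachable from the WAN."""
    nat, rule = plan["nat"], plan["access_rule"]
    return [(nat["orig_dst"], port, nat["new_dst"], rule["to"])
            for port in sorted(plan["service_group"].values())]


def review(plan):
    """Findings a reviewer would raise before clicking Apply."""
    findings = []
    if not plan["zone_matched"]:
        findings.append("private IP is outside every zone range; object bound to LAN")
    if plan["access_rule"]["to"] == "LAN":
        findings.append("access rule admits WAN traffic into the LAN zone")
    return findings


if __name__ == "__main__":
    plan = plan_public_server("web1", "Web Server", "172.22.2.44", "10.0.93.43")
    for row in exposure(plan):
        print(row)
    print(review(plan))
```

A mistyped private address that matches no zone range is the case worth checking on the Summary page: the object falls back to the LAN zone and the access rule then points into the LAN.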

 

Using the VPN Guide (Wizard)

VPN Guide

The VPN Guide walks you step-by-step through creating a new site-to-site VPN policy or configuring the WAN GroupVPN to accept connections from the Global VPN Client. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VPN policy. You can use the SonicWall Management Interface for optional advanced configuration options.


Creating a WAN GroupVPN

The VPN Guide allows you to quickly configure the WAN GroupVPN to accept incoming VPN connections from a Global VPN Client.

To create a WAN GroupVPN:
1
Click Wizards on the top-right corner of the SonicOS management interface. The Welcome page displays.

2
In the Welcome page, select VPN Guide.
3
Click Next. The VPN Policy Type page displays.

VPN Policy Type

1
Select WAN GroupVPN.
2
Click Next. The IKE Phase 1 Key Method page displays.

IKE Phase 1 Key Method

1
In the IKE Phase 1 Key Method page, you select the authentication key to use for this VPN policy:
Use default key – All Global VPN Clients automatically use the default key generated by the firewall to authenticate with the SonicWall.
Use this preshared key – You must distribute the key to every Global VPN Client because the user is prompted for this key when connecting to the WAN GroupVPN. Specify a custom preshared key in the Use this preshared key field; a default custom key is generated by the firewall, such as ECE38B6AB8188A5D.
* 
NOTE: If you select Use this preshared key and leave the generated value as the custom key, you must still distribute the key to your Global VPN clients.
2
Click Next. The Security Settings page displays.

Security Settings

1
In the Security Settings page, you select the security settings for IKE Phase 1 and IPSEC Phase 2. You can use the default settings. If you require more specific security settings, you can adjust the WAN GroupVPN VPN policy after this wizard is completed.
DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. You can choose:
Group 1
Group 2 (default)
Group 5
Group 14

The VPN uses this during IKE negotiation to create the key pair.

Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security:
DES – The least secure, but takes the least amount of time to encrypt and decrypt.
3DES (default)
AES-128
AES-192
AES-256 – The most secure, but takes the longest time to encrypt and decrypt.

The VPN uses this for all data through the tunnel.

* 
IMPORTANT: The SonicWall Global VPN Client version 1.x is not capable of AES encryption, so if you choose an AES method, only SonicWall Global VPN Client versions 2.x and higher will be able to connect.
Authentication: This is the hashing method used to authenticate the key when it is exchanged during IKE negotiation. You can choose:
MD5
SHA-1 (default)
SHA256
SHA384
SHA512
Life Time (seconds): This is the length of time the VPN tunnel stays open before needing to re-authenticate. The default is eight hours (28800).
2
Click Next. The User Authentication page displays.

User Authentication

1
To require VPN Users to authenticate with the firewall when they connect, select the Enable User Authentication checkbox; this option is selected by default.
* 
NOTE: If you enable user authentication, the users must be entered in the SonicWall database for authentication. Users are entered into the SonicWall database on the Users > Local Users page, and then added to groups in the Users > Local Groups page.
2
If you:
Selected (enabled) Enable User Authentication, you must select the user group which contains the VPN users from the Authenticate User Group Object drop-down menu. The default is Trusted Users.
Deselected (disabled) Enable User Authentication, you must select an address object or address group from the Allow Unauthenticated VPN Client Access drop-down menu. The default is Firewalled Subnets.
3
Click Next. The Configure Virtual IP Adapter page displays.

Configure Virtual IP Adapter

1
To use the SonicWall’s internal DHCP server to assign each VPN client an IP address from the LAN zone’s IP range, select the User Virtual IP Adapter checkbox. This option is not selected by default.

The Global VPN Client has an optional virtual adapter that can obtain a special IP Address when it connects to the firewall. If this option is enabled, when a user connects, it appears that the user is on the internal X0 interface network when communicating with internal devices.

The virtual IP address can be obtained from the internal DHCP server of the firewall or from an existing DHCP server located on the firewall’s X0 interface.

* 
NOTE: If the virtual adapter is enabled, the internal DHCP server is used, and a new DHCP range is created on interface X0 for 192.168.168.1-192.168.168.167.
2
Click Next. The WAN GroupVPN Configuration Summary page displays.

WAN GroupVPN Configuration Summary

1
The Configuration Summary page details the settings you configured for the GroupVPN. To modify any of the settings, click Back to return to the appropriate page.
2
Click Apply to complete the wizard and create your GroupVPN. A Storing SonicWall Configuration… message displays before the VPN Wizard Complete page displays.

VPN Wizard Complete

1
Click Close to close the wizard.

Connecting the Global VPN Clients

Remote SonicWall Global VPN Clients install the Global VPN Client software. After the application is installed, they use a connection wizard to set up their VPN connection. To configure the VPN connection, the client must have the following information:

A public IP address (or domain name) of the WAN port for your SonicWall.
The shared secret, if you selected a custom preshared secret in the VPN Wizard.
The authentication username and password.

Configuring a Site-to-Site VPN

You use the VPN Guide to create the site-to-site VPN policy.

To configure a site-to-site VPN:
1
Click Wizards on the top-right corner of the SonicOS management interface. The Welcome page displays.

2
Select VPN Guide. This is selected by default.
3
Click Next. The VPN Policy Type page displays.

VPN Policy Type

1
Select Site-to-Site.
2
Click Next. The Create Site-to-Site Policy page displays.

Create Site-to-Site Policy

1
Enter the following information:
Policy Name – Enter a name you can use to refer to the policy. For example, Boston Office.
Preshared Key – Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWall-generated Preshared Key.
I know my Remote Peer IP Address (or FQDN) – If you check this option, this SonicWall can initiate the contact with the named remote peer. This option is not selected by default.

If you do not check this option, the peer must initiate contact to create a VPN tunnel and the firewall will use aggressive mode for IKE negotiation.

Remote Peer IP Address (or FQDN) – If you selected the I know my Remote Peer IP Address (or FQDN) option, enter the IP address or Fully Qualified Domain Name (FQDN) of the remote peer (for example, boston.yourcompany.com).
2
Click Next. The Network Selection page displays.

Network Selection

1
Select the local and destination resources to which this VPN will be connecting:
Local Networks – Select the local network resources protected by this SonicWall that you are connecting with this VPN. You can select any address object or group on the device, including networks, subnets, individual servers, and interface IP addresses. The default is Firewalled Subnets.

If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group.

Destination Networks – Select the network resources on the destination end of the VPN Tunnel from the drop-down menu. If the object or group does not exist, select Create new Address Object or Create new Address Group. For example:
a)
Select Create new Address Group. The Add Address Object Group dialog displays.

b)
In the Name field, enter LAN Group.
c)
In the list on the left, select LAN Subnets and click the Right Arrow button.
d)
Click OK to create the group and return to the Network Selection page.
e)
From the Destination Networks drop-down menu, select the newly created group.
2
Click Next. The Security Settings page displays.

Security Settings

1
In the Security Settings page, you select the security settings for IKE Phase 1 and IPSEC Phase 2. You can use the default settings. If you require more specific security settings, you can adjust the VPN policy after this wizard is completed.
DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. You can choose:
Group 1
Group 2 (default)
Group 5
Group 14

The VPN uses this during IKE negotiation to create the key pair.

Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security:
DES – The least secure, but takes the least amount of time to encrypt and decrypt.
3DES (default)
AES-128
AES-192
AES-256 – The most secure, but takes the longest time to encrypt and decrypt.

The VPN uses this for all data through the tunnel.

* 
IMPORTANT: The SonicWall Global VPN Client version 1.x is not capable of AES encryption, so if you choose an AES method, only SonicWall Global VPN Client versions 2.x and higher will be able to connect.
Authentication: This is the hashing method used to authenticate the key when it is exchanged during IKE negotiation. You can choose:
MD5
SHA-1 (default)
SHA256
SHA384
SHA512
Life Time (seconds): This is the length of time the VPN tunnel stays open before needing to re-authenticate. The default is eight hours (28800).
2
Click Next. The Site-to-site Policy Configuration Summary page displays.

Site-to-site Policy Configuration Summary

1
The Site-to-site VPN Policy Configuration Summary page displays the configuration defined using the VPN Wizard. To modify any of the settings, click Back to return to the appropriate page.
2
Click Apply to complete the wizard and create your VPN policy. A Storing SonicWall Configuration… message displays before the VPN Wizard Complete page displays.

VPN Wizard Complete

1
Click Close to close the wizard.
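A check of the Security Settings choices against a stricter minimum, as an added Python example (not SonicWall code); it covers the Security Settings page of both the WAN GroupVPN and the site-to-site procedures. The baseline (Group 14, AES-128, SHA256), the dictionary keys and the function names are assumptions chosen for illustration.

```python
"""Audit VPN Guide security settings against a stricter baseline.

Added illustration, not SonicWall code.
"""

# Options as listed on the Security Settings page, weakest first. The page
# states this ordering for encryption; treating the DH and hash lists the
# same way is this example's assumption (larger group, longer digest).
RANKED = {
    "dh_group": ["Group 1", "Group 2", "Group 5", "Group 14"],
    "encryption": ["DES", "3DES", "AES-128", "AES-192", "AES-256"],
    "authentication": ["MD5", "SHA-1", "SHA256", "SHA384", "SHA512"],
}

# Defaults the wizard preselects, per the page.
WIZARD_DEFAULTS = {
    "dh_group": "Group 2",
    "encryption": "3DES",
    "authentication": "SHA-1",
    "lifetime": 28800,
}

# Assumed minimum for this example; set it to your own policy.
BASELINE = {"dh_group": "Group 14", "encryption": "AES-128",
            "authentication": "SHA256"}


def _rank(key, value):
    """Position of value in the wizard's list for key (higher is stronger)."""
    try:
        return RANKED[key].index(value)
    except ValueError:
        raise ValueError(f"{value!r} is not a wizard option for {key}") from None


def audit(settings, baseline=BASELINE, gvc_major_version=None, peer_known=True):
    """Return (setting, value, reason) findings for one wizard run.

    gvc_major_version: oldest Global VPN Client in use (WAN GroupVPN).
    peer_known: the "I know my Remote Peer IP Address" box (site-to-site).
    """
    findings = []
    for key in RANKED:
        if _rank(key, settings[key]) < _rank(key, baseline[key]):
            findings.append((key, settings[key],
                             f"weaker than baseline {baseline[key]}"))
    if gvc_major_version == 1 and settings["encryption"].startswith("AES"):
        findings.append(("encryption", settings["encryption"],
                         "Global VPN Client 1.x cannot use AES; upgrade clients"))
    if not peer_known:
        # Per the page, an unknown peer means aggressive mode is used.
        findings.append(("ike_mode", "aggressive",
                         "aggressive mode in use; use a long random preshared key"))
    return findings


def harden(settings, baseline=BASELINE):
    """Copy of settings with every weaker choice raised to the baseline."""
    fixed = dict(settings)
    for key in RANKED:
        if _rank(key, fixed[key]) < _rank(key, baseline[key]):
            fixed[key] = baseline[key]
    return fixed


if __name__ == "__main__":
    for finding in audit(WIZARD_DEFAULTS, peer_known=False):
        print(finding)
    print(harden(WIZARD_DEFAULTS))
```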

Using the App Rule Guide (Wizard)

Wizards > App Rule Guide

The App Rule Guide provides safe configuration of App Rules for many common use cases, but not for everything. If at any time during the guide you are unable to find the options that you need, you can click Cancel and proceed using manual configuration. See About App Rules and App Control Advanced for more information on manual configuration.

* 
NOTE: When configuring manually, you must remember to configure all components, including match objects, actions, email address objects if required, and finally, a policy that references them.
To use the wizard to configure app rules:
1
Log in to the SonicWall security appliance.
2
In the SonicWall banner at the top of the page, click the Wizards icon. The Welcome page displays.

3
Select the App Rule Guide radio button.
4
Click Next. The App Rule Wizard Introduction page displays.

5
Click Next. The App Rule Policy Type page displays.

App Rule Policy Type

1
Select the type of network application to configure:
I would like to apply a policy to SMTP e-mail (default)
I would like to apply a policy to incoming POP3 e-mail
I would like to apply a policy to Web Access
I would like to apply a policy to an FTP file transfer
2
Click Next.
3
The next page varies depending on your choice of policy type. If you chose I would like to apply a policy to:

Select SMTP/POP3 Rules for Application Firewall

The POP3 rules are a subset of the SMTP rules.

Select SMTP Rules for App Rule

Select Pop3 Rules for App Rule

1
From the choices supplied (see SMTP and POP3 rules for Application Firewall), select:
Where to look in the email (SMTP).
The POP3 attachment filename, extension, or email subject content to examine.
 

SMTP and POP3 rules for Application Firewall

Columns: Rule, SMTP, POP3.
Look for content found in the email subject (default)
Look for content found in the email body
Look for content found in the email attachment
Specify maximum e-mail size allowed
Look for specific attachment extensions (default)
Look for specific attachment names
Look for all attachment extensions, except the ones specified
Look for all attachment names, except the ones specified

2
Click Next.
3
The next page varies depending on your choice of rules. If you chose:
All SMTP and POP3 policy rule types except Specify maximum e-mail size allowed, go to Set Application Firewall Object Keywords and Policy Direction.
Specify maximum e-mail size allowed, go to Application Firewall Object Email Size.

Select Web Access Rules for Application Firewall

1
Select the rule to govern web access:
Look for download of files with specific file extensions
Look for access to specific URIs
Look for usage of certain web browsers
Look for usage of any web browsers, except the ones specified
Look for attachment name uploaded to a web mail account
Look for attachment extension uploaded to a web mail account
2
Click Next.
3
The page that displays depends on the rule selected:
For Look for usage of certain web browsers and Look for usage of any web browser, except the ones specified rules, the Rule Creation — App Rule Object Settings page displays; go to Application Firewall Action Type/Settings.
For all other rules, the Rule Creation — App Rule Object Keywords and Policy Direction page displays; go to Set Application Firewall Object Keywords and Policy Direction.
Select FTP Rules for Application Firewall

1
Select the FTP filename, extension, or content from the choices supplied:
Inspect transfer of files with specified file content
Inspect download (reading) of files with specified filename
Inspect download (reading) of files with specified file extension
Inspect uploading (writing) of files with specified filename
Inspect uploading (writing) of files with specified file extension
Make all FTP access read-only (no uploads)
Disallow usage of SITE command
2
Click Next.
Set Application Firewall Object Keywords and Policy Direction

1
In the Direction drop-down menu, select the traffic direction to scan from:
Incoming (default)
Outgoing
Both
* 
NOTE: If you selected an FTP rule of Make all FTP access read-only (no uploads) or Disallow usage of SITE command, the Direction drop-down menu is the only option available. After making your selection, go to Step 4.
2
If you chose:
All policy rule types except these FTP types, go to Step 3:
Make all FTP access read-only (no uploads)
Disallow usage of SITE command
One of these two FTP types, go to
3
Do one of the following:
* 
NOTE: If you selected an SMTP or POP3 rule with the words except the ones specified, the content that you enter here is the only content that does not cause the action to occur.
Manually add content:
a)
In the Content field, type or paste a text or hexadecimal representation of the content to match.
b)
Click Add.
c)
Repeat until all content is added to the List field.
Import keywords from a predefined text file that contains a list of content values:
* 
NOTE: The values must be one per line in the file.
a)
Click Load From File. The Upload Object Values dialog displays.

b)
Select the file containing the object values.
c)
Click Upload.
4
Click Next.
Application Firewall Object Email Size

1
In the Direction drop-down menu, select the traffic direction to scan.
Incoming
Outgoing
Both
2
In the Maximum Email Size (Bytes) field, enter the maximum number of bytes for an email message.
3
Click Next.
Application Firewall Action Type/Settings

The options available on this page depend on the policy type you specify: SMTP, POP3, Web Access, or FTP file transfer.

1
From the choices supplied, select the action to be performed; see Application Firewall Actions.
* 
NOTE: Not all action types/settings are available for each access rule.
 

Application Firewall Actions

Action type/setting

SMTP

POP3

Web Access

FTP

Blocking Action —

 

 

 

 

block and send custom email reply

1

 

 

 

block without sending email reply

 

 

 

disable attachment and add custom text

 

a

 

 

custom block page

 

 

a

 

redirect to new location

 

 

 

Reset Connection

 

 

a

Add Block Message

 

 

 

Add Email Banner (append text at the end of email)