Introduction
This document introduces the events SonicWall will warrant against and provides configuration guidance for successful mitigation. Configuration instructions and graphics reflect SonicOS 7.1.2-7019 as of November 7, 2024. This document, dated 23 Oct 2025, specifies a maximum timeframe of 30 days for applying OS updates (unavoidable exceptions to this policy must be addressed with SonicWall and Cysurance on a case-by-case basis).
Minimum Non-Configuration Requirements
Qualifying firewalls must be configured according to this guide. Additional requirements include applying Operating System (OS) updates and patches as soon as possible (but within 30 days of release) and taking an initial ‘snapshot’ of the configured firewall by exporting and saving a Tech Support Report (TSR). This TSR will be required to file a claim, so safeguard it! Finally, a qualifying firewall must be licensed for security services and running, at a minimum, Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, Geo-IP Filter, and Botnet Filter.
Recommendations
Besides implementing minimum requirements and configurations, consider other strongly advised recommendations. If followed, they should provide additional security for a qualifying firewall and aid in filing a claim if necessary. These recommendations include exporting and archiving Audit and System log files, enabling additional security services, incorporating additional security services, and implementing best practices from SonicWall sources such as Knowledge-Based (KB) articles.
Note: Consider, test, and apply configuration changes carefully, as SonicWall isn’t responsible for the outcome.
Audit & System Log Export and Archives
Current Audit and System logs will be required when filing a claim. Providing additional Audit and System logs that extend the reporting period may improve the chances of filing a successful claim. Doing this requires exporting and archiving Audit and System logs, ideally at a regular cadence (e.g., once a week). Note: Archiving logs may require additional storage capacity or a central repository.
To export Audit logs:
- Navigate to Monitor | Logs | Auditing Logs and select Export.

To export System logs:
- Navigate to Monitor | Logs | System Logs and select Export. Note: Selecting Configure on the menu bar will allow you to configure what system events are logged, and

Enable Other Security Services
Consider enabling additional security services, such as App Control and Content Filter, to further enhance the firewall’s ability to secure network environments and resources.
App Control
- Navigate to Policy | Security Services | App Control, enabling the service and configuring the service according to the Firewall Administration Guide.

For guidance on configuring App Control in accordance with SonicWall Managed Security Services recommendations, refer to the App Control section of the MSS Firewall Best Practices: Security Services knowledge base article.
Content Filter
- Navigate to Policy | Security Services | Content Filter, enabling the service and configuring the service according to the Firewall Administration Guide.

For guidance on configuring Content Filtering in accordance with SonicWall Managed Security Services recommendations, refer to the Content Filtering section of the MSS Firewall Best Practices: Security Services knowledge base article.
DNS Security
- Navigate to Policy | DNS Security | Settings, enabling the service and configuring the service according to the Firewall Administration Guide.

Consider Best Practices & Other Published Guidelines
For guidance on configuring Additional Security Services in accordance with SonicWall Managed Security Services recommendations, refer to our MSS Firewall Best Practices - How to Configure (START HERE) knowledge base article.
Operating System (OS) Versions and Updates
To qualify for the embedded warranty, firewalls must run the most current OS, patches, and critical updates (installed as soon as possible but within 30 days of release).
- Navigate to Device | Settings | Firmware and Settings | Settings tab. Enable Check for available updates and Download new firmware automatically when available in the UPDATE AVAILABILITY section, and Automatically install downloaded firmware in the AUTOMATIC INSTALLS section to have updates applied automatically. The updates can also be scheduled.

Take & Store a Configuration Snapshot
After initially configuring the firewall according to this configuration guide, configure and export a TSR.
- Navigate to Device | Diagnostics | Tech Support Report.
- Enable the following options at a minimum under the CONFIGURE section:
- ARP Cache
- DHCP Bindings
- IKE Info
- List of current users
- DNS Proxy Cache
- Inactive users
- Detail of users
- IP Stack Info
- Geo-IP/Botnet Cache
- User Name
- Debug info in report
- IP Report
- Application Signatures
- Download and save a TSR report by selecting Download Tech Support Report in the ACTIONS section.

License and Enable Security Services
Qualifying firewalls must have a current security services subscription with Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, Geo-IP Filter, and Botnet Filter services enabled, at minimum.
- Gateway Anti-Virus: Navigate to Policy | Security Services | Gateway Anti-Virus, enabling the service and setting configuration toggles according to the diagram below.
- Anti-Spyware: Navigate to Policy | Security Services | Anti-Spyware, enabling the service and setting configuration toggles according to the diagram below.
- Intrusion Prevention: Navigate to Policy | Security Services | Intrusion Prevention, enabling the service and configuring it according to this guide’s Non-Volumetric DDOS Attack section.
- Geo-IP Filter: Navigate to Policy | Security Services | Geo-IP Filter, enabling the service and configuring it according to this guide’s Non-Volumetric DDOS Attack section.
- Botnet Filter: Navigate to Policy | Security Services | Botnet Filter, enabling the service and configuring it according to this guide’s Non-Volumetric DDOS Attack section.


Warrantied Events & Configurations
Unauthorized Remote Access
Unauthorized remote access happens when a threat actor gains access to a computer, network, or system without proper authorization despite correct configuration of SonicWall firewall protocols and requirements.
The firewall will prevent unauthorized remote access to it and protected network resources as long as access is contained within a virtual private network and properly configured according to this guide. To qualify for this warranty, TLS, SSH, or CSE must secure all access to the firewall.
Protected remote firewall and resource access are possible through an SSL/TLS VPN connection (either by a client such as NetExtender or directly to the firewall's IP address). An IPSEC VPN (usually site-to-site) is another means. Finally, Cloud Secure Edge (CSE) can provide remote access connectivity through a client or the firewall’s built-in connector. Regardless of the method, these features and capabilities must be intentionally and carefully configured to mitigate the risk of unauthorized remote access. The following sections provide essential configuration guidance.
SSL/TLS VPN (Client or Clientless – If Applicable)
A SonicWall firewall can be managed directly through a TLS web connection by configuring a browser with the IP address of the firewall appended by the administrative service port. Additionally, users (regardless of any administrative role) can access the firewall and its resources via a firewall-provided portal. This access can be gained through a TLS web connection by configuring a browser with the IP address of the firewall or through a client such as NetExtender. Methods, policies, privileges, and profiles must be carefully considered and configured, regardless of the user account, to reduce the risk of unauthorized remote access.
- Ensure the local user password policy is strong (at least 12 characters, a combination of letters, numbers, special characters, unrepeated passwords, etc.).
- Navigate to Device | Settings | Administration | Login / Multiple Administrators tab.
- Under LOGIN SECURITY, set password parameters and apply them to the appropriate administrator role (Note: These password constraints also apply to local user accounts). Set other account parameters as necessary to ensure strict control and minimal risk of compromise. Enable or populate these options (see the diagram below for minimum requirements for each):
- Password must be changed every (days)
- Change password after (hours)
- Bar repeated passwords for this many changes
- New password must contain 8 characters different from the old password
- Enforce a minimum password length of
- Enforce password complexity
- Upper Case Characters
- Lower Case Characters
- Number Characters
- Symbolic Characters
- Admin/user lockout
- Local admin/user account lockout

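As an added illustration (not SonicWall's code, and not how SonicOS itself enforces the settings), the following Python validator applies the password constraints listed above to a candidate password. The positional way it counts characters that differ from the old password, the 12-character minimum and the five-password history depth are assumptions made for the example.

```python
import string

# Policy values assumed for this example, mirroring the bullets above:
# 12+ characters, upper/lower/digit/symbol, no reuse of recent passwords,
# and at least 8 characters that differ from the previous password.
MIN_LENGTH = 12
MIN_DIFFERENT_FROM_OLD = 8
PASSWORD_HISTORY = 5  # number of previous passwords barred from reuse (assumed)


def complexity_failures(password):
    """Return the character classes the password is missing (empty list if none)."""
    checks = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def characters_different(new, old):
    """Count positions where `new` differs from `old`, plus any length difference.

    This positional definition is an assumption; the guide does not say how
    SonicOS counts 'characters different from the old password'."""
    common = min(len(new), len(old))
    differing = sum(1 for i in range(common) if new[i] != old[i])
    return differing + abs(len(new) - len(old))


def validate_password(new, old=None, history=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = complexity_failures(new)
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    # "Bar repeated passwords": reject the old password and the last N in history.
    recent = list(history)[-PASSWORD_HISTORY:]
    if new in recent or (old is not None and new == old):
        problems.append("reuses a recent password")
    if old is not None and characters_different(new, old) < MIN_DIFFERENT_FROM_OLD:
        problems.append(
            f"fewer than {MIN_DIFFERENT_FROM_OLD} characters differ from the old password"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values: a rotation that only bumps a counter fails the
    # "characters different" rule even though it satisfies complexity.
    print(validate_password("Fw!Adm1n-Rotate24", old="Fw!Adm1n-Rotate23"))
    print(validate_password("Fw!Adm1n-Rotate24", old="Gateway#Login2025"))
```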
- Configure SSL VPN user profiles to ensure least-privileged network access.
- Navigate to Network | SSL VPN | Client Settings | Default Device Profile tab.
- Edit the Default Device Profile (unless another profile has been created for applicable users).
- Configure appropriate and least-privileged settings, authorized client routes, and client settings in each tab.

- Enable Multi-Factor Authentication (MFA): One-Time Password (OTP).
- Configure OTP settings under Device | Users | Settings | Authentication tab.
- Enable OTP and set its parameters under USER AUTHENTICATION SETTINGS.

- Enable OTP for user accounts under Device | Users | Local Users & Groups | Settings tab for each user.

- Enable MFA: Smart Cards.
- Configure Smart Card settings under Device | Settings | Administration | Login by Certificate tab.

SSH (If Applicable)
A SonicWall firewall can be managed directly through a Secure Shell (SSH) connection. Steps for minimizing remote access risks for these connections are as follows:
1. Enable SSH management (per interface).
- Navigate to Network | System | Interfaces | General tab for the interface that should allow SSH communications.
- Enable SSH under the MANAGEMENT section.

2. Set the service port if it should differ from the default.
- Navigate to Device | Settings | Administration | Management tab.
- Set the SSH Port under the SSH MANAGEMENT SETTINGS section.

3. Restrict inbound SSH access to particular hosts or networks through a firewall access rule.
- Navigate to Policy | Rules and Policies | Access Rules.
- Select +Add at the bottom of the screen.
- Create a rule that limits SSH access (the graphic below is only an example).

IPSEC VPN (If Applicable)
This feature is typically used for encrypted site-to-site connectivity and resource sharing, not individual remote access. Nevertheless, it’s crucial to restrict access to just the essential networks, ports, protocols, and services to minimize the risk of unauthorized remote access. The best way to do this is as follows:
- Configure strong IPSEC VPN security policies based on specific routes and strong ciphers.
- Navigate to Network | IPSec VPN | Rules and Settings.
- Select +Add near the top of the screen.
- Configure the policy under General, Network, Proposals, and Advanced tabs. NOTE: Tunnel Interfaces offer more ease and flexibility in policy configuration and firewall access rule integration.
- Secure the tunnel interfaces with firewall access rules to limit hosts, networks, ports, and protocols.
- Navigate to Policy | Rules and Policies | Access Rules.
- Create access rules based on VPN zones or interfaces limiting traffic to/from specific hosts, networks, ports, and protocols.

ZTNA with CSE (If Applicable)
SonicWall’s CSE reduces the risk of unauthorized remote access through ZTNA (Zero Trust Network Access), which can be facilitated by a user’s client application or the firewall’s built-in connector. Unlike traditional VPNs, CSE provides least-privilege access based on real-time trust scoring, eliminating the need for device configuration and reducing the risk of over-provisioning. But, as with the other warranted events, CSE itself must be implemented and configured thoughtfully to mitigate the risk of unauthorized remote access effectively. The following offers best practices.
- Enable the firewall CSE connector.
- Navigate to Network | Cloud Secure Edge | Access Settings | Cloud Secure Edge tab.
- Toggle Enable Cloud Secure Edge Connectivity.
- Alternatively, purchase client licensing and install and configure the CSE client as needed. The client itself can be downloaded at https://getcseapp.sonicwall.com/download/
- Specific CSE configurations and use cases can be found here: https://docs.banyansecurity.io/docs/solutions/

Software Vulnerability Exploitation
Many, if not most, security breaches happen because of unapplied security vulnerability patches. An alternative to discretely patching every system, called ‘virtual patching,’ can mitigate the risk of vulnerability exploitation.
Virtual Patching uses behavioral and signature-based Intrusion Prevention Service (IPS) capabilities to stop exploits before they reach vulnerable systems. Restricting accessible ports, protocols, hosts, and services via firewall access rules also aids in protecting unpatched systems. Enable and configure the IPS and relevant signatures and utilize firewall access rules to protect against unpatched vulnerabilities.
Enable the Intrusion Prevention Service (IPS)
Configuration
- Navigate to Policy | Security Services | Intrusion Prevention.
- Under IPS GLOBAL SETTINGS, Enable the option Enable IPS.
- Enable Prevent and Detect all for High and Medium Priority Attacks.
- Enable Detect all for Low Priority attacks.
- Click Accept.

Enable Relevant IPS Signatures
Configuration
- Navigate to Policy | Security Services | Intrusion Prevention.
- Enable signatures relevant to the vulnerabilities being mitigated (WEB-ATTACKS category, in this example).
Enable Firewall Access Rules
Configuration
- Navigate to Policy | Rules and Policies | Access Rules.
- To further mitigate software exploits, create access rules between security zones or interfaces limiting traffic to/from specific hosts, networks, ports, and protocols.
Non-volumetric DDOS Attack
Distributed Denial-of-Service (DDoS) attacks can cripple networks and security devices like firewalls. Not only are networked capabilities potentially diminished during the attacks, but services like those that manage security and access controls can suffer. Results can include unauthorized firewall and resource access (besides unavailable services). There are several types of DDoS attacks, only two of which will be warranted by SonicWall: Protocol and Application.
There are three primary types of DDoS attacks:
- Volumetric. This attack sends massive amounts of data to saturate bandwidth and overwhelm service. Because attack (and defense) success depends on variables outside SonicWall’s control, we won’t guarantee total protection against it.
- Protocol. This attack targets specific protocols. The firewall is warranted against loss due to business disruption, depending on the firewall configuration and whether an existing IPS signature is deployed.
- Application. This attack targets specific applications and service ports to overwhelm and deny access. As with warranting against a Protocol DDoS attack, the firewall is warranted against loss due to business disruption, depending on the firewall configuration and whether an existing IPS signature is deployed.
Enable and configure the following features to minimize the risk of service disruption through DDoS protocol and application attacks: IPS, Control Plane Flood Protection, Data Flood Protection, ICMP Flood Protection, GEO-IP Filtering, and Botnet Filtering. Please remember that flood control is dynamic and should be configured carefully based on the environment and business requirements.
Intrusion Prevention Service (IPS)
Configuration
- Navigate to Policy | Security Services | Intrusion Prevention.
- Under IPS GLOBAL SETTINGS, Enable the option Enable IPS.
- Enable Prevent and Detect all for High and Medium Priority Attacks.
- Enable Detect all for Low Priority attacks.
- Click Accept.

Data Flood Protection
UDP Flood Protection
Configuration
- Navigate to Network | Firewall | Flood Protection | UDP tab.
- Under UDP FLOOD PROTECTION, enable UDP Flood Protection. Note that this must be enabled to activate the other UDP Flood Protection options.
- Set the UDP Flood Attack Threshold: the maximum number of UDP packets per second that may be sent to a host, range, or subnet before UDP Flood Protection is triggered. The minimum value is 50, the maximum is 1000000, and the default value is 1000.
- Configure the UDP Flood Attack Protected Destination List. Select Any to apply the Attack Threshold to the sum of UDP packets passing through the firewall.
- Click Accept.

Note: Due to the nature of their large UDP packets used for voice and video, traffic for some collaboration products, such as Microsoft Teams, Zoom, etc., might be considered a UDP flood and dropped after configuring UDP flood protection. If you experience this, please exclude traffic for those applications by following the steps in the following KB: https://www.sonicwall.com/support/knowledge-base/microsoftteams-randomly-dropping-video-conferencing-applications/200727073315443
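The following Python model is an added example, not SonicOS code: it applies the threshold range and the Any-versus-specific-destination semantics described above to constructed packet timestamps, so you can see which one-second windows would trip the threshold under each Protected Destination List setting. Counting per destination host when a specific network is protected is an assumption for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Threshold limits from the guide: minimum 50, maximum 1000000, default 1000 packets/second.
THRESHOLD_MIN, THRESHOLD_MAX, THRESHOLD_DEFAULT = 50, 1_000_000, 1000


def threshold_in_range(value):
    """True if the value is one SonicOS would accept for the UDP Flood Attack Threshold."""
    return THRESHOLD_MIN <= value <= THRESHOLD_MAX


def udp_flood_seconds(packets, threshold=THRESHOLD_DEFAULT, protected="Any"):
    """Return sorted (second, destination_bucket, count) triples that exceed the threshold.

    packets:   iterable of (timestamp_seconds, protocol, dst_ip) tuples, a constructed
               stand-in for what the firewall sees on the wire.
    protected: "Any" sums every UDP packet crossing the firewall into one bucket;
               otherwise an IP network string, and only destinations inside it are
               counted, one bucket per destination host (assumed for this example).
    """
    if not threshold_in_range(threshold):
        raise ValueError(f"threshold must be between {THRESHOLD_MIN} and {THRESHOLD_MAX}")
    net = None if protected == "Any" else ip_network(protected)
    counts = defaultdict(int)
    for ts, proto, dst in packets:
        if proto != "udp":
            continue  # TCP and ICMP floods are handled on their own tabs
        if net is None:
            bucket = "any"
        elif ip_address(dst) in net:
            bucket = dst
        else:
            continue  # destination is not on the protected list, so never counted
        counts[(int(ts), bucket)] += 1
    return sorted((sec, bucket, n) for (sec, bucket), n in counts.items() if n > threshold)


def constructed_traffic():
    """Constructed sample: 60 UDP pkt/s split across two hosts in second 10, then a
    burst of 120 UDP pkt/s at one host in second 11, plus TCP noise that must be ignored."""
    pkts = []
    for i in range(60):
        pkts.append((10 + i / 60, "udp", "10.1.1.10" if i % 2 else "10.1.1.20"))
    for i in range(120):
        pkts.append((11 + i / 120, "udp", "10.1.1.10"))
    for i in range(200):
        pkts.append((11 + i / 200, "tcp", "10.1.1.10"))
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    # With "Any", the aggregate of 60 pkt/s already exceeds the minimum threshold of 50;
    # with a specific subnet, only the 120 pkt/s burst at one host does.
    print(udp_flood_seconds(traffic, threshold=50))
    print(udp_flood_seconds(traffic, threshold=50, protected="10.1.1.0/24"))
```

Lowering the threshold toward the minimum with Any selected is what makes legitimate bursty UDP traffic such as voice and video look like a flood.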
ICMP Flood Protection
Configuration
- Navigate to Network | Flood Protection | ICMP tab.
- Select Enable ICMP Flood Protection.
- Click Accept.

TCP Flood Protection
Configuration
- Navigate to Network | Flood Protection | TCP tab.
- Click on the Layer 3 SYN Flood Protection – SYN Proxy sub-tab.
- Set SYN Flood Protection Mode to Proxy WAN Client Connections when attack is suspected.
- Click Accept.

CAUTION: Proxy WAN Connections will block external users who trigger the Flood Protection feature from connecting to internal resources. If there is a chance any user can generate a false positive for this feature, it is recommended to leave TCP Flood Protection in Watch and Report mode.
GEO-IP Filter
Configuration
- Navigate to Policy | Security Services | Geo-IP Filter | Settings tab.
- Enable Block connections to/from countries selected in the Countries tab.
- Navigate to the Countries tab and select the countries to block from the table provided under the Countries—Allowed Countries column. Then, drag and drop the country name to the Blocked Countries column. See below for a list of recommended countries to block.
- Click Accept.

GEO-IP Country Recommendations
Consider configuring the GEO-IP Engine to block the following embargoed/untrusted countries:
- Afghanistan
- Algeria
- Azerbaijan
- Bangladesh
- Belarus
- Bosnia and Herzegovina
- Brazil
- Burundi
- Central African Republic
- China
- Comoros
- Congo, The Democratic Republic
- Cuba
- Eritrea
- Guatemala
- Guinea
- Guinea-Bissau
- Haiti
- India
- Iran, Islamic Republic of
- Iraq
- Korea, Democratic People's Repu
- Lebanon
- Mali
- Moldova, Republic of
- Montenegro
- Myanmar
- Nicaragua
- Niger
- Pakistan
- Russian Federation
- Saudi Arabia
- Somalia
- Sudan
- Syrian Arab Republic
- Tajikistan
- Tunisia
- Turkey
- Turkmenistan
- Ukraine
- Venezuela
- Vietnam
- Yemen
- Zimbabwe
Botnet Filter
Configuration
- Navigate to Policy | Security Services | Botnet Filter | Settings tab.
- Enable Block connections to/from Botnet Command and Control Servers.
- Click Accept.

Additional Mitigating Requirements
Access/Admin Port Changes
A good security practice is to change the access ports for Firewall Management (MGMT), SSLVPN, and SSH access as follows. Note: Administrative access must only be enabled on specific interfaces or remote-access methods where it’s actually needed!
Management
- Navigate to Device | Administration | Management tab and change the HTTPS Port numbers in the WEB MANAGEMENT SETTINGS section (Note: Never manage the firewall over HTTP!).

SSLVPN
- Navigate to Network | SSL VPN | Server Settings | SSL VPN SERVER SETTINGS section, and change the SSL VPN Port. Note: Enable Web Management over SSL VPN should only be enabled if absolutely necessary (leave it disabled otherwise).

SSH
- Navigate to Device | Administration | Management tab, and change the SSH Port in the SSH MANAGEMENT SETTINGS section.

Configuration Backups
Performing regular backups of configuration files will help ensure there’s an adequate audit trail to prove the firewall configuration meets Cysurance’s requirements. To facilitate backups of your firewall’s configuration, utilize SonicWall Network Security Manager’s (NSM’s) configuration backup feature. To create a daily, weekly or monthly backup schedule in NSM, see: https://www.sonicwall.com/support/technical-documentation/docs/nsm-administration/Content/topics/Device-Backups/about-backups.htm
Periodic Diagnostic Reporting
Enabling Periodic secure diagnostic reporting for support purposes may aid in proving the state of the firewall configuration during a breach. Enable it here: Device | Diagnostics | Tech Support Report and enable Periodic secure diagnostic reporting for support purposes in the TECH SUPPORT REPORT section.