One-Touch Configuration Override
Description
The One-Touch Configuration Override, this feature can be thought of as a quick tune-up for SonicWall network security appliance’s security settings.
With a single click, One-Touch Configuration Override applies over sixty configuration settings to implement SonicWall’s recommended best practices. This is applicable for both DPI and Stateful Firewall Security and Stateful Firewall security.
Resolution
There is a set of One-Touch Configuration Override option available on the SonicWall.It can be thought of us as a quick tune-up for your SonicWall appliance's security settings. With a single click, One-Touch Configuration Override applies over sixty configuration settings over sixteen pages of the SonicWall GUI to implement SonicWall's recommended best practices. These settings ensure that your appliance is taking advantage of SonicWall's security features.
There are two sets of One-Touch Configuration Override settings:
- DPI and Stateful Firewall Security For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules.
- Stateful Firewall Security For network environments that do not have DPI security services enabled, but still want to employ SonicWall's Stateful firewall security best practices.
To see details of the settings that will be impacted, click on the Preview applicable changes link next to each button. A page displays with a list of each setting and the value to which it will be set.
Navigate to Manage|Firmware & Backups| Settings
CAUTION: A system restart is required for the updates to take full effect. The Administrator should review the settings before applying it on appliance.
RESOLUTION FOR SONICOS 5.9.X
Navigate to the System | Settings page
Click on either DPI and Stateful Firewall Security or Stateful Firewall Security.
CAUTION: A system restart is required for the updates to take full effect. The Administrator should review the settings before applying it on appliance.
Listed here are the configuration changes made to the system after clicking on either of the above:
| One-Touch Configuration Overrides - configurations made to the system. | DPI and Stateful Firewall Security | Stateful Firewall Security |
| System>Administration | ||
| 1. Password must be changed every 90 days | YES | YES |
| 2. Bar repeated password changes for 4 changes | YES | YES |
| 3. Enforce password complexity: Require alphabetic, numeric and symbolic characters | YES | YES |
| 4. Apply the above password constraints for: all user categories | YES | YES |
| 5. Enable administrator/user lockout | YES | YES |
| 6. Failed Login attempts per minute before lockout: 7 | YES | YES |
| 7. Enable inter-administrator messaging | YES | YES |
| 8. Inter-administrator Messaging polling interval (seconds): 10 | YES | YES |
| Network>Interfaces | ||
| 9. Any interface allowing HTTP management is replaced with HTTPS Management | YES | YES |
| 10. Any setting to 'Add rule to enable redirect from HTTP to HTTPS' is disabled | YES | YES |
| 11. Ping Management is disabled on all interfaces | YES | YES |
| Network>Zones | ||
| 12. Intrusion Prevention is enabled on all applicable default Zones | YES | Disabled |
| 13. Gateway Anti-Virus protection is enabled on all applicable default Zones | YES | Disabled |
| 14. Anti-Spyware protection is enabled on all applicable default Zones | YES | Disabled |
| 15. App Rules is enabled on all applicable default Zones | YES | Disabled |
| 16. SSL Control is enabled on all default Zones | YES | NO |
| Network>DNS | ||
| 17. Enable DNS Rebinding protection | YES | YES |
| 18. DNS Rebinding Action: Log Attack & Drop DNS Reply | YES | YES |
| Firewall>Access Rules | ||
| 19. Any Firewall policy with an Action of Deny, the Action is changed Discard | YES | YES |
| 20. Source IP Address connection limiting with a threshold of 128 connections is enabled for all firewall policies | YES | YES |
| Firewall>App Rules | ||
| 21. If licensed, the Enable App Rules setting is turned on | YES | Disabled |
| Firewall Settings>Advanced | ||
| 22. Turn on Enable Stealth Mode | YES | YES |
| 23. Turn on Randomize IP ID | YES | YES |
| 24. Turn off Decrement IP TTL for forwarded traffic | YES | YES |
| 25. Connections are set to: | DPI services enabled with additional performance optimizations | Max SPI (DPI services disabled)* |
| 26. Turn on Enable IP header checksum enforcement | YES | YES |
| 27. Turn on Enable UDP checksum enforcement | YES | YES |
| Firewall Settings>Flood Protection | ||
| 28. Turn on Enforce strict TCP compliance with RFC 793 and RFC 1122 | YES | YES |
| 29. Turn on Enable TCP handshake enforcement | YES | YES |
| 30. Turn on Enable TCP checksum enforcement | YES | YES |
| 31. Turn on Enable TCP handshake timeout | YES | YES |
| 32. SYN Flood Protection Mode: Always proxy WAN client connections | YES | YES |
| Firewall Settings>SSL Control | ||
| 33. Turn on Enable SSL Control | YES | YES |
| 34. Set Action to: Block connection and log the event | YES | YES |
| 35. For Configuration, enable all categories | YES | YES |
| VPN>Advanced | ||
| 36. Turn on Enable IKE Dead Peer Detection | YES | YES |
| 37. Turn on Enable Dead Peer Detection for Idle VPN sessions | YES | YES |
| 38. Turn on Enable Fragmented Packet Handling | YES | YES |
| 39. Turn on Ignore DF (Don't Fragment) Bit | YES | YES |
| 40. Turn on Enable NAT Traversal | YES | YES |
| 41. Turn on Clean up Active tunnels when Peer Gateway DNS name resolves to a different address | YES | YES |
| 42. Turn on Preserve IKE port for Pass Through Connections | YES | YES |
| Security Services>Gateway Anti-Virus | ||
| 43. If licensed, Enable Gateway Antivirus | YES | Disabled |
| 44. Configure Gateway AV Settings: Turn on Disable SMTP Responses | YES | N/A |
| 45. Configure Gateway AV Settings: Turn off Disable detection of EICAR test virus | YES | N/A |
| 46. Configure Gateway AV Settings: Turn on Enable HTTP Byte-Range requests with Gateway AV | YES | N/A |
| 47. Configure Gateway AV Settings: Turn on Enable FTP REST request with Gateway AV | YES | N/A |
| 48. Configure Gateway AV Settings: Turn off Enable HTTP Clientless Notification Alerts | YES | N/A |
| Security Services>Intrusion Prevention | ||
| 49. If licensed, Enable IPS | YES | Disabled |
| 50. Turn on Prevent All and Detect All for High Priority Attacks | YES | N/A |
| 51. Turn on Prevent All and Detect All for Medium Priority Attacks | YES | N/A |
| 52. Turn on Prevent All and Detect All for Low Priority Attacks | YES | N/A |
| Security Services>Anti-Spyware | ||
| 53. If licensed, Enable Anti-Spyware | YES | Disabled |
| 54. Turn on Prevent All and Detect All for High Priority Attacks | YES | N/A |
| 55. Turn on Prevent All and Detect All for Medium Priority Attacks | YES | N/A |
| 56. Turn on Prevent All and Detect All for Low Priority Attacks | YES | N/A |
| 57. Configure Anti-Spyware Settings: Turn on Disable SMTP Responses | YES | N/A |
| 58. Configure Anti-Spyware Settings: Turn off Enable HTTP Clientless Notification Alerts | YES | N/A |
| AppFlow>Flow Reporting | ||
| 59. Turn on Send AppFlow To Local Collector | YES | YES |
| 60. Turn on Enable Real-Time Data Collection | YES | YES |
| Log>Log Monitor | ||
| 61. Set Logging Level: Debug | YES | YES |
| Log>Name Resolution | ||
| 62. Set Name Resolution Method to: DNS then NetBIOS | YES | YES |
| Internal Settings | ||
| 63. Turn on Protect against TCP State Manipulation DoS | YES | YES |
| 64. Turn on Apply IPS Signatures Bidirectionally | YES | N/A |
| 65. Allow launching of AppFlow Monitor in a stand-alone browser frame | YES | YES |
| 66. Enable Visualization UI for Non-Admin/Config users | YES | YES |
* When Stateful Firewall Security is selected, DPI services like App Rules, App Control Advanced, IPS, GAV, Anti-spyware are disabled.
NOTE: Be aware that the One-Touch Configuration Override may change the behavior of your SonicWall security appliance. Review the list of configurations before applying One-Touch Configuration Override.
In particular, the following configurations may affect the experience of the administrator:
- Administrator password requirements on the System | Administration page.
- Requiring HTTPS management.
- Disabling HTTP to HTTPS redirect.
- Disabling Ping management.