How can I configure a PortShield interface (LAN, DMZ, etc.) to work in transparent mode?

07/28/2022 388 People found this article helpful 220,093 Views

    Description

    Transparent Mode works by defining a Transparent Range of addresses that retain their original source IP address (they are not NAT'd) when their traffic egresses from the WAN interface. A PortShield interface is a virtual interface with a set of ports assigned to it. The interfaces in a PortShield group share the same network subnet.

    A PortShield interface can work in two modes (Static and Transparent). This article covers how to configure a PortShield interface in transparent mode.

    Resolution

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

    We are going to configure PortShield for Transparent mode.

    Image

    1. Assume the X1 interface is configured as WAN with IP 1.1.1.2/24.
    2. We need to configure the X2 and X3 interfaces in a PortShield group with a transparent IP range (1.1.1.3 to 1.1.1.5).
    3. We need to connect an SMTP server with IP 1.1.1.3/24 to interface X2, and two servers (an FTP server with IP 1.1.1.4/24 and a Web server with IP 1.1.1.5/24) to interface X3.

    To configure the PortShield interface in transparent mode, complete the following steps.

    Create Address Object for DMZ Range:

    1. Log in to your SonicWall management page and click the Object tab at the top of the page.
    2. Navigate to the Match Object | Address page. On the right side, click the Address Objects tab and select View as Custom.
    3. Click the Add button under Address Objects to open the Add Address Object window.
    4. Create an address object as below.
       Image

    NOTE: The address range must be within the WAN zone and must not include the WAN interface and WAN gateway IP address.

    Configure Transparent Mode:

    NOTE: The WAN interface IP address must be statically assigned when configuring transparent mode.

    1. Log in to your SonicWall management page and click the Network tab at the top of the page.
    2. Navigate to the System | Interfaces page and configure the X2 interface as below.

      • Zone: DMZ
      • Mode / IP Assignment: Transparent IP Mode (Splice L3 Subnet)
      • Transparent Range: DMZ IP (created in Step 1)
      • Comment: DMZ (any useful information for the interface)
    3. Click OK.
       Image


    Configure PortShield Mode:

    1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
    2. Navigate to the Network | Interfaces page and configure the X3 interface as below.

      • Zone: DMZ
      • Mode / IP Assignment: PortShield Switch Mode
      • PortShield to: X2
    3. Click OK.
       Image

    NOTE: PortShield can also be configured through the Network | PortShield Groups page.

    Configuring the servers connected to the PortShield interfaces X2 and X3:

    1. The servers connected to interfaces X2 and X3 should be configured with IP addresses within the Transparent Range. The default gateway can be either the upstream ISP router address or the SonicWall WAN interface IP. Once the servers are configured appropriately, they will be able to go online with the IP address assigned to them without being NAT'ed.
       Image
    2. At this point, if you need to reach the servers at the IP addresses assigned to them from the WAN side of the SonicWall, configure the access rule described below.

    Access Rule from WAN to DMZ

    1. Log in to your SonicWall management page and click the Policy tab at the top of the page.
    2. Navigate to Rules and Policies | Access Rules.
    3. Modify the default access rule from the WAN to the DMZ zone as below to allow all traffic.
       Image

    Check the configuration from the WAN side.

    • Ping Server 3.3.3.3 connected to X9.

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

    We are going to configure PortShield for Transparent mode.

    Image

    • Assume the X1 interface is configured as WAN with IP 1.1.1.2/24.
    • We need to configure the X2 and X3 interfaces in a PortShield group with a transparent IP range (1.1.1.3 to 1.1.1.5).
    • We need to connect an SMTP server with IP 1.1.1.3/24 to interface X2, and two servers (an FTP server with IP 1.1.1.4/24 and a Web server with IP 1.1.1.5/24) to interface X3.

    To configure the PortShield interface in transparent mode, complete the following steps.


    Create Address Object for DMZ Range:

    1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
    2. Navigate to the Objects | Address Objects page. On the right side, click the Address Objects tab and select View as Custom.
    3. Click the Add button under Address Objects to open the Add Address Object window.
    4. Create an address object as below.
       Image

    NOTE: The address range must be within the WAN zone and must not include the WAN interface and WAN gateway IP address.

    Configure Transparent Mode:

    1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
    2. Navigate to the Network | Interfaces page and configure the X2 interface as below.

      • Zone: DMZ
      • Mode / IP Assignment: Transparent IP Mode (Splice L3 Subnet)
      • Transparent Range: DMZ IP (created in Step 1)
      • Comment: DMZ (any useful information for the interface)
    3. Click OK.
       Image

    NOTE: The WAN interface IP address must be statically assigned when configuring transparent mode.

    Image

    Configure PortShield Mode:

    1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
    2. Navigate to the Network | Interfaces page and configure the X2 interface as below.

      • Zone: DMZ
      • Mode / IP Assignment: PortShield Switch Mode
      • PortShield to: X2
    3. Click OK.
       Image

    NOTE: PortShield can also be configured through the Network | PortShield Groups page.
    Image

    Configuring the servers connected to the PortShield interfaces X2 and X3:

    1. The servers connected to interfaces X2 and X3 should be configured with IP addresses within the Transparent Range. The default gateway can be either the upstream ISP router address or the SonicWall WAN interface IP. Once the servers are configured appropriately, they will be able to go online with the IP address assigned to them without being NAT'ed.
       Image
    2. At this point, if you need to reach the servers at the IP addresses assigned to them from the WAN side of the SonicWall, configure the access rule described below.

    Access Rule from WAN to DMZ

    1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
    2. Navigate to Rules | Access Rules.
    3. Modify the default access rule from the WAN to the DMZ zone as below to allow all traffic.
       Image

    Check the configuration from the WAN side.

    • Ping Server 3.3.3.3 connected to X10.

    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

    We are going to configure PortShield for Transparent mode.

    • Assume the X1 interface is configured as WAN with IP 3.3.3.1/24.
    • We need to configure the X9 and X10 interfaces in a PortShield group with a transparent IP range (3.3.3.2 to 3.3.3.4).
    • We need to connect an SMTP server with IP 3.3.3.2/24 to interface X9, and two servers (an FTP server with IP 3.3.3.3/24 and a Web server with IP 3.3.3.4/24) to interface X10.

    To configure the PortShield interface in transparent mode, complete the following steps.


    1. Navigate to Network | Address Objects to create an address object (IP Range: 3.3.3.2 to 3.3.3.4) for the transparent mode configuration.
       Image

       NOTE: The address range must be within the WAN zone and must not include the WAN interface and WAN gateway IP address.

    2. Navigate to the Network | Interfaces page, click the Edit button of interface X9 and apply the following configuration.

      • Zone: DMZ
      • Mode / IP Assignment: Transparent IP Mode (Splice L3 Subnet)
      • Transparent Range: DMZ IP (created in Step 1)
      • Comment: DMZ (any useful information for the interface)
        Image

        NOTE: The WAN interface IP address must be statically assigned when configuring transparent mode.

    3. Navigate to the Network | Interfaces page, click the Edit button of interface X10 and apply the following configuration.

      • Zone: DMZ
      • Mode / IP Assignment: PortShield Switch Mode
      • PortShield to: X9 (interfaces in the same Zone will be displayed for selection)
        Image

      NOTE: PortShield can also be configured through the Network | PortShield Groups page.

    4. Navigate to the Network | Interfaces or Network | PortShield Group page to check the configuration.

      TIP: If you cannot see the PortShield interface, click the Show PortShield Interfaces button at the top left of the Network | Interfaces page.

    5. Configure the servers connected to the PortShield interfaces X9 and X10. The servers connected to interfaces X9 and X10 should be configured with IP addresses within the Transparent Range. The default gateway can be either the upstream ISP router address or the SonicWall WAN interface IP. Once the servers are configured appropriately, they will be able to go online with the IP address assigned to them without being NAT'ed.

      At this point, if you need to reach the servers at the IP addresses assigned to them from the WAN side of the SonicWall, navigate to the Firewall | Access Rules page.

      • Select the Matrix radio button.
      • Select from WAN to DMZ.
      • Click the Add button.
        Image
      • Click OK.
    6. Check the configuration from the WAN side. Ping Server 3.3.3.3 connected to X10.
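
The NOTE repeated in each resolution requires the Transparent Range to sit inside the WAN subnet and to exclude the WAN interface and WAN gateway addresses. The pre-flight check below is an added example, not SonicWall code: the function name is hypothetical, the gateway address 1.1.1.1 is an assumption (the article does not state one), and the network/broadcast check goes beyond what the NOTE lists.

```python
import ipaddress


def check_transparent_range(wan_interface, wan_gateway, first, last, servers=()):
    """Return a list of problems with a proposed Transparent Range (empty = OK)."""
    iface = ipaddress.ip_interface(wan_interface)
    net = iface.network
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        return [f"range start {lo} is above range end {hi}"]

    problems = []
    # The range must lie inside the WAN subnet.
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside WAN subnet {net}")

    # Addresses the range must not cover. The first two come from the article's
    # NOTE; network and broadcast addresses are an extra check added here.
    reserved = {
        "WAN interface IP": iface.ip,
        "WAN gateway IP": ipaddress.ip_address(wan_gateway),
        "subnet network address": net.network_address,
        "subnet broadcast address": net.broadcast_address,
    }
    for label, addr in reserved.items():
        if lo <= addr <= hi:
            problems.append(f"range includes the {label} {addr}")

    # Every server on the PortShield ports needs an IP inside the range.
    for name, ip in servers:
        addr = ipaddress.ip_address(ip)
        if not lo <= addr <= hi:
            problems.append(f"server {name} ({addr}) is outside the transparent range")
    return problems


if __name__ == "__main__":
    # Values from the SonicOS 7.X / 6.5 walkthrough; the gateway is an assumption.
    servers = [("SMTP", "1.1.1.3"), ("FTP", "1.1.1.4"), ("Web", "1.1.1.5")]
    print(check_transparent_range("1.1.1.2/24", "1.1.1.1", "1.1.1.3", "1.1.1.5", servers))
    # Constructed mistake: the range starts at the gateway and spans the WAN IP.
    for p in check_transparent_range("1.1.1.2/24", "1.1.1.1", "1.1.1.1", "1.1.1.5", servers):
        print("problem:", p)
```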
