
Initial and Advanced Firewall Setup for high security environments

09/15/2021 3 People found this article helpful 89,206 Views


    Description

    This article covers how to set up the initial and advanced firewall configuration for environments that require top security compliance, such as military and closed environments.

    Resolution

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that differ from the SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.


    Interfaces Configuration:

    After collecting all necessary infrastructure-related information, such as the relevant service IP networks, addresses, and so on, you can begin the basic configuration. To complete the basic configuration, follow these steps:

    1. Log in to the default LAN interface X0, using the default IP 192.168.168.168.
    2. Go to Network | System | Interfaces.

    3. Under the Interface Settings section, click the Configure icon and assign relevant IP addresses to the interfaces in the trusted and untrusted zones.

    4. Based on the information previously collected, assign IP addresses to the interfaces in the correct subnets; the default network can also be used.
    5. Enable HTTPS management and user management on the interfaces.
    6. Enable the desired protocols on the LAN and WAN interfaces.
    7. Configure the management interface with the appropriate IP addresses, net masks, and gateways. This interface is used only for management traffic to the firewall.
    8. Disable the DHCP server: uncheck ‘Enable DHCP Server’ under Network | System | DHCP Server > DHCPv4 Server Settings.

    9. Set the firewall host and domain names: navigate to Device | Settings | Administration, under Firewall Administration.
      i.  Enter the firewall name in the ‘Firewall Name’ box.
      ii. Enter the firewall domain name (e.g. mydomain.net) in the ‘Firewall's Domain Name’ box and click Accept.

    Administrator Settings:

    1. Set Administrator Account Properties:
      a. Under Firewall Administration | Administrator Name & Password: verify the Administrator Name and set the password.
      b. Under Device | Settings | Administration, Login/Multiple Administrators:
        i. Check ‘Password Must be Changed Every (days)’
        ii. Check ‘Bar repeated passwords for this many changes’ and set it to ‘10’
        iii. Select ‘New password must contain 8 characters different from the old password’
        iv. Set ‘Enforce a minimum password length of:’ to ‘16’
        v. Set ‘Enforce password complexity’ to ‘Require alphabetic, numeric, and symbolic characters’ (from the drop-down box choices)
        vi. Set ‘Complexity Requirement’ to ‘2’ in each box
        vii. Check all ‘Apply the above password constraints for:’ boxes
        viii. Set the ‘Log out the administrator after inactivity of (minutes)’ timer to ‘10’
        ix. Check the ‘Enable the administrator/user lockout’ checkbox, then:
          1. Set ‘Failed login attempts per minute before lockout’ to ‘3’
          2. Set ‘Lockout Period (minutes)’ to ‘30’
        x. Set ‘Max login attempts through CLI’ to ‘3’, then:
          1. Click ‘Accept’ (may require a reboot).

      xi. Under ‘Multiple Administrators’ – Select ‘Enable Multiple Administrative Roles’

      xii. Under Audit/SonicOS API, ‘Enhanced Audit Logging Support’, select ‘Enable Enhanced Audit Logging’ and click Accept.

    User Configuration:

    Force a new login session after a password change and display user login information since the last login:
    Navigate to Device | Users | Settings, select ‘Force Relogin After Password Change’, select ‘Display User Login Info Since Last Login’ and click ‘Accept’.

    Advanced Configuration:

    For Advanced configurations in the firewall, complete the following additional steps:

    1. If a closed system is necessary, go to the Backend Server Communication section and disable the Prevent communication with Backend servers option after the licensing protocol synchronizes. See the SonicOS Administration Guide for more information on manually updating these signatures.
    2. On the Diag page, under Internal Settings:
      1. Go to the Security Services Settings section and click Apply IPS Signatures Bidirectionally.
      2. Go to the ICMP Settings section and disable both ICMP packet settings.
      3. Under the VPN Settings section, enable the Trust Built-in CA certificates for IKE authentication and Local certificate import option.
      4. Click Close.
    3. Navigate to Device > Diagnostics, deselect “Periodic Secure Diagnostic Reporting for Support Purposes” and “Automatic Secure Crash Analysis Reporting”, then click “Accept”.
    4. Restart the firewall.
    5. Disable Advanced Networking:
      a. Go to Network | System | Dynamic Routing and disable Advanced Routing.

    6. Change the IKEv2 Dynamic Client Proposal in the IPSec VPN Advanced Settings to require at least DH Group 14, AES-256 encryption, and SHA-256 authentication:
      a. In IPSec VPN / Advanced, navigate to ‘IKEv2 Settings’ and click the ‘IKEv2 Dynamic Client Proposal’ button
      b. Change ‘DH Group’ to ‘14’ as appropriate
      c. Change ‘Encryption’ to ‘AES-256’
      d. Change ‘Authentication’ to ‘SHA-256’
      e. Click ‘Accept’ and then ‘Accept’ again

    Setting configuration:

    1. Turn off SSH and SNMP management (not allowed in FIPS mode):
      a. Navigate to Network | System | Interfaces and select the configuration icon for X0 (this assumes it’s the only interface on which SSH or SNMP management might be enabled; turn it off on any other interfaces configured for SSH and/or SNMP management).
      b. Deselect SSH or SNMP as appropriate.
      c. Click 'Ok'.

    2. Set session quota for each management IP (NOTE: This applies to both IPv4 and IPv6):
      a. In the browser, open the diag page by changing https://<IP address>/sonicui/7/m/Mgmt/settings to https://<IP address>/sonicui/7/m/Mgmt/settings/diag.
      b. Check the box labeled ‘Set Connection Limitation of Management Policies’, then accept and exit the internal settings.

      i. NOTE: This will require an automatic reboot.

    3. Enable "Drop and log network packets whose source or destination address is reserved by RFC":
      a. In Network | Firewall | Advanced > IPv6 Settings, navigate to the ‘IPv6 Advanced Configuration’ section.
      b. Check the option ‘Drop and log network packets whose source or destination address is reserved by RFC’ and accept it.

    172220 Log alert when the log buffer is 75% full
    Log -> Settings -> Log category -> General -> Logs at 75% of maximum: set the priority to Alert

    172218 Minimum number of characters changed for password should be eight (8)
    Device > Settings > Administration > Login/Multiple Administrators:


    172221 Login history during a user defined time period
    In the Diag settings, a new checkbox sets the time interval for the login history. Note: the login history is displayed under System -> Status. The display text still reads “since system restart”, but the period counted is actually the organizationally defined time period configured in the setting below.

    Sample output:
    • Last successful login timestamp 04/11/2016 17:30:32.000.
    • Number of all user successful login attempts since system reset is 1.

    Note: Login history for CAC user with LDAP

    Login history for a CAC user with credentials imported from LDAP is recorded only when the user accounts are imported from LDAP locally onto the firewall. For the firewall to track the history of an account, the account information must be available locally on the firewall.
    If using CAC with LDAP, import the LDAP user accounts locally by clicking “Import Users” and then “Save”.

    172219 Minimum password lifetime
    Device > Settings > Administration > Login/Multiple Administrators:

    172223 Password complexity requirements should be applicable to OTP
    Device > Users > Settings: checkbox to apply password constraints to OTP

    171473 Indefinite lockout of a user for wrong password (Device > Settings > Administration > Login/Multiple Administrators)
    172217 Enforce a limit on the number of invalid consecutive logons within a time period

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that differ from the SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.


    Interfaces Configuration:

    After collecting all necessary infrastructure-related information, such as the relevant service IP networks, addresses, and so on, you can begin the basic configuration. To complete the basic configuration, follow these steps:

    1. Log in to the default LAN interface X0, using the default IP 192.168.168.168.
    2. Go to Manage | Network | Interfaces.

    3. Under the Interface Settings section, click the Configure icon and assign relevant IP addresses to the interfaces in the trusted and untrusted zones.

    4. Based on the information previously collected, assign IP addresses to the interfaces in the correct subnets; the default network can also be used.
    5. Enable HTTPS management and user management on the interfaces.
    6. Enable the desired protocols on the LAN and WAN interfaces.
    7. Configure the management interface with the appropriate IP addresses, net masks, and gateways. This interface is used only for management traffic to the firewall.
    8. Disable the DHCP server: uncheck ‘Enable DHCP Server’ under Manage | Network | DHCP Server > DHCPv4 Server Leases Scopes.

    9. Set the firewall host and domain names: navigate to Manage | Appliance | Base Settings, under Firewall Administration.
      i.  Enter the firewall name in the ‘Firewall Name’ box.
      ii. Enter the firewall domain name (e.g. mydomain.net) in the ‘Firewall's Domain Name’ box and click Accept.

    Administrator Settings:

    1. Set Administrator Account Properties:
      a. Under Administrator Name & Password: verify the Administrator Name and set the password.
      b. Under Administration / Login Security (Login/Multiple Administrators):
        i. Check ‘Password Must be Changed Every (days)’
        ii. Check ‘Bar repeated passwords for this many changes’ and set it to ‘10’
        iii. Select ‘New password must contain 8 characters different from the old password’
        iv. Set ‘Enforce a minimum password length of:’ to ‘16’
        v. Set ‘Enforce password complexity’ to ‘Require alphabetic, numeric, and symbolic characters’ (from the drop-down box choices)
        vi. Set ‘Complexity Requirement’ to ‘2’ in each box
        vii. Check all ‘Apply the above password constraints for:’ boxes
        viii. Set the ‘Log out the administrator after inactivity of (minutes)’ timer to ‘10’
        ix. Check the ‘Enable the administrator/user lockout’ checkbox, then:
          1. Set ‘Failed login attempts per minute before lockout’ to ‘3’
          2. Set ‘Lockout Period (minutes)’ to ‘30’
        x. Set ‘Max login attempts through CLI’ to ‘3’, then:
          1. Click ‘Accept’ (may require a reboot).

      xi. Under ‘Multiple Administrators’ – Select ‘Enable Multiple Administrative Roles’.

      xii. Under ‘Enhanced Audit Logging Support’, select ‘Enable Enhanced Audit Logging’ and click Accept.

    User Configuration:

    Force a new login session after a password change and display user login information since the last login:
    Navigate to Manage | Users | Settings, select ‘Force Relogin After Password Change’, select ‘Display User Login Info Since Last Login’ and click ‘Accept’.

    Advanced Configuration:

    For Advanced configurations in the firewall, complete the following additional steps:

    1. If a closed system is necessary, go to the Backend Server Communication section and disable the Prevent communication with Backend servers option after the licensing protocol synchronizes. See the SonicOS Administration Guide for more information on manually updating these signatures.
    2. On the Diag page, under Internal Settings:
      1. Go to the Security Services Settings section and click Apply IPS Signatures Bidirectionally.
      2. Go to the ICMP Settings section and disable both ICMP packet settings.
      3. Under the VPN Settings section, enable the Trust Built-in CA certificates for IKE authentication and Local certificate import option.
      4. Click Accept and exit the internal settings.
    3. Navigate to Device > Diagnostics, deselect “Periodic Secure Diagnostic Reporting for Support Purposes” and “Automatic Secure Crash Analysis Reporting”, then click “Accept”.
    4. Restart the firewall.
    5. Disable Advanced Networking:
      a. In Network / Routing, change ‘Advanced Routing’ to ‘Simple RIP Advertisement’.

    6. Change the IKEv2 Dynamic Client Proposal in the IPSec VPN Advanced Settings to require at least DH Group 14, AES-256 encryption, and SHA-256 authentication:
      a. In IPSec VPN / Advanced, navigate to ‘IKEv2 Settings’ and click the ‘IKEv2 Dynamic Client Proposal’ button
      b. Change ‘DH Group’ to ‘14’ as appropriate
      c. Change ‘Encryption’ to ‘AES-256’
      d. Change ‘Authentication’ to ‘SHA-256’
      e. Click ‘Ok’ and then ‘Accept’ again.
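
    The administrator password and lockout policy, the enhanced audit logging and DHCP settings, the SSH/SNMP management state and the IKEv2 Dynamic Client Proposal floors above are the same for the SonicOS 7.X and SonicOS 6.5 procedures, and on more than a handful of firewalls they are easier to verify from an export than by clicking through each device. The script below is an added example, not SonicWall's code and not the SonicOS API: it audits a flat, hypothetical representation of an exported configuration (all key names are constructed; map the fields of your real export onto them) against the exact values this article specifies, reporting one finding per setting that misses the baseline.

```python
"""Audit a SonicOS hardening baseline against the values given in this article.

Added example, not SonicWall's code. The settings dictionaries below are a
CONSTRUCTED, hypothetical flat representation of a configuration export; the
key names are not the SonicOS API schema. Map your real export onto these keys.
"""
from typing import Any, Callable


def at_least(v: Any, e: Any) -> bool:
    return isinstance(v, int) and v >= e


def at_most(v: Any, e: Any) -> bool:
    return isinstance(v, int) and v <= e


def equals(v: Any, e: Any) -> bool:
    return v == e


# (key, expected, comparator, requirement). The comparator encodes which
# direction is safe: a longer password is fine, a longer idle timeout is not.
RULES: list[tuple[str, Any, Callable[[Any, Any], bool], str]] = [
    ("password_change_days_enabled", True, equals, "Password Must be Changed Every (days) enabled"),
    ("bar_repeated_passwords", 10, at_least, "Bar repeated passwords for >= 10 changes"),
    ("min_chars_changed", 8, at_least, "New password must differ in >= 8 characters"),
    ("min_password_length", 16, at_least, "Minimum password length >= 16"),
    ("complexity", "alpha_numeric_symbolic", equals, "Require alphabetic, numeric and symbolic characters"),
    ("inactivity_logout_minutes", 10, at_most, "Inactivity logout <= 10 minutes"),
    ("lockout_enabled", True, equals, "Administrator/user lockout enabled"),
    ("failed_attempts_per_minute", 3, at_most, "Failed login attempts per minute before lockout <= 3"),
    ("lockout_period_minutes", 30, at_least, "Lockout period >= 30 minutes"),
    ("cli_max_login_attempts", 3, at_most, "Max login attempts through CLI <= 3"),
    ("enhanced_audit_logging", True, equals, "Enhanced Audit Logging enabled"),
    ("dhcp_server_enabled", False, equals, "DHCP server disabled"),
]

# IKEv2 Dynamic Client Proposal floors from the article. Higher list index = stronger.
ENCRYPTION_RANK = ["DES", "3DES", "AES-128", "AES-192", "AES-256"]
AUTH_RANK = ["MD5", "SHA1", "SHA-256", "SHA-384", "SHA-512"]
MIN_DH_GROUP = 14  # 2048-bit MODP; the ECP groups 19-21 also satisfy ">= 14"


def audit_login_security(settings: dict[str, Any]) -> list[str]:
    """Return one finding per baseline rule the settings miss (empty list = compliant)."""
    findings = []
    for key, expected, ok, requirement in RULES:
        if key not in settings:
            findings.append(f"{key}: missing from export ({requirement})")
        elif not ok(settings[key], expected):
            findings.append(f"{key}={settings[key]!r}: {requirement}")
    return findings


def audit_ikev2_proposal(proposal: dict[str, Any]) -> list[str]:
    """Check DH group, encryption and authentication against the article's minimums."""
    findings = []
    dh = proposal.get("dh_group", 0)
    if not isinstance(dh, int) or dh < MIN_DH_GROUP:
        findings.append(f"DH group {dh!r} < {MIN_DH_GROUP}")
    enc = proposal.get("encryption")
    if enc not in ENCRYPTION_RANK or ENCRYPTION_RANK.index(enc) < ENCRYPTION_RANK.index("AES-256"):
        findings.append(f"encryption {enc!r} weaker than AES-256")
    auth = proposal.get("authentication")
    if auth not in AUTH_RANK or AUTH_RANK.index(auth) < AUTH_RANK.index("SHA-256"):
        findings.append(f"authentication {auth!r} weaker than SHA-256")
    return findings


def audit_management_access(interfaces: list[dict[str, Any]]) -> list[str]:
    """SSH and SNMP management must be off on every interface, not only X0."""
    return [
        f"{iface['name']}: {proto.upper()} management enabled"
        for iface in interfaces
        for proto in ("ssh", "snmp")
        if iface.get(proto, False)
    ]


def audit_config(cfg: dict[str, Any]) -> list[str]:
    """Run every check over one exported configuration."""
    return (audit_login_security(cfg["login"])
            + audit_ikev2_proposal(cfg["ikev2"])
            + audit_management_access(cfg["interfaces"]))


# Constructed sample exports: one set exactly per the article, one left loose.
HARDENED = {
    "login": {"password_change_days_enabled": True, "bar_repeated_passwords": 10,
              "min_chars_changed": 8, "min_password_length": 16,
              "complexity": "alpha_numeric_symbolic", "inactivity_logout_minutes": 10,
              "lockout_enabled": True, "failed_attempts_per_minute": 3,
              "lockout_period_minutes": 30, "cli_max_login_attempts": 3,
              "enhanced_audit_logging": True, "dhcp_server_enabled": False},
    "ikev2": {"dh_group": 14, "encryption": "AES-256", "authentication": "SHA-256"},
    "interfaces": [{"name": "X0", "https": True, "ssh": False, "snmp": False},
                   {"name": "X1", "https": False, "ssh": False, "snmp": False}],
}
LOOSE = {
    "login": {**HARDENED["login"], "min_password_length": 8, "inactivity_logout_minutes": 30,
              "lockout_enabled": False, "enhanced_audit_logging": False},
    "ikev2": {"dh_group": 2, "encryption": "3DES", "authentication": "SHA1"},
    "interfaces": [{"name": "X0", "https": True, "ssh": True, "snmp": False}],
}

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("loose", LOOSE)):
        findings = audit_config(cfg)
        print(f"{label}: {'compliant' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

    The comparators matter more than the constants: a minimum password length of 20 or a lockout period of 60 minutes should pass, while an inactivity timeout of 30 minutes or 5 failed attempts per minute should not, so each rule records which direction is acceptable rather than testing for equality. The interface check deliberately walks every interface, since the article's step only mentions X0 as the usual case.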

    Setting configuration:

    1. Turn off SSH and SNMP management (not allowed in FIPS mode):
      a. Navigate to Network | System | Interfaces and select the configuration icon for X0 (this assumes it’s the only interface on which SSH or SNMP management might be enabled; turn it off on any other interfaces configured for SSH and/or SNMP management).
      b. Deselect SSH or SNMP as appropriate.
      c. Click 'Ok'.

    2. Set session quota for each management IP (NOTE: This applies to both IPv4 and IPv6):
      a. Using the browser, navigate to the diag.html page (<IP address of host>/diag.html)
      b. Check the box labeled ‘Set Connection Limitation of Management Policies’

      i. NOTE: This will require an automatic reboot.

    3. Enable "Drop and log network packets whose source or destination address is reserved by RFC":
      a. In Firewall Settings > Advanced Settings, navigate to the ‘IPv6 Advanced Configuration’ section.
      b. Check the option ‘Drop and log network packets whose source or destination address is reserved by RFC’ and accept it.
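
    To make concrete what step 3 enforces (in both the SonicOS 7.X and SonicOS 6.5 procedures), the script below classifies packets by whether their source or destination falls in an RFC-reserved block and emits the kind of drop log line a defender would expect to see. This is an added example, not SonicOS code. The page does not list which blocks SonicOS treats as "reserved by RFC", so the block list and RFC citations here are an assumption drawn from the IANA special-purpose address registries, and the example deliberately generalizes to IPv4 as well as IPv6; the sample traffic is constructed.

```python
"""Classify packets by RFC-reserved source/destination addresses and log the drops.

Added example, not SonicOS code. Which blocks SonicOS treats as "reserved by RFC"
is not stated on the page, so RESERVED_NETWORKS below is an assumption drawn from
the IANA special-purpose address registries.
"""
import ipaddress
from typing import Optional

# Each entry carries the RFC that reserves the block so the log line explains the drop.
RESERVED_NETWORKS = [
    (ipaddress.ip_network("0.0.0.0/8"), "this network, RFC 1122"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback, RFC 1122"),
    (ipaddress.ip_network("192.0.2.0/24"), "TEST-NET-1, RFC 5737"),
    (ipaddress.ip_network("198.51.100.0/24"), "TEST-NET-2, RFC 5737"),
    (ipaddress.ip_network("203.0.113.0/24"), "TEST-NET-3, RFC 5737"),
    (ipaddress.ip_network("240.0.0.0/4"), "reserved for future use, RFC 1112"),
    (ipaddress.ip_network("::/128"), "unspecified, RFC 4291"),
    (ipaddress.ip_network("::1/128"), "loopback, RFC 4291"),
    (ipaddress.ip_network("::ffff:0:0/96"), "IPv4-mapped, RFC 4291"),
    (ipaddress.ip_network("2001:db8::/32"), "documentation, RFC 3849"),
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def reserved_reason(addr: str, role: str) -> Optional[str]:
    """Return why `addr` is reserved for use as `role` ('src' or 'dst'), or None."""
    ip = ipaddress.ip_address(addr)
    # 255.255.255.255 lies inside 240.0.0.0/4 but is the legitimate limited-broadcast
    # destination (RFC 919), so it is rejected only as a source.
    if ip == LIMITED_BROADCAST:
        return None if role == "dst" else "limited broadcast as source, RFC 919"
    # A multicast group is a valid destination but never a valid source.
    if ip.is_multicast:
        return None if role == "dst" else "multicast as source, RFC 1112/RFC 4291"
    for net, why in RESERVED_NETWORKS:
        if ip.version == net.version and ip in net:
            return why
    return None


def classify_packet(src: str, dst: str) -> Optional[str]:
    """Return a firewall-style log line if the packet must be dropped, else None."""
    for role, addr in (("src", src), ("dst", dst)):
        why = reserved_reason(addr, role)
        if why:
            return f"DROP src={src} dst={dst} reason={role} address reserved ({why})"
    return None


def filter_packets(packets):
    """Split (src, dst) pairs into (allowed, log_lines); only drops are logged."""
    allowed, logs = [], []
    for src, dst in packets:
        line = classify_packet(src, dst)
        (logs if line else allowed).append(line or (src, dst))
    return allowed, logs


# Constructed sample traffic: four legitimate flows and three reserved-address hits.
SAMPLE_PACKETS = [
    ("10.1.1.5", "172.16.0.20"),        # LAN to DMZ, allowed
    ("10.1.1.5", "224.0.0.251"),        # mDNS to a multicast group, allowed
    ("10.1.1.5", "255.255.255.255"),    # limited broadcast destination, allowed
    ("fd00:1::10", "fd00:2::20"),       # ULA to ULA, allowed
    ("203.0.113.9", "10.1.1.5"),        # TEST-NET-3 source, dropped
    ("127.0.0.1", "10.1.1.5"),          # loopback source on the wire, dropped
    ("2001:db8::1", "fd00:2::20"),      # documentation-prefix source, dropped
]

if __name__ == "__main__":
    allowed, logs = filter_packets(SAMPLE_PACKETS)
    print(f"allowed {len(allowed)}, dropped {len(logs)}")
    for line in logs:
        print(line)
```

    The direction-aware checks are the part worth keeping: a multicast group or the limited broadcast address is normal as a destination and only anomalous as a source, so a classifier that ignores the role would drop legitimate mDNS and DHCP-style traffic. When reviewing the firewall's own log for this option, the same distinction tells you whether a hit is a spoofed source (worth investigating) or a misrouted documentation-prefix destination (usually a configuration mistake).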

    172220 Log alert when the log buffer is 75% full
    Log -> Base setup -> Log category -> General -> Logs at 75% of maximum: set the priority to Alert

    172218 Minimum number of characters changed for password should be eight (8)
    Manage > Appliance > Base settings > Login security:

    172221 Login history during a user defined time period
    In the Diag settings, a new checkbox sets the time interval for the login history. Note: the login history is displayed under System -> Status. The display text still reads “since system restart”, but the period counted is actually the organizationally defined time period configured in the setting below.

    Sample output:
    • Last successful login timestamp 04/11/2016 17:30:32.000.
    • Number of all user successful login attempts since system reset is 1.

    Note: Login history for CAC user with LDAP

    Login history for a CAC user with credentials imported from LDAP is recorded only when the user accounts are imported from LDAP locally onto the firewall. For the firewall to track the history of an account, the account information must be available locally on the firewall.
    If using CAC with LDAP, import the LDAP user accounts locally by clicking “Import Users” and then “Save”.

    172219 Minimum password lifetime
    Manage > Appliance > Base settings > Login security:

    172223 Password complexity requirements should be applicable to OTP
    Manage > Users > Settings: checkbox to apply password constraints to OTP

    171473 Indefinite lockout of a user for wrong password (Manage > Appliance > Base settings > Login security)
    172217 Enforce a limit on the number of invalid consecutive logons within a time period
