One-Touch Configuration Override

05/26/2020 25 People found this article helpful 488,516 Views

Description

The One-Touch Configuration Override, this feature can be thought of as a quick tune-up for SonicWall network security appliance’s security settings.
With a single click, One-Touch Configuration Override applies over sixty configuration settings to implement SonicWall’s recommended best practices. This is applicable for both DPI and Stateful Firewall Security and Stateful Firewall security.

Resolution

There is a set of One-Touch Configuration Override option available on the SonicWall.It can be thought of us as a quick tune-up for your SonicWall appliance's security settings. With a single click, One-Touch Configuration Override applies over sixty configuration settings over sixteen pages of the SonicWall GUI to implement SonicWall's recommended best practices. These settings ensure that your appliance is taking advantage of SonicWall's security features.

There are two sets of One-Touch Configuration Override settings:

DPI and Stateful Firewall Security For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules.
Stateful Firewall Security For network environments that do not have DPI security services enabled, but still want to employ SonicWall's Stateful firewall security best practices.

To see details of the settings that will be impacted, click on the Preview applicable changes link next to each button. A page displays with a list of each setting and the value to which it will be set.

Navigate to Manage|Firmware & Backups| Settings

CAUTION: A system restart is required for the updates to take full effect. The Administrator should review the settings before applying it on appliance.

RESOLUTION FOR SONICOS 5.9.X

Navigate to the System | Settings page

Click on either DPI and Stateful Firewall Security or Stateful Firewall Security.

CAUTION: A system restart is required for the updates to take full effect. The Administrator should review the settings before applying it on appliance.

Listed here are the configuration changes made to the system after clicking on either of the above:

One-Touch Configuration Overrides - configurations made to the system.	DPI and Stateful Firewall Security	Stateful Firewall Security

System>Administration

1. Password must be changed every 90 days	YES	YES
2. Bar repeated password changes for 4 changes	YES	YES
3. Enforce password complexity: Require alphabetic, numeric and symbolic characters	YES	YES
4. Apply the above password constraints for: all user categories	YES	YES
5. Enable administrator/user lockout	YES	YES
6. Failed Login attempts per minute before lockout: 7	YES	YES
7. Enable inter-administrator messaging	YES	YES
8. Inter-administrator Messaging polling interval (seconds): 10	YES	YES

Network>Interfaces

9. Any interface allowing HTTP management is replaced with HTTPS Management	YES	YES
10. Any setting to 'Add rule to enable redirect from HTTP to HTTPS' is disabled	YES	YES
11. Ping Management is disabled on all interfaces	YES	YES

Network>Zones

12. Intrusion Prevention is enabled on all applicable default Zones	YES	Disabled
13. Gateway Anti-Virus protection is enabled on all applicable default Zones	YES	Disabled
14. Anti-Spyware protection is enabled on all applicable default Zones	YES	Disabled
15. App Rules is enabled on all applicable default Zones	YES	Disabled
16. SSL Control is enabled on all default Zones	YES	NO

Network>DNS

17. Enable DNS Rebinding protection	YES	YES
18. DNS Rebinding Action: Log Attack & Drop DNS Reply	YES	YES

Firewall>Access Rules

19. Any Firewall policy with an Action of Deny, the Action is changed Discard	YES	YES
20. Source IP Address connection limiting with a threshold of 128 connections is enabled for all firewall policies	YES	YES

Firewall>App Rules

21. If licensed, the Enable App Rules setting is turned on	YES	Disabled

Firewall Settings>Advanced

22. Turn on Enable Stealth Mode	YES	YES
23. Turn on Randomize IP ID	YES	YES
24. Turn off Decrement IP TTL for forwarded traffic	YES	YES
25. Connections are set to:	DPI services enabled with additional performance optimizations	Max SPI (DPI services disabled)^*
26. Turn on Enable IP header checksum enforcement	YES	YES
27. Turn on Enable UDP checksum enforcement	YES	YES

Firewall Settings>Flood Protection

28. Turn on Enforce strict TCP compliance with RFC 793 and RFC 1122	YES	YES
29. Turn on Enable TCP handshake enforcement	YES	YES
30. Turn on Enable TCP checksum enforcement	YES	YES
31. Turn on Enable TCP handshake timeout	YES	YES
32. SYN Flood Protection Mode: Always proxy WAN client connections	YES	YES

Firewall Settings>SSL Control

33. Turn on Enable SSL Control	YES	YES
34. Set Action to: Block connection and log the event	YES	YES
35. For Configuration, enable all categories	YES	YES

VPN>Advanced

36. Turn on Enable IKE Dead Peer Detection	YES	YES
37. Turn on Enable Dead Peer Detection for Idle VPN sessions	YES	YES
38. Turn on Enable Fragmented Packet Handling	YES	YES
39. Turn on Ignore DF (Don't Fragment) Bit	YES	YES
40. Turn on Enable NAT Traversal	YES	YES
41. Turn on Clean up Active tunnels when Peer Gateway DNS name resolves to a different address	YES	YES
42. Turn on Preserve IKE port for Pass Through Connections	YES	YES

Security Services>Gateway Anti-Virus

43. If licensed, Enable Gateway Antivirus	YES	Disabled
44. Configure Gateway AV Settings: Turn on Disable SMTP Responses	YES	N/A
45. Configure Gateway AV Settings: Turn off Disable detection of EICAR test virus	YES	N/A
46. Configure Gateway AV Settings: Turn on Enable HTTP Byte-Range requests with Gateway AV	YES	N/A
47. Configure Gateway AV Settings: Turn on Enable FTP REST request with Gateway AV	YES	N/A
48. Configure Gateway AV Settings: Turn off Enable HTTP Clientless Notification Alerts	YES	N/A

Security Services>Intrusion Prevention

49. If licensed, Enable IPS	YES	Disabled
50. Turn on Prevent All and Detect All for High Priority Attacks	YES	N/A
51. Turn on Prevent All and Detect All for Medium Priority Attacks	YES	N/A
52. Turn on Prevent All and Detect All for Low Priority Attacks	YES	N/A

Security Services>Anti-Spyware

53. If licensed, Enable Anti-Spyware	YES	Disabled
54. Turn on Prevent All and Detect All for High Priority Attacks	YES	N/A
55. Turn on Prevent All and Detect All for Medium Priority Attacks	YES	N/A
56. Turn on Prevent All and Detect All for Low Priority Attacks	YES	N/A
57. Configure Anti-Spyware Settings: Turn on Disable SMTP Responses	YES	N/A
58. Configure Anti-Spyware Settings: Turn off Enable HTTP Clientless Notification Alerts	YES	N/A

AppFlow>Flow Reporting

59. Turn on Send AppFlow To Local Collector	YES	YES
60. Turn on Enable Real-Time Data Collection	YES	YES

Log>Log Monitor

61. Set Logging Level: Debug	YES	YES

Log>Name Resolution

62. Set Name Resolution Method to: DNS then NetBIOS	YES	YES

Internal Settings

63. Turn on Protect against TCP State Manipulation DoS	YES	YES
64. Turn on Apply IPS Signatures Bidirectionally	YES	N/A
65. Allow launching of AppFlow Monitor in a stand-alone browser frame	YES	YES
66. Enable Visualization UI for Non-Admin/Config users	YES	YES

^* When Stateful Firewall Security is selected, DPI services like App Rules, App Control Advanced, IPS, GAV, Anti-spyware are disabled.

NOTE: Be aware that the One-Touch Configuration Override may change the behavior of your SonicWall security appliance. Review the list of configurations before applying One-Touch Configuration Override.

In particular, the following configurations may affect the experience of the administrator:

- Administrator password requirements on the System | Administration page.
- Requiring HTTPS management.
- Disabling HTTP to HTTPS redirect.
- Disabling Ping management.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

One-Touch Configuration Override

Description

Resolution

RESOLUTION FOR SONICOS 5.9.X

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch