SonicOS Packet flow in Global and Policy Mode

Description

This document gives a detailed view of SonicOS packet flow in both the classic mode and the policy mode of firewall operation.

Global Mode Packet Flow
This diagram illustrates the packet processing workflow through the various firewall services in Global Mode (also called Classic Mode). It also incorporates the latest features and updates introduced in SonicOS 7.1.1.
Global Mode represents the traditional configuration experience for SonicWall firewalls. It utilizes an object-based policy structure, where administrators define security policies based on specific objects like interfaces, addresses, and services. These policies dictate how the firewall handles incoming and outgoing traffic.

Supported Models:

All Gen7 Firewall models except NSsp 15700

Key Features of Global Mode:

  • Object-based policies: Policies are built by defining rules based on network objects like interfaces, IP addresses, address groups, ports, protocols, and services.
  • Familiar interface: Long-time SonicWall users will find the interface familiar and intuitive.

[Image: Global Mode packet flow diagram]

Policy Mode (Simple View - Security Rule)
Packet flow in this mode is similar to Global Mode except around the Access Rule lookup. Compared to Global Mode, the lookup is enhanced to do a full access rule lookup with additional details such as apps, web category, geo-IP and users.

  • In Policy Mode, Access Rules are renamed Security Rules, since full security services (IPS, GAV, ASPY, Botnet plus content actions) are included as part of rule enforcement.
  • A Security Policy rule has three parts:
    • Match Criteria - Zones, IP addresses, Interfaces, Ports, Protocols, Countries, User, Apps, Web Categories, Websites and URLs and Patterns
    • Action - Allow, Deny and Discard
    • Security Rule Action:
      • Security services (IPS/GAV/ASPY, Botnet)
      • Content Filter User Actions and additional content related actions
      • BWM and QoS
      • Log and Block Page
      • Advanced/Miscellaneous 
        • VoIP
        • TCP timeouts
        • Users
        • Fragmentation

Supported Models:

  • NSv 270/470/870
  • NSsp 15700

[Image: Policy Mode packet flow diagram (simple view, Security Rule)]
