Network Security Manager SaaS Administration Guide

Defining Global Settings

This screen lists all the VPN Topology settings that can be changed. It is organized into sections, each grouping the options that belong together.

To define global settings

  1. Navigate to Manager View | Home > VPN Topology > Global Settings page.
  2. Define the global VPN settings.

    Enable VPN

    This option is enabled by default. If you disable it, VPN functionality is turned off and the options for defining VPN settings are no longer shown.

    Enable Fragmented Packet Handling

    This option is enabled by default. If you disable it, fragmented VPN traffic is dropped.

    Ignore DF (Don't Fragment) Bit

    This option is available only when Enable Fragmented Packet Handling is enabled, and it is disabled by default. When enabled, the appliance ignores the DF bit set in the IP header and fragments the packet anyway.

  3. Define Dead Peer Detection settings to detect the dead Internet Key Exchange (IKE) peer.

    Enable IKE Dead Peer Detection

    This option is enabled by default. If you disable it, dead Internet Key Exchange (IKE) peer detection is turned off and the remaining Dead Peer Detection settings are disabled.

    Dead Peer Detection Interval (seconds)

    Enter the interval (in seconds) between the heartbeats used to detect a dead IKE peer.

    The default value is 60 seconds. You can enter a value between 3 and 120.

    Failure Trigger Level (missed heartbeats)

    Enter the number of consecutive missed heartbeats after which the SonicWall security appliance drops the VPN connection.

    The default value is 3. You can enter a value between 3 and 10.

    Enable Dead Peer Detection for Idle VPN sessions

    Enable this option to have the security appliance drop idle VPN connections after the time defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field.

    This option is disabled by default.

    Dead Peer Detection Interval for Idle VPN sessions (seconds)

    Enter the Dead Peer Detection interval (in seconds) for idle VPN sessions.

    This field is available only if Enable Dead Peer Detection for Idle VPN sessions is enabled.

    The default value is 600 seconds (10 minutes). You can enter a value between 60 and 3600.

  4. Define IKEV2 Settings.

    • Enable Send IKEv2 cookie notify to send the IKEv2 COOKIE notification to peers. Cookies are the denial-of-service mitigation defined in RFC 7296: the appliance avoids committing state to an IKE_SA_INIT request until the initiator returns the cookie, which shows that the initiator can actually receive traffic at its claimed address. This option is disabled by default.
    • Enable Send IKEv2 Invalid SPI notify to send an Invalid Security Parameter Index (SPI) notification to an IKEv2 peer when traffic arrives for an SPI the appliance does not recognize while an active IKE security association (SA) with that peer exists.
    • SonicOS provides IKEv2 Dynamic Client Support, which lets you configure the Internet Key Exchange (IKE) attributes instead of using the default settings. Click Configure to set the IKE attributes.

      The AESGCM16-XXX encryption options apply only to firewalls running SonicOS 7.0.1-5135 or higher. For AESGCM16-XXX the Authentication method is not applicable; the PRF Algorithm is selected instead (AES-GCM is an AEAD cipher, so integrity is provided by the cipher itself and a separate pseudo-random function is needed only for key derivation).

      The options available in each column are:

      DH Group: Group 1, Group 2, Group 5, Group 14, 192-bit Random ECP Group, 224-bit Random ECP Group, 256-bit Random ECP Group, 384-bit Random ECP Group, 521-bit Random ECP Group

      Encryption (block ciphers with a separate integrity algorithm): DES, 3DES, AES-128, AES-192, AES-256
        Authentication: MD5, SHA1, SHA256, SHA384, SHA512
        PRF Algorithm: Not Applicable

      Encryption (AEAD ciphers, SonicOS 7.0.1-5135 or higher): AESGCM16-128, AESGCM16-192, AESGCM16-256
        Authentication: Not Applicable
        PRF Algorithm: PRF_HMAC_MD5, PRF_HMAC_SHA1, PRF_HMAC_SHA256, PRF_HMAC_SHA384, PRF_HMAC_SHA512

      DES, MD5 and DH Group 1 are broken or undersized by current standards and should not be selected for new tunnels; 3DES, SHA1 and DH Groups 2 and 5 are legacy options to keep only for peers that cannot negotiate anything stronger. Group 14 or one of the ECP groups with AES-256 and SHA256, or AESGCM16-256 with PRF_HMAC_SHA256 or stronger, is a sound default for peers that support it.

  5. Define other settings.

    Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address

    Enable this option to tear down the SAs associated with the old IP address and reconnect to the peer gateway at its new address.

    This option is enabled by default.

    Send VPN Tunnel Traps only when tunnel status changes

    Enable this option to reduce the number of VPN tunnel traps by sending a trap only when a tunnel's status changes.

    This option is disabled by default.

    For XAUTH, use a RADIUS mode that allows users to change expired passwords

    When RADIUS is used to authenticate VPN client users, enable this option to use RADIUS in its MSCHAP (or MSCHAPv2) mode. The main reason to do so is that MSCHAP lets VPN client users change an expired password at login time.

    This option is disabled by default.

    RADIUS Mode

    Select the RADIUS mode, MSCHAP or MSCHAPv2. Prefer MSCHAPv2 where the RADIUS server supports it; MSCHAP (version 1) is the weaker of the two.

    DNS and WINS Server Settings for VPN client

    Click Configure to define additional settings:

    • DNS Servers: Selecting this option automatically populates the DNS and WINS settings from the SonicWall security appliance's own network settings. This option is selected by default.
    • Specify Manually: If you do not want to use the SonicWall security appliance network settings, select Specify Manually, and type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
    • WINS Server: Configure a WINS server in the WINS Server 1 field. You can configure a second WINS server, also.

    Click Accept.

  6. Click Save.
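The following Python is an added example for this procedure; it is not SonicOS or NSM code and is not taken from the guide. It lints the settings from steps 3 and 4 offline: it checks the Dead Peer Detection values against the ranges the guide gives, shows how the interval and the failure trigger level combine to decide when a peer is dropped, and checks an IKEv2 Dynamic Client proposal against the guide's rule that AESGCM16-* ciphers take a PRF Algorithm rather than an Authentication algorithm. Two assumptions are the example's own: the heartbeat model follows RFC 3706, where the missed-heartbeat counter resets whenever the peer answers, and the WEAK set is the editor's classification of algorithms that should not be chosen for new tunnels. All function names are the example's.

```python
"""Lint VPN Global Settings values as described in the procedure above.

Added example for this guide; not SonicOS/NSM code and it never talks to an
appliance. Assumptions not taken from the guide: DPD follows RFC 3706 (the
missed-heartbeat counter resets on any reply) and WEAK is the editor's own
classification of primitives to avoid for new tunnels.
"""

# --- Step 3: Dead Peer Detection -------------------------------------------
DPD_RANGES = {
    "Dead Peer Detection Interval": (3, 120),                          # default 60
    "Failure Trigger Level": (3, 10),                                  # default 3
    "Dead Peer Detection Interval for Idle VPN sessions": (60, 3600),  # default 600
}


def dpd_problems(interval=60, trigger=3, idle_interval=600):
    """Return a message for every DPD value outside the range the guide allows."""
    problems = []
    values = (interval, trigger, idle_interval)
    for (name, (lo, hi)), value in zip(DPD_RANGES.items(), values):
        if not lo <= value <= hi:
            problems.append(f"{name} must be between {lo} and {hi}, got {value}")
    return problems


def worst_case_detection_seconds(interval=60, trigger=3):
    """Seconds from the last answered heartbeat until the tunnel is dropped."""
    problems = dpd_problems(interval, trigger)
    if problems:
        raise ValueError("; ".join(problems))
    return interval * trigger


def simulate_dpd(replies, interval=60, trigger=3):
    """Run a constructed heartbeat sequence (True = peer answered) through DPD.

    Returns the simulated time in seconds at which the SA is dropped, or None
    if the peer never missed `trigger` heartbeats in a row (RFC 3706 model).
    """
    problems = dpd_problems(interval, trigger)
    if problems:
        raise ValueError("; ".join(problems))
    missed = 0
    for n, answered in enumerate(replies, start=1):
        missed = 0 if answered else missed + 1  # counter resets on any reply
        if missed >= trigger:
            return n * interval
    return None


# --- Step 4: IKEv2 Dynamic Client proposal ----------------------------------
NA = "Not Applicable"
DH_GROUPS = {"Group 1", "Group 2", "Group 5", "Group 14",
             "192-bit Random ECP Group", "224-bit Random ECP Group",
             "256-bit Random ECP Group", "384-bit Random ECP Group",
             "521-bit Random ECP Group"}
CBC_CIPHERS = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
AEAD_CIPHERS = {"AESGCM16-128", "AESGCM16-192", "AESGCM16-256"}
AUTH_ALGS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
PRF_ALGS = {"PRF_HMAC_MD5", "PRF_HMAC_SHA1", "PRF_HMAC_SHA256",
            "PRF_HMAC_SHA384", "PRF_HMAC_SHA512"}
# Editor's classification (assumption, not from the guide): broken or
# undersized primitives that should not be selected for new tunnels.
WEAK = {"DES", "MD5", "PRF_HMAC_MD5", "Group 1", "Group 2"}


def validate_proposal(dh_group, encryption, authentication=NA, prf=NA):
    """Return the list of consistency problems; an empty list means valid.

    As the guide states: block ciphers need an Authentication algorithm and
    no PRF; AESGCM16-* ciphers need a PRF Algorithm and no Authentication.
    """
    problems = []
    if dh_group not in DH_GROUPS:
        problems.append(f"unknown DH group: {dh_group}")
    if encryption in CBC_CIPHERS:
        if authentication not in AUTH_ALGS:
            problems.append(f"{encryption} requires an Authentication algorithm")
        if prf != NA:
            problems.append(f"PRF Algorithm is Not Applicable for {encryption}")
    elif encryption in AEAD_CIPHERS:
        if prf not in PRF_ALGS:
            problems.append(f"{encryption} requires a PRF Algorithm")
        if authentication != NA:
            problems.append(f"Authentication is Not Applicable for {encryption}")
    else:
        problems.append(f"unknown encryption algorithm: {encryption}")
    return problems


def weak_choices(dh_group, encryption, authentication=NA, prf=NA):
    """Return the selected options that fall in the WEAK set, sorted."""
    return sorted(x for x in (dh_group, encryption, authentication, prf) if x in WEAK)


if __name__ == "__main__":
    print("default DPD drops a dead peer after", worst_case_detection_seconds(), "s")
    print("alternating loss:", simulate_dpd([True, False, True, False, True, False]))
    print("three consecutive misses:", simulate_dpd([True, False, False, False]))
    print(validate_proposal("Group 14", "AESGCM16-256", "SHA256"))
    print(weak_choices("Group 1", "DES", "MD5"))
```

Run it directly to see the defaults: 60 seconds times 3 missed heartbeats gives 180 seconds to drop a dead peer, while alternating loss never trips the trigger because the counter resets on each reply. Import it to check the values you intend to enter before saving the page.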