SonicOSX 7 Match Objects

Zones

A zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, simpler and more intuitive than following a strict physical interface scheme. Zone-based security is a powerful and flexible method of managing both internal and external network segments, allowing the administrator to separate and protect critical internal network resources from unapproved access or attack.

A network security zone is simply a logical method of grouping one or more interfaces under friendly, user-configurable names and applying security rules as traffic passes from one zone to another. Security zones provide an additional, more flexible layer of security for the firewall. With zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. For more information on configuring interfaces, navigate to Network > Interfaces.

SonicOSX zones allow you to apply security policies to the inside of the network by organizing network resources into different zones and allowing or restricting traffic between those zones. This way, access to critical internal resources, such as payroll servers or engineering code servers, can be strictly controlled.

Zones also allow full exposure of the NAT table to allow you control over the traffic across the interfaces by controlling the source and destination addresses as traffic crosses from one zone to another. This means that NAT can be applied internally, or across VPN tunnels, which is a feature that users have long requested. Firewalls can also drive VPN traffic through the NAT policy and zone policy, because VPNs are now logically grouped into their own VPN zone.

How Zones Work

An easy way to visualize how security zones work is to imagine a large new building with several rooms inside, and a group of new employees who do not know their way around the building. This building has one or more exits, which can be thought of as the WAN interfaces. The rooms within the building have one or more doors, which can be thought of as interfaces. These rooms can be thought of as zones. Inside each room are a number of people. The people are categorized and assigned to separate rooms within the building. People in each room going to another room or leaving the building must talk to a door person on the way out of each room. This door person is the inter-zone/intra-zone security policy, and the door person’s job is to consult a list and make sure that the person is allowed to go to the other room, or to leave the building. If the person is allowed (for example, the security policy allows them in), they can leave the room through the door (the interface).

Upon entering the hallway, the person needs to consult with the hallway monitor to find out where the room is, or where the door out of the building is located. This hallway monitor provides the routing process because the monitor knows where all the rooms are located, and how to get in and out of the building. The monitor also knows the addresses of any of the remote offices, which can be considered the VPNs. If the building has more than one entrance/exit (WAN interfaces), the hallway monitor can direct people to use the secondary entrance/exit, depending upon how they have been told to do so (for example, only in an emergency, or to distribute the traffic in and out of the entrance/exits). This function can be thought of as WAN Load Balancing.

There are times that the rooms inside the building have more than one door, and times when there are groups of people in the room who are not familiar with one another. In this example, one group of people uses only one door, and another group uses the other door, even though groups are all in the same room. Because they also do not recognize each other, in order to speak with someone in another group, the users must ask the door person (the security policy) to point out which person in the other group is the one with whom they wish to speak. The door person has the option to not let one group of people talk to the other groups in the room. This is an example of when zones have more than one interface bound to them, and when intra-zone traffic is not allowed.

Sometimes, people want to visit remote offices, and people might arrive from remote offices to visit people in specific rooms in the building. These are the VPN tunnels. The hallway and doorway monitors check to see if this is allowed or not, and allow traffic through. The door person can also elect to force people to put on a costume before traveling to another room, or to exit, or to another remote office. This hides the true identity of the person, masquerading the person as someone else. This process can be thought of as the NAT policy.

Predefined Zones

The predefined zones on your firewall depend on the device.

The predefined security zones on the SonicWall Security Appliance are not modifiable:

This Zone Has this function
LAN Consists of multiple interfaces, depending on your network design. Even though each interface has a different network subnet attached to it, when grouped together, they can be managed as a single entity.
WAN Can consist of multiple interfaces. If you are using the Security Appliance’s WAN failover capability, you need to add the second Internet interface to the WAN zone.
MGMT Used for appliance management and includes only the MGMT interface. Interfaces in other zones can also be enabled for SonicOS management, but the MGMT zone/interface provides the added security of a separate zone just for management.
DMZ Normally used for publicly accessible servers and can consist of one to four interfaces, depending on your network design.
VPN A virtual zone used for simplifying secure, remote connectivity.
SSLVPN Used for secure remote access using the SonicWall NetExtender client.
MULTICAST Provides support for IP multicasting, which is a method for sending IP packets from a single source simultaneously to multiple hosts.
WLAN

Provides support to SonicWall SonicPoints and SonicWaves. When assigned to the Opt port, it enforces SonicPoint Enforcement, automatically dropping all packets received from non-SonicPoint devices. The WLAN zone supports:

  • SonicWall Discovery Protocol (SDP) to automatically poll for and identify attached SonicPoints and SonicWaves
  • SonicWall Simple Provisioning Protocol to configure SonicPoints and SonicWaves using profiles
  • Wireless and guest service configurations

Even though you can group interfaces together into one security zone, this does not preclude you from addressing a single interface within the zone.

Security Types

The security types of a zone depend on the device.

Each zone has a security type, which defines the level of trust given to that zone.

Trusted Provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the Security Appliance. The LAN zone is always Trusted.
Management Unique to the MGMT zone and MGMT interface and also provides the highest level of trust.
Encrypted Used exclusively by the VPN and SSLVPN zones. All traffic to and from an Encrypted zone is encrypted.
Public Offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the Security Appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default, traffic from DMZ to LAN is denied, but traffic from LAN to ANY is allowed. This means only LAN-initiated connections have traffic between DMZ and LAN. The DMZ only has default access to the WAN, not the LAN.
Untrusted Represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the Security Appliance. By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.
Wireless Applied to the WLAN zone or any zone where the only interface to the network consists of SonicWall SonicPoint and SonicWave devices. The Wireless security type is designed specifically for use with SonicPoints and SonicWaves. Placing an interface in a Wireless zone activates SDP (SonicWall Discovery Protocol) and SSPP (SonicWall Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoints and SonicWaves. Only traffic that passes through a SonicPoint or SonicWave is allowed through a Wireless zone; all other traffic is dropped.

Allow Interface Trust

The Allow Interface Trust setting in the Add Zone dialog automates the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance. For example, if the LAN zone has both the LAN and X3 interfaces assigned to it, checking Allow Interface Trust on the LAN zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.

Enabling SonicWall Security Services on Zones

You can enable SonicWall Security Services for traffic across zones. For example, you can enable SonicWall Intrusion Prevention Service for incoming and outgoing traffic on the WLAN zone to add more security for internal network traffic. You can enable these SonicWall Security Services on zones:

Enable Client AV Enforcement Service Enforces anti-virus protection on multiple interfaces in the same Trusted and Public security types for WLAN zones.
Enable DPI-SSL Enforcement Service Enforces enhanced NGAV (Next Generation AV) such as DPI-SSL Enforcement or SentinelOne AV enforcement in the same Trusted and Public security types for WLAN zones.
Enable SSLVPN Access Enables SSLVPN secure remote access on the zone.
Create Group VPN Creates a Group VPN policy for the zone, which is displayed in the VPN Policies table on Network > SSL VPN > Server Settings. You can customize the GroupVPN policy on Network > SSL VPN > Server Settings. If you have unselected Create Group VPN, the Group VPN policy is removed from Network > SSL VPN > Server Settings. For more information about creating VPN policies, see SonicOS 7 Connectivity.
Enable SSL Control Enables SSL Control on the zone. All new SSL connections initiated from that zone are now subject to inspection. SSL Control must first be enabled globally on Policy > Firewall > SSL Control. For more information about SSL Control, see SonicOS 7 Security Configuration.
Enable Gateway Anti-Virus Service Enforces gateway anti-virus protection on multiple interfaces in the same Trusted and Public security types for WLAN zones.
Enable IPS Enforces intrusion detection and prevention on multiple interfaces in the same Trusted and Public security types for WLAN zones.
Enable Anti-Spyware Service Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted and Public security types for WLAN zones.
Enable App Control Service Enforces application control policy services on multiple interfaces in the same Trusted and Public security types for WLAN zones.
Enable SSL Client Inspection Enables granular DPI-SSL on a per-zone basis rather than globally for DPI-SSL clients.
Enable SSL Server Inspection Enables granular DPI-SSL on a per-zone basis rather than globally for DPI-SSL servers.

Effect of Wireless and Non-Wireless Controller Modes

Effects of Enabling Non-Wireless Controller Mode

Enabling Non-Wireless Controller Mode affects the Object > Match Objects > Zones page. Attempts to enable or delete the affected features are denied.

  • The Edit and Delete icons for wireless zones become dimmed on the Object > Match Objects > Zones page.

  • Internal wireless zones are disabled.

Effects of Enabling Wireless Controller Mode

Enabling Wireless Controller Mode affects the Object > Match Objects > Zones page. Attempts to enable or delete the affected features are denied.

  • The Edit and Delete icons for VPN and SSL VPN zones become dimmed on the Object > Match Objects > Zones page.
  • Any attempt to enable a zone with VPN and/or SSL VPN results in an error.

The Zone Settings Table

The Zone Settings table displays a listing of all the SonicWall Security Appliance’s default predefined zones as well as any zones you create. The table displays the following status information about each zone configuration:

Name Name of the zone. The predefined LAN, WAN, WLAN, VPN, SSLVPN, MGMT, MULTICAST, and Encrypted zone names cannot be changed.
Security Type Security type: Trusted, Untrusted, Public, Wireless, or Encrypted.
Member Interfaces Interfaces that are members of the zone.
Interface Trust Check mark indicates the Allow Interface Trust setting is enabled for the zone.
Client AV Check mark indicates SonicWall Client Anti-Virus is enabled for traffic coming in and going out of the zone. SonicWall Client Anti-Virus manages an anti-virus client application on all clients on the zone.
Client CF Check mark indicates Client Content Filtering services are enabled.
Gateway AV Check mark indicates SonicWall Gateway Anti-Virus is enabled for traffic coming in and going out of the zone. SonicWall Gateway Anti-Virus manages the anti-virus service on the firewall.
Anti-Spyware Check mark indicates SonicWall Anti-Spyware detection and prevention is enabled for traffic through interfaces in the zone.
IPS Check mark indicates SonicWall Intrusion Prevention Service is enabled for traffic coming in and going out of the zone.
App Control Check mark indicates App Control Service is enabled for traffic coming in and going out of the zone.
SSL Control Check mark indicates SSL Control is enabled for traffic coming in and going out of the zone. All new SSL connections initiated from that zone are now subject to inspection.
SSL VPN Access Check mark indicates SSL VPN secure remote access is enabled for traffic coming in and going out of the zone.
DPI-SSL Client Check mark indicates granular DPI-SSL is enabled on a per-zone basis rather than a global basis for DPI-SSL clients.
DPI-SSL Server Check mark indicates granular DPI-SSL is enabled on a per-zone basis rather than a global basis for DPI-SSL servers.
Configure Clicking the Edit icon displays the Zone Settings dialog. Clicking the Delete icon deletes the zone. The delete icon is dimmed for the predefined zones; you cannot delete these zones.

Adding a New Zone

To add a new zone

  1. Navigate to Object > Match Objects > Zones.
  2. Click the Add icon.

  3. Type a name for the new zone in the Name field.

  4. From Security Type, select:

    Trusted Zones with the highest level of trust, such as internal LAN segments.
    Public Zones with a lower level of trust requirements, such as a DMZ interface.
    Wireless WLAN interface.
    SSLVPN

    Interfaces on which Content Filtering, Client AV enforcement, and Client CF services are enabled.

    Selecting this security type disables the Enable SSLVPN Access and Create Group VPN options on this dialog.

  5. To allow intra-zone communications, select Allow Interface Trust. An Access Rule allowing traffic to flow between the interfaces of a Zone instance is created automatically. This option is not selected by default.

  6. To have SonicOS automatically generate access rules to allow traffic between this zone and other zones of equal trust, select Auto-generate Access Rules to allow traffic between zones of the same trust level. For example, CUSTOM_LAN -> CUSTOM_LAN or CUSTOM_LAN -> LAN. This option is selected by default.

    For this option and the following Access Rules options, see SonicOS Policies for information about Access Rules.

  7. To have SonicOS automatically generate access rules to allow traffic between this zone and other zones of lower trust, select Auto-generate Access Rules to allow traffic to zones with lower trust level. For example, CUSTOM_LAN -> WAN or CUSTOM_LAN -> DMZ. This option is selected by default.

  8. To have SonicOS automatically generate access rules to allow traffic between this zone and other zones of higher trust, select Auto-generate Access Rules to allow traffic from zones with higher trust level. For example, LAN -> CUSTOM_DMZ or CUSTOM_LAN -> CUSTOM_DMZ. This option is selected by default.

  9. To have SonicOS automatically generate access rules to deny traffic between this zone and zones of lower trust, select Auto-generate Access Rules to deny traffic from zones with lower trust level. For example, WAN -> CUSTOM_LAN or DMZ -> CUSTOM_LAN. This option is selected by default.

  10. To enforce managed Client Anti-Virus protection on clients connected to multiple interfaces in the same Trusted, Public, or WLAN zones using the Client Anti-Virus client on your network hosts, select Enable Client AV Enforcement Service. This option is not selected by default.

    This option is dimmed and unavailable until you select a security type from Security Type. For this option and the following Security Services options, see SonicOS Security Configuration for more information about these services.

  11. To enforce enhanced NGAV (Next Generation AV) such as DPI-SSL Enforcement or SentinelOne AV enforcement, select Enable DPI-SSL Enforcement Service. This option is not selected by default. For more information about NGAV, see SonicOS Security Configuration.
  12. To enable SSLVPN secure remote access on the zone, select Enable SSLVPN Access. This option is not selected by default.

    This option is dimmed if SSLVPN is selected for Security Type.

  13. To create a SonicWall Group VPN Policy for this zone automatically, select Create Group VPN. You can customize the Group VPN Policy in Network > SSLVPN > Server Settings. This option is not selected by default. This option is available until SSLVPN is selected for Security Type, but after the Security Type is changed to one of the other types, it remains dimmed and unavailable.

    Disabling Create Group VPN removes any corresponding Group VPN policy.

    This option is dimmed if SSLVPN is selected for Security Type. For this and other connectivity options, see SonicOS Connectivity for more information.

    Disabling Group VPN for WAN/WLAN VPN policies deletes all VPN policies. Re-enabling the Create Group VPN option automatically creates a new, enabled VPN policy. Disabling VPN policies globally does not also delete auto-rules. If you do not want VPN policies at all, globally disable VPN, and then delete all policies that correlate with VPN.

    GroupVPN policies appear in the VPN Policies table located in Network > SSLVPN > Server Settings. WAN/WLAN GroupVPN policies are disabled by default when the firewall is booted with the factory default.

  14. To enable SSL Control on the zone, select Enable SSL Control. All new SSL connections initiated from that zone are now subject to inspection. This option is not selected by default.

    SSL Control must first be enabled globally on Policy > Firewall > SSL Control.

  15. To enforce gateway anti-virus protection on your Security Appliance for all clients connecting to this zone, select Enable Gateway Anti-Virus Service. SonicWall Gateway Anti-Virus manages the anti-virus service on the Security Appliance. This option is not selected by default.

  16. To enforce intrusion detection and prevention on multiple interfaces in the same Trusted, Public, or WLAN zones, select Enable IPS. This option is not selected by default.

  17. To enforce anti-spyware detection and prevention on multiple interfaces in the same Trusted or Public security type for WLAN zones, select Enable Anti-Spyware Service. This option is not selected by default.

  18. To enforce application control policy services on multiple interfaces in the same Trusted or Public security type for WLAN zones, select Enable App Control Service. This option is not selected by default. For more information about App Control, see SonicOS Policies.

  19. To enable granular DPI-SSL on a per-zone basis rather than globally for DPI-SSL clients, select Enable SSL Client Inspection. This option is not selected by default.

  20. To enable granular DPI-SSL on a per-zone basis rather than globally for DPI-SSL servers, select Enable SSL Server Inspection. This option is not selected by default.

  21. Click Save. The new zone is now added to the Security Appliance.
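The Security Types section above and steps 5 through 9 of this procedure together define how SonicOS derives a default inter-zone policy: zones are ranked Trusted > Public > Untrusted, Allow Interface Trust governs traffic between a zone's own interfaces, and the four Auto-generate Access Rules options decide which allow and deny rules are written when a zone is created. The following Python model is an added example, not SonicWall code; it assumes the ranking and option semantics exactly as the page states them, uses constructed zone and interface names (LAN/DMZ/WAN on X0 through X5, plus a hypothetical CUSTOM_LAN), and adopts one modelling choice of its own: an auto-rule between two zones exists only if neither zone's options suppress it, and with no allow rule the traffic falls through to default deny.

```python
"""Zone trust model: the default inter-zone policy that the zone options yield.

Added example (not SonicWall code). It reproduces the ordering
Trusted > Public > Untrusted, the Allow Interface Trust option and the four
Auto-generate Access Rules options so that the default policy a set of zones
produces can be inspected offline. Zone and interface names are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple


class SecurityType(IntEnum):
    """Trust ranking; a higher value means more trust."""
    UNTRUSTED = 0  # WAN, MULTICAST
    PUBLIC = 1     # DMZ
    TRUSTED = 2    # LAN


@dataclass
class Zone:
    name: str
    security_type: SecurityType
    interfaces: List[str] = field(default_factory=list)
    allow_interface_trust: bool = False  # "Allow Interface Trust", off by default
    # The four Auto-generate Access Rules options, all on by default
    allow_same_trust: bool = True
    allow_to_lower: bool = True
    allow_from_higher: bool = True
    deny_from_lower: bool = True


# (source zone, destination zone) -> "allow" | "deny"
Policy = Dict[Tuple[str, str], str]


def generate_rules(zones: List[Zone]) -> Policy:
    """Compute the default action for every ordered pair of zones.

    Modelling assumption (not stated by the page): an auto-rule between two
    zones exists only if neither zone's options suppress it; with no allow
    rule, traffic is denied by the firewall's default.
    """
    policy: Policy = {}
    for src in zones:
        for dst in zones:
            key = (src.name, dst.name)
            if src is dst:
                # Traffic between a zone's own interfaces needs Allow Interface Trust
                policy[key] = "allow" if src.allow_interface_trust else "deny"
            elif src.security_type == dst.security_type:
                # Equal trust, e.g. CUSTOM_LAN -> LAN
                policy[key] = "allow" if src.allow_same_trust and dst.allow_same_trust else "deny"
            elif src.security_type > dst.security_type:
                # Higher to lower trust, e.g. LAN -> WAN or LAN -> DMZ
                policy[key] = "allow" if src.allow_to_lower and dst.allow_from_higher else "deny"
            else:
                # Lower to higher trust, e.g. WAN -> LAN or DMZ -> LAN: never auto-allowed.
                # deny_from_lower only adds an explicit deny rule on top of default deny.
                policy[key] = "deny"
    return policy


def explicit_deny_rules(zones: List[Zone]) -> List[Tuple[str, str]]:
    """(src, dst) pairs that get an explicit deny rule because the destination
    zone has 'deny traffic from zones with lower trust level' enabled."""
    return [(src.name, dst.name)
            for dst in zones if dst.deny_from_lower
            for src in zones if src.security_type < dst.security_type]


def default_zones() -> List[Zone]:
    """Constructed stand-ins for the predefined LAN, DMZ and WAN zones."""
    return [
        Zone("LAN", SecurityType.TRUSTED, ["X0", "X3"]),
        Zone("DMZ", SecurityType.PUBLIC, ["X2"]),
        Zone("WAN", SecurityType.UNTRUSTED, ["X1"]),
    ]


def print_matrix(zones: List[Zone]) -> None:
    """Print the source-by-destination action matrix for review."""
    policy = generate_rules(zones)
    names = [z.name for z in zones]
    print("src\\dst".ljust(12) + "".join(n.ljust(12) for n in names))
    for s in names:
        print(s.ljust(12) + "".join(policy[(s, d)].ljust(12) for d in names))


if __name__ == "__main__":
    zones = default_zones()
    # Hypothetical Trusted zone added with "allow traffic to zones with lower
    # trust level" unchecked and Allow Interface Trust checked
    zones.append(Zone("CUSTOM_LAN", SecurityType.TRUSTED, ["X4", "X5"],
                      allow_interface_trust=True, allow_to_lower=False))
    print_matrix(zones)
    print("explicit deny rules:", explicit_deny_rules(zones))
```

Running the script prints the matrix for the three predefined zones plus CUSTOM_LAN: LAN reaches DMZ and WAN, DMZ reaches only WAN, WAN reaches nothing, and CUSTOM_LAN reaches LAN and its own interfaces but not WAN, because its "to lower trust" option was cleared. Reviewing such a matrix before enabling a new zone is a quick way to confirm that clearing an auto-rule option does not silently open a path from a less trusted zone.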

Configuring a Zone for Guest Access

You cannot configure an Untrusted, Encrypted, SSL VPN, or Management zone for guest access.

SonicWall User Guest Services provides an easy solution for creating wired and wireless guest passes and/or locked-down Internet-only network access for visitors or untrusted network nodes. This functionality can be extended to wireless or wired users on the WLAN, LAN, DMZ, or public/semi-public zone of your choice.

To configure the Guest Services feature

  1. Navigate to Object > Match Objects > Zones.
  2. Click Edit for the zone you wish to add Guest Services to. The Zone Settings dialog displays.

  3. Click the Guest Services tab.

  4. Select the Enable Guest Services option. All other options become available, but are not selected by default.

  5. Select from the following configuration options for Guest Services:

    Enable inter-guest communication Allows guests to communicate directly with other users who are connected to this zone.
    Bypass AV Check for Guests Allows guest traffic to bypass Anti-Virus protection.
    Bypass Client CF Check for Guests Allows guest traffic to bypass Client CF enforcement.
    Bypass DPI-SSL Enforcement Check for Guests Allows guest traffic to bypass DPI-SSL enforcement.
    Enable External Guest Authentication

    Requires guests connecting from the device or network you select to authenticate before gaining access. Selecting this option makes Configure available.

    When this option is selected, the following four options become dimmed and unavailable.

    Enable Captive Portal Authentication Allows you to create a customized login page with RADIUS authentication. Selecting this option makes Configure available. For information about configuring this option, see Configuring a Zone for Captive Portal Authentication with Radius.
    Enable Policy Page without authentication Directs users to a guest services usage policy page when they first connect to a SonicPoint or SonicWave in the WLAN zone. Guest users are authenticated by accepting the policy instead of providing a user name and password. Selecting this option makes Configure available. To set up an HTML customizable policy usage page, click Configure. For information about configuring this option, see Configuring a Zone for a Customized Policy Message.
    Custom Authentication Page Redirects users to a custom authentication page when they first connect to the network. Selecting this option makes Configure available. To set up the custom authentication page, click Configure. For information about configuring this option, see Configuring a Zone for a Customized Login Page.
    Post Authentication Page Directs users to the specified page immediately after successful authentication. Selecting this option makes its field available. Enter a URL for the post-authentication page in the field.
    Bypass Guest Authentication

    Allows the Guest Services feature to integrate into environments already using some form of user-level authentication. This feature automates the authentication process, allowing wireless users unrestricted wireless Guest Services without requiring authentication. When selected, this option’s drop-down menu becomes available; select:

    • All MAC Addresses (default)
    • An Address Object
    • An Address Group
    • Create new MAC object

    This feature should only be used when unrestricted Guest Service access is desired, or when another device upstream is enforcing authentication.

    Redirect SMTP traffic to

    Redirects SMTP traffic incoming on this zone to an SMTP server you specify. When selected, this option’s drop-down menu becomes available; select:

    • An Address Object
    • Create new address object
    Deny Networks

    Blocks traffic to the networks you name. When selected, this option’s drop-down menu becomes available; select:

    • An Address Object
    • An Address Object Group
    • Create new address object
    • Create new address object group
    Pass Networks

    Allows traffic through the Guest Service-enabled zone to the selected networks automatically. When selected, this option’s drop-down menu becomes available; select:

    • An Address Object
    • An Address Object Group
    • Create new address object
    • Create new address object group
    Max Guests Specifies the maximum number of guest users allowed to connect to this zone. The minimum number is 1, the maximum number is 4500, and the default setting is 10.
    Wireless Zone Guest Services Options Displays only for the WLAN zone or for a custom zone with a Security Type of Wireless.
    Enable Dynamic Address Translation Grants access to non-DHCP guests. This option is not selected by default.
  6. Click Save to apply these settings to this zone.

    For information about creating Address Objects and Address Object Groups, see SonicOS Match Objects > Addresses.

Configuring a Zone for Open Authentication and Social Login

SonicOS supports Open Authentication (OAuth) and Social Login:

  • OAuth assists users in sharing data between applications.
  • Social Login simplifies the login process for various social media

Configuring a Zone for Captive Portal Authentication with Radius

To configure captive portal authentication with RADIUS

  1. On the Zone Settings dialog, click the Guest Services tab.

  2. Select the Enable Guest Services option. The options become available.

  3. Select Enable Captive Portal Authentication. Configure becomes available.

  4. Click Configure.

  5. In the Custom Portal Authentication Settings section:

    1. Enter the internal captive portal vendor’s URL in the Internal Captive Portal Vendor URL field.
    2. Enter the external captive portal vendor’s URL in the External Captive Portal Vendor URL field.

  6. In the Radius Server Attributes Settings section:

    1. Select the source for the captive portal welcome URL from Captive Portal Welcome URL Source:

      • From Radius (default); go to Step 3

      • Custom; the next option becomes available

    2. Enter the welcome URL in the Custom Captive Portal Welcome URL field.

    3. Select the source for the session timeout limit from Session Timeout Source:

      • From Radius (default); go to Step 6

      • Custom; the next option becomes available

    4. Select the type of session timeout duration from Custom Session Timeout:

      • Minutes

      • Hours

      • Days (default)

    5. Enter the limit in the field.

    6. Select the source for the idle timeout from Idle Timeout Source:

      • From Radius (default); go to Step 7
      • Custom; the next option becomes available

    7. Select the type of idle timeout duration from Custom Session Timeout:

      • Minutes

      • Hours

      • Days (default)

    8. Enter the limit of the duration in the field.

  7. In the Radius Authentication Settings section, select the authentication method from Radius Authentication Method:

    • CHAP (default)

    • PAP – Encrypted

    • PAP – ClearText

  8. Click Save.

Configuring a Zone for a Customized Policy Message

To configure a customized policy message

  1. On the Zone Settings dialog, click the Guest Services tab.

  2. Select the Enable Guest Services option. The options become available.
  3. Select Enable Policy Page without authentication. Configure becomes available.

  4. Click Configure.

  5. Enter your policy for guest usage in the Guest Usage Policy field. The text may include HTML formatting.

  6. To preview your policy message, click Preview.

  7. To specify an idle timeout, enter the timeout value in the Idle Timeout field.

  8. Select the type of timeout:

    • Seconds

    • Minutes (default)

    • Hours

    • Days
  9. Select Auto Accept Policy Page. This option is not selected by default.

  10. Click Save.

Configuring a Zone for a Customized Login Page

To configure a customized login page

  1. On the Zone Settings dialog, click the Guest Services tab.

  2. Select the Enable Guest Services option. The options become available.

  3. Select the Custom Authentication Page option.

  4. Click the Configure button.

  5. For Custom Header Content Type, select:

    • URL
    • Text
  6. Enter the URL or text in the Content field.

  7. For Custom Footer Content Type, select:

    • URL
    • Text
  8. Enter the URL or text in the Content field.

  9. Click Save.

Configuring the WLAN Zone

  1. Navigate to Object > Match Objects > Zones.
  2. If you are configuring:

    • A new zone, click Add.

    • An existing zone, click the Edit icon for the WLAN zone.

    The Zone Settings dialog displays.

    Depending on the zone, there also may be views available for Guest Services, Wireless, and Radius Server. How to configure the General view is described in Adding a New Zone.

  3. If creating a new zone, select Wireless from Security Type. Guest Services, Wireless, and Radius Server appear.

  4. To automate the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance, select Allow Interface Trust. For example, if the LAN zone has both the LAN and X3 interfaces assigned to it, enabling Allow Interface Trust on the LAN zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other. This option is not selected by default.

  5. Click the Wireless tab.

  6. In the Wireless Settings section, to require that all traffic that enters into the WLAN zone be authenticated through a SonicWall SSL VPN appliance, select SSLVPN Enforcement. Selecting this option makes the following two options available. This option is not selected by default.

  7. From SSL VPN server, select an address object to direct traffic to the SonicWall SSL VPN appliance or create a new one. For information about creating Address Objects and Address Object Groups, see SonicOS Policies.

  8. From SSL VPN service, select the service or group of services to allow clients authenticated through the SSL VPN.

  9. In the SonicPoint/SonicWave Settings section, select the SonicPoint/SonicWave Provisioning Profile to apply to all SonicPoints/SonicWaves connected to this zone. Whenever a SonicPoint/SonicWave connects to this zone, it is provisioned automatically by the settings in the SonicPoint/SonicWave Provisioning Profile, unless you have individually configured it with different settings. For information about SonicPoint/SonicWave provisioning profiles, see SonicOS Connectivity.

    For the following four settings, optionally select Auto provisioning to allow SonicPoints/SonicWaves attached to the profile to be provisioned automatically when the profile is modified. This option is not selected by default.

  10. Select the SonicPointN/Ni/Ne Provisioning Profile to apply to all SonicPointN/Ni/Nes connected to this zone. Whenever a SonicPointN/Ni/Ne connects to this zone, it is automatically provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings. The default provisioning profile is SonicPointN.

  11. Select the SonicPoint N Dual Radio Provisioning Profile to apply to all SonicPointNDRs connected to this zone. Whenever a SonicPointNDR connects to this zone, it is automatically provisioned by the settings in the SonicPointNDR Provisioning Profile, unless you have individually configured it with different settings. The default provisioning profile is SonicPointNDR.

  12. Select SonicPointACe/ACi/N2 Provisioning Profile when you want to apply to all SonicPointACe/ACi/N2s connected to this zone. Whenever a SonicPointACe/ACi/N2 connects to this zone, it is automatically provisioned by the settings in the SonicPointACe/ACi/N2 Provisioning Profile, unless you have individually configured it with different settings. The default provisioning profile is SonicPointACe/ACi/N2.

  13. Select SonicWave Provisioning Profile when you want to apply to all SonicPointNDRs connected to this zone. Whenever a SonicPointNDR connects to this zone, it is automatically provisioned by the settings in the SonicPointNDR Provisioning Profile, unless you have individually configured it with different settings. The default provisioning profile is SonicWave.

  14. Select Only allow traffic generated by a SonicPoint/SonicWave to allow only traffic from SonicWall SonicPoints to enter the WLAN zone interface. This gives your WLAN the strictest protection. This option is selected by default. Clear this option if you want to allow any traffic on your WLAN zone regardless of whether the traffic is from a wireless connection.

    To allow any traffic on your WLAN zone regardless of whether it is from a wireless connection, clear Only allow traffic generated by a SonicPoint / SonicPointN.

    For Guest Services configuration information, see Configuring a Zone for Guest Access. For RADIUS server configuration information, see Configuring the RADIUS Server.

  15. Optionally, select Prefer SonicPoint/SonicWave 2.4GHz Auto Channel Selection to be 1, 6 and 11 only. This option is not selected by default.

    Enable this option only when SonicPointN/AC 2.4GHz Auto Channel selection is preferred to be 1, 6, and 11.

  16. Select Enforce SonicWave license activation from secure trusted license manager.

    This option enforces license activation from a secure trusted license manager; manual license keyset input is not allowed. Change this setting only under the direction of Technical Support.

  17. Select Disable SonicPoint/SonicWave management to disable all management capabilities on this WLAN.
  18. To:

Configuring the RADIUS Server

The Radius Server tab is enabled or disabled based on the device.

  1. Navigate to Object > Match Objects > Zones.
  2. If you are configuring:

    • A new zone, click Add.

    • An existing zone, click the Edit icon for the WLAN zone.

    The Zone Settings dialog displays.

    Depending on the zone, there may also be views available for Guest Services, Wireless, and Radius Server. How to configure the General view is described in Adding a New Zone.

  3. If creating a new zone, select Wireless from Security Type. Guest Services, Wireless, and Radius Server appear.

  4. Click the Radius Server tab.

  5. Select Enable Local Radius Server. The other options become available.

  6. Enter the number of RADIUS servers per interface in Server Numbers Per Interface. The minimum is 1, the maximum is 512, and the default is 2.

  7. Enter the port for the RADIUS server in the Radius Server Port field. The default is 1812.

  8. Enter the password for the RADIUS client in the Radius Client Password field.

  9. Optionally, select Enable Local Radius Server TLS Cache lifetime. This option is not selected by default. The Cache Lifetime(h) field becomes available.

    • Enter the lifetime, in hours, in the Cache Lifetime(h) field. The minimum and default is 1 hour; the maximum is 99999 hours.

  10. Choose the database access method from Database Access Settings:

    • LDAP Server – More options appear; go to Step 11.

    • Active Directory – More options appear; go to Step 18.

  11. Enter the name or IP address of the LDAP server in the Name or IP address field.

  12. Enter the base distinguished name in the Base DN field.

  13. Enter the Identity distinguished name in the Identity DN field.

  14. Enter the distinguished name password in the Identity DN Password field.

  15. To enable LDAP Transport Layer Security (TLS), select Enable Ldap TLS. This option is not selected by default.

  16. To enable LDAP cache, select Enable Ldap Cache. The Ldap Cache Lifetime(s) field becomes active.

    • Enter the lifetime, in seconds, in the Ldap Cache Lifetime(s) field; the minimum is 1, the maximum is 99999, and the default is 86400.

  17. Go to Step 22.

  18. Enter the domain name in the Domain field.

  19. Enter the full name of the Active Directory in the Full Name field.

  20. Enter the user name of the administrator user in the Admin User Name field.

  21. Enter the password of the administrator user in the Admin User Password field.

  22. Click Save.
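The settings in steps 7 and 8 above (Radius Server Port, default 1812, and Radius Client Password) describe the contract between a RADIUS client such as an access point and the zone's local RADIUS server. The following is an added example, not SonicWall code, that walks through that exchange offline: it builds an Access-Request with the User-Password hidden as RFC 2865 describes, attaches an HMAC-MD5 Message-Authenticator (RFC 3579), and then plays the server side, which checks the authenticator and recovers the password with the configured secret. It assumes the Radius Client Password is the RADIUS shared secret (an assumption; the page does not say so explicitly), and every user name, password and secret in it is constructed sample data.

```python
import hashlib
import hmac
import os
import struct

RADIUS_AUTH_PORT = 1812            # the page's default Radius Server Port
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_stream))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password; a wrong secret yields garbage, not an error."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(encoded), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key_stream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Client side (the access point): Access-Request with User-Password plus a
    Message-Authenticator computed over the packet with the MA value zeroed."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    placeholder = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(placeholder)) + request_auth
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:20], attrs


def verify_message_authenticator(data: bytes, secret: bytes) -> bool:
    """Server side: recompute HMAC-MD5 over the packet with the MA value zeroed."""
    parse_packet(data)                       # structural validation first
    zeroed, received, pos = bytearray(data), None, 20
    while pos < len(data):
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = data[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += attr_len
    if received is None:
        return False                         # no authenticator: treat as unverified
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def server_decision(data: bytes, secret: bytes, users: dict) -> str:
    """What the zone's local RADIUS server does with the configured client password."""
    if not verify_message_authenticator(data, secret):
        return "reject: Message-Authenticator mismatch (client secret differs?)"
    code, _, request_auth, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        return "reject: not an Access-Request"
    fields = dict(attrs)
    user = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_user_password(fields[ATTR_USER_PASSWORD], secret, request_auth)
    return "accept" if users.get(user) == password else "reject: bad credentials"


if __name__ == "__main__":
    secret = b"constructed-client-password"   # constructed sample shared secret
    pkt = build_access_request(7, "guest01", "Wlan-Pa55", secret, "10.10.20.2")
    print(server_decision(pkt, secret, {"guest01": b"Wlan-Pa55"}))
    print(server_decision(pkt, b"wrong-secret", {"guest01": b"Wlan-Pa55"}))
```

Two things the walkthrough makes visible: the User-Password hiding is only as strong as the shared secret and the per-request authenticator, so a client configured with the wrong Radius Client Password produces a password that decodes to garbage and an authenticator that fails, and a Message-Authenticator is what lets the server detect a tampered or forged request rather than silently comparing a mangled password. Both are reasons to treat the value entered in step 8 with the same care as any other credential.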

Configuring DPI-SSL Granular Control per Zone

DPI-SSL granular control allows you to enable DPI-SSL on a per-zone basis rather than globally. You can enable both DPI-SSL Client and DPI-SSL Server per zone. For further information, see SonicOS Security Configuration.

Enabling Automatic Redirection to the User-Policy Page

SonicOS allows you to redirect a guest automatically to your guest-user policy page. If you enable this feature, also known as the zero-touch policy page redirection, the guest user is redirected automatically to your guest-user policy page. If you disable the feature, the guest must click Accept.

To enable automatic redirection to the user-policy page:

  1. Navigate to Object > Match Objects > Zones.
  2. Click either the:

    • Add icon to add a new zone.

    • Edit icon of an existing zone.

    The Zone Settings dialog displays.

  3. Type a name for the new zone in the Name field.

  4. Select a Security Type from the drop-down.
  5. Click the Guest Services tab.

  6. Select the Enable Guest Services option.

  7. Select the Enable Policy Page without authentication option.

  8. Click the Configure button. The Custom Login Page Settings dialog displays.

  9. Select the Auto Accept Policy Page option. This option is not selected by default.

  10. Click Save.

Deleting a Zone

To delete a user-created zone:

  1. Navigate to Object > Match Objects > Zones.

    The Delete icon is unavailable for predefined zones. You cannot delete these zones. Any zones that you create can be deleted.

  2. Click the Delete icon in the Configure column of the zone you want to delete.

To delete one or more user-created zones:

  1. Navigate to Object > Match Objects > Zones.

    The checkboxes are unavailable for predefined zones. You cannot delete these zones. Any zones that you create can be deleted.

  2. Select the checkboxes of zones to delete and click Delete Zones.
