Key Features
Known Issues
Related Technical Documentation
Platform Compatibility
The SonicOS 5.6.5.1 release is supported on the following SonicWALL security appliances:
Internet Explorer 8.0 and higher
Chrome 4.0 and higher
Mozilla 3.0 and higher
Strong SSL and TLS Encryption Required in Your Browser
The internal SonicWALL Web server only supports SSL version 3.0 and TLS with strong ciphers (128 bits or
greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak
ciphers (symmetric ciphers less than 128 bits) are not supported. This heightened level of HTTPS security protects
against potential SSLv2 roll-back vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and
other security and risk-management standards.
TIP: By default, Mozilla Firefox 2.0 and Microsoft Internet Explorer 7.0 enable SSL 3.0 and TLS, and disable
SSL 2.0. SonicWALL recommends using the most recent Web browser releases. If you are using a previous
release of these browsers, you should enable SSL 3.0 and TLS and disable SSL 2.0. In Internet Explorer, go to
Tools > Internet Options, click the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to
Tools > Options, click the Advanced tab, and then select the Encryption tab.
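As an added illustration (not SonicWALL code), the following Python example parses a captured ClientHello and reports whether the browser's offer satisfies the policy stated above: SSL 3.0 or later and at least one cipher of 128 bits or greater. The suite table, function names and sample bytes are constructed for this example, and treating every SSL 2.0-format hello as failing is an assumption.

```python
import struct

MIN_VERSION = 0x0300  # SSL 3.0: oldest protocol the policy above accepts
MIN_KEY_BITS = 128    # "strong ciphers (128 bits or greater)"

# Constructed lookup table: a few IANA cipher suite IDs -> (name, key bits).
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}

def build_client_hello(version, suite_ids):
    """Build a minimal SSL 3.0/TLS ClientHello record (constructed sample input)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def assess_client_hello(data):
    """Report the offered version and suites, and whether they meet the policy."""
    result = {"format": "ssl3/tls", "version": None,
              "strong": [], "weak": [], "unknown": [], "ok": False}
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSL 2.0 record format: 2-byte length (high bit set), msg type 1, version.
        # Assumption of this example: any SSL 2.0-format hello fails the policy.
        result.update(format="ssl2", version=struct.unpack_from("!H", data, 3)[0])
        return result
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello record")
    result["version"] = struct.unpack_from("!H", data, 9)[0]
    pos = 44 + data[43]  # skip headers, version, random and session_id
    if pos + 2 > len(data):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", data, pos)
    raw = data[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("bad cipher suite list")
    for (sid,) in struct.iter_unpack("!H", raw):
        if sid not in SUITES:
            result["unknown"].append(f"0x{sid:04X}")
            continue
        name, bits = SUITES[sid]
        result["strong" if bits >= MIN_KEY_BITS else "weak"].append(name)
    result["ok"] = result["version"] >= MIN_VERSION and bool(result["strong"])
    return result
```

Suites missing from the table are listed under "unknown" and do not count toward the verdict, so extend the table before judging a real capture.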
SonicOS Enhanced 5.6.5.1 Release Notes
P/N 232-002002-00 Rev B
Licensing
Licensing for the Active/Active Clustering (including Stateful High Availability) and BGP Advanced Routing features
is included with the following SonicWALL NSA E-Class appliances, when registered:
To activate these licenses, register each appliance on MySonicWALL. Even when deployed in a High Availability
pair, each unit must be individually registered to activate the licenses.
When available, a SonicOS Expanded License can be purchased for the following SonicWALL appliances to
activate the BGP Advanced Routing feature:
SonicWALL TZ 200 / 200 Wireless-N
Note: Active/Active Clustering is supported only on SonicWALL NSA E-Class appliances.
No free trial is available for the BGP Advanced Routing feature.
Key Features
The following key features are available in SonicOS 5.6.5.1:
Active/Active Clustering High Availability: Active/Active Clustering is the most recent addition to the High
Availability feature set in SonicOS. A typical Active/Active Clustering deployment includes four firewalls of the
same SonicWALL model configured as two Cluster Nodes, where each node consists of one Stateful High
Availability pair. For larger deployments, the cluster can include eight firewalls, configured as four Cluster
Nodes.
With Active/Active Clustering, you can assign certain traffic flows to each node in the cluster, providing load
sharing in addition to redundancy, and supporting a much higher throughput without a single point of failure.
Earlier High Availability features, such as Stateful Synchronization and Active/Active DPI (previously called
Active/Active UTM), continue to be supported and are recommended for use in conjunction with Active/Active
Clustering.
Active/Active Clustering is supported only on SonicWALL NSA E-Class appliances.
BGP Advanced Routing: Border Gateway Protocol (BGP) advanced routing is a large-scale routing protocol
used to communicate routing information between Autonomous Systems (AS’s), which are well-defined,
separately administered network domains. BGP support allows for SonicWALL security appliances to replace a
traditional BGP router on the edge of a network's AS. The current SonicWALL implementation of BGP is most
appropriate for "single-provider / single-homed" environments, where the network uses one ISP as its Internet
provider and has a single connection to that provider. SonicWALL BGP is also capable of supporting
"single-provider / multi-homed" environments, where the network uses a single ISP but has a small number of separate
routes to the provider. Because BGP transmits packets in the clear, SonicWALL supports using an IPSec tunnel
for secure BGP sessions. The IPSec tunnel is configured independently within the VPN configuration section of
the SonicOS Web-based management interface, while BGP is enabled on the Network > Routing page and
then configured on the SonicOS Command Line Interface.
BGP Advanced Routing is available on all SonicWALL NSA and TZ appliances supported in SonicOS 5.6.5.1.
Link Aggregation: Link Aggregation provides the ability to group multiple Ethernet interfaces to form a trunk
which looks and acts like a single physical interface. SonicOS 5.6.5.1 supports Static Link Aggregation, in which
the two ends of the trunk have the same configuration. Up to 4 ports can be grouped to form a single aggregate
link. If any of the ports fail, SonicOS continues to pass traffic (at a diminished throughput) while there is at least
one active interface.
Link Aggregation is useful in deployments requiring more than 1 Gbps throughput for traffic flowing between two
interfaces. This feature is available on all SonicWALL NSA E-Class appliances.
Link Aggregation is supported only on SonicWALL NSA E-Class appliances.
Port Redundancy: Port Redundancy provides the ability to configure a second, redundant, physical interface
for any Ethernet interface on a SonicWALL NSA E-Class appliance. When the primary interface is active, it
handles all traffic to and from the interface. If the primary interface fails, the backup interface takes over and
handles all incoming and outgoing traffic. When the primary interface comes up again, it takes over all the traffic
handling duties from the backup interface.
This is very useful in high-end deployments to avoid a single point of failure, such as the connection to a switch.
With Port Redundancy, a second interface can be connected to the same or another switch to provide an
alternate path for the traffic.
Port Redundancy is supported only on SonicWALL NSA E-Class appliances.
The following are the key features supported in all versions of SonicOS 5.6:
Deep Packet Inspection of SSL encrypted data (DPI-SSL): Provides the ability to transparently decrypt
HTTPS and other SSL-based traffic, scan it for threats using SonicWALL’s Deep Packet Inspection
technology, then re-encrypt (or optionally SSL-offload) the traffic and send it to its destination if no threats or
vulnerabilities are found. This feature works for both client and server deployments. It provides additional
security, application control, and data leakage prevention functionality for analyzing encrypted HTTPS and
other SSL-based traffic. The following security services and features are capable of utilizing DPI-SSL:
Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Firewall,
Packet Monitor and Packet Mirror. DPI-SSL is supported on SonicWALL NSA models 240 and higher.
3G and Modem Support: SonicOS 5.6 supports 3G and Modem configurations for WAN Load Balancing
(WLB). (3G and Modem support is available on all NSA models except the SonicWALL NSA 2400.)
Command Line Interface Enhancements: Provides increased support through the command line
interface to configure and modify Network Address Translation (NAT) Policies, Access Rules, Service
Objects, and Service Groups.
Diagnostic Improvements: Includes a diagnostic tool which automatically checks the network
connectivity and service availability of several pre-defined functional areas of SonicOS. The tool also
returns results and attempts to describe causes, if any exceptions are detected.
Dynamic DNS per Interface: Provides the ability to assign a Dynamic DNS (DDNS) profile to a specific
WAN interface. This allows administrators who are configuring WAN Load Balancing to advertise a
predictable IP address to the DDNS service.
Increased DPI Connection Support: Provides the ability to increase the number of simultaneous
connections on which SonicWALL security appliances can apply Deep Packet Inspection (DPI) services
(Intrusion Prevention Service, Application Firewall, Gateway Anti-Virus, and Gateway Anti-Spyware). This
feature is intended for high-end (E-Class) customers who need to support a large number of concurrent
connections. (Note: There is a slight performance decrease when this option is enabled.)
FairNet for SonicPoint-N: Provides the ability to create policies that equally distribute bandwidth for all
wireless users connected to a SonicPoint-N.
MAC-IP Spoof Detection and Prevention: Provides additional protection against MAC address and IP
address based spoofing attacks (such as Man-in-the-Middle attacks) through configurable Layer 2 and
Layer 3 admission control.
Packet Mirroring: Provides the ability to capture copies of specified network packets from other ports.
This is commonly used for network appliances that require monitoring of network traffic, such as an
intrusion detection system. Customers can now gather data from one of the other ports on a SonicWALL to
look for threats and vulnerabilities and to aid diagnostics and troubleshooting.
Route-based VPN with Dynamic Routing Support: Extends support for advanced routing (either OSPF
or RIP) to VPN networks. This simplifies complex VPN deployments by enabling dynamic routing to
determine the best path that traffic should take over a VPN tunnel.
Signature Download through a Proxy Server: Provides the ability for SonicWALL security appliances to
download signatures even when they access the Internet through a proxy server. This feature also allows
for registration of SonicWALL security appliances through a proxy server without compromising privacy.
Single Sign-on for Terminal Services and Citrix: Provides support for transparent authentication of
users logged in from a Terminal Services or Citrix server. This transparent authentication enables
Application Firewall and CFS policy enforcement in Terminal Services and Citrix environments.
NOTE: The SonicWALL Terminal Services Agent is not supported in SonicOS 5.6.5.1 due to limitations of
current SSO agent functionality that prevent its use with Active/Active Clustering.
SSL VPN Enhancements: SonicOS 5.6 provides a number of SSL VPN enhancements:
  o Bookmarks for SSH and RDP: Provides support for users to create bookmarks on the SSL VPN
    Virtual Office to access systems using SSH, RDP, VNC, and Telnet services.
  o Granular User Controls: Allows network administrators to configure different levels of policy
    access for NetExtender users based on user ID.
  o One-Time Password: Provides additional security by requiring users to enter a randomly
    generated, single-use password in addition to the standard user name and password credentials.
  o Separate Port and Certificate Control: Provides separate port access for SSL VPN and HTTPS
    management certificate control, allowing administrators to close HTTPS management while leaving
    SSL VPN open.
  o Virtual Assist: Provides a remote assistance tool to SonicWALL security appliance users.
    SonicWALL Virtual Assist is a thin client remote support tool provisioned via a Web browser. It
    enables a technician to assume control of a customer’s PC or laptop for the purpose of providing
    remote technical assistance.
Unbounded Multiple WAN Support: Provides the ability to enable any number of WAN Ethernet
interfaces for WAN Load Balancing and Failover on SonicWALL appliances.
VPN Policy Bound to VLAN Interface: Allows users to bind a VPN policy to a VLAN interface when
configuring a site-to-site VPN.
WebCFS Server Failover: Provides the ability to enable WebCFS server failover, allowing a SonicWALL
security appliance to contact another server for URL rating information if the local server is unavailable. This
ensures performance continuity for Web navigation and Web content filtering functionality.