SonicWALL 4500, 3500, NSA 5000 User Manual

Getting Started Guide
SonicWALL Network Security Appliances
NETWORK SECURITY
NSA 5000/4500/3500

Document Contents

This document contains the following sections:
- Pre-Configuration Tasks
- Registering Your Appliance on mysonicwall.com
- Deployment Scenarios
- Additional Deployment Configuration
- Support and Training Options
- Product Safety and Regulatory Information

SonicWALL NSA Series

[Figure: front and back views of the SonicWALL NSA appliance]
Form Factor: 1U rack-mountable
Dimensions: 17 x 13.25 x 1.75 in (43.18 x 33.65 x 4.44 cm)
Weight: 11.30 lbs/5.14 kg
WEEE Weight: 11.30 lbs/5.14 kg
Note: Always observe proper safety and regulatory guidelines when removing administrator-serviceable parts from the SonicWALL NSA appliance. Proper guidelines can be found in the Safety and Regulatory Information section, on page 66 of this guide.

Pre-Configuration Tasks

In this Section:
This section provides pre-configuration information. Review this section before setting up your SonicWALL NSA Series appliance.
- Check Package Contents
- Obtain Configuration Information
- The Front Panel
- The Back Panel

Check Package Contents

Before setting up your SonicWALL NSA appliance, verify that your package contains the following parts:
1. NSA Appliance
2. DB9 -> RJ45 (CLI) Cable
3. Standard Power Cord*
4. Ethernet Cable
5. Red Crossover Cable
6. Release Notes
7. Global Support Services Guide
8. Thank You Card
9. Getting Started Guide

Any Items Missing?

If any items are missing from your package, please contact SonicWALL support.
A listing of the most current support options is available online at:
<http://www.sonicwall.com/us/support.html>
*The included power cord is intended for use in North America only. For European Union (EU) customers, a power cord is not included.

Obtain Configuration Information

Please record and keep for future reference the following setup information:

Registration Information

Serial Number: Record the serial number found on the bottom panel of your SonicWALL appliance.
Authentication Code: Record the authentication code found on the bottom panel of your SonicWALL appliance.

Networking Information

LAN IP Address: Select a static IP address for your SonicWALL appliance that is within the range of your local subnet. If you are unsure, you can use the default IP address (192.168.168.168).
Subnet Mask: Record the subnet mask for the local subnet where you are installing your SonicWALL appliance.
Ethernet WAN IP Address: Select a static IP address for your Ethernet WAN. This setting only applies if you are already using an ISP that assigns a static IP address.

Administrator Information

Admin Name: Select an administrator account name. (default is admin)
Admin Password: Select an administrator password. (default is password)

Obtain Internet Service Provider (ISP) Information

Record the following information about your current Internet service:
If you connect using DHCP, please record:
- No information is usually required. Some providers may require a Host name:
If you connect using Static IP, please record:
- IP Address:
- Subnet Mask:
- Default Gateway:
- Primary DNS:
- DNS 2 (optional):
- DNS 3 (optional):
Note: If you are not using one of the network configurations above, refer to the SonicOS Enhanced Administrator’s Guide. You can locate this document online at
<http://www.sonicwall.com/us/support.html>.
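An added example, not part of the SonicWALL guide: a Python check of the worksheet values recorded in this section, plus the management-station address the guide later uses to reach http://192.168.168.168, before they are entered in the Setup Wizard. The dictionary keys, function names and sample addresses are assumptions constructed for illustration, and the LAN/WAN overlap rule is a general routing constraint rather than a statement from the guide.

```python
import ipaddress

# Factory-default administrator credentials stated in this guide.
DEFAULT_ADMIN = ("admin", "password")


def _iface(ip, mask):
    """Parse an address and dotted subnet mask into an interface object."""
    return ipaddress.ip_interface(f"{ip}/{mask}")


def _is_host(iface):
    """True unless the address is the subnet's network or broadcast address."""
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)


def check_worksheet(ws):
    """Return findings for a filled-in worksheet; an empty list means none."""
    try:
        lan = _iface(ws["lan_ip"], ws["lan_mask"])
        mgmt = ipaddress.ip_address(ws["mgmt_ip"]) if ws.get("mgmt_ip") else None
        wan = gw = None
        if ws.get("wan_ip"):  # static WAN only; DHCP records nothing
            wan = _iface(ws["wan_ip"], ws["wan_mask"])
            gw = ipaddress.ip_address(ws["wan_gateway"])
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    findings = []
    if not _is_host(lan):
        findings.append("LAN IP is the network or broadcast address")
    if mgmt is not None:
        if mgmt not in lan.network:
            findings.append("management station is outside the LAN subnet")
        elif mgmt == lan.ip:
            findings.append("management station reuses the appliance LAN IP")
    if wan is not None:
        if not _is_host(wan):
            findings.append("WAN IP is the network or broadcast address")
        if gw not in wan.network:
            findings.append("default gateway is outside the WAN subnet")
        elif gw == wan.ip:
            findings.append("default gateway equals the WAN IP")
        # Assumption (general routing constraint, not from the guide):
        # a NAT/Route gateway needs distinct LAN and WAN subnets.
        if lan.network.overlaps(wan.network):
            findings.append("LAN and WAN subnets overlap")
    if (ws.get("admin_name"), ws.get("admin_password")) == DEFAULT_ADMIN:
        findings.append("administrator account still uses admin/password")
    return findings


# Constructed sample worksheets (documentation addresses, not real networks).
GOOD = {"lan_ip": "192.168.168.168", "lan_mask": "255.255.255.0",
        "mgmt_ip": "192.168.168.20", "wan_ip": "203.0.113.10",
        "wan_mask": "255.255.255.248", "wan_gateway": "203.0.113.9",
        "admin_name": "fwadmin", "admin_password": "constructed-Passphrase-1"}
BAD = {"lan_ip": "10.1.1.0", "lan_mask": "255.255.255.0",
       "mgmt_ip": "10.1.2.5", "wan_ip": "203.0.113.10",
       "wan_mask": "255.255.255.248", "wan_gateway": "203.0.113.17",
       "admin_name": "admin", "admin_password": "password"}

if __name__ == "__main__":
    for name, ws in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_worksheet(ws) or "no findings")
```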

The Front Panel

[Figure: front panel of the appliance with callouts A through E]
Feature: Description
- Console Port: Used to access the SonicOS Command Line Interface (CLI) via the DB9 -> RJ45 cable.
- USB Ports (2): Future extension.
- Reset Button: Press and hold the button for a few seconds to manually reset the appliance using SafeMode.
- LED (from left to right):
  - Power LED: Indicates the SonicWALL NSA appliance is powered on.
  - Test LED: Flickering: Indicates the appliance is initializing. Steady blinking: Indicates the appliance is in SafeMode. Solid: Indicates that the appliance is in test mode.
  - Alarm LED: Indicates an alarm condition.
- X0-X5 (Copper): Gigabit Ethernet ports.

The Back Panel

[Figure: back panel of the appliance with callouts A and B]
Feature: Description
- Fans (2): The SonicWALL NSA Series includes two fans for system temperature control.
- Power Supply: The SonicWALL NSA Series power supply.

Registering Your Appliance on mysonicwall.com

In this Section:
This section provides instructions for registering your SonicWALL NSA Series appliance.
- Before You Register
- Creating a mysonicwall.com Account
- Registering and Licensing Your Appliance on mysonicwall.com
- Licensing Security Services and Software
- Registering a Second Appliance as a Backup
Note: Registration is an important part of the setup process and is necessary in order to receive the benefits of SonicWALL security services, firmware updates, and technical support.

Before You Register

You need a mysonicwall.com account to register the SonicWALL NSA appliance. You can create a new mysonicwall.com account on www.mysonicwall.com or directly from the SonicWALL management interface. This section describes how to create an account by using the Web site.
You can use mysonicwall.com to register your SonicWALL appliance and activate or purchase licenses for Security Services, ViewPoint Reporting and other services, support, or software before you even connect your device. This allows you to prepare for your deployment before making any changes to your existing network.
For a High Availability configuration, you must use mysonicwall.com to associate a backup unit that can share the Security Services licenses with your primary SonicWALL.
Note: Your SonicWALL NSA appliance does not need to be powered on during account creation or during the mysonicwall.com registration and licensing process.
Note: After registering a new SonicWALL appliance on mysonicwall.com, you must also register the appliance from the SonicOS management interface. This allows the unit to synchronize with the SonicWALL License Server and to share licenses with the associated appliance, if any. See Accessing the Management Interface - page 22.
If you already have a mysonicwall.com account, go to Registering and Licensing Your Appliance on mysonicwall.com to register your appliance on mysonicwall.com.

Creating a mysonicwall.com Account

To create a mysonicwall.com account, perform the following steps:
1. In your browser, navigate to www.mysonicwall.com.
2. In the login screen, if you are not a registered user, click Not a registered user?
3. Complete the Registration form and then click Register.
4. Verify that the information is correct and then click Submit.
5. In the screen confirming that your account was created, click Continue.

Registering and Licensing Your Appliance on mysonicwall.com

This section contains the following subsections:
- Product Registration
- Licensing Security Services and Software
- Registering a Second Appliance as a Backup
- Registration Next Steps

Product Registration

You must register your SonicWALL security appliance on mysonicwall.com to enable full functionality.
1. Log in to your mysonicwall.com account. If you do not have an account, you can create one at sonicwall.com <http://www.sonicwall.com/us/support.html>.
2. On the main page, in the Register A Product field, type the appliance serial number and then click Next.
3. On the My Products page, under Add New Product, type the friendly name for the appliance, select the Product Group if any, type the authentication code into the appropriate text boxes, and then click Register.
4. On the Product Survey page, fill in the requested information and then click Continue.

Licensing Security Services and Software

The Service Management - Associated Products page in www.mysonicwall.com lists security services, support options, and software such as ViewPoint that you can purchase or try with a free trial. For details, click the Info button. Your current licenses are indicated in the Status column with either a license key or an expiration date. You can purchase additional services now or at a later time.
The following products and services are available for the SonicWALL NSA Series:
Service Bundles:
- Client/Server Anti-Virus Suite
- Comprehensive Gateway Security Suite
Gateway Services:
- Gateway AV/ Anti-Spyware/ Intrusion Prevention/ Application Firewall
- Content Filtering: Premium Edition
- Stateful High Availability Upgrade (Standard for NSA 5000/4500 appliances, subscription upgrade required for NSA 3500 Appliances)
Desktop and Server Software:
- Enforced Client Anti-Virus and Anti-Spyware
- Global VPN Client/ Global VPN Client Enterprise
- Global Management System
- ViewPoint
Support Services:
- Dynamic Support 8x5
- Dynamic Support 24x7
- Software and Firmware Updates
To manage your licenses, perform the following tasks:
1. In the mysonicwall.com Service Management - Associated Products page, check the Applicable Services table for services that your SonicWALL appliance is already licensed for. Your initial purchase may have included security services or other software bundled with the appliance. These licenses are enabled on mysonicwall.com when the SonicWALL appliance is delivered to you.
2. If you purchased a service subscription or upgrade from a sales representative separately, you will have an Activation Key for the product. This key is emailed to you after online purchases, or is on the front of the certificate that was included with your purchase. Locate the product on the Services Management page and click Enter Key in that row.
3. In the Activate Service page, type or paste your key into the Activation Key field and then click Submit. Depending on the product, you will see an Expire date or a license key string in the Status column when you return to the Service Management page.
4. To license a product or service, do one of the following:
- To try a Free Trial of a service, click Try in the Service Management page. A 30-day free trial is immediately activated. The Status page displays relevant information including the activation status, expiration date, number of licenses, and links to installation instructions or other documentation. The Service Management page is also updated to show the status of the free trial.
- To purchase a product or service, click Buy Now.
5. In the Buy Service page, type the number of licenses you want in the Quantity column for either the 1 year, 2 year, or 3 year license row and then click Add to Cart.
6. In the Checkout page, follow the instructions to complete your purchase.
The mysonicwall.com server will generate a license key for the product. The key is added to the license keyset. You can use the license keyset to manually apply all active licenses to your SonicWALL appliance.

Registering a Second Appliance as a Backup

To ensure that your network stays protected if your SonicWALL appliance has an unexpected failure, you can associate a second SonicWALL of the same model as the first in a high availability (HA) pair. You can associate the two appliances as part of the registration process on mysonicwall.com. This feature is enabled on the NSA 5000 and NSA 4500 appliances, but requires a separate license to be enabled on the NSA 3500. The second SonicWALL will automatically share the Security Services licenses of the primary appliance.
To register a second appliance and associate it with the primary, perform the following steps:
1. Log in to your mysonicwall.com account.
2. On the main page, in the Register A Product field, type the appliance serial number and then click Next.
3. On the My Products page, under Add New Product, type the friendly name for the appliance, select the Product Group if any, type the authentication code into the appropriate text boxes, and then click Register.
4. On the Product Survey page, fill in the requested information and then click Continue. The Create Association Page is displayed.
5. On the Create Association Page, click the radio button to select the primary unit for this association, and then click Continue. The screen only displays units that are not already associated with other appliances.
6. On the Service Management - Associated Products page, scroll down to the Associated Products section to verify that your product registered successfully. You should see the HA Primary unit listed in the Parent Product section, as well as a Status value of 0 in the Associated Products / Child Product Type section.
7. Although the Stateful High Availability Upgrade and all the Security Services licenses can be shared with the HA Primary unit, you must purchase a separate ViewPoint license for the backup unit. This will ensure that you do not miss any reporting data in the event of a failover. Under DESKTOP & SERVER SOFTWARE, click Buy Now for ViewPoint. Follow the instructions to complete the purchase.
To return to the Service Management - Associated Products page, click the serial number link for this appliance.

Registration Next Steps

Your SonicWALL NSA HA Pair is now registered and licensed on mysonicwall.com. To complete the registration process in SonicOS and for more information, see:
- Accessing the Management Interface
- Activating Licenses in SonicOS
- Enabling Security Services in SonicOS
- Applying Security Services to Network Zones

Deployment Scenarios

In this Section:
This section provides detailed overviews of advanced deployment scenarios as well as configuration instructions for connecting your SonicWALL NSA Series.
- Selecting a Deployment Scenario
- Scenario A: NAT/Route Mode Gateway
- Scenario B: State Sync Pair in NAT/Route Mode
- Scenario C: L2 Bridge Mode
- Initial Setup
- Upgrading Firmware on Your SonicWALL
- Configuring a State Sync Pair in NAT/Route Mode
- Configuring L2 Bridge Mode
Tip: Before completing this section, fill out the information in Obtain Configuration Information - page 5. You will need to enter this information during the Setup Wizard.

Selecting a Deployment Scenario

[Figure: overview diagrams of deployment scenarios A, B and C]
Before continuing, select a deployment scenario that best fits your network scheme. Reference the table below and the diagrams on the following pages for help in choosing a scenario.

| Current Gateway Configuration | New Gateway Configuration | Use Scenario |
| --- | --- | --- |
| No gateway appliance | Single SonicWALL NSA as a primary gateway. | A - NAT/Route Mode Gateway |
| No gateway appliance | Pair of SonicWALL NSA appliances for high availability. | B - NAT with State Sync Pair |
| Existing Internet gateway appliance | SonicWALL NSA as replacement for an existing gateway appliance. | A - NAT/Route Mode Gateway |
| Existing Internet gateway appliance | SonicWALL NSA in addition to an existing gateway appliance. | C - L2 Bridge Mode |
| Existing SonicWALL gateway appliance | SonicWALL NSA in addition to an existing SonicWALL gateway appliance. | B - NAT with State Sync Pair |

- Scenario A: NAT/Route Mode Gateway
- Scenario B: State Sync Pair in NAT/Route Mode
- Scenario C: L2 Bridge Mode

Scenario A: NAT/Route Mode Gateway

[Figure: Scenario A diagram showing the SonicWALL NSA, ISP 1 and the Internet]
For new network installations or installations where the SonicWALL NSA Series is replacing the existing network gateway.
In this scenario, the SonicWALL NSA Series is configured in NAT/Route mode to operate as a single network gateway. Two Internet sources may be routed through the SonicWALL appliance for load balancing and failover purposes. Because only a single SonicWALL appliance is deployed, the added benefits of high availability with a stateful synchronized pair are not available.
To set up this scenario, follow the steps covered in the Initial Setup section. If you have completed setup procedures in that section, continue to the Additional Deployment Configuration section, on page 37 to complete configuration.

Scenario B: State Sync Pair in NAT/Route Mode

[Figure: Scenario B diagram showing SonicWALL NSA 1 and SonicWALL NSA 2 as an HA / Failover Pair joined by an HA Link, the Local Network and the Internet]

For network installations with two SonicWALL NSA Series appliances of the same model configured as a stateful synchronized pair for redundant high-availability networking.

In this scenario, one SonicWALL NSA Series operates as the primary gateway device and the other SonicWALL NSA Series is in passive mode. All network connection information is synchronized between the two devices so that the backup appliance can seamlessly switch to active mode without dropping any connections if the primary device loses connectivity.
To set up this scenario, follow the steps covered in the Initial Setup and the Configuring a State Sync Pair in NAT/Route Mode sections. If you have completed setup procedures in those sections, continue to the Additional Deployment Configuration section, on page 37 to complete configuration.

Scenario C: L2 Bridge Mode

[Figure: Scenario C diagram showing the SonicWALL NSA, an L2 Bridge Link, a Third Party Gateway, and the Internet or LAN Segment 2]
For network installations where the SonicWALL NSA Series is running in tandem with an existing network gateway.
In this scenario, the original gateway is maintained. The SonicWALL NSA Series is integrated seamlessly into the existing network, providing the benefits of deep packet inspection and comprehensive security services on all network traffic.
L2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration. Using L2 Bridge Mode, a SonicWALL security appliance can be non-disruptively added to any Ethernet network to provide in-line deep-packet inspection for all traversing IPv4 TCP and UDP traffic. L2 Bridge Mode can pass all traffic types, including IEEE 802.1Q VLANs, Spanning Tree Protocol, multicast, broadcast and IPv6.
To set up this scenario, follow the steps covered in the Initial Setup and the Configuring L2 Bridge Mode sections. If you have completed setup procedures in those sections, continue to the Additional Deployment Configuration section, on page 37 to complete configuration.

Initial Setup

[Figure: Initial setup diagram showing the Management Station on X0 of the SonicWALL NSA and the Internet on X1]
This section provides initial configuration instructions for connecting your SonicWALL NSA Series. Follow these steps if you are setting up Scenario A, B, or C.
This section contains the following sub-sections:
- System Requirements
- Connecting the WAN Port
- Connecting the LAN Port
- Applying Power
- Accessing the Management Interface
- Accessing the Setup Wizard
- Connecting to Your Network
- Testing Your Connection
- Activating Licenses in SonicOS

System Requirements

Before you begin the setup process, check to verify that you have:
- An Internet connection
- A Web browser supporting JavaScript and HTTP uploads

| Accepted Browser | Browser Version Number |
| --- | --- |
| Internet Explorer | 6.0 or higher |
| Firefox | 2.0 or higher |
| Netscape | 9.0 or higher |
| Opera | 9.10 or higher for Windows |
| Safari | 2.0 or higher for MacOS |

Connecting the WAN Port

1. Connect one end of an Ethernet cable to your Internet connection.
2. Connect the other end of the cable to the X1 (WAN) port on your SonicWALL NSA Series appliance.

Connecting the LAN Port

1. Connect one end of the provided Ethernet cable to the computer you are using to manage the SonicWALL NSA Series.
2. Connect the other end of the cable to the X0 port on your SonicWALL NSA Series.
The Link LED above the X0 (LAN) port will light up in green or amber depending on the link throughput speed, indicating an active connection:
- Amber indicates 1 Gbps
- Green indicates 100 Mbps
- Unlit while the right (activity) LED is illuminated indicates 10 Mbps

Applying Power

1. Plug the power cord into an appropriate power outlet.
2. Turn on the power switch on the rear of the appliance next to the power cords.
The Power LEDs on the front panel light up blue when you plug in the SonicWALL NSA. The Alarm LED may light up and the Test LED will light up and may blink while the appliance performs a series of diagnostic tests.
When the Power LEDs are lit and the Test LED is no longer lit, the SonicWALL NSA is ready for configuration. This typically occurs within a few minutes of applying power to the appliance.
Note: If the Test or Alarm LEDs remain lit after the SonicWALL NSA appliance has been booted, restart the appliance by cycling power.

Accessing the Management Interface

The computer you use to manage the SonicWALL NSA Series must be set up to accept a dynamic IP address, or it must have an unused IP address on the 192.168.168.x/24 subnet, such as 192.168.168.20.
To access the SonicOS Enhanced Web-based management interface:
1. Start your Web browser.
Note: Disable pop-up blocking software or add the management IP address http://192.168.168.168 to your pop-up blocker’s allow list.
2. Enter http://192.168.168.168 (the default LAN management IP address) in the Location or Address field.
3. The SonicWALL Setup Wizard launches and guides you through the configuration and setup of your SonicWALL NSA appliance.
The Setup Wizard launches only upon initial loading of the SonicWALL NSA management interface.
4. Follow the on-screen prompts to complete the Setup Wizard.
Depending on the changes made during your setup configuration, the SonicWALL may restart.

Accessing the Setup Wizard

If you cannot connect to the SonicWALL NSA appliance or the Setup Wizard does not display, verify the following configurations:
- Did you correctly enter the management IP address in your Web browser?
- Are the Local Area Connection settings on your computer set to use DHCP or set to a static IP address on the 192.168.168.x/24 subnet?
- Do you have the Ethernet cable connected to your computer and to the X0 (LAN) port on your SonicWALL?
- Is the connector clip on your network cable properly seated in the port of the security appliance?
- Some browsers may not launch the Setup Wizard automatically. In this case:
  - Log into the SonicWALL NSA appliance using “admin” as the user name and “password” as the password.
  - Click the Wizards button on the System > Status page.
  - Select Setup Wizard and click Next to launch the Setup Wizard.
- Some pop-up blockers may prevent the launch of the Setup Wizard. You can temporarily disable your pop-up blocker, or add the management IP address of your SonicWALL (192.168.168.168 by default) to your pop-up blocker's allow list.