Sonicwall NSA E8500 Getting Started Guide

NSA E8500 Getting Started Guide

SonicWALL NSA E8500 Getting Started Guide

Welcome to Dynamic Security for the Global Network™.

The SonicWALL® E-Class Network Security Appliance (NSA) E8500 is designed to be the most scalable, reliable, and best performing multifunction threat appliance in its class.

This Getting Started Guide provides instructions for basic installation and configuration of the SonicWALL NSA E8500.

Setup

Step Procedure Est. Time

Pre-Configuration Tasks - page 3

Registering Your Appliance - page 13

Deployment Scenarios - page 19

Additional Deployment Configuration - page 41

Rack Mounting Instructions - page 59

Additional Configuration and Information

• Support and Training Options - page 51

• Product Safety and Regulatory Information - page 65

SonicWALL NSA E8500 Getting Started Guide Page 1

SonicWALL NSA E8500

Network Security Appliance

I o

E8500

Note: Always observe proper safety and regulatory guidelines when removing administrator-serviceable parts from the SonicWALL

NSA E8500. Proper guidelines can be found in the Product Safety and Regulatory Information section, on page 65 of this guide.

Page 2 SonicWALL NSA E8500

Pre-Configuration Tasks

In this Section:

This section provides pre-configuration information. Review this section before setting up your SonicWALL NSA E8500.

• Check Package Contents - page 4

• Obtain Configuration Information - page 5

• The Front Panel - page 6

• The Back Panel - page 7

• Front Bezel Control Features - page 8

• LAN IP Configuration Example - page 12

SonicWALL NSA E8500 Getting Started Guide Page 3

Check Package Contents

Before setting up your SonicWALL NSA E8500, verify that your package contains the following parts:

SonicWALL NSA E8500

Rack Kit

DB9 -> RJ45 (CLI) Cable

Standard Power Cord (2)*

Ethernet Cable

Red Crossover Cable

Getting Started Guide

Any Items Missing?

If any items are missing from your package, please contact SonicWALL support.

A listing of the most current support options is available online at:

<http://www.sonicwall.com/us/support.html>

*The included power cord is intended for use in North America only. The power cord is for AC mains installation only. Field conversion DC power cable is different, see “Safety and Regulatory Information” on page 66 for more information. For European Union (EU) customers, a power cord is not included.

Page 4 Check Package Contents

Network Security Appliance

(x2)

76543

E8500

Obtain Configuration Information

Please record and keep for future reference the following setup information:

Registration Information

Serial Number:

Authentication Code:

Networking Information

LAN IP Address:

. . .

Subnet Mask:

. . .

Ethernet WAN IP Address:

. . .

Record the serial number found on the bottom panel of your SonicWALL appliance.

Record the authentication code found on the bottom panel of your SonicWALL appliance.

Select a static IP address for your SonicWALL appliance that is within the range of your local subnet. If you are unsure, you can use the default IP address (192.168.168.168).

Record the subnet mask for the local subnet where you are installing your SonicWALL appliance.

Select a static IP address for your Ethernet WAN. This setting only applies

if you are already using an ISP that assigns a static IP address.

Administrator Information

Admin Name:

Admin Password:

Select an administrator account name. (default is admin)

Select an administrator password. (default is password)

Obtain Internet Service Provider (ISP) Information

Record the following information about your current Internet service:

If You connect using

DHCP No information is usually required: Some providers

Static IP IP Address: . . .

Please record

may require a Host name:

Subnet Mask: . . .

Default Gateway: . . .

Primary DNS: . . .

DNS 2 (optional): . . .

DNS 3 (optional): . . .

Note: If you are not using one of the network configurations

above, refer to the Guide <http://www.sonicwall.com/us/support.html>.

SonicOS Enhanced Administrator’s

SonicWALL NSA E8500 Getting Started Guide Page 5

The Front Panel

Console Port

Access the SonicOS Command Line Interface (CLI) via the DB9 -> RJ45 cable

Control Buttons

Navigate the LCD screen

LCD Screen

interface to display status, make conﬁguration changes, restart the appliance or boot into SafeMode

X4-X7 (SFP)

Hot-pluggable “small form-factor pluggable transceiver” interfaces for high speed ﬁber or copper Ethernet communication

HA Port

High Availability primary/secondary Gigabit Ethernet port

Page 6 The Front Panel

Network Security Appliance

USB Ports (2)

For future feature extensions

Reset Button

Press and hold for several seconds to manually reset the appliance

LED Indicators (left to right)

Power (2): Blue: Indicates power supplies are operating correctly,

yellow: Indicates an unconnected power supply or failure Test: Quick blinking: Initializing, slow blinking: SafeMode solid: test mode.

Alarm: alarm condition HD: Future extension

E8500

X0-X3 (Copper)

High speed Gigabit Ethernet ports

Bypass Status LED

Lit: Indicates when fail to wire bypass mode is armed

The Back Panel

Fans (2)

Dual auto-throttling fans for system temperature control

Expansion Bay

For SonicWall approved expansion modules

Power Supplies (2)

Dual power supplies for redundant AC power and added reliability Field conversion is available to convert to DC mains DC power supplies use different input connector and power cables

Note: See the Safety and Regulatory Information section, on page 66 for important additional information on power supply

requirements for the NSA E8500 appliance.

SonicWALL NSA E8500 Getting Started Guide Page 7

Front Bezel Control Features

Network Security Appliance

The SonicWALL Network Security Appliance E-Class is equipped with a front panel bezel interface that allows an administrator to customize certain aspects of the appliance or simply monitor its status without having to log into it through a separate terminal.

LCD Control Buttons

The LCD interface is controlled by a D-pad, consisting of four buttons: up, down, left, right. The table below describes the functions of the buttons:

Button Navigation Features Up/Down Selects options and navigates up and

down lists.

Left Cancels changes and returns to the

previous menu.

Right Confirms choices and enters menus.

Also sets the appliance to screen-saver mode when used from the main menu.

Icon Feature Description

LCD Screen

Control Buttons

Displays the front panel bezel interface which can be used to display status information, perform basic configurations, restart the appliance or boot the appliance in SafeMode.

Up, Down, Left and Right buttons, used to navigate the LCD menu system.

Note: Using the front bezel for configuration purposes prior to

completing initial setup will bypass the Setup Wizard’s automatic launch at startup.

Page 8 Front Bezel Control Features

Main Menu

Status

Upon booting the LCD display will initially show the Main Menu. The menu is made up of four options:

Contains basic status values including system resources, connections and port configuration values.

Allows configuration of basic system values including X0 (LAN) and X1 (WAN) port configuration. Requires system pin for access, default: 76642.

Provides the ability to restart the appliance. Requires system pin for access.

Provides the ability to restart and boot the appliance into SafeMode. Requires system pin for access.

Use the Up and Down button to select the menu you wish to enter and click the Right button to enter it.

The Status menu allows you to view specific aspects of the appliance. Once selected, the LCD displays the Status List. This list is navigated using the Up and Down buttons. Status options available include:

• Appliance serial number

• Firmware / ROM versions

• Appliance name

• Date and Time

• Uptime

• CPU statistical readings

• Current number of connections

• Interface (X0, X1) network settings

• Interface (X0, X1) data transfer statistics

The X1 DNS1-3 entries will only be displayed if they have been set from the Configure menu. If their value is still 0.0.0.0 (default value), they will not appear in the Status List.

SonicWALL NSA E8500 Getting Started Guide Page 9

Configure

The Configure Menu allows you to configure specific aspects of the appliance. Once selected, the LCD will display a PIN request.

Note: The Default PIN is 76642. This number spells SONIC

on a phone keypad. The PIN number can be changed from the System > Administration page.

All numbers are inputted using the 4 buttons. Select the individual digit field using the Left and Right button and select the desired number using the Up and Down Button. Digits increase incrementally from 0 to 9. Press the Right button to confirm your PIN and enter the Configuration Menu.

The appliance allows the user to navigate in and out of the Configuration Menu without having to re-enter the PIN. However, once the appliance enters Screen-Saver Mode, whether from the 6 second time out or from pressing the Left button from the Main Menu, the PIN number must be re-entered again to access the Configuration Menu.

After entering a new value for a setting in the configuration menu, you are asked if you want to commit changes. Using the 4-way D-pad, press the Right button for yes or the Left button for no.

If you choose yes, the screen notifies you that the settings are updated.

Page 10 Front Bezel Control Features

Configuration Options

Restart

This option allows you to configure network port settings for the appliance. Once selected, the LCD displays a list of configurable options. Status options available include:

• X0 IP and subnet

• X1 Mode

• X1 IP and subnet

• X1 Gateway

• X1 DNS settings (3 available)

• Restore defaults

The X1 Mode can be set to Static (default option) or to DHCP. If DHCP is selected, manual configuration options are not shown for X1 IP, subnet, gateway and DNS.

The Restore Defaults option will reset the appliance to default factory settings. If selected it will prompt for confirmation twice before restoring defaults.

If an option is selected but not modified, the appliance will display a message stating that no changes were made and will return the user to the edit value screen. If a change was made, it will prompt the user for confirmation before effecting the change.

This option allows you to safely restart without resorting to power cycling the appliance. Once selected, the LCD will display a confirmation prompt. Select Y for yes and press the Right button to confirm. The appliance will reboot.

SafeMode

This option will set the appliance to SafeMode. Once selected, the LCD will display a confirmation prompt. Select Y for yes and press the Right button to confirm. The appliance will change to SafeMode. Once SafeMode is enabled, the SonicWALL NSA E8500 must be controlled from the Web management interface.

Screen-Saver

If no button is pressed for over 60 seconds, or if the Left button is pressed from the Main Menu, the appliance will enter ScreenSaver mode. In this mode, the Status List will cycle, displaying every entry for a few seconds.

If the Up or Down button is pressed while in Screen-Saver mode, the appliance will display the adjacent status entry.

To exit Screen-Saver mode, press the Right button.

SonicWALL NSA E8500 Getting Started Guide Page 11

LAN IP Configuration Example

The SonicWALL NSA E8500 is assigned the default LAN IP of

192.168.168.168. The following example provides steps for changing the default IP address to 192.168.168.10.

1. Press Right to exit screen-saver mode if not at the root menu.

2. Press Down to select the Configuration entry.

3. Press Right to enter Configuration Mode.

4. Input PIN (76642 by default; SONIC on a phone keypad.)

a. Press Up or Down until the cursor displays 7,

press Right.

b. Continue this process until all of the numbers are

entered.

c. Press Right to commit changes.

5. Press Down until X1 IP is selected (four times).

6. Press Right to configure X1 IP.

7. Edit X1 IP: a. Press Right ten times to select the tenth digit.

b. Press UP or Down until the cursor displays 0. c. Press Right once to select the next digit. d. Press UP or Down until the cursor displays 1. e. Press Right once to select the next digit. f. Press Up or Down until the cursor displays 0.

g. Press Right to finish editing the X1 IP. h. Press Right again to confirm changes.

Page 12 LAN IP Configuration Example

Registering Your Appliance

In this Section:

This section provides instructions for registering your SonicWALL NSA E8500.

• Before You Register - page 14

• Creating a mysonicwall.com Account - page 15

• Registering and Licensing Your Appliance on mysonicwall.com - page 15

• Licensing Security Services and Software - page 16

• Registering a Second Appliance as a Backup - page 18

Note: Registration is an important part of the setup process and is necessary in order to receive the benefits of SonicWALL security

services, firmware updates, and technical support.

SonicWALL NSA E8500 Getting Started Guide Page 13

Before You Register

You need a mysonicwall.com account to register the SonicWALL NSA E8500. You can create a new mysonicwall.com account on <http://www.sonicwall.com> or directly from the SonicWALL management interface. This section describes how to create an account by using the Web site.

You can use mysonicwall.com to register your SonicWALL appliance and activate or purchase licenses for Security Services, ViewPoint Reporting and other services, support, or software before you even connect your device. This allows you to prepare for your deployment before making any changes to your existing network.

For a High Availability configuration, you must use mysonicwall.com to associate a backup unit that can share the Security Services licenses with your primary SonicWALL.

Note: Your SonicWALL NSA E8500 does not need to be

powered on during account creation or during the mysonicwall.com registration and licensing process.

Note: After registering a new SonicWALL appliance on

mysonicwall.com, you must also register the appliance from the SonicOS management interface. This allows the unit to synchronize with the SonicWALL License Server and to share licenses with the associated appliance, if any. See Accessing the Management

Interface - page 26.

Page 14 Before You Register

Creating a mysonicwall.com Account

To create a mysonicwall.com account, perform the following steps:

1. In your browser, navigate to

<http://www.mysonicwall.com>.

2. In the login screen, click If you are not a registered user,

Click here.

3. Complete the Registration form and then click Register.

4. Verify that the information is correct and then click Submit.

5. In the screen confirming that your account was created, click Continue.

Registering and Licensing Your Appliance on mysonicwall.com

This section contains the following subsections:

• Product Registration - page 15

• Licensing Security Services and Software - page 16

• Registering a Second Appliance as a Backup - page 18

• Registration Next Steps - page 18

Product Registration

You must register your SonicWALL security appliance on mysonicwall.com to enable full functionality.

1. Login to your mysonicwall.com account. If you do not have an account, you can create one at

<http://www.mysonicwall.com>.

2. On the main page, in the Register A Product field, type the appliance serial number and then click Next.

3. On the My Products page, under Add New Product, type the friendly name for the appliance, select the Product Group if any, type the authentication code into the appropriate text boxes, and then click Register.

4. On the Product Survey page, fill in the requested information and then click Continue.

SonicWALL NSA E8500 Getting Started Guide Page 15

Licensing Security Services and Software

The Service Management - Associated Products page in mysonicwall.com lists security services, support options, and software such as ViewPoint that you can purchase or try with a free trial. For details, click the Info button. Your current licenses are indicated in the Status column with either a license key or an expiration date. You can purchase additional services now or at a later time.

The following products and services are available for the SonicWALL NSA E8500:

• Service Bundles:

• Client/Server Anti-Virus Suite

• Comprehensive Gateway Security Suite

• Gateway Services:

• Gateway AV / Anti-Spyware/Intrusion Prevention Service / Application Firewall

• Content Filtering: Premium Edition

• Stateful High Availability (HA) Upgrade

• Application Firewall

• Desktop and Server Software:

• Enforced Client Anti-Virus and Anti-Spyware

• Global VPN Client

• Global VPN Client Enterprise

• VPN Policy Upgrade (for site-to-site VPN)

• Global Management System

• ViewPoint

• Support Services:

• Dynamic Support 24x7

• Software and Firmware Updates

• Consulting Services:

• Implementation Service

• GMS Preventive Maintenance Service

Page 16 Registering and Licensing Your Appliance on mysonicwall.com

To manage your licenses, perform the following tasks:

1. In the mysonicwall.com Service Management - Associated Products page, check the Applicable Services table for services that your SonicWALL appliance is already licensed for. Your initial purchase may have included security services or other software bundled with the appliance. These licenses are enabled on mysonicwall.com when the SonicWALL appliance is delivered to you.

2. If you purchased a service subscription or upgrade from a sales representative separately, you will have an Activation Key for the product. This key is emailed to you after online purchases, or is on the front of the certificate that was included with your purchase. Locate the product on the Services Management page and click Enter Key in that row.

3. In the Activate Service page, type or paste your key into the Activation Key field and then click Submit. Depending on the product, you will see an Expire date or a license key string in the Status column when you return to the Service Management page.

4. To license a product of service, do one of the following:

• To try a Free Trial of a service, click Try in the Service Management page. A 30-day free trial is immediately activated. The Status page displays relevant information including the activation status, expiration date, number of licenses, and links to installation instructions or other documentation. The Service Management page is also updated to show the status of the free trial.

• To purchase a product or service, click Buy Now.

5. In the Buy Service page, type the number of licenses you want in the Quantity column for either the 1 year, 2 year, or 3 year license row and then click Add to Cart.

6. In the Checkout page, follow the instructions to complete your purchase.

The mysonicwall.com server will generate a license key for the product. The key is added to the license keyset. You can use the license keyset to manually apply all active licenses to your SonicWALL appliance.

SonicWALL NSA E8500 Getting Started Guide Page 17

Registering a Second Appliance as a Backup

To ensure that your network stays protected if your SonicWALL appliance has an unexpected failure, you can associate a second SonicWALL with the first in a high availability (HA) pair. You can associate the two appliances as part of the registration process on mysonicwall.com. The second SonicWALL will automatically share the Security Services licenses of the primary appliance.

6. On the Service Management - Associated Products page, scroll down to the Associated Products section to verify that your product registered successfully. You should see the HA Primary unit listed in the Parent Product section, as well as a Status value of 0 in the Associated Products / Child Product Type section.

To return to the Service Management - Associated Products page, click the serial number link for this appliance.

To register a second appliance and associate it with the primary, perform the following steps:

1. Login to your mysonicwall.com account.

2. On the main page, in the Register A Product field, type the appliance serial number and then click Next.

4. On the Product Survey page, fill in the requested information and then click Continue. The Create Association Page is displayed.

5. On the Create Association Page, click the radio button to select the primary unit for this association, and then click Continue. The screen only displays units that are not already associated with other appliances.

Page 18 Registering and Licensing Your Appliance on mysonicwall.com

Registration Next Steps

Your SonicWALL NSA E8500 or E8500 HA Pair is now registered and licensed on mysonicwall.com. To complete the registration process in SonicOS and for more information, see:

• Accessing the Management Interface - page 26

• Activating Licenses in SonicOS - page 28

• Enabling Security Services in SonicOS - page 48

• Applying Security Services to Zones - page 48

Deployment Scenarios

In this Section:

This section provides detailed overviews of advanced deployment scenarios as well as configuration instructions for connecting your SonicWALL NSA E8500.

• Selecting a Deployment Scenario - page 20

• Scenario A: NAT/Route Mode Gateway - page 21

• Scenario B: State Sync Pair in NAT/Route Mode - page 22

• Scenario C: L2 Bridge Mode - page 23

• Initial Setup - page 24

• Configuring a State Sync Pair in NAT/Route Mode - page 32

• Configuring L2 Bridge Mode - page 39

Tip: Before completing this section, fill out the information in Obtain Configuration Information - page 5. You will need to enter this

information during the Setup Wizard.

SonicWALL NSA E8500 Getting Started Guide Page 19

Selecting a Deployment Scenario

Before continuing, select a deployment scenario that best fits your network scheme. Reference the table below and the diagrams on the following pages for help in choosing a scenario.

Current Gateway Configuration New Gateway Configuration Use Scenario

No gateway appliance Single SonicWALL NSA as a primary gateway. A - NAT/Route Mode Gateway

Pair of SonicWALL NSA appliances for high availability.

Existing Internet gateway appliance SonicWALL NSA as replacement for an existing

gateway appliance.

SonicWALL NSA in addition to an existing gateway appliance.

Existing SonicWALL gateway appliance SonicWALL NSA in addition to an existing

SonicWALL gateway appliance.

B - NAT with State Sync Pair

A - NAT/Route Mode Gateway

C - L2 Bridge Mode

B - NAT with State Sync Pair

Network Security Appliance

E8500

SonicPoint

Network Security Appliance

Scenario A: NAT/Route Mode Gateway - page 21 Scenario B: State Sync Pair in NAT/Route Mode - page 22 Scenario C: L2 Bridge Mode - page 23

Page 20 Selecting a Deployment Scenario

Network Security Appliance

E8500

Network Security Appliance

E8500

SonicPoint

E8500

Scenario A: NAT/Route Mode Gateway

For new network installations or installations where the SonicWALL NSA E8500 is replacing the existing network gateway.

In this scenario, the SonicWALL NSA E8500 is configured in NAT/Route mode to operate as a single network gateway. Two Internet sources may be routed through the SonicWALL appliance for load balancing and failover purposes. Because only a single SonicWALL appliance is deployed, the added benefits of high availability with a stateful synchronized pair are not available.

To set up this scenario, follow the steps covered in:

• Initial Setup - page 24

• Additional Deployment Configuration - page 41

Next... Be sure to follow the steps in the Initial Setup

section, on page 24 before completing Additional Deployment Configurations.

DMZ Zone

SonicWALL NSA E-Class

Network Security Appliance

SonicPoint

WLAN Zone

LAN Zone

E8500

ISP 1

Internet

SonicWALL NSA E8500 Getting Started Guide Page 21

Scenario B: State Sync Pair in NAT/Route Mode

For network installations with two SonicWALL NSA E-Series appliances configured as a stateful synchronized pair for redundant high-availability networking.

In this scenario, one SonicWALL NSA E8500 operates as the primary gateway device and the other SonicWALL NSA E8500 is in passive mode. All network connection information is synchronized between the two devices so that the backup appliance can seamlessly switch to active mode without dropping any connections if the primary device loses connectivity.

SonicWALL HA/Failover Pair

SonicWALL NSA E-Class 1

Network Security Appliance

SonicWALL NSA E-Class 2

Network Security Appliance

HA Link

E8500

To set up this scenario, follow the steps covered in:

• Initial Setup - page 24

• Configuring a State Sync Pair in NAT/Route Mode page 32

• Additional Deployment Configuration - page 41

Next... Be sure to follow the steps in the Initial Setup

section, on page 24 before completing State Sync Pair setup.

Page 22 Selecting a Deployment Scenario

Local Network

Scenario C: L2 Bridge Mode

For network installations where the SonicWALL NSA E8500 is running in tandem with an existing network gateway.

In this scenario, the original gateway is maintained. The SonicWALL NSA E8500 is integrated seamlessly into the existing network, providing the benefits of deep packet inspection and comprehensive security services on all network traffic.

L2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration. Using L2 Bridge Mode, a SonicWALL security appliance can be non-disruptively added to any Ethernet network to provide in-line deep-packet inspection for IPv4 TCP and UDP traffic.

To set up this scenario, follow the steps covered in:

• Initial Setup - page 24

• Configuring L2 Bridge Mode - page 39

• Additional Deployment Configuration - page 41

Next... Be sure to follow the steps in the Initial Setup

section, on page 24 before completing L2 Bridge Mode setup.

Third Party Gateway

SonicWALL NSA E-Class

Network Security Appliance

SonicPoint

WLAN Zone

L2 Bridge Link

LAN Zone

Internet or

LAN Segment 2

E8500

SonicWALL NSA E8500 Getting Started Guide Page 23

Initial Setup

This section provides initial configuration instructions for connecting your SonicWALL NSA E8500. Follow these steps if you are setting up Scenario A, B, or C.

This section contains the following sub-sections:

Accepted Browser

Internet Explorer 6.0 or higher

Firefox 2.0 or higher

Browser Version Number

• System Requirements - page 24

• Connecting the WAN Port - page 24

• Connecting the LAN Port - page 25

• Applying Power - page 25

• Accessing the Management Interface - page 26

• Using the Setup Wizard - page 26

• Connecting to Your Network - page 27

• Testing Your Connection - page 27

• Activating Licenses in SonicOS - page 28

• Upgrading Firmware on Your SonicWALL - page 29

System Requirements

Before you begin the setup process, check to verify that you have:

• An Internet connection

• A Web browser supporting Java Script and HTTP uploads

Page 24 Initial Setup

Netscape 9.0 or higher

Opera 9.10 or higher for

Windows

Safari 2.0 or higher for MacOS

Connecting the WAN Port

1. Connect one end of an Ethernet cable to your Internet connection.

2. Connect the other end of the cable to the X1 (WAN) port on your SonicWALL NSA E8500.

SonicWALL NSA E8500

Network Security Appliance

Management

Station

E8500

Internet

Connecting the LAN Port

1. Connect one end of the provided Ethernet cable to the computer you are using to manage the SonicWALL NSA E8500.

2. Connect the other end of the cable to the X0 port on your SonicWALL NSA E8500.

The Link LED above the X0 (LAN) port will light up in green or amber depending on the link throughput speed, indicating an active connection:

- Amber indicates 1 Gbps

- Green indicates 100 Mbps

- Unlit while the right (activity) LED is illuminated

indicates 10 Mbps

Applying Power

1. Connect the power cords from the NSA E8500 into appropriate power outlets. For further information on power requirements, see the Safety and Regulatory Information section, on page 66 of this document.

2. Turn on both power switches on the rear of the appliance next to the power cords.

The Power LEDs on the front panel light up blue when you plug in the SonicWALL NSA E8500. The Alarm LED may light up and the Test LED will light up and may blink while the appliance performs a series of diagnostic tests.

When the Power LEDs are lit and the Test LED is no longer lit, the SonicWALL NSA E8500 is ready for configuration. This typically occurs within a few minutes of applying power to the appliance.

Alert: When disconnecting power, be sure to remove both

power cords from the unit.

Note: Only one power supply is required for the appliance to

operate.

Note: If the Test or Alarm LEDs remain lit after the

SonicWALL NSA E8500 has booted, restart the appliance by cycling power.

SonicWALL NSA E8500 Getting Started Guide Page 25

Accessing the Management Interface

Using the Setup Wizard

The computer you use to manage the SonicWALL NSA E8500 must be set up to accept a dynamic IP address, or it must have an unused IP address on the 192.168.168.x/24 subnet, such as

192.168.168.20.

To access the SonicOS Enhanced Web-based management interface:

1. Start your Web browser.

2. Disable pop-up blocking software or add the management IP address http://192.168.168.168 to your pop-up blocker’s allow list.

3. Enter http://192.168.168.168 (the default LAN management IP address) in the Location or Address field.

4. The SonicWALL Setup Wizard launches and guides you through the configuration and setup of your SonicWALL NSA E8500.

Note: The Setup Wizard launches automatically only upon

initial loading of the SonicWALL NSA E8500 management interface.

5. Follow the on-screen prompts to complete the Setup Wizard.

Depending on the changes made during your setup configuration, the SonicWALL may restart.

If you cannot connect to the SonicWALL NSA E8500 or the Setup Wizard does not display, verify the following configurations:

• Did you correctly enter the SonicWALL NSA E8500 management IP address in your Web browser?

• Are the Local Area Connection settings on your computer set to use DHCP or set to a static IP address on the

192.168.168.x/24 subnet?

• Do you have the Ethernet cable connected to your computer and to the X0 (LAN) port on your SonicWALL?

• Is the connector clip on your network cable properly seated in the port of the security appliance?

• Some browsers may not launch the Setup Wizard automatically. In this case:

• Log into SonicWALL NSA E8500 using “admin” as the

user name and “password” as the password.

• Click the Wizards button on the System > Status

page.

• Select Setup Wizard and click Next to launch the

Setup Wizard.

• Some pop-up blockers may prevent the launch of the

Setup Wizard. You can temporarily disable your popup blocker, or add the management IP address of your SonicWALL (192.168.168.168 by default) to your popup blocker's allow list.

Page 26 Initial Setup

Connecting to Your Network

SonicWALL NSA E8500

Network Security Appliance

DMZ Zone

WLAN Zone

SonicPoint

The SonicWALL NSA E8500 ships with the internal DHCP server active on the LAN port. However, if a DHCP server is already active on your LAN, the SonicWALL will disable its own DHCP server to prevent conflicts.

As shown in the illustration on this page, ports X1 and X0 are preconfigured as WAN and LAN respectively. The remaining ports (X2-X7) can be configured to meet the needs of your network. In the graphical example on this page, the zones are: X1: WAN, X0: LAN, X2: WLAN, X7: DMZ.

The above example is only for reference, your own port to zone assignments depend on your networking goals and needs. Refer to the SonicOS Enhanced Administrator’s Guide for more advanced configuration deployments.

LAN Zone

E8500

Internet

Testing Your Connection

1. After you exit the Setup Wizard, the login page reappears.

Log back into the Management Interface and verify your IP and WAN connection.

2. Ping a site outside of your local network, such as:

<http://www.sonicwall.com>.

3. Open another Web browser and navigate to:

<http://www.sonicwall.com>.

If you can view the SonicWALL home page, you have configured your SonicWALL NSA E8500 correctly.

If you cannot view the SonicWALL home page, renew your management station DHCP address.

4. If you still cannot view a Web page, try one of these

solutions:

• Restart your Management Station to accept new network settings from the DHCP server in the SonicWALL security appliance.

• Restart your Internet Router to communicate with the DHCP Client in the SonicWALL security appliance.

SonicWALL NSA E8500 Getting Started Guide Page 27

Activating Licenses in SonicOS

After completing the registration process in SonicOS, you must perform the following tasks to activate your licenses and enable your licensed services from within the SonicOS user interface:

• Activate licenses

• Enable security services

• Apply services to network zones

This section describes how to activate your licenses. For instructions on how to enable security services and apply services to network zones, see the following sections:

• Enabling Security Services in SonicOS - page 48

• Applying Security Services to Zones - page 48

To activate licensed services in SonicOS, you can enter the license keyset manually, or you can synchronize all licenses at once with mysonicwall.com.

The Setup Wizard automatically synchronizes all licenses with mysonicwall.com if the appliance has Internet access during initial setup. If initial setup is already complete, you can synchronize licenses from the System > Licenses page.

Manual upgrade using the license keyset is useful when your appliance is not connected to the Internet. The license keyset includes all license keys for services or software enabled on mysonicwall.com. It is available on mysonicwall.com at the top of the Service Management page for your SonicWALL appliance.

To activate licenses in SonicOS:

1. Navigate to the System > Licenses page.

2. Under Manage Security Services Online do one of the following:

• Enter your mysonicwall.com credentials, then click the

Synchronize button to synchronize licenses with mysonicwall.com.

• Paste the license keyset into the Manual Upgrade

Keyset field.

3. Click Submit.

Page 28 Initial Setup

Upgrading Firmware on Your SonicWALL

Saving a Backup Copy of Your Preferences

The following procedures are for upgrading an existing SonicOS Enhanced image to a newer version:

• Obtaining the Latest Firmware - page 29

• Saving a Backup Copy of Your Preferences - page 29

• Upgrading the Firmware - page 30

• Using SafeMode to Upgrade Firmware - page 30

Obtaining the Latest Firmware

1. To obtain a new SonicOS Enhanced firmware image file for your SonicWALL security appliance, connect to your mysonicwall.com account at

<http://www.sonicwall.com>.

2. Copy the new SonicOS Enhanced image file to a convenient location on your management station.

Before beginning the update process, make a system backup of your SonicWALL security appliance configuration settings. The backup feature saves a copy of the current configuration settings on your SonicWALL security appliance, protecting all your existing settings in the event that it becomes necessary to return to a previous configuration state.

In addition to using the backup feature to save your current configuration state to the SonicWALL security appliance, you can export the configuration preferences file to a directory on your local management station. This file serves as an external backup of the configuration preferences, and can be imported back into the SonicWALL security appliance.

Perform the following procedures to save a backup of your configuration settings and export them to a file on your local management station:

1. On the System > Settings page, click Create Backup. Your configuration preferences are saved. The System Backup entry is displayed in the Firmware Management table.

2. To export your settings to a local file, click Export Settings. A popup window displays the name of the saved file.

SonicWALL NSA E8500 Getting Started Guide Page 29

Upgrading the Firmware

Using SafeMode to Upgrade Firmware

Perform the following steps to upload new firmware to your SonicWALL appliance and use your current configuration settings upon startup.

Tip: The appliance must be properly registered before it can

be upgraded. Refer to Registering and Licensing Your

Appliance on mysonicwall.com - page 15 for more

information.

1. Download the SonicOS Enhanced firmware image file from mysonicwall.com and save it to a location on your local computer.

2. On the System > Settings page, click Upload New Firmware.

3. Browse to the location where you saved the SonicOS Enhanced firmware image file, select the file and click the Upload button.

4. On the System > Settings page, click the Boot icon in the row for Uploaded Firmware or Uploaded Firmware with Factory Default Settings.

5. In the confirmation dialog box, click OK. The SonicWALL restarts and then displays the login page.

6. Enter your user name and password. Your new SonicOS Enhanced image version information is listed on the System > Settings page.

If you are unable to connect to the SonicWALL security appliance’s management interface, you can restart the SonicWALL security appliance in SafeMode. The SafeMode feature allows you to recover quickly from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page.

To use SafeMode to upgrade firmware on the SonicWALL security appliance, perform the following steps:

1. Connect your computer to the X0 port on the SonicWALL appliance and configure your IP address with an address on the 192.168.168.0/24 subnet, such as 192.168.168.20.

2. To configure the appliance in SafeMode, perform one of the following methods:

• Use a narrow, straight object, like a straightened paper

clip or a toothpick, to press and hold the reset button on the front of the security appliance for at least twenty seconds. See The Front Panel section, on page 6 to locate the reset button.

• Use the LCD control buttons on the front bezel to set

the appliance to SafeMode. Once selected, the LCD displays a confirmation prompt. Select Y and press the Right button to confirm. The SonicWALL security appliance changes to SafeMode.

The Test light starts blinking when the SonicWALL security appliance has rebooted into SafeMode.

Page 30 Initial Setup

3. Point the Web browser on your computer to

192.168.168.168. The SafeMode management interface displays.

4. If you have made any configuration changes to the security appliance, select the Create Backup On Next Boot checkbox to make a backup copy of your current settings. Your settings will be saved when the appliance restarts.

5. Click Upload New Firmware, and then browse to the location where you saved the SonicOS Enhanced firmware image, select the file and click the Upload button.

6. Select the boot icon in the row for one of the following:

• Uploaded Firmware - New!

Use this option to restart the appliance with your current configuration settings.

• Uploaded Firmware with Factory Defaults - New!

Use this option to restart the appliance with default configuration settings.

7. In the confirmation dialog box, click OK to proceed.

8. After successfully booting the firmware, the login screen is displayed. If you booted with factory default settings, enter the default user name and password (admin / password) to access the SonicWALL management interface.

Next... Use the table below to complete setup for your

scenario. Look for this “Next” icon to guide you to the next section.

If You Are Following Scenario...

A - NAT/Route Mode

Gateway

B - NAT with State Sync Pair

C - L2 Bridge Mode

Proceed to Section:

Additional Deployment Configuration - page 41

Configuring a State Sync Pair in NAT/Route Mode - page 32

Configuring L2 Bridge Mode -

page 39

SonicWALL NSA E8500 Getting Started Guide Page 31

Configuring a State Sync Pair in NAT/Route Mode

This section provides instructions for configuring a pair of SonicWALL NSA E8500 appliances for high availability (HA). This section is relevant to administrators following deployment scenario B.

This section contains the following sub-sections:

• Initial High Availability Setup - page 32

• Configuring High Availability - page 33

• Configuring Advanced HA Settings - page 33

• Synchronizing Settings - page 35

• Adjusting High Availability Settings - page 36

• Synchronizing Firmware - page 36

• HA License Configuration Overview - page 37

• Associating Pre-Registered Appliances - page 38

SonicWALL

HA / Failover Pair

SonicWALL NSA E-Class 1

Network Security Appliance

SonicWALL NSA E-Class 2

Network Security Appliance

HA Link

E8500

Local Network

E8500

Internet

Initial High Availability Setup

Before you begin the configuration of HA on the Primary SonicWALL security appliance, perform the following setup:

• On the bottom panel of the Backup SonicWALL security appliance, locate the serial number and write the number down. You need to enter this number in the High Availability > Settings page.

• Verify that the Primary SonicWALL and Backup SonicWALL security appliances are registered, running the same SonicOS Enhanced versions.

• Make sure the Primary SonicWALL and Backup SonicWALL security appliances’ LAN, WAN and other interfaces are properly configured for failover.

• Connect the HA ports on the Primary SonicWALL and Backup SonicWALL appliances with a CAT6-rated crossover cable (red crossover cable). The Primary and Backup SonicWALL security appliances must have a dedicated connection using the HA interface. SonicWALL recommends cross-connecting the two together using a CAT 6 crossover Ethernet cable, but a connection using a dedicated 100Mbps hub/switch is also valid.

• Power up the Primary SonicWALL security appliance, and then power up the Backup SonicWALL security appliance.

• Do not make any configuration changes to the Primary’s HA interface; the High Availability configuration in an upcoming step takes care of this issue. When done, disconnect the workstation.

Page 32 Configuring a State Sync Pair in NAT/Route Mode

Configuring High Availability

The first task in setting up HA after initial setup is configuring the High Availability > Settings page on the Primary SonicWALL security appliance. Once you configure HA on the Primary SonicWALL security appliance, it communicates the settings to the Backup SonicWALL security appliance.

To configure HA on the Primary SonicWALL, perform the following steps:

1. Navigate to the High Availability > Settings page.

2. Select the Enable High Availability checkbox.

3. Under SonicWALL Address Settings, type in the serial number for the Backup SonicWALL appliance.

You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the backup unit. The serial number for the Primary SonicWALL is automatically populated.

4. Click Apply to retain these settings.

Configuring Advanced HA Settings

1. Navigate to the High Availability > Advanced page.

2. To configure Stateful HA, select Enable Stateful Synchronization. A dialog box is displayed with recommended settings for the Heartbeat Interval and Probe Interval fields. The settings it shows are minimum recommended values. Lower values may cause unnecessary failovers, especially when the SonicWALL is under a heavy load. You can use higher values if your SonicWALL handles a lot of network traffic. Click OK.

3. To backup the firmware and settings when you upgrade the firmware version, select Generate/Overwrite Backup Firmware and Settings When Upgrading Firmware.

4. Select the Enable Virtual MAC checkbox. Virtual MAC allows the Primary and Backup appliances to share a single MAC address. This greatly simplifies the process of updating network ARP tables and caches when a failover occurs. Only the WAN switch that the two appliances are connected to needs to be notified. All outside devices will continue to route to the single shared MAC address.

5. Optionally adjust the Heartbeat Interval to control how often the two units communicate. The default is 5000 milliseconds; the minimum recommended value is 1000 milliseconds. Less than this may cause unnecessary failovers, especially when the SonicWALL is under a heavy load.

6. Set the Probe Level for the interval in seconds between communication with upstream or downstream systems. SonicWALL recommends that you set the interval for at

SonicWALL NSA E8500 Getting Started Guide Page 33

least 5 seconds. You can set the Probe IP Address(es) on the High Availability > Monitoring screen.

7. Typically, SonicWALL recommends leaving the Failover

Trigger Level (missed heart beats), Election Delay Time (seconds), and Dynamic Route Hold-Down Time

fields to their default settings. These fields can be tuned later as necessary for your specific network environment.

- The Failover Trigger Level sets the number of heartbeats that can be missed before failing over.

- The Election Delay Time is the number of seconds allowed for internal processing between the two units in the HA pair before one of them takes the primary role.

- The Dynamic Route Hold-Down Time setting is used when a failover occurs on a HA pair that is using either RIP or OSPF dynamic routing. When a failover occurs, Dynamic Route Hold-Down Time is the number of seconds the newly-active appliance keeps the dynamic routes it had previously learned in its route table. During this time, the newly-active appliance relearns the dynamic routes in the network. When the Dynamic Route Hold-Down Time duration expires, it deletes the old routes and implements the new routes it has learned from RIP or OSPF. The default value is 45 seconds. In large or complex networks, a larger value may improve network stability during a failover.

8. Click the Include Certificates/Keys checkbox to have the appliances synchronize all certificates and keys.

9. Click Synchronize Settings to synchronize the settings between the Primary and Backup appliances.

10. Click Synchronize Firmware if you previously uploaded new firmware to your Primary unit while the Secondary unit was offline, and it is now online and ready to upgrade to the new firmware. Synchronize Firmware is typically used after taking your Secondary appliance offline while you test a new firmware version on the Primary unit before upgrading both units to it.

11. Click Apply to retain the settings on this screen.

Page 34 Configuring a State Sync Pair in NAT/Route Mode

Synchronizing Settings

Once you have configured the HA setting on the Primary SonicWALL security appliance, click the Synchronize Settings button. You should see a HA Peer Firewall has been updated message at the bottom of the management interface page. Also note that the management interface displays Logged Into: Primary SonicWALL Status: (green ball) Active in the upperright-hand corner.

By default, the Include Certificate/Keys setting is enabled. This specifies that Certificates, CRLs and associated settings (such as CRL auto-import URLs and OCSP settings) are synchronized between the Primary and Backup units. When Local Certificates are copied to the Backup unit, the associated Private Keys are also copied. Because the connection between the Primary and Backup units is typically protected, this is generally not a security concern.

Tip: A compromise between the convenience of

synchronizing Certificates and the added security of not synchronizing Certificates is to temporarily enable the Include Certificate/Keys setting and manually synchronize the settings, and then disable Include Certificate/Keys.

To verify that Primary and Backup SonicWALL security appliances are functioning correctly, wait a few minutes, then power off the Primary SonicWALL device. The Backup SonicWALL security appliance should quickly take over.

From your management workstation, test connectivity through the Backup SonicWALL by accessing a site on the public Internet – note that the Backup SonicWALL, when active, assumes the complete identity of the Primary, including its IP addresses and Ethernet MAC addresses.

Log into the Backup SonicWALL’s unique LAN IP address. The management interface should now display Logged Into: Backup SonicWALL Status: (green ball) Active in the upperright-hand corner.

Now, power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. If stateful synchronization is enabled (automatically disabling preempt mode), the management GUI should still display

Logged Into: Backup SonicWALL Status: (green ball) Active in the upper-right-hand corner.

If you are using the Monitor Interfaces feature, experiment with disconnecting each monitored link to ensure correct configuration.

SonicWALL NSA E8500 Getting Started Guide Page 35

Adjusting High Availability Settings

Synchronizing Firmware

On the High Availability > Settings page, there are four userconfigurable timers that can be adjusted to suit your network’s needs:

• Heartbeat Interval (seconds) – This timer is the length of time between status checks. By default this timer is set to 5 seconds; using a longer interval will result in the SonicWALL taking more time to detect when/if failures have occurred.

• Failover Trigger Level (missed heart beats) – This timer is the number of heartbeats the SonicWALL will miss before failing over. By default, this time is set to 5 missed heart beats.This timer is linked to the Heartbeat Interval timer – for example, if you set the Heartbeat Interval to 10 seconds, and the Failover Trigger Level timer to 5, it will be 50 seconds before the SonicWALL fails over.

• Probe Interval – This timer controls the path monitoring speed. Path monitoring sends pings to specified IP addresses to monitor that the network critical path is still reachable. The default is 20 seconds, and the allowed range is from 5 to 255 seconds.

• Election Delay Time – This timer can be used to specify an amount of time the SonicWALL will wait to consider an interface up and stable, and is useful when dealing with switch ports that have a spanning-tree delay set.

Checking the Synchronize Firmware Upload and Reboot checkbox allows the Primary and Backup SonicWALL security appliances in HA mode to have firmware uploaded on both devices at once, in staggered sequence to ensure security is always maintained. During the firmware upload and reboot, you are notified via a message dialog box that the firmware is loaded on the Backup SonicWALL security appliance, and then the Primary SonicWALL security appliance. You initiate this process by clicking on the Synchronize Firmware button.

Page 36 Configuring a State Sync Pair in NAT/Route Mode

HA License Configuration Overview

You can configure HA license synchronization by associating two SonicWALL security appliances as HA Primary and HA Secondary on mysonicwall.com. Note that the Backup appliance of your HA pair is referred to as the HA Secondary unit on mysonicwall.com.

You must purchase a single set of security services licenses for the HA Primary appliance. To use Stateful HA, you must first activate the Stateful High Availability Upgrade license for the primary unit in SonicOS. This is automatic if your appliance is connected to the Internet. See Registering and Licensing Your

Appliance on mysonicwall.com - page 15.

License synchronization is used during HA so that the Backup appliance can maintain the same level of network protection provided before the failover. To enable HA, you can use the SonicOS UI to configure your two appliances as a HA pair in Active/Idle mode.

mysonicwall.com provides several methods of associating the two appliances. You can start by registering a new appliance, and then choosing an already-registered unit to associate it with. You can associate two units that are both already registered. Or, you can select a registered unit and then add a new appliance with which to associate it.

Note: After registering new SonicWALL appliances on

mysonicwall.com, you must also register each appliance from the SonicOS management interface by clicking the registration link on the System > Status page. This allows each unit to synchronize with the SonicWALL license server and share licenses with the associated appliance.

SonicWALL NSA E8500 Getting Started Guide Page 37

Associating Pre-Registered Appliances

To associate two already-registered SonicWALL security appliances so that they can use HA license synchronization, perform the following steps:

1. Login to mysonicwall.com.

2. In the left navigation bar, click My Products.

3. On the My Products page, under Registered Products, scroll down to find the appliance that you want to use as the parent, or primary, unit. Click the product name or serial number.

4. On the Service Management - Associated Products page, scroll down to the Associated Products section.

5. Under Associated Products, click HA Secondary.

6. On the My Product - Associated Products page, in the text boxes under Associate New Products, type the serial number and the friendly name of the appliance that you want to associate as the child/secondary/backup unit.

7. Select the group from the Product Group drop-down list. The product group setting specifies the mysonicwall users who can upgrade or modify the appliance.

8. Click Register.

Next... Continue to the Additional Deployment

Configuration section, on page 41.

Page 38 Configuring a State Sync Pair in NAT/Route Mode

Configuring L2 Bridge Mode

This section provides instructions to configure the SonicWALL NSA E8500 appliance in tandem with an existing Internet gateway device. This section is relevant to users following deployment scenario C.

This section contains the following sub-sections:

• Connection Overview - page 39

• Configuring the Primary Bridge Interface - page 39

• Configuring the Secondary Bridge Interface - page 40

Connection Overview

Connect the X1 port on your SonicWALL NSA E8500 to the LAN port on your existing Internet gateway device. Then connect the X0 port on your SonicWALL to your LAN resources.

Network Gateway

E8500

LAN

L2 Bridge Link

Internet or

LAN Segment 2

SonicWALL NSA E-Class

Network Security Appliance

Network Resources

Configuring the Primary Bridge Interface

The primary bridge interface is your existing Internet gateway device. The only step involved in setting up your primary bridge interface is to ensure that the WAN interface is configured for a static IP address. You will need this static IP address when configuring the secondary bridge.

Note: The primary bridge interface must have a static IP

assignment.

SonicWALL NSA E8500 Getting Started Guide Page 39

Configuring the Secondary Bridge Interface

Complete the following steps to configure the SonicWALL appliance:

1. Navigate to the Network > Interfaces page from the navigation panel.

2. Click the Configure icon in the right column of the X0 (LAN) interface.

3. In the IP Assignment drop-down, select Layer 2 Bridged Mode.

4. In the Bridged to drop-down, select the X1 interface.

5. Configure management options (HTTP, HTTPS, Ping, SNMP, SSH, User logins, or HTTP redirects).

Note: Do not enable Never route traffic on the bridge-pair

unless your network topology requires that all packets entering the L2 Bridge remain on the L2 Bridge segments. You may optionally enable the Block all non-IPv4 traffic setting to prevent the L2 bridge from passing non-IPv4 traffic.

Next... Continue to the Additional Deployment

Configuration section, on page 41

Page 40 Configuring L2 Bridge Mode

Additional Deployment Configuration

In this Section:

This section provides basic configuration information to begin building network security policies for your deployment. This section also contains several SonicOS diagnostic tools and a deployment configuration reference checklist.

• An Introduction to Zones and Interfaces - page 42

• Creating Network Access Rules - page 42

• Creating a NAT Policy - page 45

• Enabling Security Services in SonicOS - page 48

• Applying Security Services to Zones - page 48

• Troubleshooting Diagnostic Tools - page 49

SonicWALL NSA E8500 Getting Started Guide Page 41

An Introduction to Zones and Interfaces

Creating Network Access Rules

Zones split a network infrastructure into logical areas, each with its own set of usage rules, security services, and policies. Most networks include multiple definitions for zones, including those for trusted, untrusted, public, encrypted, and wireless traffic.

Some basic (default) zone types include:

WAN - Untrusted resources outside your local network

LAN - Trusted local network resources

WLAN - Local wireless network resources originating from

SonicWALL wireless enabled appliances such as SonicPoints.

DMZ - Local network assets that must be accessible from the WAN zone (such as Web and FTP servers)

VPN - Trusted endpoints in an otherwise untrusted zone, such as the WAN

The security features and settings configured for the zones are enforced by binding a zone to one or more physical interfaces (such as, X0, X1, or X2) on the SonicWALL UTM appliance.

The X1 and X0 interfaces are preconfigured as WAN and LAN respectively. The remaining ports can be configured to meet the needs of your network, either by using basic zone types (WAN, LAN, WLAN, DMZ, VPN) or configuring a custom zone type to fit your network requirements (for example: Gaming Console Zone, Wireless Printer Zone, Wireless Ticket Scanner Zone).

A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of access rules, a simpler and more intuitive process than following a strict physical interface scheme.

By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic from the Internet to the LAN. The following behaviors are defined by the “Default” stateful inspection packet access rule enabled in the SonicWALL security appliance:

Originating Zone Destination Zone Action

LAN, WLAN WAN, DMZ

DMZ WAN

WAN DMZ

WAN and DMZ LAN or WLAN

Allow

Deny

Page 42 An Introduction to Zones and Interfaces

To create an access rule:

1. On the Firewall > Access Rules page in the matrix view,

click the arrow connecting the two zones that need a rule.

2. On the Access Rules page, click Add.

The access rules are sorted from the most specific at the top to the least specific at the bottom of the table. At the bottom of the table is the Any rule.

3. In the Add Rule page in the General tab, select Allow | Deny | Discard from the Action list to permit or block IP traffic.

SonicWALL NSA E8500 Getting Started Guide Page 43

• Select the from and to zones from the From Zone and To Zone menus.

• Select the service or group of services affected by the access rule from the Service list. If the service is not listed, you must define the service in the Add Service window. Select Create New Service or Create New

Group to display the Add Service window or Add Service Group window.

• Select the source of the traffic affected by the access rule from the Source list. Selecting Create New Network displays the Add Address Object window.

• Select the destination of the traffic affected by the access rule from the Destination list. Selecting

Create New Network displays the Add Address Object window.

• From the Users Allowed menu, add the user or user group affected by the access rule.

• Select a schedule from the Schedule menu. The default schedule is Always on.

• Enter any comments to help identify the access rule in the Comments field.

4. Click on the Advanced tab.

• If you would like for the access rule to timeout after a different period of TCP inactivity, set the amount of time, in minutes, in the TCP Connection Inactivity Timeout (minutes) field. The default value is 60 minutes.

• If you would like for the access rule to timeout after a different period of UDP inactivity, set the amount of time, in minutes, in the UDP Connection Inactivity Timeout (minutes) field. The default value is 30 minutes.

• Specify the number of connections allowed as a percent of maximum number of connections allowed by the SonicWALL security appliance in the Number

of connections allowed (% of maximum connections) field.

• Select Create a reflexive rule if you want to create a matching access rule to this one in the opposite direction--from your destination zone or address object to your source zone or address object.

Page 44 Creating Network Access Rules

5. Click on the QoS tab if you want to apply DSCP or 802.1p Quality of Service coloring/marking to traffic governed by this rule. See the SonicOS Enhanced Administrator’s Guide for more information on managing QoS marking in access rules.

6. Click OK to add the rule.

Creating a NAT Policy

The Network Address Translation (NAT) engine in SonicOS Enhanced allows users to define granular NAT policies for their incoming and outgoing traffic. By default, the SonicWALL security appliance has a preconfigured NAT policy to allow all systems connected to the LAN interface to perform Many-toOne NAT using the IP address of the WAN interface, and a policy to not perform NAT when traffic crosses between the other interfaces.

You can create multiple NAT policies on a SonicWALL running SonicOS Enhanced for the same object – for instance, you can specify that an internal server use one IP address when accessing Telnet servers, and to use a totally different IP address for all other protocols. Because the NAT engine in SonicOS Enhanced supports inbound port forwarding, it is possible to hide multiple internal servers off the WAN IP address of the SonicWALL security appliance. The more granular the NAT Policy, the more precedence it takes.

Before configuring NAT Policies, you must create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, first create Address Objects for your public and private IP addresses.

Address Objects are one of four object classes (Address, User, Service and Schedule) in SonicOS Enhanced. These Address Objects allow for entities to be defined one time, and to be reused in multiple referential instances throughout the SonicOS interface. For example, take an internal Web server with an IP address of 67.115.118.80. Rather than repeatedly typing in the IP address when constructing Access Rules or NAT Policies, Address Objects allow you to create a single entity called “My Web Server” as a Host Address Object with an IP address of

67.115.118.80. This Address Object, “My Web Server”, can then be easily and efficiently selected from a drop-down menu in any configuration screen that employs Address Objects as a defining criterion.

Since there are multiple types of network address expressions, there are currently the following Address Objects types:

• Host – Host Address Objects define a single host by its IP address.

• Range – Range Address Objects define a range of contiguous IP addresses.

• Network – Network Address Objects are like Range objects in that they comprise multiple hosts, but rather than being bound by specified upper and lower range delimiters, the boundaries are defined by a valid netmask.

SonicWALL NSA E8500 Getting Started Guide Page 45

• MAC Address – MAC Address Objects allow for the identification of a host by its hardware address or MAC (Media Access Control) address.

• FQDN Address – FQDN Address Objects allow for the identification of a host by its Fully Qualified Domain Names (FQDN), such as www.sonicwall.com.

SonicOS Enhanced provides a number of Default Address Objects that cannot be modified or deleted. You can use the Default Address Objects when creating a NAT policy, or you can create custom Address Objects to use. All Address Objects are available in the drop-down lists when creating a NAT policy.

Configuring Address Objects

The Network > Address Objects page allows you to create and manage your Address Objects. You can view Address Objects in the following ways using the View Style menu:

• All Address Objects - displays all configured Address Objects.

• Custom Address Objects - displays Address Objects with custom properties.

• Default Address Objects - displays Address Objects configured by default on the SonicWALL security appliance.

To add an Address Object:

1. Navigate to the Network > Address Objects page.

2. Below the Address Objects table, click Add.

3. In the Add Address Object dialog box, enter a name for the Address Object in the Name field.

4. Select the zone to assign to the Address Object from the Zone Assignment drop-down list.

5. Select Host, Range, Network, MAC, or FQDN from the Type menu.

- If you selected Host, enter the IP address in the IP

Address field.

- If you selected Range, enter the starting and ending IP

addresses in the Starting IP Address and Ending IP Address fields.

- If you selected Network, enter the network IP address

and netmask in the Network and Netmask fields.

- If you selected MAC, enter the MAC address and

netmask in the Network and MAC Address field.

- If you selected FQDN, enter the domain name for the

individual site or range of sites (with a wildcard) in the FQDN field.

6. Click OK.

Page 46 Creating a NAT Policy

Configuring NAT Policies

NAT policies allow you to control Network Address Translation based on matching combinations of Source IP address, Destination IP address and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneously. The following NAT configurations are available in SonicOS Enhanced:

• Many-to-One NAT Policy

• Many-to-Many NAT Policy

• One-to-One NAT Policy for Outbound Traffic

• One-to-One NAT Policy for Inbound Traffic (Reflexive)

• One-to-Many NAT Load Balancing

• Inbound Port Address Translation via One-to-One NAT Policy

• Inbound Port Address Translation via WAN IP Address

This section describes how to configure a One-to-One NAT policy. One-to-One is the most common NAT policy used to route traffic to an internal server, such as a Web Server. Most of the time, this means that incoming requests from external IPs are translated from the IP address of the SonicWALL security appliance WAN port to the IP address of the internal web server.

For other NAT configurations, see the SonicOS Enhanced Administrator’s Guide.

An example configuration illustrates the use of the fields in the Add NAT Policy procedure. To add a One-to-One NAT policy that allows all Internet traffic to be routed through a public IP address, two policies are needed: one for the outbound traffic, and one for the inbound traffic. To add both parts of a One-toOne NAT policy, perform the following steps:

1. Navigate to the Network > NAT Policies page. Click Add. The Add NAT Policy dialog box displays.

2. For Original Source, select Any.

3. For Translated Source, select Original.

4. For Original Destination, select X0 IP.

5. For Translated Destination, select Create new address object and create a new address object using WAN for Zone Assignment and Host for Type.

6. For Original Service, select HTTP.

7. For Translated Service, select Original.

8. For Inbound Interface, select X0.

9. For Outbound Interface, select Any.

10. For Comment, enter a short description.

11. Select the Enable NAT Policy checkbox.

12. Select the Create a reflexive policy checkbox if you want a matching NAT Policy to be automatically created in the opposite direction. This will create the outbound as well as the inbound policies.

13. Click OK.

SonicWALL NSA E8500 Getting Started Guide Page 47

Enabling Security Services in SonicOS

Applying Security Services to Zones

You must enable each security service individually in the SonicOS user interface. See the following procedures to enable and configure the following three basic security services:

Gateway Anti-Virus

Intrusion Prevention

Anti-Spyware

For more information on configuring your security services, refer to the SonicOS Administrator’s Guide.

A network zone is a logical group of one or more interfaces to which you can apply security rules to regulate traffic passing from one zone to another zone.

Security services such as Gateway Anti-Virus are automatically applied to the LAN and WAN network zones when you activate the license and enable the service. To protect other zones such as the DMZ or Wireless LAN (WLAN), you must apply the security services to the network zones. For example, you can configure SonicWALL Intrusion Prevention Service for incoming and outgoing traffic on the WLAN zone to add more security for internal network traffic.

To apply services to network zones:

1. Navigate to the Network > Zones page.

2. In the Zone Settings table, click the Configure icon for the zone where you want to apply security services.

3. In the Edit Zone dialog box on the General tab, select the checkboxes for the security services to enable on this zone.

4. On the Edit Zone page, select the checkboxes for the security services that you want to enable.

5. Click OK.

6. To enable security services on other zones, repeat steps 2 through 4 for each zone.

Page 48 Enabling Security Services in SonicOS

Troubleshooting Diagnostic Tools

SonicOS provides a number of diagnostic tools to help you maintain your network and troubleshoot problems. Several tools can be accessed on the System > Diagnostics page, and others are available on other screens.

This section contains the following subsections:

• Using Packet Monitor - page 49

• Using Ping - page 50

• Using the Active Connections Monitor - page 50

Using Packet Monitor

Packet Monitor allows you to monitor and examine the contents of individual data packets that traverse your SonicWALL firewall appliance. The packets contain both data and addressing information.

On the System > Packet Monitor page, click the Configure button to edit the monitoring and/or mirroring criteria, display settings and file export settings, and displays the packets.

Click Start/Stop Capture or Start/Stop Mirror to use these features. Captured packet information and HEX dumps are displayed in the bottom portion of the Packet Monitor screen.

SonicWALL NSA E8500 Getting Started Guide Page 49

Using Ping

Using the Active Connections Monitor

Ping is available on the System > Diagnostics page.

The Ping test bounces a packet off a machine on the Internet and returns it to the sender. This test shows if the SonicWALL security appliance is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server, or another machine at the ISP location. If the test is unsuccessful, try pinging devices outside the ISP. If you can ping devices outside of the ISP, then the problem lies with the ISP connection.

The Active Connections Monitor displays real-time, exportable (plain text or CSV), filterable views of all connections to and through the SonicWALL security appliance. This tool is available on the Systems > Diagnostics page.

You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Src Interface and Dst Interface. Enter your filter criteria in the Active Connections Monitor Settings table.

The fields you enter values into are combined into a search string with a logical AND. Select the Group Filters box next to any two or more criteria to combine them with a logical OR.

Page 50 Troubleshooting Diagnostic Tools

Support and Training Options

In this Section:

This section provides overviews of customer support and training options for the SonicWALL NSA E8500.

• Customer Support - page 52

• Knowledge Portal - page 52

• User Forums - page 53

• Training - page 54

• Related Documentation - page 55

• Dynamic Tooltips - page 56

• SonicWALL Live Product Demos - page 56

• SonicWALL Secure Wireless Network Integrated Solutions Guide - page 57

SonicWALL NSA E8500 Getting Started Guide Page 51

Customer Support

Knowledge Portal

Designed for customers with SonicWALL E-Class solutions, SonicWALL E-Class Support 24x7 delivers the enterprise-class support features and quality of service that enterprise companies require to keep their networks running smoothly and efficiently. SonicWALL E-Class Support 24x7 is an around-theclock support service that includes phone, email and Webbased technical support, software and firmware updates and upgrades and Advance Exchange hardware replacement. Please Note: Continuous support is required on all E-Class products.

For further information, visit:

<http://www.sonicwall.com/us/support.html>

The Knowledge Portal is a resource which allows users to search for SonicWALL documents based on the following types of search tools:

• Browse

• Search for keywords

• Full-text search

For further information, visit:

<http://www.sonicwall.com/us/support/kb.asp>

Page 52 Customer Support

User Forums

The SonicWALL User Forums is a resource that provides users the ability to communicate and discuss a variety of security and appliance subject matters. In this forum, the following categories are available for users:

• Content Security Manager topics

• Continuous Data Protection topics

• Email Security related topics

• Firewall related topics

• Network Anti-Virus related topics

• Security Services and Content Filtering topics

• GMS and ViewPoint related topics

• SonicPoint and Wireless related topics

• SSL VPN related topics

• TZ 190 / Wireless WAN - 3G Capability

• VPN Client related topics

• VPN site-to-site and interoperability topics

For further information, visit:

<https://forum.sonicwall.com/>

SonicWALL NSA E8500 Getting Started Guide Page 53

Training

SonicWALL offers an extensive sales and technical training curriculum for Network Administrators, Security Experts and SonicWALL Medallion Partners who need to enhance their knowledge and maximize their investment in SonicWALL Products and Security Applications. SonicWALL Training provides the following resources for its customers:

• E-Training

• Instructor-Led Training

• Custom Training

• Technical Certification

• Authorized Training Partners

For further information, visit:

<http://training.sonicwall.com/>

Page 54 Training

Dynamic Tooltips

SonicWALL Live Product Demos

SonicOS features a dynamic tooltips that appear over various elements of the GUI when the mouse hovers over them. Elements that display these tooltips include text fields, radio buttons, and checkboxes.

The SonicWALL Live Demo Site provides free test drives of SonicWALL security products and services through interactive live product installations:

• Unified Threat Management Platform

• Secure Cellular Wireless

• Continuous Data Protection

• SSL VPN Secure Remote Access

• Content Filtering

• Secure Wireless Solutions

• Email Security

• SonicWALL GMS and ViewPoint

For further information, visit: <http://livedemo.sonicwall.com/>

Page 56 Dynamic Tooltips

SonicWALL Secure Wireless Network Integrated Solutions Guide

Looking to go wireless? Have questions about what it takes to build a truly “secure” wireless network? Check out the SonicWALL Secure Wireless Network Integrated Solutions Guide. This book is the official guide to SonicWALL’s marketleading wireless networking and security devices.

This title is available in hardcopy at fine book retailers everywhere, or by ordering directly from Elsevier Publishing at: <http://www.elsevier.com>

SonicWALL NSA E8500 Getting Started Guide Page 57

Page 58 SonicWALL Secure Wireless Network Integrated Solutions Guide

Rack Mounting Instructions

In this Section:

This section provides illustrated rack mounting instructions for the SonicWALL NSA E8500.

• Rack Mounting Instructions - page 60

Note: For more information on rack mounting requirements, see the Safety and Regulatory Information section, on page 66.

SonicWALL NSA E8500 Getting Started Guide Page 59

Rack Mounting Instructions

Fasten 4 screws to the rail.

Assemble the Slide Rail

Page 60 Rack Mounting Instructions

M4 SCREW*8 WASHERS*8

Assemble the Slide Rail

Fasten two-sided screws to the rail.

M5 SCREW*8 M5 Nut*8

SonicWALL NSA E8500 Getting Started Guide Page 61

Assemble Inner Rail to Chassis

Fasten 6 screws to attach the inner channel onto the chassis.

M4 SCREW*6

Page 62 Rack Mounting Instructions

Slide inner channel into rails.

Insert Chassis to Frame

Push hook down to separate.

SonicWALL NSA E8500 Getting Started Guide Page 63

Page 64 Rack Mounting Instructions

Product Safety and Regulatory Information

In this Section:

This section provides regulatory along with trademark and copyright information.

• Safety and Regulatory Information - page 66

• Copyright Notice - page 69

• Trademarks - page 69

SonicWALL NSA E8500 Getting Started Guide Page 65

Safety and Regulatory Information

Regulatory Model/Type Product Name

1RK15-085 NSA E8500

Rack Mounting the SonicWALL

The above SonicWALL appliances are designed to be mounted in a standard 19inch rack mount cabinet. The following conditions are required for proper installation:

• Use the mounting hardware recommended by the rack manufacturer and ensure that the rack is adequate for the application.

• Four mounting screws, compatible with the rack design, must be used and hand tightened to ensure secure installation. Choose a mounting location where all four mounting holes line up with those of the mounting bars of the 19-inch rack mount cabinet.

• Mount in a location away from direct sunlight and sources of heat. A maximum ambient temperature of 104º F (40º C) is recommended.

• Route cables away from power lines, fluorescent lighting fixtures, and sources of noise such as radios, transmitters and broadband amplifiers.

• The included power cord is intended for use in North America AC mains installation only. For European Union (EU) customers, and DC mains a power cord is not included.

• Ensure that no water or excessive moisture can enter the unit.

• Allow unrestricted airflow around the unit and through the vents on the side of the unit. A minimum of 1 inch (25.44mm) clearance is recommended.

• Mount the SonicWALL appliances evenly in the rack in order to prevent a hazardous condition caused by uneven mechanical loading.

• Consideration must be given to the connection of the equipment to the supply circuit. The effect of overloading the circuits has minimal impact on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings must be used when addressing this concern.

• DC configuration includes input cable with protective earthing conductor (Green and Yellow wire). This conductor is required to be connected to safety earth ground of circuit.

• Never remove or install a power supply with the AC power cord attached to the power supply being removed or installed.

• A suitably rated and approved branch circuit breaker shall be provided as part of the building installation. Follow local code when purchasing materials or components.

• This product is not intended to be installed and used in a home or public area accessible to the general population. When installed in schools this equipment must be installed in secure location accessible only by trained personnel.

• DC rating includes tolerances. Do not operate product outside of range shown on product label.

• This model is shipped as AC mains configuration with standard 3 conductor appliance couplers. A field conversion is available to change to DC mains. The DC mains connector is a keyed square 6 conductor with two blank locations. Do not connect AC configured product to DC mains, and do not connect DC configured product to AC. Detailed instructions are provided with the DC conversion kit. Product must be configured as all DC or AC.

• Thumbscrews should be tightened with a tool after both installation and subsequent access to the rear of the product.

• Reliable grounding of rack-mounted equipment must be maintained. Particular attention must be given to power supply connections other than direct connections to the branch circuits such as power strips.

• If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum recommended ambient temperature shown above.

Lithium Battery Warning

The Lithium Battery used in the SonicWALL Internet security appliance may not be replaced by the user. The SonicWALL must be returned to a SonicWALL authorized service center for replacement with the same or equivalent type recommended by the manufacturer. If, for any reason, the battery or SonicWALL Internet security appliance must be disposed of, do so following the battery manufacturer's instructions.

Cable Connections

All Ethernet and RS232 (Console) cables are designed for intra-building connection to other equipment. Do not connect these ports directly to communication wiring or other wiring that exits the building where the SonicWALL is located.

Page 66 Safety and Regulatory Information

Weitere Hinweise zur Montage

Das SonicWALL Modell ist für eine Montage in einem standardmäßigen 19-ZollRack konzipiert. Für eine ordnungsgemäße Montage sollten die folgenden Hinweise beachtet werden:

• Vergewissern Sie sich, dass das Rack für dieses Gerät geeignet ist und verwenden Sie das vom Rack-Hersteller empfohlene Montagezubehör.

• Dieses Produkt ist nicht dafür entwickelt, um in Bereichen mit öffentlichem Zugriff betrieben zu werden. Wenn es in Schulen betrieben wird stellen Sie sicher, dass sich das Gerät in einem abgeschlossenen Raum installier wird, der nur von speziell ausgebildetem Personal betrieben werden kann.

• Verwenden Sie für eine sichere Montage vier passende Befestigungsschrauben, und ziehen Sie diese mit der Hand an. Wählen Sie einen Ort im 19-Zoll-Rack, wo alle vier Befestigungen der Montageschien verwendet werden.

• Eine sichere Erdung der Geräte im Rack muss gewährleistet sein. Insbesondere muss auf nicht direkte Anschlüsse an Stromquellen geachtet werden wie z. B. bei Verwendung von Mehrfachsteckdosen.

• Ein angemessen dimensionierter und geprüfte Sicherung, sollte Bestandteil der Haus-Installation sein. Bitte folgen die den lokalen Richtlinien beim Einkauf von Material oder Komponenten.

• Die Gleichstrom Konfiguration beinhaltet einen Anschlusskabel mit Erdung (Grün-Gelbes Kabel). Diese Kabel muss an den Erdungsschaltkreis angeschlossen werden.

• Wählen Sie für die Montage einen Ort, der keinem direkten Sonnenlicht ausgesetzt ist und sich nicht in der Nähe von Wärmequellen befindet. Die Umgebungstemperatur darf nicht mehr als 40 °C betragen.

• Achten Sie darauf, das sich die Netzwerkkabel nicht in der unmittelbaren Nähe von Stromleitungen, Leuchtstoffröhren und Störquellen wie Funksendern oder Breitbandverstärkern befinden.

• Das beigefügte Netzkabel ist nur für den Gebrauch in Nordamerikas vorgesehen. Für Kunden in der Europäischen Union ist kein Kabel beigefügt.

• Stellen Sie sicher, dass das Gerät vor Wasser und hoher Luftfeuchtigkeit geschützt ist.

• Stellen Sie sicher, dass die Luft um das Gerät herum zirkulieren kann und die Lüftungsschlitze an der Seite des Gehäuses frei sind. Hier ist ein Belüftungsabstand von mindestens 26 mm einzuhalten.

• Bringen Sie die SonicWALL waagerecht im Rack an, um mögliche Gefahren durch ungleiche mechanische Belastung zu vermeiden.

• Prüfen Sie den Anschluss des Geräts an die Stromversorgung, damit der Überstromschutz sowie die elektrische Leitung nicht von einer eventuellen Überlastung der Stromversorgung beeinflusst werden. Prüfen Sie dabei sorgfältig die Angaben auf dem Aufkleber des Geräts.

• Gleichstrom akzeptiert Toleranzen. Betreiben Sie das Gerät nicht außerhalb des Bereiches, der auf dem Aufkleber des Gerätes angegeben ist.

• Die Wechselstrom Konfiguration verwendet standardisierte Kaltgerätekabel. Sie können einem Umbaukit für Gleichstrom bestellen. Der

Gleichstromanschluss ist ein quadratischer 6-adriger Anschluss mit zwei blinden Punkten. Schließen Sie kein Wechselstrom konfiguriertes Produkt an Gleichstrom an. Und schließen Sie kein Gleichstrom konfiguriertes Produkt an Wechselstrom an. Das Umbaukit beinhaltet eine detaillierte Beschreibung. Das Gerät muss komplett mit Gleichstrom oder Wechselstrom konfiguriert sein.

• Vergewissern Sie sich, dass die Schrauben nach dem Austausch mit entsprechendem Werkzeug fest anngezogen werden.

• Wenn Sie das Netzteil wechseln, entfernen Sie unbedingt die Stromversorgung von dem zu wechselnden Netzteil.

• Wenn das Gerät in einem geschlossenen 19"-Gehäuse oder mit mehreren anderen Geräten eingesetzt ist, wird die Temperatur in der Gehäuse höher sein als die Umgebungstemperatur. Achten Sie darauf, daß die Umgebungstemperatur nicht mehr als 40° C beträgt.

• Die NSA E8500 wird mit zwei Wechselstrom-Netzteilen als redundant Stromversorgung zur erhöhten Verfügbarkeit ausgeliefert. Ein Umbaukit in Gleichstromversorgung ist verfügbar

Hinweis zur Lithiumbatterie

Die in der Internet Security Appliance von SonicWALL verwendete Lithiumbatterie darf nicht vom Benutzer ausgetauscht werden. Zum Austauschen der Batterie muss die SonicWALL in ein von SonicWALL autorisiertes Service-Center gebracht werden. Dort wird die Batterie durch denselben oder entsprechenden, vom Hersteller empfohlenen Batterietyp ersetzt. Beachten Sie bei einer Entsorgung der Batterie oder der SonicWALL Internet Security Appliance die diesbezüglichen Anweisungen des Herstellers.

Kabelverbindungen

Alle Ethernet- und RS232-C-Kabel eignen sich für die Verbindung von Geräten in Innenräumen. Schließen Sie an die Anschlüsse der SonicWALL keine Kabel an, die aus dem Gebäude in dem sich das Gerät befindet ,herausgeführt werden.

SonicWALL NSA E8500 Getting Started Guide Page 67

FCC Part 15 Class A Notice

NOTE: This equipment was tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy. And if not installed and used in accordance with the instruction manual, the device may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user is required to correct the interference at his own expense.

Caution: Modifying this equipment or using this equipment for purposes not shown

in this manual without the written consent of SonicWALL, Inc. could void the user’s authority to operate this equipment.

BMSI Statement

Complies with EN 55022 Class A and CISPR22 Class A

Warning: This is a class A product. In a domestic environment, this product may cause radio interference in which case the user may be required to take adequate measures.

Declaration of Conformity

Application of council Directive 2004/108/EC (EMC) and 2006/95/EC (LVD) Standards to which conformity is declared EN 55022 (2006) Class A EN 55024 (1998) +A1 (2001), +A2 (2003) EN 61000-3-2 (2006) EN 61000-3-3 (1995) +A1 (2001), +A2 (2005)

EN 60950-1 (2006) National Deviations: AR, AT, AU, BE, BR, CA, CH, CN, CZ, DE, DK, FI, FR, GB, GR, HU, IL, IN, IT, JP, KE, KR, MY, NL, NO, PL, SE, SG, SI, SK, US

Regulatory Information for Korea

Ministry of Information and Telecommunication Certification Number SWL-1RK15-085

VCCI Statement

Canadian Radio Frequency Emissions Statement

This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à toutes la norme NMB-003 du Canada.

Page 68 Safety and Regulatory Information

All products with country code “A” and “J” are made in the USA. All products with country code “B” are made in China. All products with country code "C" or "D" are made in Taiwan R.O.C. All certificates held by Secuwide, Corps.

Copyright Notice

Under the copyright laws, this manual or the software described within, cannot be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format.

Specifications and descriptions subject to change without notice.

Trademarks

SonicWALL is a registered trademark of SonicWALL, Inc.

Microsoft Windows 98, Windows Vista, Windows 2000, Windows XP, Windows Server 2003, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.

Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Firefox is a trademark of the Mozilla Foundation.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

SonicWALL NSA E8500 Getting Started Guide Page 69

Notes

Page 70

SonicWALL, Inc.

2001 Logic Drive T +1 4 0 8. 74 5. 96 0 0 w ww . so ni c wa l l. co m

San Jose CA 95124-3452 F +1 408.745.9300

PN: 232-001891-51 Rev A 05/10

©2010 Sonic WALL, Inc. is a registered tr ademark of SonicWALL , Inc. Other produc t names mentioned h erein may be trademar ks and/or registere d trademarks of th eir respective com panies. Speci ﬁcations and descr iptions subject to ch ange without notice.

Sonicwall NSA E8500 Getting Started Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Setup

Additional Configuration and Information

SonicWALL NSA E8500

Pre-Configuration Tasks

Check Package Contents

Any Items Missing?

Obtain Configuration Information

Registration Information

Networking Information

Administrator Information

Obtain Internet Service Provider (ISP) Information

The Front Panel

The Back Panel

Front Bezel Control Features

LCD Control Buttons

Main Menu

Status

Configure

Configuration Options

Restart

SafeMode

Screen-Saver

LAN IP Configuration Example

Registering Your Appliance

Before You Register

Creating a mysonicwall.com Account

Registering and Licensing Your Appliance on mysonicwall.com

Product Registration

Licensing Security Services and Software

Registering a Second Appliance as a Backup

Registration Next Steps

Deployment Scenarios

Selecting a Deployment Scenario

Scenario A: NAT/Route Mode Gateway

Scenario B: State Sync Pair in NAT/Route Mode

For network installations with two SonicWALL NSA E-Series appliances configured as a stateful synchronized pair for redundant high-availability networking.

Scenario C: L2 Bridge Mode

Initial Setup

System Requirements

Connecting the WAN Port

Connecting the LAN Port

Applying Power

Accessing the Management Interface

Using the Setup Wizard

Connecting to Your Network

Testing Your Connection

Activating Licenses in SonicOS

Upgrading Firmware on Your SonicWALL

Saving a Backup Copy of Your Preferences

Obtaining the Latest Firmware

Upgrading the Firmware

Using SafeMode to Upgrade Firmware

Configuring a State Sync Pair in NAT/Route Mode

Initial High Availability Setup

Configuring High Availability

Configuring Advanced HA Settings

Synchronizing Settings

Adjusting High Availability Settings

Synchronizing Firmware

HA License Configuration Overview

Associating Pre-Registered Appliances

Configuring L2 Bridge Mode

Connection Overview

Configuring the Primary Bridge Interface

Configuring the Secondary Bridge Interface

Additional Deployment Configuration

An Introduction to Zones and Interfaces

Creating Network Access Rules

Creating a NAT Policy

Configuring Address Objects

Configuring NAT Policies

Enabling Security Services in SonicOS

Applying Security Services to Zones

Gateway Anti-Virus

Intrusion Prevention

Anti-Spyware