Sonicwall NSA E8500 Getting Started Guide

NSA E8500 Getting Started Guide

SonicWALL NSA E8500 Getting Started Guide

Welcome to Dynamic Security for the Global Network™.

The SonicWALL® E-Class Network Security Appliance (NSA) E8500 is designed to be the most scalable, reliable, and best performing multifunction threat appliance in its class.

This Getting Started Guide provides instructions for basic installation and configuration of the SonicWALL NSA E8500.

Setup

Step Procedure Est. Time

Pre-Configuration Tasks - page 3

Registering Your Appliance - page 13

Deployment Scenarios - page 19

Additional Deployment Configuration - page 41

Rack Mounting Instructions - page 59

Additional Configuration and Information

• Support and Training Options - page 51

• Product Safety and Regulatory Information - page 65

SonicWALL NSA E8500 Getting Started Guide Page 1

SonicWALL NSA E8500

Network Security Appliance

I o

E8500

Note: Always observe proper safety and regulatory guidelines when removing administrator-serviceable parts from the SonicWALL

NSA E8500. Proper guidelines can be found in the Product Safety and Regulatory Information section, on page 65 of this guide.

Page 2 SonicWALL NSA E8500

Pre-Configuration Tasks

In this Section:

This section provides pre-configuration information. Review this section before setting up your SonicWALL NSA E8500.

• Check Package Contents - page 4

• Obtain Configuration Information - page 5

• The Front Panel - page 6

• The Back Panel - page 7

• Front Bezel Control Features - page 8

• LAN IP Configuration Example - page 12

SonicWALL NSA E8500 Getting Started Guide Page 3

Check Package Contents

Before setting up your SonicWALL NSA E8500, verify that your package contains the following parts:

SonicWALL NSA E8500

Rack Kit

DB9 -> RJ45 (CLI) Cable

Standard Power Cord (2)*

Ethernet Cable

Red Crossover Cable

Getting Started Guide

Any Items Missing?

If any items are missing from your package, please contact SonicWALL support.

A listing of the most current support options is available online at:

<http://www.sonicwall.com/us/support.html>

*The included power cord is intended for use in North America only. The power cord is for AC mains installation only. Field conversion DC power cable is different, see “Safety and Regulatory Information” on page 66 for more information. For European Union (EU) customers, a power cord is not included.

Page 4 Check Package Contents

Network Security Appliance

(x2)

76543

E8500

Obtain Configuration Information

Please record and keep for future reference the following setup information:

Registration Information

Serial Number:

Authentication Code:

Networking Information

LAN IP Address:

. . .

Subnet Mask:

. . .

Ethernet WAN IP Address:

. . .

Record the serial number found on the bottom panel of your SonicWALL appliance.

Record the authentication code found on the bottom panel of your SonicWALL appliance.

Select a static IP address for your SonicWALL appliance that is within the range of your local subnet. If you are unsure, you can use the default IP address (192.168.168.168).

Record the subnet mask for the local subnet where you are installing your SonicWALL appliance.

Select a static IP address for your Ethernet WAN. This setting only applies

if you are already using an ISP that assigns a static IP address.

Administrator Information

Admin Name:

Admin Password:

Select an administrator account name. (default is admin)

Select an administrator password. (default is password)

Obtain Internet Service Provider (ISP) Information

Record the following information about your current Internet service:

If You connect using

DHCP No information is usually required: Some providers

Static IP IP Address: . . .

Please record

may require a Host name:

Subnet Mask: . . .

Default Gateway: . . .

Primary DNS: . . .

DNS 2 (optional): . . .

DNS 3 (optional): . . .

Note: If you are not using one of the network configurations

above, refer to the Guide <http://www.sonicwall.com/us/support.html>.

SonicOS Enhanced Administrator’s

SonicWALL NSA E8500 Getting Started Guide Page 5

The Front Panel

Console Port

Access the SonicOS Command Line Interface (CLI) via the DB9 -> RJ45 cable

Control Buttons

Navigate the LCD screen

LCD Screen

interface to display status, make conﬁguration changes, restart the appliance or boot into SafeMode

X4-X7 (SFP)

Hot-pluggable “small form-factor pluggable transceiver” interfaces for high speed ﬁber or copper Ethernet communication

HA Port

High Availability primary/secondary Gigabit Ethernet port

Page 6 The Front Panel

Network Security Appliance

USB Ports (2)

For future feature extensions

Reset Button

Press and hold for several seconds to manually reset the appliance

LED Indicators (left to right)

Power (2): Blue: Indicates power supplies are operating correctly,

yellow: Indicates an unconnected power supply or failure Test: Quick blinking: Initializing, slow blinking: SafeMode solid: test mode.

Alarm: alarm condition HD: Future extension

E8500

X0-X3 (Copper)

High speed Gigabit Ethernet ports

Bypass Status LED

Lit: Indicates when fail to wire bypass mode is armed

The Back Panel

Fans (2)

Dual auto-throttling fans for system temperature control

Expansion Bay

For SonicWall approved expansion modules

Power Supplies (2)

Dual power supplies for redundant AC power and added reliability Field conversion is available to convert to DC mains DC power supplies use different input connector and power cables

Note: See the Safety and Regulatory Information section, on page 66 for important additional information on power supply

requirements for the NSA E8500 appliance.

SonicWALL NSA E8500 Getting Started Guide Page 7

Front Bezel Control Features

Network Security Appliance

The SonicWALL Network Security Appliance E-Class is equipped with a front panel bezel interface that allows an administrator to customize certain aspects of the appliance or simply monitor its status without having to log into it through a separate terminal.

LCD Control Buttons

The LCD interface is controlled by a D-pad, consisting of four buttons: up, down, left, right. The table below describes the functions of the buttons:

Button Navigation Features Up/Down Selects options and navigates up and

down lists.

Left Cancels changes and returns to the

previous menu.

Right Confirms choices and enters menus.

Also sets the appliance to screen-saver mode when used from the main menu.

Icon Feature Description

LCD Screen

Control Buttons

Displays the front panel bezel interface which can be used to display status information, perform basic configurations, restart the appliance or boot the appliance in SafeMode.

Up, Down, Left and Right buttons, used to navigate the LCD menu system.

Note: Using the front bezel for configuration purposes prior to

completing initial setup will bypass the Setup Wizard’s automatic launch at startup.

Page 8 Front Bezel Control Features

Main Menu

Status

Upon booting the LCD display will initially show the Main Menu. The menu is made up of four options:

Contains basic status values including system resources, connections and port configuration values.

Allows configuration of basic system values including X0 (LAN) and X1 (WAN) port configuration. Requires system pin for access, default: 76642.

Provides the ability to restart the appliance. Requires system pin for access.

Provides the ability to restart and boot the appliance into SafeMode. Requires system pin for access.

Use the Up and Down button to select the menu you wish to enter and click the Right button to enter it.

The Status menu allows you to view specific aspects of the appliance. Once selected, the LCD displays the Status List. This list is navigated using the Up and Down buttons. Status options available include:

• Appliance serial number

• Firmware / ROM versions

• Appliance name

• Date and Time

• Uptime

• CPU statistical readings

• Current number of connections

• Interface (X0, X1) network settings

• Interface (X0, X1) data transfer statistics

The X1 DNS1-3 entries will only be displayed if they have been set from the Configure menu. If their value is still 0.0.0.0 (default value), they will not appear in the Status List.

SonicWALL NSA E8500 Getting Started Guide Page 9

Configure

The Configure Menu allows you to configure specific aspects of the appliance. Once selected, the LCD will display a PIN request.

Note: The Default PIN is 76642. This number spells SONIC

on a phone keypad. The PIN number can be changed from the System > Administration page.

All numbers are inputted using the 4 buttons. Select the individual digit field using the Left and Right button and select the desired number using the Up and Down Button. Digits increase incrementally from 0 to 9. Press the Right button to confirm your PIN and enter the Configuration Menu.

The appliance allows the user to navigate in and out of the Configuration Menu without having to re-enter the PIN. However, once the appliance enters Screen-Saver Mode, whether from the 6 second time out or from pressing the Left button from the Main Menu, the PIN number must be re-entered again to access the Configuration Menu.

After entering a new value for a setting in the configuration menu, you are asked if you want to commit changes. Using the 4-way D-pad, press the Right button for yes or the Left button for no.

If you choose yes, the screen notifies you that the settings are updated.

Page 10 Front Bezel Control Features

Configuration Options

Restart

This option allows you to configure network port settings for the appliance. Once selected, the LCD displays a list of configurable options. Status options available include:

• X0 IP and subnet

• X1 Mode

• X1 IP and subnet

• X1 Gateway

• X1 DNS settings (3 available)

• Restore defaults

The X1 Mode can be set to Static (default option) or to DHCP. If DHCP is selected, manual configuration options are not shown for X1 IP, subnet, gateway and DNS.

The Restore Defaults option will reset the appliance to default factory settings. If selected it will prompt for confirmation twice before restoring defaults.

If an option is selected but not modified, the appliance will display a message stating that no changes were made and will return the user to the edit value screen. If a change was made, it will prompt the user for confirmation before effecting the change.

This option allows you to safely restart without resorting to power cycling the appliance. Once selected, the LCD will display a confirmation prompt. Select Y for yes and press the Right button to confirm. The appliance will reboot.

SafeMode

This option will set the appliance to SafeMode. Once selected, the LCD will display a confirmation prompt. Select Y for yes and press the Right button to confirm. The appliance will change to SafeMode. Once SafeMode is enabled, the SonicWALL NSA E8500 must be controlled from the Web management interface.

Screen-Saver

If no button is pressed for over 60 seconds, or if the Left button is pressed from the Main Menu, the appliance will enter ScreenSaver mode. In this mode, the Status List will cycle, displaying every entry for a few seconds.

If the Up or Down button is pressed while in Screen-Saver mode, the appliance will display the adjacent status entry.

To exit Screen-Saver mode, press the Right button.

SonicWALL NSA E8500 Getting Started Guide Page 11

LAN IP Configuration Example

The SonicWALL NSA E8500 is assigned the default LAN IP of

192.168.168.168. The following example provides steps for changing the default IP address to 192.168.168.10.

1. Press Right to exit screen-saver mode if not at the root menu.

2. Press Down to select the Configuration entry.

3. Press Right to enter Configuration Mode.

4. Input PIN (76642 by default; SONIC on a phone keypad.)

a. Press Up or Down until the cursor displays 7,

press Right.

b. Continue this process until all of the numbers are

entered.

c. Press Right to commit changes.

5. Press Down until X1 IP is selected (four times).

6. Press Right to configure X1 IP.

7. Edit X1 IP: a. Press Right ten times to select the tenth digit.

b. Press UP or Down until the cursor displays 0. c. Press Right once to select the next digit. d. Press UP or Down until the cursor displays 1. e. Press Right once to select the next digit. f. Press Up or Down until the cursor displays 0.

g. Press Right to finish editing the X1 IP. h. Press Right again to confirm changes.

Page 12 LAN IP Configuration Example

Registering Your Appliance

In this Section:

This section provides instructions for registering your SonicWALL NSA E8500.

• Before You Register - page 14

• Creating a mysonicwall.com Account - page 15

• Registering and Licensing Your Appliance on mysonicwall.com - page 15

• Licensing Security Services and Software - page 16

• Registering a Second Appliance as a Backup - page 18

Note: Registration is an important part of the setup process and is necessary in order to receive the benefits of SonicWALL security

services, firmware updates, and technical support.

SonicWALL NSA E8500 Getting Started Guide Page 13

Before You Register

You need a mysonicwall.com account to register the SonicWALL NSA E8500. You can create a new mysonicwall.com account on <http://www.sonicwall.com> or directly from the SonicWALL management interface. This section describes how to create an account by using the Web site.

You can use mysonicwall.com to register your SonicWALL appliance and activate or purchase licenses for Security Services, ViewPoint Reporting and other services, support, or software before you even connect your device. This allows you to prepare for your deployment before making any changes to your existing network.

For a High Availability configuration, you must use mysonicwall.com to associate a backup unit that can share the Security Services licenses with your primary SonicWALL.

Note: Your SonicWALL NSA E8500 does not need to be

powered on during account creation or during the mysonicwall.com registration and licensing process.

Note: After registering a new SonicWALL appliance on

mysonicwall.com, you must also register the appliance from the SonicOS management interface. This allows the unit to synchronize with the SonicWALL License Server and to share licenses with the associated appliance, if any. See Accessing the Management

Interface - page 26.

Page 14 Before You Register

Creating a mysonicwall.com Account

To create a mysonicwall.com account, perform the following steps:

1. In your browser, navigate to

<http://www.mysonicwall.com>.

2. In the login screen, click If you are not a registered user,

Click here.

3. Complete the Registration form and then click Register.

4. Verify that the information is correct and then click Submit.

5. In the screen confirming that your account was created, click Continue.

Registering and Licensing Your Appliance on mysonicwall.com

This section contains the following subsections:

• Product Registration - page 15

• Licensing Security Services and Software - page 16

• Registering a Second Appliance as a Backup - page 18

• Registration Next Steps - page 18

Product Registration

You must register your SonicWALL security appliance on mysonicwall.com to enable full functionality.

1. Login to your mysonicwall.com account. If you do not have an account, you can create one at

<http://www.mysonicwall.com>.

2. On the main page, in the Register A Product field, type the appliance serial number and then click Next.

3. On the My Products page, under Add New Product, type the friendly name for the appliance, select the Product Group if any, type the authentication code into the appropriate text boxes, and then click Register.

4. On the Product Survey page, fill in the requested information and then click Continue.

SonicWALL NSA E8500 Getting Started Guide Page 15

Licensing Security Services and Software

The Service Management - Associated Products page in mysonicwall.com lists security services, support options, and software such as ViewPoint that you can purchase or try with a free trial. For details, click the Info button. Your current licenses are indicated in the Status column with either a license key or an expiration date. You can purchase additional services now or at a later time.

The following products and services are available for the SonicWALL NSA E8500:

• Service Bundles:

• Client/Server Anti-Virus Suite

• Comprehensive Gateway Security Suite

• Gateway Services:

• Gateway AV / Anti-Spyware/Intrusion Prevention Service / Application Firewall

• Content Filtering: Premium Edition

• Stateful High Availability (HA) Upgrade

• Application Firewall

• Desktop and Server Software:

• Enforced Client Anti-Virus and Anti-Spyware

• Global VPN Client

• Global VPN Client Enterprise

• VPN Policy Upgrade (for site-to-site VPN)

• Global Management System

• ViewPoint

• Support Services:

• Dynamic Support 24x7

• Software and Firmware Updates

• Consulting Services:

• Implementation Service

• GMS Preventive Maintenance Service

Page 16 Registering and Licensing Your Appliance on mysonicwall.com

To manage your licenses, perform the following tasks:

1. In the mysonicwall.com Service Management - Associated Products page, check the Applicable Services table for services that your SonicWALL appliance is already licensed for. Your initial purchase may have included security services or other software bundled with the appliance. These licenses are enabled on mysonicwall.com when the SonicWALL appliance is delivered to you.

2. If you purchased a service subscription or upgrade from a sales representative separately, you will have an Activation Key for the product. This key is emailed to you after online purchases, or is on the front of the certificate that was included with your purchase. Locate the product on the Services Management page and click Enter Key in that row.

3. In the Activate Service page, type or paste your key into the Activation Key field and then click Submit. Depending on the product, you will see an Expire date or a license key string in the Status column when you return to the Service Management page.

4. To license a product of service, do one of the following:

• To try a Free Trial of a service, click Try in the Service Management page. A 30-day free trial is immediately activated. The Status page displays relevant information including the activation status, expiration date, number of licenses, and links to installation instructions or other documentation. The Service Management page is also updated to show the status of the free trial.

• To purchase a product or service, click Buy Now.

5. In the Buy Service page, type the number of licenses you want in the Quantity column for either the 1 year, 2 year, or 3 year license row and then click Add to Cart.

6. In the Checkout page, follow the instructions to complete your purchase.

The mysonicwall.com server will generate a license key for the product. The key is added to the license keyset. You can use the license keyset to manually apply all active licenses to your SonicWALL appliance.

SonicWALL NSA E8500 Getting Started Guide Page 17

Registering a Second Appliance as a Backup

To ensure that your network stays protected if your SonicWALL appliance has an unexpected failure, you can associate a second SonicWALL with the first in a high availability (HA) pair. You can associate the two appliances as part of the registration process on mysonicwall.com. The second SonicWALL will automatically share the Security Services licenses of the primary appliance.

6. On the Service Management - Associated Products page, scroll down to the Associated Products section to verify that your product registered successfully. You should see the HA Primary unit listed in the Parent Product section, as well as a Status value of 0 in the Associated Products / Child Product Type section.

To return to the Service Management - Associated Products page, click the serial number link for this appliance.

To register a second appliance and associate it with the primary, perform the following steps:

1. Login to your mysonicwall.com account.

2. On the main page, in the Register A Product field, type the appliance serial number and then click Next.

4. On the Product Survey page, fill in the requested information and then click Continue. The Create Association Page is displayed.

5. On the Create Association Page, click the radio button to select the primary unit for this association, and then click Continue. The screen only displays units that are not already associated with other appliances.

Page 18 Registering and Licensing Your Appliance on mysonicwall.com

Registration Next Steps

Your SonicWALL NSA E8500 or E8500 HA Pair is now registered and licensed on mysonicwall.com. To complete the registration process in SonicOS and for more information, see:

• Accessing the Management Interface - page 26

• Activating Licenses in SonicOS - page 28

• Enabling Security Services in SonicOS - page 48

• Applying Security Services to Zones - page 48

Deployment Scenarios

In this Section:

This section provides detailed overviews of advanced deployment scenarios as well as configuration instructions for connecting your SonicWALL NSA E8500.

• Selecting a Deployment Scenario - page 20

• Scenario A: NAT/Route Mode Gateway - page 21

• Scenario B: State Sync Pair in NAT/Route Mode - page 22

• Scenario C: L2 Bridge Mode - page 23

• Initial Setup - page 24

• Configuring a State Sync Pair in NAT/Route Mode - page 32

• Configuring L2 Bridge Mode - page 39

Tip: Before completing this section, fill out the information in Obtain Configuration Information - page 5. You will need to enter this

information during the Setup Wizard.

SonicWALL NSA E8500 Getting Started Guide Page 19

Selecting a Deployment Scenario

Before continuing, select a deployment scenario that best fits your network scheme. Reference the table below and the diagrams on the following pages for help in choosing a scenario.

Current Gateway Configuration New Gateway Configuration Use Scenario

No gateway appliance Single SonicWALL NSA as a primary gateway. A - NAT/Route Mode Gateway

Pair of SonicWALL NSA appliances for high availability.

Existing Internet gateway appliance SonicWALL NSA as replacement for an existing

gateway appliance.

SonicWALL NSA in addition to an existing gateway appliance.

Existing SonicWALL gateway appliance SonicWALL NSA in addition to an existing

SonicWALL gateway appliance.

B - NAT with State Sync Pair

A - NAT/Route Mode Gateway

C - L2 Bridge Mode

B - NAT with State Sync Pair

Network Security Appliance

E8500

SonicPoint

Network Security Appliance

Scenario A: NAT/Route Mode Gateway - page 21 Scenario B: State Sync Pair in NAT/Route Mode - page 22 Scenario C: L2 Bridge Mode - page 23

Page 20 Selecting a Deployment Scenario

Network Security Appliance

E8500

Network Security Appliance

E8500

SonicPoint

E8500

Scenario A: NAT/Route Mode Gateway

For new network installations or installations where the SonicWALL NSA E8500 is replacing the existing network gateway.

In this scenario, the SonicWALL NSA E8500 is configured in NAT/Route mode to operate as a single network gateway. Two Internet sources may be routed through the SonicWALL appliance for load balancing and failover purposes. Because only a single SonicWALL appliance is deployed, the added benefits of high availability with a stateful synchronized pair are not available.

To set up this scenario, follow the steps covered in:

• Initial Setup - page 24

• Additional Deployment Configuration - page 41

Next... Be sure to follow the steps in the Initial Setup

section, on page 24 before completing Additional Deployment Configurations.

DMZ Zone

SonicWALL NSA E-Class

Network Security Appliance

SonicPoint

WLAN Zone

LAN Zone

E8500

ISP 1

Internet

SonicWALL NSA E8500 Getting Started Guide Page 21

+ 50 hidden pages