SonicWALL
SonicOS 2.x Enhanced Quick Start Guide
Rev 1.1 February 2004

Introduction

This guide walks you through the steps required to configure a typical customer network using the new SonicOS 2.x Enhanced firmware. If you are familiar with Sonicwall’s existing products and firmware, this guide will help you make the transition from those products to the next generation of Sonicwall firmware.
The example network used throughout this guide is illustrated below:
[Network diagram of the example network]
- Internet: T1 router 208.48.32.1/29
- SonicWALL PRO 4060
  - WAN 1 (X1): 208.48.32.2/29 (T1)
  - WAN 2 (X2): PPPoE DSL
  - LAN (X0): 192.168.168.168/24; LAN hosts use 192.168.168.168 as their default gateway
    - Mail Server 192.168.168.4/24
  - DMZ (X3): 10.0.0.1/24; DMZ hosts use 10.0.0.1 as their default gateway
    - Public WWW Server 10.0.0.2/24 (public address 208.48.32.3)
- Remote site: SonicWALL TZ 170e, WAN via PPPoE DSL, LAN 192.168.1.1/24 (LAN hosts use 192.168.1.1 as their default gateway)
- Remote User with Global VPN Client

Basic WAN & LAN Configuration

Refer to the Sonicwall Quick Start Guide included on the product CD.

Security Zones and Objects

There are several new concepts introduced with SonicOS 2.x Enhanced firmware. In this section, we’ll discuss the Security Zones and Objects. When configuring the new products, you will need to define your Security Zones early in the setup process so that your rules, NAT entries, and objects will be easier to work with.

Security Zones - Overview

Sonicwall’s fourth generation appliances extend the previous architecture beyond the LAN, WAN, and DMZ. The new products, when loaded with the Enhanced firmware, have six interfaces (X0 through X5). The first two interfaces (X0 and X1) are fixed interfaces, permanently bound to the LAN and WAN Zones respectively. The remaining four interfaces, X2 to X5, can be configured and bound to any Zone.
The multiple interfaces allow the user to segment their network into a more manageable, secure infrastructure. They also allow the user to group multiple physical segments together. This concept of multiple segments, or interfaces, logically grouped together is called Security Zones. A Security Zone permits the user to name the Zone in a user-friendly way and to write security rules that apply to all the segments in the Zone, without needing to address each physical interface individually. In our example, we have two interfaces (X1 and X2) used for WAN load balancing and failover. If we group the two interfaces in the WAN Zone, we only need to write one set of firewall rules, which will apply regardless of which interface is active. This greatly simplifies the firewall rule base. The pre-defined Security Zones are not modifiable and are defined as follows:
WAN – This Zone can consist of either one or two interfaces. If using the WAN-WAN capability, you need to add the second Internet interface to the WAN Zone.
LAN – This Zone can consist of one to five interfaces, depending on your network design. Even though each interface will have a different network subnet attached to it, when grouped together they can be managed as a single entity.
DMZ – This is the Demilitarized Zone you are probably familiar with from the existing Sonicwall product line. This Zone is normally used for publicly accessible servers. This Zone can consist of one to four interfaces, depending on your network design.
VPN – This predefined Zone is used for simplifying secure, remote connectivity. It is the only Zone that does not have an assigned physical interface.
NOTE – Even though you may group interfaces together into one Security Zone, this does not preclude you from addressing a single interface within the Zone.

Creating a Custom Zone

There are four fixed Zone types: Trusted, Untrusted, Public and Encrypted. Only the number of interfaces limits the number of Zone instances for the Trusted and Public Zone types. The Untrusted Zone type (i.e. the WAN) is reserved for the WAN interface(s). The Encrypted Zone type is a special system Zone comprising all VPN traffic and doesn’t have any associated interface.
To create a custom zone, proceed as follows:
1. Select the Zones option under the Network button of the GUI.
2. Click the Add button and the Add Zone pop-up is displayed.
3. Name your Zone as desired.
4. Select whether the Zone is Trusted or Public.
5. If Content Filtering is desired, select the checkbox.
6. If AV enforcement is desired, select the checkbox.
7. If multiple interfaces are assigned to this Zone, selecting the Allow Interface Trust option automatically adds the required access rules to allow hosts on those interfaces to communicate with one another. Leave it unselected if the segments in the Zone are meant to stay isolated from each other.
8. Click OK to save your settings. The new custom Zone is displayed in the Zones window.

Security Zones - Configuration

The following will guide you through the process of configuring and assigning interfaces to Security Zones:
1. We start out with the LAN and WAN interfaces as previously defined.
2. Click the configure icon associated with the X2 interface.
3. Select the Zone as WAN and the IP assignment as PPPoE.
4. Add the User Name and Password assigned to the PPPoE DSL account.
5. Enter a Comment if desired.
6. Decide if you want to allow Management and User Logins on this interface. Since X2 faces the Internet, leave Management disabled on it unless you specifically need it.
7. If the ISP provided you with a Static IP address, select ‘Specify IP Address’ and enter the assigned Static IP.
8. If you want to set your own DNS servers, as opposed to the DNS servers automatically provided by the PPPoE connection, click ‘Specify DNS Servers’ and enter the values.
9. Select the Ethernet tab.
NOTE – Even though the Sonicwall auto-negotiates the Ethernet settings, you should make it a habit to force the settings to match the connected network equipment.
10. Select the ‘Force’ checkbox and enter the appropriate values for the DSL modem connected to the X2 interface.
11. If required, make the appropriate changes to the MTU and fragment settings based on your configuration. For normal installations, changes should not be required.
12. If using Bandwidth Management, enter the available bandwidth for this DSL connection.
13. Click OK to save your settings. The new WAN interface is displayed in the settings.
14. We will also need a DMZ configured for our installation. Click the configure icon associated with the X3 interface.
15. Select the Zone as DMZ.
16. Enter the IP address assigned to the X3 interface. Enter the network mask assigned to the interface.
17. Enter your comments as applicable.
18. Decide if you want to allow Management and User Logins on this interface.
19. Select the Ethernet tab. As above, make the appropriate entries based on the equipment to be installed on the DMZ Zone.
20. Click OK to save your settings. The new DMZ interface is displayed in the settings.

Objects/Groups - Overview

SonicOS Enhanced introduces the concept of Objects to your security policy. Objects are either pre-defined or user-defined elements that can be used by themselves or in groups. Objects relate to network elements (hosts, subnets or ranges), users, and services. Throughout the new Enhanced firmware, we will need to define objects and groups in order to create the desired security policy.
Example 1 – We want to write firewall rules to allow mail in to and out from our mail server. Instead of just using the mail server’s IP address, we’ll create an Address Object called ‘Mail Server’ and write our firewall rules using this object. If we ever change the address of our mail server, a simple change to the object will ensure that the address is changed wherever it may be in use.
Example 2 – We would like to block users from accessing Instant Messengers during work hours. We know that the IM services need to connect to certain servers and we know what the IP address ranges are for those servers. The problem is, there are a lot of ranges! The solution: create address objects for each of the IP ranges. Add those address objects to a group called ‘Instant Messengers’, and write a rule that denies all access to the Instant Messenger group. You’ll see later on that this will result in a single firewall rule, instead of the six or more that would have been required without groups.
The same concept of creating an IP address object or group also works for Users and Services.
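The Zone and Object ideas in this guide (one rule set per Zone regardless of which WAN interface is active, from the Security Zones overview; the ‘Mail Server’ object and the ‘Instant Messengers’ group from Examples 1 and 2 above) can be seen working together in the following Python model. It is an added example for this guide, not SonicWALL code and not the appliance’s actual rule engine: the class and function names, the first-match/default-deny evaluation order, the X4 interface, the Internet source addresses and the IM address ranges are assumptions made for illustration, while the Zones, interfaces and the mail server address come from the guide’s example network.

```python
"""Toy model of SonicOS Enhanced Zones, Address Objects, groups and access rules."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Zone:
    name: str
    interfaces: Set[str] = field(default_factory=set)  # physical ports, e.g. {"X1", "X2"}
    interface_trust: bool = False                      # the "Allow Interface Trust" checkbox


@dataclass
class AddressObject:
    """A host, network or range; a group is an object whose members are other objects."""
    name: str
    host: Optional[str] = None
    network: Optional[str] = None
    ip_range: Optional[Tuple[str, str]] = None
    members: List["AddressObject"] = field(default_factory=list)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.host:
            return addr == ipaddress.ip_address(self.host)
        if self.network:
            return addr in ipaddress.ip_network(self.network, strict=False)
        if self.ip_range:
            lo, hi = (ipaddress.ip_address(b) for b in self.ip_range)
            return lo <= addr <= hi
        return any(m.contains(ip) for m in self.members)  # group: any member matches


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src: AddressObject
    dst: AddressObject
    service: str  # "SMTP", "HTTP", ... or "Any"
    action: str   # "allow" or "deny"


def zone_of(zones: List[Zone], interface: str) -> Zone:
    for z in zones:
        if interface in z.interfaces:
            return z
    raise ValueError(f"interface {interface} is not bound to any Zone")


def evaluate(zones, rules, in_if, out_if, src_ip, dst_ip, service) -> str:
    """Decide a flow. Rules are keyed on the Zone pair, so the same rule applies
    whichever interface of the Zone the packet arrived on. First match wins and an
    unmatched flow is denied (assumed ordering, for illustration). Traffic between
    two interfaces of one Zone is allowed when that Zone has interface trust set."""
    src_zone, dst_zone = zone_of(zones, in_if), zone_of(zones, out_if)
    if src_zone is dst_zone and src_zone.interface_trust:
        return "allow"
    for r in rules:
        if (r.src_zone == src_zone.name and r.dst_zone == dst_zone.name
                and r.service in (service, "Any")
                and r.src.contains(src_ip) and r.dst.contains(dst_ip)):
            return r.action
    return "deny"


# The guide's example network. X4 as a second LAN segment is an added assumption.
ZONES = [
    Zone("LAN", {"X0", "X4"}, interface_trust=True),
    Zone("WAN", {"X1", "X2"}),  # T1 on X1 and PPPoE DSL on X2 share one Zone
    Zone("DMZ", {"X3"}),
]
ANY = AddressObject("Any", network="0.0.0.0/0")
MAIL_SERVER = AddressObject("Mail Server", host="192.168.168.4")
# Constructed documentation ranges standing in for the IM providers' real address blocks.
IM_GROUP = AddressObject("Instant Messengers", members=[
    AddressObject("IM range 1", network="198.51.100.0/24"),
    AddressObject("IM range 2", ip_range=("203.0.113.10", "203.0.113.20")),
])
RULES = [
    Rule("WAN", "LAN", ANY, MAIL_SERVER, "SMTP", "allow"),  # Example 1: inbound mail
    Rule("LAN", "WAN", ANY, IM_GROUP, "Any", "deny"),       # Example 2: one deny for all ranges
    Rule("LAN", "WAN", ANY, ANY, "Any", "allow"),
]


def inbound_smtp_allowed(via_interface: str, dst_ip: str) -> bool:
    """Does SMTP from an Internet host reach dst_ip when it arrives on via_interface?"""
    return evaluate(ZONES, RULES, via_interface, "X0", "203.0.113.5", dst_ip, "SMTP") == "allow"


def lan_user_may_reach(dst_ip: str, service: str = "HTTP") -> bool:
    """Can a LAN host open the given service to dst_ip on the Internet?"""
    return evaluate(ZONES, RULES, "X0", "X1", "192.168.168.10", dst_ip, service) == "allow"


if __name__ == "__main__":
    print("SMTP via T1 (X1):", inbound_smtp_allowed("X1", "192.168.168.4"))
    print("SMTP via DSL (X2):", inbound_smtp_allowed("X2", "192.168.168.4"))  # same rule, same answer
    print("IM blocked:", not lan_user_may_reach("203.0.113.15"))
    MAIL_SERVER.host = "192.168.168.40"  # readdress the object once ...
    print("Rule follows object:", inbound_smtp_allowed("X1", "192.168.168.40"))  # ... rules follow
```

Running the file prints the four decisions. The two points to notice are that mail arriving over X2 is evaluated by the same WAN-to-LAN rule as mail arriving over X1, because the rule names the Zone and not the port, and that readdressing the Mail Server object changes what the inbound rule permits without any edit to the rule base itself.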