SonicWall SonicOSX 7 User Manual

SonicOSX 7
Getting Started Guide
for the NSsp Series
Contents
Product Overview 4
Enterprise Class High-performance Firewall 4
Feature Summary 4
Simplified Management and Reporting 5
Advanced Threat Protection 5
Capture Cloud Platform 5
Deep Packet Inspection of SSL/TLS (DPI-SSL) 5
Content Filtering Service 5
Intrusion Prevention Service 5
Application Control 6
Unified Policy Configuration and Management 6
Multiple Instances / High Availability 6
System Architecture 6
Hardware Overview 7
Front Panel 7
Rear Panel 8
LEDs 9
Specifications 9
System Setup 11
Default Settings 11
System Startup 12
HTTPS Management via X0 12
HTTPS Management via MGMT Port 12
SonicOS/X Basic Configuration 13
Connecting LAN and WAN Interfaces 14
Network Configuration 14
Registration and Licensing 15
Instance Licenses 15
Latest Firmware 15
Configuring Multiple Instances 16
Enabling Multi-Instances 17
Configuring Multi-Instances 19
Adding an Instance 19
Editing an Instance 21
Uploading Instance Firmware 22
Licenses for Multiple Instances 23
Surveying Multiple Instances 23
Instance Registration 24
Instance License Update 24
Deactivating an Instance 24
Instance HA Pair on a Standalone NSsp Node 24
Configuring High Availability 29
High Availability Overview 29
Setting Up Unit-to-Unit HA 29
Prerequisites 29
Configuring Advanced Settings 31
Checking High Availability Status 32
High Availability Status 32
High Availability Configuration 33
High Availability Licenses 33
Monitoring High Availability 33
Configuring Multi-Appliance Instance-Level HA 35
CLI Bring-up 37
Access the Console Port 37
At the ChassisOS Prompt 38
To Change to the Console Port of Another Physical Blade 39
Check Network Address Settings 40
Commands at ChassisOS Prompt 40
Show Commands at ChassisOSPrompt 41
Configure IP Addresses from the CLI 44
Restart SonicOSX from the CLI 44
To Access SonicOSX Console 44
Using the SafeMode GUI 46
Accessing SafeMode 46
Rebooting the System 47
Upgrading Firmware 47
Diagnostics 48
System Information 48
Hardware Sensors 48
Switch Port Counters 48
Switch Port SFP Information 49
SonicWall Support 50
About This Document 51

Product Overview

This section introduces key features of the NSsp 15700.
Topics:
l Enterprise Class High-Performance Firewall
l Feature Summary
l System Architecture
l Hardware Overview

Enterprise Class High-performance Firewall

Firewalls must evolve and adapt to support dynamic IT environments. Firewall limitations can present major IT operations bottlenecks.
The SonicWall Network Security services platform NSsp 15700 is a next-generation firewall with high port density and Multi-Gigabit interfaces that can process several million connections while checking for zero-day and advanced threats. Designed for large enterprises, higher education, government agencies and MSSPs, the NSsp eliminates attacks in real time without slowing performance. It is designed to be highly reliable and deliver uninterrupted services.

Feature Summary

Topics:
l Simplified Management and Reporting
l Advanced Threat Protection
l Capture Cloud Platform
l Deep Packet Inspection of SSL/TLS (DPI-SSL)
l Content Filtering Service
l Intrusion Prevention Service
l Application Control
l Unified Policy Configuration and Management
l Multiple Instances / High Availability

Simplified Management and Reporting

Ongoing management, monitoring and reporting of network activity are handled through the SonicWall on-premises Network Security Manager (NSM) or the cloud-based Capture Security Center (CSC).

Advanced Threat Protection

Every business day, SonicWall encounters and catalogs over 140,000 new and updated forms of malware. These variants are updated frequently to bypass static filters in a variety of devices and services. Furthermore, many attackers build or outsource components, such as evasion tactics or runners, to make their malware more powerful and harder to detect.
SonicWall Capture Advanced Threat Protection™ (Capture ATP) is used by over 150,000 customers across the world through a variety of solutions, and it helps to discover and stop over 1,200 new forms of malware each business day. For compliance and performance-sensitive customers, the NSsp 15700 also integrates with the Capture Security Appliance (CSa), a local device based on memory-based file analysis technology and Real-Time Deep Memory Inspection™ (RTDMI).

Capture Cloud Platform

SonicWall's Capture Cloud Platform delivers cloud-based threat prevention and network management plus reporting and analytics for organizations of any size. The platform consolidates threat intelligence gathered from multiple sources including our award-winning multi-engine network sandboxing service, Capture Advanced Threat Protection, as well as more than 1.1 million SonicWall sensors located around the globe.

Deep Packet Inspection of SSL/TLS (DPI-SSL)

l The NSsp 15700 provides inspection for millions of simultaneous TLS/SSL and SSH encrypted connections, regardless of port or protocol.
l Support for TLS 1.3

Content Filtering Service

Allows security administrators to create and apply policies that allow or deny access to sites based on individual or group identity, or by time of day, for over 50 pre-defined categories.

Intrusion Prevention Service

The extensible signature language provides proactive defense against newly discovered application and protocol vulnerabilities.

Application Control

The NSsp 15700 catalogs thousands of applications through App Control and monitors their traffic for anomalous behavior through the on-board Application Firewall.

Unified Policy Configuration and Management

The NSsp 15700 enables organizations to intuitively configure and enforce policies by combining network, application and web filtering security in one place.

Multiple Instances / High Availability

The NSsp 15700 architecture allows multiple independent firewalls to share hardware resources, to support MSSPs or to provide flexible resources for evolving organizations. These independent firewalls may also be configured as high-availability (HA) pairs, either within one NSsp or across multiple NSsp appliances. Unlike other high-performance firewall systems, the NSsp operates through containers rather than shared hardware resources. Software containers along with NUMA architecture assure identical operation for all instances on the NSsp 15700.
The NSsp 15700 supports three kinds of High Availability:
l Standalone HA — Instances on one NSsp form high availability pairs. See Instance HA Pair on a Standalone NSsp Node.
l Multi-appliance instance-level HA — Instances on different NSsp 15700 appliances form HA pairs. See Configuring Multi-Appliance Instance-Level HA.
l Appliance-level HA — Two NSsp appliances are paired as Primary Active and Secondary Standby. See Setting Up Unit-to-Unit HA.

System Architecture

The NSsp 15700 centers on four Intel Xeon processors on two cards, or physical blades, linked by a 3.2 Terabits per second switch fabric. This enables the support of multiple independent firewalls with direct access to the NSsp's high-performance hardware. Non-Uniform Memory Access (NUMA) architecture combined with software containers maximizes security and performance.
There are two logical blades, or CPUs, per physical blade. These logical blades are allocated to a Root Instance firewall or to tenant instances. Each logical blade offers the nine cores available on each Xeon minus one devoted to system software. At the time of this writing, the Root Instance requires a minimum of two logical blades, and a maximum of two logical blades are available to support virtual firewalls.
Virtual firewall instances are confined to software containers, which provides the highest security and predictable performance.
Virtual firewalls require an allocation of at least two CPU cores: one Control Plane (CP) and one Data Plane (DP). Up to two CP cores and seven DP cores can support a virtual firewall. Cores supporting a virtual firewall must reside on one logical blade.
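As an added illustration of the allocation rules above (this is not SonicWall code), the following Python planner checks each instance's CP/DP request against the stated bounds and places instances onto the two tenant logical blades first-fit, largest first, so that every instance lands whole on one blade. The 8 usable cores per logical blade (nine Xeon cores minus the system core) and the two tenant blades come from the text; the instance names and sizes are constructed.

```python
"""Capacity planner for NSsp 15700 virtual firewall instances (added illustration, not
SonicWall code).  Rules taken from the System Architecture text: an instance needs 1-2
Control Plane (CP) and 1-7 Data Plane (DP) cores, all on one logical blade; a logical
blade offers nine Xeon cores minus one reserved for system software; two logical blades
are available to virtual firewalls.  The instance table in __main__ is constructed."""

USABLE_CORES = 9 - 1      # cores per logical blade after the system core
TENANT_BLADES = 2         # logical blades available to virtual firewalls
CP_MIN, CP_MAX = 1, 2
DP_MIN, DP_MAX = 1, 7


def validate_instance(name, cp, dp):
    """Return a reason the request is invalid, or None if it is acceptable."""
    if not CP_MIN <= cp <= CP_MAX:
        return f"{name}: {cp} CP cores, allowed {CP_MIN}-{CP_MAX}"
    if not DP_MIN <= dp <= DP_MAX:
        return f"{name}: {dp} DP cores, allowed {DP_MIN}-{DP_MAX}"
    if cp + dp > USABLE_CORES:
        return f"{name}: {cp + dp} cores exceed the {USABLE_CORES} usable on one logical blade"
    return None


def place_instances(instances):
    """First-fit-decreasing placement of {name: (cp, dp)} onto the tenant blades.

    Returns (placement, unplaced): placement maps blade index -> [names], unplaced
    lists instances that fit on no blade.  Raises ValueError if any single request
    already breaks the per-instance rules."""
    errors = []
    for name, (cp, dp) in instances.items():
        err = validate_instance(name, cp, dp)
        if err:
            errors.append(err)
    if errors:
        raise ValueError("; ".join(errors))
    free = [USABLE_CORES] * TENANT_BLADES
    placement = {blade: [] for blade in range(TENANT_BLADES)}
    unplaced = []
    # Largest requests first, so a big instance is not stranded by small ones.
    for name, (cp, dp) in sorted(instances.items(), key=lambda kv: -sum(kv[1])):
        need = cp + dp
        for blade in range(TENANT_BLADES):
            if free[blade] >= need:       # the whole instance must land on one blade
                free[blade] -= need
                placement[blade].append(name)
                break
        else:
            unplaced.append(name)
    return placement, unplaced


if __name__ == "__main__":
    # Constructed example: four tenant firewalls competing for two logical blades.
    plan = {"fw-a": (2, 6), "fw-b": (1, 3), "fw-c": (1, 3), "fw-d": (1, 1)}
    placed, left_over = place_instances(plan)
    print("placement:", placed)         # fw-a alone on blade 0, fw-b and fw-c on blade 1
    print("does not fit:", left_over)   # fw-d: no blade has 2 free cores
```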

Hardware Overview

The NSsp is a rack-mounted 2U enterprise firewall capable of supporting multiple virtual firewalls on a single high-performance, high-reliability platform. It can support multiple firewall instances for MSSPs or redundant virtual firewalls for high-availability applications.
Topics:
l Front Panel
l Rear Panel
l LEDs
l Specifications

Front Panel

X0 - X15 10Gb SFP+ Ports (16)
These ports support small form-factor pluggable (SFP) modules and 10Gb Base-T copper modules.
X16 - X19 40Gb QSFP+ Ports (4)
These 40Gb ports also support 10Gb interface connectivity.
X20 - X25 100Gb QSFP28 Ports (6)
Serial Console Port
MGMT Port – 1GbE
LED Indicators
LEDs from top: Power, Alarm, System Status, MGMT Port
SSD Drives – 480GB (4)
LCD Screen

Rear Panel

AUX MGMT Ports (2) – 1GbE
Provides management access for SonicWall Technical Support
Power Switches and Status LEDs (2)
Press and release to power on
LED status:
l Off – Power is off for the compute blade
l Blinking Blue – Compute blade is in powering-up stage
l Solid Blue – Power is on and compute blade is up and ready
Power Alarm Cutoff Button
Press to stop alarm after power supply failure
Power Supplies (2) - 1200W each
Fully redundant, field replaceable
Ground
Fans (10)
Key Compartment
Contains keys to unlock SSD handles for removal/replacement

LEDs

LED Name                           LED Color        Description
10Gb SFP+ Link LEDs, X0-X15        Off              No link
                                   Solid Green      Link is up
40Gb QSFP+ Link LEDs, X16-X19      Off              No link
                                   Solid Green      Link is up
100Gb QSFP28 Link LEDs, X20-X25    Off              No link
                                   Solid Green      Link is up
MGMT Port Link LED                 Off              No link
                                   Solid Green      100Mbps
                                   Solid Amber      1Gbps
All Activity LEDs, X0-X25, MGMT    Off              No traffic
                                   Blinking Green   Traffic present
Power                              Off              Power is off for the compute blade
                                   Green            Power is on for the compute blade
Alarm                              Off              No alarm activity
                                   Green            Minor system alarm
                                   Red              Major/critical system alarm (thermal, fan, etc.)
System Status                      Off              No compute blade or no power
                                   Amber            Compute blade is not ready
                                   Green            Compute blade is ready
MGMT Port                          Off              No activity
                                   Blinking Amber   Traffic present

Specifications

NOTE: For a list of qualified SFP+/QSFP transceivers, contact SonicWall Technical Support.
NSSP 15700 SPECIFICATIONS
Feature                               Detail
Number of Compute Blades              2
Number of CPUs                        4
100G QSFP28                           6
40G QSFP+                             4
10G SFP+                              16
SSD in Compute Blade (1 per Blade)    240GB
Front SSDs for Blade #1 (Top)         480GB
RAID Configuration                    RAID 1
Front SSDs for Blade #2 (Bottom)      480GB
RAID Configuration                    RAID 1
Compact Flash 32GB                    2
USB                                   USB 2.0 Type A
Console                               RS232 RJ45
Management Port                       1GbE RJ45
4056 Fan                              10
Redundant Power Supplies              2
Power                                 1200 Watts

System Setup

Topics:
l Default Settings
l System Startup
l SonicOS/X Basic Configuration
l Connecting LAN and WAN Interfaces
l Network Configuration
l Registration and Licensing

Default Settings

Port                                  IP Address / Login / Password
Serial number / Authentication code   On nameplate; in initial firmware
Registration code                     From MySonicWall.com
Maintenance key                       From MySonicWall.com
Console                               Serial port: baud rate 115200; data 8; parity none; stop 1; flow control none
X0                                    10.10.10.10
X1                                    Not set by default
Management (Blade 1)                  192.168.168.168
Management (Blade 2)                  192.168.168.167
SafeMode (1)                          https://192.168.168.168:65443 (admin; password)
                                      Available in GUI on Dashboard with system information; login = techsupport / sonicwall-<buildnum>
MySonicWall.com                       Register on MySonicWall.com to establish login and password

(1) SafeMode is accessed through the Management (Blade 1) port, which is by default 192.168.168.168. This value may be changed in ChassisOS. For details, see Access the Console Port and Configure IP Addresses from the CLI.
NOTE: The login credentials are admin/password if SonicOS/X is unavailable; otherwise the administrator’s SonicOS/X credentials work. See Using the SafeMode GUI.

System Startup

SonicOS/X comes up a few minutes after the appliance is connected to a power source. You can configure SonicOS/X from either the X0 or the MGMT interface:
l HTTPS Management via X0
l HTTPS Management via MGMT Port

HTTPS Management via X0

The X0 interface can be configured as a static, transparent, or Layer 2 Bridged Mode interface.
1. Connect your management computer to the SonicOS/X X0 interface and configure your computer with a static IP address on the LAN subnet (default subnet: 10.10.10.0/24).
2. In your browser, enter the default IP address https://10.10.10.10.
3. Log in using the default credentials: Username: admin; Password: password
4. Continue with SonicOS/X Basic Configuration.

HTTPS Management via MGMT Port

The MGMT port is a dedicated 1 Gigabit Ethernet interface for appliance management and SafeMode access.
1. Connect your management computer to the SonicOS/X MGMT interface and configure your computer with a static IP address on the MGMT subnet (default subnet: 192.168.168.0/24).
2. In your browser, enter the default IP address https://192.168.168.166.
3. Log in using the default credentials: Username: admin; Password: password
4. Continue with SonicOS/X Basic Configuration.
If the services are enabled, you can access SafeMode, SSH, or ping via the MGMT port. From SafeMode, you can upgrade firmware, boot backup images and more.
Using SafeMode
SafeMode is accessed on HTTPS port 65443. This is accessed via MGMT (Blade 1) configured in user interface settings. The default is 192.168.168.168. Log in using the default MGMT SafeMode credentials:
l Username: admin
l Password: password
SafeMode is also accessed through the aux MGMT port. For more information on SafeMode, see Using the SafeMode GUI.
Using CLI
From SSH, you can access the SonicOS/X command line interface (CLI) for configuration and to view logs and settings. Log in with default SonicOS/X credentials:
l Username: admin
l Password: password
For more on using the CLI, see CLI Bring-Up.

SonicOS/X Basic Configuration

Use the following steps to complete a basic system configuration.
1. Navigate to POLICY | Rules and Policies to create security rules for handling traffic. There are no default rules, so no traffic can be passed until rules are created.
   IMPORTANT: Without policy rules, SonicOS/X only allows management traffic on X0 or the MGMT port. No other traffic is allowed until policy rules are created by the administrator.
2. Navigate to NETWORK | System > Interfaces to configure the X1 WAN interface.
   l Static – Configures the appliance for a network that uses static IP addresses.
   l DHCP – Configures the appliance to request IP settings from a DHCP server in the network.
   WAN connectivity is needed for product registration and licensing. Be sure to configure DNS for the WAN interface.
3. Configure the administrator username and password.
4. Connect the X0 interface to your LAN network and connect X1 to the Internet, as described in Connecting LAN and WAN Interfaces.
5. Register SonicOS/X as described in Registration and Licensing.
6. For network configuration considerations, refer to Network Configuration.

Connecting LAN and WAN Interfaces

After the initial setup is complete, physically connect the LAN and WAN interfaces to the network devices in your environment for access to your networks or the Internet.
To connect the interfaces:
1. Using a Twinax cable or a fiber SFP+ module with a fiber cable, connect the appliance LAN interface (X0) to your local network 10G switch or device.
2. Using a Twinax cable or a fiber SFP+ module with a fiber cable, connect the appliance WAN interface (X1) to your Internet connection.

Network Configuration

Although the X0, X1 ... X15 front panel interfaces support up to 10Gb SFP+ operation, they may be set up for 1Gb operation.
The Root Instance for multi-bladed operation has reserved use of X0 through X3. Interface ports X4 and up can be reserved for multi-instance use. Note that to reach the license manager and receive a DHCP address, the instances must have their own path to the Internet.
Each instance can support up to 8 virtual ports: X0...X7. X1 on each instance needs to connect to a front panel port with access to a DHCP server, or be assigned a static IP address. While adding a new instance, on the interface configuration tab, configure the instance X1 so that it is mapped to a front panel port and VLAN ID that is set up with WAN access. This is necessary in both cases (static and dynamic IP address assignment).
For static IP configuration, choose an IP in the LAN network that is not in use. For example, if the DHCP server uses a range from 10.206.52.10 to 10.206.52.200, use an IP below or above that range, but not the broadcast (10.206.52.255) or gateway IP (for example, 10.206.52.100) address.
For details on configuring management IP addresses, see Configure IP Addresses from the CLI. The X0 and X1 ports can be configured through the SonicOS/X GUI at NETWORK | System > Interface > Interface Settings.
NOTE: SafeMode access is through the top AUX MGMT port to the Management (Blade 1) port. Refer to the illustration in Rear Panel.
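As an added example (not part of this guide or SonicWall's software), the following Python check encodes the static-address rule for an instance X1 given above: the candidate must lie inside the LAN subnet, outside the DHCP pool, and must not be the network, broadcast or gateway address, nor an address already in use. The subnet, pool and gateway are the section's 10.206.52.x values; the in-use list is constructed.

```python
"""Static-IP planning check for an instance X1 interface (added example, not SonicWall
code).  Encodes the Network Configuration rule: pick an unused address inside the LAN
subnet that is outside the DHCP pool and is neither the broadcast nor the gateway
address.  Sample subnet, pool and gateway follow the section's example; the in-use list
passed in __main__ is constructed."""
import ipaddress


def static_ip_problems(candidate, subnet, dhcp_start, dhcp_end, gateway, in_use=()):
    """Return the list of reasons the candidate is unsuitable (empty list means OK)."""
    net = ipaddress.ip_network(subnet, strict=True)
    ip = ipaddress.ip_address(candidate)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if ip not in net:
        problems.append(f"{ip} is not inside {net}")
        return problems                      # the other checks are meaningless off-subnet
    if ip == net.network_address:
        problems.append("network address cannot be assigned to a host")
    if ip == net.broadcast_address:
        problems.append("broadcast address cannot be assigned to a host")
    if lo <= ip <= hi:
        problems.append(f"inside DHCP pool {lo}-{hi}; risks a duplicate lease")
    if ip == gw:
        problems.append("collides with the gateway address")
    if ip in {ipaddress.ip_address(a) for a in in_use}:
        problems.append("already in use on this LAN")
    return problems


def free_static_ips(subnet, dhcp_start, dhcp_end, gateway, in_use=(), limit=5):
    """List the first `limit` host addresses (lowest first) that pass every check."""
    net = ipaddress.ip_network(subnet, strict=True)
    found = []
    for host in net.hosts():
        if not static_ip_problems(str(host), subnet, dhcp_start, dhcp_end, gateway, in_use):
            found.append(str(host))
            if len(found) == limit:
                break
    return found


if __name__ == "__main__":
    # Subnet, pool and gateway from the section's example; the in-use list is constructed.
    lan = ("10.206.52.0/24", "10.206.52.10", "10.206.52.200", "10.206.52.100")
    print(static_ip_problems("10.206.52.50", *lan))    # inside the DHCP pool
    print(static_ip_problems("10.206.52.255", *lan))   # broadcast address
    print(static_ip_problems("10.206.52.201", *lan))   # [] -> acceptable
    print(free_static_ips(*lan, in_use=("10.206.52.1",)))
```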

Registration and Licensing

To register SonicOS/X, you can click Register in the SonicOS/X web management interface, then enter your MySonicWall credentials. Or you can log in to MySonicWall at https://www.mysonicwall.com from a browser and register SonicOS/X there, then synchronize from within SonicOS/X.
Registration in MySonicWall requires your SonicOS/X serial number and authentication code, which you can find on the appliance label or on the DEVICE | Settings > Status page of the SonicOS/X web interface.
You can purchase additional Security Service licenses by clicking Licenses in the row for your SonicOS/X on the My Products page in MySonicWall.

Instance Licenses

When you register the SonicOS/X and license security services on it, additional license keys are automatically created for a Multi-Instance deployment. These Instance licenses have unique serial numbers and authentication codes. All security services licensed on the SonicOS/X are inherited by each Instance. Each Instance license is separate and independent, allowing each Instance to have a unique configuration.

Latest Firmware

After product registration, be sure to download the latest firmware and upgrade your SonicOS/X. You can run different SonicOS/X firmware versions on each Instance, if desired. The Instance firmware images are available for download along with the main firmware in MySonicWall.
NOTE: Enabling Multi-Instance requires a chassis reboot, which can take up to 15 minutes.

Configuring Multiple Instances

Topics:
l Enabling Multi-Instances
l Configuring Multi-Instances
l Licenses for Multiple Instances
l Deactivating an Instance
l Instance HA Pair on a Standalone NSsp Node
This feature allows the NSsp security appliance to launch multiple firewall instances, each serving as an independent firewall. The Root Instance (RI) configures and launches each instance. After the instances are up and running, their X0...X7 interfaces allow access for detailed network configuration.
Navigate to DEVICE | Multi-Instance to find configuration and monitoring screens.
NAVIGATING TO MULTI-INSTANCE OPTIONS
Each instance's X0, X1, X2 ... X7 interfaces are mapped to a VLAN on a front panel port (X0 to X25) by the RI. Each instance can be configured with up to eight ports. Each instance port is mapped to a front panel port and tagged with a VLAN ID.