Under the copyright laws, this manual or the software described within, can not be copied, in
whole or part, without the written consent of the manufacturer, except in the normal use of the
software to make a backup copy. The same proprietary and copyright notices must be affixed
to any permitted copies as were affixed to the original. This exception does not allow copies to
be made for others, whether or not sold, but all of the material purchased (with all backup
copies) can be sold, given, or loaned to another person. Under the law, copying includes
translating into another language or format.
SonicWALL is a registered trademark of SonicWALL, Inc.
Other product and company names mentioned herein can be trademarks and/or registered
trademarks of their respective companies.
Specifications and descriptions subject to change without notice.
LIMITED WARRANTY
SonicWALL, Inc. warrants the SonicWALL Internet Security Appliance (the Product) for one (1)
year from the date of purchase against defects in materials and workmanship. If there is a
defect in the hardware, SonicWALL will replace the product at no charge, provided that it is
returned to SonicWALL with transportation charges prepaid. A Return Materials Authorization
(RMA) number must be displayed on the outside of the package for the product being returned
for replacement or the product will be refused. The RMA number can be obtained by calling
SonicWALL Customer Service between the hours of 8:30 AM and 5:30 PM Pacific Standard
Time, Monday through Friday.
Phone: (408) 752-7819
Fax: (408) 745-9300
Web: <http://www.sonicwall.com/support>
This warranty does not apply if the Product has been damaged by accident, abuse, misuse, or
misapplication or has been modified without the written permission of SonicWALL.
In no event shall SonicWALL, Inc. or its suppliers be liable for any damages whatsoever
(including, without limitation, damages for loss of profits, business interruption, loss of
information, or other pecuniary loss) arising out of the use of or inability to use the Product.
Some states do not allow the exclusion or limitation of implied warranties or liability for
incidental or consequential damages, so the above limitation or exclusion can not apply to you.
Where liability can not be limited under applicable law, the SonicWALL liability shall be limited
to the amount you paid for the Product. This warranty gives you specific legal rights, and you
can have other rights which vary from state to state.
By using this Product, you agree to these limitations of liability.
preface.fm Page 6 Wednesday, June 12, 2002 10:48 AM
THIS WARRANTY AND THE REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN
LIEU OF ALL OTHER WARRANTIES, ORAL OR WRITTEN, EXPRESS OR IMPLIED.
No dealer, agent, or employee of SonicWALL is authorized to make any extension or addition
to this warranty.
About this Guide
Thank you for purchasing the SonicWALL Internet Security appliance. The
SonicWALL protects your PC from attacks and intrusions, filters objectionable Web sites, provides
private VPN connections to business partners and remote offices, and offers a centrally
managed defense against software viruses.
This manual covers the configuration of the SonicWALL Internet Security appliance features.
For complete installation information, refer to the SonicWALL Internet Security Appliance
Installation Guide.
Organization of This Guide
Chapter 1, Introduction, describes the features and applications of the SonicWALL.
Chapter 2, Managing Your SonicWALL, provides a brief overview of the SonicWALL Web
Management Interface.
Chapter 3, Network Settings, describes the configuration of the SonicWALL IP settings, time,
and password.
Chapter 4, Logging and Alerting, illustrates the SonicWALL logging, alerting, and reporting
features.
Chapter 5, Content Filtering and Blocking, describes SonicWALL Web content filtering,
including subscription updates and customized Web blocking.
Chapter 6, Web Management Tools, provides directions to restart the SonicWALL, import
and export settings, upload new firmware, and perform diagnostic tests.
Chapter 7, Network Access Rules, explains how to permit and block traffic through the
SonicWALL, set up servers, and enable remote management.
Chapter 8, Advanced Features, describes advanced SonicWALL settings, such as One-to-One
NAT and Automatic Web Proxying.
Chapter 9, DHCP Server, describes the configuration and setup of the SonicWALL DHCP
server.
Chapter 10, SonicWALL VPN, explains how to create a VPN tunnel between two SonicWALLs
and how to create a VPN tunnel from the VPN client to the SonicWALL.
Chapter 11, High Availability, describes the configuration and setup of two SonicWALL Internet
security appliances (primary and backup) for a High Availability pair. SonicWALL High
Availability eliminates network downtime by allowing the configuration of two SonicWALLs
(one primary and one backup) as a High Availability pair.
Page 6 SonicWALL TELE3 SP Administrator’s Guide
Chapter 12, SonicWALL Options and Upgrades, presents a brief summary of the
SonicWALL's subscription services, firmware upgrades and other options.
Chapter 13, Hardware, provides a description of the front and back of the TELE3 SP, including
LED lights and ports.
Chapter 14, Troubleshooting Guide, shows solutions to commonly encountered problems.
Appendix A, Technical Specifications, lists the SonicWALL specifications.
Appendix B, SonicWALL Support Solutions, provides descriptions of available support packages from
SonicWALL.
Appendix C, Introduction to Networking, provides an overview of the Internet, TCP/IP
settings, IP security, and other general networking topics.
Appendix D, IP Port Numbers, offers information about IP port numbering.
Appendix E, Configuring TCP/IP Settings, provides instructions for configuring your
Management Station's IP address.
Appendix F, Erasing the Firmware, describes the firmware erase procedure.
Appendix G, Configuring RADIUS and ACE Servers, provides vendor-specific configuration
instructions for RADIUS and ACE servers. The appendix also includes a RADIUS Attributes
Dictionary.
Appendix H, Regulatory Compliance, presents important emissions standards approvals and
EMC information.
SonicWALL Technical Support
For fast resolution of technical questions, please visit the SonicWALL Tech Support Web site at
<http://www.sonicwall.com/support>. There, you will find resources to resolve most technical
issues and a Web request form to contact one of the SonicWALL Technical Support engineers.
1 Introduction
Your SonicWALL TELE3 SP (Smart Path) Internet Security Appliance
The SonicWALL TELE3 SP (Smart Path) provides a complete security solution that protects your
network from attacks, intrusions, and malicious tampering. In addition, the SonicWALL filters
objectionable Web content and logs security threats. SonicWALL VPN provides secure,
encrypted communications to business partners and branch offices.
The SonicWALL TELE3 SP uses stateful packet inspection to ensure secure firewall filtering.
Stateful packet inspection is widely considered to be the most effective method of filtering IP
traffic. MD5 authentication is used to encrypt communications between your Management
Station and the SonicWALL Web Management Interface. MD5 Authentication prevents
unauthorized users from detecting and stealing the SonicWALL password as it is sent over your
network.
SonicWALL Internet Security Appliance Functional Diagram
The following figure illustrates the SonicWALL Internet Security Appliance functions.
By default, the SonicWALL TELE3 SP allows outbound access from the LAN to the Internet and
blocks inbound access from the Internet to the LAN. Users on the Internet are restricted from
accessing resources on the LAN unless they are authorized remote users or Network Access
Rules were created to allow inbound access.
SonicWALL TELE3 SP Internet Security Appliance Features
Internet Security
•ICSA-Certified Firewall
After undergoing a rigorous suite of tests to expose security vulnerabilities, SonicWALL
Internet security appliances have received Firewall Certification from ICSA, the
internationally-accepted authority on network security. The SonicWALL uses stateful packet
inspection, the most effective method of packet filtering, to protect your LAN from hackers
and vandals on the Internet.
•Hacker Attack Prevention
The SonicWALL automatically detects and thwarts Denial of Service (DoS) attacks such as
Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
•Network Address Translation (NAT)
Network Address Translation (NAT) translates the IP addresses used on your private LAN to
a single, public IP address that is used on the Internet. NAT allows multiple computers to
access the Internet, even if only one IP address has been provided by your ISP.
•Network Access Rules
The default Network Access Rules allow traffic from the LAN to the Internet and block traffic
from the Internet to the LAN. You can create additional Network Access Rules that allow
inbound traffic to network servers, such as Web and mail servers, or that restrict outbound
traffic to certain destinations on the Internet.
•AutoUpdate
The SonicWALL maintains the highest level of security by automatically notifying you when
new firmware is released. When new firmware is available, the SonicWALL Web
Management Interface displays a link to download and install the latest firmware. The
SonicWALL also sends an e-mail with firmware release notes.
•WAN Failover using a V.90 Modem Port
The WAN Failover feature provides an alternate means of accessing the Internet when your
“always on” broadband connection loses its connection. This unique feature allows the
SonicWALL TELE3 SP to failover to a dial-up Internet connection when the WAN Ethernet
connection loses its connectivity.
•SNMP Support
SNMP (Simple Network Management Protocol) is a network protocol used over User
Datagram Protocol (UDP) that allows network administrators to monitor the status of the
SonicWALL Internet Security appliances and receive notification of any critical events as
they occur on the network.
Content Filtering
•SonicWALL Content Filtering Overview
You can use the SonicWALL Web content filtering to enforce your company's Internet
access policies. The SonicWALL blocks specified categories, such as violence or nudity,
using an optional Content Filter List. Users on your network can bypass the Content Filter
List by authenticating with a unique user name and password.
•Content Filter List Updates (optional)
Since content on the Internet is constantly changing, the SonicWALL automatically updates
the optional Content Filter List every week to ensure that access restrictions to new and
relocated Websites and newsgroups are properly enforced.
•Log and Block or Log Only
You can configure the SonicWALL to log and block access to objectionable Web sites, or to
log inappropriate usage without blocking Web access.
•Filter Protocols
In addition to filtering access to Web sites, the SonicWALL can also block Newsgroups,
ActiveX, Java, Cookies, and Web Proxies.
Logging and Reporting
•Log Categories
You can select the information you wish to display in the SonicWALL event log. You can
view the event log from the SonicWALL Web Management Interface or receive the log as
an e-mail file.
•Syslog Server Support
In addition to the standard screen log, the SonicWALL can write detailed event log
information to an external Syslog server. Syslog is the industry-standard method to capture
information about network activity.
•ViewPoint Reporting (optional)
Monitoring critical network events and activity, such as security threats, inappropriate Web
use, and bandwidth levels, is an essential component of network security. SonicWALL
ViewPoint complements the SonicWALL security features by providing detailed and
comprehensive reports of network activity.
SonicWALL ViewPoint is a software application that creates dynamic, Web-based network
reports. ViewPoint reporting generates both real-time and historical reports to offer a
complete view of all activity through your SonicWALL Internet security appliance.
•E-mail Alerts
The SonicWALL can be configured to send alerts of high-priority events, such as attacks,
system errors, and blocked Web sites. When these events occur, alerts can be immediately
sent to an e-mail address or e-mail pager.
Dynamic Host Configuration Protocol (DHCP)
•DHCP Server
The DHCP Server offers centralized management of TCP/IP client configurations, including
IP addresses, gateway addresses, and DNS addresses. Upon startup, each network client
receives its TCP/IP settings automatically from the SonicWALL DHCP Server.
•DHCP Client
DHCP Client allows the SonicWALL to acquire TCP/IP settings (such as IP address, gateway
address, DNS address) from your ISP. This is necessary if your ISP assigns you a dynamic
IP address.
•DHCP over VPN
DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease
from a DHCP server at the end of a VPN tunnel. In some network deployments, it is desirable
to have all VPN networks residing in one IP subnet address space. This facilitates address
administration for the networks using VPN tunnels.
Installation and Configuration
•Installation Wizard
The SonicWALL Installation Wizard helps quickly install and configure the SonicWALL.
•Online help
SonicWALL help documentation is built into the SonicWALL Web Management Interface for
easy access during installation and management.
IPSec VPN
•SonicWALL VPN
SonicWALL VPN provides a simple, secure tool that enables corporate offices and business
partners to connect securely over the Internet. By encrypting data, SonicWALL VPN
provides private communications between two or more sites without the expense of leased
site-to-site lines.
•VPN Client Software for Windows
Mobile users with dial-up Internet accounts can securely access remote network resources
with the SonicWALL VPN Client. The SonicWALL VPN Client establishes a private, encrypted
VPN tunnel to the SonicWALL, allowing users to transparently access network servers from
any location.
Contact SonicWALL, Inc. for information about the Content Filter List, Network Anti-Virus subscriptions, and other upgrades.
This chapter describes the tabs in the General section and the configuration of the SonicWALL
TELE3 SP Network Settings. The Network Settings include the SonicWALL IP settings, the
administrator password, and the time and date. There are three tabs other than Status in the
General section:
•Network
•Time
•Password
Network
Note: The Network Settings change to the dial-up ISP network settings when a WAN Failover
occurs on the SP.
To configure the SonicWALL Network Settings, click General, and then click the Network
tab.
Network Settings
Network Addressing Mode
The Network Addressing Mode menu determines the network address scheme of your
SonicWALL. It includes four options: Standard, NAT Enabled, NAT with DHCP Client, and
NAT with PPPoE.
•Standard mode requires valid IP addresses for all computers on your network, but allows
remote access to authenticated users.
•NAT Enabled mode translates the private IP addresses on the network to the single, valid
IP address of the SonicWALL. Select NAT Enabled if your ISP assigned you only one or
two valid IP addresses.
•NAT with DHCP Client mode configures the SonicWALL to request IP settings from a
DHCP server on the Internet. NAT with DHCP Client is a typical network addressing
mode for cable and DSL customers.
•NAT with PPPoE mode uses PPPoE to connect to the Internet. If desktop software and a
user name and password are required by your ISP, select NAT with PPPoE.
LAN Settings
•SonicWALL LAN IP Address
The SonicWALL LAN IP Address is the IP address assigned to the SonicWALL LAN port.
It is used for managing the SonicWALL. This IP address should be a unique address from
the LAN address range.
•LAN Subnet Mask
The LAN Subnet Mask defines which IP addresses are on the LAN. The default Class C
subnet mask of "255.255.255.0" supports up to 254 IP addresses on the LAN. If the Class
C subnet mask is used, all local area network addresses should contain the same first three
numbers as the SonicWALL LAN IP Address--for example, "192.168.168."
Multiple LAN Subnet Mask Support
Note: This feature does not replace or substitute configuring routes with the Routes tab in the
Advanced section of the SonicWALL. If you have to define a subnet on the other side of a
router, you must define a static route using the Routes tab in the Advanced section.
Multiple LAN Subnet Mask Support facilitates the support of legacy networks incorporating
the SonicWALL, and makes it easier to add additional nodes if the original subnet is full. Before
you can configure multiple local LAN subnets in the SonicWALL, you must have the following
information:
•Network Gateway Address - This is an IP address assigned to the SonicWALL in addition
to the existing LAN IP address. If you have configured your SonicWALL in Standard mode,
the IP address should be the Default Gateway IP address assigned to your Internet router
on the same subnet. All users on the subnet you are configuring must use this IP address
as their default router/gateway address.
•Subnet Mask - This value defines the size, and based upon the Network Gateway entry,
the scope of the subnet. If you are configuring a subnet mask that currently exists on the
LAN, enter the existing subnet mask address into the Subnet Mask field. If you are
configuring a new subnet mask, use a subnet mask that does not overlap any previously
defined subnet masks.
General and Network Settings Page 13
Note: The SonicWALL cannot be managed from any of the additional Network Gateway
addresses. You must use the IP address set as the LAN IP address of the SonicWALL. Also, you
cannot mix Standard and NAT subnets behind the SonicWALL.
WAN Settings
•WAN Gateway (Router) Address
The WAN Gateway (Router) Address is the IP address of the WAN router or default gateway
that connects your network to the Internet. If you use Cable or DSL, your WAN router is
probably located at your ISP.
If you select NAT with DHCP Client or NAT with PPPoE mode, the WAN Gateway
(Router) Address is assigned automatically.
•SonicWALL WAN IP Address
The SonicWALL WAN IP Address is a valid IP address assigned to the WAN port of the
SonicWALL. This address should be assigned by your ISP.
If you select NAT Enabled mode, this is the only address seen by users on the Internet
and all activity appears to originate from this address.
If you select NAT with DHCP Client, NAT with PPPoE, or NAT with L2TP Client mode,
the SonicWALL WAN IP address is assigned automatically.
If you select Standard mode, the SonicWALL WAN IP Address is the same as the
SonicWALL LAN IP Address.
•WAN/LAN Subnet Mask
The WAN/LAN Subnet Mask determines which IP addresses are located on the WAN.
This subnet mask should be assigned by your ISP.
If you select NAT with DHCP Client, NAT with PPPoE, or NAT with L2TP Client mode,
the WAN/LAN Subnet Mask is assigned automatically.
If you select Standard mode, the WAN/LAN Subnet Mask is the same as the LAN
Subnet Mask.
DNS Settings
•DNS Servers
DNS Servers, or Domain Name System Servers, are used by the SonicWALL for diagnostic
tests with the DNS Lookup Tool, and for upgrade and registration functionality. DNS
Server addresses should be assigned by your ISP.
If you select NAT with DHCP Client or NAT with PPPoE mode, the DNS Server
addresses are assigned automatically.
Note: The SonicWALL does not relay DNS settings to the LAN; you must enable and
configure the SonicWALL DHCP server or manually configure your computer DNS settings
to obtain DNS name resolution.
Standard Configuration
If your ISP provided you with enough IP addresses for all the computers and network devices
on your LAN, enable Standard mode.
To configure Standard addressing mode, complete the following instructions:
1.Select Standard from the Network Addressing Mode menu. Because NAT is disabled,
you must assign valid IP addresses to all computers and network devices on your LAN.
2.Enter a unique, valid IP address from your LAN address range in the SonicWALL LAN IP
Address field. The SonicWALL LAN IP Address is the address assigned to the
SonicWALL LAN and is used for management of the SonicWALL.
3.Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask
tells your SonicWALL which IP addresses are on your LAN. The default value,
"255.255.255.0", supports up to 254 IP addresses.
4.Enter your WAN router or default gateway address in the WAN Gateway (Router)
Address field. Your router is the device that connects your network to the Internet. If you
use Cable or DSL, your WAN router is located at your ISP.
5.Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses the
DNS servers for diagnostic tests and for upgrade and registration functionality.
6.Click Update. Once the SonicWALL has been updated, a message confirming the update
is displayed at the bottom of the browser window. Restart the SonicWALL for these
changes to take effect.
NAT Enabled Configuration
Network Address Translation (NAT) connects your entire network to the Internet using a single
IP address. Network Address Translation offers the following:
•Internet access to additional computers on the LAN. Multiple computers can access the
Internet even if your ISP only assigned one or two valid IP addresses to your network.
•Additional security and anonymity because your LAN IP addresses are invisible to the
outside world.
If your ISP hasn't provided enough IP addresses for all machines on your LAN, enable NAT and
assign your network a private IP address range. You should use addresses from one of the
following address ranges on your private network:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Note: If your network address range uses valid TCP/IP addresses, Internet sites within that
range are not accessible from the LAN. For example, if you assign the address range 199.2.23.1
- 199.2.23.255 to your LAN, a Web server on the Internet with the address of 199.2.23.20 is
not accessible.
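The addressing rules from the Multiple LAN Subnet Mask Support section and from the note above can be checked before the values are entered on the Network tab. The following Python example is added here and is not SonicWALL code; the plan dictionary layout, the function names, and the WAN subnet mask of 255.255.255.0 used with the guide's sample addresses are assumptions.

```python
import ipaddress

# The three private ranges this guide lists for NAT deployments.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lan_subnets(plan):
    """Return [(label, IPv4Interface)] for the LAN and each additional subnet."""
    subnets = [("LAN", ipaddress.ip_interface(f"{plan['lan_ip']}/{plan['lan_mask']}"))]
    for n, (gateway, mask) in enumerate(plan.get("extra_subnets", []), start=1):
        subnets.append((f"extra subnet {n}", ipaddress.ip_interface(f"{gateway}/{mask}")))
    return subnets


def audit_plan(plan):
    """Return a list of (code, message) findings; an empty list means none found."""
    findings = []
    subnets = lan_subnets(plan)
    nat = plan["mode"] != "standard"

    for label, iface in subnets:
        net = iface.network
        # The SonicWALL address must be a usable host address inside its subnet.
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(("UNUSABLE_ADDRESS",
                             f"{label}: {iface.ip} is the network or broadcast address of {net}"))
        # With NAT, a LAN numbered from public space hides the real Internet hosts in that range.
        if nat and not any(net.subnet_of(r) for r in PRIVATE_RANGES):
            findings.append(("PUBLIC_LAN_RANGE",
                             f"{label}: {net} is outside the private ranges; "
                             "Internet sites in it are not accessible from the LAN"))

    # Additional subnets must not overlap the LAN subnet or each other.
    for i, (label_a, a) in enumerate(subnets):
        for label_b, b in subnets[i + 1:]:
            if a.network.overlaps(b.network):
                findings.append(("OVERLAP",
                                 f"{label_a} {a.network} overlaps {label_b} {b.network}"))

    if nat and "wan_ip" in plan:
        wan = ipaddress.ip_interface(f"{plan['wan_ip']}/{plan['wan_mask']}")
        # The WAN gateway has to be reachable on the WAN subnet.
        if ipaddress.ip_address(plan["wan_gateway"]) not in wan.network:
            findings.append(("GATEWAY_OFF_SUBNET",
                             f"WAN gateway {plan['wan_gateway']} is not in {wan.network}"))
        for label, iface in subnets:
            if wan.network.overlaps(iface.network):
                findings.append(("WAN_LAN_OVERLAP",
                                 f"WAN {wan.network} overlaps {label} {iface.network}"))
    return findings


def shadowed_by_lan(plan, internet_host):
    """True if internet_host falls inside a LAN subnet, so LAN clients treat it as local."""
    host = ipaddress.ip_address(internet_host)
    return any(host in iface.network for _, iface in lan_subnets(plan))


# Constructed sample plans. GUIDE_EXAMPLE uses the addresses from this guide's NAT
# example; its WAN mask is an assumption because the guide does not state one.
GUIDE_EXAMPLE = {"mode": "nat", "lan_ip": "192.168.168.1", "lan_mask": "255.255.255.0",
                 "wan_ip": "10.1.1.25", "wan_gateway": "10.1.1.1",
                 "wan_mask": "255.255.255.0"}
# The guide's counter-example: a LAN numbered 199.2.23.x behind NAT.
PUBLIC_LAN = {"mode": "nat", "lan_ip": "199.2.23.1", "lan_mask": "255.255.255.0"}
# Constructed: the first additional subnet sits inside the primary LAN subnet.
OVERLAPPING = {"mode": "nat", "lan_ip": "192.168.168.1", "lan_mask": "255.255.255.0",
               "extra_subnets": [("192.168.168.129", "255.255.255.128"),
                                 ("192.168.10.1", "255.255.255.0")]}

if __name__ == "__main__":
    for name, plan in (("guide example", GUIDE_EXAMPLE),
                       ("public LAN", PUBLIC_LAN),
                       ("overlapping", OVERLAPPING)):
        print(name, audit_plan(plan) or "no findings")
    print("199.2.23.20 shadowed:", shadowed_by_lan(PUBLIC_LAN, "199.2.23.20"))
```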
When NAT is enabled, users on the Internet cannot access machines on the LAN unless they
have been designated as Public LAN Servers.
To enable Network Address Translation (NAT), complete the following instructions.
1.Select NAT Enabled from the Network Addressing Mode menu in the Network
window.
2.Enter a unique IP address from your LAN address range in the SonicWALL LAN IP
Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL
LAN and is used for management of the SonicWALL.
3.Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask
tells the SonicWALL which IP addresses are on your LAN. Use the default value,
"255.255.255.0", if there are less than 254 computers on your LAN.
4.Enter your WAN router or default gateway address in the WAN Gateway (Router)
Address field. This is the device that connects your network to the Internet. If you use
Cable or DSL, your WAN router is probably located at your ISP.
5.Enter a valid IP address assigned by your ISP in the SonicWALL WAN IP (NAT Public)
Address field. Because NAT is enabled, all network activity appears to originate from this
address.
6.Enter your WAN subnet mask in the WAN/LAN Subnet Mask field. This subnet mask
should be assigned by your ISP.
7.Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses these
DNS servers for diagnostic tests and for upgrade and registration functionality.
8.Click Update. Once the SonicWALL has been updated, a message confirming the update
is displayed at the bottom of the browser window. Restart the SonicWALL for these
changes to take effect.
If you enable Network Address Translation, designate the SonicWALL LAN IP Address as
the gateway address for computers on your LAN. Consider the following example:
•The SonicWALL WAN Gateway (Router) Address is "10.1.1.1".
•The SonicWALL WAN IP (NAT Public) Address is "10.1.1.25".
•The private SonicWALL LAN IP Address is "192.168.168.1".
•Computers on the LAN have private IP addresses ranging from "192.168.168.2" to
"192.168.168.255".
In this example, "192.168.168.1", the SonicWALL LAN IP Address, is used as the gateway or
router address for all computers on the LAN.
NAT with DHCP Client Configuration
The SonicWALL can receive an IP address from a DHCP server on the Internet. If your ISP did
not provide you with a valid IP address, and instructed you to set your network settings to
obtain an IP address automatically, enable NAT with DHCP Client. NAT with DHCP Client
mode is typically used with Cable and DSL connections.
To obtain IP settings dynamically, complete the following instructions.
1.Select NAT with DHCP Client from the Network Addressing Mode menu.
2.Enter a unique IP address from your LAN address range in the SonicWALL LAN IP
Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL
LAN and is used for management of the SonicWALL.
3.Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask
tells your SonicWALL which IP addresses are on your LAN. The default value,
"255.255.255.0", supports up to 254 IP addresses.
4.Click Update. Once the SonicWALL has been updated, a message confirming the update
is displayed at the bottom of the browser window. Restart the SonicWALL for these
changes to take effect.
Note: When NAT is enabled, designate the SonicWALL LAN IP Address as the gateway address
for computers on the LAN.
When your SonicWALL has successfully received a DHCP lease, the Network window displays
the SonicWALL WAN IP settings.
•The Lease Expires value shows when your DHCP lease expires.
•The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address,
WAN/LAN Subnet Mask, and DNS Servers are obtained from a DHCP server on the
Internet.
Note: The SonicWALL does not relay DNS settings to the LAN; you must enable and configure
the SonicWALL DHCP server or manually configure DNS settings on your computers to obtain
DNS name resolution.
In the WAN/LAN Settings section of Network, you can Renew and Release the
SonicWALL WAN IP (NAT Public) Address lease. When you click on Renew, the SonicWALL
renews the IP address used for the WAN IP address. Click Release, and the lease is released
with the DHCP server.
NAT with PPPoE Configuration
The SonicWALL can use Point-to-Point Protocol over Ethernet to connect to the Internet. If your
ISP requires the installation of desktop software and user name and password authentication
to access the Internet, enable NAT with PPPoE.
To configure NAT with PPPoE, complete the following instructions.
1.Select NAT with PPPoE from the Network Addressing Mode menu.
2.Enter a unique IP address from your LAN address range in the SonicWALL LAN IP
Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL
LAN port and is used for management of the SonicWALL.
3.Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask
tells your SonicWALL which IP addresses are on your LAN. Use the default value,
"255.255.255.0", if there are less than 254 computers on your LAN.
4.Enter the user name provided by your ISP in the User Name field. The user name
identifies the PPPoE client.
5.Enter the password provided by your ISP in the Password field. The password
authenticates the PPPoE session. This field is case sensitive.
6.Select the Disconnect after __ Minutes of Inactivity check box to automatically
disconnect the PPPoE connection after a specified period of inactivity. Define a maximum
number of minutes of inactivity in the Minutes field. This value can range from 1 to 99
minutes.
7.In the WAN/LAN section, select Obtain an IP Address Automatically if your ISP does
not provide a static IP address. Select Use the following IP Address if your ISP assigns
a specific IP address to you.
8.Click Update. Once the SonicWALL has been updated, a message confirming the update
is displayed at the bottom of the browser window. Restart the SonicWALL for these
changes to take effect.
Note: When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address
for computers on the LAN.
When your SonicWALL has successfully established a PPPoE connection, the Network page
displays the SonicWALL WAN IP settings. The WAN Gateway (Router) Address,
SonicWALL WAN IP (NAT Public) Address, WAN/LAN Subnet Mask, and DNS Servers
are displayed.
Note: The SonicWALL does not relay DNS settings to the LAN; you must enable and configure
the SonicWALL DHCP server or manually configure the computer DNS settings to obtain DNS
name resolution.
Restarting the SonicWALL
Once the network settings have been updated, the Status bar at the bottom of the browser
window displays "Restart SonicWALL for changes to take effect." Restart the SonicWALL by
clicking Restart. Then click Yes to confirm the restart and send the restart command to the
SonicWALL. The restart can take up to 90 seconds, during which time the SonicWALL is
inaccessible and all network traffic through the SonicWALL is halted.
Note: If you change the SonicWALL LAN IP Address, you must change the Management
Station IP address to be in the same subnet as the new LAN IP address.
Setting the Time and Date
The SonicWALL uses the time and date settings to time stamp log events, to automatically
update the Content Filter List, and for other internal purposes.
1.Click the Time tab.
2.Select your time zone from the Time Zone menu.
3.Click Update to add the information to the SonicWALL.
You can also enable automatic adjustments for daylight savings time, use universal time
(UTC) rather than local time, and display the date in International format, with the
day preceding the month.
To set the time and date manually, clear the check boxes and enter the time (in 24-hour
format) and the date.
NTP Settings
Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a
network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer
clock times to a millisecond, and sometimes to a fraction of a millisecond. Select Use NTP to
set time automatically if you want to use your local server to set the SonicWALL clock. You
can also set the Update Interval for the NTP server to synchronize the time in the SonicWALL.
The default value is 60 minutes. You can add NTP servers to the SonicWALL for time
synchronization by entering in the IP address of an NTP server in the Add NTP Server field.
If there are no NTP Servers in the list, the internal NTP list is used by default. To remove an
NTP server, highlight the IP address and click Delete NTP Server. When you have configured
the Time window, click Update. Once the SonicWALL has been updated, a message
confirming the update is displayed at the bottom of the browser window.
Setting the Administrator Password
To set the password, enter the old password in the Old Password field, and the new password
in the New Password field. Enter the new password again in the Confirm New Password
field and click Update. Once the SonicWALL has been updated, a message confirming the
update is displayed at the bottom of the browser window.
Note: When setting the password for the first time, remember that the SonicWALL default
password is “password”.
If the password is not entered exactly the same in both New Password fields, the password
is not changed. If you mistype the password, you are not locked out of the SonicWALL.
Warning: The password cannot be recovered if it is lost or forgotten. If the password is lost,
you must reset the SonicWALL to its factory default state. Go to Appendix F for instructions.
Setting the Administrator Inactivity Timeout
The Administrator Inactivity Timeout setting allows you to configure the length of
inactivity that can elapse before you are automatically logged out of the Web Management
Interface. The SonicWALL is preconfigured to log out the administrator after 5 minutes of
inactivity.
Note: If the Administrator Inactivity Timeout is extended beyond 5 minutes, you should end
every management session by clicking Logout to prevent unauthorized access to the
SonicWALL Web Management Interface.
Enter the desired number of minutes in the Administrator Inactivity Timeout section and
click Update. The Inactivity Timeout can range from 1 to 99 minutes. Click Update, and a
message confirming the update is displayed at the bottom of the browser window.
3 Managing Your SonicWALL TELE3 SP
This chapter contains a brief overview of SonicWALL management commands and functions.
The commands and functions are accessed through the SonicWALL Web Management
Interface.
1. Log into the SonicWALL using a Web Browser
You can manage the SonicWALL from any computer connected to the LAN port of the
SonicWALL using a Web browser. The computer used for management is referred to as the
“Management Station”.
Note: To manage the SonicWALL, your Web browser must have Java and Java applets enabled
and support HTTP uploads.
2. Open a Web browser and type the SonicWALL IP address, initially, “192.168.168.168”, into
the Location or Address field at the top of the browser. An Authentication window with
a Password dialogue box is displayed.
3. Type “admin” in the User Name field and the password previously defined in the
Installation Wizard in the Password field. Passwords are case-sensitive. Enter the
password exactly as defined and click Login.
Note: All SonicWALLs are configured with the User Name “admin” and the default Password
“password”. The User Name is not configurable.
If you cannot log into the SonicWALL, a cached copy of the page is displayed instead of the
correct page. Click Reload or Refresh on the Web browser and try again. Also, be sure to wait
until the Java applet has finished loading before attempting to log in.
Once the password is entered, an authenticated management session is established. This
session times out after 5 minutes of inactivity. The default time-out can be increased on the
Password window in the General section.
HTTPS Management
To enhance the security of the SonicWALL family of Internet Security appliances, HTTPS
Management using Secure Socket Layer (SSL) is now supported when you log into your
Management interface using https://IP Address where the IP address is the SonicWALL LAN IP
address. For example, if the LAN IP address of your SonicWALL appliance is 192.168.168.1, you
can log in to it by typing https://192.168.168.1. Access is encrypted using SSL technology for a
secure connection.
HTTPS Management allows secure access to the SonicWALL without a VPN client. It is a
simple and secure way to manage your SonicWALL from both the LAN and the WAN.
The first time you access the SonicWALL Management interface using HTTPS, you may see the
following information message:
Click Yes to continue the login process. SSL is supported by Netscape 4.7 and higher, as well
as Internet Explorer 5.5 and higher.
HTTPS management supports the following versions of SSL: SSLv2, SSLv3, and TLSv1. Also,
the following encryption ciphers are supported: RC4-MD5, EXP-RC4-MD5, DES-CBC3-SHA,
DES-CBC-SHA, RC4-SHA, EXP-RC2-CBC-MD5, NULL-SHA, and NULL-MD5. The RSA key used is
1024-bit.
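The following is an added example, not part of the SonicWALL guide: a short Python audit that classifies the protocol versions and OpenSSL-style cipher names listed above by their well-known weaknesses, so an administrator can see which ones a management browser should refuse to negotiate. The tag strings and function names are assumptions of this example.

```python
# Added example: audit of the SSL/TLS options the guide lists for HTTPS
# management. Suite names are OpenSSL-style, copied from the guide; the tag
# strings and function names are this example's own (assumptions).
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1"]
CIPHERS = ["RC4-MD5", "EXP-RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA",
           "RC4-SHA", "EXP-RC2-CBC-MD5", "NULL-SHA", "NULL-MD5"]
RSA_KEY_BITS = 1024

# RFCs that prohibit or deprecate each protocol version.
DEPRECATED_PROTOCOLS = {"SSLv2": "RFC 6176", "SSLv3": "RFC 7568",
                        "TLSv1": "RFC 8996"}

def cipher_findings(name):
    """Return weakness tags for one OpenSSL-style cipher suite name."""
    parts = name.split("-")
    tags = []
    if parts[0] == "EXP":            # export-grade: key cut to 40 bits
        tags.append("export-40-bit-key")
        parts = parts[1:]
    if parts[0] == "NULL":           # integrity only, traffic in cleartext
        tags.append("no-encryption")
    elif parts[0] in ("RC4", "RC2"):
        tags.append("obsolete-cipher-" + parts[0].lower())
    elif parts[0] == "DES":
        tags.append("3des-64-bit-block" if "CBC3" in parts
                    else "single-des-56-bit-key")
    if parts[-1] == "MD5":
        tags.append("md5-mac")
    return tags

def audit(protocols=PROTOCOLS, ciphers=CIPHERS, rsa_bits=RSA_KEY_BITS):
    """Group the findings so the worst items are easy to pick out."""
    per_cipher = {c: cipher_findings(c) for c in ciphers}
    return {
        "deprecated_protocols": [p for p in protocols
                                 if p in DEPRECATED_PROTOCOLS],
        # Suites that give no real confidentiality for the admin session.
        "no_confidentiality": sorted(
            c for c, t in per_cipher.items()
            if "no-encryption" in t or "export-40-bit-key" in t),
        "per_cipher": per_cipher,
        "rsa_key_too_short": rsa_bits < 2048,  # 2048 is today's usual minimum
    }

if __name__ == "__main__":
    report = audit()
    for cipher, tags in report["per_cipher"].items():
        print(f"{cipher:16} {', '.join(tags)}")
    print("Never negotiate:", report["no_confidentiality"])
    print("Deprecated protocols:", report["deprecated_protocols"])
```

Every suite in the list carries at least one tag; the four NULL and EXP suites are the ones that leave the administrator password effectively unprotected on the wire if negotiated.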
Status
To view the Status tab, log into your SonicWALL using your Web browser. Click General and
then click the Status tab.
Note: The SonicWALL Status window is displayed above. Each SonicWALL Internet Security
appliance displays unique characteristics, such as the presence of VPN acceleration hardware
or a different amount of memory.
The Status tab displays the following information:
• SonicWALL Serial Number - the serial number of the SonicWALL unit.
• Number of LAN IP addresses allowed with this license - number of IP addresses that
can be managed by the SonicWALL
• Registration code - the registration code generated when the SonicWALL is registered at
<http://www.mysonicwall.com>.
• SonicWALL Active time - the length of time in days, hours and minutes that the
SonicWALL is active.
• Firmware version - shows the current version number of the firmware installed on the
SonicWALL.
• ROM version - indicates the version number of the ROM.
• CPU - displays the type and speed of the SonicWALL processor.
• VPN Hardware Accelerator Detected - indicates the presence of a VPN Hardware
Accelerator in the firewall. This allows better throughput for VPN connections.
• RAM - shows the amount of Random Access Memory on the board.
• Flash - indicates the size of the flash on the board.
• Ethernet Speeds - displays network speeds of the network card.
• Current Connections - number of computers connected to the SonicWALL.
Other SonicWALL general status information is displayed in this section relating to other
features in the SonicWALL such as the type of network settings in use, log settings, content
filter use, and if Stealth Mode is enabled on the SonicWALL.
The General, Log, Filter, Tools, Access, Advanced, DHCP, VPN, Anti-Virus, and High Availability buttons appear on the left side of the window. When one of the buttons is clicked,
related management functions are selected by clicking the tabs at the top of the window.
A Logout button at the bottom of the screen terminates the management session and
redisplays the Authentication window. If Logout is clicked, you must log in again to manage
the SonicWALL. Online help is also available. Click Help at the top of any browser window to
view the help files stored in the SonicWALL.
The Status window, shown on the previous page, displays the status of your SonicWALL. It
contains an overview of the SonicWALL configuration, as well as any important messages.
Check the Status window after making changes to ensure that the SonicWALL is configured
properly.
CLI Support and Remote Management
Out-of-band management is available on SonicWALL Internet security appliances using the CLI
(Command Line Interface) feature. SonicWALL Internet security appliances can be
managed from a console using typed commands and a modem or null-modem cable that is
connected to the serial port located on the back of the SonicWALL appliance. The only modem
currently supported is the US Robotics v.90/v.92 modem. CLI communication requires the
following modem settings:
• 9600 bps
• 8 bits
• no parity
• no hand-shaking
After the modem is accessed, a terminal emulator window such as a hyper terminal window is
used to manage the SonicWALL Internet security appliance. Once the SonicWALL is accessed,
type in the User Name and password: admin for User Name and then the password used for
the management interface.
The following CLI commands are available for the SonicWALL:
• ? or Help - displays a listing of the top level commands available.
• Export - exports preferences from the SonicWALL using Z-modem file transfer protocol.
• Import - imports preferences from the SonicWALL using Z-modem file transfer protocol.
• Logout - logout of the SonicWALL appliance.
• Ping - pings either an IP address or domain name for a specified host.
• Restart - restart the SonicWALL
• Restore - restores the factory default settings for all saved parameters with the exception
of the password, the LAN IP address, and the subnet mask.
• Status - displays the information typically seen on the Web management interface tab
labeled General.
• TSR - retrieves a copy of the tech support report using Z-modem file transfer protocol.
4 Logging and Alerts
This chapter describes the SonicWALL Internet Security appliance logging, alerting, and
reporting features, which can be viewed in the Log section of the SonicWALL Web Management
Interface. There are four tabs in the Log section:
• View Log
• Log Settings
• Reports
• ViewPoint (requires a purchased upgrade)
View Log
The SonicWALL maintains an Event log which displays potential security threats. This log can
be viewed with a browser using the SonicWALL Web Management Interface, or it can be
automatically sent to an e-mail address for convenience and archiving. The log is displayed in
a table and is sortable by column.
The SonicWALL can alert you of important events, such as an attack to the SonicWALL. Alerts
are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry
contains the date and time of the event and a brief message describing the event.
Click Log on the left side of the browser window, and then click View Log.
SonicWALL Log Messages
Each log entry contains the date and time of the event and a brief message describing the
event. It is also possible to copy the log entries from the management interface and paste into
a report.
• TCP, UDP, or ICMP packets dropped
When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages are
displayed. The messages include the source and destination IP addresses of the packet.
The TCP or UDP port number or the ICMP code follows the IP address. Log messages
usually include the name of the service in quotation marks.
• Web, FTP, Gopher, or Newsgroup blocked
When a computer attempts to connect to the blocked site or newsgroup, a log event is
displayed. The computer’s IP address, Ethernet address, the name of the blocked Web site,
and the Content Filter List Code are displayed. Code definitions for the 12 Content Filter
List categories are shown below.
Descriptions of the categories are available at <http://www.sonicwall.com/Content-Filter/categories.html>.
• ActiveX, Java, Cookie or Code Archive blocked
When ActiveX, Java or Web cookies are blocked, messages with the source and destination
IP addresses of the connection attempt are displayed.
• Ping of Death, IP Spoof, and SYN Flood Attacks
The IP address of the machine under attack and the source of the attack are displayed. In
most attacks, the source address shown is fake and does not reflect the real source of the
attack.
attack.
Note: Some network conditions can produce network traffic that appears to be an attack, even
when no one is deliberately attacking the LAN. To follow up on a possible attack, contact your
ISP to determine the source of the attack. Regardless of the nature of the attack, your LAN is
protected and no further steps must be taken.