SonicWALL TELE3 SP Administrator's Manual

SONICWALL
The TELE3 SP Administrator's Guide
Contents
Copyright Notice
About this Guide
SonicWALL Technical Support
1 Introduction
  Your SonicWALL TELE3 SP (Smart Path) Internet Security Appliance
  SonicWALL TELE3 SP Internet Security Appliance Features
2 General and Network Settings
  Network
  Network Settings
  Standard Configuration
  NAT with DHCP Client Configuration
  Setting the Time and Date
  Setting the Administrator Password
3 Managing Your SonicWALL TELE3 SP
  Status
  CLI Support and Remote Management
4 Logging and Alerts
  SonicWALL Log Messages
  Log Settings
  Log Categories
  Alert Categories
  Reports
5 Content Filtering and Blocking
  Configuring SonicWALL Content Filtering
  Restrict Web Features
  URL List
  Customizing the Content Filtering List
  Consent
  Configuring N2H2 Internet Filtering
  Restrict Web Features
  Configuring Websense Enterprise Content Filter
  Restrict Web Features
  Configuring Websense Content Filter List
  Websense Server Status
  Settings
  URL Cache
Contents Page 1
6 Web Management Tools
  Preferences
  Exporting the Settings File
  Importing the Settings File
  Restoring Factory Default Settings
  Updating Firmware Manually
  Upgrade Features
  Diagnostic Tools
  DNS Name Lookup
  Ping
  Packet Trace
  Tech Support Report
  Trace Route
7 Network Access Rules
  Viewing Network Access Rules
  Services
  Windows Networking (NetBIOS) Broadcast Pass Through
  Detection Prevention
  Network Connection Inactivity Timeout
  Add Service
  Rules
  Understanding the Access Rule Hierarchy
  Examples
  HTTPS Management of the SonicWALL
  Users
  User Login Changes
  RADIUS
  SonicWALL Management
  SonicWALL Remote Management
8 Advanced Features
  Proxy Relay
  Intranet
  Intranet Configuration
  Routes
  One-to-One NAT
  The Ethernet Tab
  Bandwidth Management
  Introduction to Bandwidth Management
9 DHCP Server
  Setup
  Enable DHCP Server
  Deleting Dynamic Ranges and Static Entries
  DHCP over VPN
  DHCP Status
10 SonicWALL VPN
  NAT Traversal Support
  The VPN Interface
  SonicWALL VPN Client for Remote Access and Management
  The Configure Tab
  VPN Advanced Settings
  Advanced Settings for VPN Configurations
  Enabling Group VPN on the SonicWALL
  Group VPN Client Configuration
  Manual Key Configuration for a SonicWALL and VPN Client
  Installing the VPN Client Software
  VPN for Two SonicWALLs
  Manual Key for Two SonicWALLs
  Example of Manual Key Configuration for Two SonicWALLs
  IKE Configuration for Two SonicWALLs
  Example: Linking Two SonicWALLs using IKE
  VPN Third Party Digital Certificate Support
  Overview of Third Party Digital Certificate Support
  Creating a Certificate Signing Request
  Testing a VPN Tunnel Connection Using PING
  Configuring Windows Networking
  Adding, Modifying and Deleting Destination Networks
  SonicWALL Enhanced VPN Logging
  Disabling Security Associations
  Basic VPN Terms and Concepts
11 High Availability
  Getting Started with High Availability
  Before Configuring High Availability
  Network Configuration for High Availability Pair
  Configuring High Availability on the Primary SonicWALL
  High Availability Status
  High Availability Status Window
  E-mail Alerts Indicating Status Change
  View Log
  Configuration Notes
12 SonicWALL Options and Upgrades
  SonicWALL VPN Client for Windows
  SonicWALL Network Anti-Virus
  Content Filter List Subscription
  Vulnerability Scanning Service
  SonicWALL Authentication Service
  SonicWALL ViewPoint Reporting
  SonicWALL Global Management System
13 Hardware Description
  SonicWALL TELE3 SP Front Panel
  SonicWALL TELE3 SP Front Panel Description
  SonicWALL TELE3 SP Back Panel
  The SonicWALL TELE3 SP Back Panel Description
14 Troubleshooting Guide
  The Link LED is off.
  A computer on the LAN cannot access the Internet.
  The SonicWALL does not establish authenticated sessions.
  The SonicWALL does not save changes that you have made.
  Duplicate IP address errors
  Machines on the WAN are not reachable.
15 Appendices
  Appendix A - Technical Specifications
  Appendix B - SonicWALL Support Solutions
  Appendix C - Introduction to Networking
  Appendix D - IP Port Numbers
  Appendix E - Configuring TCP/IP Settings
  Appendix F - Erasing the Firmware
  Appendix G - Configuring RADIUS and ACE Servers
  Appendix H - Regulatory Compliance
  Notes
Copyright Notice
© 2002 SonicWALL, Inc. All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format.
SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein can be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
LIMITED WARRANTY
SonicWALL, Inc. warrants the SonicWALL Internet Security Appliance (the Product) for one (1) year from the date of purchase against defects in materials and workmanship. If there is a defect in the hardware, SonicWALL will replace the product at no charge, provided that it is returned to SonicWALL with transportation charges prepaid. A Return Materials Authorization (RMA) number must be displayed on the outside of the package for the product being returned for replacement or the product will be refused. The RMA number can be obtained by calling SonicWALL Customer Service between the hours of 8:30 AM and 5:30 PM Pacific Standard Time, Monday through Friday.
Phone: (408) 752-7819 Fax: (408) 745-9300 Web: <http://www.sonicwall.com/support>
This warranty does not apply if the Product has been damaged by accident, abuse, misuse, or misapplication or has been modified without the written permission of SonicWALL. In no event shall SonicWALL, Inc. or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, or other pecuniary loss) arising out of the use of or inability to use the Product.
Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion can not apply to you. Where liability can not be limited under applicable law, the SonicWALL liability shall be limited to the amount you paid for the Product. This warranty gives you specific legal rights, and you can have other rights which vary from state to state.
By using this Product, you agree to these limitations of liability.
preface.fm Page 6 Wednesday, June 12, 2002 10:48 AM
THIS WARRANTY AND THE REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, ORAL OR WRITTEN, EXPRESS OR IMPLIED.
No dealer, agent, or employee of SonicWALL is authorized to make any extension or addition to this warranty.
About this Guide
Thank you for purchasing the SonicWALL Internet Security appliance. The SonicWALL protects your PC from attacks and intrusions, filters objectionable Web sites, provides private VPN connections to business partners and remote offices, and offers a centrally-managed defense against software viruses.
This manual covers the configuration of the SonicWALL Internet Security appliance features. For complete installation information, refer to the SonicWALL Internet Security Appliance Installation Guide.
Organization of This Guide
Chapter 1, Introduction, describes the features and applications of the SonicWALL.
Chapter 2, Managing Your SonicWALL, provides a brief overview of the SonicWALL Web Management Interface.
Chapter 3, Network Settings, describes the configuration of the SonicWALL IP settings, time, and password.
Chapter 4, Logging and Alerting, illustrates the SonicWALL logging, alerting, and reporting features.
Chapter 5, Content Filtering and Blocking, describes SonicWALL Web content filtering, including subscription updates and customized Web blocking.
Chapter 6, Web Management Tools, provides directions to restart the SonicWALL, import and export settings, upload new firmware, and perform diagnostic tests.
Chapter 7, Network Access Rules, explains how to permit and block traffic through the SonicWALL, set up servers, and enable remote management.
Chapter 8, Advanced Features, describes advanced SonicWALL settings, such as One-to-One NAT and Automatic Web Proxying.
Chapter 9, DHCP Server, describes the configuration and setup of the SonicWALL DHCP server.
Chapter 10, SonicWALL VPN, explains how to create a VPN tunnel between two SonicWALLs and how to create a VPN tunnel from the VPN client to the SonicWALL.
Chapter 11, High Availability, describes the configuration and setup of two SonicWALL Internet security appliances (primary and backup) for a High Availability pair. SonicWALL High Availability eliminates network downtime by allowing the configuration of two SonicWALLs (one primary and one backup) as a High Availability pair.
Chapter 12, SonicWALL Options and Upgrades, presents a brief summary of the SonicWALL's subscription services, firmware upgrades and other options.
Chapter 13, Hardware, provides a description of the front and back of the TELE3 SP, including LED lights and ports.
Chapter 14, Troubleshooting Guide, shows solutions to commonly encountered problems.
Appendix A, Technical Specifications, lists the SonicWALL specifications.
Appendix B, SonicWALL Support Solutions, describes the support packages available from SonicWALL.
Appendix C, Introduction to Networking, provides an overview of the Internet, TCP/IP settings, IP security, and other general networking topics.
Appendix D, IP Port Numbers, offers information about IP port numbering.
Appendix E, Configuring TCP/IP Settings, provides instructions for configuring your Management Station's IP address.
Appendix F, Erasing the Firmware, describes the firmware erase procedure.
Appendix G, Configuring RADIUS and ACE Servers, provides vendor-specific configuration instructions for RADIUS and ACE servers. The appendix also includes a RADIUS Attributes Dictionary.
Appendix H, Regulatory Compliance, presents important emissions standards approvals and EMC information.
SonicWALL Technical Support
For fast resolution of technical questions, please visit the SonicWALL Tech Support Web site at <http://www.sonicwall.com/support>. There, you will find resources to resolve most technical issues and a Web request form to contact one of the SonicWALL Technical Support engineers.
1 Introduction
Your SonicWALL TELE3 SP (Smart Path) Internet Security Appliance
The SonicWALL TELE3 SP (Smart Path) provides a complete security solution that protects your network from attacks, intrusions, and malicious tampering. In addition, the SonicWALL filters objectionable Web content and logs security threats. SonicWALL VPN provides secure, encrypted communications to business partners and branch offices.
The SonicWALL TELE3 SP uses stateful packet inspection to ensure secure firewall filtering. Stateful packet inspection is widely considered to be the most effective method of filtering IP traffic. MD5 authentication is used to encrypt communications between your Management Station and the SonicWALL Web Management Interface. MD5 Authentication prevents unauthorized users from detecting and stealing the SonicWALL password as it is sent over your network.
SonicWALL Internet Security Appliance Functional Diagram
The following figure illustrates the SonicWALL Internet Security Appliance functions.
By default, the SonicWALL TELE3 SP allows outbound access from the LAN to the Internet and blocks inbound access from the Internet to the LAN. Users on the Internet are restricted from accessing resources on the LAN unless they are authorized remote users or Network Access Rules were created to allow inbound access.
SonicWALL TELE3 SP Internet Security Appliance Features
Internet Security
ICSA-Certified Firewall
After undergoing a rigorous suite of tests to expose security vulnerabilities, SonicWALL Internet security appliances have received Firewall Certification from ICSA, the internationally-accepted authority on network security. The SonicWALL uses stateful packet inspection, the most effective method of packet filtering, to protect your LAN from hackers and vandals on the Internet.
Hacker Attack Prevention
The SonicWALL automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
Network Address Translation (NAT)
Network Address Translation (NAT) translates the IP addresses used on your private LAN to a single, public IP address that is used on the Internet. NAT allows multiple computers to access the Internet, even if only one IP address has been provided by your ISP.
Network Access Rules
The default Network Access Rules allow traffic from the LAN to the Internet and block traffic from the Internet to the LAN. You can create additional Network Access Rules that allow inbound traffic to network servers, such as Web and mail servers, or that restrict outbound traffic to certain destinations on the Internet.
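The following example is an added illustration and is not SonicWALL firmware code. It models, in Python, the behaviour the feature descriptions above attribute to the appliance: the default Network Access Rules (LAN to Internet allowed, Internet to LAN blocked), stateful tracking so that replies to sessions opened from the LAN are admitted, NAT of LAN sources to a single public address, an explicit inbound rule for a published Web server, and the LAND and IP Spoofing checks. The LAN subnet 192.168.168.0/24, the public address 203.0.113.10, the server address and every packet in the sequence are constructed values, and the NAT keeps the original source port only to keep the model short.

```python
"""Stateful packet filter model with the default Network Access Rules (added example)."""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.168.0/24")  # constructed private LAN
WAN_IP = ipaddress.ip_address("203.0.113.10")        # constructed public WAN address


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "LAN" or "WAN"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self, inbound_rules=()):
        # (proto, public port, LAN server) triples an administrator added
        self.inbound_rules = list(inbound_rules)
        # sessions opened from the LAN, stored post-NAT as the WAN side sees them
        self.state = set()
        self.log = []  # (reason, packet) for every dropped packet

    def _drop(self, pkt, reason):
        self.log.append((reason, pkt))
        return ("DROP", reason)

    def handle(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        # LAND attack: source and destination are the same address
        if src == dst:
            return self._drop(pkt, "LAND attack")
        # IP spoofing: a LAN source address cannot legitimately arrive on the WAN port
        if pkt.iface == "WAN" and src in LAN_NET:
            return self._drop(pkt, "IP spoofing")
        if pkt.iface == "LAN":
            if src not in LAN_NET:
                return self._drop(pkt, "non-LAN source on LAN")
            # default rule: LAN to Internet allowed; NAT rewrites the source to
            # WAN_IP (source port kept, a simplification) and the session is recorded
            self.state.add((pkt.proto, str(WAN_IP), pkt.sport, pkt.dst, pkt.dport))
            return ("ALLOW", "outbound")
        # WAN side: a reply to a session the LAN opened is allowed through
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.state:
            return ("ALLOW", "established")
        # otherwise only an explicit inbound rule to a LAN server lets the packet in
        for proto, port, server in self.inbound_rules:
            if pkt.proto == proto and pkt.dport == port and dst == WAN_IP:
                return ("ALLOW", "rule to " + server)
        return self._drop(pkt, "inbound default deny")


def run_demo():
    """Push a constructed packet sequence through the filter; return verdicts and drop reasons."""
    fw = StatefulFilter(inbound_rules=[("tcp", 80, "192.168.168.20")])
    packets = [
        Packet("LAN", "tcp", "192.168.168.5", 40000, "198.51.100.7", 443),  # LAN user to a Web site
        Packet("WAN", "tcp", "198.51.100.7", 443, "203.0.113.10", 40000),   # reply to that session
        Packet("WAN", "tcp", "198.51.100.9", 5555, "203.0.113.10", 3389),   # unsolicited inbound
        Packet("WAN", "tcp", "198.51.100.9", 5556, "203.0.113.10", 80),     # to the published Web server
        Packet("WAN", "tcp", "192.168.168.5", 1024, "203.0.113.10", 80),    # LAN address arriving on WAN
        Packet("WAN", "tcp", "203.0.113.10", 80, "203.0.113.10", 80),       # LAND attack
    ]
    verdicts = [fw.handle(p)[0] for p in packets]
    return verdicts, [reason for reason, _ in fw.log]


if __name__ == "__main__":
    verdicts, reasons = run_demo()
    print(verdicts)  # ['ALLOW', 'ALLOW', 'DROP', 'ALLOW', 'DROP', 'DROP']
    print(reasons)   # ['inbound default deny', 'IP spoofing', 'LAND attack']
```

The order of the checks matters: the LAND and spoofing tests run before any rule or state lookup, so a crafted packet can never be admitted by an otherwise valid inbound rule, and every drop is logged with its reason, which is the information a syslog or e-mail alert would carry.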
AutoUpdate
The SonicWALL maintains the highest level of security by automatically notifying you when new firmware is released. When new firmware is available, the SonicWALL Web Management Interface displays a link to download and install the latest firmware. The SonicWALL also sends an e-mail with firmware release notes.
WAN Failover using a V.90 Modem Port
The WAN Failover feature provides an alternate means of accessing the Internet when your “always on” broadband connection loses its connection. This unique feature allows the SonicWALL TELE3 SP to failover to a dial-up Internet connection when the WAN Ethernet connection loses its connectivity.
SNMP Support
SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL Internet Security appliances and receive notification of any critical events as they occur on the network.
Content Filtering
SonicWALL Content Filtering Overview
You can use the SonicWALL Web content filtering to enforce your company's Internet access policies. The SonicWALL blocks specified categories, such as violence or nudity, using an optional Content Filter List. Users on your network can bypass the Content Filter List by authenticating with a unique user name and password.
Content Filter List Updates (optional)
Since content on the Internet is constantly changing, the SonicWALL automatically updates the optional Content Filter List every week to ensure that access restrictions to new and relocated Websites and newsgroups are properly enforced.
Log and Block or Log Only
You can configure the SonicWALL to log and block access to objectionable Web sites, or to log inappropriate usage without blocking Web access.
Filter Protocols
In addition to filtering access to Web sites, the SonicWALL can also block Newsgroups, ActiveX, Java, Cookies, and Web Proxies.
Logging and Reporting
Log Categories
You can select the information you wish to display in the SonicWALL event log. You can view the event log from the SonicWALL Web Management Interface or receive the log as an e-mail file.
Syslog Server Support
In addition to the standard screen log, the SonicWALL can write detailed event log information to an external Syslog server. Syslog is the industry-standard method to capture information about network activity.
ViewPoint Reporting (optional)
Monitoring critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels, is an essential component of network security. SonicWALL ViewPoint complements the SonicWALL security features by providing detailed and comprehensive reports of network activity.
SonicWALL ViewPoint is a software application that creates dynamic, Web-based network reports. ViewPoint reporting generates both real-time and historical reports to offer a complete view of all activity through your SonicWALL Internet security appliance.
E-mail Alerts
The SonicWALL can be configured to send alerts of high-priority events, such as attacks, system errors, and blocked Web sites. When these events occur, alerts can be immediately sent to an e-mail address or e-mail pager.
Dynamic Host Configuration Protocol (DHCP)
DHCP Server
The DHCP Server offers centralized management of TCP/IP client configurations, including IP addresses, gateway addresses, and DNS addresses. Upon startup, each network client receives its TCP/IP settings automatically from the SonicWALL DHCP Server.
DHCP Client
DHCP Client allows the SonicWALL to acquire TCP/IP settings (such as IP address, gateway address, DNS address) from your ISP. This is necessary if your ISP assigns you a dynamic IP address.
DHCP over VPN
DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks residing in one IP subnet address space. This facilitates address administration for the networks using VPN tunnels.
Installation and Configuration
Installation Wizard
The SonicWALL Installation Wizard helps quickly install and configure the SonicWALL.
Online help
SonicWALL help documentation is built into the SonicWALL Web Management Interface for easy access during installation and management.
IPSec VPN
SonicWALL VPN
SonicWALL VPN provides a simple, secure tool that enables corporate offices and business partners to connect securely over the Internet. By encrypting data, SonicWALL VPN provides private communications between two or more sites without the expense of leased site-to-site lines.
VPN Client Software for Windows
Mobile users with dial-up Internet accounts can securely access remote network resources with the SonicWALL VPN Client. The SonicWALL VPN Client establishes a private, encrypted VPN tunnel to the SonicWALL, allowing users to transparently access network servers from any location.
Contact SonicWALL, Inc. for information about the Content Filter List, Network Anti-Virus subscriptions, and other upgrades.
Web: http://www.sonicwall.com E-mail: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408) 745-9300
2 General and Network Settings
This chapter describes the tabs in the General section and the configuration of the SonicWALL TELE3 SP Network Settings. The Network Settings include the SonicWALL IP settings, the administrator password, and the time and date. There are three tabs other than Status in the General section:
Network
Time
Password
Network
Note: The Network Settings change to the dial-up ISP network settings when a WAN Failover occurs on the SP.
To configure the SonicWALL Network Settings, click General, and then click the Network tab.
Network Settings
Network Addressing Mode
The Network Addressing Mode menu determines the network address scheme of your SonicWALL. It includes four options: Standard, NAT Enabled, NAT with DHCP Client, and NAT with PPPoE.
Standard mode requires valid IP addresses for all computers on your network, but allows remote access to authenticated users.
NAT Enabled mode translates the private IP addresses on the network to the single, valid IP address of the SonicWALL. Select NAT Enabled if your ISP assigned you only one or two valid IP addresses.
NAT with DHCP Client mode configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers.
NAT with PPPoE mode uses PPPoE to connect to the Internet. If desktop software and a user name and password are required by your ISP, select NAT with PPPoE.
LAN Settings
SonicWALL LAN IP Address
The SonicWALL LAN IP Address is the IP address assigned to the SonicWALL LAN port. It is used for managing the SonicWALL. This IP address should be a unique address from the LAN address range.
LAN Subnet Mask
The LAN Subnet Mask defines which IP addresses are on the LAN. The default Class C subnet mask of "255.255.255.0" supports up to 254 IP addresses on the LAN. If the Class C subnet mask is used, all local area network addresses should contain the same first three numbers as the SonicWALL LAN IP Address--for example, "192.168.168."
Multiple LAN Subnet Mask Support
Note: This feature does not replace or substitute configuring routes with the Routes tab in the Advanced section of the SonicWALL. If you have to define a subnet on the other side of a router, you must define a static route using the Routes tab in the Advanced section.
Multiple LAN Subnet Mask Support facilitates the support of legacy networks incorporating the SonicWALL, and makes it easier to add additional nodes if the original subnet is full. Before you can configure multiple local LAN subnets in the SonicWALL, you must have the following information:
Network Gateway Address - This is an IP address assigned to the SonicWALL in addition to the existing LAN IP address. If you have configured your SonicWALL in Standard mode, the IP address should be the Default Gateway IP address assigned to your Internet router on the same subnet. All users on the subnet you are configuring must use this IP address as their default router/gateway address.
Subnet Mask - This value defines the size, and based upon the Network Gateway entry, the scope of the subnet. If you are configuring a subnet mask that currently exists on the LAN, enter the existing subnet mask address into the Subnet Mask field. If you are configuring a new subnet mask, use a subnet mask that does not overlap any previously defined subnet masks.
General and Network Settings Page 13
Note: The SonicWALL cannot be managed from any of the additional Network Gateway addresses. You must use the IP address set as the LAN IP address of the SonicWALL. Also, you cannot mix Standard and NAT subnets behind the SonicWALL.
WAN Settings
WAN Gateway (Router) Address - The WAN Gateway (Router) Address is the IP address of the WAN router or default gateway that connects your network to the Internet. If you use Cable or DSL, your WAN router is probably located at your ISP.
If you select NAT with DHCP Client or NAT with PPPoE mode, the WAN Gateway (Router) Address is assigned automatically.
SonicWALL WAN IP Address - The SonicWALL WAN IP Address is a valid IP address assigned to the WAN port of the SonicWALL. This address should be assigned by your ISP. If you select NAT Enabled mode, this is the only address seen by users on the Internet and all activity appears to originate from this address. If you select NAT with DHCP Client, NAT with PPPoE, or NAT with L2TP Client mode, the SonicWALL WAN IP address is assigned automatically. If you select Standard mode, the SonicWALL WAN IP Address is the same as the SonicWALL LAN IP Address.
WAN/LAN Subnet Mask - The WAN/LAN Subnet Mask determines which IP addresses are located on the WAN. This subnet mask should be assigned by your ISP. If you select NAT with DHCP Client, NAT with PPPoE, or NAT with L2TP Client mode, the WAN/LAN Subnet Mask is assigned automatically. If you select Standard mode, the WAN/LAN Subnet Mask is the same as the LAN Subnet Mask.
DNS Settings
DNS Servers - DNS Servers, or Domain Name System Servers, are used by the SonicWALL for diagnostic tests with the DNS Lookup Tool, and for upgrade and registration functionality. DNS Server addresses should be assigned by your ISP.
If you select NAT with DHCP Client or NAT with PPPoE mode, the DNS Server addresses are assigned automatically.
Note: The SonicWALL does not relay DNS settings to the LAN; you must enable and configure the SonicWALL DHCP server or manually configure your computer DNS settings to obtain DNS name resolution.
Page 14 SonicWALL TELE3 SP Administrator’s Guide
Standard Configuration
If your ISP provided you with enough IP addresses for all the computers and network devices on your LAN, enable Standard mode.
To configure Standard addressing mode, complete the following instructions:
1. Select Standard from the Network Addressing Mode menu. Because NAT is disabled, you must assign valid IP addresses to all computers and network devices on your LAN.
2. Enter a unique, valid IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL.
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN. The default value, "255.255.255.0", supports up to 254 IP addresses.
4. Enter your WAN router or default gateway address in the WAN Gateway (Router) Address field. Your router is the device that connects your network to the Internet. If you use Cable or DSL, your WAN router is located at your ISP.
5. Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses the DNS servers for diagnostic tests and for upgrade and registration functionality.
6. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect.
NAT Enabled Configuration
Network Address Translation (NAT) connects your entire network to the Internet using a single IP address. Network Address Translation offers the following:
Internet access to additional computers on the LAN. Multiple computers can access the Internet even if your ISP only assigned one or two valid IP addresses to your network.
Additional security and anonymity because your LAN IP addresses are invisible to the outside world.
If your ISP hasn't provided enough IP addresses for all machines on your LAN, enable NAT and assign your network a private IP address range. You should use addresses from one of the following address ranges on your private network:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Note: If your network address range uses valid TCP/IP addresses, Internet sites within that range are not accessible from the LAN. For example, if you assign the address range 199.2.23.1 - 199.2.23.255 to your LAN, a Web server on the Internet with the address of 199.2.23.20 is not accessible.
When NAT is enabled, users on the Internet cannot access machines on the LAN unless they have been designated as Public LAN Servers.
To enable Network Address Translation (NAT), complete the following instructions.
1. Select NAT Enabled from the Network Addressing Mode menu in the Network window.
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL.
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells the SonicWALL which IP addresses are on your LAN. Use the default value, "255.255.255.0", if there are less than 254 computers on your LAN.
4. Enter your WAN router or default gateway address in the WAN Gateway (Router) Address field. This is the device that connects your network to the Internet. If you use Cable or DSL, your WAN router is probably located at your ISP.
5. Enter a valid IP address assigned by your ISP in the SonicWALL WAN IP (NAT Public) Address field. Because NAT is enabled, all network activity appears to originate from this address.
6. Enter your WAN subnet mask in the WAN/LAN Subnet Mask field. This subnet mask should be assigned by your ISP.
7. Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses these DNS servers for diagnostic tests and for upgrade and registration functionality.
8. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect.
If you enable Network Address Translation, designate the SonicWALL LAN IP Address as the gateway address for computers on your LAN. Consider the following example:
The SonicWALL WAN Gateway (Router) Address is "10.1.1.1".
The SonicWALL WAN IP (NAT Public) Address is "10.1.1.25".
The private SonicWALL LAN IP Address is "192.168.168.1".
Computers on the LAN have private IP addresses ranging from "192.168.168.2" to "192.168.168.255".
In this example, "192.168.168.1", the SonicWALL LAN IP Address, is used as the gateway or router address for all computers on the LAN.
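The rules stated for a NAT Enabled plan (a private LAN range, the router on the WAN subnet, and, under Multiple LAN Subnet Mask Support, no overlapping subnets) can be checked before the settings are entered. The following is an added example written for this guide, not SonicWALL software; it uses the addresses from the example above and assumes a Class C WAN/LAN Subnet Mask, which the example does not state.

```python
"""Sanity checks for a NAT Enabled addressing plan, using the field names the
guide uses. Added example, not SonicWALL software: it checks the rules stated
in this section (private LAN range, router on the WAN subnet, no overlap
between the LAN, WAN and any additional LAN subnets)."""
import ipaddress

# The three private ranges the guide lists for a NAT LAN.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private_range(net):
    """True when the whole network sits inside one of the three private ranges."""
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def check_nat_plan(lan_ip, lan_mask, wan_ip, wan_mask, wan_gateway, extra_subnets=()):
    """Return a list of problems (empty when the plan is consistent).

    lan_ip, lan_mask   - SonicWALL LAN IP Address and LAN Subnet Mask
    wan_ip, wan_mask   - SonicWALL WAN IP (NAT Public) Address and WAN/LAN Subnet Mask
    wan_gateway        - WAN Gateway (Router) Address
    extra_subnets      - (Network Gateway Address, Subnet Mask) pairs entered under
                         Multiple LAN Subnet Mask Support
    """
    problems = []
    lan_if = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    wan_if = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}")
    lan_net, wan_net = lan_if.network, wan_if.network
    gateway = ipaddress.ip_address(wan_gateway)

    # The LAN IP is the default gateway for LAN computers, so it must be a host address.
    if lan_if.ip in (lan_net.network_address, lan_net.broadcast_address):
        problems.append(f"LAN IP {lan_if.ip} is the network or broadcast address of {lan_net}")

    # Public (valid) addresses on a NAT LAN make the matching Internet hosts unreachable.
    if not is_private_range(lan_net):
        problems.append(f"LAN subnet {lan_net} is not a private range; Internet hosts "
                        "in that range will be unreachable from the LAN")

    # The WAN router must be on the WAN subnet and distinct from the WAN IP.
    if gateway not in wan_net:
        problems.append(f"WAN gateway {gateway} is outside WAN subnet {wan_net}")
    elif gateway == wan_if.ip:
        problems.append(f"WAN gateway {gateway} equals the SonicWALL WAN IP")

    # LAN and WAN subnets must not overlap.
    if lan_net.overlaps(wan_net):
        problems.append(f"LAN subnet {lan_net} overlaps WAN subnet {wan_net}")

    # Additional LAN subnets may not overlap the LAN subnet or each other.
    known = [lan_net]
    for gw_addr, mask in extra_subnets:
        net = ipaddress.ip_interface(f"{gw_addr}/{mask}").network
        for other in known:
            if net.overlaps(other):
                problems.append(f"additional subnet {net} overlaps {other}")
        known.append(net)
    return problems


if __name__ == "__main__":
    # The guide's example values; the WAN/LAN Subnet Mask is an assumption.
    plan = check_nat_plan("192.168.168.1", "255.255.255.0",
                          "10.1.1.25", "255.255.255.0", "10.1.1.1")
    print("OK" if not plan else "\n".join(plan))
```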
NAT with DHCP Client Configuration
The SonicWALL can receive an IP address from a DHCP server on the Internet. If your ISP did not provide you with a valid IP address, and instructed you to set your network settings to obtain an IP address automatically, enable NAT with DHCP Client. NAT with DHCP Client mode is typically used with Cable and DSL connections.
To obtain IP settings dynamically, complete the following instructions.
1. Select NAT with DHCP Client from the Network Addressing Mode menu.
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL.
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN. The default value, "255.255.255.0", supports up to 254 IP addresses.
4. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect.
Note: When NAT is enabled, designate the SonicWALL LAN IP Address as the gateway address for computers on the LAN.
When your SonicWALL has successfully received a DHCP lease, the Network window displays the SonicWALL WAN IP settings.
• The Lease Expires value shows when your DHCP lease expires.
• The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/LAN Subnet Mask, and DNS Servers are obtained from a DHCP server on the Internet.
Note: The SonicWALL does not relay DNS settings to the LAN; you must enable and configure the SonicWALL DHCP server or manually configure DNS settings on your computers to obtain DNS name resolution.
In the WAN/LAN Settings section of Network, you can Renew and Release the SonicWALL WAN IP (NAT Public) Address lease. When you click on Renew, the SonicWALL renews the IP address used for the WAN IP address. Click Release, and the lease is released with the DHCP server.
NAT with PPPoE Configuration
The SonicWALL can use Point-to-Point Protocol over Ethernet to connect to the Internet. If your ISP requires the installation of desktop software and user name and password authentication to access the Internet, enable NAT with PPPoE.
To configure NAT with PPPoE, complete the following instructions.
1. Select NAT with PPPoE from the Network Addressing Mode menu.
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN. Use the default value, "255.255.255.0", if there are less than 254 computers on your LAN.
4. Enter the user name provided by your ISP in the User Name field. The user name identifies the PPPoE client.
5. Enter the password provided by your ISP in the Password field. The password authenticates the PPPoE session. This field is case sensitive.
6. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the PPPoE connection after a specified period of inactivity. Define a maximum number of minutes of inactivity in the Minutes field. This value can range from 1 to 99 minutes.
7. In the WAN/LAN section, select Obtain an IP Address Automatically if your ISP does not provide a static IP address. Select Use the following IP Address if your ISP assigns a specific IP address to you.
8. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect.
Note: When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN.
When your SonicWALL has successfully established a PPPoE connection, the Network page displays the SonicWALL WAN IP settings. The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/LAN Subnet Mask, and DNS Servers are displayed.
Note: The SonicWALL does not relay DNS settings to the LAN; you must enable and configure the SonicWALL DHCP server or manually configure the computer DNS settings to obtain DNS name resolution.
Restarting the SonicWALL
Once the network settings have been updated, the Status bar at the bottom of the browser window displays "Restart SonicWALL for changes to take effect." Restart the SonicWALL by clicking Restart. Then click Yes to confirm the restart and send the restart command to the SonicWALL. The restart can take up to 90 seconds, during which time the SonicWALL is inaccessible and all network traffic through the SonicWALL is halted.
Note: If you change the SonicWALL LAN IP Address, you must change the Management Station IP address to be in the same subnet as the new LAN IP address.
Setting the Time and Date
The SonicWALL uses the time and date settings to time stamp log events, to automatically update the Content Filter List, and for other internal purposes.
1. Click the Time tab.
2. Select your time zone from the Time Zone menu.
3. Click Update to add the information to the SonicWALL.
You can also enable automatic adjustments for daylight savings time, use universal time (UTC) rather than local time, and display the date in International format, with the day preceding the month.
To set the time and date manually, clear the check boxes and enter the time (in 24-hour format) and the date.
NTP Settings
Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes to a fraction of a millisecond. Select Use NTP to set time automatically if you want to use your local server to set the SonicWALL clock. You can also set the Update Interval for the NTP server to synchronize the time in the SonicWALL. The default value is 60 minutes. You can add NTP servers to the SonicWALL for time synchronization by entering in the IP address of an NTP server in the Add NTP Server field. If there are no NTP Servers in the list, the internal NTP list is used by default. To remove an NTP server, highlight the IP address and click Delete NTP Server. When you have configured
the Time window, click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Setting the Administrator Password
To set the password, enter the old password in the Old Password field, and the new password in the New Password field. Enter the new password again in the Confirm New Password field and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Note: When setting the password for the first time, remember that the SonicWALL default password is “password”.
If the password is not entered exactly the same in both New Password fields, the password is not changed. If you mistype the password, you are not locked out of the SonicWALL.
Warning: The password cannot be recovered if it is lost or forgotten. If the password is lost, you must reset the SonicWALL to its factory default state. Go to Appendix F for instructions.
Setting the Administrator Inactivity Timeout
The Administrator Inactivity Timeout setting allows you to configure the length of inactivity that can elapse before you are automatically logged out of the Web Management Interface. The SonicWALL is preconfigured to log out the administrator after 5 minutes of inactivity.
Note: If the Administrator Inactivity Timeout is extended beyond 5 minutes, you should end every management session by clicking Logout to prevent unauthorized access to the SonicWALL Web Management Interface.
Enter the desired number of minutes in the Administrator Inactivity Timeout section and click Update. The Inactivity Timeout can range from 1 to 99 minutes. A message confirming the update is displayed at the bottom of the browser window.
3 Managing Your SonicWALL TELE3 SP
This chapter contains a brief overview of SonicWALL management commands and functions. The commands and functions are accessed through the SonicWALL Web Management Interface.
1. Log into the SonicWALL using a Web Browser
You can manage the SonicWALL from any computer connected to the LAN port of the SonicWALL using a Web browser. The computer used for management is referred to as the “Management Station".
Note: To manage the SonicWALL, your Web browser must have Java and Java applets enabled and support HTTP uploads.
2. Open a Web browser and type the SonicWALL IP address, initially, "192.168.168.168", into the Location or Address field at the top of the browser. An Authentication window with a Password dialogue box is displayed.
3. Type “admin” in the User Name field and the password previously defined in the Installation Wizard in the Password field. Passwords are case-sensitive. Enter the password exactly as defined and click Login.
Note: All SonicWALLs are configured with the User Name “admin” and the default Password “password”. The User Name is not configurable.
If you cannot log into the SonicWALL, a cached copy of the page is displayed instead of the correct page. Click Reload or Refresh on the Web browser and try again. Also, be sure to wait until the Java applet has finished loading before attempting to log in.
Once the password is entered, an authenticated management session is established. This session times out after 5 minutes of inactivity. The default time-out can be increased on the Password window in the General section.
HTTPS Management
To enhance the security of the SonicWALL family of Internet Security appliances, HTTPS Management using Secure Socket Layer (SSL) is now supported when you log into your Management interface using https://IP Address where the IP address is the SonicWALL LAN IP address. For example, if the LAN IP address of your SonicWALL appliance is 192.168.168.1, you can log in to it by typing https://192.168.168.1. Access is encrypted using SSL technology for a secure connection.
HTTPS Management allows secure access to the SonicWALL without a VPN client. It is a simple and secure way to manage your SonicWALL from both the LAN and the WAN.
The first time you access the SonicWALL Management interface using HTTPS, you may see the following information message:
Click Yes to continue the login process. SSL is supported by Netscape 4.7 and higher, as well as Internet Explorer 5.5 and higher.
HTTPS management supports the following versions of SSL: SSLv2, SSLv3, and TLSv1. Also, the following encryption ciphers are supported: RC4-MD5, EXP-RC4-MD5, DES-CBC3-SHA, DES-CBC-SHA, RC4-SHA, EXP-RC2-CBC-MD5, NULL-SHA, and NULL-MD5. The RSA key used is 1024-bit.
Status
To view the Status tab, log into your SonicWALL using your Web browser. Click General and then click the Status tab.
Note: The SonicWALL Status window is displayed above. Each SonicWALL Internet Security appliance displays unique characteristics, such as the presence of VPN acceleration hardware or a different amount of memory.
The Status tab displays the following information:
SonicWALL Serial Number - the serial number of the SonicWALL unit.
Number of LAN IP addresses allowed with this license - number of IP addresses that can be managed by the SonicWALL.
Registration code - the registration code generated when the SonicWALL is registered at <http://www.mysonicwall.com>.
SonicWALL Active time - the length of time in days, hours and minutes that the SonicWALL is active.
Firmware version - shows the current version number of the firmware installed on the SonicWALL.
ROM version - indicates the version number of the ROM.
CPU - displays the type and speed of the SonicWALL processor.
VPN Hardware Accelerator Detected - indicates the presence of a VPN Hardware Accelerator in the firewall. This allows better throughput for VPN connections.
RAM - shows the amount of Random Access Memory on the board.
Flash - indicates the size of the flash on the board.
Ethernet Speeds - displays network speeds of the network card.
Current Connections - number of computers connected to the SonicWALL.
Other SonicWALL general status information is displayed in this section relating to other features in the SonicWALL such as the type of network settings in use, log settings, content filter use, and if Stealth Mode is enabled on the SonicWALL.
The General, Log, Filter, Tools, Access, Advanced, DHCP, VPN, Anti-Virus, and High Availability buttons appear on the left side of the window. When one of the buttons is clicked, related management functions are selected by clicking the tabs at the top of the window.
A Logout button at the bottom of the screen terminates the management session and redisplays the Authentication window. If Logout is clicked, you must log in again to manage the SonicWALL. Online help is also available. Click Help at the top of any browser window to view the help files stored in the SonicWALL.
The Status window, shown on the previous page, displays the status of your SonicWALL. It contains an overview of the SonicWALL configuration, as well as any important messages. Check the Status window after making changes to ensure that the SonicWALL is configured properly.
CLI Support and Remote Management
Out-of-band management is available on SonicWALL Internet security appliances using the CLI (Command Line Interface) feature. SonicWALL Internet security appliances can be managed from a console using typed commands and a modem or null-modem cable that is connected to the serial port located on the back of the SonicWALL appliance. The only modem currently supported is the US Robotics v.90/v.92 modem. CLI communication requires the following modem settings:
9600 bps
8 bits
no parity
no hand-shaking
After the modem is accessed, a terminal emulator window such as a hyper terminal window is used to manage the SonicWALL Internet security appliance. Once the SonicWALL is accessed, type in the User Name and password: admin for User Name and then the password used for the management interface.
The following CLI commands are available for the SonicWALL:
? or Help - displays a listing of the top level commands available.
Export - exports preferences from the SonicWALL using Z-modem file transfer protocol.
Import - imports preferences from the SonicWALL using Z-modem file transfer protocol.
Logout - logout of the SonicWALL appliance.
Ping - pings either an IP address or domain name for a specified host.
Restart - restart the SonicWALL
Restore - restores the factory default settings for all saved parameters with the exception of the password, the LAN IP address, and the subnet mask.
Status - displays the information typically seen on the Web management interface tab labeled General.
TSR - retrieves a copy of the tech support report using Z-modem file transfer protocol.
4 Logging and Alerts
This chapter describes the SonicWALL Internet Security appliance logging, alerting, and reporting features, which can be viewed in the Log section of the SonicWALL Web Management Interface. There are four tabs in the Log section:
View Log
Log Settings
Reports
ViewPoint (requires a purchased upgrade)
View Log
The SonicWALL maintains an Event log which displays potential security threats. This log can be viewed with a browser using the SonicWALL Web Management Interface, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and is sortable by column.
The SonicWALL can alert you of important events, such as an attack to the SonicWALL. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
Click Log on the left side of the browser window, and then click View Log.
SonicWALL Log Messages
Each log entry contains the date and time of the event and a brief message describing the event. It is also possible to copy the log entries from the management interface and paste into a report.
TCP, UDP, or ICMP packets dropped
When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log messages usually include the name of the service in quotation marks.
Web, FTP, Gopher, or Newsgroup blocked
When a computer attempts to connect to the blocked site or newsgroup, a log event is displayed. The computer’s IP address, Ethernet address, the name of the blocked Web site, and the Content Filter List Code is displayed. Code definitions for the 12 Content Filter List categories are shown below.
a=Violence/Profanity
b=Partial Nudity
c=Full Nudity
d=Sexual Acts
e=Gross Depictions
f=Intolerance
g=Satanic/Cult
h=Drug Culture
i=Militant/Extremist
j=Sex Education
k=Gambling/Illegal
l=Alcohol/Tobacco
Descriptions of the categories are available at <http://www.sonicwall.com/Content-Filter/categories.html>.
ActiveX, Java, Cookie or Code Archive blocked
When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt are displayed.
Ping of Death, IP Spoof, and SYN Flood Attacks
The IP address of the machine under attack and the source of the attack is displayed. In most attacks, the source address shown is fake and does not reflect the real source of the attack.
Note: Some network conditions can produce network traffic that appears to be an attack, even when no one is deliberately attacking the LAN. To follow up on a possible attack, contact your ISP to determine the source of the attack. Regardless of the nature of the attack, your LAN is protected and no further steps must be taken.
Log Messages from the Modem
PPP Dial-Up - initiating the dial-up access through the modem. It also displays the name of the profile used for initiating the access as well as the telephone number dialed.
PPP Dial-Up: Modem connected - including the baud rate and initiating the authentication.
PPP: Starting CHAP authentication - beginning the authentication process with the dial-up server.
PPP: Authentication successful - successfully authenticated with the dial-up server.
PPP: PPP link established - connection established over the modem to the dial-up server.
PPP Dial-Up: Received new IP address - WAN network settings obtained from the ISP.
WAN IP Changed - displays new IP address from the ISP.
PPP Dial-Up: User requested disconnect - modem connection ended at user request.
PPP Dial-Up: PPP Link down - no network connectivity over the modem connection.
PPP Dial-Up: Connect request canceled - modem disconnected from remote dial-up access.
Log Settings
Click Log on the left side of the browser window, and then click the Log Settings tab.
Configure the following settings:
1. Mail Server - To e-mail log or alert messages, enter the name or IP address of your mail server in the Mail Server field. If this field is left blank, log and alert messages are not e-mailed.
2. Send Log To - Enter your full e-mail address (username@mydomain.com) in the Send log to field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
3. Send Alerts To - Enter your full e-mail address (username@mydomain.com) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Enter a standard e-mail address or an e-mail paging service. If this field is left blank, alert messages are not e-mailed.
4. Firewall Name - The Firewall Name appears in the subject of e-mails sent by the SonicWALL. The Firewall Name is helpful if you are managing multiple SonicWALLs because it specifies the individual SonicWALL sending a log or an alert e-mail. By default, the Firewall Name is set to the SonicWALL serial number.
5. Syslog Server - In addition to the standard event log, the SonicWALL can send a detailed log to an external Syslog server. Syslog is an industry-standard protocol used to capture information about network activity. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.
Syslog Analyzers such as WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data.
Enter the Syslog server name or IP address in the Syslog Server 1 or Syslog Server 2 field. Messages from the SonicWALL are then sent to the servers. If the SonicWALL is managed by SGMS, however, the Syslog Server fields cannot be configured by the administrator of the SonicWALL.
6. E-mail Log Now - Clicking E-mail Log Now immediately sends the log to the address in the Send Log To field and then clears the log.
7. Clear Log Now - Clicking Clear Log Now deletes the contents of the log.
8. Send Log / Every / At - The Send Log menu determines the frequency of log e-mail messages: Daily, Weekly, or When Full. If the Weekly option is selected, then enter the day of the week the e-mail is sent in the Every menu. If the Weekly or the Daily option is selected, enter the time of day when the e-mail is sent in the At field. If the When Full option is selected and the log fills up, it is e-mailed automatically.
9. When log overflows - The log buffer fills up if the SonicWALL cannot e-mail the log file. The default behavior is to overwrite the log and discard its contents. However, you can configure the SonicWALL to shut down and prevent traffic from traveling through the SonicWALL if the log is full.
10. Syslog Individual Event Rate (seconds/event) - The Syslog Individual Event Rate setting filters repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Individual Event Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred.
The Syslog Individual Event Rate default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
11. Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
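The Syslog Individual Event Rate behaviour described in item 10 is easiest to understand when run over a handful of events. The following is an added model of that rule, not SonicWALL code: the event text and the wording of the end-of-period summary line are constructed for the example, since the guide does not show the appliance's exact Syslog format.

```python
"""Model of the Syslog Individual Event Rate filter (added example, not
SonicWALL code). Rule as the guide states it: the first occurrence of an event
is written, duplicates inside the period are counted instead of written, one
summary line goes out at the end of the period, and 0 seconds means no filtering."""


class SyslogEventRateFilter:
    """Collapse repeats of the same event that fall within `period` seconds."""

    def __init__(self, period=60):
        if not 0 <= period <= 86400:  # the guide's stated range
            raise ValueError("period must be 0..86400 seconds")
        self.period = period
        # message -> [window start time, occurrences seen in this window]
        self.windows = {}

    def feed(self, ts, message):
        """Process one event at time `ts` (seconds); return the lines written to Syslog."""
        if self.period == 0:
            return [message]  # 0 seconds: every message goes out unfiltered
        out = self.flush(ts)  # close any window that ended before this event
        win = self.windows.get(message)
        if win is None:
            self.windows[message] = [ts, 1]
            out.append(message)  # first occurrence in a period is written as-is
        else:
            win[1] += 1  # duplicate inside the period: counted, not written
        return out

    def flush(self, now):
        """Close windows whose period has elapsed by `now`; emit a summary for repeats."""
        out = []
        for message, (start, count) in list(self.windows.items()):
            if now - start >= self.period:
                if count > 1:
                    # Summary wording is constructed for this example.
                    out.append(f"{message} (occurred {count} times in {self.period} s)")
                del self.windows[message]
        return out


# Constructed sample: (seconds since start, event text). The same NetBIOS drop
# repeats four times; a Telnet drop appears once.
SAMPLE_EVENTS = [
    (0, "UDP packet dropped, 203.0.113.7, 137, 192.168.168.10, 137, 'NetBIOS'"),
    (5, "UDP packet dropped, 203.0.113.7, 137, 192.168.168.10, 137, 'NetBIOS'"),
    (12, "TCP connection dropped, 198.51.100.9, 1025, 192.168.168.10, 23, 'Telnet'"),
    (40, "UDP packet dropped, 203.0.113.7, 137, 192.168.168.10, 137, 'NetBIOS'"),
    (61, "UDP packet dropped, 203.0.113.7, 137, 192.168.168.10, 137, 'NetBIOS'"),
]


def run_filter(events, period):
    """Feed all events through the filter and close the remaining windows at the end."""
    f = SyslogEventRateFilter(period)
    written = []
    for ts, message in events:
        written.extend(f.feed(ts, message))
    last_ts = events[-1][0] if events else 0
    written.extend(f.flush(last_ts + period))  # end of the final period
    return written


if __name__ == "__main__":
    # With the 60 s default, five events become four Syslog lines: the first
    # NetBIOS drop, the Telnet drop, a summary for three NetBIOS drops, and
    # the NetBIOS drop that opened a new period at t=61.
    for line in run_filter(SAMPLE_EVENTS, 60):
        print(line)
```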
Log Categories
You can define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug.
System Maintenance
Logs general system activity, such as administrator logins, automatic downloads of the Content Filter Lists, and system activations.
System Errors
Logs problems with DNS, e-mail, and automatic downloads of the Content Filter List.
Blocked Web Sites
Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
Blocked Java, ActiveX, and Cookies
Logs Java, ActiveX, and Cookies blocked by the SonicWALL.
User Activity
Logs successful and unsuccessful login attempts.
Attacks
Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing.
Dropped TCP
Logs blocked incoming TCP connections.
Dropped UDP
Logs blocked incoming UDP packets.
Dropped ICMP
Logs blocked incoming ICMP packets.
Network Debug
Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnel s. Network Debug information is intended for experienced network administrators.
Alert Categories
Alerts are events, such as attacks, which warrant immediate attention. When events generate alerts, messages are immediately sent to the e-mail address defined in the Send alerts to field. Attacks and System Errors are enabled by default; Blocked Web Sites is disabled.
Attacks
Log entries categorized as Attacks generate alert messages.
System Errors
Log entries categorized as System Errors generate alert messages.
Blocked Web Sites
Log entries categorized as Blocked Web Sites generate alert messages.
Once you have configured the Log Settings window, click Update. Once the SonicWALL is updated, a message confirming the update is displayed at the bottom of the browser window.
Reports
The SonicWALL is able to perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. Click Log on the left side of the browser window, and then click the Reports tab.
The Reports window includes the following functions and commands:
Start Data Collection
Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
Reset Data
Click Reset to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL is restarted.
View Data
Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.
Web Site Hits
Selecting Web Site Hits from the Display Report menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.
The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites.
Bandwidth Usage by IP Address
Selecting Bandwidth Usage by IP Address from the Display Report menu displays a table showing the IP Address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.
Bandwidth Usage by Service
Selecting Bandwidth Usage by Service from the Display Report menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.
The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.
5 Content Filtering and Blocking
Internet content filtering allows you to create and enforce Internet access policies tailored to the needs of the organization. You can select categories to block or monitor, such as pornography or racial intolerance, from a pre-defined list.
There are now three Content Filter Lists available for selection:
SonicWALL - Selecting SonicWALL for the Content Filter List Type allows you to use the URL list and completely customize your Content Filter feature, including allowed and forbidden domains as well as content filtering using keywords.
N2H2 - N2H2 is a third party content filter software package supported by SonicWALL. You can obtain more information on N2H2 at <http://www.n2h2.com>. If you select N2H2 from the list, an N2H2 tab is available to configure the location of the N2H2 server and other settings.
Websense Enterprise - Websense Enterprise is also a third party content filter list package supported by SonicWALL. You can obtain more information on Websense Enterprise at <http://www.Websense.com>. If you select Websense Enterprise from the list, a Websense tab is available to configure the location of the Websense server and other settings.
There are four tabs in the Filter section if the SonicWALL Content Filter is selected:
Configure
URL List
Customize
Consent
Configuring SonicWALL Content Filtering
The Configure tab is common between the three types of Content Filtering. Click Filter on the left side of the browser window, and then click on the Configure tab.
Select the type of Content Filter from the Content Filter Type menu. To enforce Content Filtering on the LAN, select Apply Content Filter.
Restrict Web Features
Select any of the following applications to block:
Block:
ActiveX
ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX check box to block ActiveX controls.
Java
Java is used to download and run small programs, called applets, on Web sites. It is safer than ActiveX since it has built-in security mechanisms. Select the Java check box to block Java applets from the network.
Cookies
Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable Cookies.
Known Fraudulent Certificates
Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates.
Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.
Access to HTTP Proxy Servers
When a proxy server is located on the WAN, LAN users can circumvent content filtering by pointing their computer to the proxy server. Check this box to prevent LAN users from accessing proxy servers on the WAN.
Don’t Block Java/ActiveX/Cookies to Trusted Domains
Select this option if you have trusted domains using Java, ActiveX, and Cookies. To add a trusted domain, enter the domain name into the Add Trusted Domain field. Click Update to add the domain to the list of trusted domains. To delete a domain, select it from the list, and then click Delete.
Trusted Domains
Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.
Message to display when a site is blocked
Enter your customized text to display to the user when access to a blocked site is attempted. The default message is Web Site blocked by SonicWALL Filter. Any message, including embedded HTML, up to 255 characters long, can be entered in this field.
URL List
The URL List page allows you to see the status of the Content Filter List as well as configure a specific time to download the list. You can also determine how the SonicWALL responds when a Content Filter List is unavailable. Selecting categories to block is also configured on this page.
Note: Content Filtering applies only to the SonicWALL LAN.
List Status
This section of the URL List tab indicates the status of the URL list. If the Content Filter List is loaded, a status message is displayed in this section.
List Updates
It is important to note that Host names, and not TCP/IP addresses, are used for all filtering for several reasons. One reason is because many blocked sites operate server pools, where many computers service a single host name, making it impractical and difficult to add and maintain the numerical addresses of every server in the pool. Another reason is the fact that many sites which are included in the Content Filter List regularly change the IP address of the server to try to bypass Content Filter Lists. For this reason, maintaining a current list subscription is critical for effective content filtering.
Download Automatically every
Selecting Download Automatically every allows you to configure a specific time to download your Content Filter List. Select a day of the week and a time (24-hour format), for example, Sun. at 22:00 hours. Or, you can click Download Now to immediately download your Content Filter List.
It is recommended to download the URL List at a time when access to the Internet is at a minimum, as downloading the URL List disrupts connectivity to the Internet.
Settings
If you have enabled blocking by Filter Categories and the URL List becomes unavailable, there are two options available:
Block traffic to all Web sites except for Allowed Domains
Selecting this option blocks traffic to all Web sites except Allowed Domains until the URL List is available.
Allow traffic to all Web sites
Selecting this option allows traffic to all Web sites without the URL List. However, Forbidden Domains and Keywords, if enabled, are still blocked.
Select Categories to Block
Block all categories
The SonicWALL uses a Content Filter List generated by CyberPatrol to block access to objectionable Web sites. CyberPatrol classifies objectionable Web sites based upon input from a wide range of social, political, and civic organizations. Select the Block all categories check box to block all of these categories. Alternatively, you can select categories individually by selecting the appropriate check box.
When you register your SonicWALL at <http://www.mysonicwall.com>, you can download a one month subscription to Content Filter List updates.
The following is a list of the Content Filter List categories:
Violence/Profanity
Satanic/Cult
Partial Nudity
Drugs/Drug Culture
Full Nudity
Militant/Extremist
Sexual Acts
Sex Education
Gross Depictions
Questionable/Illegal Gambling
Intolerance
Alcohol & Tobacco
Visit <http://www.sonicwall.com/Content-Filter/categories.html> for a detailed description of the criteria used to define Content Filter List categories.
Customizing the Content Filtering List
The Customize tab allows you to customize your URL List by manually entering domain names or keywords to be blocked or allowed.
Custom Filter
You can customize your URL list to include Allowed Domains, Forbidden Domains, and Keywords. By customizing your URL list, you can include specific domains to be allowed (accessed), forbidden (blocked), and include specific keywords to be used to block sites. Select the checkbox Enable Allowed/Forbidden Domains to activate this feature.
To allow access to a Web site that is blocked by the Content Filter List, enter the host name, such as “www.ok-site.com”, into the Allowed Domains fields. 256 entries can be added to the Allowed Domains list.
To block a Web site that is not blocked by the Content Filter List, enter the host name, such as “www.bad-site.com” into the Forbidden Domains field. 256 entries can be added to the Forbidden Domains list.
Note: Do not include the prefix “http://” in either the Allowed Domains or Forbidden Domains fields. All subdomains are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”.
To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete Domain. Once the domain has been deleted, a message is displayed at the bottom of the Web browser window.
To enable blocking using Keywords, select the Enable Keyword Blocking check box. Enter the keyword to block in the Add Keyword field, and click Update. Once the keyword has been added, a message confirming the update is displayed at the bottom of the browser window.
To remove a keyword, select it from the list and click Delete Keyword. Once the keyword has been removed, a message confirming the update is displayed at the bottom of the browser window.
Note: Customized domains do not have to be re-entered when the Content Filter List is updated each week and do not require a URL list subscription.
Enable Allowed/Forbidden Domains
To deactivate Custom Filter customization, clear the Enable Allowed/Forbidden Domains check box, and click Update. This option allows you to enable and disable customization without removing and re-entering custom domains.
Enable Keyword Blocking
Select the Enable Keyword Blocking check box if you want to block Web traffic based on your list of customized keywords.
Disable all Web traffic except for Allowed Domains
When the Disable all Web traffic except for Allowed Domains check box is selected, the SonicWALL only allows Web access to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.
Time of Day
The Time of Day feature allows you to define specific times when Content Filtering is enforced. For example, you could configure the SonicWALL to filter employee Internet access during normal business hours, but allow unrestricted access at night and on weekends.
Note: Time of Day restrictions only apply to the Content Filter List, Customized blocking and Keyword blocking. Consent and Restrict Web Features are not affected.
Always Block
When selected, Content Filtering is enforced at all times.
Block Between
When selected, Content Filtering is enforced during the time and days specified. Enter the time period, in 24-hour format, and select the starting and ending day of the week that Content Filtering is enforced.
Filter Block Action
Log Only
If this check box is selected, the SonicWALL logs and then allows access to all sites on the Content Filter, custom, and keyword lists. The Log Only check box allows you to monitor inappropriate usage without restricting access.
Log and Block Access
Select the check box and the SonicWALL blocks access to sites on the Content Filter, custom, and keyword lists. The SonicWALL also logs attempts to access these sites.
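The decision logic behind the Customize, Settings (URL List unavailable), Time of Day and Filter Block Action options above, written as an added example rather than SonicWALL code. The class and function names are assumptions, the Content Filter List is stood in for by a constructed set of host names, and Block Between is simplified to a range of hours (the day-of-week selection is omitted).

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit


def normalize_entry(entry: str) -> str:
    """Entries must be bare host names: drop a stray http:// prefix, lowercase."""
    entry = entry.strip().lower()
    if entry.startswith("http://") or entry.startswith("https://"):
        entry = urlsplit(entry).hostname or ""
    return entry.rstrip("/")


def domain_matches(host: str, entry: str) -> bool:
    """'yahoo.com' covers 'yahoo.com', 'mail.yahoo.com' and 'my.yahoo.com'."""
    return host == entry or host.endswith("." + entry)


@dataclass
class FilterPolicy:
    """One SonicWALL-style content filter configuration (added example)."""

    allowed: Set[str] = field(default_factory=set)      # Allowed Domains, max 256
    forbidden: Set[str] = field(default_factory=set)    # Forbidden Domains, max 256
    keywords: Set[str] = field(default_factory=set)     # Keywords
    custom_enabled: bool = True       # Enable Allowed/Forbidden Domains
    keywords_enabled: bool = True     # Enable Keyword Blocking
    only_allowed: bool = False        # Disable all Web traffic except for Allowed Domains
    url_list: Optional[Set[str]] = None   # constructed stand-in; None = list unavailable
    block_when_list_unavailable: bool = True  # else: Allow traffic to all Web sites
    log_only: bool = False            # Filter Block Action: Log Only vs Log and Block
    block_between: Optional[Tuple[int, int]] = None  # (start_hour, end_hour); None = Always

    def __post_init__(self) -> None:
        if len(self.allowed) > 256 or len(self.forbidden) > 256:
            raise ValueError("Allowed and Forbidden Domains hold at most 256 entries each")
        self.allowed = {normalize_entry(e) for e in self.allowed}
        self.forbidden = {normalize_entry(e) for e in self.forbidden}
        self.keywords = {k.lower() for k in self.keywords}

    def enforced_at(self, when: datetime) -> bool:
        """Time of Day: Always Block, or only inside the Block Between window."""
        if self.block_between is None:
            return True
        start, end = self.block_between
        return start <= when.hour < end

    def decide(self, url: str, when: datetime) -> Tuple[str, str]:
        """Return (action, reason); action is 'allow', 'block' or 'log'."""
        host = (urlsplit(url).hostname or "").lower()
        reason = self._match(host, url.lower())
        if reason is None:
            return "allow", "not matched"
        if not self.enforced_at(when):
            return "allow", f"{reason} (outside Block Between window)"
        return ("log" if self.log_only else "block"), reason

    def _match(self, host: str, url_lc: str) -> Optional[str]:
        """Which list, if any, catches this request; None means no match."""
        if self.custom_enabled:
            if any(domain_matches(host, e) for e in self.allowed):
                return None  # Allowed Domains override every list below
            if self.only_allowed:
                return "not in Allowed Domains"
            if any(domain_matches(host, e) for e in self.forbidden):
                return "Forbidden Domain"
        if self.keywords_enabled and any(k in url_lc for k in self.keywords):
            return "Keyword"
        if self.url_list is None:
            # Forbidden Domains and Keywords above are still applied either way
            return "URL List unavailable" if self.block_when_list_unavailable else None
        if any(domain_matches(host, e) for e in self.url_list):
            return "Content Filter List"
        return None
```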
Consent
The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy window before Web browsing is allowed.
Click Filter on the left side of the browser window, and then click the Consent tab.
Maximum Web usage
In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The SonicWALL can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field. When the default value of zero (0) is entered, this feature is disabled.
User Idle Timeout is 5 minutes (configure here)
After a period of Web browser inactivity, the SonicWALL requires the user to agree to the terms outlined in the Consent page before accessing the Internet again. To configure the value, follow the link to the Users window and enter the desired value in the User Idle Timeout section.
Consent page URL (Optional Filtering)
When a user opens a Web browser on a computer requiring consent, they are shown a consent page and given the option to access the Internet with or without content filtering. You must create this Web (HTML) page. It can contain the text from, or links to an Acceptable Use Policy (AUP).
This page must contain links to two pages contained in the SonicWALL, which, when selected, tell the SonicWALL if the user wishes to have filtered or unfiltered access. The link for unfiltered access must be <192.168.168.168/iAccept.html> and the link for filtered access must be <192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP Address is used instead of "192.168.168.168".
“Consent Accepted” URL (Filtering Off)
When a user accepts the terms outlined in the Consent page and chooses to access the Internet without the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the “Consent Accepted” (Filtering Off) field. This page must reside on a Web server and be accessible as a URL by users on the LAN.
“Consent Accepted” URL (Filtering On)
When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the “Consent Accepted” (Filtering On) field. This page must reside on a Web server and be accessible as a URL by users on the LAN.
Mandatory Filtered IP Addresses
Consent page URL (Mandatory Filtering)
When a user opens a Web browser on a computer using mandatory content filtering, a consent page is displayed. You must create the Web page that appears when the Web browser is opened. It can contain text from an Acceptable Use Policy, and notification that violations are logged or blocked.
This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the SonicWALL that tells the SonicWALL that the user agrees to have filtering enabled. The link must be <192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP Address is used instead of "192.168.168.168".
Enter the URL of this page in the Consent page URL (Mandatory Filtering) field and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the Web browser window.
Add New Address
The SonicWALL can be configured to enforce content filtering for certain computers on the LAN. Enter the IP addresses of these computers in the Add New Address field and click the Submit button. Up to 128 IP addresses can be entered.
To remove a computer from the list of computers to be filtered, highlight the IP address in the Mandatory Filtered IP Addresses list and click Delete Address.
Configuring N2H2 Internet Filtering
N2H2 is a third party Internet filtering package that allows you to use Internet filtering through the SonicWALL. When you select N2H2 as your Content Filter List, the N2H2 tab is available.
Restrict Web Features
Select any of the following applications to block:
Block:
ActiveX
ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX check box to block ActiveX controls.
Java
Java is used to download and run small programs, called applets, on Web sites. It is safer than ActiveX since it has built-in security mechanisms. Select the Java check box to block Java applets from the network.
Cookies
Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable Cookies.
Known Fraudulent Certificates
Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates.
Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.
Access to HTTP Proxy Servers
When a proxy server is located on the WAN, LAN users can circumvent content filtering by pointing their computer to the proxy server. Check this box to prevent LAN users from accessing proxy servers on the WAN.
Don’t Block Java/ActiveX/Cookies to Trusted Domains
Select this option if you have trusted domains using Java, ActiveX, and Cookies. To add a trusted domain, enter the domain name into the Add Trusted Domain field. Click Update to add the domain to the list of trusted domains. To delete a domain, select it from the list, and then click Delete.
Trusted Domains
Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.
Message to display when a site is blocked
Enter your customized text to display to the user when access to a blocked site is attempted. The default message is Web Site blocked by SonicWALL Filter. Any message, including embedded HTML, up to 255 characters long, can be entered in this field.
Customization of Content Filtering is not available if you select N2H2 as your source for your Content Filter List. Refer to your N2H2 documentation for details on configuring N2H2 Internet Filtering for your network.
N2H2 Server Status
This section displays the status of the N2H2 Internet Filtering Protocol (IFP) server you are using for Internet filtering.
Settings Server Host Name or IP Address
Enter the Server Host Name or the IP address of the N2H2 Internet Filtering Protocol (IFP) server used to receive IFP requests.
Listen Port
Enter the UDP port number for the N2H2 Internet Filtering Protocol (IFP) server to “listen” for the N2H2 traffic. The default port is 4005.
Reply Port
Enter the UDP port number for the N2H2 server to send packets from the N2H2 client to the SonicWALL. The default port is 4005.
User Name
The User Name refers to a configuration of users, a group of users, or a network defined within the N2H2 software.
If Server is unavailable for 5 secs:
The default value for timeout of the server is 5 seconds, but you can enter a value between 1 and 10 seconds.
If the N2H2 server becomes unavailable, select from the following two options:
Block traffic to all Web sites
Allow traffic to all Web sites
URL Cache
Configure the size of the URL Cache in KB.
Model Cache Size (KB)
TELE3 SP 256
Note: A larger URL Cache size can result in noticeable improvements in Internet browsing response times.
Configuring Websense Enterprise Content Filter
Websense is a third party software package that allows you to use content filtering through the SonicWALL. Select Websense Enterprise from the Content Filter Type menu.
Customization of the Content Filter List is not available if you select Websense as your source for content filtering.
Restrict Web Features
Select any of the following applications to block:
Block:
ActiveX
ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX check box to block ActiveX controls.
Java
Java is used to download and run small programs, called applets, on Web sites. It is safer than ActiveX since it has built-in security mechanisms. Select the Java check box to block Java applets from the network.
Cookies
Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable Cookies.
Known Fraudulent Certificates
Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates.
Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.
Access to HTTP Proxy Servers
When a proxy server is located on the WAN, LAN users can circumvent content filtering by pointing their computer to the proxy server. Check this box to prevent LAN users from accessing proxy servers on the WAN.
Don’t Block Java/ActiveX/Cookies to Trusted Domains
Select this option if you have trusted domains using Java, ActiveX, and Cookies. To add a trusted domain, enter the domain name into the Add Trusted Domain field. Click Update to add the domain to the list of trusted domains. To delete a domain, select it from the list, and then click Delete.
Trusted Domains
Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.
Message to display when a site is blocked
When a user attempts to access a site blocked by the Websense Enterprise Content Filter List, only Websense Enterprise messages are displayed in the browser. If the Websense Enterprise Content Filter List server is unavailable, the default SonicWALL message is displayed.
Configuring Websense Content Filter List
Configure the Websense Enterprise settings on this page.
Websense Server Status
This section displays the status of the Websense Enterprise server used for content filtering.
Settings
Server Host Name or IP Address
Enter the Server Host Name or the IP address of the Websense Enterprise server used for the Content Filter List.
Server Port
Enter the UDP port number for the SonicWALL to “listen” for the Websense Enterprise traffic. The default port number is 15686.
User Name
To enable reporting of users and groups defined on the Websense Enterprise server, leave this field blank. To enable reporting by a specific user or group behind the SonicWALL, enter the User Name configured on the Websense Enterprise Server for the user or group. If using NT-based directories on the Websense Enterprise Server, the User Name is in this format, for example: NTLM:\\domainname\username. If using LDAP-based directories on the Websense Enterprise server, the User Name is in this format, for example: LDAP://o-domain/ou=sales/username.
If you are not sure about entering a user name in this section, leave the field blank and consult your Websense documentation for more information.
If Server is unavailable for 5 secs:
If the Websense Enterprise server becomes unavailable, select from the following two options:
Block traffic to all Web sites
Allow traffic to all Web sites
URL Cache
Configure the size of the URL Cache in KB.
Model Cache Size (KB)
TELE3 SP 256
Note: A larger URL Cache size can result in noticeable improvements in Internet browsing response times.
6 Web Management Tools
This chapter describes the SonicWALL Management Tools, available in the Tools section of the SonicWALL Web Management Interface. The Web Management Tools section allows you to restart the SonicWALL, import and export configuration settings, update the SonicWALL firmware, and perform several diagnostic tests.
There are four tabs in the Tools section:
Restart
Preferences
Firmware
Diagnostic
Restarting the SonicWALL
Click Tools on the left side of the browser window, and then click the Restart tab.
The SonicWALL can be restarted from the Web Management Interface. Click Restart SonicWALL, and then click Yes to confirm the restart.
The SonicWALL takes up to 90 seconds to restart, and the yellow Test LED is lit. During the restart time, Internet access for all users on the LAN is momentarily interrupted.
Preferences
Click Tools on the left side of the browser window, and then click the Preferences tab.
You can save the SonicWALL settings, and then retrieve them later for backup purposes. SonicWALL recommends saving the SonicWALL settings when upgrading the firmware.
The Preferences window also provides options to restore the SonicWALL factory default settings and launch the SonicWALL Installation Wizard. These functions are described in detail in the following pages.
Exporting the Settings File
It is possible to save the SonicWALL configuration information as a file on your computer, and retrieve it for later use.
1. Click Export in the Preferences tab.
2. Click Export again to download the settings file. Then choose the location to save the settings file. The file is named “sonicwall.exp” by default, but it can be renamed.
3. Click Save to save the file. This process can take up to a minute.
Importing the Settings File
After exporting a settings file, you can import it back to the SonicWALL.
1. Click Import in the Preferences tab.
2. Click Browse to locate a settings file which was saved using Export.
3. Select the file, and click Import.
4. Restart the SonicWALL for the settings to take effect.
Note: The Web browser used to Import Settings must support HTTP uploads. Microsoft Internet Explorer 5.0 and higher as well as Netscape Navigator 4.0 and higher is recommended. Netscape Navigator can be downloaded at <http://www.netscape.com>.
Restoring Factory Default Settings
You can erase the SonicWALL configuration settings and restore the SonicWALL to its factory default state.
1. Click Restore on the Preferences tab to restore factory default settings.
2. Click Yes, and then restart the SonicWALL for the change to take effect.
Note: The SonicWALL LAN IP Address, LAN Subnet Mask, and the Administrator Password are not reset.
Updating Firmware
The SonicWALL has flash memory and can be easily upgraded with new firmware. Current firmware can be downloaded from the SonicWALL, Inc. Web site directly into the SonicWALL.
Note: Firmware updates are only available to registered users. You can register your SonicWALL online at <http://www.mysonicwall.com>.
1. Click Tools on the left side of the browser window, and then click the Firmware tab.
To be automatically notified when new firmware is available, select the Notify me when new firmware is available check box. Then click Update. If you enable firmware notification, your SonicWALL sends a status message to SonicWALL, Inc. Firmware Server on a daily basis. The status message includes the following information:
SonicWALL Serial Number
Unit Type
Current Firmware Version
Language
Current Available memory
ROM version
Options and Upgrades (SonicWALL VPN, Network Anti-Virus)
Note: The SonicWALL Privacy Policy is available at <http://www.sonicwall.com/corporate_info/privacy.html> for additional information about privacy.
When new firmware is available, a message is e-mailed to the address specified in the Log Settings window. In addition, the Status window includes notification of new firmware availability. This notification provides links to firmware release notes and to a Firmware Update Wizard. The Firmware Update Wizard simplifies and automates the upgrade process. Follow the instructions in the Firmware Update Wizard to update the firmware.
Updating Firmware Manually
You can also upload firmware from the local hard drive. Click Upload Firmware.
Note: The Web browser used to upload firmware must support HTTP uploads. Microsoft Internet Explorer 5.0 and higher as well as Netscape Navigator 4.0 and higher are recommended.
When firmware is uploaded, the SonicWALL settings can be erased. Before uploading new firmware, export and save the SonicWALL settings so that they can be restored later. Once the settings have been saved, click Yes.
Click Browse and select the firmware file from your local hard drive or from the SonicWALL Companion CD. Click Upload, and then restart the SonicWALL.
Note: When uploading firmware to the SonicWALL, you must not interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it can corrupt the SonicWALL firmware.
Upgrade Features
The SonicWALL can be upgraded to support new or optional features. Chapter 12, SonicWALL Options and Upgrades, provides a summary of the SonicWALL firmware upgrades, subscription services, and support offerings. You can contact SonicWALL or your local reseller for more information about SonicWALL options and upgrades.
Web: http://www.sonicwall.com E-mail: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408) 745-9300
When an upgrade is purchased, an Activation Key and instructions for registering the upgrade are included. Once you have registered the upgrade, an Upgrade Key is issued. Enter this key in the Enter upgrade key field and click Update. Follow the instructions included with the upgrade for configuration.
Diagnostic Tools
The SonicWALL has several built-in tools which help troubleshoot network problems. Click Tools on the left side of the browser window and then click the Diagnostic tab.
DNS Name Lookup
The SonicWALL has a DNS lookup tool that returns the numerical IP address of a domain name or, if you enter an IP address, returns the domain name.
1. Select DNS Name Lookup from the Choose a diagnostic tool menu.
2. Enter the host name to look up in the Look up the name field and click Go. Do not add the prefix "http://". The SonicWALL then queries the DNS server and displays the result at the bottom of the screen.
Note: You must define a DNS server IP address in the Network tab of the General section to perform a DNS Name Lookup.
Find Network Path
The Find Network Path tool shows whether an IP host is located on the LAN or the WAN. This is helpful to determine if the SonicWALL is properly configured. For example, if the SonicWALL “thinks” that a computer on the Internet is located on the LAN, then the SonicWALL Network or Intranet settings can be misconfigured. Find Network Path shows if the target device is behind a router, and the Ethernet address of the target device. Find Network Path also shows the gateway the device is using and helps isolate configuration problems.
1. Select Find Network Path from the Choose a diagnostic tool menu.
2. Enter the IP address of the device and click Go. The test takes a few seconds to complete. Once completed, a message showing the results is displayed in the browser window.
If the network path is incorrect, check the SonicWALL Intranet and Static Routes settings.
Note: Find Network Path requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host.
Ping
The Ping test bounces a packet off a machine on the Internet back to the sender. This test shows if the SonicWALL is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server, or another machine at the ISP location. If this test is successful, try pinging devices outside the ISP. This shows if the problem lies with the ISP connection.
1. Select Ping from the Choose a diagnostic tool menu.
2. Enter the IP address of the target device to ping and click Go. The test takes a few seconds to complete. Once completed, a message showing the results is displayed in the browser window.
Note: Ping requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host.
Packet Trace
The Packet Trace tool tracks the status of a communications stream as it moves from source to destination. This is a useful tool to determine if a communications stream is being stopped at the SonicWALL, or is lost on the Internet.
To interpret this tool, it is necessary to understand the three-way handshake that occurs for every TCP connection. The following displays a typical three-way handshake initiated by a host on the SonicWALL LAN to a remote host on the WAN.
1. TCP received on LAN [SYN]
From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
The SonicWALL receives SYN from LAN client.
2. TCP sent on WAN [SYN]
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
The SonicWALL forwards SYN from LAN client to remote host.
3. TCP received on WAN [SYN,ACK]
From 204.71.200.74 / 80 (02:00:cf:58:d3:6a) To 207.88.211.116 / 1937 (00:40:10:0c:01:4e)
The SonicWALL receives SYN,ACK from remote host.
4. TCP sent on LAN [SYN,ACK]
From 204.71.200.74 / 80 (02:00:cf:58:d3:6a) To 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)
The SonicWALL forwards SYN,ACK to LAN client.
5. TCP received on LAN [ACK]
From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
Client sends a final ACK, and waits for start of data transfer.
6. TCP sent on WAN [ACK]
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
The SonicWALL forwards the client ACK to the remote host and waits for the data transfer to begin.
When using packet traces to isolate network connectivity problems, look for the location where the three-way handshake is breaking down. This helps to determine if the problem resides with the SonicWALL configuration, or if there is a problem on the Internet.
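The following is an added example, not part of the manual and not SonicWALL code, that automates the interpretation described above: it parses the six-stage handshake as the Packet Trace tool prints it and reports at which stage the exchange stopped and which side that points to. The attribution rule it applies generalizes the manual's guidance: a missing "sent" stage means the SonicWALL did not forward a segment it had received (SonicWALL configuration), while a missing "received" stage means the peer on that interface never answered (the remote host or Internet path on the WAN, the client on the LAN). The full trace is the manual's own sample; the truncated traces are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# The six stages of a LAN-to-WAN TCP three-way handshake, in the form the
# Packet Trace tool reports them: (direction, interface, TCP flags).
EXPECTED_HANDSHAKE = [
    ("received", "LAN", "SYN"),
    ("sent",     "WAN", "SYN"),
    ("received", "WAN", "SYN,ACK"),
    ("sent",     "LAN", "SYN,ACK"),
    ("received", "LAN", "ACK"),
    ("sent",     "WAN", "ACK"),
]

# Header line, e.g. "2. TCP sent on WAN [SYN]" (the step number is ignored).
HEADER_RE = re.compile(r"TCP (received|sent) on (LAN|WAN) \[([A-Z,]+)\]")
# Address line, e.g. "From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)"
ADDR_RE = re.compile(r"From (\S+) / (\d+) \([0-9a-f:]+\) To (\S+) / (\d+) \([0-9a-f:]+\)")


@dataclass
class TraceEvent:
    direction: str  # "received" or "sent"
    interface: str  # "LAN" or "WAN"
    flags: str      # e.g. "SYN,ACK"
    src: str
    sport: int
    dst: str
    dport: int


def parse_trace(text: str) -> List[TraceEvent]:
    """Parse Packet Trace output into TraceEvents, preserving their order."""
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            pending = m.groups()
            continue
        m = ADDR_RE.search(line)
        if m and pending:
            src, sport, dst, dport = m.groups()
            events.append(TraceEvent(*pending, src, int(sport), dst, int(dport)))
            pending = None
    return events


def diagnose_handshake(events: List[TraceEvent]) -> dict:
    """Count completed handshake stages and name the side the breakdown points to."""
    completed = 0
    for expected, ev in zip(EXPECTED_HANDSHAKE, events):
        if (ev.direction, ev.interface, ev.flags) != expected:
            break
        completed += 1
    if completed == len(EXPECTED_HANDSHAKE):
        return {"completed": completed, "missing": None, "suspect": "none"}
    direction, interface, flags = EXPECTED_HANDSHAKE[completed]
    if direction == "sent":
        suspect = "SonicWALL configuration"      # received but never forwarded
    elif interface == "WAN":
        suspect = "remote host or Internet path"  # SYN went out, no reply came back
    else:
        suspect = "LAN client"                    # client never (re)sent its segment
    return {"completed": completed,
            "missing": f"TCP {direction} on {interface} [{flags}]",
            "suspect": suspect}


# The manual's sample handshake, verbatim.
FULL_TRACE = """\
1. TCP received on LAN [SYN]
From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
2. TCP sent on WAN [SYN]
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
3. TCP received on WAN [SYN,ACK]
From 204.71.200.74 / 80 (02:00:cf:58:d3:6a) To 207.88.211.116 / 1937 (00:40:10:0c:01:4e)
4. TCP sent on LAN [SYN,ACK]
From 204.71.200.74 / 80 (02:00:cf:58:d3:6a) To 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)
5. TCP received on LAN [ACK]
From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
6. TCP sent on WAN [ACK]
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
"""
# Constructed failure cases: the SYN left on the WAN but nothing came back,
# and the SYN arrived on the LAN but was never forwarded.
NO_REPLY_TRACE = "\n".join(FULL_TRACE.splitlines()[:4])
NOT_FORWARDED_TRACE = "\n".join(FULL_TRACE.splitlines()[:2])

if __name__ == "__main__":
    for label, trace in [("full", FULL_TRACE), ("no reply", NO_REPLY_TRACE),
                         ("not forwarded", NOT_FORWARDED_TRACE)]:
        print(label, diagnose_handshake(parse_trace(trace)))
```

Run against a trace copied from the Refresh output, the result tells you whether to look at the Rules, NAT and Static Routes settings on the SonicWALL or at the remote host and the ISP path.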
1. Select Packet Trace from the Choose a diagnostic tool menu.
Note: Packet Trace requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host.
2. Enter the IP address of the remote host in the Trace on IP address field, and click Start. You must enter an IP address in the Trace on IP address field; do not enter a host name, such as “www.yahoo.com”.
3. Contact the remote host using an IP application such as Web, FTP, or Telnet.
4. Click Refresh and the packet trace information is displayed.
5. Click Stop to terminate the packet trace, and Reset to clear the results.
Tech Support Report
The Tech Support Report generates a detailed report of the SonicWALL configuration and status, and saves it to the local hard disk. This file can then be e-mailed to SonicWALL Technical Support to help assist with a problem.
Before e-mailing the Tech Support Report to the SonicWALL Technical Support team, complete a Tech Support Request Form at <http://techsupport.sonicwall.com/swtech.html>. After the form is submitted, a unique case number is returned. Include this case number in all correspondence, as it allows SonicWALL tech support to provide you with better service.
In the Tools section, click the Diagnostic tab, and then select Tech Support Report from the Choose a diagnostic tool menu. Four Report Options are available in the Tech Support Report section:
VPN Keys - saves shared secrets, encryption, and authentication keys to the report.
ARP Cache - saves a table relating IP addresses to the corresponding MAC or physical addresses.
DHCP Bindings - saves entries from the SonicWALL DHCP server.
IKE Info - saves current information about active IKE configurations.
1. Select Tech Support Report from the Choose a diagnostic tool menu.
2. Select the Report Options to be included with your e-mail.
3. Click Save Report to save the file to your system. When you click Save Report, a warning message is displayed.
4. Click OK to save the file. Attach the report to your Tech Support Request e-mail.
Trace Route
Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on the Internet. By using Internet Control Message Protocol (ICMP) echo packets similar to Ping packets, Trace Route can test interconnectivity with routers and other hosts that are farther and farther along the network path until the connection fails or until the remote host responds.
Enter the IP address or domain name of the destination host. For example, enter yahoo.com and click Go.
A second window is displayed with each hop to the destination host.
By following the route, you can diagnose where the connection fails between the SonicWALL and the destination.
7 Network Access Rules
Network Access Rules are management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL.
By default, the SonicWALL’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. This behavior is defined by the “Default” stateful inspection packet rule enabled in the SonicWALL:
• Allow all sessions originating from the LAN to the WAN.
• Deny all sessions originating from the WAN to the LAN.
Additional Network Access Rules can be defined to extend or override the default rules. For example, rules can be created that block certain types of traffic such as IRC from the LAN to the WAN, or allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized users on the LAN.
The custom rules evaluate network traffic source IP address, destination IP address, IP protocol type, and compare the information to rules created on the SonicWALL. Network Access Rules take precedence, and can override the SonicWALL’s stateful packet inspection. For example, a rule that blocks IRC traffic takes precedence over the SonicWALL default setting of allowing this type of traffic.
Note: The ability to define Network Access Rules is a very powerful tool. Using custom rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting Network Access Rules.
Viewing Network Access Rules
The Services window displays a table of defined Network Access Rules. Rules are sorted from the most specific at the top, to less specific at the bottom of the table. At the bottom of the table is the Default rule. The Default rule covers all IP services except those listed in the Services window. Rules can be created to override the behavior of the Default rule; for example, the Default rule allows users on the LAN to access all Internet services, including NNTP News. However, LAN access to NNTP can be blocked by deselecting LAN Out corresponding to the NNTP News service.
Network Access Rules Page 67
Services
Click Access on the left side of the browser window, and then click the Services tab.
Note: The LAN In column is not displayed if NAT is enabled.
The Services window allows you to customize Network Access Rules by service. Services displayed in the Services window relate to the rules in the Rules window, so any changes on the Services window appear in the Rules window. The Default rule, at the bottom of the table, encompasses all Services.
LAN Out
If the LAN Out check box is selected, you can access that service on the Internet from your LAN. Otherwise, you are blocked from accessing that service. By default, the LAN Out check boxes are selected.
Note: If an Alert Icon appears next to a LAN Out, or LAN In check box, a rule in the Rules window modifies that service.
Public LAN Server
A Public LAN Server is a LAN server designated to receive inbound traffic for a specific service, such as Web or e-mail. You can define a Public LAN Server by entering the server's IP address in the Public LAN Server field for the appropriate service. If you do not hav e a Public LAN Server for a service, enter "0.0.0.0" in the field.
Windows Networking (NetBIOS) Broadcast Pass Through
Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets. By default, the SonicWALL blocks these broadcasts. If you select From LAN to WAN, your SonicWALL allows NetBIOS broadcasts from LAN to LAN or from LAN to WAN. Then, LAN users are able to view machines on the WAN in their Windows Network Neighborhood.
Detection Prevention
Enable Stealth Mode
By default, the SonicWALL responds to incoming connection requests as either "blocked" or "open". If you enable Stealth Mode, your SonicWALL does not respond to blocked inbound connection requests. Stealth Mode makes your SonicWALL essentially invisible to hackers.
Randomize IP ID
A Randomize IP ID check box is available to prevent hackers using various detection tools from detecting the presence of a SonicWALL appliance. IP packets are given random IP IDs which makes it more difficult for hackers to “fingerprint” the SonicWALL appliance. Use this check box for additional security from hackers.
Network Connection Inactivity Timeout
If a connection to a remote server remains idle for more than five minutes, the SonicWALL closes the connection. Without this timeout, Internet connections could stay open indefinitely, creating potential security holes. You can increase the Inactivity Timeout if applications, such as Telnet and FTP, are frequently disconnected.
Add Service
To add a service not listed in the Services window, click Access on the left side of the browser window, and then click the Add Service tab.
The list on the right side of the window displays the services that are currently defined. These services also appear in the Services window.
Two numbers appear in brackets next to each service. The first number indicates the service's IP port number. The second number indicates the IP protocol type (6 for TCP, 17 for UDP, or 1 for ICMP).
Note: There can be multiple entries with the same name. For example, the default configuration has two entries labeled “Name Service (DNS)” for UDP port 53 and TCP port 53. Multiple entries with the same name are grouped together, and are treated as a single service. Up to 128 entries are supported.
Add a Known Service
1. Select the name of the service you want to add from the Add a known service list.
2. Click Add. The new service appears in the list box on the right side of the browser window.
Note that some services add more than one entry to the list.
Note: Session Initiation Protocol (SIP) and HTTPS are also available Services.
Add a Custom Service
1. Select [Custom Service] from the Add a known service list.
2. Type a unique name, such as “CC:mail” or “Quake” in the Name field.
3. Enter the beginning number of the IP port range and ending number of the IP port range in the Port Range fields. If the service only requires one IP port, enter the single port number in both Port Range fields.
Note: Visit <http://www.ietf.org/rfc/rfc1700.txt> for a list of IP port numbers.
4. Select the IP protocol type, TCP, UDP or ICMP, from the Protocol list.
5. Click Add. The new service appears in the list on the right side of the browser window.
Note: If multiple entries with the same name are created, they are grouped together as a single service and may not function as expected.
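As an added example (not from the manual and not SonicWALL code), the following Python model of the Services list shows the two behaviours this section describes: a known service can add more than one entry (the manual's DNS example: UDP 53 and TCP 53), and every entry that shares a name is treated as one service, so a custom service that reuses an existing name silently merges into it, and removing a grouped service means deleting all of its entries. The protocol numbers and the 128-entry limit are the manual's; the HTTP and NNTP port numbers are the standard ones, and "Example App" with ports 5000-5010 is a constructed custom service.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers exactly as the Add Service window shows them in brackets.
PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1}

# Known services as (port_begin, port_end, protocol). DNS is the manual's
# example of a service that adds two entries.
KNOWN_SERVICES = {
    "Web (HTTP)": [(80, 80, "TCP")],
    "Name Service (DNS)": [(53, 53, "UDP"), (53, 53, "TCP")],
    "NNTP News": [(119, 119, "TCP")],
}


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    port_begin: int
    port_end: int
    proto: int  # 6, 17 or 1


class ServiceTable:
    """Model of the Services list: entries sharing a name form one service."""

    MAX_ENTRIES = 128  # the manual's stated limit

    def __init__(self) -> None:
        self.entries: List[ServiceEntry] = []

    def _add(self, name: str, port_begin: int, port_end: int, proto_name: str) -> None:
        if proto_name not in PROTO:
            raise ValueError(f"unknown protocol {proto_name!r}")
        if not 0 <= port_begin <= port_end <= 65535:
            raise ValueError("port range must satisfy begin <= end within 0-65535")
        if len(self.entries) >= self.MAX_ENTRIES:
            raise ValueError("service table is full (128 entries)")
        self.entries.append(ServiceEntry(name, port_begin, port_end, PROTO[proto_name]))

    def add_known(self, name: str) -> int:
        """Add a known service; returns how many entries it added."""
        for begin, end, proto in KNOWN_SERVICES[name]:
            self._add(name, begin, end, proto)
        return len(KNOWN_SERVICES[name])

    def add_custom(self, name: str, port_begin: int, port_end: int, proto_name: str) -> int:
        """Add a custom service (a single port is entered in both fields).

        Returns the number of entries now sharing this name, so a caller can
        detect that a reused name merged into an existing service (the case
        the manual warns may not function as expected)."""
        self._add(name, port_begin, port_end, proto_name)
        return len(self.grouped()[name])

    def grouped(self) -> Dict[str, List[ServiceEntry]]:
        """Entries grouped by name, i.e. the services as the SonicWALL treats them."""
        groups: Dict[str, List[ServiceEntry]] = {}
        for e in self.entries:
            groups.setdefault(e.name, []).append(e)
        return groups

    def classify(self, port: int, proto: int) -> Optional[str]:
        """Name of the service a (port, protocol number) pair belongs to, or None."""
        for e in self.entries:
            if e.proto == proto and e.port_begin <= port <= e.port_end:
                return e.name
        return None

    def delete(self, name: str) -> int:
        """Delete every entry with this name; returns how many were removed."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.name != name]
        return before - len(self.entries)


if __name__ == "__main__":
    table = ServiceTable()
    table.add_known("Name Service (DNS)")
    table.add_custom("Example App", 5000, 5010, "TCP")
    for name, entries in table.grouped().items():
        print(name, [(e.port_begin, e.port_end, e.proto) for e in entries])
```

The return value of add_custom is the check worth keeping: a result greater than 1 means the new entry was grouped into an existing service rather than creating a new one.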
Enable Logging
You can enable and disable logging of events in the SonicWALL Event Log. For example, if Linux authentication messages are filling up your log, you can disable logging of Linux authentication.
1. Highlight the name of the desired service in the list.
2. Clear the Enable Logging check box.
3. Click Modify.
Delete a Service
To delete a service, highlight the name in the list, and click Delete Service. If multiple entries with the same name exist, delete all entries to remove the service.
Rules
The SonicWALL evaluates the source IP address, the destination IP address, and the service type when determining whether to allow or deny traffic. Custom rules take precedence and override the SonicWALL default rules.
By default, the SonicWALL blocks all traffic from the Internet to the LAN and allows all traffic from the LAN to the Internet. Custom rules can be created to modify the default rules. For example, rules can be created for the following purposes:
• Allow traffic from the Internet to a mail server on the LAN.
• Restrict users on the LAN from using a specified service, such as QuickTime.
• Allow specified IP addresses on the Internet to access a sensitive server on the LAN.
• Configure bandwidth management for individual services.
Note: The maximum number of Rules for TELE3 SP is 100 with 50 available to use bandwidth management.
Note: A Rule configured for a specific WAN IP address may not work when a WAN Failover to the modem occurs.
To create custom Network Access Rules, click Access on the left side of the browser window, and then click the Rules tab.
Note: Use extreme caution when creating or deleting Network Access Rules, because you can disable firewall protection or block access to the Internet.
Bandwidth Management
The SonicWALL can now be configured for bandwidth management of outbound (WAN) network traffic. Each Service added via a Rule has a check box to enable bandwidth management for the Service. Select Enable Bandwidth Management, then enter the Guaranteed Bandwidth in Kbps for the Service, and enter the Maximum Bandwidth in Kbps for the Service. Before you can enable and configure bandwidth management for Rules, you must enable it on the Ethernet page in the Advanced section.
Note: Bandwidth management is very complex and requires extensive knowledge of networks and networking protocols. Incorrect bandwidth management may cause network problems or degradation of network performance. See Bandwidth Management in Chapter 10, Advanced, of this manual.
Add A New Rule
1. Click Add New Rule... to open the Add Rule window.
2. Select Allow or Deny in the Action list depending upon whether the rule is intended to permit or block IP traffic.
3. Select the name of the service affected by the Rule from the Service list. If the service is not listed, you must define the service in the Add Service window. The Default service encompasses all IP services.
4. Select the source of the traffic affected by the rule, either LAN or WAN, or * (both), from the Source Ethernet menu. If you want to define the source IP addresses that are affected by the rule, such as restricting certain users from accessing the Internet, enter the starting IP address of the address range in the Addr Range Begin field and the ending IP address in the Addr Range End field. To include all IP addresses, enter * in the Addr Range Begin field.
5. Select the destination of the traffic affected by the rule, either LAN or WAN or *, from the Destination Ethernet menu.
If you want to define the destination IP addresses that are affected by the rule, for example, to allow inbound Web access to several Web servers on your LAN, enter the starting IP address of the address range in the Addr Range Begin field and the ending IP address in the Addr Range End field. To include all IP addresses, enter * in the Addr Range Begin field.
6. Select always from the Apply this rule menu if the rule is always in effect.
Select from in the Apply this rule menu to define the specific time and day of week to enforce the rule. Enter the time of day (in 24-hour format) to begin and end enforcement. Then select the day of week to begin and end enforcement.
Note: If you want to enable the rule at different times depending on the day of the week, you have to make additional rules for each time period.
7. If you would like the rule to time out after a period of inactivity, set the amount of time, in minutes, in the Inactivity Timeout in Minutes field. The default value is 5 minutes.
8. Do not select the Allow Fragmented Packets check box. Large IP packets are often divided into fragments before they are routed over the Internet and then reassembled at a destination host. Because hackers exploit IP fragmentation in Denial of Service attacks, the SonicWALL blocks fragmented packets by default. You can override the default configuration to allow fragmented packets over PPTP or IPSec.
9. Enable Bandwidth Management, and enter the Guaranteed Bandwidth in Kbps.
10. Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field. Assign a priority from 0 (highest) to 7 (lowest).
11. Click Update. Once the SonicWALL has been updated, the new rule appears in the list of Current Network Access Rules.
Note: Although custom rules can be created that allow inbound IP traffic, the SonicWALL does not disable protection from Denial of Service attacks, such as the SYN Flood and Ping of Death attacks.
For example, to configure the SonicWALL to allow Internet traffic to your Web server with an IP address of 208.5.5.5 (Standard mode), create the following rule:
1. Verify that HTTP has been added as a Service as outlined previously.
2. Click the Rules tab, and click Add New Rule....
3. Select Allow, then Web (HTTP) from the Service menu.
4. Select WAN from the Ethernet Source menu, and leave the Addr Range Begin and Addr Range End as they appear.
5. Select LAN from the Ethernet Destination menu, and type in the IP address of the Web server, 208.5.5.5, in the Addr Range Begin field. No IP address is added in the Addr Range End since the destination is not a range of IP addresses.
6. Select always from the Apply this rule menu.
7. Enter a value (in minutes) in the Inactivity Timeout in Minutes field.
8. Do not select the Allow Fragmented Packets check box.
9. If you want the Rule to have guaranteed bandwidth, select Enable Outbound Bandwidth Management, and enter values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.
10. Click Update to add the rule to the SonicWALL.
Note: The source part (WAN or LAN) can be limited to certain parts of the Internet using a range of IP addresses on the WAN or LAN. For example, the following rule can be used to configure the same Web server to be only visible from a single C class subnet on the Internet: Allow HTTP, Source WAN 216.77.88.1 - 216.77.88.254, Destination LAN 208.5.5.5.
Current Network Access Rules List
All Network Access Rules are listed in the Current Network Access Rules table. The rules are listed from most to least specific. The rules at the top of Current Network Access Rules list take precedence over rules at the bottom of the list.
Edit a Rule
To edit a rule, click the Note Pad icon on the right side of the browser window. A new Web browser window appears, displaying the current configuration of the rule. Make the desired changes and click Update to update the rule. The modified rule is displayed in the list of Current Network Access Rules.
Delete a Rule
To delete a rule, click the Trash Can icon at the right side of the browser window. A dialog box appears with the message “Do you want to remove this rule?”. Click OK. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Enable/Disable a Rule
To disable a rule without permanently removing it, clear the Enable check box to the right of the rule. To enable a disabled rule, select the Enable check box. The configuration is updated automatically, and a message confirming the update is displayed at the bottom of the browser window.
Restore the Default Network Access Rules
If the SonicWALL Network Access Rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic and allow all outbound IP traffic. Click Restore Rules to Defaults to reset the Network Access Rules. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Understanding the Access Rule Hierarchy
The rule hierarchy has two basic concepts:
1. Specific rules override general rules:
An individual service is more specific than the Default service. A single Ethernet link, such as LAN or WAN, is more specific than * (all). A single IP address is more specific than an IP address range.
2. Equally specific Deny rules override Allow rules.
Rules are displayed in the Current Network Access Rules list from the most specific to the least specific, and rules at the top override rules listed below. For example, consider the section of the Rules window shown below.
The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN to the WAN. However, Rule #1 blocks IRC (Chat) traffic from a computer on the LAN to a server on the WAN.
The Default Deny Rule (#6) blocks all traffic from the WAN to the LAN, however, Rule #2 overrides this rule by allowing Web traffic from the WAN to the LAN.
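The hierarchy just described, as an added example (not from the manual and not SonicWALL code): rules are scored by specificity (a named service beats Default, a single interface beats *, a single address beats a range, which beats *), sorted most specific first with Deny ahead of Allow among equals, and the first match decides. How the SonicWALL weighs those dimensions against each other is not stated in the manual, so the score here simply adds one point per dimension and treats a single address as two points, an assumption made for the example. The sample rule set reproduces the four rules discussed above and the manual's 208.5.5.5 Web server; the LAN client and WAN server addresses in Rule #1 are taken from the Packet Trace sample, and 1.2.3.4 is a constructed outside address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"
DEFAULT_SERVICE = "Default"


@dataclass
class Rule:
    action: str        # "Allow" or "Deny"
    service: str       # a service name, or "Default" for all IP services
    src_iface: str     # "LAN", "WAN" or "*"
    src_range: str     # "*", a single address, or "begin-end"
    dst_iface: str
    dst_range: str
    enabled: bool = True   # the Enable check box in the rules list


@dataclass
class Packet:
    service: str       # already classified by port/protocol, e.g. "Web (HTTP)"
    src_iface: str
    src_ip: str
    dst_iface: str
    dst_ip: str


def _bounds(spec: str) -> Optional[Tuple[int, int]]:
    """'*' -> None; 'a.b.c.d' -> (x, x); 'a.b.c.d-e.f.g.h' -> (lo, hi)."""
    if spec == ANY:
        return None
    lo, _, hi = spec.partition("-")
    lo_i = int(ipaddress.IPv4Address(lo.strip()))
    hi_i = int(ipaddress.IPv4Address(hi.strip())) if hi else lo_i
    return lo_i, hi_i


def _addr_specificity(spec: str) -> int:
    b = _bounds(spec)
    if b is None:
        return 0                      # any address
    return 2 if b[0] == b[1] else 1   # a single IP is more specific than a range


def specificity(rule: Rule) -> int:
    """Higher is more specific (assumed additive scoring, see lead-in)."""
    return ((rule.service != DEFAULT_SERVICE)
            + (rule.src_iface != ANY)
            + (rule.dst_iface != ANY)
            + _addr_specificity(rule.src_range)
            + _addr_specificity(rule.dst_range))


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Most specific first; among equally specific rules, Deny ahead of Allow."""
    return sorted(rules, key=lambda r: (-specificity(r), r.action != "Deny"))


def _addr_matches(spec: str, ip: str) -> bool:
    b = _bounds(spec)
    return b is None or b[0] <= int(ipaddress.IPv4Address(ip)) <= b[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.enabled
            and rule.service in (DEFAULT_SERVICE, pkt.service)
            and rule.src_iface in (ANY, pkt.src_iface)
            and rule.dst_iface in (ANY, pkt.dst_iface)
            and _addr_matches(rule.src_range, pkt.src_ip)
            and _addr_matches(rule.dst_range, pkt.dst_ip))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """The first matching rule in hierarchy order decides; no match means Deny."""
    for rule in order_rules(rules):
        if matches(rule, pkt):
            return rule.action, rule
    return "Deny", None


# Rule #1, Rule #2 and the two Default rules from the discussion above.
SAMPLE_RULES = [
    Rule("Deny", "IRC (Chat)", "LAN", "192.168.168.158", "WAN", "204.71.200.74"),
    Rule("Allow", "Web (HTTP)", "WAN", ANY, "LAN", "208.5.5.5"),
    Rule("Deny", DEFAULT_SERVICE, "WAN", ANY, "LAN", ANY),
    Rule("Allow", DEFAULT_SERVICE, "LAN", ANY, "WAN", ANY),
]

if __name__ == "__main__":
    for r in order_rules(SAMPLE_RULES):
        print(specificity(r), r.action, r.service, r.src_iface, r.src_range, r.dst_iface, r.dst_range)
    print(evaluate(SAMPLE_RULES, Packet("Web (HTTP)", "WAN", "1.2.3.4", "LAN", "208.5.5.5")))
```

Feeding a proposed rule set through evaluate with the packets you care about, before clicking Update, is a cheap way to confirm that a new Allow rule is not silently beaten by an equally specific Deny, or that a restricted source range (such as the 216.77.88.1 - 216.77.88.254 example) excludes what you intend.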
Examples
The following examples illustrate methods for creating Network Access Rules.
Blocking LAN access for specific services
This example shows how to block LAN access to NNTP servers on the Internet during business hours.
1. Click Add New Rule in the Rules window to launch the Add Network Access Rule Web browser window.
2. Select Deny from the Action menu.
3. Select NNTP from the Service menu. If the service is not listed in the list, you must add it in the Add Service window.
4. Select LAN from the Source Ethernet menu.
5. Since all computers on the LAN are to be affected, enter * in the Source Addr Range Begin field.
6. Select WAN from the Destination Ethernet menu.
7. Enter * in the Destination Addr Range Begin field to block access to all NNTP servers.
8. Select Apply this rule "from" to configure the time of enforcement.
9. Enter "8:30" and "17:30" in the hour fields.
10. Select Mon to Fri from the menu.
11. Click Update to add your new R ule.
Enabling Ping
By default, your SonicWALL does not respond to ping requests from the Internet. This Rule allows ping requests from your ISP servers to your SonicWALL.
1. Click Add New Rule in the Rules window to launch the "Add Network Access Rule" window.
2. Select Allow from the Action menu.
3. Select Ping from the Service menu.
4. Select WAN from the Source Ethernet menu.
5. Enter the starting IP address of the ISP network in the Source Addr Range Begin field and the ending IP address of the ISP network in the Source Addr Range End field.
6. Select LAN from the Destination Ethernet menu.
7. Since the intent is to allow a ping only to the SonicWALL, enter the SonicWALL LAN IP Address in the Destination Addr Range Begin field.
8. Select Always from the Apply this rule menu to ensure continuous enforcement.
9. Click Update to add your new Rule.
HTTPS Management of the SonicWALL
To enhance the security of the TELE3 SP, HTTPS Management using Secure Socket Layer (SSL) is supported when you log into the SonicWALL using https://IP Address where the IP address is the SonicWALL LAN IP address. For example, if the LAN IP address of your SonicWALL appliance is 192.168.168.1, you can log in using HTTPS by entering <https://192.168.168.1>. Access is encrypted using SSL technology for a secure connection.
HTTPS Management allows secure access to the SonicWALL without a VPN client. It is a simple and secure way to manage your SonicWALL from both the LAN and the WAN.
The first time you log into the SonicWALL using HTTPS, you may see the following information message:
Click Yes to continue the login process. SSL is supported by Netscape 4.7 and higher, as well as Internet Explorer 5.5 and higher.
HTTPS Management supports the following versions of SSL: SSLv2, SSLv3, and TLSv1. Also, the following encryption ciphers are supported: RC4-MD5, EXP-RC4-MD5, DES-CBC3-SHA, RC4-SHA, EXP-RC2-CBC-MD5, NULL-SHA, and NULL-MD5. A 1024-bit RSA key is used.
To use this feature, you must add HTTPS Management as a Service to the firewall. See “Add Service” on page 70 for instructions on adding Services to the SonicWALL.
Users
Extensive modifications and additional features are available on the Users tab in the Access section of the Management interface. User level access can now be configured for authentication and access to the network. Authentication can be performed using a local user database, RADIUS, or a combination of the two.
For instructions on configuring individual users on RADIUS servers, see Appendix G at the end of this Guide.
Currently, when a VPN tunnel is established between two SonicWALL appliances, any users residing on the local LAN of each SonicWALL can send data across the VPN. In some cases, complete user access could be a security risk, and only authenticated users should be allowed to access the VPN tunnel and send data across the network.
Global User Settings
Time users out after 5 minutes of inactivity - Enter the number of allowable inactivity minutes before a user is automatically logged out of the network via the SonicWALL.
Maximum login session time - Configure the length of time, in minutes, that a user is allowed to be logged into the network via the SonicWALL. When a user logs into the SonicWALL using his username and password, the user can also set the maximum login session time, but it cannot be longer than the time configured by the administrator. You may set the login session time to 0 (zero) for unlimited login session time.
Allow DNS access for unauthenticated VPN users - Enabling this check box allows unauthenticated DNS traffic to access the DNS server over a VPN tunnel with authentication enforcement. Use this check box if you allow unauthenticated users to access the DNS server on your LAN.
Users
Use RADIUS - Select this radio button if you have configured RADIUS to authenticate users accessing the network through the SonicWALL. If you have more than 100 users that require authentication, you must use RADIUS. If you select Use RADIUS, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS.
Allow only users listed below - Enable this setting if you have a subset of RADIUS users accessing the SonicWALL. The user names must be added to the internal SonicWALL user database before they can be authenticated using RADIUS.
Authenticate users listed below - Electing this option allows you to configure users in the local database. To add new users, fill out the User Name, Password, and Confirm Password fields, then select from the list of privileges allowed for the user:
- Remote Access - Enable this check box if the user accesses LAN resources through the firewall from a remote location on the Internet.
Note: By enabling Remote Access, you allow unencrypted traffic over the Internet.
- Bypass Filters - Enable Bypass Filters if the user has unlimited access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.
- Access to VPNs - Enable the check box if the user can send information over the VPN Security Associations with authentication enforcement.
- Access from the VPN Client with XAUTH - Enable the check box if the user requires XAUTH for authentication and accesses the firewall via a VPN client.
- Limited Management Capabilities - By enabling this check box, the user has limited local management access to the SonicWALL Management interface. The access is limited to the following pages:
General - Status, Network, Time
Log - View Log, Log Settings, Log Reports
Tools - Restart, Diagnostics minus Tech Support Report
Note: The SonicWALL supports 100 users in the local database.
Adding a User to the Local Database
Note: You must add a user to the Local Database to enforce access privileges.
To add a new user, complete the following steps.
1. Log into the Management interface, click Access, then Users.
2. Highlight -Add New User- in the Current User list box.
3. Enter the name of a user into the User Name field.
4. Enter the user password in the Password and Confirm Password fields. It is important to select a password that is not easily guessed. Using a random mixture of alphanumeric characters and symbols is recommended. The password is case-sensitive.
5. Choose the privileges to be enabled for the user by selecting the appropriate check boxes.
6. Click Update to add the user to the SonicWALL database.
7. To remove a user, highlight the User Name, and click Remove User.
User Login Changes
When a user other than the administrator logs into the SonicWALL Management interface, a page is displayed with the user’s privileges listed. The user can set the maximum time for a login session, but it cannot be longer than the session time set by the administrator. The connection closes when the user exceeds the inactivity time-out period or the maximum session time is exceeded. If the connection is closed, the user must re-authenticate to regain their access through the SonicWALL.
Logging into the SonicWALL as the administrator automatically gives the user access to all VPN tunnels requiring authentication.
Note: Authentication sessions create a log entry in the SonicWALL, but user activity is not logged.
RADIUS
RADIUS has moved from VPN to Access because RADIUS can now provide control over user access and not just VPN access in this firmware release.
To configure RADIUS settings, complete the following instructions. Click the RADIUS tab.
1. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 1 and 10; however, 3 RADIUS server retries is recommended.
2. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a default value of 5.
RADIUS Servers
3. Specify the settings of the primary RADIUS server in the RADIUS servers section. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network.
4. Enter the IP address of the RADIUS server in the IP Address field.
5. Enter the Port Number for the RADIUS server.
6. If there is a secondary RADIUS server, enter the appropriate information in the Secondary Server section.
7. Enter the RADIUS server administrative password or "shared secret" in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The Shared Secret is case-sensitive.
RADIUS Users
You can select the default privileges for all RADIUS users in this section.
Remote Access - Enable this check box if the user accesses the SonicWALL from a remote computer. This option is only available in Standard mode.
Bypass Filters - Enable Bypass Filters if the user can bypass Content Filter settings.
Access to VPNs - Enable the check box if the user can send information over VPN Security Associations.
Access from the VPN Client with XAUTH - Enable the check box if a VPN client is using XAUTH for authentication.
Limited Management Capabilities - By enabling this check box, the user has limited local management access to the SonicWALL Management interface. The access is limited to the following pages:
- General - Status, Network, Time
- Log - View Log, Log Settings, Log Reports
- Tools - Restart, Diagnostics minus Tech Support Report
RADIUS Client Test
You can test your RADIUS Client user name and password by typing a valid User name in the User field, and the Password in the Password field. If the validation is successful, the Status message changes to Success. If the validation fails, the Status message changes to Failure. Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to enter a User Name and Password into a dialog box.
SonicWALL Management
SonicWALL SNMP Support
SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL Internet Security appliances and receive notification of any critical events as they occur on the network. SonicWALL Internet security appliances support SNMP v1/v2c and all relevant Management Information Base II (MIBII) groups except egp and at. The SonicWALL replies to SNMP Get commands for MIBII via any interface and supports a custom SonicWALL MIB for generating trap messages. The custom SonicWALL MIB is available for download from the SonicWALL Website and can be loaded into third-party SNMP management software such as HP Openview, Tivoli, or SNMPC.
To configure SNMP in the SonicWALL Internet Security appliance, log into the SonicWALL Management interface. Click Access, then Management. The SNMP configuration panel is displayed.
The SonicWALL SNMP agent generates two traps: Cold Start Trap and Alert Traps. Cold Start Traps indicate that the SonicWALL appliance is re-initializing itself so that the agent configuration or the appliance can be altered. Alert Traps are based on the existing SonicWALL alert messages, which allows the trap messages to share a common message string with the alerts. Accordingly, no trap message can exist without a corresponding alert message.
To configure SNMP, enter the necessary information in the following fields:
1. To enable the SNMP agent, select Enable SNMP.
2. Enter the System Name. This is the hostname of the SonicWALL appliance.
3. In the System Contact field, type in the name of the network administrator for the SonicWALL appliance.
4. Enter an e-mail address, telephone number, or pager number in the System Location field.
5. Create a name for a group or community of administrators who can view SNMP data, and enter it in the Get Community Name field.
6. Create a name for a group or community of administrators who can view SNMP traps, and enter it in the Trap Community Name field.
7. Enter the IP address or hostname of the SNMP management system receiving the SNMP traps in the Host 1 through 4 fields. Up to 4 addresses or hostnames can be specified.
Configuration of the Log/Log Settings for SNMP
Trap messages are generated only for the categories for which alert messages are normally sent, i.e. attacks, system errors, and blocked Web sites. If none of the categories are selected on the Log Settings page, then none of the trap messages are sent out.
Configuration of the Service and Rules Pages
By default, the SonicWALL appliance responds only to SNMP Get messages received on its LAN interface. Appropriate rules must be set up in the SonicWALL to allow SNMP traffic to and from the WAN. SNMP trap messages can be sent via the LAN or WAN interface.
If your SNMP management system supports discovery, the SNMP agent should automatically discover the SonicWALL appliance on the network. Otherwise, you must add the SonicWALL appliance to the list of SNMP manageable devices on the SNMP management system.
SonicWALL Remote Management
All SonicWALLs include a Management Security Association (SA) for secure remote management. The Management SA does not permit access to remote network resources.
Note: If you have enabled VPN on your SonicWALL, the SonicWALL can be managed remotely using a Management SA or with a VPN SA. See Chapter 10 for VPN configuration instructions and basic VPN terms and concepts.
To enable secure remote management, click Access on the left side of the browser window, and click the Management tab. Then select Managed: "from the LAN interface and remotely from the WAN interface" to enable secure remote management.
When remote management is enabled, a Management SA is automatically generated. The Management SA uses Manual Keying to set up a VPN tunnel between the SonicWALL and the VPN client. The Management SA also defines Inbound and Outbound Security Parameter Indices (SPIs) which match the last eight digits of the SonicWALL serial number. The preset SPIs are displayed in the Security Association Information section. It is not necessary to configure a VPN connection for Remote Management as the Management SA is automatically configured in this section.
1. Enter a 16-character hexadecimal encryption key in the Encryption Key field. Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. An example of a valid encryption key is 1234567890ABCDEF. Or you can use the randomly generated key that appears in the Encryption Key field.
2. Enter a 32-character hexadecimal authentication key in the Authentication Key field. An example of a valid authentication key is 1234567890ABCDEF1234567890ABCDEF. Or you can use the randomly generated key that appears in the Authentication Key field.
3. Click Update. Restart the SonicWALL for the change to take effect.
Note: When a Management SA is created, the remote SonicWALL is managed at the SonicWALL WAN IP Address.
4. Click Help in the upper right corner of the SonicWALL Management Interface to access detailed instructions for configuring the VPN client. Additional instructions are available at <http://www.sonicwall.com/products/documentation/VPN_documentation.html>.
Note: The Management Method list also includes the option for management by SonicWALL Global Management System (SonicWALL GMS). Select this option if the SonicWALL is managed remotely by SonicWALL GMS.
Manage Using Internet Explorer check box
The check box labeled Manage Using Internet Explorer is selected by default. It enables the Microsoft Internet Explorer Web browser to quickly load the SonicWALL Web Management Authentication Web page. With the IE check box enabled, the SonicWALL Internet security appliance LAN responds to NetBIOS name requests on port 137.
Users can disable the LAN port response to port 137 by clearing the IE check box, but the login process into the SonicWALL Management interface slows down.
HTTPS Port Management
A new feature allows you to configure the port used for HTTPS authentication. By configuring a port other than 443, the standard port, you may be adding another layer of security to logging into the SonicWALL. To configure another port for HTTPS management, enter the preferred port number into the HTTPS Management Port field, and click Update. For example, if you configure the HTTPS Management Port to be 700, then you must log into the SonicWALL using the port number as well as the IP address, for example, <https://192.168.168.1:700>, to access the SonicWALL.
The HTTPS Management Certificate Common Name field defaults to the SonicWALL LAN Address. This allows you to continue using a certificate without downloading a new one each time you log into the SonicWALL.
8 Advanced Features
This chapter describes the SonicWALL Advanced Features, such as Web Proxy Forwarding, and One-to-One NAT. The Advanced Features can be accessed in the Advanced section of the SonicWALL Web Management interface. There are five tabs in the Advanced section:
Proxy Relay
Intranet
Routes
One-to-One NAT
Ethernet
Proxy Relay
Web Proxy Forwarding
A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.
Setting up a Web proxy server on a network can be cumbersome, because each computer on the network must be configured to direct Web requests to the server.
If you have a proxy server on your network, instead of configuring each computer to point to the proxy server, you can move the server to the WAN and enable Web Proxy Forwarding. The SonicWALL automatically forwards all Web proxy requests to the proxy server without requiring all the computers on the network to be configured.
Configuring Web Proxy Relay
1. Connect your Web proxy server to a hub, and connect the hub to the SonicWALL WAN port.
Note: The proxy server must be located on the WAN; it can not be located on the LAN.
2. Log into the SonicWALL Web Management Interface. Click Advanced at the left side of the browser window, and then click the Proxy Relay tab at the top of the window.
3. Enter the name or IP address of the proxy server in the Proxy Web Server field, and the proxy IP port in the Proxy Web Server Port field. Click Update.
4. If the Web proxy server is located on the WAN between the SonicWALL and the Internet router, add the Web proxy server address in the SonicWALL Intranet tab. Click the Intranet tab at the top of the window.
5. To bypass the Proxy Servers if a failure occurs, select the Bypass Proxy Servers Upon Proxy Server Failure check box.
Note: The Intranet settings tab is displayed on page 98.
6. In the Intranet tab, enter the proxy server IP address in the Add Range field.
7. Select Specified address ranges are attached to the WAN link and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Bypass Proxy Servers Upon Proxy Failure
If a Web proxy server is specified in the Proxy Relay tab of the Advanced section, selecting the Bypass Proxy Servers Upon Proxy Server Failure check box allows clients behind the SonicWALL to bypass the Web proxy server in the event it becomes unavailable. Instead, the client’s browser accesses the Internet directly as if a Web proxy server is not specified.
Intranet
The SonicWALL can be configured as an Intranet firewall to prevent network users from accessing sensitive servers. By default, users on your LAN can access the Internet router, but not devices connected to the WAN port of the SonicWALL. To enable access to the area between the SonicWALL WAN port and the Internet, you must configure the Intranet settings on the SonicWALL.
Note: The functionality of this feature can be affected if a WAN Failover to the modem occurs on the SP.
Intranet firewalling is achieved by connecting the SonicWALL between an unprotected and a protected segment of the network.
Installation
1. Connect the LAN Ethernet port on the back of the SonicWALL to the network segment to be protected against unauthorized access.
2. Connect the WAN Ethernet port on the back of the SonicWALL to the rest of the network.
Note: Devices connected to the WAN port do not have firewall protection. It is recommended that you use another SonicWALL Internet security appliance to protect computers on the WAN.
3. Connect the SonicWALL to a power outlet, and turn it on.
Intranet Configuration
Click Advanced on the left side of the browser window, and then click the Intranet tab.
To enable an Intranet firewall, you must specify which machines are located on the LAN, or you must specify which machines are located on the WAN.
It is best to select the network area with the least number of machines. For example, if only one or two machines are connected to the WAN, select Specified address ranges are attached to the WAN link. That way, you only have to enter one or two IP addresses in the Add Range section. Specify the IP addresses individually or as a range.
Intranet Settings
Select one of the following four options:
SonicWALL WAN link is connected directly to the Internet router - Select this option if the SonicWALL is protecting your entire network. This is the default setting.
Specified address ranges are attached to the LAN link - Select this option if it is easier to specify the devices on your LAN. Then enter your LAN IP address range(s). If you do not include all computers on your LAN, the computers not included are unable to send or receive data through the SonicWALL.
Specified address ranges are attached to the WAN link - Select this option if it is easier to specify the devices on your WAN. Then enter your WAN IP address range(s). Computers connected to the WAN port that are not included are inaccessible to users on your LAN.
Add Range - To add a range of addresses, such as "199.2.23.50" to "199.2.23.54", enter the starting address in the From Address field and the ending address in the To Address field. An individual IP address should be entered in the From Address field only.
Note: Up to 64 address ranges can be entered.
Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Routes
Static Routes must be defined if the LAN or WAN are segmented into subnets, either for size or practical considerations. If you have routers on your LAN or WAN, you must configure the Static Routes section of the SonicWALL.
Click Advanced on the left side of the browser window, and then click the Routes tab. The SonicWALL LAN IP Address, LAN Subnet Mask, WAN IP Address and WAN Subnet Mask are displayed in the Current Network Settings section. Refer to these settings when configuring your Static Routes.
Note: The functionality of this feature can be affected if a WAN Failover to the modem occurs on the SP.
To add Static Route entries, follow these instructions:
1. Enter the destination network of the static route in the Dest. Network field. The destination network is the IP address subnet of the remote network segment.
Note: If the destination network uses IP addresses ranging from "192.168.1.1" to "192.168.1.255", enter "192.168.1.0" in the Dest. Network field.
2. Enter the subnet mask of the remote network segment in the Subnet mask field.
3. Enter the IP address of your router in the Gateway field. This IP address should be in the same subnet as the SonicWALL. If your router is located on the SonicWALL LAN, the Gateway address should be in the same subnet as the SonicWALL LAN IP Address.
4. Select the port on the SonicWALL that the router is connected to, either the LAN or the WAN, from the Link list.
5. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the Web browser window. Restart the SonicWALL for the change to take effect.
Note: The SonicWALL can support up to 128 static route entries.
One-to-One NAT
One-to-One NAT maps valid, external addresses to private addresses hidden by NAT.
Computers on your private LAN are accessed on the Internet at the corresponding public IP addresses.
Note: The functionality of this feature can be affected if a WAN Failover to the modem occurs on the SP.
You can create a relationship between internal and external addresses by defining internal and external address ranges of equal length. Once the relationship is defined, the computer with the first IP address of the private address range is accessible at the first IP address of the external address range, the second computer at the second external IP address, etc.
To configure One-to-One NAT, complete the following instructions.
1. Select the Enable One-to-One NAT check box.
2. Enter the beginning IP address of the private address range being mapped in the Private Range Begin field. This is the IP address of the first machine that is accessible from the Internet.
3. Enter the beginning IP address of the valid address range being mapped in the Public Range Begin field. This address should be assigned by your ISP.
Note: Do not include the SonicWALL WAN IP (NAT Public) Address or the WAN Gateway (Router) Address in this range.
4. Enter the number of public IP addresses that should be mapped to private addresses in the Range Length field. The range length cannot exceed the number of valid IP addresses. Up to 64 ranges can be added. To map a single address, enter a Range Length of 1.
5. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for changes to take effect.
Note: The One-to-One NAT window maps valid, public IP addresses to private LAN IP addresses. It does not allow traffic from the Internet to the private LAN.
A rule must be created in the Rules section to allow access to LAN servers. After One-to-One NAT is configured, create an Allow rule to permit traffic from the Internet to the private IP address(es) on the LAN.
One-to-One NAT Configuration Example
This example assumes that you have a SonicWALL running in the NAT-enabled mode, with IP addresses on the LAN in the range 192.168.1.1 - 192.168.1.254, and a WAN IP address of 208.1.2.2. Also, you own the IP addresses in the range 208.1.2.1 - 208.1.2.6.
Note: If you have only one IP address from your ISP, you cannot use One-to-One NAT.
You have three web servers on the LAN with the IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.12. Each of the servers must have a default gateway pointing to 192.168.1.1, the SonicWALL LAN IP address.
You also have three additional IP addresses from your ISP, 208.1.2.4, 208.1.2.5, and 208.1.2.6, that you want to use for three additional web servers. Use the following steps to configure One-to-One NAT:
1. Log into the Management Interface, and click Advanced. Then click the One-to-One NAT tab.
2. Select Enable One-to-One NAT and click Update.
3. Type in the IP address, 192.168.1.10, in the Private Range Begin field.
4. Type in the IP address, 208.1.2.4, in the Public Range Begin field.
5. Type in 3 in the Range Length field.
Note: You can configure the IP addresses individually, but it is easier to configure them in a range. However, the IP addresses on both the private and public sides must be consecutive to configure a range of addresses.
6. Click Update.
7. Click Access, then the Rules tab.
8. Click Add New Rule and configure the following settings:
- Allow
- Service - HTTP
- Source - WAN
- Destination - LAN 192.168.1.10 - 192.168.1.12
- Apply this rule - always
9. Click Update and restart the SonicWALL.
The server configurations take effect after the SonicWALL restarts and the configuration is updated. Requests for http://208.1.2.4 are answered by the server at 192.168.1.10. Requests for http://208.1.2.5 are answered by the server at 192.168.1.11, and requests for http://208.1.2.6 are answered by the server at 192.168.1.12. From the LAN, the servers can only be accessed using the private IP addresses (192.168.1.x), not the public IP addresses or domain names. For example, from the LAN, you must use URLs like http://192.168.1.10 to reach the web servers. An IP address, such as 192.168.1.10, on the LAN cannot be used in both public LAN server configurations and in public LAN server One-to-One NAT configurations.
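The mapping in this example, and the separate Allow rule the note above says is still required, can be modelled in a few lines. This is an added example and not SonicWALL code; it uses the manual's addresses (WAN IP 208.1.2.2, owned block 208.1.2.1 - 208.1.2.6, servers 192.168.1.10 - .12 mapped to 208.1.2.4 - .6) and assumes the WAN gateway is 208.1.2.1, which the manual does not state.

```python
"""Added example, not SonicWALL code: One-to-One NAT mapping plus the Allow rule
check from the configuration example. The WAN gateway address is an assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

MAX_RANGES = 64  # limit stated in the manual


@dataclass(frozen=True)
class NatRange:
    private_begin: IPv4Address
    public_begin: IPv4Address
    length: int


@dataclass(frozen=True)
class Rule:
    action: str               # "Allow" or "Deny"
    service: str              # e.g. "HTTP"
    source: str               # "WAN" or "LAN"
    dest_first: IPv4Address   # destination range on the LAN (private addresses)
    dest_last: IPv4Address


class OneToOneNat:
    def __init__(self, wan_ip, wan_gateway, owned_first, owned_last):
        self.wan_ip = IPv4Address(wan_ip)
        self.wan_gateway = IPv4Address(wan_gateway)
        self.owned_first = IPv4Address(owned_first)   # block assigned by the ISP
        self.owned_last = IPv4Address(owned_last)
        self.ranges: list[NatRange] = []

    def add_range(self, private_begin, public_begin, length):
        """Store one mapping after the checks the manual's notes call for."""
        if length < 1:
            raise ValueError("Range Length must be at least 1")
        if len(self.ranges) >= MAX_RANGES:
            raise ValueError("at most %d ranges can be configured" % MAX_RANGES)
        pub = IPv4Address(public_begin)
        for i in range(length):
            addr = pub + i
            # Range length cannot exceed the valid (owned) public addresses.
            if not self.owned_first <= addr <= self.owned_last:
                raise ValueError("%s is not one of the valid public addresses" % addr)
            # The WAN IP and the WAN gateway must not be part of the range.
            if addr in (self.wan_ip, self.wan_gateway):
                raise ValueError("%s is the WAN IP or WAN gateway; exclude it" % addr)
        self.ranges.append(NatRange(IPv4Address(private_begin), pub, length))

    def to_private(self, public) -> Optional[IPv4Address]:
        """Public address -> mapped private address, or None if unmapped."""
        addr = IPv4Address(public)
        for r in self.ranges:
            offset = int(addr) - int(r.public_begin)
            if 0 <= offset < r.length:
                return r.private_begin + offset
        return None

    def to_public(self, private) -> Optional[IPv4Address]:
        """Private address -> public address it is reachable at, or None."""
        addr = IPv4Address(private)
        for r in self.ranges:
            offset = int(addr) - int(r.private_begin)
            if 0 <= offset < r.length:
                return r.public_begin + offset
        return None


def inbound_decision(nat, rules, dst_public, service):
    """Outcome for a packet arriving on the WAN: (action, private address or None).

    One-to-One NAT only translates the address. Without a matching Allow rule
    the result is Deny, which is the point of the manual's note.
    """
    private = nat.to_private(dst_public)
    if private is None:
        return ("Deny", None)
    for r in rules:
        if (r.source == "WAN" and r.service == service
                and r.dest_first <= private <= r.dest_last):
            return (r.action, private)
    return ("Deny", private)


def example_setup():
    """The manual's three web servers and the HTTP rule from step 8."""
    nat = OneToOneNat("208.1.2.2", "208.1.2.1", "208.1.2.1", "208.1.2.6")
    nat.add_range("192.168.1.10", "208.1.2.4", 3)
    rules = [Rule("Allow", "HTTP", "WAN",
                  IPv4Address("192.168.1.10"), IPv4Address("192.168.1.12"))]
    return nat, rules


if __name__ == "__main__":
    nat, rules = example_setup()
    print(inbound_decision(nat, [], "208.1.2.4", "HTTP"))     # Deny: no rule yet
    print(inbound_decision(nat, rules, "208.1.2.5", "HTTP"))  # Allow -> 192.168.1.11
```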
The Ethernet Tab
The Ethernet tab allows the management of Ethernet settings using the SonicWALL Management interface. The tab has the following settings:
WAN Link Settings
LAN Link Settings
Bandwidth Management
The default selection for all of the link settings is Auto Negotiate because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. The other choice, Force, with lists for speed and duplex, should be used only if your Ethernet card also forces these settings. You must force from both sides of your connection to enable this setting.
Proxy Management Workstation Ethernet Address on WAN
If you are managing the Ethernet connection from the LAN side of your network, this check box can be selected. The SonicWALL appliance takes the Ethernet address of the computer managing the SonicWALL appliance and proxies that address onto the WAN port of the SonicWALL. If you are not managing the SonicWALL appliance from the LAN side, the firmware looks for a random computer on the LAN, creating a lengthy search process.
Bandwidth Management
Bandwidth is the capacity of a communication channel (cable, DSL, T1 lines, etc.) to carry signals. A larger bandwidth can transfer more data over a communication channel in a given time. It is sometimes referred to as “throughput” and, in digital communications, is usually measured in bits per second (bps) or a multiple of bps such as Kbps, Mbps, or Gbps.
Note: The functionality of this feature can be affected if a WAN Failover to the modem occurs on the SP.
Introduction to Bandwidth Management
Bandwidth management is a means of allocating bandwidth resources to critical applications on a network. Without bandwidth management, an application or a user can take control of all available bandwidth and prevent other applications or users from using the network. Because it is impossible to differentiate between types of network traffic, it is also impossible to control which users or applications have priority on the network.
Applications can also require a specific quantity and quality of service which cannot be predicted in terms of available bandwidth. This can make some applications run poorly if bandwidth is not properly allocated to the application when necessary.
Bandwidth management works by sorting outbound network traffic into classes by application and service type. Traffic is then scheduled according to minimum and maximum bandwidth configured for each traffic type.
Why Use Bandwidth Management?
Corporate networks using intranets for information sharing and Web navigation have an increased demand for bandwidth, but simply adding on more connections or larger connections (T1 lines or larger) doesn’t address the bandwidth issue because network availability is not guaranteed.
Nearly all network links are shared by more than one user or application, which means available bandwidth is shared between all users and all applications. Using bandwidth management to allocate bandwidth to applications or users during peak times can prevent traffic congestion on the network. Temporary network congestion can be improved by using bandwidth management.
SonicWALL Bandwidth Management
Bandwidth Management is controlled by the SonicWALL Internet Security Appliance on outbound traffic only. It allows network administrators to guarantee minimum bandwidth and prioritize traffic based on Rules created in the Access section of the SonicWALL Management interface. By controlling the amount of bandwidth to an application or user, the network administrator can prevent a small number of applications or users from consuming all available bandwidth.
Key Features of SonicWALL Bandwidth Management
Outgoing traffic is managed according to traffic type: Telnet, FTP, HTTP, etc.
Network Access Rules can be configured to allocate bandwidth based on IP addresses.
VPN traffic can also be managed by enabling bandwidth management on the VPN Configure tab, and then specifying the Guaranteed, Maximum, and priority of all VPN traffic through the SonicWALL.
Note: Bandwidth management cannot be configured for individual VPN Security Associations. It can only be configured for all VPN traffic.
Key Benefits of SonicWALL Bandwidth Management
The network administrator has full control of outbound network traffic and can prevent traffic congestion on the network.
Prevent a small number of applications and users from consuming all available bandwidth.
Quality of Service policies can be implemented across the network allowing priority applications to run smoothly.
How does SonicWALL Bandwidth Management Work?
Bandwidth management works by allocating traffic to a class based upon application type, source or destination addresses, or a combination of both. It then assigns individual limits for each class of network traffic. By assigning priorities to network traffic, applications requiring a quick response time, such as telnet, can take precedence over traffic requiring less response time, such as FTP.
Balancing the bandwidth allocated to different network traffic and then assigning priorities to traffic can improve network performance.
Traffic is classified in the following manner:
• TCP/IP or UDP ports
• Services such as FTP, HTTP, E-mail, SIP
• Source or destination IP address
SonicWALL Bandwidth Management can assign a portion of the available bandwidth and a priority to each class of network traffic. Priorities rank from 0 (highest) to 7 (lowest).
The packet classifier analyzes a packet when it arrives for its packet protocol, source information, and destination information. It then allocates the packet to a class queue where it waits to be processed. If the queue is full, the packet is dropped. Normal retransmission of data ensures that the packet is sent again.
Class queues are processed based on the amount of bandwidth allocated (guaranteed and maximum), and the priority assigned to the class queue. Within the class queue, packets are processed on a first-in, first-out basis. When network traffic reaches the maximum allocated to the class, packets from the next class in priority order are processed.
Typically, each class is allocated a portion of the available bandwidth, and when that limit is reached, no more traffic for that particular class is forwarded. But if there is available bandwidth on the network that is not in use by a particular class, a class can temporarily borrow bandwidth and send traffic until the maximum bandwidth allocated to the class is reached.
Spare bandwidth is allocated among the highest priority classes until no more bandwidth is available or until all of those classes have reached their maximum bandwidth. If this happens, the remainder of the bandwidth is divided among the next priority classes. This process is repeated until all of the available bandwidth is consumed.
Defining a class of traffic that has 0 bandwidth allocated to it effectively blocks the traffic unless there is no other traffic with higher priority on the network.
Overview of Bandwidth Management
Examples of Bandwidth Management Rules
Rule    Service   Priority      Guaranteed   Maximum
Allow   SMTP      0 (highest)   300 Kbps     1000 Kbps
Allow   FTP       1             100 Kbps     200 Kbps
Allow   HTTP      2             100 Kbps     200 Kbps
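The scheduling described in "How does SonicWALL Bandwidth Management Work?" (guarantees first, then spare capacity lent out in priority order up to each class's maximum) can be run over the three rules in the table above. This is an added model, not SonicWALL code; the class table is the manual's, while the link capacity and the per-class demand figures are constructed for the demonstration, and an equal split among classes that share a priority is an assumption.

```python
"""Added example, not SonicWALL code: a model of the class-based scheduler the
'How does SonicWALL Bandwidth Management Work?' section describes.

Every class first receives its guaranteed rate; spare link capacity is then
handed to classes in priority order (0 = highest, 7 = lowest) until each reaches
its maximum or its offered load. Classes sharing a priority split the spare
evenly (an assumption). All rates are in Kbps.
"""
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class BwClass:
    name: str
    priority: int    # 0 (highest) .. 7 (lowest)
    guaranteed: int  # Kbps always reserved for this class
    maximum: int     # Kbps this class may reach by borrowing spare capacity


# The three rules from the 'Examples of Bandwidth Management Rules' table.
EXAMPLE_CLASSES = [
    BwClass("SMTP", 0, 300, 1000),
    BwClass("FTP", 1, 100, 200),
    BwClass("HTTP", 2, 100, 200),
]


def _headroom(cls, alloc, demand):
    """Kbps the class could still use, bounded by its maximum and its offered load."""
    return max(0, min(cls.maximum, demand.get(cls.name, 0)) - alloc[cls.name])


def allocate(classes, link_kbps, demand):
    """Return {class name: Kbps} scheduled in one interval.

    demand maps class name -> Kbps of outbound traffic the class is offering.
    """
    if sum(c.guaranteed for c in classes) > link_kbps:
        raise ValueError("guarantees exceed the configured WAN bandwidth")
    # 1. Every class gets its guarantee, or less if it offers less traffic.
    alloc = {c.name: min(c.guaranteed, demand.get(c.name, 0)) for c in classes}
    spare = link_kbps - sum(alloc.values())
    # 2. Spare capacity goes to priority groups from 0 downwards. Within a
    #    group it is split evenly at 1 Kbps granularity until each class is
    #    satisfied or the link is full; lower priorities only see what is left.
    ordered = sorted(classes, key=lambda c: c.priority)
    for _, group in groupby(ordered, key=lambda c: c.priority):
        active = [c for c in group if _headroom(c, alloc, demand) > 0]
        while spare > 0 and active:
            share = max(spare // len(active), 1)
            for c in list(active):
                take = min(share, _headroom(c, alloc, demand), spare)
                alloc[c.name] += take
                spare -= take
                if _headroom(c, alloc, demand) == 0:
                    active.remove(c)
        if spare == 0:
            break
    return alloc


if __name__ == "__main__":
    # Constructed scenario: a 1000 Kbps link with every class saturated.
    print(allocate(EXAMPLE_CLASSES, 1000, {"SMTP": 2000, "FTP": 2000, "HTTP": 2000}))
    # The same link with SMTP idle: FTP and HTTP borrow up to their maxima.
    print(allocate(EXAMPLE_CLASSES, 1000, {"SMTP": 0, "FTP": 2000, "HTTP": 2000}))
```

A class defined with a guarantee of 0 only ever receives what higher-priority classes leave unused, which is the blocking behaviour the section above describes.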
Enabling Bandwidth Management on the SonicWALL
To enable Bandwidth Management on the SonicWALL, you must know the current bandwidth of your connection. Once you have this figure, you can select Enable Bandwidth Management on the Advanced/Ethernet page, and then enter the amount of available WAN bandwidth in Kbps. Now that you have enabled Bandwidth Management, you can begin configuring Rules to use bandwidth management.
Note: Traffic inbound from the WAN to the LAN based on a Rule using bandwidth management is allowed as if there is no bandwidth management in place. However, outbound traffic (reply packets) for traffic associated with an inbound Rule is managed based on the configuration for that Rule.
MTU Settings
A network administrator may set the MTU (Maximum Transmission Unit) allowed over a packet or frame-based network such as TCP/IP. If the MTU size is too large, it may require more transmissions if the packet encounters a router unable to handle a larger packet. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be sent and processed.
The default value is 1500 octets based on the Ethernet standard MTU. The minimum value that can be set is 68. Decreasing the packet size may improve the performance of the network.