SonicWALL TZ 180, TZ 190 User Manual

COMPREHENSIVE INTERNET SECURITY
SonicWALL Internet Security Appliances
SonicOS 4.0 Enhanced
Administrator’s Guide
For the SonicWALL TZ 180 and TZ 190

Table of Contents

Part 1: Introduction
Chapter 1: Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Copyright Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Limited Warranty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Organization of this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Guide Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
SonicWALL Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
More Information on SonicWALL Products . . . . . . . . . . . . . . . . . . . .28
Current Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Chapter 2: Common Criteria Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Overview of Common Criteria Operation . . . . . . . . . . . . . . . . . . . . . .31
Use of GUI Interface for Local Management . . . . . . . . . . . . . . . . . . .32
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Chapter 3: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
What’s New in SonicOS Enhanced 4.0 . . . . . . . . . . . . . . . . . . . . . . .35
SonicWALL Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . .40
SonicOS Enhanced 4.0 Administrator Guide
Part 2: System
System > Security Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
SonicWALL Security Dashboard Overview . . . . . . . . . . . . . . . . . . . . 47
Using the SonicWALL Security Dashboard . . . . . . . . . . . . . . . . . . . 50
Related Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Chapter 5: Viewing Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . 61
System > Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
System Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Latest Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Registering Your SonicWALL Security Appliance . . . . . . . . . . . . . . . 64
Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Chapter 6: Managing SonicWALL Licenses . . . . . . . . . . . . . . . . . . . . . . 67
System > Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Node License Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Security Services Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Manage Security Services Online . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Manual Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Manual Upgrade for Closed Environments . . . . . . . . . . . . . . . . . . . . 70
Chapter 7: Configuring Administration Settings . . . . . . . . . . . . . . . . . . 73
System > Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Firewall Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Administrator Name & Password . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Login Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Multiple Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Web Management Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
SSH Management Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Advanced Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Download URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Selecting UI Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Chapter 8: Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
System > Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Digital Certificates Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Certificates and Certificate Requests . . . . . . . . . . . . . . . . . . . . . . . . .86
Certificate Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Importing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Deleting a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Certificate Revocation List (CRL) . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Generating a Certificate Signing Request . . . . . . . . . . . . . . . . . . . . .90
Chapter 9: Configuring Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
System > Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
NTP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Chapter 10: Setting Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
System > Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Adding a Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Deleting Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Chapter 11: Managing SonicWALL Security Appliance Firmware . . . . .99
System > Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Firmware Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
SafeMode - Rebooting the SonicWALL Security Appliance . . . . . . .103
FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Chapter 12: Using SonicWALL Packet Capture . . . . . . . . . . . . . . . . . . .105
System > Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Packet Capture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Using Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Configuring Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Verifying Packet Capture Activity . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Related Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Chapter 13: Using Diagnostic Tools & Restarting the Appliance . . . . 125
System > Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Tech Support Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Diagnostic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Active Connections Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
CPU Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
DNS Name Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Find Network Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Process Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Real-Time Black List Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Reverse Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Trace Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Web Server Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
System > Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Part 3: Network
Chapter 14: Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Network > Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Setup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Interface Traffic Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
SonicOS Enhanced Secure Objects . . . . . . . . . . . . . . . . . . . . . . . . 140
Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Configuring the LAN and OPT Interfaces (Static) . . . . . . . . . . . . . . .141
Configuring Advanced Settings for the Interface . . . . . . . . . . . . . . .142
Configuring Interfaces in Transparent Mode . . . . . . . . . . . . . . . . . .143
Configuring Wireless Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Configuring a WAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Configuring SonicWALL PortShield Interfaces . . . . . . . . . . . . . . . . .150
Configuring the Wireless WAN Interface . . . . . . . . . . . . . . . . . . . . .152
Managing WWAN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Specifying the WAN Connection Model . . . . . . . . . . . . . . . . . . . . . .153
Configuring Basic Wireless WAN Settings . . . . . . . . . . . . . . . . . . . .154
Configuring Remotely Triggered Dial-Out on the WWAN . . . . . . . . .156
Configuring the Maximum Allowed WWAN Connections . . . . . . . . .157
Creating a WLAN Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Chapter 15: Configuring PortShield Interfaces . . . . . . . . . . . . . . . . . . .159
SonicWALL PortShield Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Security Services with PortShield . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Network > SwitchPorts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Using Different Approaches to Configuration . . . . . . . . . . . . . . . . . .161
Creating a PortShield Interface from the Interfaces Area . . . . . . . . .162
Creating a New Zone for the PortShield Interface . . . . . . . . . . . . . .166
Refining the PortShield Interface . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Creating Transparent Mode PortShield Interfaces . . . . . . . . . . . . . .169
Mapping Ports from the Switch Ports Window . . . . . . . . . . . . . . . . .172
PortShield Deployment Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Deployment Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Configuring the Hospitality Example Deployment . . . . . . . . . . . . . .176
Chapter 16: Setting Up WAN Failover and Load Balancing . . . . . . . . .181
Network > WAN Failover & Load Balancing . . . . . . . . . . . . . . . . . . . . .181
WAN Failover Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Setting Up WAN Failover and Load Balancing . . . . . . . . . . . . . . . . .182
WAN Probe Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
WAN Load Balancing Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Chapter 17: Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Network > Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
How Zones Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Predefined Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Security Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Allow Interface Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Enabling SonicWALL Security Services on Zones . . . . . . . . . . . . . 194
The Zone Settings Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Adding a New Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Deleting a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Configuring the WLAN Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Chapter 18: Configuring DNS Settings . . . . . . . . . . . . . . . . . . . . . . . . . 201
Network > DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Chapter 19: Configuring Address Objects . . . . . . . . . . . . . . . . . . . . . . 203
Network > Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Types of Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Address Object Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Creating and Managing Address Objects . . . . . . . . . . . . . . . . . . . . 204
Default Address Objects and Groups . . . . . . . . . . . . . . . . . . . . . . . 206
Adding an Address Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Editing or Deleting an Address Object . . . . . . . . . . . . . . . . . . . . . . 210
Creating Group Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Public Server Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Working with Dynamic Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 212
Chapter 20: Configuring Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Network > Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Route Advertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Route Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Advanced Routing Services (OSPF and RIP) . . . . . . . . . . . . . . . . . 230
Configuring Advanced Routing Services . . . . . . . . . . . . . . . . . . . . 237
Chapter 21: Configuring NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . .245
Network > NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
NAT Policies Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
NAT Policy Settings Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
NAT Policies Q&A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
NAT Load Balancing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Creating NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Using NAT Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263
Chapter 22: Managing ARP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Network > ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Static ARP Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Secondary Subnets with Static ARP . . . . . . . . . . . . . . . . . . . . . . . .273
Navigating and Sorting the ARP Cache Table . . . . . . . . . . . . . . . . .275
Navigating and Sorting the ARP Cache Table Entries . . . . . . . . . . .276
Flushing the ARP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Chapter 23: Setting Up the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . .277
Network > DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
DHCP Server Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .278
DHCP Server Persistence Overview . . . . . . . . . . . . . . . . . . . . . . . .279
Enabling the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
DHCP Server Lease Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Configuring DHCP Server for Dynamic Ranges . . . . . . . . . . . . . . . .281
Configuring Static DHCP Entries . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Configuring SonicWALL DHCP Server Options . . . . . . . . . . . . . . . .285
Current DHCP Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
DHCP Option Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Chapter 24: Using IP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Network > IP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
IP Helper Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
IP Helper Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Adding an IP Helper Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Editing an IP Helper Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Deleting IP Helper Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Chapter 25: Setting Up Web Proxy Forwarding . . . . . . . . . . . . . . . . . . 305
Network > Web Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Configuring Automatic Proxy Forwarding (Web Only) . . . . . . . . . . 305
Bypass Proxy Servers Upon Proxy Failure . . . . . . . . . . . . . . . . . . . 306
Chapter 26: Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . 307
Network > Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Supported DDNS Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Dynamic DNS Settings Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Part 4: Wireless
Chapter 27: Viewing WLAN Settings, Statistics, and Station Status . 315
Wireless Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Considerations for Using Wireless Connections . . . . . . . . . . . . . . . 316
Recommendations for Optimal Wireless Performance . . . . . . . . . . 316
Adjusting the Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Wireless Node Count Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . 317
MAC Filter List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
WiFiSec Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Wireless > Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
WLAN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
WLAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
WLAN Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Station Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Chapter 28: Configuring Wireless Settings . . . . . . . . . . . . . . . . . . . . . . 323
Wireless > Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Wireless Radio Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Wireless Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Secure Wireless Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Configuring a Secure Wireless Bridge . . . . . . . . . . . . . . . . . . . . . . 326
Chapter 29: Configuring WEP and WPA Security . . . . . . . . . . . . . . . . 333
Wireless > WEP/WPA Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
WEP Encryption Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
WEP Encryption Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
WPA Encryption Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
WPA/WPA2 Encryption Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Chapter 30: Configuring Advanced Wireless Settings . . . . . . . . . . . . .339
Wireless > Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Beaconing & SSID Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
Wireless Client Communications . . . . . . . . . . . . . . . . . . . . . . . . . . .340
Configurable Antenna Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
Advanced Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Chapter 31: Configuring MAC Filter List . . . . . . . . . . . . . . . . . . . . . . . . .345
Wireless > MAC Filter List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Allow or Deny Specific Resources . . . . . . . . . . . . . . . . . . . . . . . . . .345
Chapter 32: Configuring Wireless IDS . . . . . . . . . . . . . . . . . . . . . . . . . .347
Wireless > IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Wireless Bridge IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Access Point IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Enable Client Null Probing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Association Flood Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
Intrusion Detection Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
Discovered Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
Scanning for Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Authorizing Access Points on Your Network . . . . . . . . . . . . . . . . . .350
Chapter 33: Configuring Virtual Access Points . . . . . . . . . . . . . . . . . . .351
Wireless > Virtual Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
SonicPoint VAP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Virtual AP Configuration Task List . . . . . . . . . . . . . . . . . . . . . . . . . .353
Thinking Critically About VAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Determining Your VAP Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
A Sample Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Determining Security Configurations . . . . . . . . . . . . . . . . . . . . . . . .366
VAP Configuration Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Part 5: WWAN
Chapter 34: Configuring Wireless WAN (TZ 190 only) . . . . . . . . . . . . . 371
WWAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Wireless WAN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Wireless WAN Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Viewing the WWAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Configuring Wireless WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Monitoring WWAN Data Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
WWAN Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Part 6: SonicPoint
Chapter 35: Managing SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
SonicPoint > SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Before Managing SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
SonicPoint Provisioning Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Chapter 36: Viewing Station Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
SonicPoint > Station Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Chapter 37: Using and Configuring IDS . . . . . . . . . . . . . . . . . . . . . . . . 405
SonicPoint > IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Wireless Intrusion Detection Services . . . . . . . . . . . . . . . . . . . . . . 405
Chapter 38: Configuring RF Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 409
SonicPoint > RF Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
RF Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Enabling RF Monitoring on SonicPoint(s) . . . . . . . . . . . . . . . . . . . . 411
Using The RF Monitoring Interface . . . . . . . . . . . . . . . . . . . . . . . . . 411
Types of RF Threat Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Practical RF Monitoring Field Applications . . . . . . . . . . . . . . . . . . . 415
Part 7: Firewall
Chapter 39: Configuring Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . 421
Firewall > Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Stateful Packet Inspection Default Access Rules Overview . . . . . . 422
Using Bandwidth Management with Access Rules Overview . . . . . 422
Configuration Task List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Chapter 40: Configuring Advanced Access Rule Settings . . . . . . . . . .433
Firewall > Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Detection Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Dynamic Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Source Routed Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Access Rule Service Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
IP and UDP Checksum Enforcement . . . . . . . . . . . . . . . . . . . . . . . .435
UDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Chapter 41: Configuring TCP Settings . . . . . . . . . . . . . . . . . . . . . . . . . .437
Firewall > TCP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
TCP Traffic Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
TCP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Working with SYN/RST/FIN Flood Protection . . . . . . . . . . . . . . . . .439
Chapter 42: Configuring Firewall Services . . . . . . . . . . . . . . . . . . . . . . .447
Firewall > Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Default Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Custom Services Configuration Task List . . . . . . . . . . . . . . . . . . . . .448
Chapter 43: Configuring Multicast Settings . . . . . . . . . . . . . . . . . . . . . .457
Firewall > Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
Multicast Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
Multicast Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
IGMP State Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Enabling Multicast on LAN-Dedicated Interfaces . . . . . . . . . . . . . . .460
Enabling Multicast Through a VPN . . . . . . . . . . . . . . . . . . . . . . . . . .461
Chapter 44: Monitoring Active Connections . . . . . . . . . . . . . . . . . . . . .463
Firewall > Connections Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Viewing Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Filtering Connections Viewed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Chapter 45: Managing Quality of Service . . . . . . . . . . . . . . . . . . . . . . . 467
Firewall > QoS Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Conditioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
802.1p and DSCP QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Bandwidth Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Outbound Bandwidth Management . . . . . . . . . . . . . . . . . . . . . . . . 482
Inbound Bandwidth Management . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Chapter 46: Configuring SSL Control . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Firewall > SSL Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Overview of SSL Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
SSL Control Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Enabling SSL Control on Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
SSL Control Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Part 8: VoIP
Chapter 47: Configuring VoIP Support . . . . . . . . . . . . . . . . . . . . . . . . . 509
VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
VoIP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
SonicWALL’s VoIP Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Configuring SonicWALL VoIP Features . . . . . . . . . . . . . . . . . . . . . 520
VoIP Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Part 9: VPN
Chapter 48: Configuring VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . 537
VPN > Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
VPN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Configuring VPNs in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . 542
Configuring GroupVPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Site-to-Site VPN Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Creating Site-to-Site VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . 562
VPN Auto-Added Access Rule Control . . . . . . . . . . . . . . . . . . . . . . 578
Chapter 49: Configuring Advanced VPN Settings . . . . . . . . . . . . . . . . 581
VPN > Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Advanced VPN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Chapter 50: Configuring DHCP Over VPN . . . . . . . . . . . . . . . . . . . . . . .587
VPN > DHCP over VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587
DHCP Relay Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587
Configuring the Central Gateway for DHCP Over VPN . . . . . . . . . .588
Configuring DHCP over VPN Remote Gateway . . . . . . . . . . . . . . . .588
Current DHCP over VPN Leases . . . . . . . . . . . . . . . . . . . . . . . . . . .591
Chapter 51: Configuring L2TP Server . . . . . . . . . . . . . . . . . . . . . . . . . . .593
VPN > L2TP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593
Configuring the L2TP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
Part 10: User Management
Chapter 52: Managing Users and Authentication Settings . . . . . . . . . .599
User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Introduction to User Management . . . . . . . . . . . . . . . . . . . . . . . . . .599
Viewing Status on Users > Status . . . . . . . . . . . . . . . . . . . . . . . . . .613
Configuring Settings on Users > Settings . . . . . . . . . . . . . . . . . . . . .614
Configuring Local Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Configuring Local Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
Configuring RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . .625
Configuring LDAP Integration in SonicOS Enhanced . . . . . . . . . . . .631
Configuring Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .641
Configuring Multiple Administrator Support . . . . . . . . . . . . . . . . . . .670
Chapter 53: Managing Guest Services and Guest Accounts . . . . . . . .677
Users > Guest Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .677
Global Guest Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .678
Guest Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .678
Users > Guest Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .679
Viewing Guest Account Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . .680
Adding Guest Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .680
Enabling Guest Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Enabling Auto-prune for Guest Accounts . . . . . . . . . . . . . . . . . . . . .682
Printing Account Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683
Users > Guest Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683
Logging Accounts off the Appliance . . . . . . . . . . . . . . . . . . . . . . . . .684
Part 11: Security Services
Chapter 54: Managing SonicWALL Security Services . . . . . . . . . . . . . 687
SonicWALL Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Security Services Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Managing Security Services Online . . . . . . . . . . . . . . . . . . . . . . . . 690
Security Services Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Security Services Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Update Signature Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Activating Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Chapter 55: Configuring SonicWALL Content Filtering Service . . . . . 695
Security Services > Content Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
SonicWALL Content Filtering Service . . . . . . . . . . . . . . . . . . . . . . . 696
Content Filter Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Content Filter Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Restrict Web Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Trusted Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
CFS Exclusion List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Message to Display when Blocking . . . . . . . . . . . . . . . . . . . . . . . . 700
Configuring SonicWALL Filter Properties . . . . . . . . . . . . . . . . . . . . 700
Custom List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Configuring N2H2 Internet Filtering . . . . . . . . . . . . . . . . . . . . . . . . 703
N2H2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Configuring SonicWALL Blocking Features . . . . . . . . . . . . . . . . . . 704
Configuring Websense Enterprise Content Filtering . . . . . . . . . . . . 705
Websense Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Configuring SonicWALL Blocking Features . . . . . . . . . . . . . . . . . . 706
Chapter 56: Activating SonicWALL Client Anti-Virus . . . . . . . . . . . . . 709
Security Services > Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Activating SonicWALL Client Anti-Virus . . . . . . . . . . . . . . . . . . . . . 710
Activating a SonicWALL Client Anti-Virus FREE TRIAL . . . . . . . . . 712
Configuring Client Anti-Virus Service . . . . . . . . . . . . . . . . . . . . . . . 712
Security Services > E-mail Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Chapter 57: Managing SonicWALL Gateway Anti-Virus Service . . . . .715
Security Services > Gateway Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . .715
SonicWALL GAV Multi-Layered Approach . . . . . . . . . . . . . . . . . . . .716
HTTP File Downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .718
SonicWALL GAV Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . .718
Creating a mySonicWALL.com Account . . . . . . . . . . . . . . . . . . . . . .719
Registering Your SonicWALL Security Appliance . . . . . . . . . . . . . .721
Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License .721
Activating FREE TRIALs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .723
Setting Up SonicWALL Gateway Anti-Virus Protection . . . . . . . . . .723
Enabling SonicWALL GAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .724
Applying SonicWALL GAV Protection on Interfaces . . . . . . . . . . . .724
Applying SonicWALL GAV Protection on Zones . . . . . . . . . . . . . . .725
Viewing SonicWALL GAV Status Information . . . . . . . . . . . . . . . . .726
Updating SonicWALL GAV Signatures . . . . . . . . . . . . . . . . . . . . . . .727
Specifying Protocol Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .727
Enabling Inbound Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .727
Enabling Outbound SMTP Inspection . . . . . . . . . . . . . . . . . . . . . . .728
Restricting File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .728
Configuring Gateway AV Settings . . . . . . . . . . . . . . . . . . . . . . . . . .729
Configuring HTTP Clientless Notification . . . . . . . . . . . . . . . . . . . . .730
Configuring a SonicWALL GAV Exclusion List . . . . . . . . . . . . . . . . .731
Viewing SonicWALL GAV Signatures . . . . . . . . . . . . . . . . . . . . . . .732
Chapter 58: Activating Intrusion Prevention Service . . . . . . . . . . . . . .735
Security Services > Intrusion Prevention Service . . . . . . . . . . . . . . . . .735
SonicWALL Deep Packet Inspection . . . . . . . . . . . . . . . . . . . . . . . .735
How SonicWALL’s Deep Packet Inspection Works . . . . . . . . . . . . .736
SonicWALL IPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .736
SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Activation 737
Creating a mySonicWALL.com Account . . . . . . . . . . . . . . . . . . . . . .738
Registering Your SonicWALL Security Appliance . . . . . . . . . . . . . .739
Activating FREE TRIALs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .740
Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License 740
Setting Up SonicWALL Intrusion Prevention Service Protection . . .742
Chapter 59: Activating Anti-Spyware Service . . . . . . . . . . . . . . . . . . . . 745
Security Services > Anti-Spyware Service . . . . . . . . . . . . . . . . . . . . . . 745
SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Activation 746
Creating a mySonicWALL.com Account . . . . . . . . . . . . . . . . . . . . . 747
Registering Your SonicWALL Security Appliance . . . . . . . . . . . . . . 748
Activating FREE TRIALs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License 749
Setting Up SonicWALL Anti-Spyware Service Protection . . . . . . . . 750
Chapter 60: Configuring SonicWALL Real-Time Blacklist . . . . . . . . . 753
SMTP Real-Time Black List Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . 753
Security Services > RBL Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
Adding RBL Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
User-Defined SMTP Server Lists . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Chapter 61: Configuring SonicWALL Global Security Client . . . . . . . 757
Security Services > Global Security Client . . . . . . . . . . . . . . . . . . . . . . 757
Global Security Client Features . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
How SonicWALL Global Security Client Works . . . . . . . . . . . . . . . 759
Global Security Client Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Activating Global Security Client Licenses on Your SonicWALL . . 760
Configuring Security Policies for Global Security Clients . . . . . . . . 761
Part 12: Log
Chapter 62: Managing Log Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Log > View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Log View Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
Clear Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Export Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
E-mail Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Filtering Log Records Viewed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Log Event Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
Chapter 63: Configuring Log Categories . . . . . . . . . . . . . . . . . . . . . . . 769
Log > Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
Log Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Log Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Chapter 64: Configuring Syslog Settings . . . . . . . . . . . . . . . . . . . . . . . .775
Log > Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775
Syslog Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776
Syslog Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
Chapter 65: Configuring Log Automation . . . . . . . . . . . . . . . . . . . . . . . .779
Log > Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .779
E-mail Log Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .780
Mail Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .780
Chapter 66: Configuring Name Resolution . . . . . . . . . . . . . . . . . . . . . . .781
Log > Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .781
Selecting Name Resolution Settings . . . . . . . . . . . . . . . . . . . . . . . .781
Specifying the DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .782
Chapter 67: Generating Log Reports . . . . . . . . . . . . . . . . . . . . . . . . . . .783
Log > Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .783
Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .784
View Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .784
Chapter 68: Activating SonicWALL ViewPoint . . . . . . . . . . . . . . . . . . . .787
Log > ViewPoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787
Activating ViewPoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .788
Enabling ViewPoint Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .789
Part 13: Wizards
Chapter 69: Configuring Internet Connectivity Using the Setup Wizard 793
Wizards > Setup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .793
Using the Setup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .793
Configuring a Static IP Address with NAT Enabled . . . . . . . . . . . . .795
Configuring DHCP Networking Mode . . . . . . . . . . . . . . . . . . . . . . . .800
Configuring NAT Enabled with PPPoE . . . . . . . . . . . . . . . . . . . . . . .805
Configuring PPTP Network Mode . . . . . . . . . . . . . . . . . . . . . . . . . . .810
Chapter 70: Using the Registration & License Wizard . . . . . . . . . . . . .815
Wizards > Registration & License Wizard . . . . . . . . . . . . . . . . . . . . . . .815
Chapter 71: Configuring a Public Server with the Wizard . . . . . . . . . . .821
Wizards > Public Server Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .821
Chapter 72: Configuring VPN Policies with the VPN Policy Wizard . . 827
Wizards > VPN Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Using the VPN Policy Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Connecting the Global VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . 831
Configuring a Site-to-Site VPN using the VPN Wizard . . . . . . . . . . 832
Index .......................................................................................................... 837
PART 1

Introduction


Chapter 1: Preface

Preface

Copyright Notice
© 2007 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format.
Specifications and descriptions subject to change without notice.

Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc. Microsoft Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.
eDirectory and NetWare are registered trademarks of Novell, Inc. Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.
Limited Warranty
SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWALL's obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWALL's then-current Support Services policies.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWALL.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.
DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
About this Guide
Welcome to the SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide. This manual provides the information you need to successfully activate, configure, and administer SonicOS Enhanced 4.0 for the SonicWALL PRO 4060, PRO 4100, and PRO 5060 security appliances.
Note: Always check <http://www.sonicwall.com/services/documentation.html> for the latest version of this manual as well as other SonicWALL products and services documentation.
Organization of this Guide
The SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide is organized into the following parts, which follow the structure of the SonicWALL Web Management Interface. Within these parts, individual chapters correspond to the layout of the SonicWALL security appliance management interface.
Part 1 Introduction
This part provides an overview of new SonicWALL SonicOS Enhanced features, guide conventions, support information, and an overview of the SonicWALL security appliance management interface.
Part 2 System
This part covers a variety of SonicWALL security appliance controls for managing system status information, registering the SonicWALL security appliance, activating and managing SonicWALL Security Services licenses, configuring SonicWALL security appliance local and remote management options, managing firmware versions and preferences, and using included diagnostics tools for troubleshooting.
Part 3 Network
This part covers configuring the SonicWALL security appliance for your network environment. The Network section of the SonicWALL Management Interface includes:
Interfaces - configure logical interfaces for connectivity.
WAN Failover and Load Balancing - configure one of the user-defined interfaces to act as a secondary WAN port for backup or load balancing.
Zones - configure security zones on your network.
DNS - set up DNS servers for name resolution.
Address Objects - configure host, network, and address range objects.
Routing - view the Route Table, ARP Cache and configure static and dynamic routing by interface.
NAT Policies - create NAT policies including One-to-One NAT, Many-to-One NAT, Many-to-Many NAT, or One-to-Many NAT.
ARP - view the ARP settings and clear the ARP cache as well as configure ARP cache time.
DHCP Server - configure the SonicWALL as a DHCP Server on your network to dynamically assign IP addresses to computers on your LAN or DMZ zones.
IP Helper - configure the SonicWALL to forward DHCP requests originating from the interfaces on the SonicWALL to a centralized server on behalf of the requesting client.
Web Proxy - configure the SonicWALL to automatically forward all Web proxy requests to a network proxy server.
Dynamic DNS - configure the SonicWALL to dynamically register its WAN IP address with a DDNS service provider.
Part 4 SonicPoint
This part covers the configuration of the SonicWALL security appliance for provisioning and managing SonicWALL SonicPoints as part of a SonicWALL Distributed Wireless Solution.
Part 5 Firewall
This part covers tools for managing how the SonicWALL security appliance handles traffic through the firewall.
Part 6 VoIP
This part provides instructions for configuring the SonicWALL security appliance to support H.323 or SIP Voice over IP (VoIP) connections.
Part 7 Application Firewall
Application firewall is a set of application-specific policies that gives you granular control over network traffic on the level of users, email users, schedules, and IP-subnets. The primary functionality of this application-layer access control feature is to regulate Web browsing, file transfer, email, and email attachments.
Part 8 VPN
This part covers how to create VPN policies on the SonicWALL security appliance to support SonicWALL Global VPN Clients as well as creating site-to-site VPN policies for connecting offices running SonicWALL security appliances.
Part 9 Users
This part covers how to configure the SonicWALL security appliance for user level authentication as well as manage guest services for managed SonicPoints.
Part 10 Hardware Failover
This part explains how to configure the SonicWALL security appliance for failover to another SonicWALL security appliance in the event of hardware failure.
Part 11 Security Services
This part includes an overview of available SonicWALL Security Services as well as instructions for activating the service, including FREE trials. These subscription-based services include SonicWALL Gateway Anti-Virus, SonicWALL Intrusion Prevention Service, SonicWALL Content Filtering Service, SonicWALL Client Anti-Virus, as well as other services.
Part 12 Log
This part covers managing the SonicWALL security appliance’s enhanced logging, alerting, and reporting features. The SonicWALL security appliance’s logging features provide a comprehensive set of log categories for monitoring security and network activities.
Part 13 Wizards
This part walks you through using the SonicWALL Configuration Wizards for configuring the SonicWALL security appliance for LAN to WAN (Internet) connectivity, setting up public servers for Internet connectivity behind the firewall, and setting GroupVPN and site-to-site VPN policies for establishing VPN connections for remote SonicWALL Global VPN Client users or remote offices with a SonicWALL security appliance for LAN to LAN connections.
The SonicWALL Configuration Wizards in SonicOS Enhanced 4.0 include:
The Setup Wizard takes you step by step through network configuration for Internet connectivity. There are four types of network connectivity available: Static IP, DHCP, PPPoE, and PPTP.
The Registration & License Wizard simplifies the process of registering your SonicWALL security appliance and obtaining licenses for additional security services.
The Public Server Wizard takes you step by step through adding a server to your network, such as a mail server or a web server. The wizard automates much of the configuration you need to establish security and access for the server.
The VPN Policy Wizard steps you through the configuration of Group VPNs and site-to-site VPNs.
Guide Conventions
The following conventions are used in this guide:
Convention - Use
Bold - Highlights items you can select on the SonicWALL security appliance management interface.
Italic - Highlights a value to enter into a field. For example, “type 192.168.168.168 in the IP Address field.”
Menu Item > Menu Item - Indicates a multiple step Management Interface menu choice. For example, Security Services > Content Filter means select Security Services, then select Content Filter.
Icons Used in this Manual
These special messages refer to noteworthy information, and include a symbol for quick identification:
Caution - Important information that cautions about features affecting firewall performance, security features, or causing potential problems with your SonicWALL.
Tip - Useful information about security features and configurations on your SonicWALL.
Note - Important information on a feature that requires callout for special attention.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at http://www.sonicwall.com/us/Support.html. Web-based resources are available to help you resolve most technical issues or contact SonicWALL Technical Support. To contact SonicWALL telephone support, see the telephone numbers listed below:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia - + 1800.35.1642
Austria - + 43(0)820.400.105
EMEA - +31(0)411.617.810
France - + 33(0)1.4933.7414
Germany - + 49(0)1805.0800.22
Hong Kong - + 1.800.93.0997
India - + 8026556828
Italy - +39.02.7541.9803
Japan - + 81(0)3.5460.5356
New Zealand - + 0800.446489
Singapore - + 800.110.1441
Spain - + 34(0)9137.53035
Switzerland - +41.1.308.3.977
UK - +44(0)1344.668.484
More Information on SonicWALL Products
Contact SonicWALL, Inc. for information about SonicWALL products and services at:
Web: http://www.sonicwall.com
E-mail: sales@sonicwall.com
Phone: (408) 745-9600
Fax: (408) 745-9300
Current Documentation
Check the SonicWALL documentation Web site for the latest versions of this manual and all other SonicWALL product documentation.
http://www.sonicwall.com/us/Support.html

Chapter 2: Common Criteria Guide

Common Criteria

The purpose of this chapter is to define the Common Criteria-compliant operation of SonicWALL Internet Security Appliances.
Common Criteria is an information technology (IT) validation scheme adopted by the National Information Assurance Partnership (NIAP). NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). NIAP has established the Common Criteria Evaluation Validated Scheme (CCEVS) to validate IT products. Common Criteria is also referred to as ISO 15408.
Overview of Common Criteria Operation
The Common Criteria evaluated configuration of SonicWALL Internet Security Appliances uses only the firewall services of the device. The VPN services of the device are not included in the Common Criteria evaluated configuration. The Common Criteria evaluated configuration includes all features except those that are explicitly excluded.
The following features are not included in the Common Criteria evaluated configuration:
VPN
IPsec or L2TP
LDAP or RADIUS user authentication
Security Services
Content Filtering Service
Client Anti-Virus
E-mail Filter
Anti-Spyware
RBL Filter
Global Security Client
Intrusion Prevention System
Gateway Anti-Virus
GMS Remote Management
Syslog Logging
SonicPoint
Hardware Failover
Before installing the SonicWALL Internet Security Appliance, the device should be examined for evidence of tampering. Each device includes a tamper-evident seal to prevent access to the inside of the unit. Verify that the tamper-evident seal is intact. If there is a sign of tampering, contact SonicWALL Support Services by phone at 888.777.1476 or 408.752.7819.
The GUI management interface is used to administer the device. The use of the GUI management interface is discussed in the “Use of GUI Interface for Local Management” section below.
The Common Criteria evaluated configuration only supports SonicOS Enhanced 4.0. You can verify that the device is running SonicOS Enhanced 4.0 from the System -> Status page of the management GUI under the System Information table, Firmware Version entry.
Use of GUI Interface for Local Management
This section describes the use of the SonicWALL Graphical User Interface (GUI) for local management. Using the red cross-over cable supplied with SonicWALL Internet Security Appliances and a management PC, the SonicWALL GUI can be used for local configuration. This provides a secure way of administering the device without the possibility of traffic between the management PC and device being captured or traced. Following the instructions below will ensure that only the management PC, directly connected to the device, can be used for management.
Follow the instructions in the SonicOS Getting Started Guide section 2, Connecting the Network Cables, to connect a management PC to the device.
Follow the instructions in the SonicOS Getting Started Guide section 2, Configuring Your Management Station and Accessing The Management Interface, to access the management interface of the device.
Select an interface to be used as the local management interface. For example, on a PRO series appliance, select X2 or X3.
Use the Add button on the Network -> Zones page to add a “Local Management” zone with a Security Type of Trusted. On the Network -> Interfaces page, configure the local management interface. Set the Zone to “Local Management”. Set the IP Address to 192.168.1.1. Set the Subnet Mask to 255.255.255.0. Enable HTTP Management. Log out from the GUI management interface using the Logout button.
Connect the red cross-over cable to the local interface. Configure the management PC's IP address to be 192.168.1.2 with a netmask of 255.255.255.0. Use the management PC's browser to access the device's management interface at http://192.168.1.2.
Use the Configure icon on the Network -> Interfaces page to configure the LAN interface. Disable HTTP and HTTPS management.
Do not enable HTTP or HTTPS management on any interface other than the local management interface. HTTP and HTTPS management is disabled on all other interfaces by default.
The management PC can now be used to locally administer the device in a secure manner.
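The procedure above should leave management enabled on exactly one interface, the one in the “Local Management” zone. The following added example (not part of the SonicWALL guide) audits a hand-transcribed interface table against that rule and checks the management PC's addressing; the dictionary layout and the X0/X1 rows are assumptions for illustration, not a SonicOS export format.

```python
import ipaddress

MGMT_ZONE = "Local Management"

# Constructed sample, transcribed by hand from the Network -> Interfaces page.
# The dict layout and the X0/X1 rows are hypothetical, not a SonicOS export format.
INTERFACES = {
    "X0": {"zone": "LAN", "ip": "10.0.0.1", "mask": "255.255.255.0",
           "http_mgmt": False, "https_mgmt": False},
    "X1": {"zone": "WAN", "ip": "203.0.113.10", "mask": "255.255.255.0",
           "http_mgmt": False, "https_mgmt": False},
    "X2": {"zone": MGMT_ZONE, "ip": "192.168.1.1", "mask": "255.255.255.0",
           "http_mgmt": True, "https_mgmt": False},
}


def audit_local_management(interfaces, mgmt_pc_ip):
    """Return findings; an empty list means the layout matches the procedure."""
    findings = []
    mgmt_ifaces = sorted(n for n, c in interfaces.items() if c["zone"] == MGMT_ZONE)
    if len(mgmt_ifaces) != 1:
        findings.append(
            f"expected exactly one interface in zone {MGMT_ZONE!r}, found {len(mgmt_ifaces)}")

    # Management must be off everywhere except the local management interface.
    for name in sorted(interfaces):
        cfg = interfaces[name]
        enabled = [label for key, label in (("http_mgmt", "HTTP"), ("https_mgmt", "HTTPS"))
                   if cfg[key]]
        if cfg["zone"] != MGMT_ZONE and enabled:
            findings.append(f"{name} ({cfg['zone']}): {'/'.join(enabled)} management is enabled")
        if cfg["zone"] == MGMT_ZONE and not enabled:
            findings.append(f"{name}: no management protocol enabled on the management interface")

    # The management PC needs its own address inside the interface's subnet.
    pc = ipaddress.ip_address(mgmt_pc_ip)
    for name in mgmt_ifaces:
        cfg = interfaces[name]
        iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}")
        if pc == iface.ip:
            findings.append(f"management PC uses the same address as {name} ({iface.ip})")
        elif pc not in iface.network:
            findings.append(f"management PC {pc} is outside {iface.network}, the subnet of {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_local_management(INTERFACES, "192.168.1.2") or ["no findings"]:
        print(finding)
```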
Related Documents
Several other SonicWALL documents provide information relating to the Common Criteria evaluated configuration of SonicWALL Internet Security Appliances. Those documents are described here.
SonicOS Log Events Reference Guide
During the operation of a SonicWALL security appliance, SonicOS software sends log event messages to the console. Event logging automatically begins when the SonicWALL security appliance is powered on and configured. SonicOS Enhanced supports a traffic log containing entries with multiple fields.
Log event messages provide operational and debugging information to help you diagnose problems with communication lines, internal hardware, or your firmware configuration.
Note Not all log event messages indicate operational issues with your SonicWALL security appliance.
The Log > View console display provides log event messages including the following fields for alert notification:
Time—Displays the hour and minute the event occurred.
Priority—Displays the level of urgency for the event.
Category—Displays the event type.
Message—Displays a description of the event.
Source—Displays the source IP address of the incoming IP packet.
Destination—Displays the destination IP address of the incoming IP packet.
Note—Displays additional information specific to a particular event occurrence.
Rule—Displays the source and destination zones for the access rule. This field provides a link to the access rule defined in the Firewall > Access Rules page.
The display fields for a log event message provide you with data to verify your configurations, troubleshoot your security appliance, and track IP traffic.

Chapter 3: Introduction

Introduction

SonicOS Enhanced 4.0 is the most powerful SonicOS operating system designed for the SonicWALL PRO 4060, and the PRO 5060.
What’s New in SonicOS Enhanced 4.0
SonicOS Enhanced 4.0 introduces these new features:
Strong SSL and TLS Encryption - The internal SonicWALL Web server now only supports SSL version 3.0 and TLS with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak ciphers (symmetric ciphers less than 128 bits) are not supported. This heightened level of HTTPS security protects against potential SSLv2 roll-back vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards.
Tip By default, Mozilla Firefox 2.0 and Microsoft Internet Explorer 7.0 enable SSL 3.0 and TLS, and disable SSL 2.0. SonicWALL recommends using these most recent Web browser releases. If you are using a previous release of these browsers, you should enable SSL 3.0 and TLS and disable SSL 2.0. In Internet Explorer, go to Tools > Internet Options, click on the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options, click on the Advanced tab, and then click on the Encryption tab.
Single Sign-On User Authentication - SonicOS Enhanced 4.0 introduces Single Sign-On User Authentication, which provides privileged access to multiple network resources with a single workstation login. Single Sign-On uses the SonicWALL SSO Agent to identify user activity based on workstation IP addresses. Access to resources is based on policy for the group to which the user belongs.
Stateful Hardware Failover - SonicOS Enhanced 4.0 introduces Stateful Hardware Failover, which provides improved failover performance. With Stateful Hardware Failover, the primary and backup security appliances are continuously synchronized so that the backup can seamlessly assume all network responsibilities if the primary appliance fails, with no interruptions to existing network connections. Once the primary and backup appliances have been associated as a hardware failover pair on mysonicwall.com, you can enable this feature by selecting Enable Stateful Synchronization in the Hardware Failover > Advanced page.
Application Firewall - SonicOS Enhanced 4.0 introduces Application Firewall, which provides a way to create application-specific policies to regulate Web browsing, file transfer, email, and email attachments. Application Firewall enables application layer bandwidth management, and also allows you to create custom policies for any protocol. It gives you granular control over network traffic on the level of users, email users, and IP subnets.
HTTPS Filtering - SonicOS Enhanced 4.0 uses HTTPS Filtering to allow administrators to control user access to Web sites when using the encrypted HTTPS protocol. HTTPS Filtering is based on the ratings of Web sites, such as Gambling, Online Banking, Online Brokerage and Trading, Shopping, and Hacking/Proxy Avoidance.
Note HTTPS Filtering is IP-based, so IP addresses must be used rather than domain names in the Allowed or Forbidden lists. You can use the nslookup command in a DOS cmd window to convert a domain name to its IP address(es). There may be more than one IP address associated with a domain, and if so, all must be added to the Allowed or Forbidden list.
SSL Control - SonicOS Enhanced 4.0 introduces SSL Control, which is a system that provides visibility into the handshake of Secure Socket Layer (SSL) sessions, and a method for configuring policies to control the establishment of SSL sessions.
Certificate Blocking - SonicOS Enhanced 4.0 provides a way to specify which HTTPS certificates to block. This feature is closely integrated with SSL Control.
Inbound NAT Load Balancing with Server Monitoring - SonicOS Enhanced 4.0 introduces Inbound NAT Load Balancing with Server Monitoring, which detects when a server is unavailable and stops forwarding requests to it. Inbound NAT Load Balancing spreads the load across two or more servers. When Stateful High Availability (Stateful Hardware Failover) is configured, during a failover, SonicOS forwards all requests to the alternate server(s) until it detects that the offline server is back online. Inbound NAT Load Balancing also works with SonicWALL SSL-VPN appliances.
Security Dashboard Web Page - SonicOS Enhanced 4.0 includes the Security Dashboard page in the user interface, which displays a summary of threats stopped by the SonicWALL security appliance. The Security Dashboard shows two types of reports:
A Global Report that displays a summary of threat data received from all SonicWALL security appliances worldwide.
An Individual Appliance Report that displays a summary of attacks detected by the local SonicWALL security appliance.
Registration & License Wizard - As part of the new Security Dashboard, SonicOS Enhanced 4.0 provides a License Wizard for both firewall registration and the purchase of security service licenses. The available security services are the same as those that enable Global Reports by providing threat data from SonicWALL devices around the world.
Multiple SSH Support - SonicOS Enhanced 4.0 provides support for multiple concurrent SSH sessions on the SonicWALL security appliance. When connected over SSH, you can run command line interface (CLI) commands to monitor and manage the device. The number of concurrent SSH sessions is determined by device capacity. Note that only one session at a time can configure the SonicWALL, whether the session is on the GUI or the CLI (SSH or serial console). For instance, if a CLI session goes to the config level, it will ask you if you want to preempt an administrator who is at config level in the GUI or an SSH session.
Multiple and Read-only Administrator Login - SonicOS Enhanced 4.0 introduces Multiple Administrator Login, which provides a way for multiple users to be given administration rights, either full or read-only, for the SonicOS security appliance. Additionally, SonicOS Enhanced 4.0 allows multiple users to concurrently manage the appliance, but only one user at a time can be in config mode with the ability to change configuration settings. This feature applies to both the graphical user interface (GUI) and the command line interface (CLI).
IP-Based Connection Limit - SonicOS Enhanced 4.0 provides a way to limit the number of connections on a per-source or per-destination IP address basis. This feature protects against worms on the LAN side that initiate large numbers of connections in denial of service attacks.
IKEv2 Secondary Gateway Support - SonicOS Enhanced 4.0 introduces IKEv2 Secondary Gateway Support, which provides a way to configure a secondary VPN gateway to act as an alternative tunnel end-point if the primary gateway becomes unreachable. While using the secondary gateway, SonicOS can periodically check for availability of the primary gateway and revert to it, if configured to do so. Configuration for the secondary VPN gateway is available under VPN > Settings > Add Policy in the management interface.
IKEv2 Dynamic Client Support - SonicOS Enhanced 4.0 introduces IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method. SonicOS now allows the following IKE Proposal settings:
DH Group: 1, 2, or 5
Encryption: DES, 3DES, AES-128, AES-192, AES-256
Authentication: MD5, SHA1
These settings are available by pressing the Configure button in the VPN > Advanced screen of the management interface. However, if a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPsec gateway is defined, you cannot configure these IKE Proposal settings on an individual policy basis.
Note The VPN policy on the remote gateway must also be configured with the same settings.
Wireless IDS Rogue Detection - SonicOS Enhanced 4.0 supports wireless intrusion detection on SonicPoint devices. Wireless IDS Rogue Detection allows you to configure a set of authorized access points, defined by address object groups. If contact is attempted from an unauthorized access point, SonicOS generates an alert.
RF Management - SonicOS Enhanced 4.0 introduces Radio Frequency Management on SonicPoint devices. RF Management provides detection of eleven types of wireless threats:
Long duration attack
Management frame flood
Null probe request
Broadcasting de-authentication
Valid station with invalid SSID
Ad-Hoc station
Unassociated station
Wellenreiter attack
NetStumbler attack
EAPOL packet flood
Weak WEP IV
SMTP Authentication - SonicOS Enhanced 4.0 supports RFC 2554, which defines an SMTP service extension that allows the SMTP client to indicate an authentication method to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions. This feature helps prevent viruses that attack the SMTP server on port 25.
Generic DHCP Option Support - SonicOS Enhanced 4.0 supports generic DHCP configuration, which allows vendor-specific DHCP options in DHCP server leases.
DHCP Server Lease Cross-Reboot Persistence - SonicOS Enhanced 4.0 introduces DHCP Server Lease Cross-Reboot Persistence, which provides the ability to record and return to DHCP server lease bindings across power cycles. The SonicWALL security appliance does not have to depend on dynamic network responses to regain its IP address after a reboot or power cycle. This feature is supported on all SonicWALL PRO platforms. It is not supported on SonicWALL TZ platforms.
Custom IP Type Service Objects - SonicOS Enhanced 4.0 introduces support for Custom IP Type Service Objects, allowing administrators to augment the pre-defined set of Service Objects.
Dynamic Address Objects - SonicOS Enhanced 4.0 supports two changes to Address Objects:
MAC - SonicOS Enhanced 4.0 will resolve MAC AOs to an IP address by referring to the ARP cache on the SonicWALL.
FQDN - Fully Qualified Domain Names (FQDN), such as ‘www.sonicwall.com’, will be resolved to their IP address (or IP addresses) using the DNS server configured on the SonicWALL. Wildcard entries are supported through the gleaning of responses to queries sent to the sanctioned DNS servers.
Virtual Access Points - A “Virtual Access Point” (VAP) is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when there is actually only a single physical AP. Before Virtual AP feature support, wireless networks were relegated to a one-to-one relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. For example, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients. If Open or WPA-EAP were required, they would need to have been provided by separate, distinctly configured APs. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This allows segmenting wireless network services within a single radio frequency footprint of a single physical access point device.
In SonicOS Enhanced 4.0, VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical SonicPoint access points simultaneously. You can configure up to eight VAPs per SonicPoint access point.
Layer 2 Bridge Mode - SonicOS Enhanced 4.0 supports Layer 2 (L2) Bridge Mode, a new method of unobtrusively integrating a SonicWALL security appliance into any Ethernet network. L2 Bridge Mode is similar to the SonicOS Enhanced Transparent Mode in that it enables a SonicWALL security appliance to share a common subnet across two interfaces, and to perform stateful and deep-packet inspection on all traversing IP traffic, but it is functionally more versatile.
L2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration. Using L2 Bridge Mode, a SonicWALL security appliance can be non-disruptively added to any Ethernet network to provide in-line deep-packet inspection for all traversing IPv4 TCP and UDP traffic. Unlike other transparent solutions, L2 Bridge Mode can pass all traffic types, including IEEE 802.1Q VLANs, Spanning Tree Protocol, multicast, broadcast, and IPv6, ensuring that all network communications will continue uninterrupted.
L2 Bridge Mode provides an ideal solution for networks that already have an existing firewall, and do not have immediate plans to replace their existing firewall but wish to add the security of SonicWALL Unified Threat Management (UTM) deep-packet inspection, such as Intrusion Prevention Services, Gateway Anti-Virus, and Gateway Anti-Spyware.
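For the HTTPS Filtering note in the list above: because the Allowed and Forbidden lists hold IP addresses, they drift as DNS answers change, and one address can serve several sites. The following added example (not part of the SonicWALL guide) resolves each domain to all of its IPv4 addresses and compares them with a configured list; the function names, the `.example` domains and the offline resolver are constructed for illustration.

```python
import socket


def resolve_ipv4(domain, resolver=socket.getaddrinfo):
    """Return every IPv4 address reported for domain, de-duplicated and sorted."""
    try:
        answers = resolver(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({sockaddr[0] for *_, sockaddr in answers}, key=socket.inet_aton)


def diff_filter_list(domains, configured_ips, resolver=socket.getaddrinfo):
    """Compare a configured Allowed/Forbidden IP list with fresh DNS answers."""
    current = {}      # ip -> set of listed domains that resolve to it
    unresolved = []   # domains that returned no address at all
    for domain in domains:
        ips = resolve_ipv4(domain, resolver)
        if not ips:
            unresolved.append(domain)
        for ip in ips:
            current.setdefault(ip, set()).add(domain)
    configured = set(configured_ips)
    return {
        # resolved now but absent from the list: the filter misses these
        "missing": sorted(set(current) - configured, key=socket.inet_aton),
        # on the list but no longer returned for any listed domain
        "stale": sorted(configured - set(current), key=socket.inet_aton),
        "unresolved": unresolved,
        # one entry covers several sites, so they are allowed or blocked together
        "shared": {ip: sorted(names) for ip, names in current.items() if len(names) > 1},
    }


# Constructed resolver standing in for DNS so the example runs offline.
def sample_resolver(host, port, family=0, type=0):
    table = {
        "shop.example": ["198.51.100.7", "198.51.100.8"],
        "bank.example": ["203.0.113.20", "198.51.100.8"],
    }
    if host not in table:
        raise socket.gaierror("name not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in table[host]]


if __name__ == "__main__":
    report = diff_filter_list(
        ["shop.example", "bank.example", "gone.example"],
        ["198.51.100.7", "192.0.2.99"],   # constructed current list
        resolver=sample_resolver,
    )
    for key, value in report.items():
        print(key, value)
```

Omit the `resolver` argument to query the system's DNS; run it periodically, since the answers can differ between lookups.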
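For the IKEv2 Dynamic Client Support item in the list above, which requires the remote gateway to use the same IKE Proposal settings: the following added example (not part of the SonicWALL guide) validates two proposals against the values the guide lists and reports mismatches. The dictionary layout is hypothetical, and the `WEAK` table is an assessment added here, not a statement from the guide.

```python
# IKE Proposal values listed in the guide for SonicOS Enhanced 4.0.
ALLOWED = {
    "dh_group": {1, 2, 5},
    "encryption": {"DES", "3DES", "AES-128", "AES-192", "AES-256"},
    "authentication": {"MD5", "SHA1"},
}

# The former fixed defaults named in the guide.
DEFAULT_PROPOSAL = {"dh_group": 2, "encryption": "3DES", "authentication": "SHA1"}

# Assessment added for this example (not from the guide): the weakest offered
# value of each setting, long deprecated for new deployments.
WEAK = {"dh_group": {1}, "encryption": {"DES"}, "authentication": {"MD5"}}


def check_proposals(local, remote):
    """Compare two gateways' IKE proposals.

    Each proposal is a dict with the keys of ALLOWED (hypothetical layout).
    Returns (errors, warnings): errors stop the tunnel from negotiating or
    name a value the guide does not offer; warnings flag weak choices.
    """
    errors, warnings = [], []
    for side, proposal in (("local", local), ("remote", remote)):
        for field, allowed in ALLOWED.items():
            if field not in proposal:
                errors.append(f"{side}: {field} is not set")
            elif proposal[field] not in allowed:
                errors.append(f"{side}: {field}={proposal[field]!r} is not an offered setting")
            elif proposal[field] in WEAK[field]:
                warnings.append(f"{side}: {field}={proposal[field]} is a weak choice")
    # Both ends must agree on every field.
    for field in ALLOWED:
        if local.get(field) != remote.get(field):
            errors.append(
                f"mismatch on {field}: local={local.get(field)!r} remote={remote.get(field)!r}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample proposals for the two ends of one tunnel.
    local = {"dh_group": 5, "encryption": "AES-256", "authentication": "SHA1"}
    remote = {"dh_group": 1, "encryption": "AES-256", "authentication": "MD5"}
    errors, warnings = check_proposals(local, remote)
    for line in errors + warnings:
        print(line)
```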
The following feature enhancements are included in SonicOS Enhanced 4.0:
Enhanced Packet Capture - SonicOS Enhanced 4.0 provides an enhanced version of the Packet Capture feature. Enhanced Packet Capture contains improvements in both functionality and flexibility, including the following:
Capture control mechanism with improved granularity for custom filtering
Display filter settings independent from capture filter settings
Packet status indicating dropped, forwarded, generated, or consumed
Three-window output in the user interface that provides the packet list, decoded output of selected packet, and hexadecimal dump of selected packet
Export capabilities that include text, HTML, hex dump, and CAP file format
Automatic buffer export to FTP server when full
Bidirectional packet capture based on IP address and port
Configurable wrap-around of capture buffer when full
User Authentication - There are a number of enhancements to user authentication in SonicOS Enhanced 4.0, including optional case-sensitive user names, optional enforcement of unique login names, support for MSCHAP version 2, and support for VPN and L2TP clients changing expired passwords (when that is supported by the back-end authentication server and protocols used). Note that for this purpose there is a new setting on the VPN > Advanced page to cause RADIUS to be used in MSCHAP mode when authenticating VPN client users.
IP Helper Scalability - SonicOS Enhanced 4.0 provides enhancements to the IP Helper architecture to support large networks. Improvements include changes to DHCP relay and Net-BIOS functionality. DHCP relay over VPN is now fully integrated.
Diagnostics Page Tool Tips - SonicOS Enhanced 4.0 incorporates self-documenting mouse-over descriptions for diagnostic controls in the graphical user interface.
BWM Rate Limiting - SonicOS Enhanced 4.0 enhances the Bandwidth Management feature to provide rate limiting functionality. You can now create traffic policies that specify maximum rates for Layer 2, 3, or 4 network traffic. This enables bandwidth management in cases where the primary WAN link fails over to a secondary connection that cannot handle as much traffic.
DHCP Client Reboot Behavior Control - In SonicOS Enhanced 4.0 you can configure the WAN DHCP client to perform a DHCP RENEW or a DHCP DISCOVERY query when attempting to obtain a lease. The previous behavior was to always perform a RENEW, which caused lease failures on some networks, particularly certain cable modem service providers. The new behavior is to perform a DISCOVERY, but it is configurable.
A checkbox has been added to the Network > Interfaces > WAN > DHCP Client page:
Enabled: when the appliance reboots, the DHCP client performs a DHCP RENEW query.
Disabled: (Default) when the appliance reboots, the DHCP client performs a DHCP DISCOVERY query.
Dynamic Route Metric Recalculation Based on Interface Availability - To better support redundant or multiple path Advanced Routing configurations, when a default-route's interface is unavailable (due to no-link or negative WAN LB probe response), that default route's metric will be changed to 255, and the route will be instantly disabled. When a default-route's interface is again determined to be available, its metric will be changed back to 20, and the route will be non-disruptively enabled.
SonicWALL Management Interface
The SonicWALL security appliance’s Web-based management interface provides an easy-to-use graphical interface for configuring your SonicWALL security appliance. The following provides an overview of the key management interface objects.
Navigating the Management Interface
The SonicWALL management interface is navigated through a hierarchy of menu buttons on the navigation bar (left side of your browser window). When you click a menu button, related management functions are displayed as submenu items in the navigation bar.
To navigate to a submenu page, click the link. When you click a menu button, the first submenu item page is automatically displayed. For example, when you click the Network button, the Network > Settings page is displayed.
Status Bar
The Status bar at the bottom of the management interface window displays the status of actions executed in the SonicWALL management interface.
Applying Changes
Click the Apply button at the top right corner of the SonicWALL management interface to save any configuration changes you made on the page.
If the settings are contained in a secondary window within the management interface, when you click OK, the settings are automatically applied to the SonicWALL security appliance.
Navigating Tables
Navigate tables in the management interface with a large number of entries by using the navigation buttons located on the upper right corner of the table.
The table navigation bar includes buttons for moving through table pages.
Common Icons in the Management Interface
The following describes the functions of common icons used in the SonicWALL management interface:
Clicking on the edit icon displays a window for editing the settings.
Clicking on the delete icon deletes a table entry.
Moving the pointer over the comment icon displays text from a Comment field entry.
Getting Help
Each SonicWALL security appliance includes Web-based on-line help available from the management interface.
Clicking the question mark ? button on the top-right corner of every page accesses the context-sensitive help for the page.
Tip Accessing the SonicWALL security appliance online help requires an active Internet connection.
Logging Out
The Logout button at the bottom of the menu bar terminates the management interface session and displays the authentication page for logging into the SonicWALL security appliance.
Part 2: System

Chapter 4: Viewing the SonicWALL Security Dashboard

System > Security Dashboard

This chapter describes how to use the SonicWALL Security Dashboard feature on a SonicWALL security appliance. This chapter contains the following sections:
“SonicWALL Security Dashboard Overview”
“What is the Security Dashboard?”
“Benefits”
“How Does the Security Dashboard Work?”
“Platforms”
“Using the SonicWALL Security Dashboard”
“Administrator Prerequisites”
“Administrator Configuration Tasks”
“Related Features”
SonicWALL Security Dashboard Overview
This section provides an introduction to the Security Dashboard feature. This section contains the following subsections:
“What is the Security Dashboard?”
“Benefits”
“How Does the Security Dashboard Work?”
“Platforms”
After reading the Security Dashboard Overview section, you will be familiar with this feature and its benefits.
What is the Security Dashboard?
The SonicWALL Security Dashboard provides reports of the latest threat protection data from a single SonicWALL appliance and aggregated threat protection data from SonicWALL security appliances deployed globally. The SonicWALL Security Dashboard displays automatically upon successful authentication to a SonicWALL security appliance, and can be viewed at any time by navigating to the System > Security Dashboard menu in the left-hand menu.
Reports in the Security Dashboard include:
Viruses Blocked by SonicWALL Network
Intrusions Prevented by SonicWALL Network
Spyware Blocked by SonicWALL Network
Multimedia (IM/P2P) Detected/Blocked by SonicWALL Network
Each report includes a graph of threats blocked over time and a table of the top blocked threats. Reports, which are updated hourly, can be customized to display data for the last 12 hours, 14 days, 21 days, or 6 months. For easier viewing, SonicWALL Security Dashboard reports can be transformed into a PDF file format with the click of a button.
Benefits
The Security Dashboard provides the latest threat protection information to keep you informed about potential threats being blocked by SonicWALL security appliances. If you subscribe to SonicWALL’s security services, including Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention Service (IPS), and Content Filtering Service, you are automatically protected from the threats reported by the SonicWALL Security Dashboard. SonicWALL’s security services include ongoing new signature updates to protect against the latest virus and spyware attacks. For information about activating SonicWALL security services, refer to “Purchasing Security Services” on page 52.
The Security Dashboard provides insight into threats over time, and can be configured to display data from multiple time periods. The SonicWALL Security Dashboard can be viewed easily in the System > Security Dashboard page of the SonicWALL appliance management interface, or as a custom generated PDF file.
How Does the Security Dashboard Work?
The SonicWALL Security Dashboard provides global and appliance-level threat protection statistics. At the appliance level, threat protection data from your SonicWALL security appliance is displayed. At the global level, the SonicWALL Security Dashboard is updated hourly from the SonicWALL backend server with aggregated threat protection data from globally-deployed SonicWALL security appliances. Data provided by the SonicWALL backend server is cached locally for reliable delivery.
Note The SonicWALL security appliance must have Internet connectivity (including connection to a DNS server) to receive the latest threat protection statistics from the SonicWALL backend server, which reports aggregated data from globally deployed SonicWALL security appliances. If you lose connectivity, cached data from the last update will display, and the latest data will not be available until connectivity is restored.
Platforms
The Security Dashboard is available on the SonicWALL security appliances running SonicOS 3.5 firmware and higher.
Using the SonicWALL Security Dashboard
This section contains the following subsections:
“Administrator Prerequisites”
“Administrator Configuration Tasks”
Administrator Prerequisites
SonicWALL security appliances running SonicOS 3.5 firmware or later must be set up and registered on mysonicwall.com. For registration instructions, refer to the SonicWALL Getting Started Guide for your security appliance, available on the Web at:
http://www.sonicwall.com/us/Support.html.
Note The SonicWALL security appliance must be configured for Internet connectivity and be connected to the Internet to display the latest reports.
Administrator Configuration Tasks
This section contains the following subsections:
“SonicWALL Security Dashboard Configuration Overview”
“Purchasing Security Services”
SonicWALL Security Dashboard Configuration Overview
The SonicWALL Security Dashboard can be configured to display global or appliance-level statistics, to display statistics for different time periods, and to generate a custom PDF file. For information about purchasing SonicWALL security services that protect against the threats reported in the SonicWALL Security Dashboard, refer to “Purchasing Security Services” on page 52.
The SonicWALL Security Dashboard displays automatically upon successful login to a SonicWALL security appliance. You can access the SonicWALL Security Dashboard at any time by navigating to System > Security Dashboard in the left-hand menu. You may see the introductory screen shown below before the dashboard displays.
This section provides the following subsections:
“Switching to Global or Appliance-Level View”
“Selecting Custom Time Interval”
“Generating a Security Dashboard PDF”
Switching to Global or Appliance-Level View
To view SonicWALL Security Dashboard global reports, select the radio button next to Global in the top of the System > Security Dashboard screen. To view appliance-level reports, select the radio button next to the appliance serial number.
Selecting Custom Time Interval
The SonicWALL Security Dashboard reports default to a view of reports from the “Last 14 Days,” providing an aggregate view of threats blocked during that time period. You can configure each report to one of four optional time periods. Each report can be configured to reflect a different time period. To change a report to reflect a different time period, perform the following steps:
Step 1 Select the report you want to change:
– Viruses Blocked by SonicWALL Network
– Intrusions Prevented by SonicWALL Network
– Spyware Blocked by SonicWALL Network
– Multimedia (IM/P2P) Detected/Blocked by SonicWALL Network
Step 2 Next to the title of the selected report, click the pull-down menu and select one of the following options:
– Last 12 Hours - The selected report will display threat information from the last 12 hours
– Last 14 Days - The selected report will display threat information from the last 14 days
– Last 21 Days - The selected report will display threat information from the last 21 days
– Last 6 Months - The selected report will display threat information from the last 6 months
Generating a Security Dashboard PDF
To create a PDF version of the SonicWALL Security Dashboard, first select the desired view (global or appliance-level) and the desired time period for each report (the last 12 hours, 14 days, 21 days, or 6 months). Click the button at the top of the page.
Purchasing Security Services
To be protected from the threats reported in the SonicWALL Security Dashboard, it is recommended that you purchase SonicWALL security services. This section provides instructions for using the SonicWALL Registration & License Wizard, accessible from the SonicWALL appliance management interface, to purchase SonicWALL security services. SonicWALL security services include the following real-time protection services:
Gateway Anti-Virus - Protects against viruses, worms, Trojans and other threats
Gateway Anti-Spyware - Protects against new and existing malicious spyware
Intrusion Prevention Service - Protects against application-layer attacks
Content Filtering Service - Enhances protection and productivity by limiting access to objectionable Web content
Dynamic Support 8x5 - Provides one year of telephone and Web support, including software and firmware updates
ViewPoint - Provides detailed and comprehensive reporting on network activity
Note Your SonicWALL security appliance must be configured for Internet connectivity and must be connected to the Internet to use the Registration & License Wizard.
To purchase SonicWALL security services using the SonicWALL Registration & License Wizard, perform the following steps:
Step 1 Log in to the SonicWALL appliance management interface.
Step 2 In the left-navigation menu, click Wizards. The Configuration Wizard displays.
Step 3 Select the radio button next to Registration & License Wizard and click Next.
Step 4 The welcome screen displays. Click Next.
Step 5 If you have a mysonicwall.com account, enter your username and password in the Username and Password fields. If you do not have a mysonicwall.com account, select the radio button next to Create a sonicwall.com account. Click Next.
Step 6 If you selected Create a sonicwall.com account, the User Registration page displays. Provide the information requested in order to create your account, then click Next.
Note If you used an existing mysonicwall.com account by providing your username and password, you will not see this page. Skip to the next step.
Step 7 Select the checkbox next to the service you want to purchase and click Next.
Step 8 A notice displays that a separate browser window will be launched. Click OK.
Step 9 The mysonicwall.com page is launched in a separate browser window. Follow the on-screen instructions to complete the purchase of SonicWALL security services.
Step 10 After you have purchased the security services, return to the wizard window. The License Synchronization window will synchronize the new security services with the SonicWALL security appliance. Click Next to complete the synchronization.
Step 11 The Congratulations page displays. You have successfully purchased and synchronized your security services. Click Close to close the wizard.
To verify that the security services are licensed, navigate to Security Services > Summary in the left-hand menu and verify that the status of the services is Licensed. For information on advanced configuration for each service, refer to the SonicWALL Administrator’s Guides, available on the Web at:
http://www.sonicwall.com/us/Support.html.
Related Features
SonicWALL Registration & License Wizard - Use the SonicWALL Registration & License Wizard to purchase SonicWALL security services directly from your SonicWALL security appliance management interface.
SonicWALL Security Services - SonicWALL provides a comprehensive offering of security services that protect against the threats reported in the SonicWALL Security Dashboard. For a full list, visit the SonicWALL website at http://www.sonicwall.com/us/Support.html.
Some of the SonicWALL Security Services include:
Gateway Anti-Virus - Protects against viruses, worms, Trojans and other threats
Gateway Anti-Spyware - Protects against new and existing malicious spyware
Intrusion Prevention Service - Protects against application-layer attacks
Content Filtering Service - Enhances protection and productivity by limiting access to objectionable Web content
Dynamic Support 8x5 - Provides one year of telephone and Web support, including software and firmware updates
ViewPoint - Provides detailed and comprehensive reporting on network activity

Chapter 5: Viewing Status Information

System > Status

The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWALL security appliance and SonicWALL Security Services licenses. It includes status information about your SonicWALL security appliance organized into five sections: System Messages, System Information, Security Services, Latest Alerts, and Network Interfaces, as well as the Wizards button for accessing the SonicWALL Configuration Wizard.

Wizards
The Wizards button on the System > Status page provides access to the SonicWALL Configuration Wizard, which allows you to easily configure the SonicWALL security appliance using the following sub-wizards:
Setup Wizard - This wizard helps you quickly configure the SonicWALL security appliance to secure your Internet (WAN) and LAN connections.
Public Server Wizard - This wizard helps you quickly configure the SonicWALL security appliance to provide public access to an internal server, such as a Web or E-mail server.
VPN Wizard - This wizard helps you create a new site-to-site VPN Policy or configure the WAN GroupVPN to accept VPN connections from SonicWALL Global VPN Clients.
Wireless Wizard - (SonicWALL TZ 170 Wireless and SonicWALL TZ 170 SP Wireless only), this wizard helps you select a wireless deployment mode and configure the radio settings of the built-in 802.11b/g antennas.
For more information on using the SonicWALL Configuration Wizard, see “Wizards” on page 791.
System Messages
Information relating to possible problems with the configuration of the SonicWALL security appliance, such as password and log messages, as well as notifications of SonicWALL Security Services offers, new firmware notifications, and upcoming Security Services expirations, is displayed in the System Messages section.
System Information
The following information is displayed in this section:
Model - type of SonicWALL security appliance product
Serial Number - also the MAC address of the SonicWALL security appliance
Authentication Code - the alphanumeric code used to authenticate the SonicWALL security appliance on the registration database at https://www.mysonicwall.com.
Firmware Version - the firmware version loaded on the SonicWALL security appliance.
ROM Version - indicates the ROM version.
CPU - displays the average CPU usage over the last 10 seconds and the type of the SonicWALL security appliance processor.
Total Memory - indicates the amount of RAM and flash memory.
System Time - The time registered on the internal clock on the SonicWALL appliance.
Up Time - the length of time, in days, hours, and seconds the SonicWALL security appliance is active.
Current Connections - the number of network connections currently existing on the SonicWALL security appliance.
Last Modified By - The IP address of the user who last modified the system and the time stamp of the last modification.
Registration Code - the registration code is generated when your SonicWALL security appliance is registered at http://www.mysonicwall.com.
Latest Alerts
Any messages relating to system errors or attacks are displayed in this section. Attack messages include AV Alerts, forbidden e-mail attachments, fraudulent certificates, etc. System errors include WAN IP changed and encryption errors. Clicking the blue arrow displays the Log > Log View page.
For more information on SonicWALL security appliance logging, see “Log” on page 763.
Security Services
If your SonicWALL security appliance is not registered at mySonicWALL.com, the following message is displayed in the Security Services folder: Your SonicWALL security appliance is not registered. Click here to Register your SonicWALL security appliance. You need a mySonicWALL.com account to register your SonicWALL security appliance or activate security services. You can create a mySonicWALL.com account directly from the SonicWALL management interface.
If your SonicWALL security appliance is registered, a list of available SonicWALL Security Services is displayed in this section with the status of Licensed or Not Licensed. If Licensed, the Status column displays the number of licenses and the number of licenses in use. Clicking the Arrow icon displays the System > Licenses page in the SonicWALL Web-based management interface. SonicWALL Security Services and SonicWALL security appliance registration is managed by mySonicWALL.com.
Refer to Part 13 Security Services for more information on SonicWALL Security Services and activating them on the SonicWALL security appliance.
Registering Your SonicWALL Security Appliance
Once you have established your Internet connection, it is recommended you register your SonicWALL security appliance. Registering your SonicWALL security appliance provides the following benefits:
Try a FREE 30-day trial of SonicWALL Intrusion Prevention Service, SonicWALL Gateway Anti-Virus, Content Filtering Service, and Client Anti-Virus
Activate SonicWALL security services and upgrades
Access SonicOS firmware updates
Get SonicWALL technical support
Before You Register
If your SonicWALL security appliance is not registered, the following message is displayed in the Security Services folder on the System > Status page in the SonicWALL management interface: Your SonicWALL is not registered. Click here to Register your SonicWALL. You need a mySonicWALL.com account to register the SonicWALL security appliance.
If your SonicWALL security appliance is connected to the Internet, you can create a mySonicWALL.com account and register your SonicWALL security appliance directly from the SonicWALL management interface. If you already have a mySonicWALL.com account, you can register the SonicWALL security appliance directly from the management interface.
Your mySonicWALL.com account is accessible from any Internet connection by pointing your Web browser to https://www.mysonicwall.com. mySonicWALL.com uses the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your sensitive information.
Note Make sure the Time Zone and DNS settings on your SonicWALL security appliance are correct when you register the device. See SonicWALL Setup Wizard instructions for instructions on using the Setup Wizard to set the Time Zone and DNS settings.
Note mySonicWALL.com registration information is not sold or shared with any other company.
You can also register your security appliance at the https://www.mysonicwall.com site by using the Serial Number and Authentication Code displayed in the Security Services section. Click the SonicWALL link to access your mySonicWALL.com account. You will be given a registration code after you have registered your security appliance. Enter the registration code in the field below the You will be given a registration code, which you should enter below heading, then click Update.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL management interface.
To create a mySonicWALL.com account from the SonicWALL management interface:
Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered. Click here to Register your SonicWALL.
Step 2 Click the here link in If you do not have a mySonicWALL account, please click here to create one on the mySonicWALL Login page.
Step 3 In the MySonicWALL Account page, enter in your information in the Account Information, Personal Information and Preferences fields in the mySonicWALL.com account form. All fields marked with an * are required fields.
Note Remember your username and password to access your mySonicWALL.com account.
Step 4 Click Submit after completing the MySonicWALL Account form.
Step 5 When the mySonicWALL.com server has finished processing your account, a page is displayed confirming your account has been created. Click Continue.
Step 6 Congratulations! Your mySonicWALL.com account is activated. Now you need to log into mySonicWALL.com from the management appliance to register your SonicWALL security appliance.
Registering Your SonicWALL Security Appliance
If you already have a mySonicWALL.com account, follow these steps to register your security appliance:
Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered. Click here to Register your SonicWALL. The mySonicWALL Login page is displayed.
Step 2 In the mySonicWALL.com Login page, enter your mySonicWALL.com username and password in the User Name and Password fields and click Submit.
Step 3 The next several pages inform you about free trials available to you for SonicWALL’s Security Services:
Gateway Anti-Virus - protects your entire network from viruses
Client Anti-Virus - protects computers on your network from viruses
Premium Content Filtering Service - protects your network and improves productivity by limiting access to unproductive and inappropriate Web sites
Intrusion Prevention Service - protects your network from Trojans, worms, and application layer attacks
Step 4 Click Continue on each page.
Step 5 At the top of the Product Survey page, enter a friendly name for your SonicWALL security appliance in the Friendly name field, and complete the optional product survey.
Step 6 Click Submit.
Step 7 When the mySonicWALL.com server has finished processing your registration, a page is displayed confirming your SonicWALL security appliance is registered.
Step 8 Click Continue. The Manage Services Online table on the System > Licenses page is displayed.
Network Interfaces
Network Interfaces displays information about the interfaces for your SonicWALL security appliance. Clicking the blue arrow displays the Network > Interfaces page for configuring your Network settings. The available interfaces displayed in the Network Interfaces section depend on the SonicWALL security appliance model.

Chapter 6: Managing SonicWALL Licenses

System > Licenses

The System > Licenses page provides links to activate, upgrade, or renew SonicWALL Security Services licenses. From this page in the SonicWALL Management Interface, you can manage all the SonicWALL Security Services licensed for your SonicWALL security appliance. The information listed in the Security Services Summary table is updated from your mySonicWALL.com account. The System > Licenses page also includes links to FREE trials of SonicWALL Security Services.
Node License Status
A node is a computer or other device connected to your LAN with an IP address. If your SonicWALL security appliance is licensed for unlimited nodes, the Node License Status section displays the message: The SonicWALL is licensed for unlimited Nodes/Users. No other settings are displayed.
If your SonicWALL security appliance is not licensed for unlimited nodes, the Node License Status table lists how many nodes your security appliance is licensed to have connected at any one time, how many nodes are currently connected, and how many nodes you have in your Node License Exclusion List.
The Currently Licensed Nodes table lists details on each node connected to your security appliance.
Excluding a Node
When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group.
To exclude a node:
Step 1 Select the node you want to exclude in the Currently Licensed Nodes table on the System > Licenses page, and click the icon in the Exclude column for that node.
Step 2 A warning displays, saying that excluding this node will create an address object for it and place it in the License Exclusion List address group. Click OK to exclude the node.
You can manage the License Exclusion List group and address objects in the Network > Address Objects page of the management interface. Click the Node License Exclusion List link to jump to the Network > Address Objects page. See Chapter 19, Network > Address Objects for instructions on managing address objects.
Security Services Summary
The Security Services Summary table lists the available and activated security services on the SonicWALL security appliance.
The Security Service column lists all the available SonicWALL Security Services and upgrades available for the SonicWALL security appliance. The Status column indicates if the security service is activated (Licensed), available for activation (Not Licensed), or no longer active (Expired). The number of nodes/users allowed for the license is displayed in the Count column. The Expiration column displays the expiration date for any Licensed Security Service.
The information listed in the Security Services Summary table is updated from your mySonicWALL.com account the next time the SonicWALL security appliance automatically synchronizes with your mySonicWALL.com account (once a day) or you can click the link in To synchronize licenses with mySonicWALL.com click here in the Manage Security Services Online section.
For more information on SonicWALL Security Services, see “Security Services” on page 685.
Manage Security Services Online
To activate, upgrade, or renew services, click the link in To Activate, Upgrade, or Renew services, click here. Click the link in To synchronize licenses with mySonicWALL.com click here to synchronize your mySonicWALL.com account with the Security Services Summary table.
You can also get free trial subscriptions to SonicWALL Content Filter Service and Client Anti-Virus by clicking the For Free Trials click here link. When you click these links, the mySonicWALL.com Login page is displayed.
Enter your mySonicWALL.com account username and password in the User Name and Password fields and click Submit. The Manage Services Online page is displayed with licensing information from your mySonicWALL.com account.
Manual Upgrade
Manual Upgrade allows you to activate your services by typing the service activation key supplied with the service subscription not activated on mySonicWALL.com. Type the activation key from the product into the Enter upgrade key field and click Submit.
Manual Upgrade for Closed Environments
If your SonicWALL security appliance is deployed in a high security environment that does not allow direct Internet connectivity from the SonicWALL security appliance, you can enter the encrypted license key information from http://www.mysonicwall.com manually on the System > Licenses page in the SonicWALL Management Interface.
Note Manual upgrade of the encrypted License Keyset is only for Closed Environments. If your SonicWALL security appliance is connected to the Internet, it is recommended you use the automatic registration and Security Services upgrade features of your SonicWALL security appliance.
From a Computer Connected to the Internet
Step 1 Make sure you have an account at http://www.mysonicwall.com and your SonicWALL security appliance is registered to the account before proceeding.
Step 2 After logging into www.mysonicwall.com, click on your registered SonicWALL security appliance listed in Registered SonicWALL Products.
Step 3 Click the View License Keyset link. The scrambled text displayed in the text box is the License Keyset for the selected SonicWALL security appliance and activated Security Services. Copy the Keyset text for pasting into the System > Licenses page or print the page if you plan to manually type in the Keyset into the SonicWALL security appliance.
From the Management Interface of your SonicWALL Security Appliance
Step 1 Make sure your SonicWALL security appliance is running SonicOS Standard or Enhanced 2.1 (or higher).
Step 2 Paste (or type) the Keyset (from the step 3) into the Keyset field in the Manual Upgrade section of the System > Licenses page (SonicOS).
Step 3 Click the Submit or the Apply button to update your SonicWALL security appliance. The status field at the bottom of the page displays The configuration has been updated.
Step 4 You can generate the System > Diagnostics > Tech Support Report to verify the upgrade details.
Note After the manual upgrade, the System > Licenses page does not contain any registration and upgrade information.
Caution The warning message: SonicWALL Registration Update Needed. Please update your registration information remains on the System > Status page after you have registered your SonicWALL security appliance. Ignore this message.

Chapter 7: Configuring Administration Settings

System > Administration

The System Administration page provides settings for the configuration of SonicWALL security appliance for secure and remote management. You can manage the SonicWALL using a variety of methods, including HTTPS, SNMP or SonicWALL Global Management System (SonicWALL GMS). This chapter contains the following sections:
“Firewall Name” on page 73
“Administrator Name & Password” on page 73
“Login Security Settings” on page 74
“Multiple Administrators” on page 76
“Web Management Settings” on page 77
“SSH Management Settings” on page 78
“Advanced Management” on page 78
“Download URL” on page 82
“Selecting UI Language” on page 83
Firewall Name
The Firewall Name uniquely identifies the SonicWALL security appliance and defaults to the serial number of the SonicWALL. The serial number is also the MAC address of the unit. To change the Firewall Name, type a unique alphanumeric name in the Firewall Name field. It must be at least 8 characters in length.
Administrator Name & Password
The Administrator Name can be changed from the default setting of admin to any word using alphanumeric characters up to 32 characters in length. To create a new administrator name, type the new name in the Administrator Name field. Click Apply for the changes to take effect on the SonicWALL.
Changing the Administrator Password
To set a new password for SonicWALL Management Interface access, type the old password in the Old Password field, and the new password in the New Password field. Type the new password again in the Confirm New Password field and click Apply. Once the SonicWALL security appliance has been updated, a message confirming the update is displayed at the bottom of the browser window.
Tip It’s recommended you change the default password “password” to your own custom password.
Login Security Settings
The internal SonicWALL web-server now only supports SSL version 3.0 and TLS with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak ciphers (symmetric ciphers less than 128 bits) are not supported. This heightened level of HTTPS security protects against potential SSLv2 roll-back vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards.
Tip By default, Mozilla Firefox 2.0 and Microsoft Internet Explorer 7.0 enable SSL 3.0 and TLS, and disable SSL 2.0. SonicWALL recommends using these most recent web browser releases. If you are using a previous release of these browsers, you should enable SSL 3.0 and TLS and disable SSL 2.0. In Internet Explorer, go to Tools > Internet Options, click on the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options, click on the Advanced tab, and then click on the Encryption tab.
SonicOS Enhanced 4.0 introduces password constraint enforcement, which can be configured to ensure that administrators and users are using secure passwords. This password constraint enforcement can satisfy the confidentiality requirements as defined by current information security management systems or compliance requirements, such as Common Criteria and the Payment Card Industry (PCI) standard.
The Password must be changed every (days) setting requires users to change their passwords after the designated number of days has elapsed. When a user attempts to login with an expired password, a pop-up window will prompt the user to enter a new password. The User Login Status window now includes a Change Password button so that users can change their passwords at any time.
The Bar repeated passwords for this many changes setting requires users to use unique passwords for the specified number of password changes.
The Enforce a minimum password length of setting sets the shortest allowed password.
The Enforce password complexity pulldown menu provides the following options:
Require both alphabetic and numeric characters
Require alphabetic, numeric, and symbolic characters
The Apply these password constraints for checkboxes specify which classes of users the password constraints are applied to. The administrator checkbox refers to the default administrator with the username admin.
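To see how the four constraints above interact, the following added example (not SonicOS code and not part of the original guide) models them in Python. The class and function names, the salted PBKDF2 history store, and the reading of "Bar repeated passwords for this many changes" as "must differ from the N most recently set passwords" are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Labels (assumed names) for the two "Enforce password complexity" options.
ALNUM = "alphabetic+numeric"
ALNUM_SYMBOL = "alphabetic+numeric+symbolic"


@dataclass
class PasswordPolicy:
    max_age_days: int    # "Password must be changed every (days)"
    history_depth: int   # "Bar repeated passwords for this many changes"
    min_length: int      # "Enforce a minimum password length of"
    complexity: str      # ALNUM or ALNUM_SYMBOL


@dataclass
class Account:
    # Newest first; each entry is (salt, PBKDF2 digest), never the password.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[date] = None


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def violations(policy: PasswordPolicy, account: Account, candidate: str) -> List[str]:
    """Return every constraint the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if policy.complexity == ALNUM_SYMBOL and not any(
        not c.isalnum() and not c.isspace() for c in candidate
    ):
        problems.append("no symbolic character")
    # Compare against the stored digests of the most recent passwords.
    for salt, stored in account.history[: policy.history_depth]:
        if hmac.compare_digest(_digest(candidate, salt), stored):
            problems.append("reused password")
            break
    return problems


def change_password(policy: PasswordPolicy, account: Account,
                    candidate: str, today: date) -> List[str]:
    """Apply the change if the policy allows it; return the violations otherwise."""
    problems = violations(policy, account, candidate)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(candidate, salt)))
    del account.history[policy.history_depth:]   # keep only what the policy needs
    account.last_changed = today
    return []


def is_expired(policy: PasswordPolicy, account: Account, today: date) -> bool:
    """True when the user must be prompted for a new password at login."""
    if account.last_changed is None:
        return True
    return (today - account.last_changed).days >= policy.max_age_days
```

With a history depth of 2, a password becomes usable again only after two other passwords have been set in between, which is why the history setting is usually paired with the expiry interval.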
The Log out the Administrator Inactivity Timeout after inactivity of (minutes) setting allows you to set the length of inactivity time that elapses before you are automatically logged out of the Management Interface. By default, the SonicWALL security appliance logs out the administrator after 5 minutes of inactivity. The inactivity timeout can range from 1 to 99 minutes. Click Apply, and a message confirming the update is displayed at the bottom of the browser window.
Tip If the Administrator Inactivity Timeout is extended beyond 5 minutes, you should end every management session by clicking Logout to prevent unauthorized access to the SonicWALL security appliance’s Management Interface.
You can configure the SonicWALL security appliance to lock out an administrator or a user if the login credentials are incorrect. Select the Enable Administrator/User Lockout on login failure checkbox to prevent users from attempting to log into the SonicWALL security appliance without proper authentication credentials. Type the number of failed attempts before the user is locked out in the Failed login attempts per minute before lockout field. Type the length of time that must elapse before the user can attempt to log into the SonicWALL again in the Lockout Period (minutes) field.
Caution If the administrator and a user are logging into the SonicWALL using the same source IP address, the administrator is also locked out of the SonicWALL. The lockout is based on the source IP address of the user or administrator.
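The side effect described in the Caution can be reproduced with a small model of source-IP-keyed lockout. This is an added example, not SonicOS code: the class name, the 60-second sliding window, the threshold of 5 failures, the 5-minute lockout period, and the sample events (documentation-range addresses) are all constructed for illustration.

```python
from collections import defaultdict, deque


class SourceIpLockout:
    """Lockout keyed only on source IP, as the guide describes (assumed semantics)."""

    def __init__(self, failures_per_minute: int, lockout_minutes: int):
        self.failures_per_minute = failures_per_minute
        self.lockout_seconds = lockout_minutes * 60
        self._failures = defaultdict(deque)   # source IP -> times of recent failures
        self._locked_until = {}               # source IP -> time the lockout ends

    def is_locked(self, source_ip: str, now: int) -> bool:
        until = self._locked_until.get(source_ip)
        if until is not None and now >= until:
            del self._locked_until[source_ip]  # lockout period has elapsed
            until = None
        return until is not None

    def login(self, source_ip: str, username: str, credentials_ok: bool, now: int) -> str:
        """Return 'locked', 'ok' or 'failed'. The username plays no part in the decision."""
        if self.is_locked(source_ip, now):
            return "locked"
        if credentials_ok:
            return "ok"
        recent = self._failures[source_ip]
        recent.append(now)
        while now - recent[0] >= 60:           # keep only the last minute of failures
            recent.popleft()
        if len(recent) >= self.failures_per_minute:
            self._locked_until[source_ip] = now + self.lockout_seconds
            recent.clear()
        return "failed"


NAT_IP = "203.0.113.10"      # constructed: office NAT address shared by jdoe and admin
REMOTE_IP = "198.51.100.7"   # constructed: a different management station

# Constructed events: (seconds, source IP, username, credentials correct?)
SHARED_IP_EVENTS = [
    (0, NAT_IP, "jdoe", False),
    (8, NAT_IP, "jdoe", False),
    (16, NAT_IP, "jdoe", False),
    (24, NAT_IP, "jdoe", False),
    (32, NAT_IP, "jdoe", False),      # fifth failure within a minute: IP is locked
    (50, NAT_IP, "admin", True),      # correct password, same source IP
    (50, REMOTE_IP, "admin", True),   # correct password, different source IP
    (331, NAT_IP, "admin", True),     # one second before the lockout ends
    (332, NAT_IP, "admin", True),     # lockout period (5 minutes) has elapsed
]


def replay(events, failures_per_minute=5, lockout_minutes=5):
    """Run the events through a fresh tracker and return the outcome of each."""
    guard = SourceIpLockout(failures_per_minute, lockout_minutes)
    return [guard.login(ip, user, ok, t) for t, ip, user, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SHARED_IP_EVENTS, replay(SHARED_IP_EVENTS)):
        print(event, "->", outcome)
```

The administrator's correct password is rejected from the shared address until the lockout period ends, while the same credentials succeed from a different source IP, so management stations are best kept on addresses that ordinary users do not share.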
Multiple Administrators
SonicOS Enhanced provides the ability for multiple administrators to access the SonicOS Management Interface simultaneously. For more information on Multiple Administrators, see the “Multiple Administrator Support Overview” section on page 590. The System > Administration page contains a number of options to manage multiple administrators.
The On preemption by another administrator setting configures what happens when one administrator preempts another administrator using the Multiple Administrators feature. The preempted administrator can either be converted to non-config mode or logged out.
Drop to non-config mode - Select to allow more than one administrator to access the appliance in non-config mode without disrupting the current administrator.
Log Out - Select to have the new administrator preempt the current administrator.
Allow preemption by a lower priority administrator after inactivity of (minutes) - Enter the number of minutes of inactivity by the current administrator that will allow a lower-priority administrator to preempt.
Enable inter-administrator messaging - Select to allow administrators to send text messages through the management interface to other administrators logged into the appliance. The message will appear in the browser’s status bar.
Messaging polling interval - Sets how often the administrator’s browser will check for inter-administrator messages. If there are likely to be multiple administrators who need to access the appliance, this should be set to a reasonably short interval to ensure timely delivery of messages.
Activating Configuration Mode
You can switch between configuration mode and non-config mode by clicking the button in the Web Management section (directly below the Multiple Administrator section).
When you are in configuration mode, the End. config mode button is displayed. When you are in non-config mode, the Configuration mode button is displayed. If there is not currently an administrator in configuration mode, you will automatically be entered into configuration mode. If another administrator is in configuration mode, the following message displays.
Click the Continue button to enter configuration mode. The current administrator is converted to read-only mode and you are given full administrator access.
Web Management Settings
The SonicWALL security appliance can be managed using HTTP or HTTPS and a Web browser. Both HTTP and HTTPS are enabled by default. The default port for HTTP is port 80, but you can configure access through another port. Type the number of the desired port in the Port field, and click Apply. However, if you configure another port for HTTP management, you must include the port number when you use the IP address to log into the SonicWALL security appliance. For example, if you configure the port to be 76, then you must type <LAN IP Address>:76 into the Web browser, i.e. <http://192.168.168.1:76>. The default port for HTTPS management is 443.
You can add another layer of security for logging into the SonicWALL security appliance by changing the default port. To configure another port for HTTPS management, type the preferred port number into the Port field, and click Update. For example, if you configure the HTTPS Management Port to be 700, then you must log into the SonicWALL using the port number as well as the IP address, for example, <https://192.168.168.1:700> to access the SonicWALL.
The Certificate Selection menu allows you to use a self-signed certificate (Use Self-signed Certificate), which allows you to continue using a certificate without downloading a new one each time you log into the SonicWALL security appliance. You can also choose Import Certificate to select an imported certificate from the System > Certificates page to use for authentication to the management interface.
When the Use System Dashboard View as starting page checkbox is enabled, the System > Dashboard page will be displayed when you first log into the SonicWALL security appliance. If this option is disabled, the System > Status page will be displayed.
The Delete Cookies button removes all browser cookies saved by the SonicWALL appliance. Deleting cookies will cause you to lose any unsaved changes made in the Management interface.
Changing the Default Size for SonicWALL Management Interface Tables
The SonicWALL Management Interface allows you to control how large tables of information are displayed across all tables in the Management Interface. You can change the default table page size in all tables displayed in the SonicWALL Management Interface from the default 50 items per page to any size ranging from 1 to 5,000 items.
To change the default table size:
Step 1 Enter the maximum table size number in the Table Size field.
Step 2 Click Apply.
SSH Management Settings
If you use SSH to manage the SonicWALL appliance, you can change the SSH port for additional security. The default SSH port is 22.
Advanced Management
You can manage the SonicWALL security appliance using SNMP or SonicWALL Global Management System. The following sections explain how to configure the SonicWALL for management by these two options.
For more information on SonicWALL Global Management System, go to http://www.sonicwall.com.
Enabling SNMP Management
SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL security appliance and receive notification of critical events as they occur on the network. The SonicWALL security appliance supports SNMP v1/v2c and all relevant Management Information Base II (MIB) groups except egp and at. The SonicWALL security appliance replies to SNMP Get commands for MIBII via any interface and supports a custom SonicWALL MIB for generating trap messages. The custom SonicWALL MIB is available for download from the SonicWALL Web site and can be loaded into third-party SNMP management software such as HP Openview, Tivoli, or SNMPC.
To enable SNMP on the SonicWALL security appliance, log into the Management interface and click System, then Administration. Select the Enable SNMP checkbox, and then click Configure. The Configure SNMP window is displayed.
Step 1 Type the host name of the SonicWALL security appliance in the System Name field.
Step 2 Type the network administrator’s name in the System Contact field.
Step 3 Type an e-mail address, telephone number, or pager number in the System Location field.
Step 4 Type a name for a group or community of administrators who can view SNMP data in the Get Community Name field.
Step 5 Type a name for a group or community of administrators who can view SNMP traps in the Trap Community Name field.
Step 6 Type the IP address or host name of the SNMP management system receiving SNMP traps in the Host 1 through Host 4 fields. You must configure at least one IP address or host name, but up to four addresses or host names can be used.
Step 7 Click OK.
Configuring Log/Log Settings for SNMP
Trap messages are generated only for the alert message categories normally sent by the SonicWALL security appliance. For example, attacks, system errors, or blocked Web sites generate trap messages. If none of the categories are selected on the Log > Settings page, then no trap messages are generated.
Configuring SNMP as a Service and Adding Rules
By default, SNMP is disabled on the SonicWALL security appliance. To enable SNMP you must first enable SNMP on the System > Administration page, and then enable it for individual interfaces. To do this, go to the Network > Interfaces page and click on the Configure button for the interface you want to enable SNMP on.
For instructions on adding services and rules to the SonicWALL security appliance, see Part 5 Firewall.
If your SNMP management system supports discovery, the SonicWALL security appliance agent automatically discovers the SonicWALL security appliance on the network. Otherwise, you must add the SonicWALL security appliance to the list of SNMP-managed devices on the SNMP management system.
Enable GMS Management
You can configure the SonicWALL security appliance to be managed by SonicWALL Global Management System (SonicWALL GMS). To configure the SonicWALL security appliance for GMS management:
Step 1 Select the Enable Management using GMS checkbox, then click Configure. The Configure GMS Settings window is displayed.
Step 2 Enter the host name or IP address of the GMS Console in the GMS Host Name or IP Address field.
Step 3 Enter the port in the GMS Syslog Server Port field. The default value is 514.
Step 4 Select Send Heartbeat Status Messages Only to send only heartbeat status instead of log messages.
Step 5 Select GMS behind NAT Device if the GMS Console is placed behind a device using NAT on the network. Type the IP address of the NAT device in the NAT Device IP Address field.
Step 6 Select one of the following GMS modes from the Management Mode menu.
IPSEC Management Tunnel - Selecting this option allows the SonicWALL security appliance to be managed over an IPsec VPN tunnel to the GMS management console. The default IPsec VPN settings are displayed. Select GMS behind NAT Device if applicable to the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window.
Existing Tunnel - If this option is selected, the GMS server and the SonicWALL security appliance already have an existing VPN tunnel over the connection. Enter the GMS host name or IP address in the GMS Host Name or IP Address field. Enter the port number in the Syslog Server Port field.
HTTPS - If this option is selected, HTTPS management is allowed from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWALL security appliance also sends encrypted syslog packets and SNMP traps using 3DES and the SonicWALL security appliance administrator’s password. The following configuration settings for HTTPS management mode are displayed:
Send Syslog Messages in Cleartext Format - Sends heartbeat messages as cleartext.
Send Syslog Messages to a Distributed GMS Reporting Server - Sends regular heartbeat messages to both the GMS Primary and Standby Agent IP address. The regular heartbeat messages are sent to the specified GMS reporting server and the reporting server port.
GMS Reporting Server IP Address - Enter the IP address of the GMS Reporting Server, if the server is separate from the GMS management server.
GMS Reporting Server Port - Enter the port for the GMS Reporting Server. The default value is 514.
Step 7 Click OK.
Download URL
SonicWALL Global VPN Client (GVC) and SonicWALL Global Security Client (GSC) allow users to connect securely to your network using the GroupVPN Policy on the port they are connecting to. GVC or the VPN client portion of GSC is required for a user to connect to the GroupVPN Policy. Depending on how you have set up your VPN policies, if a user does not have the latest GVC or GSC software installed, the user will be directed to a URL to download the latest GVC or GSC software.
The Download URL section provides a field for entering the URL address of a site for downloading the SonicWALL Global VPN Client application, when a user is prompted to use the Global VPN Client for access to the network.
The default URL http://help.mysonicwall.com/applications/vpnclient displays the SonicWALL Global VPN Client download site. You can point to any URL where you provide the SonicWALL Global VPN Client application.
Selecting UI Language
If your firmware contains other languages besides English, they can be selected in the Language Selection pulldown menu.
Note Changing the language of the SonicOS UI requires that the SonicWALL security appliance be rebooted.

Chapter 8: Managing Certificates

System > Certificates

To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL security appliance to validate your Local Certificates. You import the valid CA certificate into the SonicWALL security appliance using the System > Certificates page. Once you import the valid CA certificate, you can use it to validate your local certificates.
Digital Certificates Overview
A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). The X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWALL has implemented this standard in its third party certificate support.
You can use a certificate signed and verified by a third party CA to use with an IKE (Internet Key Exchange) VPN policy. IKE is an important part of IPsec VPN solutions, and it can use digital certificates to authenticate peer devices before setting up SAs. Without digital certificates, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices or clients using digital signatures do not require configuration changes every time a new device or client is added to the network.
A typical certificate consists of two sections: a data section and a signature section. The data section typically contains information such as the version of X.509 supported by the certificate, a certificate serial number, information about the user’s public key, the Distinguished Name (DN), the validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature.
SonicWALL security appliances interoperate with any X.509v3-compliant provider of Certificates. SonicWALL security appliances have been tested with the following vendors of Certificate Authority Certificates:
Entrust
Microsoft
OpenCA
OpenSSL
VeriSign
Certificates and Certificate Requests
The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates.
The View Style menu allows you to display your certificates in the Certificates and Certificate Requests table based on the following criteria:
All Certificates - displays all certificates and certificate requests.
Imported certificates and requests - displays all imported certificates and generated certificate requests.
Built-in certificates - displays all certificates included with the SonicWALL security appliance.
Include expired and built-in certificates - displays all expired and built-in certificates.
The Certificates and Certificate Requests table displays the following information about your certificates:
Certificate - the name of the certificate.
Type - the type of certificate, which can include CA or Local.
Validated - the validation information.
Expires - the date and time the certificate expires.
Details - the details of the certificate. Moving the pointer over the icon displays the details of the certificate.
Configure - Displays the edit and delete icons for editing or deleting a certificate entry. Also displays the Import icon to import either certificate revocation lists (for CA certificates) or signed certificates (for Pending requests).
Certificate Details
Clicking on the icon in the Details column of the Certificates and Certificate Requests table lists information about the certificate, which may include the following, depending on the type of certificate:
Certificate Issuer
Subject Distinguished Name
Certificate Serial Number
Valid from
Expires On
Status (for Pending requests and local certificates)
CRL Status (for Certificate Authority certificates)
The details shown in the Details mouseover popup depend on the type of certificate. Certificate Issuer, Certificate Serial Number, Valid from, and Expires On are not shown for Pending requests since this information is generated by the Certificate provider. Similarly, CRL Status information is shown only for CA certificates and varies depending on the CA certificate configuration.
Importing Certificates
After your CA service has issued a Certificate for your Pending request, or has otherwise provided a Local Certificate, you can import it for use in VPN or Web Management authentication. CA Certificates may also be imported to verify local Certificates and peer Certificates used in IKE negotiation.
Importing a Certificate Authority Certificate
To import a certificate from a certificate authority, perform these steps:
Step 1 Click Import. The Import Certificate window is displayed.
Step 2 Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate window settings change.
Step 3 Enter the path to the certificate file in the Please select a file to import field or click Browse to locate the certificate file, and then click Open to set the directory path to the certificate.
Step 4 Click Import to import the certificate into the SonicWALL security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
Step 5 Moving your pointer to the icon in the Details column displays the certificate details information.
Importing a Local Certificate
To import a local certificate, perform these steps:
Step 1 Click Import. The Import Certificate window is displayed.
Step 2 Enter a certificate name in the Certificate Name field.
Step 3 Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the Certificate Management Password field.
Step 4 Enter the path to the certificate file in the Please select a file to import field or click Browse to locate the certificate file, and then click Open to set the directory path to the certificate.
Step 5 Click Import to import the certificate into the SonicWALL security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
Step 6 Moving your pointer to the icon in the Details column displays the certificate details information.
Deleting a Certificate
To delete the certificate, click the delete icon. You can delete a certificate if it has expired or if you decide not to use third party certificates for VPN authentication.
Certificate Revocation List (CRL)
A Certificate Revocation List (CRL) is a way to check the validity of an existing certificate. A certificate may be invalid for several reasons:
The status of the entity identified by the Certificate has changed in some way (for example, an employee has left the company).
The private key associated with a Certificate was stolen or compromised.
A new certificate was issued that takes precedence over the old certificate.
If a certificate is invalid, the CA may publish the certificate on a Certificate Revocation List at a given interval, or on an online server in an X.509 v3 database using Online Certificate Status Protocol (OCSP). Consult your CA provider for specific details on locating a CRL file or URL.
Tip The SonicWALL security appliance supports obtaining the CRL via HTTP or manually downloading the list.
Importing a CRL
You can import the CRL by manually downloading the CRL and then importing it into the SonicWALL security appliance.
Step 1 Click on the Import certificate revocation list icon. The Import CRL window is displayed.
Step 2 You can import the CRL from the certificate file by selecting Import CRL directly from a PEM (.pem) or DER (.der or .cer) encoded file, and either entering the path in the Select a CRL file to import field or clicking the Browse button to navigate to the file and clicking Open. Then click Import.
Step 3 You can also enter the URL location of the CRL by entering the address in the Enter CRL’s location (URL) field, and then click Import. The CRL is downloaded automatically at intervals determined by the CA service. Certificates are checked against the CRL by the SonicWALL security appliance for validity when they are used.
Step 4 By default, if no CRL is available, a Certificate is presumed to be valid if it passes all other checks (such as validity dates and signatures). To require that Certificates be checked against a valid CRL, enable the Invalidate Certificates and Security Associations if CRL import or processing fails setting.
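The difference the Step 4 setting makes, modelled in Python as an added example (it is not SonicOS code): the same revoked peer certificate is evaluated with a CRL present, with the CRL import failed, and with a stale CRL, under both the default and the stricter setting. The Cert and Crl types, the sample peers, and the treatment of a CRL past its next-update time as not valid are assumptions made for this illustration.

```python
# Added illustration: models the Step 4 decision; this is not SonicOS code.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Sequence, Tuple

UNCHECKED = "accepted, revocation NOT checked"


@dataclass(frozen=True)
class Cert:
    name: str
    serial: int
    not_before: datetime
    not_after: datetime
    signature_ok: bool  # result of CA signature verification, done elsewhere


@dataclass(frozen=True)
class Crl:
    revoked_serials: FrozenSet[int]
    next_update: datetime  # assumption: past this time the CRL is not "valid"


def evaluate(cert: Cert, crl: Optional[Crl], now: datetime,
             require_crl: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for one certificate.

    require_crl models the "Invalidate Certificates and Security
    Associations if CRL import or processing fails" setting.
    crl is None when the CRL import or download failed.
    """
    if not cert.signature_ok:
        return False, "signature check failed"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity dates"
    if crl is not None and now <= crl.next_update:
        if cert.serial in crl.revoked_serials:
            return False, "listed on CRL"
        return True, "accepted, revocation checked"
    # No usable CRL: the setting decides between fail-closed and fail-open.
    if require_crl:
        return False, "no valid CRL"
    return True, UNCHECKED


def unchecked_acceptances(certs: Sequence[Cert], crl: Optional[Crl],
                          now: datetime, require_crl: bool) -> List[str]:
    """Names of certificates accepted without any revocation check."""
    return [c.name for c in certs
            if evaluate(c, crl, now, require_crl) == (True, UNCHECKED)]


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data (not taken from any real appliance or CA).
NOW = utc(2008, 6, 1)
PEERS = [
    Cert("branch-a", 0x1001, utc(2008, 1, 1), utc(2009, 1, 1), True),
    Cert("ex-employee", 0x1002, utc(2008, 1, 1), utc(2009, 1, 1), True),
    Cert("expired", 0x1003, utc(2007, 1, 1), utc(2008, 1, 1), True),
]
GOOD_CRL = Crl(frozenset({0x1002}), next_update=utc(2008, 6, 8))
STALE_CRL = Crl(frozenset({0x1002}), next_update=utc(2008, 5, 1))

if __name__ == "__main__":
    cases = (("CRL imported", GOOD_CRL), ("CRL import failed", None),
             ("CRL stale", STALE_CRL))
    for label, crl in cases:
        for strict in (False, True):
            for cert in PEERS:
                accepted, reason = evaluate(cert, crl, NOW, strict)
                print(f"{label:18} strict={strict!s:5} {cert.name:12} "
                      f"{'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

With the default setting, the revoked "ex-employee" certificate is accepted whenever the CRL cannot be obtained; with the setting enabled, every certificate is rejected until a valid CRL is available.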
Generating a Certificate Signing Request
Tip You should create a Certificate Policy to be used in conjunction with local certificates. A Certificate Policy determines the authentication requirements and the authority limits required for the validation of a certificate.
To generate a local certificate, follow these steps:
Step 1 Click the New Signing Request button. The Certificate Signing Request window is displayed.
Step 2 In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field.
Step 3 Select the Request field type from the menu, then enter information for the certificate in the Request fields. As you enter information in the Request fields, the Distinguished Name (DN) is created in the Subject Distinguished Name field.
You can also attach an optional Subject Alternative Name to the certificate such as the Domain Name or E-mail Address.
Step 4 The Subject Key type is preset as an RSA algorithm. RSA is a public key cryptographic algorithm used for encrypting data.
Step 5 Select a Subject Key size from the Subject Key Size menu.
Note Not all key sizes are supported by a Certificate Authority, therefore you should check with your CA for supported key sizes.
Step 6 Click Generate to create a certificate signing request file. Once the Certificate Signing Request is generated, a message describing the result is displayed.
Step 7 Click Export to download the file to your computer, then click Save to save it to a directory on your computer. You have generated the Certificate Request that you can send to your Certificate Authority for validation.

Chapter 9: Configuring Time Settings

System > Time

The System > Time page defines the time and date settings to time stamp log events, to automatically update SonicWALL Security Services, and for other internal purposes.

By default, the SonicWALL security appliance uses an internal list of public NTP servers to automatically update the time. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes to a fraction of a millisecond.
System Time
To select your time zone and automatically update the time, choose the time zone from the Time Zone menu. Set time automatically using NTP is activated by default to use NTP (Network Time Protocol) servers from an internal list to set time automatically. Automatically adjust clock for daylight saving changes is also activated by default to enable automatic adjustments for daylight savings time.
If you want to set your time manually, uncheck Set time automatically using NTP. Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus.
Selecting Display UTC in logs (instead of local time) specifies the use of universal time (UTC) rather than local time for log events.
Selecting Display time in International format displays the date in International format, with the day preceding the month.
After selecting your System Time settings, click Apply.
NTP Settings
Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes, to a fraction of a millisecond.
Tip The SonicWALL security appliance uses an internal list of NTP servers so manually entering an NTP server is optional.
Select Use NTP to set time automatically if you want to use your local server to set the SonicWALL security appliance clock. You can also configure Update Interval (minutes) for the NTP server to update the SonicWALL security appliance. The default value is 60 minutes.
To add an NTP server to the SonicWALL security appliance configuration:
Step 1 Click Add. The Add NTP Server window is displayed.
Step 2 Type the IP address of an NTP server in the NTP Server field.
Step 3 Click OK.
Step 4 Click Apply on the System > Time page to update the SonicWALL security appliance.
To delete an NTP server, highlight the IP address and click Delete. Or, click Delete All to delete all servers.

Chapter 10: Setting Schedules

System > Schedules

The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicWALL security appliance features.

Note You cannot delete the default Work Hours, After Hours, or Weekend Hours schedules.
The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the edit icon in the Configure column to display the Edit Schedule window.
You apply schedule objects for the specific security feature. For example, if you add an access rule in the Firewall > Access Rules page, the Add Rule window provides a drop down menu of all the available schedule objects you created in the System > Schedules page.
A schedule can include multiple day and time increments for rule enforcement with a single schedule. If a schedule includes multiple day and time entries, a + (expand) button appears next to the schedule name. Clicking the + button expands the schedule to display all the day and time entries for the schedule.
Adding a Schedule
To create schedules, click Add. The Add Schedule window is displayed.
Step 1 Enter a name for the schedule in the Name field.
Step 2 Select the days of the week to apply to the schedule or select All.
Step 3 Enter the time of day for the schedule to begin in the Start field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.
Step 4 Enter the time of day for the schedule to stop in the Stop field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.
Step 5 Click Add.
Step 6 Click OK to add the schedule to the Schedules table.
Step 7 To delete existing days and times, select the schedule and click Delete. Or, to delete all existing schedules, click Delete All.
Deleting Schedules
To delete individual schedule objects you created, select the checkbox next to the schedule entry; the Delete button becomes enabled. Click Delete. To delete all schedule objects you created, select the checkbox next to the Name column header to select all schedules. Click Delete.

Chapter 11: Managing SonicWALL Security Appliance Firmware

System > Settings

This System > Settings page allows you to manage your SonicWALL security appliance’s SonicOS versions and preferences.
Settings
Import Settings
To import a previously saved preferences file into the SonicWALL security appliance, follow these instructions:
Step 1 Click Import Settings to import a previously exported preferences file into the SonicWALL security appliance. The Import Settings window is displayed.
Step 2 Click Browse to locate the file which has a *.exp file name extension.
Step 3 Select the preferences file.
Step 4 Click Import, and restart the firewall.
Export Settings
To export configuration settings from the SonicWALL security appliance, use the instructions below:
Step 1 Click Export Settings. The Export Settings window is displayed.
Step 2 Click Export.
Step 3 Click Save, and then select a location to save the file. The file is named “sonicwall.exp” but can be renamed.
Step 4 Click Save. This process can take up to a minute. The exported preferences file can be imported into the SonicWALL security appliance if it is necessary to reset the firmware.
Firmware Management
The Firmware Management section provides settings that allow for easy firmware upgrade and preferences management. The Firmware Management section allows you to:
Upload and download firmware images and system settings.