manualshive.com logo in svg

Dell SonicWALL GX250, Manual

The Dell SonicWALL GX250 User Manual is a comprehensive guide that provides step-by-step instructions to optimize the usage of this powerful network security appliance. Download the free manual from manualshive.com and gain valuable insights into configuring and maintaining the GX250 to enhance your network's protection and performance.

Share
Download
background image

SonicWALL Internet Security Appliance Guide Page 117

VPN Advanced Settings

All of the 

Advanced Settings

 for VPN connections are now located by clicking

Advanced

 

Settings

 located in the middle of the 

Configure

 tab. The following

settings are available in the

 Edit Advanced Settings

 window:

Enable Keep Alive

 

Require XAUTH/RADIUS (only allows VPN clients)

 

Enable Perfect Forward Secrecy 

Enable Windows Networking (NetBIOS) broadcast

 

Apply NAT and firewall rules

 

Forward packets to remote VPNs

 

Route all internet traffic through this SA

 

Default LAN Gateway

 

Enable Keep Alive

Checking the 

Enable Keep Alive

 checkbox allows the VPN tunnel to remain active or

maintain its current connection. A proprietary dead peer detection is now implemented
that detects whether or not the remote Security Gateway has a valid IKE tunnel. This
checkbox cannot be used with the Group VPN Security Association.

Require XAUTH/RADIUS (only allows VPN clients)

An IKE Security Association may be configured to require RADIUS authentication
before allowing VPN clients to access LAN resources. This authentication provides an
additional layer of VPN security while simplifying and centralizing management.
RADIUS authentication allows many VPN clients to share the same VPN configuration,
but requires each client to authenticate with a unique user name and password. And
because a RADIUS server controls network access, all employee privileges may be
created and modified from one location

integrated_manual.book  Page 117  Wednesday, June 13, 2001  6:21 PM

Summary of Contents for SonicWALL GX250

Page 1: ...ackage 20 Overview 20 Connecting the SonicWALL to the Network 21 Performing the Initial Configuration 23 4 MANAGING YOUR SONICWALL 33 Log into the SonicWALL From a Web Browser 33 CLI Support and Remote Management 35 5 NETWORK SETTINGS 37 Standard Configuration 39 NAT Enabled Configuration 40 Multiple LAN Subnet Mask Support 42 NAT with DHCP Client Configuration 43 NAT with PPPoE Configuration 44 S...

Page 2: ...Default Settings 71 Upgrade Features 74 Diagnostic Tools 74 DNS Name Lookup 74 Ping 76 Tech Support Report 79 9 NETWORK ACCESS RULES 81 Services 81 Detection Prevention 82 Network Connection Inactivity Timeout 82 Creating a Public LAN Server 83 Add Service 84 Rules 85 Understanding the Access Rule Hierarchy 89 User Authentication 91 Remote Management 93 Remote Management 94 10 ADVANCED FEATURES 97...

Page 3: ...iations 150 Editing and Deleting Security Associations 151 Basic VPN Terms and Concepts 152 13 HIGH AVAILABILITY 155 Getting Started with High Availability 156 Before You Start 156 Network Configuration for High Availability Pair 156 Configuring High Availability 157 Configuring High Availability on the Primary SonicWALL 157 High Availability Status 160 High Availability Status Window 160 E mail A...

Page 4: ... Anti Virus 187 SonicWALL Content Filter List Subscription 187 SonicWALL Authentication Service 188 SonicWALL Vulnerability Scanning Service 188 SonicWALL Per Incident Support 188 SonicWALL Premium Support 188 SonicWALL Extended Warranty 188 SonicWALL Global Management System 188 16 APPENDICES 190 APPENDIX A IP PORT NUMBERS 190 APPENDIX B CONFIGURING TCP IP SETTINGS 191 APPENDIX C ERASING THE FIRM...

Page 5: ...workmanship If there is a defect in the hardware SonicWALL will replace the product at no charge provided that it is returned to SonicWALL with transportation charges prepaid A Return Materials Authorization RMA number must be displayed on the outside of the package for the product being returned for replacement or the product will be refused The RMA number may be obtained by calling SonicWALL Cus...

Page 6: ...overs the installation and configuration of the SonicWALL GX250 and GX650 Organization of the Guide Chapter 1 Introduction describes the features and applications of the SonicWALL Chapter 2 SonicWALL QuickStart Installation demonstrates how to connect the SonicWALL to your network and perform the initial configuration Chapter 3 Managing Your SonicWALL provides a brief overview of the SonicWALL Web...

Page 7: ...ures presents a brief summary of the SonicWALL s subscription services firmware upgrades and other options Chapter 16 Hardware Description illustrates and describes the SonicWALL s front and back panel displays Chapter 17 Appendices additional information about the GX series Appendix A IP Port Numbers offers information about IP port numbering Appendix B Configuring TCP IP Settings provides instru...

Page 8: ...P traffic MD5 authentication is used to encrypt communications between your Management Station and the SonicWALL Web Management Interface MD5 Authentication prevents unauthorized users from detecting and stealing the SonicWALL password as it is sent over your network The following figure illustrates the SonicWALL s security functions By default the SonicWALL allows outbound access from the LAN to ...

Page 9: ...Internet and block traffic from the Internet to the LAN You may create additional Network Access Rules that allow inbound traffic to network servers such as Web and mail servers or that restrict outbound traffic to certain destinations on the Internet Auto Update The SonicWALL maintains the highest level of security by automatically notifying you when new firmware is released When new firmware is ...

Page 10: ...te extremely detailed event log information to an external Syslog server Syslog is the industry standard method to capture information about network activity E mail Alerts The SonicWALL may be configured to send alerts of high priority events such as attacks system errors and blocked Web sites When these events occur alerts may be immediately sent to an E mail address or E mail pager Dynamic Host ...

Page 11: ...icWALL Products High speed LAN and WAN connections are driving the need for high performance security systems in Internet data centers and large enterprises but the cost and complexity of currently available gigabit security products has hampered their market acceptance The new SonicWALL GX Series appeals to organizations seeking Internet security solutions for high bandwidth networks by offering ...

Page 12: ...provides a scalable path for future performance upgrades additional interfaces and different interface types The SonicWALL GX Series also delivers high availability through failover support and hot swappable power supplies Comprehensive Management The SonicWALL GX Series includes comprehensive security management tools and interface options including Web SNMP command line and global management by ...

Page 13: ...itecture SonicWALL GX security systems robust archi tecture meets the high demands of large scale security environments and provides a scalable platform for future upgrades High Availability SonicWALL GX models include high availability through failover support and dual hot swappable power supplies The GX Series Feature Chart Model GX250 GX650 Standard Interfaces 3 10 100Base TX 3 1000Base SX Scal...

Page 14: ...ver scalable high performance security beating existing complex and expen sive high speed security solutions AutoUpdate SonicWALL Internet security appliances maintain the highest level of security by automatically checking for new firmware updates with protection against newly discovered hacker attacks All firmware updates are FREE for the life of the product Flexible Management Options SonicWALL...

Page 15: ...pansion Cards Single Port 10 100Base T Single Port 1000Base SX Single Port 1000Base T Power Redundant hot swappable power supplies with PFC 100 240 VAC 50 60 Hz Redundant hot swappable power supplies with PFC 100 240 VAC 50 60 Hz Dimensions 19 x 19 x 5 25 inches 3U rack 48 3 x 48 3 x 13 3 cm Includes 19 rack mounting hardware Weight 30 lb 13 5 kg 19 x 19 x 5 25 inches 3U rack 48 3 x 48 3 x 13 3 cm...

Page 16: ...e types of network interfaces installed SonicWALL GX250 and SonicWALL GX650 Front Panel Description Power Lights up green if both power supplies are functioning on the SonicWALL GX250 or SonicWALL GX650 If it is red one of the power supplies has failed and an audible alarm also sounds Test Lights up when the SonicWALL is powered up and performing diagnostic tests for proper operation These tests t...

Page 17: ... 45 connectors There is an additional slot available for upgrading the appliance The standard NIC has two LEDs Link Activity The Link light is green when a twisted pair connection is made to another Ethernet device usually a switch or a hub on the port Note that the device connected to the SonicWALL must support the standard link integrity test The Link LED blinks indicating Activity when the Soni...

Page 18: ...links indicating Activity when the SonicWALL transmits or receives a frame Network Speed The Network Speed light remains off if there is no connection or if a 10Mbps connection is made If a 100 Mbps connection is made the LED is green If a 1000 Mbps connection is obtained the LED is yellow Reset Switch Resets the SonicWALL GX250 or the SonicWALL GX650 to its factory clean state This may be require...

Page 19: ...swappable power supplies with active power function correction 100 240 VAC 50 60 Hz Power Switches One power switch for each hot swappable power supply module The audible alarm sounds if only one power supply is functioning Alarm Reset Button The Alarm Reset button resets the audible alarm Cooling Vents The SonicWALL is convection cooled and has an internal fan that is not crucial to the function ...

Page 20: ...ling the SonicWALL appliance The WAN Ethernet port should be connected to the Internet router or modem The LAN Ethernet port should be connected to a network hub or switch on the internal protected network The DMZ Ethernet port included with the SonicWALL GX250 and GX650 should be connected to publicly accessible servers such as Web and Mail servers A crossover cable should be used when connecting...

Page 21: ...a computer Optional Connect the DMZ Ethernet port to a hub or switch with a standard Ethernet cable Or connect the DMZ port directly to a public server with a crossover cable Plug the SonicWALL power supply into an AC power outlet then plug the power supply output cable into the port on the back labeled Power Use the power adapter supplied with the SonicWALL do not use another power supply Note If...

Page 22: ...sses of Domain Name Servers either on your LAN or the Internet These addresses are required for downloading the Content Filter List and for the DNS Name Lookup tool The DNS addresses should be supplied by your ISP Mail Server Optional The Mail Server address is the name or the IP address of the mail server used to E mail log messages it may be a server on your LAN or the Internet For best results ...

Page 23: ...168 168 200 It may be necessary to restart the Management Station for the address change to take effect Note Appendix A describes how to change the IP address of your Management Station Launching the Web browser 1 Open a Web Browser such as Internet Explorer 5 0 or Netscape Navigator 3 0 or greater Then type the default SonicWALL IP address 192 168 168 168 into the Location or Address field in the...

Page 24: ...trator s password it is very important to choose a password which cannot be easily guessed by others 2 To set the password enter a new password in the New Password and Confirm New Password fields This window also displays the Use SonicWALL Global Management System checkbox SonicWALL Global Management System SonicWALL GMS is a web browser based security management system SonicWALL GMS allows enterp...

Page 25: ...matically by a Network Time Server on the Internet Click Next to continue Confirming Network Information 5 Confirm that you have the proper network information needed to configure the SonicWALL to access the Internet Click the hyperlinks for definitions of the net working terms Click Next to proceed to the next step integrated_manual book Page 25 Wednesday June 13 2001 6 21 PM ...

Page 26: ...cond option go to Step 11 8 Select the third option Provided you with desktop software a user name and password PPPoE if your ISP requires user name and password authenti cation as well as the installation of login software If you select the third option go to Step 12 9 Select the fourth option Automatically assigns you a dynamic IP address DHCP if your ISP automatically assigns you an IP address ...

Page 27: ...al Network Address Translation window is displayed 10 The Optional Network Address Translation NAT window offers the ability to enable NAT Select Don t Use NAT if there are enough static IP addresses for your SonicWALL all PCs and all network devices on your LAN Selecting Don t Use NAT enables the Standard mode Select Use NAT if valid IP addresses are in short supply or to hide all devices on your...

Page 28: ...sk WAN Gateway Router Address and DNS Server Addresses Click Next to continue If NAT is disabled go to Step 13 If Standard mode is selected go to Step 14 Setting the User Name and Password for PPPoE If you select NAT with PPPoE in the Connecting to the Internet window the SonicWALL ISP Settings PPoE window is displayed 12 Enter the User Name and Password provided by your ISP The Password is case s...

Page 29: ... and go to Step 15 Configuring LAN Network Settings 14 The Fill in information about your LAN window allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL The LAN Subnet Mask defines the range of IP addresses on the LAN The default values provided by the SonicWALL work for mo...

Page 30: ...f IP addresses that are assigned to com puters on the LAN If the Enable DHCP Server checkbox is not checked the DHCP Server is disabled Click Next to continue Configuration Summary 16 The Configuration Summary window displays the configuration defined using the Installation Wizard If you want to modify any of the settings click Back to return to the Connecting to the Internet window If the configu...

Page 31: ...indow provides important information to help configure the computers on the LAN Click Print this Page to print the window information The SonicWALL takes 90 seconds to restart During this time the yellow Test LED is lit Click Close to exit the SonicWALL Wizard 18 Reset the IP address of the Management Station according to the information dis played in the final window of the Installation Wizard in...

Page 32: ... SonicWALL 20 Register the SonicWALL The Status window in the SonicWALL Web Manage ment Interface displays a link to the online registration form Registering the SonicWALL provides access to technical support software updates and informa tion about new products Once registered you receive a free one month subscrip tion to the SonicWALL Content Filter List and a one month trial of SonicWALL Network...

Page 33: ... Netscape Navigator 3 0 or greater or In ternet Explorer 5 0 Type the SonicWALL s IP address initially 192 168 168 168 into the Location or Address field at the top of the browser An Authentication window with a Password dialogue box is displayed 2 Type admin in the User Name field and the password you defined in the Instal lation Wizard in the Password field Then click Login Note All SonicWALLs a...

Page 34: ... management functions are selected by clicking the tabs at the top of the window A Logout button at the bottom of the screen terminates the management session and redisplays the Authentication window If Logout is clicked it is necessary to login again to manage the SonicWALL Online help is also available Click Help at the top of any browser window to view the help files stored in the SonicWALL The...

Page 35: ...pe in the User Name and password admin for user name and then the password used for the management interface The following CLI commands are available for the SonicWALL or Help displays a listing of the top level commands available Export exports preferences from the SonicWALL using Zmodem file transfer Import imports preferences from the SonicWALL using Zmodem file transfer Logout logout of the So...

Page 36: ...rs Network Settings Logging and Alerting Content Filtering and Blocking Web Management Tools Network Access Rules Advanced Features DHCP Server SonicWALL VPN High Availability ViewPoint These chapters describe all the commands and functions necessary to manage your SonicWALL integrated_manual book Page 36 Wednesday June 13 2001 6 21 PM ...

Page 37: ...ddress scheme of your SonicWALL It includes four options Standard NAT Enabled NAT with DHCP Client and NAT with PPPoE Standard mode requires valid IP addresses for all computers on your network but allows remote access to authenticated users NAT Enabled mode translates your network s private IP addresses to the Son icWALL s single valid IP address Select NAT Enabled if your ISP assigned you only o...

Page 38: ...et If you use Cable or DSL your WAN router is probably located at your ISP If you select NAT with DHCP Client or NAT with PPPoE mode the WAN Gateway Router Address is assigned automatically SonicWALL WAN IP Address The SonicWALL WAN IP Address is a valid IP address assigned to the WAN port of the SonicWALL This address should be assigned by your ISP If you select NAT Enabled mode this is the only ...

Page 39: ... all computers and network devices on your LAN 2 Enter a unique valid IP address from your LAN address range in the SonicWALL LAN IP Address field The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL 3 Enter your network s subnet mask in the LAN Subnet Mask field The LAN Sub net Mask tells your SonicWALL which IP addresses are o...

Page 40: ...your network a private IP address range You should use addresses from one of the following address ranges on your private network 10 0 0 0 10 255 255 255 172 16 0 0 172 31 255 255 192 168 0 0 192 168 255 255 Note If your network address range uses valid TCP IP addresses Internet sites within that range will not be accessible from the LAN For example if you assign the address range 199 2 23 1 199 2...

Page 41: ... feature if you have multiple subnets on your network 4 Enter your WAN router or default gateway address in the WAN Gateway Rout er Address field This is the device that connects your network to the Internet If you use Cable or DSL your WAN router is probably located at your ISP 5 Enter a valid IP address assigned by your ISP in the SonicWALL WAN IP NAT Public Address field Because NAT is enabled ...

Page 42: ...onicWALL LAN IP Address is 192 168 168 1 Computers on the LAN have private IP addresses ranging from 192 168 168 2 to 192 168 168 255 In this example 192 168 168 1 the SonicWALL LAN IP Address should be the gateway or router address for all computers on the LAN Multiple LAN Subnet Mask Support Firmware 6 1 0 0 supports multiple subnet masks on the LAN without the use of a second router Click Gener...

Page 43: ...AN address range in the SonicWALL LAN IP Address field The SonicWALL LAN IP Address is the address assigned to the SonicWALL s LAN port and is used for management of the SonicWALL 3 Enter your network s subnet mask in the LAN Subnet Mask field The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN The default value 255 255 255 0 supports up to 254 IP addresses 4 Click the Upda...

Page 44: ...NS settings to obtain DNS name resolution NAT with PPPoE Configuration The SonicWALL may use Point to Point Protocol over Ethernet to connect to the Internet If your ISP requires the installation of desktop software and user name and password authentication to access the Internet enable NAT with PPPoE To configure NAT with PPPoE complete the following instructions Select NAT with PPPoE from the Ne...

Page 45: ...the Update button Once the SonicWALL has been updated a message con firming the update is displayed at the bottom of the browser window Restart the SonicWALL for these changes to take effect Note When NAT is enabled the SonicWALL LAN IP Address should be the gateway address for computers on the LAN When your SonicWALL has successfully established a PPPoE connection the Network page displays the So...

Page 46: ...an local time and display the date in International format with the day preceding the month To set the time and date manually uncheck the check boxes and enter the time in 24 hour format and the date NTP Settings Check the box Use NTP to set time automatically if you want to use your local server to set the SonicWALL clock You may also set the Update Interval for the NTP server to synchronize the ...

Page 47: ...P server highlight the IP address and click Delete NTP Server When you have configured the Time window click Update Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window integrated_manual book Page 47 Wednesday June 13 2001 6 21 PM ...

Page 48: ...t password is password If the password is not entered exactly the same in both New Password fields the operation fails This is done to prevent mistyping a password and getting accidentally locked out of the SonicWALL Warning The password cannot be recovered if it is lost or forgotten If the password is lost it is necessary to reset the SonicWALL to its factory default state Go to Appendix C for in...

Page 49: ...s to the SonicWALL Web Management Interface Set the inactivity timeout by entering the desired number of minutes in the Administrator Inactivity Timeout section and then click Update The Inactivity Timeout may range from 1 to 99 minutes Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window integrated_manual book Page 49 Wednesday June ...

Page 50: ...rt you of important events such as an attack to the SonicWALL Alerts are immediately E mailed either to an E mail address or to an E mail pager Click Log on the left side of the browser window and then click the View Log tab at the top of the window The log is displayed in a table and is sortable by column Depending on your Web browser you should be able to copy entries from the log and paste them...

Page 51: ...rchive blocked When ActiveX Java or Web cookies are blocked messages with the source and destination IP addresses of the connection attempt is displayed Ping of Death IP Spoof and SYN Flood Attacks The IP address of the machine under attack and the source of the attack is displayed In most attacks the source address shown is fake and does not reflect the real source of the attack Note Some network...

Page 52: ...red from the SonicWALL s memory If this field is left blank the log is not E mailed 3 Send Alerts To Enter your full E mail address username mydomain com in the Send alerts to field to be immediately E mailed when attacks or system errors occur Enter a standard E mail address or an E mail paging service If this field is left blank alert messages are not E mailed 4 Firewall Name The Firewall Name a...

Page 53: ...e day of the week the E mail is sent in the Every menu If the Week ly or the Daily option is selected enter the time of day when the E mail is sent in the At field If the Weekly or Daily option is selected and the log fills up it is E mailed automatically 9 When log overflows The log buffer fills up if the SonicWALL cannot E mail the log file The default behavior is to overwrite the log and discar...

Page 54: ...abled log messages showing Java ActiveX and Cookies which are blocked by the SonicWALL are displayed User Activity When enabled log messages showing successful and unsuccessful login attempts are displayed VPN TCP Stats Attacks When enabled log messages showing Denial of Service attacks such as SYN Flood Ping of Death and IP spoofing are displayed Dropped TCP When enabled log messages showing bloc...

Page 55: ...d by default Blocked Web Sites are disabled Attacks When enabled log entries categorized as Attacks generates an alert message System Errors When enabled log entries categorized as System Errors generates an alert message Blocked Web Sites When enabled log entries categorized as Blocked Web Sites generates an alert message Once you have configured the Log Settings window click Update Once the Soni...

Page 56: ...ction to begin log analysis When log analysis is enabled the button label changes to Stop Data Collection Reset Data Click Reset to clear the report statistics and begin a new sample period The sample period is also reset when data collection is stopped or started and when the SonicWALL is restarted View Data Select the desired report from the Report to view menu The options are Web Site Hits Band...

Page 57: ...Display Report menu displays a table showing the IP Address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period Bandwidth Usage by Service Selecting Bandwidth Usage by Service from the Display Report menu displays a table showing the name of the 25 top Internet services such as HTTP FTP RealAudio etc and the number of megabytes receive...

Page 58: ...terface Content Filtering and Blocking records Web site blocking by Filter List category domain name and keyword and provides instructions to update the SonicWALL Content Filter List Click Filter on the left side of the browser window and then click on the Categories tab at the top of the window Note Content Filtering applies only to the SonicWALL LAN integrated_manual book Page 58 Wednesday June ...

Page 59: ... WAN It does not block Web proxies located on the LAN Known Fradulent Certificates Digital certificates help verify that Web content and files originated from an authorized party If digital certificates are proven fraudulent then SonicWALL will block Web content and files that use these fraudulent certificates Enabling this feature protect users on the LAN from downloading malicious programs warra...

Page 60: ...ed Content Filtering is enforced at all times Block Between When selected Content Filtering is enforced during the time and days specified Enter the time period in 24 hour format and select the starting and ending day of the week that Content Filtering is enforced Updating the Filter List Since content on the Internet is constantly changing the Content Filter List needs to be updated regularly The...

Page 61: ...nloads of the Content Filter List Then select the day of the week and the time of day when the new list should be retrieved A current subscription to the Content Filter List updates is required Once loaded the creation date of the current active list is displayed at the top of the window If Filter List Not Loaded The Content Filter List expires 30 days after it is downloaded The Content Filter Lis...

Page 62: ... Download Now instructions to install the initial Content Filter List Click Update Once the SonicWALL is updated a message confirming the update is displayed at the bottom of the browser window Customizing the Filter List Click Filter on the left side of the browser window and then click on the Customize tab at the top of the window The Customize window allows you to customize the Content Filter L...

Page 63: ...ws you to enable and disable customization without removing and re entering custom domains Disable Web traffic except for Trusted Domains When the Disable Web traffic except for Trusted Domains checkbox is checked the SonicWALL only allows Web access to sites on the Trusted Domains list Don t block Java ActiveX Cookies to Trusted Domains When this box is checked SonicWALL permits Java ActiveX and ...

Page 64: ...he Add Keyword field and click Update Once the keyword has been added a message confirming the update is displayed at the bottom of the browser window To remove a keyword select it from the list and click Delete Keyword Once the keyword has been removed a message confirming the update is displayed at the bottom of the browser window Consent Features Consent allows you to enforce content filtering ...

Page 65: ...be used to remind users when their time has expired by displaying the page defined in the Consent page URL field Enter the time limit in minutes in the Maximum Web usage field When the default value of zero 0 is entered this feature is disabled Maximum idle time After a period of inactivity the SonicWALL requires the user to agree to the terms outlined in the Consent page before any additional Web...

Page 66: ... html where the SonicWALL LAN IP Address is used instead of 192 168 168 168 Consent Accepted URL Filtering Off When a user accepts the terms outlined in the Consent page and chooses to access the Internet without the protection of Content Filtering they are shown a Web page confirming their selection Enter the URL of this page in the Consent Accepted Filtering Off field This page must reside on a ...

Page 67: ...k must be 192 168 168 168 iAcceptFilter html where the SonicWALL LAN IP Address is used instead of 192 168 168 168 Enter the URL of this page in the Consent page URL Mandatory Filtering field and click Update Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the Web browser window Add New Address The SonicWALL may be configured to enforce content fil...

Page 68: ...re and perform several diagnostic tests Restarting the SonicWALL Click Tools on the left side of the browser window and then click the Restart tab at the top of the window The SonicWALL may be restarted from the Web Management Interface Click Restart SonicWALL and then click Yes to confirm the restart The SonicWALL takes up to 90 seconds to restart during which time Internet access for all users o...

Page 69: ...L settings and then retrieve them later for backup purposes It is recommended to save the SonicWALL settings when upgrading the firmware The Preferences window also provides options to restore the SonicWALL factory default settings and launch the SonicWALL Installation Wizard These functions are described in detail in the following pages integrated_manual book Page 69 Wednesday June 13 2001 6 21 P...

Page 70: ...tab 2 Click Export again to download the settings file Then choose the location to save the settings file The file is named sonicwall exp by default but may be renamed 3 Click Save to save the file This process may take up to a minute Importing the Settings File After exporting a settings file it is possible to import it back to the SonicWALL 1 Click Import in the Preferences tab integrated_manual...

Page 71: ...ettings and restore the SonicWALL to its factory default state 1 Click Restore on the Preferences tab to restore factory default settings 2 Click Yes and then restart the SonicWALL for the change to take effect Note The SonicWALL LAN IP Address LAN Subnet Mask and the Administrator Password is not reset Updating Firmware The SonicWALL has flash memory and may be easily upgraded with new firmware C...

Page 72: ... SonicWALL Serial Number Unit Type Current Firmware Version Language Current Available memory ROM version Options and Upgrades SonicWALL VPN Network Anti Virus When new firmware is available a message is E mailed to the address specified in the Log Settings window In addition the Status window includes notification of new firmware availability This notification provides links to firmware release n...

Page 73: ...used to upload new firmware into the SonicWALL must support HTTP uploads Netscape Navigator 3 0 and above is recommended When firmware is uploaded the SonicWALL settings may be erased It is recommended to save the SonicWALL s preferences so that they can be restored later Once the settings have been saved click Yes integrated_manual book Page 73 Wednesday June 13 2001 6 21 PM ...

Page 74: ...r your local reseller for more information about SonicWALL options and upgrades Web http www sonicwall com E mail sales sonicwall com Phone 408 745 9600 Fax 408 745 9300 When an upgrade is purchased an Activation Key and instructions for registering the upgrade are included Once you have registered the upgrade an Upgrade Key is issued Enter this key in the Enter upgrade key field and click Update ...

Page 75: ...up Find Network Path The Find Network Path tool shows whether an IP host is located on the LAN the WAN or the DMZ This is helpful to determine if the SonicWALL is properly configured For example if the SonicWALL thinks that a machine on the Internet is located on the LAN port then the SonicWALL Network or Intranet settings may be misconfigured Find Network Path shows if the target device is behind...

Page 76: ...h requires an IP address The SonicWALL DNS Name Lookup tool may be used to find the IP address of a host Ping The Ping test bounces a packet off a machine on the Internet back to the sender This test shows if the SonicWALL is able to contact the remote host If users on the LAN are having problems accessing services on the Internet try pinging the DNS server or another machine at the ISP location I...

Page 77: ...m source to destination This is a useful tool to determine if a communications stream is being stopped at the SonicWALL or is lost on the Internet To interpret this tool it is necessary to understand the three way handshake that occurs for every TCP connection The following displays a typical three way handshake initiated by a host on the SonicWALL s LAN to a remote host on the WAN 1 TCP received ...

Page 78: ... 158 1282 00 a0 4b 05 96 4a To 204 71 200 74 80 02 00 cf 58 d3 6a Client sends a final ACK and waits for start of data transfer 6 TCP sent on WAN ACK From 207 88 211 116 1937 00 40 10 0c 01 4e To 204 71 200 74 80 02 00 cf 58 d3 6a The SonicWALL forwards the client ACK to the remote host and waits for start of data transfer When using packet traces to isolate network connectivity problems look for ...

Page 79: ...formation is displayed 5 Click Stop to terminate the packet trace and Reset to clear the results Tech Support Report The Tech Support Report generates a detailed report of the SonicWALL configuration and status and saves it to the local hard disk This file can then be E mailed to SonicWALL Technical Support to help assist with a problem Before E mailing the Tech Support Report to the SonicWALL Tec...

Page 80: ...r Tech Support Report VPN Keys ARP Cache DHCP Bindings 1 Select the Report Options to be included in the Tech Support Report Click Save Report to save the report as a text file to the local disk A message is displayed to notify you that you are saving your SonicWALL settings in a plaintext file format 2 The report contains all of the information about your SonicWALL configuration in plaintext inte...

Page 81: ...of the window Note The LAN In column is not displayed if NAT is enabled The Services window allows you to customize Network Access Rules by service Services displayed in the Services window relate to the rules in the Rules window so any changes on the Services window appear in the Rules window The Default rule at the bottom of the table encompasses all Services LAN Out If the LAN Out checkbox is c...

Page 82: ...ugh Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets By default the SonicWALL blocks these broadcasts If you check the Windows Networking checkbox your SonicWALL allows NetBIOS broadcasts from LAN to DMZ or from LAN to WAN Then LAN users are able to view machines on the DMZ and on the WAN in their Windows Network Neighborhood Detection Prevention E...

Page 83: ...Mode or remove the Deny Default to LAN Rule in the Rules win dow to allow inbound access to a Public LAN Server 4 Click Update Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window Repeat these instructions to configure additional Public LAN Servers Additional Notes In Standard Network Addressing Mode users on the Internet access Publi...

Page 84: ...ndow Two numbers appear in brackets next to each service The first number indicates the service s IP port number The second number indicates the IP protocol type 6 for TCP 17 for UDP or 1 for ICMP Note There may be multiple entries with the same name For example the default configuration has two entries labeled Name Service DNS for UDP port 53 and TCP port 53 Multiple entries with the same name ar...

Page 85: ...ith the same name are created they are grouped together as a single service and may not function as expected Disable Logging You may disable logging of events in the SonicWALL Event Log For example if LINUX s authentication messages are filling up your log you may disable logging of LINUX authentication 1 Highlight the name of the desired service in the listbox 2 Uncheck the Enable Logging check b...

Page 86: ...net to access a sensitive server on the LAN To create custom Network Access Rules click Access on the left side of the browser window and then click the Rules tab at the top of the window Note Use extreme caution when creating or deleting Network Access Rules because it is possible to disable firewall protection or block access to the Internet integrated_manual book Page 86 Wednesday June 13 2001 ...

Page 87: ...Range Begin field and the ending IP address in the Addr Range End field To include all IP addresses enter in the Addr Range Begin field 5 Select the destination of the traffic affected by the rule either LAN WAN DMZ or from the Destination Ethernet menu If you want to define the destination IP addresses that are affected by the rule for example to allow inbound Web access to several Web servers on...

Page 88: ...he bottom of the list Edit a Rule To edit a rule click the Note Pad icon on the right side of the browser window A new Web browser window appears displaying the current configuration of the rule Make the desired changes and click Update to update the rule The modified rule is displayed in the list of Current Network Access Rules Delete a Rule To delete a rule click the Trash Can icon at the right ...

Page 89: ...ules at the top override rules listed below For example consider the section of the Rules window shown below The Default Allow Rule 7 at the bottom of the page allows all traffic from the LAN to the WAN However Rule 1 blocks IRC Chat traffic from a computer on the LAN to a server on the WAN The Default Deny Rule 6 blocks all traffic from the WAN to the LAN however Rule 2 overrides this rule by all...

Page 90: ...ult your SonicWALL does not respond to ping requests from the Internet This Rule allows ping requests from your ISP servers to your SonicWALL 1 Click Add New Rule in the Rules window to launch the Add Network Access Rule window 2 Select Allow from the Action menu 3 Select Ping from the Service menu 4 Select WAN from the Source Ethernet menu 5 Enter the starting IP address of the ISP network in the...

Page 91: ...ser is required to re establish an Authenticated Session The inactivity timeout applies to both Remote Access and Bypass Filters This value may range from 5 to 99 minutes Current User List The Current User List is a list that displays all currently defined users To add a new user complete the following instructions 1 Highlight the Add New User entry in the Current User List box 2 Enter the user s ...

Page 92: ...der to establish an Authenticated User Session a user must enter the SonicWALL LAN IP Address into the Location or Go to field in their Web browser Note The Web browser used to establish an authenticated session must support Java and JavaScript The user sees the SonicWALL authentication window asking for their user name and password After completing these fields and clicking Login their password i...

Page 93: ... any interface and supports a custom SonicWALL MIBII for generating trap messages To configure SNMP in the SonicWALL Internet security appliance log into the SonicWALL management interface Click Access then Management The SNMP configuration panel is displayed The SonicWALL SNMP agent generates two traps Cold Start Trap and Alert Traps Cold Start Traps indicates that the SonicWALL appliance is re i...

Page 94: ...stem errors blocked web sites If none of the categories is selected on the Log Settings page then none of the trap messages are sent out Configuration of the Service and Rules Pages By default the SonicWALL appliance responds only to SNMP Get messages received on its LAN interface Appropriate rules must be set up in the SonicWALL to allow SNMP traffic into the trusted network SNMP trap messages ma...

Page 95: ...essary to configure a VPN connection for Remote Managment as the Management SA is automatically configured in this section 1 Enter a 16 character hexadecimal encryption key in the Encryption Key field Valid hexadecimal characters include 0 1 2 3 4 5 6 7 8 9 A B C D E and F A valid encryption key may be 1234567890ABCDEF Or you may use the randomly generated key that appears in the Encryp tion Key f...

Page 96: ...he SonicWALL is managed remotely by SonicWALL GMS Refer to SonicWALL GMS documentation for set up instructions Manage Using Internet Explorer Under the Management tab of the Access section there is a check box labeled Manage Using Internet Explorer This box is checked by default and enables Internet Explorer web browsers to quickly load the SonicWALL Web Management Authentication web page With the...

Page 97: ...g it locally for future requests Setting up a Web proxy server on a network can be cumbersome because each computer on the network must be configured to direct Web requests to the server If you have a proxy server on your network instead of configuring each computer to point to the proxy server you may move the server to the WAN and enable Web Proxy Forwarding The SonicWALL automatically forwards ...

Page 98: ...o the In ternet in the event that the proxy server fails Click Update 4 If the Web proxy server is located on the WAN between the SonicWALL and the Internet router add the Web proxy server address in the SonicWALL Intranet tab Click the Intranet tab at the top of the window 5 In the Intranet tab enter the proxy server s IP address in the Add Range field 6 Select Specified address ranges are attach...

Page 99: ...ting the SonicWALL between an unprotected and a protected segment as shown below Installation 1 Connect the LAN Ethernet port on the back of the SonicWALL to the net work segment to be protected against unauthorized access 2 Connect the WAN Ethernet port on the back of the SonicWALL to the rest of the network Note Devices connected to the WAN port do not have firewall protection It is recommended ...

Page 100: ... two IP addresses in the Add Range section Specify the IP addresses individually or as a range Intranet Settings Select one of the following three options SonicWALL s WAN link is connected directly to the Internet router Select this option if the SonicWALL is protecting your entire network This is the default setting Specified address ranges are attached to the LAN link Select this option if it is...

Page 101: ...To add a range of addresses such as 199 2 23 50 to 199 2 23 54 enter the starting address in the From Address field and the ending address in the To Address field An individual IP address should be entered in the From Address field only Note Up to 64 address ranges may be entered Click Update Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the brow...

Page 102: ...he static route in the Dest Network field The destination network is the IP address subnet of the remote network segment Note If the destination network uses IP addresses ranging from 192 168 1 1 to 192 168 1 255 enter 192 168 1 0 in the Dest Network field 2 Enter the subnet mask of the remote network segment in the Subnet mask field 3 Enter the IP address of your router in the Gateway field This ...

Page 103: ...vides Internet access to network servers The DMZ sits between the local network and the Internet Servers on the DMZ are publicly accessible but they are protected from attacks such as SYN Flood and Ping of Death Use of the DMZ port is optional Using the DMZ is a strongly recommended alternative to placing servers on the WAN port where they are not protected or establishing Public LAN servers Click...

Page 104: ... is displayed at the bottom of the browser window Note Network Address Translation NAT does not apply to servers on the DMZ One to One NAT One to One NAT maps valid external addresses to private addresses hidden by NAT Computers on your private LAN will be accessed on the Internet at the corresponding public IP addresses You may create a relationship between internal and external addresses by defi...

Page 105: ...e Guide Page 105 computers with private IP addresses of 192 168 168 2 to 192 168 168 16 may be accessed at the corresponding external IP address as shown in the diagram below integrated_manual book Page 105 Wednesday June 13 2001 6 21 PM ...

Page 106: ... that should be mapped to private address es in the Range Length field The range length may not exceed the number of valid IP addresses Up to 64 ranges may be added To map a single address enter a Range Length of 1 5 Click Update Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window Restart the SonicWALL for changes to take effect Note...

Page 107: ...w Ethernet Speed Duplex Settings This section has the following settings WAN Link Settings DMZ Link Settings LAN Link Settings The default setting for all of the link settings is Auto Negotiate which means that the Ethernet links automatically negotiate the speed and duplex mode The other choice Force with drop down menus for choices of speed and duplex should be used only if your Ethernet card al...

Page 108: ... be a lengthy search process MTU Settings A network administrator may set the MTU Maximum Transmission Unit allowed over the over a packet or frame based network such as TCP IP If the MTU size is too large it may require more transmissions if the packet encounters a router unable to handle a larger packet If the packet size is too small this could result in more packet header overhead and more ack...

Page 109: ... you want to have a DHCP server located outside the SonicWALL appliance check the Allow DHCP Pass Through checkbox Note Make sure there are no other DHCP servers on the LAN before you enable the DHCP server 2 Enter the maximum length of the DHCP lease in the Lease Time field The Lease Time determines how often the DHCP Server renews IP leases The default Lease Time is 60 minutes The length of time...

Page 110: ...IP Address Enter the beginning IP address of your LAN IP address range in the Range Start field Enter the ending IP address in the Range End field Select the Allow BootP clients to use range checkbox if you want BootP clients to receive IP leases Then click Update When the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window Continue this proc...

Page 111: ...Status Click the Status tab at the top of the browser window The scrolling window shows the details on the current bindings IP and MAC address of the bindings along with the type of binding Dynamic Dynamic BootP or Static BootP To delete a binding which frees the IP address in the DHCP server select the binding from the list and then click Delete Binding The operation takes a few seconds to comple...

Page 112: ... and the SonicWALL GX650 This chapter is organized into the following sections The VPN Summary Tab This section describes the Summary tab and settings Enabling Group VPN on the SonicWALL This section demonstrates the configuration of SonicWALL Group VPN settings using the Group VPN Security Association Configuring VPN using Manual Key This section describes the configuration of a SonicWALL applian...

Page 113: ...ices that have been assigned private IP addresses Remotely Managing the SonicWALL The SonicWALL GX series includes a free VPN client for remote administration and 100 VPN clients for remote users The SonicWALL VPN client installed on Windows 95 98 NT and 2000 allows you securely manage the SonicWALL over the Internet Accessing Network Resources from a VPN Client VPN client remote access allows you...

Page 114: ...ast check box is also checked This check box disables NetBIOS broadcasts for every Security Association configuration The Enable Fragmented Packet Handling check box should be checked if the VPN log report shows the log message Fragmented IPSec packet dropped Leave it unchecked until the VPN tunnel is established and in operation Current IPSec Security Associations This section displays all of the...

Page 115: ...client Security Association by using Manual Key Configuration Group Configuration or Advanced Configuration Group Configuration and Manual Key Configuration are described in this chapter Advanced Configuration is available at SonicWALL s Web site Before choosing your VPN client configuration evaluate the differences between the three methods Group Configuration uses IKE Internet Key Exchange and r...

Page 116: ...SonicWALL GX However only 100 VPN clients should connect to the SonicWALL PRO simultaneously See the VPN Feature Chart at the beginning of this chapter for more information Because Manual Key Configuration supports multiple SAs it enables individual control over remote users Advanced Configuration requires a complex setup and is therefore not recommended for most SonicWALL administrators Advanced ...

Page 117: ...n its current connection A proprietary dead peer detection is now implemented that detects whether or not the remote Security Gateway has a valid IKE tunnel This checkbox cannot be used with the Group VPN Security Association Require XAUTH RADIUS only allows VPN clients An IKE Security Association may be configured to require RADIUS authentication before allowing VPN clients to access LAN resource...

Page 118: ...unnel and in turn NAT is performed on inbound packets when they are received By using NAT for the VPN connection computers on the remote LAN are viewed as one address the SonicWALL s public address from the corporate LAN If the SonicWALL uses the Standard network configuration using this checkbox applies the firewall access rules and checks for attacks It does not apply NAT as the SonicWALL is not...

Page 119: ...nfiguration of remote site Security Associations Note Only one SA may have this checkbox enabled Default LAN Gateway A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all internet traffic through this SA checkbox The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packet...

Page 120: ...inates the need to individually configure remote VPN clients Group VPN is only available for VPN clients and it is recommended to use Authentication Service or XAUTH RADIUS in conjunction with the Group VPN for added security To enable Group VPN follow the instructions below 1 Click VPN on the left side of the management station interface 2 Click on Group VPN The Security Association default setti...

Page 121: ... to a floppy disk or e mailed to a remote VPN client The Shared Secret however is not exported and must be entered manually by the remote VPN client Note You must use the Group VPN Security Association even if you have only one VPN client to deploy The Group VPN Security Association defaults to the Simple Configuration previously available in firmware version 5 1 1 If you have only one client to d...

Page 122: ... file location box appears which allows searching for the location of the saved se curity file Select the file and click Open 3 A dialogue box asking to import the security file appears Click Yes and another box appears confirming the file is successfully imported into the client The client application now has an imported Group VPN policy integrated_manual book Page 122 Wednesday June 13 2001 6 21...

Page 123: ... settings 5 Click Pre Shared Key to enter the Pre Shared Secret created in the Group VPN settings in the SonicWALL appliance Click OK 6 Select None in the Select Certificate menu and select Domain Name in the ID Type menu Enter any word or phrase in the field below the ID Type menu Do not leave this field blank integrated_manual book Page 123 Wednesday June 13 2001 6 21 PM ...

Page 124: ...as it is imported directly into the Client application Exporting the security association to a file facilitates configuration of a large number of VPN clients and eliminates the need to configure each client individually Group VPN may also be configured using digital certificates in the Security Association settings For more information on Group VPN configuration using digital certificates refer t...

Page 125: ...reate a new Security Association by selecting Add New SA from the Security Association menu 4 Enter a descriptive name that identifies the VPN client in the Name field such as the client s location or name 5 Enter 0 0 0 0 in the IPSec Gateway Address field 6 Define an Incoming SPI and an Outgoing SPI The SPIs are hexadecimal 0123456789abcedf and may range from 3 to 8 characters in length Note SPIs...

Page 126: ...Network automatically updates the VPN configuration and opens the VPN Destination Network window 11 Enter 0 0 0 0 in the Range Start Range End and Destination Subnet Mask for NetBIOS broadcast fields 12 Click Advanced Settings 13 Check Enable Windows Networking NetBIOS broadcast if the remote site is allowed access to network resources by browsing the Windows Network Neigh borhood 14 Check Apply N...

Page 127: ...SonicWALL VPN Client Security Policy Editor from the Windows Start menu or double click the icon in the Windows Task Bar Select Add New Connection in the Edit menu at the top of the Security Policy Editor window Note The security policy may be renamed by highlighting New Connection in the Network Security Policy box and typing the desired security policy name Configuring VPN Security and Remote Id...

Page 128: ... if NAT is enabled Configuring VPN Client Security Policy 1 Double click New Connection in the Network Security Policy box on the left side of the Security Policy Editor window My Identity and Security Policy should appear below New Connection 2 Select Security Policy in the Network Security Policy box The Security Pol icy interface appears 3 Select Use Manual Keys in the Select Phase 1 Negotiatio...

Page 129: ... Select Certificate menu on the right side of the Security Policy Editor window 3 Select IP Address in the ID Type menu 4 In the Internet Interface box select the adapter you use to access the Internet Select PPP Adapter in the Name menu if you have a dial up Internet account Select your Ethernet adapter if you have a dedicated Cable ISDN or DSL line integrated_manual book Page 129 Wednesday June ...

Page 130: ...hange 2 Select Unspecified in the SA Life menu 3 Select None in the Compressed menu 4 Check the Encapsulation Protocol ESP checkbox 5 Select DES in the Encryption Alg menu 6 Select MD5 in the Hash Alg menu 7 Select Tunnel in the Encapsulation menu 8 Leave the Authentication Protocol AH checkbox unchecked integrated_manual book Page 130 Wednesday June 13 2001 6 21 PM ...

Page 131: ...character Authentication Key in the ESP Authentica tion Key field then click OK Configuring Outbound VPN Client Keys 1 Click Outbound Keys An Outbound Keying Material box is displayed 2 Click Enter Key to define the encryption and authentication keys 3 Type the SonicWALL Incoming SPI in the Security Parameter Index field 4 Select Binary in the Choose key format options 5 Enter the SonicWALL applia...

Page 132: ...ns The first step to set up a VPN between two SonicWALLs is creating corresponding Security Associations SAs The instructions below describe how to create an SA using Manual Keying and Internet Key Exchange IKE These instructions are followed by an example illustrating a VPN tunnel between two SonicWALLs Manual Key between Two SonicWALLs Click VPN on the left side of the SonicWALL browser window a...

Page 133: ...the same as the Outgoing SPI 7 Select an encryption algorithm from the Encryption Method menu The Son icWALL supports the following encryption algorithms Tunnel Only ESP NULL does not provide encryption or authentication This op tion offers access to computers at private addresses behind NAT and allows unsup ported services through the SonicWALL Encrypt ESP DES uses 56 bit DES to encrypt data DES ...

Page 134: ...tion Enter a 40 character hexadecimal key if you are using SHA 1 This encryption key must match the remote SonicWALL s encryption key Valid hexadecimal characters include 0 1 2 3 4 5 6 7 8 9 a b c d e and f 1234567890abcdef is an example of a valid DES or ARCFour encryption key If you enter an incorrect encryption key an error message is displayed at the bottom of the browser window When a new SA ...

Page 135: ...orking NetBIOS Broadcast is checked Otherwise enter 0 0 0 0 in the field 14 Click Advanced Settings 15 Check Enable Windows Networking NetBIOS broadcast if the remote site is allowed access to network resources by browsing the Windows Network Neigh borhood 16 Check Apply NAT and firewall rules if applicable 17 Check Forward Packets to Remote VPNs if configuring a hub and spoke net work 18 Check Ro...

Page 136: ...e Security Association such as Palo Alto Office or NY Headquarters in the Name field 4 Enter the IP address of the remote SonicWALL in the IPSec Gateway Address field This address must be valid and should be the NAT Public IP Address if the remote SonicWALL uses Network Address Translation NAT Note If the remote SonicWALL has a dynamic IP address enter 0 0 0 0 in the IPSec Gateway Address field Th...

Page 137: ...but the most sensitive data Strong Encrypt ESP 3DES uses 168 bit 3DES Triple DES to encrypt data 3DES is considered an almost unbreakable encryption method applying three DES keys in succession but it significantly impacts the data throughput of the Son icWALL Strong Encrypt for Check Point ESP 3DES is similar to Strong Encrypt ESP 3DES but is interoperable with Check Point Firewall 1 Strong Encry...

Page 138: ...mask field 11 Click Advanced Settings 12 Check Enable Keep Alive if you want the SA to check for an active VPN tunnel while the tunnel is connected 13 Check Enable Perfect Forward Secrecy for added security 14 Check Enable Windows Networking NetBIOS broadcast if the remote site is allowed access to network resources by browsing the Windows Network Neigh borhood 15 Check Apply NAT and firewall rule...

Page 139: ...ret from the IPSec Keying Mode menu 4 Because the SonicWALL TELE2 does not have a permanent WAN IP address the SonicWALL GX250 needs to authenticate the VPN session by matching the Name of the SA with the TELE2 Unique Firewall Identifier Enter the TELE2 Unique Fire wall Identifier in the Name field in this example San Francisco Office 5 Enter the WAN IP address of the remote SonicWALL in the IPSec...

Page 140: ... site is allowed access to network resources by browsing the Windows Network Neigh borhood 15 Check Apply NAT and firewall rules if applicable 16 Check Forward Packets to Remote VPNs if configuring a hub and spoke net work 17 Check Route all Internet Traffic through this SA if configuring a remote site without access to the Internet via the VPN tunnel 18 Enter the Default LAN Gateway if Route all ...

Page 141: ...you want the SA to check for an active VPN tunnel while the tunnel is connected 13 Check Enable Perfect Forward Secrecy for added security 14 Check Enable Windows Networking NetBIOS broadcast to allow the re mote site access to network resources by browsing the Windows Network Neigh borhood 15 Check Apply NAT and firewall rules if applicable 16 Check Forward Packets to Remote VPNs if configuring a...

Page 142: ...the data communication 3 A successful ping communication returns data packet information to you An un successful ping returns a message of Request Timed Out If you are unable to ping the remote network wait a few minutes for the VPN tunnel to become established and try pinging the network again If you are still unable to ping the remote network contact your network administrator Configuring Window...

Page 143: ...en Control Panel Locate the Network icon and double click it 2 Select Client for Microsoft Networks from the list and then click Properties 3 Check the Logon to Windows NT Domain checkbox and enter the domain name provided by your administrator into the Windows NT domain text box Select Quick Logon under Network logon options section integrated_manual book Page 143 Wednesday June 13 2001 6 21 PM ...

Page 144: ...main name provided by your ad ministrator in the Workgroup text box 5 Click on TCP IP or Dial Up Adapter and then Properties Click the WINS Configuration tab and select Enable WINS Resolution Enter the WINS serv integrated_manual book Page 144 Wednesday June 13 2001 6 21 PM ...

Page 145: ...domain Windows2000 users should consult their network administrators for instructions to set up the remote domain access If your remote network does not have a network domain server you cannot setup a WINS server and browse the network using Network Neighborhood To access shared resources on remote computers you need to know the private IP address of the remote computer and use the Find tool in th...

Page 146: ... which cannot transmit NetBIOS broadcasts may access resources across a VPN by locating a remote computer by IP address For example if a remote office has a Microsoft SQL server users at the local office may access the SQL server by using the server s private IP address There are several ways to facilitate connecting to a computer across a SonicWALL VPN Use the Find Computer tool Create a LMHOSTS ...

Page 147: ...box This forces inbound VPN clients to connect to this Security Association to authenticate to a RADIUS server 4 Configure the Security Association as specified in the IKE Configuration for the VPN Client section Note Only SonicWALL VPN Clients may authenticate to a RADIUS server Users tunneling from another VPN gateway such a second SonicWALL is not able to complete the VPN tunnel if the Require ...

Page 148: ...N connection is dropped This field may range between 0 and 30 however 3 RADIUS server retries is recommended 3 Enter the number of seconds between attempts to contact the RADIUS server in the RADIUS Server Timeout in Seconds field The RADIUS server timeout may range from 0 to 60 seconds but 5 seconds is recommended RADIUS Servers Specify the settings of the primary RADIUS server in the RADIUS serv...

Page 149: ...ser Name and Password is relayed to the RADIUS server for verification Once the VPN client is authenticated the client can access network resources SonicWALL Enhanced VPN Logging If Network Debug is checked in the Log Settings tab panel detailed logs are kept of the VPN negotiations with the SonicWALL appliance Enhanced VPN Logging is useful for evaluating VPN connections when problems may occur w...

Page 150: ...The feature is useful if it is suspected that a remote VPN user connection has become unstable or insecure It can also temporarily block access to the SonicWALL appliance if necessary Disable the Security Association by checking the Disable this SA check box Click Update to enable the change to take place integrated_manual book Page 150 Wednesday June 13 2001 6 21 PM ...

Page 151: ...r by clicking the Notepad icon located after the Encryption Method Security Associations may be deleted from the Current IPSec Security Associations section of the Summary tab by clicking on the Trash Can icon located next to the Notepad icon Or click on the hyperlinked name of the Security Association to go to the Configure tab and delete the Security Association by clicking Delete this SA at the...

Page 152: ...e key the more difficult it is to break the encryption Asymmetric vs Symmetric Cryptography Asymmetric and symmetric cryptography refer to the keys used to authenticate or encrypt and decrypt the data Asymmetric cryptography or public key cryptography uses two keys for verification Organizations such as RSA Data Security and Verisign support asymmetric cryptography With symmetric cryptography the ...

Page 153: ...s confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets Encryption may be in the form of ARCFour similar to the popular RC4 encryption method DES etc The use of ESP increases the processing requirements in SonicWALL VPN and also increases the communications latency The increased latency is due to the encryption and decryption required for each IP packet ...

Page 154: ...mal characters Valid hexadecimal characters are 0 to 9 and a to f inclusive 0 1 2 3 4 5 6 7 8 9 a b c d e f For example a valid key would be 1234567890abcdef Strong Encryption TripleDES Strong Encryption or TripleDES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is dramatically more secure than DES and is considered to be virtually unbreakable by security experts It also requ...

Page 155: ...ly disrupt business activi ties Internet connections that provide access to critical resources for remote offices telecommuters and mobile workers Connection downtime can result in lower pro ductivity for remote users Given the mission critical nature of many Internet connections each element of the Internet connection needs to be highly reliable SonicWALL High Availability adds to the award winni...

Page 156: ...me firmware version installed Each SonicWALL in the High Availability pair must have the same upgrades and subscriptions enabled If the backup unit does not have the same upgrades and subscriptions enabled these functions will not be supported in the event of a fail ure of the primary SonicWALL Network Configuration for High Availability Pair The following diagram illustrates the network configura...

Page 157: ...twork settings The bottom half of the window displays the backup SonicWALL information boxes To configure High Availability follow the steps below 1 Connect the primary SonicWALL and the backup SonicWALL to the network but leave the power turned off on both units 2 Turn on the primary SonicWALL unit and wait for the diagnostics cycle to complete Configure all of the settings in the primary SonicWA...

Page 158: ...se a heartbeat signal to communicate with one another This heartbeat is sent between the SonicWALLs over the network segment connected to the LAN ports of the two SonicWALLs The interruption of this heartbeat signal triggers the backup SonicWALL to take over operation from the active unit of the High Availability pair The time required for the backup SonicWALL to take over from the active unit dep...

Page 159: ...ings 11 To confirm that the synchronization is successful check the primary SonicWALL log for a High Availability confirmation message Alternatively you can log into the backup SonicWALL using its unique LAN IP address and confirm that it is the back up SonicWALL If the primary SonicWALL fails to synchronize with the backup an error message is displayed at the bottom of the screen An error message...

Page 160: ...y SonicWALL occurs the backup SonicWALL assumes the primary SonicWALL LAN and WAN IP Addresses There are three primary methods to check the status of the High Availability pair the High Availability Status window E mail Alerts and View Log These methods are described in the following sections High Availability Status Window One method to determine which SonicWALL is active is to check the High Ava...

Page 161: ...es to reflect the active status of the backup as shown below The first line in the status window indicates that the backup SonicWALL is currently Active It is also possible to check the status of the backup SonicWALL by logging into the LAN IP Address of the backup SonicWALL If the primary SonicWALL is operating normally the status window indicates that the backup SonicWALL is currently Idle If in...

Page 162: ...gh Availability pair For example when the backup SonicWALL takes over for the primary after a failure an E mail alert is sent indicating that the backup has transitioned from Idle to Active If the primary SonicWALL subsequently resumes operation after that failure and Preempt Mode has been enabled the primary SonicWALL takes over and another E mail alert is sent to the administrator indicating tha...

Page 163: ... off power on the currently active unit or by restarting it from the Web Management Interface In all of these cases heartbeats from the active SonicWALL are interrupted which forces the currently Idle unit to become Active To restart the active SonicWALL log into the primary SonicWALL LAN IP Address and click Tools on the left side of the browser window and then click Restart at the top of the win...

Page 164: ...w of all activity through your SonicWALL Internet security appliance With SonicWALL ViewPoint you are able to monitor network access enhance security and anticipate future bandwidth needs SonicWALL ViewPoint Displays bandwidth use by IP address and service Identifies inappropriate Web use Provides detailed reports of attacks Collects and aggregates system and network errors Shows VPN events and pr...

Page 165: ...k space 256 MB memory Internet Explorer 4 0 or later or Netscape Navigator 4 x Note More disk space may be required to analyze large networks Network Configuration for ViewPoint The following diagram illustrates the network configuration for SonicWALL ViewPoint The SonicWALL ViewPoint Server may be any computer or server located on the SonicWALL s LAN running Windows 2000 or Windows NT 4 0 SP 4 or...

Page 166: ...r domain name of the ViewPoint Server in the Syslog Serv er field Note The ViewPoint Server must have a static IP address Confirm that the server has a permanent IP address in the ViewPoint Server TCP IP Properties window 3 Enter 0 in the Syslog Individual Event Rate field to send all syslog messages without filtering 4 Confirm that the Syslog Format is set to Default 5 Click Update and then resta...

Page 167: ...e setup program without installing Note When you install ViewPoint be sure to close all other applications on the ViewPoint Server The installation wizard guides you through the set up program and installs ViewPoint reporting software and a syslog server Tomcat Web Server and MySQL Database The ViewPoint setup program detects whether the default Web syslog or MySQL ports are in use If the default ...

Page 168: ...int Software Once the programs are installed you may close the ViewPoint Installation Wizard window You need to restart your computer for the changes to take effect integrated_manual book Page 168 Wednesday June 13 2001 6 21 PM ...

Page 169: ...ured the ViewPoint Web server to use a different port than port 80 then add the port number to the URL for example http LocalHost 8080 1 Type the User Name and Password Note The default User Name is admin and the default Password is password Note The password that was configured during the ViewPoint installation is used to authenticate to your SonicWALL Internet security appliance it does not prov...

Page 170: ...change the ViewPoint user name highlight the text in the User Name field and replace it with your new user name 3 To change the ViewPoint password enter your current ViewPoint password in the Old Password field 4 Enter the new ViewPoint password in the New Password and Confirm New Password fields Note When setting the ViewPoint password for the first time remember that the default ViewPoint passwo...

Page 171: ... of the browser window and then click SonicWALL 2 Enter the LAN IP Address of your SonicWALL Internet security appliance in the IP Address field 3 Enter the current SonicWALL administrator password in the Old Password field 4 Enter the new SonicWALL administrator password in the New Password and Confirm New Password fields Note This password must match the password of your SonicWALL appliance Note...

Page 172: ...ViewPoint syslog server listens on to configure ViewPoint to forward syslog data to other servers and to limit the database size 1 From the ViewPoint Web Interface expand the Configure option on the left side of the browser window and then click Syslog 2 To change the UDP port number that the ViewPoint syslog server listens on enter the new port number in the Port Number field Note SonicWALL Inter...

Page 173: ...ding field To limit the database by size select the Maximum Database Size in Megabytes radio button and enter the number of megabytes of memory that the database will store in the corresponding field Note By default Viewpoint saves database records for seven days 6 Click Update and restart the ViewPoint server for syslog settings changes to take effect Note Maintenance on the ViewPoint database is...

Page 174: ...date is highlighted in the ViewPoint date calendar Select the desired month and year from the Month and Year menus 3 Select the desired day in the ViewPoint date calendar The new report date will be displayed in the upper right corner of the ViewPoint Report window The ViewPoint report table and chart is also updated to show the new report date 4 Click Close to close the ViewPoint Date Selector wi...

Page 175: ...nt The Logout option on the upper right side of the browser window terminates the management session and redisplays the Authentication window If the Logout op tion is clicked it is necessary to re login and authenticate to use ViewPoint Note The ViewPoint administrator is automatically logged out of the ViewPoint User Interface after 5 minutes of inactivity The current report date is displayed at ...

Page 176: ... of data transferred in bytes or the number of individual events Depending upon the report type events may be called hits events or connections All of these terms describe a single IP connection from one location to another location through the SonicWALL KBytes MBytes Most ViewPoint reports display data in terms of KBytes or MBytes KBytes an abbreviation for kilobytes and MBytes an abbreviation fo...

Page 177: ...rivileges are defined on the Users window in the SonicWALL Web Management Interface The User Login report illustrates the location and frequency of authenticated user sessions The User Login report table displays the time and the name or IP address of the machine that authenticated to the SonicWALL Failed Login The Failed Login report lists all attempts to login into your SonicWALL Internet securi...

Page 178: ...P traffic through the SonicWALL in MBytes transferred The table displays the hour of the day the number of events that occurred during the hour the number of MBytes transferred and the MBytes as a percentage of the total MBytes for the report day Both the chart and the table include inbound and outbound traffic through the LAN WAN and DMZ interfaces Bandwidth Monitor The Bandwidth Monitor report d...

Page 179: ...he amount of Web HTTP traffic traveling through your SonicWALL over time This report displays peak bandwidth usage times of Web traffic and provides information about the number of Web site hits and bandwidth use during the report period The Web Usage Summary report displays a bar graph of Web traffic through the SonicWALL in MBytes transferred The table displays the hour of the day the number of ...

Page 180: ...e Each Web site displayed in the table includes a link to the site so that the ViewPoint administrator may view and evaluate the listed Web sites Web Filter Reports Web Filter Summary Report The Web Filter Summary report shows the number of attempts to access blocked Web sites over time The Web Filter Summary report includes Web sites blocked by the SonicWALL s Content Filter List or by customized...

Page 181: ...ers attempted to visit that were blocked by the SonicWALL s Web Content Filtering policies The Top Objectionable Web Sites By User report displays a table of the users blocked by the SonicWALL the top 5 Web sites the users attempted to access and the number of attempts to access each Web site If more than 5 users attempted to access objectionable Web sites the additional users Web activity may be ...

Page 182: ...f E mail files transferred by user in KBytes and the total number of E mail events through the SonicWALL The Top Users of Mail report displays a pie chart of the top 10 users by the number of Mail Events The report table lists the top 10 users displayed in the chart the number of KBytes transferred by the user the number of mail events generated by the user and the number of events as a percentage...

Page 183: ...ttack categories displayed in the chart the number of attacks for the category and the number of attacks for the category as a percentage of the total attacks during the report period Dropped Packets The Dropped Packets report displays all IP packets dropped by your SonicWALL IP packets dropped by the SonicWALL include TCP Packets UDP Packets ICMP Packets IPSec Packets PPTP Packets Broadcast Packe...

Page 184: ...Server IP Address into the Location or Address field of the Web browser Note If the ViewPoint Web Interface uses a different port than port 80 add the port number after the IP address for example type http IP Address 8080 Note Internet Explorer 4 0 or greater or Netscape Navigator 4 x should be used to login and manage ViewPoint The Web browser must also be enabled for Java and cookies and support...

Page 185: ...for future use click No 5 Click Finish to complete the uninstallation process ViewPoint Server Across a VPN While it is recommended that the ViewPoint Server be located on the SonicWALL s LAN for performance issues it may also be located remotely across a VPN The only requirement is that the ViewPoint Server must be able to access and login to the SonicWALL Web Management Interface Note If your VP...

Page 186: ...orwards the messages to the MySQL database ViewPoint software operates on Windows 2000 or Windows NT 4 0 Service Pack 4 or greater Active ViewPoint Services For maintenance or other reasons it may be necessary to start or stop ViewPoint services ViewPoint related services in the Control Panel Administrative Tools Services directory include ViewPoint Syslogd and MySql Processes initiated by ViewPoi...

Page 187: ...tion This strategy ensures that current virus software is installed and active on every computer on the network preventing a rogue user from disabling virus protection and exposing the entire organization to an outbreak SonicWALL Network Anti Virus provides centrally managed and enforced virus installation transparent software updates and comprehensive Web based reports SonicWALL Network Anti Viru...

Page 188: ...t also includes advance swap shipment of defective products SonicWALL Premium Support is an excellent program if you rely heavily on network and Internet connectivity and cannot afford network downtime SonicWALL Extended Warranty SonicWALL Extended Warranty provides one additional year of warranty coverage and continued access to SonicWALL Technical Support resources There is no limit to how many ...

Page 189: ...com products services html for more information about SonicWALL options and upgrades Contact your local reseller to purchase SonicWALL upgrades A SonicWALL sales representative can help locate a SonicWALL authorized reseller near you Web http www sonicwall com E mail sales sonicwall com Phone 888 557 6642 or 408 745 9600 Fax 408 745 9300 integrated_manual book Page 189 Wednesday June 13 2001 6 21 ...

Page 190: ...eged users Many popular services such as Web FTP SMTP POP3 E mail DNS etc operate in this port range The assigned ports use a small portion of the possible port numbers For many years the assigned ports were in the range 0 255 Recently the range for assigned ports managed by the IANA has been expanded to the range 0 1023 Registered Port Numbers The Registered Ports are not controlled by the IANA a...

Page 191: ...TCP IP settings may be helpful when configuring the SonicWALL s IP settings From a Windows 95 or 98 computer do the following 1 From the Start menu highlight Settings and then select Control Pan el 2 Double click the Network icon in the Control Panel window 3 Double click TCP IP in the TCP IP Properties window 4 Select the Specify an IP Address radio button 5 Enter 192 168 168 200 in the IP Addres...

Page 192: ...he Reset Switch and then apply power to the SonicWALL Once the Test LED starts to flash let go of the Reset Switch The Test LED flashes for approximately 90 seconds while the firmware is erased After completing the diagnostic sequence the Test LED stays lit indicating that the firmware has been erased 4 Log back into the SonicWALL at the default IP address http 192 168 168 168 Make sure that the M...

Page 193: ...d tightened to ensure secure installation Choose a mounting location where all four mounting holes line up with those of the mounting bars of the 19 inch rack mount cabinet Mount in a location away from direct sunlight and sources of heat A maximum am bient temperature of 104º F 40º C is recommended Route cables away from power lines fluorescent lighting fixtures and sources of noise such as radio...

Page 194: ...ch case the user at his own expense is required to take whatever measures that may be necessary to correct the interference The cables supplied with this equipment are shielded and created specifically for use on this equipment The use of shielded I O cables are mandatory when connecting this equipment to any and all optional peripheral host devices Failure to do so may violate FCC rules BSMI Stat...

Page 195: ...SonicWALL Internet Security Appliance Guide Page Page 195 NOTES integrated_manual book Page 195 Wednesday June 13 2001 6 21 PM ...

Page 196: ...es 58 Certificates 114 Choose a diagnostic tool 75 Clear Log Now 53 Client Default Gateway 109 Client for Microsoft Networks 143 Configuration 100 Configuration Changes 160 Configure 114 175 Configuring High Availability 157 Configuring SonicWALL Settings 171 Connect using Secure Gateway Tunnel 128 Consent 65 Consent page URL 66 Content Filter List 10 46 187 Content Filter List Subscription 187 Co...

Page 197: ...s 63 Forcing Transitions 163 FTP Usage 175 G General 37 175 General Status 177 Global IPSec Settings 114 Global Management System 188 Group Configuration 115 Group VPN 112 120 GX250 Back Panel 17 GX650 Back Panel 17 H Hash Alg 130 heartbeat 158 Heartbeat Interval 158 heartbeats 157 Help 175 High Availability 155 High Availability Status 160 http 169 184 8080 184 LocalHost 169 8080 169 I ICSA 9 ID ...

Page 198: ...rity Policy 127 130 Network Settings 37 Network Time Protocol 46 nspecting the Package 20 O Online help 11 Outbound Keys 131 Outgoing SPI 125 131 P Packet Trace 77 Password 184 pcAnywhere 184 Per Incident Support 187 188 Ping 76 Ping of Death 9 port 8080 167 Port Number 173 PPP Adapter 124 129 PPPoE 178 Preempt mode 158 Preferences 69 Premium Support 188 Pre Shared Key 123 Pre Shared Secret 123 Pr...

Page 199: ...wisted Pair 17 U UDP port 514 186 UDP port number 172 Uninstalling ViewPoint 185 Unique Firewall Identifier 114 Updating Firmware 71 Upgrade Key 74 Use Manual Keys 128 User Activity 54 User Idle Timeout 91 User Login 177 User Name 184 V View Data 56 View Log 50 162 Viewpoint 164 ViewPoint Date Selector 174 ViewPoint Report Descriptions 177 ViewPoint Report Layout 175 ViewPoint Server 165 166 185 V...

Page 200: ...eason the battery or the SonicWALL Internet Security appliance requires disposal it must be done in accordance with the manufacturer s instructions UL Power Supply Compliance Notice Caution Disconnect power cord before servicing power supply To disconnect all power and current to the system unplug both power cords from system Radiation Warning Caution Use of controls or adjustments of performance ...

Reviews:

No comments

Related manuals for SonicWALL GX250

Forcepoint 1402-C3 Hardware Manual preview
1402-C3
Brand: Forcepoint Pages: 32
3Com SuperStack 3 User Manual preview
SuperStack 3
Brand: 3Com Pages: 64
IBM DataPower XH40 Quick Start Manual preview
DataPower XH40
Brand: IBM Pages: 2
Mackie D.2 Owner'S Manual preview
D.2
Brand: Mackie Pages: 28
Watchguard Firebox SOHO 6 Wireless User Manual preview
Firebox SOHO 6 Wireless
Brand: Watchguard Pages: 208
Barracuda CloudGen F80 Manual preview
CloudGen F80
Brand: Barracuda Pages: 6
D-Link DFL-1100 - Security Appliance User Manual preview
DFL-1100 - Security Appliance
Brand: D-Link Pages: 144
D-Link DFL-1660-AV-12 Datasheet preview
DFL-1660-AV-12
Brand: D-Link Pages: 5
D-Link DFL-200 - Security Appliance User Manual preview
DFL-200 - Security Appliance
Brand: D-Link Pages: 133
D-Link D DFL-500 DFL-500 Manual preview
D DFL-500 DFL-500
Brand: D-Link Pages: 122
D-Link DFL-200 - Security Appliance Quick Installation Manual preview
DFL-200 - Security Appliance
Brand: D-Link Pages: 14
D-Link DFL-1000 User Manual preview
DFL-1000
Brand: D-Link Pages: 118
D-Link CP310 - DFL - Security Appliance User Manual preview
CP310 - DFL - Security Appliance
Brand: D-Link Pages: 485
D-Link DFL-1660-IPS-12 Manual preview
DFL-1660-IPS-12
Brand: D-Link Pages: 20
D-Link DFL-1100 - Security Appliance Installation Manual preview
DFL-1100 - Security Appliance
Brand: D-Link Pages: 24
D-Link DFL- 860 Log Reference Manual preview
DFL- 860
Brand: D-Link Pages: 476
PaloAlto Networks PA-7050 PAN-AIRDUCT Quick Start Manual preview
PA-7050 PAN-AIRDUCT
Brand: PaloAlto Networks Pages: 2
Watchguard XCS 1180 Quick Start Manual preview
XCS 1180
Brand: Watchguard Pages: 23

Brands by name

Popular brands

Load more brands