Security Best Practices for TZ 180 Running SonicOS Standard

SonicWALL TZ 180 Recommends Guide, page 11

Optimize your firewall access rules

On any firewall rule, enable fragmented packet handling, and verify that the connection timeout for the rule is appropriate to the referenced service. For example, telnet connections tend to be long-lasting, so the TCP timeout should be set accordingly. Similarly, the timeout can be set lower for short-lived services, thus keeping the connection cache clean.

For more information on firewall access rules, refer to the “Configuring Network Access Rules” chapter in the SonicOS Standard 3.8 Administrator’s Guide.

Optimize your VPN settings

Navigate to the VPN > Advanced page and verify that fragmented packet handling, NAT traversal and IKE DPD are enabled. If you use Microsoft networking across VPN tunnels, uncheck the box next to Disable all VPN Windows Networking (NetBIOS) Broadcasts.

When creating VPN policies, be sure to check the box next to Enable Windows Networking (NetBIOS) Broadcasts on the Advanced tab of the VPN policy.

For more information on VPN settings, refer to the “Configuring Advanced VPN Settings” chapter in the SonicOS Standard 3.8 Administrator’s Guide.

Audit your user accounts

Navigate to the Users > Local Users page and audit the user entries at least once a month to verify that there are no inappropriate accounts. Also enforce the use of complex passwords, and require users to change their passwords on a regular basis; three months is the recommended interval. Do not allow the use of common accounts, in which the username and password are known to a wide audience.

For more information on user accounts, refer to the “Configuring Local Users” chapter in the SonicOS Standard 3.8 Administrator’s Guide.
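The monthly account audit described above can be partly scripted. The following is an added example and is not from the SonicWALL guide: it assumes the administrator keeps a simple CSV register of the local accounts (the SonicOS Standard Users > Local Users page itself is audited in the GUI, and the CSV layout, the sample rows, the AUDIT_DATE and the GENERIC_NAMES list are all constructed for this example). It flags passwords older than the three-month interval the guide recommends, accounts that look like common or shared accounts, and disabled accounts that were never removed.

```python
import csv
import io
from datetime import date

# Constructed register of local accounts (an assumed administrator-kept
# CSV, not a SonicOS export format). Names and dates are made up.
ACCOUNT_REGISTER = """\
username,owner,password_changed,enabled
jsmith,Jane Smith,2008-01-15,yes
mlee,Mark Lee,2007-10-02,yes
guest,,2007-06-01,yes
vpn-shared,Remote office,2007-12-20,yes
tmp-contractor,Acme Inc,2008-02-01,no
"""

MAX_PASSWORD_AGE_DAYS = 90  # the guide's three-month rotation interval
AUDIT_DATE = date(2008, 3, 1)  # constructed "today" so the report is reproducible
# Assumed list of generic usernames that usually indicate a shared account.
GENERIC_NAMES = {"guest", "shared", "test", "temp", "user"}


def password_age_days(changed, today):
    """Days since the password was last changed (changed is an ISO date string)."""
    return (today - date.fromisoformat(changed)).days


def looks_shared(username, owner):
    """A generic name, a missing owner, or 'shared' in the name suggests a
    common account whose credentials are known to a wide audience."""
    lowered = username.lower()
    return lowered in GENERIC_NAMES or not owner.strip() or "shared" in lowered


def audit_accounts(csv_text, today):
    """Return a list of (username, problem) pairs for the audit report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"]
        age = password_age_days(row["password_changed"], today)
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})"))
        if looks_shared(name, row["owner"]):
            findings.append((name, "looks like a common/shared account"))
        if row["enabled"].strip().lower() != "yes":
            findings.append((name, "disabled account still present; remove it if no longer needed"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_accounts(ACCOUNT_REGISTER, AUDIT_DATE):
        print(f"{user:16s} {problem}")
```

The report is deliberately a list of findings rather than a pass/fail verdict: the reviewer still decides, per account, whether to delete it, rotate the password, or document why a shared account is tolerated.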

Establish a logging baseline

On the Log > View page, it is recommended to enable all categories and alerts for at least the first few days of a new installation, allowing you to better understand the various functions. This generates a lot of log messages, so after a few days, configure logging at a level appropriate for your environment.

For more information on logging baselines, refer to the “Viewing Log Events” chapter in the SonicOS Standard 3.8 Administrator’s Guide.
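Deciding which categories to turn back off after the baseline period is easier with a count of what the appliance actually emitted. The following is an added example, not code from the SonicWALL guide: it parses the key=value style of syslog line that SonicOS writes (the sample lines, serial number, addresses, category codes and message ids are constructed for this example), counts messages by syslog priority and message text, and splits them into alerts to always keep, high-volume informational messages that are candidates for disabling, and everything else.

```python
import re
from collections import Counter

# Constructed sample of a baseline capture in the key=value style SonicOS
# uses for syslog. Serial number, addresses, c= and m= values are made up.
SAMPLE_LOG = """\
id=firewall sn=0000000000 time="2008-03-01 10:00:01" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.168.20:50001:LAN dst=198.51.100.5:80:WAN proto=tcp/http
id=firewall sn=0000000000 time="2008-03-01 10:00:02" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.168.21:50002:LAN dst=198.51.100.6:443:WAN proto=tcp/https
id=firewall sn=0000000000 time="2008-03-01 10:00:03" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.168.22:50003:LAN dst=198.51.100.7:53:WAN proto=udp/dns
id=firewall sn=0000000000 time="2008-03-01 10:00:04" fw=203.0.113.10 pri=5 c=512 m=98 msg="Connection Opened" src=192.168.168.20:50004:LAN dst=198.51.100.5:80:WAN proto=tcp/http
id=firewall sn=0000000000 time="2008-03-01 10:00:05" fw=203.0.113.10 pri=1 c=32 m=30 msg="Administrator login failed" src=203.0.113.77::WAN dst=203.0.113.10::WAN
id=firewall sn=0000000000 time="2008-03-01 10:00:06" fw=203.0.113.10 pri=1 c=32 m=30 msg="Administrator login failed" src=203.0.113.77::WAN dst=203.0.113.10::WAN
id=firewall sn=0000000000 time="2008-03-01 10:00:07" fw=203.0.113.10 pri=4 c=8 m=41 msg="IKE negotiation failed" src=198.51.100.9::WAN dst=203.0.113.10::WAN
"""

# key=value pairs; a value is either a double-quoted string or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize(text):
    """Count messages per (syslog priority, message text) across the capture."""
    counts = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        counts[(int(rec["pri"]), rec["msg"])] += 1
    return counts


def tuning_plan(counts, alert_max_pri=3, noise_share=0.4):
    """Split message types into 'alert' (priority 0-3: always keep),
    'noise' (informational, pri >= 5, and more than noise_share of all lines:
    candidates to turn off after the baseline period) and 'keep'."""
    total = sum(counts.values())
    plan = {"alert": [], "noise": [], "keep": []}
    for (pri, msg), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if pri <= alert_max_pri:
            plan["alert"].append(msg)
        elif pri >= 5 and n / total > noise_share:
            plan["noise"].append(msg)
        else:
            plan["keep"].append(msg)
    return plan


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (pri, msg), n in counts.most_common():
        print(f"pri={pri} {n:5d}  {msg}")
    print(tuning_plan(counts))
```

The priority thresholds follow the standard syslog severities (0 emergency through 7 debug); the noise_share cut-off is a tuning knob, and a message type that is both low-priority and a large fraction of the volume is exactly the kind of entry the guide means when it says to lower the log level after the first few days.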

Deliver logs and alerts by email

On the Log > Automation page, enter the fully qualified domain name (FQDN) or IP address of a mail server that you relay SMTP mail through, and a working email address that the appliance uses to send notifications in case of alerts and to email the logs to on a periodic basis. This is strongly recommended.

For more information on logs and alerts, refer to the “Configuring Log Automation” chapter in the SonicOS Standard 3.8 Administrator’s Guide.
