Global Management System (GMS) 6.0 Administrator’s Guide
PROTECTION AT THE SPEED OF BUSINESS™
SonicWALL GMS / UMA Administrator’s Guide
Version 6.0
SonicWALL, Inc.
2001 Logic Drive
San Jose, CA 95124-3452
Phone: +1.408.745.9600
Fax: +1.408.745.9300
E-mail: [email protected]
SonicWALL GMS 6.0 Administrator’s Guide
i
Copyright Notice
© 2010 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within cannot be copied, in whole or part, without the
written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same
proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception
does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup
copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another
language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Windows XP, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2003, Internet Explorer, and Active
Directory are trademarks or registered trademarks of Microsoft Corporation.
Firefox is a trademark of the Mozilla Foundation.
Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries.
Netscape Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and
may be registered outside the U.S.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated
in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of their
respective companies and are the sole property of their respective manufacturers.
End User Licensing Agreement For SonicWALL Global Management System
This End User Licensing Agreement (EULA) is a legal agreement between you and SonicWALL, Inc. (SonicWALL) for
the SonicWALL software product identified above, which includes computer software and any and all associated
media, printed materials, and online or electronic documentation (SOFTWARE PRODUCT). By opening the sealed
package(s), installing, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this
EULA. If you do not agree to the terms of this EULA, do not open the sealed package(s), install or use the SOFTWARE
PRODUCT. You may however return the unopened SOFTWARE PRODUCT to your place of purchase for a full refund.
The SOFTWARE PRODUCT is licensed, not sold.
You acknowledge and agree that all right, title, and interest in and to the SOFTWARE PRODUCT, including all
associated intellectual property rights, are and shall remain with SonicWALL. This EULA does not convey to you an
interest in or to the SOFTWARE PRODUCT, but only a limited right of use revocable in accordance with the terms of
this EULA.
• The SOFTWARE PRODUCT is licensed as a single product and can only be used as such.
• You may also store or install a copy of the SOFTWARE PRODUCT on a storage device, such as a network
server, used only to install or run the SOFTWARE PRODUCT on your other computers over an internal
network.
• You may not resell, or otherwise transfer for value, rent, lease, or lend the SOFTWARE PRODUCT.
• The SOFTWARE PRODUCT is trade secret or confidential information of SonicWALL or its licensors. You
shall take appropriate action to protect the confidentiality of the SOFTWARE PRODUCT. You shall not
reverse-engineer, de-compile, or disassemble the SOFTWARE PRODUCT, in whole or in part. The
provisions of this section will survive the termination of this EULA.
• You agree and certify that neither the SOFTWARE PRODUCT nor any other technical data received from
SonicWALL, nor the direct product thereof, will be exported outside the United States except as permitted by
the laws and regulations of the United States, which may require U.S. Government export approval/licensing.
Failure to strictly comply with this provision shall automatically invalidate this License.
License
SonicWALL grants you a non-exclusive license to use the SOFTWARE PRODUCT for a number of SonicWALL eligible
products. This number is specified and shipped with the SOFTWARE PRODUCT. Support for additional SonicWALL
eligible products is subject to a separate upgrade license.
Upgrades
If the SOFTWARE PRODUCT is labeled as an upgrade, you must be properly licensed to use a product identified by
SonicWALL as being eligible for the upgrade in order to use the SOFTWARE PRODUCT. A SOFTWARE PRODUCT
labeled as an upgrade replaces and/or supplements the product that formed the basis for your eligibility for the
upgrade. You may use the resulting upgraded product only in accordance with the terms of this EULA. If the
SOFTWARE PRODUCT is an upgrade of a component of a package of software programs that you licensed as a
single product, the SOFTWARE PRODUCT may be used and transferred only as part of that single product package
and may not be separated for use on more than one computer.
Support Services
SonicWALL may provide you with support services related to the SOFTWARE PRODUCT (“Support Services”). Use of
Support Services is governed by the SonicWALL policies and programs described in the user manual, in “online”
documentation, and/or in other SonicWALL-provided materials. Any supplemental software code provided to you as
part of the Support Services shall be considered part of the SOFTWARE PRODUCT and subject to terms and
conditions of this EULA. With respect to technical information you provide to SonicWALL as part of the Support
Services, SonicWALL may use such information for its business purposes, including for product support and
development. SonicWALL shall not utilize such technical information in a form that identifies its source.
Ownership
As between the parties, SonicWALL retains all title to, ownership of, and all proprietary rights with respect to the
SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text,
and “applets” incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of
the SOFTWARE PRODUCT. The SOFTWARE PRODUCT is protected by copyright laws and international treaty
provisions. The SOFTWARE PRODUCT is licensed, not sold. This EULA does not convey to you an interest in or to the
SOFTWARE PRODUCT, but only a limited right of use revocable in accordance with the terms of this EULA.
U.S. Government Restricted Rights
If you are acquiring the Software including accompanying documentation on behalf of the U.S. Government, the
following provisions apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to
“Restricted Rights”, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in
paragraph 252.227-7013(c)(1). If the Software is supplied to any unit or agency of the United States Government other
than DOD, the Government’s rights in the Software will be as defined in paragraph 52.227-19(c)(2) of the Federal
Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the Government is subject to such
restrictions or successor provisions. Contractor/Manufacturer is: SonicWALL, Inc. 2001 Logic Drive, San Jose, CA
95124-3452, USA.
Exports License
Licensee will comply with, and will, at SonicWALL’s request, demonstrate such compliance with all applicable export
laws, restrictions, and regulations of the U.S. Department of Commerce, the U.S. Department of Treasury and any
other U.S. or foreign agency or authority. Licensee will not export or re-export, or allow the export or re-export of
any product, technology or information it obtains or learns pursuant to this Agreement (or any direct product thereof) in
violation of any such law, restriction or regulation, including, without limitation, export or re-export to Cuba, Iran, Iraq,
Libya, North Korea, Sudan, Syria or any other country subject to applicable U.S. trade embargoes or restrictions, or to
any party on the U.S. Export Administration Table of Denial Orders or the U.S. Department of Treasury List of Specially
Designated Nationals, or to any other prohibited destination or person pursuant to U.S. law, regulations or other
provisions.
Miscellaneous
This EULA represents the entire agreement concerning the subject matter hereof between the parties and supersedes
all prior agreements and representations between them. It may be amended only in writing executed by both parties.
This EULA shall be governed by and construed under the laws of the State of California as if entirely performed within
the State and without regard for conflicts of laws. Should any term of this EULA be declared void or unenforceable by
any court of competent jurisdiction, such declaration shall have no effect on the remaining terms hereof. The failure of
either party to enforce any rights granted hereunder or to take action against the other party in the event of any breach
hereunder shall not be deemed a waiver by that party as to subsequent enforcement of rights or subsequent actions in
the event of future breaches.
Termination
This EULA is effective upon your opening of the sealed package(s), installing or otherwise using the SOFTWARE
PRODUCT, and shall continue until terminated. Without prejudice to any other rights, SonicWALL may terminate this
EULA if you fail to comply with the terms and conditions of this EULA. SonicWALL reserves the right to terminate this
EULA five (5) years after the SOFTWARE PRODUCT is issued to Licensee. In the event of termination, you agree to
return or destroy the SOFTWARE PRODUCT (including all related documents and component items as defined
above) and any and all copies of same.
Limited Warranty
SonicWALL warrants that a) the software product will perform substantially in accordance with the accompanying
written materials for a period of ninety (90) days from the date of purchase, and b) any support services provided by
SonicWALL shall be substantially as described in applicable written materials provided to you by SonicWALL. Any
implied warranties on the software product are limited to ninety (90) days. Some states and jurisdictions do not allow
limitations on duration of an implied warranty, so the above limitation may not apply to you.
Customer Remedies
SonicWALL’s and its suppliers’ entire liability and your exclusive remedy shall be, at SonicWALL’s option, either a)
return of the price paid, or b) repair or replacement of the SOFTWARE PRODUCT that does not meet SonicWALL’s
Limited Warranty and which is returned to SonicWALL with a copy of your receipt. This Limited Warranty is void if
failure of the SOFTWARE PRODUCT has resulted from accident, abuse, or misapplication. Any replacement
SOFTWARE PRODUCT shall be warranted for the remainder of the original warranty period or thirty (30) days,
whichever is longer. Outside of the United States, neither these remedies nor any product Support Services offered by
SonicWALL are available without proof of purchase from an authorized SonicWALL international reseller or distributor.
No Other Warranties
To the maximum extent permitted by applicable law, SonicWALL and its suppliers/licensors disclaim all other
warranties and conditions, either express or implied, including, but not limited to, implied warranties of merchantability,
fitness for a particular purpose, title, and non-infringement, with regard to the SOFTWARE PRODUCT, and the
provision of or failure to provide support services. This limited warranty gives you specific legal rights. You may have
others, which vary from state/jurisdiction to state/jurisdiction.
Limitation of Liability
Except for the warranties provided hereunder, to the maximum extent permitted by applicable law, in no event shall
SonicWALL or its suppliers/licensors be liable for any special, incidental, indirect, or consequential damages (for lost
business profits, business interruption, or loss of business information) arising out of the use of or inability to use the
SOFTWARE PRODUCT or the provision of or failure to provide support services, even if SonicWALL has been advised
of the possibility of such damages. In any case, SonicWALL’s entire liability under any provision of this EULA shall be
limited to the amount actually paid by you for the SOFTWARE PRODUCT; provided, however, if you have entered into
a SonicWALL support services agreement, SonicWALL’s entire liability regarding support services shall be governed
by the terms of that agreement. Because some states and jurisdictions do not allow the exclusion or limitation of liability,
the above limitation may not apply to you.
Manufacturer is SonicWALL, Inc. with headquarters located at 2001 Logic Drive, San Jose, CA 95124-3452, USA.
Table of Contents
Chapter 1: Introduction to SonicWALL GMS .....................................................1
Overview of SonicWALL GMS ....................................................................................................................1
What Is SonicWALL GMS? ....................................................................................................................2
Benefits of Using SonicWALL GMS .....................................................................................................2
Scaling SonicWALL GMS Deployments ..............................................................................................9
Deployment Requirements ......................................................................................................................... 10
Operating System Requirements ......................................................................................................... 10
Database Requirements ......................................................................................................................... 11
MySQL Requirements ........................................................................................................................... 11
Java Requirements .................................................................................................................................. 12
Browser Requirements .......................................................................................................................... 12
Hardware for Single Server Deployment ........................................................................................... 12
Hardware for a Distributed Server Deployment ............................................................................... 12
SonicWALL Appliance and Firmware Support ................................................................................ 13
GMS Gateway Requirements ............................................................................................................... 13
Network Requirements ......................................................................................................................... 15
GMS Internet Access through a Proxy Server .................................................................................. 16
Logging in to GMS ....................................................................................................................................... 16
Navigating the SonicWALL GMS User Interface ................................................................................... 18
SonicToday Panel ................................................................................................................................... 18
Appliance Panels .................................................................................................................................... 19
Monitor Panel ......................................................................................................................................... 23
Console Panel ......................................................................................................................................... 24
Understanding SonicWALL GMS Icons .................................................................................................. 25
Using the GMS TreeControl Menu ........................................................................................................... 27
About Signed Applets in SonicWALL GMS ............................................................................................ 28
Configuring SonicWALL GMS View Options ............................................................................................ 29
Group View ............................................................................................................................................ 30
Unit View ................................................................................................................................................ 31
Creating SonicWALL GMS Fields and Dynamic Views ................................................................. 33
Getting Help .................................................................................................................................................. 41
Tips and Tutorials .................................................................................................................................. 42
Chapter 2: Adding SonicWALL Appliances and Performing Basic Management Tasks .......................43
Adding SonicWALL Appliances to SonicWALL GMS ......................................................................... 43
Adding SonicWALL Appliances Manually ........................................................................................ 45
Importing SonicWALL Appliances ..................................................................................................... 50
Registering SonicWALL Appliances .......................................................................................................... 51
Modifying Management Properties ............................................................................................................ 52
Modifying SonicWALL Appliance Management Options .............................................................. 52
Changing Agents or Management Methods ...................................................................................... 53
Moving SonicWALL Appliances Between Groups .......................................................................... 54
Deleting SonicWALL Appliances from GMS ......................................................................................... 55
Performing Basic Appliance Management ................................................................................................ 55
Chapter 3: Using the SonicToday Panel ..........................................................57
Overview of the SonicToday Panel ........................................................................................................... 58
Editing a Component Window .................................................................................................................. 58
Adding a Component Window .................................................................................................................. 60
Application Widget ................................................................................................................................ 60
Event Alert .............................................................................................................................................. 62
RSS Feed .................................................................................................................................................. 66
Adding More Pages ...................................................................................................................................... 68
Editing and Deleting Pages ......................................................................................................................... 69
Other Features .............................................................................................................................................. 70
Chapter 5: UMH/UMA System Settings ............................................................75
Status ............................................................................................................................................................... 77
Licenses .......................................................................................................................................................... 78
Time ................................................................................................................................................................ 80
Administration .............................................................................................................................................. 81
Settings ........................................................................................................................................................... 83
Diagnostics .................................................................................................................................................... 85
Technical Support Report ..................................................................................................................... 87
Logs and Syslogs .................................................................................................................................... 87
File Manager .................................................................................................................................................. 88
Working with Multiple Files ................................................................................................................. 89
Backup/Restore ............................................................................................................................................ 90
Data Export Wizard .............................................................................................................................. 91
RAID .............................................................................................................................................................. 94
Restart ............................................................................................................................................................. 95
Chapter 6: UMA Network Settings ....................................................................97
Settings ........................................................................................................................................................... 98
Routes ............................................................................................................................................................. 99
Chapter 7: UMH/UMA Deployment Settings ..................................................101
Deployment Roles ...................................................................................................................................... 101
Configuring the All In One Role ....................................................................................................... 103
Configuring the Database Only Role ................................................................................................ 105
Configuring the Console Role ............................................................................................................ 105
Configuring the Agent Role ............................................................................................................... 107
Configuring the Reports Summarizer Role ...................................................................................... 108
Configuring the Monitor Role ........................................................................................................... 109
Configuring the Event Role ............................................................................................................... 110
Configuring the Syslog Collector Role .............................................................................................. 111
Configuring Database Settings ........................................................................................................... 112
Deployment Settings .................................................................................................................................. 114
Configuring Web Port Settings .......................................................................................................... 115
Configuring SMTP Settings ................................................................................................................ 115
Configuring SSL Access ...................................................................................................................... 116
Deployment Services .................................................................................................................................. 117
Chapter 9: Configuring SonicOS System Settings .......................................121
Viewing System Status ............................................................................................................................... 122
Configuring Time Settings ........................................................................................................................ 125
Viewing Licensed Node Status ................................................................................................................. 127
Configuring Administrator Settings ......................................................................................................... 129
Using Configuration Tools ........................................................................................................................ 131
Restarting SonicWALL Appliances ................................................................................................... 132
Requesting Diagnostics for SonicWALL ......................................................................................... 132
Inheriting Settings ................................................................................................................................ 133
Clearing the ARP Cache ...................................................................................................................... 136
Synchronizing Appliances ................................................................................................................... 136
Synchronizing with mysonicwall.com ............................................................................................... 137
Manually Uploading Signature Updates ............................................................................................ 137
Generating Tech Support Reports .................................................................................................... 138
Configuring Contact Information ............................................................................................................ 139
Configuring System Settings ..................................................................................................................... 139
Configuring Schedules ............................................................................................................................... 141
Editing Management Settings ................................................................................................................... 143
Configuring SNMP .................................................................................................................................... 145
Navigating the System > Certificates Page ...................................................................................... 147
About Certificates ................................................................................................................................ 148
Configuring CA Certificates ............................................................................................................... 148
Importing New Local and CA Certificates ...................................................................................... 149
Generating a Certificate Signing Request ......................................................................................... 150
Configuring SCEP ............................................................................................................................... 151
Chapter 10: Configuring SonicOS Network Settings ....................................153
Overview of Interfaces .............................................................................................................................. 153
Virtual Interfaces (VLAN) .................................................................................................................. 154
Configuring Network Settings in SonicOS Enhanced .......................................................................... 156
Configuring Interface Settings ........................................................................................................... 156
WAN Failover and Load Balancing .................................................................................................. 168
Configuring Zones ............................................................................................................................... 172
Configuring the WLAN Zone .......................................................................................................... 176
Configuring DNS ................................................................................................................................. 180
Configuring Dynamic DNS ................................................................................................................ 181
Configuring Address Objects ............................................................................................................. 184
Configuring NAT Policies .................................................................................................................. 187
Configuring Web Proxy Forwarding Settings .................................................................................. 195
Configuring Routing in SonicOS Enhanced .................................................................................... 196
Configuring RIP in SonicOS Enhanced ................................................................................................. 198
Configuring IP Helper ......................................................................................................................... 200
Configuring ARP .................................................................................................................................. 203
Configuring SwitchPorts ..................................................................................................................... 207
Configuring PortShield Groups ......................................................................................................... 208
Configuring Network Monitor ........................................................................................................... 210
Configuring Network Settings in SonicOS Standard ............................................................................ 212
Configuring Basic Network Settings in SonicOS Standard ........................................................... 213
Configuring Dynamic DNS ................................................................................................................ 222
Configuring Web Proxy Forwarding ................................................................................................. 223
Configuring Intranet Settings ............................................................................................................. 223
Configuring Routing in SonicOS Standard ...................................................................................... 225
Configuring RIP in SonicOS Standard ............................................................................................. 225
Configuring OPT Addresses .............................................................................................................. 227
Configuring One-to-One NAT ......................................................................................................... 229
Configuring Ethernet Settings ............................................................................................................ 231
Configuring ARP .................................................................................................................................. 233
Chapter 11: Configuring UTM Appliance Settings ........................................235
Understanding the Network Access Rules Hierarchy ........................................................................... 235
Configuring Firewall Settings in SonicOS Enhanced .......................................................................... 237
Configuring Firewall Rules in SonicOS Enhanced ......................................................................... 238
Configuring Advanced Firewall Settings ......................................................................................... 245
Configuring Multicast Settings ........................................................................................................... 247
Configuring Voice over IP Settings ................................................................................................... 249
Configuring TCP Settings ................................................................................................................... 251
Configuring Quality of Service Mapping .......................................................................................... 254
Configuring SSL Control ................................................................................................................... 265
Configuring Firewall Settings in SonicOS Standard .............................................................................. 269
Configuring Rules in SonicOS Standard .......................................................................................... 269
Configuring Advanced Firewall Settings in SonicOS Standard .................................................... 273
Configuring Voice over IP Settings ................................................................................................... 275
Chapter 12: Configuring Log Settings ...........................................................277
Configuring Log Settings ........................................................................................................................... 278
Configuring Enhanced Log Settings ........................................................................................................ 281
Heartbeat Settings on the Enhanced Log Settings Page ................................................................ 284
Configuring Name Resolution .................................................................................................................. 285
Chapter 13: Viewing Diagnostic Information .................................................287
Viewing Network Diagnostic Settings ..................................................................................................... 288
Viewing Connections Monitor ................................................................................................................. 290
Viewing CPU Monitor ............................................................................................................................... 292
Viewing Process Monitor .......................................................................................................................... 293
Chapter 14: Configuring Website Blocking ...................................................295
Configuring General Website Blocking .................................................................................................. 296
Selecting the Content to Block ................................................................................................................. 298
Content Filter List ................................................................................................................................ 299
CFS Filter List ....................................................................................................................................... 302
Configuring the CFS Exclusion List ........................................................................................................ 308
Customizing Access by Domain .............................................................................................................. 309
Enabling Website Blocking Customization ..................................................................................... 310
Adding Individual Forbidden/Allowed Domains .......................................................................... 311
Adding Multiple Domains From a List ............................................................................................ 311
Timing Options in SonicOS Standard .............................................................................................. 312
Deleting Domains from the Domain Lists ...................................................................................... 312
Blocking Access to Domains by Keywords ........................................................................................... 313
Blocking Web Features .............................................................................................................................. 315
Configuring Access Consent ..................................................................................................................... 316
N2H2 and Websense Content Filtering .................................................................................................. 318
N2H2 ..................................................................................................................................................... 318
Websense ............................................................................................................................................... 320
Chapter 15: Configuring Dynamic Host Configuration Protocol .................321
DHCP Server Options Overview ............................................................................................................ 322
Configuring DHCP Over VPN ................................................................................................................ 322
Configuring Dynamic DHCP IP Address Ranges ................................................................................ 325
Configuring Static IP Addresses ............................................................................................................... 329
Configuring DHCP Option Objects ...................................................................................................... 333
Configuring DHCP Option Groups ...................................................................................................... 334
Configuring General DHCP Settings ...................................................................................................... 334
Configuring Trusted DHCP Relay Agents ............................................................................................. 336
Chapter 16: Configuring User Settings ..........................................................337
Configuring Users in SonicOS Enhanced .............................................................................................. 337
Configuring User Login Settings ....................................................................................................... 338
Configuring LDAP and Active Directory ........................................................................................ 340
Global User Settings ............................................................................................................................ 352
Configuring an Acceptable Use Policy ............................................................................................. 353
Configuring Local Users ..................................................................................................................... 354
Configuring Local Groups .................................................................................................................. 356
Configuring ULA Settings .................................................................................................................. 359
Configuring HTTP URL-Based ULA Settings ................................................................................ 359
Configuring RADIUS for SonicOS Enhanced ............................................................................... 360
Configuring Single Sign-On .............................................................................................................. 362
Configuring Guest Services ................................................................................................................ 366
Configuring Guest Accounts .............................................................................................................. 368
Configuring Users in SonicOS Standard ................................................................................................. 370
Configuring User Settings ................................................................................................................... 370
Global User Settings ............................................................................................................................ 372
Configuring an Acceptable Use Policy ............................................................................................. 373
Configuring ULA Settings .................................................................................................................. 374
Configuring HTTP URL-Based ULA ............................................................................................... 374
Configuring RADIUS for SonicOS Standard .................................................................................. 375
Chapter 17: Configuring Anti-Spam Settings ................................................377
Activating Anti-Spam .......................................................................................................................... 377
Configuring Anti-Spam Settings ........................................................................................................ 378
Configuring Anti-Spam Real-Time Black List Filtering ................................................................. 383
Chapter 18: Configuring Virtual Private Networking ....................................389
VPN SA Management Overview ............................................................................................................. 389
Deployment Caveats ............................................................................................................................ 390
Authentication Methods ..................................................................................................................... 390
Viewing the VPN Summary ...................................................................................................................... 391
Configuring VPN Settings ......................................................................................................................... 392
Configuring ULA Settings for VPNs ...................................................................................................... 395
Configuring VPNs in SonicOS Enhanced .............................................................................................. 396
Configuring VPNs in Interconnected Mode ................................................................................... 396
Configuring VPNs in Non-Interconnected Mode .......................................................................... 399
Generic VPN Configuration in SonicOS Enhanced ...................................................................... 401
Configuring VPNs in SonicOS Standard ................................................................................................ 403
IKE Using SonicWALL Certificates ................................................................................................. 404
IKE Using Third-Party Certificates .................................................................................................. 412
IKE Using Pre-Shared Secret ............................................................................................................. 421
Manual Keying ...................................................................................................................................... 429
Setting up the L2TP Server ...................................................................................................................... 436
Monitoring VPN Connections ................................................................................................................. 437
Management of VPN Client Users .......................................................................................................... 437
Enabling the VPN Client .................................................................................................................... 438
Downloading VPN Client Software .................................................................................................. 439
VPN Terms and Concepts ........................................................................................................................ 439
Using OCSP with SonicWALL Security Appliances ............................................................................ 442
OpenCA OCSP Responder ................................................................................................................ 444
Using OCSP with VPN Policies ........................................................................................................ 444
Chapter 19: Configuring SSL-VPN Settings ..................................................445
SSL VPN NetExtender Overview ..................................................................................................... 445
SSL VPN > Portal Settings ................................................................................................................ 449
SSL VPN > Client Settings ................................................................................................................ 450
SSL VPN > Client Routes .................................................................................................................. 454
Chapter 20: Configuring Security Services ...................................................457
Configuring SonicWALL Network Anti-Virus ...................................................................................... 458
Configuring Anti-Virus Settings ........................................................................................................ 458
SonicWALL Network Anti-Virus Email Filter ...................................................................................... 461
Email Filtering ...................................................................................................................................... 461
Configuring the SonicWALL Content Filter Service ............................................................................ 463
Configuring the SonicWALL Intrusion Prevention Service ................................................................ 463
Overview of IPS ................................................................................................................................... 464
SonicWALL Deep Packet Inspection ............................................................................................... 464
Enabling Intrusion Prevention Services ........................................................................................... 466
Configuring IPS Policies .................................................................................................................... 469
Manual Upload of Keyset and Signature Files ................................................................................ 470
Configuring the SonicWALL RBL Filter ............................................................................................... 472
Configuring the SonicWALL Gateway Anti-Virus ............................................................................... 473
Configuring GAV Settings ................................................................................................................. 475
Configuring GAV Protocols .............................................................................................................. 476
Viewing SonicWALL GAV Signatures ............................................................................................. 477
Configuring the SonicWALL Anti-Spyware Service ............................................................................. 478
Enabling SonicWALL Anti-Spyware ................................................................................................ 480
Specifying Spyware Danger Level Protection .................................................................................. 481
Applying SonicWALL Anti-Spyware Protection to Zones (Enhanced) ..................................... 482
Chapter 21: Configuring High Availability .....................................................487
Configuring High Availability Settings .................................................................................................... 488
Configuring Advanced High Availability Settings ................................................................................. 489
Monitoring High Availability .................................................................................................................... 492
Verifying High Availability Status ........................................................................................................... 493
Chapter 22: Configuring SonicPoints ............................................................495
Managing SonicPoints ................................................................................................................................ 496
Before Managing SonicPoints ............................................................................................................ 496
SonicPoint Provisioning Profiles ....................................................................................................... 497
Updating SonicPoint Settings ............................................................................................................. 508
SonicPoint WLAN Scheduling ......................................................................................................... 509
Updating SonicPoint Firmware ......................................................................................................... 510
Automatic Provisioning (SDP & SSPP) ........................................................................................... 510
Viewing Station Status ............................................................................................................................... 511
Event and Statistics Reporting ........................................................................................................... 511
Using and Configuring SonicPoint IDS .................................................................................................. 513
Detecting SonicPoint Access Points ................................................................................................. 513
Wireless Intrusion Detection Services .............................................................................................. 513
Using and Configuring Virtual Access Points ........................................................................................ 516
Configuring Virtual Access Point Groups ....................................................................................... 517
Configuring Virtual Access Points .................................................................................................... 518
Configuring Virtual Access Point Profiles ....................................................................................... 519
Chapter 23: Configuring Wireless Options ....................................................521
Configuring General Wireless Settings .................................................................................................... 522
Wireless Radio Operating Schedule .................................................................................................. 524
Configuring Wireless Security Settings .................................................................................................... 525
WEP Encryption Settings ................................................................................................................... 525
WEP Encryption Keys ........................................................................................................................ 526
WPA and WPA2 Encryption Settings .............................................................................................. 526
WPA and WPA2 Settings ................................................................................................................... 528
Preshared Key Settings (PSK) ............................................................................................................ 528
Extensible Authentication Protocol (EAP) Settings ...................................................................... 529
Configuring Advanced Wireless Settings ................................................................................................ 530
Configuring MAC Filter List Settings ...................................................................................................... 533
Configuring Intrusion Detection Settings ............................................................................................... 535
Chapter 24: Configuring Wireless Guest Services .......................................537
Configuring Wireless Guest Services Settings ........................................................................................ 538
Adding a Guest ..................................................................................................................................... 540
Configuring the URL Allow List .............................................................................................................. 541
Denying Access to Networks with the IP Deny List ............................................................................ 542
Configuring the Custom Login Screen .................................................................................................... 543
Configuring External Authentication ...................................................................................................... 544
Configuring General Settings ............................................................................................................. 545
Configuring Settings for Auth Pages ................................................................................................. 546
Configuring Web Content Settings ................................................................................................... 547
Configuring Advanced Settings ......................................................................................................... 548
Configuring WGS Account Profiles ........................................................................................................ 549
Chapter 25: Configuring Modem Options ......................................................551
Configuring the Modem Profile ............................................................................................................... 551
Configuring Modem Settings .................................................................................................................... 555
Configuring Advanced Modem Settings ................................................................................................. 558
Chapter 26: Configuring Wireless WAN Options ..........................................559
About Wireless WAN ................................................................................................................................ 559
Configuring the Connection Profile ........................................................................................................ 560
Configuring WWAN Settings ................................................................................................................... 564
Configuring Advanced Settings ................................................................................................................ 565
Chapter 27: Managing Inheritance in GMS ....................................................569
Configuring Inheritance Filters ................................................................................................................ 569
Applying Inheritance Settings ................................................................................................................... 570
Chapter 28: Configuring Web Filters with CSM .............................................575
Configuring Web Filter Settings ............................................................................................................... 575
Configuring Web Filter Policies ............................................................................................................... 578
Modifying the *Default Policy Group .............................................................................................. 579
Adding Category Sets .......................................................................................................................... 580
Restoring Defaults ............................................................................................................................... 581
Configuring Custom Categories ............................................................................................................... 582
Configuring Miscellaneous Web Filters .................................................................................................. 584
Configuring the Custom Block Page ....................................................................................................... 586
Chapter 29: Configuring Application Filters for CSM ...................................587
Configuring Application Filters ................................................................................................................ 587
Chapter 30: Registering and Upgrading SonicWALL Appliances ...............591
Registering SonicWALL Appliances ........................................................................................................ 591
Upgrading Firmware .................................................................................................................................. 592
Upgrading Licenses .................................................................................................................................... 594
Searching ...................................................................................................................................................... 594
Creating License Sharing Groups ............................................................................................................. 597
Viewing Used Activation Codes ............................................................................................................... 600
Chapter 31: Adding SSL-VPN Appliances to GMS ........................................603
Preparing SSL VPN Appliances for GMS Management ...................................................................... 603
Preparing SonicWALL SSL VPN Appliances ................................................................................. 604
Preparing SonicWALL Aventail EX-Series SSL VPN Appliances .............................................. 605
Adding SSL-VPN Appliances in GMS .................................................................................................... 606
Managing SSL-VPN Appliance Settings ................................................................................................. 608
Chapter 32: Using General SSL-VPN Status and Tools ................................611
SSL-VPN Status .......................................................................................................................................... 612
SSL-VPN Tools .......................................................................................................................................... 614
SSL-VPN Info ............................................................................................................................................. 616
Updating SSL-VPN Appliance Information .................................................................................... 616
Chapter 33: Registering, Upgrading, and Logging in to SonicWALL SSL-VPN Appliances ........................................617
Registering SonicWALL SSL-VPN Appliances ..................................................................................... 617
Upgrading SonicWALL SSL-VPN Firmware ........................................................................................ 619
Logging in to SSL-VPN using SonicWALL GMS ................................................................................ 620
Chapter 34: CDP / Email Security Appliance Management ..........................623
Adding a CDP/ES Appliance to GMS ................................................................................................... 624
Preparing the Appliance ...................................................................................................................... 624
Adding the Appliance to GMS ......................................................................................................... 625
Managing CDP/ES General Settings ...................................................................................................... 626
Viewing and Managing CDP/ES Status ........................................................................................... 627
CDP/ES Appliance Tools for Synchronization .............................................................................. 630
Editing CDP/ES Appliance Contact Information ......................................................................... 631
Registering CDP/ES Appliances ............................................................................................................. 632
Registration Tasks on GMS ................................................................................................................ 632
Registration Tasks on the CDP/ES Appliance ............................................................................... 633
Modifying a CDP/ES Appliance ....................................................................................................... 633
Deleting a CDP/ES Appliance .......................................................................................................... 634
Configuring Alerts ...................................................................................................................................... 634
Adding Alerts ........................................................................................................................................ 635
Enabling/Disabling Alerts .................................................................................................................. 635
Deleting Alerts ...................................................................................................................................... 636
Editing Alerts ........................................................................................................................................ 636
Current Alerts ....................................................................................................................................... 637
Templates ..................................................................................................................................................... 637
Template Management Screen ........................................................................................................... 637
Accessing the CDP/ES Management Interface .................................................................................... 640
Using Multi-Solution Management .......................................................................................................... 640
Logging into the CDP/ES Management Interface ......................................................................... 641
Configuring Multi-Solution Management ........................................................................................ 642
Recording .............................................................................................................................................. 644
Configuring Heartbeat using Email Security CLI ........................................................................... 648
Chapter 35: GMS Reporting Features ............................................................651
GMS Reporting Overview ........................................................................................................................ 651
Viewing GMS Reports ........................................................................................................................ 653
Navigating GMS Reporting ...................................................................................................................... 655
Global and Group Views .................................................................................................................... 656
Unit View .............................................................................................................................................. 657
Using Interactive Reports ................................................................................................................... 658
Searching for a Report ......................................................................................................................... 659
Collapsible TreeControl Pane ............................................................................................................ 664
Enabling/Disabling Scheduled Reports ........................................................................................... 664
Combined Reports ............................................................................................................................... 664
Improved Navigation .......................................................................................................................... 665
Showing Domain Names in Reports ...................................................................................................... 666
Managing GMS Reports on the Console Panel and Policies Panel .................................................... 667
Chapter 36: Scheduling and Configuring Reports ........................................671
Configuring Scheduled Reports ................................................................................................................ 671
Viewing or Managing Scheduled Reports ........................................................................................ 672
Adding or Editing a Scheduled Report ............................................................................................. 673
Selecting Reports for Summarization ...................................................................................................... 675
Configuring Inheritance for Reporting Screens ..................................................................................... 676
Configuring Data Storage Settings ........................................................................................................... 677
Configuring Summarization Data for Top Usage ................................................................................. 678
Configuring Summarization Data for Bandwidth Reports .................................................................. 679
Viewing Current Alerts .............................................................................................................................. 680
Scheduling PDF Compliance Reports ..................................................................................................... 680
Compliance Report Overview ............................................................................................................ 680
Adding a New Scheduled Compliance Report ................................................................................ 681
Customizing Your Detailed Reports Page ....................................................................................... 685
Chapter 37: Viewing Reports ..........................................................................689
Managing Report Settings ......................................................................................................................... 690
Editing Report Settings ....................................................................................................................... 690
Selecting a Graphical Display ............................................................................................................. 690
Setting a Date or Date Range ............................................................................................................. 691
Additional Settings ............................................................................................................................... 692
Troubleshooting Reports ................................................................................................................... 692
Viewing Dashboard Reports ..................................................................................................................... 694
Viewing the Dashboard Summary Report ....................................................................................... 694
Viewing the Security Dashboard Report .......................................................................................... 697
Using Custom Reports on UTM Appliances ......................................................................................... 699
Toggling Between Split Mode and Full Mode ................................................................................. 700
Configuring the Date and Time for Custom Reports .................................................................... 702
Configuring the Report Layout and Generating the Report ......................................................... 704
Generating the Custom Report .......................................................................................................... 712
Viewing a Custom Report ................................................................................................................... 713
Printing a Page or Exporting the Report as a PDF or CSV File .................................................. 715
Saving the Report Template ............................................................................................................... 716
Viewing Status Reports .............................................................................................................................. 716
Viewing the Status Up-Time Summary Report ............................................................................... 717
Viewing Status Up-Time Over Time ................................................................................................ 718
Viewing the Status Down-Time Summary Report ......................................................................... 720
Viewing Status Down-Time Over Time ........................................................................................... 721
Viewing Bandwidth Reports ..................................................................................................................... 723
Viewing the Bandwidth Summary Report ........................................................................................ 723
Viewing the Top Users of Bandwidth .............................................................................................. 725
Viewing Bandwidth Usage Over Time ............................................................................................. 727
Viewing the Top Users of Bandwidth Over Time .......................................................................... 729
Viewing Services Reports .......................................................................................................................... 731
Viewing the Services Summary Report ............................................................................................. 731
Viewing Web Usage Reports .................................................................................................................... 733
Viewing the Web Usage Summary Report ....................................................................................... 734
Viewing the Top Web Sites ................................................................................................................ 736
Viewing the Top Users of Web Bandwidth ..................................................................................... 737
Viewing Web Usage by User .............................................................................................................. 739
Viewing Web Usage By Site ............................................................................................................... 741
Viewing Web Usage By Category ...................................................................................................... 742
Viewing Web Usage Over Time ........................................................................................................ 744
Viewing Top Sites Over Time ............................................................................................................ 745
Viewing Top Users Over Time .......................................................................................................... 747
Viewing Web Usage By User Over Time ......................................................................................... 749
Viewing Web Usage By Category Over Time ................................................................................. 750
Viewing Web Filter Reports ...................................................................................................................... 751
Viewing the Web Filter Summary Report ........................................................................................ 752
Viewing the Web Filter Top Sites Report ........................................................................................ 754
Viewing the Top Users that Try to Access Blocked Sites ............................................................. 755
Viewing the Blocked Sites for Each User ........................................................................................ 757
Viewing Blocked Sites Sorted By Site ............................................................................................... 758
Viewing Blocked Sites Sorted By Category ...................................................................................... 759
Viewing Blocked Site Attempts Over Time ..................................................................................... 761
Viewing the Top Blocked Site Attempts Over Time ..................................................................... 762
Viewing the Top Blocked Site Users Over Time ............................................................................ 763
Viewing Blocked Sites for Each User Over Time .......................................................................... 764
Viewing Blocked Sites By Category Over Time .............................................................................. 765
Viewing File Transfer Protocol Reports ................................................................................................. 767
Viewing the FTP Summary Report ................................................................................................... 767
Viewing the Top FTP Sites By User ................................................................................................. 769
Viewing FTP Bandwidth Usage Over Time .................................................................................... 770
Viewing the Top Users of FTP Bandwidth Over Time ................................................................ 772
Viewing Mail Usage Reports ..................................................................................................................... 773
Viewing the Mail Usage Summary Report ....................................................................................... 774
Viewing the Top Users of Mail Bandwidth ..................................................................................... 776
Viewing Mail Usage Over Time ......................................................................................................... 777
Viewing the Top Users of Mail Bandwidth Over Time ................................................................. 779
Viewing VPN Usage Reports ................................................................................................................... 780
Viewing the VPN Usage Summary Report ...................................................................................... 781
Viewing the Top VPN Users ............................................................................................................. 783
Viewing VPN Usage Over Time ....................................................................................................... 784
Viewing the Top VPN Users Over Time ......................................................................................... 785
Viewing VPN Usage By Policy .......................................................................................................... 787
Viewing the Top VPN Policies Over Time ..................................................................................... 788
Viewing Hourly VPN Usage By Policy ............................................................................................ 789
Viewing the VPN Services Summary Report .................................................................................. 790
Viewing Attacks Reports ........................................................................................................................... 792
Viewing the Attack Summary Report ............................................................................................... 792
Viewing the Attacks By Category ...................................................................................................... 794
Viewing the Errors Report ................................................................................................................. 795
Viewing Attack Reports Over Time .................................................................................................. 797
Viewing the Attacks By Category Over Time ................................................................................. 798
Viewing Errors Over Time ................................................................................................................. 799
Viewing Virus Attacks Reports ................................................................................................................ 801
Viewing the Top Viruses By Attack Attempts Report ................................................................... 803
Viewing the Virus Attack Attempts Report ..................................................................................... 804
Viewing the Virus Attacks By User Report ..................................................................................... 806
Viewing Anti-Spyware Reports ................................................................................................................ 807
Viewing a Spyware Summary ............................................................................................................. 809
Viewing Spyware Attempts By Category .......................................................................................... 810
Viewing Spyware Attempts Over Time ............................................................................................ 811
Viewing Spyware Attempts By Category Over Time ..................................................................... 813
Viewing Intrusion Prevention Reports ................................................................................................... 814
Viewing the Intrusion Prevention Summary Report ...................................................................... 816
Viewing Intrusion Attempts By Category ........................................................................................ 817
Viewing Intrusions Over Time .......................................................................................................... 819
Viewing Intrusion Reports By Category Over Time ...................................................................... 821
Viewing Application Firewall Reports ..................................................................................................... 822
Viewing the Application Firewall Summary Report ....................................................................... 823
Viewing the Application Firewall Over Time Report .................................................................... 824
Viewing Application Firewall Top Applications ............................................................................. 825
Viewing Application Firewall Top Users ......................................................................................... 826
Viewing Application Firewall Top Policies ...................................................................................... 827
Viewing Authentication Reports .............................................................................................................. 828
Viewing the User Login Report ......................................................................................................... 829
Viewing the Administrator Login Report ........................................................................................ 830
Viewing the Failed Login Report ....................................................................................................... 830
Viewing the Log .......................................................................................................................................... 831
Viewing the Log for a SonicWALL Appliance ................................................................................ 832
Chapter 38: SSL-VPN Reporting .....................................................................835
SSL-VPN Reporting Overview ................................................................................................................ 835
What is SSL-VPN Reporting? ............................................................................................................ 836
Benefits of SSL-VPN Reporting ........................................................................................................ 836
How Does SSL-VPN Reporting Work? ........................................................................................... 837
Using and Configuring SSL-VPN Reporting ......................................................................................... 837
About Viewing Available SSL-VPN Report Types ........................................................................ 837
Configuring SSL-VPN Scheduled Reports ..................................................................................... 839
Configuring SSL-VPN Summarization ............................................................................................. 840
Chapter 39: Viewing SSL-VPN Reports ..........................................................841
Viewing Status Reports .............................................................................................................................. 841
Viewing the Status Summary Report ............................................................................................... 842
Viewing the Status Over Time Report ............................................................................................ 842
Viewing the Status Down-Time Summary Report ......................................................................... 842
Viewing the Status Down-Time Over Time Report ...................................................................... 843
Viewing SSL-VPN Bandwidth Reports .................................................................................................. 845
Viewing SSL-VPN Bandwidth Summary Reports .......................................................................... 845
Viewing SSL-VPN Top Users of Bandwidth Reports ................................................................... 847
Viewing SSL-VPN Bandwidth Usage Over Time Reports ............................................................848
Viewing SSL-VPN Top Users of Bandwidth Over Time Reports ...............................................850
Using SSL-VPN Custom Reports ............................................................................................................851
Toggling Between Split Mode and Full Mode .................................................................................852
Configuring the Date and Time for Custom Reports .....................................................................855
Configuring the Report Layout and Generating the Report ..........................................................858
Generating the Custom Report ..........................................................................................................864
Viewing a Custom Report ...................................................................................................................865
Printing a Page or Exporting the Report as a PDF or CSV File ...................................................867
Saving the Report Template ................................................................................................................868
Viewing SSL-VPN Resources Reports ....................................................................................................869
Viewing SSL-VPN Resources Summary Reports ............................................................................869
Viewing SSL-VPN Resources Top Users Reports ..........................................................................871
Viewing SSL-VPN Authentication Reports ............................................................................................874
Viewing SSL-VPN User Login Reports ............................................................................................874
Viewing SSL-VPN Failed Login Reports .........................................................................................875
Viewing the SSL-VPN Log .......................................................................................................................876
Viewing the Log for a SSL-VPN Appliance .....................................................................................876
Chapter 40: Using Navigation and Monitoring Tools ...................................881
GMS Navigation Tool ................................................................................................................................881
VPN Monitor ...............................................................................................................................................883
Net Monitor .................................................................................................................................................886
Configuring the Net Monitor .............................................................................................................887
Adding Devices to the Net Monitor ..................................................................................................891
Managing Realtime Monitors ..............................................................................................................900
Managing Severity and Thresholds ....................................................................................................906
Adding Custom Icons to the Net Monitor .......................................................................................912
Real-Time Syslog .........................................................................................................................................912
Live Monitoring ...........................................................................................................................................913
Chapter 41: Configuring User Settings ..........................................................927
Configuring General Settings ...................................................................................................................928
Configuring Reports Settings ...................................................................................................................930
Adding Web Sites to the Filter List ....................................................................................................931
Deleting Web Sites from the Filter List ............................................................................................931
Adding Web Users to the Filter List ..................................................................................................931
Deleting Web Users from the Filter List ..........................................................................................932
Chapter 42: Configuring Log Settings ...........................................................933
Configuration ...............................................................................................................................................933
View Log ...................................................................................................................................................... 934
Chapter 43: Managing Tasks ...........................................................................937
Scheduled Tasks .......................................................................................................................................... 937
Chapter 44: Configuring Management Settings ............................................941
Settings ........................................................................................................................................................ 941
Configuring Email Settings ................................................................................................................. 942
Configuring Prefs File Settings .......................................................................................................... 942
Enabling Reporting and Synchronization with Managed Units ................................................... 943
Enhanced Security Access Settings ................................................................................................... 944
Domains ....................................................................................................................................................... 945
About Domains .................................................................................................................................... 945
Creating a New Domain ..................................................................................................................... 946
Users ............................................................................................................................................................. 953
Creating User Groups ......................................................................................................................... 954
Adding Users ........................................................................................................................................ 955
Moving a User ...................................................................................................................................... 957
Configuring Screen Access ................................................................................................................. 958
Configuring Appliance Access ........................................................................................................... 960
Configuring Unit, View, and Other Permissions ............................................................................ 961
Custom Groups .......................................................................................................................................... 964
Creating Custom Fields ....................................................................................................................... 964
Configuring Prefs File Settings .......................................................................................................... 966
Enabling Reporting and Synchronization with Managed Units ................................................... 966
Enhanced Security Access Settings ................................................................................................... 967
Custom Groups .......................................................................................................................................... 968
Creating Custom Fields ....................................................................................................................... 968
Sessions ........................................................................................................................................................ 970
Managing Sessions ............................................................................................................................... 971
Agents ........................................................................................................................................................... 971
Managing Agent Configurations ........................................................................................................ 972
SNMP Managers ......................................................................................................................................... 973
Configuring SNMP Settings ............................................................................................................... 974
Inheritance Filters ....................................................................................................................................... 974
Message of the Day .................................................................................................................................... 975
Database Maintenance ............................................................................................................................... 977
Configuring Backup Schedule and Settings ..................................................................................... 978
Backing Up a Database Immediately ................................................................................................ 979
Restoring a Database Backup ............................................................................................................. 979
SonicWALL GMS 6.0 Administrator’s Guide
xxv
Chapter 45: Managing Reports in the Console Panel ..................................981
Settings ..........................................................................................................................................................981
Enabling Report Table Sorting ...........................................................................................................982
Controlling the Number of Appliances with Log Viewer Enabled ..............................................982
Summarizer ..................................................................................................................................................983
About Summary Data in Reports .......................................................................................................983
About the Distributed Summarizer ..................................................................................................984
Summarizer Settings and Summarization Interval ...........................................................................987
Configuring the Syslog Deletion Schedule Settings ........................................................................991
Configuring Host Name Resolution ..................................................................................................992
Email/Archive .............................................................................................................................................994
Configuring Email/Archive Settings .................................................................................................994
Scheduled Reports .......................................................................................................................................995
Management ...............................................................................................................................................1000
Configuring Report Data Management ...........................................................................................1000
Chapter 46: Using Diagnostics .....................................................................1003
Debug Log Settings ...................................................................................................................................1003
Configuring Debug Log Settings ......................................................................................................1004
Request Snapshot ......................................................................................................................................1006
Performing a System Snapshot .........................................................................................................1006
Performing the Snapshot ...................................................................................................................1007
Snapshot Status ..........................................................................................................................................1008
Viewing the Snapshot or Diagnostics ..............................................................................................1008
Summarizer Status .....................................................................................................................................1009
Chapter 47: Granular Event Management ...................................................1015
Granular Event Management Overview ................................................................................................1015
What is Granular Event Management? ...........................................................................................1017
Benefits .................................................................................................................................................1018
How Does Granular Event Management Work? ..........................................................................1018
Using Granular Event Management .......................................................................................................1019
About Alerts ........................................................................................................................................1020
Configuring Granular Event Management ............................................................................................1023
Configuring Events on the Console Panel .....................................................................................1023
Configuring Alerts on the Policies Panel ........................................................................................1037
Configuring Alerts on the Reports Panel ........................................................................................1038
Adding Destinations and Schedules to an Alert ............................................................................1039
Viewing Current Alerts .............................................................................................................................1040
Sample Event Alert Reports ....................................................................................................................1041
Chapter 48: Managing Licenses ...................................................................1045
GMS License ............................................................................................................................................. 1045
Upgrading a Demo License to a Retail License ............................................................................ 1046
Product Licenses ................................................................................................................................ 1047
SonicWALL Upgrades ............................................................................................................................. 1049
Upgrading the Node License ............................................................................................................ 1050
Purchasing Upgrades ......................................................................................................................... 1050
Activating the Upgrades .................................................................................................................... 1051
Chapter 49: Web Services .............................................................................1053
URI Basics ................................................................................................................................................. 1054
Settings ....................................................................................................................................................... 1055
Status ........................................................................................................................................................... 1056
Distributed Instances ............................................................................................................................... 1057
The Distributed Instances Table ..................................................................................................... 1057
Configuring Distributed Settings ..................................................................................................... 1058
Adding a Distributed Instance ......................................................................................................... 1058
Chapter 50: Using GMS Help .........................................................................1061
Tips and Tutorials ..................................................................................................................................... 1061
About GMS ............................................................................................................................................... 1062
Log Viewer ................................................................................................................................................. 1066
Real-time Syslog Viewer .......................................................................................................................... 1068
GMS Reports and Corresponding Syslog Categories ......................................................................... 1069
Forwarding Syslog Data to Another Syslog Server ............................................................................. 1072
Forwarding the Syslog Data to a WebTrends Server .......................................................................... 1072
Posting GMS Reporting to Another Web Server for End-User Access .......................................... 1073
Miscellaneous Procedures and Troubleshooting Tips ........................................................................ 1073
Miscellaneous Procedures ................................................................................................................. 1073
Troubleshooting Tips ........................................................................................................................ 1076
Accessing the CLI ..................................................................................................................................... 1080
Local CLI Access ............................................................................................................................... 1080
Remote (SSL) CLI Access ................................................................................................................ 1080
CLI Commands ........................................................................................................................................ 1081
Logging In ........................................................................................................................................... 1082
Logging Out ........................................................................................................................................ 1082
Executing a Command without Logging In .................................................................................. 1083
Adding SonicWALL Appliances ...................................................................................................... 1084
Adding Users ...................................................................................................................................... 1088
Changing Users ................................................................................................................................... 1092
Deleting a Single User ........................................................................................................................1095
Deleting Multiple Users .....................................................................................................................1096
Adding and Removing Activation Codes .......................................................................................1097
Deleting Nodes Using XML .............................................................................................................1101
Monitoring Tunnel Status ..................................................................................................................1102
Monitoring Tunnel Statistics .............................................................................................................1103
Refreshing a Tunnel ...........................................................................................................................1104
Renegotiating a Tunnel ......................................................................................................................1104
Synchronizing Tunnel Information .................................................................................................1104
Configuring SonicWALL Parameters ....................................................................................................1105
Using the Configure Command .......................................................................................................1105
Preparing a Configuration File .........................................................................................................1106
Modifying SonicWALL Parameters .......................................................................................................1109
Using the ModifyArray Command ..................................................................................................1109
Preparing a Parameter Modification File ........................................................................................1110
Configuration Parameters ........................................................................................................................1112
System/Time .......................................................................................................................................1112
CHAPTER 1
Introduction to SonicWALL GMS
This chapter introduces the SonicWALL Global Management System (GMS)
User Interface (UI) navigation and management views. SonicWALL GMS is
intended for large-scale deployments for enterprise and service provider
solutions.
This section includes the following subsections:
• “Overview of SonicWALL GMS” section on page 1
• “Deployment Requirements” section on page 10
• “Logging in to GMS” section on page 16
• “Navigating the SonicWALL GMS User Interface” section on page 18
• “Understanding SonicWALL GMS Icons” section on page 25
• “Using the GMS TreeControl Menu” section on page 27
• “About Signed Applets in SonicWALL GMS” section on page 28
• “Configuring SonicWALL GMS View Options” section on page 29
• “Getting Help” section on page 41
Overview of SonicWALL GMS
This section contains the following subsections:
• “What Is SonicWALL GMS?” section on page 2
• “Benefits of Using SonicWALL GMS” section on page 2
• “Scaling SonicWALL GMS Deployments” section on page 9
What Is SonicWALL GMS?
The SonicWALL Global Management System (SonicWALL GMS) is a
Web-based application that can configure and manage thousands of
SonicWALL Internet security appliances and non-SonicWALL appliances from
a central location.
SonicWALL GMS is capable of managing large networks that use SonicWALL
appliances. This dramatically lowers the cost of managing a secure distributed
network. SonicWALL GMS does this by enabling administrators to monitor the
status of and apply configurations to all managed SonicWALL appliances,
groups of SonicWALL appliances, or individual SonicWALL appliances.
You can also configure multiple site VPNs for SonicWALL appliances. From
the SonicWALL GMS user interface (UI), you can add VPN licenses to
SonicWALL appliances, configure VPN settings, and enable or disable
remote-client access for each network.
SonicWALL GMS provides monitoring features that enable you to view the
current status of SonicWALL appliances, pending tasks, and log messages. It
also provides graphical reporting of UTM appliance and network activities for
the SonicWALL appliances. A wide range of informative real-time and
historical reports can be generated to provide insight into usage trends and
security events.
Benefits of Using SonicWALL GMS
SonicWALL GMS offers the following benefits:
Major New Features in GMS 6.0
• Multi-Solution Management: Comprehensive Management Support
for CDP and Email Security—The Multi-Solution Management feature in
GMS provides next generation management capability by allowing
administrators to manage multiple appliance types—such as CDP, SSL
VPN, SonicWALL-Aventail SSL VPN, and Email Security—through their
respective web user interfaces over HTTP and HTTPS.
This enhancement enables the configuration of GMS Core Management
functionalities through the GMS user interface. Now functions such as
creating tasks, posting policies, scheduling tasks, and more are easily
completed across multiple appliances at Unit Node and Group Node
levels.
• Simplified Certificate Management—Allows the administrator to
configure both CA and Local certificates in one place, simplifying the
process of viewing, editing, and creating new certificates.
• GMS Web Services—GMS administrators typically use several other
consoles to manage their network or, in the case of an MSP, their
customers' networks. The web services API facilitates integration
between GMS and other management consoles and greatly increases the
productivity of the internal IT staff. GMS Web Services are constructed
using Representational State Transfer (REST), an architectural style that
specifies constraints, such as the uniform interface, that when applied to
a Web service induce desirable properties, such as performance,
scalability, and modifiability, that enable services to work best on the
Web. Using this RESTful approach, GMS Web Services will be simple,
lightweight, and scalable.
• Group Level Interfaces—Allows interface management to be applied at
a group level. Administrators are now able to manage all UTM appliance
interface features with a few clicks, including configuration of network
interfaces, WAN connection models, DNS servers, and more.
• Application Firewall Reporting—Application Firewall Reporting
introduces detailed reporting on the application firewall feature of fifth
generation UTM devices. Reports include but are not limited to top
categories, top applications, top users, and top policies. Users can drill
down within reports. This feature allows reports to be generated for
Dynamic Policies and Custom Policies. Useful examples for this feature
include viewing a report by category such as Instant Messaging, or
applying Bandwidth Management by monitoring the activity of streaming
media.
• CDP Reporting—This feature supports the following reports. The reports
are categorized based on the selected context node (Group or Unit) on the
tree control panel. Report navigation (drill down) is also supported among
specific reports.
• CDP Alert and Monitoring—Apart from basic alert configuration, the
extended GEM framework within GMS allows users to define severities
and thresholds, as well as destinations and schedules for every
destination for the alerts when triggered.
• SonicOS 5.5 Support—This feature brings GMS support for the UTM
product line to the recently released SonicOS 5.5. New features now
manageable by GMS include SonicPoint N support, SSL VPN
NetExtender, UTM anti-spam, active/active failover, and more.
SonicOS 5.5 support renders GMS applicable to a wider range of UTM
appliance features and makes the GMS administrator more productive.
• Custom and Granular Reports—This feature allows the GMS
administrator to create custom reports using the raw logs collected from
Aventail and SMB SSL VPN devices under management. GMS customers
can now create granular reports on who accessed what applications at
what time for forensic analysis and troubleshooting. Using data from
these reports can help increase employee productivity and network
uptime.
• Enhanced CLI Support—The new Command Line Interface (CLI) does
not require a user to log in at the OS level on the GMS server. With this
feature users are able to send commands to GMS from a remote host in a
secure manner. This feature enables the automation of the interaction
between GMS and other systems used by the customer. It facilitates
execution of commands on the GMS CLI if the user cannot access the
GMS Console host using Remote Desktop. In addition, a third party
application can interact with the GMS CLI from a remote host using the
GMS CLI Client and Server. Lastly, a user can automate tasks on the
GMS CLI from a remote host by using the GMS CLI Client application in
batch/shell scripts. This feature enhances the productivity of the internal
IT staff of enterprise and service provider customers.
• Enhanced Summarizer Capacity Planning—GMS 6.0 includes
enhanced tools to assess hardware utilization for collection of syslog data
and summarization for reporting. This feature also includes an estimation
tool to determine total capacity of the hardware in use. The impact of a
variety of parameters such as number of users and types of reports
enabled is taken into consideration both at the global level and for each
device under management. Enhanced performance assessment
facilitates finding the root cause of peak hardware usage and proper
capacity expansion planning and therefore allows the GMS administrator
to time new hardware purchases and associated expenses
appropriately as the business grows and brings more devices under
management.
• ESPER Live Monitoring—Provides the user with the ability to monitor the
deployment setup and alert based on any irregularities detected. Live
monitoring allows the user to see threats as and when they are displayed
in the UI and at the same time tag the threats with a severity and provide
additional Destinations based on Schedules.
• Inheritance Enhancements—GMS now allows for reverse inheritance,
offering the ability to inherit policy settings from a unit up to the parent
nodes. GMS 5.1 only allowed for forward inheritance, i.e. policies could
only be pushed from the group level down to the device level. With GMS
6.0, reverse inheritance allows for policies to be inherited from a specific
device to the group level. Effectively, reverse inheritance enables the
user to copy existing configurations and to create predefined SonicWALL
configurations. Reverse inheritance saves GMS administrators a
considerable amount of time by taking one well configured firewall and
promoting its policy configuration to the group level. From the group level
the configurations can then be pushed down to other devices.
• Inheritance Support for Reporting Screens—Adds inheritance support
for setting configurations for GMS reports. This allows a new unit to be
added to a group which then can inherit the GMS report settings for that
group. This feature increases the GMS administrator’s productivity.
• Multiple Authentication Servers—The GMS administrator can define
multiple authentication servers per GMS Domain. Many customers use
multiple authentication domains within their network. This feature allows
GMS to be used within a broader range of customer environments.
• RADIUS Authentication Support for GMS Login—The login module for
GMS now supports RADIUS authentication. Many customers use RADIUS
as part of their authentication infrastructure. RADIUS authentication
support allows GMS to be used within a broader range of customer
environments. It is also part of the upcoming PCI 1.2 requirements.
Existing GMS Features
• Enhanced User Management—SonicWALL GMS includes the ability to
move users across groups, search for users, and apply unit permissions
at user-group level. Domain-level user management support is also
introduced, with “domain” level user groups, where users belonging to
each domain can view each other and set privileges within the domain,
and stay isolated from users of other domains.
• Third Party Authentication Server Support—SonicWALL GMS
supports third party authentication servers, including LDAP, RADIUS, and
Active Directory.
• Custom Reports—SonicWALL GMS provides the Custom Reports
feature that lets you filter raw syslog data to generate granular reports
customized by date and time ranges and by highly flexible filtering of the
data customized for your own needs. In the Internet Activity custom report,
you can see the date and time down to the second of all Internet activity
passing through a monitored SonicWALL security appliance, and view
detailed information not available in reports generated from summarized
data.
• Policy-Based Management—SonicWALL GMS enables network
administrators to globally define, distribute, enforce and deploy network
security policies for managed SonicWALL appliances, creating a highly
secure and controllable firewall configuration environment.
• Managed VPN Services—SonicWALL GMS simplifies the task of globally
defining, distributing, enforcing and deploying VPN policies for managed
VPN gateways, making it easy to manage a global VPN network.
• Managed Remote VPN Client Connections—SonicWALL GMS allows
administrators to define user policies for remote Global VPN Client users.
The user policies can either be emailed to remote users or directly
downloaded from the SonicWALL VPN gateways.
• Comprehensive Security Service Management—In addition to
managing security and VPN policies, SonicWALL GMS enables network
administrators to globally define, distribute, enforce and deploy all the
firewall settings for managed SonicWALL appliances. It also enables
network administrators to remotely upgrade SonicWALL appliances and
add subscription services such as content filtering and virus scanning.
• License Management—SonicWALL GMS provides centralized license
management of SonicWALL upgrade and subscription services. This
makes it easy to store, apply, track, and update upgrade and subscription
license information for all managed SonicWALL appliances.
• Multi-Tier Policy Hierarchy Architecture—SonicWALL GMS enables
administrators to define and distribute one or more policies to an individual
or a group of managed SonicWALL appliances. The policies can be
executed immediately or can be scheduled to take effect at a later time.
SonicWALL GMS supports up to seven levels of groups. Policies can be
applied at any level.
• Scalable Architecture—The SonicWALL GMS distributed architecture
scales to support thousands of SonicWALL appliances, making
large-scale deployments easy to manage. It allows network administrators
to deploy a management architecture that scales to support a rapidly
growing customer base while minimizing support staff and hardware.
• Load Balancing and Redundancy for Security Management—In a
SonicWALL GMS multi-server configuration, each Agent is responsible for
a set of SonicWALL appliances. If an Agent fails, peer SonicWALL GMS
Agents will manage the SonicWALL appliances for the failed Agent.
SonicWALL GMS also provides redundancy for the SonicWALL GMS
Console.
• Role-Based Management—SonicWALL GMS provides a multi-user
architecture with customizable views. Multiple users with different
management privileges can be defined to distribute management tasks
across a group of administrators and operators.
• Granular Event Management—SonicWALL GMS introduces Granular
Event Management (GEM). GEM offers a significant improvement in control
over the way different events are handled. You now have more flexibility when
deciding where and when to send alerts, and you can configure event
thresholds, severities, schedules, and alerts from a centralized location in the
management interface rather than configuring these on a per-unit basis as
before.
•
Centralized Reporting—SonicWALL GMS provides graphical reporting
of firewall and network activities for the SonicWALL appliances. A wide
range of informative real-time and historical reports can be generated to
provide insight into usage trends and security events.
SonicWALL GMS provides aggregated reports for groups of SonicWALL
appliances. It also enables the user, in addition to changing the date for a
report, to set the number of users or sites as well as select a type of chart
for the report.
• Centralized Monitoring—SonicWALL GMS includes monitoring capabilities for fault and performance data analysis. Monitoring includes VPN and device up/down status, VPN statistics, uptime calculations, and security events for GMS management activities, as well as for any TCP/IP based device or application.
• Support for SNMP—A powerful real-time alert mechanism greatly enhances the administrator's ability to pinpoint and respond to critical events. SonicWALL GMS can centrally receive firewall SNMP traps over the secure management tunnel and forward them to an SNMP management system, ensuring the security of firewall traps. The SonicWALL GMS security events can also be forwarded to the SNMP management system as SNMP traps.
• Log Viewer—SonicWALL GMS provides detailed daily firewall logs to analyze specific events.
• Command-Line Interface—SonicWALL GMS features a command line interface that can add multiple SonicWALL appliances at once, configure security and VPN policies, change SonicWALL appliance settings, and display product-related status.
• Database Support—SonicWALL GMS supports access to industry-leading relational databases for highly efficient and reliable data storage and retrieval.
• Audit Trailing—All changes made in SonicWALL GMS are automatically logged, along with the identities of the individuals making the changes.
• Enhanced Security Access—SonicWALL’s ESA feature allows for greater granular control of user access across a GMS network, which is applicable for installations that must comply with stringent regulatory compliance and account management controls as found in such standards as PCI, SOX, or HIPAA.
• GUI-Based Architecture—The SonicWALL GMS user interface (UI) is easy to use and enables administrators to navigate through the managed SonicWALL appliances, view their settings, and make changes.
• Advanced Security Features
– A random password is assigned to each SonicWALL appliance.
– SonicWALL GMS communicates with managed SonicWALL appliances using Internet Protocol Security (IPSec) VPN tunnels.
– SonicWALL GMS communicates with the SonicWALL registration database using HTTPS.
– The SonicWALL GMS login password is encrypted.
• Enhanced Search Features—SonicWALL GMS enables you to locate task or log entries by entering search criteria. It also enables you to search for licenses and subscriptions.
• Upgrade and Subscription Expiration Notices—SonicWALL GMS sends an email notification to the SonicWALL GMS administrator when firewall upgrade and subscription services are about to expire for the managed SonicWALL appliances. By default, the emails are sent out 30 days and 7 days prior to the expiration dates. The SonicWALL GMS administrator can change the default values by specifying the period when to email the expiry notifications for the firewall upgrades and subscriptions.
Scaling SonicWALL GMS Deployments
SonicWALL GMS is designed to be highly scalable to support service
providers and enterprise customers with large numbers of SonicWALL
appliances.
SonicWALL GMS offers a distributed management architecture, consisting of
multiple servers, multiple consoles and several agents. Each agent server can
manage a number of SonicWALL appliances. Additional capacity can be
added to the management system by adding new agent servers. This
distributed architecture also provides redundancy and load balancing,
assuring reliable connections to the SonicWALL appliances under
management.
In the distributed architecture, the console server provides the user a single
interface to the management system. Each agent server can manage a
number of SonicWALL appliances, depending on the GMS gateway that
resides between the agent server and the SonicWALL appliances and the
amount of syslog traffic from the remotely managed appliances. For example,
the SonicWALL PRO Series can act as the gateway for up to 1,000
SonicWALL appliances.
• The GMS gateway that resides between a SonicWALL GMS agent server and the SonicWALL appliances provides secure communications.
• Each SonicWALL appliance can have a primary agent server and a standby server. Each agent server can be a primary server for certain SonicWALL appliances and a standby server for other SonicWALL appliances.
• Configuration of and changes to the SonicWALL GMS and the SonicWALL appliances are written to the database.
• The users at the Admin Workstations can access the SonicWALL GMS console through a Web browser (HTTP) from any location. The SonicWALL GMS console can also be securely accessed using HTTPS.
• The SonicWALL GMS console server can also be an agent server.
Deployment Requirements
Before installing SonicWALL GMS, review the following deployment
requirements.
Note
SonicWALL does not support installations of GMS running on any
virtualization software, such as VMware.
This section includes the following subsections:
• “Operating System Requirements” section on page 10
• “Database Requirements” section on page 11
• “Java Requirements” section on page 12
• “Browser Requirements” section on page 12
• “Hardware for Single Server Deployment” section on page 12
• “Hardware for a Distributed Server Deployment” section on page 12
• “SonicWALL Appliance and Firmware Support” section on page 13
• “GMS Gateway Requirements” section on page 13
• “Network Requirements” section on page 15
• “GMS Internet Access through a Proxy Server” section on page 16
Operating System Requirements
The SonicWALL GMS supports the following operating systems:
• Windows 2000 Server (SP4)
• Windows 2000 Professional (SP4)
• Windows XP Professional (SP2)
• Windows 2003 Server (SP1, 32-bit)
Note
GMS management is not supported on MacOS.
Database Requirements
The SonicWALL GMS release supports the following databases:
• Microsoft SQL Server 2000 (SP4) and Microsoft SQL Server 2005 (SP1) on either Windows 2000 Server (SP4) or 2003 Server (SP1)
Regarding MS SQL Server 2005, SonicWALL GMS supports:
– SQL Server 2005 Workgroup
– SQL Server 2005 Standard
– SQL Server 2005 Enterprise
SonicWALL GMS does not support MS SQL Server 2005 Express.
• SonicWALL MySQL Install Package installed on either Windows 2000 Server (SP4) or 2003 Server (SP1)
Caution
The MySQL bundled with GMS/VP/UMA is fine tuned for optimal
performance in a system with 2 GB RAM and above. Changing the
MySQL configuration is not supported. The configuration
information is kept in the my.ini file, and should not be changed
unless instructed to do so by SonicWALL technical support.
Note
SonicWALL GMS services use JRE 1.5.0_06. SonicWALL GMS
automatically downloads the Java Plug-in 1.5 when accessing GMS.
For Microsoft SQL Server installations, SonicWALL GMS uses
Tomcat 5.5.26.
MySQL Requirements
MySQL is intended for use with SonicWALL GMS 5.1 or higher. It is not
recommended to use with other platforms. In order to run a successful
installation of MySQL, the following prerequisites must be met:
• Windows Operating System (XP, 2000, 2003)
• 6 GB disk space, minimum
• 2 GB RAM, minimum
Note that only NTFS file systems are supported, not FAT. MySQL for GMS 5.1 is not supported on Virtual Machines (VMs).
Java Requirements
Java Plug-in version 1.5 or higher. The JDBC driver is installed by GMS for
Microsoft SQL Server and MySQL Server.
Browser Requirements
• Microsoft Internet Explorer 6.0 or higher
• Mozilla Firefox 2.0 or higher
• Pop-up blocker disabled
SonicWALL GMS supports SSL 3.0 / TLS 1.0 for HTTPS management of SonicWALL appliances, and for direct login to the unit from GMS. For enhanced security across a GMS network for installations that must comply with stringent regulatory compliance and account management controls as found in such standards as PCI, SOX, or HIPAA, the following browsers have SSL 3.0/TLS 1.0 as standard encryption protocols:
• Microsoft Internet Explorer 7.0 or higher
• Mozilla Firefox 2.0 or higher
You can set other browsers to use these protocols in their Tools > Internet Options > Advanced settings.
Hardware for Single Server Deployment
• x86 Environment: Minimum 3 GHz dual-core Intel processor, 2 GB RAM, and 300 GB disk space
Hardware for a Distributed Server Deployment
GMS Server
• x86 Environment: Minimum 3 GHz single-CPU Intel processor, 2 GB RAM, and 300 GB disk space
Database Server
• x86 Environment: Minimum 3 GHz dual-core Intel processor, 2 GB RAM, and 300 GB disk space
Note
It is highly recommended that you install the database on a separate
server.
SonicWALL Appliance and Firmware Support
Table 1  Platforms and Firmware Versions

SonicWALL Platforms                           SonicWALL Firmware Version
SonicWALL Security appliances: NSA Series,    SonicOS Standard 2.0 or higher,
TZ Series, and PRO Series                     SonicOS Enhanced 2.0 or higher
SonicWALL SSL VPN Series appliances           SonicOS SSL VPN 1.5.0.3 or higher for basic
                                              management; SonicOS SSL VPN 2.1 or higher for
                                              SSL VPN Reporting
SonicWALL CSM Series appliances               SonicOS CF 1.0 or higher
SonicWALL CDP Series appliances               SonicWALL CDP 2.3 or higher
SonicWALL Aventail EX-Series                  Version 9.0 or higher

Note
Legacy SonicWALL XPRS/XPRS2, SonicWALL SOHO2, SonicWALL Tele2, and SonicWALL Pro/Pro-VX models are not supported for GMS management. Appliances running SonicWALL legacy firmware including SonicOS Standard 1.x and SonicWALL firmware 6.x.x.x are not supported for GMS management.
Non-SonicWALL Appliance Support
SonicWALL GMS provides monitoring support for non-SonicWALL TCP/IP
and SNMP-enabled devices and applications.
GMS Gateway Requirements
A GMS gateway is a SonicWALL appliance (a firewall) that allows for secure
communication between the SonicWALL GMS server and managed
appliance(s) using VPN tunnels.
The GMS gateway must meet one of the following requirements:
• SonicWALL NSA Series network security appliance with minimum firmware version SonicOS Enhanced 5.0
• SonicWALL PRO Series network security appliance with minimum firmware version SonicOS Enhanced 3.2
• SonicWALL VPN-based network security appliance
Note
The GMS gateway should be at minimum a SonicWALL NSA 2400
with minimum firmware SonicOS Enhanced 5.0, or a SonicWALL
PRO 2040 with minimum firmware SonicOS Enhanced 3.2.
There are three SonicWALL GMS management methods with different GMS
gateway requirements. When using HTTPS as the management method, it is
optional to have a GMS gateway between each SonicWALL GMS agent server
and the managed SonicWALL appliance(s). If you select Existing VPN tunnel,
a gateway is optional. If you select Management VPN tunnel, you must have
a GMS gateway between the SonicWALL GMS agent server and the managed
SonicWALL appliance(s) to allow each SonicWALL GMS agent server to
securely communicate with its managed appliance(s). The following list
provides more detail on SonicWALL GMS management methods and gateway
requirements:
• Management VPN tunnel—A GMS gateway is required. Each GMS agent
server must have a dedicated gateway. The security association (SA) for
this type of VPN tunnel must be configured in the managed SonicWALL
appliance(s). SonicWALL GMS automatically creates the SA in the GMS
gateway. For this configuration, the GMS gateway must be a SonicWALL
VPN-based appliance. The GMS gateway can be configured in
NAT-Enabled or transparent mode.
The reason for a dedicated gateway with this method is due to the
Scheduler's function. When a unit is added into GMS with 'Management
VPN' as the method, the scheduler service logs into the gateway and
creates the management tunnel. Also, the scheduler service periodically
logs into its gateway and checks for management SAs. If there are SAs
created for units that the agent does not manage, the SAs are deleted. If
there are two agents sharing a gateway, they will be constantly deleting
the other agent’s SAs.
• Existing VPN tunnel—A GMS gateway is optional. SonicWALL GMS can
use VPN tunnels that already exist in the network to communicate with the
managed appliance(s). For this configuration, the GMS gateway can be a
SonicWALL VPN-based appliance or another VPN device that is
interoperable with SonicWALL VPN.
• HTTPS—A GMS gateway is optional. SonicWALL GMS can use HTTPS
management instead of a VPN tunnel to communicate with the managed
appliance(s). However, the SonicWALL Aventail EX-Series SSL VPN
appliance allows HTTPS access only to its LAN port(s), and not to its WAN
port(s). This means that when SonicWALL GMS is deployed outside of the
Aventail LAN subnet(s), management traffic must be routed from GMS to
a gateway that allows access into the LAN network, and from there be
routed to the Aventail LAN port.
Network Requirements
To complete the SonicWALL GMS deployment process, the following network
requirements must be met:
• The SonicWALL GMS server must have access to the Internet
• The SonicWALL GMS server must have a static IP address
• The SonicWALL GMS server’s network connection must be able to accommodate 1 KB/s for each device under management. For example, if SonicWALL GMS is monitoring 100 SonicWALL appliances, the connection must support at least 100 KB/s.
Note
Depending on the configuration of SonicWALL log settings and the
amount of traffic handled by each device, the network traffic can
vary dramatically. The 1 KB/s for each device is a general
recommendation. Your installation requirements may be different.
GMS Internet Access through a Proxy Server
If the GMS server cannot access the Internet directly and needs to go through
a proxy server, the following proxy entries are required in the sgmsConfig.xml
file of the GMS server:
<Parameter name="proxySet" value="1"/>
<Parameter name="proxyHost" value="10.0.30.62"/>
<Parameter name="proxyPort" value="3128"/>
<Parameter name="proxyUser" value="0A57CF01AB39ACF8863C8089321B9287"/>
<Parameter name="proxyPassword" value="EE80851182B4B962FC3E0EDF1F00275A"/>
The proxyUser and proxyPassword parameters are required only if the Proxy
Server requires authentication, in which case these are TEAV encrypted. This
configuration supports both HTTP and HTTPS Proxy, as long as the settings
are identical for both.
To exempt certain hosts from the proxy configuration and allow them to be
connected to directly, add the following tag to sgmsConfig.xml:
<Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>
The exact values of all of these parameters should be changed to the
appropriate values for your deployment. The asterisk symbol (*) is a wildcard
that means any string. The pipe symbol (|) is a delimiter for the hosts in the list.
To do TEAV encryption of the string “test”, please go to the directory
<gms-install>\bin in a DOS window. Type the following command:
..\jre\bin\java -cp . TEAV test
The output will look like this:
input = [test]
Encrypted: 5F397A4552CC08F2A409A9297588F134
Decrypted: [test]
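The following is an added example, not code from the guide or from SonicWALL, that shows how the proxy Parameter entries above are read and how the nonProxyHosts wildcard list decides whether a given host is reached directly or through the proxy. It applies the rules stated above (the asterisk matches any string, the pipe separates entries) as a general matcher, and adds a review check that the proxyUser and proxyPassword values look like TEAV output rather than plaintext credentials. The Configuration wrapper element and the assumption that TEAV output is an uppercase hex string (as in the sample values shown) are assumptions made for the example; the real sgmsConfig.xml root element is not given here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <Parameter> entries the guide describes for
# sgmsConfig.xml. The <Configuration> wrapper element is an assumption made
# so that the fragment parses; the real file's root element may differ.
SAMPLE_CONFIG = """<Configuration>
  <Parameter name="proxySet" value="1"/>
  <Parameter name="proxyHost" value="10.0.30.62"/>
  <Parameter name="proxyPort" value="3128"/>
  <Parameter name="proxyUser" value="0A57CF01AB39ACF8863C8089321B9287"/>
  <Parameter name="proxyPassword" value="EE80851182B4B962FC3E0EDF1F00275A"/>
  <Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>
</Configuration>"""


def load_parameters(xml_text):
    """Collect every <Parameter name=... value=.../> into a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("Parameter")}


def pattern_to_regex(pattern):
    """Turn one nonProxyHosts entry into an anchored regular expression.

    '*' stands for any string (including the empty string); every other
    character is matched literally. Hostnames are compared case-insensitively.
    """
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def compile_exemptions(non_proxy_hosts):
    """Split the '|'-delimited list into compiled patterns, skipping blanks."""
    if not non_proxy_hosts:
        return []
    return [pattern_to_regex(p.strip())
            for p in non_proxy_hosts.split("|") if p.strip()]


def route_for(host, params):
    """Decide how the GMS server would reach `host`.

    Returns ("direct", None) when no proxy is configured or the host matches
    an exemption, otherwise ("proxy", (proxy_host, proxy_port)).
    """
    if params.get("proxySet") != "1":
        return ("direct", None)
    for rx in compile_exemptions(params.get("nonProxyHosts", "")):
        if rx.match(host):
            return ("direct", None)
    return ("proxy", (params["proxyHost"], int(params["proxyPort"])))


def proxy_credentials_look_encrypted(params):
    """Check that proxyUser/proxyPassword, when present, look like TEAV output.

    Assumption: TEAV output is an uppercase hex string, as in the sample
    values shown in the guide. A value that is not hex suggests a plaintext
    credential was left in sgmsConfig.xml, which a config review should flag.
    """
    hex_re = re.compile(r"^[0-9A-F]+$")
    for key in ("proxyUser", "proxyPassword"):
        value = params.get(key)
        if value is not None and not hex_re.match(value):
            return False
    return True


if __name__ == "__main__":
    params = load_parameters(SAMPLE_CONFIG)
    for h in ("licensemanager.something.com", "www.foobar.net",
              "192.168.0.25", "192.168.1.25", "www.sonicwall.com"):
        print(h, "->", route_for(h, params))
    print("credentials look encrypted:", proxy_credentials_look_encrypted(params))
```

Run as a script it prints the routing decision for each constructed hostname; the three exemption patterns send the first three hosts direct, and everything else goes through 10.0.30.62:3128. The hex check is deliberately simple: it cannot tell a correct TEAV string from a wrong one, only catch a value that was never encrypted.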
Logging in to GMS
The first time you start SonicWALL GMS, the Registration page will appear.
Note
SonicWALL GMS must be registered before you can use it. To
register, SonicWALL GMS must have direct access to the Internet.
To register SonicWALL GMS, follow these steps:
Installation Type             Login Procedure
GMS Software                  Double-click the GMS icon on the desktop of the system where you installed GMS.
UMA                           Open a web browser and navigate to the IP address of the UMA appliance on your network.
UMA or GMS via Remote Login   Open a Web browser and enter http://sgms_ipaddress or http://localhost, or http://sgms_ipaddress/sgms/login.
The SonicWALL GMS login page appears.
1. Enter the SonicWALL user ID (default: admin) and password (default: password). Select ‘Local Domain’ as the domain (default).
2. Click Submit. The SonicWALL GMS UI opens.
Note
For more information on installation, login procedures, and
registration of your GMS installation, please refer to the appropriate
Getting Started Guide, available at:
<http://www.sonicwall.com/us/support.html>
Navigating the SonicWALL GMS User
Interface
The following sections describe the four major panels of the SonicWALL GMS
UI:
• “SonicToday Panel” section on page 18
• “Appliance Panels” section on page 19
• “Monitor Panel” section on page 23
• “Console Panel” section on page 24
SonicToday Panel
Using RSS and AJAX technology, SonicToday is a tab intended to work as a
customizable dashboard where you are able to monitor the latest happenings
with your SonicWALL GMS 5.1 deployment, your network, the IT and Security
World, as well as the rest of the world.
Upon initial login, you see a default SonicToday tab. You are able to further
customize this page by configuring and adding preferred components.
Appliance Panels
The appliance panels allow administrators to add, delete, configure and view SonicWALL UTM appliances and other compatible appliances which are managed by GMS. These panels include:
• UTM Panel—For management and reporting on compatible firewall/UTM appliances.
• SSL-VPN Panel—For management and reporting on SonicWALL SSL-VPN Virtual Private Networking appliances.
• CDP Panel—For management of SonicWALL Continuous Data Protection appliances.
• ES Panel—For management of SonicWALL Email Security appliances.
Within the Firewall and SSL-VPN panels are two sub-panels:
• “Policies Panel” section on page 20
• “Reports Panel” section on page 21
Policies Panel
The Policies Panel is used to configure SonicWALL appliances. From these
pages, you can apply settings to all SonicWALL appliances being managed by
SonicWALL GMS, all SonicWALL appliances within a group, or individual
SonicWALL appliances.
To open the Policies Panel, click the Firewall tab at the top of the SonicWALL GMS UI and then click the Policies tab. The Policies Panel for the selected type of SonicWALL appliance appears.
From the Policies Panel, you can do the following:
• View the status of a SonicWALL appliance or group.
• Change general settings such as network settings, time, and SonicWALL passwords.
• Configure SonicWALL log settings.
• Configure website blocking options.
• Configure firewall options.
• Configure advanced settings, such as proxy settings, intranet settings, routes, DMZ addresses, one-to-one network address translation (NAT), and Ethernet settings.
• Configure Dynamic Host Configuration Protocol (DHCP) settings.
• Create Virtual Private Networking (VPN) Security Associations (SAs).
• Configure Remote Authentication Dial-In User Service (RADIUS), anti-virus, and high availability settings.
• Register SonicWALL appliances.
• Update SonicWALL firmware.
• Activate other feature upgrades and subscription services.
Reports Panel
The Reports Panel is an essential component of network security that is used
to view and schedule reports about critical network events and activity, such
as security threats, inappropriate Web use, and bandwidth levels.
To open the Reports Panel, click the UTM or SSL-VPN tab at the top of the SonicWALL GMS UI and then click the Reports tab.
From the Reports Panel, you can view the following for managed SonicWALL
appliances:
• View general bandwidth usage. These reports include a real-time report, a daily bandwidth summary report, a top users of bandwidth report, and a weekly summary report.
• View bandwidth usage, by service. These reports include a real-time report and a summary report.
• View Web bandwidth usage. These reports include a daily bandwidth summary report, a top visited sites report, a top users of Web bandwidth report, a report that contains the top sites of each user, and a weekly summary report.
• View the number of attempts that users made to access blocked websites. These reports include a daily summary report, a top blocked sites report, a top users report, a report that contains the top blocked sites of each user, and a weekly summary report.
• View file transfer protocol (FTP) bandwidth usage. These reports include a daily FTP bandwidth summary report, a top users of FTP bandwidth report, and a weekly summary report.
• View mail bandwidth usage. These reports include a daily mail summary report, a top users of mail report, and a weekly summary report.
• View VPN usage. These reports include a daily VPN summary report, a top users of VPN bandwidth report, and a weekly summary report.
• View reports on attempted attacks and errors. The attack reports include a daily attack summary report, an attack by category report, a top sources of attacks report, and a weekly attack summary report. The error reports include a daily error summary report and a weekly error summary report.
• View detailed logging information. The detailed logging information contains each transaction that occurred on the SonicWALL appliance.
• View successful and unsuccessful user and administrator authentication attempts. These reports include a user authentication report, an administrator authentication report, and a failed authentication report.
SonicWALL GMS 6.0 Administrator’s Guide
Navigating the SonicWALL GMS User Interface
Monitor Panel
The Monitor Panel is the administrator’s central tool for monitoring the status of any managed TCP/IP and SNMP capable devices and applications. The GMS Monitor panel provides power and flexibility to help you manage availability of network devices by providing a real-time graphical representation of your network, creating custom threshold-based real-time monitor alerts, and emailing or archiving network status reports based on your specifications.
To access the Monitoring features, click the Monitor tab at the top of the
SonicWALL GMS UI.
From the Monitor Panel, you can access the following information about
managed appliances:
• GMS Navigation Tool—Shows a color-coded graphical representation of the GMS network, providing a quick way to locate devices.
• VPN Monitor—Shows a color-coded graphical representation of the VPN network.
• NetMonitor—Periodically tests the status of SonicWALL appliances and other attached network devices. Enables you to do the following:
– Categorize and monitor devices by device type, geography, or any other organizational scheme
– Assign priorities to devices within each category
– Create Realtime SNMP-based monitors
– Create and automatically email and archive scheduled SNMP reports for devices being monitored in real time
• Real-Time Syslog—Enables you to diagnose the system by viewing the syslog message in real time.
Console Panel
The Console Panel is used to configure SonicWALL GMS settings, view
pending tasks, manage licenses, and configure system wide granular event
management settings.
To open the Console Panel, click the Console tab at the top of the
SonicWALL GMS UI.
From the Console Panel, you can do the following:
• Change the SonicWALL GMS password.
• View the SonicWALL GMS log. The SonicWALL GMS log contains information on alert notifications, failed SonicWALL GMS login attempts, and other events that apply to SonicWALL GMS.
• Manage tasks. You can view the status of SonicWALL tasks and, if necessary, delete them.
• Manage upgrade and subscription licenses for SonicWALL appliances. After loading these licenses into the license pool, you can apply them to SonicWALL appliances from the Policies Panel.
• Manage SonicWALL GMS user logins and privileges, agents, and dynamic views.
• Manage system wide Granular Event Management settings, including general settings, severity levels, event thresholds, schedules and schedule groups, and alerts.
Understanding SonicWALL GMS Icons
This section describes the meaning of icons that appear next to managed
appliances listed in the left pane of the SonicWALL GMS management
interface.
Status Icon   Description

One blue box indicates that the appliance is operating normally. The appliance is accessible from SonicWALL GMS, and no tasks are pending or scheduled.

Two blue boxes indicate that appliances in a group are operating normally. All appliances in the group are accessible from SonicWALL GMS and no tasks are pending or scheduled.

Three blue boxes indicate that all appliances in the global group of this type (Firewall/SSL-VPN/CDP) are operating normally. All appliances of this type are accessible from SonicWALL GMS and no tasks are pending or scheduled.

One blue box with a lightning flash indicates that one or more tasks are pending or running on the appliance.

Two blue boxes with a lightning flash indicate that tasks are currently pending or running on one or more appliances within the group.

Two blue boxes with a clock indicate that tasks are currently scheduled to execute at a future time on one or more appliances within the group.

One blue box with a clock indicates that one or more tasks are scheduled on the appliance.

One yellow box indicates that the appliance has been added to SonicWALL GMS management (provisioned), but not yet acquired.

Two yellow boxes indicate that one or more appliances in the group have been added to SonicWALL GMS management, but not acquired.

Three yellow boxes indicate that one or more of the global group of appliances of this type (Firewall/SSL-VPN/CDP) have been added to SonicWALL GMS management, but not acquired.

One yellow box with a lightning flash indicates that one or more tasks are pending on the provisioned appliance.

Two yellow boxes with a lightning flash indicate that tasks are pending on one or more provisioned appliances within the group.

One red box indicates that the appliance is no longer sending heartbeats to SonicWALL GMS.

Two red boxes indicate that one or more appliances in the group are no longer sending heartbeats to SonicWALL GMS.

Three red boxes indicate that one or more of the global group of appliances of this type (UTM/SSL-VPN/CDP) are no longer sending heartbeats to SonicWALL GMS.

Two red boxes with a lightning flash indicate that one or more appliances in the group are no longer sending heartbeats to SonicWALL GMS and have one or more tasks pending.

One red box with a lightning flash indicates that the appliance is no longer sending heartbeats to SonicWALL GMS and has one or more tasks pending.
Using the GMS TreeControl Menu
This section describes the content of the TreeControl menu within the
SonicWALL GMS UI.
You can control the display of the TreeControl pane by selecting one of the
appliance tabs at the top. For example, when you click the UTM tab, the
TreeControl pane displays all the managed firewall units. You can display any of
the following three appliance types when GMS is managing all of these device
types:
• UTM Appliances
• SSL-VPNs
• CDPs
You can hide the entire TreeControl pane by clicking the sideways arrow icon, and
redisplay the pane by clicking it again. This is helpful when viewing some reports
or other extra-wide screens, especially on the Monitor or Console panel.
To open a TreeControl menu, right-click the View All icon, a Group icon, or a
Unit icon.
The following options are available in the right-click menu:
• Find—Opens a Find dialog box that allows you to search for groups or units.
• Refresh—Refreshes the GMS UI display.
• Rename Unit—(unit view only) Renames the selected SonicWALL appliance.
• Add Unit—Add a new unit to the GMS management view. Requires unit IP and login information.
• Modify Unit—(unit view only) Change basic settings for the selected unit, including unit name, IP and Login information, serial number, management port and encryption/authentication keys.
• Delete—Delete the selected unit, with option to delete interconnected SAs or to delete from Net Monitor.
• Add to NetMonitor—Add an existing unit to Net Monitor.
• Import XML—Import an edited XML file to replace the current TreeControl navigation view.
• Login to Unit—(unit view only) Login to the selected unit using HTTP or HTTPS protocols.
• Modify Properties—Displays the properties for the selected SonicWALL appliance.
• Manage Views—Opens a dialog box where you can create, delete, or modify a view.
• Change View—Select pre-set or user created views. Views are created in the Manage View window (see above).
• Reassign Agents—Opens a dialog box where you can change the IP address of the primary and standby schedulers and the type of VPN tunnel (management vs. site-to-site) used between SonicWALL GMS and the managed SonicWALL appliances.
About Signed Applets in SonicWALL GMS
There are a number of applets in the GMS UI, such as the TreeControl Applet
in the leftmost pane, Net Monitor and other Monitoring Tools in the Monitor
Tab.
Signed Applets refers to a technique for adding a digital signature to a Java
applet to prove that it was not tampered with upon receipt from the signer.
Signed applets can be given more privileges than ordinary applets. By default,
applets have no access to system resources outside the directory from which
they were launched, but a signed applet can access local system resources
as allowed by the local system’s security policy.
In some previous releases of GMS, you were required to edit the java.policy
file yourself on the client browser system in order to enable a number of applet
related operations, such as Copy/Paste, Import file, Browse local folders, and
HTTP/HTTPS login to the managed units from the GMS UI.
There is no need to edit the java.policy file for signed applets. When a signed
applet starts up, a warning pop-up is displayed. If you want to trust the applet,
click Yes. Copy/paste, Import and HTTP/HTTPS logins will work without any
edits to the java.policy file.
Otherwise, click No. In this case you must manually edit the java.policy file.
Configuring SonicWALL GMS View
Options
The SonicWALL GMS UI is a robust and powerful tool you can use to apply
settings to all SonicWALL appliances being managed by SonicWALL GMS, all
appliances or devices within a group, or individual appliances or devices
simply by selecting the Global, Group, or Unit view within the
SonicWALL GMS UI. The SonicWALL GMS UI supports up to seven group
levels of hierarchy.
Note
Views are only available in the Policies and Reports Panel.
Changing views does not affect the Console or Monitor Panels.
This section describes each view and what to consider when making changes.
Select from the following:
• “Group View” section on page 30
• “Unit View” section on page 31
• “Creating SonicWALL GMS Fields and Dynamic Views” section on page 33
Group View
From the Group view of the Policies panel, changes you make are applied to
all SonicWALL appliances within the group. The Global view—the top view
that contains all appliances—is a type of Group view.
To open the Group view, click a group icon in the left pane of the
SonicWALL GMS UI. The Group Status page appears. The Group View Status
page contains a list of statistics for all SonicWALL appliances within the group.
As you move through the SonicWALL GMS UI with the Group view selected
and make changes, those changes are broken down into configuration tasks
and applied to each subgroup and each SonicWALL appliance within the
group.
As SonicWALL GMS processes the tasks, some SonicWALL appliances may
be down or offline. When this occurs, SonicWALL GMS spools the task and
reattempts the update later.
Depending on the page that you are configuring, the SonicWALL appliance(s)
may automatically restart. We recommend scheduling the tasks to run when
network activity is low. To determine if a change will require restarting, refer to
the configuration instructions for that task.
Making group changes through the SonicWALL GMS UI enables you to save
time by instituting changes that affect all SonicWALL appliances within the
group through a single operation. Although this is very convenient, some
changes can have unintended consequences. Be careful when making
changes on a group or global level.
Unit View
From the Unit view of the Policies panel, changes you make are only applied
to the selected SonicWALL appliance. To open the Unit view, click a
SonicWALL appliance in the left pane of the SonicWALL GMS UI. The Status
page for the SonicWALL appliance appears.
From the Unit view on the Reports Panel, you can generate real-time and
historical reports for the selected SonicWALL appliance.
As you navigate the SonicWALL GMS UI, you can generate graphical reports
and view detailed log data for the selected SonicWALL appliance. For more
information, see “Reports Panel” on page 21.
As you navigate the SonicWALL GMS UI with a single SonicWALL appliance
selected and make changes, those changes are broken down into
configuration tasks and sent to the selected SonicWALL appliance.
As SonicWALL GMS processes the tasks, the SonicWALL appliance may be
down or offline. When this occurs, SonicWALL GMS spools the task and
reattempts the update later.
Note
Depending on the page that you are configuring, the SonicWALL
appliance may automatically restart. We recommend scheduling the
tasks to run when network activity is low. To determine if a change
will require restarting, refer to the configuration instructions for that
task.
Unit View Status Page
The Unit View Status page contains a list of statistics for the selected
SonicWALL appliance. These include the following:
• SonicWALL Model—specifies the model of the SonicWALL appliance. If
the unit is not registered, “Not Registered” appears instead of a model
number.
• Serial Number—specifies the serial number of the SonicWALL appliance.
• Number of LAN IPs allowed—specifies the number of IP addresses that
are allowed on the LAN.
• DMZ Port—specifies whether the SonicWALL appliance has a DMZ port.
• CPU—specifies the CPU used in the SonicWALL appliance.
• VPN Upgrade—specifies whether the SonicWALL is licensed for a VPN
upgrade.
• VPN Clients—specifies whether the SonicWALL is licensed for VPN
Clients.
• Firmware Version—specifies the version of the firmware installed on the
SonicWALL appliance.
• Content Filter Subscription List/Service—specifies whether the
SonicWALL appliance is licensed for a Content Filter List subscription.
• PKI Subscription—specifies whether the SonicWALL appliance has a
PKI subscription.
• Anti-Virus Subscription—specifies whether the SonicWALL appliance
has an anti-virus subscription.
• Extended Warranty—specifies whether the SonicWALL appliance has an
extended warranty.
• SonicWALL Status—specifies the operational status of the SonicWALL
appliance.
• Tasks Pending—specifies whether the SonicWALL appliance has any
pending tasks.
• Agent Assigned—specifies the IP address of the SonicWALL GMS agent
server that is the primary agent managing the SonicWALL appliance.
• Standby Agent—specifies the IP address of the peer SonicWALL GMS
that acts as the backup agent for this SonicWALL appliance. If the primary
agent fails, this SonicWALL GMS server will manage the appliance.
• Managed using Management Tunnel—specifies if the SonicWALL
appliance is being managed by SonicWALL GMS using the management
VPN tunnel.
• Fetch Uptime—the Uptime parameter indicates how long the SonicWALL
has been running since the last time it was powered up or restarted. To
display the current uptime setting at the unit level for the selected
SonicWALL, click Fetch Uptime.
Creating SonicWALL GMS Fields and Dynamic Views
The SonicWALL GMS uses an innovative method for organizing SonicWALL
appliances. SonicWALL appliances are not forced into specific, limited, rigid
hierarchies. You can simply create a set of fields that define criteria (e.g.,
country, city, state) which separate SonicWALL appliances. Then, create and
use dynamic views to display and sort appliances on the fly.
For information about organizing SonicWALL appliances, see the following
sections:
• “About Default SonicWALL Fields” on page 34
• “Creating Custom Fields” on page 36
• “Understanding Dynamic Views” on page 38
• “Configuring Dynamic Views” on page 39
• “Changing Views” on page 41
About Default SonicWALL Fields
SonicWALL GMS includes standard fields that can be used to sort SonicWALL
appliances based on their model, their firmware version, and other criteria.
Default SonicWALL GMS fields include the following:
• AV Enforcement—places the SonicWALL appliances into two groups:
appliances that have anti-virus (AV) subscriptions and appliances that do
not.
• AV Status—places the SonicWALL appliances into different groups based
on their status.
• CFS Status—places the SonicWALL appliances into two groups:
appliances that have content filtering service (CFS) subscriptions and
appliances that do not.
• Dialup Mode—performs grouping based on whether an appliance has
switched to dialup mode for Internet access.
• Firmware—creates a group for each Firmware version and places each
SonicWALL appliance into its corresponding group.
• Management—performs grouping based on whether appliances are
managed by HTTPS Management mode, GMS Management Tunnel
mode, or Existing/LAN mode.
• Model—creates a group for each SonicWALL model and places each
SonicWALL appliance into its corresponding group.
• Network Type—creates a group for each network type and places each
SonicWALL appliance into its corresponding group. These include:
– Standard
– NAT with DHCP Client
– NAT with PPPoE Client
– NAT with L2TP Client
– NAT with PPTP Client
– NAT Enabled
– Unknown
• Nodes—creates a group for each node range and places each
SonicWALL appliance into its corresponding group.
• PKI Status—places the SonicWALL appliances into two groups:
appliances that have Public Key Infrastructure (PKI) certificates and
appliances that do not.
• Registered—places the SonicWALL appliances into two groups:
appliances that are registered and appliances that are not.
• Scheduler—creates a group for each scheduler agent and places each
SonicWALL appliance into its corresponding group.
• UnitStatus—performs grouping based on the Up/Down/Provisioned
status of appliances.
• VPN Present—places the SonicWALL appliances into two groups:
appliances that have VPN and appliances that do not.
• Warranty Status—places the SonicWALL appliances into two groups:
appliances that have current warranties and appliances that do not.
Creating Custom Fields
When first configuring SonicWALL GMS, you can create custom fields that
you can use to organize managed appliances. SonicWALL GMS supports up
to ten custom fields.
Note
Although SonicWALL GMS supports up to ten custom fields, only
seven fields can be used to sort SonicWALL appliances at any given
time.
The following are examples of custom fields that you can use:
• Geographic—useful for organizing SonicWALL appliances by location.
Especially useful when used in combination with other grouping methods.
Geographic fields may include:
– Country
– Time Zone
– Region
– City
• Customer-based—useful for organizations that are providing managed
security services for multiple customers. Customer-based fields may
include:
– Company
– Division
– Department
• Configuration-based—useful when SonicWALL appliances will have
very different configurations (e.g., Filtering, No Filtering, Pornography
Filtering, Violence Filtering, or VPN).
• User-type—different service offerings can be made available to different
user types. For example, engineering, sales, and customer service users
can have very different configuration requirements. Or, if offered as a
service to end users, you can allow or disallow network address
translation (NAT) depending on the number of IP addresses that you want
to make available.
SonicWALL GMS is pre-configured with four custom fields: Country,
Company, Department, and State. These fields can be modified or deleted. To
add fields, follow these steps:
1. Click the Console tab, expand the Management tree and click Custom
Groups.
2. Right-click Custom Groupings in the right pane.
3. Select Add Category from the pop-up menu.
4. Enter the name of the group in the Category Name field.
Note
Category names can only contain alpha-numeric characters. Special
characters and/or spaces are not accepted.
5. Enter the default value for the group in the Default Value field.
6. Click Ok. You can create up to ten fields.
Note
Although the fields appear to be in a hierarchical form, this has no
effect on how the fields will appear within a view.
To modify or delete fields, right-click any of the existing fields and select
Properties or Delete Category, respectively from the pop-up menu.
Understanding Dynamic Views
After creating custom fields and reviewing the SonicWALL GMS fields,
SonicWALL GMS administrators can set up views to dynamically filter the
SonicWALL security appliances that are displayed in the GMS user interface
based on fields.
Note
Each view can filter for a maximum of seven fields.
Some views can include the following:
• Standard Geographic Views
When the number of SonicWALL appliances managed by
SonicWALL GMS becomes large, you can divide the appliances
geographically among SonicWALL administrators.
For example, if one administrator will be responsible for each time zone in
the United States, you can choose the following grouping methods:
– Administrator 1: Country: USA, Time Zone: Pacific, State, City.
– Administrator 2: Country: USA, Time Zone: Mountain, State, City.
– Administrator 3: Country: USA, Time Zone: Central, State, City.
– Administrator 4: Country: USA, Time Zone: Eastern, State, City.
• Firmware Views
To ensure that all SonicWALL appliances are using the current firmware,
you can create a view to check and update firmware versions and batch
process firmware upgrades when network activity is low.
For example, if you want to update all SonicWALL appliances to the latest
firmware at 2:00 A.M., you can use the following grouping method:
– Firmware Version, Time Zone
If you want to update SonicWALL appliances only for companies that have
agreed to the upgrade and you want the upgrades to take place at 2:00
A.M., you can use the following grouping method:
– Company, Firmware Version, Time Zone
• Registration Views
To ensure that all SonicWALL appliances are registered, you can create a
registration view and check it periodically. To create a registration view,
you can use the following grouping method:
– Registration Status, any other grouping fields
• Upgrade View
You can create views that contain information on which upgrades
customers do not have and forward this information to the Sales
Department.
For example, you can choose the following grouping methods:
– Content Filter List, Company, Division, Department
– Anti-Virus, Company, Division, Department
– Warranty Status, Company, Division, Department
Configuring Dynamic Views
To create a view, follow these steps:
1. Right-click anywhere in the left pane of the SonicWALL GMS window and
select Manage Views from the pop-up menu. The Edit View page
appears.
2. Type a descriptive name for the new view in the View Name field.
3. To make this view available to non-administrators, select Visible to
Non-Administrators.
4. To add a view category, click Add Level. View categories are used to filter
SonicWALL appliances in your view. The Group Categories column
contains categories that are a combination of custom fields and
SonicWALL GMS fields.
5. To change the Group Category field, select the desired field from the
drop-down list. For a list of SonicWALL GMS fields and their meanings,
see “About Default SonicWALL Fields” on page 34.
6. Choose an Operator to apply to the value for this view:
– equals (default value)
– starts with
– ends with
– contains
– does not equal
– does not contain
7. Type a value for the category in the Value column.
8. You can add up to seven categories or levels.
9. To delete a view category, select the level and click Delete Level.
10. When you are finished configuring this view, click Modify View.
11. When you are finished, click Done.
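As an added illustration (not GMS code), the following Python model applies a dynamic view the way this procedure and “Understanding Dynamic Views” describe it: each level names a field, one of the six operators above and a value; a view holds at most seven levels; and only appliances that satisfy every level are shown. The appliance inventory and its field values are constructed for the example, and the `DynamicView`/`Level` names are mine.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# The six operators offered in the Operator column of the Edit View page.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, wanted: actual == wanted,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
    "ends with": lambda actual, wanted: actual.endswith(wanted),
    "contains": lambda actual, wanted: wanted in actual,
    "does not equal": lambda actual, wanted: actual != wanted,
    "does not contain": lambda actual, wanted: wanted not in actual,
}

MAX_LEVELS = 7  # a view can filter on at most seven categories (levels)


@dataclass(frozen=True)
class Level:
    """One row of the Edit View page: a Group Category, an Operator and a Value."""
    field: str
    operator: str
    value: str


class DynamicView:
    """A named view that keeps only appliances matching every level (all levels must hold)."""

    def __init__(self, name: str, levels: List[Level], visible_to_non_admins: bool = False):
        if len(levels) > MAX_LEVELS:
            raise ValueError(f"a view may have at most {MAX_LEVELS} levels, got {len(levels)}")
        for lvl in levels:
            if lvl.operator not in OPERATORS:
                raise ValueError(f"unknown operator {lvl.operator!r} for field {lvl.field!r}")
        self.name = name
        self.levels = list(levels)
        self.visible_to_non_admins = visible_to_non_admins

    def matches(self, appliance: Dict[str, str]) -> bool:
        for lvl in self.levels:
            actual = appliance.get(lvl.field)
            # An appliance with no value for a filtered field cannot satisfy the view.
            if actual is None or not OPERATORS[lvl.operator](actual, lvl.value):
                return False
        return True

    def apply(self, appliances: List[Dict[str, str]]) -> List[str]:
        """Return the Unit Names the left pane would show with this view selected."""
        return [a["Unit Name"] for a in appliances if self.matches(a)]


# Constructed inventory: default GMS fields (Firmware, Registered) mixed with
# custom fields the guide suggests (Company, Time Zone). All values are invented.
APPLIANCES: List[Dict[str, str]] = [
    {"Unit Name": "sfo-fw-01", "Company": "Acme", "Firmware": "5.6.0", "Time Zone": "Pacific", "Registered": "Yes"},
    {"Unit Name": "den-fw-01", "Company": "Acme", "Firmware": "5.5.2", "Time Zone": "Mountain", "Registered": "Yes"},
    {"Unit Name": "nyc-fw-02", "Company": "Globex", "Firmware": "5.5.2", "Time Zone": "Eastern", "Registered": "No"},
    {"Unit Name": "chi-fw-01", "Company": "Acme", "Firmware": "5.6.0", "Time Zone": "Central", "Registered": "No"},
]

# Firmware view from the guide ("Company, Firmware Version, Time Zone"): Acme units
# in the Mountain time zone that are not yet on the current firmware.
ACME_MOUNTAIN_UPGRADES = DynamicView("Acme upgrades (Mountain)", [
    Level("Company", "equals", "Acme"),
    Level("Firmware", "does not equal", "5.6.0"),
    Level("Time Zone", "equals", "Mountain"),
])

# Registration view from the guide: Registration Status, other fields optional.
UNREGISTERED = DynamicView("Unregistered units", [Level("Registered", "equals", "No")])


def upgrade_candidates() -> List[str]:
    return ACME_MOUNTAIN_UPGRADES.apply(APPLIANCES)


def unregistered_units() -> List[str]:
    return UNREGISTERED.apply(APPLIANCES)


if __name__ == "__main__":
    print("Acme/Mountain upgrade candidates:", upgrade_candidates())
    print("Unregistered units:", unregistered_units())
```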
Changing Views
To change views from within the SonicWALL GMS UI, follow these steps:
1. Right-click anywhere in the left pane of the SonicWALL GMS window and
select Change View from the pop-up menu. The Change View dialog box
appears.
2. Select a view and click OK. The GMS UI displays only the SonicWALL
appliances that meet the requirements of the filters defined in the view.
Getting Help
In addition to this manual, SonicWALL GMS provides on-line help resources.
To get help, follow these steps:
1. Navigate to the page where you need help.
2. Click the Question Mark (?) in the upper right-hand corner of the window.
Help for the selected page appears.
Tips and Tutorials
Tips and tutorials are also available in some sections of the user interface, and
are denoted by a “Lightbulb” icon.
To access tips and tutorials:
1. Navigate to the page where you need help.
2. If available, click the Lightbulb icon in the upper right-hand corner of the
window. Tips, tutorials, and online help are displayed for this topic.
CHAPTER 2
Adding SonicWALL Appliances and
Performing Basic Management Tasks
This chapter describes how to add SonicWALL appliances to SonicWALL
GMS, register appliances, and modify management properties. It also
provides an introduction to basic appliance management tasks that can be
performed through SonicWALL GMS. This chapter contains the following
sections:
• “Adding SonicWALL Appliances to SonicWALL GMS” on page 43
• “Registering SonicWALL Appliances” on page 51
• “Modifying Management Properties” on page 52
• “Deleting SonicWALL Appliances from GMS” on page 55
• “Performing Basic Appliance Management” on page 55
Adding SonicWALL Appliances to SonicWALL GMS
SonicWALL GMS can communicate with SonicWALL appliances through VPN
tunnels, HTTPS, or directly over VPN tunnels that already exist between the
SonicWALL appliances and the GMS gateway. When using HTTPS to access
a SonicWALL Aventail SSL VPN appliance, GMS must connect to the LAN
port of the Aventail appliance. When SonicWALL GMS is deployed outside of
the Aventail LAN subnet, management traffic must be routed from GMS to a
gateway that allows access into the LAN network, and from there be routed to
the Aventail LAN port.
To add SonicWALL appliances using the command-line interface, refer to the
SonicWALL Global Management System Command Line Interface Guide. The
following sections describe two methods for adding SonicWALL appliances to
GMS:
• “Adding SonicWALL Appliances Manually” on page 45
• “Importing SonicWALL Appliances” on page 50
Adding SonicWALL Appliances Manually
To manually add a SonicWALL appliance using the SonicWALL GMS
management interface, follow these steps:
1. Click the appliance tab that corresponds to the type of appliance that you
want to add: UTM, SSL-VPN, CDP, or Email Security.
2. Expand the SonicWALL GMS tree and select the group to which you will
add the SonicWALL appliance. Then, right-click the group and select Add
Unit from the pop-up menu. To not specify a group, right-click an open
area in the left pane (TreeControl pane) of the SonicWALL GMS
management interface and select Add Unit. The Add Unit dialog box
appears.
3. Enter a descriptive name for the SonicWALL appliance in the Unit Name
field.
Note
Do not enter the single quote character (‘) in the Unit Name field.
4. If applicable, choose a Domain to add this appliance to from the Domain
drop-down list.
Note
Domain selection is only available to the admin of the LocalDomain.
Individual domain admins are only able to add an appliance to their
respective domains.
5. Enter the serial number of the SonicWALL appliance in the Serial Number
field. On SonicWALL Aventail appliances, the serial number is found on a
sticker on the back of the appliance. Enter it without hyphens into the field.
6. For the Managed Address, choose whether to Determine automatically
or Specify manually. Most deployments will be able to determine the
address automatically.
7. Enter the administrator login name for the SonicWALL appliance in the
Login Name field. For SonicWALL Aventail SSL VPN appliances, the
login name is pre-configured as “GMS” and cannot be changed.
8. Enter the password used to access the SonicWALL appliance in the
Password field.
9. For Management Mode, select from the following:
– If the SonicWALL appliance will be managed through an existing VPN
tunnel or over a private network, select Using Existing Tunnel or
LAN.
– If the SonicWALL appliance will be managed through a dedicated
management VPN tunnel, select Using Management VPN Tunnel
(default).
– If the SonicWALL appliance will be managed over HTTPS, select
Using HTTPS.
10. Enter the IP address of the managed appliance in the IP Address field.
11. Enter the port used to administer the SonicWALL appliance in the
HTTP(S) Port field (default ports are HTTP: 80; HTTPS: 443).
For SonicWALL Aventail appliance management, use HTTPS port 8443.
12. For VPN tunnel management, enter a 16-character encryption key in the
SA Encryption Key field. The key must be exactly 16 characters long and
composed of hexadecimal characters. Valid hexadecimal characters are
“0” to “9”, and “a” to “f” (i.e., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For
example, a valid key would be “1234567890abcdef.”
Note
This key must match the encryption key of the SonicWALL
appliance. You can set the key on the appliance by logging directly
into it.
13. For VPN tunnel management, enter a 32-character authentication key in
the SA Authentication Key field. The key must be exactly 32 characters
long and composed of hexadecimal characters. For example, a valid key
would be “1234567890abcdef1234567890abcdef.”
Note
This key must match the authentication key of the SonicWALL
appliance.
14. If the SonicWALL appliance uses the Anti-Virus feature, enter the
Anti-Virus password. Otherwise, leave the field blank.
15. Select the IP address of the SonicWALL GMS agent server that will
manage the SonicWALL appliance from the Agent IP Address list box:
– If SonicWALL GMS is configured in a multi-tier distributed
environment, you must select the SonicWALL GMS Agent whose IP
address matches the IP address that you specified when configuring
the SonicWALL appliance for SonicWALL GMS management.
– If SonicWALL GMS is in a single-server environment, the IP address
of the SonicWALL GMS agent server already appears in the field.
16. If SonicWALL GMS is configured in a multi-tier distributed environment,
enter the IP address of the backup SonicWALL GMS server in the
Standby Agent IP field. The backup server will automatically manage the
SonicWALL appliance in the event of a primary server failure. Any Agent
can be configured as the backup.
Note
If SonicWALL GMS is deployed in a single server environment,
leave this field blank.
17. To add the appliance to Net Monitor, select the Add this unit to Net
Monitor checkbox.
18. Click Properties. The Unit Properties dialog box appears.
19. This dialog box displays the category fields to which the SonicWALL
appliance belongs. To change any of the values, select a new value from
the drop-down list. When you are finished, click OK. You are returned to
the Add Unit dialog box.
20. Click OK. The User Privileges dialog box displays.
21. Select the user group or individual users to which read-write privileges
should be assigned. Keep in mind that admins always maintain read-write
privileges, regardless of your selection here.
22. Click OK. The new SonicWALL appliance appears in the SonicWALL GMS
management interface. It will have a yellow icon that indicates it has not
yet been successfully acquired.
SonicWALL GMS will then attempt to establish a management VPN
tunnel, set up an HTTPS connection, or use the existing site-to-site VPN
tunnel to access the appliance. GMS then reads the appliance
configuration and acquires the SonicWALL appliance for management.
This will take a few minutes.
After the SonicWALL appliance is successfully acquired, its icon turns
blue, its configuration settings are displayed at the unit level, and its
settings are saved to the database. A text version of this configuration file
is also saved in the file: <gms_directory>/etc/Prefs.
Note
In a multi-tier distributed environment, both the primary and
secondary SonicWALL GMS Agents must be configured to use the
same management method.
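As an added pre-submission check (not part of GMS), the following Python function applies the Add Unit field rules stated in the steps above: no single quote in the Unit Name, the Aventail serial number entered without hyphens, the fixed “GMS” login name and HTTPS port 8443 for Aventail appliances, a 16-hex-character SA Encryption Key and a 32-hex-character SA Authentication Key. It assumes the SA keys are only required when the Using Management VPN Tunnel mode is selected, and it additionally rejects the guide's sample key values, since a value printed in a manual must never serve as a real shared secret; that last check is my addition. The `AddUnitRequest` type, the serial numbers and the IP addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

HEX_RE = re.compile(r"^[0-9a-f]+$")  # valid characters are "0" to "9" and "a" to "f"

MANAGEMENT_MODES = ("Using Existing Tunnel or LAN", "Using Management VPN Tunnel", "Using HTTPS")
AVENTAIL_HTTPS_PORT = 8443

# The guide's own illustrations of well-formed keys: fine in a manual, never in production.
DOC_EXAMPLE_KEYS = {"1234567890abcdef", "1234567890abcdef1234567890abcdef"}


@dataclass
class AddUnitRequest:
    """Hypothetical container for the Add Unit dialog fields used by the checks below."""
    unit_name: str
    serial_number: str
    login_name: str
    management_mode: str = "Using Management VPN Tunnel"
    ip_address: str = ""
    port: int = 443  # HTTP(S) Port; defaults are HTTP: 80, HTTPS: 443
    sa_encryption_key: str = ""
    sa_authentication_key: str = ""
    is_aventail: bool = False


def _check_key(label: str, key: str, length: int, problems: List[str]) -> None:
    if len(key) != length:
        problems.append(f"{label} must be exactly {length} characters long (got {len(key)})")
        return
    if not HEX_RE.match(key):
        problems.append(f"{label} may only contain hexadecimal characters 0-9 and a-f")
    if key in DOC_EXAMPLE_KEYS:
        problems.append(f"{label} is the documentation's sample value; use a randomly generated key")


def validate_add_unit(req: AddUnitRequest) -> List[str]:
    """Return a list of problems; an empty list means the request satisfies the rules."""
    problems: List[str] = []
    if not req.unit_name:
        problems.append("Unit Name is required")
    elif any(q in req.unit_name for q in ("'", "\u2018", "\u2019")):
        problems.append("Unit Name must not contain the single quote character")
    # The guide states the no-hyphen rule for the serial number on Aventail appliances.
    if req.is_aventail and "-" in req.serial_number:
        problems.append("Serial Number must be entered without hyphens")
    if req.is_aventail and req.login_name != "GMS":
        problems.append('Login Name for an Aventail SSL VPN appliance is fixed as "GMS"')
    if req.management_mode not in MANAGEMENT_MODES:
        problems.append(f"unknown Management Mode {req.management_mode!r}")
    if not req.ip_address:
        problems.append("IP Address is required")
    if not (1 <= req.port <= 65535):
        problems.append("HTTP(S) Port must be between 1 and 65535")
    elif req.is_aventail and req.port != AVENTAIL_HTTPS_PORT:
        problems.append(f"Aventail appliances are managed on HTTPS port {AVENTAIL_HTTPS_PORT}")
    # Assumption: the SA keys matter only for the dedicated management VPN tunnel.
    if req.management_mode == "Using Management VPN Tunnel":
        _check_key("SA Encryption Key", req.sa_encryption_key, 16, problems)
        _check_key("SA Authentication Key", req.sa_authentication_key, 32, problems)
    return problems


if __name__ == "__main__":
    # Constructed request that reuses the guide's sample encryption key.
    req = AddUnitRequest("branch-fw-01", "0000000000A1", "admin", ip_address="192.0.2.10",
                         sa_encryption_key="1234567890abcdef",
                         sa_authentication_key="89ab67cd45ef2301" * 2)
    for problem in validate_add_unit(req):
        print("problem:", problem)
```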
Importing SonicWALL Appliances
To reduce the amount of information that you have to manually enter when
adding SonicWALL appliances, GMS enables you to import the saved prefs
file of a SonicWALL appliance. To add a SonicWALL appliance to the
SonicWALL GMS UI using the import option, follow these steps:
1. Right-click in the left pane of the SonicWALL GMS UI and select Add Unit
from the pop-up menu. The Add Unit dialog box appears.
2. Enter a descriptive name for the SonicWALL appliance in the Unit Name
field. Do not enter the single quote character (') in the SonicWALL Name
field.
3. Enter the password to access the SonicWALL appliance in the Password
field.
4. Click Import. The Import dialog box appears.
Note
If the above Import Dialog Box does not appear, you need to edit the
java.policy file on your system.
5. Find and select the saved prefs file of the SonicWALL appliance. Click
Import. You are returned to the Add Unit dialog box.
6. Click Properties. The Unit Properties dialog box appears.
7. This dialog box displays fields to which the SonicWALL appliance belongs.
To change any of the values, enter a new value. When you are finished,
click OK.
8. After you are returned to the Add Unit dialog box, click OK again.
9. Select the user group or individual users to which read-write privileges
should be assigned. Keep in mind that admins always maintain read-write
privileges, regardless of your selection here.
10. The new SonicWALL appliance appears in the SonicWALL GMS UI. It will
have a yellow icon that indicates it has not yet been successfully acquired.
The SonicWALL GMS will then attempt to establish a management VPN
tunnel to the appliance, read its configuration, and acquire it for
management. This will take a few minutes.
After the SonicWALL appliance is successfully acquired, its icon will turn blue, its
configuration settings will be displayed at the unit level, and its settings will be saved
to the database. A text version of this configuration file is also saved in
<gms_directory>/etc/Prefs.
Registering SonicWALL Appliances
After successfully adding one or more SonicWALL appliances to the
SonicWALL GMS UI, the next step is to register them. Registration is required
for firmware upgrades, technical support, and more.
Note
Registering SonicWALL Aventail SSL VPN appliances from GMS is
not supported.
To register one or more SonicWALL appliances, follow these steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Register/Upgrades tree and click Register SonicWALLs.
The Register SonicWALLs page appears.
3. Click Register. SonicWALL GMS creates a task for each SonicWALL
appliance registration. If the appliance is already registered, the Register
SonicWALLs page will state This appliance is registered.
By default, SonicWALL GMS executes the tasks immediately. However,
they can also be scheduled for another time and will remain in the
schedule queue until they are executed. To view the status of these tasks,
click the Console tab. Then, expand the Tasks tree and click Scheduled
Tasks.
During the task execution, SonicWALL GMS registers each selected
SonicWALL appliance using the information that you used to register with
the SonicWALL registration site. After registration is complete, the task will
be removed from the Scheduled Tasks page and the status of the task
execution will be logged. To view these logs, click the Console tab. Then,
expand the Log tree and click View Log.
Modifying Management Properties
The following sections describe how to modify management properties:
• “Modifying SonicWALL Appliance Management Options” on page 52
• “Changing Agents or Management Methods” on page 53
• “Moving SonicWALL Appliances Between Groups” on page 54
Modifying SonicWALL Appliance Management Options
If you make a mistake or need to change the settings of an added SonicWALL
appliance, you can manually modify its settings or how it is managed.
Note
If a unit has not been acquired (yellow icon), you can change its
management mode using this procedure. After it has been acquired
(red or blue icon), you cannot change its management mode using
this procedure and must reassign it. For more information, see
“Changing Agents or Management Methods” on page 53.
To modify a SonicWALL appliance, perform the following steps:
1. Right-click in the left pane of the SonicWALL GMS UI and select Modify
Unit from the pop-up menu. The Modify Unit dialog box appears.
2. The Modify Unit dialog box contains the same options as the Add Unit
dialog box. For descriptions of the fields, see “Adding SonicWALL
Appliances to SonicWALL GMS” on page 43.
3. When you have finished modifying options, click OK. The SonicWALL
appliance settings are modified.
Changing Agents or Management Methods
To provide increased flexibility when managing SonicWALL appliances,
SonicWALL GMS enables you to change the Agents that manage SonicWALL
appliances, as well as their management methods.
To change how a SonicWALL appliance is managed, follow these steps:
1. Right-click on the group or appliance that you want to re-assign and select
Re-assign Agents from the pop-up menu.
2. If the appliances to be re-assigned are managed using existing tunnels or
the LAN, a warning message is displayed. Click Ok.
Caution
Make sure that the appliances will be able to successfully connect
to the re-assigned GMS to avoid losing connection to the
appliances.
3. The Re-assign Agents dialog box appears.
4. Select the IP address of the SonicWALL GMS agent server that will
manage the SonicWALL appliance from the Scheduler IP Address list
box.
5. If SonicWALL GMS is configured in a multi-tier distributed environment,
enter the IP address of the backup SonicWALL GMS server in the
Standby Scheduler IP field. The backup server will automatically manage
the SonicWALL appliance in the event of a primary failure. Any Agent can
be configured as the backup.
Note
If SonicWALL GMS is in a single server environment, leave this field
blank.
6. Select from the following management modes:
– If the SonicWALL appliance will be managed through an existing VPN
tunnel or over a private network, select Using Existing Tunnel or
LAN.
– If the SonicWALL appliance will be managed through a dedicated
management VPN tunnel, select Using Management VPN Tunnel
(default).
– If the SonicWALL appliance will be managed over HTTPS, select
Using HTTPS.
Note
HTTPS management requires additional configuration on the
appliance itself.
7. Enter the port used to administer the SonicWALL appliance in the
SonicWALL HTTP Port field (standard: 80; HTTPS: 443).
For SonicWALL Aventail appliance management, use HTTPS port 8443.
8. When you are finished, click OK. A task is created for each selected
SonicWALL appliance.
Moving SonicWALL Appliances Between Groups
To move SonicWALL appliances between groups, simply change the
properties of their custom fields. To change these properties, follow these
steps:
1. Right-click on a SonicWALL appliance or group in the left pane of the
SonicWALL GMS UI and select Modify Properties from the pop-up menu.
The Properties dialog box appears.
2. Make any changes to the categories to which the SonicWALL appliance or
group of appliances belongs. For information on creating categories, see
“Creating SonicWALL GMS Fields and Dynamic Views” on page 33.
Note
If you are performing this procedure at the group or global level, all
parameters will be changed for all selected SonicWALL appliances.
For example, if you were attempting to only change the Country
attribute, all other parameters would be changed as well.
3. Click OK. The SonicWALL appliance(s) are moved to the new group.
Deleting SonicWALL Appliances from GMS
To delete a SonicWALL appliance or a group of appliances from GMS, perform
the following steps:
1. Right-click on a SonicWALL appliance or group in the left pane and select
Delete from the pop-up menu.
2. In the warning message that displays, click Yes. The SonicWALL
appliance or group is deleted from GMS.
Performing Basic Appliance Management
This section provides links to locations in this guide that describe the most
common appliance management tasks.
Table 2 Appliance Management
Management Task | Location
Inheriting Group Settings | “Managing Inheritance in GMS” on page 569
Upgrading Firmware | “Upgrading Firmware” on page 592
Managing Subscription Services | “Configuring Security Services” on page 457
Manually Uploading Signatures | “Manually Uploading Signature Updates” on page 137
Managing Certificates | “Configuring Certificates” on page 146; “Generating a Certificate Signing Request” on page 150
Backing up the Prefs File | “Configuring System Settings” on page 139
Understanding Heartbeat Messages | “Configuring System Settings” on page 139; “Configuring Log Settings” on page 278
CHAPTER 3
Using the SonicToday Panel
This chapter introduces the SonicWALL Global Management System (GMS)
management interface navigation and management views. SonicWALL GMS
is intended for large-scale deployments for enterprise and service provider
solutions.
This section includes the following subsections:
• “Overview of the SonicToday Panel” section on page 58
• “Editing a Component Window” section on page 58
• “Adding a Component Window” section on page 60
• “Adding More Pages” section on page 68
• “Editing and Deleting Pages” section on page 69
• “Other Features” section on page 70
Overview of the SonicToday Panel
SonicToday is a customizable dashboard tab, built with RSS and AJAX, on which you can monitor your SonicWALL GMS 6.0 deployment, your network, IT and security news, and general news.
Upon initial login, you see a default SonicToday tab. You can further customize this page by configuring and adding preferred components.
Editing a Component Window
One customizable feature of SonicToday is the ability to edit the title of any given component window. To do this:
1. Click the Edit link, located on the right side of the component window you wish to modify. In this example, we will modify the title of the component window “CNN Top Stories.”
2. The component window will expand, revealing the following entries you can modify:
Title – The title of the component window.
RSS URL – The URL of the RSS Feed the current component window updates from.
Items – The number of items to be displayed on the component window.
Refresh Interval – How often the component window re-fetches the RSS Feed.
In this example, we will change the title to “CNN Top 5 Stories.” For Items, we specify that we want five items shown in the component window, and we want the Refresh Interval to be every 30 minutes. Click Save to save your changes and exit the component window.
The changes update the component window immediately.
Adding a Component Window
Another way to customize your SonicToday dashboard is to add component windows of your own choosing.
Note that a component with the same content cannot be added to the SonicToday dashboard more than once.
In this section, there are three different component windows you can add:
• “Application Widget” section on page 60
• “Event Alert” section on page 62
• “RSS Feed” section on page 66
Application Widget
The application widget details Logs, Scheduled Tasks, and Current Sessions in SonicWALL GMS 6.0. It lets you keep track of these details from the SonicToday dashboard page rather than navigating through other tabs. To add the application widget:
1. Click Add Component to bring up the Add Component Manager dialog box. Select Application Widget from the ‘Type’ drop-down list.
2. Specify what type of Widget you want in the component. The Title defaults to the Widget you choose, but you may customize it if you prefer. You also indicate how many Items you want shown on the component window, as well as the Refresh Interval.
In this example, we will add a widget that monitors Logs, displaying the latest five every ten minutes.
3. Click Add when finished specifying entries. The component window is added to the SonicToday dashboard.
Event Alert
This feature lets you show on the SonicToday dashboard the alerts that GMS would otherwise deliver to e-mail, SNMP trap, or console destinations. You can filter which alerts are directed to your SonicToday dashboard. To set up an event alert:
1. Click Add Component to bring up the Add Component Manager dialog box. Select Event Alert from the ‘Type’ drop-down list.
2. Select the Alert Type you would like to add from the drop-down list. The Title defaults to the Alert Type you choose, but you may customize it if you prefer. You also indicate how many Items you want shown on the component window, as well as the Refresh Interval. The Show Alerts Triggered within last field sets a window, in hours; only alerts triggered within that window appear on the SonicToday dashboard.
In this example, we will add an event alert for Unit Status, displaying the latest five every 30 minutes. This event alert will also show alerts triggered within the last 24 hours.
3. Click Add when finished specifying entries. The component window is added to the SonicToday dashboard.
You will see a No alerts configured for destination SonicToday notification in the newly added ‘Unit Status’ component window. This is because no Unit Status alert has yet been configured with SonicToday as a destination; the next procedure shows how to set that up for a unit.
To Identify a Unit for this Alert
1. Click the UTM tab to bring up a detailed list of all the units associated with SonicWALL GMS.
2. Click on the unit for which you wish to receive alerts. In this example, we will use the unit ‘TZ 150.’ Double-click the unit name to see detailed information regarding this unit.
3. Navigate under the ‘Policies’ tab to the ‘Events’ link. Click the option ‘Alert Settings.’
4. For the first option, ‘Unit Status,’ click the configure icon to specify settings for this status alert. A dialog box will appear.
You must ensure that one of the destinations for this alert is User Interface-SonicToday, or else the alert will not be directed to your SonicToday dashboard. Select this option from the drop-down list under the ‘Destination/Schedule’ section. Click Update to save changes.
The component window now shows an alert as soon as a unit fails, including the date and exact time the unit failed.
Whenever no alert is configured for a selected alert type, the No alerts configured for destination SonicToday message is displayed. Once the alert destination is configured as described in “To Identify a Unit for this Alert” on page 64, the alert message appears in the component window. Only alerts triggered within the configured time period are displayed in the SonicToday dashboard.
RSS Feed
RSS Feed is a component window designed to keep you updated with what is
going on in the IT and Security World, as well as all around the globe. This
section contains procedures for customizing an RSS Feed component window
on your SonicToday dashboard.
To choose a Predefined RSS Feed:
1. Click Add Component to bring up the Add Component Manager dialog box.
2. Select RSS Feed from the ‘Type’ drop-down list. This automatically brings up a list of predefined RSS Feeds you may choose from.
The Title defaults to the feed you choose, but you may customize it if you prefer. You also indicate how many Items you want shown on the component window, as well as the Refresh Interval.
In this example, we will select ‘AP Sports News,’ displaying the first five items every 30 minutes on the component window.
3. Click Add when you are finished. This adds the new RSS Feed component window to your SonicToday dashboard.
To Choose a Custom RSS Feed:
1. Click Add Component to bring up the Add Component Manager dialog box.
2. Select RSS Feed from the ‘Type’ drop-down list. This automatically brings up a list of predefined RSS Feeds you may choose from.
3. Scroll to the bottom of the predefined list and select Custom RSS Feed... Enter the URL of the RSS Feed you would like on your component window. The feed at this URL is fetched at every refresh and rendered on your dashboard, so add only feeds from sources you trust.
Note
To search a large directory of available RSS Feeds, navigate to:
http://www.rsfeeds.com/
4. Enter the Title for this custom RSS Feed page. Also indicate how many Items you want shown on the component window, as well as the Refresh Interval.
In this example, we will choose ‘Rediff Top Stories,’ displaying the first five items every 30 minutes on the component window.
5. Click Add when you are finished. This adds the new RSS Feed component window to your SonicToday dashboard.
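The RSS Feed component described in this section and in “Editing a Component Window” fetches a feed, keeps the number of entries set in Items and renders them on the dashboard. As an added illustration that is not part of this guide or of the GMS product, the following Python code shows what the receiving side should do with a feed before it reaches the dashboard: parse the document, keep the first N items, drop links that are not plain web URLs, and reject any feed that declares a DOCTYPE. The feed text is constructed for the example; a real component would download it from the RSS URL at each Refresh Interval.

```python
"""Receiving side of an RSS Feed dashboard component.

Added example, not GMS code. SAMPLE_FEED is constructed for the example;
a real component would download the document from its RSS URL at every
Refresh Interval. `items` corresponds to the component's Items setting.
"""
import xml.etree.ElementTree as ET

# Constructed sample feed with seven items; one carries a javascript: link.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>CNN Top Stories</title>
    <item><title>Story 1</title><link>http://example.com/1</link></item>
    <item><title>Story 2</title><link>https://example.com/2</link></item>
    <item><title>Story 3</title><link>javascript:alert(1)</link></item>
    <item><title>Story 4</title><link>http://example.com/4</link></item>
    <item><title>Story 5</title><link>http://example.com/5</link></item>
    <item><title>Story 6</title><link>http://example.com/6</link></item>
    <item><title>Story 7</title><link>http://example.com/7</link></item>
  </channel>
</rss>
"""

ALLOWED_SCHEMES = ("http://", "https://")


def feed_items(xml_text, items=5):
    """Return up to `items` (title, link) pairs from an RSS 2.0 document.

    Documents that declare a DOCTYPE are rejected outright: a feed has no
    legitimate need for entity declarations, and refusing them keeps
    entity-expansion tricks away from the XML parser.
    """
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("feed contains a DOCTYPE declaration; rejected")
    if items < 1:
        raise ValueError("items must be at least 1")

    root = ET.fromstring(xml_text)
    if root.tag != "rss":
        raise ValueError("not an RSS document")

    kept = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        # Drop anything that is not a plain web URL; a javascript: or data:
        # link would otherwise become a clickable element in the dashboard.
        if not link.lower().startswith(ALLOWED_SCHEMES):
            continue
        kept.append((title, link))
        if len(kept) == items:
            break
    return kept


def is_acceptable(xml_text):
    """True if feed_items would accept the document at all."""
    try:
        feed_items(xml_text, 1)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    for title, link in feed_items(SAMPLE_FEED, items=5):
        print(f"{title}: {link}")
```

With Items set to 5, the third entry rendered is “Story 4”, because the javascript: link is discarded before the count is applied rather than shown as a dead or dangerous entry.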
Adding More Pages
SonicToday allows you to create more pages in addition to your default
dashboard page. Note that only one page may be designated as your
SonicToday default page. As soon as a new page is marked as the default, any
previous default page settings are overwritten. To create a new page:
1. Click Manage Page from the toolbar to bring up the Page Manager.
2. In the ‘Page’ section, select Add New Page from the drop-down list.
3. Name your new page under ‘Page Title.’
4. Select the layout of your page under ‘Page Layout.’ A thumbnail image pops up alongside each option to assist you.
5. You also have the option of making this your default page, simply by placing a checkmark in the box labeled ‘Default Page.’
6. Click Add when you are finished. The toolbar now displays the newly added page.
In this example, we titled the new page ‘News.’
You can now add and customize component windows on the new page, and use the toolbar to navigate between pages.
Editing and Deleting Pages
To edit a page, click Manage Page from the toolbar. Select the page you wish
to edit, make your changes, and click Edit to finish.
To delete a page, click Manage Page from the toolbar. Select the page you
wish to delete and click Delete. Click OK to finish.
Other Features
See the following sections:
• AutoHide, page 70
• Page Selector, page 70
• Component Height Resize, page 71
• Manual Refresh, page 71
• Removing or Deleting a Component, page 71
• Minimizing or Maximizing a Component, page 71
AutoHide
AutoHide is a feature you turn on or off. When AutoHide is on, the control bar hides two seconds after the mouse is moved away from it. When AutoHide is off, the control bar always appears on the SonicToday dashboard.
To turn AutoHide on, click the Off icon. To turn AutoHide off, click the On icon.
Page Selector
Whenever the number of pages added to the SonicToday dashboard exceeds
five, a page selector bar appears at the top of the main window with left and
right arrows. The arrows can be used to scroll across different pages in both
directions. By default, the selector is scrolled to a point where the default page
appears on it. Any page can be selected by clicking on the page title.
Component Height Resize
The height of a component can be increased or decreased by dragging the resize handle that appears on the component’s status bar when the mouse is moved over it.
Manual Refresh
Aside from the automatic refresh, which you configure in the “Editing a Component Window” section on page 58, you can force a refresh of a component window by clicking the refresh icon on the component window header.
Removing or Deleting a Component
Any component window can be removed or deleted from the page by clicking the close icon on the component window header.
Minimizing or Maximizing a Component
Each component can be in a minimized or maximized state. Components are loaded on the page in the state in which they were saved in the database.
To minimize a component window, click the minimize icon in the component window header.
To maximize a component window, click the maximize icon in the component window header.
Part 1 Host and Appliance Settings
CHAPTER 5
UMH/UMA System Settings
This chapter describes how to configure the system settings that are available
on the SonicWALL UMH/UMA system pages.
Note
The UMA appliance and the GMS application both provide a system
settings interface, referred to as “UMA” for the appliance and “UMH”
in GMS software deployments. In either scenario, the switch icon
is used to toggle between application and system interfaces.
[Screenshot: UMH System > Status page]
[Screenshot: UMA System > Status page]
This chapter includes the following sections:
• “Status” section on page 77
• “Licenses” section on page 78
• “Time” section on page 80
• “Administration” section on page 81
• “Settings” section on page 83
• “Diagnostics” section on page 85
• “File Manager” section on page 88
• “Backup/Restore” section on page 90
• “RAID” section on page 94
• “Restart” section on page 95
Status
This section describes the UMH/UMA System > Status page, used to view
general status of the appliance hardware and licensed firmware.
[Screenshot: UMH System > Status page]
[Screenshot: UMA System > Status page]
This page identifies the following specifications:
Name – Displays the user-friendly name of the system.
Serial Number – Displays the system identification number.
Version – Displays the current firmware version and date.
License – Displays the Global Management System or ViewPoint license status.
Role – Displays the configuration set in the Deployment > Roles section of the user interface.
Host Name / IP – Displays the system host name (for example, an FQDN such as mysystem.myhost.com) and IP address.
Current Time – Displays the current date and time, based on your localized time zone settings.
Operating System – Displays the system’s currently loaded operating system.
CPU – Displays basic specifications (speed and number of cores) for the system’s processor.
RAM – Displays the amount of random access memory (RAM) installed on the system.
RAID Array (UMA only) – Displays the type, status, and size of the currently installed RAID array.
Available Disk Space – Displays free space and total space, in gigabytes.
Licenses
This section describes the UMH/UMA System > Licenses page, used to view
and manage GMS and ViewPoint licenses.
[Screenshot: UMH System > Licenses page]
[Screenshot: UMA System > Licenses page]
This page identifies the following specifications:
Security Service – The current license type based on product registration and serial number.
Support Service – The available SonicWALL support types based on product registration and serial number. For the UMA, the Hardware Warranty is also listed here.
Status – License status. If unlicensed, you must purchase a license or register your product or appliance.
Count – Number of valid licenses.
Expiration – Expiration date of your current license.
In addition, you may also use the buttons on this screen to:
– Manage Licenses through your MySonicWALL.com account
– Refresh Licenses by connecting with the SonicWALL licensing server
– Upload Licenses if no external network connection is available
Time
This section describes the UMA appliance System > Time page, used to view
and manage the appliance date/time settings. This page is only available on
the UMA appliance.
This page allows the administrator to set the following time and date settings:
• Time in Hours/Minutes/Seconds
• Date in Month / Day / Year
• Time Zone from standard international time zones, or coordinated universal time (UTC) for deployments spanning multiple time zones.
• The Set time automatically using NTP checkbox may be selected to keep the time synchronized with standard time servers. Selecting this option also causes the system to adjust automatically for daylight saving time in time zones that observe DST. Accurate time matters beyond convenience: log timestamps, certificate validity periods and license checks all depend on it, so NTP is preferable to setting the clock by hand.
Administration
This section describes the UMH/UMA System > Administration page, used
to manage basic administrative settings.
[Screenshot: UMH System > Administration page]
[Screenshot: UMA System > Administration page]
This page provides the following functions:
Host Settings
Inactivity Timeout – Number of minutes before an administrator is forcibly logged out of the user interface. Entering a value of -1 disables the timeout, so the account remains logged in until the appliance is power cycled; an unattended but still authenticated console then exposes the system, so use -1 only where the console is physically secured. The default value is 10 minutes.
Enhanced Security Access (ESA)
Enforce Password Security – Check this box to enforce the password security settings in the following boxes.
Number of failed login attempts before user can be locked out – Number of tries a user has to enter the correct password before being locked out of the system for the specified time. Default is 6.
User lockout minutes – How long a user is locked out after failing to log in correctly the specified number of times. Default is 30 minutes.
Number of days to force password change – Number of days before a user is forced to change his or her password. Default is 90 days.
Administrator Password
Administrator Name – Default administrator login name, admin.
Current Password – The current password for the admin account.
New Password – The new password for the admin account.
Confirm Password – The new password, entered again for confirmation.
To change the administrator password, enter the Current Password in the appropriate field, and then enter a New Password and confirm that password.
Click the Update button when you are finished making changes. Click Reset to return to default settings.
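To make the ESA settings concrete, the following Python model (an added example, not GMS code) applies the three values above, with the guide’s defaults, to a sequence of login attempts. It assumes that the sixth consecutive failure is the one that triggers the lockout, and that a locked account is refused before the password is compared, so the lockout cannot be used to probe for the right password.

```python
"""Model of the Enhanced Security Access (ESA) login settings described
above: lock the account after N consecutive failed logins, for M minutes,
and force a password change after K days.

Added example, not GMS code. Defaults mirror the guide (6 attempts,
30 minutes, 90 days). Assumptions: the Nth consecutive failure is the one
that locks the account, and a locked account is refused before the
password is checked, so the lockout state cannot be used as an oracle.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    enforce: bool = True              # "Enforce Password Security" checkbox
    max_failed_attempts: int = 6      # failed logins before lockout
    lockout_minutes: int = 30         # "User lockout minutes"
    max_password_age_days: int = 90   # "Number of days to force password change"


class AdminAccount:
    """One administrator account tracked against a PasswordPolicy."""

    def __init__(self, password, password_set_at, policy=None):
        self._password = password.encode()
        self.password_set_at = password_set_at
        self.policy = policy or PasswordPolicy()
        self.failed_attempts = 0
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt_login(self, supplied, now):
        """Return 'locked', 'denied', 'ok' or 'ok-change-password'."""
        p = self.policy
        if p.enforce and self.is_locked(now):
            return "locked"           # refuse without touching the password

        if hmac.compare_digest(self._password, supplied.encode()):
            self.failed_attempts = 0  # a good login clears the counter
            self.locked_until = None
            age = now - self.password_set_at
            if p.enforce and age > timedelta(days=p.max_password_age_days):
                return "ok-change-password"
            return "ok"

        self.failed_attempts += 1
        if p.enforce and self.failed_attempts >= p.max_failed_attempts:
            self.locked_until = now + timedelta(minutes=p.lockout_minutes)
            self.failed_attempts = 0
            return "locked"
        return "denied"


def demo(policy=None):
    """Six bad passwords, then the right one at 10 and at 31 minutes.

    Returns (results_of_failures, result_during_lockout, result_after).
    """
    t0 = datetime(2010, 3, 1, 9, 0, 0)
    acct = AdminAccount("correct horse", t0 - timedelta(days=10), policy)
    failures = [acct.attempt_login("wrong", t0 + timedelta(seconds=i)) for i in range(6)]
    during = acct.attempt_login("correct horse", t0 + timedelta(minutes=10))
    after = acct.attempt_login("correct horse", t0 + timedelta(minutes=31))
    return failures, during, after


def expired_password_demo():
    """A correct password that is 100 days old at the default policy."""
    t = datetime(2010, 3, 1)
    return AdminAccount("pw", t - timedelta(days=100)).attempt_login("pw", t)


if __name__ == "__main__":
    print(demo())
    print(demo(PasswordPolicy(enforce=False)))
    print(expired_password_demo())
```

With Enforce Password Security cleared, the same sequence never locks the account; it is the checkbox, not the numbers beneath it, that decides whether repeated guesses against the admin account are throttled.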
Settings
This section describes the UMH/UMA System > Settings page, used to
manage manual software or firmware upgrades and, on the appliance,
re-initialization of factory default settings.
[Screenshot: UMH System > Settings page]
[Screenshot: UMA System > Settings page]
On the UMH, this page displays the current version of SonicWALL GMS running on the system, and provides a link to click for the history of upgrades on this system.
This page also allows the administrator to:
– Upload a SonicWALL GMS Service Pack or Hotfix by uploading a valid software image, obtained from SonicWALL, from your local drive. After uploading the software, click Apply to reboot the system with the new version.
On the UMA, this page displays the current version of SonicWALL firmware running on the appliance, and provides a link to click for the history of upgrades on this system.
This page also allows the administrator to:
– Upgrade firmware by uploading a valid firmware image from your local drive. SonicWALL approved service packs and hotfixes can also be installed through this screen. After uploading the firmware, click Apply to reboot the appliance with the new version.
– Reinitialize the appliance to factory default settings by clicking the Reinitialize button. This removes all of your current settings on the appliance and re-images the UMA with factory default settings. This option is only available for the UMA appliance. If you may need the current configuration again, download a snapshot from the System > Backup/Restore page first.
Note
Please be patient while the process is taking place. This process can take up to 15 minutes. Do NOT manually reset or cycle power to the device during this time.
Diagnostics
This section describes the UMH/UMA System > Diagnostics page, used to
set the log debug level, test connectivity to servers, and download system and
log files.
[Screenshot: UMH System > Diagnostics page]
[Screenshot: UMA System > Diagnostics page]
This page provides the following diagnostic capabilities:
• Debug Log Settings – Set the System Debug Level by selecting a value from the drop-down list. Select 0 for no debug information in the logs, 1 or 2 for more debug information, and 3 for maximum debug information. Click Update to apply your changes, or click Reset to return to the default setting of 3. Level 3 is verbose, and debug output may contain sensitive detail about the deployment, so restrict who may export the resulting log files and consider lowering the level once a problem has been diagnosed.
• Test Connectivity – Select one of the following options and then click Test to test connectivity:
– Database Connectivity – Test connectivity using the database parameters configured on the Deployment > Roles page.
– License Manager Connectivity – Test connectivity with the host name that you type into the License Manager Host field.
– SMTP Server Connectivity – Test connectivity using the SMTP server displayed here. The SMTP server is configured on the Deployment > Settings page.
• Download System/Log Files – You can generate a TSR and view or search log files in this section:
– For information about generating a TSR, see the “Technical Support Report” section on page 87.
– For information about viewing and searching log files, see the “Logs and Syslogs” section on page 87.
Technical Support Report
The Tech Support Report generates a detailed report of the SonicWALL
security appliance configuration and status, and saves it to the local hard disk
using the Export Reports button. This file can then be e-mailed to SonicWALL
Technical Support to help assist with a problem.
Tip
You must register your SonicWALL security appliance on
mysonicwall.com to receive technical support.
Before e-mailing the Tech Support Report to the SonicWALL Technical
Support team, complete a Tech Support Request Form at
https://www.mysonicwall.com. After the form is submitted, a unique case
number is returned. Include this case number in all correspondence, as it
allows SonicWALL Technical Support to provide you with better service.
Logs and Syslogs
Both the Logs and Syslogs checkboxes and selection screens allow for the selection of one or more application or system logs. Within the log list, you can select multiple logs using the Ctrl key and search log titles using the Search Filter field.
Although the guide describes the Search Filter as accepting regular expressions, its examples are shell-style wildcard patterns: * matches any run of characters and ? matches exactly one. For example, *Summarizer* matches files with “Summarizer” in their name, and *.?r? matches files with a three-letter extension whose middle letter is “r” (for example, leak.wri and mysql.err). After entering a search filter value, click the right arrow next to the field to see the resulting file list.
After you have selected the appropriate log files, click the Export Logs button. The selected log(s) are exported to a zip file in a location that you specify. Exported logs may contain sensitive information about your deployment; store and share them accordingly.
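The following Python snippet (an added example, not GMS code) applies the two filter patterns from this section to a constructed directory listing, and also shows that neither pattern compiles as a regular expression, which is why they must be read as wildcards. The same semantics apply to the Search Filter on the File Manager page.

```python
"""Search Filter semantics for the Logs/Syslogs and File Manager lists.

The guide calls the patterns regular expressions, but the examples it gives
(*Summarizer*, *.?r?) are shell-style wildcards: * matches any run of
characters and ? matches exactly one. Added example, not GMS code; the file
names below are constructed to mirror the guide's examples.
"""
import fnmatch
import re

# Constructed listing of a log directory.
LOG_FILES = [
    "leak.wri",
    "mysql.err",
    "Summarizer.log",
    "sgmsSummarizer_2010-03-01.log",
    "scheduler.log",
    "tomcat.out",
    "error.txt",
]


def is_valid_regex(pattern):
    """True if `pattern` compiles as a Python regular expression."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def filter_files(names, pattern):
    """Apply a wildcard Search Filter (case-sensitive) to a list of names.

    fnmatchcase is used rather than fnmatch so the result does not depend on
    the case-folding rules of the machine running the filter.
    """
    return [n for n in names if fnmatch.fnmatchcase(n, pattern)]


def wildcard_to_regex(pattern):
    """The equivalent anchored regex, for reuse in tools that want one."""
    return fnmatch.translate(pattern)


if __name__ == "__main__":
    for pat in ("*Summarizer*", "*.?r?"):
        print(pat, "valid regex:", is_valid_regex(pat),
              "matches:", filter_files(LOG_FILES, pat))
        print("  as regex:", wildcard_to_regex(pat))
```

Reading *.?r? as a regular expression would fail to compile (a leading * has nothing to repeat); as a wildcard it selects exactly leak.wri and mysql.err from the listing, as the guide describes.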
File Manager
This section describes the UMA appliance System > File Manager page,
used to view and manage system files for an UMA appliance. This page is only
available on the UMA appliance.
The File Manager feature provides a way to view the file system and export,
delete, add, or modify files without opening an SSH session to the appliance.
You can select the folder to view from the Select Folder drop-down list. To
search for certain file names, enter search parameters using regular
expressions in the Search Filter field and then click the right arrow next to the
field.
This page allows the administrator to perform the following actions:
Export – Exports the currently selected file. If the file size is larger than 5MB, the file is exported as a .zip file. Files exported should be less than 200MB. Single files can be exported by clicking the Export icon to the right of the file name.
Delete – Deletes the currently selected file if correct permissions are available. Single files can be deleted by clicking the Delete icon to the right of the file name.
Add/Edit (Upload) – Allows files to be added to, or overwritten in, the currently selected folder. This feature is only available for certain folders and files. Files can be uploaded by clicking the Upload icon (a plus sign) in the upper right corner of the screen.
Working with Multiple Files
Both Export and Delete actions are supported on multiple files. To perform these actions on multiple files:
1. Select checkboxes for multiple files, or click the Select All checkbox to choose all files.
2. Click the Export or Delete buttons on the bottom of the screen to perform these actions on selected files.
Note
Multiple files are exported as a .zip file. Be aware that files larger than 200MB may take a large portion of your unit’s bandwidth.
Backup/Restore
This section describes the UMA appliance System > Backup/Restore page,
used to create or restore a snapshot of configurations and data on your UMA
appliance. This page is only available on the UMA appliance.
The data export feature allows you to periodically offload backup data and archived reports from your UMA appliance to an offsite client. Web Services are used with this feature. See the “Web Services” chapter for more information about Web Services. See the “Data Export Wizard” section on page 91 for information about using the data export feature.
To create a local snapshot, select one of the following backup options in the Manage Backups section and then click Download Snapshot:
• Backup Configurations Only – Backs up system configurations only.
• Backup Data Only – Backs up system data only.
• Backup Both Configurations and Data – Backs up system configurations and data.
A downloaded snapshot holds the appliance’s configuration and data and is what you would use to rebuild it, so store it with the same care as the appliance itself.
To restore a backup, upload the snapshot from your local storage; it is then used to restore the data. In the Manage Restores section, click Browse to select the backup file in the Snapshot file field and then click Restore Snapshot.
Data Export Wizard
If you have a SonicWALL UMA appliance, you can download and run the Data
Export Wizard. The wizard will help you configure a Java-based client and a
corresponding script that you can use to schedule recurring, automatic
backups.
To download and use the wizard:
1. Log in as admin to your UMA appliance and navigate to the System > Backup/Restore page.
2. Click the HERE link under Manage Backups and select whether to run or save the auto_export.zip file.
3. Click the Extract button, browse to the desired folder such as C:\Program Files, and select the Use folder names option to extract the files from the zip file into a sub-folder called auto_export.
4. Open the README.txt file and read the instructions for using the wizard. On a Windows machine, double-click runWizard.bat to launch the wizard. On a Linux machine, execute runWizard.sh.
Note
In the first release of SonicWALL GMS 6.0, if the runWizard.bat file seems to exit immediately, it may be because you chose a folder with spaces in the name. Edit the runWizard.bat file in a text editor and add quotes around the command.
5. The Select a Task screen displays. Select one of the following options and then click Next:
– Create a new configuration script from scratch
– Edit an existing configuration script
The Select button appears. Click Select to open a dialog showing existing configuration files in the auto_export/configs directory. Click the desired file and then click Open.
6. The GMS Instance Authentication screen displays.
7. Enter the following information to allow the export client to communicate with Web Services on the UMA, and then click Next:
– GMS Serial – The serial number of the UMA system
– IP/Domain – Either the domain name or the IP address of the UMA system
– HTTPS Port – GMS Web Services always uses the HTTPS protocol to provide the fundamental security mechanism. By default, the port number is 8443.
– Username – The GMS administrator’s username
– Password – The GMS administrator’s password
8. The wizard displays the available export Web services. Select the checkbox for each service that should be included in the configuration and then click Next.
For example, select the System Backup export service to include it in the export script to offload system backups from a UMA system.
9. The wizard displays a configuration summary. After reviewing the summary, click Save to create the configuration file.
10. Type the file name into the Input dialog box, or accept the pre-populated name if editing an existing configuration script. Click OK.
The wizard saves the file in the .../auto_export/configs directory with ".ec" as the file name extension. Because a scheduled, unattended task must carry the connection details you entered, including what it needs to authenticate as the administrator, restrict read access to the auto_export/configs directory on the client to the account that runs the export task.
11. Click Done to exit the wizard.
12. You can now set up a scheduled task (in Windows) or a cron job (in Linux) to execute runTask.bat or runTask.sh to periodically download backup data from the UMA. The downloaded backup data is stored in the …/auto_export/export directory, which therefore holds your appliance backups and should be protected in the same way.
Windows command example (the path is quoted because it contains a space):
"C:\Program Files\auto_export\runTask.bat" config_004010235FBE_archiv_report.ec
Linux command example:
/home/ac/auto_export/runTask.sh config_004010235FBE_archived_report.ec
Data is transferred from the UMA system to the target client that executes the export task whenever the schedule is triggered.
RAID
This section describes the UMA appliance System > RAID page, used to
review RAID array drive status. This page is only available on the UMA
appliance.
This page identifies the following specifications:
RAID Settings – Displays the RAID manufacturer, model, serial number, driver, and firmware version. Do not use the serial number from this screen for MySonicWALL registration; it is not the same as your UMA appliance serial number.
Array – Displays array type, combined size (for all active drives) and status. This section also itemizes all installed drives in the array and their model, serial number, size (individual), and status.
Restart
This section describes the UMA appliance System > Restart page, used to
restart the appliance. This page is only available on the UMA appliance.
This page allows the administrator to restart the appliance, temporarily disconnecting users and stopping any services.
If you made any changes to the settings, be sure to apply them before you restart. The restart generally takes about 3 minutes.
CHAPTER 6
UMA Network Settings
This chapter describes how to configure the network settings that are
available in the SonicWALL UMA appliance Network screens.
This chapter includes the following sections:
• “Settings” section on page 98
• “Routes” section on page 99
Settings
This section describes the UMA appliance Network > Settings page, used to
configure basic networking and host settings.
This page allows the administrator to configure the following settings:
Host section:
Name – A descriptive name for this appliance
Domain – In the form of “sonicwall.com”; this domain is not used for authentication
Networking section:
Host IP address – The static IP address for the eth0 interface of the appliance
Subnet mask – In the form of “255.255.255.0”
Default gateway – The IP address of the network gateway; this is the default gateway of your perimeter firewall or networking appliance, not the GMS Gateway.
DNS server 1 – The IP address of the primary DNS server
DNS server 2 – (Optional) The IP address of the secondary DNS server
DNS server 3 – (Optional) The IP address of the tertiary DNS server
To apply your changes to the above fields, click the Update button. To revert
to default settings, click Reset.
You can also configure suffixes and enable suffix searches on this page, to aid
in host name resolution. If the UMA cannot resolve a host name to its IP
address, it appends one suffix at a time to the host name in the order the
suffixes are configured, and tries to resolve the host name with that suffix.
To enable suffix searches, select the Search Suffix checkbox.
To add a suffix, click the Add button to open the Add/Edit Search Suffix
dialog box. Type the desired suffix into the Search Suffix field and then click
Add. You can click the Configure icon for the suffix to edit it, or click the delete
icon to delete it.
Note
Adding, configuring, or deleting a suffix restarts the Web server on
the UMA, and disconnects your browser login session.
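The suffix search just described can be emulated in a few lines. The following is an added example, not SonicWALL code: it generates the candidate names in configuration order and stops at the first one that resolves. The resolver is a constructed host table standing in for DNS servers 1 to 3, and treating a trailing dot as "already fully qualified, append nothing" is the usual resolver convention assumed here; the page does not describe that case.

```python
"""Emulate the UMA search-suffix behaviour: try the name as typed, then append each
configured suffix in order until one resolves. Added example, not SonicWALL code."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed host table standing in for DNS servers 1-3 (not real hosts or addresses).
CONSTRUCTED_DNS: Dict[str, str] = {
    "gms-db.corp.example.com": "10.20.30.40",
    "gms-db.lab.example.com": "10.20.31.40",    # same short name under another suffix
    "syslog1.lab.example.com": "10.20.31.5",
}

Resolver = Callable[[str], Optional[str]]


def table_lookup(name: str) -> Optional[str]:
    """Exact-match lookup against the constructed table; None stands for NXDOMAIN."""
    return CONSTRUCTED_DNS.get(name.rstrip(".").lower())


def candidates(host: str, suffixes: List[str], search_enabled: bool) -> List[str]:
    """Names the UMA would try, in order: the name as typed, then name.suffix per suffix.

    A trailing dot marks the name as fully qualified and suppresses suffixing
    (standard resolver convention, assumed here; the page does not state it).
    """
    if host.endswith("."):
        return [host.rstrip(".")]
    names = [host]
    if search_enabled:
        names.extend(f"{host}.{s.strip('.')}" for s in suffixes if s.strip("."))
    return names


def resolve(host: str, suffixes: List[str], search_enabled: bool = True,
            resolver: Resolver = table_lookup) -> Tuple[Optional[str], Optional[str]]:
    """Return (name that matched, address), or (None, None) if nothing resolved."""
    for name in candidates(host, suffixes, search_enabled):
        addr = resolver(name)
        if addr is not None:
            return name, addr
    return None, None


if __name__ == "__main__":
    suffixes = ["corp.example.com", "lab.example.com"]
    print(resolve("gms-db", suffixes))                        # corp wins: listed first
    print(resolve("gms-db", list(reversed(suffixes))))        # lab wins: order changed
    print(resolve("syslog1", suffixes))                       # falls through to lab
    print(resolve("gms-db", suffixes, search_enabled=False))  # (None, None)
```

The point for the practitioner: with Search Suffix enabled, an unqualified name such as gms-db means whichever suffix matches first, so the suffix order is part of the trust decision, and anyone able to register names under an earlier suffix can redirect unqualified lookups. Enter the database host, SMTP server and any host that exports the syslog folders as a fully qualified name or an IP address rather than relying on the search list.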
Routes
This section describes the UMA appliance Network > Routes page, used to
configure default or alternate network routes.
The default route is generally populated with the Default Gateway, specified in
the Network > Settings page.
CHAPTER 7
UMH/UMA Deployment Settings
This chapter describes how to configure the settings that are available in the
SonicWALL UMH/UMA Deployment pages.
Note
The UMA appliance and the GMS application both provide a system
settings interface, referred to as “UMA” for the appliance and “UMH”
in GMS software deployments. In either scenario, the switch icon
is used to toggle between application and system interfaces.
This chapter includes the following sections:
• “Deployment Roles” section
• “Deployment Settings” section
• “Deployment Services” section
Deployment Roles
The role that you assign to your SonicWALL GMS instance defines the
SonicWALL Universal Management Suite services that it will provide.
SonicWALL GMS uses these services to perform management, monitoring,
and reporting tasks.
Your SonicWALL GMS instance can be deployed in any of the following roles:
• All In One
• Agent
• Console
• Database Only
• Reports Summarizer
• Monitor
• Event
• Syslog Collector
In the UMH or UMA system management interface, clicking Details in the
same row as a role provides a list of the services that run on a system in that
role, and information about using the role.
As the number of managed appliances increases, a more distributed
deployment provides better performance. To manage large numbers of
SonicWALL appliances, you can use several SonicWALL GMS appliances
operating in different roles in a distributed deployment. You can also use
Windows Server machines running SonicWALL GMS in any of the roles.
You can include the MySQL database installation with any role. The All In One
or Database Only roles automatically include the MySQL database.
If you are configuring a role that includes a Console, such as the Console or
All In One role, the system can be configured as a redundant Console. The
Include Redundancy checkbox is used to configure the GMS deployment to
have a redundant Console.
You can scale your deployment to handle more units and more reporting by
adding more systems in the Agent role. Agents provide built-in redundancy
capability, meaning that if an Agent goes down, other Agents can perform the
configuration tasks and other tasks of the Agent that went down.
Note
When configuring the role for the first appliance in a distributed
deployment, you should either include the database or be prepared
to provide the IP address of an existing database server.
You can meet this database objective in one of the following ways:
•
By selecting a role that includes the database automatically, such as All In
One or Database Only
•
By selecting the Include Database (MYSQL) checkbox if configuring the
appliance with any other role
•
By setting up a compatible database on another machine and providing
that IP address when prompted
You can configure the role of the SonicWALL GMS appliance without using the
Role Configuration Tool.
All role configuration is performed in the appliance management interface,
available at the URL: http://<IP address>:<port>/appliance/
Refer to the following sections for instructions on manually configuring the
system role:
• “Configuring the All In One Role” section
• “Configuring the Database Only Role” section
• “Configuring the Console Role” section
• “Configuring the Agent Role” section
• “Configuring the Reports Summarizer Role” section
• “Configuring the Monitor Role” section
• “Configuring the Event Role” section
• “Configuring the Syslog Collector Role” section
Configuring the All In One Role
All In One deployments are ideal for managing a small number of SonicWALL
appliances or for test environments.
However, SonicWALL recommends that you use a multi-system, distributed
deployment in production environments, with the database on a dedicated
server and the other services on one or more systems. When only one other
system is deployed, the Console role should be assigned to it.
The All In One role provides all nine services utilized by SonicWALL GMS:
• Syslog Collector
• Reports Scheduler
• Update Manager
• Reports Summarizer
• SNMP Manager
• Scheduler
• Monitoring Manager
• Web Server
• Database
To deploy your SonicWALL GMS in the All In One role, perform the following
steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration,
   select the All In One radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS
   gateway, type the gateway IP address into the GMS Gateway IP field. To
   determine if a GMS Gateway is required, see the SonicWALL Getting Started
   Guide for your product.
3. If a GMS gateway will be used, type the password into both the GMS
   Gateway Password and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port,
   type the port number into the Syslog Server Port field. The default port
   is 514.
5. If deploying another system in the Console role, select the Include
   Redundancy checkbox to configure this system as a redundant Console.
6. Configure the database settings as described in the Configuring Database
   Settings section.
7. Configure the Web port settings as described in the Configuring Web Port
   Settings section.
8. To apply your changes, click Update. To change the settings on this page
   back to the defaults, click Reset.
Configuring the Database Only Role
The Database Only role is used in a multi-server SonicWALL GMS
deployment. In this role, the server is configured to run only the database
service. SonicWALL recommends that one of the servers in a multi-server
GMS deployment is assigned a Database Only role.
Only the SonicWALL Universal Management Suite Database service runs on
a Database Only system.
The MySQL database engine is pre-installed along with the SonicWALL GMS
installation. SonicWALL GMS can also use a MySQL database or a Microsoft
SQL Server database installed on a separate server; for MySQL, only the
database included in the installer is supported. On the Deployment > Role
page in the SonicWALL GMS appliance management interface, you can configure
your SonicWALL GMS systems to use either a MySQL or a SQL Server database.
To deploy your SonicWALL GMS in the Database Only role, perform the steps
described in the Configuring Database Settings section, on page 112.
Configuring the Console Role
The Console role is used in a multi-server, distributed SonicWALL GMS
deployment. In this role, the SonicWALL GMS installation will run all
SonicWALL Universal Management Suite services except for the Database
service. In this scenario, the Database role is assigned to a separate
appliance or server.
In the Console role, the SonicWALL GMS behaves as an Agent, and also
provides the following functions:
• Provides the Web user interface for the SonicWALL GMS application
• Emails Scheduled Reports
• Performs Event Management tasks
• Performs various periodic checks, such as checking for new appliances
  that can be managed, checking for new firmware versions of managed
  appliances, and similar functions
To deploy your SonicWALL GMS in the Console role, perform the following
steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration,
   select the Console radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS
   gateway, type the gateway IP address into the GMS Gateway IP field. To
   determine if a GMS Gateway is required, see the SonicWALL Getting Started
   Guide for your product.
3. If a GMS gateway will be used, type the password into both the GMS
   Gateway Password and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port,
   type the port number into the Syslog Server Port field. The default port
   is 514.
5. To use a MySQL or Microsoft SQL Server database on another system, leave
   the Include Database (MYSQL) checkbox cleared. Including the MySQL
   database on a Console system is not recommended; if the database must run
   on this system, select the All In One role instead of the Console role.
6. If deploying another system in the Console or All In One role, select the
   Include Redundancy checkbox to configure this system as a redundant
   Console.
7. Configure the database settings as described in the Configuring Database
   Settings section.
8. Configure the Web port settings as described in the Configuring Web Port
   Settings section.
9. To apply your changes, click Update. To change the settings on this page
   back to the defaults, click Reset.
Configuring the Agent Role
The Agent role can be used in a distributed deployment of SonicWALL GMS.
The primary functions of this role include the following:
• Manages units by acquiring them, pushing configuration tasks to the units
  and tracking their up/down status
• Performs monitoring based on ICMP probes, TCP probes, and SNMP OID
  retrievals
• Collects and stores syslog messages
• Performs report summarization
The following SonicWALL Universal Management Suite services run on an
Agent system:
• Syslog Collector
• Reports Summarizer
• SNMP Manager
• Scheduler
• Monitoring Manager
To deploy your SonicWALL GMS in the Agent role, perform the following steps
in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration,
   select the Agent radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS
   gateway, type the gateway IP address into the GMS Gateway IP field. To
   determine if a GMS Gateway is required, see the SonicWALL Getting Started
   Guide for your product.
3. If a GMS gateway will be used, type the password into both the GMS
   Gateway Password and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port,
   type the port number into the Syslog Server Port field. The default port
   is 514.
5. To include the MySQL database on this system, select the Include
   Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server
   database on another system, do not select this checkbox.
6. Configure the database settings as described in the Configuring Database
   Settings section.
7. Configure the Web port settings as described in the Configuring Web Port
   Settings section.
8. To apply your changes, click Update. To change the settings on this page
   back to the defaults, click Reset.
Configuring the Reports Summarizer Role
The Reports Summarizer role is used to dedicate a server to performing only
summarization of reports in a multi-server GMS deployment. Syslogs collected
by the Syslog Collector service are consumed by the Reports Summarizer
service to generate reports. In such a deployment, it is essential that the
Syslog Collectors running on the various GMS servers write syslogs to folders
that are accessible by the Reports Summarizer systems.
The following services run on a Summarizer system:
• SonicWALL Universal Management Suite - Reports Summarizer
• SonicWALL Universal Management Suite - Web Service Server
To deploy your SonicWALL GMS in the Reports Summarizer role, perform the
following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration,
   select the Reports Summarizer radio button.
2. To include the MySQL database on this system, select the Include
   Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server
   database on another system, do not select this checkbox.
3. Configure the database settings as described in the Configuring Database
   Settings section.
4. Configure the Web port settings as described in the Configuring Web Port
   Settings section.
5. To apply your changes, click Update. To change the settings on this page
   back to the defaults, click Reset.
Configuring the Monitor Role
The Monitor role is used to dedicate the SonicWALL GMS installation to
monitoring appliances and applications in a multi-server SonicWALL GMS
deployment. The monitoring is based on ICMP probes, TCP probes, and
SNMP OID retrievals.
Only the SonicWALL Universal Management Suite Monitoring Manager
service runs on a Monitor system.
To deploy your SonicWALL GMS in the Monitor role, perform the following
steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration,
   select the Monitor radio button.
2. To include the MySQL database on this system, select the Include
   Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server
   database on another system, do not select this checkbox.
3. Configure the database settings as described in the Configuring Database
   Settings section.
4. Configure the Web port settings as described in the Configuring Web Port
   Settings section.
5. To apply your changes, click Update. To change the settings on this page
   back to the defaults, click Reset.
Configuring the Event Role
The Event, or Event Management, role of a GMS Server is used to dedicate a
server for performing only event based alerting of appliances and applications
in a multi-server SonicWALL GMS deployment.
The following services run on an Event Management system:
• SonicWALL Universal Management Suite - Event Manager
• SonicWALL Universal Management Suite - Web Service Server
To deploy your SonicWALL GMS in the Event role, perform the following steps
in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration,
   select the Event radio button.
2. To include the MySQL database on this system, select the Include
   Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server
   database on another system, do not select this checkbox.
3. Configure the database settings as described in the Configuring Database
   Settings section.
4. Configure the Web port settings as described in the Configuring Web Port
   Settings section.
5. To apply your changes, click Update. To change the settings on this page
   back to the defaults, click Reset.
Configuring the Syslog Collector Role
The Syslog Collector role can be assigned to a SonicWALL GMS installation
in a multi-server deployment of SonicWALL GMS. In this role, the SonicWALL
GMS installation is dedicated to collecting syslog messages on the configured
port (by default, port 514). The syslog messages are stored in the SonicWALL
GMS file system.
The syslog messages are used by the Reports Summarizer service running on
another SonicWALL GMS server or SonicWALL GMS in the distributed
deployment. The folder where the Syslog Collector service stores the syslog
messages must be accessible by the server running the Reports Summarizer
service.
Only the SonicWALL Universal Management Suite Syslog Collector service
runs on a Syslog Collector system.
To deploy your SonicWALL GMS in the Syslog Collector role, perform the
following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration,
   select the Syslog Collector radio button.
2. If this SonicWALL GMS listens for syslog messages on a non-standard port,
   type the port number into the Syslog Server Port field. The default port
   is 514.
3. To include the MySQL database on this system, select the Include
   Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server
   database on another system, do not select this checkbox.
4. Configure the database settings as described in the Configuring Database
   Settings section.
5. Configure the Web port settings as described in the Configuring Web Port
   Settings section.
6. To apply your changes, click Update. To change the settings on this page
   back to the defaults, click Reset.
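As an added example (not SonicWALL code), the following shows the two things this role does with each message: receive it on the configured UDP port and write it to a spool folder that the Reports Summarizer can read. Decoding the RFC 3164 <PRI> header is standard syslog; the per-day folder layout, the file naming and the sample messages are constructed for the example and are not taken from the page.

```python
"""Minimal stand-in for a Syslog Collector: receive on UDP/514, decode the <PRI> header,
append to a per-day spool folder. Added example, not SonicWALL code."""
import os
import re
import socket
import tempfile
from datetime import datetime, timezone
from typing import Optional, Tuple

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(raw: str) -> Tuple[int, int, str]:
    """Split '<PRI>body' into (facility, severity, body).

    RFC 3164: PRI = facility * 8 + severity, with 0 <= PRI <= 191.
    """
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("message has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, m.group(2)


def spool(base_dir: str, src_ip: str, raw: str,
          when: Optional[datetime] = None) -> str:
    """Append one message to <base_dir>/<YYYYMMDD>/<src_ip>.log and return the path.

    The layout is this example's choice (assumption); the page only requires that the
    folder be reachable by the Reports Summarizer system.
    """
    when = when or datetime.now(timezone.utc)
    facility, severity, body = parse_pri(raw)
    day_dir = os.path.join(base_dir, when.strftime("%Y%m%d"))
    # Group-readable for the summarizer account, nothing for other users.
    os.makedirs(day_dir, mode=0o750, exist_ok=True)
    path = os.path.join(day_dir, f"{src_ip}.log")
    line = (f"{when.isoformat()} src={src_ip} fac={facility} "
            f"sev={SEVERITIES[severity]} {body.rstrip()}\n")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return path


def listener(bind_addr: str = "0.0.0.0", port: int = 514) -> socket.socket:
    """Open the collector's UDP socket; 514 is the page's default and needs root to bind."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def serve(sock: socket.socket, base_dir: str) -> None:
    """Receive forever. The source address is whatever the sender put in the packet."""
    while True:
        data, (src_ip, _port) = sock.recvfrom(65535)
        try:
            spool(base_dir, src_ip, data.decode("utf-8", "replace"))
        except ValueError:
            continue   # not syslog; drop it rather than pollute the spool


# Constructed sample messages, not captured from a real appliance.
CONSTRUCTED_MESSAGES = [
    ("10.20.30.1", "<134>Jan  1 00:00:00 fw01 constructed sample: connection allowed"),
    ("10.20.30.1", "<131>Jan  1 00:00:01 fw01 constructed sample: admin login failed"),
]


def demo_spool(when: datetime = datetime(2010, 1, 1, tzinfo=timezone.utc)) -> str:
    """Write the constructed messages into a fresh temporary spool; return the file written."""
    base = tempfile.mkdtemp(prefix="gms-syslog-")
    paths = {spool(base, ip, msg, when) for ip, msg in CONSTRUCTED_MESSAGES}
    return paths.pop()   # same day, same source: exactly one file


if __name__ == "__main__":
    with open(demo_spool(), encoding="utf-8") as fh:
        print(fh.read(), end="")
```

Two caveats follow from the design. The UDP source address is not authenticated, so any host that can reach port 514 can inject events that end up in reports; keep the collector reachable only from the management network and the managed appliances. The spool folder is shared with the Reports Summarizer, so the share or mount that makes it accessible must be writable only by the collector and readable only by the summarizer systems.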
Configuring Database Settings
Database settings configuration is largely the same for any role when you
choose to include the database on that appliance. For roles that automatically
include the default MySQL database, such as All In One or Database Only, the
Database Type, Database Host, and Database Port fields are not editable.
This is also the case for any role when the Include Database (MYSQL)
checkbox is selected. The Administrator Credentials fields are displayed only
if the role has been defined to include the installation of the MySQL database.
These are not available when a SQL Server database is selected.
This section describes the options for configuring the database settings for
either the MySQL database or the Microsoft SQL Server database. The
SonicWALL GMS can run the MySQL database, but SonicWALL GMS can
also use either a MySQL or a SQL Server database running on a Windows
Server machine in a multi-system deployment.
To configure the database settings for any role, perform the following steps in
the appliance management interface:
1. Navigate to the Deployment > Role page and select the role for this
   appliance.
2. To run the MySQL database on this SonicWALL GMS, select the Include
   Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server
   database on another system, do not select this checkbox.
3. Under Database Configuration, if Include Database (MYSQL) was not
   selected in the previous step, select either MYSQL or SQL Server from the
   Database Type drop-down list. This field is not editable if you
   previously selected Include Database (MYSQL) or if the selected role is
   All In One or Database Only.
4. In the Database Host field, type the IP address of the database server,
   or accept the default, localhost, if this SonicWALL GMS includes the
   database. This field is not editable if you previously selected Include
   Database (MYSQL) or if the selected role is All In One or Database Only.
Note
If your deployment requires an instance name for the SQL Server database,
enter the host name or IP address in the Database Host field, followed by a
backslash and the instance name. The format should look as follows:
10.20.30.40\INSTANCE.
5. To use a different port when SonicWALL GMS accesses the database, type
   the port into the Database Port field. The default port is 3306.
6. To use a different user name when SonicWALL GMS accesses the database,
   type the user name into the Database User field. The default user name
   is “sa”.
7. Type the password that SonicWALL GMS will use to access the database into
   both the Database Password and Confirm Database Password fields.
8. If your deployment uses a custom database driver, type the value into the
   Database Driver field. Otherwise, accept the default,
   com.mysql.jdbc.Driver.
9. If your deployment uses a custom database URL, type the value into the
   Database URL field. If you are using a different port, change the default
   port, 3306, in the URL. Otherwise, accept the default URL,
   jdbc:mysql://localhost:3306.
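The following added example (not SonicWALL code) derives the Database Driver and Database URL values from the Database Type, Database Host and Database Port fields described above, including the host\INSTANCE notation for SQL Server, and then reviews the remaining fields for settings a deployer should question. The MySQL driver class, port and URL are the page's own defaults. The SQL Server driver class, its default port 1433 and the jdbc:sqlserver URL syntax come from Microsoft's JDBC driver and are not stated on the page; the 12-character password threshold is an arbitrary policy chosen for illustration.

```python
"""Derive Database Driver / Database URL from the other Database Configuration fields and
flag weak settings. Added example, not SonicWALL code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults stated on the Deployment > Role page.
MYSQL_DRIVER = "com.mysql.jdbc.Driver"
MYSQL_DEFAULT_PORT = 3306
# Not on the page: Microsoft JDBC driver class and default instance port (assumptions).
SQLSERVER_DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
SQLSERVER_DEFAULT_PORT = 1433
MIN_PASSWORD_LEN = 12   # illustrative policy, not a SonicWALL requirement


@dataclass
class DbSettings:
    """The Database Configuration fields as entered on the page."""
    db_type: str            # "MYSQL" or "SQL Server", as on the Database Type drop-down
    host: str               # "localhost", "10.20.30.40" or "10.20.30.40\\INSTANCE"
    port: int
    user: str
    password: str
    include_database: bool  # state of the Include Database (MYSQL) checkbox


def split_host(host: str) -> Tuple[str, Optional[str]]:
    """Split the page's 'host\\INSTANCE' notation into (host, instance or None)."""
    name, _sep, instance = host.strip().partition("\\")
    return name, (instance or None)


def driver_and_url(s: DbSettings) -> Tuple[str, str]:
    """Derive the Database Driver and Database URL values from the other fields."""
    host, instance = split_host(s.host)
    kind = s.db_type.upper().replace(" ", "")
    if kind == "MYSQL":
        if instance:
            raise ValueError("instance names apply to SQL Server only")
        return MYSQL_DRIVER, f"jdbc:mysql://{host}:{s.port}"
    if kind == "SQLSERVER":
        if instance:
            # Microsoft's driver ignores instanceName when a port is present, so the port
            # is left out and the instance is located through the SQL Browser service.
            return SQLSERVER_DRIVER, f"jdbc:sqlserver://{host};instanceName={instance}"
        return SQLSERVER_DRIVER, f"jdbc:sqlserver://{host}:{s.port}"
    raise ValueError(f"unknown Database Type {s.db_type!r}")


def review(s: DbSettings) -> List[str]:
    """Return the findings a reviewer would raise about these settings (empty = clean)."""
    findings: List[str] = []
    host, _instance = split_host(s.host)
    local = host.lower() in ("localhost", "127.0.0.1")
    if s.user.lower() == "sa":
        findings.append("Database User is the default 'sa'; use a dedicated GMS account")
    if len(s.password) < MIN_PASSWORD_LEN:
        findings.append(f"Database Password shorter than {MIN_PASSWORD_LEN} characters")
    if s.include_database and not local:
        findings.append("Include Database (MYSQL) is selected but Database Host is remote")
    if not local:
        findings.append(f"Database Host {host} is remote; restrict the database port "
                        "to the GMS systems")
    return findings


if __name__ == "__main__":
    page_default = DbSettings("MYSQL", "localhost", MYSQL_DEFAULT_PORT, "sa", "changeme", True)
    print(driver_and_url(page_default))
    for finding in review(page_default):
        print(" -", finding)
    remote = DbSettings("SQL Server", "10.20.30.40\\INSTANCE", SQLSERVER_DEFAULT_PORT,
                        "gms_app", "a-long-and-random-password", False)
    print(driver_and_url(remote))
    for finding in review(remote):
        print(" -", finding)
```

The default Database User “sa” is the SQL Server built-in system administrator login; GMS should connect as a dedicated account with rights on its own database only, and a database reachable across the network should accept connections only from the GMS systems that need it.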
Deployment Settings
This section describes the UMH/UMA Deployment > Settings page, used for
Web port, SMTP, and SSL access configuration.
The Deployment > Settings page is identical in both the UMH and UMA
management interfaces, except for the left navigation pane which shows the
Network menu item on the UMA.
See the following sections:
• “Configuring Web Port Settings” section
• “Configuring SMTP Settings” section
• “Configuring SSL Access” section
Configuring Web Port Settings
Web port settings configuration is largely the same on any role:
1. On the Deployment > Settings page under Web Port Configuration, to use a
   different port for HTTP access to the SonicWALL GMS, type the port number
   into the HTTP Port field. The default port is 80.
   If you enter another port in this field, the port number must be
   specified when accessing the appliance management interface or SonicWALL
   GMS management interface. For example, if port 8080 is entered here, the
   appliance management interface would be accessed with the URL
   http://<IP Address>:8080/appliance/.
2. To use a different port for HTTPS access to the SonicWALL GMS, type the
   port number into the HTTPS Port field. The default port is 443.
   If you enter another port in this field, the port number must be
   specified when accessing the appliance management interface or SonicWALL
   GMS management interface. For example, if port 4430 is entered here, the
   appliance management interface would be accessed with the URL
   https://<IP Address>:4430/appliance/.
Configuring SMTP Settings
The SMTP Configuration section allows you to configure an SMTP server
name or IP address, a sender email address, and an administrator email
address. You can test connectivity to the configured server.
To configure SMTP settings:
1. Navigate to the Deployment > Settings page, under the SMTP Configuration
   section.
2. Type the FQDN or IP address of the SMTP server into the SMTP server
   field.
3. Type the email address from which mail will be sent into the Sender
   address field.
4. Type the email address of the system administrator into the
   Administrator address field.
5. To test connectivity to the SMTP server, click Test Connectivity.
6. To apply your changes, click Update.
Configuring SSL Access
The SSL Access Configuration section allows you to configure and upload a
custom Keystore/Certificate file for SSL access to the GMS appliance, or
select the default local keystore.
To configure SSL access:
1. Navigate to the Deployment > Settings page, under the SSL Access
   Configuration section.
2. Select the Default radio button to keep, or revert to, the default
   settings, where the default GMS Web Server certificate with the
   'gmsvpserverks' keystore is used.
3. Select the Custom radio button to upload a custom keystore certificate
   for GMS SSL access.
4. In the Keystore/Certificate file field, click the Browse button to
   select your certificate file.
Note
Your custom file is renamed to ‘gmsvpservercustomks’ after upload.
5. Type the password for the keystore certificate into the
   Keystore/Certificate password field.
6. Click the View button to display details about your keystore
   certificate.
7. Click the Update button to submit your changes.
Deployment Services
This section describes the UMH/UMA Deployment > Services page, used for
starting and stopping the GMS services running on the system.
The Deployment > Services page is identical in both the UMH and UMA
management interfaces, except for the left navigation pane which shows the
Network menu item on the UMA.
Details are available for the current role, and the status of each service is
displayed on the page. For the All In One role, the page lists all services.
To start, stop, or restart one or more services:
1. Navigate to the Deployment > Services page.
2. Select the checkbox next to Service Name to select all services, or
   select one or more checkboxes for individual services.
3. To disable or stop the selected services, click the Disable/Stop button.
4. To enable or start the selected services, click the Enable/Start button.
5. To restart the selected services, click the Restart button.
Part 2 Policies
CHAPTER 9
Configuring SonicOS System Settings
This chapter describes how to use SonicWALL GMS to configure general
System Policy settings on managed SonicWALL appliances. The following
sections describe how to configure the system settings:
• Status—Provides a comprehensive collection of information to help you
  manage your SonicWALL security appliances and SonicWALL Security Services
  licenses. It includes GMS status information on Firewall, Management,
  Subscription, and Firewall Models. See “Viewing System Status”.
• Time—Describes how to change the time and time options for one or more
  SonicWALL appliances. See “Configuring Time Settings”.
• Licensed Nodes (Unit-level view only)—Provides a Node License Status
  table listing the number of nodes your SonicWALL security appliance is
  licensed to have connected at any one time, how many nodes are currently
  connected, and how many nodes you have in your Node License Exclusion
  List. See “Viewing Licensed Node Status”.
• Administrator—Describes how to change the administrator and password
  options for one or more SonicWALL appliances. See “Configuring
  Administrator Settings”.
• Tools—Provides a set of common system configuration tasks for restarting
  an appliance, requesting diagnostic information, inheriting settings,
  system synchronization, and synchronizing the appliance to
  mysonicwall.com. Also includes options to generate a Tech Support Report
  (TSR) and to email the TSR. See “Using Configuration Tools”.
• Info—Describes how to change contact information for one or more
  SonicWALL appliances. See “Configuring Contact Information”.
• Settings—Describes how to back up and save SonicWALL appliance settings
  as well as restore them from preferences files. See “Configuring System
  Settings”.
• Schedules—Describes how to create and configure schedule groups, which
  are used to apply firewall rules for specific days and hours of the week.
  See “Configuring Schedules”.
• Management—Describes how to edit the remote management settings on
  SonicWALL security appliances for management by GMS or VPN client. See
  “Editing Management Settings”.
• SNMP—Describes how to configure Simple Network Management Protocol. See
  “Configuring SNMP”.
• Certificates (Unit-level view only)—Describes how to configure both
  third-party Certificate Authority (CA) certificates and local
  certificates. See “Configuring Certificates”.
Viewing System Status
The System Status page provides a comprehensive collection of information
to help you manage your SonicWALL security appliances and SonicWALL
Security Services licenses. In the global view mode, it provides a summary of
all of the devices that are managed by the SonicWALL GMS, including the
number of appliances, whether the appliances are up or down, and the
number of security services subscriptions.
To view a summary of all devices managed by the GMS, click the Change View
icon at the top left and select GlobalView. Expand the System tree in the
middle panel, and click on Status. The Status page displays.
At the individual appliance level, the Status page provides more details such
as the serial number, firmware version, and information on management,
reporting, and security service subscriptions.
To view a summary of the status of an individual appliance, select the
appliance in the left pane, and then click System > Status in the navigation
pane. The Status page displays.
If tasks are pending for the selected unit, GMS provides a hyperlink that takes
the user to the Tasks Screen for that unit. Also in System > Status, GMS
displays the Last Log Entry for the unit with a hyperlink that takes the user to
the unit Logs screen. The links are only provided if the user actually has
permissions to access those screens on the Console panel.
In the Subscription section header, GMS provides a click here link that
displays your current subscription details on the Register/Upgrades >
Search screen. The search parameters are pre-populated for retrieving the
subscription services that are currently active on the appliance(s) and the
search is executed and the results are sorted by Expiry Date for your
convenience.
This page provides a PDF icon that you can click to get a PDF file containing
the same content as the Web page.
At the bottom of the status screen, GMS provides a way to retrieve dynamic
information about the selected appliance, and also provides a link to the GMS
Getting Started Guide.
You can click the Fetch Information link to view the following dynamic
information:
•
Firewall UpTime since Last Reboot
•
Last Modified Time and the user who last modified the appliance
•
Modem speed and active profile used (only for dial-up appliances)
You can retrieve this information by clicking the Fetch Information button at
the global, group, or unit level. The actual results, however, are displayed
only at the unit level.
To view the SonicWALL GMS Getting Started Guide, click the Open Getting
Started Instructions In New Window button.
Configuring Time Settings
The SonicWALL Global Management System (SonicWALL GMS) user
interface (UI) is similar to the standard SonicWALL appliance UI. However,
SonicWALL GMS offers the ability to push configuration settings to a single
SonicWALL appliance, a group of SonicWALL appliances, or all SonicWALL
appliances being managed by the SonicWALL GMS. To change time settings
on one or more SonicWALL appliances, perform the following steps:
1. Expand the System tree and click Time. The Time page displays.
2. Select the Time Zone of the appliance(s) from the Time Zone field.
3. To configure the SonicWALL(s) to automatically adjust their clocks for
   Daylight Savings Time, select the Automatically Adjust Clock for
   Daylight Savings Changes check box.
4. To configure the SonicWALL(s) to log in Coordinated Universal Time (UTC),
   also known as Greenwich Mean Time (GMT), instead of local time, select
   the Display UTC in Logs Instead of Local Time check box.
5. To configure the SonicWALL(s) to display the time in the international
   time format, select the Display Time in International Format check box.
6. Select from the following:
   – To manually configure the time and date, make sure the Use NTP to set
     time automatically check box is deselected. The SonicWALL appliance(s)
     will automatically use the time settings of the SonicWALL GMS agent.
   – To configure the SonicWALL(s) to automatically set the local time
     using Network Time Protocol (NTP), select the Use NTP to set time
     automatically check box.
7. When you are finished, click Update. A task gets scheduled to apply the
   new settings for each selected appliance.
8. If you don't want to use the SonicWALL appliance's internal NTP list, you
   can add your own NTP list. To add an NTP server, enter the IP address of
   an NTP server in the Add NTP Server field. A task gets scheduled to add
   the NTP server to each selected SonicWALL appliance.
Note
To add additional NTP servers, click Add and enter another NTP server.
9. To clear all screen settings and start over, click Reset.
Note
If you are not using NTP for the appliance, then GMS configures the time of
the appliance to be identical to the time of the GMS Agent pushing the
configuration to the appliance (after adjusting for any time zone
differences).
Viewing Licensed Node Status
A node is a computer or other device connected to your LAN with an IP
address. If your SonicWALL security appliance is licensed for unlimited nodes,
the Licensed Nodes section displays the message: The SonicWALL is
licensed for unlimited Nodes/Users. No other settings are displayed.
If your SonicWALL security appliance is not licensed for unlimited nodes, the
Node License Status table lists how many nodes your security appliance is
licensed to have connected at any one time, how many nodes are currently
connected, and how many nodes you have in your Node License Exclusion
List. To view licensed node information, perform the following steps:
1. Expand the System tree and click on Licensed Nodes. The Licensed Nodes page displays.
2. To update the licensed node information, click on Request Licensed Node Information from the appliance. The Currently Licensed Nodes table lists details on each node connected to your security appliance. Above the table, GMS displays how many nodes the appliance is licensed for.
When you exclude a node, you block it from connecting to your network
through the security appliance. Excluding a node creates an address object
for that IP address and assigns it to the Node License Exclusion List address
group. To exclude a node that is currently licensed, perform the following
steps:
1. Click the configure icon in the Exclude column of the Currently Licensed Nodes table. Then click Ok on the warning message that displays.
2. To exclude a node that is not currently licensed, click on Add New Node For Exclusion. The Add License Exclusion Node window displays.
3. Enter the IP address of the node in the Node IP Address field.
4. Optionally, you can enter a comment about the node in the Comment field.
5. Click Update.
In SonicOS Enhanced, you can manage the License Exclusion List group
and address objects in the Network > Address Objects page of the
management interface. On the Address Objects page, scroll down to the
Node License Exclusion List row and click the configure icon. See
“Configuring Address Objects” on page 184 for instructions on managing
address objects.
Configuring Administrator Settings
The Administrator page configures administrator settings for the SonicWALL
appliance. These settings affect both SonicWALL GMS and other
administrators. To change administrator settings on one or more SonicWALL
appliances, perform the following steps:
1. Expand the System tree and click Administrator. The Administrator page displays.
2. Enter the login name for the administrator in the Administrator Login Name field.
3. Specify the maximum number of days after which a password expires and must be updated in the Password must be changed every (days) field.
4. Specify the number of previous passwords that are remembered and that a new password cannot match in the Bar repeated passwords for this many changes field.
5. Specify the minimum password length in the Enforce a minimum password length of field.
6. Select the level of password complexity from the Enforce Password Complexity drop-down list. You can select one of the following:
– None
– Require both alphanumeric and numeric characters
– Require alphabetic, numeric and symbolic characters
7. Select the Administrators checkbox to apply these password constraints only to full and read-only administrators.
8. Select the Other full administrators checkbox to apply these password constraints to all administrators with local passwords.
9. Select the Limited administrators checkbox to apply these password constraints to all local users with limited administrator privileges.
10. Select the Other local users checkbox to apply these password constraints only to non-administrator users.
11. Specify how long the SonicWALL appliance(s) wait (in minutes) before logging out inactive administrators in the Log out the Administrator after inactivity of field.
12. To lock out the SonicWALL appliance after user login failure, select the Enable user lockout on login failure check box. Then, specify the number of login failure attempts that must occur before the user is locked out in the Failed login attempts per minute before lockout field and how long the user will be locked out in the Lockout Period field.
13. For On preemption by another administrator:, select one of the following actions to take when an administrator is preempted by another:
– Drop to non-config mode - move the preempted administrator to non-configuration mode
– Log out - log out the preempted administrator.
14. Select from the following options to change the SonicWALL appliance password(s):
– If you are configuring a SonicWALL appliance at the unit level, enter and reenter the new SonicWALL password. Then, enter the SonicWALL GMS password and click Change Password. The password is changed.
– If you are configuring a SonicWALL appliance at the group or global level, enter the SonicWALL GMS password and click Change Password. Each SonicWALL appliance will receive a unique randomly generated password. This unique password is encrypted and recorded in the SonicWALL GMS database.
At the non-unit level, passwords can be configured in two ways:
– GMS can assign random passwords to the appliances (recommended for security purposes).
– The user can specify a specific password which will be assigned to all the appliances in the node (not recommended).
To have GMS assign random passwords, leave the New SonicWALL Password and Confirm New SonicWALL Password fields empty.
Note
The unique encrypted password is also written into a file in
<gms_directory>/etc/. The filename format is
Prefs<serialnumber>.pwd; each file contains the old and the new
password for the SonicWALL appliance. The file gets overwritten
every time the password for the SonicWALL appliance is changed.
The encryption is base64.
15. When you are finished, click Update. A task gets spooled and once it is
executed successfully, the settings are updated for the selected
SonicWALL appliances.
16. To clear all screen settings and start over, click Reset.
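The password constraints from steps 3 to 6 and the lockout rule from step 12, modelled in Python as an added example (not GMS or SonicWALL code) so their interaction can be checked offline. The three complexity level names are the page's; the class and function names, the 60-second failure window and the use of SHA-256 digests for the password history are assumptions.

```python
from collections import deque
from hashlib import sha256

# The three levels of the Enforce Password Complexity drop-down (from the page).
NONE = "None"
ALNUM = "Require both alphanumeric and numeric characters"
ALNUM_SYM = "Require alphabetic, numeric and symbolic characters"


def meets_complexity(password, level):
    """True if the password satisfies the selected complexity level."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if level == NONE:
        return True
    if level == ALNUM:
        return has_alpha and has_digit
    if level == ALNUM_SYM:
        return has_alpha and has_digit and has_symbol
    raise ValueError("unknown complexity level: %r" % level)


class PasswordPolicy:
    """Enforce a minimum password length of, Enforce Password Complexity and
    Bar repeated passwords for this many changes, applied together (assumed model)."""

    def __init__(self, min_length, complexity, barred_changes):
        self.min_length = min_length
        self.complexity = complexity
        # Keep digests of the last N passwords, never the passwords themselves.
        self.history = deque(maxlen=barred_changes) if barred_changes > 0 else None

    @staticmethod
    def _digest(password):
        return sha256(password.encode("utf-8")).hexdigest()

    def check(self, password):
        """Return the list of violated constraints; an empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append("shorter than minimum length %d" % self.min_length)
        if not meets_complexity(password, self.complexity):
            problems.append("does not satisfy: " + self.complexity)
        if self.history is not None and self._digest(password) in self.history:
            problems.append("matches one of the barred previous passwords")
        return problems

    def change(self, password):
        """Apply a password change only if it passes every constraint."""
        if self.check(password):
            return False
        if self.history is not None:
            self.history.append(self._digest(password))
        return True


class LoginLockout:
    """Enable user lockout on login failure: `failures_per_minute` failed
    attempts within 60 seconds lock the user out for `lockout_minutes`."""

    def __init__(self, failures_per_minute, lockout_minutes):
        self.limit = failures_per_minute
        self.lockout_seconds = lockout_minutes * 60
        self.failures = {}      # user -> timestamps (seconds) of recent failures
        self.locked_until = {}  # user -> timestamp at which the lockout ends

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Record a failed login at time `now`; True if the user is now locked out."""
        if self.is_locked(user, now):
            return True
        recent = [t for t in self.failures.get(user, []) if now - t < 60]
        recent.append(now)
        if len(recent) >= self.limit:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = []
            return True
        self.failures[user] = recent
        return False
```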
Using Configuration Tools
This chapter describes how to use SonicWALL tools to restart SonicWALL
appliances, request diagnostics, inherit settings from the group, and more.
The following sections describe the options available in the GMS tools menu:
• “Restarting SonicWALL Appliances” on page 132
• “Requesting Diagnostics for SonicWALL” on page 132
• “Inheriting Settings” on page 133
• “Clearing the ARP Cache” on page 136
• “Synchronizing Appliances” on page 136
• “Synchronizing with mysonicwall.com” on page 137
• “Manually Uploading Signature Updates” on page 137
• “Generating Tech Support Reports” on page 138
Restarting SonicWALL Appliances
Some SonicWALL GMS changes require the SonicWALL appliance(s) to
automatically be restarted after changes are applied. However, there may be
instances when you want to restart the SonicWALL appliance(s) manually. To
restart one or more SonicWALL appliances, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. To restart the selected SonicWALL appliance(s), click Restart SonicWALL.
Note
We recommend restarting the SonicWALL appliance(s) when network activity is low.
Requesting Diagnostics for SonicWALL
To request diagnostics for SonicWALL appliances, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. To request diagnostics for the selected SonicWALL appliance(s), click Request Diagnostics. SonicWALL GMS schedules a task to request diagnostics for the selected SonicWALL appliances.
3. To view the diagnostics, navigate to Diagnostics > Snapshot Status on the Console panel.
4. In the Diagnostics Requested drop-down list, select the diagnostics that you want to review.
5. Click View SnapShot Data.
Inheriting Settings
On the Policies panel, in the System > Tools screen, you can apply inheritance
filters at a global, group, or appliance level. You can select an existing
inheritance filter and customize which of its rules are actually inherited. You can
do this on the fly, without the need to create an entirely separate filter.
For more information on inheritance, see “Configuring Inheritance Filters” on
page 569.
To apply the inheritance filters, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. Select the appropriate radio button for either forward or reverse inheritance. Use the Filter drop-down menu to select the desired filter to apply. Click the “Preview” button to proceed to the “Preview of Inheritance Settings” window.
Note
When configuring forward inheritance at the group level, all selected settings are pushed to all units in the group.
3. Review the settings to be inherited. Users may continue with all of the default screens selected for inheritance or select only specific screens for inheritance by checking boxes next to the desired settings.
Note
The Preview panel footer states, “All referring objects should also be selected as part of the settings picked, to avoid any dependency errors while inheriting.” If the user deselects dependent screen data, the settings will not inherit properly.
4. If the user is attempting forward inheritance, they may click “Update” to proceed. If the user is attempting to reverse inherit settings, an additional selection must be made at the bottom of the Preview panel. The user must select either to update the chosen settings to only the target parent node, or to update the target parent node along with all unit nodes under it. Once the user makes this selection, they may click “Update” to proceed, or “Reset” to edit previous selections.
5. If the user selects to update the target parent node and all unit nodes, a “Modify Task Description and Schedule” panel opens in place of the Preview panel. (This panel will not appear if the user selects “Update only target parent node”). If the “Modify Task Description and Schedule” panel opens, the user can edit the task description in the “Description” field. They may also adjust the schedule for inheritance, or continue with the default scheduling. If the user chooses to edit the timing by clicking on the arrow next to “Schedule,” a calendar expands allowing the user to click on a radio button for “Immediate” execution, or to select an alternate day and time for inheritance to occur.
6. Once the user has completed any edits, they select either “Accept” or “Cancel” to execute or cancel the scheduled inheritance, respectively.
Once the inheritance operation begins, a progress bar appears, along with text
stating the operation may take a few minutes, depending on the volume of
data to be inherited.
Once the inheritance operation is complete, the desired settings from the unit
or group node should now be updated and reflected in the parent node’s
settings, as well as in the settings of all other units, if selected.
Note
For the Access/Services and Access/Rules pages, by default,
inheriting group settings overwrites the values at the unit level with
the group values. If you wish for SonicWALL GMS to append the
group settings to the values at the unit level, you need to enable the
Append Group Settings option on the General/GMS Settings page
on the Console Panel.
For more information on inheritance, see “Managing Inheritance in GMS” on
page 569.
Clearing the ARP Cache
SonicWALL appliances store information about all devices with which they
have communicated.
To clear the ARP Cache for one or more SonicWALL appliances, perform the
following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. Click Clear ARP Cache.
Synchronizing Appliances
If a change is made to the SonicWALL appliance through any means other
than through GMS, SonicWALL GMS will be notified of the change through the
syslog data stream. You can configure an alert through the Granular Event
Management framework to send email notification when a local administrator
makes changes to a SonicWALL appliance through the local user interface rather
than through GMS. After the syslog notification is received, SonicWALL GMS
will schedule a task to synchronize its database with the local change. After
the task successfully executes, the current configuration (prefs) file is read
from the SonicWALL appliance and loaded into the database.
Auto-synchronization automatically occurs whenever SonicWALL GMS
receives a local change notification status syslog message from a SonicWALL
appliance.
You can also force an auto-synchronization at any time for a SonicWALL
appliance or a group of SonicWALL appliances. To do this, perform the
following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. To synchronize the selected SonicWALL appliance(s), click Synchronize Now. SonicWALL GMS schedules a task to synchronize the selected SonicWALL appliances.
Note
The auto-synchronization feature can be disabled on the Console/Management Settings screen by unchecking the Enable Auto Synchronization checkbox.
Synchronizing with mysonicwall.com
SonicWALL appliances check their licenses/subscriptions with mysonicwall.com once every 24 hours. Using the Synchronize with mysonicwall.com Now button, a user can have an appliance synchronize this information with mysonicwall.com without waiting for the 24-hour schedule. To force the SonicWALL to synchronize with mysonicwall.com now, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. To synchronize the selected SonicWALL appliance(s), click Synchronize with mysonicwall.com Now. SonicWALL GMS schedules a task to synchronize the selected SonicWALL appliances’ license information into GMS.
Manually Uploading Signature Updates
For SonicWALL appliances that do not have direct access to the Internet (for
example, appliances in high-security environments) you can manually upload
updates to security service signatures. To instruct GMS to download updates
to security service signatures, perform the following steps:
1. Click on the Console tab, expand the Management tree, and click on GMS Settings.
2. Select the check boxes for the Firewalls managed by this GMS do not have Internet Access and Upload latest signatures on subscription status change settings. See “Settings” on page 941 for more information.
3. Click on the Policies tab, expand the System tree, and click Tools.
4. When there are updated signatures to upload, the Upload Signatures Now button is displayed. Click this button to manually upload the signatures.
Note
The Upload Signatures Now button is displayed only when the
GMS has downloaded updated signature files that are ready to be
uploaded.
Generating Tech Support Reports
To generate a Tech Support Report that is emailed to the administrator email address, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. Select any of the following four report options:
– VPN Keys—Saves shared secrets, encryption, and authentication keys to the report.
– ARP Cache—Saves a table relating IP addresses to the corresponding MAC or physical addresses.
– DHCP Bindings—Saves entries from the SonicWALL security appliance DHCP server.
– IKE Info—Saves current information about active IKE configurations.
3. Click Email TechSupport Report. The requested reports are emailed to the administrator email address.
Configuring Contact Information
The System > Info page contains contact information for the SonicWALL
appliance. These settings are for informational purposes only and do not
affect the operation of SonicWALL appliances. To change informational
settings on one or more SonicWALL appliances, perform the following steps:
1. Expand the System tree and click Info. The Info page displays.
2. Enter contact information for the SonicWALL appliance(s).
3. When you are finished, click Update. A task gets spooled and once it is executed successfully, the information is updated for the selected SonicWALL appliances.
4. To reset all screen settings and start over, click Reset.
Configuring System Settings
SonicWALL GMS enables you to save SonicWALL appliance settings to the SonicWALL GMS database, which can be used for restoration purposes. GMS can automatically take backups of the appliance configuration files on a regular schedule and store them in the database. The schedule is configured in the Console > Management > GMS Settings screen, in the Automatically save... section. Here you can specify that a backup should never be taken, or that backups should be taken on a daily or weekly schedule. If the schedule is set to daily or weekly, then the backups are performed for all appliances for which the Enable Prefs File Backup checkbox is selected in this screen.
To purge older backups, you can specify how many of the latest prefs files should be stored in the database. The list box here displays all the Prefs files backed up, along with the firmware version. In addition to automatic backups, you can manually force a Prefs backup by clicking the Store settings... buttons.
To save or apply SonicWALL appliance settings, perform the following steps:
1. Expand the System tree and click Settings. The Settings page displays.
2. To save the settings of a SonicWALL appliance to the SonicWALL GMS database, enter a name for the settings in the Name field and click Store settings read from unit. Then, if you want to save these settings to a local file, click Save the settings to a local file. You can save multiple versions of settings for each SonicWALL appliance to the SonicWALL GMS database and to different local files.
3. To apply settings to the SonicWALL appliance directly from the SonicWALL GMS database, select the saved settings and click Restore the settings to the unit.
Note
The Restore the settings to the unit option is available only at the
unit level, and not at the group and global levels. This option
previously was available at the group and global levels. GMS now
does not display the option at both the group and global levels to
minimize risk of you writing a non-compatible prefs file to an
incorrect firmware version running on a SonicWALL appliance.
4. To store an external Prefs file into the database, enter the path to the file and click Store settings from local file. The Store settings from local file button is used to store the prefs file from the local hard disk into the GMS database so that it displays in the list box of the Settings page. Once stored in the database (when it will display in the list box), you can then click the Restore the settings to the unit button.
5. To automatically back up the preferences for the selected SonicWALL appliance, select the Enable Prefs File Backup check box and click Update.
Note
The backed up prefs file contains the configuration settings and the firmware version of the security appliance you are backing up.
6. Go to the Console > Management > GMS Settings page and update the values in the Automatically save prefs file section. This enables you to specify when and how frequently GMS backs up the prefs files.
7. If you want to automatically purge older backups, select the number of newer backup files you want to keep in the Number of newest Prefs Files to be preserved field. Enter 0 to prevent purging of older backups.
8. Set the value in the Missed Reports Threshold field to the number of heartbeat messages GMS can miss before considering the unit to be down.
GMS relies on special syslogs called heartbeat messages to determine if an appliance is up and running. By default, if GMS does not receive three successive heartbeat messages, it marks the appliance as “down”. You can customize this threshold to any number. If you set the value to “0”, then GMS will not mark this node as down.
9. To delete settings from the SonicWALL GMS database, select the saved settings and click Delete the settings.
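How the Missed Reports Threshold of step 8 turns a heartbeat stream into an up/down status, as an added Python example that is not GMS code. It replays constructed syslog lines (the m=96 heartbeat message type is the one the Management page names; the field layout, serial number and one-minute heartbeat interval are assumptions) and marks the unit down once the threshold number of successive heartbeats is missed, with 0 meaning never.

```python
import re
from datetime import datetime, timedelta

HEARTBEAT_MSG = 96  # m=96 is the heartbeat status message
TIME_RE = re.compile(r'time="([^"]+)"')
MSG_RE = re.compile(r"\bm=(\d+)\b")
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample syslog stream: field layout assumed, values made up.
SAMPLE_SYSLOG = [
    'id=firewall sn=EXAMPLE0001 time="2010-06-01 09:00:00" m=96 msg="Heartbeat"',
    'id=firewall sn=EXAMPLE0001 time="2010-06-01 09:01:00" m=96 msg="Heartbeat"',
    'id=firewall sn=EXAMPLE0001 time="2010-06-01 09:01:20" m=999 msg="not a heartbeat"',
    'id=firewall sn=EXAMPLE0001 time="2010-06-01 09:02:00" m=96 msg="Heartbeat"',
    # the heartbeats expected at 09:03, 09:04 and 09:05 never arrive
    'id=firewall sn=EXAMPLE0001 time="2010-06-01 09:06:00" m=96 msg="Heartbeat"',
]


def parse_heartbeat(line):
    """Return the timestamp of a heartbeat line, or None for any other syslog."""
    msg = MSG_RE.search(line)
    when = TIME_RE.search(line)
    if not msg or not when or int(msg.group(1)) != HEARTBEAT_MSG:
        return None
    return datetime.strptime(when.group(1), FMT)


def _missed(last, now, interval):
    """Whole heartbeat intervals between `last` and `now` with no heartbeat."""
    return int((now - last) / interval) - 1


def unit_status(lines, interval_s, threshold, now_text):
    """Replay heartbeat lines; return (transitions, status at now_text).

    transitions is a list of ("YYYY-MM-DD HH:MM:SS", "up"|"down") pairs. The
    unit goes down once `threshold` successive heartbeats are missed and comes
    back up on the next heartbeat; threshold 0 disables down-marking.
    """
    interval = timedelta(seconds=interval_s)
    now = datetime.strptime(now_text, FMT)
    beats = [t for t in (parse_heartbeat(l) for l in lines) if t is not None]
    if not beats:
        return [], "unknown"
    transitions = [(beats[0].strftime(FMT), "up")]
    last = beats[0]
    for beat in beats[1:]:
        if threshold > 0 and _missed(last, beat, interval) >= threshold:
            # down at the moment the threshold-th expected heartbeat was due
            transitions.append(((last + threshold * interval).strftime(FMT), "down"))
            transitions.append((beat.strftime(FMT), "up"))
        last = beat
    status = "up"
    if threshold > 0 and _missed(last, now, interval) >= threshold:
        transitions.append(((last + threshold * interval).strftime(FMT), "down"))
        status = "down"
    return transitions, status
```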
Configuring Schedules
You can configure schedule groups on the Policies panel, in System > Schedules. Schedule Groups are groups of schedules to which you can apply firewall rules. For example, you might want to block access to auction sites during business hours, but allow employees to access the sites after hours.
You can apply rules to specific schedule times or all schedules within a Schedule Group. For example, you might create an Engineering Work Hours group that runs from 11:00 AM to 9:00 PM, Monday through Friday and 12:00 PM to 5:00 PM, Saturday and Sunday. Once configured, you can apply specific firewall rules to the entire Engineering Work Hours Schedule Group or only to the weekday schedule.
To create a Schedule Group, perform the following steps:
1. Expand the System tree and click Schedules. The Schedules page displays.
2. To add a Schedule Group, click Add Schedule Group.
3. Enter the name of the Schedule Group in the Name field.
4. In the Schedule Type section, select if the schedule will occur Once, Recurring, or Mixed.
Note
The one-time and mixed schedule types are only available for systems running SonicOS Enhanced 5.5 and above.
5. For a schedule that occurs only once, select the year, month, date, hour, and minutes for the Start and End fields.
6. For recurring schedules, select the check boxes for each day the schedule will apply.
7. Enter the start time for the recurring schedule in the Start Time field. Make sure to use the 24-hour format.
8. Enter the end time for the recurring schedule in the Stop Time field. Make sure to use the 24-hour format.
9. Click Add.
10. Repeat Step 4 through Step 9 for each schedule to add.
11. To delete a schedule, select the schedule and click Delete.
12. Click OK. The Schedule Group is added and configured.
13. To edit a Schedule Group, click its Edit icon. The Edit Schedule Group dialog box displays. Edit the Schedule Group details and click OK.
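Schedule Group evaluation as described above, written as an added Python example that is not GMS code: it builds the page's Engineering Work Hours group (11:00 to 21:00 Monday through Friday, 12:00 to 17:00 Saturday and Sunday) from Recurring schedules, adds a constructed Once window to form a Mixed group, and decides whether a rule bound to the whole group or to a single member schedule is in effect at a given time. The class and function names are assumptions; the 24-hour time format is the one steps 7 and 8 require, and it is enforced.

```python
from dataclasses import dataclass, field
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def when(text):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _hhmm(text):
    """Parse a 24-hour HH:MM string into minutes since midnight; reject
    anything else (e.g. '9:00 PM'), as the page requires the 24-hour format."""
    hours, _, minutes = text.partition(":")
    if not (hours.isdigit() and minutes.isdigit()):
        raise ValueError("time must be 24-hour HH:MM, got %r" % text)
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError("time must be 24-hour HH:MM, got %r" % text)
    return h * 60 + m


@dataclass(frozen=True)
class Recurring:
    """Recurring schedule: selected days, Start Time and Stop Time (24-hour)."""
    days: frozenset
    start: str
    stop: str

    def __post_init__(self):
        if not self.days <= frozenset(DAYS):
            raise ValueError("unknown day in %r" % sorted(self.days))
        if _hhmm(self.start) >= _hhmm(self.stop):
            raise ValueError("Start Time must be before Stop Time")

    def matches(self, at):
        if DAYS[at.weekday()] not in self.days:
            return False
        minute = at.hour * 60 + at.minute
        return _hhmm(self.start) <= minute < _hhmm(self.stop)


@dataclass(frozen=True)
class Once:
    """One-time schedule: absolute Start and End (SonicOS Enhanced 5.5 and above)."""
    start: datetime
    end: datetime

    def matches(self, at):
        return self.start <= at < self.end


@dataclass
class ScheduleGroup:
    name: str
    schedules: list = field(default_factory=list)

    @property
    def schedule_type(self):
        """Once, Recurring, or Mixed, derived from the member schedules."""
        kinds = {type(s).__name__ for s in self.schedules}
        return kinds.pop() if len(kinds) == 1 else "Mixed"

    def active(self, at, only=None):
        """True if a rule bound to the whole group (or to the single member
        `only`, e.g. the weekday schedule) is in effect at time `at`."""
        targets = [only] if only is not None else self.schedules
        return any(s.matches(at) for s in targets)


# The page's example group: 11:00-21:00 Mon-Fri and 12:00-17:00 Sat-Sun.
WEEKDAYS = Recurring(frozenset(DAYS[:5]), "11:00", "21:00")
WEEKEND = Recurring(frozenset(DAYS[5:]), "12:00", "17:00")
ENGINEERING_WORK_HOURS = ScheduleGroup("Engineering Work Hours", [WEEKDAYS, WEEKEND])

# A Mixed group: the recurring schedules plus a constructed one-time window.
ALL_HANDS = Once(when("2010-06-10 09:00"), when("2010-06-10 10:30"))
MIXED_GROUP = ScheduleGroup("Engineering Mixed", [WEEKDAYS, WEEKEND, ALL_HANDS])
```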
Editing Management Settings
To edit the remote management settings for a SonicWALL security appliance,
perform the following steps:
1. Expand the System tree and click Management. The Management page displays.
Caution
Changing the management parameters can cause units to be disconnected from GMS.
2. Enter the port number for HTTP connections in the HTTP Port field.
3. To enable HTTPS access to the appliance, select the Enable HTTPS Access to the unit checkbox and enter the port number in the HTTPS Port field. For the SonicWALL Aventail appliance, use port 8443 for HTTPS access.
4. The Certificate Common Name field defaults to the SonicWALL LAN Address. This allows you to continue using a certificate without downloading a new one each time you log into the appliance.
Note
To change the HTTP or HTTPS ports for SonicOS Enhanced units, go to the Firewalls > Service Objects screen and edit the corresponding service object.
5. Specify whether the appliance is to be managed by GMS or a VPN client in the Enable Management Using pull-down menu.
6. Enter the IP address or host name of the GMS server in the GMS HostName or IPAddress field.
7. Enter the syslog server port (default: 514) in the GMS Syslog Server Port field.
8. If the GMS is behind a device performing Network Address Translation (NAT), select the GMS behind NAT Device checkbox and enter the IP address in the NAT Device IP Address field.
9. If the appliance will be managed over an existing VPN tunnel, select the GMS on VPN (No SA Required) checkbox.
10. To minimize the amount of syslog between the GMS and the SonicWALL security appliance, select the Send Heartbeat Status Messages Only checkbox. This option should be used if you do not need the data to generate reports in GMS. When you check this setting, the unit will only send heartbeat (m=96) messages that tell GMS that the unit is alive. Click the Change button.
11. To allow users on the LAN interface to ping the appliance to verify that it is online, select the Enable Ping from LAN/WorkPort to management interface checkbox. Click the Change button.
12. To allow GMS administrators to preempt users who are logged in directly to the SonicWALL security appliance, select the Allow GMS to preempt a logged in administrator checkbox.
13. If you have configured security associations on the appliance, the Security Association Information section displays at the bottom of the Management page. Enter the SA keys in the Encryption Key and Authentication Key fields and click Change Only SA Keys.
14. When you have finished configuring remote management settings, click Update.
Configuring SNMP
This section describes how to configure Simple Network Management
Protocol (SNMP) settings for one or more SonicWALL appliances.
To configure SNMP, perform the following steps:
1. Expand the System tree and click SNMP. The SNMP page displays.
2. Select the Enable SNMP check box.
3. Enter a name in the System Name field.
4. Enter the name of the administrator responsible for the SNMP server in the System Contact field.
5. Enter the location of the SNMP server in the System Location field.
6. Enter the community name from which the SNMP server will respond to Get requests in the Get Community Name field.
7. Enter the name of the administrator group that can view SNMP traps in the Trap Community Name field.
8. Enter the SNMP server IP addresses or hostnames in the Hosts 1-4 fields.
9. When you are finished, click Update. A task gets spooled and once it is executed successfully, the information is updated for each selected SonicWALL appliance.
Configuring Certificates
The Certificates dialog box displays details for Certificate Authority (CA)
Certificates and local certificates that you have imported or configured on your
SonicWALL appliance.
This section contains the following sub-sections:
• Navigating the System > Certificates Page, page 147
• About Certificates, page 148
• Configuring CA Certificates, page 148
• Importing New Local and CA Certificates, page 149
• Generating a Certificate Signing Request, page 150
• Configuring SCEP, page 151
Navigating the System > Certificates Page
The Certificate and Certificate Requests section provides all the settings for
managing CA and Local Certificates.
View Style
The View Style menu allows you to choose which certificates are displayed.
Options include:
• All Certificates - displays all certificates and certificate requests.
• Imported certificates and requests - displays all imported certificates and generated certificate requests.
• Built-in certificates - displays all certificates included with the SonicWALL security appliance.
• Include expired and built-in certificates - displays all expired and built-in certificates.
Certificates and Certificate Requests
The Certificates and Certificate Requests table displays information about
your certificates.
Information and options include:
• Certificate - the name of the certificate.
• Type - the type of certificate, which can include CA or Local.
• Validated - the validation information.
• Expires - the date and time the certificate expires.
• Details - the details of the certificate. Moving the pointer over the MAGNIFYING GLASS icon displays the details of the certificate.
• Configure - Allows configuration with the following options:
– Edit icon to make changes to the certificate
– Delete icon to remove a certificate
– Import icon to import either certificate revocation lists (for CA certificates) or signed certificates (for Pending requests).
• New Signing Request - Create a new signing request directly from the GMS user interface
• SCEP - Manage certificates using the Simple Certificate Enrollment Protocol (SCEP) standard
About Certificates
A digital certificate is an electronic means to verify identity by using a trusted
third party known as a Certificate Authority (CA). SonicWALL now supports
third party certificates in addition to the existing Authentication Service.
SonicWALL security appliances interoperate with any X.509v3-compliant
provider of Certificates. However, SonicWALL security appliances have been
tested with the following vendors of Certificate Authority Certificates:
• Entrust
• Microsoft
• OpenCA
• OpenSSL
• VeriSign
Configuring CA Certificates
To configure CA Certificates in this dialog box, perform the following steps.
1. From the Name list box, click on a certificate.
2. Note the details, including the certificate name and subject, in the Details region.
3. Click on the Email Certificate button if you want to send the certificate to a location by email.
4. Click the Delete Certificate button if you want to remove the certificate.
5. Specify a URL of the location of the Certificate Revocation List (CRL) in the CRL URL field. Then click the CRL URL button to launch the CRL.
6. To import a CRL, click the Browse button for the Import CRL field and navigate to the CRL. Then click the Import CRL button to import the CRL.
7. Click on the Invalidate Certificates and Security Association if CRL import or processing fails checkbox to ensure safe cleanup of half-imported certificates if the process is interrupted while importing a CRL.
Importing New Local and CA Certificates
This option allows you to import pre-existing certificates stored locally.
To import a certificate:
1. Click the Import Certificate link.
2. Choose between a local end-user certificate or a CA certificate.
3. (local only) Enter a name in the Certificate Name field.
4. (local only) Enter the password used to encrypt the certificate in the Certificate Management Password field.
5. Browse to the certificate location and Open the file.
6. Click the Import button to complete the process.
Generating a Certificate Signing Request
Note
This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
To obtain a certificate, perform the following steps:
1. On the System > Certificates page, click the New Signing Request link.
2. Complete the information in the Generate Certificate Request section and click Generate Request. The request displays in the Current Certificate Requests section.
3. Click Export. You are prompted to save the file. It will be saved in the PKCS 10 format.
4. Obtain a certificate from one of the approved certificate authorities using the PKCS 10 file.
5. After you receive the certificate file, locate and import the file by clicking Browse in the Import Certificate With Private Key section. Then click Import. The certificate will appear in the Current Local Certificates section.
Configuring SCEP
Note
SCEP configuration is supported at the appliance level.
The Simple Certificate Enrollment Protocol (SCEP) simplifies the process of
issuing large numbers of certificates using an automatic enrollment technique.
SCEP is supported for appliances running SonicOS Enhanced 5.5 or higher.
To configure SCEP, perform the following steps:
1. On the System > Certificates page, click the SCEP link. The SCEP Configuration window displays.
2. Configure the following options for the SCEP configuration:
• CSR list - Select a certificate signing request (CSR) list if one has been uploaded.
• Challenge Password - (optional) Enter the password that is used to authenticate the enrollment request.
• CA URL - Enter the URL of the certificate authority.
• Request Count - The default is 256.
• Polling Interval(S) - The default is 30.
• Max Polling Time(S) - The default is 28800.
3. Click the SCEP button to apply the SCEP configuration.
CHAPTER 10
Configuring SonicOS Network Settings
This chapter describes how to configure network settings for SonicWALL
appliances. It is divided into sections for SonicWALL security appliances
running SonicOS Enhanced and SonicOS Standard.
• “Overview of Interfaces” section on page 153
• “Configuring Network Settings in SonicOS Enhanced” section on page 156
• “Configuring Network Settings in SonicOS Standard” section on page 212
Overview of Interfaces
You can configure the LAN interface in three different modes:
• Static IP—Uses a static IP address and acts as a gateway for devices on the LAN.
• Transparent Mode—Allows you to assign a single IP address to two physical interfaces, where each interface accesses an exclusive range of IP addresses in the shared subnet. Behaves as a proxy at Layer 3, intercepting ARPs and changing source MAC addresses of packets traversing the interface pair.
• Layer 2 Bridged Mode—Similar to Transparent Mode, but dynamically learns IP addresses on both interfaces so that you do not need to subdivide the subnet that is being bridged. Provides deep-packet inspection and application of policies before forwarding packets. Places the bridged interfaces into promiscuous mode and passes traffic between them with source and destination MAC addresses intact.
Figure 1 shows the basic interfaces for a SonicWALL appliance. The WAN
interface can use a static or dynamic IP address and can connect to the
Internet via Transmission Control Protocol (TCP), Point-to-Point Protocol over
Ethernet (PPPoE), Level 2 Tunneling Protocol (L2TP), or Point-to-Point
Tunneling Protocol (PPTP).
A SonicWALL appliance might have one, many, or no optional interfaces.
Optional interfaces can be configured for LAN, WAN, DMZ, WLAN, or
Multicast connections, or they can be disabled.
Figure 1 Interfaces (diagram: a Network Security Appliance with three interface groups: LAN with Static IP, Transparent Mode or Layer 2 Bridge Mode; OPT (LAN/WAN/DMZ/Multicast) with Static IP or Dynamic IP; and WAN with Static IP, Dynamic IP, TCP, PPPoE, L2TP or PPTP, connecting to the Internet; LAN, DMZ and WAN segments shown)
On the SonicWALL NSA Series and SonicWALL PRO
2040/3060/4060/4100/5060 security appliances, virtual Interfaces are
sub-interfaces assigned to a physical interface. Virtual interfaces allow you to
have more than one interface on one physical connection. Virtual interfaces
provide many of the same features as physical interfaces, including Zone
assignment, DHCP Server, and NAT and Access Rule controls. Selecting
Layer 2 Bridged mode is not possible for a VLAN interface.
VLAN support on SonicOS Enhanced is achieved by means of sub-interfaces,
which are logical interfaces nested beneath a physical interface. Every unique
VLAN ID requires its own sub-interface. For reasons of security and control,
SonicOS does not participate in any VLAN trunking protocols, but instead
requires that each VLAN that is to be supported be configured and assigned
appropriate security characteristics.
Figure 2 VLAN Interfaces (diagram: an E7500 Network Security Appliance whose interfaces X0 and X3 carry VLAN 10 and VLAN 20; hosts shown are 10.10.10.2, 10.10.10.4, 10.10.10.5, 10.10.10.7, 10.10.10.9, 10.20.20.3, 10.20.20.5 and 10.20.20.7; the LAN / WLAN sub-interfaces are addressed 10.10.10.1/24 / 10.20.20.1/24)
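The VLAN model above has one consequence that is easy to miss when reading the GUI steps: because every VLAN ID needs an explicitly configured sub-interface and SonicOS does not learn VLANs from trunking protocols, a tagged frame for an unconfigured VLAN ID has nowhere to go and is dropped. The following Python example is added here to illustrate that classification rule; it is not SonicWALL code. The sub-interface table, the parent interface name "X0" and the zone names are constructed for the example.

```python
import struct

# Constructed sub-interface table for this example: VLAN ID -> (sub-interface name, zone).
# One sub-interface per unique VLAN ID; nothing is learned dynamically from the wire.
SUB_INTERFACES = {
    10: ("X0:V10", "LAN"),
    20: ("X0:V20", "WLAN"),
}

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


def classify_frame(frame: bytes, parent: str = "X0", untagged_zone: str = "LAN"):
    """Return (interface, zone, payload) for an Ethernet frame received on `parent`,
    or None when the frame must be dropped.

    Untagged frames belong to the physical interface and its zone.  Tagged frames
    are accepted only when their VLAN ID has a configured sub-interface.
    """
    if len(frame) < 14:
        return None                                   # runt: not even a full Ethernet header
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return (parent, untagged_zone, frame[14:])    # untagged: parent interface's zone
    if len(frame) < 18:
        return None                                   # tag announced but 802.1Q header truncated
    tci = struct.unpack("!H", frame[14:16])[0]
    vid = tci & 0x0FFF                                # low 12 bits of the TCI carry the VLAN ID
    if vid in (0, 4095):
        return None                                   # priority-tagged / reserved: no membership
    entry = SUB_INTERFACES.get(vid)
    if entry is None:
        return None                                   # unknown VLAN ID: drop, never auto-learn
    name, zone = entry
    return (name, zone, frame[18:])


def build_frame(vid, payload: bytes,
                dst: bytes = b"\xff" * 6, src: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Build a constructed test frame carrying IPv4; vid=None produces an untagged frame."""
    if vid is None:
        return dst + src + struct.pack("!H", 0x0800) + payload
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, 0x0800) + payload
```

Run it against a few constructed frames: VLAN 10 and 20 land on their sub-interfaces with the right zone, an untagged frame stays on X0, and a frame tagged VLAN 30 (no sub-interface) is dropped rather than being learned.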
SonicOS Enhanced 4.0 and higher can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the WAN interface. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.
Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.
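To make the guaranteed/maximum split concrete, here is an added Python example of a two-pass class-based scheduler (this is an illustration written for this guide, not SonicOS's scheduler): pass one serves each class up to its guaranteed rate, pass two hands leftover link capacity to classes in priority order without exceeding any class's maximum. The class names, rates and packet sizes in `demo()` are constructed.

```python
from collections import deque


class TrafficClass:
    """One bandwidth-management class: a queue with a guaranteed and a maximum
    rate in kbps.  Lower priority numbers are served first for leftover capacity."""

    def __init__(self, name, priority, guaranteed_kbps, max_kbps):
        if guaranteed_kbps > max_kbps:
            raise ValueError("guaranteed rate cannot exceed maximum rate")
        self.name = name
        self.priority = priority
        self.guaranteed_kbps = guaranteed_kbps
        self.max_kbps = max_kbps
        self.queue = deque()          # packet sizes in bits waiting for the WAN link

    def enqueue(self, packet_bits):
        self.queue.append(packet_bits)


def schedule_interval(classes, link_kbps, interval_s=1.0):
    """Dequeue packets for one scheduling interval; returns {class name: bits sent}.

    Pass 1 gives every class up to its guaranteed share.  Pass 2 gives the
    remaining link capacity to classes in priority order, never beyond a class's
    maximum.  Packets are never split: one that does not fit stays queued.
    """
    link_bits = int(link_kbps * 1000 * interval_s)
    sent = {c.name: 0 for c in classes}

    def drain(cls, limit_bits):
        nonlocal link_bits
        while cls.queue and cls.queue[0] <= limit_bits and cls.queue[0] <= link_bits:
            pkt = cls.queue.popleft()
            sent[cls.name] += pkt
            link_bits -= pkt
            limit_bits -= pkt

    for c in classes:                                     # pass 1: guaranteed bandwidth
        drain(c, int(c.guaranteed_kbps * 1000 * interval_s))
    for c in sorted(classes, key=lambda k: k.priority):   # pass 2: leftover, by priority
        drain(c, int(c.max_kbps * 1000 * interval_s) - sent[c.name])
    return sent


def demo():
    """Constructed scenario: a 1000 kbps WAN link shared by a VoIP and a bulk class."""
    voip = TrafficClass("voip", priority=0, guaranteed_kbps=300, max_kbps=400)
    bulk = TrafficClass("bulk", priority=1, guaranteed_kbps=200, max_kbps=1000)
    for _ in range(10):
        voip.enqueue(50_000)      # 500 kbps offered, more than its 400 kbps maximum
    for _ in range(20):
        bulk.enqueue(50_000)      # 1000 kbps offered, the whole link
    sent = schedule_interval([voip, bulk], link_kbps=1000)
    return sent, len(voip.queue), len(bulk.queue)
```

In the constructed scenario VoIP gets its 300 kbps guarantee plus leftover up to its 400 kbps cap, bulk receives the remaining 600 kbps, and the packets that did not fit stay queued for the next interval; the guarantee is what keeps a high-volume bulk class from starving the higher-priority one.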
Configuring Network Settings in SonicOS Enhanced
The following sections describe how to configure network settings in SonicOS
Enhanced:
• “Configuring Interface Settings” on page 156
• “WAN Failover and Load Balancing” on page 168
• “Configuring Zones” on page 172
• “Configuring the WLAN Zone” on page 176
• “Configuring DNS” on page 180
• “Configuring Dynamic DNS” on page 181
• “Configuring Address Objects” on page 184
• “Configuring NAT Policies” on page 187
• “Configuring Web Proxy Forwarding Settings” on page 195
• “Configuring RIP in SonicOS Enhanced” on page 198
• “Configuring IP Helper” on page 200
• “Configuring ARP” on page 203
• “Configuring SwitchPorts” on page 207
• “Configuring PortShield Groups” on page 208
• “Configuring Network Monitor” on page 210
Configuring Interface Settings
Interface settings define the networks associated with the LAN, WAN, optional
(OPT), and WWAN interfaces. This includes protocols, gateways, DNS
servers, Virtual LANs, and management settings. To configure the network
interfaces for one or more SonicWALL appliance, perform the following steps:
1.
Note
156
Select a single SonicWALL appliance, or a group of SonicWALL
appliances running SonicOS Enhanced.
Group level interface edits are only available for UTM appliances.
2. Expand the Network tree and click Interfaces. The Interfaces page displays.
3. Click the Edit icon of the LAN, WAN, OPT, or WWAN interface. The Edit Interface window is displayed.
For a WWAN interface, GMS navigates directly to the Network > WWAN > Settings screen. For configuration information, see “Configuring WWAN Settings” on page 564.
Editing Interface Settings
You can edit interface settings in the Network > Interfaces screen by clicking
the edit icon in the row for the interface that you want to edit. The Edit
Interface dialog box displays.
Transparent Mode
The following options are available when configuring an interface in
Transparent Mode:
For LAN, DMZ, or Multicast interfaces, configure the following settings:
• For IP Assignment, select Static, Transparent Mode, or Layer 2 Bridged Mode. The display changes according to your selection. Configure the resulting field as follows:
– Static—For static IP addresses, enter the IP Address for the interface
and Subnet Mask for the network.
– Transparent Mode—For transparent mode, select an address object
that contains the range of IP addresses you want to have access
through this interface in the Transparent Range menu.
– PortShield Switch Mode—For SonicWALL TZ 210, TZ 210W and
NSA 240 appliances, you can configure interfaces for PortShield
switch mode, which manually groups ports together to share a
common network subnet as well as common zone settings. For more
information, see “Configuring PortShield Groups” on page 208.
Layer 2 Bridge Mode
Note
When configuring a zone for Layer 2 Bridge Mode, the only access
rule automatically added is an allow rule between the bridge pair.
Other necessary access rules must be added manually.
The following options are available when configuring an interface in Layer 2 Bridge Mode:
– Layer 2 Bridged Mode—On appliances running SonicOS Enhanced 3.5 and 4.0 or higher, you can select Layer 2 Bridged Mode for physical interfaces in either the LAN or the DMZ zone. On appliances running SonicOS Enhanced 5.5 or higher, you can select Layer 2 Bridge Mode for the WLAN zone.
– In the Bridged-to field, select a WAN, LAN, or DMZ interface with a static IP address.
– Select the Block all non-IPv4 traffic checkbox to allow only IPv4 traffic on this bridge-pair.
– Select the Never route traffic on this bridge-pair checkbox to prevent traffic from being routed to another interface.
– Select the Only sniff traffic on this bridge-pair checkbox to allow the bridged interface to be connected to a mirrored port on a switch in a one-arm mode to perform intrusion detection by examining traffic going through the switch.
– Select the Disable stateful-inspection on this bridge-pair checkbox to enable asymmetric routing on this interface.
Layer 2 Bridge Bypass Relay Control
The Engage physical bypass on malfunction option enables Layer 2 Bridge Bypass Relay Control, also known as “Fail to Wire.” The bypass relay option provides the user the choice of avoiding disruption of network traffic by bypassing the firewall in the event of a malfunction. The bypass relay will be closed for any unexpected anomaly (power failure, watchdog exception, fallback to safe-mode).
Note
The Engage physical bypass on malfunction option is available only for SonicWALL E7500 appliances running SonicOS Enhanced version 5.5 or higher and only when the X0 interface is bridged to the X1 interface.
Selecting the Engage physical bypass on malfunction option automatically configures the other Layer 2 Bridge mode options as follows:
– Block all non-IPv4 traffic - Disabled
– Never route traffic - Enabled
– Only sniff traffic - Disabled
– Disable stateful-inspection - Not modified
• Comment—Enter any comments regarding the interface.
• Management—Select one or more of the following management options:
– HTTP—Allows HTTP management over the interface.
– HTTPS—Allows HTTPS management over the interface.
– Ping—The interface will respond to ping requests.
– SNMP—The interface will support Simple Network Management Protocol (SNMP).
– SSH—The interface will support Secure Shell (SSH) for CLI-based administration.
• User Login—Select from the following user login options:
– HTTP—When selected, users will be able to login using HTTP.
– HTTPS—When selected, users will be able to login using HTTPS.
– Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
WAN Settings
Perform the following steps to configure the WAN settings for the SonicWALL
appliance.
1. Select how the WAN connects to the Internet from the IP Assignment list box:
• Static—Configure the following settings for static IP address interfaces:
– IP Address—Enter the IP address of the interface.
– Subnet Mask—Enter the subnet mask for the network.
– Default Gateway—IP address of the WAN gateway.
– DNS Server 1-3—IP addresses of the DNS Servers.
– Comment—Enter any comments regarding the interface.
• DHCP—Configure the following settings if the WAN IP address will use DHCP:
– Host Name—Specifies the host name of the SonicWALL device on the WAN interface.
– Comment—Enter any comments regarding the interface.
– IP Address, Subnet Mask, Gateway (Router) Address, and DNS Server 1-3—These settings are automatically filled in by DHCP.
• PPPoE—Configure the following settings if the WAN IP address will use PPPoE:
– User Name—Enter the username provided by the ISP.
– Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
– Comment—Enter any comments regarding the interface.
– Service Name—Enter the name of a service that must be supported by PPPoE servers that respond to a client connection request. The service name can be up to 50 characters. Many installations use the system name as a service name, for example “sonicwall-server” or “redback-server”. If the service name is left blank, the client will connect to any service.
– Select one of the following:
– To configure the SonicWALL appliance(s) to dynamically obtain an IP address, select Obtain an IP Address automatically.
– To configure the SonicWALL appliance(s) to use a fixed IP address, select Use the following IP Address and enter the IP address.
– Select one of the following:
– To configure the SonicWALL appliance(s) to obtain the DNS server information automatically, select Obtain DNS Server Address Automatically.
– To specify DNS servers, select Specify DNS Servers and enter the DNS Server IP addresses.
Note
For PPPoE interfaces, a Protocol tab appears that displays the
acquired IP address, subnet mask, gateway address, and DNS
server addresses.
– Click the Protocol tab.
– View the settings for the acquired IP address, subnet mask, gateway
address, and DNS server addresses.
– Inactivity Disconnect—Specify how long (in minutes) the
SonicWALL appliance waits before disconnecting from the Internet,
and select the checkbox.
– Strictly use LCP echo packets for server keep-alive—This
checkbox is enabled when the client recognizes that the server relies
on Link Control Protocol (LCP) echo requests for keeping the PPPoE
connection alive.
– Disconnect the PPPoE client if the server does not send traffic for
__ minutes—Select this checkbox and enter the number of minutes
to wait without traffic before the connection is ended. When enabled,
the PPPoE client monitors traffic from the server on the tunnel and
disconnects when no traffic is seen for the specified time period.
• PPTP—Configure the following settings if the WAN IP address will use PPTP:
– User Name—Enter the username provided by the ISP.
– User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
– PPTP Server IP Address—This information is provided by your ISP.
– PPTP (Client) Host Name—This information is provided by your ISP.
– Comment—Enter any comments regarding the interface.
– Inactivity Disconnect—Specify how long (in minutes) the SonicWALL appliance waits before disconnecting from the Internet.
– Select one of the following from the PPTP IP Assignment list box:
– To configure the SonicWALL appliance(s) to dynamically obtain an IP address, select DHCP.
– To configure the SonicWALL appliance(s) to use a fixed IP address, select Static and enter the IP address, subnet mask, and gateway IP address.
Note
For PPTP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
• L2TP—Configure the following settings if the WAN IP address will use L2TP:
– User Name—Enter the username provided by the ISP.
– User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
– L2TP Server IP Address—This information is provided by your ISP.
– L2TP (Client) Host Name—This information is provided by your ISP.
– Comment—Enter any comments regarding the interface.
– Inactivity Disconnect—Specify how long (in minutes) the SonicWALL appliance waits before disconnecting from the Internet.
– Select one of the following from the L2TP IP Assignment list box:
– To configure the SonicWALL appliance(s) to dynamically obtain an IP address, select DHCP.
– To configure the SonicWALL appliance(s) to use a fixed IP address, select Static and enter the IP address, subnet mask, and gateway IP address.
Note
For L2TP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
2. Select one or more of the following management options:
– HTTP—When selected, allows HTTP management from the interface.
– HTTPS—When selected, allows HTTPS management from the interface.
– Ping—When selected, the interface will respond to ping requests.
– SNMP—When selected, the interface will support Simple Network Management Protocol (SNMP).
3. User Login—Select from the following user login options:
– HTTP—When selected, users will be able to login using HTTP.
– HTTPS—When selected, users will be able to login using HTTPS.
– Add rule to enable redirect from HTTP to HTTPS—Redirects users
to HTTPS when they attempt to access the device using HTTP. This
option is only applicable when HTTPS access is enabled and HTTP
access is not.
4. Click Update. The settings are saved. To clear any changes and start over, click Reset.
5. Click the Advanced tab and configure the following Ethernet settings:
– Link Speed—To configure the interface to automatically negotiate Ethernet settings, select Auto Negotiate. If you want to specify the forced Ethernet speed and duplex, select the appropriate setting.
– Override Default MAC Address—Select to manually enter the MAC address. Otherwise, the default MAC address is used.
– Enable Multicast Support—Select to enable multicast on the interface.
– Interface MTU—Specify the size of the Maximum Transmission Unit (MTU) in octets (default: 1500).
– To fragment packets that are larger than this MTU, select the Fragment non-VPN outbound packets larger than this Interface's MTU check box.
Note
If the maximum transmission unit (MTU) size is too large for a remote router, it may require more transmissions. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be processed.
– To ignore Don’t Fragment (DF) bits from routers connected to the SonicWALL appliance, select the Ignore Don't Fragment (DF) Bit check box.
6. Configure the following Bandwidth Management settings:
• To enable egress bandwidth management on this interface, select the check box and enter the bandwidth of the connection in the Available Interface Bandwidth field in kilobytes per second (Kbps).
• To enable ingress bandwidth management on this interface, select the check box and enter the bandwidth of the connection in the Available Interface Bandwidth field in kilobytes per second (Kbps).
7. Click Update. The settings are saved. To clear any changes and start over, click Reset.
Configuring VLAN Sub-Interfaces
When you add a VLAN sub-interface, you need to assign it to a Zone, assign
it a VLAN Tag, and assign it to a physical interface. Based on your zone
assignment, you configure the VLAN sub-interface the same way you
configure a physical interface for the same zone.
1. At the bottom of the Network > Interfaces page, click Add VLAN Interface. The Add Interface window displays.
2. Select a Zone to assign to the interface. You can select LAN, DMZ, WLAN, or unassigned. The zone assignment does not have to be the same as the parent (physical) interface.
3. Enter a Portshield Interface Name for the sub-interface.
4. Declare the parent (physical) interface to which this sub-interface will belong. There is no per-interface limit to the number of sub-interfaces you can assign – you may assign sub-interfaces up to the system limit (in the hundreds).
5. For LAN and DMZ, select Static or Transparent for the IP Assignment. WLAN interfaces use static IP addresses:
– For static IP addresses, enter the IP Address for the interface and Subnet Mask for the network.
– For transparent mode, select an address object that contains the range of IP addresses you want to have access through this interface in the Transparent Range menu.
6. Management—Select from the following management options:
– HTTP—When selected, allows HTTP management from the interface.
– HTTPS—When selected, allows HTTPS management from the interface.
– Ping—When selected, the interface will respond to ping requests.
– SNMP—When selected, the interface will support Simple Network Management Protocol (SNMP).
7. User Login—Select from the following user login options:
– HTTP—When selected, users will be able to login using HTTP.
– HTTPS—When selected, users will be able to login using HTTPS.
– Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
8. Check Create Default DHCP Lease Scope to indicate that the amount of time allowed for an IP address issued by DHCP will be the default.
9. Click OK.
The Virtual interface displays in the VLAN Interfaces table below the Interfaces table.
WAN Connection Model
To configure the WAN connection model for a SonicWALL appliance with
WWAN capability running SonicOS Enhanced 3.6 or higher, navigate to the
Network > Interfaces page and select one of the following options in the WAN
Connection Model drop-down menu:
• WWAN only—The WAN interface is disabled and the WWAN interface is used exclusively.
• Ethernet only—The WWAN interface is disabled and the WAN interface is used exclusively.
• Ethernet with WWAN Failover—The WAN interface is used as the primary interface and the WWAN interface is disabled. If the WAN connection fails, the WWAN interface is enabled and a WWAN connection is automatically initiated.
Managing WWAN Connections
To initiate a WWAN connection, perform the following steps:
1. In the Interface Settings table, in the WWAN row, click Connect. The SonicWALL appliance attempts to connect to the WWAN service provider.
2. To disconnect a WWAN connection, click Disconnect.
WAN Failover and Load Balancing
WAN Failover enables you to configure one of the user-defined interfaces as
a secondary WAN port. The secondary WAN port can be used in a simple
“active/passive” setup to allow traffic to be only routed through the secondary
WAN port if the Primary WAN port is unavailable. This allows the SonicWALL
to maintain a persistent connection for WAN port traffic by “failing over” to the
secondary WAN port.
For a SonicWALL appliance with a WWAN interface, such as a TZ 190, you
can configure failover using the WWAN interface. Failover between the
Ethernet WAN (the WAN port, OPT port, or both) and the WWAN is supported
through the WAN Connection Model setting.
This feature also allows you to perform simple load balancing for the WAN
traffic on the SonicWALL. You can select a method of dividing the outbound
WAN traffic between the two WAN ports and balance network traffic.
Load-balancing is currently only supported on Ethernet WAN interfaces, but
not on WWAN interfaces.
The SonicWALL can monitor WAN traffic using Physical Monitoring which
detects if the link is unplugged or disconnected, or Physical and Logical
Monitoring, which monitors traffic at a higher level, such as upstream
connectivity interruptions.
Note
Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings.
To configure the WAN Failover for a SonicWALL appliance, perform the
following steps:
1. Expand the Network tree and click WAN Failover & LB. The WAN Failover & LB page displays.
2. Select the Enable Load Balancing check box.
3. Select the secondary interface(s) from the Secondary WAN Interface drop-down menu.
Note
If this is not configured, you will need to configure a WAN interface from the Network > Interfaces page.
Appliances running SonicOS Enhanced 5.5 can support up to three alternate WAN interfaces. For these appliances, the Secondary WAN Interface drop-down menu is replaced with up to three Alternate WAN drop-down menus. The drop-down menu will contain all interfaces configured as WAN interfaces.
4. Specify how often the SonicWALL appliance will check the interface (5-300 seconds) in the Check interface every field (default: 5 seconds).
5. Specify the number of times the SonicWALL appliance tests the interface as inactive before failing over in the Deactive interface after field (default: 3). For example, if the SonicWALL appliance tests the interface every 5 seconds and finds the interface inactive after 3 successive attempts, it will fail over to the secondary interface after 15 seconds.
6. Specify the number of times the SonicWALL appliance tests the interface as active before failing back to the primary interface in the Deactive interface after field (default: 3). For example, if the SonicWALL appliance tests the interface every 5 seconds and finds the interface active after 3 successive attempts, it will fail back to the primary interface after 15 seconds.
7. To configure outbound load balancing, select from the following:
– Select Basic Active/Passive Failover to enable a basic failover setup. When the primary device fails to provide a connection, it will enter standby and allow the secondary device to take over network traffic. Check the Preempt and failback to Primary WAN when possible checkbox to enable immediate failback to the primary device when available.
– Select Per Connection Round-Robin to enable a Round-Robin form of load balancing. In the 17th or 18th century, when peasants in France wanted to complain to the king using a petition, the usual reaction from the monarch was to seize the two or three people on top of that petition list and execute them. In order to stop this form of arbitrary vengeance, the names were signed in a circle at the bottom of the petition so that no one would be on top of the list. This became known as a Round-Robin. Thus, in load balancing, Round-Robin is where network requests are applied to a circular list. When the network load becomes too much, GMS acts as a monarch and picks several of the network clients from the list to execute. This process allows GMS to quickly and easily free up network resources.
– Select Spillover-based and enter a value (in Kb/sec) to enable the secondary device to serve as a load balancer. With this option selected, traffic will be re-routed to the secondary device should the primary WAN device exceed the specified bandwidth.
– Select Percentage-Based to split network traffic between the primary and secondary or alternate WAN interfaces based on your specified percentages.
– Enter a Primary WAN Percentage and Secondary WAN Percentage that add up to 100 to divide traffic between the two WAN interfaces.
– Appliances running SonicOS Enhanced 5.5 or above can divide traffic between up to four WAN interfaces. Enter a Primary WAN Percentage, and up to three Alternate WAN Percentage settings that add up to 100.
When using Percentage-Based load balancing, you may select the Use Source and Destination IP Addresses Binding checkbox to keep related traffic together across an interface.
Timesaver
When using Percentage-Based load balancing, fill in the Primary WAN Percentage field only. The Secondary WAN Percentage field will be calculated for you.
8. The SonicWALL appliance can monitor the WAN by detecting whether the link is unplugged or disconnected or by sending probes to a target IP address of an “always available” target upstream device on the WAN network, such as an ISP side router. To enable probe monitoring, select the Enable Probe Monitoring check box and configure the following settings:
– Primary WAN Probe Settings—Select the protocol used for monitoring and enter the IP address and port (TCP only) of the probe target. If there will be an optional probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
– Secondary WAN Probe Settings—Select the protocol used for monitoring and enter the IP address and port (TCP only) of the secondary probe target. If there will be an optional secondary probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
– WWAN WAN Probe Settings—Select the protocol used for monitoring and enter the IP address and port (TCP only) of the WWAN probe target. If there will be an optional WWAN probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
Note
TCP probing is useful if you do not have ping (ICMP) response enabled on your network devices. In this case, TCP can be used to probe the device on a user-specified port.
9. Select the Respond to Probes checkbox to enable GMS managed devices to respond to probe requests. With this option selected, you can also check the Any TCP-SYN to Port checkbox and enter a specific port to probe.
10. Click the Update button at the bottom of the page to save these settings.
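The check interval, the two consecutive-result thresholds and the "both targets or either target" probe option in the procedure above combine into a small state machine. The Python example below is added here to show that behaviour end to end; it is an illustration written for this guide, not SonicOS or GMS code, and the class and field names (`WanMonitor`, `ProbeTarget`, `require_both`), the interface names and the probe addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProbeTarget:
    """One logical-monitoring target: an ICMP ping, or a TCP connect to host:port."""
    proto: str                        # "icmp" or "tcp"
    host: str
    port: Optional[int] = None        # meaningful for TCP probes only

    def __post_init__(self):
        if self.proto == "tcp" and self.port is None:
            raise ValueError("TCP probes need a port")


@dataclass
class WanMonitor:
    """Tracks one WAN interface with the settings from steps 4 to 6 and step 8:
    check interval, failures before failover, passes before failback, probe targets."""
    name: str
    check_every_s: int = 5
    deactivate_after: int = 3         # consecutive failed checks before failover
    reactivate_after: int = 3         # consecutive passed checks before failback
    targets: List[ProbeTarget] = field(default_factory=list)
    require_both: bool = True         # False: either probe target keeps the WAN "up"
    active: bool = True
    elapsed_s: int = 0
    fails: int = 0
    passes: int = 0

    def healthy(self, link_up: bool, probe_results: Dict[str, bool]) -> bool:
        """Physical monitoring first; then logical (probe) monitoring if targets exist."""
        if not link_up:
            return False
        if not self.targets:
            return True
        results = [probe_results.get(t.host, False) for t in self.targets]
        return all(results) if self.require_both else any(results)

    def check(self, link_up: bool, probe_results: Dict[str, bool]) -> bool:
        """Apply one periodic check; returns whether the interface is active afterwards.
        Counters reset whenever the result direction changes, so only consecutive
        results count, exactly as the 'after N' fields describe."""
        self.elapsed_s += self.check_every_s
        if self.healthy(link_up, probe_results):
            self.fails = 0
            if not self.active:
                self.passes += 1
                if self.passes >= self.reactivate_after:
                    self.active, self.passes = True, 0
        else:
            self.passes = 0
            if self.active:
                self.fails += 1
                if self.fails >= self.deactivate_after:
                    self.active, self.fails = False, 0
        return self.active


def simulate(monitor: WanMonitor, samples):
    """Feed (link_up, probe_results) samples in order; return the state after each
    check and the elapsed seconds at which the state last changed."""
    states, last_change = [], 0
    for link_up, results in samples:
        before = monitor.active
        states.append(monitor.check(link_up, results))
        if monitor.active != before:
            last_change = monitor.elapsed_s
    return states, last_change
```

With the defaults (5 s interval, 3 checks), three consecutive probe failures trip the failover 15 s after the first failed check, and three consecutive passes bring the primary back; a single flapping check in between resets the count. With `require_both=False` one reachable target is enough, which is the lenient setting to pick when the optional second target is a host you do not control.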
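Step 7 lists four ways of choosing the outbound WAN for a new connection. The added Python example below puts the four side by side in one selector so their differences are visible on identical input; it is an illustration for this guide, not SonicOS's implementation. The class name `OutboundBalancer`, the method strings, the measured-load dictionary and the way IP binding is hashed are assumptions constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional


class OutboundBalancer:
    """Pick the WAN interface for a new outbound connection.  `wans` is ordered
    primary first; `active` (see select) is the set a failover monitor currently
    considers usable, so a failed WAN simply drops out of every method."""

    def __init__(self, method: str, wans: List[str],
                 percentages: Optional[Dict[str, int]] = None,
                 spillover_kbps: Optional[int] = None, ip_binding: bool = False):
        if method == "percentage":
            if percentages is None or sum(percentages.get(w, 0) for w in wans) != 100:
                raise ValueError("WAN percentages must add up to 100")
        if method == "spillover" and spillover_kbps is None:
            raise ValueError("spillover needs a bandwidth threshold in kbps")
        self.method = method
        self.wans = list(wans)
        self.percentages = percentages or {}
        self.spillover_kbps = spillover_kbps
        self.ip_binding = ip_binding
        self.load_kbps = {w: 0 for w in self.wans}   # current measured load (constructed input)
        self._rr = 0                                 # round-robin cursor
        self._tick = 0                               # percentage cursor when not IP-bound

    def select(self, src_ip: str, dst_ip: str,
               active: Optional[List[str]] = None) -> Optional[str]:
        usable = [w for w in self.wans if active is None or w in active]
        if not usable:
            return None                              # every WAN has failed
        if self.method == "active-passive":
            return usable[0]                         # primary, else the first WAN still up
        if self.method == "round-robin":
            for _ in range(len(self.wans)):          # walk the circular list, skipping failed WANs
                w = self.wans[self._rr % len(self.wans)]
                self._rr += 1
                if w in usable:
                    return w
        if self.method == "spillover":
            primary = usable[0]
            if len(usable) == 1 or self.load_kbps[primary] < self.spillover_kbps:
                return primary
            return usable[1]                         # primary above threshold: spill over
        if self.method == "percentage":
            if self.ip_binding:
                # Source/Destination IP binding: the same pair always lands on the same WAN
                digest = hashlib.sha256(f"{src_ip}|{dst_ip}".encode()).digest()
                point = int.from_bytes(digest[:4], "big") % 100
            else:
                point, self._tick = self._tick, (self._tick + 1) % 100
            cumulative = 0
            for w in usable:                         # percentages partition the range 0..99
                cumulative += self.percentages.get(w, 0)
                if point < cumulative:
                    return w
            return usable[-1]                        # a failed WAN's share falls to the last usable one
        raise ValueError(f"unknown method {self.method}")
```

Two things worth noticing when you run it: with 70/30 percentages and no binding, exactly 70 of 100 new connections go to the primary, and with binding enabled a given source/destination pair is pinned to one WAN, which is what keeps a multi-connection session (and the upstream NAT state for it) on a single path.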
Configuring Zones
A Zone is a logical grouping of one or more interfaces designed to make
management, such as the definition and application of Access Rules, a
simpler and more intuitive process than following a strict physical interface
scheme. There are four fixed Zone types: Trusted, Untrusted, Public, and
Encrypted. Trusted is associated with LAN Zones. These fixed Zone types
cannot be modified or deleted. A Zone instance is created from a Zone type and named accordingly, e.g., Sales, Finance, etc.
Only the number of interfaces limits the number of Zone instances for Trusted
and Untrusted Zone types. The Untrusted Zone type (i.e. the WAN) is
restricted to two Zone instances. The Encrypted Zone type is a special system
Zone comprising all VPN traffic and doesn’t have any associated interfaces.
Trusted and Public Zone types offer an option, Interface Trust, to automate the
creation of Access Rules to allow traffic to flow between the Interfaces of a
Zone instance. For example, if the LAN Zone has interfaces X0, X3, and X5
assigned to it, checking Allow Interface Trust on the LAN Zone creates the
necessary Access Rules to allow hosts on these Interfaces to communicate
with each other.
To add or edit a Zone, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Network tree and click Zones. The Zones page displays.
3. Click the Edit icon for a Zone or click Add New Zone. The Edit Zone
or Add Zone dialog box displays.
4. If this is a new Zone, enter a name for the Zone.
5. Select the Security Type.
6. To configure the SonicWALL appliance to automatically create the rules
that allow data to freely flow between interfaces in the same Zone, select
the Allow Interface Trust check box.
7. To enforce content filtering on multiple interfaces in the same Trusted or
Public Zones, select the Enforce Content Filtering Service check box.
8. For appliances running SonicOS Enhanced 4.0 or above, if the selected
node is a group or global node, or if the selected appliance is licensed for
SonicWALL CFS Premium, select a predefined CFS policy or the default
policy from the CFS Policy drop-down list. The drop-down list is only
populated if the Enforce Content Filtering Service checkbox is enabled.
It is not available for the WAN zone.
9. To enforce network anti-virus protection on multiple interfaces in the same
Trusted or Public Zones, select the Enforce Network Anti-Virus Service
check box.
10. To enforce gateway anti-virus protection on multiple interfaces in the same
Trusted or Public Zones, select the Enable Gateway Anti-Virus Service
check box.
11. To enforce Intrusion Prevention Services (IPS) on multiple interfaces in
the same Trusted or Public Zones, select the Enable IPS check box.
12. To enable Anti-Spyware on the zone, select Enable Anti-Spyware
Service.
13. To enforce security policies for Global Security Clients on multiple
interfaces in the same Trusted or Public Zones, select Enforce Global
Security Clients.
14. To automatically create a GroupVPN policy for this zone, select Create
Group VPN.
15. For appliances running SonicOS Enhanced 4.0 or above, select the
Enable SSL Control check box to allow SSL Control in this zone. This
check box is not active for the VPN or Multicast zones.
16. For WLAN zones, see Configuring the WLAN Zone, page 176, for
information about configuring settings on the other tabs. For all other
zones, click Update when you are finished. The Zone is modified or added
for the selected SonicWALL appliance. To clear all settings and start over,
click Reset.
Configuring Guest Services on Non-Wireless Zones
Trusted and Public Zone types offer the ability to configure guest services. To
configure Guest Services on a non-wireless zone, perform the following steps:
1. When the Security Type for a zone is selected as either Trusted or
Public, the Guest Services tab displays.
2. Select the Enable Guest Services checkbox.
3. Configure any of the following options:
– Enforce Guest Login over HTTPS—Requires guests to use
HTTPS instead of HTTP to access the guest services.
– Enable inter-guest communication—Allows guests connecting to
SonicPoints in this Zone to communicate directly and wirelessly with
each other.
– Bypass AV Check for Guests—Allows guest traffic to bypass
Anti-Virus protection.
– Enable External Guest Authentication—Requires guests
connecting from the device or network you select to authenticate
before gaining access. This feature, based on Lightweight Hotspot
Messaging (LHM) is used for authenticating Hotspot users and
providing them parametrically bound network access.
Note
Refer to the SonicWALL Lightweight Hotspot Messaging
technote available at the SonicWALL documentation Web site
http://www.sonicwall.com/us/Support.html for complete
configuration of the Enable External Guest Authentication
feature.
– Custom Authentication Page—Redirects users to a custom
authentication page when they first connect to the zone. Click
Configure to set up the custom authentication page. Enter either a
URL to an authentication page or a custom challenge statement in the
text field, and click OK.
– Post Authentication Page—Directs users to the page you specify
immediately after successful authentication. Enter a URL for the
post-authentication page in the field.
– Bypass Guest Authentication—Allows the appliance to integrate
into environments already using some form of user-level
authentication. This feature automates the Guest Services
authentication process, allowing users to reach Guest Services
resources without requiring authentication. This feature should only
be used when unrestricted Guest Services access is desired, or when
another device upstream of the appliance is enforcing authentication.
– Redirect SMTP traffic to—Redirects SMTP traffic incoming on this
zone to an SMTP server you specify. Select the address object to
redirect traffic to.
– Deny Networks—Blocks traffic from the networks you name. Select
the subnet, address group, or IP address to block traffic from.
– Pass Networks—Automatically allows traffic through the zone from
the networks you select.
– Max Guests—Specifies the maximum number of guest users
allowed to connect to the zone. The default is 10.
4. Click OK to apply these settings to the zone.
Configuring the WLAN Zone
The Add Zone or Edit Zone screens for WLAN zones contain two tabs that are
not available for other zones. This section describes the settings on the
Wireless and Guest Services tabs of the Add or Edit Zone screens. For
instructions about WLAN configuration settings on the General tab, see
Configuring Zones, page 172.
To configure specific wireless-zone settings:
1. Select the global icon, a group, or a SonicWALL appliance.
2. In the Network > Zones page, click Add New Zone or the Edit icon
for the WLAN zone.
3. Configure the settings on the General tab as described for other zones. To
expose the wireless-only tabs when adding a new zone, select Wireless
for the Security Type.
4. Click the Wireless tab.
5. On the Wireless tab, select Only allow traffic generated by a
SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the
WLAN Zone interface. This allows maximum security of your WLAN.
Uncheck this option if you want to allow any traffic on your WLAN Zone
regardless of whether or not it is from a wireless connection.
Tip
Uncheck Only allow traffic generated by a SonicPoint and use
the zone on a wired interface to allow guest services on that
interface.
6. Select SSL-VPN Enforcement to require that all traffic that enters into the
WLAN Zone be authenticated through a SonicWALL SSL-VPN appliance.
If you select both SSL-VPN Enforcement and WiFiSec Enforcement,
the Wireless zone will allow traffic authenticated by either an SSL-VPN or
an IPsec VPN.
7. In the SSL-VPN Server list, select an address object to direct traffic to the
SonicWALL SSL-VPN appliance.
8. In the SSL-VPN Service list, select the service or group of services you
want to allow for clients authenticated through the SSL-VPN.
9. Select WiFiSec Enforcement to require that all traffic that enters into the
WLAN Zone interface be either IPsec traffic, WPA traffic, or both. With
WiFiSec Enforcement enabled, all non-guest wireless clients connected to
SonicPoints attached to an interface belonging to a Zone on which
WiFiSec is enforced are required to use the strong security of IPsec. The
VPN connection inherent in WiFiSec terminates at the “WLAN
GroupVPN”, which you can configure independently of “WAN GroupVPN”
or other Zone GroupVPN instances. If you select both WiFiSec
Enforcement and SSL-VPN Enforcement, the Wireless zone will allow
traffic authenticated by either an SSL-VPN or an IPsec VPN.
10. If you have enabled WiFiSec Enforcement, you can specify services that
are allowed to bypass the WiFiSec enforcement by checking WiFiSec
Exception Service and then selecting the service you want to exempt
from WiFiSec enforcement.
11. If you have enabled WiFiSec Enforcement, you can select Require
WiFiSec for Site-to-Site VPN Tunnel Traversal to require WiFiSec
security for all wireless connections through the WLAN zone that are part
of a site-to-site VPN.
12. Select Trust WPA traffic as WiFiSec to accept WPA as an allowable
alternative to IPsec. Both WPA-PSK (Pre-shared key) and WPA-EAP
(Extensible Authentication Protocol using an external 802.1x/EAP capable
RADIUS server) will be supported on SonicPoints.
13. Under the SonicPoint Settings heading, select the SonicPoint
Provisioning Profile you want to apply to all SonicPoints connected to
this zone. Whenever a SonicPoint connects to this zone, it will
automatically be provisioned by the settings in the SonicPoint Provisioning
Profile, unless you have individually configured it with different settings.
14. Click the Guest Services tab. You can choose from the following
configuration options for Wireless Guest Services:
– Enable Wireless Guest Services—Enables guest services on the
WLAN zone.
– Enforce Guest Login over HTTPS—Requires guests to use
HTTPS instead of HTTP to access the guest services.
– Enable inter-guest communication—Allows guests connecting to
SonicPoints in this WLAN Zone to communicate directly and
wirelessly with each other.
– Bypass AV Check for Guests—Allows guest traffic to bypass
Anti-Virus protection.
– Enable External Guest Authentication—Requires guests
connecting from the device or network you select to authenticate
before gaining access. This feature, based on Lightweight Hotspot
Messaging (LHM) is used for authenticating Hotspot users and
providing them parametrically bound network access.
Note
Refer to the SonicWALL Lightweight Hotspot Messaging
technote available at the SonicWALL documentation Web site
http://www.sonicwall.com/us/Support.html for complete
configuration of the Enable External Guest Authentication
feature.
– Custom Authentication Page—Redirects users to a custom
authentication page when they first connect to a SonicPoint in the
WLAN zone. Click Configure to set up the custom authentication page.
Enter either a URL to an authentication page or a custom challenge
statement in the text field, and click OK.
– Post Authentication Page—Directs users to the page you specify
immediately after successful authentication. Enter a URL for the
post-authentication page in the field.
– Bypass Guest Authentication—Allows a SonicPoint running WGS
to integrate into environments already using some form of user-level
authentication. This feature automates the WGS authentication
process, allowing wireless users to reach WGS resources without
requiring authentication. This feature should only be used when
unrestricted WGS access is desired, or when another device
upstream of the SonicPoint is enforcing authentication.
– Redirect SMTP traffic to—Redirects SMTP traffic incoming on this
zone to an SMTP server you specify. Select the address object to
redirect traffic to.
– Deny Networks—Blocks traffic from the networks you name. Select
the subnet, address group, or IP address to block traffic from.
– Pass Networks—Automatically allows traffic through the WLAN
zone from the networks you select.
– Max Guests—Specifies the maximum number of guest users
allowed to connect to the WLAN zone. The default is 10.
– Enable Dynamic Address Translation (DAT)—Wireless Guest
Services (WGS) provides spur-of-the-moment “hotspot” access to
wireless-capable guests and visitors. For easy connectivity, WGS
allows wireless users to authenticate and associate, obtain IP settings
from the SonicWALL appliance Wireless DHCP services, and
authenticate using any Web browser. Without DAT, if a WGS user is
not a DHCP client, but instead has static IP settings incompatible with
the Wireless WLAN network settings, network connectivity is
prevented until the user’s settings change to compatible values.
Dynamic Address Translation (DAT) is a form of Network Address
Translation (NAT) that allows the SonicWALL Wireless to support any
IP addressing scheme for WGS users. For example, if the SonicWALL
Wireless WLAN interface is configured with an address of
172.16.31.1, one WGS client has a static IP address of
192.168.0.10 and a default gateway of 192.168.0.1, and another has
a static IP address of 10.1.1.10 and a gateway of 10.1.1.1, DAT
enables network communication for both of these clients.
15. Click OK to apply these settings to the WLAN zone.
Configuring DNS
Domain Name System (DNS) is the Internet standard for locating domain
names and translating them into IP addresses. By default, the SonicWALL
appliance will inherit its DNS settings from the WAN Zone. To configure DNS,
perform the following steps:
Note
Network > DNS is only available in appliances running SonicOS
Enhanced.
1. Expand the Network tree and click DNS. The DNS page displays.
2. Select from the following:
– To specify DNS server IP addresses manually, select Specify DNS
Servers Manually and enter the IP addresses of the servers.
– To inherit the DNS settings from the WAN Zone configuration, select
Inherit DNS Settings Dynamically from WAN Zone.
3. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
DNS Rebinding Attack Prevention
DNS rebinding is a DNS-based attack on code embedded in web pages.
Normally requests from code embedded in web pages (JavaScript, Java and
Flash) are bound to the web site they originate from. DNS rebinding
attackers register a domain which is delegated to a DNS server they control.
The domains exploit very short TTL parameters to scan the attacked network
and perform other malicious activities.
To configure DNS rebinding attack prevention, perform the following steps:
1. Select the Enable DNS Rebinding Attack Prevention checkbox.
2. From the Action pull-down menu, select an action to perform when a DNS
rebinding attack is detected:
– Log Attack
– Log Attack & Return a Query Refused Reply
– Log Attack & Drop DNS Reply
3. (Optional) From the Allowed Domains pull-down menu, select an FQDN
Address Object/Group containing allowed domain names (e.g.
*.sonicwall.com) for which locally connected/routed subnets should be
considered legal responses.
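As an added example that is not SonicWALL code, the following Python models the check described above: a DNS reply whose A-record answers fall inside a locally connected or routed subnet is treated as a rebinding attack unless the queried name matches an allowed-domain pattern, and the selected Action decides whether the reply is only logged, refused, or dropped. The subnets, names, addresses and log line format are constructed for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import List, Sequence

# Constructed stand-ins for the appliance's locally connected/routed subnets.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in
                 ("192.168.1.0/24", "10.0.0.0/8", "172.16.0.0/12")]

# Actions as named in the Action pull-down menu.
LOG_ATTACK = "Log Attack"
LOG_REFUSE = "Log Attack & Return a Query Refused Reply"
LOG_DROP = "Log Attack & Drop DNS Reply"


@dataclass
class DnsReply:
    """A parsed DNS answer: queried name, answer TTL and the A-record addresses."""
    qname: str
    ttl: int
    answers: List[str]


@dataclass
class Verdict:
    """What the firewall does with the reply and what it logs."""
    outcome: str                        # "pass", "log", "refused" or "drop"
    answers: List[str]                  # addresses forwarded on to the client
    log: List[str] = field(default_factory=list)


def is_local(address: str) -> bool:
    """True when an answer points into a locally connected or routed subnet."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in LOCAL_SUBNETS)


def name_allowed(qname: str, allowed_domains: Sequence[str]) -> bool:
    """Match the queried name against FQDN object patterns such as *.sonicwall.com."""
    name = qname.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in allowed_domains)


def check_reply(reply: DnsReply, enabled: bool = True, action: str = LOG_DROP,
                allowed_domains: Sequence[str] = ()) -> Verdict:
    """Apply the rebinding check to one reply and return the resulting verdict."""
    if not enabled:
        return Verdict("pass", list(reply.answers))
    local = [a for a in reply.answers if is_local(a)]
    if not local or name_allowed(reply.qname, allowed_domains):
        # Either no answer points inside, or the name is on the allowed list.
        return Verdict("pass", list(reply.answers))
    # Constructed log format; the short TTL typical of rebinding is recorded.
    entry = (f"DNS rebinding attack: {reply.qname} -> {', '.join(local)} "
             f"(ttl={reply.ttl}s) action={action}")
    if action == LOG_ATTACK:
        return Verdict("log", list(reply.answers), [entry])   # reply still forwarded
    if action == LOG_REFUSE:
        return Verdict("refused", [], [entry])                # client gets REFUSED
    if action == LOG_DROP:
        return Verdict("drop", [], [entry])                   # client gets nothing
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # Constructed replies: a normal public answer and a rebinding attempt (1 s TTL).
    for r in (DnsReply("www.example.com", 300, ["93.184.216.34"]),
              DnsReply("app.rebind.example", 1, ["192.168.1.50"])):
        v = check_reply(r, action=LOG_DROP)
        print(r.qname, v.outcome, v.log)
```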
Configuring Dynamic DNS
Dynamic DNS (DDNS) is a service provided by various companies and
organizations that dynamically changes IP addresses to automatically update
DNS records without manual intervention. This service allows for network
access using domain names rather than IP addresses, even when the target’s
IP addresses change.
To configure Dynamic DNS on the SonicWALL security appliance, perform
these steps:
1. Expand the Network tree and click Dynamic DNS. The Dynamic DNS
page displays.
2. Click Add Dynamic DNS Profile. The Add Dynamic DNS Profile window
is displayed.
3. Select the Provider from the drop-down list at the top of the page. This
example uses DynDNS.org. Dyndns.org requires the selection of a
service. This example assumes you have created a dynamic service
record with dyndns.org.
4. Enter a name to assign to the DDNS entry in the Profile Name field. This
can be any value used to identify the entry in the Dynamic DNS Settings
table.
5. If Enable this profile is checked, the profile is administratively enabled,
and the SonicWALL security appliance takes the actions defined in the
Online Settings section on the Advanced tab.
6. If Use Online Settings is checked, the profile is administratively online.
7. Enter your dyndns.org username and password in the User Name and
Password fields.
8. Enter the fully qualified domain name (FQDN) of the hostname you
registered with dyndns.org in the Domain Name field. Make sure you
provide the same hostname and domain as you configured.
9. When using DynDNS.org, select the Service Type from the drop-down list
that corresponds to your type of service through DynDNS.org. The options
are:
– Dynamic—A free Dynamic DNS service.
– Custom—A managed primary DNS solution that provides a unified
primary/secondary DNS service and a web-based interface. Supports
both dynamic and static IP addresses.
– Static—A free DNS service for static IP addresses.
10. When using DynDNS.org, you may optionally select Enable Wildcard
and/or configure an MX entry in the Mail Exchanger field. Check Backup
MX if your DDNS provider allows for the specification of an alternative IP
address for the MX record.
11. Click the Advanced tab. You can typically leave the default settings on
this page.
12. The On-line Settings section provides control over what address is
registered with the dynamic DNS provider. The options are:
– Let the server detect IP Address—The dynamic DNS provider
determines the IP address based upon the source address of the
connection. This is the most common setting.
– Automatically set IP Address to the Primary WAN Interface IP
Address—This will cause the SonicWALL device to assert its
WAN IP address as the registered IP address, overriding
auto-detection by the dynamic DNS server. Useful if detection is
not working correctly.
– Specify IP Address manually—Allows for the IP address to be
registered to be manually specified and asserted.
13. The Off-line Settings section controls what IP Address is registered with
the dynamic DNS service provider if the dynamic DNS entry is taken
off-line locally (disabled) on the SonicWALL. The options are:
– Do nothing—The default setting. This allows the previously
registered address to remain current with the dynamic DNS
provider.
– Use the Off-Line IP Address previously configured at Providers
site—If your provider supports manual configuration of Off-Line
Settings, you can select this option to use those settings when this
profile is taken administratively offline.
– Make Host Unknown—Unregisters the entry.
– Specify IP Address manually—Manually specify the IP address.
14. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring Address Objects
Note
Address objects are only supported in SonicOS Enhanced.
SonicOS Enhanced supports Address Objects, which can be a host, network,
MAC or IP address range. An Address Object Group is a group of Address
Objects or other Address Object Groups. Once defined, you can quickly
establish NAT Policies, VPN Security Associations (SAs), firewall rules, and
DHCP settings between Address Objects and Address Object Groups without
individual configuration.
All SonicWALL appliances come with a group of pre-defined default network
objects. These include subnets for each interface, interface IP addresses for
each interface, management IP addresses, and more.
For appliances running SonicOS Enhanced, GMS supports paginated
navigation and sorting by column header on the Address Objects screen. In
either of the tables, you can click a column header to use for sorting. An arrow
is displayed to the right of the selected column header. You can click the arrow
to reverse the sorting order of the entries in the table.
You can perform the following tasks from the Address Object page:
• “Creating an Address Object Group” on page 185
• “Creating an Address Object” on page 186
• “Deleting a Network Address Group or Object” on page 187
Creating an Address Object Group
To create an Address Object Group, perform the following steps:
1. Expand the Network tree and click Address Objects. The Address
Objects page displays.
2. Scroll down and click Add New Group.
3. Enter a name for the Address Object Group in the Name field.
4. Select an object or group that will be a part of the Address Object Group
and click the right arrow. Repeat for each object or group to add.
5. When you are finished, click OK.
Creating an Address Object
The Network > Address Objects page allows you to create address objects.
You can create various kinds of address objects, including Host, Range, and
Network. For a SonicWALL appliance running SonicOS Enhanced 3.5 or
4.0 (or higher), you can create Fully Qualified Domain Name (FQDN) or MAC
dynamic address objects. The FQDN and MAC address objects are available
in the Address Objects drop-down lists in a number of other configuration
screens, including Zones, SonicPoints, and Access Rules. These dynamic
address objects are resolved to an IP address when used, either by the ARP
cache or the DNS server of the SonicWALL.
To create an address object, perform the following steps:
1. Scroll to the bottom of the Address Objects page and click Add New
Address Object.
2. Enter a name for the Address Object in the Name field.
3. Select the zone to which this Address Object will be assigned from the
Zone Assignment list box.
4. Select from the following:
– To specify an individual IP address, select Host from the Type
drop-down menu and enter the IP address.
– To specify an IP address range, select Range from the Type
drop-down menu and enter the starting and ending IP addresses.
– To specify a network, select Network from the Type drop-down menu
and enter the IP address and subnet mask.
– To specify a MAC address, select MAC from the Type drop-down
menu and enter the MAC address.
– To specify an FQDN, select FQDN from the Type drop-down menu and
enter the host name.
5. When you are finished, click OK.
6. Repeat this procedure for each Address Object to add.
Modifying a Network Address Group or Object
To modify a network address group or object, perform the following steps:
1. Go to the Network > Address Object page.
2. Click the Edit icon next to the selected address group or object.
3. Modify the settings and click OK.
Deleting a Network Address Group or Object
GMS now enables you to delete a single address group or object more
conveniently as well as select multiple objects at a time. To delete network
address group objects, perform the following steps:
1. Go to the Network > Address Object page.
2. Click the Trash can icon of the selected address group or object.
Configuring NAT Policies
Note
The NAT policies page is only supported in SonicOS Enhanced.
SonicWALL appliances support Network Address Translation (NAT). NAT is
the automated translation of IP addresses between different networks. For
example, a company might use private IP addresses on a LAN that are
represented by a single IP address on the WAN side of the SonicWALL
appliance.
SonicWALL appliances support two types of NAT:
• Address-to-Address Translation—local addresses are matched to
public IP addresses. For example, the private IP address 10.50.42.112
might be mapped to the public IP address 132.22.3.2.
• Port Translation or Network Address Port Translation (NAPT)—local
addresses are dynamically matched to public IP address/port
combinations (standard TCP ports). For example, the private IP address
192.168.102.12 might be mapped to the public IP address 48.12.11.1
using port 2302.
Note
IP address/port combinations are dynamic and not preserved for
new connections. For example, the first connection from an IP address
might use port 2302, but the second connection might use 2832.
Common Types of Mapping
SonicWALL supports several types of address mapping. These include:
• One-to-One Mapping—one local IP address is mapped to one public IP
address using Address-to-Address translation.
• Many-to-One Mapping—many local IP addresses are mapped to a single
public IP address using NAPT.
• Many-to-Many Mapping—many local IP addresses are mapped to many
public IP addresses. If the number of public IP addresses is greater than
or equal to the number of local IP addresses, the SonicWALL appliance
uses Address-to-Address translation. If the number of public IP addresses
is less than the number of local IP addresses, the SonicWALL appliance
uses NAPT. For example, if there are 10 private IP addresses and 5 public
IP addresses, two private IP addresses will be assigned to each public IP
address using NAPT.
SonicWALL NAT Policy Fields
When configuring a NAT Policy, you will configure a group of settings that
specify how the IP address originates and how it will be translated.
Additionally, you can apply a group of filters that allow you to apply different
policies to specific services and interfaces.
• Original Source—used to remap IP addresses based on the source
address, this field specifies an Address Object that can consist of an IP
address or IP address range.
Note
This field can also be used as a filter.
• Translated Source—specifies the IP address or IP address range to
which the original source will be mapped.
• Original Destination—used to remap IP addresses based on the
destination address, this field specifies an Address Object that can consist
of an IP address or IP address range.
Note
This field can also be used as a filter.
• Translated Destination—specifies the IP address or IP address range to
which the original destination will be mapped.
• Original Service—used to filter destination addresses by service, this
field specifies a Service Object that can be a single service or group of
services.
• Translated Service—specifies the service or port to which the original
service will be remapped.
• Source Interface—filters source addresses by interface.
• Destination Interface—filters destination addresses by interface.
Common NAT Configuration Types
The following sections describe common NAT configuration types:
• “One-to-One Mapping” on page 189
• “Many-to-One Mapping” on page 190
• “Many-to-Many Mapping” on page 190
One-to-One Mapping
To configure one-to-one mapping from the private network to the public
network, select the Address Object that corresponds to the private network IP
address in the Original Source field and the public IP address that will be used
to reach the Internet in the Translated Source field. Leave the other fields
alone, unless you want to filter by service or interface.
Note
If you map more than one private IP address to the same public IP
address, the private IP addresses will automatically be configured
for port mapping or NAPT.
To configure one-to-one mapping from the public network to the private
network, select the Address Object that corresponds to the public network IP
address in the Original Destination field and the private IP address that will
be used to reach the server in the Translated Destination field. Leave the other
fields alone, unless you want to filter by service or interface.
Note
If you map one public IP address to more than one private IP
address, the public IP addresses will be mapped to the first private
IP address. Load balancing is not supported. Additionally, you must
set the Original Source to Any.
Many-to-One Mapping
To configure many-to-one mapping from the private network to the public
network, select the Address Object that corresponds to the private
network IP addresses in the Original Source field and the public IP address
that will be used to reach the Internet in the Translated Source field. Leave the
other fields alone, unless you want to filter by service or interface.
Note
You can also specify Any in the Original Source field and the
Address Object of the LAN interface in the Translated Source field.
Many-to-Many Mapping
To configure many-to-many mapping from the private network to the public
network, select the Address Object that corresponds to the private
network IP addresses in the Original Source field and the public IP addresses
to which they will be mapped in the Translated Source field. Leave the other
fields alone, unless you want to filter by service or interface.
Note
If the IP address range specified in the Original Source is larger than
the Translated Source, the SonicWALL appliance will use port
mapping or NAPT. If the Translated Source is equal to or larger than
the Original Source, addresses will be individually mapped.
To configure many-to-many mapping from the public network to the private
network, select the Address Object that corresponds to the public network IP
addresses in the Original Destination field and the IP addresses on the
private network in the Translated Destination field. Leave the other fields
alone, unless you want to filter by service or interface.
Note
If the IP address range specified in the Original Destination is
smaller than the Translated Destination, the original addresses will be
individually mapped to the first IP addresses in the translated range.
If the Translated Destination is equal to or smaller than the Original
Destination, addresses will be individually mapped.
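As an added example (not SonicWALL code), this Python models the mapping choice described in Common Types of Mapping and Many-to-Many Mapping above: Address-to-Address translation when the Translated Source holds at least as many addresses as the Original Source, NAPT otherwise (the 10-to-5 case from the text gives two private hosts per public address), plus a small NAPT connection table showing why the public port is not preserved between connections. The address ranges and the port allocation scheme are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def expand(spec: str) -> List[str]:
    """Expand an Address Object written as a host, a 'first-last' range or a CIDR network."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(h) for h in net.hosts()] or [str(net.network_address)]
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]
    return [str(ipaddress.ip_address(spec))]


@dataclass
class SourceNatPlan:
    mode: str                    # "address-to-address" or "NAPT"
    mapping: Dict[str, str]      # private address -> public address


def plan_source_nat(original_source: str, translated_source: str) -> SourceNatPlan:
    """Choose the mapping type for a private-to-public policy as the guide describes."""
    private = expand(original_source)
    public = expand(translated_source)
    if len(public) >= len(private):
        # Enough public addresses: each private address gets its own public one.
        return SourceNatPlan("address-to-address", dict(zip(private, public)))
    # Fewer public than private addresses: NAPT, private hosts spread evenly over the pool.
    return SourceNatPlan("NAPT", {p: public[i % len(public)] for i, p in enumerate(private)})


def hosts_per_public(plan: SourceNatPlan) -> Dict[str, int]:
    """How many private addresses share each public address (2 each for 10 over 5)."""
    counts: Dict[str, int] = {}
    for public in plan.mapping.values():
        counts[public] = counts.get(public, 0) + 1
    return counts


@dataclass
class NaptTable:
    """Connection table for a NAPT plan: each new connection gets a fresh public port."""
    plan: SourceNatPlan
    next_port: int = 1024
    sessions: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Return the (public address, public port) used for this connection."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.sessions:
            # The port is assigned per connection and not preserved for the next one.
            self.sessions[key] = (self.plan.mapping[src_ip], self.next_port)
            self.next_port += 1
        return self.sessions[key]


if __name__ == "__main__":
    # Constructed objects: ten private hosts behind five public addresses.
    plan = plan_source_nat("10.50.42.100-10.50.42.109", "132.22.3.1-132.22.3.5")
    print(plan.mode, hosts_per_public(plan))
    table = NaptTable(plan)
    print(table.translate("10.50.42.100", 40000, "198.51.100.7", 443))
    print(table.translate("10.50.42.100", 40001, "198.51.100.7", 443))
```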
NAT Load Balancing and Probing
NAT load balancing provides the ability to balance incoming traffic across
multiple, similar network resources. Load Balancing distributes traffic among
similar network resources so that no single server becomes overwhelmed,
allowing for reliability and redundancy. If one server becomes unavailable,
traffic is routed to available resources, providing maximum uptime.
With probing enabled, the SonicWALL will use one of two methods to probe
the addresses in the load-balancing group, using either a simple ICMP ping
query to determine if the resource is alive, or a TCP socket open query to
determine if the resource is alive. Per the configurable intervals, the
SonicWALL can direct traffic away from a non-responding resource, and
return traffic to the resource once it has begun to respond again.
NAT Load Balancing Methods
NAT load balancing is configured on the Advanced tab of a NAT policy.
SonicOS offers the following NAT methods:
• Sticky IP—Source IP always connects to the same Destination IP
(assuming it is alive). This method is best for publicly hosted sites
requiring connection persistence, such as Web applications, Web forms,
or shopping cart applications. This is the default mechanism, and is
recommended for most deployments.
• Round Robin—Source IP cycles through each live load-balanced
resource for each connection. This method is best for equal load
distribution when persistence is not required.
• Block Remap/Symmetrical Remap—These two methods are useful when
you know the source IP addresses/networks (e.g. when you want to
precisely control how traffic from one subnet is translated to another).
• Random Distribution—Source IP connects to Destination IP randomly.
This method is useful when you wish to randomly spread traffic across
internal resources.
For more information about NAT Load Balancing, see the SonicOS Enhanced
4.0 Administrator’s Guide.
Configuring NAT Policies
To configure NAT Policies on a unit running SonicOS Enhanced, perform the
following steps:
1. Expand the Network tree and click NAT Policies. The NAT Policies page
displays.
2. To edit an existing policy, click its Edit icon. To add a new policy,
click Add NAT Policy.
3. Configure the following:
– Original Source—used to remap IP addresses based on the source
address, this field specifies an Address Object that can consist of an
IP address or IP address range.
– Translated Source—specifies the IP address or IP address range to
which the original source will be mapped.
– Original Destination—used to remap IP addresses based on the
destination address, this field specifies an Address Object that can
consist of an IP address or IP address range.
– Translated Destination—specifies the IP address or IP address
range to which the original destination will be mapped.
– Original Service—used to match traffic by service, this field
specifies a Service Object that can be a single service or group of
services.
– Translated Service—specifies the Service Object (a single service or
group of services) to which the original service will be mapped, for
example when the destination port is translated.
– Source Interface—restricts the policy to traffic that arrives on the
selected interface.
– Destination Interface—restricts the policy to traffic that leaves on
the selected interface.
4. To enable the NAT policy, select the Enable check box.
5. Add any comments to the Comments field.
6. If you selected an Address Group Object for any of the drop-down lists
on the General tab, you can make changes on the Advanced tab. Click the
Advanced tab.
7. Select the NAT method from the NAT Method drop-down list. For
information on the available methods, see “NAT Load Balancing Methods”
on page 191.
8. Optionally select the Enable Probing checkbox and make desired
changes to the following fields:
– Probe host every ... seconds—indicates how often to probe the
addresses in the load-balancing group
– Probe Type—specifies to use either Ping (ICMP) or TCP (checks that
a socket is opened) for probing. An ICMP probe only shows that the
host is reachable; use a TCP probe on the service port to detect a
host whose service has stopped while the host itself is still up.
– Port—specifies the port that the probe will use, such as TCP port 80
for a Web server
– Reply time out—specifies the number of seconds to wait for a reply
to the probe
– Deactivate host after ... missed intervals—specifies the number of
consecutive reply time outs before the host is treated as unreachable
and removed from the group
– Reactivate host after ... successful intervals—specifies the number
of consecutive replies received before the host is treated as
available for load balancing again
9. When you are finished, click Update. The policy is added and you are
returned to the NAT Policies screen.
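The following Python model is an added illustration, not part of this guide or of the GMS product. It shows how the Sticky IP, Round Robin and Random Distribution methods described under “NAT Load Balancing Methods” pick a translated destination for a new connection, and how the probe outcome configured in step 8 (a host deactivated after the missed intervals, reactivated after the successful intervals) changes that choice. The group and client addresses are constructed, and the way a sticky mapping is first chosen is an assumption; the page states only the resulting behaviour.

```python
"""Models the NAT load-balancing selection described above (Sticky IP,
Round Robin, Random Distribution) over a group of translated destinations
whose members are marked alive or dead by the probe process.
Constructed illustration, not SonicWALL code."""
import ipaddress
import random


class NatLoadBalancer:
    def __init__(self, translated_group, method="sticky"):
        self.group = [ipaddress.ip_address(a) for a in translated_group]
        if method not in ("sticky", "round_robin", "random"):
            raise ValueError(f"unknown NAT method {method!r}")
        self.method = method
        self.alive = set(self.group)   # probe results shrink/grow this
        self._rr = 0                   # round-robin cursor
        self._sticky = {}              # source IP -> chosen destination

    # Probe outcomes ("Deactivate host after N missed intervals" /
    # "Reactivate host after N successful intervals") end up here.
    def mark_down(self, addr):
        self.alive.discard(ipaddress.ip_address(addr))

    def mark_up(self, addr):
        self.alive.add(ipaddress.ip_address(addr))

    def _live(self):
        # keep configured order so round robin is deterministic
        return [a for a in self.group if a in self.alive]

    def translate(self, src_ip, rng=random):
        """Return the destination a new connection from src_ip is sent to,
        or None when no member of the group is alive."""
        live = self._live()
        if not live:
            return None
        src = ipaddress.ip_address(src_ip)
        if self.method == "sticky":
            dst = self._sticky.get(src)
            if dst is None or dst not in self.alive:
                # First connection from this source, or its server died:
                # pick a live server (round robin here is an assumption)
                # and remember it for this source.
                dst = live[self._rr % len(live)]
                self._rr += 1
                self._sticky[src] = dst
            return dst
        if self.method == "round_robin":
            dst = live[self._rr % len(live)]
            self._rr += 1
            return dst
        return rng.choice(live)        # random distribution


def demo():
    """Sticky IP keeps a client on one server until that server fails."""
    lb = NatLoadBalancer(["10.0.0.11", "10.0.0.12", "10.0.0.13"], "sticky")
    first = lb.translate("203.0.113.5")    # constructed client address
    again = lb.translate("203.0.113.5")    # same client, same server
    lb.mark_down(str(first))               # probe declared that server dead
    moved = lb.translate("203.0.113.5")    # client re-pinned to a live one
    lb.mark_up(str(first))                 # server recovered
    after = lb.translate("203.0.113.5")    # persistence keeps the new pin
    return str(first), str(again), str(moved), str(after)


if __name__ == "__main__":
    print(demo())
```

Note that with Sticky IP a client is not moved back when its original server reactivates; persistence is only broken by a failure.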
Configuring Web Proxy Forwarding Settings
A Web proxy server intercepts HTTP requests and determines if it has stored
copies of the requested Web pages. If it does not, the proxy completes the
request to the server on the Internet, returning the requested information to
the user and also saving it locally for future requests.
Setting up a Web proxy server on a network can be cumbersome, because
each computer on the network must be configured to direct Web requests to
the server.
If there is a proxy server on the SonicWALL appliance’s network, you can
place the SonicWALL appliance between the network and the proxy server,
and enable Web Proxy Forwarding. This forwards all outbound Web requests
to the proxy server without requiring the computers to be individually
configured.
To configure Web Proxy Forwarding settings, perform the following steps:
1. Expand the Network tree and click Web Proxy. The Web Proxy page
displays.
2. Enter the name or IP address of the proxy server in the Proxy Web
Server field.
3. Enter the TCP port on which the proxy server listens in the Proxy Web
Server Port field.
4. To bypass the proxy server if it fails, select the Bypass Proxy
Servers Upon Proxy Server Failure check box. This is a fail-open
setting: if the proxy enforces content filtering or logging, clients
reach the Internet unfiltered while the proxy is down. Leave it clear
when the proxy is a security control rather than a cache.
5. If you have clients configured on the DMZ, select the Forward DMZ
Client Requests to Proxy Server check box.
6. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start
over, click Reset.
Configuring Routing in SonicOS Enhanced
If you have routers on your interfaces, you can configure the SonicWALL
appliance to route network traffic to specific predefined destinations. Static
routes must be defined if the network connected to an interface is segmented
into subnets, either for size or practical considerations. For example, a subnet
can be created to isolate a section of a company, such as finance, from
network traffic on the rest of the LAN, DMZ, or WAN.
To add static routes, perform the following steps:
1. Expand the Network tree and click Routing. The Routing page displays.
2. Click Add Route Policy.
3. Select the source address object from the Source list box.
4. Select the destination address object from the Destination list box.
5. Specify the type of service that will be routed from the Service list
box.
6. Select the address object that will act as a gateway for packets
matching these settings.
7. Select the interface through which these packets will be routed from
the Interface list box.
8. Specify the route metric in the Metric field. When several routes
match a packet, the one with the lowest metric is used.
9. Type a descriptive comment into the Comment field.
10. For appliances running SonicOS Enhanced 4.0 and above, optionally
select the Disable route when the interface is disconnected checkbox.
11. For appliances running SonicOS Enhanced 4.0 and above, select the
Allow VPN path to take precedence checkbox to allow a matching VPN
network to take precedence over the static route when the VPN tunnel is
up.
12. When you are finished, click Update. The route settings are configured
for the selected SonicWALL appliance(s). To clear all screen settings
and start over, click Reset.
Probe-Enabled Policy Based Routing Configuration
For appliances running SonicOS Enhanced 5.5 and above, you can optionally
configure a Network Monitor policy for the route. When a Network Monitor
policy is used, the static route is dynamically disabled or enabled, based
on the state of the probe for the policy.
1. In the Probe pull-down menu select the appropriate Network Monitor
object or select Create New Network Monitor object... to dynamically
create a new object. For more information, see “Configuring Network
Monitor” on page 210.
2. Leave the Disable route when probe succeeds checkbox clear for the
usual case, in which the route should be disabled when the probe to its
destination fails. The option exists for the inverse case, such as a
backup route that should be active only while a probe of the primary
path fails.
3. Select Probe default state is UP to have the route treat the probe as
successful (that is, in the “UP” state) while the attached Network
Monitor policy is in the “UNKNOWN” state. This controls the
probe-based behavior when a unit of a High Availability pair transitions
from “IDLE” to “ACTIVE,” because that transition sets all Network
Monitor policy states to “UNKNOWN.” Without it, every probe-bound route
on the newly active unit stays disabled until its first probes complete.
4. Click Update to apply the configuration.
Configuring RIP in SonicOS Enhanced
Routing Information Protocol (RIP) is a distance-vector routing protocol that is
commonly used in small homogeneous networks. Using RIP, a router will
periodically send its entire routing table to its closest neighbor, which passes
the information to its next neighbor, and so on. Eventually, all routers within
the network will have the information about the routing paths. When
attempting to route packets, a router will check the routing table and select the
path that requires the fewest hops.
SonicWALL appliances support RIPv1 or RIPv2 to advertise their static and
dynamic routes to other routers on the network. Changes in the status of
VPN tunnels between the SonicWALL and remote VPN gateways are also
reflected in the RIPv2 advertisements. Choose between RIPv1 or RIPv2
based on your router’s capabilities or configuration. RIPv1 is an earlier
version of the protocol that has fewer features (in particular, no
authentication and no subnet masks in advertisements), and it also sends
packets via broadcast instead of multicast. RIPv2 packets are
backwards-compatible and can be accepted by some RIPv1 implementations
that provide an option of listening for multicast packets. The RIPv2
Enabled (broadcast) selection broadcasts packets instead of multicasting
packets, and is for heterogeneous networks with a mixture of RIPv1 and
RIPv2 routers. Because any host on the segment can inject RIP updates,
use RIPv2 with MD5 Digest authentication (step 11 below) wherever the
neighboring routers support it.
To configure RIP, perform the following steps:
1. Expand the Network tree and click RIP (ENH). The RIP (ENH) page
displays.
2. Click the Edit icon for an interface. The Edit Route Advertising
Settings dialog box displays.
3. Select the RIP version from the RIP Advertisements list box:
– RIPv1 Enabled—first version of RIP.
– RIPv2 Enabled (multicast)—sends route advertisements using
multicasting (a single data packet to specific nodes on the network).
– RIPv2 Enabled (broadcast)—sends route advertisements using
broadcasting (a single data packet to all nodes on the network).
4. In the Advertise Default Route menu, select Never, When WAN is up, or
Always.
5. To advertise static routes that you specified on the Routes page, select
the Advertise Static Routes check box.
6. To advertise remote VPN networks that you specified on the Routes page,
select the Advertise Remote VPN Networks check box.
7. To set the amount of time between a VPN tunnel state change and the time
the change is advertised, enter a value in the Route Change Damp Time
field (default: 30 seconds).
8. To specify the number of advertisements that are sent after a route is
deleted, enter a value in the Deleted Route Advertisements field
(default: 5 advertisements).
9. By default, the connection between this router and its neighbor counts as
one hop. However, there are cases where you want to discourage or
reduce the use of this route by adding additional hops. To change the hop
count of this route, enter the number of hops in the Route Metric field.
10. Optional. If RIPv2 is selected from the RIP Advertisements list box,
you can enter a value for the Route Tag. This value is
implementation-dependent and provides a mechanism for routers to
classify the originators of RIPv2 advertisements.
11. Optional. Select from the following RIPv2 Authentication options:
– User Defined—Enter 4 hex digits in the Authentication Type field
and 32 hex digits in the Authentication Data field.
– Cleartext Password—Enter a password (16 characters or less) in the
Authentication Password field. The password is carried unencrypted in
every advertisement, so anyone who can capture traffic on the segment
can read it and inject routes; treat this option as a guard against
misconfigured neighbors, not against an attacker.
– MD5 Digest—Enter a numerical value from 0-255 in the
Authentication Key-Id field. Enter a 32 hex digit value for the
Authentication Key field, or use the generated key. This keyed digest
(RFC 2082) is the only option here that an on-path observer cannot
forge without the key; the same Key-Id and key must be configured on
every neighbor.
12. When you are finished, click Update. The settings are changed for the
SonicWALL appliance. To clear all screen settings and start over, click
Reset.
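As an added example (not SonicWALL code and not from this guide), the following Python builds RIPv2 Response packets with the Cleartext Password and MD5 Digest options from step 11 and verifies the MD5 variant the way a receiving router would. It assumes the appliance follows RFC 1723 for the simple password entry and RFC 2082 for keyed MD5 (authentication header as the first entry, digest in a trailer, key appended to the hashed bytes). The routes, key, Key-Id and sequence number are constructed values.

```python
"""RIPv2 Response packets with the authentication options listed in
step 11: none, Cleartext Password (RFC 1723 simple password) and MD5
Digest (RFC 2082 keyed MD5). Constructed illustration, not SonicWALL
code; it assumes the appliance follows those RFCs."""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_PLAIN, AUTH_MD5, AUTH_TRAILER = 2, 3, 1
RIP_HEADER = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)


def route_entry(prefix, next_hop="0.0.0.0", metric=1, tag=0):
    """One 20-byte RIPv2 entry: AFI, route tag, network, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", AFI_IP, tag, net.network_address.packed,
                       net.netmask.packed,
                       ipaddress.ip_address(next_hop).packed, metric)


def build_response(routes, auth=None):
    """auth: None, ("plain", password) or ("md5", key_id, key16, seq)."""
    body = b"".join(route_entry(*r) for r in routes)
    if auth is None:
        return RIP_HEADER + body
    if auth[0] == "plain":
        pw = auth[1].encode()
        if len(pw) > 16:
            raise ValueError("Cleartext Password is limited to 16 characters")
        return RIP_HEADER + struct.pack("!HH16s", AFI_AUTH, AUTH_PLAIN, pw) + body
    if auth[0] == "md5":
        _, key_id, key, seq = auth
        if not 0 <= key_id <= 255 or len(key) != 16:
            raise ValueError("Key-Id must be 0-255 and the key 32 hex digits")
        # Packet Length field = offset of the authentication trailer, i.e.
        # header + this auth entry + route entries (RFC 2082 layout).
        pkt_len = len(RIP_HEADER) + 20 + len(body)
        auth_hdr = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len,
                               key_id, 16, seq)
        unsigned = (RIP_HEADER + auth_hdr + body
                    + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER))
        # Keyed MD5: digest over the packet with the 16-byte key appended.
        return unsigned + hashlib.md5(unsigned + key).digest()
    raise ValueError(f"unknown authentication {auth[0]!r}")


def extract_plain_password(packet):
    """What anyone sniffing the segment sees with the Cleartext option."""
    if len(packet) < 24:
        return None
    afi, atype, pw = struct.unpack("!HH16s", packet[4:24])
    if afi != AFI_AUTH or atype != AUTH_PLAIN:
        return None
    return pw.rstrip(b"\x00").decode(errors="replace")


def verify_md5(packet, keys, last_seq=-1):
    """Return (accepted, seq). keys maps Key-Id -> 16-byte key; last_seq is
    the highest sequence number already accepted from this neighbour."""
    if len(packet) < 4 + 20 + 20:
        return False, None
    afi, atype, pkt_len, key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or dlen != 16:
        return False, None
    if pkt_len + 4 + 16 != len(packet):
        return False, None                      # truncated or padded
    if packet[pkt_len:pkt_len + 4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False, None
    key = keys.get(key_id)
    if key is None:
        return False, None                      # unknown Key-Id
    expected = hashlib.md5(packet[:pkt_len + 4] + key).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return False, None                      # forged or corrupted
    # Anti-replay: require a strictly increasing sequence number (RFC 2082
    # only requires non-decreasing and allows 0 after a neighbour restart).
    if seq != 0 and seq <= last_seq:
        return False, seq
    return True, seq
```

The sequence-number check is what stops an attacker from simply replaying a captured, validly signed update; the digest alone would accept it.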
Configuring IP Helper
The IP Helper allows the SonicWALL to forward DHCP requests originating
from the interfaces on a SonicWALL to a centralized DHCP server on
behalf of the requesting client. IP Helper is used extensively in routed
VLAN environments where a DHCP server is not available for each interface,
or where the layer 3 routing mechanism is not capable of acting as a DHCP
server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded
with DHCP client requests.
Note
IP Helper is only supported in SonicOS Enhanced.
To enable IP Helper and add an IP Helper policy, perform the following steps:
1. Expand the Network tree and click IP Helper. The IP Helper page
displays.
2. Select the Enable IP Helper check box.
For appliances running SonicOS Enhanced versions lower than 5.5, you
can also configure DHCP and NetBIOS support:
3. To enable DHCP support, select Enable DHCP Support.
4. To enable NetBIOS support, select Enable NetBIOS Support.
Configuring Relay Protocols
Appliances running SonicOS Enhanced versions 5.5 and higher support
Enhanced IP Helper that offers configurable Relay Protocols. The following
built-in applications are included:
• DHCP—UDP port number 67/68
• Net-Bios NS—UDP port number 137
• Net-Bios Datagram—UDP port number 138
• DNS—UDP port number 53
• Time Service—UDP port number 37
• Wake on LAN (WOL)
• mDNS—UDP port number 5353; multicast address 224.0.0.251
To enable any of these protocols, select the Enable checkbox and click
Update. Enable only the protocols you actually need to relay: each one
turns broadcast or multicast traffic that would otherwise stay on its own
segment into traffic forwarded toward the configured destination.
To configure additional protocols, perform the following steps:
1. Click Add Relay Protocol. The Add IP Helper Application window
displays.
2. Configure the following options:
• Name—The name of the protocol. Note that names are case sensitive and
must be unique.
• Port 1/2—The unique UDP port number(s).
• Translate IP—Translate the source IP while forwarding a packet.
• Timeout—IP Helper cache timeout in seconds, in increments of 10.
• Raw Mode—Unidirectional forwarding that does not create an IP Helper
cache entry. This is suitable for most user-defined protocols that are
used for discovery, for example WOL/mDNS.
3. Click Update.
Configuring IP Helper Policies
1. To add an IP Helper Policy, click Add IP Helper Policy. The Add IP Helper
dialog box displays.
2. The policy is enabled by default. To configure the policy without enabling
it, clear the Enabled check box.
3. Select DHCP or NetBIOS from the Protocol menu.
4. Select a source Interface or Zone from the From menu.
5. Select a destination IP address or subnet from the To menu.
6. Enter an optional comment in the Comment field.
7. Click OK to add the policy to the IP Helper Policies table.
8. Repeat this procedure for each policy to add. To delete a policy, click the
trash can icon next to the policy.
9. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
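The DHCP relay behaviour that an IP Helper policy configures (From interface, To server, the cache Timeout and Raw Mode from the Relay Protocols section above), modelled in Python as an added example that is not the appliance’s code. It assumes the standard relay rules of RFC 2131 and RFC 1542: the relay writes its receiving interface address into giaddr if no earlier relay did, increments hops, and matches the server’s reply back to the client by transaction ID. Interface names, addresses, MAC and timeout are constructed; the NetBIOS relay and the Translate IP option are not modelled.

```python
"""DHCP relay behaviour behind an IP Helper policy: a client request
arriving on an interface is forwarded to the configured server with the
relay's interface address in giaddr, the transaction is cached so the
server's reply can be sent back out the right interface, and cache
entries expire after the configured timeout. Raw Mode forwards without
caching. Constructed illustration, not SonicWALL code; header layout per
RFC 2131, relay rules per RFC 1542."""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP/DHCP header, 236 bytes
MAGIC = b"\x63\x82\x53\x63"
MAX_HOPS = 16                        # RFC 1542 default discard threshold


def build_bootp(op, xid, mac, yiaddr=bytes(4), giaddr=bytes(4), msg_type=1):
    """Minimal DHCP packet: fixed header, magic cookie, message type, end."""
    return struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, bytes(4), yiaddr,
                       bytes(4), giaddr, mac.ljust(16, b"\0"), bytes(64),
                       bytes(128)) + MAGIC + bytes([53, 1, msg_type, 255])


def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    return {"op": f[0], "hops": f[3], "xid": f[4], "giaddr": f[10],
            "chaddr": f[11][:f[2]]}


class IpHelperRelay:
    def __init__(self, server_ip, interfaces, timeout=60, raw_mode=False):
        self.server = server_ip          # IP Helper policy "To" address
        self.interfaces = interfaces     # iface name -> packed interface IP
        self.timeout = timeout           # IP Helper cache timeout (seconds)
        self.raw_mode = raw_mode
        self.cache = {}                  # xid -> (iface, chaddr, expires_at)

    def _expire(self, now):
        self.cache = {x: e for x, e in self.cache.items() if e[2] > now}

    def from_client(self, iface, pkt, now):
        """Broadcast request from a client on iface. Returns (server_ip,
        packet_to_forward) or None when the packet must be dropped."""
        self._expire(now)
        if iface not in self.interfaces:
            return None                  # no policy for this interface
        p = parse(pkt)
        if p["op"] != BOOTREQUEST or p["hops"] >= MAX_HOPS:
            return None
        out = bytearray(pkt)
        out[3] = p["hops"] + 1           # hops field, byte offset 3
        if p["giaddr"] == bytes(4):      # first relay sets giaddr; later ones keep it
            out[24:28] = self.interfaces[iface]
        if not self.raw_mode:
            self.cache[p["xid"]] = (iface, p["chaddr"], now + self.timeout)
        return self.server, bytes(out)

    def from_server(self, pkt, now):
        """Reply the server sent to giaddr. Returns (iface, chaddr, packet)
        for delivery to the client, or None if no cached transaction."""
        self._expire(now)
        p = parse(pkt)
        if p["op"] != BOOTREPLY:
            return None
        entry = self.cache.get(p["xid"])
        if entry is None or entry[1] != p["chaddr"]:
            return None                  # unknown, expired, raw mode, or MAC mismatch
        return entry[0], entry[1], pkt


def demo():
    """One DISCOVER/OFFER exchange through the relay, then a late reply."""
    x1 = bytes([10, 1, 0, 1])            # constructed: X1 interface address
    relay = IpHelperRelay("192.168.100.10", {"X1": x1}, timeout=30)
    mac = bytes.fromhex("001122334455")  # constructed client MAC
    dest, fwd = relay.from_client("X1", build_bootp(BOOTREQUEST, 0xABCD1234, mac), now=0)
    offer = build_bootp(BOOTREPLY, 0xABCD1234, mac, yiaddr=bytes([10, 1, 0, 50]),
                        giaddr=x1, msg_type=2)
    delivered = relay.from_server(offer, now=10)
    late = relay.from_server(offer, now=31)   # cache entry expired at t=30
    return dest, parse(fwd)["giaddr"], parse(fwd)["hops"], delivered[0], late
```

The cache is what makes the relay bidirectional: a reply whose transaction is not cached, whether because it expired, because Raw Mode was used, or because nobody on this side ever asked, is dropped rather than broadcast onto an interface.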
Configuring ARP
ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2
(physical or MAC addresses) to enable communications between hosts
residing on the same subnet. ARP is a broadcast protocol that can create
excessive amounts of network traffic on your network. To minimize the
broadcast traffic, an ARP cache is maintained to store and reuse previously
learned ARP information.
To configure ARP, perform the following steps:
1. Expand the Network tree and click ARP. The ARP page displays.
Static ARP Entries
The Static ARP feature allows for static mappings to be created between layer
2 MAC addresses and layer 3 IP addresses, but also provides the following
capabilities:
• Publish Entry—Enabling the Publish Entry option in the Add Static ARP
window causes the SonicWALL device to respond to ARP queries for the
specified IP address with the specified MAC address. This can be used,
for example, to have the SonicWALL device reply for a secondary IP
address on a particular interface by adding the MAC address of the
SonicWALL. See the Secondary Subnet section that follows.
• Bind MAC Address—Enabling the Bind MAC Address option in the Add
Static ARP window binds the MAC address specified to the designated IP
address and interface. This can be used to ensure that a particular
workstation (as recognized by the network card's unique MAC address)
can only be used on a specified interface on the SonicWALL. Once the
MAC address is bound to an interface, the SonicWALL will not respond to
that MAC address on any other interface. It will also remove any
dynamically cached references to that MAC address that might have been
present, and it will prohibit additional (non-unique) static mappings of that
MAC address. Because a MAC address can be set freely on most network
cards, treat this as a control against accidental moves and
misconfiguration rather than as authentication of the workstation.
• Update IP Address Dynamically—The Update IP Address
Dynamically setting in the Add Static ARP window is a sub-feature of the
Bind MAC Address option. This allows for a MAC address to be bound to
an interface when DHCP is being used to dynamically allocate IP
addressing. Enabling this option grays out the IP Address field, and
populates the ARP Cache with the IP Address allocated by the
SonicWALL's internal DHCP server, or by the external DHCP server if IP
Helper is in use.
Secondary Subnets with Static ARP
The Static ARP feature allows for secondary subnets to be added on other
interfaces, and without the addition of automatic NAT rules.
Adding a Secondary Subnet using the Static ARP Method
1. Add a 'published' static ARP entry for the gateway address that will be
used for the secondary subnet, assigning it the MAC address of the
SonicWALL interface to which it will be connected.
2. Add a static route for that subnet, so that the SonicWALL regards it as
valid traffic, and knows to which interface to route that subnet's traffic.
3. Add Access Rules to allow traffic destined for that subnet to traverse the
correct network interface.
4. Optional: Add a static route on upstream device(s) so that they know
which gateway IP to use to reach the secondary subnet.
Flushing the ARP Cache
It is sometimes necessary to flush the ARP cache if the IP address has
changed for a device on the network. Since the IP address is linked to a
physical address, the IP address can change but still be associated with the
old physical address in the ARP Cache. Flushing the ARP Cache allows new
information to be gathered and stored in the ARP Cache. Click Flush ARP
Cache to clear the information.
To configure a specific length of time for the entry to time out, enter a value in
minutes in the ARP Cache entry time out (minutes) field.
Navigating and Sorting the ARP Cache Table Entries
To view ARP cache information, click Request ARP Cache display from
unit(s).
The ARP Cache table provides easy pagination for viewing a large number of
ARP entries. You can navigate a large number of ARP entries listed in the ARP
Cache table by using the navigation control bar located at the top right of the
ARP Cache table. The navigation control bar includes four buttons. The far left
button displays the first page of the table. The far right button displays the last
page. The inside left and right arrow buttons move to the previous or next page
respectively.
You can enter the entry number (the number listed in the # column) in the
Items field to move to a specific ARP entry. The default table configuration
displays 50 entries per page. You can change this default number of entries
for tables on the System > Administration page.
You can sort the entries in the table by clicking on the column header. The
entries are sorted in ascending or descending order. The arrow to the right of
the column header indicates the sorting status. A down arrow means ascending
order. An up arrow indicates descending order.
Configuring SwitchPorts
The SwitchPorts page allows you to manage the assignments of ports to
PortShield interfaces. A PortShield interface is a virtual interface with a set of
ports assigned to it. To configure a SwitchPort, perform the following steps:
1. Expand the Network tree and click SwitchPorts. The SwitchPorts page
displays.
2. Click the Edit icon for the SwitchPort you want to configure. The
SwitchPort Configuration window displays.
The name of the PortShield interface group will be assigned by default.
3. Click on the Port Enable list box and click on either the Enable or Disable
option to either activate or deactivate the interfaces in the PortShield
interface group.
4. Click on the PortShield interface list box and click on the PortShield
interface you created in the previous procedure.
5. Click on the Link Speed list box and click on a throughput speed you want
to assign the interface. The choices are:
– Auto negotiate
– 100 Mbps Full Duplex
– 100 Mbps Half Duplex
– 10 Mbps Full Duplex
– 10 Mbps Half Duplex
Note
Do not change this setting from the default of Auto negotiate unless
your system requires you to do so. Also, note that for any setting
involving the Full Duplex feature to work properly, be sure to
configure Full Duplex on both ends of the link. By not having Full
Duplex configured on both ends, a duplex mismatch occurs, causing
throughput loss.
6. Click on the Rate Limit option and select a value. The rate limit value
enables you to throttle traffic coming into the switch. Remember, these
values apply to inbound traffic only.
7. Click OK. Wait for a few seconds. The system then will incorporate the
changes you made to the PortShield interface group and add it back to
the switch ports list.
Configuring PortShield Groups
On the Network > PortShield Groups page, you can manually group ports
together, which allows them to share a common network subnet as well as
common zone settings.
Note
The PortShield Groups page is supported on appliances running
SonicOS Enhanced versions 5.5 or higher.
To assign an interface to a PortShield group, perform the following steps:
1. Navigate to the Network > PortShield Groups page.
2. Click on the Configure icon for the interface you want to assign to a
PortShield group. The Edit Switch Port window displays.
Note
Interfaces must be configured before being grouped with PortShield.
3. In the Port Enabled pulldown menu, select whether you want to enable
or disable the interface.
4. In the PortShield Interface pulldown menu, select which interface you
want to assign as the master interface for the PortShield interface.
5. In the Link Speed pulldown menu, select the link speed for the interfaces.
6. Click OK.
Configuring Network Monitor
This section describes how to configure the Network Monitor feature, which
provides a flexible mechanism for monitoring network path viability. The
results and status of this monitoring are displayed on the Network Monitor
page, and are also provided to affected client components and logged in the
system log.
Each custom NM policy defines a destination Address Object to be probed.
This Address Object may be a Host, Group, Range, or FQDN. When the
destination Address Object is a Group, Range or FQDN with multiple resolved
addresses, Network Monitor probes each probe target and derives the NM
Policy state based on the results.
To add a network monitor policy on the SonicWALL security appliance,
perform these steps:
1. From the Network > Network Monitor page, click the Add button. The
Add Network Monitor Policy window is displayed.
2. Enter the following information to define the network monitor policy:
• Name - Enter a description of the Network Monitor policy.
• Probe Target - Select the Address Object or Address Group to be the
target of the policy. Address Objects may be Host, Group, Range, or
FQDN objects. Objects within a Group object may be Host, Range, or
FQDN Address Objects. You can dynamically create a new address object
by selecting Create New Address Object.
• Probe Type - Select the appropriate type of probe for the network monitor
policy:
– Ping (ICMP) - This probe uses the route table to find the egress
interface and next-hop for the defined probe targets. A Ping
echo-request is sent out the egress interface with the source IP
address of the egress interface. An echo response must return on the
same interface within the specified Response Timeout time limit for
the ping to be counted as successful.
– TCP - This probe uses the route table to find the egress interface and
next-hop for the defined probe targets. A TCP SYN packet is sent to
the probe target with the source IP address of the egress interface. A
successful response will be counted independently for each probe
target when the target responds with either a SYN/ACK or RST via the
same interface within the Response Timeout time window. When a
SYN/ACK is received, a RST is sent to close the connection. If a RST
is received, no response is returned. Note that a RST counts as
success: the TCP probe confirms that the host's IP stack is reachable,
not that a service is listening on the probed port.
– Ping (ICMP) - Explicit Route - This probe bypasses the route table
and uses the source IP address of the interface specified in the
Outbound Interface pull-down menu to send a Ping to the targets. If a
Next Hop Gateway is not specified, the probe assumes that the targets
are directly connected to the Outbound Interface's network.
– TCP - Explicit Route - This probe bypasses the route table and uses
the source IP address of the interface specified in the Outbound
Interface pull-down menu to send a TCP SYN packet to the targets. If
a Next Hop Gateway is not specified, the probe assumes that the
targets are directly connected to the Outbound Interface's network.
When a SYN/ACK is received, a RST is sent to close the connection.
If a RST is received, no response is returned.
• Next Hop Gateway - Manually specifies the next hop that is used from
the outbound interface to reach the probe target. This option applies
only to Explicit Route policies; non-Explicit Route policies use the
appliance’s route table to determine the egress interface and next hop.
If a Next Hop Gateway is not specified for an Explicit Route policy, the
probe assumes that the targets are directly connected to the Outbound
Interface's network.
• Outbound Interface - Manually specifies which interface is used to send
the probe. This option must be configured for Explicit Route policies. For
non-Explicit Route policies, the probe uses the appliance’s route table to
determine the egress interface to reach the probe target.
• Port - Specifies the destination port of target hosts for TCP probes. A port
is not specified for Ping probes.
3. Optionally, you can adjust the following thresholds for the probes:
• Probe hosts every - The number of seconds between each probe. This
number cannot be less than the Reply time out field.
• Reply time out - The number of seconds the Network Monitor waits for a
response for each individual probe before a missed-probe will be counted
for the specific probe target. The Reply time out cannot exceed the Probe
hosts every field.
• Probe state is set to DOWN after - The number of consecutive missed
probes that triggers a host state transition to DOWN.
• Probe state is set to UP after - The number of consecutive successful
probes that triggers a host state transition to UP.
• All Hosts Must Respond - Selecting this checkbox specifies that all of the
probe target Host States must be UP before the Policy State can transition
to UP. If not checked, the Policy State is set to UP when any of the Host
States are UP.
4. Optionally, you can enter a descriptive comment about the policy in the
Comment field.
5. Click Update to submit the Network Monitor policy. Then click Update on
the Network > Network Monitor page.
When configuring a static route, you can optionally configure a Network
Monitor policy for the route. When a Network Monitor policy is used, the static
route is dynamically disabled or enabled, based on the state of the probe for
the policy. For more information, see “Probe-Enabled Policy Based Routing
Configuration” on page 198.
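The state machine behind the thresholds in step 3 and the probe-bound route options under “Probe-Enabled Policy Based Routing Configuration” (Disable route when probe succeeds, Probe default state is UP), written in Python as an added example that is not the appliance’s code. Per-host UP/DOWN transitions after consecutive misses or successes, the All Hosts Must Respond rule and the UNKNOWN state after an HA transition follow the page; where the page does not say how a mixture of UNKNOWN and DOWN hosts combines into the policy state, the rule used here is an assumption. Target addresses and probe results are constructed.

```python
"""Network Monitor host/policy state machine and the probe-bound static
route decision, as described on this page. Constructed illustration, not
SonicWALL code; the combination rule for partially-known policies is an
assumption."""

UNKNOWN, UP, DOWN = "UNKNOWN", "UP", "DOWN"


class NetworkMonitorPolicy:
    def __init__(self, targets, interval=5, reply_timeout=1,
                 down_after=3, up_after=3, all_hosts_must_respond=False):
        if reply_timeout > interval:
            raise ValueError("Reply time out cannot exceed Probe hosts every")
        if down_after < 1 or up_after < 1:
            raise ValueError("thresholds must be at least 1")
        self.interval, self.reply_timeout = interval, reply_timeout
        self.down_after, self.up_after = down_after, up_after
        self.all_hosts = all_hosts_must_respond
        # per target: current state plus consecutive miss/success counters
        self.hosts = {t: {"state": UNKNOWN, "missed": 0, "ok": 0} for t in targets}

    def record(self, target, responded):
        """Feed one probe result (True = reply within Reply time out)."""
        h = self.hosts[target]
        if responded:
            h["ok"] += 1
            h["missed"] = 0
            if h["ok"] >= self.up_after:
                h["state"] = UP          # "Probe state is set to UP after"
        else:
            h["missed"] += 1
            h["ok"] = 0
            if h["missed"] >= self.down_after:
                h["state"] = DOWN        # "Probe state is set to DOWN after"
        return h["state"]

    def probe_round(self, results):
        """results maps target -> bool for one Probe hosts every interval."""
        for target, ok in results.items():
            self.record(target, ok)
        return self.state()

    def state(self):
        """Policy state derived from the host states."""
        states = [h["state"] for h in self.hosts.values()]
        if self.all_hosts:               # All Hosts Must Respond
            if all(s == UP for s in states):
                return UP
            if any(s == DOWN for s in states):
                return DOWN
            return UNKNOWN               # assumption: not yet decided
        if any(s == UP for s in states):
            return UP
        if all(s == DOWN for s in states):
            return DOWN
        return UNKNOWN                   # assumption: not yet decided

    def reset(self):
        """An HA unit going IDLE -> ACTIVE sets every policy to UNKNOWN."""
        for h in self.hosts.values():
            h.update(state=UNKNOWN, missed=0, ok=0)


def route_enabled(policy_state, disable_when_probe_succeeds=False,
                  probe_default_state_up=False):
    """Whether a static route tied to a Network Monitor policy is active."""
    if policy_state == UNKNOWN:
        # "Probe default state is UP" decides what UNKNOWN means
        policy_state = UP if probe_default_state_up else DOWN
    probe_ok = policy_state == UP
    return (not probe_ok) if disable_when_probe_succeeds else probe_ok
```

The practical consequence of `route_enabled` is the HA case described in step 3 of the routing procedure: after a failover every policy is UNKNOWN, so a probe-bound route without Probe default state is UP stays down for at least `up_after` probe intervals.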
Configuring Network Settings in SonicOS Standard
The following sections describe how to configure network settings in SonicOS
Standard:
• “Configuring Basic Network Settings in SonicOS Standard” on page 213
• “Configuring Web Proxy Forwarding” on page 223
• “Configuring Intranet Settings” on page 223
• “Configuring Routing in SonicOS Standard” on page 225
• “Configuring RIP in SonicOS Standard” on page 225
• “Configuring One-to-One NAT” on page 229
• “Configuring Ethernet Settings” on page 231
• “Configuring ARP” on page 233
Configuring Basic Network Settings in SonicOS Standard
The Network settings page is used to configure the network addressing mode,
LAN settings, WAN settings, DMZ settings, and the DNS server address(es).
SonicOS Standard supports six network addressing modes. For all of these
modes, first configure the universal settings:
• “LAN Settings for all Network Addressing Modes” on page 213
Then configure the settings for the appropriate network addressing mode:
• “Standard Mode” on page 214
• “NAT-Enabled Mode” on page 215
• “NAT with DHCP Client Mode” on page 217
• “NAT With PPPoE Client” on page 218
• “NAT With L2TP Client” on page 219
• “NAT With PPTP Client” on page 221
Note
Making changes to this page causes the SonicWALL appliance to
restart automatically. We recommend scheduling the tasks to run
when network activity is low.
LAN Settings for all Network Addressing Modes
For all six of the network addressing modes supported in SonicOS Standard,
complete the following basic network settings:
1. Enter the IP address assigned to the LAN interface in the SonicWALL LAN
IP Address field and the subnet the IP address belongs to in the LAN
Subnet Mask field.
2. To add an additional subnet, enter the IP address and subnet in the
Network Gateway and Subnet Mask fields and click Add Subnet.
3. Enter the IP address of the router that provides Internet access to the
SonicWALL appliance in the WAN Gateway (Router) Address field.
In Standard Mode, the SonicWALL WAN IP Address and WAN Subnet Mask
are automatically set to the SonicWALL LAN IP Address and LAN Subnet
Mask, respectively.
Standard Mode
When you select Standard Mode (also known as Transparent Mode), Network
Address Translation (NAT) is disabled. All nodes on the LAN or WorkPort that
will access or be accessed from the Internet must use valid,
Internet-accessible IP addresses.
To configure a SonicWALL appliance for standard network addressing,
perform the following steps:
1. On the Network > Settings page, select Standard from the Network
Addressing Mode area.
2. Configure the LAN Settings as described in “LAN Settings for all Network
Addressing Modes” on page 213.
3. Enter the IP addresses of the DNS servers in the DNS Server 1-3 fields.
Note
SonicWALL appliances require the IP address of at least one DNS
server to function properly.
4. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
NAT-Enabled Mode
NAT provides anonymity to machines on the LAN or WorkPort by connecting
the entire network to the Internet using a single IP address. This provides
security to the internal machines by hiding them from the outside world and
conserves IP addresses.
When using NAT, we recommend using internal network IP addresses from a
special range. The following IP address ranges are reserved for private IP
networks and are not routed on the Internet:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
If your network uses IP addresses that are not registered to your organization
and are not within the private IP address ranges, the servers on the Internet
to which those IP addresses belong will not be accessible from your network.
For example, if an IP address on your network is 185.5.20.105 and it is not
registered to your organization, the server that uses that IP address on the
Internet will not be accessible from your network.
Note
If you choose to use NAT, but need to make some machines
available to the outside world, use One-to-One NAT. One-to-One
NAT maps external IP addresses to private IP addresses. For more
information, see “Configuring One-to-One NAT” on page 229.
To configure a SonicWALL appliance for NAT, perform the following steps:
1. On the Network > Settings page, select NAT Enabled from the Network
Addressing Mode area.
2. Configure the LAN Settings as described in “LAN Settings for all Network
Addressing Modes” on page 213.
3. Configure the following WAN Settings:
– SonicWALL WAN IP (NAT Public) Address—Public IP address used
to access the Internet. All activity on the Internet will appear to
originate from this address. This IP address must be valid and is
generally supplied by your Internet Service Provider (ISP).
– WAN Gateway (Router) Address—Address of the router that
attaches the LAN to the Internet.
– WAN Subnet Mask—Determines the subnet to which the public IP
address belongs. This is generally supplied by your ISP.
4. Enter the IP addresses of the DNS servers in the DNS Server 1-3 fields.
Note
SonicWALL appliances require the IP address of at least one DNS
server to function properly.
5. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
NAT with DHCP Client Mode
When you select the NAT with DHCP Client mode, the SonicWALL appliance
uses DHCP to obtain a dynamic IP address from the ISP, and NAT is enabled.
For more information on NAT, see “NAT-Enabled Mode” on page 215.
To configure a SonicWALL appliance for NAT with a DHCP client, perform the
following steps:
1. On the Network > Settings page, select NAT with DHCP Client from the
Network Addressing Mode area.
2. Configure the LAN Settings as described in “LAN Settings for all Network
Addressing Modes” on page 213.
3. The WAN settings and the DNS server IP addresses are automatically
provided by the DHCP server of the service provider. You do not need to
configure any parameters in the WAN Settings area.
4. In the Other Settings area, enter the name of the DHCP server in the Host
Name field.
5. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
NAT With PPPoE Client
When you select the NAT with PPPoE Client mode, the SonicWALL appliance
uses PPP over Ethernet (PPPoE) to connect to the Internet. PPPoE is
required by some ISPs to authenticate users over broadband Internet access
devices (e.g., DSL, cable modems, wireless). Note that when using NAT for
the PPPoE client, the password appears in clear text.
Note
When this mode is selected, the SonicWALL LAN IP Address is used
as the gateway address for computers on the LAN or WorkPort.
To configure a SonicWALL appliance for NAT with PPPoE, perform the
following steps:
1. On the Network > Settings page, select NAT with PPPoE Client from the
Network Addressing Mode area.
2. Configure the LAN Settings as described in “LAN Settings for all Network
Addressing Modes” on page 213.
3. Configure the following ISP Settings:
– User Name—username provided by the ISP.
– Password—password used to authenticate the username with the
ISP. This field is case-sensitive.
4. To specify how long the SonicWALL appliance waits before disconnecting
from the Internet, select the Disconnect after minutes of inactivity
checkbox and enter the amount of time in the inactivity field.
5. Select from the following:
– To configure the SonicWALL appliance(s) to dynamically obtain an IP
address, select Obtain an IP Address automatically.
– To configure the SonicWALL appliance(s) to use a fixed IP address,
select Use the following IP Address and enter the IP address.
6. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
NAT With L2TP Client
When you select the NAT with L2TP Client mode, the SonicWALL appliance
uses Layer Two Tunneling Protocol (L2TP) to connect to the Internet.
Note
When this mode is selected, the SonicWALL LAN (WorkPort) IP
Address is used as the gateway address for computers on the LAN
or WorkPort.
To configure a SonicWALL appliance for NAT with L2TP, perform the following
steps:
1. On the Network > Settings page, select NAT with L2TP Client from the
Network Addressing Mode area.
2. Configure the LAN Settings as described in “LAN Settings for all Network
Addressing Modes” on page 213.
3. Select from the following WAN settings:
– To configure the SonicWALL appliance to dynamically obtain an IP
address, select Obtain an IP address using DHCP.
  – To renew the IP address, click Renew Lease.
  – To release the IP address, click Release.
– To configure the SonicWALL appliance to use fixed settings, select
Use the specified IP address and enter the following:
  – SonicWALL WAN IP (NAT Public) Address—Public IP address
  used to access the Internet. All activity on the Internet will appear
  to originate from this address. This IP address must be valid and
  is generally supplied by your Internet Service Provider (ISP).
  – WAN Gateway (Router) Address—Address of the router that
  attaches the LAN to the Internet.
  – WAN Subnet Mask—Determines the subnet to which the public IP
  address belongs. This is generally supplied by your ISP.
4. Enter the IP address of the DNS server in the DNS Server 1 field.
5. Configure the following ISP L2TP Settings:
– L2TP Host Name—this information is provided by your ISP.
– L2TP Server IP Address—this information is provided by your ISP.
– User Name—username provided by the ISP.
– Password—password used to authenticate the username with the
ISP. This field is case-sensitive.
6. To specify how long the SonicWALL appliance waits before disconnecting
from the Internet, select the Disconnect after minutes of inactivity
checkbox and enter the amount of time in the inactivity field.
7. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
NAT With PPTP Client
When you select the NAT with PPTP Client mode, the SonicWALL appliance
uses Point-to-Point Tunneling Protocol (PPTP) to connect to the Internet.
When this mode is selected, the SonicWALL LAN (WorkPort) IP Address is
used as the gateway address for computers on the LAN or WorkPort.
To configure a SonicWALL appliance for NAT with PPTP, perform the following
steps:
1. On the Network > Settings page, select NAT with PPTP Client from the
Network Addressing Mode area.
2. Configure the LAN Settings as described in “LAN Settings for all Network
Addressing Modes” on page 213.
3. Select from the following WAN settings:
– To configure the SonicWALL appliance to dynamically obtain an IP
address, select Obtain an IP address using DHCP.
  – To renew the IP address, click Renew Lease.
  – To release the IP address, click Release.
– To configure the SonicWALL appliance to use fixed settings, select
Use the specified IP address and enter the following:
  – SonicWALL WAN IP (NAT Public) Address—Public IP address
  used to access the Internet. All activity on the Internet will appear
  to originate from this address. This IP address must be valid and
  is generally supplied by your Internet Service Provider (ISP).
  – WAN Gateway (Router) Address—Address of the router that
  attaches the LAN to the Internet.
  – WAN Subnet Mask—Determines the subnet to which the public IP
  address belongs. This is generally supplied by your ISP.
4. Enter the IP address of the DNS server in the DNS Server 1 field.
5. Configure the following ISP PPTP Settings:
– PPTP Host Name—this information is provided by your ISP.
– PPTP Server IP Address—this information is provided by your ISP.
– User Name—username provided by the ISP.
– User Password—password used to authenticate the username with
the ISP. This field is case-sensitive.
6. To specify how long the SonicWALL appliance waits before disconnecting
from the Internet, select the Disconnect after minutes of inactivity
checkbox and enter the amount of time in the inactivity field.
7. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring Dynamic DNS
Note
Dynamic DNS forwarding settings are identical in SonicOS Standard
and Enhanced. For configuration information, see “Configuring
Dynamic DNS” on page 181 in the SonicOS Enhanced section of
this chapter.
Configuring Web Proxy Forwarding
Note
Web proxy forwarding settings are identical in SonicOS Standard
and Enhanced. For configuration information, see the “Configuring Web
Proxy Forwarding Settings” section on page 195 in the SonicOS
Enhanced section of this chapter.
Configuring Intranet Settings
SonicWALLs can be installed between LAN segments of intranets to prevent
unauthorized access to certain resources. For example, if the administrative
offices of a school are on the same network as the student computer lab, they
can be separated by a SonicWALL.
Figure 3 shows how a SonicWALL appliance can be installed between two
network segments on an Intranet.
Figure 3 SonicWALL Intranet Configuration
Note
Devices connected to the WAN port do not have firewall or content
filter protection. To protect these units, install another SonicWALL
appliance between the Internet and devices connected to the WAN
port of the other SonicWALL appliance.
Although the systems on the WAN and LAN links are separated, they are still
on the same subnet. Consequently, you must make the systems on the
larger network aware of the systems on the smaller network. To do this,
perform the following steps:
1. Expand the Network tree and click Intranet. The Intranet page displays.
2. Select from the following:
– If the SonicWALL is not used to separate LAN segments on the
intranet, select SonicWALL’s WAN link is connected to the Internet
Router.
– If the smaller network is connected to the LAN, select Specified
addresses are attached to the LAN link.
– If the smaller network is connected to the WAN, select Specified
addresses are attached to the WAN link.
3. Enter the IP address or IP address range of a system or group of systems
on the smaller network:
– To enter a single IP address, enter the IP address in the Addr Range
Begin field.
– To enter a range of IP addresses, enter the starting IP address in the
Addr Range Begin field and the ending IP address in the Addr
Range End field.
– Click Add Range.
4. Repeat Step 3 for each IP address or IP address range on the smaller
network.
5. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
6. To define which services can be accessed from outside the restricted
network segment, see “Configuring Firewall Settings in SonicOS
Standard” on page 269.
Configuring Routing in SonicOS Standard
If the LAN(s) have internal routers, their addresses and network information
must be entered into the SonicWALL(s). To add an internal router, perform the
following steps:
1. Expand the Network tree and click Routing. The Routing page displays.
2. Select whether the router is connected to the LAN (WorkPort), WAN, or
OPT interface from the Link list box.
3. Enter the destination network IP addresses in the Destination Network
and Subnet Mask fields.
4. Enter the IP address of the router in the Gateway field.
5. Click Add Route. Repeat Steps 2 through 4 for each route that you
want to add.
6. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring RIP in SonicOS Standard
RIP is a distance-vector routing protocol that is commonly used in small
homogeneous networks. Using RIP, a router will periodically send its entire
routing table to its closest neighbor, which passes the information to its next
neighbor, and so on. Eventually, all routers within the network will have the
information about the routing paths. When attempting to route packets, a
router will check the routing table and select the path that requires the fewest
hops.
RIP is not supported by all SonicWALL appliances.
To configure RIP, perform the following steps:
1. Expand the Network tree and click RIP. The RIP page displays.
2. Select the RIP version from the RIP Advertisements list box:
– RIPv1 Enabled—first version of RIP.
– RIPv2 Enabled (multicast)—sends route advertisements using
multicasting (a single data packet to specific nodes on the network).
– RIPv2 Enabled (broadcast)—sends route advertisements using
broadcasting (a single data packet to all nodes on the network).
3. To advertise static routes that you specified on the Routing page, select
the Advertise Static Routes check box.
4. To set the amount of time between a VPN tunnel state change and the time
the change is advertised, enter a value in the Route Change Damp Time
field (default: 30 seconds).
5. To specify the number of advertisements that are sent after a route is
deleted, enter a value in the Deleted Route Advertisements field
(default: 5 advertisements).
6. By default, the connection between this router and its neighbor counts as
one hop. However, there are cases where you want to discourage or
reduce the use of this route by adding additional hops. To change the hop
count of this route, enter the number of hops in the Route Metric field.
7. Optional. If RIPv2 is selected from the Route Advertisements list box, you
can enter a value in the RIPv2 Route Tag field. This value is
implementation-dependent and provides a mechanism for routers to
classify the originators of RIPv2 advertisements.
8. Optional. Select from the following RIPv2 Authentication options:
– User Defined—Enter 4 hex digits in the Authentication Type field
and 32 hex digits in the Authentication Data field.
– Cleartext Password—Enter a password (16 characters or less) in the
Authentication Password field.
– MD5 Digest—Enter a numerical value from 0-255 in the
Authentication Key-Id field. Enter a 32 hex digit value for the
Authentication Key field, or use the generated key.
9. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring OPT Addresses
SonicWALL appliances protect users by preventing Internet users from
accessing systems within the LAN (WorkPort). However, this security also
prevents users from reaching servers intended for public access, such as Web
and mail servers.
To allow these services, many SonicWALL models have a special
Demilitarized Zone (DMZ) port (also known as the HomePort) which is used
for public servers. The DMZ sits between the LAN (WorkPort) and the Internet.
Servers on the DMZ are publicly accessible, but are protected from denial of
service attacks such as SYN Flood and Ping of Death.
Although the DMZ port is optional, it is strongly recommended for public
servers or when connecting the servers directly to the Internet where they are
not protected.
Note
Some newer SonicWALL appliances have one or more OPT ports
that can be configured as a DMZ port. For more information, see
“Overview of Interfaces” on page 153.
Each server on the DMZ port or HomePort requires a unique, publishable
Internet IP address. The ISP that provides your Internet connection should be
able to provide these addresses.
To add OPT IP addresses, perform the following steps:
1. Expand the Network tree and click DMZ Addresses or HomePort
Addresses.
2. The DMZ/HomePort Addresses page displays.
3. Select from the following:
– If the devices on the DMZ will use fixed IP addresses, select OPT in
Standard Mode. Then, enter the starting IP address in the Addr
Range Begin field, the ending IP address in the Addr Range End
field, and click Add Range. Repeat this step for each range of IP
addresses.
– To enter a single IP address, enter the IP address in the Addr Range
Begin field.
– If the devices on the DMZ or HomePort will use NAT, select OPT in
NAT Mode and do the following:
  – Enter the private internal IP address assigned to the DMZ or
  HomePort interface in the OPT Private Address field.
  – Assign a subnet mask in the DMZ or HomePort Subnet Mask field.
  The LAN (WorkPort) and OPT can have the same subnet mask,
  but the subnets must be different. For instance, the LAN subnet
  can be 192.168.0.1 with a subnet mask of 255.255.255.0, and the
  DMZ subnet can be 172.16.18.1 with a subnet mask of
  255.255.255.0.
  – To define a DMZ or HomePort public IP address that will be used to
  access devices on the DMZ interface, enter an IP address in the
  OPT NAT Many to One Public Address field (optional).
4. Select from the following:
– To enter a single IP address, enter it in the Addr Range Begin field.
– To enter a range of IP addresses, enter the starting IP address in the
Addr Range Begin field and the ending IP address in the Addr Range
End field.
5. Click Add Range.
6. To enter additional IP addresses and IP address ranges, repeat Steps 3
and 4.
7. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring One-to-One NAT
One-to-One NAT maps valid external IP addresses to internal addresses
hidden by NAT. This enables you to hide most of your network by using internal
IP addresses. However, some machines may require access. This enables
you to allow direct access when necessary.
To do this, assign a range of internal IP addresses to a range of external IP
addresses of equal size. The first internal IP address will correspond to the
first external IP address, the second internal IP address to the second external
IP address, and so on.
For example, if an ISP has assigned IP addresses 209.19.28.16 through
209.19.28.31 with 209.19.28.16 as the NAT public address and the address
range 192.168.168.1 through 192.168.168.255 is used on the LAN
(WorkPort), the following table shows how the IP addresses will be assigned.
Table 3 One-to-One NAT Example
LAN Address       WAN Address                   Accessed Via
192.168.168.1     209.19.28.16                  Inaccessible, NAT public IP address
192.168.168.2     209.19.28.17                  209.19.28.17
192.168.168.3     209.19.28.18                  209.19.28.18
[...]             [...]                         [...]
192.168.168.16    209.19.28.31                  209.19.28.31
192.168.168.16    No corresponding IP address   No corresponding IP address
To configure One-to-One NAT, perform the following steps:
1. Expand the Network tree and click One-to-One NAT. The One-to-One
NAT page displays.
Figure 4 One-to-One NAT Page
2. Select the Enable One-to-One NAT check box.
3. Enter the first IP address of the internal IP address range in the Private
Range Begin field.
4. Enter the first corresponding external IP address in the Public Range
Begin field.
5. Enter the number of IP addresses in the range in the Range Length field.
6. Click Add Range.
7. To add additional IP address ranges, repeat Steps 3 through 6 for each
range. When you are finished, click Update. The settings are changed for
each selected SonicWALL appliance. To clear all screen settings and start
over, click Reset.
Note: Do not include the NAT Public IP Address in a range.
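As an added example (not SonicWALL code), the following Python models the positional mapping from Table 3 using the three fields of the One-to-One NAT page (Private Range Begin, Public Range Begin, Range Length) and flags the configuration error the note above warns about. The class and method names, the overlap check and the IPv4 bounds guard are assumptions.

```python
from ipaddress import IPv4Address
from typing import List, Optional


class OneToOneNatRange:
    """One entry added with Add Range: Private Range Begin, Public Range Begin
    and Range Length. The n-th private address maps to the n-th public one."""

    def __init__(self, private_begin: str, public_begin: str, length: int) -> None:
        if length < 1:
            raise ValueError("Range Length must be at least 1")
        self.private_begin = IPv4Address(private_begin)
        self.public_begin = IPv4Address(public_begin)
        self.length = length
        # Guard (assumption, not from the guide): the range must fit in IPv4 space.
        if int(self.public_begin) + length - 1 > 0xFFFFFFFF:
            raise ValueError("public range runs past 255.255.255.255")

    @property
    def public_end(self) -> IPv4Address:
        return self.public_begin + (self.length - 1)

    def public_for(self, private_ip: IPv4Address) -> Optional[IPv4Address]:
        """External address of a LAN host, or None if it is outside this range."""
        offset = int(private_ip) - int(self.private_begin)
        if 0 <= offset < self.length:
            return self.public_begin + offset
        return None

    def contains_public(self, ip: IPv4Address) -> bool:
        return self.public_begin <= ip <= self.public_end


class OneToOneNatTable:
    """The appliance's One-to-One NAT ranges plus its NAT public address."""

    def __init__(self, nat_public_address: str) -> None:
        self.nat_public = IPv4Address(nat_public_address)
        self.ranges: List[OneToOneNatRange] = []

    def add_range(self, private_begin: str, public_begin: str, length: int) -> None:
        new = OneToOneNatRange(private_begin, public_begin, length)
        # Two ranges claiming the same public address would be ambiguous (assumption).
        for existing in self.ranges:
            if (new.public_begin <= existing.public_end
                    and existing.public_begin <= new.public_end):
                raise ValueError("public range overlaps an existing range")
        self.ranges.append(new)

    def accessed_via(self, lan_ip: str) -> str:
        """Reproduce the 'Accessed Via' column of Table 3 for one LAN host."""
        ip = IPv4Address(lan_ip)
        for r in self.ranges:
            public = r.public_for(ip)
            if public is None:
                continue
            if public == self.nat_public:
                # Mapped onto the address already used for many-to-one NAT.
                return "Inaccessible, NAT public IP address"
            return str(public)
        return "No corresponding IP address"

    def violations(self) -> List[str]:
        """Ranges that break the note: the NAT Public IP must not be in a range."""
        return [
            f"range {r.public_begin}-{r.public_end} includes NAT public address {self.nat_public}"
            for r in self.ranges if r.contains_public(self.nat_public)
        ]


if __name__ == "__main__":
    # The guide's example: ISP block 209.19.28.16-31, with .16 as the NAT public address.
    table = OneToOneNatTable("209.19.28.16")
    table.add_range("192.168.168.1", "209.19.28.16", 16)
    for host in ("192.168.168.1", "192.168.168.2", "192.168.168.16", "192.168.168.17"):
        print(host, "->", table.accessed_via(host))
    print(table.violations())
```

Starting the range at 192.168.168.2 / 209.19.28.17 with a length of 15 keeps the same hosts reachable without mapping anything onto the NAT public address.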
Configuring Ethernet Settings
This section describes how to configure Ethernet settings on each port of the
SonicWALL appliance(s).
The Ethernet Settings screen is only available on SonicWALL 6.x.x.x firmware
versions and SonicOS Standard firmware versions.
To configure Ethernet settings, perform the following steps:
1. Expand the Network tree and click Ethernet. The Ethernet page displays.
2. Select from the following WAN Link Settings:
– To configure the WAN link to automatically negotiate Ethernet
settings, select Auto Negotiate.
– To specify WAN link settings, select Force and select the speed and
duplex settings.
3. Select from the following OPT Link Settings:
– To configure the OPT link to automatically negotiate Ethernet settings,
select Auto Negotiate.
– To specify OPT link settings, select Force and select the speed and
duplex settings.
4. Select from the following LAN Link Settings:
– To configure the LAN link to automatically negotiate Ethernet settings,
select Auto Negotiate.
– To specify LAN link settings, select Force and select the speed and
duplex settings.
5. If you are managing the Ethernet connection from the LAN (WorkPort) side
of your network, select the Proxy Management Workstation Ethernet
Address on WAN check box. The SonicWALL appliance will take the
Ethernet address of the computer that is managing the SonicWALL
appliance and will proxy the address on the WAN port of the SonicWALL.
If you are not managing the SonicWALL appliance from the LAN side of
your network, the firmware looks for a random computer on the LAN, which
can be a lengthy search process.
6. To limit the size of packets sent over the Ethernet WAN interface, select
the Fragment Outbound Packets Larger than the WAN MTU check box
and enter the maximum size in the WAN MTU field.
If the maximum transmission unit (MTU) size is too large for a remote
router, it may require more transmissions. If the packet size is too small,
this could result in more packet header overhead and more
acknowledgements that have to be processed. The default WAN MTU is
1,500 bytes.
7. To enable bandwidth management, select the Enable check box and enter
the bandwidth of the connection in the Available Bandwidth field.
8. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring ARP
Note
ARP settings are identical in SonicOS Standard and Enhanced. For
configuration information, see “Configuring ARP” on page 203 in the
SonicOS Enhanced section of this chapter.
CHAPTER 11
Configuring UTM Appliance Settings
The UTM settings in SonicWALL GMS are different for SonicWALL security
appliances running SonicOS Enhanced and Standard. The following sections
describe how to configure UTM settings for each of the operating systems:
• “Understanding the Network Access Rules Hierarchy” section on
page 235
• “Configuring Firewall Settings in SonicOS Enhanced” section on page 237
• “Configuring Firewall Settings in SonicOS Standard” section on page 269
Understanding the Network Access Rules Hierarchy
To determine whether packets are allowed through the UTM appliance, each
SonicWALL checks the destination IP address, source IP address, and port
against the firewall rules.
Note
Firewall rules take precedence over the default UTM functions.
Because it is possible to disable all protection or block all access to
the Internet, use caution when creating or deleting network access
rules.
Network access rules do not disable protection from Denial of
Service attacks such as SYN Flood, Ping of Death, LAND, and so
on. However, it is possible to create vulnerabilities to attacks that
exploit application weaknesses.
It is important to consider the purpose and ramifications of a rule before
adding it to the firewall rule list. Use the following guidelines to determine the
rule logic:
• What is the purpose of the rule? For example, “This rule will restrict all
Internet Relay Chat (IRC) access from the LAN (WorkPort) to the Internet.”
Or, “This rule will allow a remote Lotus Notes server to synchronize with
our internal Notes server via the Internet.”
• Will the rule allow or deny traffic?
• What is the flow of the traffic: LAN (WorkPort) to Internet or Internet to LAN
(WorkPort)?
• Which IP services will be affected?
• Which computers on the LAN (WorkPort) will be affected?
• Which computers on the Internet will be affected? Be as specific as
possible. For example, if traffic is being allowed from the Internet to the
LAN (WorkPort), it is better to only allow specific computers to access the
LAN or WorkPort.
After determining the logic of the rule, consider the ramifications:
• Will this rule stop LAN (WorkPort) users from accessing important
resources on the Internet? For example, if IRC is blocked, are there users
who require this service?
• Can the rule be modified to be more specific? For example, if IRC is
blocked for all users, will a rule that only blocks certain users be more
effective?
• Will this rule allow Internet users to access LAN or WorkPort resources in
a way that makes the LAN vulnerable? For example, if NetBIOS ports
(UDP 137, 138, 139) are allowed from the Internet to the LAN, Internet
users may be able to connect to PCs that have file sharing enabled.
• Does this rule conflict with other rules?
The rule hierarchy uses two basic concepts:
• Specific rules override general rules.
• Equally specific Deny rules override Allow rules.
For example: a rule defining a specific service is more specific than the Default
rule; a defined Ethernet link, such as LAN (WorkPort) or WAN, is more
specific than * (all); and a single IP address is more specific than an IP
address range.
Rules are listed in the LAN (WorkPort) Interface window from most specific to
least specific, and rules at the top override rules listed below.
To illustrate this, consider the rules shown below:
Table 4 Sample Rules
#  Action  Service       Source                               Destination
1  Deny    Chat (IRC)    206.18.25.4 (LAN)                    148.178.90.55 (WAN)
2  Allow   Ping          199.2.23.0 - 199.2.23.255 (WAN)      206.18.25.4 (LAN)
3  Deny    Web (HTTP)    216.37.125.0 - 216.37.125.255 (WAN)  *
4  Allow   Lotus Notes   WAN                                  LAN (WorkPort)
5  Deny    News (NNTP)   LAN (WorkPort)                       *
6  Deny    Default       *                                    LAN (WorkPort)
7  Allow   Default       LAN (WorkPort)                       *
The Default Allow Rule (#7) at the bottom of the page allows all traffic from the
LAN (WorkPort) out to the WAN. However, Rule #5 blocks all NNTP traffic from
the LAN (WorkPort).
The Default Deny Rule (#6) blocks traffic from the WAN to the LAN (WorkPort).
However, Rule #4 overrides part of this rule by allowing Lotus Notes into the
LAN (WorkPort) from the WAN.
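An added example, not from the guide: a small Python evaluator loaded with the Table 4 rules that orders them as the hierarchy describes (specific before general, Deny before an equally specific Allow) and decides sample packets. The specificity scoring (single IP > range > interface > *, named service > Default), the implicit deny when nothing matches, and the constructed addresses 198.51.100.7 and 203.0.113.5 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Rule source or destination: an interface ("LAN", "WAN" or "*" for all),
    optionally narrowed to a single IP address or an IP address range."""
    zone: str = "*"
    first: Optional[IPv4Address] = None
    last: Optional[IPv4Address] = None

    def specificity(self) -> int:
        # Assumed scoring: single IP > range > interface only > * (all).
        if self.first is not None:
            return 3 if self.first == self.last else 2
        return 1 if self.zone != "*" else 0

    def matches(self, zone: str, ip: IPv4Address) -> bool:
        if self.zone not in ("*", zone):
            return False
        return self.first is None or self.first <= ip <= self.last


def single(zone: str, ip: str) -> Endpoint:
    return Endpoint(zone, IPv4Address(ip), IPv4Address(ip))


def ip_range(zone: str, first: str, last: str) -> Endpoint:
    return Endpoint(zone, IPv4Address(first), IPv4Address(last))


@dataclass(frozen=True)
class Packet:
    service: str
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "Allow" or "Deny"
    service: str       # a named service, or "Default" for any service
    source: Endpoint
    destination: Endpoint

    def specificity(self) -> int:
        named = 0 if self.service == "Default" else 1
        return named + self.source.specificity() + self.destination.specificity()

    def matches(self, pkt: Packet) -> bool:
        if self.service not in ("Default", pkt.service):
            return False
        return (self.source.matches(pkt.src_zone, IPv4Address(pkt.src_ip))
                and self.destination.matches(pkt.dst_zone, IPv4Address(pkt.dst_ip)))


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Most specific first; among equally specific rules, Deny precedes Allow."""
    return sorted(rules, key=lambda r: (-r.specificity(),
                                        0 if r.action == "Deny" else 1, r.number))


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule in hierarchy order."""
    for rule in order_rules(rules):
        if rule.matches(pkt):
            return rule.action, rule.number
    return "Deny", None   # assumption: nothing matched, so the packet is dropped


# The rules from Table 4.
SAMPLE_RULES = [
    Rule(1, "Deny", "Chat (IRC)", single("LAN", "206.18.25.4"), single("WAN", "148.178.90.55")),
    Rule(2, "Allow", "Ping", ip_range("WAN", "199.2.23.0", "199.2.23.255"), single("LAN", "206.18.25.4")),
    Rule(3, "Deny", "Web (HTTP)", ip_range("WAN", "216.37.125.0", "216.37.125.255"), Endpoint()),
    Rule(4, "Allow", "Lotus Notes", Endpoint("WAN"), Endpoint("LAN")),
    Rule(5, "Deny", "News (NNTP)", Endpoint("LAN"), Endpoint()),
    Rule(6, "Deny", "Default", Endpoint(), Endpoint("LAN")),
    Rule(7, "Allow", "Default", Endpoint("LAN"), Endpoint()),
]

if __name__ == "__main__":
    print("hierarchy order:", [r.number for r in order_rules(SAMPLE_RULES)])
    # Constructed packets; 198.51.100.7 is a documentation-range address.
    for pkt in (Packet("News (NNTP)", "LAN", "206.18.25.4", "WAN", "198.51.100.7"),
                Packet("Lotus Notes", "WAN", "198.51.100.7", "LAN", "206.18.25.4"),
                Packet("Web (HTTP)", "WAN", "216.37.125.10", "LAN", "206.18.25.4")):
        print(pkt.service, pkt.src_zone, "->", pkt.dst_zone, decide(SAMPLE_RULES, pkt))
```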
Configuring Firewall Settings in SonicOS Enhanced
The following sections describe how to configure UTM settings in SonicOS
Enhanced:
• “Configuring Firewall Rules in SonicOS Enhanced” on page 238
• “Configuring Multicast Settings” on page 247
• “Configuring Advanced Firewall Settings” on page 245
• “Configuring Voice over IP Settings” on page 249
• “Configuring TCP Settings” on page 251
• “Configuring Quality of Service Mapping” on page 254
• “Configuring SSL Control” on page 265
Configuring Firewall Rules in SonicOS Enhanced
To configure rules for SonicOS Enhanced, the service or service group that the
rule will apply to must first be defined. If it is not, you can define the service or
service group and then create one or more rules for it.
To create one or more rules for the service, see “Configuring Access Rules”
on page 238.
To configure a service or service group, see “Configuring Service Objects” on
page 242 and “Adding a Service Group” on page 244.
Configuring Access Rules
The following procedure describes how to add, modify, reset to defaults, or
delete firewall rules for UTM appliances running SonicOS Enhanced. For
appliances running SonicOS Enhanced, GMS supports paginated navigation
and sorting by column header on the Access Rules screen. In the Access
Rules table, you can click the column header to use for sorting. An arrow is
displayed to the right of the selected column header. You can click the arrow
to reverse the sorting order of the entries in the table.
By hovering your mouse over entries on the Access Rules screen, you can
display information about an object, such as an Address Object or Service.
To configure an access rule, perform the following steps:
238
1.
Select the global icon, a group, or a SonicWALL appliance.
2.
Expand the UTM tree and click Access Rules. The Access Rules page
displays. The Firewall > Access Rules page enables you to select
multiple views of Access Rules, including Drop-down boxes, Matrix, and
SonicWALL GMS 6.0 Administrator’s Guide
Configuring Firewall Settings in SonicOS Enhanced
All Rules. The default view is the Matrix View which provides a matrix of
source and destination nodes between LAN, WAN, VPN, Multicast, and
WLAN.
3.
From the Matrix View, click the Edit icon ( ). for the source and
destination interfaces for which you will configure a rule. The Access
Rules table for that interface pair displays.
4.
Below the Access Rules table, click Add Rule. The Add Rule dialog box
displays.
5.
Select whether access to this service will be allowed or denied.
Note
If a policy has a “No-Edit” policy action, the Action radio buttons will
not be editable.
6. Select a service from the Service Name list box. If the service
does not exist, see “Configuring Service Objects” on page 242.
7. Select the source Address Object from the Source list box.
8. Select the destination Address Object from the Destination list box.
9. Specify if this rule applies to all users or to an individual user or group in
the Users Allowed list box.
10. Specify when the rule will be applied by selecting a schedule or Schedule
Group from the Schedule list box. If the rule will always be applied, select
Always on. If the schedule does not exist, see “Configuring Schedules”
on page 141.
11. To enable logging for this rule, select the Logging check box.
12. Check the Allow Fragmented Packets checkbox to allow fragmented
packets.
Caution
Fragmented packets are used in certain types of Denial of Service
attacks and, by default, are blocked. You should only enable the
Allow Fragmented Packets check box if users are experiencing
problems accessing certain applications and the SonicWALL logs
show many dropped fragmented packets.
13. Add any comments to the Comment field.
14. Click the Advanced tab.
15. Specify how long (in minutes) TCP connections may remain idle before the
connection is terminated in the TCP Connectivity Inactivity Timeout
field.
16. Specify how long (in seconds) UDP connections may remain idle before
the connection is terminated in the UDP Connectivity Inactivity Timeout
field.
17. Specify the percentage of the maximum connections this rule is to allow in
the Number of connections allowed (% of maximum connections)
field.
18. Click the QoS tab. For information on configuring the QoS tab, see
“Configuring Quality of Service Mapping” on page 254.
19. Click the Bandwidth tab. The Bandwidth page displays.
20. SonicWALL appliances can manage inbound and outbound traffic on the
primary WAN interface using bandwidth management.
21. To enable outbound bandwidth management for this service, select the
Enable Outbound Bandwidth Management check box.
Enter the amount of bandwidth that will always be available to this service
in the Guaranteed Bandwidth field, and select either % or Kbps in the
drop-down list. Keep in mind that this bandwidth will be permanently
assigned to this service and not available to other services, regardless of
the amount of bandwidth this service does or does not use.
Enter the maximum amount of bandwidth that will be available to this
service in the Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box.
Select a priority from 0 (highest) to 7 (lowest).
22. To enable inbound bandwidth management for this service, select the
Enable Inbound Bandwidth Management check box.
Enter the amount of bandwidth that will always be available to this service
in the Guaranteed Bandwidth field, and select either % or Kbps in the
drop-down list. Keep in mind that this bandwidth will be permanently
assigned to this service and not available to other services, regardless of
the amount of bandwidth this service does or does not use.
Enter the maximum amount of bandwidth that will be available to this
service in the Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box.
Select a priority from 0 (highest) to 7 (lowest).
Note
In order to configure bandwidth management for this service,
bandwidth management must be enabled on the SonicWALL
appliance. For information on configuring bandwidth management
in SonicOS Standard, see “Configuring Ethernet Settings” on
page 231. For SonicOS Enhanced, see “Overview of Interfaces” on
page 153.
23. To track bandwidth usage for this service, select the Enable Tracking
Bandwidth Usage check box.
24. To add this rule to the rule list, click OK. You are returned to the Access
Rules page.
25. If the network access rules have been modified or deleted, you can restore
the Default Rules. The Default Rules prevent malicious intrusions and
attacks, block all inbound IP traffic and allow all outbound IP traffic. To
restore the network access rules to their default settings, click Restore
Rules to Defaults and then click Update. A task is scheduled to update
the rules page for each selected SonicWALL appliance.
26. To modify a rule, click its Edit icon. The Add/Modify Rule dialog box
displays. When you are finished making changes, click OK.
SonicWALL GMS creates a task that modifies the rule for each selected
SonicWALL appliance.
27. To enable logging for a rule, select its Logging check box.
28. To disable a rule without deleting it, deselect its Enable check box.
29. To delete a rule, click its trash can icon. SonicWALL GMS creates a task
that deletes the rule for each selected SonicWALL appliance.
Configuring Service Objects
A Service Object is a protocol/port range combination that defines a service.
A Service Group is a group of services that, once defined, enable you to
quickly establish firewall rules without manually configuring each service.
By default, a large number of services are pre-defined. GMS supports
paginated navigation and sorting by column header in the Service Objects screen.
In any of the tables, you can click the column header to use for sorting. An arrow
is displayed to the right of the selected column header. You can click the arrow to
reverse the sorting order of the entries in the table.
To add a service, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance running
SonicOS Enhanced.
2. Expand the Firewall tree and click Service Objects.
3. To add a service in the Custom Services section, click Add Service.
4. Enter the name of the service in the Name field.
5. Select the type of protocol from the Protocol drop-down list.
6. Enter the starting and ending port for the service in the Port Range fields.
For a service that uses a single port, type the port number into the first field.
7. Click OK. The service is added and appears in the Custom Services
section.
Note
Although most default services cannot be edited or deleted, you can
edit or delete custom services by clicking the Edit or Trashcan
buttons that correspond to the desired custom service.
Editing Custom Services
Click the Edit icon under Configure to edit the service in the Edit Service
window, which includes the same configuration settings as the Add Service
window.
Deleting Custom Services
Click the Trashcan icon to delete an individual custom service. You can
delete all custom services by selecting the checkboxes on the left-hand side
of the rows under Custom Services, and then clicking UPDATE.
Adding a Service Group
A Service Group is a group of services that can be used to quickly apply rules
to large numbers of services without individually configuring each service. By
default, many Service Groups are pre-defined. To add a new Service Group,
perform the following steps:
1. To add a service group, click the Add Group button on the Service
Objects page. The Add Service Group dialog box displays.
2. Enter a name for the service group in the Name field.
3. To add a service, select it and click the right arrow button.
4. To remove a service, select it and click the left arrow button.
5. Click OK. The service group is added.
Note
Service Groups can be edited or deleted by clicking the Edit or
Trashcan icons that correspond to the desired Service Group.
Editing Custom Service Groups
Click the Edit icon under Configure to edit the custom service group in
the Edit Service Group window, which includes the same configuration
settings as the Add Service Group window.
Deleting Custom Service Groups
Click the Trashcan icon to delete the individual custom service group
entry. You can delete all custom service groups by selecting the checkboxes
on the left-hand side of the rows under Custom Service Groups, and then
clicking UPDATE.
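The following Python program is an added example, not part of the SonicWALL GMS documentation or product. It models how an Access Rule built from the Service Objects, Service Groups and Address Objects described in the preceding sections is evaluated: the first matching enabled rule wins, a Service Group may nest other groups, a single-port service fills only the first Port Range field, and a fragmented packet passes only a rule on which Allow Fragmented Packets is selected. The class names, the CIDR address objects and the rule set are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

# Constructed model of the objects the Access Rules and Service Objects pages
# expose. Class and field names are assumptions for illustration only.


@dataclass(frozen=True)
class ServiceObject:
    """Protocol/port-range combination, as entered on the Add Service dialog."""
    name: str
    protocol: str                   # "tcp", "udp", "icmp"
    port_start: int = 0
    port_end: Optional[int] = None  # None: single port (only the first field filled)

    def matches(self, protocol: str, port: int) -> bool:
        end = self.port_start if self.port_end is None else self.port_end
        return protocol == self.protocol and self.port_start <= port <= end


@dataclass(frozen=True)
class ServiceGroup:
    """A Service Group may contain Service Objects and other Service Groups."""
    name: str
    members: Tuple[Union[ServiceObject, "ServiceGroup"], ...]

    def matches(self, protocol: str, port: int) -> bool:
        return any(m.matches(protocol, port) for m in self.members)


@dataclass(frozen=True)
class AccessRule:
    action: str                                            # "allow" or "deny"
    service: Optional[Union[ServiceObject, ServiceGroup]]  # None means Any
    source: str                                            # CIDR or "any"
    destination: str                                       # CIDR or "any"
    enabled: bool = True
    allow_fragments: bool = False                          # Allow Fragmented Packets
    logging: bool = False
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int
    fragment: bool = False


def _addr_match(obj: str, addr: str) -> bool:
    return obj == "any" or ip_address(addr) in ip_network(obj, strict=False)


def evaluate(rules, pkt: Packet):
    """First enabled rule whose source, destination and service all match
    decides the packet; fragments only pass rules that explicitly allow them.
    Returns (action, matched_rule_or_None, should_log)."""
    for rule in rules:
        if not rule.enabled:
            continue
        if not _addr_match(rule.source, pkt.src) or not _addr_match(rule.destination, pkt.dst):
            continue
        if rule.service is not None and not rule.service.matches(pkt.protocol, pkt.dport):
            continue
        if pkt.fragment and not rule.allow_fragments:
            return "deny", rule, True           # fragments are blocked by default
        return rule.action, rule, rule.logging
    return "deny", None, True                   # nothing matched: inbound default is deny


# Constructed objects: single-port services, a nested group and a WAN->DMZ rule set.
HTTP = ServiceObject("HTTP", "tcp", 80)
HTTPS = ServiceObject("HTTPS", "tcp", 443)
RDP = ServiceObject("Remote Desktop", "tcp", 3389)
WEB = ServiceGroup("Web", (HTTP, HTTPS))
PUBLIC_SERVICES = ServiceGroup(
    "Public Services", (WEB, ServiceObject("Passive FTP data", "tcp", 50000, 50100)))

WAN_TO_DMZ_RULES = (
    AccessRule("allow", PUBLIC_SERVICES, "any", "10.0.0.0/24", logging=True, comment="public web/FTP"),
    AccessRule("allow", RDP, "198.51.100.0/24", "10.0.0.10/32", comment="admin jump host"),
    AccessRule("deny", None, "any", "any", logging=True, comment="explicit default deny"),
)


def decide(pkt: Packet, rules=WAN_TO_DMZ_RULES) -> str:
    """Human-readable verdict for one packet against the constructed rule set."""
    action, rule, log = evaluate(rules, pkt)
    why = rule.comment if rule is not None else "no matching rule"
    return f"{action} ({why}{', logged' if log else ''})"
```

The nested group shows why a rule on "Public Services" needs no per-port editing when HTTP and HTTPS are later joined by a third service: only the group changes. The fragment branch is the reason the Caution above warns that enabling Allow Fragmented Packets should be a deliberate, per-rule exception.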
Configuring Advanced Firewall Settings
To configure advanced access settings, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance running
SonicOS Enhanced.
2. Expand the Firewall tree and click Advanced. The Advanced page
displays.
3. To enable stealth mode, select the Enable Stealth Mode check box.
During normal operation, SonicWALL appliances respond to incoming
connection requests as either “blocked” or “open.” During stealth
operation, SonicWALL appliances send no response at all for blocked
inbound requests, so port scanners cannot distinguish a filtered port from
an unused address, making the appliances “invisible” to potential hackers.
4. To configure the SonicWALL appliance(s) to generate random IP IDs,
select the Randomize IP ID check box. This prevents hackers from using
various detection tools to “fingerprint” IP IDs and detect the presence of a
SonicWALL appliance.
5. Select Decrement IP TTL for forwarded traffic to decrease the
Time-to-live (TTL) value for packets that have been forwarded and
therefore have already been in the network for some time. TTL is a value
in an IP packet that tells a network router whether or not the packet has
been in the network too long and should be discarded.
6. Select Never generate ICMP Time-Exceeded packets if you do not want
the SonicWALL appliance to generate these reporting packets. The
SonicWALL appliance generates Time-Exceeded packets to report when
it has dropped a packet because its TTL value has decreased to zero.
7. Select the dynamic ports that will be supported from the Dynamic Ports
area:
– Enable support for Oracle (SQLNet)—Select if you have Oracle
applications on your network.
– Enable support for Windows Messenger—Select this option to
support special SIP messaging used in Windows Messenger on
Windows XP.
– Enable RTSP Transformations—Select this option to support
on-demand delivery of real-time data, such as audio and video. Real
Time Streaming Protocol (RTSP) is an application-level protocol for
control over delivery of data with real-time properties.
8. The Drop Source Routed Packets check box is selected by default. Clear
the check box only if you are testing traffic between two specific hosts and
you are using source routing.
9. Select Disable Anti-Spyware, Gateway AV and IPS Engine if you want
to enable more connections at the expense of the Gateway Anti-Virus and
Intrusion Prevention services. This is generally not recommended
because it opens the SonicWALL security appliance to possible threats.
10. To specify how long the SonicWALL appliance(s) wait before closing
inactive TCP connections outside the LAN, enter the amount of time in the
Default Connection Timeout field (default: 25 minutes). The Connection
Inactivity Timeout option closes connections outside the LAN if they are
idle for a specified period of time. Without this timeout, connections can
stay open indefinitely and create potential security holes.
11. Select the Force inbound and outbound FTP data connections to use
default port 20 check box to specify that any FTP data connection
through the SonicWALL must come from port 20 or the connection will be
dropped and logged. By default, FTP connections from port 20 are
allowed, but remapped to outbound traffic ports such as 1024.
12. Under IP, UDP Checksum Enforcement, select one or both checkboxes
to force the SonicWALL to perform checksums on IP packet headers and
on UDP packets. Packets with invalid checksums will be dropped. This
helps to prevent attacks that involve falsification of header fields that
define important characteristics of the packet.
13. To specify how long the SonicWALL appliance(s) wait before closing
inactive UDP connections outside the LAN, enter the amount of time in the
Default UDP Connection Timeout field.
14. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
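The two IP, UDP Checksum Enforcement check boxes in step 12 can be reproduced in a few lines. The following Python program is an added example, not SonicWALL code: it builds a constructed IPv4/UDP packet, validates the header and UDP checksums the way an enforcing firewall would, and shows which corruption each check box catches. The zero UDP checksum case (RFC 768 lets an IPv4 sender omit the checksum) is handled separately, because a strict policy may choose to drop it.

```python
import struct

# Added example: IP header and UDP checksum validation as the "IP, UDP Checksum
# Enforcement" options describe. The packet bytes below are constructed, not captured.


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data whose checksum field is zero."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a well-formed IPv4/UDP packet with both checksums filled in."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 17, udp_len)
    udp_ck = checksum(pseudo + udp) or 0xFFFF     # RFC 768: a computed zero is sent as all ones
    udp = udp[:6] + struct.pack("!H", udp_ck) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, ttl, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def ip_header_ok(pkt: bytes) -> bool:
    """A header is valid when it sums to all ones with its checksum field included."""
    ihl = (pkt[0] & 0x0F) * 4
    return _ones_complement_sum(pkt[:ihl]) == 0xFFFF


def udp_checksum_ok(pkt: bytes, allow_zero: bool = True) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    udp = pkt[ihl:ihl + udp_len]
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return allow_zero          # zero means the sender computed no checksum at all
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 17, udp_len)
    return _ones_complement_sum(pseudo + udp) == 0xFFFF


def enforce(pkt: bytes, ip_check: bool = True, udp_check: bool = True) -> str:
    """Mirror of the two enforcement check boxes: 'pass' or the drop reason."""
    if ip_check and not ip_header_ok(pkt):
        return "drop: bad IP header checksum"
    if udp_check and pkt[9] == 17 and not udp_checksum_ok(pkt):
        return "drop: bad UDP checksum"
    return "pass"


# Constructed DNS-like query and three variants: altered TTL (header field falsified),
# altered payload byte (UDP content tampered), and a sender that omitted the UDP checksum.
GOOD = build_ipv4_udp("192.0.2.10", "198.51.100.53", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
BAD_IP = GOOD[:8] + bytes([1]) + GOOD[9:]
BAD_UDP = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])
ZERO_CK = GOOD[:26] + b"\x00\x00" + GOOD[28:]
```

Note that the IP header check only protects the header fields (length, protocol, addresses); the UDP check covers the pseudo-header and payload, which is why both options exist and why the page describes them as catching "falsification of header fields".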
Configuring Multicast Settings
To configure multicast settings, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
At unit level, the Multicast screen is available only for UTM appliances with
SonicOS Enhanced firmware version 2.5 and higher.
2. Expand the Firewall tree and click Multicast. The Multicast page
displays.
3. To enable multicast, select the Enable Multicast check box.
4. Configure the following options:
– Require IGMP Membership reports for multicast data
forwarding—This checkbox is enabled by default. Select this
checkbox to improve performance by forwarding multicast data
only to interfaces that belong to an enabled multicast group
address.
– Multicast state table entry timeout (minutes)—This field has a
default of 5. The value range for this field is 5 to 60 (minutes). Increase
the value if you have a client that is not sending reports periodically.
5. Select one of the following:
– To receive all (class D) multicast addresses, select Enable reception
of all multicast addresses. Receiving all multicast addresses may
cause your network to experience performance degradation.
– To enable reception only for specific multicast addresses (the default),
select Enable reception for the following multicast addresses and
select Create a new multicast object or Create new multicast
group from the list box.
6. To view the IGMP State Information, click Request IGMP State
Information. The following information displays:
– Multicast Group Address—Provides the multicast group address the
interface is joined to.
– Interface / VPN Tunnel—Provides the interface (such as X0) or the
VPN policy.
– IGMP Version—Provides the IGMP version (such as V2 or V3).
– Time Remaining—Provides the time left before the entry expires. This is
calculated by subtracting the time elapsed since the multicast address was
added from the “Multicast state table entry timeout (minutes)” value, which
has the default value of 5 minutes.
7.
When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring Voice over IP Settings
To configure Voice over IP (VoIP) settings, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click VoIP. The VoIP page displays.
3. To enable secure NAT, select the Use secure NAT check box.
4. Select Enable SIP Transformations to support translation of Session
Initiation Protocol (SIP) messages.
Tip
By default, NAT translates Layer 3 addresses, but does not translate
Layer 5 SIP/SDP addresses. Unless there is another NAT traversal
solution that requires this feature to be turned off, it is highly
recommended to enable SIP transformations.
After enabling SIP transformations, configure the following options:
– Select Permit non-SIP packets on signaling port to enable
applications such as Apple iChat and MSN Messenger, which use the
SIP signaling port for additional proprietary messages. Enabling this
checkbox may open your network to malicious attacks caused by
malformed or invalid SIP traffic. This checkbox is disabled by default.
– (SonicOS Enhanced only) Select the Enable SIP Back-to-Back User
Agent (B2BUA) support setting when the SonicWALL security
appliance can see both legs of a voice call (for example, when a phone
on the LAN calls another phone on the LAN). This setting should only
be enabled when the SIP Proxy Server is being used as a B2BUA.
Tip
If there is not the possibility of the SonicWALL security appliance
seeing both legs of voice calls (for example, when calls will only be
made to and received from phones on the WAN), the Enable SIP
Back-to-Back User Agent (B2BUA) support setting should be
disabled to avoid unnecessary CPU usage.
– SIP Signaling inactivity time out (seconds)—Specifies the period of
time that must elapse before timing out an inactive SIP session if no
SIP signaling occurs (default: 1800 seconds or 30 minutes).
– SIP Media inactivity time out (seconds)—Specifies the period of
time that must elapse before timing out an inactive SIP session if no
media transfer activity occurs (default: 120 seconds or 2 minutes).
– The Additional SIP signaling port (UDP) for transformations
setting allows you to specify a nonstandard UDP port used to carry
SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP
port 5060. However, a number of commercial VoIP services use
different ports, such as 1560. Using this setting, the security appliance
performs SIP transformation on these non-standard ports.
Tip
Vonage’s VoIP service uses UDP port 5061.
5. Select Enable H.323 Transformations to allow stateful H.323
protocol-aware packet content inspection and modification by the
SonicWALL. The SonicWALL performs any dynamic IP address and
transport port mapping within the H.323 packets, which is necessary for
communication between H.323 parties in trusted and untrusted
networks/zones. Clear this check box to bypass the H.323 specific
processing performed by the SonicWALL.
After enabling H.323 transformations, configure the following options:
– Only accept incoming calls from Gatekeeper—When selected, only
incoming calls from the specified Gatekeeper IP address will be accepted.
– Enable LDAP ILS Support—When selected, the SonicWALL
appliance will support Lightweight Directory Access Protocol (LDAP)
and Microsoft NetMeeting’s Internet Locator Service (ILS).
– H.323 Signaling/Media inactivity time out (seconds)—Specifies
how long the SonicWALL appliance waits before closing a connection
when no activity is occurring.
– Default WAN/DMZ Gatekeeper IP Address—Specifies the IP
address of the H.323 Gatekeeper that acts as a proxy server between
clients on the private network and the Internet.
6. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
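The Tip in step 4 says that NAT rewrites layer 3 addresses but leaves the SIP/SDP addresses at layer 5 alone. The following Python program is an added example, not SonicWALL code, showing what a SIP transformation has to do to a constructed INVITE from a phone at an assumed private address 10.10.1.5 behind an assumed WAN address 203.0.113.10: rewrite the Via and Contact headers and the SDP o= and c= lines, correct Content-Length (the address lengths differ), record the RTP/RTCP media ports that must be opened for the call, and apply the Permit non-SIP packets on signaling port decision. The set of headers rewritten and the signaling port set are simplifications of what an appliance does.

```python
import re

# Added example of SIP/SDP address translation. Addresses, ports and the INVITE
# are constructed; nothing here is captured from a real call.

INSIDE = "10.10.1.5"        # assumed private address of the LAN phone
OUTSIDE = "203.0.113.10"    # assumed WAN address the phone is NATed to
SIGNALING_PORTS = {5060}    # add the "Additional SIP signaling port" value here if set

SDP_LINES = [
    "v=0",
    f"o=alice 2890844526 2890844526 IN IP4 {INSIDE}",
    "s=-",
    f"c=IN IP4 {INSIDE}",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
]


def build_sample_invite() -> str:
    """Constructed INVITE as the phone sends it, before NAT."""
    body = "\r\n".join(SDP_LINES) + "\r\n"
    headers = [
        "INVITE sip:bob@example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {INSIDE}:5060;branch=z9hG4bK776asdhds",
        "From: Alice <sip:alice@example.net>;tag=1928301774",
        "To: Bob <sip:bob@example.net>",
        f"Call-ID: a84b4c76e66710@{INSIDE}",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:alice@{INSIDE}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def is_sip(payload: str) -> bool:
    """A SIP datagram starts with a request line or a status line."""
    first = payload.split("\r\n", 1)[0]
    return first.startswith("SIP/2.0 ") or re.match(r"^[A-Z]+ \S+ SIP/2\.0$", first) is not None


def body_of(msg: str) -> str:
    return msg.partition("\r\n\r\n")[2]


def content_length(msg: str) -> int:
    m = re.search(r"(?im)^Content-Length:\s*(\d+)", msg)
    return int(m.group(1)) if m else -1


def transform(msg: str, inside: str = INSIDE, outside: str = OUTSIDE):
    """Rewrite the private address in the routing headers and in the SDP
    origin/connection lines, fix Content-Length, and return the media
    pinholes (RTP port and RTP+1 for RTCP) the firewall must open."""
    head, _, body = msg.partition("\r\n\r\n")
    new_head = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "v", "contact", "m", "record-route", "route"):
            line = line.replace(inside, outside)     # Call-ID is an identifier, not rewritten
        new_head.append(line)
    new_body, pinholes = [], []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = line.replace(inside, outside)
        elif line.startswith("m="):
            port = int(line.split()[1])
            pinholes += [(inside, port), (inside, port + 1)]
        new_body.append(line)
    body_out = "\r\n".join(new_body)
    head_out = re.sub(r"(?im)^Content-Length:\s*\d+",
                      f"Content-Length: {len(body_out)}", "\r\n".join(new_head))
    return head_out + "\r\n\r\n" + body_out, pinholes


def handle_signaling_port(payload: str, dport: int, permit_non_sip: bool = False) -> str:
    """Traffic on a signaling port is transformed if it is SIP; anything else is
    dropped unless "Permit non-SIP packets on signaling port" is selected."""
    if dport not in SIGNALING_PORTS:
        return "not a signaling port"
    if is_sip(payload):
        return "transform"
    return "pass untransformed" if permit_non_sip else "drop"
```

The pinhole list is what makes the media flow: the SDP announces an RTP port the far end will send to, so without opening it (and tracking the SIP Media inactivity time out against it) the call would set up and then carry no audio.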
Configuring TCP Settings
To configure TCP settings, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
At unit level, the TCP Settings screen is available only for UTM appliances
with SonicOS Enhanced firmware version 3.0 and higher.
2. Expand the Firewall tree and click TCP Settings. The TCP Settings page
displays.
3. Select Enforce strict TCP compliance with RFC 793 and RFC 1122 to
force TCP traffic to comply with RFC 793 (TCP) and RFC 1122 (Internet
Hosts, including Link and IP layers) standards.
4. Select Enable TCP Checksum Validation to drop any packets with
invalid TCP checksums.
5. Enter a value for the Default TCP Connection Timeout. This is the
default inactivity timeout assigned to Access Rules for TCP traffic. If a TCP
session remains idle for a period in excess of this setting, the TCP
connection will be cleared by the SonicWALL.
Note
Setting excessively long connection time-outs will slow the
reclamation of stale resources, and in extreme cases could lead to
exhaustion of the connection cache.
6. Specify the Maximum Segment Lifetime to set the number of seconds
that any TCP packet is valid before it expires. This setting is also used to
determine the amount of time (calculated as twice the Maximum Segment
Lifetime, or 2MSL) that an actively closed TCP connection remains in the
TIME_WAIT state to ensure that the proper FIN / ACK exchange has
occurred to cleanly close the TCP connection.
7. Configure the Layer 3 SYN Flood Protection options. Select the desired
level of protection against half-opened TCP sessions and high-frequency
SYN packet transmissions:
– Watch and Report Possible SYN Floods—This option enables the
device to monitor SYN traffic on all interfaces on the device and to log
suspected SYN flood activity that exceeds a packet count threshold.
The feature does not turn on the SYN Proxy on the device so the
device forwards the TCP three-way handshake without modification.
This is the least invasive level of SYN Flood protection. Select this
option if your network is not in a high risk environment.
– Proxy WAN Client Connections When Attack is Suspected—This
option enables the device to enable the SYN Proxy feature on WAN
interfaces when the number of incomplete connection attempts per
second surpasses a specified threshold. This method ensures the
device continues to process valid traffic during the attack and that
performance does not degrade. Proxy mode remains enabled until all
WAN SYN flood attacks stop occurring or until the device blacklists all
of them using the SYN Blacklisting feature. This is the intermediate
level of SYN Flood protection. Select this option if your network
experiences SYN Flood attacks from internal or external sources.
– Always Proxy WAN Client Connections—This option sets the
device to always use SYN Proxy. This method blocks all spoofed SYN
packets from passing through the device. Note that this is an extreme
security measure and directs the device to respond to port scans on
all TCP ports because the SYN Proxy feature forces the device to
respond to all TCP SYN connection attempts. This can degrade
performance and can generate a false positive. Select this option only
if your network is in a high risk environment.
8. Configure the SYN Attack Threshold. The appliance gathers statistics on
WAN TCP connections, keeping track of the maximum and average
maximum incomplete WAN connections per second. Out of these
statistics, the device suggests a value for the SYN flood threshold in the
Suggested value calculated from gathered statistics field. Enter the
desired threshold for the number of incomplete connection attempts per
second before the device drops packets in the Attack Threshold field.
9. Configure the SYN-Proxy Options:
– All LAN/DMZ servers support the TCP SACK option—This
checkbox enables Selective ACK, where a packet can be dropped and
the receiving device indicates which packets it received. Enable this
checkbox only when you know that all servers covered by the UTM
appliance accessed from the WAN support the SACK option.
– Limit MSS sent to WAN clients (when connections are
proxied)—Enables you to enter the maximum TCP Maximum Segment
Size (MSS) value. If you specify an override value for the default of 1460,
this indicates that a segment of that size or smaller will be sent to the client
in the SYN/ACK cookie. Setting this value too low can decrease
performance when the SYN Proxy is always enabled. Setting this
value too high can break connections if the server responds with a
smaller MSS value.
– Maximum TCP MSS sent to WAN clients—The value of the MSS.
The default is 1460.
Note
When using Proxy WAN client connections, remember to set these
options conservatively since they only affect connections when a
SYN Flood takes place. This ensures that legitimate connections
can proceed during an attack.
– Always log SYN packets received—Logs all SYN packets received.
10. Configure the Layer 2 SYN/RST/FIN Flood Protection - MAC
Blacklisting options to configure how the appliance deals with devices
that exceed the SYN, RST, and FIN Blacklist attack threshold:
– Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec)—The
maximum number of SYN, RST, and FIN packets allowed per second.
The default is 1,000. This value should be larger than the SYN Proxy
threshold value because blacklisting attempts to thwart more vigorous
local attacks or severe attacks from a WAN network.
– Enable SYN/RST/FIN flood blacklisting on all interfaces—This
checkbox enables the blacklisting feature on all interfaces on the UTM
appliance.
– Never blacklist WAN machines—This checkbox ensures that
systems on the WAN are never added to the SYN Blacklist. This option
is recommended, as leaving it unchecked may interrupt traffic to and
from the UTM appliance’s WAN ports.
– Always allow SonicWALL management traffic—This checkbox
causes IP traffic from a blacklisted device targeting the UTM
appliance’s WAN IP addresses to not be filtered. This allows
management traffic and routing protocols to maintain connectivity
through a blacklisted device.
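The following Python program is an added example, not SonicWALL code, that models the behaviour described in steps 7 through 10 together: the three SYN Flood Protection levels, the Attack Threshold measured in incomplete WAN connections per second, the MSS carried in a SYN/ACK cookie when connections are proxied, and SYN/RST/FIN blacklisting with Never blacklist WAN machines. The thresholds, the MSS buckets, the cookie construction (HMAC over the 4-tuple and a time slot, MSS index in the low bits) and the traffic are assumptions; the appliance's actual cookie format is not documented on this page.

```python
import hashlib
import hmac
from collections import defaultdict

# Added example: a model of the SYN Flood Protection levels, the SYN Attack
# Threshold, the MSS carried in a SYN/ACK cookie, and SYN/RST/FIN blacklisting.
# Thresholds, traffic, MSS buckets and the secret are all constructed.

MSS_TABLE = (536, 1220, 1440, 1460)   # assumed buckets encoded in the cookie's low 2 bits


def mss_index(requested: int, limit: int = 1460) -> int:
    """Index of the largest bucket not above min(client's MSS, configured limit)."""
    allowed, idx = min(requested, limit), 0
    for i, m in enumerate(MSS_TABLE):
        if m <= allowed:
            idx = i
    return idx


def make_cookie(secret: bytes, src: str, dst: str, sport: int, dport: int, slot: int, idx: int) -> int:
    """ISN for the proxied SYN/ACK: keyed hash of the 4-tuple and time slot, MSS index in the low bits."""
    mac = hmac.new(secret, f"{src}|{dst}|{sport}|{dport}|{slot}".encode(), hashlib.sha256).digest()
    return (int.from_bytes(mac[:4], "big") & ~0x3) | idx


def check_cookie(secret: bytes, src: str, dst: str, sport: int, dport: int,
                 ack: int, now_slot: int, window: int = 1):
    """Validate the client's final ACK with no stored state; returns the MSS or None."""
    isn = (ack - 1) & 0xFFFFFFFF
    idx = isn & 0x3
    for slot in range(now_slot, now_slot - window - 1, -1):
        if make_cookie(secret, src, dst, sport, dport, slot, idx) == isn:
            return MSS_TABLE[idx]
    return None


class SynFloodMonitor:
    def __init__(self, mode: str, attack_threshold: int, blacklist_threshold: int = 1000,
                 never_blacklist_wan: bool = True):
        self.mode = mode                           # "watch", "proxy_on_attack" or "always"
        self.attack_threshold = attack_threshold   # incomplete WAN connections per second
        self.blacklist_threshold = blacklist_threshold
        self.never_blacklist_wan = never_blacklist_wan
        self.incomplete = defaultdict(int)         # second -> half-open WAN connections
        self.per_source = defaultdict(int)         # (second, src) -> SYN+RST+FIN count
        self.proxy_active = mode == "always"
        self.blacklist, self.events, self._logged = set(), [], set()

    def observe(self, t: float, src: str, zone: str, flag: str) -> None:
        sec = int(t)
        if flag in ("SYN", "RST", "FIN"):            # layer 2 blacklisting, any interface
            self.per_source[(sec, src)] += 1
            if (self.per_source[(sec, src)] > self.blacklist_threshold
                    and not (zone == "WAN" and self.never_blacklist_wan)):
                self.blacklist.add(src)
        if zone != "WAN":
            return
        if flag == "SYN":
            self.incomplete[sec] += 1
        elif flag == "ACK" and self.incomplete[sec] > 0:   # handshake completed
            self.incomplete[sec] -= 1
        rate = self.incomplete[sec]
        if rate <= self.attack_threshold or sec in self._logged:
            return
        if self.mode == "watch":                     # report only, handshake forwarded as-is
            self._logged.add(sec)
            self.events.append(f"{sec}: possible SYN flood, {rate} incomplete/s")
        elif self.mode == "proxy_on_attack" and not self.proxy_active:
            self.proxy_active = True
            self.events.append(f"{sec}: SYN proxy enabled on WAN interfaces")

    def handshake_mode(self) -> str:
        return "proxy" if self.proxy_active else "forward"


def simulate(mode: str = "proxy_on_attack") -> SynFloodMonitor:
    """Constructed traffic: a normal second, a spoofed flood, then two RST sprayers."""
    mon = SynFloodMonitor(mode, attack_threshold=100)
    for i in range(50):                           # second 0: 50 clients complete handshakes
        mon.observe(0.1 + i / 1000, f"198.51.100.{i}", "WAN", "SYN")
        mon.observe(0.5 + i / 1000, f"198.51.100.{i}", "WAN", "ACK")
    for i in range(300):                          # second 1: 300 SYNs that never complete
        mon.observe(1.0 + i / 1000, f"203.0.113.{i % 250}", "WAN", "SYN")
    for i in range(1500):                         # second 2: RST floods from LAN and WAN
        mon.observe(2.0 + i / 10000, "10.0.0.66", "LAN", "RST")
        mon.observe(2.0 + i / 10000, "192.0.2.9", "WAN", "RST")
    return mon
```

The cookie shows why the page warns about the MSS limit: the appliance answers the SYN without keeping state, so the only place it can remember the negotiated segment size is inside the sequence number it hands back, and a value the server later cannot honour breaks the connection. The simulation also shows the effect of Never blacklist WAN machines: the WAN sprayer is never blacklisted even though it exceeds the same threshold as the LAN host.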
Configuring Quality of Service Mapping
Quality of Service (QoS) adds the ability to recognize, map, modify, and
generate the industry-standard 802.1p and Differentiated Services Code
Points (DSCP) Class of Service (CoS) designators. When used in combination
with a QoS capable network infrastructure, SonicOS QoS features provide
predictability that is vital for certain types of applications, such as Voice over
IP (VoIP), multimedia content, or business-critical applications such as credit
card processing. To centrally manage the 802.1p-DSCP Mappings Table,
GMS now provides a new configuration found under the path Policies >
Firewalls > QoS Mapping.
Even the highest amounts of bandwidth ultimately are used to capacity at
some point by users on the network. Being able to manage bandwidth to
obtain the most efficient use from it is essential. Only QoS, when configured
and implemented correctly, properly manages traffic and guarantees the
desired levels of network service. Three concepts are central to the traffic
management provided by QoS:
– Classification
– Marking
– Conditioning
The following sections describe how to understand and configure QoS:
• “Working with Classification” on page 255
• “Working with Conditioning” on page 257
• “Working with 802.1p and DSCP QoS” on page 258
• “Working with DSCP Marking” on page 259
• “Configuring QoS” on page 261
• “Enabling 802.1p Tagging” on page 262
• “Creating a QoS Rule” on page 262
• “Configuring QoS Settings” on page 263
Working with Classification
Classification is necessary as a first step to identify traffic that needs to be
prioritized for optimal use. GMS uses access rules as the interface to
classification of traffic. This provides fine control using combination of Address
Object, Service Object, and Schedule Object elements, allowing for
classification criteria as general as all HTTP traffic and as specific as SSH
traffic from HostA to ServerB on Wednesdays at 2:12am.
GMS provides the ability to recognize, map, modify, and generate the
industry-standard external CoS designators, DSCP and 802.1p.
Once traffic is identified, or classified, it can be managed. Management can be
performed internally by SonicWALL BWM, which is effective as long as the
network is a fully contained autonomous system, that is, the endpoints of the
network and all entities in between are within your management. In that case
BWM works exactly as configured. Once external or intermediate elements are
introduced, for example, foreign network infrastructures with unknown
configurations or other hosts contending for bandwidth, the precision and
efficacy of BWM configurations can begin to degrade.
Once GMS classifies the traffic, it then tags it to communicate this
classification to certain external systems that are capable of abiding by CoS
tags. The external systems then can participate in providing QoS to traffic
passing through them.
Note
Many service providers do not support CoS tags such as 802.1p or
DSCP. Also, most network equipment with standard configurations
will not be able to recognize 802.1p tags, and could drop tagged
traffic.
Note
If you wish to use 802.1p or DSCP marking on your network or your
service provider’s network, you must first establish that these
methods are supported. Verify that your internal network equipment
can support CoS priority marking, and that it is correctly configured
to do so. Check with your service provider - some offer fee-based
support for QoS using these CoS methods.
Working with Marking
Once the traffic has been classified, if it is to be handled by QoS capable
external systems, it must be tagged to enable external systems to make use
of the classification, and provide correct handling and Per Hop Behaviors
(PHB). An example of a QoS capable external system is a CoS-aware switch
or router that might be available on a premium service provider’s
infrastructure, or on a private WAN.
Originally, this was attempted at the IP layer (layer 3) with RFC 791’s three
precedence bits and the RFC 1349 ToS (type of service) field, but this was not
widely used. Its successor, RFC 2474, introduced the more widely used DSCP
(Differentiated Services Code Point) which offers up to 64 classifications, in
addition to user-definable classes. DSCP was further enhanced by RFC 2598
(Expedited Forwarding, intended to provide leased-line behaviors) and RFC
2597 (Assured Forwarding levels within classes, also known as Gold, Silver,
and Bronze levels).
DSCP is a safe marking method for traffic that traverses public networks
because there is no risk of incompatibility. At the very worst, a hop along the
path might disregard or strip the DSCP tag, but it will rarely mistreat or discard
the packet.
The other prevalent method of CoS marking is IEEE 802.1p, which occurs at
the MAC layer (layer 2) and is closely related to IEEE 802.1Q VLAN marking,
sharing the same 16-bit Tag Control Information field, although it is actually
defined in the IEEE 802.1D standard. Unlike DSCP, 802.1p will only work with
802.1p capable equipment, and is not universally interoperable. Additionally,
802.1p, because of its different frame structure, can rarely traverse wide area
networks, even private WANs. Nonetheless, 802.1p is gaining wide support
among Voice and Video over IP vendors, so a solution for supporting 802.1p
across network boundaries (i.e., WAN links) was introduced in the form of
802.1p to DSCP mapping.
802.1p to DSCP mapping allows 802.1p tags from one LAN to be mapped to
DSCP values by the SonicWALL appliance, allowing the packets to safely
traverse WAN links. When the packets arrive on the other side of the WAN or
VPN, the receiving SonicWALL appliance can then map the DSCP tags back to
802.1p tags for use on that LAN.
Working with Conditioning
Finally, the traffic can be conditioned or managed using any of the many
policing, queueing, and shaping methods available. GMS provides internal
conditioning capabilities with its Egress and Ingress Bandwidth Management
(BWM). SonicWALL BWM is a perfectly effective solution for fully autonomous
private networks with sufficient bandwidth, but can become somewhat less
effective as more unknown external network elements and bandwidth
contention are introduced.
To provide end-to-end QoS, business-class service providers are increasingly
offering traffic conditioning services on their IP networks. These services
typically depend on the customer premise equipment to classify and tag the
traffic, generally using a standard marking method such as DSCP. GMS has
the ability to DSCP mark traffic after classification, as well as the ability to map
802.1p tags to DSCP tags for external network traversal and CoS
preservation. For VPN traffic, GMS can DSCP mark not only the internal
(payload) packets, but the external (encapsulating) packets as well so that
QoS capable service providers can offer QoS even on encrypted VPN traffic.
The actual conditioning method employed by service providers varies from
one to the next, but it generally involves a class-based queueing method such
as Weighted Fair Queuing for prioritizing traffic, in addition to a congestion
avoidance method, such as tail-drop or Random Early Detection.
Working with 802.1p and DSCP QoS
The following sections detail the 802.1p standards and DSCP QoS.
GMS supports layer 2 and layer 3 CoS methods for broad interoperability with
external systems participating in QoS enabled environments. The layer 2
method is the IEEE 802.1p standard, wherein 3 bits of an additional 16 bits
inserted into the header of the Ethernet frame can be used to designate the
priority of the frame, as illustrated in the following figure.
• TPID: Tag Protocol Identifier begins at byte 12 (after the 6-byte destination
and source fields), is 2 bytes long, and has an Ethertype of 0x8100 for
tagged traffic.
• 802.1p: The first three bits of the TCI (Tag Control Information - beginning
at byte 14, and spanning 2 bytes) define user priority, giving eight (2^3)
priority levels. IEEE 802.1p defines the operation for these 3 user priority
bits.
• CFI: Canonical Format Indicator is a single-bit flag, always set to zero for
Ethernet switches. CFI is used for compatibility reasons between Ethernet
networks and Token Ring networks. If a frame received at an Ethernet port
has a CFI set to 1, then that frame should not be forwarded as it is to an
untagged port.
• VLAN ID: VLAN ID (starts at bit 5 of byte 14) is the identification of the
VLAN. It has 12 bits and allows for the identification of 4,096 (2^12) unique
VLAN IDs. Of the 4,096 possible IDs, an ID of 0 is used to identify priority
frames, and an ID of 4,095 (FFF) is reserved, so the maximum possible
VLAN configurations are 4,094.
802.1p support begins by enabling 802.1p marking on the interfaces which
you wish to have process 802.1p tags. 802.1p can be enabled on any Ethernet
interface on any SonicWALL appliance that supports VLANs, including the
SonicWALL NSA Series and PRO 2040, PRO 3060, PRO 4060, PRO 4100,
and PRO 5060.
Note
802.1p tagging is not currently supported on the SonicWALL TZ
Series or PRO 1260.
Although Enable 802.1p tagging does not appear as an option on VLAN
sub-interfaces, it is related to the 802.1q tags of VLAN subinterfaces. The
behavior of the 802.1p field within these tags can be controlled by firewall
access rules. The default 802.1p capable network Access Rule action of None
resets existing 802.1p tags to 0, unless otherwise configured.
Enabling 802.1p marking allows the target interface to recognize incoming
802.1p tags generated by 802.1p capable network devices, and will also allow
the target interface to generate 802.1p tags, as controlled by Access Rules.
Frames that have 802.1p tags inserted by GMS will bear VLAN ID 0.
802.1p tags will only be inserted according to access rules, so enabling 802.1p
marking on an interface will not, at its default setting, disrupt communications
with 802.1p-incapable devices.
802.1p requires the specific support by the networking devices with which you
wish to use this method of prioritization. Many voice and video over IP devices
provide support for 802.1p, but the feature must be enabled. Check your
equipment’s documentation for information on 802.1p support if you are
unsure. Similarly, many server and host network cards (NICs) have the ability
to support 802.1p, but the feature is usually disabled by default.
Working with DSCP Marking
DSCP (Differentiated Services Code Point) marking uses six bits of the eight
bit ToS field in the IP header to provide up to 64 classes (or code points) for
traffic. Since DSCP is a layer 3 marking method, there is no concern about
compatibility as there is with 802.1p marking. Devices that do not support
DSCP will simply ignore the tags, or at worst, they reset the tag value to 0.
The above diagram depicts an IP packet, with a close-up on the ToS portion
of the header. The ToS bits were originally used for Precedence and ToS
(delay, throughput, reliability, and cost) settings, but were later reused by
RFC 2474 for the more versatile DSCP settings. The following table shows the
commonly used code points as well as their mapping to the legacy Precedence
and ToS settings.
Table 5    Code Points

DSCP  DSCP Description           Legacy IP Precedence        Legacy IP ToS (D, T, R)
0     Best Effort                0 (Routine - 000)           -
8     Class 1                    1 (Priority - 001)          -
10    Class 1, Gold AF11         1 (Priority - 001)          T
12    Class 1, Silver AF12       1 (Priority - 001)          D
14    Class 1, Bronze AF13       1 (Priority - 001)          D, T
16    Class 2                    2 (Immediate - 010)         -
18    Class 2, Gold AF21         2 (Immediate - 010)         T
20    Class 2, Silver AF22       2 (Immediate - 010)         D
22    Class 2, Bronze AF23       2 (Immediate - 010)         D, T
24    Class 3                    3 (Flash - 011)             -
26    Class 3, Gold AF31         3 (Flash - 011)             T
27    Class 3, Silver AF32       3 (Flash - 011)             D
30    Class 3, Bronze AF33       3 (Flash - 011)             D, T
32    Class 4                    4 (Flash Override - 100)    -
34    Class 4, Gold AF41         4 (Flash Override - 100)    T
36    Class 4, Silver AF42       4 (Flash Override - 100)    D
38    Class 4, Bronze AF43       4 (Flash Override - 100)    D, T
40    Express Forwarding         5 (CRITIC/ECP - 101)        -
46    Expedited Forwarding (EF)  5 (CRITIC/ECP - 101)        D, T
48    Control                    6 (Internet Control - 110)  -
56    Control                    7 (Internet Control - 111)  -
DSCP marking can be performed on traffic to and from any interface and to
and from any zone type, without exception. DSCP marking is controlled by
Access Rules, from the QoS tab, and can be used in conjunction with 802.1p
marking, as well as with SonicOS internal bandwidth management.
DSCP Marking and Mixed VPN Traffic
Among the security measures and characteristics pertaining to them, IPSec
VPNs employ anti-replay mechanisms based upon monotonically
incrementing sequence numbers added to the ESP header. Packets with
duplicate sequence numbers are dropped, as are packets that do not adhere
to sequence criteria. One criterion governs the handling of out-of-order
packets. GMS provides a replay window of 64 packets, i.e., if an ESP packet
for a Security Association (SA) is delayed by more than 64 packets, the packet
will be dropped.
This should be considered when using DSCP marking to provide layer 3 QoS
to traffic traversing a VPN. If you have a VPN tunnel transporting a variety of
traffic, some that is being DSCP tagged high priority (for example, VoIP), and
some that is DSCP tagged low-priority or untagged/best-effort, a QoS capable
service provider will forward the high-priority ESP packets ahead of the
best-effort ESP packets. Under certain traffic conditions, this can result in
the best-effort packets being delayed for more than 64 packets, causing them
to be dropped by the receiving SonicWALL’s anti-replay defenses.
If symptoms of such a scenario emerge (for example, excessive
retransmissions of low-priority traffic), it is recommended that you create a
separate VPN policy for the high-priority and low-priority classes of traffic. This
is most easily accomplished by placing the high-priority hosts (for example,
the VoIP network) on their own subnet.
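An added example, not from the guide or SonicWALL's code, modelling the 64-packet anti-replay window described above together with the reordering that priority forwarding can introduce on one SA. The window implementation, the hop model and the traffic mix are constructed assumptions.

```python
"""Added example, not SonicWALL code: an ESP anti-replay window of the kind
described above (64 packets) and a constructed strict-priority hop that forwards
high-DSCP ESP packets ahead of best-effort ones on the same SA."""
from collections import deque


class AntiReplayWindow:
    """Sliding window over ESP sequence numbers: bit 0 of the bitmap is the highest
    accepted number, bit i the number i below it."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """True if seq is new and inside the window; False means the packet is dropped."""
        if seq <= 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.top:                     # slide the window forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # delayed past the window: dropped
        if self.bitmap & (1 << offset):
            return False                       # duplicate: dropped
        self.bitmap |= 1 << offset
        return True


def replay_check(seqs, window: int = 64):
    """Accept/drop verdict for each sequence number in arrival order."""
    win = AntiReplayWindow(window)
    return [win.accept(s) for s in seqs]


def strict_priority_delivery(packets, arrivals_per_tick: int = 2):
    """Constructed hop model: each tick, arrivals_per_tick packets (seq, is_high)
    arrive in sequence order and one queued packet is transmitted, high priority
    first and FIFO within a class. Returns sequence numbers in delivery order."""
    pending, high, low, order = deque(packets), deque(), deque(), []
    while pending or high or low:
        for _ in range(arrivals_per_tick):
            if pending:
                seq, is_high = pending.popleft()
                (high if is_high else low).append(seq)
        queue = high if high else low
        if queue:
            order.append(queue.popleft())
    return order


def simulate(packets, window: int = 64):
    """Push one SA's packets through the hop, then the receiver's replay check.
    Returns (delivery order, sequence numbers the receiver dropped)."""
    win = AntiReplayWindow(window)
    delivered = strict_priority_delivery(packets)
    dropped = [seq for seq in delivered if not win.accept(seq)]
    return delivered, dropped


def mixed_tunnel(high_burst: int):
    """Constructed traffic mix: one best-effort ESP packet (seq 1), high_burst
    VoIP-marked packets, then one more best-effort packet."""
    pkts = [(1, False)]
    pkts += [(seq, True) for seq in range(2, 2 + high_burst)]
    pkts.append((2 + high_burst, False))
    return pkts
```

With a burst of 64 or more prioritized packets behind it, the best-effort packet arrives outside the window and is dropped; a burst of 63 still fits.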
Configuring QoS
To configure QoS, perform the following tasks:
• “Enabling 802.1p Tagging” on page 262
• “Creating a QoS Rule” on page 262
• “Configuring QoS Settings” on page 263
• “Adding a Service” on page 270
• “Creating Rules” on page 271
Enabling 802.1p Tagging
Before you begin to perform any QoS configuration tasks, you first need to
enable your device to accept QoS values. To do that you have to enable the
IEEE 802.1p tagging protocol. You enable protocols at the WAN interface
level. To enable 802.1p tagging, perform the following steps:
1. Click on the Interfaces option in the Network menu. GMS displays the
Interfaces list.
2. Click on the Configuration icon for the WAN interface. GMS displays the
Edit Interface dialog box.
3. Click on the Advanced Tab. GMS displays the Advanced Tab.
4. Click on the Enable 802.1p tagging checkbox to place a check mark in
the checkbox.
5. Click Update.
Creating a QoS Rule
The next step is to create a QoS rule for the WAN interface in the Access
Rules dialog box. To configure a QoS rule, perform the following steps:
1. From the Firewall menu, click on the Access Rules option. GMS displays
the Access Rules dialog box that contains various interfaces for which you
can create an access rule.
2. Select the LAN > WAN rule and click Add Rule. GMS displays the Add
Rule dialog box.
3. Click the QoS tab. The QoS page displays.
4. Under DSCP Marking Settings select the DSCP Marking Action. You
can select None, Preserve, Explicit, or Map. Preserve is the default.
– None: DSCP values in packets are reset to 0.
– Preserve: DSCP values in packets will remain unaltered.
– Explicit: Set the DSCP value to the value you select in the Explicit
DSCP Value field. This is a numeric value between 0 and 63.
5. Under 802.1p Marking Settings select the 802.1p Marking Action. You
can select None, Preserve, Explicit, or Map. None is the default.
6. Click Ok. GMS configures your WAN interface to accept traffic shaping
values.
Configuring QoS Settings
Now that you have enabled the 802.1p protocol and created a specific QoS
rule, you can create your QoS settings. To create QoS settings, perform the
following steps:
1. Click on the QoS Settings option in the Firewall menu. GMS displays the
QoS Mapping dialog box.
2. Click on the Configuration icon for any of the 802.1p Class of Service
objects. GMS displays the class of service Edit QoS Mapping dialog box.
3. Configure the following 802.1p to DSCP conversion settings:
– To DSCP: The DSCP marking value that indicates the priority of the
traffic.
– From DSCP Begin: The lower limit of the range of DSCP marking
values that indicates the priority assigned to a packet traveling across
the network.
– From DSCP End: The upper limit of that range.
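As an added example, not part of the guide or SonicWALL's code, the following Python decodes the 802.1Q tag fields described under “Working with 802.1p and DSCP QoS” (TPID at byte 12, TCI at byte 14), reads the DSCP bits from the IPv4 ToS byte, names code points from their bit layout as in Table 5 (by that layout AF32 is code point 28), and applies a To DSCP / From DSCP Begin / From DSCP End mapping table of the kind configured here. The default mapping values, the sample frame and all function names are assumptions.

```python
"""Added example, not SonicWALL code: decode an 802.1Q/802.1p tag and an IPv4 DSCP,
name the code point from its bits, and apply a To DSCP / From DSCP Begin / End
mapping table. Default mapping values and the sample frame are assumptions."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100        # Ethertype that announces a tagged frame
ETHERTYPE_IPV4 = 0x0800

@dataclass
class Dot1QTag:
    priority: int          # 802.1p user priority, top 3 bits of the TCI
    cfi: int               # Canonical Format Indicator, 1 bit
    vlan_id: int           # VLAN ID, low 12 bits (0 = priority-tagged frame)

def parse_dot1q(frame: bytes):
    """Return (tag, payload_ethertype, payload); tag is None for an untagged frame.
    The TPID sits at byte 12, after the two 6-byte MAC fields; the TCI at byte 14."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    tag = Dot1QTag(priority=tci >> 13, cfi=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)
    return tag, inner_type, frame[18:]

def parse_dscp(ip_packet: bytes) -> int:
    """DSCP is the upper six bits of the IPv4 ToS/DS byte (byte 1 of the header)."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ip_packet[1] >> 2

def describe_dscp(dscp: int) -> str:
    """Name a code point from its bits: the top three bits are the class selector
    (the legacy IP Precedence), bits 2-1 the AF drop precedence, and 46 is EF."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp == 0:
        return "Best Effort"
    if dscp == 46:
        return "EF"
    cls, drop, low_bit = dscp >> 3, (dscp >> 1) & 0x3, dscp & 0x1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low_bit == 0:
        return f"AF{cls}{drop}"
    if dscp % 8 == 0:
        return f"CS{cls}"
    return f"precedence {cls} (unnamed)"

@dataclass
class QosMapping:
    to_dscp: int           # DSCP written when mapping 802.1p -> DSCP
    from_dscp_begin: int   # DSCP range mapped back to this 802.1p class
    from_dscp_end: int

# Assumed default table: 802.1p class n -> DSCP 8n, reverse range 8n..8n+7.
DEFAULT_MAPPING = {n: QosMapping(8 * n, 8 * n, 8 * n + 7) for n in range(8)}

def validate_mapping(table: dict) -> None:
    """Every DSCP value must map back to exactly one 802.1p class."""
    hits = [0] * 64
    for cos, m in table.items():
        if not (0 <= cos <= 7 and 0 <= m.to_dscp <= 63
                and 0 <= m.from_dscp_begin <= m.from_dscp_end <= 63):
            raise ValueError(f"bad mapping entry for 802.1p class {cos}")
        for d in range(m.from_dscp_begin, m.from_dscp_end + 1):
            hits[d] += 1
    if any(h != 1 for h in hits):
        raise ValueError("From DSCP ranges must cover 0..63 exactly once")

def dot1p_to_dscp(priority: int, table: dict = DEFAULT_MAPPING) -> int:
    return table[priority].to_dscp

def dscp_to_dot1p(dscp: int, table: dict = DEFAULT_MAPPING) -> int:
    for cos, m in table.items():
        if m.from_dscp_begin <= dscp <= m.from_dscp_end:
            return cos
    raise ValueError(f"DSCP {dscp} is not covered by the mapping table")

def egress_dscp_for_frame(frame: bytes, table: dict = DEFAULT_MAPPING):
    """DSCP a Map rule would write into a tagged frame's IPv4 payload, or None."""
    tag, ethertype, _ = parse_dot1q(frame)
    if tag is None or ethertype != ETHERTYPE_IPV4:
        return None
    return dot1p_to_dscp(tag.priority, table)

# Constructed sample: tagged frame, priority 5, VLAN 100, carrying an IPv4 header
# whose DS byte holds DSCP 46 (EF); the rest of the header is zero padding.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 100, ETHERTYPE_IPV4)
                + bytes([0x45, 46 << 2]) + bytes(18))
```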
Configuring SSL Control
SonicWALL appliances running SonicOS Enhanced 4.0 and higher allow SSL
Control, a system for providing visibility into the handshake of SSL sessions,
and a method for constructing policies to control the establishment of SSL
connections. SSL (Secure Sockets Layer) is the dominant standard for the
encryption of TCP based network communications, with its most common and
well-known application being HTTPS (HTTP over SSL). SSL provides digital
certificate-based endpoint identification, and cryptographic and digest-based
confidentiality to network communications.
An effect of the security provided by SSL is the obscuration of all payload,
including the URL (Uniform Resource Locator, for example,
https://www.mysonicwall.com) being requested by a client when establishing
an HTTPS session. This is due to the fact that HTTP is transported within the
encrypted SSL tunnel when using HTTPS. It is not until the SSL session is
established (step 14) that the actual target resource (www.mysonicwall.com)
is requested by the client, but since the SSL session is already established,
no inspection of the session data by the UTM appliance or any other
intermediate device is possible. As a result, URL based content filtering
systems cannot consider the request to determine permissibility in any way
other than by IP address.
While IP address based filtering does not work well for unencrypted HTTP
because of the efficiency and popularity of Host-header based virtual hosting
(defined in Key Concepts below), IP filtering can work effectively for HTTPS
due to the rarity of Host-header based HTTPS sites. But this trust relies on the
integrity of the HTTPS server operator, and assumes that SSL is not being
used for deceptive purposes.
For the most part, SSL is employed legitimately, being used to secure
sensitive communications, such as online shopping or banking, or any session
where there is an exchange of personal or valuable information. The ever
decreasing cost and complexity of SSL, however, has also spurred the growth
of more dubious applications of SSL, designed primarily for the purposes of
obfuscation or concealment rather than security.
An increasingly common camouflage is the use of SSL encrypted Web-based
proxy servers for the purpose of hiding browsing details, and bypassing
content filters. While it is simple to block well known HTTPS proxy services of
this sort by their IP address, it is virtually impossible to block the thousands of
privately-hosted proxy servers that are readily available through a simple
Web-search. The challenge is not the ever-increasing number of such
services, but rather their unpredictable nature. Since these services are often
hosted on home networks using dynamically addressed DSL and cable
modem connections, the targets are constantly moving. Trying to block an
unknown SSL target would require blocking all SSL traffic, which is practically
infeasible.
SSL Control provides a number of methods to address this challenge by
arming the security administrator with the ability to dissect and apply policy
based controls to SSL session establishment. While the current
implementation does not decode the SSL application data, it does allow for
gateway-based identification and disallowance of suspicious SSL traffic.
For more information about SSL Control, see the SonicOS Enhanced 4.0
Administrator’s Guide.
To configure SSL Control, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance running
SonicOS Enhanced 4.0 or higher.
2. Expand the Firewall tree and click SSL Control. The SSL Control page
displays.
3. Under General Settings, select the Enable SSL Control checkbox to
enable SSL Control for the selected group or appliance.
4. Under Action, select one of the following:
– Log the event—If an SSL policy violation, as defined within the
Configuration section below, is detected, the event will be logged, but
the SSL connection will be allowed to continue.
– Block the connection and log the event—In the event of a policy
violation, the connection will be blocked and the event will be logged.
5. Under Configuration, select one or more of the following:
– Enable Blacklist—Controls detection of the entries in the blacklist, as
configured in the Custom Lists section below.
– Enable Whitelist—Controls detection of the entries in the whitelist, as
configured in the Custom Lists section below. Whitelisted entries take
precedence over all other SSL control settings.
– Detect Expired Certificates—Controls detection of certificates
whose start date is after the current system time, or whose end date
is before the current system time. Date validation depends on the
SonicWALL’s System Time. Make sure your System Time is set
correctly, preferably synchronized with NTP, on the System > Time
page.
– Detect SSLv2—Controls detection of SSLv2 exchanges. SSLv2 is
known to be susceptible to cipher downgrade attacks because it does
not perform integrity checking on the handshake. Best practices
recommend using SSLv3 or TLS instead of SSLv2.
– Detect Self-Signed Certificates—Controls the detection of
certificates where both the issuer and the subject have the same
common name.
– Detect Certificate signed by an Untrusted CA—Controls the
detection of certificates where the issuer’s certificate is not in the
SonicWALL’s System > Certificates trusted store.
– Detect Weak Ciphers (< 64 bits)—Controls the detection of SSL
sessions negotiated with symmetric ciphers less than 64 bits,
commonly indicating export cipher usage.
6. Under Custom Lists, configure the Blacklist and Whitelist by defining
strings for matching common names in SSL certificates. Entries are
case-sensitive and are used with pattern-matching. For example,
“sonicwall.com” will match “https://www.sonicwall.com” and
“https://mysonicwall.com”, but not “https://www.sonicwall.de”.
To add an entry to the Blacklist, type it into the Black List field and then
click Add.
To add an entry to the Whitelist, type it into the White List field and then
click Add.
7. When finished, click Update. To return to default values and start over,
click Reset.
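An added example, not SonicWALL's code, that evaluates the checks above against a description of an observed handshake in the order the steps describe: whitelist first, then each enabled detection, then log or block. The field names, the sample handshakes and the explicitly passed clock are assumptions.

```python
"""Added example, not SonicWALL code: evaluate the SSL Control checks above against
a description of an observed handshake. Field names, sample handshakes and the
explicit `now` clock are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Handshake:
    subject_cn: str          # common name of the server certificate
    issuer_cn: str           # common name of the issuing certificate
    not_before: datetime
    not_after: datetime
    protocol: str            # "SSLv2", "SSLv3", "TLSv1", ...
    cipher_bits: int         # symmetric key length negotiated
    issuer_trusted: bool     # issuer found in the System > Certificates trusted store


@dataclass
class SslControlConfig:
    enabled: bool = True
    block: bool = False      # False: log the event; True: block and log
    blacklist_enabled: bool = True
    whitelist_enabled: bool = True
    detect_expired: bool = True
    detect_sslv2: bool = True
    detect_self_signed: bool = True
    detect_untrusted_ca: bool = True
    detect_weak_ciphers: bool = True
    blacklist: list = field(default_factory=list)
    whitelist: list = field(default_factory=list)


def matches(entries, common_name: str):
    """Custom List semantics from step 6: a case-sensitive substring match, so
    'sonicwall.com' matches 'www.sonicwall.com' but not 'www.sonicwall.de'."""
    return [e for e in entries if e in common_name]


def evaluate(hs: Handshake, cfg: SslControlConfig, now: datetime):
    """Return (action, reasons); action is 'allow', 'log' or 'block'.
    `now` stands for the appliance System Time: date checks are only as good as it."""
    if not cfg.enabled:
        return "allow", []
    if cfg.whitelist_enabled and matches(cfg.whitelist, hs.subject_cn):
        return "allow", []                  # whitelist beats every other check
    reasons = []
    if cfg.blacklist_enabled:
        reasons += [f"blacklisted: {e}" for e in matches(cfg.blacklist, hs.subject_cn)]
    if cfg.detect_expired and not (hs.not_before <= now <= hs.not_after):
        reasons.append("certificate expired or not yet valid")
    if cfg.detect_sslv2 and hs.protocol == "SSLv2":
        reasons.append("SSLv2 handshake")
    if cfg.detect_self_signed and hs.subject_cn == hs.issuer_cn:
        reasons.append("self-signed certificate")
    if cfg.detect_untrusted_ca and not hs.issuer_trusted:
        reasons.append("issuer not in trusted store")
    if cfg.detect_weak_ciphers and hs.cipher_bits < 64:
        reasons.append(f"weak cipher ({hs.cipher_bits} bits)")
    if not reasons:
        return "allow", []
    return ("block" if cfg.block else "log"), reasons


# Constructed sample data: a block-and-log policy with one entry in each list.
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
POLICY = SslControlConfig(block=True, blacklist=["proxy"], whitelist=["sonicwall.com"])


def sample(subject, issuer, protocol="TLSv1", bits=128, trusted=True, expired=False):
    """Build a Handshake valid from 2009 to 2011, or already expired in NOW's terms."""
    start = datetime(2009, 1, 1, tzinfo=timezone.utc)
    end = datetime(2010 if expired else 2011, 1, 1, tzinfo=timezone.utc)
    return Handshake(subject, issuer, start, end, protocol, bits, trusted)
```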
Configuring Firewall Settings in SonicOS Standard
The following sections describe how to configure firewall settings in SonicOS
Standard:
• “Configuring Rules in SonicOS Standard” on page 269
• “Configuring Advanced Firewall Settings in SonicOS Standard” on
page 273
• “Configuring Voice over IP Settings” on page 275
Configuring Rules in SonicOS Standard
To configure rules for SonicOS Standard, perform the following steps:
1. Determine whether the service for which you want to create a rule is
defined. If not, define the service. See “Adding a Service” on page 270.
2. Create one or more rules for the service. See “Creating Rules” on
page 271.
3. Repeat this procedure for each service for which you would like to define
rules.
Adding a Service
By default, a large number of services are pre-defined. This section describes
how to add a new or custom service. To add a service, perform the following
steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click Services. The Services page displays.
3. To add a known service (e.g., HTTP, FTP, News), select the service from
the Service Name list box and click Add Known Service. Repeat this
step for each service that you would like to add. A task is scheduled for
each service for each selected SonicWALL appliance.
Note
Features and services vary widely depending on the managed
appliance’s firmware type and version. Some options, including Add
Known Service are only available when managing a Non-SonicOS
device (such as a SonicWALL TELE3 TZX).
4. To add a custom service, enter its name in the Service Name field, enter
the port range it uses in the Port Begin and Port End fields, select the
appropriate protocol check boxes, and click Add Custom Service.
Repeat this step for each service that you would like to add. A task gets
scheduled for each service for each selected SonicWALL appliance.
5. To remove a service from the list, select its trash can check box and click
Update. A task gets scheduled to update the services page for each
selected SonicWALL appliance.
6. To clear all screen settings and start over, click Reset.
Creating Rules
This section describes how to define rules for defined services in SonicOS
Standard. To create a rule, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click Rules. The Rules page displays.
3. Click Add Rule. The Add Rule dialog box displays.
4. Select a service from the Service Name list box. If the service
does not exist, see “Adding a Service” on page 270.
5. Select whether access to this service will be allowed or denied.
6. Select the SonicWALL interface to which this rule applies from the Source
list box.
7. To apply the rule to a range of IP addresses, enter the first and last IP
addresses of the range in the Addr. Begin and Addr. End fields,
respectively. The rule will apply to requests originating from IP addresses
within this range. For all IP addresses, enter an asterisk (*).
8. Specify when the rule will be applied. By default, it is Always. To specify a
time, enter the time of day (in 24-hour format) to begin and end
enforcement. Then, enter the days of the week to begin and end rule
enforcement.
9. Specify how long (in minutes) the connection may remain idle before the
connection is terminated in the Inactivity Timeout field.
Caution
Fragmented packets are used in certain types of Denial of Service
attacks and, by default, are blocked. You should only enable the
Allow Fragmented Packets check box if users are experiencing
problems accessing certain applications and the SonicWALL logs
show many dropped fragmented packets.
10. SonicWALL appliances can manage outbound traffic using bandwidth
management. To enable bandwidth management for this service, select
the Enable Outbound Bandwidth Management check box.
Enter the amount of bandwidth that will always be available to this service
in the Guaranteed Bandwidth field. Keep in mind that this bandwidth will
be permanently assigned to this service and not available to other
services, regardless of the amount of bandwidth this service does or does
not use.
Enter the maximum amount of bandwidth that will be available to this
service in the Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box.
Select a priority from 0 (highest) to 7 (lowest).
Note
In order to configure bandwidth management for this service,
bandwidth management must be enabled on the SonicWALL
appliance. To configure bandwidth management in SonicOS
Standard, see “Configuring Ethernet Settings” on page 231. For
SonicOS Enhanced, see “Overview of Interfaces” on page 153.
11. To add this rule to the rule list, click Update. Repeat Step 3 through
Step 11 for each rule that you wish to add.
12. If the network access rules have been modified or deleted, you can restore
the Default Rules. The Default Rules prevent malicious intrusions and
attacks, block all inbound IP traffic and allow all outbound IP traffic. To
restore the network access rules to their default settings, click Restore
Rules to Defaults and click Update. A task is scheduled to update the
rules page for each selected SonicWALL appliance.
13. If the network access rules for a SonicWALL appliance need to be uniform
with access rules for other SonicWALL appliances in the same group, you
can restore the group rules.
To do this, click Restore Rules to Group Settings and click Update. A
task is scheduled to overwrite the rules page for each selected
SonicWALL appliance.
If you want to append the group rules to the current rules, make sure the
Append Services and Rules inherited from group check box is
selected on the GMS Settings page of the Console Panel.
Note
This option is not available at the group or global level.
14. To modify a rule, select its notepad icon. The Add/Modify Rule dialog box
displays. When you are finished making changes, click Update.
SonicWALL GMS creates a task that modifies the rule for each selected
SonicWALL appliance.
15. To disable a rule without deleting it, deselect its Enable Rule check box.
16. To delete a rule, select its trash can icon and click Update.
SonicWALL GMS creates a task that deletes the rule for each selected
SonicWALL appliance.
Configuring Advanced Firewall Settings in SonicOS Standard
To configure advanced access settings, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click Advanced. The Advanced page
displays.
3. Computers running Microsoft Windows communicate with each other
through NetBIOS broadcast packets. By default, SonicWALL appliances
block these broadcasts. To allow NetBIOS packets to pass among the
interfaces, select the appropriate checkbox in the Windows Networking
(NetBIOS) Broadcast Pass Through section.
4. Detection prevention helps hide SonicWALL appliances from potential
hackers. Select from the following Detection Prevention options:
– To enable stealth mode, select the Enable Stealth Mode check box.
During normal operation, SonicWALL appliances respond to incoming
connection requests as either “blocked” or “open.” During stealth
operation, SonicWALL appliances do not respond to inbound
requests, making the appliances “invisible” to potential hackers.
– Hackers can use various detection tools to “fingerprint” IP IDs and
detect the presence of a SonicWALL appliance. To configure the
SonicWALL appliance(s) to generate random IP IDs, select the
Randomize IP ID check box.
5. Select the dynamic ports that will be supported from the Dynamic Ports
area:
– Enable support for Oracle (SQLNet)—Select if you have Oracle
applications on your network.
– Enable support for Windows Messenger—Select this option to
support special SIP messaging used in Windows Messenger on
Windows XP.
– Enable RTSP Transformations—Select this option to support
on-demand delivery of real-time data, such as audio and video. Real
Time Streaming Protocol (RTSP) is an application-level protocol for
control over delivery of data with real-time properties.
6. The Drop Source Routed Packets check box is selected by default. Clear
the check box if you are testing traffic between two specific hosts and you
are using source routing.
7. Select Disable Anti-Spyware, Gateway AV and IPS Engine if you want
to enable more connections at the expense of the Gateway Anti-Virus and
Intrusion Prevention services. This is generally not recommended
because it opens the SonicWALL security appliance to possible threats.
8. The Connection Inactivity Timeout option disables connections outside the
LAN if they are idle for a specified period of time. Without this timeout,
connections can stay open indefinitely and create potential security holes.
To specify how long the SonicWALL appliance(s) wait before closing
inactive connections outside the LAN, enter the amount of time in the
Default Connection Timeout field (default: 25 minutes).
9. By default, FTP connections from port 20 are allowed, but remapped to
outbound traffic ports such as 1024. If you select the Force inbound and
outbound FTP data connections to use default port 20 check box, any
FTP data connection through the SonicWALL must come from port 20 or
the connection will be dropped and logged.
Note
To enforce IP Header, UDP, TCP, or ICMP checksums, select
the appropriate option from the IP, UDP, TCP, ICMP Checksum
Enforcement section.
10. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring Voice over IP Settings
VoIP settings are identical in SonicOS Enhanced and SonicOS Standard. To
configure VoIP, see “Configuring Voice over IP Settings” on page 249.
CHAPTER 12
Configuring Log Settings
This chapter describes how to use the SonicWALL Global Management System to
configure where the SonicWALL appliance(s) send their logs, how often the
logs are sent, and what information is included.
This chapter includes the following sections:
• “Configuring Log Settings” section on page 278
• “Configuring Enhanced Log Settings” section on page 281
• “Configuring Name Resolution” section on page 285
Configuring Log Settings
To configure log settings, perform the following steps:
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
Select the Policies tab. In the center pane, navigate to Log > Log
Settings.
3.
Enter the IP address or name of the mail server in the Mail Server (name
or IP Address) field.
4.
Enter the name of the SonicWALL appliance in the Firewall Name field.
The firewall name appears in the subject of email sent by the SonicWALL
appliance. By default, the firewall name is the same as the SonicWALL
appliance serial number.
Note
5.
278
The name of the SonicWALL appliance cannot be configured at the
group or global level.
To override syslog settings with ViewPoint settings, check the Override
Syslog settings with ViewPoint settings box.
SonicWALL GMS 6.0 Administrator’s Guide
Configuring Log Settings
6.
To select a syslog format, choose one of the two options from the Syslog
Format drop-down menu:
– Default—The standard SonicWALL syslog format.
– WebTrends—A reporting software that analyzes traffic activity,
protocol usage, security problems, resource usage, bandwidth
consumption, and more. For more information, visit
http://www.webtrends.com.
7.
To specify how often SonicWALL GMS logs repetitive events, enter the
time period (in seconds) in the Syslog Event Redundancy Filter field
(default: 60 seconds). This prevents repetitive events from being logged
to the syslog. If duplicate events occur during the period, they will be
logged as a single event that specifies the number of times that the event
occurred.The minimum is 0 seconds and the maximum is 86,400 seconds
(24 hours). If you specify 0, all events are logged.
For GMS network deployments using Gen-2/Distributed Summarizer
Mode, enter 0 in the Syslog Event Redundancy Filter field. Although a
higher setting prevents a log file from being full of repetitive events, setting
this field to anything other than 0 will result in inaccurate reporting.
For information about the Distributed Summarizer, see the “About the
Distributed Summarizer” section on page 984.
8.
To enable event rate limiting, check the Enable Event Rate Limiting box
and enter a maximum number of events per second in the Maximum
Events Per Second field.
9.
To enable data rate limiting, check the Enable Data Rate Limiting box
and enter a maximum bytes per second in the Maximum Bytes Per
Second field.
10. Specify how often the SonicWALL appliance(s) send heartbeats to
SonicWALL GMS in the Heartbeat Rate field (default: 60 seconds). If
SonicWALL GMS does not receive a heartbeat message within three
intervals, SonicWALL GMS will consider the SonicWALL appliances
offline or unavailable and its icon will turn red.
Note
It is highly recommended to leave the Heartbeat Rate at the default
setting of 60 seconds. Values close to zero will generate a large
number of status messages. The maximum value is 86,400
seconds (24 hours).
11. Enter the complete email address (for example,
[email protected]) where the log will be sent in the Email Log
to field. If this field is left blank, the log will not be sent.
SonicWALL GMS 6.0 Administrator’s Guide
279
Configuring Log Settings
Note
This address will also be used as the return address.
12. Some events, such as an attack, may require immediate attention. Enter
the complete email address or email pager address in the Email Alerts to
field. If this field is left blank, alerts will not be sent.
Note
This address will also be used as the return address.
For information about alerts in the GMS Granular Event Management
framework, see “Configuring Granular Event Management” on page 1023.
13. To email the log now, click Email Log Now.
14. To clear the log, click Clear Log Now. A confirmation displays. Click OK
to clear the log.
15. To add a syslog server, enter the IP address and port in the Syslog Server
IP Address and Port fields. Click Add.
16. For automated log delivery, specify when the log file will be sent from the
Send Log drop-down menu. Select When Full, Daily, or Weekly. If the log
will be sent daily, select the time that the log will be sent (24-hour format).
If the log will be sent weekly, select the day of the week and the time.
17. In some cases, the log buffer may fill up. This may occur if there is a
problem with the mail server and the log cannot be successfully emailed.
Under When Log Overflows, select Overwrite Log (SonicWALL
appliances will overwrite the log and discard its contents) or Shutdown
SonicWALL (this stops traffic from passing through the appliance, so that no
traffic goes unlogged).
18. Select information to log from the Categories section. To select all
categories, check the Select All box.
Note
If you are using SonicWALL GMS, make sure that it can generate
all reports for each SonicWALL appliance by selecting all log
category check boxes except for Network Debug.
19. When you are finished, click Update.
Configuring Enhanced Log Settings
1. In the center pane, navigate to Log > Enhanced Log Settings.
2. Enter the IP address or name of the mail server in the Mail Server (name
or IP Address) field.
3. Enter the email address that will appear as the sender on emails in the
From E-mail Address field.
4. Select a method of authentication from the Authentication Method
drop-down menu, either None or POP before SMTP.
5. If you selected POP before SMTP, enter the POP server name or IP
address in the POP Server (name or IP address) field, and the POP
account user name and password in the Username and Password fields.
6. Enter the name of the SonicWALL appliance in the Firewall Name field.
The firewall name appears in the subject of email sent by the SonicWALL
appliance. By default, the firewall name is the same as the SonicWALL
appliance serial number.
Note
The name of the SonicWALL appliance cannot be configured at the
group or global level.
7. In the Syslog Facility drop-down menu, select one of the syslog facility
options.
8. To override syslog settings with ViewPoint settings, check the Override
Syslog settings with ViewPoint settings box.
9. To select a syslog format, choose one of the two options from the Syslog
Format drop-down menu:
– Default—The standard SonicWALL syslog format.
– WebTrends—A reporting software that analyzes traffic activity,
protocol usage, security problems, resource usage, bandwidth
consumption, and more. For more information, visit
http://www.webtrends.com.
10. To specify how often SonicWALL GMS logs repetitive events, enter the
time period (in seconds) in the Syslog Event Redundancy Filter field
(default: 60 seconds). This prevents repetitive events from being logged
to the syslog. If duplicate events occur during the period, they will be
logged as a single event that specifies the number of times that the event
occurred. The minimum is 0 seconds and the maximum is 86,400 seconds
(24 hours). If you specify 0, all events are logged.
11. To enable event rate limiting, check the Enable Event Rate Limiting box
and enter a maximum number of events per second in the Maximum
Events Per Second field.
12. To enable data rate limiting, check the Enable Data Rate Limiting box
and enter a maximum number of bytes per second in the Maximum Bytes
Per Second field.
13. Specify how often the SonicWALL appliance(s) send heartbeats to
SonicWALL GMS in the Heartbeat Rate field (default: 60 seconds). If
SonicWALL GMS does not receive a heartbeat message within three
intervals, SonicWALL GMS will consider the SonicWALL appliances
offline or unavailable and its icon will turn red.
Note
It is highly recommended to leave the Heartbeat Rate at the default
setting of 60 seconds. Values close to zero will generate a large
number of status messages. The maximum value is 86400 seconds
(24 hours).
14. Enter the complete email address (for example,
[email protected]) where the log will be sent in the Email Log
to field. If this field is left blank, the log will not be sent.
Note
This address will also be used as the return address.
15. Some events, such as an attack, may require immediate attention. Enter
the complete email address or email pager address in the Email Alerts to
field. If this field is left blank, alerts will not be sent.
Note
This address will also be used as the return address.
16. To email the log now, click Email Log Now. The scheduler displays.
17. Expand Schedule by clicking the plus icon.
18. Select Immediate or specify a future date and time.
19. Click Accept.
20. To clear the log, click Clear Log Now. A confirmation displays. Click OK
to clear the log.
21. To add a syslog server, enter the IP address and port in the Syslog Server
IP Address and Port fields. Click Add. The scheduler displays.
22. Expand Schedule by clicking the plus icon.
23. Select Immediate or specify a future date and time.
24. Click Accept.
25. For automated log delivery, specify when the log file will be sent from the
Send Log drop-down menu. Select When Full, Daily, or Weekly. If the log
will be sent daily, select the time that the log will be sent (24-hour format).
If the log will be sent weekly, select the day of the week and the time.
26. In some cases, the log buffer may fill up. This may occur if there is a
problem with the mail server and the log cannot be successfully emailed.
Under When Log Overflows, select Overwrite Log (SonicWALL
appliances will overwrite the log and discard its contents) or Shutdown
SonicWALL (this will prevent further traffic from not being logged).
27. From the Logging Level drop-down menu, select one of the logging level
options.
28. From the Alert Level drop-down menu, select one of the alert level
options.
29. Enter a period of time, in seconds, in the Log Redundancy Filter
(seconds) field.
30. Enter a period of time, in seconds, in the Alert Redundancy Filter
(seconds) field.
31. For each category in the Categories table, select a combination of Log,
Alerts, and Syslog.
Note
If you are using SonicWALL GMS, make sure that it can generate
all reports for each SonicWALL appliance by selecting all log
category check boxes.
32. When you are finished, click Update. The scheduler displays.
33. Expand Schedule by clicking the plus icon.
34. Select Immediate or specify a future date and time.
35. Click Accept.
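The Syslog Event Redundancy Filter and the event and data rate limits described in this procedure (and in steps 7 to 9 of Configuring Log Settings above) are easier to reason about in code. The following is an added example, not SonicWALL code; it models the filter as a per-message window that folds duplicates into one entry with a repeat count, and the rate limits as fixed one-second buckets (an assumption about the appliance's accounting). Notice that any window larger than 0 changes what a downstream summarizer sees, which is why the page says a non-zero value makes reporting inaccurate.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """A constructed appliance log event: time in seconds, message text, size in bytes."""
    t: float
    msg: str
    size: int


@dataclass(frozen=True)
class LogEntry:
    """What reaches the syslog server: the first event of a run plus a repeat count."""
    t: float
    msg: str
    count: int
    size: int


class RedundancyFilter:
    """Syslog Event Redundancy Filter: the first occurrence of a message opens a
    window of `window` seconds; duplicates inside it are folded into one entry
    whose count says how many times the event occurred. window == 0 logs every event."""

    def __init__(self, window: int) -> None:
        self.window = window
        self._pending: Dict[str, List] = {}  # msg -> [first_t, count, size]

    def push(self, ev: Event) -> List[LogEntry]:
        if self.window == 0:
            return [LogEntry(ev.t, ev.msg, 1, ev.size)]
        out = self._flush(ev.t)  # windows that have expired by now are emitted first
        if ev.msg in self._pending:
            self._pending[ev.msg][1] += 1
        else:
            self._pending[ev.msg] = [ev.t, 1, ev.size]
        return out

    def _flush(self, now: Optional[float]) -> List[LogEntry]:
        out = []
        for msg, (t0, n, size) in list(self._pending.items()):
            if now is None or now - t0 >= self.window:
                out.append(LogEntry(t0, msg, n, size))
                del self._pending[msg]
        return out

    def close(self) -> List[LogEntry]:
        """Emit whatever is still pending (end of the stream)."""
        return self._flush(None)


class RateLimiter:
    """Maximum Events Per Second / Maximum Bytes Per Second as fixed one-second
    buckets (an assumption, not the appliance's documented algorithm); None disables a cap."""

    def __init__(self, max_events: Optional[int] = None, max_bytes: Optional[int] = None) -> None:
        self.max_events, self.max_bytes = max_events, max_bytes
        self._second: Optional[int] = None
        self._events = self._bytes = 0
        self.dropped = 0

    def allow(self, t: float, size: int) -> bool:
        second = int(t)
        if second != self._second:  # new bucket: reset the counters
            self._second, self._events, self._bytes = second, 0, 0
        if (self.max_events is not None and self._events + 1 > self.max_events) or \
           (self.max_bytes is not None and self._bytes + size > self.max_bytes):
            self.dropped += 1
            return False
        self._events += 1
        self._bytes += size
        return True


def process(events: List[Event], window: int,
            max_eps: Optional[int] = None, max_bps: Optional[int] = None) -> List[LogEntry]:
    """Run events through the redundancy filter, then rate-limit what it emits
    (this ordering is an assumption). Entries are rate-limited at the time they are emitted."""
    rf, rl = RedundancyFilter(window), RateLimiter(max_eps, max_bps)
    sent: List[LogEntry] = []
    last_t = 0.0
    for ev in events:
        last_t = ev.t
        sent += [e for e in rf.push(ev) if rl.allow(ev.t, e.size)]
    sent += [e for e in rf.close() if rl.allow(last_t, e.size)]
    return sent


# Constructed sample: a burst of identical connection events plus one alert.
SAMPLE_EVENTS = [
    Event(0.0, "Connection Opened", 120),
    Event(0.5, "Connection Opened", 120),
    Event(1.0, "Connection Opened", 120),
    Event(2.0, "Probable port scan detected", 140),
    Event(2.5, "Connection Opened", 120),
    Event(70.0, "Connection Opened", 120),
]

if __name__ == "__main__":
    for entry in process(SAMPLE_EVENTS, window=60):
        print(entry)  # 3 entries; the first carries count=4
    print(len(process(SAMPLE_EVENTS, window=0)))  # 6: every event logged, accurate for reporting
```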
Heartbeat Settings on the Enhanced Log Settings Page
A heartbeat is a message generated by the UTM appliance sent out at various
intervals to a connected management server to determine whether the
management server connected to the UTM appliance is active. You can now
set a threshold value for how often a heartbeat message is generated. You can
do this on the Log Settings page.
To specify the Heartbeat Rate, perform the following:
1. Navigate to the Policies Panel.
2. Click the Log menu to display logging options.
3. Click the Log Settings option. GMS displays the Log Settings dialog box.
4. In the Heartbeat Rate field in the General region, type a value that
represents the number of seconds that is the interval between heartbeat
tests. Note that the default interval is 60 seconds.
Configuring Name Resolution
To configure name resolution, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Select the Policies tab.
3. In the center pane, navigate to Log > Name Resolution.
4. From the Name Resolution Method drop-down menu, select none, DNS,
NetBios or DNS then NetBios.
5. For DNS and DNS then NetBios, configure the following DNS settings:
– Specify DNS Servers Manually—Select this radio button to manually
configure the DNS servers and specify the IP address(es) in the Log
Resolution DNS Server 1 - 3 fields.
– Inherit DNS Settings Dynamically from WAN—Select this radio
button to inherit the DNS settings from the WAN.
6. Click Update.
CHAPTER 13
Viewing Diagnostic Information
SonicWALL appliances store information about all devices with which they
have communicated.
When you generate diagnostic information, only one report can be generated
at a time and the information is only maintained during the current session. For
example, if you run a firewall log report and then log off or generate another
report, the firewall log report data will be lost until you run the report again.
This chapter includes the following sections:
• “Viewing Network Diagnostic Settings” section on page 288
• “Viewing Connections Monitor” section on page 290
• “Viewing CPU Monitor” section on page 292
• “Viewing Process Monitor” section on page 293
Viewing Network Diagnostic Settings
To view network settings, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab. In the center pane, navigate to Diagnostics >
Network.
3. To refresh the diagnostic data, click Refresh Diagnostic Data display.
4. To delete the diagnostic data, click Delete Diagnostic Data display.
5. To view the log file for the selected SonicWALL appliance(s), click
Request Log file display from unit(s).
6. To test the RADIUS server, enter the username and password of a valid
user in the User and Password fields and click Radius Client Test.
7. To perform a DNS lookup from the SonicWALL appliance(s), enter a
hostname or IP address in the Host field and click DNS Lookup.
8. To find a network path from the SonicWALL appliance(s), enter an IP
address in the Host field and click Find Network Path.
9. To ping a host from the SonicWALL appliance(s), enter a hostname or IP
address in the Host field and click Ping.
10. To perform a Traceroute from the SonicWALL appliance(s), enter a
hostname or IP address in the Host field and click TraceRoute Lookup.
11. To view dynamic routing information, click Fetch Default Route Policies
(SonicOS 2.5 Enhanced or later).
12. To perform a reverse name resolution, enter an IP address in the Reverse
Lookup the IP Address field and click Reverse Name Resolution.
13. To perform a real-time black list lookup, enter an IP address in the IP
Address field, a FQDN for the RBL in the RBL Domain field, and DNS
server information in the DNS Server field. Click Real-time Black List
Lookup.
14. To generate a Tech Support Report, select any of the following four
report options:
– VPN Keys—Saves shared secrets, encryption, and authentication
keys to the report.
– ARP Cache—Saves a table relating IP addresses to the
corresponding MAC or physical addresses.
– DHCP Bindings—Saves entries from the SonicWALL security
appliance DHCP server.
– IKE Info—Saves current information about active IKE
configurations.
15. Click Fetch Tech Support Report.
16. To request a packet trace, enter the IP address of the remote host in the
Host field, and click Start. You must enter an IP address in the Host field;
do not enter a host name, such as “www.yahoo.com”. Click Stop to
terminate the packet trace and Query to query the trace. To reset a host,
enter the IP address in the Host field and click Reset.
Viewing Connections Monitor
The Connections Monitor displays real-time, configurable views of all
connections to and through a SonicWALL security appliance.
To view connections monitor data, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab. In the center pane, navigate to Diagnostics >
Connections Monitor.
3. Select the filter values to sort by.
You can filter the results to display only connections matching certain criteria.
You can filter by Source IP, Destination IP, Destination Port, Protocol,
Source Interface, and Destination Interface. Enter your filter criteria in the
Active Connections Monitor Settings table.
The fields you enter values into are combined into a search string with a
logical AND. For example, if you enter values for Source IP and Destination
IP, the search string will look for connections matching:
Source IP AND Destination IP
Check the Group Filters box next to any two or more criteria to combine them
with a logical OR. For example, if you enter values for Source IP, Destination
IP, and Protocol, and check Group Filter next to Source IP and Destination
IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
4. Click Fetch Active Connections Monitor to apply the filter immediately
to the Active Connections Monitor table. The scheduler displays.
5. Expand Schedule by clicking the plus icon.
6. Select Immediate or specify a future date and time.
7. Click Accept. The updated Connections Monitor page displays.
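The AND/OR semantics of the Connections Monitor filter (ungrouped criteria are AND'ed, criteria with Group Filters checked are OR'ed together) are shown below in an added example that is not SonicWALL code. The connection table, field names and the rule that a single grouped criterion behaves like a plain AND term are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Display names of the filter criteria the Connections Monitor offers.
FIELD_NAMES: Dict[str, str] = {
    "src_ip": "Source IP",
    "dst_ip": "Destination IP",
    "dst_port": "Destination Port",
    "protocol": "Protocol",
    "src_iface": "Source Interface",
    "dst_iface": "Destination Interface",
}


@dataclass(frozen=True)
class Connection:
    """One row of an active-connections table (constructed, not SonicWALL's own type)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    src_iface: str
    dst_iface: str


def _or_group(criteria: Dict[str, object], grouped: FrozenSet[str]) -> List[str]:
    """Fields that actually form an OR group: Group Filters must be checked on two or
    more criteria that carry a value; a lone grouped field is treated as an AND term."""
    members = [f for f in FIELD_NAMES if f in criteria and f in grouped]
    return members if len(members) >= 2 else []


def build_search_string(criteria: Dict[str, object],
                        grouped: FrozenSet[str] = frozenset()) -> str:
    """Render the effective search string, e.g. '(Source IP OR Destination IP) AND Protocol'."""
    group = _or_group(criteria, grouped)
    parts: List[str] = []
    if group:
        parts.append("(" + " OR ".join(FIELD_NAMES[f] for f in group) + ")")
    parts.extend(FIELD_NAMES[f] for f in FIELD_NAMES if f in criteria and f not in group)
    return " AND ".join(parts)


def matches(conn: Connection, criteria: Dict[str, object],
            grouped: FrozenSet[str] = frozenset()) -> bool:
    """Apply the criteria to one connection with the same AND/OR semantics."""
    group = _or_group(criteria, grouped)
    # Every ungrouped criterion must match (logical AND).
    for f, wanted in criteria.items():
        if f not in group and getattr(conn, f) != wanted:
            return False
    # At least one grouped criterion must match (logical OR).
    if group and not any(getattr(conn, f) == criteria[f] for f in group):
        return False
    return True


def filter_connections(conns: List[Connection], criteria: Dict[str, object],
                       grouped: FrozenSet[str] = frozenset()) -> List[Connection]:
    return [c for c in conns if matches(c, criteria, grouped)]


# Constructed sample table; addresses are documentation ranges, not real hosts.
SAMPLE_CONNECTIONS = [
    Connection("10.0.0.5", "192.0.2.10", 443, "TCP", "X0", "X1"),
    Connection("10.0.0.7", "192.0.2.10", 53, "UDP", "X0", "X1"),
    Connection("10.0.0.5", "198.51.100.4", 80, "TCP", "X0", "X1"),
    Connection("10.0.0.9", "192.0.2.10", 22, "TCP", "X2", "X1"),
    Connection("10.0.0.9", "198.51.100.4", 443, "TCP", "X2", "X1"),
]

if __name__ == "__main__":
    crit = {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "protocol": "TCP"}
    print(build_search_string(crit))                                # Source IP AND Destination IP AND Protocol
    print(len(filter_connections(SAMPLE_CONNECTIONS, crit)))        # 1
    grp = frozenset({"src_ip", "dst_ip"})
    print(build_search_string(crit, grp))                           # (Source IP OR Destination IP) AND Protocol
    print(len(filter_connections(SAMPLE_CONNECTIONS, crit, grp)))   # 3
```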
Viewing CPU Monitor
For GMS managed SonicWALL UTM appliances running SonicOS 3.0 and
higher, the CPU Monitor displays real-time CPU utilization in second, minute,
hour, and day intervals. To view CPU utilization data, perform the following
steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab. In the center pane, navigate to Diagnostics > CPU
Monitor.
3. To refresh the CPU diagnostic display, click Refresh Diagnostic Data
display.
4. To delete the CPU diagnostic display, click Delete Diagnostic Data
display.
5. To modify the time period for the CPU data, select one of the following
periods from the Chart for drop-down menu:
– CPU History for the last 60 seconds—Displays CPU history for the
last minute.
– CPU History for the last 60 minutes—Displays CPU history for the
last hour.
– CPU History for the last 24 hours—Displays CPU history for the last
day.
– CPU History for the last 30 days—Displays CPU history for the last
30 days.
6. Click Fetch CPU Information to display CPU information from the
SonicWALL appliance. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
Viewing Process Monitor
For GMS managed SonicWALL UTM appliances running SonicOS 3.0 and
higher, the Process Monitor displays individual system processes, their CPU
utilization, and their system time.
To view diagnostic data, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Diagnostics tree and click Process Monitor. The Process
Monitor page displays.
3. To refresh the process diagnostic display, click Refresh Diagnostic Data
display.
4. To delete the process diagnostic display, click Delete Diagnostic Data
display.
5. Click Fetch Process Information to display Process Monitor information.
The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
CHAPTER 14
Configuring Website Blocking
This chapter describes how to use SonicWALL GMS to configure website
blocking options for one or more SonicWALL appliances. This functionality
can be used to deny access to material supplied by the active content filtering
subscription, specific domains, domains by keyword, and Web features such
as ActiveX, Java, and cookies.
This chapter includes the following sections:
• “Configuring General Website Blocking” section on page 296
• “Configuring the CFS Exclusion List” section on page 308
• “Blocking Web Features” section on page 315
• “Configuring Access Consent” section on page 316
• “N2H2 and Websense Content Filtering” section on page 318
Note
SonicWALL appliances are entitled to a one-month content filter trial
subscription.
Configuring General Website Blocking
The general page is used to configure whether access to restricted content,
sites, and features is blocked or logged, if and when users can access blocked
material, and the message that will be displayed when users attempt to access
blocked material.
SonicWALL offers two types of content filtering and supports two third-party
content filtering packages: N2H2 and Websense Enterprise. To configure
filtering options for N2H2 or Websense, view the documentation that came
with the software package.
To configure general blocking options, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > General. The
Website Blocking General page displays.
4. Select the content filtering package that you will use:
– SonicWALL CFS—Enables the CFS SonicWALL filtering package
based on the firmware version of the SonicWALL appliance. To
configure SonicWALL content filtering, see “Selecting the Content to
Block” on page 298.
– N2H2—To use N2H2, you must have the N2H2 software package
running on a server in your network. For more information, visit
www.n2h2.com.
– Websense—To use Websense, you must have the Websense
Enterprise software package running on a server in your network. For
more information, visit www.websense.com.
Note
If you select N2H2 or Websense, make sure to configure the
appropriate filtering options. For more information, see “N2H2 and
Websense Content Filtering” on page 318.
5. A trusted domain is a domain that is allowed to use Web features such as
Java, ActiveX, and cookies. To create a list of trusted domains, select the
Don't block Java/ActiveX/Cookies to Trusted Domains check box.
6. Enter one or more domain names in the Trusted Domains field and click
Add. The scheduler displays. Multiple domains should be separated by a
“;” semicolon.
Timesaver
Importing a .txt file with one domain name per line is the easiest way
to add multiple domains to a Trusted Domains list. Click the
Import... button to add multiple domains from a text file.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
10. Repeat steps 5 - 10 for other domains you would like to add.
Note
Enter the domain name only. For example, “yahoo.com.” Do not
include “http://.” Entering “yahoo.com” will also allow access to
www.yahoo.com, my.yahoo.com, sports.yahoo.com, and so on.
Note
This feature will only enable Web features for the selected domains.
To make the domain available for unrestricted browsing, add it to
the Allowed Domains list. For more information, see “Customizing
Access by Domain” on page 309.
11. To delete a domain from the Trusted Domain list, click the checkbox in the
trash can column for the domain and click Update.
12. To apply content filtering and Web feature restrictions to the LAN port
(WorkPort), select LAN/WorkPort.
13. To apply content filtering and Web feature restrictions to the DMZ port
(HomePort), select DMZ/HomePort/WLAN/OPT. For SonicWALL wireless
appliances, the DMZ/HomePort/WLAN/OPT option also applies content
filtering and Web feature restrictions to the WLAN interface.
14. Enter the message that will be displayed when users attempt to access
restricted content, sites, and features. For example, “This Web site is
restricted. Get back to work.”
15. When you are finished, click Update. The scheduler displays.
16. Expand Schedule by clicking the plus icon.
17. Select Immediate or specify a future date and time.
18. Click Accept.
Selecting the Content to Block
Depending on the version of the firmware, you will use either the CFL Filter
List or the CFS Filter List page. If a SonicWALL appliance uses CFL, it will
periodically download a filter list that will be used to block objectionable sites.
If a SonicWALL appliance uses CFS, it will send a request to the SonicWALL
site each time a request for potentially objectionable material is made.
Note
You must activate a service licence to use CFL or CFS content
blocking.
Content Filter List
The CFL Filter List page defines categories of website content that will be
blocked and when the SonicWALL appliance(s) will download the content filter
list.
Note
This page does not affect N2H2 or Websense content filtering. For
information on configuring filtering options for these software
packages, refer to their documentation.
To configure the filter list, perform the following steps:
1. In the left pane, select the global icon, a group or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > CFL Filter List.
4. Select the content to block by checking the box next to any of the following
categories (to select all categories, check the Select All box):
– Violence/Profanity—Includes pictures or text depicting extreme
cruelty, or physical or emotional acts against any animal or person that
are primarily intended to hurt or inflict pain. Obscene words, phrases,
and profanity are defined as text that uses, but is not limited to,
George Carlin’s seven censored words, more often than once every
50 messages (Newsgroups) or once a page (Web sites).
– Partial Nudity—Pictures exposing the female breast or full exposure
of either male or female buttocks, except when exposing genitalia.
Excludes all swimsuits, including thongs.
– Full Nudity—Pictures exposing any or all portions of the human
genitalia. Excludes sites containing nudity or partial nudity of a
wholesome nature. For example, Web sites hosted by publications
such as National Geographic or Smithsonian Magazine and museums
such as the Guggenheim, the Louvre, or the Museum of Modern Art
are not blocked.
– Sexual Acts (graphics or text)—Pictures or text exposing anyone or
anything involved in explicit sexual acts and or lewd and lascivious
behavior, including masturbation, copulation, pedophilia, and intimacy
involving nude or partially nude people in heterosexual, bisexual,
lesbian or homosexual encounters. This also includes phone sex ads,
dating services, adult personals, CD-ROMs, and videos.
– Gross Depictions (graphics or text)—Pictures or descriptive text of
anyone or anything that are crudely vulgar or grossly deficient in
civility or behavior, or that show scatological impropriety. For example,
maiming, bloody figures, or indecent depiction of bodily functions.
– Intolerance (graphics or text)—Pictures or text advocating prejudice
or discrimination against any race, color, national origin, religion,
disability or handicap, gender, or sexual orientation. Includes any
picture or text that elevates one group over another. Also includes
intolerant jokes or slurs.
– Satanic/Cult (graphics or text)—Pictures or text advocating devil
worship, an affinity for evil or wickedness, or the advocacy to join a
cult. A cult is defined as a closed society headed by a single individual
where loyalty is demanded and leaving is punishable.
– Drug Culture (graphics or text)—Pictures or text advocating the
illegal use of drugs for entertainment. Includes substances used for
other than their primary purpose to alter the individual’s state of mind,
such as glue sniffing. Excludes currently illegal drugs legally
prescribed for medicinal purposes (e.g., drugs used to treat glaucoma
or cancer).
– Militant/Extremist (graphics or text)—Pictures or text advocating
extremely aggressive and combative behaviors, or unlawful political
measures. Topics include groups that advocate violence as a means
to achieve their goals. Includes “how to” information on weapons
making, ammunition making, or the making or use of pyrotechnic
materials. Also includes the use of weapons for unlawful reasons.
– Sex Education (graphics or text)—Pictures or text advocating the
proper use of contraceptives. This topic includes condom use, the
correct way to wear a condom and how to put a condom in place. Also
included are sites relating to discussion about the use of the Pill, IUDs,
and other types of contraceptives. In addition to the above, this
includes discussion sites on discussing diseases with a partner,
pregnancy, and respecting boundaries. Excluded from this category
are commercial sites selling sexual paraphernalia.
– Gambling/Questionable/Illegal (graphics or text)—Pictures or text
advocating materials or activities of a dubious nature which may be
illegal in any or all jurisdictions, such as illegal business schemes,
chain letters, copyright infringement, computer hacking, phreaking
(using someone’s phone lines without permission), and software
piracy.
– Alcohol/Tobacco (graphics or text)—Pictures or text advocating the
sale, consumption, or production of alcoholic beverages and tobacco
products.
5. To configure the SonicWALL appliance(s) to download the content list
weekly, select the Automatically Download List Every check box and
select the day of the week and time when the download will occur.
Tip
If you select this option, configure the SonicWALL appliance(s) to
download the list at a time when network activity is low.
Note
This option requires a subscription to the Content Filter List
updates.
6. To download a new content filter list now, click the Download Filter List
Now button. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
10. Select one of the following Logging options:
– Log and Block Access—Blocks access to restricted content, sites,
and features and logs access attempts.
– Log Only—Does not block access to restricted content, sites, and
features, but logs access. This enables organizations to monitor
appropriate usage without restricting access.
11. Select from the following filter list expiration options:
– To block access to all Web sites except trusted domains thirty days
after the filter list expires, select Block traffic to all websites except
for Allowed Domains.
– To allow access to all Web sites thirty days after the filter list expires,
select Allow traffic access to all websites.
12. When you are finished, click Update. The scheduler displays.
13. Expand Schedule by clicking the plus icon.
14. Select Immediate or specify a future date and time.
15. Click Accept.
CFS Filter List
The CFS Filter List allows you to block objectionable content. You must have
a license for the CFS Filter List.
To configure the Content Filter Service, perform the following steps:
• “Configuring the General CFS Filter List Settings” on page 302.
• “Configuring the CFS Standard Page” on page 303.
• “Configuring the CFS Premium Page” on page 306.
Configuring the General CFS Filter List Settings
The CFS Filter List page defines categories of Web site content that will be
blocked in real time. Each time a request for potentially objectionable material
is made, CFS sends a request to the SonicWALL site.
Note
This page does not affect N2H2 or Websense content filtering. For
information on configuring filtering options for these software
packages, refer to their documentation.
To configure the filter list, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > CFS Filter List.
4. Specify how long the SonicWALL appliance will wait if the CFS server is
unavailable before blocking Web traffic in the If Server is unavailable for
field.
5. Specify the action the SonicWALL appliance will take if the server is
unavailable. To block access to all Web sites, select Block traffic to all
Web sites. To allow access to all Web sites, select Allow traffic to all
Web sites.
6. Specify how the SonicWALL appliance will respond to blocked URLs in the
If Server marks URL as blocked section:
– Block Access to URL—Blocks access to restricted content, sites,
and features.
– Log Access to URL—Does not block access to restricted content,
sites, and features, but logs access. This enables organizations to
monitor appropriate usage without restricting access.
7. Specify the size of the URL cache in the Cache Size field. For information
on valid ranges, click the Click here for valid ranges link.
8. When you are finished, click Update. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
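The settings in this procedure (the server-unavailable grace period and fail-open or fail-closed choice, and Block versus Log for a blocked URL) and the Trusted Domains rules from Configuring General Website Blocking (semicolon-separated bare names, "yahoo.com" covering its subdomains, trusted domains affecting only Java/ActiveX/cookies) are brought together in the added example below. It is not SonicWALL code: the verdict and action types are constructed, and it assumes that Allowed Domains bypass CFS and that requests pass while the server has been unreachable for less than the grace period.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List
from urllib.parse import urlsplit


class Verdict(Enum):
    """What the CFS rating server returned for a URL (constructed model)."""
    ALLOWED = "allowed"
    BLOCKED = "blocked"
    UNAVAILABLE = "unavailable"


class Action(Enum):
    ALLOW = "allow"   # pass the request
    LOG = "log"       # pass the request but log it (Log Access to URL)
    BLOCK = "block"   # deny the request (Block Access to URL)


@dataclass(frozen=True)
class CfsSettings:
    """The CFS Filter List page settings this example models."""
    unavailable_grace_seconds: int   # "If Server is unavailable for" field
    block_when_unavailable: bool     # Block traffic to all Web sites (True) / Allow (False)
    block_on_hit: bool               # Block Access to URL (True) / Log Access to URL (False)


def parse_domain_list(text: str) -> List[str]:
    """Parse a Trusted Domains / Allowed Domains entry: names separated by ';',
    bare domain names only (the page says not to include 'http://')."""
    names = []
    for raw in text.split(";"):
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue
        if "://" in name or "/" in name:
            raise ValueError(f"enter the domain name only, not a URL: {raw.strip()!r}")
        names.append(name)
    return names


def domain_listed(host: str, domains: List[str]) -> bool:
    """'yahoo.com' covers www.yahoo.com, my.yahoo.com, ... but not 'notyahoo.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def web_features_allowed(host: str, trusted: List[str]) -> bool:
    """Trusted Domains only decides whether Java/ActiveX/cookies are left alone;
    it does not exempt the domain from content filtering (see the Note on page 298)."""
    return domain_listed(host, trusted)


def decide(url: str, settings: CfsSettings, verdict: Verdict,
           unavailable_for: int, allowed: List[str]) -> Action:
    """Decide the fate of one request. Assumptions: Allowed Domains bypass CFS, and
    traffic passes while the server has been unreachable for less than the grace period."""
    host = urlsplit(url).hostname or ""
    if domain_listed(host, allowed):
        return Action.ALLOW
    if verdict is Verdict.UNAVAILABLE:
        if unavailable_for < settings.unavailable_grace_seconds:
            return Action.ALLOW
        # Grace period exhausted: fail closed or fail open, per step 5.
        return Action.BLOCK if settings.block_when_unavailable else Action.ALLOW
    if verdict is Verdict.BLOCKED:
        return Action.BLOCK if settings.block_on_hit else Action.LOG
    return Action.ALLOW


if __name__ == "__main__":
    closed = CfsSettings(unavailable_grace_seconds=30, block_when_unavailable=True, block_on_hit=True)
    print(decide("http://www.example.com/page", closed, Verdict.UNAVAILABLE, 45, []))  # Action.BLOCK
    print(web_features_allowed("sports.yahoo.com", parse_domain_list("yahoo.com")))    # True
```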
Configuring the CFS Standard Page
The CFS Standard page defines categories of Web site content that will be
blocked in real time.
Note
This page does not affect N2H2 or Websense content filtering. For
information on configuring filtering options for these software
packages, refer to their documentation.
To configure the filter list, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > CFS Standard.
4. Select the content to block by checking the box next to one of the following
categories (to select all categories, check the Select all box):
– Violence/Hate/Racism—Includes pictures or text exposing extreme
cruelty, or physical or emotional acts against any animal or person that
are primarily intended to hurt or inflict pain. Includes pictures or text
advocating prejudice or discrimination against any race, color,
national origin, religion, disability or handicap, gender, or sexual
orientation. Includes any picture or text that elevates one group over
another. Also includes intolerant jokes or slurs.
– Cult/Occult (graphics or text)—Pictures or text advocating devil
worship, an affinity for evil or wickedness, or the advocacy to join a
cult. A cult is defined as a closed society headed by a single individual
where loyalty is demanded and leaving is punishable.
– Intimate Apparel/Swimsuit—Partial Nudity—Pictures exposing
males or females in lingerie, swimsuits, or other intimate apparel.
– Drugs/Illegal Drugs (graphics or text)—Pictures or text advocating
the illegal use of drugs for entertainment. Includes substances used
for other than their primary purpose to alter the individual’s state of
mind, such as glue sniffing. Excludes currently illegal drugs legally
prescribed for medicinal purposes (e.g., drugs used to treat glaucoma
or cancer).
– Nudism (graphics or text)—Pictures or text advocating nudism,
providing information, or advertising related resorts or services.
– Illegal Skills/Questionable Skills (graphics or text)—Pictures or
text advocating materials or activities of a dubious nature which may
be illegal in any or all jurisdictions, such as illegal business schemes,
chain letters, copyright infringement, computer hacking, phreaking
(using someone’s phone lines without permission), and software
piracy.
– Pornography (graphics or text)—Pictures of any or all portions of
the human genitalia and pictures or text exposing anyone or anything
involved in explicit sexual acts and or lewd and lascivious behavior,
including masturbation, copulation, pedophilia, and intimacy involving
nude or partially nude people in heterosexual, bisexual, lesbian or
homosexual encounters. Excludes sites containing nudity or partial
nudity of a wholesome nature and all swimsuits, including thongs.
– Sex Education (graphics or text)—Pictures or text advocating the
proper use of contraceptives. This topic includes condom use, the
correct way to wear a condom and how to put a condom in place. Also
included are sites relating to discussion about the use of the Pill, IUDs,
and other types of contraceptives. In addition to the above, this
includes discussion sites on discussing diseases with a partner,
pregnancy, and respecting boundaries. Excluded from this category
are commercial sites selling sexual paraphernalia.
– Weapons (graphics or text)—Pictures or text advocating the legal or
illegal use of weapons, providing weapons for sale, or advocating
extremely aggressive and combative behaviors, or unlawful political
measures.
– Gambling (graphics or text)—Pictures or text providing or
advocating gambling services relating to lotteries, casinos, betting,
numbers games, on-line sports, and financial betting, including
non-monetary dares.
– Adult/Mature Content (graphics or text)—Pictures or text such as
phone sex ads, dating services, adult personals, CD-ROMs, and
videos. Excludes sites containing nudity or partial nudity of a
wholesome nature and all swimsuits, including thongs.
– Alcohol & Tobacco (graphics or text)—Pictures or text advocating
the sale, consumption, or production of alcoholic beverages and
tobacco products.
5. When you are finished, click Update. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
9. If you believe that a website is rated incorrectly, or to submit a new URL
for blocking, click the here link in the sentence If you believe that a Web
site is rated incorrectly or you wish to submit a new URL, click here.
Configuring the CFS Premium Page
The CFS Premium service enables you to add advanced content filtering
functionality to one or more SonicWALL appliances by choosing specific
content to filter from 64 different content categories. This section describes
how to configure the CFS Premium service.
Note
This page does not affect N2H2 or Websense content filtering. For
information on configuring filtering options for these software
packages, refer to their documentation.
To configure the CFS Premium service, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > CFS Premium.
4. Click Add CFS Policy.
5. Enter a name for the policy.
6. Click the URL List tab.
7. Check the boxes of the categories to block. To select all categories, check
the Select all Categories box.
8. Click the Settings tab.
a. To disable the allowed domains list, select the Disable Allowed
Domains check box.
b. To prevent access to domains specified in the Forbidden Domain list,
select the Enable Forbidden Domains check box.
c. To enable the keyword blocking feature, select the Enable Keyword
Blocking check box.
9. From the drop-down menu, select when the forbidden URLs will be
blocked.
10. When you are finished, click OK. The scheduler displays.
11. Expand Schedule by clicking the plus icon.
12. Select Immediate or specify a future date and time.
13. Click Accept.
14. Repeat this procedure for each filter that you would like to add.
Configuring the CFS Exclusion List
The CFS exclusion list allows you to specify an IP address or IP address range
that is excluded from Website blocking.
To enable and configure a CFS exclusion list, perform the following tasks:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab. In the center pane, navigate to
Website Blocking > CFS Exclusion List.
3. Check the Enable CFS Exclusion List box to enable CFS block list
exclusions.
4. Enter an IP address or IP address range to exclude. For a single IP
address, enter the same IP address in the IP Address From and IP
Address To fields. For a range, enter the beginning IP address in the IP
Address From field and the ending IP address in the IP Address To field.
5. Click Add IP Range Entry.
6. Repeat steps 4 and 5 to add more IP addresses or IP address ranges.
7. To delete an IP address or IP address range from the CFS exclusion list,
click the checkbox in the trashcan column for the addresses.
8. Click Update. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
Customizing Access by Domain
The Customization page is used to block or allow access to specific domain
names. This enables an organization to block access to domains that are not
in the content filter list, allow access to domains in the content filter list, or only
allow access to specific domains.
Allowed domains are domains that users can access, regardless of whether
they appear in the content filter list. Allowed domains are particularly useful for
dedicated systems that are only allowed to access specific websites. Up to
256 entries are supported in the Allowed Domains list.
Timesaver Importing a .txt file with one domain per line is the easiest way to add
multiple domains to a forbidden/allowed list. See the “Adding
Multiple Domains From a List” section on page 311 for more.
Forbidden domains are domains that users will not be allowed to access. This
is useful when a website disrupts a corporate or educational environment. To
find out which websites are most frequently accessed, refer to the Top Web
Site Hits section of the log report. Up to 256 entries are supported in the
Forbidden Domains list.
Note
This feature is not available if you select N2H2 or Websense content
filtering. For information on configuring filtering options for these
software packages, refer to their documentation.
Enabling Website Blocking Customization
To configure list customization options:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > Customization.
4. Enable list customization by checking the Enable Allowed/Forbidden
Domains box.
5. To disable Web traffic except for allowed domains, check the Disable all
Web traffic except for Allowed Domains box. (This option is available
only on appliances running SonicOS Standard, or other non-Enhanced
firmware.)
Adding Individual Forbidden/Allowed Domains
To add one or more allowed/forbidden domains:
1. To add a small number of domains, enter the domain name in the Allowed
Domains field and click Add. The scheduler displays. You can add several
domains at once by separating your entries with a semicolon “;”.
Note
Enter the domain name only. For example, “yahoo.com.” Do not
include “http://.” Entering “yahoo.com” will also allow access to
www.yahoo.com, my.yahoo.com, sports.yahoo.com, and so on.
2. Expand Schedule by clicking the plus icon.
3. Select Immediate or specify a future date and time.
4. Click Accept.
5. Repeat this step for each domain you would like to add.
Adding Multiple Domains From a List
To add a large number of domains from a text-based list:
1. Click the Import... button. The upload file window displays.
2. Click the Browse... button to upload a text-based (.txt) file containing the
URL list. The URLs in this text file must be separated by line breaks.
3. In the Schedule window, select Immediate or specify a future date and
time.
4. Click Accept.
Timing Options in SonicOS Standard
To configure timing options for SonicOS Standard appliances:
1. Select one of the following Timing options. (This option is available only
on appliances running SonicOS Standard, or other non-Enhanced
firmware.)
– Always Block—Always blocks access to all restricted content, sites,
and features.
– Block From—Blocks access to restricted content, sites, and features
between the selected hours. Select the from and to hours and the day
range from the pull-down menus.
2. When you are finished, click Update. The scheduler displays.
3. Expand Schedule by clicking the plus icon.
4. Select Immediate or specify a future date and time.
5. Click Accept.
Deleting Domains from the Domain Lists
To delete one or more domains from the Allowed Domain or Forbidden Domain
lists, perform the following steps:
1. Navigate to Website Blocking > Customization.
2. Check the box below the trash can icon and next to the item you want to
delete. Repeat this step for each domain that you want to remove from the
domain lists.
3. When you are finished, click Update. The scheduler displays.
4. Expand Schedule by clicking the plus icon.
5. Select Immediate or specify a future date and time.
6. Click Accept.
Blocking Access to Domains by Keywords
The URL Keywords page is used to block access to domain names by
keyword. This provides a second line of defense against objectionable
material. For example, if the keyword “xxx” was included in the list, the site
“www.new-site.com/xxx.html” would be blocked.
Note
Be careful when using this feature. For example, blocking the word
“breast” can prevent access to both pornographic or objectionable
sites, but will also block sites on breast cancer.
Note
This feature is not available if you select N2H2 or Websense content
filtering. For information on configuring filtering options for these
software packages, refer to their documentation.
To configure domain blocking by keyword, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > URL Keywords.
4. Enable keyword blocking by checking the Enable Keyword Blocking
box.
5. Click Update. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
9. To add one or more keywords, enter them in the URL Keyword field and
click Add. The scheduler displays. Multiple keywords should be separated
by a “;” semicolon.
Timesaver Importing a .txt file with one keyword per line is the easiest way to
add multiple keywords. Click the Import... button to add multiple
keywords from a text file.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept. Repeat these steps for each keyword you would like to add.
13. To remove a keyword, select its check box below the trash can icon.
Repeat this step for each keyword that you want to remove from the
keyword lists.
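The allowed-domain suffix matching, semicolon-separated entries, and keyword substring matching described in the Customization and URL Keywords sections above, modelled as an added Python example (not SonicWALL or GMS code; the evaluation order between the lists and the sample entries are assumptions made for the example):

```python
"""Added example (not SonicWALL or GMS code): a model of the Website Blocking
Customization and URL Keywords decisions. The evaluation order and the
sample lists are assumptions made for this example."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_DOMAIN_ENTRIES = 256  # limit the guide states for each domain list


def parse_entries(text: str) -> list[str]:
    """Split a GUI field ("a.com;b.com") or an imported .txt file (one entry per
    line) into normalised entries. A leading "http://" is stripped because the
    guide says to enter "yahoo.com", not "http://yahoo.com"."""
    out: list[str] = []
    for raw in text.replace(";", "\n").splitlines():
        entry = raw.strip().lower()
        if "://" in entry:
            entry = entry.split("://", 1)[1]
        entry = entry.rstrip("./")
        if entry and entry not in out:
            out.append(entry)
    return out


def domain_matches(host: str, entry: str) -> bool:
    """'yahoo.com' covers yahoo.com and every subdomain, but not notyahoo.com."""
    return host == entry or host.endswith("." + entry)


@dataclass
class WebsiteBlockingPolicy:
    allowed: list[str] = field(default_factory=list)
    forbidden: list[str] = field(default_factory=list)
    keywords: list[str] = field(default_factory=list)
    allowed_only: bool = False      # "Disable all Web traffic except for Allowed Domains"
    keyword_blocking: bool = False  # "Enable Keyword Blocking"

    def __post_init__(self) -> None:
        for name, entries in (("Allowed", self.allowed), ("Forbidden", self.forbidden)):
            if len(entries) > MAX_DOMAIN_ENTRIES:
                raise ValueError(f"{name} Domains list exceeds {MAX_DOMAIN_ENTRIES} entries")

    def decide(self, url: str) -> tuple[str, str]:
        """Return (verdict, reason). Assumed order: allowed domains win, then
        forbidden domains, then keywords, then the allowed-only switch."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        for entry in self.allowed:
            if domain_matches(host, entry):
                return "allow", f"allowed domain {entry}"
        for entry in self.forbidden:
            if domain_matches(host, entry):
                return "block", f"forbidden domain {entry}"
        if self.keyword_blocking:
            # Keywords are plain substrings of host + path + query, which is why
            # the guide warns that "breast" also blocks breast-cancer sites.
            haystack = (host + parts.path + "?" + parts.query).lower()
            for keyword in self.keywords:
                if keyword in haystack:
                    return "block", f"keyword {keyword!r}"
        if self.allowed_only:
            return "block", "not in Allowed Domains list"
        return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed sample lists, entered the way the GUI field and the .txt import accept them.
    policy = WebsiteBlockingPolicy(
        allowed=parse_entries("yahoo.com; http://example.org/"),
        forbidden=parse_entries("games.example.net\nvideo.example.net\n"),
        keywords=parse_entries("xxx; breast"),
        keyword_blocking=True,
    )
    for url in ("sports.yahoo.com", "http://www.new-site.com/xxx.html",
                "https://www.breastcancer.example/info", "notyahoo.com"):
        print(f"{url:45} -> {policy.decide(url)}")
```

The breast-cancer URL in the sample shows the overblocking the Note above warns about; an Allowed Domains entry for that site is the way to carve it back out.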
Blocking Web Features
The Web Features page is used to block ActiveX Controls, Java, cookies, Web
proxy, and known fraudulent certificates. To block these features, perform the
following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > Web Features.
4. Check the boxes next to the objects to block:
– ActiveX—Blocks ActiveX controls. ActiveX is a programming
language used to embed small programs in Web pages. It is generally
considered insecure because it is possible for malicious programmers
to write controls that can delete files, compromise security, or cause
other damage.
– Java—Blocks Java applets. Java applets are downloadable Web
applications that are used on many websites. Selecting this option will
block all Java applets, regardless of their function.
– Cookies—Prevents websites from placing information on user hard
drives. Cookies are used by Web servers to track Web usage and
remember user identity. Cookies can compromise users' privacy by
tracking Web activities.
Note
Blocking cookies on the public Internet creates a large number
of accessibility problems. Most sites make extensive use of
cookies to generate Web pages and blocking cookies will make
most e-commerce applications unusable.
– Access to HTTP Proxy Servers—Blocks users from accessing Web
proxy servers on the Internet to circumvent content filtering by pointing
their computers to the proxy servers.
– Known Fraudulent Certificates—Blocks access to Web content that
originated from a known fraudulent certificate. Digital certificates help
verify that Web content originated from an authorized party.
5. When you are finished, click Update. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
Configuring Access Consent
The consent feature allows organizations to specify computers that are always
filtered and computers that are filtered by user request. This feature is popular
in libraries, Internet cafes, and other public Internet systems.
Note
This feature is not available if you select N2H2 or Websense content
filtering. For information on configuring filtering options for these
software packages, refer to their documentation.
To configure the consent feature, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > Consent.
4. Check the Require Consent check box to require consent. Users can
choose if they want filtering or not.
5. Enter the maximum time (in minutes) a user can access the Internet in the
Maximum Web Usage field.
6. Specify the maximum amount of time (in minutes) a connection may
remain idle before the user is logged out and must agree to the consent
agreement again in the User Idle Timeout field.
7. Enter the URL of the Web page from which users choose to enable filtering
in the Consent Page URL (Optional Filtering) field. This page displays
when users first attempt to access the Internet and must contain a link for
choosing unfiltered access and a link for choosing filtered access. The link
for unfiltered access is IPaddress/iAccept.html. The link for filtered access
is IPaddress/iAcceptFilter.html. IPaddress is the LAN (WorkPort) IP
address of the SonicWALL appliance.
8. Enter the URL of the page that displays when users choose to access the
Internet without content filtering in the “Consent Accepted” URL
(Filtering Off) field. This page must be accessible on the LAN (WorkPort).
9. Enter the URL of the page that displays when users access the Internet
with content filtering enabled in the “Consent Accepted” URL (Filtering
On) field. This page must be accessible on the LAN (WorkPort).
10. When a user opens a Web browser on a computer with mandatory content
filtering they will be shown a consent page. Enter the URL for the consent
page in the Consent Page URL (Mandatory Filtering) field. You will need
to create this Web page. It usually contains an Acceptable Use Policy and
a notification that violations will be logged or blocked.
This Web page must reside on a Web server that is accessible as a URL
by LAN (WorkPort) users. This page must also contain a link that tells the
SonicWALL appliance that the user agrees to having filtering enabled. To
do this, create the following link:
IPaddress/iAcceptFilter.html
where IPaddress is the LAN (WorkPort) IP address of the SonicWALL
appliance.
11. To enforce content filtering for a specific computer on the LAN, enter the
IP address in the IP Addresses field of the Mandatory Filtered IP
Addresses section and click Add. Up to 128 IP addresses can be
entered.
12. To remove a computer from the list of computers to be filtered, click the
checkbox in the trash can column for the IP address.
13. When you are finished, click Update. The scheduler displays.
14. Expand Schedule by clicking the plus icon.
15. Select Immediate or specify a future date and time.
16. Click Accept.
N2H2 and Websense Content Filtering
The following sections describe additional filtering configuration options for
N2H2 and Websense content filtering:
• “N2H2” on page 318
• “Websense” on page 320
N2H2
To configure N2H2 content filtering options, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > N2H2.
4. Enter the N2H2 server name or IP address in the Server Host Name or
IP Address field.
5. Enter the port on which the N2H2 server listens for N2H2 requests in the
Listen Port field (default: 4005).
6. Enter the port that the N2H2 server uses to send packets to the
SonicWALL appliances in the Reply Port field (default: 4005).
7. Enter the username associated with the N2H2 account in the User Name
field.
8. Enter the size of the URL cache in the URL Cache Size field. A larger URL
cache can improve browser response times.
9. Select the action that the SonicWALL appliance(s) will take if the N2H2
server is unavailable beyond a specified period of time. First, enter the
time period (in seconds) in the If user is unavailable for field. Then,
select one of the options:
– To block traffic to all Web sites, select Block traffic to all Web sites.
– To allow access to all Web sites, select Allow traffic to all Web sites.
10. If a server marks a URL as blocked, select one of the following actions:
– Block Access to URL—Blocks access to restricted sites and logs
access attempts.
– Log Access to URL—Does not block access to restricted sites, but
logs access. This enables organizations to monitor appropriate usage
without restricting access.
11. When you are finished, click Update. The scheduler displays.
12. Expand Schedule by clicking the plus icon.
13. Select Immediate or specify a future date and time.
14. Click Accept.
Websense
To configure Websense content filtering options, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > Websense.
4. Enter the Websense server name or IP address in the Server Host Name
or IP Address field.
5. Enter the port used for Websense packets in the Server Port field (default:
15868).
6. Enter the username associated with the Websense account in the User
Name field.
7. Enter the size of the URL cache in the URL Cache Size field. A larger URL
cache can improve browser response times. The default cache size is 50.
8. Enter a time period (in seconds) in the If user is unavailable for field.
Then, select the action that the SonicWALL appliance(s) will take after that
period of time:
– To block traffic to all Web sites, select Block traffic to all Web sites.
– To allow access to all Web sites, select Allow traffic to all Web sites.
9. When you are finished, click Update. The scheduler displays.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept.
CHAPTER 15
Configuring Dynamic Host Configuration Protocol
This chapter describes how to use the SonicWALL Global Management
System (SonicWALL GMS) to configure SonicWALL appliances as DHCP
servers. Dynamic Host Configuration Protocol (DHCP) enables network
administrators to automate the assignment of IP addresses from a centralized
DHCP server. This conserves IP addresses and makes it easy for mobile users
to move among different segments of the network without having to manually
enter new IP addresses.
This chapter includes the following sections:
• “DHCP Server Options Overview” section on page 322
• “Configuring DHCP Over VPN” section on page 322
• “Configuring Dynamic DHCP IP Address Ranges” section on page 325
• “Configuring Static IP Addresses” section on page 329
• “Configuring DHCP Option Objects” section on page 333
• “Configuring DHCP Option Groups” section on page 334
• “Configuring General DHCP Settings” section on page 334
DHCP Server Options Overview
For SonicWALL appliances running SonicOS Enhanced 4.0 and above, the
SonicWALL DHCP server options feature provides support for DHCP options,
also known as vendor extensions, as defined primarily in RFCs 2131 and
2132. DHCP options allow you to specify additional DHCP parameters in the
form of pre-defined, vendor-specific information that is stored in the options
field of a DHCP message. When the DHCP message is sent to clients on the
network, it provides vendor-specific configuration and service information.
The SonicOS Enhanced 4.0 Administrator’s Guide provides a list of DHCP
options by RFC-assigned option number.
SonicWALL GMS provides a way to define DHCP options using a drop-down
list based on RFC-defined option numbers, allowing administrators to easily
create DHCP objects and object groups, and configure DHCP generic options
for dynamic and static DHCP lease scopes. Once defined, the DHCP option is
included in the options field of the DHCP message, which is then passed to
DHCP clients on the network, describing the network configuration and
service(s) available.
Configuring DHCP Over VPN
Note
This screen is available at the unit/appliance level only.
DHCP over VPN enables clients of the SonicWALL appliance to obtain IP
addresses from a DHCP server at the other end of the VPN tunnel or a local
DHCP server.
To configure DHCP over VPN, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the DHCP tree and click DHCP over VPN. The DHCP over VPN
page displays.
3. Select from the following:
– To configure the SonicWALL appliance to forward DHCP requests
through a VPN tunnel, select Remote Gateway from the DHCP Relay
Mode list box and do the following:
–Select the security association (SA) through which the DHCP server
resides from the Obtain using DHCP through this SA list box.
–Enter the IP address that will be inserted by the SonicWALL
appliance as the IP address of the DHCP Relay Agent in the Relay
IP Address field.
–To manage this SonicWALL appliance remotely through the VPN
tunnel from behind the Central Gateway, enter the management IP
address in the Remote Management IP Address field.
–If you enable Block traffic through tunnel when IP spoof
detected, the SonicWALL blocks any traffic across the VPN tunnel
that is spoofing an authenticated user’s IP address. If you have
any static devices, however, you must ensure that the correct
Ethernet address is entered for the device.
–If the VPN tunnel is disrupted, temporary DHCP leases can be
obtained from the local SonicWALL appliance. Once the tunnel is
active, it will stop issuing leases. To enable this option, select the
Obtain temporary lease from local DHCP server if tunnel is
down check box.
When you enable this option, clients will be able to obtain IP
addresses if the tunnel is unavailable. To ensure that clients use
the remote DHCP server shortly after it becomes available, enter
a short lease time in the Temporary Lease Time field. The default
value is two minutes.
Make sure to enable DHCP and enter an IP address range on the
DHCP Setup page. Otherwise, the SonicWALL appliance will be
unable to act as a DHCP server.
–To specify static IP addresses on the LAN (WorkPort), enter the IP
address and MAC address and click Add. Repeat this step for
each device that uses a static IP address.
–To specify a device that is not allowed to obtain an IP address
through the SA, enter its MAC address and click Add. Repeat this
step for each device that will not be allowed to obtain an IP
address through the SA.
– To configure the SonicWALL appliance to forward DHCP requests to
local servers, select Central Gateway from the DHCP Relay Mode list
box and do the following:
–To configure the SonicWALL appliance to send DHCP requests to
specific DHCP servers, select the Send DHCP requests to the
server addresses listed below check box. Then, enter the IP
address of a DHCP server and click Add. Repeat this step for each
DHCP server that you want to add.
–To configure the SonicWALL appliance to broadcast DHCP
requests, deselect the Send DHCP requests to the server
addresses listed below check box and leave the DHCP Servers
field blank.
–To use the DHCP server built into the SonicWALL appliance for
some clients, select the Use Internal DHCP Server check box.
To use the internal DHCP server for Global VPN clients, select the
For Global VPN Client check box.
To use the internal DHCP server for remote firewalls, select the
For Remote Firewalls check box.
4. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring Dynamic DHCP IP Address Ranges
Note
This screen is available at the unit/appliance level only.
This section describes how to configure dynamic IP address ranges.
To configure one or more dynamic IP address ranges, perform the following
steps:
1. Select a SonicWALL appliance.
2. Expand the DHCP tree and click Dynamic Ranges. The Dynamic Ranges
page displays.
3. Do one of the following:
– To enable the DHCP server, select the Enable DHCP Server check
box.
– To disable the DHCP server, deselect the Enable DHCP Server check
box.
4. Select Enable Conflict Detection to turn on automatic DHCP scope
conflict detection on each zone.
5. To add or edit a dynamic range, do one of the following:
– To add a dynamic range, click Add Dynamic Range.
– To edit an existing dynamic range, click the icon in the Edit Dynamic
Range column.
The DHCP Setup dialog for Dynamic Ranges is displayed.
6. In the DHCP Setup dialog box, on the General tab, complete the following
fields:
– Select the Enable this DHCP Scope check box to enable the DHCP
range. Deselect it to disable the range.
– Enter the start of the range in the Range Start field.
– Enter the end of the range in the Range End field.
– In the Lease Time field, type the number of minutes that an IP address
is used before another IP address is issued (or the same one is
re-issued). 1440 minutes (24 hours) is the default value.
– Specify the IP address and subnet mask of the default gateway for this
IP address range in the Default Gateway and Subnet Mask fields. By
default, these fields will use the settings on the Network Settings page.
– Select the Allow BootP clients to use range check box if you have
BootP clients on this network.
BootP stands for bootstrap protocol, which is a TCP/IP protocol and
service that allows diskless workstations to obtain their IP address,
other TCP/IP configuration information, and their boot image file from
a BootP server.
7. Click the DNS/WINS tab.
8. In the DHCP Setup dialog box, on the DNS/WINS tab, complete the
following fields:
– Optionally enter the domain name associated with this IP address
range in the Domain Name field.
– To configure one or more DNS servers for this range, do one of the
following:
–To use the DNS servers specified on the Network Settings page,
select Set DNS Servers using SonicWALLs Network settings.
–To specify the DNS servers manually for this IP address range,
select Specify Manually and then type the IP address of your
DNS Server in the DNS Server 1 field. You can specify two
additional DNS servers.
– If you have WINS running on your network, type the WINS server IP
address in the WINS Server 1 field. You can add an additional WINS
server.
9. For units running SonicOS Enhanced 4.0 and above, click the Advanced
tab. This tab allows you to configure the SonicWALL DHCP server to send
Cisco Call Manager information to VoIP clients on the network, and to
configure DHCP generic options for lease scopes.
10. Enter the IP address or FQDN of your VoIP Call Manager in the Call
Manager 1 field. You can add two additional VoIP Call Manager
addresses. For more information about configuring VoIP, see “Configuring
Voice over IP Settings” on page 249.
11. To configure a DHCP lease scope, select a DHCP option or option group
in the DHCP Generic Option Group drop-down menu.
12. To always use DHCP options for this DHCP server lease scope, select the
Send Generic options always checkbox.
13. When you are finished, click OK. The settings are saved. To clear all
screen settings and start over, click Cancel.
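The options field described in the DHCP Server Options Overview, built from the scope fields of the procedure above (subnet mask, default gateway, DNS and WINS servers, domain name, lease time in minutes, and one generic option chosen by RFC option number) and parsed back, as an added Python example (not SonicWALL or GMS code; the addresses, the domain name and the choice of option 42 as the generic option are constructed sample values):

```python
"""Added example (not SonicWALL or GMS code): encode and decode the RFC 2132
TLV options field of a DHCP message for one lease scope. All addresses
and names below are constructed sample values."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # starts the options field (RFC 2131)
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN_NAME = 1, 3, 6, 15
OPT_WINS, OPT_LEASE_TIME, OPT_MSG_TYPE = 44, 51, 53
DHCPOFFER = 2


def _ip_list(addrs):
    """Pack 1..3 dotted-quad addresses; the GUI offers up to three DNS entries."""
    if not 1 <= len(addrs) <= 3:
        raise ValueError("expected 1..3 addresses")
    return b"".join(socket.inet_aton(a) for a in addrs)


def build_scope_options(subnet_mask, gateway, dns, domain, lease_minutes,
                        wins=(), generic=None):
    """Return the options field of an OFFER carrying a scope's settings.
    lease_minutes mirrors the GUI's Lease Time field; option 51 carries seconds.
    generic is an optional (code, value_bytes) pair for a DHCP Generic Option."""
    if not 0 < lease_minutes * 60 <= 0xFFFFFFFF:
        raise ValueError("lease time out of range")
    opts = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
            (OPT_SUBNET_MASK, socket.inet_aton(subnet_mask)),
            (OPT_ROUTER, socket.inet_aton(gateway)),
            (OPT_DNS, _ip_list(dns)),
            (OPT_LEASE_TIME, struct.pack("!I", lease_minutes * 60))]
    if domain:
        opts.append((OPT_DOMAIN_NAME, domain.encode("ascii")))
    if wins:
        opts.append((OPT_WINS, _ip_list(wins)))
    if generic is not None:
        opts.append(generic)
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"option {code}: bad code or value longer than 255 bytes")
        out += bytes([code, len(value)]) + value  # code, length, value
    out.append(OPT_END)
    return bytes(out)


def parse_options(data):
    """Decode a TLV options field into {code: value}. Stops at END, skips PAD,
    and rejects a length that runs past the end instead of reading past it."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        opts[code] = value
        i += 2 + length
    raise ValueError("options field has no END marker")


def _ips(blob):
    return [socket.inet_ntoa(blob[k:k + 4]) for k in range(0, len(blob), 4)]


def describe(opts):
    """Render options emitted by build_scope_options as the GUI fields show them."""
    return {
        "subnet_mask": socket.inet_ntoa(opts[OPT_SUBNET_MASK]),
        "default_gateway": socket.inet_ntoa(opts[OPT_ROUTER]),
        "dns_servers": _ips(opts[OPT_DNS]),
        "wins_servers": _ips(opts.get(OPT_WINS, b"")),
        "domain_name": opts.get(OPT_DOMAIN_NAME, b"").decode("ascii"),
        "lease_minutes": struct.unpack("!I", opts[OPT_LEASE_TIME])[0] // 60,
    }


if __name__ == "__main__":
    # Constructed scope: 1440-minute default lease, two DNS servers, one WINS
    # server, and option 42 (NTP servers) as the generic option.
    field = build_scope_options("255.255.255.0", "192.0.2.1",
                                ["192.0.2.53", "192.0.2.54"], "corp.example", 1440,
                                wins=["192.0.2.44"],
                                generic=(42, socket.inet_aton("192.0.2.123")))
    print(field.hex())
    print(describe(parse_options(field)))
```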
Configuring Static IP Addresses
Static entries are IP addresses assigned to servers requiring permanent IP
settings.
Note
This screen is available at the unit/appliance level only.
To configure one or more static IP addresses, perform the following steps:
1. Select a SonicWALL appliance.
2. Expand the DHCP tree and click Static Entries. The Static Entries page
displays.
3. Do one of the following:
– To enable the DHCP server, select the Enable DHCP Server check
box.
– To disable the DHCP server, deselect the Enable DHCP Server check
box.
4. Select Enable Conflict Detection to turn on automatic DHCP scope
conflict detection on each zone.
5. To add or edit a static entry, do one of the following:
– To add a static entry, click Add Static Entry.
– To edit an existing static entry, click the icon in the Edit Static Entry
column.
The DHCP Setup dialog for Static Entries is displayed.
6. In the DHCP Setup dialog box, on the General tab, complete the following
fields:
– Select the Enable this DHCP Scope check box to enable this static
DHCP scope. Deselect it to disable the scope.
– Type a descriptive name for this static DHCP entry in the Entry Name
field.
– Type the IP address of the device in the Static IP Address field.
– Enter the Ethernet (MAC) address of the device in the Ethernet
Address field.
– In the Lease Time field, type the number of minutes that an IP address
is used before it is re-issued. 1440 minutes (24 hours) is the default
value.
– Specify the IP address and subnet mask of the default gateway for this
IP address in the Default Gateway and Subnet Mask fields. By
default, these fields will use the settings on the Network Settings page.
7.
330
To add a static IP address, click Add Static Entry and complete the
following fields:
SonicWALL GMS 6.0 Administrator’s Guide
Configuring Static IP Addresses
– Specify the IP address and subnet mask of the default gateway for this
IP address in the Default Gateway and Subnet Mask fields. By
default, these fields will use the settings on the Network Settings page.
– Enter the lease time for this IP address in the Lease Time field.
8. Click the DNS/WINS tab.
9. In the DHCP Setup dialog box, on the DNS/WINS tab, complete the
following fields:
– If you have a domain name associated with this IP address, enter it in
the Domain Name field.
– To configure one or more DNS servers for this range, do one of the
following:
  – To use the DNS servers specified on the Network Settings page,
  select Set DNS Servers using SonicWALLs Network settings.
  – To specify the DNS servers manually for this IP address, select
  Specify Manually and then type the IP address of your DNS
  Server in the DNS Server 1 field. You can specify two additional
  DNS servers.
– If you have WINS running on your network, type the WINS server IP
address in the WINS Server 1 field. You can add an additional WINS
server.
10. For units running SonicOS Enhanced 4.0 and above, click the Advanced
tab. This tab allows you to configure the SonicWALL DHCP server to send
Cisco Call Manager information to VoIP clients on the network, and to
configure DHCP generic options for lease scopes.
11. Enter the IP address or FQDN of your VoIP Call Manager in the Call
Manager 1 field. You can add two additional VoIP Call Manager
addresses. For more information about configuring VoIP, see “Configuring
Voice over IP Settings” on page 249.
12. To configure a DHCP lease scope, select a DHCP option or option group
in the DHCP Generic Option Group drop-down menu.
13. To always use DHCP options for this DHCP server lease scope, select the
Send Generic options always checkbox.
14. When you are finished, click OK. The settings are saved. To clear all
screen settings and start over, click Cancel.
Configuring DHCP Option Objects
Note
This screen is available at the unit/appliance level only for units
running SonicOS Enhanced 4.0 and above.
This section describes how to configure DHCP Option Objects. DHCP Option
Objects can be used when setting DHCP Generic Options for DHCP Dynamic
Ranges or Static Entries. For more information about DHCP Options, see
“DHCP Server Options Overview” on page 322.
To configure DHCP Option Objects:
Step 1
Expand the DHCP tree and click Option Objects.
Step 2
Click Add New Object or the Configure icon for an existing object. The
Add/Edit DHCP Option Objects page displays.
Step 3
Type a name for the option in the Option Name field.
Step 4
From the Option Number drop-down list, select the option number that
corresponds to your DHCP option.
Step 5
Optionally check the Option Array checkbox to allow entry of multiple
option values in the Option Value field.
Step 6
The option type displays in the Option Type drop-down menu. The
drop-down menu will be functional only if multiple option numbers are
available.
Step 7
Type the option value, for example, an IP address, in the Option Value
field. If Option Array is checked, multiple values may be entered,
separated by a semi-colon (;).
Step 8
Click the OK button. The object will display in the DHCP Option Object
Settings list.
Configuring DHCP Option Groups
Note
This screen is available at the unit/appliance level only for units
running SonicOS Enhanced 4.0 and above.
This section describes how to configure DHCP Option Groups. For more
information about DHCP Options, see “DHCP Server Options Overview” on
page 322.
To configure DHCP Option Groups:
Step 1
Expand the DHCP tree and click Option Groups.
Step 2
Click Add New Group or the Configure icon for an existing group. The
Add/Edit DHCP Option Group page displays.
Step 3
Type a name for the group in the Name field.
Step 4
To add DHCP Option Objects to the group, select one or more objects
on the left side and click the arrow to move them to the right.
Step 5
To remove DHCP Option Objects from the group, select one or more
objects on the right side and click the arrow to move them to the left.
Or, click Remove All to remove all objects from the group.
Step 6
When finished, click OK.
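To see what the Option Number, Option Array and semicolon-separated Option Value fields of an Option Object, and a group of such objects, amount to once the DHCP server puts them on the wire, here is an added example that is not SonicWALL code: it encodes option objects into the type-length-value form of RFC 2132, rejecting values that do not fit the declared type, arrays on options that take a single value, and payloads over the 255-octet limit of a single option. The option table is an assumed subset of the standard assignments (option 150 is from RFC 5859; 252 is the de facto WPAD option, not an IANA-standardized one), and the sample values are constructed.

```python
"""Encode DHCP option objects (option number, array flag, ';'-separated
value) into RFC 2132 type-length-value form.

Added example, not SonicWALL code. The option table is a subset of the
standard assignments (RFC 2132; 150 from RFC 5859; 252 is the de facto
WPAD option). Sample values in main() are constructed.
"""
from __future__ import annotations

import ipaddress
import struct

# option code -> (name, wire type, may hold several values)
OPTION_TYPES = {
    3: ("Router", "ip", True),
    6: ("Domain Name Server", "ip", True),
    15: ("Domain Name", "string", False),
    42: ("NTP Servers", "ip", True),
    51: ("IP Address Lease Time", "uint32", False),
    66: ("TFTP Server Name", "string", False),
    150: ("TFTP Server Address", "ip", True),
    252: ("WPAD URL", "string", False),
}

MAX_PAYLOAD = 255  # the length field is a single octet
END_OPTION = b"\xff"


def split_values(value: str, is_array: bool) -> list[str]:
    """Split the Option Value field. ';' separates elements only when the
    object is flagged as an array, so a scalar string may contain ';'."""
    parts = [p.strip() for p in value.split(";")] if is_array else [value.strip()]
    parts = [p for p in parts if p]
    if not parts:
        raise ValueError("option value is empty")
    return parts


def encode_element(wire_type: str, element: str) -> bytes:
    """Encode one element according to its wire type."""
    if wire_type == "ip":
        return ipaddress.IPv4Address(element).packed  # raises on a bad address
    if wire_type == "uint32":
        n = int(element)
        if not 0 <= n <= 0xFFFFFFFF:
            raise ValueError(f"{n} does not fit in 32 bits")
        return struct.pack("!I", n)
    if wire_type == "string":
        return element.encode("ascii")
    raise ValueError(f"unsupported wire type {wire_type!r}")


def encode_option(number: int, value: str, is_array: bool = False) -> bytes:
    """Return code || length || payload for one option object."""
    if not 1 <= number <= 254:
        raise ValueError("option codes 0 (pad) and 255 (end) carry no value")
    if number not in OPTION_TYPES:
        raise ValueError(f"option {number} is not in the type table")
    _, wire_type, array_ok = OPTION_TYPES[number]
    if is_array and not array_ok:
        raise ValueError(f"option {number} does not take multiple values")
    payload = b"".join(encode_element(wire_type, e)
                       for e in split_values(value, is_array))
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload is {len(payload)} octets; one option holds at most {MAX_PAYLOAD}")
    return bytes([number, len(payload)]) + payload


def encode_option_group(objects: list[tuple[int, str, bool]]) -> bytes:
    """Encode several option objects back to back, terminated by the end
    option, as they would appear in a lease's options field."""
    seen: set[int] = set()
    out = bytearray()
    for number, value, is_array in objects:
        if number in seen:
            raise ValueError(f"option {number} appears twice in the group")
        seen.add(number)
        out += encode_option(number, value, is_array)
    return bytes(out) + END_OPTION


def main() -> None:
    # Constructed sample group: DNS server array, domain name, lease time
    group = [(6, "10.1.1.1;10.1.1.2", True), (15, "corp.example", False), (51, "86400", False)]
    print(encode_option_group(group).hex())


if __name__ == "__main__":
    main()
```

Running the block prints the hex of a three-option group; the array option 6 becomes a single option whose length is four octets per address, which is why a long array of addresses is refused rather than silently truncated.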
Configuring General DHCP Settings
Note
This screen is available at the Group level only.
This section describes how to configure general DHCP settings for a group of
appliances. The settings in the Policies > DHCP > Setup page apply to all
appliances in the selected group, depending on their inheritance settings.
To configure general DHCP settings, perform the following steps:
1. Select the global icon or a group name.
2. Expand the DHCP tree and click Setup. The Static Entries page displays.
3. Select from the following:
– To enable the DHCP server, select the Enable DHCP Server check
box.
– To disable the DHCP server, deselect the Enable DHCP Server check
box.
– To disable the DHCP server and configure computers on the LAN
(WorkPort) to use a DHCP server outside the firewall, deselect the
Enable DHCP Server check box and select the Allow DHCP Pass
Through check box.
– Enter the lease time for this IP address in the Lease Time field.
– Optional. Enter the domain name associated with this IP address in
the Domain Name field.
– To use the DNS and WINS servers specified on the Network Settings
page, select Set DNS Servers using SonicWALLs Network
settings.
– To specify the DNS servers manually for this IP address, select
Specify Manually and enter the IP addresses of the DNS and WINS
servers.
4. When you are finished, click Update. The settings are saved. To clear all
screen settings and start over, click Reset.
Configuring Trusted DHCP Relay Agents
This section describes how to configure trusted DHCP relay agents. The
settings for this feature are configured in the Policies > DHCP > Trusted
Agents page.
To configure a trusted DHCP relay agent, perform the following steps:
1. Navigate to the Policies > DHCP > Trusted Agents screen in the
SonicWALL GMS user interface.
2. Click the Enable Trusted DHCP Relay Agent List checkbox to enable
this feature.
3. Choose a Trusted Relay Agent List from the dropdown menu.
Note
The default selection for the trusted agent list is the “Default Trusted
Relay Agent List” address group. The entries for this address group
are defined in the Network > Address Objects page.
4. Click the Update button to confirm your changes.
CHAPTER 16
Configuring User Settings
This chapter describes how to use the SonicWALL GMS to configure user and
user access settings. Included in this chapter are the following sections:
• “Configuring Users in SonicOS Enhanced” on page 337
• “Configuring Users in SonicOS Standard” on page 370
Configuring Users in SonicOS Enhanced
The following sections describe how to configure user settings in SonicOS
Enhanced:
• “Configuring User Login Settings” on page 338
• “Configuring LDAP and Active Directory” on page 340
• “Global User Settings” on page 352
• “Configuring an Acceptable Use Policy” on page 353
• “Configuring Local Users” on page 354
• “Configuring Local Groups” on page 356
• “Configuring ULA Settings” on page 359
• “Configuring HTTP URL-Based ULA Settings” on page 359
• “Configuring RADIUS for SonicOS Enhanced” on page 360
• “Configuring Single Sign-On” on page 362
• “Configuring Guest Services” on page 366
• “Configuring Guest Accounts” on page 368
Configuring User Login Settings
In addition to the authentication methods available in SonicOS Standard,
SonicOS Enhanced allows you to use Lightweight Directory Access Protocol
(LDAP) to authenticate users. LDAP is compatible with Microsoft’s Active
Directory.
For SonicWALL appliances running SonicOS Enhanced 4.0 and higher, you
can select the SonicWALL Single Sign-On Agent to provide Single Sign-On
functionality. Single Sign-On (SSO) is a transparent user authentication
mechanism that provides privileged access to multiple network resources with
a single workstation login. SonicWALL PRO and TZ series security appliances
running SonicOS Enhanced 4.0 provide SSO functionality using the
SonicWALL Single Sign-On Agent (SSO Agent) to identify user activity based
on workstation IP address when Active Directory is being used for
authentication. The SonicWALL SSO Agent must be installed on a computer
in the same domain as Active Directory.
The Policies > Users > Settings page for SonicOS Enhanced is shown
below.
To configure User Login Settings:
Step 1
Select one of the following authentication methods from the
Authentication method for login drop-down list:
– Local Users—To configure users in the local database using the
Users > Local Users and Users > Local Groups pages. For
information on configuring local users and groups, see “Configuring
Local Users” on page 354 and “Configuring Local Groups” on
page 356.
– RADIUS—If you have more than 1,000 users or want to add an extra
layer of security for authenticating the user to the SonicWALL. If you
select Use RADIUS for user authentication, users must log into the
SonicWALL using HTTPS in order to encrypt the password sent to the
SonicWALL. If a user attempts to log into the SonicWALL using HTTP,
the browser is automatically redirected to HTTPS. For information on
configuring RADIUS, see “Configuring RADIUS for SonicOS
Enhanced” on page 360.
– RADIUS + Local Users—If you want to use both RADIUS and the
SonicWALL local user database for authentication. For information on
configuring RADIUS, see “Configuring RADIUS for SonicOS
Enhanced” on page 360.
– LDAP—If you use a Lightweight Directory Access Protocol (LDAP)
server or Microsoft Active Directory (AD) server to maintain all your
user account data. For information about configuring LDAP, see
“Configuring LDAP and Active Directory” on page 340.
– LDAP + Local Users—If you want to use both LDAP and the
SonicWALL local user database for authentication. For information
about configuring LDAP, see “Configuring LDAP and Active Directory”
on page 340.
Step 2
In the Single-sign-on method drop-down list, select SonicWALL SSO
Agent if you are using Active Directory for authentication and the
SonicWALL SSO Agent is installed on a computer in the same domain.
Otherwise, select None. For information on configuring SSO, see
“Configuring Single Sign-On” on page 362.
Step 3
To require that user names are treated as case-sensitive, select the
Case-sensitive user names checkbox.
Step 4
To prevent a user from logging in from more than one location at a time,
select the Enforce login uniqueness check box.
Step 5
Enter the number of minutes that the login authentication page is
displayed in the Show authentication page for field.
Step 6
Select Redirect users from HTTPS to HTTP on completion of login
if the session does not need to be encrypted.
Configuring LDAP and Active Directory
In addition to RADIUS and the local user database, SonicOS Enhanced can
support LDAP and Microsoft Active Directory (AD) directory services for user
authentication. The following sections describe how to configure LDAP and
Active Directory:
• “LDAP Terms” on page 340
• “Prerequisites for LDAP Configuration” on page 342
• “Configuring LDAP” on page 343
• “Further Information on LDAP Schemas” on page 352
Active Directory support on SonicOS Enhanced is not a single-sign on
mechanism by itself, but rather the ability for SonicOS Enhanced to act as an
LDAP client against an Active Directory’s LDAP interface using Microsoft’s
implementation of an LDAP schema. SonicOS Enhanced provides extremely
flexible schema interoperability, with support for the Microsoft AD schema, the
LDAP core schema, the RFC2798 inetOrgPerson schema, and even
user-defined schemas. Connectivity to LDAP servers is also flexible, with
support for the following protocols:
• LDAPv2 (RFC3494)
• LDAPv3 (RFC2251-2256, RFC3377)
• LDAPv3 over TLS (RFC2830)
• LDAPv3 with STARTTLS (RFC2830)
• LDAP Referrals (RFC2251)
LDAP Terms
The following terms are useful when working with LDAP and its variants:
• Attribute—A data item stored in an object in an LDAP directory. Objects
can have required attributes or allowed attributes. For example, the ‘dc’
attribute is a required attribute of the ‘dcObject’ (domain component)
object.
• cn—The ‘common name’ attribute is a required component of many object
classes throughout LDAP.
• dc—The ‘domain component’ attribute is commonly found at the root of a
distinguished name, and is commonly a required attribute.
• dn—A ‘distinguished name’, which is a globally unique name for a user or
other object. It is made up of a number of components, usually starting
with a common name (cn) component and ending with a domain specified
as two or more domain components (dc). For example,
‘cn=john,cn=users,dc=domain,dc=com’
• Entry—The data that is stored in the LDAP directory. Entries are stored in
‘attribute’/value (or name/value) pairs, where the attributes are defined by
‘object classes’. A sample entry would be ‘cn=john’ where ‘cn’ (common
name) is the attribute, and ‘john’ is the value.
• Object—In LDAP terminology, the entries in a directory are referred to as
objects. For the purposes of the SonicOS implementation of the LDAP
client, the critical objects are ‘User’ and ‘Group’ objects. Different
implementations of LDAP can refer to these object classes in different
fashions, for example, Active Directory refers to the user object as ‘user’
and the group object as ‘group’, while RFC2798 refers to the user object
as ‘inetOrgPerson’ and the group object as ‘groupOfNames’.
• Object class—Object classes define the type of entries that an LDAP
directory may contain. A sample object class, as used by AD, would be
‘user’ or ‘group’.
• ou—The ‘organizational unit’ attribute is a required component of most
LDAP schema implementations.
• Schema—The schema is the set of rules or the structure that defines the
types of data that can be stored in a directory, and how that data can be
stored. Data is stored in the form of “entries.”
• TLS—Transport Layer Security is the IETF standardized version of SSL
(Secure Sockets Layer). TLS 1.0 is the successor to SSL 3.0.
Microsoft Active Directory’s Classes can be browsed at
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/classes_all.asp>
LDAP / AD Configuration is performed from the ‘User > Settings’ page.
Selecting either LDAP or LDAP+Local Users and clicking Apply at the top of
the page will enable LDAP support, the former using an LDAP directory server
exclusively, and the latter using a combination of the LDAP server and the
local user database. Upon applying these settings, an informational alert will
be presented. Because the SonicWALL will be receiving sensitive username
and password information from authenticating clients, HTTPS logins will
automatically be enabled to secure the credential exchanges.
Prerequisites for LDAP Configuration
Before beginning your LDAP configuration, you should prepare your LDAP
server and your SonicWALL for LDAP over TLS support. This will involve
installing a server certificate on your LDAP server, and a CA (Certificate
Authority) certificate for the issuing CA on your SonicWALL. Assuming this
has not already been done, the steps for performing these tasks in an Active
Directory environment follow:
Configuring the CA on the Active Directory server:
1. Navigate to Start > Settings > Control Panel > Add/Remove Programs.
2. Select Add/Remove Windows Components.
Note
Skip step numbers 3 through 7 if Certificate Services are already
installed.
3. Select Certificate Services.
4. Select Enterprise Root CA when prompted.
5. Enter the requested information. For detailed information on CA setup,
see
http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
6. Launch the Domain Security Policy application:
7. Start > Run > dompol.msc.
8. Open Security Settings > Public Key Policies.
9. Right click on Automatic Certificate Request Settings.
10. Select New > Automatic Certificate Request.
11. Step through the wizard, and select Domain Controller from the list.
Exporting the CA certificate from the AD server:
1. Launch the Certification Authority application: Start > Run >
certsrv.msc.
2. Right click on the CA you created, select properties.
3. On the General tab, click the View Certificate button.
4. From the Details tab, select Copy to File.
5. Step through the wizard, select the Base-64 Encoded X.509 (.cer) format.
6. Specify a path and filename to which to save the certificate.
Importing the CA certificate onto the SonicWALL:
1. Browse to System > CA Certificates.
2. Select Add new CA certificate. Browse to and select the certificate file
you just exported.
3. Click the Import certificate button.
Note
Should installation of Certificate Services on the Active
Directory server be undesirable for some reason, secure
operation can be achieved without TLS by using LDAP with
RADIUS – see RADIUS with LDAP for user groups section later.
Configuring LDAP
Perform the following steps to configure LDAP authentication.
1. Browse to the User > Settings page and select either LDAP or LDAP +
Local Users.
2. Click the Configure LDAP button to launch the LDAP configuration
window:
3. Configure the following options in the LDAP settings window:
– Name or IP Address—Enter the FQDN or the IP address of the LDAP
server against which you wish to authenticate. If using a name, be
certain it can be resolved by your DNS server. Also, if using TLS with
the ‘Require valid certificate from server’ option, the name provided
here must match the name to which the server certificate was issued
(i.e. the CN) or the TLS exchange will fail.
– Port Number—The default LDAP over TLS port number is TCP 636.
The default LDAP (unencrypted) port number is TCP 389. If you are
using a custom listening port on your LDAP server, specify it here.
– Server timeout—The amount of time, in seconds, that the
SonicWALL will wait for a response from the LDAP server before
timing out. Allowable ranges are 1 to 99999 (in case you’re running
your LDAP server on a VIC-20 located on the moon), with a default of
10 seconds.
– Anonymous Login—Some LDAP servers allow for the tree to be
accessed anonymously. If your server supports this (MS AD generally
does not), then you may select this option.
– Login name—Specify a user name which has rights to log in to the
LDAP directory. The login name will automatically be presented to the
LDAP server in full ‘dn’ notation. This can be any account with LDAP
read privileges (essentially any user account) – Administrative
privileges are not required. Note that this is the user’s name, not their
login ID (e.g. John Smith rather than jsmith).
– Login password—The password for the user account specified
above.
– Protocol version—Select either LDAPv3 or LDAPv2. Most modern
implementations of LDAP, including AD, employ LDAPv3.
– Use TLS—Use Transport Layer Security (SSL) to log in to the LDAP
server. It is strongly recommended that TLS be used to protect the
username and password information that will be sent across the
network. Most modern implementations of LDAP server, including AD,
support TLS. Deselecting this default setting will provide an alert
which must be accepted to proceed.
– Send LDAP ‘Start TLS’ Request—Some LDAP server
implementations support the Start TLS directive rather than using
native LDAP over TLS. This allows the LDAP server to listen on one
port (normally 389) for LDAP connections, and to switch to TLS as
directed by the client. AD does not use this option, and it should only
be selected if required by your LDAP server.
– Require valid certificate from server—Validates the certificate
presented by the server during the TLS exchange, matching the name
specified above to the name on the certificate. Deselecting this default
option will present an alert, but exchanges between the SonicWALL
and the LDAP server will still use TLS – only without issuance
validation.
– Local certificate for TLS—Optional, to be used only if the LDAP
server requires a client certificate for connections. Useful for LDAP
server implementations that return passwords to ensure the identity of
the LDAP client (AD does not return passwords). This setting is not
required for AD.
If your network uses multiple LDAP/AD servers with referrals, then
select one as the primary server (probably the one that holds the bulk
of the users) and use the above settings for that server. It will then
refer the SonicWALL on to the other servers for users in domains other
than its own. For the SonicWALL to be able to log in to those other
servers, each server must have a user configured with the same
credentials (user name, password and location in the directory) as per
the login to primary server. This may entail creating a special user in
the directory for the SonicWALL login. Note that only read access to
the directory is required.
4. Select the Schema tab:
– LDAP Schema—Select Microsoft Active Directory, RFC2798
inetOrgPerson, RFC2307 Network Information Service, Samba
SMB, Novell eDirectory, or user-defined. Selecting any of the
predefined schemas will automatically populate the fields used by that
schema with their correct values. Selecting ‘user-defined’ will allow
you to specify your own values – use this only if you have a specific or
proprietary LDAP schema configuration.
– Object class—This defines which attribute represents the individual
user account to which the next two fields apply.
– Login name attribute—This defines which attribute is used for login
authentication:
  – sAMAccountName for Microsoft Active Directory
  – inetOrgPerson for RFC2798 inetOrgPerson
  – posixAccount for RFC2307 Network Information Service
  – sambaSAMAccount for Samba SMB
  – inetOrgPerson for Novell eDirectory
– Qualified login name attribute – if not empty, this specifies an
attribute of a user object that sets an alternative login name for the
user in name@domain format. This may be needed with multiple
domains in particular, where the simple login name may not be unique
across domains. This is set to mail for Microsoft Active Directory and
RFC2798 inetOrgPerson.
– User group membership attribute – this attribute contains the
information in the user object of which groups it belongs to. This is
memberOf in Microsoft Active Directory. The other pre-defined
schemas store group membership information in the group object
rather than the user object, and therefore do not use this field.
– Framed IP address attribute – this attribute can be used to retrieve
a static IP address that is assigned to a user in the directory. Currently
it is only used for a user connecting via L2TP with the SonicWALL’s
L2TP server. In future this may also be supported for Global VPN
Client. In Active Directory the static IP address is configured on the
Dial-in tab of a user’s properties.
5. Select the Directory tab.
– Primary Domain – specify the user domain used by your LDAP
implementation. For AD, this will be the Active Directory domain name,
e.g. yourADdomain.com. Changes to this field will, optionally,
automatically update the tree information in the rest of the page. This
is set to mydomain.com by default for all schemas except Novell
eDirectory, for which it is set to o=mydomain.
– User tree for login to server – The tree in which the user specified in
the ‘Settings’ tab resides. For example, in AD the ‘administrator’
account’s default tree is the same as the user tree.
– Trees containing users – The trees where users commonly reside in
the LDAP directory. One default value is provided which can be edited,
and up to a total of 64 DN values may be provided; the SonicWALL
searches the directory using them all until a match is found, or the list is
exhausted. If you have created other user containers within your
LDAP or AD directory, you should specify them here.
– Trees containing user groups – Same as above, only with regard to
user group containers, and a maximum of 32 DN values may be
provided. These are only applicable when there is no user group
membership attribute in the schema's user object, and are not used
with AD.
All the above trees are normally given in URL format but can
alternatively be specified as distinguished names (e.g.
“myDom.com/Sales/Users” could alternatively be given as the
DN “ou=Users,ou=Sales,dc=myDom,dc=com”). The latter form will be
necessary if the DN does not conform to the normal formatting rules
as per that example. In Active Directory the URL corresponding to the
distinguished name for a tree is displayed on the Object tab in the
properties of the container at the top of the tree.
Note
AD has some built-in containers that do not conform (e.g. the DN
for the top level Users container is formatted as “cn=Users,dc=…”,
using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and
deals with these, so they can be entered in the simpler URL format.
Ordering is not critical, but since they are searched in the given order
it is most efficient to place the most commonly used trees first in each
list. If referrals between multiple LDAP servers are to be used, then
the trees are best ordered with those on the primary server first, and
the rest in the same order that they will be referred.
Note
When working with AD, to locate the location of a user in the
directory for the ‘User tree for login to server’ field, the directory can
be searched manually from the Active Directory Users and Settings
control panel applet on the server, or a directory search utility such
as queryad.vbs in the Windows NT/2000/XP Resource Kit can be
run from any PC in the domain.
– Auto-configure – This causes the SonicWALL to auto-configure the
‘Trees containing users’ and ‘Trees containing user groups’ fields by
scanning through the directory/directories looking for all trees that
contain user objects. The ‘User tree for login to server’ must first be
set, and clicking the Auto-configure button then brings up the following
dialog:
6. Select whether to append new located trees to the current configuration,
or to start from scratch removing all currently configured trees first, and
then click OK. Note that it will quite likely locate trees that are not needed
for user login, and some tidying up afterwards, manually removing such
entries, is worthwhile.
If using multiple LDAP/AD servers with referrals, this process can be
repeated for each, replacing the ‘Domain to search’ accordingly and
selecting ‘Append to existing trees’ on each subsequent run.
7. Select the LDAP Users tab.
– Allow only users listed locally – Requires that LDAP users also be
present in the SonicWALL local user database for logins to be allowed.
– User group membership can be set locally by duplicating LDAP
user names – Allows for group membership (and privileges) to be
determined by the intersection of local user and LDAP user
configurations.
– Default LDAP User Group – A default group on the SonicWALL to
which LDAP users will belong in addition to group memberships
configured on the LDAP server.
Group memberships (and privileges) can also be assigned simply with
LDAP. By creating user groups on the LDAP/AD server with the same
name as SonicWALL built-in groups (such as ‘Guest Services’,
‘Content Filtering Bypass’, ‘Limited Administrators’) and assigning
users to these groups in the directory, or creating user groups on the
SonicWALL with the same name as existing LDAP/AD user groups,
SonicWALL group memberships will be granted upon successful
LDAP authentication.
The SonicWALL appliance can retrieve group memberships more
efficiently in the case of Active Directory by taking advantage of its
unique trait of returning a ‘memberOf’ attribute for a user.
8. Select the LDAP Relay tab.
The RADIUS to LDAP Relay feature is designed for use in a topology
where there is a central site with an LDAP/AD server and a central
SonicWALL, with remote satellite sites connected into it via low-end
SonicWALL security appliances that may not support LDAP. In that case
the central SonicWALL can operate as a RADIUS server for the remote
SonicWALLs, acting as a gateway between RADIUS and LDAP, and
relaying authentication requests from them to the LDAP server.
Additionally, for remote SonicWALLs running non-enhanced firmware,
with this feature the central SonicWALL can return legacy user privilege
information to them based on user group memberships learned via LDAP.
This avoids what can be very complex configuration of an external
RADIUS server such as IAS for those SonicWALLs.
9. Configure the following LDAP Relay options:
– Enable RADIUS to LDAP Relay – Enables this feature.
– Allow RADIUS clients to connect via - Check the relevant
checkboxes and policy rules will be added to allow incoming Radius
requests accordingly.
– RADIUS shared secret - This is a shared secret common to all
remote SonicWALLs.
– User groups for legacy users – These define the user groups that
correspond to the legacy ‘Access to VPNs’, ‘Access from VPN client
with XAUTH’, ‘Access from L2TP VPN client’ and ‘Allow Internet
access (when access is restricted)’ privileges respectively. When a
user in one of the given user groups is authenticated, the remote
SonicWALL will be informed that the user is to be given the relevant
privilege.
Note
The ‘Bypass filters’ and ‘Limited management capabilities’ privileges
are returned based on membership to user groups named ‘Content
Filtering Bypass’ and ‘Limited Administrators’ – these are not
configurable.
10. Select the Test tab.
The Test page allows for the configured LDAP settings to be tested by
attempting authentication with specified user and password credentials.
Any user group memberships and/or framed IP address configured on the
LDAP/AD server for the user will be displayed.
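The Settings tab options in step 3 interact: TLS without certificate validation encrypts the exchange but does not authenticate the server, a Start TLS request belongs on the plain LDAP port rather than 636, and a server entered as an IP address cannot satisfy the name match that ‘Require valid certificate from server’ performs. The following added example, which is not SonicWALL code, checks a proposed settings set for such combinations before it is applied and shows the name match itself; the field names mirror the tab, while the `LdapSettings` class, the `audit` function and the certificate names used in the sample are assumptions constructed for this example.

```python
"""Audit the TLS-related fields of an LDAP client configuration (the
Settings tab options) before applying them.

Added example, not SonicWALL code. Field names mirror the Settings tab;
the LdapSettings class, audit() and the sample certificate names are
constructed for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LDAP_PORT = 389   # plain LDAP, also where Start TLS is negotiated
LDAPS_PORT = 636  # native LDAP over TLS


@dataclass
class LdapSettings:
    server: str                       # "Name or IP Address"
    port: int = LDAPS_PORT            # "Port Number"
    use_tls: bool = True              # "Use TLS"
    start_tls: bool = False           # "Send LDAP 'Start TLS' Request"
    require_valid_cert: bool = True   # "Require valid certificate from server"
    anonymous_login: bool = False     # "Anonymous Login"
    protocol_version: int = 3         # "Protocol version"


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches_certificate(name: str, cert_names: list[str]) -> bool:
    """Does the configured server name match one of the certificate's DNS
    names (subject CN or SAN dNSName)? One left-most wildcard label is
    honoured, as TLS clients do; an IP literal never matches a DNS name."""
    if is_ip_literal(name):
        return False
    host = name.lower().rstrip(".").split(".")
    for cert_name in cert_names:
        pattern = cert_name.lower().rstrip(".").split(".")
        if pattern == host:
            return True
        wildcard = pattern[0] == "*" and len(pattern) == len(host) and len(host) >= 3
        if wildcard and pattern[1:] == host[1:]:
            return True
    return False


def audit(s: LdapSettings, cert_names: list[str] | None = None) -> list[str]:
    """Return findings about the settings; an empty list means no concerns."""
    findings: list[str] = []
    if not s.use_tls:
        findings.append("Use TLS is off: the login name and password cross the network in clear text")
    else:
        if not s.require_valid_cert:
            findings.append("Require valid certificate is off: the session is encrypted but the server is not authenticated")
        if s.start_tls and s.port == LDAPS_PORT:
            findings.append("Start TLS is selected on port 636; Start TLS is negotiated on the plain LDAP port (normally 389)")
        if not s.start_tls and s.port == LDAP_PORT:
            findings.append("native LDAP over TLS is selected on port 389; the TLS listener is normally 636")
        if s.require_valid_cert and is_ip_literal(s.server):
            findings.append("server is an IP literal; certificate validation needs the name the certificate was issued to")
        elif s.require_valid_cert and cert_names is not None \
                and not name_matches_certificate(s.server, cert_names):
            findings.append(f"{s.server!r} does not match the certificate names {cert_names}")
    if s.anonymous_login:
        findings.append("Anonymous Login is on: most directories, AD included, refuse anonymous access")
    if s.protocol_version != 3:
        findings.append("LDAPv2 is selected; AD and other modern servers use LDAPv3")
    return findings


def main() -> None:
    # Constructed sample: a sensible configuration checked against the
    # names found in the directory server's certificate
    proposed = LdapSettings(server="ldap.corp.example", port=LDAPS_PORT)
    for finding in audit(proposed, ["dc1.corp.example", "*.corp.example"]) or ["no findings"]:
        print(finding)


if __name__ == "__main__":
    main()
```

The checks are deliberately conservative: they flag the defaults being turned off and the port/mode mismatches the page describes, and leave the decision to the administrator.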
Further Information on LDAP Schemas
• Microsoft Active Directory: Schema information is available at
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp> and
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_reference.asp>
• RFC2798 InetOrgPerson: Schema definition and development
information is available at <http://rfc.net/rfc2798.html>
• RFC2307 Network Information Service: Schema definition and
development information is available at <http://rfc.net/rfc2307.html>
• Samba SMB: Development information is available at
<http://us5.samba.org/samba/>
• Novell eDirectory: LDAP integration information is available at
<http://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.html>
• User-defined schemas: See the documentation for your LDAP installation.
You can also see general information on LDAP at
<http://rfc.net/rfc1777.html>
Global User Settings
The settings listed below apply to all users when authenticated through the
SonicWALL. To configure global user settings, expand the Users tab and click
on the Settings tab.
The following options are configured in the User Session Settings section:
• Inactivity timeout (minutes): users can be logged out of the SonicWALL after a preconfigured inactivity time. Enter the number of minutes in this field. The default value is 5 minutes.
• Enable login session limit: you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field. The default value is 30 minutes.
• Login page timeout (minutes): defines how much time a user has to log in before the login page times out. If it times out, a message displays saying they must click before attempting to log in again.
• Show user login status window with logout button: causes a status window to display with a Log Out button during the user’s session. The user can click the Log Out button to log out of their session.
• User's login status window refreshes every (minutes): determines how often the user’s status display is updated.
• User's login status window sends status heartbeat every (seconds): determines how often a heartbeat is sent back to the SonicWALL. This heartbeat notifies the SonicWALL of a user’s connection status and continues to be sent as long as the status window is open.
• Enable disconnected user detection: causes the SonicWALL to detect when a user’s connection is no longer valid and end the session.
• Timeout on heartbeat from user's login status window (minutes): sets the time allowed without a reply from the heartbeat before the user session is ended.
• LDAP read from server options: available when the LDAP option is active. The options are:
  – Automatically update the schema configuration
  – Export details of the schema
Configuring an Acceptable Use Policy
An acceptable use policy (AUP) is a policy users must agree to follow in order
to access a network or the Internet. It is common practice for many businesses
and educational facilities to require that employees or students agree to an
acceptable use policy before accessing the network or Internet through the
SonicWALL.
The Acceptable Use Policy section allows you to create the AUP message
window for users. You can use HTML formatting in the body of your message.
Clicking the Example Template button creates a preformatted HTML template
for your AUP window.
Perform the following steps to configure an AUP:
1. Expand the Users tree and click on the Settings tab.
2. Select which users will see the AUP page by selecting the Display on login from checkboxes. For SonicOS Enhanced, select the zones that will display the AUP page. For SonicOS Standard, select the network interfaces.
3. Configure the dimensions of the AUP window in pixels in the Window size (pixels) fields.
4. Check Enable scroll bars on the window to allow users to scroll through the AUP window contents.
5. Enter the text for the AUP in the Acceptable use policy page content field. The content can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.
6. Click the Example Template button to create a preformatted HTML template for your AUP window.
Caution
Clicking the Example Template button will overwrite the existing content in the AUP window.
7. Click the Preview button to display your AUP message as it will appear for the user.
8. Click Update.
Configuring Local Users
SonicOS Enhanced uses a Group/User hierarchy for organizing users. This section describes how to configure new users and groups. To add or edit a user, perform the following steps:
1. Expand the Users tree and click Local Users. The Local Users page displays.
2. To add a local user, click Add New Local User. To edit the settings of an existing user, click its Configure icon.
3. Configure the following options:
– Name—name of the user.
– Password—password of the user.
– Bypass Filters—select Bypass Filters if the user will have unlimited access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.
– Limited Management Capabilities—select this option to provide the user limited local management access to the SonicWALL Management interface. The access is limited to the following pages:
  – General—Status, Network, Time
  – Log—View Log, Log Settings, Log Reports
  – Tools—Restart, Diagnostics minus Tech Support Report
4. Click the Groups tab.
5. Select a user group of which this user will be a member and click the right arrow button (->). Repeat this step for each group to add.
6. Click the VPN Access tab.
7. Select a network that this user will be able to access through the VPN client software and click the right arrow button (->). Repeat this step for each network to add.
8. When you are finished, click OK. The settings are saved. Repeat this procedure for each user to add or modify.
Configuring Local Groups
By default, SonicOS Enhanced has five groups. These include:
• Everyone
• Guest Services
• Trusted Users
• Content Filtering Bypass
• Limited Administrators
The permissions of these groups are automatically applied to their members unless you manually modify a user’s settings.
To add or edit a group, perform the following steps:
1. Expand the Users tree and click Local Groups. The Local Groups page displays.
2. To add a local group, click Add New Local Group. To edit the settings of an existing group, click its Configure icon.
3. Configure the following options:
– Bypass Filters—select Bypass Filters if the users within the group will have unlimited access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.
– Limited Management Capabilities—select this option to provide users within the group limited local management access to the SonicWALL Management interface. The access is limited to the following pages:
  – General—Status, Network, Time
  – Log—View Log, Log Settings, Log Reports
  – Tools—Restart, Diagnostics minus Tech Support Report
4. Click the Members tab.
5. Select the members or groups that will belong to this group and click the right arrow button (->).
6. Click the VPN Access tab.
7. Select the networks that users within this group will be able to access through their VPN client software and click the right arrow button (->).
8. Click the CFS Policy tab.
9. Select a CFS policy to apply to the group in the Policy drop-down menu.
10. When you are finished, click OK. The settings are saved.
Configuring ULA Settings
ULA Settings are only available in SonicOS Standard. See Configuring ULA
Settings, page 374.
Configuring HTTP URL-Based ULA Settings
This section describes how to configure HTTP URL-Based ULA settings. This feature enables users to access specific URLs without requiring authentication. To configure HTTP URL ULA settings, perform the following steps:
1. Expand the Users tree and click HTTP URL ULA. The HTTP URL ULA page displays.
2. Enter the fully qualified URL of the site that users will be allowed to access without being authenticated in the ULA HTTP URLs field.
3. Click Add.
4. Click Update.
Configuring RADIUS for SonicOS Enhanced
If you selected Use RADIUS for user authentication or Use RADIUS but also allow locally configured users, you must now configure RADIUS information. To configure RADIUS, perform the following steps.
1. Expand the Users tree and click on RADIUS.
2. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range from 0 to 10; 3 RADIUS server retries is recommended.
3. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a default value of 5.
RADIUS Servers
1. Specify the following settings for the primary RADIUS server in the Primary Server section:
– Type the IP address of the RADIUS server in the IP Address field.
– Type the Port Number for the RADIUS server.
– Type the RADIUS server administrative password or “shared secret” in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
2. If there is a secondary RADIUS server, type the appropriate information in the Secondary Server section.
RADIUS Users
1. To only allow users that are configured locally, but to still use RADIUS to authenticate them, select the Allow only users listed locally check box.
2. Select the mechanism used for setting user group memberships for RADIUS users from the following list:
– Use SonicWALL vendor-specific attribute on RADIUS server: select to tell the RADIUS server to send vendor-specific attributes back to the SonicWALL appliance.
– Use RADIUS Filter-ID attribute on RADIUS server: select to tell the RADIUS server to send Filter-ID user attributes back to the SonicWALL appliance. Filter-ID attributes include the names of user groups that a user belongs to.
– Enter duplicate RADIUS user names locally on the SonicWALL: select when the RADIUS server contains user names and passwords, but has no user group information. The SonicWALL appliance contains the user group configuration for each user, while RADIUS simply authenticates the password.
3. For a shortcut for managing RADIUS user groups, check Memberships can be set locally by duplicating RADIUS user names. When you create users with the same name locally on the security appliance and manage their group memberships, the memberships in the RADIUS database will automatically change to mirror your local changes.
4. If you have previously configured User Groups on the SonicWALL, select the group from the Default user group to which all RADIUS users belong menu.
5. You can create a new group by choosing Create a new user group... from the list. The Add Group window displays.
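As an added example (not SonicWALL's code), this shows the two RADIUS details the Servers and Users sections rely on: the shared secret authenticating every reply, and Filter-ID attributes carrying group names that the appliance should accept only from an authenticated reply. The packet layout follows RFC 2865; the secret, request authenticator and group names are constructed for the demo.

```python
"""Build and check a RADIUS Access-Accept that carries user groups in
Filter-ID attributes, authenticated with the shared secret (RFC 2865)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11          # RFC 2865 section 5.11: Filter-Id, text value

# The five default SonicOS Enhanced groups named on this page.
KNOWN_GROUPS = {"Everyone", "Guest Services", "Trusted Users",
                "Content Filtering Bypass", "Limited Administrators"}


def valid_shared_secret(secret):
    """Page rule for the Shared Secret field: alphanumeric, 1 to 31 characters."""
    return 1 <= len(secret) <= 31 and secret.isalnum()


def build_accept(identifier, request_auth, secret, groups):
    """Build an Access-Accept whose Filter-ID attributes name the user's groups."""
    attrs = b""
    for group in groups:
        value = group.encode()
        attrs += struct.pack("!BB", ATTR_FILTER_ID, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """True only if the Response Authenticator matches; a forged or altered reply fails."""
    if len(packet) < 20:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    _code, _ident, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def filter_id_groups(packet):
    """Walk the attribute list and return every Filter-ID value as a group name."""
    groups = []
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        if atype == ATTR_FILTER_ID:
            groups.append(packet[pos + 2:pos + alen].decode())
        pos += alen
    return groups


def groups_from_reply(packet, request_auth, secret):
    """Take group names only from an authenticated reply, and only names the appliance knows."""
    if not verify_response(packet, request_auth, secret):
        return None
    return [g for g in filter_id_groups(packet) if g in KNOWN_GROUPS]
```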
RADIUS Client Test
To test your RADIUS Client user name and password, perform the following steps:
1. Navigate to the Diagnostics > Network page.
2. Enter a valid user name in the User field, and the password in the Password field.
3. Click the RADIUS Client Test button.
If the validation is successful, the Status message changes to Success. If the validation fails, the Status message changes to Failure. Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to type a User Name and Password into a dialog box.
Configuring Single Sign-On
SonicWALL SSO Agent identifies users by IP address using a SonicWALL
ADConnector compatible protocol and automatically determines when a user
has logged out to prevent unauthorized access. Based on data from
SonicWALL SSO Agent, the SonicWALL security appliance queries LDAP or
the local database to determine group membership. Memberships are
matched against policy, and based on user privileges, access is granted or
denied. The configured inactivity and session limit timers apply with SSO,
though users who are logged out are automatically and transparently logged
back in when they send further traffic.
To configure SSO settings:
Step 1 On the User > Settings page, if you are using Active Directory for authentication, select SonicWALL SSO Agent from the Single sign-on method drop-down list, and then click the Configure button.
Step 2 In the Transparent Authentication Configuration screen, in the Name or IP Address field, enter the name or IP Address of the workstation on which SonicWALL SSO Agent is installed.
Step 3 In Port Number, enter the port number of the workstation on which SonicWALL SSO Agent is installed. The default port is 2258.
Step 4 In the Shared Key field, enter the shared key that you created or generated in the SonicWALL SSO Agent. The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key field.
Step 5 In the Timeout (seconds) field, enter a number of seconds before the authentication attempt times out.
Step 6 In the Retries field, enter the number of authentication attempts.
Step 7 Click the Users tab. The User Settings page displays.
Step 8 Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated.
Step 9 Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not checked, user names in the local database must match exactly the full names returned from the agent, including the domain component.
Step 10 Check the box next to Allow limited access for non-domain users to
allow limited access to users who are logged in to a computer but not
into a domain. These users will not be given access to the Trusted
Users user group. They are identified in logs as
computer-name/user-name. When performing local authentication and
the Simple user names in local database option is disabled, user
names must be configured in the local database using the full
computer-name/user-name identification.
Step 11 To use LDAP to retrieve user information, select the Use LDAP to
retrieve user group information radio button.
Step 12 To use local configuration, select the Local configuration radio button.
Step 13 In the Polling rate (minutes) field, enter a polling interval, in minutes,
that the security appliance will poll the workstation running SSO Agent
to verify that users are still logged on.
Step 14 In the Hold time after (minutes) field, enter a time, in minutes, that the
security appliance will wait before trying again to identify traffic after an
initial failure to do so. This feature rate-limits requests to the agent.
Step 15 Click on the Content Filter tab if you are using the SonicWALL Content
Filtering Service (CFS) and there is a proxy server in your network.
Note
The Content Filter tab is only displayed if Premium CFS is
enabled on the SonicWALL security appliance.
Step 16 To bypass SSO for content filtering traffic and apply the default content
filtering policy to the traffic, select the appropriate address object or
address group from the drop-down list. This setting should be used
where traffic that would be subject to content filtering can emanate from
a device other than a user's workstation (such as an internal proxy web
server). It prevents the SonicWALL from attempting to identify such a
device as a network user in order to select the content filtering policy to
apply. The default content filtering policy will be used for all traffic from
the selected IP addresses.
Step 17 You can test the Transparent Authentication Configuration settings on
the Policies > Diagnostics > Network page. For more information, click
the Test tab.
Step 18 When finished, click OK.
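As an added example (not SonicWALL's code), the following models how the three options from Steps 8 to 10 (Allow only users listed locally, Simple user names in local database, Allow limited access for non-domain users) decide which local entry an agent-reported login matches and which groups it keeps. The page gives the computer-name/user-name form for non-domain logons; the DOMAIN\user form for domain logons, case-insensitive comparison, and an unlisted user receiving no group-based privileges are assumptions made here.

```python
"""Local-database matching for SSO agent logins under the Users tab options."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentLogin:
    scope: str          # domain name, or the computer name for a non-domain logon
    user: str
    domain_logon: bool


def parse_agent_name(name):
    """Split a name reported by the SSO agent into its scope and user parts."""
    if "\\" in name:                      # assumed domain form: DOMAIN\user
        scope, user = name.split("\\", 1)
        return AgentLogin(scope, user, True)
    if "/" in name:                       # page's non-domain form: computer-name/user-name
        scope, user = name.split("/", 1)
        return AgentLogin(scope, user, False)
    raise ValueError("agent name has no domain or computer component: %r" % name)


def lookup_local(local_db, key):
    """Case-insensitive lookup in the local user database (assumption)."""
    for local_name, groups in local_db.items():
        if local_name.lower() == key.lower():
            return list(groups)
    return None


def authorize(agent_name, local_db, simple_names, allow_non_domain, allow_only_local):
    """Return ('allow', groups) or ('deny', []) for one agent-reported login.

    local_db maps a local user name to its group list. With simple_names the
    scope is ignored and only the user part is matched; otherwise the local
    entry must equal the full name the agent reported."""
    login = parse_agent_name(agent_name)
    if not login.domain_logon and not allow_non_domain:
        return ("deny", [])
    key = login.user if simple_names else agent_name
    groups = lookup_local(local_db, key)
    if groups is None:
        if allow_only_local:
            return ("deny", [])
        groups = []                       # unlisted user: no group-based privileges (assumption)
    if not login.domain_logon:
        # Page: non-domain users are never given the Trusted Users group.
        groups = [g for g in groups if g != "Trusted Users"]
    return ("allow", groups)
```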
Configuring Guest Services
Guest Services determine the limits and configuration of the guest accounts.
Guest accounts are temporary accounts set up for users to log into your
network.
You can create guest accounts manually as needed or generate them in
batches. Guest accounts are typically limited to a pre-determined life-span.
After their life span, by default, the accounts are removed.
To configure Guest Services, perform the following steps:
1. Expand the Users tree and click on Guest Services.
2. Check Show guest login status window with logout button to display a user login window on the user’s workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.
3. To create a guest profile, click Add below the Guest Profile list. The Add Guest Profile page displays.
4. In the Add Guest Profile window, configure the following options:
– Profile Name: Enter the name of the profile.
– User Name Prefix: Enter the first part of every user account name generated from this profile.
– Auto-generate user name: Check this to allow guest accounts generated from this profile to have an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.
– Auto-generate password: Check this to allow guest accounts generated from this profile to have an automatically generated password. The generated password is an eight-character unique alphabetic string.
– Enable Account: Check this for all guest accounts generated from this profile to be enabled upon creation.
– Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires.
– Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to log in with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
– Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.
– Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime.
– Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
– Comment: Any text can be entered as a comment in the Comment field.
5. Click OK to add the profile.
Configuring Guest Accounts
To view statistics on a guest account, move your mouse over the Statistics
icon in the line of the guest account. The statistics window will display the
cumulative total bytes and packets sent and received for all completed
sessions. Currently active sessions will not be added to the statistics until the
guest user logs out. To create a guest account, perform the following steps:
1. Expand the Users tree and click on Guest Accounts.
2. Under the list of accounts, click Add Guest.
3. Configure the following parameters for the guest account:
– Profile: Select the Guest Profile to generate this account from.
– Name: Enter a name for the account or click Generate. The generated name is the prefix in the profile and a random two- or three-digit number.
– Comment: Enter a descriptive comment.
– Password: Enter the user account password or click Generate. The generated password is a random string of eight alphabetic characters.
– Confirm Password: If you did not generate the password, re-enter it.
– Enable Guest Services Privilege: Check this for the account to be enabled upon creation.
– Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use this account at once.
– Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
– Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation. This setting overrides the account lifetime setting in the profile.
– Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
– Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
4. Click Update.
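As an added example (not SonicWALL's code), this models the guest lifetimes described for both the guest profile and the guest account above: Account Lifetime, Session Lifetime and Idle Timeout with their ordering constraint, activation on first login, Auto-Prune versus the Expired status, Enforce login uniqueness, and the generated credentials (prefix plus a two- or three-digit number; eight alphabetic characters). A per-account override of a profile value is expressed by giving the account its own adjusted copy of the profile. All times are in minutes and the sample values are constructed.

```python
"""Guest profile and guest account lifetime model for the settings on this page."""
from dataclasses import dataclass
import secrets
import string
from typing import Optional


@dataclass
class GuestProfile:
    name: str
    user_name_prefix: str
    account_lifetime: int            # minutes from creation until the account expires
    session_lifetime: int            # minutes from activation until the session expires
    idle_timeout: int                # minutes without traffic before the session expires
    auto_prune: bool = True
    enforce_login_uniqueness: bool = True
    activate_on_first_login: bool = True

    def validate(self):
        """Page constraints: Idle Timeout <= Session Lifetime <= Account Lifetime."""
        if not 0 < self.idle_timeout <= self.session_lifetime <= self.account_lifetime:
            raise ValueError("idle timeout <= session lifetime <= account lifetime is required")
        return True


def generate_user_name(profile):
    """Prefix plus a two- or three-digit number, drawn from a CSPRNG."""
    return profile.user_name_prefix + str(secrets.randbelow(990) + 10)


def generate_password():
    """Eight alphabetic characters, as the page states for generated passwords."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(8))


@dataclass
class GuestAccount:
    profile: GuestProfile
    name: str
    created_at: int                  # minute timestamp of account creation
    activated_at: Optional[int] = None
    last_traffic_at: Optional[int] = None
    active_logins: int = 0

    def __post_init__(self):
        if not self.profile.activate_on_first_login:
            self.activated_at = self.created_at   # checkbox cleared: active from creation

    def account_expired(self, now):
        return now >= self.created_at + self.profile.account_lifetime

    def session_expired(self, now):
        if self.activated_at is None:
            return False
        if now >= self.activated_at + self.profile.session_lifetime:
            return True
        last = self.activated_at if self.last_traffic_at is None else self.last_traffic_at
        return now - last >= self.profile.idle_timeout

    def status(self, now):
        """Pruned accounts leave the list; expired ones stay for easy reactivation."""
        if self.account_expired(now):
            return "Pruned" if self.profile.auto_prune else "Expired"
        if self.activated_at is None:
            return "Inactive"
        return "Session expired" if self.session_expired(now) else "Active"

    def login(self, now):
        """Admit a login unless the account or session has expired, or uniqueness
        is enforced and another instance of this account is already logged in."""
        if self.account_expired(now):
            return False
        if self.profile.enforce_login_uniqueness and self.active_logins > 0:
            return False
        if self.activated_at is None:
            self.activated_at = now      # first login activates the account
        if self.session_expired(now):
            return False
        self.active_logins += 1
        self.last_traffic_at = now
        return True

    def traffic(self, now):
        """Record guest traffic; it keeps an active session from idling out."""
        if self.status(now) == "Active":
            self.last_traffic_at = now
```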
Configuring Users in SonicOS Standard
The following sections describe how to configure users in SonicOS Standard:
• “Configuring User Settings” on page 370
• “Global User Settings” on page 372
• “Configuring an Acceptable Use Policy” on page 373
• “Configuring ULA Settings” on page 374
• “Configuring HTTP URL-Based ULA” on page 374
• “Configuring RADIUS for SonicOS Standard” on page 375
Configuring User Settings
SonicWALL appliances can be configured to authenticate users through a
Remote Authentication Dial-In User Service (RADIUS) server, a local user list,
or a combination of both. If authenticated locally or a combination of locally
and through RADIUS, SonicWALL appliances can also control user access
privileges.
Note
In order for changes on this page to take effect, the SonicWALL(s) will automatically be restarted. We recommend configuring these options when network activity is low.
To add a user, perform the following steps:
1. Expand the Users tree and click Settings. The User Settings page displays.
2. Select the authentication method in the User Login Settings section:
– To use RADIUS for all user authentication, select RADIUS from the Authentication method for login drop-down menu.
  – To only allow users that are configured locally, but to still use RADIUS to authenticate them, select the Allow only users listed below check box.
  – To grant users the privileges that are configured locally, but to still use RADIUS for authentication, select the Include privileges from users listed locally checkbox.
– To bypass RADIUS and only authenticate using the local user database, select Local Users from the Authentication method for login drop-down menu.
3. To add a user, do the following:
– Enter the user name in the User Name field.
– Select from the following user privileges:
  – Remote Access—enables the users to access LAN resources from the Internet. This option is only available in Standard mode.
  – Bypass Filters—enables Bypass Filters if the user can bypass Content Filtering settings.
  – Access to VPNs—enables the users to send information over the VPN Security Associations.
  – Access from VPN Client with XAUTH—use if a VPN client is using XAUTH for authentication.
  – Access Internet Access—enables the users to access the Internet.
  – L2TP Client—enables the user to connect using an L2TP client.
  – Wireless Guest Service—enables Wireless Guest Services for this user.
  – Easy WGS MAC Filtering—enables (and enforces) MAC address filtering for wireless guest service-enabled connections.
  – Limited Management—allows authorized users limited local management access to the SonicWALL interface. Access is limited to the General page (Status, Network, Time), the Log page (View Log, Log Settings, Log Reports), and the Tools page (Restart, Diagnostics minus Tech Support).
– Enter the password in the New Password field and reenter it in the Confirm Password field.
Note
Passwords are case-sensitive.
When you are finished, click Add. SonicWALL GMS creates a task that adds these users for each selected SonicWALL appliance. Repeat this step for each user that you want to add (up to 100 users).
Global User Settings
The settings listed below apply to all users when authenticated through the SonicWALL. To configure global user settings, expand the Users tab and click on the Settings tab. The following options are configured in the User Session Settings section:
• Inactivity timeout (minutes): users can be logged out of the SonicWALL after a preconfigured inactivity time. Enter the number of minutes in this field. The default value is 5 minutes.
• Enable login session limit: you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field. The default value is 30 minutes.
• Login session timeout: defines how much time a user has to log in before the login page times out. If it times out, a message displays saying they must click before attempting to log in again.
• Show user login status window with logout button: causes a status window to display with a Log Out button during the user’s session. The user can click the Log Out button to log out of their session.
• User's login status window refreshes every: determines how often the user’s status display is updated.
• Enable disconnected user detection: causes the SonicWALL to detect when a user’s connection is no longer valid and end the session.
• User's login status window sends heartbeat every (seconds): sets the frequency of the heartbeat signal used to detect whether the user still has a valid connection.
• Allow unauthenticated VPN users to access DNS: allows unauthenticated users access to DNS servers across a VPN tunnel with authentication enforcement.
Configuring an Acceptable Use Policy
The Acceptable Use Policy (AUP) configuration is identical for SonicOS
Standard and SonicOS Enhanced. For information on configuring an AUP, see
“Configuring an Acceptable Use Policy” on page 353.
Configuring ULA Settings
This section describes how to configure User Level Authentication (ULA) settings. ULA settings are not available on Enhanced firmware. To configure ULA settings, perform the following steps:
1. Expand the Users tree and click User ULA Settings. The User ULA Settings page displays.
2. To only allow authenticated users to access the Internet, select the Allow only authenticated users to access the Internet check box.
3. To allow unauthenticated users to access a service, select the service in the Always allow these services area and click Add. Repeat this step for each service to add.
4. To specify a range of IP addresses that will always be allowed to access the Internet, enter the IP address in the Begin field and the size of the range in the Length field. Repeat this step for each range to add.
5. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring HTTP URL-Based ULA
The HTTP URL-based ULA configuration is identical for SonicOS Standard
and SonicOS Enhanced. For information on configuring HTTP URL-based
ULA, see “Configuring HTTP URL-Based ULA Settings” on page 359.
Configuring RADIUS for SonicOS Standard
If you selected Use RADIUS for user authentication, you must now configure RADIUS information. To configure RADIUS, perform the following steps.
1. Expand the Users tab and click on RADIUS.
2. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range from 0 to 10; 3 RADIUS server retries is recommended.
3. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a default value of 5.
RADIUS Servers
1. Specify the following settings for the primary RADIUS server in the Primary Server section:
– Type the IP address of the RADIUS server in the IP Address field.
– Type the Port Number for the RADIUS server.
– Type the RADIUS server administrative password or “shared secret” in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
2. If there is a secondary RADIUS server, type the appropriate information in the Secondary Server section.
RADIUS Users
1. Configure the following privileges for all RADIUS users:
– Allow Internet Access (when access is restricted)—enables the users to access the Internet when Internet access is restricted to authorized users only.
– Bypass Filters—enables Bypass Filters if the user can bypass Content Filtering settings.
– Access to VPNs—enables the users to send information over the VPN Security Associations.
– Access from VPN Client with XAUTH—use if a VPN client is using XAUTH for authentication.
– Access L2TP Client from VPN Client—enables the user to connect using an L2TP client through a secure VPN tunnel.
– Wireless Guest Service—allows access (after RADIUS authentication) for Wireless Guest Services users.
– Easy WGS MAC Filtering—enables (and enforces) MAC address filtering for wireless guest service-enabled connections.
– Limited Management—allows authorized users limited local management access to the SonicWALL interface. Access is limited to the General page (Status, Network, Time), the Log page (View Log, Log Settings, Log Reports), and the Tools page (Restart, Diagnostics minus Tech Support).
– Allow Only Users Listed Locally—Disallows access to RADIUS users, except for those with duplicate local credentials.
RADIUS Client Test
To test your RADIUS Client user name and password, perform the following
steps:
1. Navigate to the Diagnostics > Network page.
2. Enter a valid user name in the User field, and the password in the
Password field.
3. Click the RADIUS Client Test button.
If the validation is successful, the Status message changes to Success. If
the validation fails, the Status message changes to Failure. Once the
SonicWALL has been configured, a VPN Security Association requiring
RADIUS authentication prompts incoming VPN clients to type a User Name
and Password into a dialogue box.
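The shared secret entered in the RADIUS Servers section is what the appliance and the RADIUS server use to hide the User-Password attribute and to authenticate the server's reply, which is the kind of exchange the RADIUS Client Test above performs. The following Python is an added example, not code from this guide or from SonicWALL: it implements the RFC 2865 password-hiding and Response Authenticator rules so the role of the secret (including its case sensitivity) can be seen end to end. The user name, password and the secret value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 bytes and
    XOR each block with MD5(secret + previous cipher block); the first block uses
    the 16-byte Request Authenticator in place of a previous block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password. A secret that differs even in
    letter case produces a different mask and therefore the wrong password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute area after the 20-byte header, rejecting bad lengths."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident: int, secret: bytes, username: bytes,
                         password: bytes) -> Tuple[bytes, bytes]:
    """Client side: returns (packet, request_authenticator). The authenticator
    must be unpredictable and unique per request, so it comes from os.urandom."""
    request_auth = os.urandom(16)
    attrs = encode_attributes([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: List[Tuple[int, bytes]],
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept or Access-Reject bound to one request."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(code, ident, body, request_auth, secret) + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the reply only if it was produced with our shared
    secret for our Request Authenticator; anything else counts as Failure."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

Because the Request Authenticator is mixed into both the password mask and the reply hash, a reply replayed from an earlier request, or one produced with a secret that differs only in case, fails verification; that is why the secret must match exactly on both sides.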
CHAPTER 17
Configuring Anti-Spam Settings
Activating Anti-Spam
To activate the Comprehensive Anti-Spam Service, perform the following
steps:
Step 1 Navigate to the Policies > Anti-Spam > Settings page.
Step 2 Select the Enable Anti-Spam Service checkbox to activate the
Anti-Spam service.
The Comprehensive Anti-Spam Service is now activated.
Configuring Anti-Spam Settings
You can configure the Comprehensive Anti-Spam Service on the Anti-Spam >
Settings page, including installing the Junk Store and configuring email threat
categories. See the following sections:
• “Configuring the Email Threat Categories” on page 378
• “Configuring Email Domains” on page 380
• “Configuring User Defined Access Lists” on page 380
• “Configuring Advanced Options” on page 381
• “Configuring Anti-Spam Real-Time Black List Filtering” on page 383
Configuring the Email Threat Categories
The Email Threat Categories section enables the administrator to configure
the settings for users’ messages. Choose settings for messages that contain
spam, phishing, and virus issues. The default settings are:
• Likely Spam – Store in Junk Box
• Definite Spam – Permanently Delete
• Likely Phishing – Tag with [LIKELY PHISHING]
• Definite Phishing – Store in Junk Box
• Likely Virus – Store in Junk Box
• Definite Virus – Permanently Delete
Use the drop-down options to choose how to handle messages in each
threat category. Your options are:
Response – Effect
Filtering off – SonicWALL Anti-Spam service will not scan and filter any email,
so all email messages in this category are delivered to the recipients without
modification.
Tag With – The email is tagged with a term in the subject line, for example,
[JUNK] or [Possible Junk?]. Selecting this option allows the user to have
control of the email and junk it if it is unwanted.
Store in Junk Box – The email message is stored in the Junk Box. It can be
unjunked by users and administrators with appropriate permissions.
Reject Mail – The email message is returned to sender with a message
indicating that it was not deliverable.
Permanently Delete – The email message is permanently deleted.
CAUTION: If you select this option, your organization risks losing wanted
email.
Configuring Email Domains
The Comprehensive Anti-Spam Service supports up to 5 domains. If you are
using more than one domain, choose the Multiple Domains option and
contact SonicWALL or your SonicWALL reseller for more information.
Configuring User Defined Access Lists
User-defined Access Lists designate which clients are allowed to connect to
deliver email. You can also set clients to be automatically rejected.
Configuring Advanced Options
Click the down-arrow next to Advanced Options to expand this section.
Advanced options allow you to set the following:
Setting – Description
Allow / Reject delivery of unprocessed mails when Comprehensive Anti-Spam
Service is unavailable – If the Anti-Spam service is not enabled or unavailable
for some other reason, you can choose Allow to let all unprocessed emails go
through. Spam messages will be delivered to users, as well as good email. If
the setting is Reject, no email will be delivered until the Anti-Spam service is
re-enabled.
Tag and Deliver / Reject / Delete emails when SonicWALL Junk Store is
unavailable – If the SonicWALL Junk Store cannot accept spam messages, you
can choose to delete them, reject them, or deliver them with cautionary subject
lines such as “[Phishing]Please renew your account”.
Probe Interval – Set the number of minutes between messages to the
monitoring service.
Success Count Threshold – Set the number of successes required to report a
success to the monitoring service.
Failure Count Threshold – Set the number of failures required to report a
failure to the monitoring service.
Server Public IP Address – The IP address of the server that is available for
external connections.
Server Private IP Address – The IP address of the server for internal traffic.
Inbound Email Port – The port your SonicWALL UTM appliance has open to
receive email from outside sources.
Enable Email System Detection – Enables the detection of other anti-spam
solutions in the network perimeter.
Configuring Anti-Spam Real-Time Black List Filtering
The Policies > Anti-Spam > RBL Filter page only allows configuration of
Real-Time Black List filtering if the Anti-Spam Service is not enabled.
SMTP Real-Time Black List (RBL) is a mechanism for publishing the IP
addresses that SMTP spammers use. A number of organizations compile this
information, both for free (http://www.spamhaus.org) and for profit
(http://www.mail-abuse.com). A well-maintained list of RBL services and their
efficacy can be found at:
http://www.sdsc.edu/~jeff/spam/cbc.html
Note
SMTP RBL is an aggressive spam filtering technique that can be
prone to false-positives because it is based on lists compiled from
reported spam activity. The SonicOS implementation of SMTP RBL
filtering provides a number of fine-tuning mechanisms to help
ensure filtering accuracy.
RBL list providers publish their lists using DNS. Blacklisted IP addresses
appear in the database of the list provider's DNS domain using inverted IP
notation of the SMTP server in question as a prefix to the domain name. A
response code from 127.0.0.2 to 127.0.0.9 indicates some type of
undesirability:
• 127.0.0.2 - Open Relay
• 127.0.0.3 - Dialup Spam Source
• 127.0.0.4 - Spam Source
• 127.0.0.5 - Smart Host
• 127.0.0.6 - Spamware Site
• 127.0.0.7 - Bad List Server
• 127.0.0.8 - Insecure Script
• 127.0.0.9 - Open Proxy Server
For example, if an SMTP server with IP address 1.2.3.4 has been blacklisted
by RBL list provider sbl-xbl.spamhaus.org, then a DNS query to
4.3.2.1.sbl-xbl.spamhaus.org will provide a 127.0.0.4 response, indicating
that the server is a known source of spam, and the connection will be dropped.
Note
Most spam today is known to be sent from hijacked or zombie
machines running a thin SMTP server implementation. Unlike
legitimate SMTP servers, these zombie machines rarely attempt to
retry failed delivery attempts. Once the delivery attempt is blocked
by the SonicWALL RBL filter, no subsequent delivery attempts for
that same piece of spam will be made.
When Enable Real-time Black List Blocking is enabled on the Anti-Spam >
RBL Filter page, inbound connections from hosts on the WAN, or outbound
connections to hosts on the WAN are checked against each enabled RBL
service with a DNS request to the DNS servers configured under RBL DNS
Servers.
The RBL DNS Servers menu allows you to specify the DNS servers. You can
choose Inherit Settings from WAN Zone or Specify DNS Servers Manually.
If you select Specify DNS Servers Manually, enter the DNS server addresses
in the DNS Server fields.
The DNS responses are collected and cached. If any of the queries result in a
blacklisted response, the server will be filtered. Responses are cached using
TTL values, and non-blacklisted responses are assigned a cache TTL of 2
hours. If the cache fills up, then cache entries are discarded in a FIFO
(first-in-first-out) fashion.
The IP address check uses the cache to determine if a connection should be
dropped. Initially, IP addresses are not in the cache and a DNS request must
be made. In this case the IP address is assumed innocent until proven guilty,
and the check allows the connection. The DNS request is made and its result
is cached in a separate task. When subsequent packets from this IP address
are checked, if the IP address is blacklisted, the connection will be dropped.
Adding RBL Services
You can add additional RBL services in the Real-time Black List Services
section.
To add an RBL service, click the Add button. In the Add RBL Domain window,
you specify the RBL domain to be queried, enable it for use, and specify its
expected response codes. Most RBL services list the responses they provide
on their Web site, although selecting Block All Responses is generally
acceptable.
Statistics are maintained for each RBL Service in the RBL Service table, and
can be viewed with a mouseover of the (statistics) icon to the right of the
service entry.
User-Defined SMTP Server Lists
The User Defined SMTP Server Lists section allows for Address Objects to
be used to construct a white-list (explicit allow) or black-list (explicit deny) of
SMTP servers. Entries in this list will bypass the RBL querying procedure. For
example, to ensure that you always receive SMTP connections from a partner
site's SMTP server, create an Address Object for the server using the Add
button, click the edit icon in the Configure column of the RBL User White List
row, and add the Address Object. The table will be updated, and that server
will always be allowed to make SMTP exchanges.
The System > Diagnostics page also provides a Real-time Black List
Lookup feature that allows for SMTP IP addresses (or RBL services, or DNS
servers) to be specifically tested.
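The pieces described in this section (the inverted-IP query name, the meaning of each response code, the allow-on-first-sight check with the lookup done as a separate task, the TTL cache with FIFO eviction, per-service statistics, and the user-defined white and black lists that bypass RBL querying) fit together as in the following Python. This is an added example, not SonicOS code. The resolver is a constructed lookup table standing in for DNS so the example runs offline: the answer for 1.2.3.4 reproduces the guide's own example, while the 10.0.0.2 entry, the RBLChecker class and its method names are constructed for this illustration.

```python
import ipaddress
from collections import OrderedDict
from typing import Callable, Dict, List, Optional, Set, Tuple

# Response codes and their meanings, as listed in the guide.
RBL_RESPONSE_CODES: Dict[str, str] = {
    "127.0.0.2": "Open Relay",
    "127.0.0.3": "Dialup Spam Source",
    "127.0.0.4": "Spam Source",
    "127.0.0.5": "Smart Host",
    "127.0.0.6": "Spamware Site",
    "127.0.0.7": "Bad List Server",
    "127.0.0.8": "Insecure Script",
    "127.0.0.9": "Open Proxy Server",
}


def rbl_query_name(ip: str, rbl_domain: str) -> str:
    """DNS name to query: the IPv4 octets reversed, prefixed to the RBL domain."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain


# Constructed DNS answers (name -> (A record, TTL seconds)) standing in for a
# real resolver. 1.2.3.4 matches the guide's example; 10.0.0.2 is constructed.
CONSTRUCTED_DNS: Dict[str, Tuple[str, int]] = {
    "4.3.2.1.sbl-xbl.spamhaus.org": ("127.0.0.4", 900),
    "2.0.0.10.sbl-xbl.spamhaus.org": ("127.0.0.2", 300),
}

Resolver = Callable[[str], Tuple[Optional[str], int]]


def constructed_resolve(name: str) -> Tuple[Optional[str], int]:
    """Stand-in resolver; a name that is not listed (NXDOMAIN) yields (None, 0)."""
    return CONSTRUCTED_DNS.get(name, (None, 0))


class RBLChecker:
    """Cache-backed RBL check following the behaviour the guide describes
    (constructed for this example; not the SonicOS implementation)."""

    CLEAN_TTL = 2 * 60 * 60  # non-blacklisted answers are cached for 2 hours

    def __init__(self, services: List[Tuple[str, Optional[Set[str]]]],
                 resolve: Resolver, max_entries: int = 1000) -> None:
        # services: (rbl domain, response codes that block, or None = Block All Responses)
        self.services = services
        self.resolve = resolve
        self.max_entries = max_entries
        self.cache: "OrderedDict[str, Tuple[bool, float]]" = OrderedDict()  # ip -> (listed, expires_at)
        self.pending: List[str] = []        # lookups queued by check(), run by run_pending()
        self.allow_list: Set[str] = set()   # RBL User White List (explicit allow)
        self.deny_list: Set[str] = set()    # RBL User Black List (explicit deny)
        self.stats: Dict[str, Dict[str, int]] = {d: {"queries": 0, "hits": 0} for d, _ in services}

    def check(self, ip: str, now: float) -> bool:
        """True if the SMTP connection may proceed at time `now` (seconds)."""
        if ip in self.allow_list:          # user-defined lists bypass RBL querying
            return True
        if ip in self.deny_list:
            return False
        entry = self.cache.get(ip)
        if entry is not None and entry[1] > now:
            return not entry[0]            # cached verdict decides
        # Not cached or expired: innocent until proven guilty, lookup queued.
        if ip not in self.pending:
            self.pending.append(ip)
        return True

    def run_pending(self, now: float) -> None:
        """Perform queued lookups; on an appliance this runs as a separate task."""
        for ip in self.pending:
            self._lookup(ip, now)
        self.pending.clear()

    def _lookup(self, ip: str, now: float) -> None:
        listed, ttl = False, self.CLEAN_TTL
        for domain, blocking_codes in self.services:
            self.stats[domain]["queries"] += 1
            answer, answer_ttl = self.resolve(rbl_query_name(ip, domain))
            if answer is not None and (blocking_codes is None or answer in blocking_codes):
                self.stats[domain]["hits"] += 1
                listed, ttl = True, answer_ttl   # blacklisted answers keep their own TTL
                break
        self._store(ip, listed, now + ttl)

    def _store(self, ip: str, listed: bool, expires_at: float) -> None:
        if ip in self.cache:
            del self.cache[ip]
        elif len(self.cache) >= self.max_entries:
            self.cache.popitem(last=False)   # cache full: discard the oldest entry (FIFO)
        self.cache[ip] = (listed, expires_at)
```

The `max_entries` limit makes the FIFO consequence visible: once a listed address is evicted, its next connection is allowed again until the lookup completes, which is the trade-off the "innocent until proven guilty" design accepts.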
CHAPTER 18
Configuring Virtual Private Networking
A Virtual Private Network (VPN) is a private data network that uses encryption
technologies to operate over public networks. This chapter contains the
following sections:
• “VPN SA Management Overview” section on page 389
• “Viewing the VPN Summary” section on page 391
• “Configuring VPN Settings” section on page 392
• “Configuring ULA Settings for VPNs” section on page 395
• “Configuring VPNs in SonicOS Enhanced” section on page 396
• “Configuring VPNs in SonicOS Standard” section on page 403
• “Setting up the L2TP Server” section on page 436
• “Monitoring VPN Connections” section on page 437
• “Management of VPN Client Users” section on page 437
• “VPN Terms and Concepts” section on page 439
• “Using OCSP with SonicWALL Security Appliances” section on page 442
VPN SA Management Overview
Each node in a network can exchange data by establishing a VPN tunnel or a
Security Association (SA) with one or more other nodes. Once a tunnel is
established, the SA uses encryption and authentication keys to ensure data
security and integrity.
A security key string is an encryption key that is used to encrypt and decrypt
secure data. Both nodes must have the key to exchange data. For example,
the announcer of the Little Orphan Show used the same key to encode the
secret messages that the kids used to decode the messages.
Although an encrypted message cannot be read, it can be tampered with
externally. Using an authentication key prevents external tampering. An
authentication key is a hash function that is applied to the message content
and is checked by the message recipient to verify the message was not
modified in transit.
In order to ensure message security, it is very important that the security and
authentication keys are not discovered by outside parties. Otherwise, the
messages could be read in transit.
Deployment Caveats
When managing one or more VPNs through GMS, be aware of the following
caveats:
• Because of the individual nature of deployment, VPN SA configurations
are not inheritable.
• If updates are completed at the group node, separate tasks must be
created for each individual unit within that node.
Authentication Methods
SonicWALL appliances can use the following methods to exchange security
and authentication keys:
• SonicWALL certificates—each SonicWALL appliance obtains a
certificate from the SonicWALL Certificate Authority (CA). Security and
authentication keys are exchanged using public-key cryptography and
authenticity of each node is verified by the SonicWALL CA.
After the SA expires, the SonicWALL appliances will reestablish an SA
using the same public keys, but the security and authentication keys will
be different. If one set of security and authentication keys is compromised
by an outside party, that party will be unable to compromise the next set
of keys.
• Third-party certificates—the SonicWALL appliance and peer device
obtain certificates from the third-party certificate authorities. Security and
authentication keys are exchanged using public-key cryptography and
authenticity of each node is verified by the third-party CA.
After the SA expires, the peers will reestablish an SA using the same
public keys, but will not use the same security and authentication keys.
• Pre-shared secret—each SonicWALL appliance has a shared secret that
is used to establish an SA.
After the SA expires, the SonicWALL appliances will reestablish an SA
using the same public keys, but will not use the same security and
authentication keys.
• Pre-exchanged security and authentication keys—keys are
exchanged in advance.
The SA will always use the same encryption and authentication keys. If the
keys are compromised by an outside party, they will remain compromised
until the keys are changed.
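The two ideas in this overview, an authentication key applied as a keyed hash so tampering is detected, and the difference between pre-exchanged keys and keys that are renegotiated each time an SA is reestablished, can be made concrete with the following Python. It is an added example, not code from this guide or from SonicOS: an HMAC-SHA256 tag plays the role of the authentication key's hash function, and per-SA keys are derived from a long-term secret plus fresh nonces in a simplified, IKE-style way (assumptions: HMAC-SHA256 as the PRF, no Diffie-Hellman step). The SecurityAssociation class, the keying-mode names and the sample secret are constructed for the example; encryption itself is not performed, only the key handling is shown.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def authenticate(message: bytes, auth_key: bytes) -> bytes:
    """The authentication key in use: a keyed hash (HMAC-SHA256) over the
    message. The tag travels with the message and is checked by the recipient."""
    return hmac.new(auth_key, message, hashlib.sha256).digest()


def verify(message: bytes, tag: bytes, auth_key: bytes) -> bool:
    """Recompute the tag and compare in constant time; any modification in
    transit, or a tag made under a different key, fails here."""
    return hmac.compare_digest(authenticate(message, auth_key), tag)


def derive_sa_keys(shared_secret: bytes, nonce_i: bytes, nonce_r: bytes) -> Dict[str, bytes]:
    """Derive one SA lifetime's encryption and authentication keys from the
    long-term secret plus nonces from both peers. Assumption for this example:
    HMAC-SHA256 acts as the PRF and IKE's Diffie-Hellman contribution is left
    out, so this shows key separation and per-SA freshness, not IKE itself."""
    nonces = nonce_i + nonce_r
    seed = hmac.new(nonces, shared_secret, hashlib.sha256).digest()
    return {
        "encryption": hmac.new(seed, b"enc" + nonces, hashlib.sha256).digest(),
        "authentication": hmac.new(seed, b"auth" + nonces, hashlib.sha256).digest(),
    }


class SecurityAssociation:
    """Holds one SA's keys and models what happens when the SA is reestablished
    (constructed for this example; not a SonicOS data structure)."""

    def __init__(self, keying_mode: str, shared_secret: bytes = b"",
                 manual_keys: Optional[Dict[str, bytes]] = None) -> None:
        if keying_mode == "manual":
            if not manual_keys:
                raise ValueError("manual keying needs pre-exchanged keys")
        elif keying_mode == "pre-shared secret":
            if not shared_secret:
                raise ValueError("pre-shared secret keying needs a secret")
        else:
            raise ValueError("unsupported keying mode")
        self.keying_mode = keying_mode
        self.shared_secret = shared_secret
        self.manual_keys = manual_keys or {}
        self.keys: Dict[str, bytes] = {}
        self.rekey()

    def rekey(self) -> Dict[str, bytes]:
        """Called when the SA expires and is reestablished."""
        if self.keying_mode == "manual":
            # Pre-exchanged keys: identical keys for every SA lifetime, so a
            # compromise lasts until someone changes them.
            self.keys = dict(self.manual_keys)
        else:
            # Fresh nonces give fresh keys; an earlier compromised set does not
            # help against the next one.
            self.keys = derive_sa_keys(self.shared_secret, os.urandom(32), os.urandom(32))
        return self.keys

    def send(self, message: bytes) -> Tuple[bytes, bytes]:
        """Sender attaches the tag computed under the current authentication key."""
        return message, authenticate(message, self.keys["authentication"])

    def receive(self, message: bytes, tag: bytes) -> bool:
        """Recipient accepts the message only if the tag verifies."""
        return verify(message, tag, self.keys["authentication"])
```

Note that after `rekey()` a tag produced under the previous SA no longer verifies, which is the property the overview attributes to certificate and pre-shared-secret keying, and which manual keying lacks.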
Note
For an explanation of VPN terms, see “VPN Terms and Concepts”
on page 439.
Viewing the VPN Summary
To view the VPN summary, perform the following steps:
1. Expand the VPN tree and click Summary. The VPN Summary page
displays.
Note
If VPN is already configured for the SonicWALL appliance, a list of
current SAs displays. The unique firewall identifier also displays.
2. Note the improved navigation for managing VPNs through use of page
navigation arrows within the Current IPSec Security Associations. To
navigate through the pages, click on the navigation arrow buttons in the
upper right corner of the VPN Summary Page as shown in the figure here.
When managing VPNs, the VPN Summary window can list too many VPNs for
you to easily find the entry you want to view. To make VPN searching and
viewing easier, GMS provides a pagination feature in the VPN Summary screen
that breaks the list of VPNs into multiple pages. Each page can display up to
50 VPNs. To display the next page of VPNs, click the Next button. GMS
displays the succeeding page of the VPN Summary window.
Configuring VPN Settings
To configure VPN settings, perform the following steps:
1. Expand the VPN tree and click Settings. The VPN Settings page displays.
2. Under Global IPSec Settings, select the Enable VPN check box.
3. To disable all NetBIOS broadcasts, select the Disable all VPN Windows
Networking (NetBIOS) broadcast check box.
4. To improve interoperability with other VPN gateways and applications that
use a large data packet size, select the Enable Fragmented Packet
Handling check box. Packet fragmentation overburdens a network router
by resending data packets and causes network traffic to slow down
between networks.
The Enable Fragmented Packet Handling option configures the
SonicWALL appliance to listen to the intermediate router and, if
necessary, send Internet Control Message Protocol (ICMP) messages to
the router to decrease the size of the data packets. Enabling this option is
recommended if the VPN tunnel logs contain many “Fragmented IPSec
packets dropped” messages.
5. To ignore Don’t Fragment (DF) bits from routers connected to the
SonicWALL appliance, select the Ignore DF Bit check box.
6. NAT Traversal is an Internet Engineering Task Force (IETF) draft standard
that wraps an IPsec packet into a UDP/IP header, allowing NAT devices to
change IP addresses without affecting the integrity of the IPsec packet. To
enable NAT traversal, select the Enable NAT Traversal check box.
7. Specify how often the SonicWALL appliance issues a Keepalive in the
Keep alive time field.
8. To enable detection of a dead peer, select the Enable IKE Dead peer
detection check box. Then, specify how often the SonicWALL appliance
attempts to detect a peer in the Dead peer detection Interval field and
specify the number of failed attempts that must occur before closing the
VPN tunnel in the Failure Trigger Level field.
9. Select Enable Dead Peer Detection for Idle vpn sessions if you want
idle VPN connections to be dropped by the SonicWALL security appliance
after the time value defined in the Dead Peer Detection Interval for Idle
VPN Sessions (seconds) field.
10. Select VPN Single Armed mode to use single armed mode, allowing the
appliance to act as a stand-alone VPN gateway, using the WAN port as
the VPN tunnel termination point.
11. Select Clean up Active Tunnels when Peer Gateway DNS names
resolves to a different IP address to break down SAs associated with
old IP addresses and reconnect to the peer gateway.
12. Select Preserve IKE Port for Pass-Through Connections to preserve
UDP 500/4500 source port and IP address information for pass-through
VPN connections.
13. Select Enable OCSP Checking and enter the OCSP Responder URL to
enable use of Online Certificate Status Protocol (OCSP) to check VPN
certificate status; the URL specifies where certificate status is checked.
14. Select Send vpn tunnel traps only when tunnel status changes to send
tunnel traps when the tunnel status changes. By default, the firewall sends
traps for VPN up/down status. To minimize email alerts based on VPN
traps, check this box.
15. Select Use RADIUS in and then select either MSCHAP or MSCHAPv2
mode for XAUTH to allow VPN client users to change expired passwords
at login time.
16. Under IKEv2 Settings, select Send IKEv2 Cookie Notify to send cookies
to IKEv2 peers as an authentication tool.
17. Use the IKEv2 Dynamic Client Proposal settings to configure the Internet
Key Exchange (IKE) attributes rather than using the default settings.
Previously, only the default settings were supported: Diffie-Hellman (DH)
Group 2, the 3DES encryption algorithm, and the SHA1 authentication
method. Appliances running SonicOS Enhanced 4.0 and higher can now
be configured with the following IKE Proposal settings:
– DH Group—Select Group 1, Group 2, or Group 5 from the
drop-down list. This sets the DH group in the global IPsec policy for a
zero (0.0.0.0) gateway, IKEv2 mode tunnel with dynamic peer
gateways.
– Encryption—Select DES, 3DES, AES-128, AES-192, or AES-256
from the drop-down list. This sets the encryption algorithm in the
global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode tunnel
with dynamic peer gateways whose IP addresses are not static.
– Authentication—Select MD5 or SHA1 from the drop-down list. This
sets the authentication algorithm in the global IPsec policy for a
zero (0.0.0.0) gateway, IKEv2 mode tunnel with dynamic peer
gateways whose IP addresses are not static.
If a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway
is defined, you cannot configure these IKE Proposal settings on an
individual policy basis.
Note
The VPN policy on the remote gateway must also be configured
with the same settings.
18. When you are finished, click Update. To clear all screen settings and start
over, click Reset.
Configuring ULA Settings for VPNs
To configure User Level Authentication settings for VPNs, perform the
following steps:
Note
ULA settings are only available in SonicOS Standard.
1. Expand the VPN tree and click ULA Settings.
2. To allow unauthenticated users to access a service, select the service in
the Allow these services to bypass user authentication on VPN SAs
area and click Add. Repeat this step for each service to add.
3. To specify a range of IP addresses that will always be allowed to access
the Internet, enter the IP address in the Begin field and the size of the
range in the Length field.
4. Click Add. The scheduler displays.
5. Expand Schedule by clicking the plus button.
6. Select Immediate or specify a future date and time.
7. Click Accept.
8. When you are finished, click Update.
9. Repeat steps 3 through 8 to add more ranges.
10. To delete an entry, select the checkbox to the left of the service or IP
address range and click Update.
Configuring VPNs in SonicOS Enhanced
SonicOS uses Address Objects and Address Object Groups to simplify
network configuration and interconnection. Address objects are network
addresses or hosts. Address object groups are groups of address objects
and/or address object groups.
When you configure VPN between Address Object Groups on two SonicWALL
appliances, SonicWALL GMS will automatically establish VPN connections
between every network within those groups. This saves a lot of configuration
time and dramatically simplifies VPN configuration.
Select from the following:
• “Configuring VPNs in Interconnected Mode” on page 396—For VPNs
between two SonicWALL appliances.
• “Configuring VPNs in Non-Interconnected Mode” on page 399—For VPN
between a SonicWALL appliance and another device.
When you have completed the interconnected or non-interconnected
configuration procedure, continue on to the following section:
• “Generic VPN Configuration in SonicOS Enhanced” on page 401
Configuring VPNs in Interconnected Mode
Establishing a VPN between two SonicWALL appliances that are being
managed by SonicWALL GMS is easy. Because SonicWALL GMS is aware of
the configuration settings, it will automatically configure most of the VPN
settings without any user intervention. To establish VPNs between two
SonicWALL appliances that are being managed by SonicWALL GMS, perform
the following steps:
1. Expand the VPN tree and click Configure 2.0. The VPN Configure page
displays with the General tab selected.
2. To establish a new SA, select Add New SA from the Security
Association list box.
3. Select the Interconnected check box.
4. To configure SonicWALL GMS to convert the SAs to non-interconnected
mode VPN tunnels, select the Make SAs viewable in Non-Interconnected
Mode check box.
Note
Making an SA viewable in Non-Interconnected mode is not
reversible.
5. Select the destination SonicWALL appliance by clicking Select
Destination Node and selecting the node from the dialog box that
displays.
6. To initially disable the SA upon creation, select the Disable SA check box.
This option can always be unchecked at a later time.
7. Select one of the following keying modes from the IPSec Keying Mode list
box:
Note
SonicWALL GMS automatically creates a pre-shared key, SPI,
encryption key, authentication key, or certificate information as
applicable, for each mode described below.
– Manual Key—keys are exchanged in advance. The SA will always
use the same encryption and authentication keys. If the keys are
compromised by an outside party, they will remain compromised until
the keys are changed.
– IKE Using Pre-Shared Secret—each SonicWALL appliance has a
shared secret that is used to establish an SA.
After the SA expires, the SonicWALL appliances will reestablish an SA
using the same public keys, but will not use the same security and
authentication keys. Configure the following:
–Local IKE ID—specifies whether the IP address or SonicWALL
Identifier will be used as the IKE ID for the local SonicWALL
appliance.
–Peer IKE ID—specifies whether the IP address or SonicWALL
Identifier will be used as the IKE ID for the peer SonicWALL
appliance.
– IKE Using 3rd Party Certificates—the SonicWALL appliance and
peer device obtain certificates from the third-party certificate
authorities. Security and authentication keys are exchanged using
public-key cryptography and authenticity of each node is verified by
the third-party CA.
After the SA expires, the peers will reestablish an SA using the same
public keys, but will not use the same security and authentication
keys.
8. Continue to “Generic VPN Configuration in SonicOS Enhanced” on
page 401.
Configuring VPNs in Non-Interconnected Mode
To establish a VPN in non-interconnected mode between a SonicWALL
appliance managed by SonicWALL GMS and another device, perform the
following steps:
1. Expand the VPN tree and click Configure 2.0. The VPN Configure page
displays with the General tab selected.
2. To establish a new SA, select Add New SA from the Security
Association list box.
3. Deselect the Interconnected check box.
4. Select the Disable SA check box to initially disable the SA upon creation.
This option can be unchecked at a later time.
5. Select one of the following keying modes from the IPSec Keying Mode list
box:
– Manual Key—keys are exchanged in advance.
The SA will always use the same encryption and authentication keys.
If the keys are compromised by an outside party, they will remain
compromised until the keys are changed. If you select this option,
configure the following:
–Name—specifies the name of the SA.
–IPSec Gateway Name or Address—specifies the name or IP
address of the gateway.
– IKE Using Pre-Shared Secret—each SonicWALL appliance has a
shared secret that is used to establish an SA. After the SA expires, the
SonicWALL appliances will reestablish an SA using the same public
keys, but will not use the same security and authentication keys.
Configure the following:
–Name—specifies the name of the SA.
–IPSec Primary Gateway Name or Address—specifies the name or
IP address of the primary gateway.
–IPSec Secondary Gateway Name or Address—specifies the
name or IP address of the secondary gateway.
–Shared Secret—specifies the shared secret used to negotiate the
VPN tunnel.
–Local IKE ID—specifies whether the IP address or SonicWALL
Identifier will be used as the IKE ID for the local SonicWALL
appliance.
–Peer IKE ID—specifies whether the IP address or SonicWALL
Identifier will be used as the IKE ID for the peer SonicWALL
appliance.
– IKE Using 3rd Party Certificates—the SonicWALL appliance and
peer device obtain certificates from the third-party certificate
authorities. Security and authentication keys are exchanged using
public-key cryptography and authenticity of each node is verified by
the third-party CA.
After the SA expires, the peers will reestablish an SA using the same
public keys, but will not use the same security and authentication
keys. If you select this option, configure the following:
–Name—specifies the name of the SA.
–IPSec Primary Gateway Name or Address—specifies the name or
IP address of the primary gateway.
–IPSec Secondary Gateway Name or Address—specifies the
name or IP address of the secondary gateway.
–Third Party Certificate—specifies the certificate used to establish
the SAs.
–Peer Certificate's ID Type—specifies the ID type of the peer
certificate.
–ID string to match—specifies the string used to establish the SAs.
Generic VPN Configuration in SonicOS Enhanced
To configure the additional options for VPNs in SonicOS Enhanced, perform
the following steps:
1. Click the Network tab. Select which local networks will be establishing
VPN connections with the destination networks:
– Choose local network from list—specifies an Address Object that
contains one or more networks. For information on creating address
objects, refer to the documentation that accompanied the SonicWALL
appliance.
– Local network obtains IP addresses using DHCP through this
VPN Tunnel—indicates that the computers on the local network will
obtain their IP addresses from the destination network.
– Any address—configures all networks to establish VPN connections
with the specified destination networks.
2. Select the destination networks with which the local networks will connect:
– Use this VPN Tunnel as default route for all Internet
traffic—configures all networks on the destination network to use this
VPN for all Internet traffic.
– Destination network obtains IP addresses using DHCP through
this VPN Tunnel—indicates that the computers on the destination
network will obtain their IP addresses from the local network.
– Choose destination network from list—specifies an Address Object
that contains one or more networks. For information on creating
address objects, refer to the documentation that accompanied the
SonicWALL appliance.
3. (Optional) Click the Proposals tab.
4. Select the IKE Phase 1 Proposal Options (Certificates and Pre-Shared
Secret only):
– Exchange—Select the exchange mode from the Exchange list box.
Aggressive mode improves the performance of IKE SA negotiation by
only requiring three packet exchanges. However, it provides no
identity protection. Otherwise, select Main Mode.
– DH Group—specifies the Diffie-Hellman group to use when the VPN
devices are negotiating encryption and authentication keys.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies
a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies
the currently most secure 1536-bit Diffie-Hellman value.
– Encryption—specifies the type of encryption key to use when the
VPN devices are negotiating encryption keys.
– Authentication—specifies the type of authentication key to use when
the VPN devices are negotiating authentication keys.
– Life Time (seconds)—specifies how long a tunnel will remain active
before being renegotiated. We recommend a value of 28,800 seconds
(8 hours).
5. Select the IKE Phase 2 Proposal Options:
– Protocol—specifies the type of protocol to use for VPN
communications (AH or ESP).
– Encryption—specifies the type of encryption key to use after the
VPN devices have negotiated encryption keys.
– Authentication—specifies the type of authentication key to use after
the VPN devices have negotiated authentication keys.
– Enable Perfect Forward Secrecy—when selected, this option
prevents repeated compromises of the same security key when
reestablishing a tunnel.
– DH Group—specifies the Diffie-Hellman group to use after the VPN
devices have negotiated encryption and authentication keys.
– Life Time (seconds)—specifies how long a tunnel will remain active
before being renegotiated. We recommend a value of 28,800 seconds
(8 hours).
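Both gateways must be configured with the same proposal (the Note after the IKEv2 Dynamic Client Proposal settings makes the same point), and the Phase 1 and Phase 2 options listed here differ widely in strength, so a policy check before the policy is committed is worthwhile. The following Python is an added example, not SonicWALL code: dataclasses model the Phase 1 and Phase 2 proposals above, `mismatched_attributes` reports the attributes on which two gateways disagree, and `review_proposal` flags the weaker choices using the Diffie-Hellman group sizes stated in the Note. The rule that the shorter lifetime wins, and the class and function names, are assumptions of this example.

```python
from dataclasses import dataclass, fields
from typing import List, Optional, Union

# Diffie-Hellman group sizes as stated in the guide's note.
DH_GROUP_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536}
RECOMMENDED_LIFETIME = 28800  # seconds (8 hours), as recommended in the guide


@dataclass(frozen=True)
class Phase1Proposal:
    exchange: str          # "Main Mode" or "Aggressive Mode"
    dh_group: str          # a key of DH_GROUP_BITS
    encryption: str        # DES, 3DES, AES-128, AES-192 or AES-256
    authentication: str    # MD5 or SHA1
    lifetime: int          # seconds


@dataclass(frozen=True)
class Phase2Proposal:
    protocol: str            # AH or ESP
    encryption: str
    authentication: str
    pfs: bool                # Enable Perfect Forward Secrecy
    dh_group: Optional[str]  # only meaningful when pfs is True
    lifetime: int


Proposal = Union[Phase1Proposal, Phase2Proposal]


def mismatched_attributes(local: Proposal, peer: Proposal) -> List[str]:
    """Names of attributes on which the two gateways disagree (empty = match).
    Lifetime is handled by agreed_lifetime(); the Phase 2 DH group is ignored
    when neither side uses PFS because it then plays no part in negotiation."""
    if type(local) is not type(peer):
        raise TypeError("compare proposals of the same phase")
    out = []
    for f in fields(local):
        if f.name == "lifetime":
            continue
        if (f.name == "dh_group" and isinstance(local, Phase2Proposal)
                and not local.pfs and not peer.pfs):
            continue
        if getattr(local, f.name) != getattr(peer, f.name):
            out.append(f.name)
    return out


def agreed_lifetime(local: Proposal, peer: Proposal) -> int:
    """Assumption for this example: the shorter lifetime is used so that both
    sides renegotiate before either one considers the SA expired."""
    return min(local.lifetime, peer.lifetime)


def review_proposal(p: Proposal) -> List[str]:
    """Advisory findings a defender would want to see before committing a policy."""
    findings = []
    if p.encryption == "DES":
        findings.append("DES has a 56-bit key, the smallest of the listed options")
    if p.authentication == "MD5":
        findings.append("MD5 is the weaker of the two hash choices offered")
    group = p.dh_group if isinstance(p, Phase1Proposal) or p.pfs else None
    if group == "Group 1":
        findings.append("Group 1 is the smallest DH group listed (%d bits)" % DH_GROUP_BITS[group])
    if isinstance(p, Phase1Proposal) and p.exchange == "Aggressive Mode":
        findings.append("Aggressive mode provides no identity protection")
    if isinstance(p, Phase2Proposal) and not p.pfs:
        findings.append("PFS disabled: a compromised key can be reused when the tunnel is reestablished")
    if p.lifetime > RECOMMENDED_LIFETIME:
        findings.append("lifetime exceeds the recommended %d seconds" % RECOMMENDED_LIFETIME)
    return findings
```

Run `mismatched_attributes` on the local policy and the peer's settings before enabling the SA; an empty list plus an empty `review_proposal` result is the state to aim for.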
6. (Optional) Click the Advanced tab.
7. Configure the following Advanced settings:
– Enable Keep Alive—configures the VPN tunnel to remain open as
long as there is network traffic on the SA.
– Enable Windows Networking Broadcast—enables NetBIOS
broadcasts across the SA.
– Apply NAT Policies—enables NAT for the selected networks.
– Management via this SA—specifies which protocols can be used to
manage the SonicWALL appliance through this SA. In addition to
HTTP and HTTPS, you can enable the SSH management of the
device through the IPsec tunnel. When the SSH check box is selected
in an IPsec Policy, an SSH session can be initiated to the device using
the IPsec tunnel for the policy.
– User login via this SA—specifies the protocols that users can use to
login to the SonicWALL appliance through this SA.
– Default LAN Gateway—specifies the default gateway when routing
all traffic through this tunnel (required for Enhanced-to-Standard
configuration, optional for Enhanced-to-Enhanced).
– VPN Policy bound to—specifies the zone or interface to which the
VPN tunnel will terminate.
– Preempt Secondary Gateway—enables preemption of a secondary
gateway to the primary gateway in the IPsec policy. If a secondary
gateway is configured in the IPsec Policy, an IPsec tunnel is
established with the secondary gateway when the primary gateway is
unreachable. If this option is enabled in the policy, a periodic discovery
is attempted for the primary gateway and if discovered successfully,
tunnels are switched back to the primary gateway from the secondary
gateway.
– Primary Gateway Detection Interval—specifies the time interval in
seconds for the discovery of the primary IPsec gateway if it is
unreachable. The minimum value is 120 and the maximum value is
28800.
8. When you are finished, click OK. SonicWALL GMS begins establishing
VPN tunnels between all specified networks.
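The proposal and Advanced settings above carry several constraints worth checking before a policy is pushed to many appliances at once: the guide lists DH Groups 1, 2 and 5 (768, 1024 and 1536 bits) with Group 5 the strongest, recommends a 28,800-second lifetime for both phases, offers Perfect Forward Secrecy so that a compromised key is not reused when a tunnel is re-established, and bounds the Primary Gateway Detection Interval to 120 through 28800 seconds. The following policy linter is an added example written for this guide; it is not a GMS tool or SonicWALL code. The `VpnPolicy` fields and the two sample policies are constructed, and the linter assumes the Phase 2 DH group only matters when PFS is enabled. It also flags AH as the Phase 2 protocol, since AH authenticates packets but leaves their payload unencrypted.

```python
from dataclasses import dataclass
from typing import List, Optional

# Diffie-Hellman groups named in the guide and their modulus sizes in bits.
# Group 5 is the strongest of the three the guide lists.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
RECOMMENDED_LIFETIME = 28800      # the guide's recommended SA lifetime (8 hours)
DETECTION_INTERVAL_MIN = 120      # Primary Gateway Detection Interval bounds from the guide
DETECTION_INTERVAL_MAX = 28800


@dataclass
class VpnPolicy:
    """Subset of the IKE proposal and Advanced settings described above.
    Constructed model for this example, not a GMS data structure."""
    name: str
    phase1_dh_group: int
    phase1_lifetime: int
    phase2_protocol: str                       # "ESP" or "AH"
    phase2_lifetime: int
    perfect_forward_secrecy: bool
    phase2_dh_group: Optional[int] = None      # assumed relevant only when PFS is on
    secondary_gateway: Optional[str] = None
    preempt_secondary_gateway: bool = False
    primary_gateway_detection_interval: Optional[int] = None


def lint_policy(policy: VpnPolicy) -> List[str]:
    """Return a list of findings for the policy; an empty list means it passes."""
    findings: List[str] = []

    # Phase 1 DH group, plus the Phase 2 group when PFS asks for one.
    groups = [("Phase 1", policy.phase1_dh_group)]
    if policy.perfect_forward_secrecy and policy.phase2_dh_group is not None:
        groups.append(("Phase 2", policy.phase2_dh_group))
    for phase, group in groups:
        if group not in DH_GROUP_BITS:
            findings.append(f"{phase}: DH group {group} is not one of the groups the guide lists")
        elif DH_GROUP_BITS[group] < DH_GROUP_BITS[5]:
            findings.append(f"{phase}: DH group {group} ({DH_GROUP_BITS[group]}-bit) is weaker than Group 5")

    # Lifetimes: the guide recommends 28,800 seconds for both phases.
    for phase, lifetime in (("Phase 1", policy.phase1_lifetime), ("Phase 2", policy.phase2_lifetime)):
        if lifetime <= 0:
            findings.append(f"{phase}: lifetime must be a positive number of seconds")
        elif lifetime > RECOMMENDED_LIFETIME:
            findings.append(f"{phase}: lifetime {lifetime}s exceeds the recommended {RECOMMENDED_LIFETIME}s")

    # Phase 2 protocol: AH authenticates packets but does not encrypt them.
    protocol = policy.phase2_protocol.upper()
    if protocol not in ("ESP", "AH"):
        findings.append(f"Phase 2: protocol must be ESP or AH, not {policy.phase2_protocol!r}")
    elif protocol == "AH":
        findings.append("Phase 2: AH provides authentication only; payloads cross the tunnel unencrypted")

    # PFS: without it, a compromised key can be reused when the tunnel is re-established.
    if not policy.perfect_forward_secrecy:
        findings.append("Phase 2: Perfect Forward Secrecy is disabled")
    elif policy.phase2_dh_group is None:
        findings.append("Phase 2: Perfect Forward Secrecy is enabled but no DH group is selected")

    # Preemption needs a secondary gateway, and the detection interval must
    # lie inside the range the guide gives.
    if policy.preempt_secondary_gateway:
        if policy.secondary_gateway is None:
            findings.append("Advanced: Preempt Secondary Gateway is set but no secondary gateway is configured")
        interval = policy.primary_gateway_detection_interval
        if interval is None or not DETECTION_INTERVAL_MIN <= interval <= DETECTION_INTERVAL_MAX:
            findings.append(
                f"Advanced: Primary Gateway Detection Interval must be between "
                f"{DETECTION_INTERVAL_MIN} and {DETECTION_INTERVAL_MAX} seconds (got {interval})")
    return findings


# Constructed sample policies; names and addresses are illustrative only.
HARDENED_POLICY = VpnPolicy(
    name="hq-to-branch", phase1_dh_group=5, phase1_lifetime=28800,
    phase2_protocol="ESP", phase2_lifetime=28800, perfect_forward_secrecy=True,
    phase2_dh_group=5, secondary_gateway="203.0.113.2",
    preempt_secondary_gateway=True, primary_gateway_detection_interval=300)

LEGACY_POLICY = VpnPolicy(
    name="legacy-site", phase1_dh_group=1, phase1_lifetime=86400,
    phase2_protocol="AH", phase2_lifetime=86400, perfect_forward_secrecy=False,
    preempt_secondary_gateway=True, primary_gateway_detection_interval=60)

if __name__ == "__main__":
    for policy in (HARDENED_POLICY, LEGACY_POLICY):
        print(policy.name)
        for finding in lint_policy(policy) or ["no findings"]:
            print("  -", finding)
```

Run against the two constructed policies, the hardened one produces no findings while the legacy one is flagged on every axis the guide discusses: weak DH group, over-long lifetimes, AH, PFS off, preemption without a secondary gateway and a detection interval below the 120-second minimum.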
Configuring VPNs in SonicOS Standard
This section describes how to configure VPN version 1.0 for SonicOS
Standard. To configure VPN for SonicOS Enhanced, see “Configuring VPNs in
SonicOS Enhanced” on page 396.
SonicWALL GMS supports several methods for establishing and maintaining
security associations (SAs). These include:
• “IKE Using SonicWALL Certificates” on page 404
• “IKE Using Third-Party Certificates” on page 412
• “IKE Using Pre-Shared Secret” on page 421
• “Manual Keying” on page 429
IKE Using SonicWALL Certificates
The following sections describe how to configure SAs for Internet Key
Exchange (IKE) using SonicWALL certificates:
• “When All Appliances are Managed by SonicWALL GMS” on page 405
• “When One Appliance Is Not Managed by SonicWALL GMS” on page 409
Note
This section assumes that you are familiar with Public Key
Infrastructure (PKI) and the implementation of digital certificates
with VPN.
A digital certificate is an electronic means to verify identity by using a trusted
third party known as a Certificate Authority (CA). SonicWALL certificates are
the easiest certificate solution for establishing the identity of peer VPN devices
and users.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and
it can use digital signatures to authenticate peer devices before setting up
security associations. Without digital signatures, VPN users must authenticate
by manually exchanging shared secrets or symmetric keys. Devices using
digital signatures do not require configuration changes every time a new
device is added to the network.
Note
Although SAs can be established with most IPSec-compliant
devices, SonicWALL Certificates can only be used between
SonicWALL appliances.
This section describes how to establish SAs between SonicWALL appliances
that are managed by SonicWALL GMS and SonicWALL appliances that are
not managed by SonicWALL GMS.
Note
Before establishing SAs using SonicWALL certificates, you must
obtain a Public Key Infrastructure (PKI) administrator certificate and
apply it to each SonicWALL appliance. For more information, see
“Registering and Upgrading SonicWALL Appliances” on page 591.
When All Appliances are Managed by SonicWALL GMS
To enable VPN using certificates, perform the following steps:
1. Expand the VPN tree and click Configure. The VPN Configure page
displays.
2. Select the Use Interconnected Mode check box.
3. For the IPSec Keying Mode, select IKE using SonicWALL Certificates.
4. Select from the following:
– To add a new SA, select Add a new Security Association.
– To delete an existing SA, select Delete an existing Security
Association.
– To edit an existing SA, select Modify an existing Security
Association.
5. Click Select Destination.
A dialog box that contains all SonicWALL appliances managed by this
SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs
and click the Select button. The name of the target displays in the Target
SonicWALL Group/Node field.
7. Aggressive mode improves the performance of IKE SA negotiation by only
requiring three packet exchanges. However, it provides no identity
protection. To enable aggressive mode, select Aggressive Mode from the
Exchange list box. Otherwise, select Main Mode.
8. Select the Diffie-Hellman (DH) group that will be used when the VPN
devices are negotiating encryption and authentication keys from the
Phase 1 DH Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies
a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies
the currently most secure 1536-bit Diffie-Hellman value.
9. Select the Diffie-Hellman group that will be used when the VPN devices
have established an SA from the Phase 2 DH Group list box.
10. Select the type of encryption and authentication keys used when the VPN
devices are negotiating encryption and authentication keys from the
Phase 1 Encryption/Authentication list box.
11. Select the type of encryption and authentication keys used for the SAs
from the Phase 2 Encryption/Authentication list box.
12. To specify the default LAN gateway, enter the IP address of the gateway
in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a
remote site using the Route all Internet traffic through this destination
unit check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for
incoming Internet Protocol Security (IPSec) packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static
routes configured in the SonicWALL. Since packets can have any IP
address destination, it is impossible to configure enough static routes to
handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway
is detected, the packet is routed through the gateway. Otherwise, the
packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter
a value in the SA Lifetime field. We recommend a value of 28,800
seconds (8 hours).
14. To prevent repeated compromises of the same security key when
reestablishing a tunnel, select the Enable Perfect Forward Secrecy
check box.
15. To configure the VPN tunnel to remain open as long as there is network
traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before
users generate any VPN traffic, select the Try to bring up all possible
SAs check box.
17. To disable this SA, select Disable This SA.
18. Select Enable Wireless Secure Bridging Mode to enable wireless
secure bridging mode, a feature that allows two or more physically
separated networks to be joined using a secure wireless connection.
19. To enable NetBIOS broadcasts across the SA, select the Enable
Windows Networking Broadcast check box.
20. To allow the remote VPN tunnel to be included in the routing table, select
the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN
or a manually specified route (see “Configuring Routing in SonicOS
Enhanced” on page 196). This option enables you to create a “hub and
spoke” network configuration where all traffic is routed among branch
offices via the corporate office.
Note
To create a “hub and spoke” network, make sure to select the
Forward Packets to Remote VPNs check box for each SA.
21. To force all network traffic to the WAN through a VPN to a central site,
select the Route all Internet traffic through destination unit check box.
When this option is selected, all traffic that is not destined for another SA
is forwarded through this VPN tunnel. If this option is not specified and the
destination does not match any SA, the packet is forwarded unencrypted
to the WAN.
Note
Only one SA can have this option enabled.
22. Select one of the following VPN termination options:
– To configure the VPN tunnel to terminate at the LAN or WorkPort,
select LAN. Users on the other side of the SA will be able to access
the LAN, but not the OPT.
– To configure the VPN tunnel to terminate at the OPT or DMZ, select
OPT. Users on the other side of the SA will be able to access the OPT,
but not the LAN.
– To allow users on the other side of the SA to access both the LAN and
DMZ, select LAN/OPT.
23. Select from the following NAT and Firewall Rules:
– To disable NAT and not apply firewall rules to traffic coming through
this SA, select Disabled.
– To enable NAT and firewall rules for the selected SonicWALL
appliance, select Source. If NAT is enabled, all traffic originating from
this appliance will appear to originate from a single IP address and
network firewall rules will be applied to all traffic on this SA.
– To enable NAT and firewall rules for the selected SonicWALL
appliance and its peer, select Source and Destination. If NAT is
enabled, all traffic originating from this appliance will appear to
originate from a single IP address and all traffic originating from its
peer will appear to originate from a single IP address. Network firewall
rules will be applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run
between the networks. For more information, see “Configuring UTM
Appliance Settings” on page 235.
24. Select how local users are authenticated:
– To disable authentication for local users, select Disabled.
– To configure local users to be authenticated locally, either through the
SonicWALL device or the RADIUS server, select Source.
– To configure local users to be authenticated on the destination
network, either through the SonicWALL device or the RADIUS server,
select Destination.
– To authenticate local users both locally and on the destination
network, select Source and Destination.
25. Similarly, select how remote users are authenticated.
26. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
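Steps 12, 20 and 21 above describe three decisions the appliance makes for every packet: an inbound packet decrypted from a tunnel is matched against the LAN and static routes, then against the Default LAN Gateway, and is otherwise dropped; a remote VPN network enters that routing table only when Forward Packets to Remote VPNs is enabled for the SA; and an outbound packet that matches no SA goes through the single SA carrying Route all Internet traffic through destination unit, or else leaves for the WAN unencrypted. The model below is an added example written for this guide, not SonicWALL code: the `SecurityAssociation` and `Appliance` classes, the hub and spoke sample appliances and all addresses are constructed, and it assumes the forwarding flag that matters is the one on the SA whose network the packet is destined for. The `clear:WAN` result is the case a defender most wants to see surfaced, because it is cleartext leakage that the GUI reports nowhere.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SecurityAssociation:
    """One SA as described in the steps above (constructed model, not GMS's own)."""
    name: str
    destination_networks: List[IPv4Network]
    route_all_internet_traffic: bool = False      # step 21: default route through this SA
    forward_packets_to_remote_vpns: bool = False  # step 20: include this network in routing


@dataclass
class Appliance:
    lan_routes: List[IPv4Network]                 # local LAN plus static routes
    default_lan_gateway: Optional[IPv4Address]    # step 12; may be unset
    sas: List[SecurityAssociation] = field(default_factory=list)


def check_route_all(appliance: Appliance) -> List[str]:
    """The guide allows only one SA to carry the Route all Internet traffic option."""
    names = [sa.name for sa in appliance.sas if sa.route_all_internet_traffic]
    if len(names) > 1:
        return [f"more than one SA routes all Internet traffic: {', '.join(names)}"]
    return []


def _sa_for(appliance: Appliance, dst: IPv4Address, exclude=None):
    """First SA whose destination networks contain dst, skipping `exclude`."""
    for sa in appliance.sas:
        if sa is not exclude and any(dst in net for net in sa.destination_networks):
            return sa
    return None


def outbound_path(appliance: Appliance, dst: str) -> str:
    """Fate of a packet leaving the local LAN for dst."""
    dst_ip = ip_address(dst)
    sa = _sa_for(appliance, dst_ip)
    if sa is not None:
        return f"tunnel:{sa.name}"
    for sa in appliance.sas:                      # default-route SA, if any
        if sa.route_all_internet_traffic:
            return f"tunnel:{sa.name}"
    # No SA matched and no default-route SA: the packet goes to the WAN unencrypted.
    return "clear:WAN"


def inbound_path(appliance: Appliance, arriving_sa: SecurityAssociation, dst: str) -> str:
    """Fate of a packet that arrived through arriving_sa and has been decrypted."""
    dst_ip = ip_address(dst)
    # 1. LAN and static routes.
    if any(dst_ip in net for net in appliance.lan_routes):
        return "lan"
    # 2. Remote VPN networks are routable only for SAs with forwarding enabled
    #    (the hub-and-spoke case).
    sa = _sa_for(appliance, dst_ip, exclude=arriving_sa)
    if sa is not None and sa.forward_packets_to_remote_vpns:
        return f"tunnel:{sa.name}"
    # 3. Default LAN Gateway, otherwise drop.
    if appliance.default_lan_gateway is not None:
        return f"gateway:{appliance.default_lan_gateway}"
    return "drop"


# Constructed sample topology: a hub with two branch SAs and one spoke.
HUB = Appliance(
    lan_routes=[ip_network("192.168.10.0/24")],
    default_lan_gateway=ip_address("192.168.10.1"),
    sas=[
        SecurityAssociation("branch-a", [ip_network("10.1.0.0/16")],
                            forward_packets_to_remote_vpns=True),
        SecurityAssociation("branch-b", [ip_network("10.2.0.0/16")]),
    ])

SPOKE = Appliance(
    lan_routes=[ip_network("10.1.0.0/16")],
    default_lan_gateway=None,
    sas=[SecurityAssociation("to-hq", [ip_network("192.168.10.0/24")],
                             route_all_internet_traffic=True)])

# Constructed misconfiguration: two SAs both claim the default route.
BAD_HUB = Appliance(
    lan_routes=[ip_network("192.168.20.0/24")], default_lan_gateway=None,
    sas=[SecurityAssociation("sa-1", [ip_network("10.3.0.0/16")], route_all_internet_traffic=True),
         SecurityAssociation("sa-2", [ip_network("10.4.0.0/16")], route_all_internet_traffic=True)])

if __name__ == "__main__":
    print("hub -> 10.1.4.4:", outbound_path(HUB, "10.1.4.4"))
    print("hub -> 198.51.100.9:", outbound_path(HUB, "198.51.100.9"))
    print("spoke -> 198.51.100.9:", outbound_path(SPOKE, "198.51.100.9"))
    print("branch-b -> 10.1.4.4 via hub:", inbound_path(HUB, HUB.sas[1], "10.1.4.4"))
    print("branch-a -> 10.2.7.7 via hub:", inbound_path(HUB, HUB.sas[0], "10.2.7.7"))
    print("bad hub:", check_route_all(BAD_HUB))
```

Two results in the sample topology illustrate the steps' caveats: on the hub, traffic from branch-a to branch-b's network is not forwarded through the branch-b tunnel because branch-b lacks the forwarding option, so it falls through to the Default LAN Gateway; and on the hub itself, which has no default-route SA, Internet-bound traffic leaves as `clear:WAN`.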
When One Appliance Is Not Managed by SonicWALL GMS
Although SAs can be established with most IPSec-compliant devices,
Certificates can only be used between SonicWALL appliances.
This section describes how to establish SonicWALL certificate-based SAs
between SonicWALL appliances that are managed by SonicWALL GMS and
SonicWALL appliances that are not managed by SonicWALL GMS.
To create SAs using certificates, perform the following steps:
1. Expand the VPN tree and click Configure. The VPN Configure page
displays.
2. Deselect the Use Interconnected Mode check box.
3. Select IKE using SonicWALL Certificates.
4. Select the appropriate option to add, delete or modify a Security
Association.
5. Enter the name of the remote firewall/VPN gateway in the Security
Association Name field. This name must match exactly if the device has
a dynamic IP address.
6. Enter the IP address of the remote firewall/VPN gateway in the IPSec
Gateway Address field. This address must be valid and will be the public
IP address if the remote LAN has NAT enabled. If the remote VPN
gateway has a dynamic IP address, this field can be left blank if the name
matches.
7. To specify how long the tunnel is active before being renegotiated, enter
a value in the SA Lifetime field. We recommend a value of 28,800
seconds (8 hours).
8. To specify the default LAN gateway, enter the IP address of the gateway
in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a
remote site using the Route all internet traffic through destination unit
check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static
routes configured in the SonicWALL. Since packets can have any IP
address destination, it is impossible to configure enough static routes to
handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway
is detected, the packet is routed through the gateway. Otherwise, the
packet is dropped.
9. To disable this SA, select Disable This SA.
10. To prevent repeated compromises of the same security key when
reestablishing a tunnel, select the Enable Perfect Forward Secrecy
check box.
11. Select Enable Wireless Secure Bridging Mode to enable wireless
secure bridging mode, a feature that allows two or more physically
separated networks to be joined using a secure wireless connection.
12. To enable NetBIOS broadcasts across the SA, select the Enable
Windows Networking Broadcast check box.
13. To apply NAT and firewall rules to all traffic coming through this SA, select
the Apply NAT and firewall rules check box.
This feature is useful for hiding the LAN subnet from the corporate site. All
traffic will appear to originate from a single IP address.
14. To allow the remote VPN tunnel to be included in the routing table, select
the Forward Packets to Remote VPNs check box.
This will enable the SonicWALL appliance to receive VPN traffic, decrypt
it, and forward it to another VPN tunnel. This feature can be used to create
a “hub and spoke” network configuration by routing traffic among SAs. To
do this, make sure to enable this option for all SAs.
15. To configure the VPN tunnel to remain open as long as there is network
traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before
users generate any VPN traffic, select the Try to bring up all possible
SAs check box.
17. To require local users to authenticate locally before accessing the SA,
select the Require authentication of local users check box.
18. To require remote users to authenticate with this SonicWALL appliance or
the local RADIUS server before accessing resources, select the Require
authentication of remote users check box.
19. Enter the serial number of the target SonicWALL appliance in the Peer
SonicWALL Serial # field.
20. Aggressive mode improves the performance of IKE SA negotiation by only
requiring three packet exchanges. However, it provides no identity
protection. To enable aggressive mode, select Aggressive Mode from the
Exchange list box. Otherwise, select Main Mode.
21. Select the Diffie-Hellman group that will be used when the VPN devices
are negotiating encryption and authentication keys from the Phase 1 DH
Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies
a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies
the currently most secure 1536-bit Diffie-Hellman value.
22. Select the Diffie-Hellman group that will be used when the VPN devices
have established an SA from the Phase 2 DH Group list box.
23. Select the type of encryption and authentication keys used when the VPN
devices are negotiating encryption and authentication keys from the
Phase 1 Encryption/Authentication list box.
24. Select the type of encryption and authentication keys used for the SAs
from the Phase 2 Encryption/Authentication list box.
25. Specify the destination networks by selecting from the following:
– To allow this SA to be used as the default route for all Internet traffic,
select Use this SA as default route for all Internet traffic.
– If the destination network will receive its IP addresses on this network
using DHCP, select Destination network obtains IP addresses
using DHCP.
– To specify destination networks, select Specify destination
networks below. Then, click Add Networks and enter the destination
network IP addresses and subnet masks.
26. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
IKE Using Third-Party Certificates
Note
This section assumes that you are familiar with Public Key
Infrastructure (PKI) and the implementation of digital certificates
with VPN.
A digital certificate is an electronic means to verify identity by using a trusted
third party known as a Certificate Authority (CA). SonicWALL now supports
third party certificates in addition to the existing Authentication Service. The
difference between third party certificates and the SonicWALL Authentication
Service is the ability to select the source for your CA certificate. Using
Certificate Authority Certificates and Local Certificates is a more manual
process than using the SonicWALL Authentication Service; therefore,
experience with implementing Public Key Infrastructure (PKI) is necessary to
understand the key components of digital certificates.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and
it can use digital signatures to authenticate peer devices before setting up
security associations. Without digital signatures, VPN users must authenticate
by manually exchanging shared secrets or symmetric keys. Devices using
digital signatures do not require configuration changes every time a new
device is added to the network.
SonicWALL has implemented X.509v3 as its certificate form and CRLv2 for its
certificate revocation list. SonicWALL supports the following two vendors of
Certificate Authority Certificates:
• VeriSign
• Entrust
Obtaining a Certificate
To obtain a certificate, see “Generating a Certificate Signing Request” on
page 150. After you have obtained certificates for both devices, continue to
configure the VPN.
• “When All Appliances are Managed by SonicWALL GMS” on page 413
• “When One Appliance Is Not Managed by SonicWALL GMS” on page 418
When All Appliances are Managed by SonicWALL GMS
Setting up a VPN tunnel between appliances requires you to configure several
parameters on both appliances. When setting up VPN tunnels between
SonicWALL appliances managed by SonicWALL GMS, all selected
appliances are automatically configured based on the settings that you
entered.
To enable VPN using third-party certificates when both devices are managed
by SonicWALL GMS, perform the following steps:
1. Expand the VPN tree and click Configure. The VPN Configure page
displays.
2. Select the Use Interconnected Mode check box.
3. Select IKE using 3rd Party Certificates.
Note
SonicWALL GMS automatically creates a pre-shared key, SPI,
encryption key, authentication key, or certificate information as
applicable.
4. Select the appropriate option to add, delete, or modify a security
association.
5. Click Select Destination. A dialog box that contains all SonicWALL
appliances managed by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs
and click the Select button. The name of the target displays in the Target
SonicWALL Group/Node field.
7. Aggressive mode improves the performance of IKE SA negotiation by only
requiring three packet exchanges. However, it provides no identity
protection. To enable aggressive mode, select Aggressive Mode from the
Exchange list box. Otherwise, select Main Mode.
8. Select the Diffie-Hellman (DH) group that will be used when the VPN
devices are negotiating encryption and authentication keys from the
Phase 1 DH Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies
a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies
the currently most secure 1536-bit Diffie-Hellman value.
9. Select the Diffie-Hellman group that will be used when the VPN devices
have established an SA from the Phase 2 DH Group list box.
10. Select the type of encryption and authentication keys used when the VPN
devices are negotiating encryption and authentication keys from the
Phase 1 Encryption/Authentication list box.
11. Select the type of encryption and authentication keys used for the SAs
from the Phase 2 Encryption/Authentication list box.
12. To specify the default LAN gateway, enter the IP address of the gateway
in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a
remote site using the Route all Internet traffic through this destination
unit check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for
incoming Internet Protocol Security (IPSec) packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static
routes configured in the SonicWALL. Since packets can have any IP
address destination, it is impossible to configure enough static routes to
handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway
is detected, the packet is routed through the gateway. Otherwise, the
packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter
a value in the SA Lifetime field. We recommend a value of 28,800
seconds (8 hours).
14. To prevent repeated compromises of the same security key when
reestablishing a tunnel, select the Enable Perfect Forward Secrecy
check box.
15. To configure the VPN tunnel to remain open as long as there is network
traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before
users generate any VPN traffic, select the Try to bring up all possible
SAs check box.
17. To enable wireless secure bridging, select the Wireless Secure Bridging
Mode check box.
18. To enable NetBIOS broadcasts across the SA, select the Enable
Windows Networking Broadcast check box.
19. To allow the remote VPN tunnel to be included in the routing table, select
the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN
or a manually specified route (see “Configuring Routing in SonicOS
Enhanced” on page 196). This option enables you to create a “hub and
spoke” network configuration where all traffic is routed among branch
offices via the corporate office.
Note
To create a “hub and spoke” network, make sure to select the
Forward Packets to Remote VPNs check box for each SA.
20. To force all network traffic to the WAN through a VPN to a central site,
select the Route all Internet traffic through destination unit check box.
When this option is selected, all traffic that is not destined for another SA
is forwarded through this VPN tunnel. If this option is not specified and the
destination does not match any SA, the packet is forwarded unencrypted
to the WAN.
Note
Only one SA can have this option enabled.
21. If the remote side of this VPN connection is to obtain its addressing from
a DHCP server on this side of the tunnel, select Enable "Destination
network obtains IP addresses using DHCP through this SA" on
Target.
22. Select one of the following VPN termination options:
– To configure the VPN tunnel to terminate at the LAN, select LAN.
Users on the other side of the SA will be able to access the LAN, but
not the DMZ.
– To configure the VPN tunnel to terminate at the OPT or DMZ, select
OPT. Users on the other side of the SA will be able to access the OPT,
but not the LAN.
– To allow users on the other side of the SA to access both the LAN and
OPT, select LAN/OPT.
23. Select from the following NAT and Firewall Rules:
– To disable NAT and not apply firewall rules to traffic coming through
this SA, select Disabled.
– To enable NAT and firewall rules for the selected SonicWALL
appliance, select Source. If NAT is enabled, all traffic originating from
this appliance will appear to originate from a single IP address and
network firewall rules will be applied to all traffic on this SA.
– To enable NAT and firewall rules for the selected SonicWALL
appliance and its peer, select Source and Destination. If NAT is
enabled, all traffic originating from this appliance will appear to
originate from a single IP address and all traffic originating from its
peer will appear to originate from a single IP address. Network firewall
rules will be applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run
between the networks. For more information, see “Configuring UTM
Appliance Settings” on page 235.
24. Select how local users are authenticated:
– To disable authentication for local users, select Disabled.
– To configure local users to be authenticated locally, either through the
SonicWALL device or the RADIUS server, select Source.
– To configure local users to be authenticated on the destination
network, either through the SonicWALL device or the RADIUS server,
select Destination.
– To authenticate local users both locally and on the destination
network, select Source and Destination.
25. Similarly, select how remote users are authenticated.
26. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
When One Appliance Is Not Managed by SonicWALL GMS
This section describes how to configure VPN when the target appliance is not
managed by SonicWALL GMS. To create SAs using third-party certificates,
perform the following steps:
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Deselect the Use Interconnected Mode check box.
3. Select IKE using 3rd Party Certificates.
4. Select the appropriate option to add, delete or modify a security
association.
5. Enter the name of the remote firewall/VPN gateway in the Security
Association Name field. This name must match exactly if the device has
a dynamic IP address.
6. Select the certificate to use from the Select Certificate list box.
7. Enter the IP address of the remote firewall/VPN gateway in the IPSec
Gateway Address field. This address must be valid and will be the public
IP address if the remote LAN has NAT enabled. If the remote VPN
gateway has a dynamic IP address, this field can be left blank if the name
matches. Optionally, you can specify an IPSec Secondary Gateway Name
or Address.
8. To specify how long the tunnel is active before being renegotiated, enter
a value in the SA Lifetime field. We recommend a value of 28,800
seconds (8 hours).
9. To specify the default LAN gateway, enter the IP address of the gateway
in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a
remote site using the Route all internet traffic through destination unit
check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static
routes configured in the SonicWALL. Since packets can have any IP
address destination, it is impossible to configure enough static routes to
handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway
is detected, the packet is routed through the gateway. Otherwise, the
packet is dropped.
10. To prevent repeated compromises of the same security key when
reestablishing a tunnel, select the Enable Perfect Forward Secrecy
check box.
11. To enable wireless secure bridging, select the Wireless Secure Bridging
Mode check box.
12. To enable NetBIOS broadcasts across the SA, select the Enable
Windows Networking Broadcast check box.
13. To apply NAT and firewall rules to all traffic coming through this SA, select
the Apply NAT and firewall rules check box. This feature is useful for
hiding the LAN subnet from the corporate site. All traffic will appear to
originate from a single IP address.
14. To allow the remote VPN tunnel to be included in the routing table, select
the Forward Packets to Remote VPNs check box. This will enable the
SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to
another VPN tunnel. This feature can be used to create a “hub and spoke”
network configuration by routing traffic among SAs. To do this, make sure
to enable this option for all SAs.
15. To configure the VPN tunnel to remain open as long as there is network
traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before
users generate any VPN traffic, select the Try to bring up all possible
SAs check box.
17. To require local users to authenticate locally before accessing the SA,
select the Require authentication of local users check box.
18. To require remote users to authenticate with this SonicWALL appliance or
the local RADIUS server before accessing resources, select the Require
authentication of remote users check box.
19. Aggressive mode improves the performance of IKE SA negotiation by only
requiring three packet exchanges. However, it provides no identity
protection. To enable aggressive mode, select Aggressive Mode from the
Exchange list box. Otherwise, select Main Mode.
20. Select the Diffie-Hellman group that will be used when the VPN devices
are negotiating encryption and authentication keys from the Phase 1 DH
Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies
a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies
the currently most secure 1536-bit Diffie-Hellman value.
21. Select the Diffie-Hellman group that will be used when the VPN devices
have established an SA from the Phase 2 DH Group list box.
22. Select the type of encryption and authentication keys used when the VPN
devices are negotiating encryption and authentication keys from the
Phase 1 Encryption/Authentication list box.
23. Select the type of encryption and authentication keys used for the SAs
from the Phase 2 Encryption/Authentication list box.
24. Select whether the peer device uses a distinguished name, email ID, or
domain name as its certificate ID from the Peer Certificate’s ID list box.
25. Enter the peer device’s certificate ID in the Peer Certificate’s ID field.
26. Select from the following:
– To allow this SA to be used as the default route for all Internet traffic,
select Use this SA as default route for all Internet traffic.
– If the destination network will receive its IP addresses on this network
using DHCP, select Destination network obtains IP addresses
using DHCP.
– To specify destination networks, select Specify destination
networks below. Then, click Add Networks and enter the destination
network IP addresses and subnet masks.
27. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Note
To disable this SA without deleting it, select the Disable this SA
check box and click Update.
IKE Using Pre-Shared Secret
When using IKE with a pre-shared secret, two VPN devices establish
encryption and authentication keys using a shared secret. After the SA
expires, the SonicWALL appliances will reestablish an SA using the same
shared secret, but will not use the same security and authentication keys.
• “When All Appliances are Managed by SonicWALL GMS” on page 421
• “When One Appliance Is Not Managed by SonicWALL GMS” on page 426
When All Appliances are Managed by SonicWALL GMS
Setting up a VPN tunnel between appliances requires you to configure several
parameters on both appliances. When setting up VPN tunnels between
SonicWALL appliances managed by SonicWALL GMS, all selected
appliances are automatically configured based on the settings that you
entered.
To configure an SA using IKE with pre-shared secrets, perform the following
steps:
1. Expand the VPN tree and click Configure. The VPN Configure page
displays.
2. Select the Use Interconnected Mode check box.
3. Select IKE using Pre-shared Secret.
4. Select the appropriate option to add, delete, or modify a security
association.
5. Click Select Destination. A dialog box that contains all SonicWALL
appliances managed by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs
and click the Select button. The name of the target displays in the Target
SonicWALL Group/Node field.
7. Aggressive mode improves the performance of IKE SA negotiation by only
requiring three packet exchanges. However, it provides no identity
protection. To enable aggressive mode, select Aggressive Mode from the
Exchange list box. Otherwise, select Main Mode.
8. Select the Diffie-Hellman group that will be used when the VPN devices
are negotiating encryption and authentication keys from the Phase 1 DH
Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies
a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies
the currently most secure 1536-bit Diffie-Hellman value.
9. Select the Diffie-Hellman group that will be used when the VPN devices
have established an SA from the Phase 2 DH Group list box.
10. Select the type of encryption and authentication keys used when the VPN
devices are negotiating encryption and authentication keys from the
Phase 1 Encryption/Authentication list box.
11. Select the type of encryption and authentication keys used for the SAs
from the Phase 2 Encryption/Authentication list box.
12. To specify the default LAN gateway, enter the IP address of the gateway
in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a
remote site using the Route all internet traffic through destination unit
check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static
routes configured in the SonicWALL. Since packets can have any IP
address destination, it is impossible to configure enough static routes to
handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway
is detected, the packet is routed through the gateway. Otherwise, the
packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter
a value in the SA Lifetime field. We recommend a value of 28,800
seconds (8 hours).
14. To prevent repeated compromises of the same security key when
reestablishing a tunnel, select the Enable Perfect Forward Secrecy
check box.
15. To configure the VPN tunnel to remain open as long as there is network
traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before
users generate any VPN traffic, select the Try to bring up all possible
SAs check box.
17. To enable wireless secure bridging, select the Wireless Secure Bridging
Mode check box.
18. To enable NetBIOS broadcasts across the SA, select the Enable
Windows Networking Broadcast check box.
19. To allow the remote VPN tunnel to be included in the routing table, select
the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN
or a manually specified route (see “Configuring Routing in SonicOS
Enhanced” on page 196). This option enables you to create a “hub and
spoke” network configuration where all traffic is routed among branch
offices via the corporate office.
Note
To create a “hub and spoke” network, make sure to select the
Forward Packets to Remote VPNs check box for each SA.
20. To force all network traffic to the WAN through a VPN to a central site,
select the Route all internet traffic through destination unit check box.
When this option is selected, all traffic that is not destined for another SA
is forwarded through this VPN tunnel. If this option is not specified and the
destination does not match any SA, the packet is forwarded unencrypted
to the WAN.
Note
Only one SA can have this option enabled.
21. If the remote side of this VPN connection is to obtain its addressing from
a DHCP server on this side of the tunnel, select Enable "Destination
network obtains IP addresses using DHCP through this SA" on
Target.
22. Select one of the following VPN termination options:
– To configure the VPN tunnel to terminate at the LAN or WorkPort,
select LAN. Users on the other side of the SA will be able to access
the LAN, but not the OPT.
– To configure the VPN tunnel to terminate at the OPT or DMZ, select
OPT. Users on the other side of the SA will be able to access the OPT,
but not the LAN.
– To allow users on the other side of the SA to access both the LAN and
OPT, select LAN/OPT.
23. Select from the following NAT and Firewall Rules:
– To disable NAT and not apply firewall rules to traffic coming through
this SA, select Disabled.
– To enable NAT and firewall rules for the selected SonicWALL
appliance, select Source. If NAT is enabled, all traffic originating from
this appliance will appear to originate from a single IP address and
network firewall rules will be applied to all traffic on this SA.
– To enable NAT and firewall rules for the selected SonicWALL
appliance and its peer, select Source and Destination. If NAT is
enabled, all traffic originating from this appliance will appear to
originate from a single IP address and all traffic originating from its
peer will appear to originate from a single IP address. Network firewall
rules will be applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run
between the networks. For more information, see “Configuring UTM
Appliance Settings” on page 235.
24. Select how local users are authenticated:
– To disable authentication for local users, select Disabled.
– To configure local users to be authenticated locally, either through the
SonicWALL device or the RADIUS server, select Source.
– To configure local users to be authenticated on the destination
network, either through the SonicWALL device or the RADIUS server,
select Destination.
– To authenticate local users both locally and on the destination
network, select Source and Destination.
25. Similarly, select how remote users are authenticated.
26. Select either Remote users behind VPN gateway or Remote VPN clients
with XAUTH.
27. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Note
To disable this SA, select the Disable this SA check box and click
Update.
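A model of the forwarding decisions the steps above describe for the Default LAN Gateway field, the Route all Internet traffic through destination unit check box and the Forward Packets to Remote VPNs check box, so the effect of a setting on a given packet can be traced before the SA is pushed to the appliances. This is an added example, not SonicOS or GMS code: the topology, SA names and addresses are constructed, and the order in which a remote VPN route and the Default LAN Gateway are consulted follows the guide's statement that a route lookup precedes the gateway check.

```python
"""Trace a packet through the SonicOS Standard VPN options described above.

Added example, not SonicWALL code. It models the forwarding rules the guide
states for an SA's destination networks, the Route all Internet traffic
through destination unit check box, the Default LAN Gateway field and the
Forward Packets to Remote VPNs check box. The topology at the bottom is
constructed for the example.
"""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SA:
    name: str
    destination_networks: List[IPv4Network] = field(default_factory=list)
    route_all_internet_traffic: bool = False  # Route all Internet traffic through destination unit
    forward_to_remote_vpns: bool = False      # Forward Packets to Remote VPNs


@dataclass
class Appliance:
    lan: IPv4Network
    sas: List[SA]
    static_routes: List[IPv4Network] = field(default_factory=list)
    default_lan_gateway: Optional[IPv4Address] = None


def outbound_decision(appliance: Appliance, dst: str) -> str:
    """Decide how a packet leaving the local LAN is forwarded.

    An SA whose destination networks contain `dst` carries it encrypted.
    Failing that, the one SA with Route all Internet traffic set carries it.
    Failing that, the guide says the packet goes to the WAN unencrypted,
    which is the case an operator usually wants to catch in review.
    """
    dst_ip = ip_address(dst)
    for sa in appliance.sas:
        if any(dst_ip in net for net in sa.destination_networks):
            return f"encrypt:{sa.name}"
    default = [sa for sa in appliance.sas if sa.route_all_internet_traffic]
    if len(default) > 1:
        raise ValueError("only one SA can have Route all Internet traffic enabled")
    if default:
        return f"encrypt:{default[0].name}"
    return "cleartext:WAN"


def inbound_decision(appliance: Appliance, via_sa: SA, dst: str) -> str:
    """Decide what happens to a packet just decrypted from `via_sa`.

    The guide's order: look up a route (the LAN, a static route, or the
    remote network of another SA that has Forward Packets to Remote VPNs
    set); if none is found, use the Default LAN Gateway; otherwise drop.
    """
    dst_ip = ip_address(dst)
    if dst_ip in appliance.lan or any(dst_ip in r for r in appliance.static_routes):
        return "deliver:LAN"
    for sa in appliance.sas:
        # Hub and spoke: another tunnel's network is in the routing table
        # only when that SA has Forward Packets to Remote VPNs selected.
        if sa is via_sa or not sa.forward_to_remote_vpns:
            continue
        if any(dst_ip in net for net in sa.destination_networks):
            return f"encrypt:{sa.name}"
    if appliance.default_lan_gateway is not None:
        return f"route:{appliance.default_lan_gateway}"
    return "drop"


# Constructed topology: a hub and a branch that sends all Internet-bound
# traffic to the hub, the arrangement the Default LAN Gateway text describes.
HUB = Appliance(
    lan=ip_network("10.1.0.0/24"),
    sas=[
        SA("to-branch-a", [ip_network("10.2.0.0/24")], forward_to_remote_vpns=True),
        SA("to-branch-b", [ip_network("10.3.0.0/24")], forward_to_remote_vpns=True),
    ],
)
HUB_WITH_GATEWAY = replace(HUB, default_lan_gateway=ip_address("10.1.0.1"))
BRANCH_A = Appliance(
    lan=ip_network("10.2.0.0/24"),
    sas=[SA("to-hub", [ip_network("10.1.0.0/24")], route_all_internet_traffic=True)],
)
BRANCH_A_NO_DEFAULT = Appliance(
    lan=ip_network("10.2.0.0/24"),
    sas=[SA("to-hub", [ip_network("10.1.0.0/24")])],
)

if __name__ == "__main__":
    internet_host = "198.51.100.7"
    print("branch ->", internet_host, outbound_decision(BRANCH_A, internet_host))
    print("branch without default route ->", internet_host,
          outbound_decision(BRANCH_A_NO_DEFAULT, internet_host))
    print("hub, no gateway:", inbound_decision(HUB, HUB.sas[0], internet_host))
    print("hub, with gateway:", inbound_decision(HUB_WITH_GATEWAY, HUB.sas[0], internet_host))
```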
When One Appliance Is Not Managed by SonicWALL GMS
This section describes how to configure VPN when the target appliance is not
managed by SonicWALL GMS.
To enable VPN using IKE with a pre-shared secret, perform the following
steps:
1. Expand the VPN tree and click Configure. The VPN Configure page
displays.
2. Deselect the Use Interconnected Mode check box.
3. Select IKE using Pre-Shared Secret in the IPSec Keying mode section.
4. Select the appropriate option to add, delete, or modify a security
association.
5. Enter the name of the remote firewall/VPN gateway in the Security
Association Name field. This name must match exactly if the device has
a dynamic IP address.
6. Enter the IP address of the remote firewall/VPN gateway in the IPSec
Gateway Address field. This address must be valid and will be the public
IP address if the remote LAN has NAT enabled. If the remote VPN
gateway has a dynamic IP address, this field can be left blank if the name
matches.
7. Enter the amount of time before an IKE SA will automatically negotiate
(120 to 2,499,999 seconds) in SA Lifetime.
8. To specify the default LAN gateway, enter the IP address of the gateway
in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a
remote site using the Route all Internet traffic through destination unit
check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static
routes configured in the SonicWALL. Since packets can have any IP
address destination, it is impossible to configure enough static routes to
handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway
is detected, the packet is routed through the gateway. Otherwise, the
packet is dropped.
9. To prevent repeated compromises of the same security key when
reestablishing a tunnel, select the Enable Perfect Forward Secrecy
check box.
10. To enable wireless secure bridging, select the Wireless Secure Bridging
Mode check box.
11. To access remote resources within the Windows Network Neighborhood,
select the Enable Windows Networking (NetBIOS) Broadcast check
box.
12. To apply NAT and firewall rules to all traffic coming through this SA, select
the Apply NAT and firewall rules check box.
This feature is useful for hiding the LAN subnet from the corporate site. All
traffic will appear to originate from a single IP address.
13. To allow the remote VPN tunnel to be included in the routing table, select
the Forward Packets to Remote VPNs check box.
This will enable the SonicWALL appliance to receive VPN traffic, decrypt
it, and forward it to another VPN tunnel. This feature can be used to create
a “hub and spoke” network configuration by routing traffic among SAs. To
do this, make sure to enable this option for all SAs.
14. To configure the VPN tunnel to remain open as long as there is network
traffic on the SA, select the Enable Keep Alive check box.
15. To configure the SonicWALL appliance to establish the VPN tunnel before
users generate any VPN traffic, select the Try to bring up all possible
SAs check box.
16. To require local users to authenticate locally before accessing the SA,
select the Require authentication of local users check box.
17. To require remote users to authenticate with this SonicWALL appliance or
the local RADIUS server before accessing resources, select the Require
authentication of remote users check box.
18. Select either Remote users behind VPN gateway or Remote VPN clients
with XAUTH.
Note
Only SonicWALL VPN clients can authenticate to a RADIUS server.
Users tunneling from another VPN gateway will not be able to
complete the VPN tunnel if this check box is selected.
19. Enter the shared secret in the Shared Secret field.
20. Aggressive mode improves the performance of IKE SA negotiation by only
requiring three packet exchanges. However, it provides no identity
protection. To enable aggressive mode, select Aggressive Mode from the
Exchange list box. Otherwise, select Main Mode.
21. Select the Diffie-Hellman group that will be used when the VPN devices
are negotiating encryption and authentication keys from the Phase 1 DH
Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies
a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies
the currently most secure 1536-bit Diffie-Hellman value.
22. Select the Diffie-Hellman group that will be used when the VPN devices
have established an SA from the Phase 2 DH Group list box.
23. Select the type of encryption and authentication keys used when the VPN
devices are negotiating encryption and authentication keys from the
Phase 1 Encryption/Authentication list box.
24. Select the type of encryption and authentication keys used for the SAs
from the Phase 2 Encryption/Authentication list box.
25. Select from the following:
– To allow this SA to be used as the default route for all Internet traffic,
select Use this SA as default route for all Internet traffic.
– If the destination network will receive its IP addresses on this network
using DHCP, select Destination network obtains IP addresses
using DHCP.
– To specify destination networks, select Specify destination
networks below. Then, click Add Network and enter the destination
network IP addresses and subnet masks.
26. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
27. Create an SA in the remote VPN device for each SonicWALL appliance
that you have configured.
Note
To disable this SA without deleting it, select the Disable this SA
check box and click Update.
Manual Keying
Manual keying involves exchanging the encryption and authentication keys
in advance. Although this is the simplest method of establishing an SA
between two VPN devices, the SA will always use the same encryption and
authentication keys. If the keys are compromised by an outside party, they will
remain compromised until the keys are changed.
• “When All Appliances are Managed by SonicWALL GMS” on page 429
• “When One Appliance Is Not Managed by SonicWALL GMS” on page 433
When All Appliances are Managed by SonicWALL GMS
Setting up a VPN tunnel between appliances requires you to configure several
parameters on both appliances. When setting up VPN tunnels between
SonicWALL appliances managed by SonicWALL GMS, all selected
appliances are automatically configured based on the settings that you
entered.
To enable VPN using manual keying, perform the following steps:
1. Expand the VPN tree and click Configure. The VPN Configure page
displays.
2. Select the Use Interconnected Mode check box.
3. Select Manual Key.
4. Select the appropriate option to add, delete, or modify a security
association.
5. Click Select Destination. A dialog box that contains all SonicWALL
appliances managed by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs
and click the Select button. The name of the target displays in the Target
SonicWALL Group/Node field.
7. Select one of the encryption methods from the Encryption Method list
box.
8. To specify the default LAN gateway, enter the IP address of the gateway
in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a
remote site using the Route all Internet traffic through destination unit
check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static
routes configured in the SonicWALL. Since packets can have any IP
address destination, it is impossible to configure enough static routes to
handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway
is detected, the packet is routed through the gateway. Otherwise, the
packet is dropped.
9. To enable wireless secure bridging, select the Wireless Secure Bridging
Mode check box.
10. To enable NetBIOS broadcasts across the SA, select the Enable
Windows Networking (NetBIOS) Broadcast check box.
11. To allow the remote VPN tunnel to be included in the routing table, select
the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN
or a manually specified route (see “Configuring Routing in SonicOS
Enhanced” on page 196). This option enables you to create a “hub and
spoke” network configuration where all traffic is routed among branch
offices via the corporate office.
Note
To create a “hub and spoke” network, make sure to select the
Forward Packets to Remote VPNs check box for each SA.
12. To force all network traffic to the WAN through a VPN to a central site,
select the Route all Internet traffic through destination unit check box.
When this option is selected, all traffic that is not destined for another SA
is forwarded through this VPN tunnel. If this option is not specified and the
destination does not match any SA, the packet is forwarded unencrypted
to the WAN.
13. Select one of the following VPN termination options:
– To configure the VPN tunnel to terminate at the LAN, select LAN.
Users on the other side of the SA will be able to access the LAN, but
not the DMZ.
– To configure the VPN tunnel to terminate at the OPT or DMZ, select
OPT. Users on the other side of the SA will be able to access the OPT,
but not the LAN.
– To allow users on the other side of the SA to access both the LAN and
OPT, select LAN/OPT.
14. Select from the following NAT and Firewall Rules:
– To disable NAT and not apply firewall rules to traffic coming through
this SA, select Disabled.
– To enable NAT and firewall rules for the selected SonicWALL
appliance, select Source. If NAT is enabled, all traffic originating from
this appliance will appear to originate from a single IP address and
network firewall rules will be applied to all traffic on this SA.
– To enable NAT and firewall rules for the selected SonicWALL
appliance and its peer, select Source and Destination. If NAT is
enabled, all traffic originating from this appliance will appear to
originate from a single IP address and all traffic originating from its
peer will appear to originate from a single IP address. Network firewall
rules will be applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run
between the networks. For more information, see “Configuring UTM
Appliance Settings” on page 235.
15. Select how local users are authenticated:
– To disable authentication for local users, select Disabled.
– To configure local users to be authenticated locally, either through the
SonicWALL device or the RADIUS server, select Source.
– To configure local users to be authenticated on the destination
network, either through the SonicWALL device or the RADIUS server,
select Destination.
– To authenticate local users both locally and on the destination
network, select Source and Destination.
16. Similarly, select how remote users are authenticated.
17. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
When One Appliance Is Not Managed by SonicWALL GMS
This section describes how to configure VPN when the target appliance is not
managed by SonicWALL GMS.
To enable VPN using manual keying, perform the following steps:
1. Expand the VPN tree and click Configure. The VPN Configure page
displays.
2. Deselect the Use Interconnected Mode check box.
3. Select Manual Key in the IPSec Keying mode section.
4. Select the appropriate option to add, delete, or modify a security
association.
5. Enter a descriptive name for the SA in the Security Association Name
field.
6. Enter the IP address of the remote firewall in the IPSec Gateway Address
field. This address must be valid and will be the public IP address if the
remote LAN has NAT enabled.
7. To specify the default LAN gateway, enter the IP address of the gateway
in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a
remote site using the Route all Internet traffic through destination unit
check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static
routes configured in the SonicWALL. Since packets can have any IP
address destination, it is impossible to configure enough static routes to
handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway
is detected, the packet is routed through the gateway. Otherwise, the
packet is dropped.
8. To enable wireless secure bridging, select the Wireless Secure Bridging
Mode check box.
9. To access remote resources within the Windows Network Neighborhood,
select the Enable Windows Networking (NetBIOS) Broadcast check
box.
10. To apply NAT and firewall rules to all traffic coming through this SA, select
the Apply NAT and firewall rules check box.
This feature is useful for hiding the LAN subnet from the corporate site. All
traffic will appear to originate from a single IP address.
11. To allow the remote VPN tunnel to be included in the routing table, select
the Forward Packets to Remote VPNs check box.
This will enable the SonicWALL appliance to receive VPN traffic, decrypt
it, and forward it to another VPN tunnel. This feature can be used to create
a “hub and spoke” network configuration by routing traffic among SAs. To
do this, make sure to enable this option for all SAs.
12. To require local users to authenticate locally before accessing the SA,
select the Require authentication of local users check box.
13. To require remote users to authenticate with this SonicWALL appliance or
the local RADIUS server before accessing resources, select the Require
authentication of remote users check box.
14. Select one of the encryption methods from the Encryption Method list
box.
15. Enter the key used for encryption in the Encryption Key field. The DES
and ARCFour Keys must be exactly 16 characters long and be composed
of hexadecimal characters. Encryption keys less than 16 characters will
not be accepted; keys longer than 16 characters will be truncated.
Note
Valid hexadecimal characters are “0” to “9”, and “a” to “f” (i.e., 0, 1,
2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would
be “1234567890abcdef.”
This key must match the encryption key of the remote VPN gateway or
client. If encryption is not used, this field is ignored.
16. Enter the key used for authentication in the Authentication Key field. The
authentication key must be exactly 32 characters long and be composed
of hexadecimal characters. Authentication keys less than 32 characters
will not be accepted; keys longer than 32 characters will be truncated.
Note
Valid hexadecimal characters are “0” to “9”, and “a” to “f” (i.e., 0, 1,
2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would
be “1234567890abcdef1234567890abcdef.”
This key must match the authentication key of the remote VPN gateway or
client. If authentication is not used, this field is ignored.
17. Enter the Security Parameter Index (SPI) that the remote location will
send to identify the Security Association used for the VPN Tunnel in the
Incoming SPI field.
Note
The SPI may be up to eight characters long and be composed of
hexadecimal characters. Valid hexadecimal characters are “0” to
“9”, and “a” to “f” (e.g., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f).
The hexadecimal characters “0” to “ff” inclusive are reserved by the
Internet Engineering Task Force (IETF) and are not allowed for use
as an SPI. For example, a valid SPI would be “1234abcd.”
Note
The SPI for an SA must be unique when compared to SPIs for other
SAs. However, the Incoming SPI can be the same as the Outgoing
SPI on the same SA.
18. Enter the Security Parameter Index (SPI) that the local SonicWALL VPN
will transmit to identify the Security Association used for the VPN Tunnel
in the Outgoing SPI field.
19. Select from the following:
– To allow this SA to be used as the default route for all Internet traffic,
select Use this SA as default route for all Internet traffic.
– To specify destination networks, select Specify destination
networks below. Then, click Modify and enter the destination
network IP addresses and subnet masks.
20. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
21. Create an SA in the remote VPN device for each SonicWALL appliance
that you have configured.
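The key-length, hexadecimal-character and SPI rules from steps 15 through 18, applied by a small validator so that key material can be checked before it is pasted into the VPN Configure page. This is an added example, not SonicWALL or GMS code; the dictionary keys (encryption_key, authentication_key, incoming_spi, outgoing_spi) and the SA names are the example's own, and the SA records in the checks are constructed.

```python
"""Check SonicOS Standard manual-keying fields before they are entered.

Added example, not SonicWALL or GMS code. It applies the rules the guide
gives for the Encryption Key, Authentication Key, Incoming SPI and
Outgoing SPI fields; the dictionary keys used here are the example's own.
"""
import re
import secrets
from typing import Dict, List

HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Field sizes from the guide, in hexadecimal characters.
ENCRYPTION_KEY_LEN = 16       # DES and ARCFour keys
AUTHENTICATION_KEY_LEN = 32
SPI_MAX_LEN = 8
SPI_RESERVED_MAX = 0xFF       # SPIs 0 through ff are reserved by the IETF


def normalize_key(value: str, length: int) -> str:
    """Apply the guide's fixed-length key rule and return the key as stored.

    Shorter keys are rejected. Longer keys are truncated to `length`,
    which is what the guide says the appliance does; returning the
    truncated form makes that silent truncation visible to the operator.
    """
    if not HEX_RE.fullmatch(value):
        raise ValueError("key must contain only hexadecimal characters 0-9, a-f")
    if len(value) < length:
        raise ValueError(f"key must be exactly {length} hex characters, got {len(value)}")
    return value[:length].lower()


def validate_spi(value: str) -> int:
    """Check an Incoming or Outgoing SPI and return it as an integer."""
    if not HEX_RE.fullmatch(value):
        raise ValueError("SPI must contain only hexadecimal characters 0-9, a-f")
    if len(value) > SPI_MAX_LEN:
        raise ValueError(f"SPI may be at most {SPI_MAX_LEN} hex characters")
    spi = int(value, 16)
    if spi <= SPI_RESERVED_MAX:
        raise ValueError("SPIs 0 through ff are reserved by the IETF")
    return spi


def validate_sa_fields(sa: Dict[str, str]) -> List[str]:
    """Run every field check for one SA and collect the error messages.

    An empty list means the SA can be entered as-is.
    """
    checks = (
        ("encryption_key", lambda v: normalize_key(v, ENCRYPTION_KEY_LEN)),
        ("authentication_key", lambda v: normalize_key(v, AUTHENTICATION_KEY_LEN)),
        ("incoming_spi", validate_spi),
        ("outgoing_spi", validate_spi),
    )
    errors = []
    for field_name, check in checks:
        try:
            check(sa[field_name])
        except ValueError as exc:
            errors.append(f"{field_name}: {exc}")
    return errors


def check_spi_uniqueness(sas: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the names of SAs whose SPIs collide with a different SA.

    The guide requires SPIs to be unique across SAs but allows the
    Incoming and Outgoing SPI of one SA to be equal.
    """
    owner_of = {}
    conflicts = set()
    for name, sa in sas.items():
        for field_name in ("incoming_spi", "outgoing_spi"):
            spi = validate_spi(sa[field_name])
            owner = owner_of.setdefault(spi, name)
            if owner != name:
                conflicts.update({owner, name})
    return sorted(conflicts)


def generate_manual_keys() -> Dict[str, str]:
    """Produce random keys and an SPI of the sizes the guide requires.

    With manual keying the keys stay in use until an operator changes
    them, so they should come from a CSPRNG rather than a memorable
    pattern like the guide's sample value.
    """
    spi = SPI_RESERVED_MAX + 1 + secrets.randbelow(0xFFFFFFFF - SPI_RESERVED_MAX)
    return {
        "encryption_key": secrets.token_hex(ENCRYPTION_KEY_LEN // 2),
        "authentication_key": secrets.token_hex(AUTHENTICATION_KEY_LEN // 2),
        "spi": f"{spi:08x}",
    }
```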
Setting up the L2TP Server
To support secure L2TP connections from remote clients, perform the
following steps:
1. Expand the VPN tree and click L2TP. The L2TP page displays.
2. Select the Enable L2TP Server check box.
3. Specify how often the SonicWALL appliance issues a Keepalive in the
Keep alive time field.
4. Enter the IP addresses of the DNS Servers in the DNS Server fields.
5. Enter the IP addresses of the WINS Servers in the WINS Server fields.
6. Select from the following:
– To assign IP addresses to L2TP clients that are provided by the
RADIUS server, select IP address provided by RADIUS Server.
– To use IP addresses from a local L2TP IP address pool, select Use the
Local L2TP IP pool and enter the starting and ending IP addresses in
the Start IP and End IP fields.
7. When you are finished, click Update. To clear all screen settings and start
over, click Reset.
Monitoring VPN Connections
To monitor VPN connections, perform the following steps:
1. Expand the VPN tree and click Monitor. The Monitor page displays.
2. Select the category of tunnels to display in the Display Options section
and click Refresh. You can select Show Up Tunnels, Show Down Tunnels,
or Show All Tunnels.
3. To synchronize the tunnel status information, click Synchronize Tunnel
Status Information.
4. To refresh the statistics, click Refresh Selected Tunnel Statistics.
5. To view the tunnel statistics, select one or more tunnels and click View
Selected Tunnel Statistics.
6. To renegotiate selected tunnels, select one or more tunnels and click
Renegotiate Selected Tunnels.
Management of VPN Client Users
To configure VPN Clients on SonicWALL appliances, perform the following
procedures:
• “Registering and Upgrading SonicWALL Appliances” on page 591
• “Enabling the VPN Client” on page 438
Enabling the VPN Client
After applying a VPN Client license to one or more SonicWALL appliances,
perform the following steps:
1. Navigate to Policies > VPN > Summary.
2. Click the Export button next to the SA.
3. To email the SPD file to the SonicWALL GMS administrator or the VPN
Client user, click Email SPD file. The file is attached to the email. A task
is scheduled for each email.
Note
A copy of the SPD file is also stored in the SonicWALL Agent's
<gms_directory>\etc directory.
4. Once the SPD file is received, it can be loaded by the VPN Client software
on the VPN Client user's computer.
5. If the user does not have the VPN Client software, you can email both the
SPD file and the client software by clicking Email SPD File and
VPN Client.
6. In SonicOS Standard only, VPN clients use RCF files to import data used
to communicate with SonicWALL appliances. To send an RCF File to an
email address, enter the following information:
– Enter the email address in the Email Address field.
– Enter and reenter the RCF File password in the RCF File Export
Password and Confirm Password fields.
– Select whether the file will be used for WAN or wireless connections.
– Select from the following:
– To email the file, click Email RCF File.
– To email the file with the Global VPN Client software, click Email
RCF File and Global VPN Client.
Note
Before the VPN client can be emailed to users, it must be
downloaded to the <gms_directory>\etc directory from
mysonicwall.com.
Downloading VPN Client Software
To download the VPN Client software from mysonicwall.com, perform the
following steps:
1. Click the Console Panel tab at the top of the SonicWALL GMS UI.
2. Expand the Licenses tree and click GMS License.
3. Click Login in a new window. This will open a new browser into the GMS
account on mysonicwall.com.
4. Download the VPN Client software from mysonicwall.com to a local
directory.
5. Copy the VPN Client software to the SonicWALL Agent's <gms_directory>\etc
directory.
6. Rename the file to SWVpnClient.zip.
VPN Terms and Concepts
Before installing SonicWALL VPN, it is important to understand the
following basic terms and concepts.
• Asymmetric vs. Symmetric Cryptography—Asymmetric and symmetric
cryptography refer to the keys used to authenticate, or encrypt and
decrypt the data.
Asymmetric cryptography, or public key cryptography, uses two keys for
verification. Organizations such as RSA Data Security and VeriSign
support asymmetric cryptography.
With symmetric cryptography, the same key is used to authenticate on
both ends of the VPN. Symmetric cryptography, or secret key
cryptography, is usually faster than asymmetric cryptography. Therefore
symmetric algorithms are often used when large quantities of data need to
be exchanged.
SonicWALL VPN uses symmetric cryptography. As a result, the key on
both ends of the VPN tunnel must match exactly.
• ARCFour—ARCFour is used for communications with secure Web sites
using the SSL protocol. Many banks use a 40-bit key ARCFour for online
banking, while others use a 128-bit key. SonicWALL VPN uses a 56-bit key
for ARCFour.
The ARCFour key must be exactly 16 characters long and is composed of
hexadecimal characters. Valid hexadecimal characters are “0” to “9”, and
“a” to “f” (i.e., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid
key would be “1234567890abcdef.”
•
Authentication Header (AH)—The authentication header is a
mechanism for providing strong integrity and authentication for IP packets.
The Authentication Header does not offer confidentiality or protection
from traffic analysis.
The IP authentication header provides security by adding authentication
information to an IP packet. This authentication information is calculated
over the payload and over the IP header fields that do not change in
transit (mutable fields such as the TTL and the header checksum are
excluded), so any change to the packet, including its source or
destination address, is detected by the receiver. This provides
significantly more security than is present in plain IP. Because the
addresses are covered by the check, AH cannot pass through NAT devices;
use ESP where address translation is in the path.
Use of AH will increase the processing requirements of SonicWALL
VPN and will also increase the communications latency. The increased
latency is primarily due to the calculation of the authentication data by the
sender and the calculation and comparison of the authentication data by
the receiver for each IP packet.
•
Data Encryption Standard (DES)—When DES is used for data
communications, both sender and receiver must know the same secret
key, which is used to encrypt and decrypt the message, or to
generate and verify a message authentication code. The SonicWALL DES
encryption algorithm uses a 56-bit key.
The DES key is entered as exactly 16 hexadecimal characters (64 bits, of
which 56 are the effective key and 8 are parity bits). Valid hexadecimal
characters are “0” to “9” and “a” to “f” inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
A 56-bit key can be recovered by exhaustive search with modest hardware,
so single DES should be avoided in favor of 3DES.
•
Encapsulating Security Payload (ESP)—ESP provides confidentiality
by encrypting the packet payload and encapsulating it in IP packets.
The encryption may be ARCFour (compatible with RC4), DES, 3DES, etc.
The use of ESP typically increases the processing requirements and
communications latency. The increased latency is primarily due to the
encryption and decryption required for each IP packet containing an ESP.
As originally specified, ESP provides only confidentiality, not integrity:
an attacker who cannot read the traffic can still alter the ciphertext,
and therefore the decrypted packet, without detection. Current ESP
(RFC 2406 and later) adds an optional integrity check value, and in
practice ESP with authentication enabled, or ESP combined with AH,
should be used so that tampering is detected.
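The following Python script is an added example, not SonicWALL code, illustrating the AH and ESP points above: a stream cipher such as ARCFour hides the payload but does not stop an attacker from changing it, while an HMAC over the packet, as AH or authenticated ESP provides, detects the change. The RC4 implementation, keys and payload are constructed for the demonstration; HMAC-SHA1-96 is the IPsec integrity algorithm whose shape is imitated here.

```python
"""Encryption alone (ESP without integrity) versus an AH-style integrity tag.

Added example, not SonicWALL code. Pure-Python ARCFour/RC4 plus HMAC-SHA1
from the standard library; keys and payload are constructed.
"""
import hashlib
import hmac


def arcfour_keystream(key: bytes, length: int) -> bytes:
    # Textbook RC4: key scheduling (KSA) followed by the output generator (PRGA).
    # RC4 is broken; it is used here only to show stream-cipher malleability.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def arcfour_crypt(key: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(a ^ b for a, b in zip(data, arcfour_keystream(key, len(data))))


def flip_plaintext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # An attacker who knows (or guesses) the plaintext at `offset` XORs
    # old ^ new into the ciphertext and controls what the receiver decrypts,
    # without ever learning the key.
    assert len(old) == len(new)
    mod = bytearray(ciphertext)
    for k, (o, n) in enumerate(zip(old, new)):
        mod[offset + k] ^= o ^ n
    return bytes(mod)


def ah_tag(auth_key: bytes, packet: bytes) -> bytes:
    # AH-style integrity: HMAC over the packet, truncated to 96 bits as
    # HMAC-SHA1-96 does in IPsec.
    return hmac.new(auth_key, packet, hashlib.sha1).digest()[:12]


def ah_verify(auth_key: bytes, packet: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(ah_tag(auth_key, packet), tag)


def demo() -> dict:
    enc_key = bytes.fromhex("1234567890abcdef")   # constructed; 16-hex-digit key format from the guide
    auth_key = b"constructed-integrity-key"        # constructed
    payload = b"TRANSFER 0100 USD TO ACCT 4242"    # constructed packet payload

    ct = arcfour_crypt(enc_key, payload)            # what ESP-without-integrity sends
    tag = ah_tag(auth_key, ct)                      # what AH / authenticated ESP adds

    off = payload.index(b"0100")
    ct_mod = flip_plaintext(ct, off, b"0100", b"9900")   # attacker edit, no key needed

    return {
        "tampered_plaintext": arcfour_crypt(enc_key, ct_mod),  # receiver decrypts the edit
        "accepted_without_integrity": True,                   # nothing for the receiver to check
        "original_verifies": ah_verify(auth_key, ct, tag),
        "tampered_verifies": ah_verify(auth_key, ct_mod, tag),
    }
```

Running `demo()` shows the receiver of an unauthenticated ESP packet decrypting "TRANSFER 9900 USD" as if it were genuine, while the same edit fails the HMAC check. This is why an SA should always carry an authentication key alongside the encryption key.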
•
Encryption—Encryption is a mathematical operation that transforms data
from “clear text” (something that a human or a program can interpret) to
“cipher text” (something that cannot be interpreted without the key). The
operation requires that a “key” be supplied along with the clear text; the
key and clear text are processed by the encryption operation, and the
result is unintelligible to anyone who does not hold the key. Decryption is
the opposite of encryption: a mathematical operation that transforms
cipher text back to clear text. Decryption also requires a key.
•
Shared Secret—A shared secret is a predefined value that the two
endpoints of a VPN tunnel use to authenticate each other when setting up
an IKE SA. This field can be any combination of alphanumeric characters
with a minimum length of 4 characters and a maximum of 128 characters.
Because the shared secret is what authenticates the IKE exchange, a short
or dictionary-word secret can be found by brute force; use a long, random
value rather than the minimum. Take precautions when delivering or
exchanging the shared secret (out of band, never in the clear) to assure
that a third party cannot compromise the security of the VPN tunnel.
•
Internet Key Exchange (IKE)—IKE is a negotiation and key exchange
protocol specified by the Internet Engineering Task Force (IETF). An IKE
SA automatically negotiates encryption and authentication keys. With IKE,
an initial exchange authenticates the VPN session and automatically
negotiates keys that will be used to pass IP traffic.
•
Key—A key is an alphanumeric string that is used by the encryption
operation to transform clear text into cipher text. A key is composed of
hexadecimal characters (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). A valid
key would be 1234567890abcdef. Keys used in VPN communications can
vary in length, but are typically 16 or 32 characters. The longer the key,
the more difficult it is to break the encryption. The reason for this is that
most methods used to break encryption involve trying every possible
combination of characters, similar to trying to find someone’s telephone
number by dialing every possible combination of phone numbers.
•
Manual Key—Manual keying allows the SonicWALL administrator to
specify the encryption and authentication keys. SonicWALL VPN supports
the ability to manually set up a security association as well as the ability
to automatically negotiate an SA using IKE.
•
Security Association (SA)—An SA is the group of security settings
needed to create a VPN tunnel. All SAs require an encryption method, an
IPSec gateway address, and a destination network address. An IKE SA
additionally includes a shared secret; a manually keyed SA includes two
SPIs and an encryption key and an authentication key.
SonicWALL PRO appliances support up to 100 SAs. SonicWALL SOHO2
and SonicWALL XPRS2 appliances support 10 and 25 SAs, respectively.
Different SAs may be created to connect branch offices, allow secure
remote management, and pass unsupported traffic.
•
Security Parameter Index (SPI)—The SPI is used to establish a VPN
tunnel. The SPI is transmitted from the remote VPN gateway to the local
VPN gateway. The local VPN gateway then uses the network, encryption,
and key values that the administrator associated with the SPI to establish
the tunnel.
The SPI must be unique, is from one to eight characters long, and is
composed of hexadecimal characters. Valid hexadecimal characters are
“0” to “9”, and “a” to “f” (i.e., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For
example, valid SPIs would be 999 or “1234abcd.”
•
Triple Data Encryption Standard (3DES)—3DES is DES applied three
times in succession (encrypt, decrypt, encrypt) with three DES keys, and
is significantly more secure than single DES. However, 3DES requires
roughly three times the processing of DES.
The 3DES Key must be exactly 16 characters long and is composed of
hexadecimal characters. Valid hexadecimal characters are “0” to “9” and
“a” to “f” inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example,
a valid key would be “1234567890abcdef.”
•
VPN Tunnel—Tunneling is the encapsulation of point-to-point
transmissions inside IP packets. A VPN Tunnel is a term that is used to
describe a connection between two or more private nodes or LANs over a
public network, typically the Internet. Encryption is often used to maintain
the confidentiality of private data when traveling over the Internet.
Using OCSP with SonicWALL Security
Appliances
Online Certificate Status Protocol (OCSP) allows you to check VPN certificate
status without CRLs. This allows timely updates regarding the status of the
certificates used on your SonicWALL.
OCSP is designed to augment or replace Certificate Revocation Lists (CRLs)
in your Public Key Infrastructure (PKI) or digital certificate system. A CRL is
used to check the revocation status of the digital certificates issued within
the PKI. Revocation allows the Certificate Authority (CA) to withdraw
certificates before their scheduled expiration date and is useful in
protecting the PKI system against stolen or otherwise compromised
certificates.
The main disadvantage of Certificate Revocation Lists is the need for
frequent updates to keep every client's copy of the CRL current. These
frequent updates greatly increase network traffic when the complete CRL is
downloaded by every client. Depending on the CRL update frequency, there
can be a window in which a certificate has been revoked by the CA but the
client has not yet received the updated CRL and still permits the certificate
to be used.
Online Certificate Status Protocol determines the current status of a digital
certificate without using a CRL. OCSP enables the client or application to
directly determine the status of an identified digital certificate. This provides
more timely information about the certificate than is possible with CRLs. In
addition, each client typically only checks a few certificates and does not incur
the overhead of downloading an entire CRL for only a few entries. This greatly
reduces the network traffic associated with certificate validation.
OCSP transports messages over HTTP for maximum compatibility with
existing networks. This requires careful configuration of any caching servers
in the network to avoid receiving a cached copy of an OCSP response that
might be out of date.
The OCSP client communicates with an OCSP responder. The OCSP responder
can be the CA server itself or another server that communicates with the CA
server to determine the certificate status. The OCSP client issues a status
request to an OCSP responder and suspends acceptance of the certificate
until the responder provides a response. The client request includes data
such as the protocol version, the service request, the target certificate
identification and optional extensions. These optional extensions may or
may not be acknowledged by the OCSP responder.
The OCSP responder receives the request from the client and checks that the
message is properly formed and if the responder is able to respond to the
service request. Then it checks if the request contains the correct information
needed for the service desired. If all conditions are satisfied, the responder
returns a definitive response to the OCSP client. The OCSP responder is
required to provide a basic response of GOOD, REVOKED, or UNKNOWN. If
both the OCSP client and responder support the optional extensions, other
responses are possible. The GOOD state is the desired response as it
indicates the certificate has not been revoked. The REVOKED state indicates
that the certificate has been revoked. The UNKNOWN state indicates the
responder does not have information about the certificate in question.
OCSP servers typically work with a CA server in a push or pull setup. The CA
server can be configured to push its CRL to the OCSP server, or the OCSP
server can be configured to periodically download (pull) the CRL from the
CA server. The OCSP server must also be configured with an OCSP response
signing certificate issued by the CA server. The signing certificate must be
properly formed or the OCSP client will not accept the response from the
OCSP server.
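The client-side decision described above, as an added example in Python (not SonicWALL or OpenCA code): acceptance of the certificate is suspended until a response arrives, and only a fresh, correctly signed GOOD response is accepted. REVOKED and UNKNOWN answers, unverifiable signatures, and responses that are stale (for instance an out-of-date copy served by a caching proxy, the caveat raised earlier) all fail closed. The `OcspResponse` fields, the timestamps and the statuses are constructed for the example; a real client would populate them from the parsed ASN.1 response.

```python
"""Fail-closed evaluation of OCSP responder answers (added example, not
SonicWALL or OpenCA code). Response fields and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class OcspResponse:
    cert_status: str                 # good / revoked / unknown (the mandatory basic response)
    this_update: datetime            # time at which the responder asserted this status
    next_update: Optional[datetime]  # None when the responder gives no validity window
    signature_ok: bool               # verified against the CA-issued responder signing cert
    nonce_matches: Optional[bool]    # None when the optional nonce extension was not used


def evaluate(resp: Optional[OcspResponse], now: datetime,
             max_age: timedelta = timedelta(hours=24),
             clock_skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Return (accept, reason). Anything other than a fresh, signed GOOD is a reject."""
    if resp is None:
        return False, "no response from responder; acceptance suspended"
    if not resp.signature_ok:
        return False, "response signature not verifiable with the CA-issued signing certificate"
    if resp.nonce_matches is False:
        return False, "nonce mismatch: possible replayed or cached response"
    if resp.this_update > now + clock_skew:
        return False, "thisUpdate is in the future; check clocks"
    if resp.next_update is not None and now > resp.next_update + clock_skew:
        return False, "response expired (nextUpdate passed): stale cached copy?"
    if resp.next_update is None and now - resp.this_update > max_age:
        return False, "response older than policy allows"
    if resp.cert_status == REVOKED:
        return False, "certificate revoked"
    if resp.cert_status == UNKNOWN:
        return False, "responder has no information about this certificate"
    if resp.cert_status == GOOD:
        return True, "certificate not revoked"
    return False, "unrecognised status %r" % resp.cert_status


def sample_decisions() -> Dict[str, Tuple[bool, str]]:
    """Constructed responder answers for one certificate, evaluated at a fixed time."""
    now = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)
    h, d = timedelta(hours=1), timedelta(days=1)
    cases = {
        "fresh_good": OcspResponse(GOOD, now - h, now + 23 * h, True, True),
        "revoked": OcspResponse(REVOKED, now - h, now + 23 * h, True, True),
        "unknown": OcspResponse(UNKNOWN, now - h, now + 23 * h, True, True),
        "stale_cached": OcspResponse(GOOD, now - 3 * d, now - 2 * d, True, None),
        "bad_signature": OcspResponse(GOOD, now - h, now + 23 * h, False, True),
        "nonce_mismatch": OcspResponse(GOOD, now - h, now + 23 * h, True, False),
        "no_response": None,
    }
    return {name: evaluate(resp, now) for name, resp in cases.items()}
```

Only the `fresh_good` case is accepted; every other case, including the stale copy a misconfigured cache might return, is rejected with a reason suitable for the appliance log.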
OpenCA OCSP Responder
Using OCSP requires the OpenCA (OpenSource Certificate Authority)
OpenCA OCSP Responder as it is the only supported OCSP responder.
OpenCA OCSP Responder is available at <http://www.openca.org/ocspd/>.
The OpenCA OCSP Responder is an RFC 2560 compliant OCSP responder that,
in homage to the RFC, listens on port 2560 by default.
Note
For SonicOS to act as an OCSP client to a responder, the CA
certificate must be loaded onto the SonicWALL system.
Using OCSP with VPN Policies
The SonicWALL OCSP settings can be configured per VPN policy or globally.
To configure OCSP checking for an individual VPN policy, open the VPN
page, edit the policy, and then:
1.
Select the Enable OCSP Check option.
2.
Specify the OCSP Responder URL of the OCSP server, for example
<http://192.168.168.220:2560>, where 192.168.168.220 is the IP address
of your OCSP server and 2560 is the default port of the OpenCA OCSP
responder service.
CHAPTER 19
Configuring SSL-VPN Settings
SSL VPN NetExtender Overview
This section provides an introduction to the SonicOS Enhanced SSL VPN
NetExtender feature as managed within GMS. This section contains the
following subsections:
•
“What is SSL VPN NetExtender?” section on page 445
•
“Benefits” section on page 445
•
“NetExtender Concepts” section on page 446
What is SSL VPN NetExtender?
SonicWALL’s SSL VPN NetExtender feature is a transparent software
application for Windows, Mac, and Linux users that enables remote users to
securely connect to the remote network. With NetExtender, remote users can
securely run any application on the remote network. Users can upload and
download files, mount network drives, and access resources as if they were
on the local network. The NetExtender connection uses a Point-to-Point
Protocol (PPP) connection.
Benefits
NetExtender provides remote users with full access to your protected internal
network. The experience is virtually identical to that of using a traditional
IPSec VPN client, but NetExtender does not require any manual client
installation. Instead, the NetExtender Windows client is automatically installed
on a remote user’s PC by an ActiveX control when using the Internet Explorer
browser, or with the XPCOM plugin when using Firefox. On MacOS systems,
supported browsers use Java controls to automatically install NetExtender
from the Virtual Office portal. Linux systems can also install and use the
NetExtender client.
After installation, NetExtender automatically launches and connects a virtual
adapter for secure SSL-VPN point-to-point access to permitted hosts and
subnets on the internal network.
NetExtender Concepts
The following sections describe advanced NetExtender concepts:
•
“Stand-Alone Client” section on page 446
•
“Client Routes” section on page 446
•
“Tunnel All Mode” section on page 447
•
“Connection Scripts” section on page 447
•
“Proxy Configuration” section on page 447
Stand-Alone Client
NetExtender is a browser-installed lightweight application that
provides comprehensive remote access without requiring users to
manually download and install the application. The first time a user
launches NetExtender, the NetExtender stand-alone client is
automatically installed on the user’s PC or Mac. The installer
creates a profile based on the user’s login information. The installer
window then closes and automatically launches NetExtender. If the
user has a legacy version of NetExtender installed, the installer will
first uninstall the old NetExtender and install the new version.
Once the NetExtender stand-alone client has been installed, Windows users
can launch NetExtender from their PC’s Start > Programs menu and
configure NetExtender to launch when Windows boots. Mac users can launch
NetExtender from their system Applications folder, or drag the icon to the dock
for quick access. On Linux systems, the installer creates a desktop shortcut in
/usr/share/NetExtender. This can be dragged to the shortcut bar in
environments like Gnome and KDE.
Client Routes
NetExtender client routes are used to allow and deny access for SSL VPN
users to various network resources. Address objects are used to easily and
dynamically configure access to network resources.
Tunnel All Mode
Tunnel All mode routes all traffic to and from the remote user over the SSL
VPN NetExtender tunnel—including traffic destined for the remote user’s local
network. This is accomplished by adding the following routes to the remote
client’s route table:
IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0
The two half-space routes (0.0.0.0/1 and 128.0.0.0/1) together cover the
whole address space and are more specific than the client's existing
default route, so they win longest-prefix matching regardless of metric.
NetExtender also adds routes for the local networks of all connected Network
Connections. These routes are given a better (numerically lower) metric than
any existing route so that they take precedence and traffic destined for the
local network is forced over the SSL VPN tunnel instead. For example, if a
remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route
10.0.0.0/255.255.0.0 is added to route that traffic through the SSL VPN tunnel.
Tunnel All mode is configured on the SSL VPN > Client Routes page.
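The route-table effect described above, as an added example in Python (not NetExtender code). It implements longest-prefix matching with metric as the tie-breaker, the behaviour of the client operating systems involved, and builds a constructed remote-user table before and after Tunnel All mode so the two effects can be seen separately: the /1 routes beat the existing default route by prefix length, and the duplicated local-network route beats the connected route by metric. The interface names, metrics and the 10.0.0.0/16 home network are constructed.

```python
"""Longest-prefix-match view of what Tunnel All mode does to a client route table.
Added example, not NetExtender code; table contents are constructed."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, str, int]   # (destination, next hop or interface, metric)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Pick the route for dst: longest prefix wins; lowest metric breaks ties."""
    addr = IPv4Address(dst)
    best_key = None
    best_via = None
    for net, via, metric in table:
        if addr in net:
            key = (net.prefixlen, -metric)       # longer prefix, then lower metric
            if best_key is None or key > best_key:
                best_key, best_via = key, via
    return best_via


def tunnel_all_routes(local_nets: List[str], tunnel_metric: int = 1) -> List[Route]:
    """Routes NetExtender installs in Tunnel All mode (the guide's table, in
    address/netmask form) plus one route per directly connected local network."""
    routes = [
        (IPv4Network("0.0.0.0/0.0.0.0"), "netextender", tunnel_metric),
        (IPv4Network("0.0.0.0/128.0.0.0"), "netextender", tunnel_metric),
        (IPv4Network("128.0.0.0/128.0.0.0"), "netextender", tunnel_metric),
    ]
    routes += [(IPv4Network(n), "netextender", tunnel_metric) for n in local_nets]
    return routes


def remote_user_table(tunnel_all: bool) -> List[Route]:
    # Constructed: a laptop at 10.0.67.64 on a home 10.0.0.0/16 network.
    table = [
        (IPv4Network("0.0.0.0/0"), "home-gateway", 25),   # existing default route
        (IPv4Network("10.0.0.0/16"), "wlan0", 25),        # connected local network
    ]
    if tunnel_all:
        table += tunnel_all_routes(["10.0.0.0/16"])
    return table


def where_does_it_go(dst: str) -> Tuple[Optional[str], Optional[str]]:
    """(next hop without Tunnel All, next hop with Tunnel All) for a destination."""
    return lookup(remote_user_table(False), dst), lookup(remote_user_table(True), dst)
```

With Tunnel All enabled, both an Internet destination such as 8.8.8.8 and a local-network destination such as 10.0.5.5 resolve to the NetExtender adapter; without it they resolve to the home gateway and the wireless interface respectively. Note that the route for 10.0.5.5 changes only because of the lower metric, which is why a client that pinned its local route with a better metric would leak that traffic outside the tunnel.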
Connection Scripts
SonicWALL SSL VPN provides users with the ability to run batch file
scripts when NetExtender connects and disconnects. The scripts
can be used to map or disconnect network drives and printers,
launch applications, or open files or Web sites. NetExtender
Connection Scripts can support any valid batch file commands.
Proxy Configuration
SonicWALL SSL VPN supports NetExtender sessions using proxy
configurations. Currently, only HTTPS proxy is supported. When launching
NetExtender from the Web portal, if your browser is already configured for
proxy access, NetExtender automatically inherits the proxy settings. The
proxy settings can also be manually configured in the NetExtender client
preferences. NetExtender can automatically detect proxy settings for proxy
servers that support the Web Proxy Auto Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
•
Automatically detect settings - To use this setting, the proxy server must
support the Web Proxy Auto Discovery Protocol (WPAD), which can push the
proxy settings script to the client automatically.
•
Use automatic configuration script - If you know the location of the
proxy settings script, you can select this option and provide the URL of the
script.
•
Use proxy server - You can use this option to specify the IP address and
port of the proxy server. Optionally, you can enter an IP address or domain
in the BypassProxy field to allow direct connections to those addresses
and bypass the proxy server. If required, you can enter a user name and
password for the proxy server. If the proxy server requires a username and
password, but you do not specify them, a NetExtender pop-up window will
prompt you to enter them when you first connect.
When NetExtender connects using proxy settings, it establishes an HTTPS
connection to the proxy server instead of connecting to the SonicWALL
security appliance directly. The proxy server then forwards traffic to the
SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated
by NetExtender, of which the proxy server has no knowledge. The connection
process is identical for proxy and non-proxy users.
SSL VPN > Portal Settings
The Policies > SSL VPN > Portal Settings page is used to configure the
appearance and functionality of the SSL VPN Virtual Office web portal. The
Virtual Office portal is the website that users log in to in order to launch
NetExtender. It can be customized to match any existing company website or
design style.
The following settings configure the appearance of the Virtual Office portal:
•
Portal Site Title - The text displayed in the top title of the web browser.
•
Portal Banner Title - The text displayed next to the logo at the top of
the page.
•
Home Page Message - The HTML code that is displayed above the
NetExtender icon.
•
Login Message - The HTML code that is displayed when users are
prompted to log in to the Virtual Office.
•
Example Template - Resets the Home Page Message and Login
Message fields to the default example template.
•
Preview - Launch a pop-up window that displays the HTML code.
The following options customize the functionality of the Virtual Office portal:
•
Launch NetExtender after login - Automatically launches NetExtender
after a user logs in.
•
Display Import Certificate Button - Displays an Import Certificate
button on the Virtual Office page. This initiates the process of importing
the SonicWALL security appliance’s self-signed certificate onto the web
browser. This option only applies to the Internet Explorer browser on PCs
running Windows 2000 or Windows XP.
•
Enable HTTP meta tags for cache control - Inserts HTTP meta tags into the
Virtual Office page that instruct the web browser not to cache it, so that
portal content is not left behind in the browser cache on a shared machine.
SonicWALL recommends enabling this option.
The Customized Logo field is used to display a logo other than the
SonicWALL logo at the top of the Virtual Office portal. Enter the URL of the
logo in the Customized Logo field. The logo must be in GIF format of size 155
x 36, and a transparent or light background is recommended.
SSL VPN > Client Settings
The Policies > SSL VPN > Client Settings page allows the administrator to
enable SSL VPN access on zones and configure the client address range
information and NetExtender client settings. It also displays which zones have
SSL VPN access enabled.
The following tasks are configured on the SSL VPN > Client Settings page:
•
“Configuring Zones for SSL VPN Access” section on page 451
•
“Configuring the SSL VPN Client Address Range” section on page 451
•
“Configuring NetExtender Client Settings” section on page 452
Configuring Zones for SSL VPN Access
All of the zones on the SonicWALL security appliance are displayed in the SSL
VPN Status on Zones section of the SSL VPN > Client Settings page. SSL
VPN access must be enabled on a zone before users can access the Virtual
Office web portal. A green button to the left of the name of the zone indicates
that SSL VPN access is enabled. A red button indicates that SSL VPN access
is disabled. To change the SSL VPN access for a zone, simply click the name
of the zone on the SSL VPN > Client Settings page.
SSL VPN Access can also be configured on the Network > Zones page by
clicking the configure icon for the zone.
Note
WAN management must be enabled on the zone to terminate SSL
VPN sessions. Even though the zone has SSL VPN enabled, if the
management interface is disabled, SSL VPN will not work correctly.
Configuring the SSL VPN Client Address Range
The SSL VPN Client Address Range defines the IP address pool from which
addresses will be assigned to remote users during NetExtender sessions. The
range needs to be large enough to accommodate the maximum number of
concurrent NetExtender users you wish to support plus one (for example, the
range for 15 users requires 16 addresses, such as 192.168.200.100 to
192.168.200.115).
Note
The range must fall within the same subnet as the interface to which
the SSL VPN appliance is connected, and in cases where there are
other hosts on the same segment as the SSL VPN appliance, it must
not overlap or collide with any assigned addresses.
To configure the SSL VPN Client Address Range, perform the following steps:
Step 1
Navigate to the SSL VPN > Client Settings page.
Step 2
In the NetExtender Start IP field, enter the first IP address in the client
address range.
Step 3
In the NetExtender End IP field, enter the last IP address in the client
address range.
Step 4
In the DNS Server 1 field, enter the IP address of the primary DNS
server, or click the Default DNS Settings to use the default settings.
Step 5
(Optional) In the DNS Server 2 field, enter the IP address of the backup
DNS server.
Step 6
(Optional) In the DNS Domain field, enter the domain name for the
DNS servers.
Step 7
In the User Domain field, enter the domain name for the users. The
value of this field must match the domain field in the NetExtender client.
Step 8
(Optional) In the WINS Server 1 field, enter the IP address of the
primary WINS server.
Step 9
(Optional) In the WINS Server 2 field, enter the IP address of the
backup WINS server.
Step 10 In the Interface pull-down menu, select the interface to be used for SSL
VPN services.
Note
The IP address range must be on the same subnet as the interface
used for SSL VPN services.
Step 11 Click the Zone name at the top of the page to enable SSL VPN access
on it with these settings. The indicator should be green for the Zone you
want to enable.
Step 12 Click Accept.
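The sizing and placement rules for the client address range (maximum users plus one, inside the SSL VPN interface's subnet, no collision with the interface address or other hosts on the segment) can be checked before Step 12 is clicked. The following Python function is an added example, not part of GMS; the interface address, host list and user count it is called with are constructed, using the 192.168.200.100 to 192.168.200.115 range from the text.

```python
"""Pre-flight check for a NetExtender client address range.
Added example, not GMS code; inputs are constructed."""
from ipaddress import IPv4Address, IPv4Interface
from typing import Iterable, List


def check_client_range(start: str, end: str, interface: str,
                       max_users: int, other_hosts: Iterable[str] = ()) -> List[str]:
    """Return the problems with a proposed range; an empty list means it passes.

    interface is the SSL VPN interface in CIDR form, e.g. 192.168.200.1/24.
    other_hosts are addresses already assigned on the same segment.
    """
    problems: List[str] = []
    first, last = IPv4Address(start), IPv4Address(end)
    iface = IPv4Interface(interface)
    net = iface.network

    if first > last:
        return ["start address is after end address"]

    size = int(last) - int(first) + 1
    needed = max_users + 1                      # the guide's "maximum users plus one"
    if size < needed:
        problems.append("range holds %d addresses but %d are needed for %d users"
                        % (size, needed, max_users))

    if first not in net or last not in net:
        problems.append("range is not within the interface subnet %s" % net)
    else:
        if first == net.network_address or last == net.broadcast_address:
            problems.append("range includes the network or broadcast address")
        if first <= iface.ip <= last:
            problems.append("range collides with the interface address %s" % iface.ip)

    for host in other_hosts:                    # assigned addresses on the same segment
        addr = IPv4Address(host)
        if first <= addr <= last:
            problems.append("range collides with existing host %s" % addr)
    return problems
```

A range of .100 to .115 on a /24 whose interface is .1 passes for 15 users; trimming it to .114, letting it spill into the next /24, or handing out an address already used by a file server on the segment each produces a specific message rather than a silently broken deployment.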
Configuring NetExtender Client Settings
NetExtender client settings are configured at the bottom of the SSL VPN >
Client Settings page. The following settings customize the behavior of
NetExtender when users connect and disconnect.
•
Default Session Timeout (minutes) - The default timeout value for client
inactivity, after which the client’s session is terminated.
•
Enable NetBIOS Over SSLVPN - Allows NetExtender clients to broadcast
NetBIOS to the SSL VPN subnet.
•
Enable Client Autoupdate - The NetExtender client checks for updates
every time it is launched.
•
Exit Client After Disconnect - The NetExtender client exits when it
becomes disconnected from the SSL VPN server. To reconnect, users will
have to either return to the SSL VPN portal or launch NetExtender from
their Programs menu.
•
Uninstall Client After Disconnect - The NetExtender client automatically
uninstalls when it becomes disconnected from the SSL VPN server. To
reconnect, users will have to return to the SSL VPN portal.
•
Create Client Connection Profile - The NetExtender client will create a
connection profile recording the SSL VPN Server name, the Domain name
and optionally the username and password.
•
Communication Between Clients - Enables NetExtender clients that are
connected to the same server to communicate.
•
User Name & Password Caching - Provide flexibility in allowing users to
cache their usernames and passwords in the NetExtender client. The
three options are Allow saving of user name only, Allow saving of user
name & password, and Prohibit saving of user name & password.
These options enable administrators to balance security needs against
ease of use for users.
SSL VPN > Client Routes
The Policies > SSL VPN > Client Routes page allows the administrator to
control the network access allowed for SSL VPN users. The NetExtender
client routes are passed to all NetExtender clients and govern which private
networks and resources remote users can access via the SSL VPN
connection.
The following tasks are configured on the SSL VPN > Client Routes page:
•
“Configuring Tunnel All Mode” section on page 454
•
“Adding Client Routes” section on page 455
Configuring Tunnel All Mode
Select Enabled from the Tunnel All Mode drop-down list to force all traffic for
NetExtender users over the SSL VPN NetExtender tunnel—including traffic
destined for the remote user’s local network. This is accomplished by adding
the following routes to the remote client’s route table:
IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0
NetExtender also adds routes for the local networks of all connected Network
Connections. These routes are given a better (numerically lower) metric than
any existing route so that they take precedence and traffic destined for the
local network is forced over the SSL VPN tunnel instead. For example, if a
remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route
10.0.0.0/255.255.0.0 is added to route that traffic through the SSL VPN tunnel.
Adding Client Routes
The Add Client Routes pull-down menu is used to configure access to
network resources for SSL VPN users. Select the address object to which you
want to allow SSL VPN access. Select Create new address object to create
a new address object. Creating client routes causes access rules to
automatically be created to allow this access. Alternatively, you can manually
configure access rules for the SSL VPN zone on the Firewall > Access Rules
page. For more information, see “Firewall > Access Rules” on page 359.
CHAPTER 20
Configuring Security Services
SonicWALL security appliances offer several services for protecting networks
against viruses and attacks. This chapter provides concept overviews and
configuration tasks for deploying these services.
This chapter contains the following sections:
•
“Configuring SonicWALL Network Anti-Virus” section on page 458
•
“SonicWALL Network Anti-Virus Email Filter” section on page 461
•
“Configuring the SonicWALL Content Filter Service” section on page 463
•
“Configuring the SonicWALL Intrusion Prevention Service” section on
page 463
•
“Configuring the SonicWALL RBL Filter” section on page 472
•
“Configuring the SonicWALL Gateway Anti-Virus” section on page 473
•
“Configuring the SonicWALL Anti-Spyware Service” section on page 478
Configuring SonicWALL Network Anti-Virus
Configuring SonicWALL Network
Anti-Virus
SonicWALL Network Anti-Virus is a distributed, gateway-enforced solution
that ensures always-on, always-updated anti-virus software for every client on
your network. The SonicWALL constantly monitors the version of the virus
definition file and automatically triggers download and installation of new virus
definition files to each user’s computer. In addition, the SonicWALL restricts
each user’s access to the Internet until they are protected, therefore acting as
an automatic enforcer of the company’s virus protection policy.
This new approach ensures the most current version of the virus definition file
is installed and active on each PC on the network, preventing a rogue user
from disabling the virus protection and potentially exposing the entire
organization to an outbreak. And most importantly, SonicWALL Network
Anti-Virus offloads the costly and time-consuming burden of maintaining and
updating anti-virus software across the entire network.
SonicWALL Network Anti-Virus also includes Network Anti-Virus Email Filter
to selectively manage inbound Email attachments as they pass through the
SonicWALL to control the flow of executable files, scripts, and applications into
your network.
Configuring Anti-Virus Settings
SonicWALL Global Management System (SonicWALL GMS) offers anti-virus
protection on a subscription-basis through a partnership with McAfee. This
section describes how to configure Anti-Virus settings for SonicWALL
appliances.
Note
SonicWALL appliances are entitled to a one-month anti-virus trial
subscription. To enable the trial subscription, see “Registering and
Upgrading SonicWALL Appliances” on page 591.
Anti-Virus Settings
To configure Anti-Virus settings for one or more SonicWALL appliances, follow
these steps:
1.
Select the global icon, a group, or a SonicWALL appliance.
2.
Expand the Security Services tree and click AV Configure. The AV
Configure page appears.
3.
Select the Enable Anti-Virus Client Automated Installation, Updates
and Enforcement check box.
4.
To enforce Anti-Virus protection on the DMZ port or HomePort (if
available), select the Enable DMZ/HomePort/WLAN/OPT Policing
check box.
5.
To disable policing from the LAN to the DMZ, select the Disable policing
from LAN/WorkPort to DMZ/HomePort/WLAN/OPT check box.
6.
To configure the SonicWALL appliance(s) to only check for updates once
a day, select the Reduce AV Traffic for ISDN connections check box.
This is useful for low bandwidth connections or connections that are not
“always on.”
7.
SonicWALL GMS automatically downloads the latest virus definition files.
To configure the maximum number of days that can pass before
SonicWALL GMS downloads the latest files, select the number of days
from the Maximum Days Allowed Before Forcing Update list box.
8.
Significant virus events can occur without warning (e.g., Melissa,
ILOVEYOU, and others). When these occur, SonicWALL GMS can be
configured to block network traffic until the latest virus definition files are
downloaded. To configure this feature, determine which types of events
will require updating. Then, select the Low Risk, Medium Risk, or High
Risk check boxes.
Exempt Computers
The Exempt Computers section allows the GMS administrator to specify
address ranges which should be explicitly included or excluded in Anti-Virus
enforcement.
1.
Select the Enforce Anti-Virus policies for all computers radio button to
enforce Anti-Virus policies across your entire network. Selecting this
option forces computers to install VirusScan ASaP in order to access the
Internet or the DMZ. This is the default configuration.
2.
Select the Include specific address ranges in the Anti-Virus
enforcement radio button to force a specified range of addresses to
adhere to Anti-Virus enforcement. Choosing this option allows the
administrator to define ranges of IP addresses to receive Anti-Virus
enforcement. If you select this option, specify a range of IP addresses to
be enforced. Any computer requiring enforcement needs a static IP
address within the specified range of IP addresses. Up to 64 IP address
ranges can be entered for enforcement.
3.
Select the Exclude specific address ranges in the Anti-Virus
enforcement radio button to exempt a specified range of addresses from
Anti-Virus enforcement. Selecting this option allows the administrator to
define ranges of IP addresses that are exempt from Anti-Virus
enforcement. If you select this option, specify the range of IP addresses
are exempt. Any computer requiring unrestricted Internet access needs a
static IP address within the specified range of IP addresses. Up to 64 IP
address ranges can be entered.
SonicWALL Network Anti-Virus Email Filter
The Network Anti-Virus Email Filter allows the administrator to selectively
delete or disable inbound Email attachments as they pass through the
SonicWALL. This feature provides control over executable files and scripts,
and applications sent as Email attachments.
This feature is available only with the purchase of an Email Filter subscription.
Email Filtering
During an outbreak, Email filtering allows for preemptive blocking of known
filenames and newly discovered viruses before the Anti-Virus signature (DAT)
files are actually available.
This feature also provides full filename blocking of virus files, allowing
SonicWALL to block only malicious attachments, while enabling all other
attachments through. For example, during a virus outbreak, only the virus file
is blocked while other productive files (such as Word documents and Excel
spreadsheets) are allowed through.
To configure email filter settings for one or more SonicWALL appliances,
follow these steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click EMail Filter. The EMail Filter screen displays.
Email Attachment Filtering
This section allows the administrator to specify file extensions to filter. By default, the common executable extensions .vbs and .exe are blocked.
• To enable infected email attachment blocking on inbound SMTP and POP3 Email protocols, select the Enable Email Attachment Filtering Alert Service check box. Only files that were discovered to be infected will be blocked. If a message contains uninfected attachments, those will be forwarded to the recipient.
• To specify file extensions to filter, select the Enable Email Attachment Filtering of Forbidden File Extensions checkbox.
• If choosing to specify forbidden file extensions, enter the file extensions (one at a time) in the Forbidden File Extensions box and click the Add button. Remove extensions from the list by selecting the checkbox to the left of the file extension and clicking the Update button at the bottom of the page.
• Click the Update button to save your changes.
Email Attachment Filtering Options
This section allows the administrator to handle forbidden file extensions in the following two ways:
• Select the Disable the forbidden file by altering the file extension and attach warning text radio button to alter the file extension by replacing the third character of file extensions with “_”. If the email attachment is a valid file, the message recipient may return the attachment to its original file extension without damaging the file.
• Select Delete forbidden file and attach warning text to remove the forbidden file from the Email message entirely and attach warning text to the message.
• In the Warning Message Text field (maximum 256 characters), enter the text you wish to attach to messages containing forbidden files.
• Click the Update button to save your changes.
Note
Only infected files will be blocked. If a message contains uninfected attachments, those will be forwarded to the recipient.
Email Blocking
This option allows the administrator to block fragments of Email messages.
• Check the Block Email fragments (Content-Type message/partial) check box to block fragmented messages from being delivered.
• Click the Update button to save your changes.
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
The SonicWALL appliance will block viruses that are discovered by the virus signature files and filenames that are known to be infected during an outbreak.
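The three Email Filter behaviours described above (renaming a forbidden attachment by replacing the third character of its extension with “_”, deleting it outright with warning text attached, and refusing Content-Type message/partial fragments) modelled as an added Python example. This is not SonicWALL code: the MIME message, the default extension list and the warning text are constructed here for illustration, and the handling of extensions shorter than three characters is an assumption the guide does not state.

```python
"""Added example (not SonicWALL code): the Email Filter actions described
above, applied to a constructed MIME message with Python's email package."""
import email
from email.mime.text import MIMEText

# Default forbidden extensions named by the guide (.vbs and .exe); constructed set.
FORBIDDEN_EXTENSIONS = {"vbs", "exe"}
# Constructed stand-in for the Warning Message Text (maximum 256 characters).
WARNING_TEXT = "An attachment with a forbidden file extension was handled by the gateway."


def is_forbidden(filename):
    """True when the attachment's extension is on the forbidden list."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in FORBIDDEN_EXTENSIONS


def disable_extension(filename):
    """'Disable the forbidden file' option: replace the third character of the
    extension with '_' (invoice.exe -> invoice.ex_).  The recipient can restore
    the name; the bytes are untouched.  Assumption: extensions shorter than
    three characters get '_' appended, which the guide does not specify."""
    stem, ext = filename.rsplit(".", 1)
    ext = ext[:2] + "_" + ext[3:] if len(ext) >= 3 else ext + "_"
    return f"{stem}.{ext}"


def filter_message(raw, mode="disable", block_fragments=True):
    """Apply the filter to one message.  mode is 'disable' or 'delete'.
    Returns (filtered message, or None when blocked outright; list of actions)."""
    msg = email.message_from_string(raw)
    # Email Blocking option: a fragment (Content-Type message/partial) cannot be
    # scanned as a whole, so the gateway refuses to deliver it.
    if block_fragments and msg.get_content_type() == "message/partial":
        return None, ["blocked: Content-Type message/partial"]
    actions = []
    if not msg.is_multipart():
        return msg, actions
    kept = []
    for part in msg.get_payload():
        name = part.get_filename()
        if is_forbidden(name):
            if mode == "delete":
                actions.append(f"deleted {name}")
                continue  # drop the part entirely
            new_name = disable_extension(name)
            part.set_param("filename", new_name, header="Content-Disposition")
            part.set_param("name", new_name)  # Content-Type name= parameter
            actions.append(f"renamed {name} -> {new_name}")
        kept.append(part)
    msg.set_payload(kept)
    if actions:  # attach the warning text only when something was changed
        msg.attach(MIMEText(WARNING_TEXT))
    return msg, actions


def attachment_names(msg):
    """Filenames of the attachments that remain in the message."""
    return [p.get_filename() for p in msg.get_payload() if p.get_filename()]


# Constructed inbound message: one productive spreadsheet and one .exe attachment.
RAW_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Figures attached.
--b1
Content-Type: application/octet-stream; name="report.xls"
Content-Disposition: attachment; filename="report.xls"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAA==
--b1--
"""

# Constructed message fragment (first of three parts).
RAW_FRAGMENT = """\
From: sender@example.invalid
To: user@example.invalid
Content-Type: message/partial; id="abc@example.invalid"; number=1; total=3

...fragment 1 of 3...
"""

if __name__ == "__main__":
    for mode in ("disable", "delete"):
        msg, actions = filter_message(RAW_MESSAGE, mode=mode)
        print(mode, actions, attachment_names(msg))
    print(filter_message(RAW_FRAGMENT))
```

The spreadsheet passes untouched in both modes, which is the point the guide makes about productive files during an outbreak; only the part whose extension is forbidden is renamed or removed, and the warning text is appended as an extra text part.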
Configuring the SonicWALL Content Filter Service
The default SonicWALL Content Filtering Service (CFS) policy is available
with or without a CFS subscription. With a valid CFS subscription, you can
create custom CFS policies and apply them to network zones or to groups of
users. For example, a school could create one policy for teachers and another
for students.
The settings for SonicWALL CFS are configured on the Policies > Website
Blocking page in SonicWALL GMS. See “Configuring General Website
Blocking” on page 296.
Configuring the SonicWALL Intrusion Prevention Service
The Intrusion Prevention Service (IPS) is a subscription-based service that is frequently updated to protect your networks from new attacks and undesired uses that expose your network to potential risks such as Instant Messaging (IM) or Peer-to-Peer (P2P) applications.
For information on adding the IPS to SonicWALL appliances, see “Registering and Upgrading SonicWALL Appliances” on page 591.
This section contains the following subsections:
• “Overview of IPS” section on page 464
• “SonicWALL Deep Packet Inspection” section on page 464
• “Enabling Intrusion Prevention Services” section on page 466
• “Configuring IPS Policies” section on page 469
• “Manual Upload of Keyset and Signature Files” section on page 470
Overview of IPS
SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a
configurable, high performance Deep Packet Inspection engine for extended
protection of key network services such as Web, Email, file transfer, Windows
services and DNS. SonicWALL IPS is designed to protect against application
vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and
backdoor exploits. The extensible signature language used in SonicWALL’s
Deep Packet Inspection engine also provides proactive defense against newly
discovered application and protocol vulnerabilities. SonicWALL IPS offloads
the costly and time-consuming burden of maintaining and updating signatures
for new hacker attacks through SonicWALL’s industry-leading Distributed
Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS
to detect and prevent attacks based on a global, attack group, or per-signature
basis to provide maximum flexibility and control false positives.
SonicWALL Deep Packet Inspection
Deep Packet Inspection looks at the data portion of the packet. The Deep
Packet Inspection technology includes intrusion detection and intrusion
prevention. Intrusion detection finds anomalies in the traffic and alerts the
administrator. Intrusion prevention finds the anomalies in the traffic and reacts
to it, preventing the traffic from passing through.
Deep Packet Inspection is a technology that allows a SonicWALL Security
Appliance to classify passing traffic based on rules. These rules include
information about layer 3 and layer 4 content of the packet as well as the
information that describes the contents of the packet’s payload, including the
application data (for example, an FTP session, an HTTP Web browser
session, or even a middleware database connection). This technology allows
the administrator to detect and log intrusions that pass through the
SonicWALL Security Appliance, as well as prevent them (i.e. dropping the
packet or resetting the TCP connection). SonicWALL’s Deep Packet
Inspection technology also correctly handles TCP fragmented byte stream
inspection as if no TCP fragmentation has occurred.
How SonicWALL’s Deep Packet Inspection Architecture Works
Deep Packet Inspection technology enables the UTM appliance to investigate
farther into the protocol to examine information at the application layer and
defend against attacks targeting application vulnerabilities. This is the
technology behind SonicWALL Intrusion Prevention Service. SonicWALL’s
Deep Packet Inspection technology enables dynamic signature updates
pushed from the SonicWALL Distributed Enforcement Architecture.
The following steps describe how the SonicWALL Deep Packet Inspection
Architecture works:
1. The Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent against known and unknown protocols, applications and exploits.
2. TCP packets arriving out-of-order are reassembled by the Deep Packet Inspection framework.
3. Deep Packet Inspection engine preprocessing involves normalization of the packet’s payload. For example, an HTTP request may be URL encoded and thus the request is URL decoded in order to perform correct pattern matching on the payload.
4. Deep Packet Inspection engine postprocessors perform actions which may either simply pass the packet without modification, or could drop a packet or could even reset a TCP connection.
5. SonicWALL’s Deep Packet Inspection framework supports complete signature matching across the TCP fragments without performing any reassembly (unless the packets are out of order). This results in more efficient use of processor and memory for greater performance.
If TCP packets arrive out of order, the SonicWALL IPS engine reassembles
them before inspection. However, SonicWALL’s IPS framework supports
complete signature matching across the TCP fragments without having to
perform complete reassembly. SonicWALL’s unique reassembly-free
matching solution dramatically reduces CPU and memory resource
requirements.
Enabling Intrusion Prevention Services
To configure IPS settings for one or more SonicWALL appliances, perform the
following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click Intrusion Prevention. The Intrusion Prevention page appears.
3. Check the Enable IPS checkbox to enable the service.
4. Select the check boxes of the interface ports to monitor.
5. Configure the following settings for High Priority Attacks in the IPS Settings area:
   – To detect, log, and prevent all high priority attacks, select the Prevent All check box.
   – To detect and log all high priority attacks, select the Detect All check box.
   – To prevent the log from becoming overloaded with entries for the same attack, enter a value in the Log Redundancy Filter field. For example, if you entered a value of 30 seconds and there were 100 SubSeven attacks during that period of time, only one attack would be logged during that 30 second period.
6. Repeat Step 3 for the remaining categories as applicable, including Medium Priority Attacks, Low Priority Attacks, IM (Instant Messaging) Applications, and P2P (Peer-to-Peer) Applications.
7. Click Configuring IPS Settings to choose one of the following options:
   – If Enable IP Reassembly is enabled, the SonicWALL security appliance reassembles fragmented packets for full application layer inspection.
   – If Prevent Invalid Checksum is enabled, the SonicWALL security appliance automatically drops and resets the connection, to prevent the traffic from reaching its destination.
   – If Detect Invalid Checksum is enabled, the SonicWALL security appliance logs and alerts any traffic, but does not take any action against the traffic. The connection proceeds to its intended destination.
   – If Enable IPS Exclusion List is enabled, this SonicWALL security appliance bypasses IPS enforcement for a specified IP range. This requires the addition of an IPS Range (below).
8. To force the firmware to download all signatures, click Update IPS Signature Database.
9. To reset your IPS settings to the defaults, click Reset IPS Settings & Policies.
10. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
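The Deep Packet Inspection stages described in the previous section (payload normalization before pattern matching, per-signature detect or prevent actions, pass/drop postprocessing) and the Log Redundancy Filter from Step 5 above, put together in one added Python example. This is not SonicWALL code and does not use its Pattern Definition Language: the two substring signatures, their ids and the traffic are constructed here, and the decode-until-stable normalization is one reasonable reading of “URL decoded”, not the appliance's actual algorithm.

```python
"""Added example (not SonicWALL code): preprocessing, matching and
postprocessing as described for Deep Packet Inspection, followed by the Log
Redundancy Filter from the IPS settings, run over constructed traffic."""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: str       # constructed signature id
    pattern: str   # substring matched against the normalized payload
    priority: str  # high / medium / low, as in the IPS categories
    action: str    # "prevent" (drop) or "detect" (log only): per-signature granularity


# Constructed signatures; real IPS signatures are far richer than substrings.
SIGNATURES = [
    Signature("http-dir-traversal", "../", "high", "prevent"),
    Signature("p2p-bittorrent-handshake", "bittorrent protocol", "medium", "detect"),
]


def normalize_http(payload, max_rounds=3):
    """Preprocessing stage: percent-decode until the text stops changing (bounded),
    so that %2e%2e%2f and the double-encoded %252e%252e%252f both become '../'.
    Case is folded so patterns are compared case-insensitively."""
    text = payload
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def inspect(payload):
    """Matching plus postprocessing: returns ('drop' | 'pass', [matched ids]).
    Any matched signature set to prevent drops the packet; detect-only matches pass."""
    normalized = normalize_http(payload)
    matches = [s for s in SIGNATURES if s.pattern in normalized]
    action = "drop" if any(s.action == "prevent" for s in matches) else "pass"
    return action, [s.sid for s in matches]


class RedundancyFilter:
    """Log Redundancy Filter: at most one log entry per signature per window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.last_logged = {}

    def should_log(self, sid, timestamp):
        last = self.last_logged.get(sid)
        if last is None or timestamp - last >= self.window:
            self.last_logged[sid] = timestamp
            return True
        return False


def process_stream(events, window_seconds=30):
    """events: iterable of (timestamp_seconds, payload_text).
    Returns (number of dropped packets, list of (timestamp, sid, action) log entries)."""
    redundancy = RedundancyFilter(window_seconds)
    dropped = 0
    log = []
    for timestamp, payload in events:
        action, sids = inspect(payload)
        if action == "drop":
            dropped += 1
        for sid in sids:
            if redundancy.should_log(sid, timestamp):
                log.append((timestamp, sid, action))
    return dropped, log


# Constructed traffic: 100 encoded traversal attempts within 25 seconds (all
# dropped, one log line with a 30 s filter), one benign request, one P2P handshake.
ATTACK_BURST = [(i * 0.25, "GET /docs/%2e%2e%2f%2e%2e%2fetc/hosts HTTP/1.1") for i in range(100)]
BENIGN = [(40.0, "GET /index.html HTTP/1.1")]
P2P = [(41.0, "\x13BitTorrent protocol" + "\x00" * 8)]

if __name__ == "__main__":
    dropped, log = process_stream(ATTACK_BURST + BENIGN + P2P)
    print(f"dropped={dropped}")
    for entry in log:
        print(entry)
```

Without the normalization step the encoded requests would not match the plain “../” pattern at all, which is why the guide places decoding before matching; and without the redundancy filter the burst would produce 100 identical log lines instead of one.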
Configuring IPS Policies
This section allows the administrator to configure settings for individual
attacks.
1. Locate the type of attack that you would like to view. To sort by category, select a category from the Categories list box. To sort by priority, select a priority level from the Priority list box.
2. After locating a type of attack to configure, click its Configure icon. The Configure IPS dialog box appears.
3. Select whether attack detection for this type of attack is enabled, disabled, or uses the default global settings for the attack category from the Prevention list box.
4. Select whether attack prevention for this type of attack is enabled, disabled, or uses the default global settings for the attack category from the Detection list box.
5. Select which users or groups to include for this attack type in the Included Users/Groups list box.
6. Select which users or groups to exclude for this attack type in the Excluded Users/Groups list box.
7. Select an IP address range to include for this attack type in the Included IP Address Range list box.
8. Select an IP address range to exclude for this attack type in the Excluded IP Address Range list box.
9. Select a time range to enforce attack protection on this attack type from the Schedule list box.
10. Enter a timespan (in seconds) in the Log Redundancy Filter (seconds) field, or select the checkbox to Use Category Settings.
11. When you are finished, click Update. You are returned to the Intrusion Prevention page.
12. Repeat Steps 2 through 16 for each attack to edit.
13. To reset all attacks to their default settings, click Reset ALL IPS Settings and Policies.
Manual Upload of Keyset and Signature Files
GMS now enables you to manually upload signature files in instances when
the Internet is not active on your system. This is useful for SonicWALL security
appliances that do not have direct Internet connectivity such as those
deployed in high-security environments. In these situations, GMS retrieves the
new signatures and then uploads them to the SonicWALL security appliance.
To enable manual upload of signature files, perform the following steps:
1. Navigate to the Console Panel.
2. Click on the Management menu.
3. Click on the GMS Settings option. The GMS Settings dialog box displays.
4. Check the following checkbox:
   Firewalls managed by this GMS do not have Internet Access - This indicates that the SonicWALL appliances managed by GMS cannot directly reach the Internet.
Note
Note that keyset files will be uploaded at the time of registering a unit or when there is a change in the user license.
5. In the Policies tab, navigate to the System > Tools page to upload keyset and signature files.
6. Click the Upload Signatures Now button.
Configuring the SonicWALL RBL Filter
The Real-time Black List (RBL) section allows the administrator to block
sources of spam, malware and other unscrupulous infestations by way of
black-listing. In addition, SMTP servers may also be specified as “allowed” by
way of white-listing.
RBL list providers publish their lists via DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain using the inverted IP notation of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type of undesirability. To configure Real-time Black Listing:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click RBL Filter. The Global Security Client screen displays.
3. Check the Enable Real-time Black List Blocking checkbox to enable the service.
4. In the RBL DNS Servers drop-down list, choose to Inherit Settings from WAN Zone or Specify DNS Servers Manually.
5. If choosing to specify your DNS servers manually, enter the server names in the DNS Server (1, 2, 3) fields below.
6. Click the Add RBL Service link to add a new RBL domain.
7. Enter the RBL Domain you wish to block and check the appropriate responses in the RBL Blocked Responses section below. You also have the option to Block All Responses.
8. Click the OK button to save this new RBL Service.
9. Click the Update button to update these settings.
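How the lookup described above is formed (inverted IP prefixed to the list domain, answers in 127.0.0.2 to 127.0.0.9 meaning “listed”) and how the per-service RBL Blocked Responses / Block All Responses choices and the white-list decide on an SMTP peer, as an added Python example. This is not SonicWALL code: the list domains are placeholders under .invalid, the responses each list returns are constructed, and DNS is replaced by an in-memory resolver so the example runs offline.

```python
"""Added example (not SonicWALL code): forming an RBL lookup and applying the
blocked-response selection from the RBL Filter page to an SMTP peer address.
DNS is replaced by a constructed in-memory resolver so this runs offline."""
import ipaddress

LISTING_LOW = ipaddress.IPv4Address("127.0.0.2")
LISTING_HIGH = ipaddress.IPv4Address("127.0.0.9")

# Constructed RBL Services, mirroring the per-domain "RBL Blocked Responses" /
# "Block All Responses" choices.  The domains are placeholders, not real lists.
RBL_SERVICES = {
    "rbl.example.invalid": {"blocked_responses": {"127.0.0.2", "127.0.0.4"}},
    "all.example.invalid": {"block_all": True},
}


def rbl_query_name(smtp_server_ip, rbl_domain):
    """Inverted IP notation of the SMTP server as a prefix to the list domain:
    192.0.2.10 -> 10.2.0.192.rbl.example.invalid"""
    octets = str(ipaddress.IPv4Address(smtp_server_ip)).split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain


def is_listing_response(answer):
    """Answers from 127.0.0.2 to 127.0.0.9 indicate some type of undesirability;
    anything else (or no answer at all) means the server is not listed."""
    addr = ipaddress.IPv4Address(answer)
    return LISTING_LOW <= addr <= LISTING_HIGH


def decide(smtp_server_ip, resolve, services, allow_list=()):
    """Return ('allow' | 'block', reason).  resolve(name) returns the A records
    for a name, or [] when the name does not exist.  White-listed servers win."""
    if smtp_server_ip in allow_list:
        return "allow", "white-listed SMTP server"
    for domain, cfg in services.items():
        for answer in resolve(rbl_query_name(smtp_server_ip, domain)):
            if not is_listing_response(answer):
                continue
            selected = cfg.get("block_all") or answer in cfg.get("blocked_responses", ())
            if selected:
                return "block", f"{domain} answered {answer}"
    return "allow", "not listed"


# Constructed resolver standing in for the configured RBL DNS Servers.
FAKE_DNS = {
    "10.2.0.192.rbl.example.invalid": ["127.0.0.2"],  # listed with a selected response
    "20.2.0.192.rbl.example.invalid": ["127.0.0.3"],  # response not selected on this list...
    "20.2.0.192.all.example.invalid": ["127.0.0.3"],  # ...but the second list blocks everything
    "30.2.0.192.rbl.example.invalid": ["127.0.0.3"],  # listed, response not selected: allowed
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, decide(ip, fake_resolve, RBL_SERVICES))
    print(decide("192.0.2.10", fake_resolve, RBL_SERVICES, allow_list={"192.0.2.10"}))
```

The point of checking individual response codes rather than blocking on any answer is visible in the 192.0.2.30 case: a list may return a code the administrator has chosen not to act on, and a code outside 127.0.0.2 to 127.0.0.9 is not a listing at all.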
Configuring the SonicWALL Gateway Anti-Virus
To configure SonicWALL Gateway Anti-Virus to begin protecting your network, you need to perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click Gateway AntiVirus. The Gateway AntiVirus screen displays.
3. You can manually update your SonicWALL GAV database at any time by clicking the Update button. However, by default, the SonicWALL security appliance running SonicWALL GAV automatically checks for new signatures once an hour.
4. Check the Enable Gateway Anti-Virus checkbox.
5. If you have GMS managed UTM appliances running SonicOS Standard, select the interface you want to enable Gateway Anti-Virus on. You can select from WAN, LAN/WorkPort, DMZ/HomePort/WLAN/OPT.
6. Check the boxes corresponding to the Protocols you wish to enforce Inbound and Outbound inspection on.
Note
If your SonicWALL UTM appliance is running SonicOS Enhanced, you must enable Gateway Anti-Virus on the appropriate zone in the Network > Zones page before continuing.
Configuring GAV Settings
Perform the following steps to configure SonicWALL Gateway Anti-Virus
settings and notification preferences:
1. Select Enable Client Notification Alerts to send relevant blocked file notifications to users of the SonicWALL Desktop Anti-Virus client.
2. Select Disable SMTP Responses to suppress the sending of email notifications when viruses are blocked at the gateway.
3. Select Disable detection of EICAR test virus to ignore this test file. The EICAR file is a small file (but not actually a real virus) often used to test how virus protection mechanisms respond to a threat.
4. It is not recommended to check the options for Enable HTTP Byte-Range requests with Gateway AV or Enable FTP ‘REST’ requests with Gateway AV unless directed to do so by a SonicWALL representative.
5. Select Enable HTTP Clientless Notification Alerts to enable alerts about blocked content for clients who do not have SonicWALL Client Anti-Virus installed. These alerts are delivered by way of a standard HTML browser window. You may also enter a message below if using this notification type.
6. If Enable Gateway AV Exclusion List is enabled, the SonicWALL security appliance bypasses AV enforcement for a specified IP range. This requires the addition of an IPS Range.
Configuring GAV Protocols
Application-level awareness of the type of protocol that is transporting the
violation allows SonicWALL GAV to perform specific actions within the context
of the application to gracefully handle the rejection of the payload.
1. Select which types of traffic to Enable Inbound Inspection for.
2. To scan outgoing SMTP mail, select to Enable Outbound Inspection on SMTP.
3. For more granular control over protocol traffic inspection, click the settings icon for each of the protocols you choose. The settings window displays and allows you to restrict transfer of the following possibly dangerous file types:
Table 6 Gateway AV File Restrictions
File Type | Security Issues
Password protected ZIP files | This option only functions on protocols (e.g. HTTP, FTP, SMTP) that are enabled for inspection.
MS-Office type files containing macros | Transfers of any MS Office 97 and above files that contain VBA macros.
Packed executable files (UPX, FSG, etc.) | Disables the transfer of packed executable files. Packers are utilities which compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer adds a header that expands the file in memory, and then executes that file.
4. Click the Configure Gateway AV Settings link. The Gateway AV settings window displays. This window allows you to configure client notification alerts and create a SonicWALL GAV exclusion list.
5. To download the latest signature database from mysonicwall.com, click the Update Gateway AV Signature Database link.
6. Click the Update button when you are ready to save your changes.
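What a gateway has to look at in the file content to apply the three Table 6 restrictions, as an added Python example: the encryption bit in ZIP local file headers for password protected archives, a vbaProject.bin member in the ZIP-based Office 2007+ container for macro documents, and UPX section names in a PE section table for packed executables. This is not SonicWALL code and not how the appliance's scanner is implemented; the attachments are constructed in the block (a ZIP stream without a central directory and a PE-shaped blob with no optional header), legacy OLE-format Office files are explicitly not covered, and UPX is the only packer whose marker is checked.

```python
"""Added example (not SonicWALL code): content checks for the three Gateway AV
file restrictions in Table 6, run over constructed attachments."""
import struct
import zlib

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_LOCAL_FMT = "<4sHHHHHIIIHH"   # ZIP local file header, 30 bytes
ZIP_FLAG_ENCRYPTED = 0x0001        # general purpose bit 0

ALL_RESTRICTIONS = {"password_protected_zip", "office_macros", "packed_executable"}


def zip_local_headers(data):
    """Walk the local file headers of a ZIP stream and return (name, flags) pairs.
    Only local headers are read: they are what a gateway sees first in a stream."""
    entries = []
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        fields = struct.unpack_from(ZIP_LOCAL_FMT, data, pos)
        flags, csize, fnlen, extralen = fields[2], fields[7], fields[9], fields[10]
        name = data[pos + 30:pos + 30 + fnlen].decode("utf-8", "replace")
        entries.append((name, flags))
        pos += 30 + fnlen + extralen + csize
    return entries


def pe_section_names(data):
    """Section names from a PE image (MZ header -> e_lfanew -> COFF header -> table)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify_attachment(data, restrictions):
    """Return the enabled Table 6 restrictions that this attachment triggers."""
    reasons = []
    if data.startswith(ZIP_LOCAL_SIG):
        entries = zip_local_headers(data)
        # Password protected ZIP: any member with the encryption bit set.
        if "password_protected_zip" in restrictions and any(f & ZIP_FLAG_ENCRYPTED for _, f in entries):
            reasons.append("password_protected_zip")
        # Office 2007+ documents are ZIP containers; a VBA project is stored as vbaProject.bin.
        # Legacy .doc/.xls are OLE files and would need an OLE parser (not covered here).
        if "office_macros" in restrictions and any(n.lower().endswith("vbaproject.bin") for n, _ in entries):
            reasons.append("office_macros")
    if "packed_executable" in restrictions and data.startswith(b"MZ"):
        # UPX names its sections UPX0/UPX1; other packers (FSG etc.) need their own markers.
        if any(n.startswith("UPX") for n in pe_section_names(data)):
            reasons.append("packed_executable")
    return reasons


# --- constructed sample attachments ---------------------------------------

def build_local_header(name, payload, encrypted=False):
    """Constructed ZIP local file header plus stored payload (no central directory)."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    name_b = name.encode("utf-8")
    header = struct.pack(ZIP_LOCAL_FMT, ZIP_LOCAL_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(payload), len(payload), len(payload), len(name_b), 0)
    return header + name_b + payload


def build_fake_pe(section_names):
    """Constructed PE-shaped blob: DOS header with e_lfanew, PE signature, a COFF
    header declaring no optional header, and a section table with the given names."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8s32x", n.encode("ascii")) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    samples = {
        "encrypted.zip": build_local_header("secret.txt", b"hello", encrypted=True),
        "macro.docm": build_local_header("[Content_Types].xml", b"<x/>")
                      + build_local_header("word/vbaProject.bin", b"\0" * 8),
        "packed.exe": build_fake_pe(["UPX0", "UPX1", ".rsrc"]),
        "plain.zip": build_local_header("report.txt", b"ok"),
    }
    for name, blob in samples.items():
        print(name, classify_attachment(blob, ALL_RESTRICTIONS))
```

Each restriction is checked independently and only when enabled, matching the per-option checkboxes in the settings window; a password protected archive is flagged even though its contents cannot be scanned, which is exactly why the option exists.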
Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of
the SonicWALL GAV signature database. All the entries displayed in the
Gateway Anti-Virus Signatures table are from the SonicWALL GAV signature
database downloaded to your SonicWALL security appliance.
Note
Signature entries in the database change over time in response to
new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
Use Search String - Allows you to display signatures containing a specified
string entered in the Lookup Signatures Containing String field.
All Signatures - Displays all the signatures in the table, 50 to a page.
0 - 9 - Displays signature names beginning with the number you select from
the menu.
A-Z - Displays signature names beginning with the letter you select from the menu.
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway
Anti-Virus Signatures table. The Items field displays the table number of the
first signature. If you’re displaying the first page of a signature table, the entry
might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the
table.
Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the
Lookup Signatures Containing String field, then clicking the edit (Notepad)
icon. The signatures that match the specified string are displayed in the
Gateway Anti-Virus Signatures table.
Configuring the SonicWALL Anti-Spyware Service
SonicWALL Anti-Spyware is included within the SonicWALL Gateway Anti-Virus (GAV), Anti-Spyware and Intrusion Prevention Service (IPS) unified threat management solution. SonicWALL GAV, Anti-Spyware and IPS deliver a comprehensive, real-time gateway security solution for your entire network.
Activating the SonicWALL Anti-Spyware license on your SonicWALL security appliance does not automatically enable the protection. To configure SonicWALL Anti-Spyware to begin protecting your network, you need to perform the following steps:
1. Enable SonicWALL Anti-Spyware
2. Specify Spyware Danger Level Protection
3. Apply SonicWALL Anti-Spyware Protection to Zones
Note
For complete instructions on setting up SonicWALL Anti-Spyware Service, refer to the SonicWALL Anti-Spyware Service Administrator’s Guide available on the SonicWALL Web site http://www.sonicwall.com/us/Support.html
Once you have configured these basic anti-spyware protection settings, you can perform additional configuration options to tailor SonicWALL Anti-Spyware protection for your network environment.
Selecting Security Services > Anti-Spyware displays the configuration
settings for SonicWALL Anti-Spyware on your SonicWALL security appliance.
The Anti-Spyware page for the SonicOS Enhanced is divided into three
sections:
• Anti-Spyware Status - displays status information on the state of the signature database, your SonicWALL Anti-Spyware license, and other information.
• Anti-Spyware Global Settings - provides the key settings for enabling SonicWALL Anti-Spyware on your SonicWALL security appliance, specifying global SonicWALL Anti-Spyware protection based on three classes of spyware, and other configuration options.
• Anti-Spyware Signatures - shows the status and contents of your signature database.
Warning
After activating your SonicWALL Anti-Spyware license, you
must enable and configure SonicWALL Anti-Spyware on the
SonicWALL management interface before anti-spyware
policies are applied to your network traffic.
Enabling SonicWALL Anti-Spyware
SonicWALL Anti-Spyware must be globally enabled on your SonicWALL
security appliance. Select the Enable Anti-Spyware check box (a checkmark
is displayed), and then click Configure Anti-Spyware Settings to apply the
settings.
Checking the Enable Anti-Spyware check box does not automatically start
SonicWALL Anti-Spyware protection. You must also specify a Prevent All
action in the Signature Groups table to activate anti-spyware on the
SonicWALL security appliance, and then specify the zones you want to protect
on the Network > Zones page. You can also select Detect All for spyware
event logging and alerting.
Specifying Spyware Danger Level Protection
SonicWALL Anti-Spyware allows you to globally manage your network
protection against attacks by simply selecting the class of attacks: High
Danger Level Spyware, Medium Danger Level Spyware and Low Danger
Level Spyware.
Selecting the Prevent All and Detect All check boxes for High Danger Level
Spyware and Medium Danger Level Spyware in the Signature Groups
table, and then clicking Apply protects your network against the most
dangerous spyware.
Caution
SonicWALL recommends enabling Prevent All for High Danger
Level Spyware and Medium Danger Level Spyware signature
groups to provide anti-spyware protection against the most
damaging and disruptive spyware applications. You can also enable
Detect All for spyware logging and alerting.
SonicWALL Anti-Spyware also allows you to configure anti-spyware policies
at the category and signature level to provide flexible granularity for tailoring
SonicWALL Anti-Spyware protection based on your network environment
requirements. If you are running SonicOS Enhanced, you can apply these
custom SonicWALL Anti-Spyware policies to Address Objects, Address
Groups, and User Groups, as well as create enforcement schedules. For more
information, refer to the SonicWALL Anti-Spyware Administrator’s Guide
available on the SonicWALL Web site
http://www.sonicwall.com/us/Support.html
Applying SonicWALL Anti-Spyware Protection to Zones (Enhanced)
For SonicWALL security appliances running SonicOS Enhanced 3.0, you
apply SonicWALL Anti-Spyware to Zones on the Network > Zones page to
enforce SonicWALL Anti-Spyware not only between each network zone and
the WAN, but also between internal zones. For example, enabling SonicWALL
Anti-Spyware on the LAN zone enforces SonicWALL Anti-Spyware on all
incoming and outgoing LAN traffic.
In the Anti-Spyware Status section of the Security Services >
Anti-Spyware page, click the Network > Zones link to access the Network >
Zones page or select the Network > Zones page. You apply SonicWALL
Anti-Spyware policies to a zone listed on the Network > Zones page.
To enable SonicWALL Anti-Spyware on a zone, perform these steps:
1. In the SonicWALL security appliance management interface, select Network > Zones or, from the Anti-Spyware Status section on the Security Services > Anti-Spyware page, click the Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the Edit icon for the zone to which you want to apply SonicWALL IPS. The Edit Zone window is displayed.
3. Click the Enable Anti-Spyware Service checkbox. A checkmark appears. To disable SonicWALL Anti-Spyware Service, uncheck the box.
4. Click OK.
You can also enable SonicWALL IPS protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.
Configuring the Anti-Spyware Category
SonicWALL Anti-Spyware also allows you to configure anti-spyware policies at the category and signature level to provide flexible granularity for tailoring SonicWALL Anti-Spyware protection based on your network environment requirements. If you are using GMS to configure a device that runs SonicOS Enhanced, you can apply these custom SonicWALL Anti-Spyware policies to Address Objects, Address Groups, and User Groups, as well as create enforcement schedules. For more information, refer to the SonicWALL Anti-Spyware Administrator’s Guide available on the SonicWALL Web site http://www.sonicwall.com/us/Support.html.
Configure the fields in the Anti-Spyware Product Settings dialog box as
described in the following table.
Table 7 Anti-Spyware Product Settings
Field | Description
Prevention | Allows you to enable and disable intrusion prevention for the device.
Detection | Allows you to enable and disable intrusion detection for the device.
Included Users/Groups | Applies the anti-spyware settings to members of the following group types: All, Administrators, Everyone, Guest Services, Trusted Users, Content Filtering Bypass, and Limited Administrators.
Excluded Users/Groups | Does not apply the anti-spyware settings to members of the following group types: All, Administrators, Everyone, Guest Services, Trusted Users, Content Filtering Bypass, and Limited Administrators.
Included IP Address Range | Allows you to apply the anti-spyware settings to all users that fall within a specified IP address range of a specified category. For more details on the categories, see the table below.
For a bird’s eye view of the categories, refer to the following figure:
CHAPTER 21
Configuring High Availability
This chapter describes how to use SonicWALL GMS to configure High
Availability, which allows the administrator to specify a primary and backup
(secondary) SonicWALL appliance. In the case that the connection to the
primary device fails, connectivity will transfer to the backup device.
In addition, GMS can utilize the same device pairing technology to implement
different forms of load balancing. Load balancing helps regulate the flow of
network traffic by splitting that traffic between primary and secondary
SonicWALL devices. This chapter includes the following sections:
• “Configuring High Availability Settings” section on page 488
• “Configuring Advanced High Availability Settings” section on page 489
• “Monitoring High Availability” section on page 492
• “Verifying High Availability Status” section on page 493
Note
High Availability is available at the appliance level; it cannot be configured at the group level.
Configuring High Availability Settings
The High Availability feature configures a pair of SonicWALL appliances as a
primary and backup. The backup monitors the primary through a series of
heartbeats. If the backup detects that the primary is unavailable or has failed,
it will replace the primary.
The High Availability feature is available on the following SonicWALL
appliances:
• SonicWALL NSA Series
• SonicWALL NSA E-Class Series
• SonicWALL PRO 2040/3060/4060/4100/5060
To configure High Availability settings:
1. Select a SonicWALL appliance and click the Policies tab.
2. Expand the High Availability tree and click Settings. The High Availability page displays.
3. Select the Enable High Availability check box.
When a SonicWALL appliance becomes active after startup, it looks for an
active SonicWALL appliance that is configured for High Availability. If the
other appliance is active, it transitions to Idle mode. Sometimes, due to
network latency and other issues, it may take a while to find the other
SonicWALL appliance.
4. Enter the Serial Number of the Backup SonicWALL security appliance to be used in the High Availability pair.
5. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring Advanced High Availability Settings
The High Availability > Advanced page is used to configure the stateful
synchronization and Active/Active UTM features. The Advanced page also
provides the ability to fine tune a number of High Availability options that
manage the settings that trigger the High Availability pair to fail over from the
primary to the backup appliance.
To configure advanced High Availability settings, perform the following steps:
1. Select a SonicWALL appliance and click the Policies tab. Expand the High Availability tree and click Advanced.
2. Select the Enable Stateful Synchronization check box to configure stateful High Availability. With Stateful High Availability, the primary unit actively communicates with the backup on a per connection and VPN level. As the primary creates and updates connection cache entries or VPN tunnels, the backup unit is informed of such changes. The backup unit remains in a continuously synchronized state so that it can seamlessly assume the network responsibilities upon failure of the primary unit with no interruption to existing network connections.
Note
Stateful High Availability requires an additional license for the primary SonicWALL appliance. The license is shared between the primary and backup appliances.
3. To configure Active/Active UTM, select the Enable Active/Active UTM checkbox.
Note
Active/Active UTM is available on SonicWALL NSA series appliances running SonicOS Enhanced 5.5 or higher.
In an active/active model, both UTM appliances share the processing of Deep Packet Inspection (DPI) UTM services. When Active/Active UTM is enabled on a Stateful HA pair, these DPI UTM services can be processed concurrently with firewall, NAT, and other modules on both the active and idle UTM appliances. Processing of all modules other than DPI UTM services is restricted to the active unit.
4. If enabling Active/Active UTM, select an interface in the HA Data Interface drop-down list. This interface will be used for transferring data between the two units during Active/Active UTM processing. Only unassigned, available interfaces appear in the drop-down list.
5. Select the Enable Preempt Mode check box to configure the primary SonicWALL appliance to take over from the backup SonicWALL appliance when it becomes available. Otherwise, the backup SonicWALL appliance will remain active.
6. Select the Generate/Overwrite Backup Firmware and Settings When Upgrading Firmware check box to overwrite the current firmware backup settings when upgrading. With this option, the current settings at the time of upgrade will be saved as backup settings.
7. Select the Enable Virtual MAC check box. When the Stateful High Availability Upgrade is licensed, Virtual MAC capability is also licensed. Virtual MAC allows the backup unit in an HA pair to use the MAC address of the primary unit when a failover occurs. Alternatively, you can manually set a virtual MAC address for both units to use. Virtual MAC addressing contributes to network continuity and efficiency during a failover in the same way as the use of virtual IP addresses. During a failover, the backup unit uses the same virtual IP address that was used by the primary unit. The Virtual MAC feature avoids the need to update the whole network to associate the virtual IP address with the actual physical MAC address of the backup unit.
8. Optionally, you can fine tune the following options:
– Enter the heartbeat interval (in seconds) in the Heartbeat Interval field.
– Specify how long the backup waits before replacing the primary (in seconds) in the Failover Trigger Level field.
– To specify how long the SonicWALL appliance will look for the other appliance in the High Availability pair, enter the number of seconds in the Election Delay Time field. You can enter a value between 0 and 300 seconds, but the default value of 0 seconds is sufficient in most cases.
– Optionally, change the value in the Dynamic Route Hold-Down Time
field. This setting is used when a failover occurs on a High Availability
pair that is using either RIP or OSPF dynamic routing. When a failover
occurs, Dynamic Route Hold-Down Time is the number of seconds the
newly-active appliance keeps the dynamic routes it had previously
learned in its route table. During this time, the newly-active appliance
relearns the dynamic routes in the network. When the Dynamic Route
Hold-Down Time duration expires, it deletes the old routes and
implements the new routes it has learned from RIP or OSPF. The
default value is 45 seconds. In large or complex networks, a larger
value may improve network stability during a failover.
9. When changes are made to the Primary or Backup UTM appliance, the changes are automatically synchronized between the two UTM appliances. To cause the synchronization to occur now, click Synchronize Settings. Additionally, selecting the Include Certificates/Keys option will synchronize certificates and keys between devices.
10. To force the backup device to load and reboot to current firmware from the
primary device, click the Synchronize Firmware link.
11. When you are finished, click Update. The settings are changed for each
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Monitoring High Availability
On the High Availability > Monitoring page, you can specify IP addresses that
the SonicWALL security appliance performs an ICMP ping on to determine link
viability. When using logical monitors, the SonicWALL will ping the defined
Probe IP Address target from the Primary as well as the Backup SonicWALL.
If both can successfully ping the target, no failover occurs. If both cannot
successfully ping the target, no failover occurs, as the SonicWALLs will
assume that the problem is with the target, and not the SonicWALLs. But, if
one SonicWALL can ping the target but the other SonicWALL cannot, it will
failover to the SonicWALL that can ping the target.
To configure interface monitoring between the primary and backup appliances,
perform the following steps:
1. Expand the High Availability tree and click Monitoring. The Monitoring Settings page displays.
2. Click on the configure icon for the X0 interface. The Interface X0 Monitoring Settings window displays.
3. Enter the LAN management IP address for the primary appliance in the Primary IP Address field.
4. Enter the LAN management IP address for the backup appliance in the Backup IP Address field.
5. (Optional) Check the Enable Interface Monitoring checkbox and enter the IP address of a reliable device on the LAN network in the Probe IP Address field. This should be a downstream router or server. The primary and backup appliances will regularly ping this probe IP address. If both can successfully ping the target, no failover occurs. If neither can successfully ping the target, no failover occurs, because it is assumed that the problem is with the target, and not the SonicWALL appliances. But, if one appliance can ping the target but the other appliance cannot, failover will occur to the appliance that can ping the target.
6. (Optional) To manually specify the virtual MAC address, check the Manual Virtual MAC checkbox and enter a MAC address. SonicWALL recommends that you manually configure the virtual MAC address only if the appliances do not have Internet access (for example, in secure network environments). Allowing the appliances to retrieve the virtual MAC address from the SonicWALL backend eliminates the possibility of configuration errors and ensures the uniqueness of the virtual MAC address, which prevents possible conflicts.
7. Click OK.
8. Click on the configure icon for the X1 interface and repeat steps 3 through 7 for the WAN IP addresses on the primary and backup appliances.
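The heartbeat, Preempt Mode and probe rules stated in steps 5 and 8 of the Advanced procedure and in step 5 above can be read as a small state machine. The following is an added illustration written for this guide, not SonicWALL or GMS code: it uses constructed timings (a 5-second Heartbeat Interval, a 15-second Failover Trigger Level treated as seconds, as the page describes it) and shows when the backup takes over, what Preempt Mode changes when the primary returns, and why the Probe IP Address check moves the active role only when exactly one unit can reach the target.

```python
"""Model of the High Availability decisions described in this chapter.

Added illustration, not SonicWALL or GMS code. With constructed timings it
models three rules the text states:
  1. The backup replaces the primary once it has heard no heartbeat for
     longer than the Failover Trigger Level (taken here, as on the page,
     as a number of seconds).
  2. With Preempt Mode enabled the primary takes the active role back when
     it returns; otherwise the backup remains active.
  3. Probe-IP monitoring fails over only when exactly one unit can reach
     the probe target; if both or neither can, the target is blamed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class HaPair:
    heartbeat_interval: float = 5.0   # seconds between primary heartbeats (sample value)
    failover_trigger: float = 15.0    # seconds of silence before the backup takes over
    preempt: bool = False             # Enable Preempt Mode
    active: str = "primary"           # unit currently holding the active role
    last_heartbeat: float = 0.0       # time (s) the backup last heard the primary
    log: List[Tuple[float, str]] = field(default_factory=list)

    def primary_heartbeat(self, now: float) -> None:
        """Primary sends a heartbeat; the backup records it. If the primary had
        failed and Preempt Mode is on, it retakes the active role at once."""
        self.last_heartbeat = now
        if self.active == "backup" and self.preempt:
            self.active = "primary"
            self.log.append((now, "preempt: primary active again"))

    def backup_check(self, now: float) -> str:
        """Backup's periodic check: fail over once the primary has been silent
        for longer than the Failover Trigger Level."""
        silent_for = now - self.last_heartbeat
        if self.active == "primary" and silent_for > self.failover_trigger:
            self.active = "backup"
            self.log.append((now, f"failover: primary silent {silent_for:.0f}s"))
        return self.active


def run_scenario(preempt: bool) -> HaPair:
    """Constructed timeline: primary heartbeats for 30 s, is silent for 40 s,
    then returns. Returns the pair so its state and event log can be inspected."""
    ha = HaPair(preempt=preempt)
    t = 0.0
    while t <= 30:                      # healthy period: heartbeat every interval
        ha.primary_heartbeat(t)
        ha.backup_check(t)
        t += ha.heartbeat_interval
    while t <= 70:                      # primary down: backup only runs its checks
        ha.backup_check(t)
        t += ha.heartbeat_interval
    ha.primary_heartbeat(t)             # primary returns at t = 75
    ha.backup_check(t)
    return ha


def probe_failover(active: str, primary_reaches_probe: bool,
                   backup_reaches_probe: bool) -> str:
    """Logical-monitor rule from the Monitoring page: the active role moves
    only when exactly one unit can ping the Probe IP Address."""
    if primary_reaches_probe == backup_reaches_probe:
        return active      # both succeed or both fail: the target is suspected, not the pair
    return "primary" if primary_reaches_probe else "backup"


if __name__ == "__main__":
    for mode in (False, True):
        pair = run_scenario(preempt=mode)
        print(f"preempt={mode}: active={pair.active}, events={pair.log}")
    print(probe_failover("primary", False, True))   # backup
```

In the scenario the backup declares failover at t = 50 s, the first check at which the silence (20 s) exceeds the 15-second trigger; with Preempt Mode off the backup stays active after the primary returns, with it on the primary is active again at t = 75 s. The probe rule is deliberately symmetric: a dead probe target must not trigger a failover, which is why both-fail and both-succeed leave the pair untouched.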
Verifying High Availability Status
Under the unit view, GMS displays whether an appliance is the primary or
secondary unit on the System>Status page under the Management heading.
For more information, see “Viewing System Status” on page 122.
Another method to determine which SonicWALL is active is to check the High
Availability Settings Status indicator on the High Availability > Settings
page. If the primary SonicWALL is active, the first line in the page indicates
that the primary SonicWALL is currently Active. It is also possible to check the
status of the backup SonicWALL by logging into the LAN IP Address of the
backup SonicWALL. If the primary SonicWALL is operating normally, the
status indicates that the backup SonicWALL is currently Idle. If the backup has
taken over for the primary, the status indicates that the backup is currently
Active.
Using the GEM framework, you can also configure GMS to send email alerts
when there is a change in the status of the High Availability pair. You can
configure an alert using the Unit HF Status alert type. For information on how
to configure alerts, see the Granular Event Management chapter.
You can also view details on High Availability events in the GMS log, which is
available on the Console tab under the Log tree. See “Configuring Log
Settings” on page 277 for more information.
CHAPTER 22
Configuring SonicPoints
This chapter describes how to configure SonicPoint managed secure wireless
access points.
This chapter includes the following sections:
• “Managing SonicPoints” section on page 496
• “Viewing Station Status” section on page 511
• “Using and Configuring SonicPoint IDS” section on page 513
• “Using and Configuring Virtual Access Points” section on page 516
Managing SonicPoints
Managing SonicPoints
The SonicPoint section of GMS lets you manage the SonicPoints connected
to your system.
Before Managing SonicPoints
Before you can manage SonicPoints in GMS, you must first:
• Configure your SonicPoint Provisioning Profiles
• Configure a Wireless zone
• Assign profiles to wireless zones
This step is optional. If you do not assign a default profile for a zone, SonicPoints in that zone will use the first profile in the list.
• Assign an interface to the Wireless zone
• Attach the SonicPoints to the interfaces in the Wireless zone
• Test SonicPoints
SonicPoint Provisioning Profiles
SonicPoint Provisioning Profiles provide a scalable and highly automated
method of configuring and provisioning multiple SonicPoints across a
Distributed Wireless Architecture. SonicPoint Profile definitions include all of
the settings that can be configured on a SonicPoint, such as radio settings for
the 2.4GHz and 5GHz radios, SSID’s, and channels of operation.
Once you have defined a SonicPoint profile, you can apply it to a Wireless
zone. Each Wireless zone can be configured with one SonicPoint profile. Any
profile can apply to any number of zones.
Table 8 Default SonicPoint Profile
Setting | 802.11a Radio | 802.11g Radio | 802.11n Radio
Enable Radio | Yes - Always on | Yes - Always on | Yes - Always on
SSID | sonicwall | sonicwall | sonicwall-D790 (where D790 is an example; this is determined by the hardware address)
Radio Mode | 54Mbps 802.11a | 2.4 GHz 54Mbps 802.11g | 2.4 GHz 802.11n/g/b Mixed
Channel | AutoChannel | AutoChannel | AutoChannel
ACL Enforcement | Disabled | Disabled | Disabled
Authentication Type | WEP - Both Open System & Shared Key | WEP - Both Open System & Shared Key | WEP - Both Open System & Shared Key
Schedule IDS Scan | Disabled | Disabled | Disabled
Data Rate | Best | Best | Best
Antenna Diversity | Best | Best | Best
Configuring a SonicPoint Profile
The SonicPoint profile configuration process for 802.11n is slightly different from that for 802.11a or 802.11g. The following sections describe how to configure SonicPoint profiles:
• “Configuring a SonicPointN Profile for 802.11n” on page 498
• “Configuring a SonicPoint Profile for 802.11a or 802.11g” on page 504
Configuring a SonicPointN Profile for 802.11n
You can add any number of SonicPoint profiles. To configure a SonicPoint
provisioning profile:
Step 1
To add a new profile click Add SonicPointN below the list of SonicPoint
802.11n provisioning profiles. To edit an existing profile, select the
profile and click the Configure icon in the same line as the profile you
are editing.
Step 2
In the General tab of the Add Profile window, specify:
– Enable SonicPoint: Check this to automatically enable each
SonicPoint when it is provisioned with this profile.
– Retain Settings: Check this to have the SonicPointNs provisioned by
this profile retain these settings until the appliance is rebooted.
– Name Prefix: Enter a prefix for the names of all SonicPointNs
connected to this zone. When each SonicPointN is provisioned it is
given a name that consists of the name prefix and a unique number,
for example: “SonicPoint 126008.”
– Country Code: Select the country where you are operating the
SonicPointNs. The country code determines which regulatory domain
the radio operation falls under.
Step 3
In the 802.11n tab, configure the radio settings for the 802.11n radio:
– Enable Radio: Check this to automatically enable the 802.11n radio
bands on all SonicPoints provisioned with this profile.
– Radio Mode: Select your preferred radio mode from the Radio Mode
menu. The wireless security appliance supports the following modes:
•2.4GHz 802.11n Only - Allows only 802.11n clients access to your
wireless network. 802.11a/b/g clients are unable to connect under
this restricted radio mode.
•2.4GHz 802.11n/g/b Mixed - Supports 802.11b, 802.11g, and
802.11n clients simultaneously. If your wireless network comprises
multiple types of clients, select this mode.
Tip
For optimal throughput speed solely for 802.11n clients, SonicWALL
recommends the 802.11n Only radio mode. Use the 802.11n/b/g
Mixed radio mode for multiple wireless client authentication
compatibility.
•2.4GHz 802.11g Only - If your wireless network consists only of
802.11g clients, you may select this mode for increased 802.11g
performance. You may also select this mode if you wish to prevent
802.11b clients from associating.
•5 GHz 802.11n Only - Allows only 802.11n clients access to your
wireless network. 802.11a/b/g clients are unable to connect under
this restricted radio mode.
•5 GHz 802.11n/a Mixed - Supports 802.11n and 802.11a clients
simultaneously. If your wireless network comprises both types of
clients, select this mode.
•5 GHz 802.11a Only - Select this mode if only 802.11a clients
access your wireless network.
– SSID: Enter a recognizable string for the SSID of each SonicPoint
using this profile. This is the name that will appear in clients’ lists of
available wireless connections.
Note
If all SonicPoints in your organization share the same SSID, it is
easier for users to maintain their wireless connection when roaming
from one SonicPoint to another.
When the wireless radio is configured for a mode that supports 802.11n, the
following options are displayed:
Radio Band (802.11n only): Sets the band for the 802.11n radio:
• Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
• Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel pull-down menu is displayed.
– Standard Channel - This pull-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.
• Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel pull-down menus are displayed:
– Primary Channel - By default this is set to Auto. Optionally, you can
specify a specific primary channel.
– Secondary Channel - The configuration of this pull-down menu is
controlled by your selection for the primary channel:
•If the primary channel is set to Auto, the secondary channel is also
set to Auto.
•If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
Enable Short Guard Interval: Specifies the short guard interval of 400ns (as
opposed to the standard guard interval of 800ns). The guard interval is a
pause in transmission intended to avoid data loss from interference or
multipath delays.
Enable Aggregation: Enables 802.11n frame aggregation, which combines
multiple frames to reduce overhead and increase throughput.
Tip
The Enable Short Guard Interval and Enable Aggregation options
can slightly improve throughput. They both function best in optimum
network conditions where users have strong signals with little
interference. In networks that experience less than optimum
conditions (interference, weak signals, etc.), these options may
introduce transmission errors that eliminate any efficiency gains in
throughput.
ACL Enforcement: Select this to enforce Access Control by allowing or
denying traffic from specific devices. Select a MAC address group from the
Allow List to automatically allow traffic from all devices with MAC address in
the group. Select a MAC address group from the Deny List to automatically
deny traffic from all devices with MAC address in the group. The deny list is
enforced before the Allow list.
Step 4
In the Wireless Security section of the 802.11n Radio tab, configure
the following settings:
– Authentication Type: Select the method of authentication for your
wireless network. You can select WEP - Both (Open System &
Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK,
WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, and
WPA2-AUTO-EAP.
WEP Configuration
– WEP Key Mode: Select the size of the encryption key.
– Default Key: Select which key in the list below is the default key,
which will be tried first when trying to authenticate a user.
– Key Entry: Select whether the key is alphanumeric or hexadecimal.
– Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most likely to be used in the field you selected as the default key.
WPA or WPA2 Configuration:
– Cipher Type: The cipher that encrypts your wireless data. Choose
either TKIP (older, more compatible), AES (newer, more secure), or
Both (backward compatible).
– Group Key Interval: The time period for which a Group Key is valid. The default value is 86400 seconds. Setting too low a value can cause connection issues.
– Passphrase (PSK only): This is the passphrase your network users
must enter to gain network access.
– RADIUS Server Settings (EAP Only): Configure settings for your
RADIUS authentication server.
Step 5
In the Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.
– Hide SSID in Beacon: Check this option to have the SSID broadcast
as part of the wireless beacon, rather than as a separate broadcast.
– Schedule IDS Scan: Select a time when there are fewer demands on
the wireless network to schedule an Intrusion Detection Service (IDS)
scan to minimize the inconvenience of dropped wireless connections.
– Data Rate: Select the speed at which the data is transmitted and
received. Best automatically selects the best rate available in your
area given interference and other factors. Or you can manually select
a data rate.
– Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
– Antenna Diversity: The Antenna Diversity setting determines which
antenna the SonicPoint uses to send and receive data. When Best is
selected, the SonicPoint automatically selects the antenna with the
strongest, clearest signal.
– Beacon Interval (milliseconds): Enter the number of milliseconds
between sending out a wireless beacon.
– DTIM Interval: Enter the interval in milliseconds.
– Fragmentation Threshold (bytes): Enter the number of bytes of
fragmented data you want the network to allow.
– RTS Threshold (bytes): Enter the number of bytes.
– Maximum Client Associations: Enter the maximum number of
clients you want the SonicPoint to support on this radio at one time.
– Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host. You can select Long or Short.
– Protection Mode: Select the CTS or RTS protection. Select None,
Always, or Auto. None is the default.
– Protection Rate: Select the speed for the CTS or RTS protection, 1
Mbps, 2 Mbps, 5 Mbps, or 11 Mbps.
– Protection Type: Select the type of protection, CTS-only or
RTS-CTS.
– Enable Short Slot Time: Allow clients to disassociate and
reassociate more quickly.
– Allow Only 802.11g Clients to Connect: Use this if you are using
Turbo G mode and therefore are not allowing 802.11b clients to
connect.
When a SonicPoint unit is first connected and powered up, it will have a factory
default configuration (IP address 192.168.1.20, username: admin, password:
password). Upon initializing, it will attempt to find a SonicOS device with which
to peer. If it is unable to find a peer SonicOS device, it will enter into a
stand-alone mode of operation with a separate stand-alone configuration
allowing it to operate as a standard Access Point.
If the SonicPoint does locate, or is located by a peer SonicOS device, via the
SonicWALL Discovery Protocol, an encrypted exchange between the two units
will ensue wherein the profile assigned to the relevant Wireless zone will be
used to automatically configure (provision) the newly added SonicPoint unit.
As part of the provisioning process, SonicOS will assign the discovered
SonicPoint device a unique name, and it will record its MAC address and the
interface and zone on which it was discovered. It can also automatically assign
the SonicPoint an IP address, if so configured, so that the SonicPoint can
communicate with an authentication server for WPA-EAP support. SonicOS
will then use the profile associated with the relevant zone to configure the
2.4GHz and 5GHz radio settings.
Modifications to profiles will not affect units that have already been
provisioned and are in an operational state. Configuration changes to
operational SonicPoint devices can occur in two ways:
• Via manual configuration changes – Appropriate when a single change, or a small set of changes, is to be effected, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.
• Via un-provisioning – Deleting a SonicPoint unit effectively un-provisions the unit, or clears its configuration and places it into a state where it will automatically engage the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed, and the change is set for propagation. It can be used to update firmware on SonicPoints, or to simply and automatically update multiple SonicPoint units in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause service disruptions.
Configuring a SonicPoint Profile for 802.11a or 802.11g
You can add any number of SonicPoint profiles. To configure a SonicPoint
provisioning profile:
Step 1
To add a new profile click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing.
Step 2
In the General tab of the Add Profile window, specify:
– Enable SonicPoint: Check this to automatically enable each
SonicPoint when it is provisioned with this profile.
– Retain Settings: Check this to have the SonicPoints provisioned by
this profile retain these settings until the appliance is rebooted.
– Enable RF Monitoring: Check this to enable RF monitoring on the
SonicPoints.
– Name Prefix: Enter a prefix for the names of all SonicPoints
connected to this zone. When each SonicPoint is provisioned it is
given a name that consists of the name prefix and a unique number,
for example: “SonicPoint 126008.”
– Country Code: Select the country where you are operating the
SonicPoints. The country code determines which regulatory domain
the radio operation falls under.
Step 3
In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio:
– Enable 802.11g Radio: Check this to automatically enable the
802.11g radio bands on all SonicPoints provisioned with this profile.
– SSID: Enter a recognizable string for the SSID of each SonicPoint
using this profile. This is the name that will appear in clients’ lists of
available wireless connections.
Note
If all SonicPoints in your organization share the same SSID, it is
easier for users to maintain their wireless connection when roaming
from one SonicPoint to another.
– Radio Mode: Select the speed of the wireless connection. You can
choose 11Mbps - 802.11b, 54 Mbps - 802.11g, or 108 Mbps - Turbo
G mode. If you choose Turbo mode, all users in your company must
use wireless access cards that support turbo mode.
– Channel: Select the channel the radio will operate on. The default is
AutoChannel, which automatically selects the channel with the least
interference. Use AutoChannel unless you have a specific reason to
use or avoid specific channels.
– ACL Enforcement: Select this to enforce Access Control by allowing
or denying traffic from specific devices. Select a MAC address group
from the Allow List to automatically allow traffic from all devices with
MAC address in the group. Select a MAC address group from the
Deny List to automatically deny traffic from all devices with MAC
address in the group. The deny list is enforced before the Allow list.
– Authentication Type: Select the method of authentication for your
wireless network. You can select WEP - Both (Open System &
Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK,
WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, and
WPA2-AUTO-EAP.
– WEP Key Mode: Select the size of the encryption key.
– Default Key: Select which key in the list below is the default key,
which will be tried first when trying to authenticate a user.
– Key Entry: Select whether the key is alphanumeric or hexadecimal.
– Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most likely to be used in the field you selected as the default key.
Step 4
In the 802.11g Advanced tab, configure the performance settings for
the 802.11g radio. For most 802.11g advanced options, the default
settings give optimum performance.
– Hide SSID in Beacon: Check this option to have the SSID broadcast
as part of the wireless beacon, rather than as a separate broadcast.
– Schedule IDS Scan: Select a time when there are fewer demands on
the wireless network to schedule an Intrusion Detection Service (IDS)
scan to minimize the inconvenience of dropped wireless connections.
– Data Rate: Select the speed at which the data is transmitted and
received. Best automatically selects the best rate available in your
area given interference and other factors. Or you can manually select
a data rate.
– Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
– Antenna Diversity: The Antenna Diversity setting determines which
antenna the SonicPoint uses to send and receive data. You can select:
•Best: This is the default setting. When Best is selected, the
SonicPoint automatically selects the antenna with the strongest,
clearest signal. In most cases, Best is the optimal setting.
•1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing
the rear of the SonicPoint, antenna 1 is on the left, closest to the
power supply.
•2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing
the rear of the SonicPoint, antenna 2 is on the right, closest to the
console port.
– Beacon Interval (milliseconds): Enter the number of milliseconds
between sending out a wireless beacon.
– DTIM Interval: Enter the interval in milliseconds.
– Fragmentation Threshold (bytes): Enter the number of bytes of
fragmented data you want the network to allow.
– RTS Threshold (bytes): Enter the number of bytes.
– Maximum Client Associations: Enter the maximum number of
clients you want the SonicPoint to support on this radio at one time.
– Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host. You can select Long or Short.
– Protection Mode: Select the CTS or RTS protection. Select None,
Always, or Auto. None is the default.
– Protection Rate: Select the speed for the CTS or RTS protection, 1
Mbps, 2 Mbps, 5 Mbps, or 11 Mbps.
– Protection Type: Select the type of protection, CTS-only or
RTS-CTS.
– CCK OFDM Power Delta: Select the difference in radio transmit
power you will allow between the 802.11b and 802.11g modes: 0 dBm,
1 dBm, or 2 dBm.
– Enable Short Slot Time: Allow clients to disassociate and
reassociate more quickly.
– Allow Only 802.11g Clients to Connect: Use this if you are using
Turbo G mode and therefore are not allowing 802.11b clients to
connect.
Step 5
Configure the settings in the 802.11a Radio and 802.11a Advanced
tabs. These settings affect the operation of the 802.11a radio bands.
The SonicPoint has two separate radios built in. Therefore, it can send
and receive on both the 802.11a and 802.11g bands at the same time.
The settings in the 802.11a Radio and 802.11a Advanced tabs are similar to
the settings in the 802.11g Radio and 802.11g Advanced tabs. Follow the
instructions in step 3 and step 4 in this procedure to configure the 802.11a
radio.
When a SonicPoint unit is first connected and powered up, it will have a factory
default configuration (IP address 192.168.1.20, username: admin, password:
password). Upon initializing, it will attempt to find a SonicOS device with which
to peer. If it is unable to find a peer SonicOS device, it will enter into a
stand-alone mode of operation with a separate stand-alone configuration
allowing it to operate as a standard Access Point.
If the SonicPoint does locate, or is located by a peer SonicOS device, via the
SonicWALL Discovery Protocol, an encrypted exchange between the two units
will ensue wherein the profile assigned to the relevant Wireless zone will be
used to automatically configure (provision) the newly added SonicPoint unit.
As part of the provisioning process, SonicOS will assign the discovered
SonicPoint device a unique name, and it will record its MAC address and the
interface and zone on which it was discovered. It can also automatically assign
the SonicPoint an IP address, if so configured, so that the SonicPoint can
communicate with an authentication server for WPA-EAP support. SonicOS
will then use the profile associated with the relevant zone to configure the
2.4GHz and 5GHz radio settings.
Modifications to profiles will not affect units that have already been
provisioned and are in an operational state. Configuration changes to
operational SonicPoint devices can occur in two ways:
• Via manual configuration changes – Appropriate when a single change, or a small set of changes, is to be effected, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.
• Via un-provisioning – Deleting a SonicPoint unit effectively un-provisions the unit, or clears its configuration and places it into a state where it will automatically engage the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed, and the change is set for propagation. It can be used to update firmware on SonicPoints, or to simply and automatically update multiple SonicPoint units in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause service disruptions.
Updating SonicPoint Settings
You can change the settings of any individual SonicPoint listed on the SonicPoint > SonicPoints page.
Edit SonicPoint settings
To edit the settings of an individual SonicPoint:
1. Under SonicPoint Settings, click the Edit icon in the same line as the SonicPoint you want to edit.
2. In the Edit SonicPoint screen, make the changes you want. The Edit SonicPoint screen has the following tabs:
– General
– 802.11a Radio
– 802.11a Advanced
– 802.11g Radio
– 802.11g Advanced
The options on these tabs are the same as the Add SonicPoint Profile screen. See “SonicPoint Provisioning Profiles” for instructions on configuring these settings.
3. Click OK to apply these settings.
Synchronize SonicPoints
Click Synchronize SonicPoints at the top of the SonicPoint > SonicPoints
page to update the settings for each SonicPoint reported on the page. When
you click Synchronize SonicPoints, SonicOS polls all connected
SonicPoints and displays updated settings on the page.
Enable and Disable Individual SonicPoints
You can enable or disable individual SonicPoints on the
SonicPoint > SonicPoints page:
1. Check the box under Enable to enable the SonicPoint, or uncheck the box to disable it.
2. Click Apply at the top of the SonicPoint > SonicPoints page to apply this setting to the SonicPoint.
3. Click the SonicPoints option.
GMS displays the SonicPoints dialog box.
4. Click Add.
GMS displays the Add SonicPoint Profile dialog box containing a series of tabs.
SonicPoint WLAN Scheduling
GMS now supports scheduling activation of both 802.11a Radio and 802.11g
Radio devices. To schedule these devices, perform the following steps:
1. Navigate to the Policies Panel.
2. Select either a SonicPoint G or SonicPoint A device in the unit list.
3. In the Navigation Bar, click the SonicPoint menu to display SonicPoint options.
4. Click the SonicPoints option.
GMS displays the SonicPoints dialog box.
5. Click on an existing SonicPoint device in the device list or click Add.
GMS displays the SonicPoint Profile dialog box containing a series of tabs.
6. Click either the 802.11g Radio or 802.11a Radio tab, depending on which device you want to schedule.
7. Click on the Schedule list box at the top of the screen to the right of the Enable checkbox.
The following figure is an example of a scheduling list box (for 802.11g).
Updating SonicPoint Firmware
SonicOS Enhanced 2.5 (or greater) contains an image of the SonicPoint
firmware. When you connect a SonicPoint to a security appliance running
SonicOS Enhanced 2.5 (or greater), the appliance checks the version of the
SonicPoint’s firmware, and automatically updates it, if necessary.
Automatic Provisioning (SDP & SSPP)
The SonicWALL Discovery Protocol (SDP) is a layer 2 protocol employed by
SonicPoints and devices running SonicOS Enhanced 2.5 and higher. SDP is
the foundation for the automatic provisioning of SonicPoint units via the
following messages:
• Advertisement – SonicPoint devices without a peer will periodically, and on startup, announce or advertise themselves via a broadcast. The advertisement will include information that will be used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS device will then report the state of all peered SonicPoints, and will take configuration actions as needed.
• Discovery – SonicOS devices will periodically send discovery request broadcasts to elicit responses from L2 connected SonicPoint units.
• Configure Directive – A unicast message from a SonicOS device to a specific SonicPoint unit to establish encryption keys for provisioning, and to set the parameters for and to engage configuration mode.
• Configure Acknowledgement – A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.
• Keepalive – A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.
If via the SDP exchange the SonicOS device ascertains that the SonicPoint
requires provisioning or a configuration update (e.g. on calculating a
checksum mismatch, or when a firmware update is available), the Configure
directive will engage a 3DES encrypted, reliable TCP based SonicWALL
Simple Provisioning Protocol (SSPP) channel. The SonicOS device will then
send the update to the SonicPoint via this channel, and the SonicPoint will
restart with the updated configuration. State information will be provided by the
SonicPoint, and will be viewable on the SonicOS device throughout the entire
discovery and provisioning process.
Viewing Station Status
Station Status allows the administrator to view status and individual statistics
for all SonicPoint devices connected to the currently selected UTM appliance.
Event and Statistics Reporting
The SonicPoint > Station Status page reports on the statistics of each
SonicPoint.
The table lists entries for each wireless client connected to each SonicPoint.
The sections of the table are divided by SonicPoint. Under each SonicPoint,
is the list of all clients currently connected to it.
Click the Refresh button in the top right corner to refresh the list.
By default, the page displays the first 50 entries found. Click the First Page, Previous Page, Next Page, and Last Page icons to navigate if you need to view more than 50 entries.
Each SonicPoint device reports for both radios, and for each station, the
following information to its SonicOS peer:
• MAC Address – The client’s (Station’s) hardware address
• Station State – The state of the station. States can include:
– None – No state information yet exists for the station
– Authenticated – The station has successfully authenticated.
– Associated – The station is associated.
– Joined – The station has joined the ESSID.
– Connected – The station is connected (joined, authenticated or associated).
– Up – An Access Point state, indicating that the Access Point is up and running.
– Down – An Access Point state, indicating that the Access Point is not running.
• Associations – Total number of Associations since power up.
• Dis-Associations – Total number of Dis-Associations.
• Re-Associations – Total number of Re-Associations.
• Authentications – Number of Authentications.
• De-Authentications – Number of De-Authentications.
• Good Frames Received – Total number of good frames received.
• Good Frames Transmitted – Total number of good frames transmitted.
• Error in Receive Frames – Total number of error frames received.
• Error in Transmit Frames – Total number of error frames transmitted.
• Discarded Frames – Total number of frames discarded. Discarded frames are generally a sign of network congestion.
• Total Bytes Received – Total number of bytes received.
• Total Bytes Transmitted – Total number of bytes transmitted.
• Management Frames Received – Total number of Management frames received. Management Frames include:
– Association request
– Association response
– Re-association request
– Re-association response
– Probe request
– Probe response
– Beacon frame
– ATIM message
– Disassociation
– Authentication
– De-authentication
• Management Frames Transmitted – Total number of Management frames transmitted.
• Control Frames Received – Total number of Control frames received. Control frames include:
– RTS – Request to Send
– CTS – Clear to Send
– ACK – Positive Acknowledgement
• Control Frames Transmitted – Total number of Control frames transmitted.
• Data Frames Received – Total number of Data frames received.
• Data Frames Transmitted – Total number of Data frames transmitted.
Using and Configuring SonicPoint IDS
Intrusion Detection Services should be configured before using wireless
access points.
Detecting SonicPoint Access Points
You can have many wireless access points within reach of the signal of the
SonicPoints on your network. The SonicPoint > IDS page reports on all
access points the TZ 170 Wireless can find by scanning the 802.11a and
802.11g radio bands.
Wireless Intrusion Detection Services
Intrusion Detection Services (IDS) greatly increase the security capabilities of
the TZ 170 with SonicOS Enhanced by enabling it to recognize and even take
countermeasures against the most common types of illicit wireless activity.
IDS consists of three types of services, namely, Sequence Number Analysis,
Association Flood Detection, and Rogue Access Point Detection. IDS logging
and notification can be enabled under Log > Enhanced Log Settings by
selecting the WLAN IDS checkbox under Log Categories and Alerts.
Intrusion Detection Settings
Rogue Access Points have emerged as one of the most serious and insidious
threats to wireless security. In general terms, an access point is considered
rogue when it has not been authorized for use on a network. The convenience,
affordability and availability of non-secure access points, and the ease with
which they can be added to a network create an easy environment for
introducing rogue access points. Specifically, the real threat emerges in a
number of different ways, including unintentional and unwitting connections to
the rogue device, transmission of sensitive data over non-secure channels,
and unwanted access to LAN resources. So while this doesn't represent a
deficiency in the security of a specific wireless device, it is a weakness to the
overall security of wireless networks.
The security appliance can alleviate this weakness by recognizing rogue
access points potentially attempting to gain access to your network. It
accomplishes this in two ways: active scanning for access points on all
802.11a and 802.11g channels, and passive scanning (while in Access Point
mode) for beaconing access points on a single channel of operation.
Scanning for Access Points
Active scanning occurs when the security appliance starts up, and at any time
Scan Now is clicked on the SonicPoint > IDS page. When the security
appliance performs a scan, a temporary interruption of wireless clients occurs
for no more than a few seconds. This interruption manifests itself as follows:
• Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
• Persistent connections (protocols such as FTP) are impaired or severed.
• WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client.
Warning
If service disruption is a concern, it is recommended that the
Scan Now feature not be used while the TZ 170 Wireless is in
Access Point mode until such a time that no clients are active,
or the potential for disruption becomes acceptable.
Discovered Access Points
The Discovered Access Points table displays information on every access point that can be detected by the SonicPoint radio:
• SonicPoint: The SonicPoint that detected the access point.
• MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
• SSID: The radio SSID of the access point.
• Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
• Channel: The radio channel used by the access point.
• Manufacturer: The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWALL or Senao.
• Signal Strength: The strength of the detected radio signal.
• Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
• Authorize: Click the Authorize icon to add the access point to the address object group of authorized access points.
If you have more than one SonicPoint, you can select an individual device
from the SonicPoint list to limit the Discovered Access Points table to
display only scan results from that SonicPoint. Select All SonicPoints to
display scan results from all SonicPoints.
Authorizing Access Points on Your Network
Access Points detected by the security appliance are regarded as rogues until
they are identified to the security appliance as authorized for operation. To
authorize an access point, it can be manually added to the Authorized
Access Points list by clicking the Edit icon in the Authorize column and
specifying its MAC address (BSSID) along with an optional comment.
Alternatively, if an access point is discovered by the security appliance
scanning feature, it can be added to the list by clicking the Authorize icon.
When a SonicPoint detects a non-SonicPoint access point, a table with the
following information displays:
Table 9 Discovered Access Points
Column                 Description
SonicPoint             The SonicPoint that detected the access point.
MAC Address (BSSID)    The MAC address of the radio interface of the detected access point.
SSID                   The radio SSID of the access point.
Type                   The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
Channel                The radio channel used by the access point.
Manufacturer           The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWALL or Senao.
Signal Strength        The strength of the detected radio signal.
Max Rate               The fastest allowable data rate for the access point radio, typically 54 Mbps.
Authorize              Adds the access point to the address object group of authorized access points.
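As an added example (not code from the GMS guide or from SonicWALL), the following Python applies the rule stated above to the columns of the Discovered Access Points table: every detected BSSID that is not on the authorized list is a rogue. It goes one step beyond the page by separately flagging rogues that advertise one of your own SSIDs; the scan rows, the authorized BSSID list and the SSID list are constructed sample data.

```python
"""Rogue access point triage over a Discovered Access Points table.

Added example, not part of the SonicWALL GMS guide. Column names follow the
Discovered Access Points table on this page; the sample rows, the authorized
BSSID list and the own-SSID list are constructed here.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class DiscoveredAP:
    """One row of the Discovered Access Points table."""
    sonicpoint: str        # SonicPoint: the SonicPoint that detected the AP
    bssid: str             # MAC Address (BSSID) of the detected radio
    ssid: str              # SSID
    band: str              # Type: "2.4 GHz" or "5 GHz"
    channel: int           # Channel
    manufacturer: str      # Manufacturer
    signal_strength: int   # Signal Strength (constructed 0-100 scale)
    max_rate: int          # Max Rate in Mbps


def normalize_bssid(mac: str) -> str:
    """Canonical lower-case aa:bb:cc:dd:ee:ff form, so an entry on the
    authorized list is not missed because of case or separator differences."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def triage(discovered: Iterable[DiscoveredAP],
           authorized_bssids: Iterable[str],
           own_ssids: Iterable[str]) -> dict:
    """Split a scan into authorized and rogue access points.

    As the page states, every detected BSSID that is not on the authorized
    list is regarded as a rogue. The 'ssid_conflicts' bucket is an extra
    check not described on the page: rogues advertising one of our own
    SSIDs, which clients may join by mistake, are listed for priority review.
    """
    allowed = {normalize_bssid(m) for m in authorized_bssids}
    ours = set(own_ssids)
    result = {"authorized": [], "rogue": [], "ssid_conflicts": []}
    for ap in discovered:
        if normalize_bssid(ap.bssid) in allowed:
            result["authorized"].append(ap)
            continue
        result["rogue"].append(ap)
        if ap.ssid in ours:
            result["ssid_conflicts"].append(ap)
    return result


def report(result: dict) -> list:
    """One line per rogue, strongest signal first (closest to our SonicPoints)."""
    conflicts = set(result["ssid_conflicts"])
    lines = []
    for ap in sorted(result["rogue"], key=lambda a: a.signal_strength, reverse=True):
        flag = " SSID-CONFLICT" if ap in conflicts else ""
        lines.append(f"ROGUE {ap.bssid} ssid={ap.ssid!r} ch={ap.channel} {ap.band} "
                     f"seen-by={ap.sonicpoint} signal={ap.signal_strength}{flag}")
    return lines


# Constructed sample scan (locally administered MACs, not real devices).
SAMPLE_SCAN = [
    DiscoveredAP("SonicPoint-A", "02:0C:29:00:00:01", "corp-wlan", "2.4 GHz", 6, "SonicWALL", 90, 54),
    DiscoveredAP("SonicPoint-A", "02-0c-29-00-00-02", "corp-wlan", "5 GHz", 36, "SonicWALL", 85, 54),
    DiscoveredAP("SonicPoint-B", "02:DE:AD:BE:EF:01", "corp-wlan", "2.4 GHz", 6, "Unknown", 70, 54),
    DiscoveredAP("SonicPoint-B", "02:11:22:33:44:55", "coffee-shop", "2.4 GHz", 11, "Unknown", 30, 54),
]
# Constructed authorized list, in the mixed notations an administrator might paste.
AUTHORIZED_BSSIDS = ["02:0c:29:00:00:01", "020c.2900.0002"]
OWN_SSIDS = ["corp-wlan"]

if __name__ == "__main__":
    for line in report(triage(SAMPLE_SCAN, AUTHORIZED_BSSIDS, OWN_SSIDS)):
        print(line)
```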
Using and Configuring Virtual Access Points
A Virtual Access Point (VAP) is a multiplexed instantiation of a single physical
Access Point (AP) so that it presents itself as multiple discrete Access Points.
To wireless LAN clients, each Virtual AP appears to be an independent
physical AP, when there is actually only a single physical AP. Before Virtual AP
feature support, wireless networks were relegated to a one-to-one relationship
between physical Access Points and wireless network security characteristics,
such as authentication and encryption.
For example, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients. If Open or WPA-EAP were required, they would need to have been provided by separate, distinctly configured APs. This forced WLAN network administrators
to find a solution to scale their existing wireless LAN infrastructure to provide
differentiated levels of service. With the Virtual APs (VAP) feature, multiple
VAPs can exist within a single physical AP in compliance with the IEEE 802.11
standard for the media access control (MAC) protocol layer that includes a
unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID).
This allows segmenting wireless network services within a single radio
frequency footprint of a single physical access point device.
In SonicOS Enhanced 3.5, VAPs allow the network administrator to control
wireless user access and security settings by setting up multiple custom
configurations on a single physical interface.
Each of these custom configurations acts as a separate (virtual) access point,
and can be grouped and enforced on single or multiple physical SonicPoint
access points simultaneously.
In GMS, you can configure VAPs on the Policies panel, SonicPoint > Virtual
Access Point screen.
Configuring Virtual Access Point Groups
To add or configure VAP Groups:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Group. The Add Virtual Access Point Group dialog box displays.
3. Enter the VAP group name in the Virtual AP Group Name field.
4. In Available Virtual AP Objects, select the objects that should be in the VAP group, and then click the arrow button to move them to Member of Virtual AP Group.
5. To remove objects from the group, select them in the Member of Virtual AP Group field and then click the left arrow button to move them back to the Available list.
6. Click OK.
7. In the SonicPoint > Virtual Access Point screen, click Update.
Configuring Virtual Access Points
To add or configure Virtual Access Points:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Virtual Access Point. The Add Virtual Access Point dialog box displays.
3. On the General tab, enter the SSID associated with the VAP. You can create a service set identifier (SSID) when creating a SonicPoint profile. See “SonicPoint Provisioning Profiles” on page 497.
4. Select Enable Virtual Access Point. You can also deselect this checkbox to disable the VAP without deleting it completely.
5. To suppress the SSID, select Enable SSID Suppress.
6. Click the Advanced tab.
7. On the Advanced tab, configure the following:
– Profile Name: Select the VAP profile from the drop-down list.
– Radio Type: Select the radio type from the drop-down list.
– Authentication Type: Select the authentication type from the drop-down list.
– Unicast Cipher: Select the unicast cipher from the drop-down list.
– Multicast Cipher: Select the multicast cipher from the drop-down list.
– Maximum Clients: Enter the maximum number of clients.
8. Click OK.
9. In the SonicPoint > Virtual Access Point screen, click Update.
Configuring Virtual Access Point Profiles
To add or configure VAP profiles:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Virtual Access Point Profile. The Add Virtual Access Point Profile dialog box displays.
3. Configure the following:
– Radio Type: Select the radio type from the drop-down list.
– Profile Name: Select the VAP profile from the drop-down list.
– Authentication Type: Select the authentication type from the drop-down list.
– Unicast Cipher: Select the unicast cipher from the drop-down list.
– Multicast Cipher: Select the multicast cipher from the drop-down list.
– Maximum Clients: Enter the maximum number of clients.
4. Click OK.
5. In the SonicPoint > Virtual Access Point screen, click Update.
CHAPTER 23
Configuring Wireless Options
This chapter describes how to configure wireless connectivity options for
wireless SonicWALL appliances. Included in this chapter are the following
sections:
• “Configuring General Wireless Settings” section on page 522
• “Configuring Wireless Security Settings” section on page 525
• “Configuring Advanced Wireless Settings” section on page 530
• “Configuring MAC Filter List Settings” section on page 533
• “Configuring Intrusion Detection Settings” section on page 535
Configuring General Wireless Settings
This section describes how to configure general wireless settings. To do this,
perform the following steps:
1. Select a wireless SonicWALL appliance.
2. Expand the Wireless tree and click Settings. The Settings page displays.
Note
The Wireless > Settings page provides different options for SonicOS Enhanced and SonicOS Standard.
The page for SonicOS Standard is shown below:
The page for SonicOS Enhanced is shown below:
3. Select whether the SonicWALL appliance will act as an Access Point or a Wireless Bridge from the Radio Role list box.
4. To enable Wireless networking on this device, select the Enable WLAN Radio check box.
5. For SonicOS Standard, configure Use Time Constraints to set hours of operation for this wireless device. For SonicOS Enhanced, select the schedule from the Schedule list box.
6. For SonicOS Standard only, optionally select SSL-VPN Enforcement and configure the Server Address and Server Port fields to add SSL-VPN enforcement to this wireless device.
7. For SonicOS Standard only, select WiFiSec Enforcement to enable WiFiSec security over this wireless device.
8. For SonicOS Standard only, if using WiFiSec Enforcement, you can choose to Require WiFiSec for Site-to-Site VPN Tunnel Traversal. This option is selected by default when enabling both SSL-VPN and WiFiSec simultaneously.
9. For SonicOS Standard only, if using WPA encryption, you can choose to Trust WPA traffic as WiFiSec.
10. For SonicOS Standard only, if using WiFiSec enforcement, you can choose Enable WiFiSec Service Exception List. With this checkbox selected, select a service from the list and click the Add button.
11. Enter the IP address and subnet mask of the Wireless LAN port in the
WLAN IP Address and WLAN Subnet Mask fields.
12. Enter the Service Set Identifier (SSID) or wireless network name in the
SSID field (maximum: 32 characters).
13. Select an applicable wireless Radio Mode from the list-box.
14. Select an applicable Country Code from the list-box.
15. Select a wireless channel to use from the Channel list box.
16. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Wireless Radio Operating Schedule
Wireless Schedule allows you to specify time periods of operation for the WLAN. This feature is available in the Wireless > Settings screen. In SonicOS Standard, it is available under the Use Time Constraints section, and in SonicOS Enhanced, it is available as the Schedule drop-down list. At unit level, the section shown depends on whether the unit runs SonicOS Standard or SonicOS Enhanced. At group level, both options are shown, with text in italics indicating which section applies to SonicOS Standard and which to SonicOS Enhanced.
Configuring Wireless Security Settings
This section describes how to configure wireless security settings. To
configure the security settings, perform the following steps:
1. Select a wireless SonicWALL appliance.
2. Expand the Wireless tree and click Security. The fields on this screen will change depending on the Authentication Type that you select.
WEP Encryption Settings
Open-system authentication is the only method required by 802.11b. In
open-system authentication, the SonicWALL allows the wireless client access
without verifying its identity.
Shared-key authentication uses Wired Equivalent Privacy (WEP) and
requires a shared key to be distributed to wireless clients before
authentication is allowed. The SonicWALL TZ 170 Wireless and later TZ
Series security appliances provide the option of using Open System, Shared
Key, or both when WEP is used to encrypt data. If Both Open System &
Shared Key is selected, the Default Key assignments are not important as long as identical keys are used in each field. If Shared Key is selected, then the key assignment is important.
To configure WEP on the SonicWALL, perform the following tasks:
1. On the Policies panel, click Wireless, then Security.
2. Select a WEP authentication type from the Authentication Type list. Shared Key is selected by default.
WEP Encryption Keys
If you selected Both (Open System & Shared Key) or Shared Key above, you must configure one or more keys and select the default. SonicOS supports the 802.11a and 802.11g standards, which include 64-bit, 128-bit, and 152-bit encryption for WEP.
1. Select the default key to use, 1, 2, 3, or 4, from the Default Key drop-down list.
2. Select the key type to be either Alphanumeric or Hexadecimal. The number of characters you enter is different for each because an alphanumeric (or ASCII) character contains 8 bits, and a hexadecimal character contains only 4 bits.
Table 10 WEP Encryption Key Types
Key length      Alphanumeric                 Hexadecimal
WEP - 64-bit    5 characters (0-9, A-Z)      10 characters (0-9, A-F)
WEP - 128-bit   13 characters (0-9, A-Z)     26 characters (0-9, A-F)
WEP - 152-bit   16 characters (0-9, A-Z)     32 characters (0-9, A-F)
3. Type your keys into each field.
4. For each key, select 64-bit, 128-bit, or 152-bit from the drop-down list next to the Key field. 152-bit is the most secure.
5. Click Update.
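As an added example (not code from the GMS guide or from SonicWALL), this Python checks key entries against the lengths and character sets of Table 10 and the Default Key selection from the steps above, and verifies that the table is consistent with the 8-bits-versus-4-bits explanation. The 24-bit IV figure used in that consistency check is standard WEP rather than something the page states, and the sample entries are constructed.

```python
"""Check WEP key entries against Table 10 (WEP Encryption Key Types).

Added example, not code from the SonicWALL GMS guide. The lengths and
character sets are those listed in Table 10 on this page; the function
names and the return format are this example's own.
"""
import re

# Characters required per key length and key type, straight from Table 10.
WEP_KEY_LENGTHS = {
    64: {"Alphanumeric": 5, "Hexadecimal": 10},
    128: {"Alphanumeric": 13, "Hexadecimal": 26},
    152: {"Alphanumeric": 16, "Hexadecimal": 32},
}
# Character sets exactly as printed in Table 10 (0-9, A-Z and 0-9, A-F).
WEP_KEY_CHARSETS = {
    "Alphanumeric": re.compile(r"^[0-9A-Z]*$"),
    "Hexadecimal": re.compile(r"^[0-9A-F]*$"),
}
# From the text above the table: 8 bits per ASCII character, 4 per hex digit.
BITS_PER_CHAR = {"Alphanumeric": 8, "Hexadecimal": 4}
# Standard WEP (not stated on the page): the 24-bit IV is included in the
# "64/128/152-bit" names, so the key itself supplies 40/104/128 bits.
WEP_IV_BITS = 24


def key_material_bits(key_type: str, length: int) -> int:
    """Secret key bits actually supplied by a key of `length` characters."""
    return length * BITS_PER_CHAR[key_type]


def table_is_consistent() -> bool:
    """Every Table 10 entry supplies exactly (named bits - 24-bit IV) of key material."""
    return all(key_material_bits(t, n) + WEP_IV_BITS == b
               for b, row in WEP_KEY_LENGTHS.items() for t, n in row.items())


def check_wep_key(key: str, key_type: str, bits: int) -> list:
    """Return the problems with one key field; an empty list means it matches Table 10."""
    if key_type not in WEP_KEY_CHARSETS:
        return [f"unknown key type {key_type!r}"]
    if bits not in WEP_KEY_LENGTHS:
        return [f"unsupported WEP key length {bits}-bit"]
    problems = []
    expected = WEP_KEY_LENGTHS[bits][key_type]
    if len(key) != expected:
        problems.append(f"{bits}-bit {key_type} key needs {expected} characters, got {len(key)}")
    if not WEP_KEY_CHARSETS[key_type].match(key):
        problems.append(f"{key_type} key contains characters outside the allowed set")
    return problems


def check_wep_keys(keys: dict, default_key: int) -> list:
    """Check all key slots plus the Default Key selection from the steps above.

    `keys` maps a slot number (1-4) to (key, key_type, bits); empty slots may be omitted.
    """
    problems = []
    if default_key not in (1, 2, 3, 4):
        problems.append(f"Default Key must be 1, 2, 3 or 4, got {default_key}")
    elif default_key not in keys or not keys[default_key][0]:
        problems.append(f"Default Key {default_key} has no key configured")
    for slot, (key, key_type, bits) in sorted(keys.items()):
        if slot not in (1, 2, 3, 4):
            problems.append(f"key slot {slot} does not exist")
            continue
        problems.extend(f"Key {slot}: {p}" for p in check_wep_key(key, key_type, bits))
    return problems


if __name__ == "__main__":
    # Constructed sample entries: slot 1 is valid, slot 2 is two characters
    # short for 128-bit, and the selected default slot 3 is empty.
    sample = {
        1: ("0123456789ABCDEF0123456789", "Hexadecimal", 128),
        2: ("WEPKEY12345", "Alphanumeric", 128),
        3: ("", "Alphanumeric", 64),
    }
    for p in check_wep_keys(sample, default_key=3):
        print(p)
```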
WPA and WPA2 Encryption Settings
You can configure Wi-Fi Protected Access as WPA or WPA2 in GMS. Either of
these provides better security than WEP. WPA and WPA2 support two
protocols for storing and generating keys:
• Extensible Authentication Protocol (EAP): EAP allows WPA/WPA2 to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.
• Pre-Shared Key (PSK): PSK allows WPA/WPA2 to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server.
WPA and WPA2 support is only available in Access Point Mode. WPA and
WPA2 support is not available in Bridge Mode.
To configure WPA or WPA2 security on the SonicWALL, perform the following
tasks:
1. On the Policies panel, click Wireless, then Security.
2. Under Encryption Mode, select a WPA or WPA2 authentication type from the Authentication Type list.
You can choose from the following authentication types:
– WPA-PSK
– WPA-EAP
– WPA2-PSK
– WPA2-EAP
– WPA2-AUTO-PSK
– WPA2-AUTO-EAP
The screen changes to display the configurable fields. The same
configuration fields are displayed for all authentication types that employ
PSK, and the same configuration fields are displayed for all authentication
types that employ EAP.
WPA and WPA2 Settings
For both PSK and EAP authentication types, the fields under WPA Settings
are the same.
To configure the WPA Settings fields:
1. Select one of the following in the Cipher Type drop-down list:
– TKIP - Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis.
– AES - Advanced Encryption Standard (AES) is a block cipher adopted as an encryption standard in 2002. It is widely used in symmetric key cryptography.
– Auto - Allows the SonicWALL to automatically select either TKIP or AES.
2. Select one of the following to determine when to update the key in the Group Key Update drop-down list:
– By Timeout - Generates a new group key after an interval specified in seconds.
– Disabled - Uses a static key that is never regenerated.
3. If you selected By Timeout, enter the number of seconds before WPA or WPA2 automatically generates a new group key into the Interval field.
Preshared Key Settings (PSK)
For all authentication types involving PSK, do the following:
1. Type the passphrase from which the key is generated into the Passphrase field.
2. Do one of the following:
– To apply the settings, click Update.
– To clear all screen settings and start over, click Reset.
Extensible Authentication Protocol (EAP) Settings
For all authentication types involving EAP, the lower part of the screen
displays fields for RADIUS configuration.
For all authentication types involving EAP, do the following:
1.
Type the IP address of the primary RADIUS server into the Radius Server
1 IP field.
2.
Type the port number used to communicate with the primary RADIUS
server into the Port field.
3.
Type the password for access to the primary Radius Server into the
Radius Server 1 Secret field.
4.
Type the IP address of the secondary RADIUS server into the Radius
Server 2 IP field.
5.
Type the port number used to communicate with the secondary RADIUS
server into the Port field.
6.
Type the shared secret for the secondary RADIUS server into the
Radius Server 2 Secret field.
7.
Do one of the following:
– To apply the settings, click Update.
– To clear all screen settings and start over, click Reset.
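What the shared secret configured above actually protects, as an added example that is not part of the original guide or of SonicWALL's code. When the appliance relays a client's EAP exchange it sends RADIUS Access-Requests and receives Access-Challenge/Accept/Reject replies; the secret never crosses the wire but keys the Response Authenticator (RFC 2865, MD5) and the Message-Authenticator attribute (RFC 3579, HMAC-MD5) that let each side verify the other holds the same secret and that the packet was not altered. The identifier, secret and EAP payloads in the code are constructed sample data.

```python
"""RADIUS shared-secret checks an authenticator performs on EAP traffic.

Added example, not SonicWALL code. Builds an Access-Request carrying an
EAP-Message plus Message-Authenticator, and an Access-Accept, then verifies
both the way the peer should. Secret, IDs and EAP bytes are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def iter_attrs(body: bytes):
    """Yield (type, value, offset-in-body), refusing malformed lengths."""
    i = 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        yield t, body[i + 2:i + length], i
        i += length


def message_authenticator(packet: bytes, secret: bytes, request_authenticator: bytes = None):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 3579 3.2).
    For a response, the Authenticator field is replaced by the Request Authenticator."""
    pkt = bytearray(packet)
    if request_authenticator is not None:
        pkt[4:20] = request_authenticator
    for t, _, off in iter_attrs(packet[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            pkt[22 + off:38 + off] = b"\x00" * 16
            return hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return None


def build_access_request(identifier: int, request_authenticator: bytes, attrs, secret: bytes) -> bytes:
    """Access-Request with Message-Authenticator last (required when EAP-Message is present)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = bytearray(HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body)
    pkt[-16:] = message_authenticator(bytes(pkt), secret)
    return bytes(pkt)


def verify_message_authenticator(packet: bytes, secret: bytes, request_authenticator: bytes = None) -> bool:
    expected = message_authenticator(packet, secret, request_authenticator)
    if expected is None:
        return False
    for t, value, _ in iter_attrs(packet[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            return hmac.compare_digest(value, expected)
    return False


def response_authenticator(code: int, identifier: int, body: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(body)) + request_authenticator + body + secret).digest()


def build_response(code: int, identifier: int, request_authenticator: bytes, attrs, secret: bytes) -> bytes:
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    auth = response_authenticator(code, identifier, body, request_authenticator, secret)
    return HEADER.pack(code, identifier, 20 + len(body)) + auth + body


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the appliance must check before trusting an Access-Accept."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    req = build_access_request(7, req_auth, [(1, b"alice"), (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")], secret)
    acc = build_response(ACCESS_ACCEPT, 7, req_auth, [(EAP_MESSAGE, b"\x03\x01\x00\x04")], secret)
    print(verify_message_authenticator(req, secret), verify_response(acc, req_auth, secret))
```

A forged Access-Accept from anyone who does not hold the secret, or a relayed one with a single byte changed, fails `verify_response`; a weak or shared-everywhere secret is therefore the whole security of the authentication decision, which is why the steps above ask for a distinct secret per server.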
Configuring Advanced Wireless Settings
This section describes how to configure advanced wireless settings for both
SonicOS Standard and SonicOS Enhanced. To do this, perform the following
steps:
1.
Select a wireless SonicWALL appliance.
2.
Expand the Wireless tree and click Advanced. The Advanced screen
displays.
Note
The Wireless > Advanced page provides different options for
SonicOS Standard and SonicOS Enhanced. Also, SonicOS
Standard 3.8 displays six more fields than earlier versions of
SonicOS Standard.
SonicOS Standard:
The SonicOS Enhanced page has different fields than those in SonicOS
Standard.
3.
Select Hide SSID in Beacon to omit the network name from the Beacon
frames the appliance broadcasts. The network then no longer appears in
the list shown by ordinary scanners, which deters only the most casual
"drive by" observer.
Note
This provides marginal security. The SSID is still sent in the clear in
Probe Requests, Probe Responses and Association Requests, so anyone with
a passive sniffer learns it as soon as a legitimate client connects.
Hiding the SSID also forces your clients to probe for the network by
name wherever they go, leaking it from the client side. Treat this as a
cosmetic setting, not an access control.
4.
Enter how often (in milliseconds) a Beacon frame is sent in the Beacon
Interval field. Decreasing the interval makes passive scanning faster and
more reliable because Beacon frames announce the network more frequently,
at the cost of slightly more airtime.
5.
To specify the maximum number of wireless clients, enter the limit in the
Maximum Client Associations field. Wireless clients are devices that
attempt to access the wireless SonicWALL appliance.
6.
Select the following Advanced Radio Settings:
– The Antenna Diversity setting determines which antenna the
SonicWALL Wireless uses to send and receive data. You can select:
–Best: This is the default setting. When Best is selected, the
SonicWALL Wireless automatically selects the antenna with the
strongest, clearest signal. In most cases, Best is the optimal
setting.
–1: Select 1 to restrict the SonicWALL Wireless to use antenna 1
only. Facing the rear of the SonicWALL, antenna 1 is on the left,
closest to the console port. You can disconnect antenna 2 when
using only antenna 1.
–2: Select 2 to restrict the SonicWALL Wireless to use antenna 2
only. Facing the rear of the SonicWALL, antenna 2 is on the right,
closest to the power supply. You can disconnect antenna 1 when
using only antenna 2.
– Select High from the Transmit Power menu to send the strongest
signal on the WLAN. For example, select High if the signal is going
from building to building. Medium is recommended for office to office
within a building, and Low or Lowest is recommended for shorter
distance communications.
– Select Short or Long from the Preamble Length menu. Short is
recommended for efficiency and improved throughput on the wireless
network.
– The Fragmentation Threshold (bytes) is 2346 by default. Frames larger
than this are split into fragments. A higher threshold means less
per-fragment overhead, but when a fragment is lost or corrupted more
data has to be retransmitted; lower it on noisy links.
– The RTS Threshold (bytes) is 2432 by default. Frames larger than this
are preceded by a Request-To-Send/Clear-To-Send handshake. If network
throughput is slow or a large number of frame retransmissions is
occurring, decrease the RTS threshold so that more frames use the
handshake and collisions are reduced.
– The default value for the DTIM Interval is 3. Increasing the DTIM
Interval value allows you to conserve power more effectively.
– The Station Timeout (seconds) is 300 seconds by default. If your
network is very busy, you can increase the timeout by increasing the
number of seconds in this field.
– For SonicOS Standard 3.8 and above, select the wireless
transmission rate from the Data Rate drop-down list. You can select
Best or a value between 1 and 54 megabits per second (Mbps). The
default is 48 Mbps.
– For SonicOS Standard 3.8 and above, in the Protection Mode
drop-down list, select None, Always or Auto. Use Always or Auto to
prevent transmission frame collisions when you have multiple wireless
nodes.
– For SonicOS Standard 3.8 and above, in the Protection Rate
drop-down list, select 1 Mbps, 2 Mbps, 5 Mbps or 11 Mbps. The
Protection Rate specifies the transmission rate for the
Request-To-Send (RTS) and Clear-To-Send (CTS) frames. The
default is 5 Mbps.
– For SonicOS Standard 3.8 and above, in the Protection Type
drop-down list, select RTS-CTS or CTS-only. RTS-CTS is the
mechanism used by the 802.11 wireless networking protocol to reduce
frame collisions. The node wishing to transmit data sends an RTS frame.
The destination node replies with a CTS frame. Other wireless nodes
within range refrain from sending data for a specified time to avoid
collisions. The default is RTS-CTS.
– For SonicOS Standard 3.8 and above, in the CCK OFDM Power Delta
drop-down list, select 0 dBm, 1 dBm or 2 dBm. Complementary Code
Keying (CCK) is the modulation used for 802.11b rates and Orthogonal
Frequency Division Multiplexing (OFDM) the modulation used for 802.11g
rates. This field specifies the difference in transmit power applied
between CCK and OFDM transmissions. The unit, dBm, is decibels relative
to one milliwatt: 0 dBm equals 1 mW, 1 dBm is about 1.26 mW and 2 dBm
is about 1.58 mW.
– For SonicOS Standard 3.8 and above, select the Enable Short Slot
Time checkbox to shorten the basic 802.11 contention timing unit from
20 microseconds to 9 microseconds, which reduces the time a station
waits before transmitting and raises throughput. Short slot time is an
802.11g feature; if 802.11b clients must be supported the radio has to
fall back to the long slot time for them. The default is to enable a
short slot time.
7.
When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
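The leak described in step 3 and its Note, as an added example that is not part of the original guide or of SonicWALL's code. The Python below builds minimal 802.11 management frames in memory (constructed sample data; no radio or capture library is used) and parses the SSID information element out of each: the hidden network's Beacon carries an empty SSID, while the Probe Request, Probe Response and Association Request exchanged when a legitimate client connects all carry the name in the clear, which is exactly what a passive sniffer would recover.

```python
"""Why "Hide SSID in Beacon" does not hide the SSID.

Added example (not SonicWALL code). Builds and parses minimal 802.11
management frames: 24-byte MAC header, subtype-specific fixed fields, then
tagged information elements (IEs). Only the SSID (element 0) and rates IEs
are emitted. Addresses and SSID below are made up.
"""
import struct

ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8
FIXED_LEN = {ASSOC_REQ: 4, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
NAMES = {ASSOC_REQ: "association-request", PROBE_REQ: "probe-request",
         PROBE_RESP: "probe-response", BEACON: "beacon"}
BROADCAST = b"\xff" * 6


def build_mgmt_frame(subtype: int, ssid: bytes, addr1: bytes, addr2: bytes, bssid: bytes) -> bytes:
    """Frame Control, Duration, Addr1, Addr2, Addr3 (BSSID), Seq, fixed fields, IEs."""
    frame_control = struct.pack("<H", subtype << 4)        # type 0 = management
    header = frame_control + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00"
    fixed = b"\x00" * FIXED_LEN[subtype]
    ssid_ie = bytes([0, len(ssid)]) + ssid                 # element ID 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])       # 1, 2, 5.5, 11 Mbps basic rates
    return header + fixed + ssid_ie + rates_ie


def parse_ies(body: bytes) -> dict:
    """Tagged parameters: one byte ID, one byte length, value. First occurrence wins."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        ies.setdefault(eid, body[i + 2:i + 2 + length])
        i += 2 + length
    return ies


def subtype_of(frame: bytes) -> int:
    return (struct.unpack("<H", frame[:2])[0] >> 4) & 0xF


def ssid_from_frame(frame: bytes):
    """SSID string, "" when hidden/wildcard, None if not a frame this parser handles."""
    if len(frame) < 24:
        return None
    fc = struct.unpack("<H", frame[:2])[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    ssid = parse_ies(frame[24 + FIXED_LEN[subtype]:]).get(0)
    if ssid is None:
        return None
    if len(ssid) == 0 or ssid.strip(b"\x00") == b"":
        return ""                                          # hidden beacon or wildcard probe
    return ssid.decode("utf-8", "replace")


def recover_hidden_ssids(frames) -> dict:
    """Map each BSSID whose Beacon hides the SSID to the name seen in other frames."""
    hidden, learned = set(), {}
    for frame in frames:
        ssid = ssid_from_frame(frame)
        bssid = frame[16:22]                               # Address 3 is the BSSID in mgmt frames
        if ssid is None or bssid == BROADCAST:
            continue
        if subtype_of(frame) == BEACON and ssid == "":
            hidden.add(bssid)
        elif ssid:
            learned.setdefault(bssid, (ssid, NAMES[subtype_of(frame)]))
    return {b.hex(":"): learned[b] for b in hidden if b in learned}


def sample_capture():
    """Constructed frames: an AP with a hidden SSID and one client joining it."""
    ap, client, name = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff"), b"CorpWiFi"
    return [
        build_mgmt_frame(BEACON, b"", BROADCAST, ap, ap),        # SSID omitted in Beacon
        build_mgmt_frame(PROBE_REQ, name, ap, client, ap),       # client asks for it by name
        build_mgmt_frame(PROBE_RESP, name, client, ap, ap),      # AP answers with the name
        build_mgmt_frame(ASSOC_REQ, name, ap, client, ap),       # client joins by name
    ]


if __name__ == "__main__":
    for f in sample_capture():
        print(f"{NAMES[subtype_of(f)]:>20}: {ssid_from_frame(f)!r}")
    print(recover_hidden_ssids(sample_capture()))
```

Run stand-alone it prints an empty SSID for the Beacon, `'CorpWiFi'` for the three other frames, and a mapping from the hidden BSSID to the name recovered from the first client frame. The same logic over a real capture is what every wireless survey tool does, which is why the Note above calls the protection marginal.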
Configuring MAC Filter List Settings
Wireless SonicWALL appliances can allow or block wireless devices based on
their MAC addresses. A MAC address is transmitted in the clear in every
frame and can be changed freely on the client, so treat the filter list as
a housekeeping control layered on top of WPA2 authentication, not as an
authentication mechanism in itself. To configure the MAC filter list,
perform the following steps:
1.
Select a wireless SonicWALL appliance, a group, or the global icon.
2.
Expand the Wireless tree and click MAC Filter List. The MAC Filter List
screen displays.
Note
The MAC Filter List provides different options in SonicOS Standard
and SonicOS Enhanced.
SonicOS Enhanced provides drop-down lists for the Allow and Deny lists.
3.
To enable the MAC filter list for the selected device(s), select the Enable
MAC Filter List check box.
4.
For SonicOS Standard, to add a MAC address to the filter list, enter the
address in the MAC Address List field, select either Allow or Block, and
add any comments to the Comment field.
5.
Click Add MAC Address. The scheduler displays.
6.
Expand Schedule by clicking the plus icon.
7.
Select Immediate or specify a future date and time.
8.
Click Accept.
9.
Repeat these steps for each MAC address that you want to add in SonicOS
Standard.
10. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance(s). To clear all screen settings and start
over, click Reset.
11. For SonicOS Enhanced only, select one of the options from the Allow List
and Deny List list boxes.
12. Click Update. The scheduler displays.
13. Expand Schedule by clicking the plus icon.
14. Select Immediate or specify a future date and time.
15. Click Accept.
Configuring Intrusion Detection Settings
This section describes how to configure intrusion detection settings (IDS) for
wireless SonicWALL appliances. To configure the IDS, perform the following
steps:
1.
Select a wireless SonicWALL appliance, a group, or the global icon.
2.
Expand the Wireless tree and click IDS. The IDS screen displays.
3.
Select Enable Client Null Probing Detection to flag stations that send
Probe Requests with an empty (null) SSID. Legitimate clients do this when
scanning, but a sustained stream of null probes from one station is
characteristic of survey and attack tools enumerating nearby networks.
4.
Attackers can cause a Denial-of-Service (DoS) attack by flooding a wireless
network with association requests. To combat this, select the Enable
Association Flood Detection check box.
The default association flood threshold is 10 association attempts within 5
seconds. To change this setting, enter new flood threshold values.
To block the MAC address of a computer or device attempting this attack,
select the Block station's MAC address in response to an association
flood field. An attacker can change MAC addresses between bursts, or
spoof the address of a legitimate client so that the client is the one
blocked, so review blocked entries rather than treating the block as a
complete fix.
5.
To access a network, hackers can set up a rogue access point that will
intercept communications with legitimate users attempting to access a
legitimate access point. This “man-in-the-middle” attack can expose
passwords and other network resources. To enable detection of rogue
access points, select the Enable Rogue Access Point Detection check
box.
6.
In SonicOS Standard only, to prevent rogue access points, you must
specify each authorized access point within the network. To do so, enter
the MAC address of an access point in the MAC Address (BSSID) field
and click Add. The scheduler displays.
7.
Expand Schedule by clicking the plus icon.
8.
Select Immediate or specify a future date and time.
9.
Click Accept.
10. For SonicOS Standard only, click Request Discovered Access Points
Information from Firewall.
11. For SonicOS Standard only, click Scan Now...
12. For SonicOS Enhanced only, to authorize access points, select one of the
options from the Authorized Access Points list box.
13. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance(s). To clear all screen settings and start
over, click Reset.
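The two detections configured above, as an added example that is not part of the original guide or of SonicWALL's code. The Python applies the page's default threshold (10 association attempts within 5 seconds) to a constructed stream of association events with a sliding window per station, blocks the offending address the way the "Block station's MAC address" option does, and compares discovered BSSIDs against an authorized list, separating an unknown neighbour from an unauthorized AP advertising one of your own SSIDs. All MAC addresses, SSIDs and timestamps are made up.

```python
"""Association-flood and rogue-AP detection logic.

Added example, not SonicWALL code. Implements the page's default threshold
(10 association attempts in 5 s) as a per-station sliding window and flags
discovered BSSIDs that are not on the authorized list. Sample data is
constructed.
"""
from collections import defaultdict, deque


class AssociationFloodDetector:
    def __init__(self, threshold: int = 10, window_seconds: float = 5.0, block: bool = True):
        self.threshold = threshold
        self.window = window_seconds
        self.block = block
        self.history = defaultdict(deque)   # station MAC -> attempt timestamps in window
        self.blocked = set()
        self.alerts = []                    # (time, mac, attempts seen in window)

    def observe(self, ts: float, mac: str) -> str:
        """Feed one association attempt; returns 'blocked', 'flood' or 'ok'."""
        mac = mac.lower()
        if mac in self.blocked:
            return "blocked"
        q = self.history[mac]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append((ts, mac, len(q)))
            if self.block:
                self.blocked.add(mac)
            return "flood"
        return "ok"


def find_rogue_aps(discovered, authorized_bssids, own_ssids):
    """Flag every BSSID not in the authorized list. An unauthorized AP that
    advertises one of our own SSIDs is the evil-twin case worth paging on."""
    authorized = {b.lower() for b in authorized_bssids}
    rogues = []
    for bssid, ssid in discovered:
        if bssid.lower() in authorized:
            continue
        kind = "evil-twin" if ssid in own_ssids else "unknown-ap"
        rogues.append((bssid.lower(), ssid, kind))
    return rogues


def run_sample():
    """Constructed events: one station hammering associations, one normal client."""
    det = AssociationFloodDetector()
    attacker, client = "de:ad:be:ef:00:01", "00:11:22:33:44:66"
    events = [(0.1 * i, attacker) for i in range(12)]            # 12 attempts in 1.2 s
    events += [(20.0 + 2.0 * i, client) for i in range(4)]       # 4 attempts over 8 s
    verdicts = [det.observe(ts, mac) for ts, mac in sorted(events)]
    rogues = find_rogue_aps(
        discovered=[("00:11:22:aa:bb:01", "CorpWiFi"),           # our own AP
                    ("66:77:88:99:aa:bb", "CorpWiFi"),           # evil twin of our SSID
                    ("12:34:56:78:9a:bc", "Coffee-Free-WiFi")],  # unrelated neighbour
        authorized_bssids={"00:11:22:aa:bb:01"},
        own_ssids={"CorpWiFi"},
    )
    return det, verdicts, rogues


if __name__ == "__main__":
    det, verdicts, rogues = run_sample()
    print("verdicts:", verdicts)
    print("blocked:", sorted(det.blocked))
    print("rogues:", rogues)
```

The attacker trips the threshold on its tenth attempt and every later attempt is reported as blocked, while the normal client never exceeds it. The rogue list separates the evil twin from the neighbour so that alerting can treat them differently; the neighbour is a nuisance, the twin is an active attack on your users' credentials.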
CHAPTER 24
Configuring Wireless Guest Services
This chapter describes how to configure Wireless Guest Services (WGS)
enabled appliances running SonicOS Standard. For appliances running
SonicOS Standard, these configuration options are available at the unit level.
Wireless Guest Services allows the administrator to configure wireless access
points for guest access. Wireless Guest Services is configured with optional
custom login pages, user accounts and is compatible with several different
authentication methods including those which require external authentication.
Included in this chapter are the following sections:
• “Configuring Wireless Guest Services Settings” section on page 538
• “Configuring the URL Allow List” section on page 541
• “Denying Access to Networks with the IP Deny List” section on page 542
• “Configuring the Custom Login Screen” section on page 543
• “Configuring External Authentication” section on page 544
Configuring Wireless Guest Services
Settings
This section describes how to configure wireless settings for Wireless Guest
Services. To do this, perform the following steps:
1.
In the TreeControl pane, select a wireless SonicWALL appliance.
2.
In the center pane, navigate to WGS > Settings. The Settings page
displays.
3.
To enable Wireless Guest Services on this device, select the Enable
Wireless Guest Services check box.
4.
Check the Bypass Guest Authentication checkbox to allow a SonicPoint
running WGS to integrate into environments which are already using some
form of user-level authentication. This feature automates the WGS
authentication process, allowing wireless users to reach WGS resources
without requiring authentication.
Note
The Bypass Guest Authentication feature should only be used
when unrestricted WGS access is desired, or when another device
upstream of the SonicPoint is enforcing authentication.
5.
Check the Bypass Filters for Guest Accounts check box to disable
filtering for guest accounts.
6.
Check the Dynamic Address Translation (DAT) checkbox to enable
DAT. This option saves wireless clients the hassle of reconfiguring their IP
address and network settings. If this option is disabled (un-checked),
wireless guest users must either have DHCP enabled, or an IP addressing
scheme compatible with the SonicPoint’s network settings.
7.
Check the Enable SMTP Redirect checkbox and enter the following
information:
– Server IP—enter an SMTP Server IP address to which to redirect
SMTP traffic incoming on this zone
– Server Port—enter the port number for SMTP traffic on the Server. This
is available at the group and global level, and for units running SonicOS
Standard 3.8 and above. The default port is 25.
8.
Check the Custom Post Authentication Redirect page checkbox and
enter a URL to redirect wireless guests to a custom page after successful
login.
9.
To limit the number of concurrent guests, enter the maximum number in
the Maximum Concurrent Guests field.
10. To add a new guest, click Add New Wireless Guest. See “Adding a
Guest” on page 540.
11. When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Adding a Guest
You can add a new guest to Wireless Guest Services from the WGS > Settings
page.
To add a guest:
1.
Select a wireless SonicWALL appliance and navigate to WGS > Settings.
2.
Click Add New Wireless Guest. The Add New Wireless Guest dialog box
displays.
3.
In the Account Profile drop-down list, select the WGS account profile to use
for this account. This field is only visible when one or more WGS profiles have
been created in the current view. Views that provide the WGS Profiles screen
include the global and group levels, and unit level for appliances running
SonicOS Standard 3.8 and above.
4.
Select the Enable Account checkbox to enable the guest account.
5.
Select the Auto-Prune Account checkbox to automatically remove the
account when its lifetime expires.
6.
Select the Enforce login uniqueness checkbox to prevent more than one
guest from logging in with the account at the same time.
7.
In the Account Name field, enter the username for the guest account.
8.
In the Account Password field, enter the password for the guest account.
9.
In the Confirm Password field, re-enter the password for the guest
account.
10. In the Account Lifetime field, select the maximum lifetime of the guest
account.
11. In the Session Timeout field, set the time limit for a guest login session.
12. In the Idle Timeout field, enter a number and select a time period that the
guest can be idle at the computer before the session times out.
13. In the Comment field, add any comments.
14. Click Update.
Configuring the URL Allow List
The URL allow list specifies URLs that can be accessed by unauthenticated
users. To configure this list, perform the following steps:
Note
The URL Allow list is not supported in SonicOS Enhanced.
1.
Select a wireless SonicWALL appliance.
2.
Expand the WGS tree and click URL Allow List. The URL Allow List page
displays.
3.
To enable the URL Allow List, select the Enable URL Allow List for
Unauthenticated Users check box.
4.
To add a URL to the URL Allow List, enter a URL in the Allowed URLs
text field and click Add. Repeat this step for each URL that you would like
to add. To delete a URL in the URL Allow List, check the box next to the
URL to delete and click the trash can icon.
5.
When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Denying Access to Networks with the IP
Deny List
To specify networks that authenticated users will not be allowed to access,
perform the following steps:
Note
The IP Deny List is not supported in SonicOS Enhanced.
1.
Select a wireless SonicWALL appliance.
2.
Expand the WGS tree and click IP Deny List. The IP Deny List page
displays.
3.
To enable the IP Deny List, select the Enable IP Address Deny List for
Authenticated Users check box.
4.
To add a network to the IP Deny List, enter an IP address and subnet mask
and click Add IP Deny Entry. Repeat this step for each network that you
would like to add. To delete an entry from the IP Deny List, check the box
next to the entry to delete and click the trash can icon.
5.
When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring the Custom Login Screen
The Custom Login page is used to configure the login page that will be
accessed by guest users attempting to connect to the wireless SonicWALL
appliance.
To configure the Custom Login page, perform the following steps:
Note
The Custom Login screen is not supported in SonicOS Enhanced.
1.
Select a wireless SonicWALL appliance running SonicOS Standard.
2.
Expand the WGS tree and click Custom Login. The Custom Login page
displays.
3.
To customize the login page, select the Customize Login Page check
box.
4.
To display the custom login page only when the connection is made
through the Wireless LAN, select the Display Custom Login Page on
WLAN Only check box.
5.
The body of the login page will contain the username and password fields
that the user must complete to authenticate with the SonicWALL appliance.
To configure the header and footer text, select from the following:
– To display custom header and footer URLs, enter the URLs in the
Custom Header URL and Custom Footer URL fields.
– To enter custom text for the header and footer, enter the text in the
Custom Header Text and Custom Footer Text fields.
6.
When you are finished, click Update. The settings are changed for the
selected SonicWALL appliance. To clear all screen settings and start over,
click Reset.
Configuring External Authentication
External Guest Authentication allows the administrator to specify an external
database for wireless guest authentication. This authentication requires
guests connecting from the device or network you select to authenticate
before gaining access. This feature, based on Lightweight Hotspot Messaging
(LHM) is used for authenticating Hotspot users and providing them
parametrically bound network access.
To configure external authentication, perform the following steps:
Note
External Authentication is not supported in SonicOS Enhanced.
1.
Select a wireless SonicWALL appliance running SonicOS Standard.
2.
Expand the WGS tree and click External Authentication. The External
Authentication page displays.
3.
Check the Enable External Guest Authentication checkbox to enable
the external authentication feature and configure the tabs as follows:
Configuring General Settings
1.
Enter a Secure Communications Port and select a Client Redirect
Protocol for client redirect. This port and protocol (HTTP or HTTPS) is
used by the SonicWALL security appliance when performing the initial
internal client redirect via the “Please wait while you are being redirected”
page, prior to redirection to the LHM server.
2.
Select the Web Server Protocol (HTTP or HTTPS) running on your LHM
server from the drop-down list.
3.
Enter the IP or resolvable FQDN of the LHM server in the Host field.
4.
Enter the TCP port of operations for the selected protocol on the LHM
server in the Port field.
5.
Enter the duration of time, in seconds, before the LHM server is
considered unavailable in the Connection Timeout field. On timeout the
client will be presented with the “Server Down” message configured on the
“Web Content” tab.
6.
Select the Enable Message Authentication checkbox to add an HMAC
digest, computed with the shared secret, to the querystring exchanged
with the LHM server. This option is useful if you are concerned about
message tampering when HTTP is used to communicate with the LHM server.
It protects the integrity and origin of the parameters, not their
confidentiality, and does not by itself prevent replay of an old
message, so use HTTPS as well where possible.
7.
When using Message Authentication, select the Authentication Method
from the drop-down menu. You can select from MD5 or SHA1. Prefer SHA1:
used inside an HMAC neither is practically broken, but MD5 is
deprecated for new designs.
8.
When using Message Authentication enter a Shared Secret. The same
secret must also be configured in the LHM server scripts, since the
server recomputes the HMAC to verify each message. Choose a long random
value; the secret is the only thing an attacker lacks.
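The protection that steps 6 through 8 buy, as an added example that is not part of the original guide or of SonicWALL's code. The page does not describe the exact parameter names or canonical form LHM signs, so the field names, the `hmac` parameter name and the sort-by-name canonicalization below are assumptions; what the Python shows is the property itself: with the same secret on both ends, the LHM server recomputes the HMAC over the redirect parameters and rejects any message a guest, or an on-path attacker on plain HTTP, has edited. Both methods the UI offers (MD5 and SHA1) are supported, the comparison is constant-time, and the parameters are constructed sample data.

```python
"""HMAC message authentication for a captive-portal redirect querystring.

Added example, not SonicWALL code. Parameter names, the `hmac` field and
sorted-by-name canonicalization are assumptions; the page does not specify
LHM's wire format. Secret and parameter values are constructed.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}   # the two methods the UI offers


def canonical(params: dict) -> str:
    """Deterministic encoding; signer and verifier must agree on order and escaping."""
    return urlencode(sorted(params.items()))


def sign_query(params: dict, secret: str, method: str = "SHA1") -> str:
    """Appliance side: querystring plus a hex HMAC over the canonical parameters."""
    mac = hmac.new(secret.encode(), canonical(params).encode(), DIGESTS[method]).hexdigest()
    return canonical(params) + "&hmac=" + mac


def verify_query(query: str, secret: str, method: str = "SHA1") -> bool:
    """LHM server side: recompute and compare in constant time; any edit fails."""
    pairs = parse_qsl(query, keep_blank_values=True)
    received = [v for k, v in pairs if k == "hmac"]
    if len(received) != 1:                     # missing or duplicated tag is a failure
        return False
    params = {k: v for k, v in pairs if k != "hmac"}
    expected = hmac.new(secret.encode(), canonical(params).encode(), DIGESTS[method]).hexdigest()
    return hmac.compare_digest(received[0].lower(), expected)


def demo():
    """Constructed redirect parameters and a guest extending their own session."""
    secret = "constructed-shared-secret-change-me"
    params = {"sessionId": "abc123", "mac": "00:11:22:33:44:55",
              "ip": "10.0.0.23", "sessionTimeout": "30"}
    signed = sign_query(params, secret)
    tampered = signed.replace("sessionTimeout=30", "sessionTimeout=3000")
    return signed, tampered


if __name__ == "__main__":
    signed, tampered = demo()
    print(verify_query(signed, "constructed-shared-secret-change-me"))    # True
    print(verify_query(tampered, "constructed-shared-secret-change-me"))  # False
```

Because the HMAC covers every parameter, changing the session timeout, the client MAC or the IP in transit invalidates the tag, and without the shared secret a forged tag cannot be produced. A timestamp or nonce among the signed parameters is what stops an old, validly signed message from being replayed; that is why the steps above still recommend HTTPS.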
Configuring Settings for Auth Pages
To configure the session and idle timeout settings, perform the following steps:
Note
These pages may each be a unique page on the LHM server, or they
may all be the same page with a separate event handler for each
status message.
1.
Click the Auth Pages tab.
2.
Enter a Login Page. This is the first page to which the client is redirected
(e.g. “lhm/accept/default.aspx”).
3.
Enter a Session Expiration Page. This is the page to which the client is
redirected when the session expires (e.g.
“lhm/accept/default.aspx?cc=2”). After a session expires, the user must
create a new LHM session.
4.
Enter an Idle Timeout Page. This is the page to which the client is
redirected when the idle timer is exceeded
(e.g. “lhm/accept/default.aspx?cc=3”). After the idle timer is exceeded, the
user can log in again with the same credentials as long as there is time
left on the session.
5.
Enter a Max Session Page. This is the page to which the client is
redirected when the maximum number of sessions has been reached (e.g.
“lhm/accept/default.aspx?cc=4”).
Configuring Web Content Settings
To configure the Web content for external authentication:
1.
Click the Web Content tab.
2.
Select Use Default or select Customize and enter a Redirect Message
in the text box. This is the message that will be presented to the client
(usually for no more than one second) explaining that the session is being
redirected to the LHM server. This interstitial page is used (rather than
going directly to the LHM server) so that the SonicWALL security
appliance can verify the availability of the LHM server.
3.
Select Use Default or select Customize and enter a Server Down
Message in the text box. This is the message that will be presented to the
client if the Redirector determines that the LHM server is unavailable.
Configuring Advanced Settings
To configure the advanced settings for external authentication:
1.
Click the Advanced tab.
2.
Check Enable Auto-Session Logout checkbox and configure the two
corresponding fields to set the time increment and the page to which the
SonicWALL security appliance will POST when a session is logged out
(either automatically or manually).
3.
Check the Enable Server Status Check Checkbox and configure the two
corresponding fields to set the time increment and the page to which the
SonicWALL will POST to determine the availability of components on or
behind (e.g. a back-end database) the LHM server.
4.
Check the Session Synchronization checkbox and configure the two
corresponding fields to set the time increment and the page to which the
SonicWALL will POST the entire Guest Services session table. This allows
the LHM server to synchronize the state of Guest Users for the purposes
of accounting, billing, or mere curiosity.
5.
When you are finished configuring External Authentication, click the
Update button to apply your changes.
Configuring WGS Account Profiles
At the global or group level, and for SonicWALL appliances running SonicOS
Standard 3.8 and above, GMS supports the configuration of WGS account
profiles. You can set up different profiles that accommodate the need for guest
accounts with specific account lifetimes, session time limits, idle timeouts and
so forth. This screen also provides an Enable/Disable setting so that you can
disable a profile without deleting it and losing the configuration.
To add or edit a WGS Account Profile:
1.
Select a wireless SonicWALL appliance running SonicOS Standard.
2.
Expand the WGS tree and click Profiles.
3.
On the WGS Account Profiles page, click Add New WGS Profile. The Add
Profile page displays.
4.
In the WGS Account Profile Settings dialog box, type a descriptive name
into the Profile Name field.
5.
In the User Name Prefix field, type the user name that the guest will log
in with. Do not include the domain.
6.
Select Enable Account to activate the account for immediate use.
7.
Select Auto-Prune Account if you want the account to be removed after
its lifetime expires.
8.
Select Enforce Login Uniqueness to prevent multiple logins at the same
time for this account.
9.
For Account Lifetime, enter a number in the first field and then select
Days, Hours, or Minutes from the drop-down list. The account will expire
after this time period.
10. For Session Lifetime, enter a number in the first field and then select
Days, Hours, or Minutes from the drop-down list. The guest’s login
session will expire after this time period.
11. For Idle Timeout, enter a number in the first field and then select Days,
Hours, or Minutes from the drop-down list. The guest will be logged out
after being idle for this amount of time.
12. Optionally type a descriptive comment into the Comment field.
13. Click Update. Clicking Reset repopulates all fields with the default values
and allows you to start over.
CHAPTER 25
Configuring Modem Options
This chapter describes how to configure the dialup settings for SonicWALL
SmartPath (SP) and SmartPath ISDN (SPi) appliances.
SonicWALL SP appliances have a WAN Failover feature that enables
automatic use of a built-in modem to establish Internet connectivity when the
primary broadband connection becomes unavailable. This is ideal when the
SonicWALL appliance must remain connected to the Internet, regardless of
network speed.
This chapter contains the following subsections:
• “Configuring the Modem Profile” section on page 551
• “Configuring Modem Settings” section on page 555
• “Configuring Advanced Modem Settings” section on page 558
Configuring the Modem Profile
Note
For information on configuring WWAN connection profiles, see
Configuring the Connection Profile, page 560 in the Configuring
Wireless WAN Options chapter.
A profile is a list of dialup connection settings that can be used by a
SonicWALL SP or SonicWALL SPi appliance.
To configure a profile, perform the following steps:
1.
In the left pane, select the SonicWALL appliance to manage.
2.
Click the Policies tab.
3.
In the center pane, navigate to the Modem > Connection Profiles. The
profile configuration page displays.
4.
To create a new profile, enter the name of the profile in the Profile Name
field under ISP User Settings. To edit an existing profile or use an existing
profile as a template, select a profile from the Current Profile drop-down
menu.
Note
If you are editing an existing profile, the name in the Current Profile
field must match the existing profile name. If there are no existing
profiles, the Current Profile will display the static message No
profiles available.
5.
Enter the primary ISP phone number in the Primary Phone number field.
6.
Enter the backup ISP phone number in the Secondary Phone number
field.
7.
Enter the user name associated with the account in the User Name field.
8.
Enter the password associated with the account in the User Password
and Confirm User Password fields.
9.
Enter a chat script (optional).
10. Select one of the following IP address options:
– If the account obtains an IP address dynamically, select Obtain an IP
Address Automatically.
– If the account uses a fixed IP address, select Use the following IP
Address and type the IP address in the field.
11. Select from the following DNS server options:
– If the account obtains DNS server information from the ISP, select
Obtain an IP Address Automatically.
– If the account uses specific DNS servers, select Use the following
IP Address and type the server address in the field.
12. For SPi appliances, you can configure MSN/EAZ and bandwidth on
demand. To configure MSN/EAZ, enter a phone number in the MSN/EAZ
field. To enable bandwidth on demand, click the Bandwidth on Demand
box.
13. Select from the following connection options:
– If the SonicWALL appliance(s) will remain connected to the Internet
until the broadband connection is restored, select Persistent
Connection.
– If the SonicWALL appliance(s) will only connect to the Internet when
data is being sent, select Dial On Data.
– If the SonicWALL appliance(s) will connect to the Internet manually,
select Manual Dial.
14. To enable the modem to disconnect after a period of inactivity, check the
Inactivity Disconnect box and specify how long (in minutes) the modem
waits before disconnecting from the Internet in the Inactivity Timeout
field.
15. For SP appliances, specify a maximum connection speed by selecting the
speed from the Max connection speed drop-down menu. The default is
Auto.
16. To specify the maximum connection time, check the Max Connection
Time box and enter the maximum connection time (in minutes) in the Max
Connection Time field. To configure the SonicWALL device to allow
indefinite connections, enter ‘0’.
17. To specify a time (in minutes) before the connection reconnects, enter the
number of minutes in the Delay Before Reconnect fields.
18. For SP appliances, disable call waiting by checking the Disable Call
Waiting box and select the radio button next to the touch tone disabling
code. To enter a custom touch tone disabling code, select the radio button
next to Other and specify the code.
19. To allow the modem to attempt a connection multiple times, check the Dial
Retries per Phone Number box and specify the number of retries.
20. To specify how long the modem waits between retries, check the Delay
Between Retries box and specify the delay (in seconds).
21. To disable VPN when dialed, check the Disable VPN when dialed box.
22. For SP appliances, enable the network modem by checking the Enable
Network Modem box.
23. To specify the time periods when the modem can connect, check the Limit
Times for Dialup Profile box and click Configure. The Edit Schedule
String pop-up displays.
24. In the Edit Schedule String pop-up, check the box next to the day(s) you
want to allow dial-up connections. Next to the day(s) you select, enter the
start and end times between which dial-up connections will be allowed.
Enter the hour and minute in 24-hour format.
25. Click Apply.
26. When you are finished, click Add Profile. The profile is added. To clear all
screen settings and start over, click Reset.
Configuring Modem Settings
Select SonicWALL appliances are equipped to use analog modem and/or
wireless WAN (WWAN) devices for alternative or primary Internet connectivity.
Note
For information on configuring WWAN settings, see Configuring
Advanced Settings, page 565 in the Configuring Wireless WAN
Options chapter.
To configure the modem settings for one or more SonicWALL SP or
SonicWALL SPi appliances, perform the following steps:
1. In the left pane, select the SonicWALL appliance to manage.
2. Click the Policies tab.
3. In the center pane, navigate to Modem > Settings.
4. For SP appliances, select the Speaker volume drop-down box to
configure the speaker volume On or Off.
5. For SP appliances, modem initialization has two options:
– To initialize the modem for use in a specific country, select the radio
button next to Initialize Modem for use in and select the country in the
drop-down menu.
– To initialize the modem using AT commands, select the radio button
next to Initialize Modem using AT Command and enter the AT
command(s) the modem needs to establish a connection in the text
box.
6. For SPi appliances, you can specify the ISDN protocol by selecting the
protocol from the ISDN Protocol drop-down menu. To connect
immediately, click the Connect/Disconnect button and schedule the
connection.
7. For appliances running SonicOS Enhanced, select the check boxes for
any combination of the following dial on data categories:
– NTP packets
– GMS Heartbeats
– System log emails
– AV Profile Updates
– SNMP Traps
– Licensed Updates
– Firmware Update requests
– Syslog traffic
8. For appliances running SonicOS Enhanced, select the check boxes for
any combination of the following Management methods:
– HTTP
– HTTPS
– Ping
– SNMP
– SSH
9. For appliances running SonicOS Enhanced, select the check boxes for
any combination of the following User Login methods:
– HTTP
– HTTPS
– For HTTPS, check the box next to Add rule to enable redirect from
HTTP to HTTPS to redirect an HTTP address to HTTPS.
10. Select a primary profile from the Primary Profile drop-down menu.
Optionally, select alternate profiles from Alternate Profile 1 and, for SP
appliances, Alternate Profile 2.
Note
To configure modem profiles, navigate to Modem > Dialup Profiles.
11. For non-SonicOS Enhanced appliances, you can configure the following
modem failover settings:
– To enable dialup WAN failover, check the Enable Dialup WAN
Failover box.
– To enable preempt mode, check the Enable Preempt Mode box.
– To enable probing, check the Enable Probing box.
– Select a method for probing using the Probe through drop-down
menu.
– Enter the IP address that the SonicWALL appliance will use to test
Internet connectivity in the Probe Target (IP Address) field. We
recommend using the IP address of the WAN Gateway.
– Select the Probe Type, either ICMP Probing or TCP Probing.
– Enter the TCP port for probing in the TCP Port for Probing field.
– Specify how often the IP address will be tested (in seconds) in the
Probe Interval field.
– Specify how many times the probe target must be unavailable before
the SonicWALL appliance fails over to the modem in the Failover
Trigger Level field.
– Specify how many times the SonicWALL appliance must successfully
reach the probe target to reactivate the broadband connection in the
Successful probes to reactivate Primary field.
12. When you are finished, click Update.
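The probing settings in step 11 form a small state machine: consecutive failed probes trip failover to the modem, and consecutive successful probes reactivate the broadband link. The following Python model is an added example, not SonicWALL code; it assumes that Preempt Mode means the appliance returns to the primary link on its own once the probe target is reachable again, and that with Preempt Mode off it stays on the modem.

```python
"""Dialup WAN failover probing modelled as a pure-Python state machine.

Added example (not SonicWALL code) covering Probe Interval, Failover Trigger
Level and Successful probes to reactivate Primary. Assumption: Preempt Mode
means the appliance returns to the broadband link automatically once the
probe target is reachable again; with it off, the modem link stays active.
"""
import socket
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class FailoverSettings:
    probe_interval: int = 5                    # seconds between probes
    failover_trigger_level: int = 3            # consecutive misses before failover
    successful_probes_to_reactivate: int = 5   # consecutive hits before returning
    preempt_mode: bool = True


@dataclass
class FailoverState:
    active_link: str = "primary"               # "primary" (broadband) or "modem"
    consecutive_failures: int = 0
    consecutive_successes: int = 0
    transitions: List[Tuple[int, str]] = field(default_factory=list)  # (second, link)


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Probe Type = TCP Probing: a completed handshake with the probe target
    counts as reachable. (ICMP probing needs raw sockets and is not shown.)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def apply_probe(settings: FailoverSettings, state: FailoverState,
                second: int, probe_ok: bool) -> FailoverState:
    """Feed one probe result into the state machine and record any link change."""
    if probe_ok:
        state.consecutive_failures = 0
        state.consecutive_successes += 1
        if (state.active_link == "modem" and settings.preempt_mode
                and state.consecutive_successes
                >= settings.successful_probes_to_reactivate):
            state.active_link = "primary"
            state.consecutive_successes = 0
            state.transitions.append((second, "primary"))
    else:
        state.consecutive_successes = 0
        state.consecutive_failures += 1
        if (state.active_link == "primary"
                and state.consecutive_failures >= settings.failover_trigger_level):
            state.active_link = "modem"
            state.consecutive_failures = 0
            state.transitions.append((second, "modem"))
    return state


def simulate(settings: FailoverSettings, probe_results: Iterable[bool]) -> FailoverState:
    """Replay a constructed sequence of probe results, one per Probe Interval."""
    state = FailoverState()
    for i, ok in enumerate(probe_results):
        apply_probe(settings, state, i * settings.probe_interval, ok)
    return state


if __name__ == "__main__":
    # Constructed probe history: the WAN gateway drops out for three probes,
    # then recovers. One short outage (two misses) does not trip failover.
    history = [True, False, False, True, False, False, False, True, True, True]
    result = simulate(FailoverSettings(probe_interval=10, failover_trigger_level=3,
                                       successful_probes_to_reactivate=2), history)
    print(result.transitions)   # [(60, 'modem'), (80, 'primary')]
```

Raising the Failover Trigger Level filters out short blips at the cost of a slower failover; raising Successful probes to reactivate Primary avoids flapping back onto a link that is still unstable.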
Configuring Advanced Modem Settings
To configure advanced modem settings, perform the following steps:
1. In the left pane, select the SonicWALL appliance to manage.
2. Click the Policies tab.
3. In the center pane, navigate to Modem > Advanced.
4. To enable remotely triggered dial-out, check the Enable Remotely
Triggered Dial-out box.
5. If your remotely triggered dial-out requires authentication, check the
Requires Authentication box and enter your password in the Password
and Confirm Password fields.
6. To enable RIP advertisements through the modem, check the Enable LAN
to WAN RIP during dialup box.
7. When you are finished, click Update.
Note
For information on configuring WWAN settings, see Configuring
Advanced Settings, page 565 in the Configuring Wireless WAN
Options chapter.
CHAPTER 26
Configuring Wireless WAN Options
This chapter describes how to configure the Wireless Wide Area Network
(WWAN) settings for SonicWALL security appliances that use 3G and other
Wireless WAN functionality to utilize data connections over cellular networks.
This chapter contains the following subsections:
• “About Wireless WAN” section on page 559
• “Configuring the Connection Profile” section on page 560
• “Configuring WWAN Settings” section on page 564
• “Configuring Advanced Settings” section on page 565
About Wireless WAN
SonicWALL appliances such as the TZ 190, TZ 200, and TZ 210 have a
WWAN capability that can be used for the following:
• WAN Failover to a connection that is not dependent on wire or cable.
• Temporary networks where a pre-configured connection may not be
available, such as trade-shows and kiosks.
• Mobile networks, where the SonicWALL appliance is based in a vehicle.
• Primary WAN connection where wire-based connections are not available
and cellular is.
Wireless WAN support requires a wireless card and a contract with a wireless
network provider. See the SonicWALL documentation that comes with the
security appliance for more information.
GMS provides for complete management of SonicWALL security appliances
that are WWAN/3G-capable, and running SonicOS Enhanced 3.6 and above.
Configuring the Connection Profile
A profile is a list of connection settings that can be used by a SonicWALL
appliance.
To configure a connection profile, perform the following steps:
1. In the TreeControl pane, select a group view or a SonicWALL appliance to
manage. The appliance must be running SonicOS Enhanced 3.6 or higher,
and must support WWAN functionality.
2. Click the Policies tab.
3. In the center pane, navigate to the 3G/Modem > Connection Profiles.
The profile configuration page displays. For a group view, the page is
slightly different to accommodate both Modem and WWAN settings.
4. Perform the following procedures to configure the Connection
Configuration, General Settings, IP Address Settings, Parameters,
and Data Usage Limiting sections in the 3G/Modem > Connection
Profiles screen. See the following procedures:
– “To Configure the Connection Configuration and General settings:” on
page 561.
– “To Configure the IP Address Settings:” on page 562
– “To Configure Parameters:” on page 562
– “To Configure Data Usage Limiting:” on page 563
5. Click Delete Profile to delete the profile specified in the Profile Name
field.
6. Click RESET to clear all fields and start over.
7. Click UPDATE to save the settings to the specified connection profile.
To Configure the Connection Configuration and General settings:
1. To edit an existing profile or use an existing profile as a template, select a
profile from the Current Profile drop-down menu.
Note
If you are editing an existing profile, the name in the Current
Profile field must match the existing profile name. If there are
no existing profiles, the Current Profile will display the static
message No profiles available.
2. To create a new profile, enter the name of the profile in the Profile Name
field.
3. In the Country drop-down list, select the country where the SonicWALL
TZ 190 appliance is deployed.
4. In the Service Provider drop-down list, select the service provider that
you have a cellular account with. Note that only service providers
supported in the country you selected are displayed in the drop-down list.
5. In the Plan Type window, select the WWAN plan you have subscribed to
with the service provider, or select Other. If your specific plan type is listed
in the drop-down menu, the rest of the fields in the General section are
automatically provisioned. Verify that these fields are correct and continue
in the Parameters section.
6. Verify that the appropriate Connection Type is selected. Note that this
field is automatically provisioned for most service providers.
7. Verify that the Dialed Number is correct. Note that the dialed number is
*99# for most service providers.
8. Enter your username and password in the User Name, User Password,
and Confirm User Password fields, respectively.
9. Enter the Access Point Name in the APN field. APNs are required only by
GPRS devices and will be provided by the service provider.
To Configure the IP Address Settings:
1. Under IP Address Settings, select one of the following IP Address
options:
– If the account obtains an IP address dynamically, select Obtain an IP
Address Automatically. By default, WWAN connection profiles are
configured to obtain IP addresses automatically.
– To specify a static IP address, select Use the following IP Address
and type the IP address in the field.
2. Select from the following DNS Server options:
– If the account obtains DNS server information from the ISP, select
Obtain an IP Address Automatically. By default, WWAN connection
profiles are configured to obtain DNS server addresses automatically.
– If the account uses specific DNS servers, select Use the following
IP Address and type the IP addresses of the primary and secondary
DNS servers in the fields.
To Configure Parameters:
1. Select from the following Dial Type options:
– If the SonicWALL appliance(s) will continuously use the WWAN to stay
connected to the Internet, select Persistent Connection.
– If the SonicWALL appliance(s) will only connect to the Internet when
data is being sent, select Dial On Data. To configure the SonicWALL
appliance for remotely triggered dial-out, the Dial Type must be Dial
on Data. See “Configuring Advanced Settings” on page 565
– If the SonicWALL appliance(s) will connect to the Internet manually,
select Manual Dial.
2. Select the Enable Inactivity Disconnect checkbox and enter the number
of minutes of inactivity during which the WWAN connection stays alive
before disconnecting from the Internet. Note that this option is not
available if the Dial Type is Persistent Connection.
3. Select the Enable Max Connection Time checkbox and enter the number
of minutes after which the WWAN connection disconnects, regardless of
whether the session is inactive or not. Enter a value in the Delay Before
Reconnect to have the SonicWALL appliance automatically reconnect
after the specified number of minutes.
4. Select the Dial Retries per Phone Number checkbox and enter a number
in the field to specify the number of times the SonicWALL appliance can
attempt to reconnect.
5. Select the Delay Between Retries checkbox and enter a number in the
field to specify the number of seconds between retry attempts.
6. Select the Disable VPN when Dialed checkbox to disable VPN
connections over the WWAN interface.
To Configure Data Usage Limiting:
1. Select the Enable Data Usage Limiting checkbox to have the WWAN
interface become automatically disabled when the specified data or time
limit has been reached for the month.
Tip
If your WWAN account has a monthly data or time limit, it is strongly
recommended that you enable Data Usage Limiting.
2. Select the day of the month to start tracking the monthly data or time
usage in the Billing Cycle Start Date drop-down menu.
3. Enter a value in the Limit field and select the appropriate limiting factor:
either GB, MB, KB, or Minutes.
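The three Data Usage Limiting settings above (a billing cycle start day, a limit and its unit) determine when the WWAN interface is disabled for the month. The Python below is an added example, not SonicWALL code: it works out the billing cycle that contains a given day, including start days that do not exist in every month, and checks constructed usage records against the limit. It assumes GB, MB and KB are binary multiples of 1024, which the guide does not state.

```python
"""Data Usage Limiting against a monthly billing cycle.

Added example (not SonicWALL code). Assumption: GB/MB/KB are binary multiples
of 1024. A Billing Cycle Start Date that a month lacks (e.g. the 31st in
February) is clamped to that month's last day.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class UsageRecord:
    day: date
    bytes_used: int
    minutes_connected: int


def _cycle_day(year: int, month: int, start_day: int) -> date:
    """The cycle start date inside the given month, clamped to the month length."""
    return date(year, month, min(start_day, calendar.monthrange(year, month)[1]))


def billing_period(today: date, start_day: int) -> Tuple[date, date]:
    """First and last day of the billing cycle that contains `today`."""
    start = _cycle_day(today.year, today.month, start_day)
    if today < start:  # the current cycle began in the previous month
        y, m = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        start = _cycle_day(y, m, start_day)
    y, m = (start.year + 1, 1) if start.month == 12 else (start.year, start.month + 1)
    end = _cycle_day(y, m, start_day) - timedelta(days=1)
    return start, end


def usage_limit_reached(records: List[UsageRecord], today: date, start_day: int,
                        limit: int, unit: str) -> Tuple[bool, int]:
    """Return (limit reached?, usage so far) for the cycle containing `today`.

    `unit` is one of GB, MB, KB or Minutes, as offered in the Limit field.
    """
    start, end = billing_period(today, start_day)
    in_cycle = [r for r in records if start <= r.day <= end]
    if unit == "Minutes":
        used, allowed = sum(r.minutes_connected for r in in_cycle), limit
    else:
        used, allowed = sum(r.bytes_used for r in in_cycle), limit * UNIT_BYTES[unit]
    return used >= allowed, used


# Constructed usage log: one record per day the WWAN link was used.
SAMPLE_RECORDS = [
    UsageRecord(date(2010, 2, 10), 500 * UNIT_BYTES["MB"], 60),   # previous cycle
    UsageRecord(date(2010, 2, 20), 300 * UNIT_BYTES["MB"], 30),
    UsageRecord(date(2010, 3, 5), 800 * UNIT_BYTES["MB"], 45),
    UsageRecord(date(2010, 3, 20), 900 * UNIT_BYTES["MB"], 10),   # next cycle
]

if __name__ == "__main__":
    # Billing cycle starts on the 15th; on 10 March the cycle is 15 Feb to 14 Mar.
    reached, used = usage_limit_reached(SAMPLE_RECORDS, date(2010, 3, 10), 15, 1, "GB")
    print(reached, used // UNIT_BYTES["MB"], "MB")   # True 1100 MB
```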
Configuring WWAN Settings
To configure the WWAN settings for one or more SonicWALL appliances,
perform the following steps:
1. In the left pane, select the SonicWALL appliance to manage. The
appliance must be running SonicOS Enhanced 3.6 or higher, and must
support WWAN functionality.
2. Click the Policies tab.
3. In the center pane, navigate to 3G/Modem > Settings.
4. In the Connect On Data Categories section, select the check boxes for
any combination of the following dial on data categories:
– NTP packets
– GMS Heartbeats
– System log emails
– AV Profile Updates
– SNMP Traps
– Licensed Updates
– Firmware Update requests
– Syslog traffic
The Connect on Data Categories settings allow you to configure the
WWAN interface to automatically connect to the WWAN service provider
when the SonicWALL appliance detects specific types of traffic. To
configure the SonicWALL appliance for Connect on Data operation, you
must select Dial on Data as the Dial Type for the Connection Profile.
See “To Configure Parameters:” on page 562.
5. In the Management/User Login section, select the check boxes for any
combination of the following Management methods:
– HTTP
– HTTPS
– Ping
– SNMP
– SSH
6. Select the check boxes for any combination of the following User Login
methods:
– HTTP
– HTTPS
– Select Add rule to enable redirect from HTTP to HTTPS to have the
SonicWALL automatically convert HTTP requests to HTTPS requests
for added security.
7. Under Profile Settings, select a primary profile from the Primary Profile
drop-down menu. Optionally, select alternate profiles from Alternate
Profile 1 and Alternate Profile 2.
Note
To set up WWAN Interface Monitoring for this unit, go to the
Network > WAN Failover & LB screen.
8. To return all fields to their default settings and start over, click RESET.
9. To save settings, click UPDATE.
Configuring Advanced Settings
The 3G/Modem > Advanced page is used to configure the Remotely
Triggered Dial-Out feature on the SonicWALL appliance. The Remotely
Triggered Dial-Out feature enables network administrators to remotely initiate
a WWAN connection to a SonicWALL appliance.
Before configuring the Remotely Triggered Dial-Out feature, ensure that your
configuration meets the following prerequisites:
• The WWAN profile is configured for dial-on-data.
• The SonicWALL Security Appliance is configured to be managed using
HTTPS, so that the device can be accessed remotely.
• It is recommended that you enter a value in the Enable Max Connection
Time field.
This field is located in the 3G/Modem > Connection Profiles screen in
the Parameters section. See “To Configure Parameters:” on page 562 for
more information. If you do not enter a value in this field, dial-out calls will
remain connected indefinitely, and you will have to manually terminate
sessions by clicking the Disconnect button.
To configure advanced WWAN settings, perform the following steps:
1. In the left pane, select the SonicWALL appliance to manage. The
appliance must be running SonicOS Enhanced 3.6 or higher, and must
support WWAN functionality.
2. Click the Policies tab.
3. In the center pane, navigate to 3G/Modem > Advanced.
4. To enable remotely triggered dial-out, check the Enable Remotely
Triggered Dial-out box.
5. If your remotely triggered dial-out requires authentication, check the
Requires Authentication box and enter your password in the Password
and Confirm Password fields.
6. Under WWAN Connection Limit, type the number of simultaneous
connections that are allowed, or enter zero for no limit in the Max Hosts
field.
7. To return all fields to their default settings and start over, click RESET.
8. When you are finished, click UPDATE.
CHAPTER 27
Managing Inheritance in GMS
Inheritance in GMS specifies the process by which a node’s settings can be
inherited to and from unit, group and parent nodes. Previously, GMS users could
inherit settings down the hierarchy. This ability can be understood as “forward”
inheritance. Starting in GMS 6.0, users can now also “reverse” inherit settings
back up the hierarchy, from a unit or group node to its parent node. This chapter
contains the following sections:
• “Configuring Inheritance Filters” section on page 569
• “Applying Inheritance Settings” section on page 570
Configuring Inheritance Filters
The “Inheritance Filters” screen, under Console > Management >
Inheritance Filters, is used to create inheritance filters by selecting screens
available under the “Inheritance Filter Detail” panel.
To create a new filter, the user enters a name for this filter in the “Name” field.
The user then checks boxes next to the screens, or screen groups, they wish
to inherit. This screen is enhanced to automatically select or deselect
dependent data screens, based upon the related screens chosen by the user.
The user must then select the appropriate “Access” for each user type:
Administrators, Operators, End Users, and Guest users. These selections are
made using the corresponding drop down menus.
Once the user has made the desired screen and access selections, they must
click the “Add” button to finish creating the new inheritance filter. This new filter
will now be available in the Filter drop down menu on the UTM > System >
Tools screen.
Applying Inheritance Settings
Administrators often work to define and test policies at the appliance level, and
then painstakingly attempt to replicate those policies on other appliances.
Using this simple process for inheritance, administrators can capitalize on the
valuable time spent building a unit’s well-configured firewall policies, by then
seamlessly replicating those policies through the hierarchy.
Step 1 To inherit some or all of an appliance’s settings, go to the UTM > System > Tools
screen within the GMS 6.0 Management Interface.
Step 2 In the left pane, the user clicks on the appliance whose settings they wish to
inherit.
Step 3 Under the screen section heading, “Inherit Settings at Unit,” the user selects
either forward or reverse inheritance by clicking on the respective radio button.
Step 4 From the “Filter” drop down menu, the user selects the inheritance filter to apply.
If a desired filter is not listed and must be created, see Configuring Inheritance
Filters, page 569
Step 5 Once the desired inheritance filter is selected, the user clicks the “Preview”
button. A Preview panel opens to allow the user to review the settings to be
inherited. Users may continue with all of the default screens selected for
inheritance or select only specific screens for inheritance by checking boxes next
to the desired settings.
Note
The Preview panel footer states, “All referring objects should also be
selected as part of the settings picked, to avoid any dependency
errors while inheriting.” If the user deselects dependent screen
data, the settings will not inherit properly.
Step 6 If the user is attempting forward inheritance, they may click “Update” to proceed.
If the user is attempting to reverse inherit settings, an additional selection must be
made at the bottom of the Preview panel. The user must select either to update
the chosen settings to only the target parent node, or to update the target parent
node along with all unit nodes under it. Once the user makes this selection, they
may click “Update” to proceed, or “Reset” to edit previous selections.
Step 7 If the user selects to update the target parent node and all unit nodes, a “Modify
Task Description and Schedule” panel opens in place of the Preview panel. (This
panel will not appear if the user selects “Update only target parent node”). If
the “Modify Task Description and Schedule” panel opens, the user can edit the
task description in the “Description” field. They may also adjust the schedule for
inheritance, or continue with the default scheduling. If the user chooses to edit the
timing by clicking on the arrow next to “Schedule,” a calendar expands allowing
the user to click on a radio button for “Immediate” execution, or to select an
alternate day and time for inheritance to occur. Once the user has completed any
edits, they select either “Accept” or “Cancel” to execute or cancel the scheduled
inheritance, respectively.
Once the inheritance operation begins, a progress bar appears, along with text
stating the operation may take a few minutes, depending on the volume of
data to be inherited, as shown below:
Once the inheritance operation is complete, the desired settings from the unit
or group node should now be updated and reflected in the parent node’s
settings, as well as in the settings of all other units, if selected.
CHAPTER 28
Configuring Web Filters with CSM
SonicWALL Content Security Manager (CSM) CF provides appliance-based
Internet filtering that enhances security and employee productivity, optimizes
network utilization, and mitigates legal liabilities by managing access to
objectionable and unproductive Web content. This chapter provides
configuration tasks for deploying these services.
This chapter contains the following sections:
• “Configuring Web Filter Settings” section on page 575
• “Configuring Web Filter Policies” section on page 578
• “Configuring Custom Categories” section on page 582
• “Configuring Miscellaneous Web Filters” section on page 584
• “Configuring the Custom Block Page” section on page 586
Configuring Web Filter Settings
Web Filters includes settings for configuring Internet filtering on the
SonicWALL CSM CF. The Web Filter settings provide information on the status
of filtering subscription service updates, settings for enabling filtering,
managing the behavior of the Dynamic Rating engine, adding IP addresses to
exclude from filtering, and access to URL ratings with the SonicWALL Content
Filtering Service database.
To configure Web Filters perform the following steps:
1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
3. In the center pane, navigate to the Web Filters > Settings.
4. To enable web filtering using SonicWALL CSM, check the Enable Web
Filtering box.
5. Enter a URL cache size in the URL Cache Size (KBs) field. This specifies
the URL cache size on the SonicWALL CSM. The default value is 5120
KBs.
Note
A larger URL cache size can provide noticeable improvements in
Internet browsing response times.
– Check the Use Dynamic Rating box to enable the use of the CSM
integrated dynamic rating engine that allows an unrated URL to be
dynamically rated in real-time. Select either Optimize for speed,
which instructs the dynamic rating engine to process less information
for faster ratings and lower accuracy, or Optimize for accuracy,
which instructs the dynamic rating engine to process more
information, resulting in slower ratings and higher accuracy.
– Check the Server Responses box to block URLs from Web sites that
have compressed content.
6. Enter the session limit in minutes in the Session Limit (Minutes) for
Continue option field.
7. To specify an IP address or IP address range on your network to be
excluded from any SonicWALL CSM filtering, enter a single IP address in
the IP Address Begin and in the IP Address End fields (for a single IP
address), or enter the starting IP address in the IP Address Begin field
and the ending IP address in the IP Address End field (for an IP address
range).
8. Click Add. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
12. When you are finished, click Update. The scheduler displays.
13. Expand Schedule by clicking the plus icon.
14. Select Immediate or specify a future date and time.
15. Click Accept.
16. If you believe that a Web site is rated incorrectly or you wish to submit a
new URL, click the here link in the sentence If you believe that a Web
site is rated incorrectly or you wish to submit a new URL, click here.
The CFS URL Rating Review Request page displays.
Configuring Web Filter Policies
The Policies page is where you define policy groups by assembling default
content filter and custom categories into unique policies that are applied to
users and groups. The Policies page allows you create and edit policies that
are used to create policy groups, which in turn are applied to user groups.
The Web Filters > Policies page displays a category sets table. The Policies
table initially lists the default 12 predefined policy groups. Clicking the plus
button expands the list to display every policy under the policy group. Policies
with an asterisk are part of the *Default policy group. The Policies table lists
the following information about *Default and custom policy groups:
• Name - The name of the policy group. Clicking the plus button expands
the policy group and displays the policies included in the group.
• Type - Displays the type of policy, for example: Policy, Default Category,
Forbidden Keywords, Forbidden URLs or Trusted URLs.
• Action - Displays the action to be performed when a URL or keyword is
accessed that fits the category, for example, Block, Log, or Allow.
• Comment - Displays a caption icon with comments about the policy. When
you move the pointer over the icon, the comment text is displayed. The
comment text is entered in the Add Category Set window.
• Configure - Includes the Configure icon, which displays the Edit Web
Filter Category Set window, and the Delete icon for removing the policy
group. The Delete icon is greyed out for the *Default policy.
Clicking the Restore Defaults button removes all custom policies and any
policies you added to the *Default policy group.
Clicking Add Policy Group displays the Add Web Filter Policy
Group window for adding new policies.
This section contains the following subsections:
• “Modifying the *Default Policy Group” on page 579
• “Adding Category Sets” on page 580
• “Restoring Defaults” on page 581
Modifying the *Default Policy Group
To modify the *Default policy group category:
1. Click the configure icon under Configure in Policies table next to the
category you want to configure. The Edit Web Filter Category Set
window is displayed.
2. The Name field displays the *Default entry, which can be renamed. You
must add descriptive text up to 63 characters in length in the Comment
field.
3. Click the Predefined tab.
4. Select the policy categories you want to add to the *Default policy group.
Check the box next to the category you want to add. If you want to remove
a policy, uncheck the box next to the policy.
5. Click OK. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a date and time in the future.
8. Click Accept.
Adding Category Sets
To add category sets, perform the following steps:
1. Click Add Category Set. The Add Web Filter Category Set window
displays.
2. Enter a name in the Name field and a comment in the Comment field.
3. Click the Predefined tab and check the predefined categories you want to
add to your category set. For each category, select the action to be
performed, either Block, Log, or Allow.
4. Click the Custom tab and check the custom categories you want to add to
your category set. For each category, select the action to be performed,
either Block, Log, or Allow.
Note
To learn how to add custom categories, refer to “Configuring Custom
Categories” on page 582.
5. Click the Miscellaneous tab and select the miscellaneous actions to add
to the category set. For each action, select the action to be performed,
either Block, Log, or Allow.
6. When you are finished, click OK. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
Restoring Defaults
The Restore Defaults button removes all custom policies and any policies
you added to the *Default policy. To restore defaults, perform the following
tasks:
1. Click the Restore Defaults button at the bottom of the screen. A
confirmation message displays.
2. Click OK.
Configuring Custom Categories
The Custom Categories page allows you to create custom policies that can
incorporate untrusted URLs and domains, untrusted keywords, and trusted
URLs and domains.
To configure custom categories, perform the following steps:
1. In the left pane, select the appliance to manage.
2. Click the Policies tab.
3. Navigate to Web Filters > Custom Categories.
4. To configure Forbidden URLs to selectively block or allow with logging of
the action by the CSM, click Add Forbidden URLs. The Add Forbidden
URLs page displays.
5. Enter a name in the Name field.
6. Enter a comment in the Comment field.
7. Enter the URL in the Entry field and click Add. Your entry will appear in
the List. To delete an entry, click Delete.
8. Click Update. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
12. To edit Forbidden URLs, click the Configure icon next to the forbidden URL
you want to configure.
13. To delete Forbidden URLs, click the delete icon next to the forbidden URL
you want to delete.
14. To configure Forbidden Keywords to specify keywords that are substrings
of URLs (to allow stricter filtering), click Add Forbidden Keywords.
15. Enter a name in the Name field.
16. Enter a comment in the Comment field.
17. Enter the keyword in the Entry field and click Add. Your entry will appear
in the List. To delete an entry, click Delete.
18. Click Update. The scheduler displays.
19. Expand Schedule by clicking the plus icon.
20. Select Immediate or specify a future date and time.
21. Click Accept.
22. To edit Forbidden Keywords, click the Configure icon next to the forbidden
keyword you want to configure.
23. To delete Forbidden Keywords, click the delete icon next to the forbidden
keyword you want to delete.
24. To configure Allowed URLs to specify URLs that are always allowed, click
Add Allowed URLs.
25. Enter a name in the Name field.
26. Enter a comment in the Comment field.
27. Enter the URL in the Entry field and click Add. Your entry will appear in
the List. To delete an entry, click Delete.
28. Click Update. The scheduler displays.
29. Expand Schedule by clicking the plus icon.
30. Select Immediate or specify a future date and time.
31. Click Accept.
32. To edit Allowed URLs, click the Configure icon next to the allowed URL
you want to configure.
33. To delete Allowed URLs, click the delete icon next to the allowed URL you
want to delete.
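Steps 4 to 33 create three kinds of custom category: Forbidden URLs, Forbidden Keywords (matched as substrings of a URL) and Allowed URLs. The Python below is an added example, not SonicWALL code, showing how a URL is evaluated against such categories and why the order of checks matters. It assumes that a domain entry also covers its subdomains, that an entry with a path matches that path as a prefix, and that an Allowed URLs match overrides any forbidden entry; the guide does not spell out the CSM's precedence.

```python
"""Evaluate a URL against CSM-style custom categories.

Added example (not SonicWALL code). Assumptions: a domain entry covers its
subdomains, an entry with a path matches that path prefix, and an Allowed URLs
match takes precedence over any forbidden entry.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CustomCategory:
    name: str
    kind: str          # "allowed_url", "forbidden_url" or "forbidden_keyword"
    action: str        # "Block", "Log" or "Allow", as chosen in the category set
    entries: List[str]


def _host_and_path(url: str) -> Tuple[Optional[str], str]:
    """Split a URL or a bare 'domain/path' entry into lowercase host and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname.lower() if parts.hostname else None
    return host, (parts.path or "/")


def url_entry_matches(url: str, entry: str) -> bool:
    """True when `url` falls under `entry` (same domain, a subdomain, or a path prefix)."""
    host, path = _host_and_path(url)
    e_host, e_path = _host_and_path(entry)
    if not host or not e_host:
        return False
    host_ok = host == e_host or host.endswith("." + e_host)
    if e_path == "/":
        return host_ok
    return host_ok and path.startswith(e_path)


def evaluate(url: str, categories: List[CustomCategory]) -> Tuple[str, str]:
    """Return (action, category name) for the request.

    Allowed URLs are checked first so an explicit exemption wins; forbidden
    URL and keyword categories are then checked in the order given.
    """
    for cat in categories:
        if cat.kind == "allowed_url" and any(url_entry_matches(url, e) for e in cat.entries):
            return "Allow", cat.name
    lowered = url.lower()
    for cat in categories:
        if cat.kind == "forbidden_url" and any(url_entry_matches(url, e) for e in cat.entries):
            return cat.action, cat.name
        if cat.kind == "forbidden_keyword" and any(k.lower() in lowered for k in cat.entries):
            return cat.action, cat.name
    return "Allow", "no match"


# Constructed categories of the three kinds the procedure above creates.
SAMPLE_CATEGORIES = [
    CustomCategory("Corporate sites", "allowed_url", "Allow", ["intranet.example.com"]),
    CustomCategory("Blocked shops", "forbidden_url", "Block",
                   ["badsite.example", "shop.example/checkout"]),
    CustomCategory("Watched words", "forbidden_keyword", "Log", ["gambl", "torrent"]),
]

if __name__ == "__main__":
    for url in ("http://www.badsite.example/page",
                "https://intranet.example.com/gambling-policy",
                "http://news.example/gambling-news",
                "http://shop.example/catalog"):
        print(url, "->", evaluate(url, SAMPLE_CATEGORIES))
```

Because a keyword is a plain substring of the whole URL, a short keyword such as "gambl" also fires on an internal policy page; the Allowed URLs exemption is what keeps that page reachable.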
Configuring Miscellaneous Web Filters
The Miscellaneous page provides configuration for Web risks, forbidden file
types and trusted sites. To configure miscellaneous web filters, perform the
following steps:
1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
3. In the center pane, navigate to the Web Filters > Miscellaneous.
4. Web risks, including Block Cookies, Block ActiveX, Block HTTP Proxy
Server, and Block Fraudulent Certificates are always activated as
Block and cannot be deleted or modified.
– Block Cookies - Cookies are used by Web servers to track Web
usage and remember user identity. Cookies can also compromise
users' privacy by tracking Web activities.
– Block ActiveX - ActiveX is a programming language that embeds
scripts in Web pages. Malicious programmers can use ActiveX to
delete files or compromise security.
– Block HTTP Proxy Servers - When a proxy server is located on the
external interface, users can circumvent content filtering by pointing
their computer to the proxy server.
– Block Fraudulent Certificates - Digital certificates help verify that
Web content and files originated from an authorized party. Enabling
this feature protects users on the LAN from downloading malicious
programs warranted by these fraudulent certificates. If digital
certificates are proven fraudulent, then the SonicWALL CSM blocks
the Web content and the files that use these fraudulent certificates.
5.
To add forbidden files types, click Add Forbidden File Types. Forbidden
File Types are groupings of file extensions including Java Applets,
Executable Files, Video Files, Audio Files, and user specified file types
by extension, used for similar purposes. SonicWALL CSM allows you to
filter Internet content based on file extension.
6.
Enter a name in the Name field.
7.
Enter a comment in the Comment field.
8.
Enter the file type in the Entry field and click Add. Your entry will appear
in the List. To delete an entry, click Delete.
9.
Click Update. The scheduler displays.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept.
13. To edit Forbidden File Types, click the Configure icon next to the forbidden
file type you want to configure.
14. To delete Forbidden File Types, click the delete icon next to the forbidden
file type you want to delete.
15. To add trusted sites, click the configure button next to Trusted Sites List.
16. Enter a name in the Name field.
17. Enter a comment in the Comment field.
18. Enter a URL in the Entry field and click Add. Your entry will appear in the
List. To delete an entry, click Delete.
19. Click Update. The scheduler displays.
20. Expand Schedule by clicking the plus icon.
21. Select Immediate or specify a future date and time.
22. Click Accept.
Configuring the Custom Block Page
The Custom Block Page allows you to enter your customized text to display to
the user when access to a blocked site is attempted. Any message, including
embedded HTML, can be entered in this field.
1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Web Filters > Custom Block Page.
4. Type the custom text to be displayed when a blocked site is accessed
under Message to Display when Blocking Website.
5. Select the background color from the Background Color drop-down menu.
6. Click Preview to see a preview of the custom block page.
7. When you are finished, click Update. The scheduler displays.
8. Expand Schedule by clicking the plus icon.
9. Select Immediate or specify a future date and time.
10. Click Accept.
CHAPTER 29
Configuring Application Filters for CSM
This chapter provides configuration tasks for deploying CSM application
filtering services. SonicWALL Content Security Manager (CSM) provides
appliance-based application filtering that enhances security and employee
productivity and optimizes network utilization.
Configuring Application Filters
SonicWALL Content Security Manager (CSM) provides appliance-based
application filtering.
To configure application filters, perform the following steps:
1. In the left pane, select the CSM appliance to manage.
2. Click the Policies tab.
3. In the center pane, navigate to Application Filters > Settings.
4. To update the filter database, click Update Filter Database. The
scheduler displays.
5. Expand Schedule by clicking the plus icon.
6. Select Immediate or specify a future date and time.
7. Click Accept.
8. To enable application filtering, check the Enable Application Filtering
box.
9. Click Update. The scheduler displays.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept.
13. To enable the application filters exclusion list, which excludes an IP
address or IP address range from application filtering, check the Enable
Application Filters Exclusion List box.
14. Click Update. The scheduler displays.
15. Expand Schedule by clicking the plus icon.
16. Select Immediate or specify a future date and time.
17. Click Accept.
18. Enter the address range for the application filters exclusion list by
entering a beginning IP address in the Address Range Begin field and an
ending IP address in the Address Range End field.
19. Click Add. The scheduler displays.
20. Expand Schedule by clicking the plus icon.
21. Select Immediate or specify a future date and time.
22. Click Accept.
CHAPTER 30
Registering and Upgrading SonicWALL Appliances
This chapter describes how to register and upgrade SonicWALL appliances. This
chapter contains the following subsections:
• “Registering SonicWALL Appliances” section on page 591
• “Upgrading Firmware” section on page 592
• “Upgrading Licenses” section on page 594
• “Searching” section on page 594
• “Creating License Sharing Groups” section on page 597
• “Viewing Used Activation Codes” section on page 600
Registering SonicWALL Appliances
Registering a SonicWALL appliance using GMS registers the appliance using
the same registration information supplied for GMS. To register a SonicWALL
appliance using GMS, perform the following steps:
1. In the left pane, select the SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Register SonicWALLs.
4. Click Register. The scheduler displays.
5. Expand Schedule by clicking the plus icon.
6. Select Immediate or specify a future date and time.
7. Click Accept.
Note
When a unit is added to GMS, once it is acquired successfully by
GMS, it is automatically registered by GMS.
Upgrading Firmware
SonicWALL firmware is updated on a periodic basis to offer new functionality
and address any known issues. After a SonicWALL appliance is added to
SonicWALL GMS management, its auto-update feature is disabled.
SonicWALL GMS periodically polls the mysonicwall.com site for new firmware
versions. Once a new firmware version is detected and available, SonicWALL
GMS sends an email notification to the SonicWALL GMS administrator.
You need to go to your mysonicwall.com account at
<https://www.mysonicwall.com> and download the firmware, save the
firmware file to the GMS server, and then access the SonicWALL security
appliance from GMS.
To upgrade to the latest firmware, perform the following steps:
Note
In order for changes on this page to take effect, the SonicWALL
appliance(s) will automatically be restarted. We recommend
scheduling the firmware update to run when network activity is low.
1. In the left pane, select the global icon, a group, or a SonicWALL
appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Firmware Upgrade.
4. Select one of the following three methods for upgrading firmware:
– To upgrade the firmware of all selected SonicWALL appliances using
the firmware file that is stored in the local GMS server folder, click
Upgrade Firmware using files on the GMS Server.
– To upgrade from a firmware file on the local drive of your desktop
system, enter the path to the file or click Browse to locate a file. Then,
click Upgrade firmware from local file.
– (Group view only) To upgrade firmware using the latest version
available on mysonicwall.com, click Upgrade to latest firmware
available at mysonicwall.com.
Caution
Upgrading firmware requires that the appliance be restarted.
Selecting any of the three firmware upgrade methods displays a
warning message that states This will involve restarting the
Appliance(s).
Upgrading Licenses
For information on upgrading SonicWALL GMS subscription services
(warranty support, anti-virus, content filtering, etc.) see “SonicWALL
Upgrades” on page 1049.
Searching
The search feature allows you to search for appliances based on registration,
subscription and upgrade status. You can print the search results or save them
to a PDF file with a single click of the printer icon or PDF icon on the Search
Results banner.
The search parameters are pre-populated for retrieving the subscription
services that are currently active on the appliance(s). The search is executed
and the results are sorted by Expiry Date. To search for appliances, perform
the following tasks:
1. In the left pane, select a node or appliance to search.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Search.
To search based on Registration Criteria, perform the following steps:
4. From the first pull-down menu, select Registration Status.
5. From the second pull-down menu, select Registered or Not Registered.
6. Click Search. A table of search results displays.
7. Click a header in the table to sort by that variable. For example, to sort
by appliance name, click the Appliance Name header.
To search based on Subscription Status Criteria, perform the following steps:
1. From the first pull-down menu, select a subscription service.
2. From the second pull-down menu, select a subscription service status.
3. Optionally, enter a date (mm/dd/yyyy) in the expiring on or before field.
4. Click Search. A table of search results displays.
5. Click a header in the table to sort by that variable. For example, to sort
by appliance name, click the Appliance Name header.
To search based on Upgrade Status Criteria, perform the following steps:
1. From the first pull-down menu, select an upgrade.
2. From the second pull-down menu, select an upgrade status.
3. Click Search. A table of search results displays.
4. Click a header in the table to sort by that variable. For example, to sort
by appliance name, click the Appliance Name header.
Tip
You can print the search results by clicking on the “printer” icon in
the banner Search Results. You can also save the search results to
a PDF file by clicking on the PDF icon in the banner.
Creating License Sharing Groups
License Sharing allows you to share VPN Client or Anti-Virus Client licenses
among multiple SonicWALL appliances. As a result, you can save money by
purchasing licenses in quantity and not wasting licenses on SonicWALL
appliances that do not use them all.
License sharing assigns a License Sharing Group (LSG) to a SonicWALL
appliance and activates this feature. You can then add other SonicWALL
appliances to the LSG and assign them licenses from the pool of remaining
available licenses.
This section contains the following subsections:
• “Creating a License Sharing Group” on page 597.
• “Adding a SonicWALL Appliance to an Existing Group” on page 599.
Creating a License Sharing Group
To create a VPN Client Enterprise or Anti-Virus LSG, perform the following
steps:
1. In the left pane, select a SonicWALL appliance that has no GVC licenses.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > License Sharing.
The License Sharing page displays.
4. Select VPN Client Enterprise or Anti-Virus from the List of Services list
box.
5. Click Join a License Sharing Group. The Join a License Sharing Group
dialog box displays.
6. Select Create a new License Sharing Group With and, from the drop-down
menu, select the appliance that has the Enterprise GVC license.
7. Enter a name for the group in the And Name it field.
8. A pop-up with the member license count displays. Click OK. The scheduler
displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
Adding a SonicWALL Appliance to an Existing Group
To add a SonicWALL appliance to an existing VPN Client Enterprise or
Anti-Virus LSG, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL
appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > License Sharing.
The License Sharing page displays.
4. Select VPN Client Enterprise or Anti-Virus from the List of Services
drop-down menu.
5. Click Join a License Sharing Group. The Join a License Sharing Group
dialog box displays.
6. Select Join Existing License Sharing Group and select an LSG from the
list box.
7. Click Accept.
8. A pop-up with the member license count displays. Click OK. The scheduler
displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
Changing the License Count
To change the number of licenses that a SonicWALL appliance uses, perform
the following steps:
1. In the center pane, navigate to Register/Upgrades > License Sharing.
The License Sharing page displays.
2. Select VPN Client Enterprise or Anti-Virus from the List of Services
drop-down menu.
3. Enter a new license value and click Change License Count to.
4. To remove this SonicWALL appliance from the LSG, select Remove from
License Sharing Group.
Viewing the Properties of a License Sharing Group
To view the properties of an LSG, perform the following steps:
1. In the center pane, navigate to Register/Upgrades > License Sharing.
The License Sharing page displays.
2. Select VPN Client Enterprise or Anti-Virus from the List of Services
drop-down menu.
3. Click the name of the LSG to view. The License Sharing Group Properties
dialog box displays. This dialog box contains detailed information about
the total number of licenses, the expiration date of the license, the
number of licenses used by each member of the group, and other information.
4. To change the name of the LSG, enter a new name and click Accept.
Viewing Used Activation Codes
To view used activation codes, perform the following steps:
1. In the left pane, select a node, group or appliance.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Used Activation
Codes. The Used Activation Codes page displays a list of used activation
codes.
4. From the Select sort order drop-down menu, select Activation Code to
sort by activation code, or Service Name, Activation Code to sort first by
service name, then by activation code.
CHAPTER 31
Adding SSL-VPN Appliances to GMS
This chapter provides instructions on configuring SonicWALL SSL-VPNs for
management using SonicWALL GMS.
To be managed by GMS, SonicWALL SSL-VPN appliances must be running
the following firmware versions:
• SonicWALL SSL VPN 200—1.5.0.3 or later
• SonicWALL Aventail EX-Series SSL VPN—9.0.0 or later
To configure a SonicWALL SSL-VPN for SonicWALL GMS management,
perform the following tasks:
• “Preparing SSL VPN Appliances for GMS Management” section on page 603
• “Adding SSL-VPN Appliances in GMS” section on page 606
• “Managing SSL-VPN Appliance Settings” section on page 608
Preparing SSL VPN Appliances for GMS Management
This section describes the local configuration steps required on the individual
appliance before adding it to SonicWALL GMS management. See the
following subsections:
• Preparing SonicWALL SSL VPN Appliances, page 604
• Preparing SonicWALL Aventail EX-Series SSL VPN Appliances, page 605
Preparing SonicWALL SSL VPN Appliances
To prepare a SonicWALL SSL VPN appliance (non-Aventail) for GMS
management:
1. Log in to your SonicWALL SSL-VPN.
2. Navigate to System > Administration.
3. In GMS settings, select the Enable GMS Management check box.
4. Type the GMS host name or IP address of the GMS server in the GMS Host
Name or IP Address field.
5. Type the GMS syslog server port in the Syslog Server Port field. The
default port is 514.
6. Enter the heartbeat interval, in seconds, in the Heartbeat Interval
(seconds) field. The maximum heartbeat interval is 86400 (24 hours).
7. Click Apply.
Preparing SonicWALL Aventail EX-Series SSL VPN Appliances
There are specific requirements for preparing the SonicWALL Aventail
EX-Series SSL VPN appliance for GMS management:
• SonicWALL Aventail EX-Series SSL VPN appliances must be licensed before
you can enable GMS management in the Aventail Management Console.
• When enabling GMS on a SonicWALL Aventail appliance, select Enable single
sign-on for AMC configuration if you want direct access to the Aventail
Management Console from the SonicWALL GMS right-click menu. If this check
box is cleared, you can still open the AMC from the right-click menu, but
you must enter your appliance login credentials.
• The SonicWALL Aventail EX-Series SSL VPN appliance allows HTTPS access
only to its LAN port(s), and not to its WAN port(s). This means that when
SonicWALL GMS is deployed outside of the Aventail LAN subnet(s), management
traffic must be routed from GMS to a gateway that allows access into the
LAN network, and from there be routed to the Aventail LAN port.
To prepare a SonicWALL Aventail EX-Series SSL VPN appliance for GMS
management:
1. Log in to your SonicWALL Aventail EX-Series SSL VPN.
2. Click General Settings in the main Aventail Management Console (AMC)
navigation menu.
3. Click Edit in the Centralized management area.
4. Select the Enable GMS management check box, and then enter the host name
or IP address of the GMS console, and its port number.
5. In the Heartbeat interval text box, set the interval (in seconds) at which
the appliance indicates its readiness to send a report on
authentication-related events, in addition to status information. An
interval of 60 seconds is typical.
6. Select Enable single sign-on for AMC configuration if you want to be able
to open the Aventail Management Console and make changes to its
configuration from within GMS. If this setting is cleared, you can still
open AMC, but you must first enter your AMC login credentials; this is less
convenient, but more secure.
7. Select Send only heartbeat status messages if you want to only manage the
appliance and not create reports for the appliance.
For more information about preparing SonicWALL Aventail appliances for
GMS management, see the SonicWALL GMS Aventail EX-Series Appliance
Management feature module and the SonicWALL / Aventail EX-Series 9.0.0
Installation and Administration Guide on the SonicWALL Support Web site:
http://www.sonicwall.com/us/Support.html
Adding SSL-VPN Appliances in GMS
To add your appliance to GMS, perform the following tasks:
1. Log in to GMS.
2. Click the SSL-VPNs tab.
3. In the left-most pane, right-click and select Add Unit. The Add Unit
popup displays.
4. Enter a descriptive name for the SonicWALL appliance in the Unit Name
field.
5. Enter the serial number of the SonicWALL appliance in the Serial Number
field. On SonicWALL Aventail appliances, the serial number is found on a
sticker on the back of the appliance. Enter it without hyphens into the
field.
6. For the Managed Address, choose whether to Determine automatically or
Specify manually. Most SMB SSL VPN deployments will be able to determine
the address automatically.
7. For Aventail deployments, choose Specify manually and check the Aventail
SSL-VPN appliance option.
8. Enter the administrator login name for the SonicWALL appliance in the
Login Name field. For SonicWALL Aventail SSL VPN appliances, the login
name is pre-configured as “GMS” and cannot be changed.
9. Enter the password used to access the SonicWALL appliance in the Password
field.
10. The radio button next to Using HTTPS is automatically selected for
SSL-VPN deployments.
11. For SonicWALL Aventail SSL VPN appliances, enter 8443 in the HTTPS Port
field. Other SonicWALL SSL VPN appliances use port 443.
12. Click OK. It may take up to a minute for the data to load; a Please Wait
pop-up displays.
The SonicWALL SSL-VPN displays in the left pane of the SonicWALL GMS
interface as a yellow icon, which means the unit has not been acquired by
SonicWALL GMS. After the appliance has been acquired, the icon will either
turn red, indicating that the appliance status is down, or blue, indicating that
the appliance status is up. For detailed appliance icon descriptions, see
“Understanding SonicWALL GMS Icons” on page 25.
It may take up to five minutes for the SonicWALL GMS to establish an HTTPS
connection and acquire the SonicWALL appliance for management.
Managing SSL-VPN Appliance Settings
After a SonicWALL SSL-VPN appliance has been added to GMS, it can be
modified or deleted. This section contains the following subsections:
• “Modifying an SSL-VPN Appliance” on page 608
• “Deleting an SSL-VPN Appliance” on page 609
Modifying an SSL-VPN Appliance
1. Click the SSL-VPNs tab.
2. In the left pane, right-click the SSL-VPN appliance you want to modify and
select one of the following options.

Option             Description
Rename Unit        Allows you to rename the unit.
Modify Unit        Allows you to change the appliance settings, including
                   the unit display name, and appliance login name and
                   password.
Add to Net Monitor Allows you to add the appliance to Net Monitor for
                   real-time monitoring.
Import XML         Allows you to import XML settings.
Login to Unit      Allows you to select HTTP or HTTPS management to directly
                   access the appliance. Single sign-on must be enabled for
                   a SonicWALL Aventail appliance to allow direct access to
                   the Aventail Management Console from the SonicWALL GMS
                   right-click menu. Otherwise you will be prompted to enter
                   your Aventail appliance login credentials.
Modify Properties  Allows you to modify the properties of the appliance,
                   including company, country and department names.
Deleting an SSL-VPN Appliance
1. Click the SSL-VPNs tab.
2. In the left pane, right-click the SSL-VPN appliance you want to delete and
select Delete.
3. An alert will appear to verify the appliance deletion. Click Yes.
Note
It may take several seconds for the appliance to be deleted.
CHAPTER 32
Using General SSL-VPN Status and Tools
This chapter provides instructions for modifying the general status and tools
for SonicWALL SSL-VPNs. To modify the general status and tools of an
SSL-VPN appliance using GMS, click the SSL-VPNs tab at the top of the
screen, then select the Policies tab. In the center pane, select General.
You will see the options Status, Tools and Info. This section contains the
following subsections:
• “SSL-VPN Status” section on page 612
• “SSL-VPN Tools” section on page 614
• “SSL-VPN Info” section on page 616
SSL-VPN Status
The General > Status section provides the current status of the SSL-VPN
appliance and allows for an instant update of appliance information using the
Fetch Information button.
The General > Status section provides the following appliance information:
Table 11  General > Status Information

SSL-VPN Status Item            Description
SSL-VPN Model                  The SSL-VPN model number.
Serial                         The SSL-VPN serial number.
Firmware Version               The SSL-VPN firmware version information.
CPU                            The SSL-VPN CPU information.
Number of LAN IPs allowed      The number of LAN IPs allowed by the SSL-VPN.
SSL-VPN Status                 The current status of the SSL-VPN appliance,
                               either Up, Down or Unacquired.
Unit added to SonicWALL GMS on The date and time the SSL-VPN appliance was
                               added to GMS.
Management Mode                The management mode used to access the
                               SSL-VPN, either HTTP or HTTPS. Includes the IP
                               address and port of the SSL-VPN.
Primary Agent                  The IP address of the primary agent.
Tasks Pending                  The number of tasks pending for the SSL-VPN.
SSL-VPN Information            The up time since last reboot in days, hours,
                               minutes, seconds.
Using Fetch Information
To update the General > Status section using the Fetch Information button,
perform the following tasks:
1. Click Fetch Information. The update scheduler displays.
2. Expand Schedule by clicking the plus button.
3. Select the Immediate radio button. Alternatively, you can select the At
button and specify a date and time for SonicWALL GMS to perform the
update.
4. Click Accept. It may take several seconds for GMS to fetch the appliance
information. The latest status will be displayed under General > Status.
SSL-VPN Tools
The General > Tools section provides the following options: Restart
Appliance, Synchronize Now, Synchronize the Appliance with
mysonicwall.com.
Note
The Restart Appliance option is not available for SonicWALL
Aventail SSL VPN appliances.
Restarting SSL-VPN
To restart the SSL-VPN appliance, perform the following tasks:
1. Click the Restart Appliance button. A confirmation pop-up displays.
2. Use the Scheduler to specify a date and time for SonicWALL GMS to
perform the update.
It may take several minutes for the SSL-VPN to restart.
Synchronize Now
If a change is made to a SonicWALL appliance through any means other than
through SonicWALL GMS, GMS is notified of the change through the syslog
data stream. After the syslog notification is received, SonicWALL GMS
schedules a task to synchronize its database with the local change.
Auto-synchronization automatically occurs whenever SonicWALL GMS
receives a local change notification status syslog message from a SonicWALL
appliance.
You can also force synchronization at any time for a SonicWALL appliance or
a group of SonicWALL appliances.
To synchronize the SSL-VPN appliance, perform the following tasks:
1. Click the Synchronize Now button. A confirmation pop-up displays.
2. Click OK.
3. Use the Scheduler to specify a date and time for SonicWALL GMS to
perform the update.
It may take several seconds for SSL-VPN to synchronize.
Synchronizing with mysonicwall.com
SonicWALL appliances check their licenses and subscriptions with
mysonicwall.com once every 24 hours. Using the Synchronize the
Appliance with mySonicWALL.com button, you can force the SonicWALL
SSL VPN appliance to synchronize this information with mysonicwall.com
immediately.
To synchronize the SSL-VPN appliance with mysonicwall.com, perform the
following tasks:
1. Click the Synchronize the Appliance with mysonicwall.com button. A
confirmation pop-up displays.
2. Click OK. The update scheduler displays.
3. Use the Scheduler to specify a date and time for SonicWALL GMS to
perform the update.
It may take several seconds for the SSL-VPN to synchronize with
mysonicwall.com.
SSL-VPN Info
The General > Info section provides the ability to update the contact
information for the SSL-VPN appliance.
Updating SSL-VPN Appliance Information
To update the SSL-VPN appliance information, perform the following steps:
1. Navigate to General > Info.
2. Enter the appropriate information for each field.
3. Click Update to update the information, or Reset to clear the form and
start over.
CHAPTER 33
Registering, Upgrading, and Logging in to SonicWALL SSL-VPN Appliances
This chapter describes how to register SonicWALL SSL-VPN appliances using
GMS. Register SSL-VPNs is an option in the Policies tab that registers your
SSL-VPNs using the account information you provided when you registered
your GMS. This chapter contains the following subsections:
• “Registering SonicWALL SSL-VPN Appliances” on page 617
• “Upgrading SonicWALL SSL-VPN Firmware” on page 619
• “Logging in to SSL-VPN using SonicWALL GMS” on page 620
Registering SonicWALL SSL-VPN Appliances
Note
Registering SonicWALL Aventail SSL VPN appliances from GMS is
not supported.
To register a SonicWALL SSL-VPN using GMS, perform the following tasks:
1. In the left pane, right-click the SSL-VPN you want to register and then
select Login to Unit to open its management interface.
2. In the SSL-VPN management interface, the System > Status page will be
displayed. Record your Serial Number and Authentication Code from the
Licenses and Registration box.
3. In the GMS management interface, navigate to the Policies panel. In the
center pane, select Register/Upgrades > Register SSL-VPNs.
4. In the right pane, click the Register button. The update scheduler
displays.
5. Expand Schedule by clicking the plus button.
6. Select the Immediate radio button. Alternatively, you can select the At
button and specify a date and time for SonicWALL GMS to perform the
update.
7. Click Accept.
You will receive a confirmation in the right pane when the registration
succeeds.
Note
If you receive an error message, navigate to the Console tab, then to
Log > View Log. A detailed error message will be displayed.
Upgrading SonicWALL SSL-VPN Firmware
The SonicWALL SSL-VPN appliance must be registered before the firmware
can be upgraded. For information about registering your SSL-VPN appliance,
refer to “Registering SonicWALL SSL-VPN Appliances” section on page 617.
Note
Upgrading SonicWALL Aventail SSL VPN appliances from GMS is
not supported.
To upgrade the firmware of a SonicWALL SSL-VPN appliance using GMS,
perform the following tasks:
1. In the left pane, select the SSL-VPN you want to upgrade.
2. In the center pane, navigate to Register/Upgrades > Firmware Upgrade.
The current SSL-VPN appliance firmware is displayed under Current Status.
3. To upgrade the SSL-VPN appliance firmware using a file on the GMS server,
click Upgrade firmware using files on the GMS Server.
4. To upgrade the SSL-VPN appliance firmware using a local file, enter the
path and file name of the firmware file in the field next to Upgrade
firmware from local file, or click Browse to locate the firmware file.
Click Upgrade firmware from local file.
5. A message displays indicating that an appliance restart is necessary to
complete the firmware upgrade. Click OK to continue.
6. The license agreement message displays. Read the message and click OK to
agree and download the firmware, or click Cancel to disagree and cancel the
firmware upgrade.
Logging in to SSL-VPN using SonicWALL GMS
To log in to the SonicWALL SSL-VPN using SonicWALL GMS, make sure that
pop-ups are enabled on your Web browser and use the procedure in this
section.
SonicWALL Aventail SSL VPN appliances allow direct GMS login when
Enable single sign-on for AMC configuration is selected when enabling
GMS management. If SSO is not enabled, you can still open the Aventail
Management Console from the right-click GMS menu, but you must then enter
your appliance login credentials.
1.
Log in to SonicWALL GMS.
2.
Click the SSL-VPNs tab:
3.
In the left pane, click the SSL-VPN that you want to manage.
4.
If you see a security certificate warning, verify that the certificate is the one presented by the SSL-VPN appliance itself (a self-signed appliance certificate produces this warning) before you click Yes to continue.
5.
The SSL-VPN management interface opens in a new browser window.
This may take several seconds.
You can now manage the SonicWALL SSL-VPN directly from the
management interface.
For detailed instructions about configuration tasks using the SonicWALL
SSL-VPN management interface, refer to the SonicWALL SSL-VPN
Administrator’s Guide, available at
http://www.sonicwall.com/us/Support.html.
CHAPTER 34
CDP / Email Security Appliance Management
This chapter describes how to implement and manage single or multiple
deployments of SonicWALL CDP and Email Security appliances through
GMS. It includes an introduction to the Multi-Solution appliance
management feature and instructions for using the appliance configuration
tools in SonicWALL GMS.
This chapter contains the following sections:
•
“Adding a CDP/ES Appliance to GMS” section on page 624
•
“Managing CDP/ES General Settings” section on page 626
•
“Registering CDP/ES Appliances” section on page 632
•
“Configuring Alerts” section on page 634
•
“Templates” section on page 637
•
“Accessing the CDP/ES Management Interface” section on page 640
•
“Using Multi-Solution Management” section on page 640
Adding a CDP/ES Appliance to GMS
SonicWALL CDP appliances must be running firmware version 2.3 or later,
while SonicWALL Email Security appliances must be running firmware version
7.2 or later to be managed using SonicWALL GMS. To configure a SonicWALL
CDP/ES for SonicWALL GMS management, perform the following tasks:
•
“Preparing the Appliance” on page 624
•
“Adding the Appliance to GMS” on page 625
•
“Registering CDP/ES Appliances” on page 632
Preparing the Appliance
1.
Log in to your SonicWALL CDP or Email Security appliance.
2.
Navigate to System > Administration.
3.
In GMS settings, select the Enable GMS Management check box.
4.
Type the GMS host name or IP address of the GMS server in the GMS
Host Name or IP Address field.
5.
Type the GMS syslog server port in the Syslog Server Port field. The
default port is 514.
6.
Enter the heartbeat interval, in seconds, in the Heartbeat Interval
(seconds) field. The maximum heartbeat interval is 86400 (24 hours).
7.
Click Submit.
Adding the Appliance to GMS
To add your appliance to GMS, perform the following tasks:
1.
Log in to GMS.
2.
Click the CDP appliance tab to add a CDP appliance to GMS, or click the
ES appliance tab to add an Email Security appliance to GMS.
3.
In the left-most pane, right-click and select Add Unit. The Add Unit popup
displays.
4.
Enter a descriptive name for the SonicWALL appliance in the Unit Name
field.
5.
Enter the appliance administrator login name in the Login Name field.
6.
Enter the appliance administrator password in the Password field.
7.
Enter the appliance serial number in the Serial Number field. The serial
number can be found in the appliance management interface under
General > Status.
8.
Leave the management mode at its default, Using HTTPS.
9.
Click OK. It may take up to a minute for the data to load.
The SonicWALL appliance is displayed in the left pane of the
SonicWALL GMS interface as a yellow icon, which means the unit has not
been acquired by SonicWALL GMS. After the appliance has been acquired,
the icon will either turn red, indicating that the appliance status is down, or
blue, indicating that the appliance status is up. For detailed appliance icon
descriptions, see “Understanding SonicWALL GMS Icons” on page 25.
It may take up to five minutes for the SonicWALL GMS to establish an HTTPS
connection and acquire the SonicWALL appliance for management.
Your CDP/ES is now ready for management using SonicWALL GMS.
Managing CDP/ES General Settings
After a SonicWALL CDP/ES appliance has been added to GMS, it can be
managed through the CDP/ES Policies panel.
This section contains the following subsections:
•
“Viewing and Managing CDP/ES Status” section on page 627
•
“CDP/ES Appliance Tools for Synchronization” section on page 630
•
“Registering CDP/ES Appliances” section on page 632
•
“Modifying a CDP/ES Appliance” section on page 633
Viewing and Managing CDP/ES Status
The General > Status window displays both general deployment status and
individual appliance status for Email Security and CDP appliances.
Views available in the Status screen are:
•
“Global CDP/ES Status” section on page 627
•
“Individual CDP/ES Appliance Status” section on page 628
Global CDP/ES Status
The Global status window displays information about all CDP or Email
Security devices in the current GMS deployment.
For CDP appliances, a Fetch Information option is available at both the
global and the appliance level. In the global view, this feature acquires
information for all available CDP appliances; the results, however, are only
displayed when an individual appliance is selected.
Individual CDP/ES Appliance Status
The individual appliance status window displays information about the
currently selected CDP or Email Security appliance.
Note
For CDP appliances, click the Fetch Information button for an
updated view. This feature is also available on a global level.
General Appliance Status Information
The General > Status screen provides the following appliance information:
Model: The CDP/ES model number.
Serial Number: The CDP/ES serial number.
Firmware Version: The CDP/ES firmware version number.
CPU: The CDP/ES CPU information.
Number of LAN IPs allowed: The number of LAN IPs allowed by the CDP/ES.
Status: The current status of the CDP/ES appliance, either Up, Down or unacquired.
Unit added to SonicWALL GMS on: The date and time the CDP/ES appliance was added to GMS.
Management Mode: The management mode used to access the CDP/ES, either HTTP or HTTPS; includes the IP address and port of the CDP/ES.
Primary Agent: The IP address of the primary agent (server, laptop, or PC intended to be backed up on the SonicWALL CDP/ES appliance).
Standby Agent: The IP address of the secondary agent used in case of failure.
Tasks Pending: The number of tasks pending for the CDP/ES.
Last Log Entry: The scheduled task to be executed.
CDP/ES Information: The up time since last reboot in days, hours, minutes, seconds.
CDP Appliance Information
The CDP Information section of the General > Status screen provides
additional information about the selected CDP appliance.
CDP/ES Appliance Tools for Synchronization
The General > Tools section provides the following options to synchronize
both the static and dynamic information:
•
“Synchronize Now” section on page 630
•
“Synchronizing with mySonicWALL.com” section on page 630
Synchronize Now
If a change is made to a SonicWALL appliance through any means other than
through SonicWALL GMS, GMS is notified of the change through the syslog
data stream. After the syslog notification is received, SonicWALL GMS
schedules a task to synchronize its database with the local change.
Auto-synchronization automatically occurs whenever SonicWALL GMS
receives a local change notification status syslog message from a SonicWALL
appliance.
You can also force synchronization at any time for a SonicWALL appliance or
a group of SonicWALL appliances.
To synchronize the appliance, perform the following tasks:
1.
In the General > Tools screen, click Synchronize Now.
2.
A confirmation pop-up displays. Click OK.
3.
Use the scheduler to update immediately, or select a date in the future.
4.
Click the Accept button.
It may take several seconds for the appliance to synchronize.
Synchronizing with mySonicWALL.com
SonicWALL appliances check their licenses and subscriptions with
mysonicwall.com once every 24 hours. Using the Synchronize the
Appliance with mySonicWALL.com button, you can force the SonicWALL
CDP or ES appliance to synchronize this information with mysonicwall.com
immediately.
To synchronize the appliance with mySonicWALL.com, perform the following
tasks:
1.
On the General > Tools page, click the Synchronize the Appliance with
mySonicWALL.com button.
2.
A confirmation pop-up displays. Click OK.
3.
Use the scheduler to update immediately, or select a date in the future.
4.
Click Accept.
It may take several seconds for the SonicWALL appliance to synchronize with
mySonicWALL.com.
Editing CDP/ES Appliance Contact Information
The General > Info screen allows you to edit CDP or Email Security appliance
information on a global or unit level.
Registering CDP/ES Appliances
To register a CDP or ES appliance, you must perform tasks on GMS and on
the CDP or ES appliance through its local user interface. See the following
sections:
•
“Registration Tasks on GMS” section on page 632
•
“Registration Tasks on the CDP/ES Appliance” section on page 633
•
“Modifying a CDP/ES Appliance” section on page 633
•
“Deleting a CDP/ES Appliance” section on page 634
Registration Tasks on GMS
When you add an appliance, GMS creates a task to register it. You can see
the scheduled Appliance Registration task in the Console > Tasks >
Scheduled Task screen.
Note
When a unit is added to GMS, once it is acquired successfully by
GMS, it is automatically registered by GMS. However, CDP or ES
appliances cannot be used until you complete the registration tasks
on the local CDP/ES appliance.
You can also register appliances manually in GMS. To register a CDP/ES
appliance:
1.
In the left pane of the CDP or ES tab, select the appliance.
2.
Click the Policies tab.
3.
In the center pane, navigate to Register/Upgrades > Register CDPs /
Register ESAs.
4.
Click Register. The scheduler displays.
5.
Use the scheduler to update immediately, or select a date in the future.
Note
When registering a CDP appliance, you will need to specify the
offsite backup location, either Europe or North America.
6.
Click Accept. It may take several seconds for GMS to contact SonicWALL
to register the CDP/ES appliance.
Registration Tasks on the CDP/ES Appliance
After the GMS task has been executed, it disappears from the table of
scheduled tasks in the Console > Tasks > Scheduled Tasks screen. You can
now perform the local registration tasks on the CDP/ES appliance. For more
information on CDP registration, see the SonicWALL CDP Getting Started
Guide for your CDP appliance. For more information on Email Security
appliance registration, see the SonicWALL Email Security Getting Started
Guide for your Email Security appliance.
Modifying a CDP/ES Appliance
1.
Click the CDP or ES tab.
2.
In the left pane, right-click the CDP/ES appliance you want to modify and
select one of the following options:
Rename Unit: Allows you to rename the unit.
Modify Unit: Allows you to change the appliance settings, including the unit display name, and the appliance login name and password.
Delete: Allows you to delete the unit.
Add to Net Monitor: Allows you to add the appliance to Net Monitor for real-time monitoring.
Import XML: Allows you to import XML settings.
Modify Properties: Allows you to modify the description of the appliance, including company, country and department names.
Deleting a CDP/ES Appliance
1.
Click the CDP or ES tab.
2.
In the left pane, right-click the CDP/ES appliance you want to delete and
select Delete.
3.
An alert will display to verify the appliance deletion. Click Yes.
Note
It may take several seconds for the appliance to be deleted.
To access the GMS Policies panel for CDP management, click the CDP icon
at the top of the screen, then select the Policies tab. To access the GMS
Policies panel for Email Security management, click the ES icon at the top of
the screen, then select the Policies tab. The following sections describe the
CDP and ES management options available on the Policies panel.
Configuring Alerts
The Events > Alerts screen allows you to add, edit, or delete a Unit Status
alert for managed CDP/ES appliances.
See the following sections:
•
“Adding Alerts” on page 635
•
“Enabling/Disabling Alerts” on page 635
•
“Deleting Alerts” on page 636
•
“Editing Alerts” on page 636
•
“Current Alerts” on page 637
Adding Alerts
To add or edit an alert:
1.
Select a CDP or ES appliance in the left pane, click the Policies tab, and
click on Events > Alert Settings.
2.
Click the Add Alert link. The Add Alert screen displays. Enter the name and
description, and click Update.
Enabling/Disabling Alerts
To enable/disable an alert:
1.
Select the checkbox of the alert you wish to enable or disable.
2.
Click the Enable/Disable Alert(s) link. A confirmation window will display.
Click OK to enable/disable.
Deleting Alerts
To delete an alert:
1.
In the Events > Alerts Settings screen, select the checkbox of the Alert
you wish to delete.
2.
Click the Delete Alert link. A confirmation window will display.
3.
Click OK to delete.
Note
You can also delete an alert by clicking the Delete icon under the
Configure section of the alert you wish to delete.
Editing Alerts
To edit an alert:
1.
Click the Configure icon of the alert you wish to edit.
2.
The Edit Alert page will display. When you finish making edits to this alert,
click Update.
Current Alerts
To check the status of current alerts for your CDP or Email Security appliance,
follow the procedures listed:
1.
Click on the appliance you wish to check the alerts for.
2.
From the Policies tab, navigate to the Events > Current Alerts page. All
active alerts for this appliance will be listed under Alert Listing.
Templates
A Template is simply a collection of Recordings from one or more appliances
of the same type. A Template belongs to a user of a particular domain, and
remains visible only in that domain. That is, Templates from one domain are
not visible in another domain. A user only has access to his or her own
Templates (editing, deleting, or moving Templates).
It is recommended that a Template contain Recordings whose data does not
conflict with the data in another Recording, because when the Template is
applied a later Recording overwrites settings that an earlier Recording
already applied. For example, a Template should not contain a Recording that
sets the time zone to IST followed by a Recording that sets the time zone to
PST, unless that is intentional.
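The conflict the paragraph above warns about can be caught before a Template is applied. The following Python is an added example and is not part of the GMS product or of this guide: GMS does not publish its Recording format, so a Recording is modelled as an ordered list of (setting, value) pairs, and the setting names (time_zone, ntp_server, junk_box_retention_days, junk_box_rows_per_page) are assumptions based on the page's own examples of a time zone change and the Junk Box settings. The code reports settings written by more than one Recording, shows which value would win, refuses Recordings of the wrong appliance type, and applies the page's rule that a user sees only his or her own Templates within one domain.

```python
"""Conflict and scope checks for GMS Templates built from Recordings.

Added example, not SonicWALL code. A Template is modelled as an ordered
collection of Recordings owned by one user in one domain; a Recording is an
ordered list of (setting, value) pairs. Setting names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Recording:
    name: str
    appliance_type: str   # "CDP" or "ES": a Recording applies only to its own type
    changes: list         # ordered (setting, value) pairs, in the order they were recorded


@dataclass
class Template:
    name: str
    owner: str
    domain: str
    recordings: list = field(default_factory=list)


def find_conflicts(template):
    """Settings written by more than one Recording with differing values.

    Returns {setting: [(recording_name, value), ...]} in application order,
    so the last tuple is the value that would actually land on the appliance."""
    writes = {}
    for rec in template.recordings:
        final = dict(rec.changes)            # last write inside one Recording wins
        for setting, value in final.items():
            writes.setdefault(setting, []).append((rec.name, value))
    return {s: w for s, w in writes.items() if len({v for _, v in w}) > 1}


def effective_settings(template):
    """What the appliance ends up with: later Recordings overwrite earlier ones."""
    effective = {}
    for rec in template.recordings:
        effective.update(rec.changes)
    return effective


def incompatible_recordings(template, target_type):
    """Recordings that cannot be applied to an appliance of target_type."""
    return [r.name for r in template.recordings if r.appliance_type != target_type]


def visible_templates(templates, user, domain):
    """Templates a user may see: own Templates only, and only within the user's domain."""
    return [t.name for t in templates if t.owner == user and t.domain == domain]


def preflight(template, target_type, intended_overwrites=()):
    """Refuse to apply when a Recording does not fit the target type or when a
    conflict exists that the operator has not declared as intentional."""
    problems = ["%s is not a %s recording" % (n, target_type)
                for n in incompatible_recordings(template, target_type)]
    for setting, writes in find_conflicts(template).items():
        if setting not in intended_overwrites:
            chain = " -> ".join("%s=%s" % (n, v) for n, v in writes)
            problems.append("%s written more than once: %s" % (setting, chain))
    return problems


# Constructed sample data mirroring the page's examples (not real GMS data).
TZ_IST = Recording("set-tz-ist", "CDP", [("time_zone", "IST"), ("ntp_server", "192.0.2.10")])
TZ_PST = Recording("set-tz-pst", "CDP", [("time_zone", "PST")])
JUNKBOX = Recording("junkbox-60-days", "ES",
                    [("junk_box_retention_days", 60), ("junk_box_rows_per_page", 400)])

ASIA_CDP = Template("asia-cdp", owner="alice", domain="corp", recordings=[TZ_IST, TZ_PST])
MAIL_ES = Template("mail-es", owner="bob", domain="lab", recordings=[JUNKBOX])
MIXED = Template("mixed", owner="alice", domain="corp", recordings=[TZ_IST, JUNKBOX])


if __name__ == "__main__":
    print(preflight(ASIA_CDP, "CDP"))   # flags the IST -> PST overwrite
    print(preflight(MIXED, "CDP"))      # flags the ES recording in a CDP template
```

Run the file directly to see both refusals; pass `intended_overwrites={"time_zone"}` to `preflight` when the second time zone write is deliberate, which is the "unless intended" case the guide describes.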
Template Management Screen
The Template Management Screen includes the following sections:
•
“Add Recording” on page 637
•
“Edit Recording” on page 638
•
“Add/Edit Template” on page 638
•
“Move Recording” on page 639
•
“Delete Template(s)/Recording(s)” on page 639
•
“Applying a Template or a Recording” on page 640
Add Recording
This is used to save a freshly created recording. This screen appears when
the Recording is stopped. This new recording can be directly added to one of
the existing Templates or to the default Template.
Edit Recording
This is used to edit an existing recording.
Add/Edit Template
This is used to create a new Template or to edit an existing Template.
Move Recording
This dialog screen is used to move one or more recordings from one Template
to another.
Delete Template(s)/Recording(s)
This is used to confirm the deletion of Template(s) and recording(s).
Applying a Template or a Recording
Follow the procedures listed below to apply a Template or a Recording to an
appliance or a group of appliances:
1.
Click on the Unit/Group Node from the Tree Control that you wish to apply
a Template or a Recording for. Based on the Node selected on the Tree
Control, the Templates screen will list only those Templates/Recordings
that can be applied to the currently selected node.
2.
Select the checkbox next to the Template you wish to apply. Specify a
Schedule for the Template/Recording to be applied. Note that once
applied, a task will be created. To view the newly created task, click on the
Console tab, and navigate to Tasks>Scheduled Tasks.
3.
To verify that the task executed successfully, navigate to Log>View Log. You
can also return to the User Interface screen of the appliance to which you
applied the Template and verify that the changes took effect.
Accessing the CDP/ES Management Interface
You can access the CDP or Email Security management interface from
SonicWALL GMS. This section provides a brief introduction to the CDP and
ES management interface. For detailed configuration tasks available on the
CDP or ES management interface, refer to either appliance’s respective
SonicWALL Administrator’s Guide.
Using Multi-Solution Management
SonicWALL GMS is used primarily to manage SonicWALL UTM appliances, and
for those appliances the majority of the appliance web user interface is
duplicated and implemented in GMS. This gives the user a common experience
whether working in GMS or in the appliance interface. Whenever functions or
screens are added, modified, or deleted in the appliance user interface, the
same changes must be implemented in the GMS interface. Over time, SonicWALL
has extended GMS management to other SonicWALL appliances, such as CDP and
Email Security.
This expansion of GMS management to other SonicWALL appliances led to a
generic solution in which GMS can manage all of these appliances and can
support new appliance types in the future. The Multi-Solution Management
feature in GMS provides the capability to manage all these appliance types
through their web user interface over HTTP and HTTPS. Another advantage of
the Multi-Solution Management enhancement is that GMS core management
functions, such as creating tasks to post policies and scheduling tasks at
the Unit Node and Group Node levels, are also available through it. The
Multi-Solution Management feature provides the next generation of
management capability in GMS.
The Multi-Solution Management includes the following sections:
•
“Logging into the CDP/ES Management Interface” on page 641
•
“Configuring Multi-Solution Management” on page 642
•
“Recording” on page 644
•
“Configuring Heartbeat using Email Security CLI” on page 648
Logging into the CDP/ES Management Interface
To log in to a SonicWALL CDP/ES appliance using SonicWALL GMS, ensure
that pop-ups are enabled on your Web browser, and perform the following
tasks:
1.
Log in to SonicWALL GMS.
2.
Click the CDP or ES panel.
3.
In the left pane, click the CDP or ES appliance that you want to manage.
4.
To open the CDP/ES management interface, click Management > User
Interface. You will be directed to the User Interface of this appliance. To
return to the Policies tab, click the Status Page button.
Note
You may see a security certificate warning. Verify that the certificate
is the appliance's own before you click Yes to continue.
You can now manage the SonicWALL CDP/ES directly from the management
interface. For detailed instructions about configuration tasks using the
SonicWALL CDP management interface, refer to the SonicWALL CDP
Administrator’s Guide. For detailed instructions about configuration tasks
using the SonicWALL Email Security management interface, refer to the
SonicWALL Email Security Administrator’s Guide.
Configuring Multi-Solution Management
Navigate to the Host Role Configuration page and configure the MSM Server
Protocol and MSM Server Port settings.
Note
If you choose HTTPS, the server uses the same SSL keystore or
certificate that is used by the Tomcat web server.
The Management Screen Group page is one of the latest supported screens
for this new feature.
From this screen, you can navigate to the Template screen or the User
Interface screen. Note that the User Interface screen is only available at the
Unit Node level.
The Templates screen displays all the applicable Templates for the selected
Unit/Group Node on the Tree Control.
Management Processes Unchanged
The following management processes are still available with Multi-Solution
Management:
•
Adding a Unit into GMS
•
The Unit “Acquire” process
•
Unit Status monitoring through Heartbeat syslogs
•
Task creation and scheduling
•
Execution of Task(s) by the Scheduler service
•
All other core management processes
Recording
The Recording option provides an easier way to apply configurations for one
appliance to another similar appliance. You have the option of saving the
Recording into the Default Template or into a new Template. The data
recorded between one Start Recording and Stop Recording action is called
a Recording.
Note
A Recording can only be applied to a compatible appliance. For
example, a Recording for the CDP 5.0 appliance can be applied to
other CDP appliances, but a Recording for the Email Security
appliance cannot be applied to a CDP appliance.
To successfully create and save a Recording, follow the procedures listed
below:
Step 1
Click on the User Interface screen of the Unit Node (appliance) on
which you want to make the changes and record on.
Step 2
Navigate to the screen in which you wish to make changes. In this
example, we wish to modify General Settings on the Default Message
Management screen.
Step 3
Next, start the recording by clicking on the Start Recording button on
the Recording Controls Panel. Once you see the “Recording in
progress” notification at the top, you can start modifying the settings.
In this example, the “Number of days to store in Junk Box before
deleting” changes to 60 days, and the “Number of Junk Box messages
to display per page” changes to 400 rows.
Step 4
When finished making changes, click the Apply Changes button. A
screen will appear notifying you that the changes were successfully
applied.
Step 5
More changes can be recorded similarly. Once you have finished
making the necessary changes, stop the Recording by clicking the Stop
Recording button on the Recording Controls Panel. A dialog box will
display asking if you wish to save the Recording. Click OK.
Step 6
Next, the Add Recording dialog box will display. Type in Name and a
brief Description of the Recording that will be useful in identifying the
Recording at a later time. Indicate if this Recording should be saved
into the Default Template or into a New Template. Click Update when
you are finished.
Step 7
The Templates screen will display, notifying you that the changes to the
Recording were successfully saved.
Configuring Heartbeat using Email Security CLI
Configuring a heartbeat with GMS is exclusively available on the Email
Security Command Line Interface (CLI). Follow the steps below to configure a
Heartbeat with GMS using the Email Security CLI.
Step 1
Log in to the SNWLCLI as admin.
Step 2
Enter the command gms. The current EMS settings for the GMS heartbeat
are displayed.
Step 3
Next, set the EMS appliance heartbeat. In this example, the heartbeat
interval is 60 seconds.
Step 4
Enter the destination IP address of your GMS server. In this example,
the destination IP address is 10.195.11.38.
Note
It is not mandatory to send heartbeat messages to a GMS
management server, but it does provide GMS with more data during
Multi-Solution Management.
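Both "Preparing the Appliance" earlier in this chapter (the GMS syslog port, default 514, and a heartbeat interval of at most 86400 seconds) and the CLI steps above (a 60-second heartbeat to the GMS server) feed the same mechanism: GMS monitors Unit Status through heartbeat syslogs, and the unit shows as unacquired, up or down. The Python below is an added example, not SonicWALL code or anything from this guide. The text of a GMS heartbeat message is not documented on this page, so the "heartbeat sn=<serial>" field, the 12-character serials and the sample lines are constructed assumptions in generic BSD syslog shape; the up/down rule (down after three missed intervals) is likewise an assumption. One caveat a practitioner should keep in mind: syslog over UDP carries no sender authentication, so the example only tracks serials that were explicitly added to GMS and never creates or revives a unit from an unexpected heartbeat.

```python
"""Unit status from heartbeat syslogs, modelled on the GMS behaviour on this page.

Added example, not SonicWALL code. Facts taken from the page: default syslog
port 514, heartbeat interval of at most 86400 seconds, unit states
unacquired/up/down. Assumptions: the heartbeat line format, the serial
format, and the "three missed intervals means down" rule.
"""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_SYSLOG_PORT = 514       # page: default GMS syslog server port
MAX_HEARTBEAT_SECONDS = 86400   # page: maximum heartbeat interval (24 hours)

# Assumed line shape: "<PRI>YYYY-MM-DDTHH:MM:SS+00:00 host tag: heartbeat sn=SERIAL"
HEARTBEAT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) \S+: heartbeat sn=(?P<sn>[0-9A-Fa-f]{12})$"
)


def validate_interval(seconds):
    """Reject heartbeat intervals outside 1..86400, the range the page allows."""
    if not isinstance(seconds, int) or not 1 <= seconds <= MAX_HEARTBEAT_SECONDS:
        raise ValueError("heartbeat interval must be 1..%d seconds" % MAX_HEARTBEAT_SECONDS)
    return seconds


def parse_heartbeat(line):
    """Return (serial, timestamp) for a heartbeat line, None for any other syslog line."""
    m = HEARTBEAT_RE.match(line.strip())
    if m is None:
        return None
    return m.group("sn").upper(), datetime.fromisoformat(m.group("ts"))


def unit_status(last_seen, now, interval_s, missed_allowed=3):
    """Classify one unit: 'unacquired' if never heard from, 'down' once more than
    missed_allowed heartbeat intervals have passed since the last one, else 'up'."""
    if last_seen is None:
        return "unacquired"
    grace = timedelta(seconds=validate_interval(interval_s) * missed_allowed)
    return "down" if now - last_seen > grace else "up"


def status_table(lines, managed_serials, now, interval_s):
    """Fold a syslog stream into {serial: status} for the units added to GMS.

    Heartbeats for serials that were never added are dropped rather than
    auto-registered: UDP syslog carries no sender authentication, so an
    unexpected serial must not create a unit or keep one looking 'up'."""
    last_seen = {sn: None for sn in managed_serials}
    for line in lines:
        hb = parse_heartbeat(line)
        if hb is None:
            continue
        sn, ts = hb
        if sn not in last_seen:
            continue
        if last_seen[sn] is None or ts > last_seen[sn]:
            last_seen[sn] = ts
    return {sn: unit_status(seen, now, interval_s) for sn, seen in last_seen.items()}


# Constructed sample data (not captured from a real appliance).
MANAGED_SERIALS = ["0017C5000001", "0017C5000002", "0017C5000003"]
NOW = datetime(2010, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "<134>2010-06-01T11:59:30+00:00 cdp-1 cdp: heartbeat sn=0017C5000001",   # 30 s ago: up
    "<134>2010-06-01T11:30:00+00:00 esa-1 esa: heartbeat sn=0017C5000002",   # 30 min ago: down
    "<134>2010-06-01T11:59:00+00:00 rogue rogue: heartbeat sn=DEADBEEF0000",  # never added: ignored
    "<134>2010-06-01T11:59:10+00:00 cdp-1 cdp: backup job 17 completed",     # not a heartbeat
]


def demo(interval_s=60):
    """Run the sample through the table with the 60-second interval from the CLI steps."""
    return status_table(SAMPLE_LINES, MANAGED_SERIALS, NOW, interval_s)


if __name__ == "__main__":
    for serial, state in demo().items():
        print(serial, state)
```

Run the file directly to print the state of each sample unit; change the interval passed to `demo()` to see how a longer heartbeat interval widens the window before a silent unit is reported down, which is the trade-off behind the interval you choose in the Preparing the Appliance step.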
Part 3 Reporting
CHAPTER 35
GMS Reporting Features
This chapter describes how to use GMS reporting, including the type of
information that can appear in reports. A description of the available features
in the user interface is provided. Settings for reporting on the Console and
Policy panels are described.
This chapter includes the following sections:
•
“GMS Reporting Overview” section on page 651
•
“Navigating GMS Reporting” section on page 655
•
“Showing Domain Names in Reports” section on page 666
•
“Managing GMS Reports on the Console Panel and Policies Panel”
section on page 667
•
For information about archiving report data using the Move Data to
Archive (MDTA) feature, see the “Management” section on page 1000 in
the Managing Reports in the Console Panel chapter.
GMS Reporting Overview
Monitoring critical network events and activity, such as security threats,
inappropriate Web use, and bandwidth levels, is an essential component of
network security. GMS Reporting complements SonicWALL's Internet security
offerings by providing detailed and comprehensive reports of network activity.
The GMS Reporting Module is a software application that creates dynamic,
Web-based network reports. The GMS Reporting Module generates both
real-time and historical reports to offer a complete view of all activity through
SonicWALL Internet security appliances. With GMS Reporting, you can
monitor network access, enhance security, and anticipate future bandwidth
needs.
You can search saved reports by using the report search bar, available in most
report screens in the GMS UI. The search bar provides pre-populated quick
settings for the search field, and a drop-down calendar for the start and end dates.
The search operator field offers a comprehensive list of search operators that
varies depending on the search field, which can be either text-based or numeric.
You can search all columns of report data except columns that contain computed
values, such as %, Cost, or Browse Time. GMS waits until you click Search before
it begins building the new report.
The GMS Reporting Module:
•
Displays bandwidth use by IP address and service
•
Identifies inappropriate Web use
•
Provides detailed reports of attacks
•
Collects and aggregates system and network errors
•
Shows VPN events and problems
•
Tracks Web usage by users and by Web sites visited
•
Provides detailed daily firewall logs to analyze specific events.
Note
The GMS Reporting Module receives its information from the stream
of syslog data sent by each SonicWALL appliance and stores it in
the SonicWALL GMS database or as files on the hard-disk. GMS
Reporting can be enabled or disabled. Once disabled, the Reports
tab disappears from the SonicWALL GMS User Interface (UI) and
the syslog data is no longer stored.
Viewing GMS Reports
The GMS reports are available on the UTM and SSL-VPN tabs of the GMS
interface, under the Reports tab in the middle pane:
The GMS Reports view is divided into three panes:
•
A list of views and individual units referred to as the TreeControl: In the left
pane, you can select a top level view, a group view, or a unit to display
reports that apply to the selected view or unit. GlobalView is the default
top level selection.
•
A list of reports: The middle pane provides a list of available reports that
changes according to your selection in the TreeControl pane. The reports
are divided into categories. You can click on the plus sign next to a
category to view the list of reports in that category. You can click on an
individual report name to view that report.
•
The report: The right pane displays the report that you selected in the
middle pane for the view or unit that you selected in the TreeControl. For
most reports, the search bar is provided at the top of the pane. Above the
search bar a link to the Scheduler is provided. You can change the time for
the report to run by clicking the Schedule link or its clock icon in the upper
right. A quick access link to your system’s printer is also available in the
upper right corner. To print the report, click the Print link or icon. To access
the display settings for the report, click More Options to the right of the
search bar.
The SonicWALL GMS reporting feature provides the following configurable
reports:
Table 12 Configurable Reports
Dashboard: Provides a high-level activity summary.
Status: Provides up-time and down-time status reports.
Custom Report*: Provides Internet Activity and Website Filtering reports with details from raw data. *Custom Reports are only available at the unit level.
Bandwidth: Provides bandwidth usage reports.
Services*: Provides events and usage by service protocol. *Services reporting is only available at the unit level.
Web Usage: Provides Web usage reports.
Web Filter: Provides web filter event reports.
FTP Usage: Provides FTP usage reports.
Mail Usage: Provides mail usage reports.
VPN Usage: Provides VPN usage reports.
Attacks: Provides attack event reports.
Virus Attacks: Provides virus attack event reports.
Anti-Spyware: Provides spyware event reports.
Intrusion Prevention: Provides intrusion event reports.
Application Firewall: Provides Application Firewall reports.
Authentication: Provides login reports.
Navigating GMS Reporting
GMS Reporting is a robust and powerful tool you can use to view detailed
reports for individual SonicWALL appliances or groups of appliances.
This section describes each view and what to consider when making changes.
It also describes the Search Bar and display options for interactive reports, as
well as other enhancements provided in SonicWALL GMS. See the following
sections:
•
“Global and Group Views” on page 656
•
“Unit View” on page 657
•
“Using Interactive Reports” on page 658
•
“Searching for a Report” on page 659
•
“Collapsible TreeControl Pane” on page 664
•
“Enabling/Disabling Scheduled Reports” on page 664
•
“Combined Reports” on page 664
•
“Improved Navigation” on page 665
Global and Group Views
From the Global and Group views of the Reports Panel, Summary and Over
Time reports are available for all SonicWALL appliances within a group or all
SonicWALL appliances being managed by SonicWALL GMS.
To open the Global or Group view, click the GlobalView icon in the upper-left
hand corner of the left pane or select a Group Icon. The Status page displays.
As you navigate the SonicWALL GMS reports screens with the GlobalView or
Group view selected and view different reports, the settings that you specify
are maintained in effect throughout the session.
Unit View
From the Unit view of the Reports panel, reports contain detailed data for the
selected SonicWALL appliance. To open the Unit view, click the Reports tab.
Then, click a SonicWALL appliance in the left pane of the SonicWALL GMS
interface. The report page for the SonicWALL appliance displays.
As you navigate the Reports panel with a single SonicWALL appliance
selected and change settings, those settings will remain in effect throughout
the session.
Using Interactive Reports
GMS provides interactive reporting to create a clear and visually pleasing
display of information, for example an interactive report graph and a pie
chart for the Summary and Top Users reports. You control the way the
information is displayed by adjusting the settings, which are collapsed in
the search bar.
Searching for a Report
The search bar feature provides search and configuration capabilities for
every report. In addition to the original quickset functions, the search bar
has intuitive search fields to provide context-based searching.
The search bar contains a number of components that allow you to specify
search parameters and locate a report with ease:
• A column drop-down list: The searchable column drop-down list contains
all the searchable columns of a report. It is context-based, containing
different options in different reports. The column drop-down list defines
the criteria for the search and filter functions.
• An operator drop-down list: There are two operator sets. If the content
of the selected column is character-based, a character-based list is
displayed. If the column contains numerical data, a list with mathematical
symbols is displayed.
• A search text field: You can input a search string into this field.
• Start date and end date calendar fields: You can also search for reports
by date. Clicking the Start field displays a drop-down calendar where you
can select day, month, and year by using the side arrows to navigate. You
may also navigate through dates by clicking the arrows located beside the
start date and the end date fields.
• A detailed drop-down menu (More Options) with per-report display
settings such as the chart type.
The Search Bar can be displayed collapsed or expanded.
The search bar consists of a column drop-down list, an operator drop-down
list, a search text field, and a detailed pull-down menu. Search and filter
functions are available in reports at the unit and group levels.
The column drop-down list contains all the searchable columns of a report.
It is context-based, meaning that it contains different options in different
reports. The selected column defines the criteria that the search and filter
functions work on.
There are two different operator sets. If the content of the selected column
is character-based, the character-based operators are shown: Equals, Start
with, End with, and Contains. If the selected column contains numerical
data, a list of mathematical comparison operators plus the between operator
is shown.
For example, a report can be filtered on user name (Users column) with the
Start With operator and “10.50.20” as the search text, so that only users
whose address begins with that string are listed. Likewise, the Hits column
can be filtered with the greater than (>) operator and “100” as the search
value, so that only rows with a hit count above 100 are listed.
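As an added illustration (not code from the GMS product or from this guide), the following Python reproduces the search bar semantics described above over a constructed set of report rows: a column, an operator from the character-based or the numeric set, and a search value. The column names, the sample rows and the extra search_cidr helper are assumptions made for the example. One point worth seeing in code: the guide's Start With “10.50.20” filter is a plain string prefix, so it also matches an address such as 10.50.200.5 on a different subnet; the CIDR helper shows the membership test a practitioner would use when the intent is "this subnet" rather than "this string".

```python
"""Search-bar style filtering over report rows (added example, not GMS code).

Column names, sample rows and the search_cidr helper are assumptions made
for the illustration.
"""
import ipaddress

# Constructed sample rows shaped like a Web Usage > By User report.
# 10.50.200.5 is included on purpose: it shares the string prefix
# "10.50.20" with the 10.50.20.0/24 hosts but is on another subnet.
SAMPLE_ROWS = [
    {"Users": "10.50.20.11", "Hits": 340},
    {"Users": "10.50.20.7", "Hits": 85},
    {"Users": "10.50.21.3", "Hits": 120},
    {"Users": "10.50.200.5", "Hits": 60},
    {"Users": "192.168.1.9", "Hits": 101},
]

# Character-based operator set, as offered for text columns.
CHAR_OPERATORS = {
    "Equals": lambda cell, val: cell == val,
    "Start with": lambda cell, val: cell.startswith(val),
    "End with": lambda cell, val: cell.endswith(val),
    "Contains": lambda cell, val: val in cell,
}

# Numeric operator set: comparison symbols plus an inclusive "between".
NUM_OPERATORS = {
    "=": lambda cell, val: cell == val,
    ">": lambda cell, val: cell > val,
    "<": lambda cell, val: cell < val,
    ">=": lambda cell, val: cell >= val,
    "<=": lambda cell, val: cell <= val,
    "between": lambda cell, val: val[0] <= cell <= val[1],
}


def operators_for(rows, column):
    """Pick the operator set the search bar would offer for a column.

    The choice is context-based: a column whose cells are numbers gets
    the mathematical operators, any other column the character ones.
    """
    sample = next((r[column] for r in rows if column in r), None)
    if isinstance(sample, (int, float)) and not isinstance(sample, bool):
        return NUM_OPERATORS
    return CHAR_OPERATORS


def search(rows, column, operator, value):
    """Return the rows whose `column` satisfies `operator value`.

    Raises ValueError for an operator that does not belong to the set
    the column type allows, mirroring what the drop-down list prevents.
    """
    ops = operators_for(rows, column)
    if operator not in ops:
        raise ValueError(
            f"operator {operator!r} is not valid for column {column!r}; "
            f"choose one of {sorted(ops)}"
        )
    test = ops[operator]
    return [r for r in rows if column in r and test(r[column], value)]


def search_cidr(rows, column, cidr):
    """Filter an address column by network membership instead of string
    prefix, so "10.50.20.0/24" does not match 10.50.200.5 (assumed helper,
    not a GMS search bar operator)."""
    net = ipaddress.ip_network(cidr, strict=False)
    matches = []
    for r in rows:
        try:
            if ipaddress.ip_address(r[column]) in net:
                matches.append(r)
        except (KeyError, ValueError):
            continue  # missing column or a cell that is not an IP address
    return matches


if __name__ == "__main__":
    for r in search(SAMPLE_ROWS, "Users", "Start with", "10.50.20"):
        print("prefix match:", r["Users"])
    for r in search_cidr(SAMPLE_ROWS, "Users", "10.50.20.0/24"):
        print("subnet match:", r["Users"])
    for r in search(SAMPLE_ROWS, "Hits", ">", 100):
        print("hits > 100:", r["Users"], r["Hits"])
```

Run on the constructed rows, the Start With filter returns three users (including 10.50.200.5) while the /24 membership test returns two; Hits > 100 returns the three rows with 340, 120 and 101 hits. When a report filter is being used to scope an investigation to a subnet, that difference is the caveat to remember.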
The calendar module of the search bar lets you select a date for the Start
or End field. You can also manually type in a date. For single day reports,
the End field is disabled.
The detailed options are set per report. For example, if you select “PIE”
as the chart type for report A, you will still see a bar chart in report B
if the bar chart was the existing chart type there. The detailed drop-down
menu is expanded by clicking More Options.
As Figure 5 and Figure 6 show, the options in the detailed drop-down menu
are context-based. Figure 5 shows the detailed options of one report, and
Figure 6 shows the Report Display Settings of the Web Usage By User report,
which contains different options because they are specific to that report.
Figure 5 Context-based Detail Options
Figure 6 Web Usage by User - Report Display Settings
Collapsible TreeControl Pane
The unit TreeControl pane can be collapsed to free up screen space by
clicking the small arrow button to the right of the Add Unit, Modify Unit,
Refresh, and Find buttons above the TreeControl pane. The pane can be
brought back by clicking the same button.
Enabling/Disabling Scheduled Reports
GMS allows you to disable a scheduled report without deleting it. This lets
you re-use the report at a later time without having to create it again. To
enable or disable a report, navigate to the Configuration > Scheduled
Reports page under the Reports tab. This screen shows all the scheduled
reports on the current appliance. Select the checkbox in the row of each
report that you wish to disable, and click the Disable Selected Scheduled
Reports button above the table. After confirmation, the check mark in the
Enabled column is grayed out. To re-enable the report, use the Enable
Selected Scheduled Reports button above the table.
Combined Reports
Users familiar with GMS 4.0 will find two categories of reports that are no
longer visible on the function tree: the Browse Time report and the ROI
report. The information from these two reports has been folded into the Web
Usage and Bandwidth reports, respectively. The Web Usage report pages now
feature a Browse Time column. The Bandwidth report pages feature a Cost($)
column that displays all the information previously displayed by the ROI
reports.
Improved Navigation
To save time, GMS now features linked reports. Web Usage and Web Filter
reports now link their By User and By Site pages. It is now possible to
navigate directly from the Web Usage > By User page to a Web Usage > By
Site page or from the Web Filter > By User page to a Web Filter > By Site
page detailing the information of the site that the user has been browsing.
Click the Plus sign next to the entry in the User column to show details, and
hover the mouse over a site. A sticky tooltip will display with a link to the
corresponding site’s report page. This makes navigating from one report to the
next much easier and makes retrieving detailed information simple.
Sample Navigation Use Case
This sample use case demonstrates the improved navigation feature. In this
use case you will open up the Web Usage > By User report and observe what
sites the top browser has been visiting. Then you will move directly from the
By User report to a detailed By Site report.
1. Navigate to the Web Usage > By User report from the Report tab.
2. Click the Plus button next to any IP address in the User column. This
displays detailed information about the sites that the user at that address
has been visiting.
3. Hover your mouse over a site in this list. Click the Navigate to Top
Visited Web Sites By Site link to navigate directly to the Web Usage > By
Site report page.
The Web Usage > By Site report page shows detailed information about Web
traffic to this site. Information in this report includes the IP addresses
of users who have browsed that site, as well as how much time they have
spent browsing.
Showing Domain Names in Reports
Reports sometimes show the domain names of systems or websites, and
sometimes show only the IP address. This is caused by different firmware
versions on the appliances for which reports are being generated.
The reporting subsystem consumes the contents of src, dst, dstname, and
other tags from the syslog messages. The syslog format and tags depend on
the version of the firmware.
For firmware that includes name resolution, the reports will list the domain.
Note: In SonicWALL GMS 5.1 and above, the Name Resolution option on the
UTM appliance (where the firmware supports it) is enabled when a unit is
added. This does not apply to appliances that already exist in the system.
Managing GMS Reports on the Console Panel and Policies Panel
There are management settings for the GMS Reporting Module on the GMS
Console panel. The Policies panel also contains certain screens that are
useful when managing GMS reporting. The Reports panel contains limited
configuration screens, used for managing scheduled reports and per-unit
settings.
The Management section of the Console panel controls the configuration of
GMS, including settings which have an effect on GMS Reports.
• For information about GMS management settings, see the “Settings”
section on page 941 in the Configuring Management Settings chapter.
• For information about user screen permissions, see the “Moving a User”
section on page 957 in the Configuring Management Settings chapter.
The Reports section on the Console panel is divided into sections that allow
you to manage system-wide settings, including the following:
Table 13 Console > Reports

Section            Settings
Settings           Report Settings/Options
                   Log Viewer Settings
Summarizer         Summarizer Settings
                   Reports Data Summarization Interval
                   Syslog Deletion Schedule
                   Host Name Resolution Settings
Email/Archive      Email/Archive Time Settings
                   Days to Store Archived/Published reports
                   Email/Archive Configuration - Web Server Details
                   Logo Settings
                   SortBy Settings In PDF Reports
Scheduled Reports  Summary
                   Search Criteria
                   Search Results
Management         Report Data Management Settings
The Reports section of the Console panel controls settings for syslog data
collection, summarizer configuration, email and archiving, scheduling reports,
and archiving report data. The Logs section of the Policies panel provides
settings for controlling the rate of syslog event logging.
• For information about syslog data collection settings, see the
“Enabling Report Table Sorting” section on page 982 in the Managing
Reports in the Console Panel chapter.
• To configure the syslog event rate, see the “Configuring Log Settings”
section on page 278 in the Configuring Log Settings chapter.
• For information about the summarizer, see the following sections in the
Managing Reports in the Console Panel chapter:
– “About Summary Data in Reports” section on page 983
– “About the Distributed Summarizer” section on page 984
– “Summarizer Settings and Summarization Interval” section on page 987
• For information about Email and Archiving settings, see the “Configuring
Email/Archive Settings” section on page 994 in the Managing Reports in the
Console Panel chapter.
• For a description of how to schedule reports in the Console panel, see
the “Scheduled Reports” section on page 995 in the Managing Reports in the
Console Panel chapter.
• For information about archiving report data using the Move Data to
Archive (MDTA) feature, see the “Management” section on page 1000 in the
Managing Reports in the Console Panel chapter.
CHAPTER 36
Scheduling and Configuring Reports
This chapter provides information about scheduling automatic reports and
configuring data summarization settings. It also describes how to view the list
of current alerts on the Events > Current Alerts page. This chapter also
describes how to export compliance reports in PDF format. The settings
described in this chapter are applied on a per-unit or per-group basis.
This chapter includes the following sections:
• “Configuring Scheduled Reports” section on page 671
• “Selecting Reports for Summarization” section on page 675
• “Configuring Inheritance for Reporting Screens” section on page 676
• “Configuring Data Storage Settings” section on page 677
• “Configuring Summarization Data for Top Usage” section on page 678
• “Configuring Summarization Data for Bandwidth Reports” section on
page 679
• “Viewing Current Alerts” section on page 680
• “Scheduling PDF Compliance Reports” section on page 680
Configuring Scheduled Reports
SonicWALL GMS Reporting can automatically send reports to any email
addresses that you specify. This section contains the following:
• “Viewing or Managing Scheduled Reports” on page 672
• “Adding or Editing a Scheduled Report” on page 673
To create scheduled email reports in PDF format as Compliance Reports, see
the “Scheduling PDF Compliance Reports” section on page 680.
Viewing or Managing Scheduled Reports
To view, delete, or enable/disable currently scheduled reports, perform the
following steps:
1. Click the Reports tab and select a SonicWALL appliance.
2. Expand the Configuration tree and click Scheduled Reports. The
Scheduled Reports page displays.
3. On the Scheduled Reports page, to add a new scheduled report, click Add
Scheduled Report. See “Adding or Editing a Scheduled Report” on page 673.
4. To edit a report, click the pencil icon in that row. See “Adding or
Editing a Scheduled Report” on page 673.
5. To delete a report, select the checkbox in that row and then click
Delete Selected Scheduled Reports.
6. To disable a scheduled report, select the checkbox in that row and then
click Disable Selected Scheduled Reports.
7. To enable a disabled report, select the checkbox in that row and then
click Enable Selected Scheduled Reports.
8. To select all reports in the list, click Select All Scheduled Reports.
Adding or Editing a Scheduled Report
You can add a new scheduled report or edit an existing one on the Reports
panel on the Configuration > Scheduled Reports screen. When adding or
editing the report, you can configure its name, category, formats, cover page,
summary report page, and detailed reports page. You can also use or create
a profile for the detailed reports page settings.
To add or edit a scheduled report, perform the following steps:
1. Navigate to the Configuration > Scheduled Reports page on the Reports
panel and do one of the following:
– To add a new scheduled report, click the Add Scheduled Report button.
– To edit an existing report, click the pencil icon in that row.
The Scheduled Report Configuration window displays.
2. Enter a name for the report in the Name field.
3. Enter descriptive information in the Description field.
4. To email the report, select the Email check box. The screen expands to
show email configuration settings.
5. Enter the IP address or hostname of the mail server into the SMTP
Server field.
6. By default, the GMS Reporting Module uses the email address configured
in the Console panel on the Management > GMS Settings screen as the Sender
email address. To change it, enter a new Sender email address in the
Source Email Address field.
7. Enter one or more destination email addresses, separated by semicolons,
into the Destination Email Addresses field.
8. Enter the subject line that will appear in reports sent from the GMS
Reporting Module in the Email Subject field.
9. Enter text that will appear in the message body in the Email Body
field.
10. To copy the contents of the report into the body of the email message,
select the Send Reports Inline check box. To send the file as an email
attachment, make sure this check box is deselected.
Note: Reports can only be sent inline when all data is sent in a single
report.
11. To archive the file on the server’s hard disk, select the Archive
check box and enter the path of the directory where the file will be
archived in the Save Directory field.
12. For Report Type, select Daily, Weekly, or Monthly.
13. For Report Format, select HTML, XML, or PDF.
14. Select either Include all data in a single report or Zip Reports into a
single file.
15. If you selected PDF for the Report Format, you can create a password to
protect it by selecting Password Protect the PDF File and typing a
password into the Password field. Users must input the password to view
the contents of a password-protected PDF file. The content can be copied
or printed, but is not editable by a PDF editor.
16. If Zip Reports into a single file is selected, you can create a
password for the zip file by selecting Password Protect the Zip File and
typing a password into the Password field.
Note
When both PDF and Zip Reports into a single file are selected,
you can password-protect the PDF, but not the zip file.
17. For the Cover Page, enter a Title and Subtitle and select colors for the
Foreground and Background of the cover page.
18. For Summary Report Page, you can select up to 4 reports. Select a report
for the summary page from the Choose the Summary Reports drop
down list, and then click Add.
19. For Detailed Report Page, do one of the following:
– Click Select an existing profile, and then select the profile to use
from the Profile Name drop-down list.
– Click Create a new profile, type a profile name into the New Profile
Name field, and then select the checkboxes in the Report list for each
report to be included. You can click the checkbox next to the Report
heading to select all reports in the list.
20. Optionally click Configure Filters Options. For this procedure see
“Configuring Filters and Options” on page 675.
21. To see a preview of this scheduled report, click PREVIEW.
22. When finished, click Add.
Configuring Filters and Options
1. At the bottom of the Scheduled Report Configuration page, click the
Configure Filters/Options button. The Display Options/Settings page
displays.
2. Select the number of sites to display in Top Sites reports (default: 20).
3. Select the number of users to display in Top Users reports (default: 20).
4. Select the number of sites to display in Sites by User/Users By Site
reports (default: 20).
5. Select the number of items to display in all other reports (default: 20).
6. Select the number of entries per item to display in all other reports
(default: 20).
7. Under Inclusion Filter Parameters, enter a comma separated list of sites
to include in By Site reports in the Site List field.
8. Enter a comma separated list of users to include in By User reports in
the User List field.
9. To include the user’s full name and IP address in the report, select the
Whole Name/IP checkbox.
10. For Bandwidth Usage reports, select the source from the Source
Interface drop-down list.
11. For Bandwidth Usage reports, select the destination from the
Destination Interface drop-down list.
12. Click the Update button to apply changes. The new report will appear in
the list on the Scheduled Reports page.
Selecting Reports for Summarization
This section describes how to tune the performance of the Summarizer by
configuring which reports will be created. When an appliance is configured to
communicate with GMS, you need to prepare it for syslog data collection for
reporting. Make sure the summarizer is collecting data for the reports you want
for this unit.
To configure the Summarizer settings, perform the following steps:
1. Click the Reports tab.
2. Expand the Configuration tree and click Summarizer Settings. The
Summarizer Settings page provides a list of reports and a description of
each report. Each report has a checkbox that you can select to generate a
summarized report.
3. Select the checkbox of each report type to summarize.
4. When you are finished, click Update. Your configuration changes are
saved.
Configuring Inheritance for Reporting Screens
On the Configuration > Summarizer Settings screen, there is an option to
synchronize report settings between the unit level and global/group level. This
option can be displayed in any of the sections on this page when those
settings are not synchronized between the unit level and global/group level.
This option provides inheritance support for report settings.
When you are viewing the screen at the unit level, the option is Sync group
to appliance level settings. This is reverse inheritance. Click the Update
button to apply your current unit level settings to the group to which this unit
belongs.
When you are viewing the screen at the global or group level, the option is
Sync appliance(s) to group level settings. This is forward inheritance. Click
the Update button to apply your current global or group level settings to the
appliances in this group.
Configuring Data Storage Settings
The Data Storage Configuration section of the Configuration > Summarizer
Settings page allows you to specify the number of days to store summarized
data and syslog data.
For all fields in this section, the minimum values should be 3 days, and will
typically be longer.
Raw syslog data is transferred to the GMS Summarizer system by individual
SonicWALL appliances, where it is stored in raw syslog files. The data from
these files is combined and stored in a raw syslog database. Data from this
database is processed by the Summarizer and then stored in the summarized
data database.
The raw syslog files and databases older than the number of days specified
here will get deleted by the global daily deletion schedule configured on the
Console > Reports > Summarizer page. That page also provides a way to
delete the summarized database for a certain date. See the “Configuring the
Syslog Deletion Schedule Settings” section on page 991.
To configure the Data Storage Configuration settings:
1. On the Reports tab, expand the Configuration tree and click
Summarizer Settings.
2. Scroll down to the Data Storage Configuration section.
3. Type the desired number of days to store summarized data into the Days
To Store Summarized Data field and then click Update.
4. Type the desired number of days to store raw syslog database files into
the Days To Store Raw Syslog Databases field and then click Update.
5. Type the desired number of days to store archived XML reports into the
Days To Store XML reports field and then click Update.
Configuring Summarization Data for Top Usage
The Reports Summarization Data for Top Usage section of the Configuration
> Summarizer Settings page allows you to enable Web event consolidation.
When enabled, Web event consolidation reduces repetitive syslog event
entries within the syslog database. Enabling Web Event Consolidation
promotes search and summarizer efficiency by consolidating the syslog
messages that result from a single click (for example, a visit to a Web page),
and further correlates events by time proximity, such as multiple visits to the
same URL by the same user within a set time, and HTTP header information.
GMS consolidates syslog messages under the main domain name.
When Web Event Consolidation is disabled, multiple syslog events are logged
for one request. For instance, a single access to www.cnn.com can generate
more than 70 syslog messages. Many of the 70 syslog messages refer to the
links to other pages like images.cnn.com or video.cnn.com that are included
in the Web page. In this simplified example, if Domain Only consolidation is
selected, then only one Web event is recorded (cnn.com). If Host & Domain is
selected, then you would see three Web events. You would see all 70 Web events
if consolidation was not enabled at all.
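As an added example (not SonicWALL code; the key=value tag layout, the 60-second click window and the two-label domain rule are assumptions made here), the following Python parses a few constructed syslog lines carrying the src=, dst= and dstname= tags mentioned earlier in this chapter and counts the Web events that remain at each consolidation level. On the constructed input, the first page load produces five raw messages, three events under Host & Domain and one under Domain Only, which is the same shape as the cnn.com illustration above; a second click on the same site five minutes later, and a request by another user, are kept as separate events at every level.

```python
"""Web event consolidation for Summarizer input (added example, not GMS code).

Assumptions: syslog lines use key=value tags including src=, dst= and
dstname=; events for one user and one host/domain that fall within a
60-second window count as a single click; a domain is the last two
labels of the hostname (no public-suffix list).
"""
import re
from collections import Counter
from datetime import datetime

# Constructed syslog lines for one page load of www.cnn.com by
# 10.50.20.11, one request by another user, and a second click on
# www.cnn.com five minutes later. They are not captured from an appliance.
SAMPLE_SYSLOG = """\
time="2010-03-01 10:00:00" src=10.50.20.11:51234:X0 dst=157.166.226.25:80:X1 dstname=www.cnn.com arg=/
time="2010-03-01 10:00:00" src=10.50.20.11:51235:X0 dst=157.166.226.26:80:X1 dstname=images.cnn.com arg=/a.gif
time="2010-03-01 10:00:01" src=10.50.20.11:51236:X0 dst=157.166.226.26:80:X1 dstname=images.cnn.com arg=/b.gif
time="2010-03-01 10:00:01" src=10.50.20.11:51237:X0 dst=157.166.226.27:80:X1 dstname=video.cnn.com arg=/v.mp4
time="2010-03-01 10:00:02" src=10.50.20.11:51238:X0 dst=157.166.226.25:80:X1 dstname=www.cnn.com arg=/style.css
time="2010-03-01 10:00:03" src=10.50.20.7:40001:X0 dst=198.51.100.9:80:X1 dstname=www.example.org arg=/
time="2010-03-01 10:05:00" src=10.50.20.11:51300:X0 dst=157.166.226.25:80:X1 dstname=www.cnn.com arg=/
""".splitlines()

LEVELS = ("none", "host_domain", "domain_only")
TAG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line):
    """Split one key=value syslog line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in TAG_RE.findall(line)}


def registrable_domain(host):
    """Reduce a hostname to its domain: www.cnn.com -> cnn.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def consolidate(lines, level="none", window_seconds=60):
    """Count Web events per (user, key) after consolidation.

    level "none":        every syslog message is its own event
    level "host_domain": one event per user and hostname per window
    level "domain_only": one event per user and domain per window
    """
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    events = []
    for line in lines:
        tags = parse_syslog(line)
        if "dstname" not in tags:
            continue  # no resolved name on this message; skip it here
        ts = datetime.strptime(tags["time"], "%Y-%m-%d %H:%M:%S")
        src_ip = tags["src"].split(":")[0]  # drop port and interface
        host = tags["dstname"].lower()
        if level == "none":
            key = host + tags.get("arg", "")
        elif level == "host_domain":
            key = host
        else:
            key = registrable_domain(host)
        events.append((ts, src_ip, key))
    events.sort()

    counts = Counter()
    group_start = {}  # (src_ip, key) -> time the current window opened
    for ts, src_ip, key in events:
        gkey = (src_ip, key)
        if level == "none":
            counts[gkey] += 1
            continue
        start = group_start.get(gkey)
        if start is None or (ts - start).total_seconds() > window_seconds:
            group_start[gkey] = ts  # a new click, outside the window
            counts[gkey] += 1
    return counts


def event_total(lines, level="none", window_seconds=60):
    """Total number of Web events left after consolidation."""
    return sum(consolidate(lines, level, window_seconds).values())


if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:12s} -> {event_total(SAMPLE_SYSLOG, level)} events")
```

On the constructed lines the totals are 7 (no consolidation), 5 (Host & Domain) and 3 (Domain Only). Domain Only gives the fewest rows and the fastest summarizer, but because the consolidation is applied to what is kept in the syslog database, the individual hostnames and URLs that were merged are no longer available to reports afterwards; choose the level with that investigative trade-off in mind.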
To enable Web event consolidation, perform the following:
1. On the Reports tab, expand the Configuration tree and click
Summarizer Settings.
2. Scroll down to the Reports Summarization Data for Top Usage section.
3. Optionally select the Enable Homeport Syslog Reporting checkbox.
4. Select the Enable Web Event Consolidation checkbox to consolidate
repetitive syslog event entries within the syslog database and then select
one of the following levels of consolidation:
– Host & Domain - More restrictive, less consolidation
– Domain Only - More general, more consolidation
5. Click Update.
Configuring Summarization Data for Bandwidth Reports
The Reports Summarization Data for Bandwidth Reports section of the
Configuration > Summarizer Settings page allows you to configure the
currency type and cost per megabyte for use in bandwidth reports.
To configure the data for bandwidth reports, perform the following:
1. On the Reports tab, expand the Configuration tree and click
Summarizer Settings.
2. In the Reports Summarization Data for Bandwidth Reports section, select
the currency type in the Type of Currency field. Over 20 different
currencies from around the world are available.
3. Specify an amount based on your chosen currency in the Cost Per Mega
Byte Bandwidth Use field.
4. Click Update.
Viewing Current Alerts
You can view a list of current alerts on the Events > Current Alerts page of
the UTM, SSL-VPN, or CDP panel. Select a global view, group, or unit to view
current alerts for your selection.
Scheduling PDF Compliance Reports
GMS can create scheduled email reports in PDF format. Called Compliance
Reports, this feature allows you to export regular reports in universally
readable format.
Compliance Report Overview
A Compliance Report is a report that collects report data and presents it in an
organized format.
The GMS Compliance Report feature allows administrators to provide more
customized report summaries and to create more formal and defined layout of
report information in PDF format. This feature provides the following benefits:
• Customizable cover page (a default is also available).
• Customizable summaries and descriptions for the reports.
• Ability to customize a set of reports.
• The selected reports can be persisted as a profile so that the profile
can be consumed by less experienced users in the system.
• Reports can be generated in industry standard PDF format.
• The compressed format produces a smaller file than an equivalent HTML
report.
• The print quality is higher.
• A 200 page PDF report opens with ease. In comparison, opening the same
report in HTML takes considerably longer in Internet Explorer, which is
weighed down by memory and other system constraints.
Requirements
Adobe Reader ® plug-in is required for the preview function.
How Do Compliance Reports Work?
GMS has the capability to generate both online and scheduled reports in
HTML format. Since PDF has become a standard document format for
distribution, the compliance reports are based on this universal standard.
Moreover, users are able to customize/define sections throughout the report.
For example, they can assign different logos/titles to the cover pages for their
customers.
Adding a New Scheduled Compliance Report
This section includes the following sub-sections:
• “Customizing Your Cover Page” section on page 683
• “Customizing Your Summary Report Page” section on page 684
• “Customizing Your Detailed Reports Page” section on page 685
• “Editing Existing Profiles” section on page 686
• “Verifying User Compliance Reports Configuration” section on page 688
To begin creating a new customized Compliance Report, perform the following
steps:
1. Navigate to Reports > Configuration > Scheduled Reports.
2. Click the ADD button to add a scheduled report.
3. The Scheduled Report Configuration page displays. In the General
section, enter the name of your report into the Name field, and the report
description.
4. In the Category section, select the Email check box. The details
window displays:
• SMTP Server field: Enter your SMTP Server IP address or hostname.
• Source Email Address field: Enter your Source Email Address.
• Destination Email Address field: Enter the Destination Email
Address(es).
• Email Subject field: Enter your Email Subject.
• Email Body field: Enter your Email Body.
5. To archive the report on the GMS server, select the Archive check box
and enter the directory where the report should be saved into the Save
Directory field.
To change the format and settings of your customized compliance report,
perform the following steps:
6. In the Format and Settings category, select the Report Type that
reflects the time interval you want to view your reports, either Daily,
Weekly, or Monthly.
7. Select the PDF report format in the Report Format category. Selecting
the PDF option opens additional fields that allow you to customize the
set up of the Cover Page, Summary Report Page, and Detailed Report Page
of your report in PDF format.
8. To zip all of your reports into a single file, select the Zip Reports
into a single file check box.
Note: Selecting PDF disables some options that are only applicable to
HTML.
9. For custom reports, enter the template folder name into the Template
Folder Name field.
Customizing Your Cover Page
The Cover Page section allows the user to design a cover page for their report
using different color schemes.
1. Title field: Enter the document title.
2. Subtitle field: Enter the document subtitle (optional).
3. Select the color for the foreground and background of the Title and
Subtitle by clicking the gradient color box on the right side of each
field. You may select a color either by choosing a color on the color bar
and then selecting its value in the color box, or by typing in the HTML
color.
4. The color codes are automatically filled in the corresponding fields
once the color chooser window is closed.
Customizing Your Summary Report Page
The Summary Report Page allows you to add new reports and individually
customize their appearance.
1. On the Summary report page, select the type of summary report you need,
up to a maximum of 4 reports. Then, click the Add button. The report is
created based on the type of summary report you have selected.
2. Enter the report title and report description in the appropriate
fields.
3. Select the text color for the title and description.
4. Select the background color for both fields.
5. Select the order in the Order drop-down window.
6. You may continue to add reports based on the summary you select in the
Summary Reports drop-down menu. Repeat steps 1-5 to add more summary
reports.
Customizing Your Detailed Reports Page
The Details Report Page provides you with a list of reports you may select to
include in your report summaries. You can refine your setting for your report
in more detail in the Detailed Report Settings category. First, select the
appropriate profile setting for your report. If you are creating a new profile,
select the Create a New Profile button.
1. New Profile Name field: Enter the name of your new profile.
2. To determine the type of reports that will be summarized in your
compliance report, check the boxes next to the reports you need.
Sub-folders under each folder are revealed by clicking the plus icon. When all
sub-folders are selected, the main folder will be selected.
3. When you have completed your selection(s) of reports, scroll down the
page until you see a check button with Configure Filters/Options beside it.
Click the check mark button.
4. In the Configure Filter/Options section, you are able to decide how your
filter and display is set. Once you have clicked the check button, fill out the
table accordingly.
Editing Existing Profiles
A profile is associated with selected reports from the report list. You have the
ability to go back and edit existing profiles in your scheduled reports. Since the
report list is populated based on the report type selection, a profile is
associated with the report type also. Instead of three categories, there will only
be two: single day or multi-days. A profile in a single-day report will not be
seen by the users when they select weekly or monthly as report types.
To edit existing profiles, perform the following tasks:
1. Click the Edit icon, located next to the report name you want to edit.
2. In the Detailed Page section, choose the Select an existing profile
button.
Note: You are able to delete an existing profile in that section by clicking
the Delete Selected Scheduled Reports button located at the top
of the page.
3. From the drop-down list in the Detailed Report Page, select the profile
name you wish to edit. Choose the reports you want to add or remove from
that profile. If a new profile has the same name as one of the existing
profiles, the behavior will be the same as opening the existing profile
and editing its report list. When selecting an existing profile, the associated
reports are checked in the report list automatically.
A default cover page is provided:
Verifying User Compliance Reports Configuration
If you have chosen the PDF version of this report, you now have the option to
see a preview of the report covers you have created and how all of the report
summaries you added will fit into that template.
To review your customized PDF settings, click the Preview button:
Figure 7 Cover page; Summary page; and Details page Preview
Note: The images used for the preview do not use actual data.
CHAPTER 37
Viewing Reports
This chapter describes how to generate reports using the SonicWALL GMS
Reporting Module.
The following section describes how to configure the settings for viewing
reports:
• “Managing Report Settings” section on page 690
Select from the following reports:
• “Viewing Dashboard Reports” section on page 694
• “Using Custom Reports on UTM Appliances” section on page 699
• “Viewing Status Reports” section on page 716
• “Viewing Bandwidth Reports” section on page 723
• “Viewing Services Reports” section on page 731
• “Viewing Web Usage Reports” section on page 733
• “Viewing Web Filter Reports” section on page 751
• “Viewing File Transfer Protocol Reports” section on page 767
• “Viewing Mail Usage Reports” section on page 773
• “Viewing VPN Usage Reports” section on page 780
• “Viewing Attacks Reports” section on page 792
• “Viewing Virus Attacks Reports” section on page 801
• “Viewing Anti-Spyware Reports” section on page 807
• “Viewing Intrusion Prevention Reports” section on page 814
• “Viewing Application Firewall Reports” section on page 822
• “Viewing Authentication Reports” section on page 828
• “Viewing the Log” section on page 831
Managing Report Settings
All of the reports in GMS report on data gathered on a specific date or range
of dates. You can also edit the report settings for each report by using the
Search Bar and the More Options button.
Editing Report Settings
To edit the report settings, use the Search Bar at the top of the report. You can
search other reports, set the start and end dates for a report to view, or click
More Options to access other Report Display Settings. For a detailed
description, see the “Searching for a Report” section on page 659.
Selecting a Graphical Display
Some reports allow you to specify how many items to display in the report.
Select 5, 10, 20, 50, 100, or All from the Number of Items list. This allows you
to limit the display to the specified number in order to make the report easier
to read.
Many reports offer different graphical displays for the data, such as a
bar-graph or a pie chart. To select a graphical display, select Chart and Table
under Report Display Settings and choose the display type from the Chart
Type list. Your selection should display immediately in the report screen. For
most reports you can choose Area, Bar, Pie or Plot.
Setting a Date or Date Range
Summary reports display only information for a single date. Over-time reports
display information over a date range.
Selecting a Single Date
To select a single date for a report, click on the Start or End fields in the
Search Bar to display the drop-down calendar. The End field is only
configurable for Over Time reports. In the calendar, you can set the month by
clicking the single arrows (<, >), or the year by clicking the double arrows (<<,
>>). To select the month or year from a drop-down list, click and hold the arrow
button. Click Search to begin building the report.
Selecting a Date Range
To select a date range for an Over Time report, select a Start Date and End
Date in the Search Bar, and then click Search. You can use the drop-down
calendars by clicking in either field.
Additional Settings
Many reports have additional settings that you can select such as source and
destination interfaces to report traffic through or how to display names and IP
addresses. Make your selection from these lists and click Search.
Troubleshooting Reports
One of the most common error messages when a report does not display is
“No Data”. There are several reasons why you might see this error, and
SonicWALL GMS 5.1 and higher displays the most likely reason and points
you to the screen where you can make the necessary adjustments.
Some examples are shown in the following figures.
Figure 8 Appliance is Down
Figure 9 Appliance in a Provisioned State
Figure 10 Configured for Status Only
Viewing Dashboard Reports
Dashboard reports display an overview of bandwidth, uptime, intrusions and
attacks, and alerts for managed SonicWALL UTM appliances. The Security
Dashboard report provides data about worldwide security threats that can affect
your network. The Dashboard also displays data about threats blocked by the
SonicWALL security appliance.
Select from the following:
• “Viewing the Dashboard Summary Report” on page 694
• “Viewing the Security Dashboard Report” on page 697
Viewing the Dashboard Summary Report
At the global level, the Dashboard Summary report contains information about
total bandwidth, average up time, total intrusions and attacks on SonicWALL
appliances during the specified period. At the unit or group level, the
Dashboard Summary report provides information about total bandwidth, total
HTTP bandwidth, and total attacks.
To view the Dashboard Summary report, perform the following steps:
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Dashboard tree and click Summary.
4. The tables at the top of the page display the totals, using megabytes for
the bandwidth totals.
5. The graphical display breaks down the information as follows:
– Bandwidth—shown by group when viewed at global or group level. At
the unit level, the bandwidth is shown per hour.
– HTTP Bandwidth—at the unit level, this is shown as a pie chart with
eight slices. The top seven Web users by IP address are each shown
as a slice, with all other HTTP bandwidth combined in the eighth slice.
– Attack Events—at the global level, both attack events and virus
attack attempts are shown per group. At unit level, these are shown
per hour.
– Custom Report Templates—your “favorites” list of saved custom
report templates. See “Using Custom Reports on UTM Appliances” on
page 699.
You can click the Edit icon next to the template on this page to edit the
template in the Custom Report page and save it using the Save
Template button. To delete the template, click the Delete icon.
Viewing Custom Reports on the Dashboard
SonicWALL GMS provides access to your saved Custom Report templates on
the Dashboard > Summary page for the appliance. The template must have
been previously created and saved for the same appliance on the Custom
Report > Internet Activity or Custom Report > Website Filtering page.
When you click on a saved template, the detailed report page is displayed in
Full Mode with the same categories in the same order as in the template that
you saved. In the report page, the Print, PDF, and Excel icons are available,
along with the pagination controls. There is no link to Split Mode and no Save
Template button since this template is already saved.
You can also configure or delete a saved template from the Dashboard >
Summary page.
To access a custom report from the Dashboard:
1. Select a unit for which Log Viewer is enabled, and then navigate to
Dashboard > Summary.
2. Locate the box labeled Custom Report Templates. All saved templates
for this appliance are listed in the box.
3. Do one of the following:
• To generate a Custom Report, click a saved template in the Custom
Report Templates box.
• To configure a saved template, click the Configure icon for that
template, make the desired changes, and then click OK. For configuration
instructions, see “Using Custom Reports on UTM Appliances” on
page 699.
• To delete a saved template, click the Delete icon for that template and
then click OK in the confirmation dialog box.
Viewing the Security Dashboard Report
The Security Dashboard report shows two types of reports:
• An Individual Appliance Report that displays a summary of attacks
detected by the local SonicWALL security appliance.
• A Global Report that displays a summary of threat data received from all
SonicWALL security appliances worldwide.
The Dashboard > Security Dashboard screen is available at the global level,
but not at unit level for SonicWALL CSM Series appliances.
To view the Security Dashboard report, perform the following steps:
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Dashboard tree and click Security Dashboard. The Security
Dashboard page displays.
Figure 11 Security Dashboard Page
4. At the top of the screen, select either the Global radio button or, for
reporting at unit level, select the radio button that is labeled with the unit’s
MAC address. Select Global to display a summary of attacks caught by
SonicWALL appliances worldwide. Select the unit’s MAC address to see
results only for attacks through this unit. At all levels, the categories
charted include the following:
– Viruses Blocked by SonicWALL Network
– Intrusions Prevented by SonicWALL Network
– Spyware Blocked
– Multimedia (IM/P2P) Detected/Blocked
For each of these, the report includes the results over time for the top ten.
5. Optionally select the period of time for the report from the drop-down box
at the top right of each graphical display. At the unit level, you can select
only the Last 21 days. At the global or group level, you can select from:
– Last 12 Hours
– Last 14 Days
– Last 21 Days
– Last 6 Months
Using Custom Reports on UTM Appliances
Custom Reports are available at the unit level for appliances visible on the
UTM tab. Log Viewer must be enabled for the appliance. For information about
enabling Log Viewer, see “Viewing the Log” on page 831.
When configuring a Custom Report on the Internet Activity or Website Filtering
page, the Template Section acts as a query builder. You select the criteria for
the report that you want, and SonicWALL GMS uses your input to query the
raw syslog database for the information, and then outputs the report. The
Template Section consists of two parts: the Date/Time section and the Report
Layout section.
After building your query in the Template Section and clicking the Generate
Report button, the report is displayed in the Report Section. The Report
Section is displayed in the lower half of the page, under the Template Section;
this layout is called Split Mode. You can easily toggle between Split Mode and
Full Mode. Full Mode can be used to display only the Template Section or only
the Report Section in a full page view.
The Report Section displays the report and provides controls for pagination,
printing, and exporting the report in PDF or CSV format. You can also click the
Save Template button in this section if you want to save the settings for this
report as a template for reuse later.
See the following sections for detailed information:
• “Toggling Between Split Mode and Full Mode” on page 700
• “Configuring the Date and Time for Custom Reports” on page 702
• “Configuring the Report Layout and Generating the Report” on page 704
• “Generating the Custom Report” on page 712
• “Viewing a Custom Report” on page 713
• “Printing a Page or Exporting the Report as a PDF or CSV File” on
page 715
• “Saving the Report Template” on page 716
Toggling Between Split Mode and Full Mode
The Custom Report page contains two main sections, the Template Section
and Report Section, which can be displayed together or independently
depending on the mode.
When the Custom Report page is initially displayed for a selected appliance,
the Template Section is displayed in Full Mode. Split Mode is available, but the
Report Section displays no data until a report has been generated. The
Custom Report > Internet Activity page with the Template Section displayed in
Full Mode is shown below.
After generating a report, the page automatically changes to Split Mode and
displays the report settings in the Template Section in the top half of the page
and the report results in the Report Section in the lower portion. The Template
Section and Report Section displayed in Split Mode is shown below.
At any time, you can change to Full Mode if you want to display either the
Template Section or the Report Section individually. From Full Mode, you can
easily change back to Split Mode.
To toggle between Split Mode and Full Mode:
1. Select a unit for which Log Viewer is enabled, and then navigate to the
Custom Report page.
2. On a page that is currently displayed in Full Mode, to change the view to
Split Mode click the <Split Mode> button at the right side of the section
heading.
3. On a page that is currently displayed in Split Mode, do one of the following
to change to a Full Mode display of either the Template Section or the
Report Section:
– Click the <Full Mode> button to the right of the Template Section
heading.
– Click the <Full Mode> button to the right of the Report Section
heading.
Configuring the Date and Time for Custom Reports
At the top of the Template Section of the Custom Report page, the Date/Time
region provides a way to designate the time period to use when generating the
report. You can select either a Dynamic Date Range or a Static Date Range.
Both the Dynamic Date Range and the Static Date Range provide Start Time
and End Time settings. By using the Start Time and End Time fields, you can
specify the exact hour, minute, and second for both the beginning and the end
of the period for the report. When a start and end time is specified for a date
range containing multiple days, the start/end times are applied to each day of
the period when analyzing data for the report. The default is to include data for
the full 24 hours in each day of the date range.
Dynamic Date Range
The Dynamic Date Range selection allows you to select from four date
ranges and to specify the exact starting and ending times on the days in the
selected date range for the log data to be used for the report.
For the Dynamic Date Range, you can select from the following four date
choices:
• Today – Uses log data from the current date, beginning just after midnight
• Yesterday – Uses log data from just after midnight of the previous day, up
to and including the most recent log message from the current date
• Week to Date – Uses log data from the current date, plus the seven
preceding days
• Month to Date – Uses log data from the same date as the current date in
the previous month, up to and including the most recent log message from
the current date
When generating a report with a template containing a dynamic date range
setting, the dates used when referencing the log data are relative to the
current date. Thus, two reports generated from the same template on different
days will provide different results.
To select a Dynamic Date Range:
1. Select a unit for which Log Viewer is enabled, and then navigate to the
page under Custom Report for the report type you want.
2. In the Template Section under Date/Time, select the Dynamic Date
Range radio button.
3. In the drop-down list, select Today, Yesterday, Week to Date, or Month
to Date.
4. For the Start Time, select the hour, minute, and second from the
drop-down lists in the Dynamic Date Range row. These settings specify
the earliest data to be included in the report, for each day of the date
range.
5. For the End Time, select the hour, minute, and second from the
drop-down lists. These settings specify the most recent data to be
included in the report, for each day of the date range.
6. To change the settings back to the defaults, click Reset at the bottom of
the Template Section. Note that this will change the Report Layout region
as well as the Date/Time region back to default settings.
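The following is an added example, not SonicWALL code, modelling the Dynamic Date Range semantics described above: each choice is resolved relative to the day the report runs, and the Start/End Time window is applied to every day of the range separately. The handling of a Month to Date run on a day number the previous month does not have is an assumption, as are the constructed log rows.

```python
"""Added example (not SonicWALL code): resolving a Dynamic Date Range on the
day a report runs, and applying the daily Start/End Time window to log rows."""
from datetime import date, datetime, time, timedelta


def dynamic_date_range(choice, today):
    """Resolve a Dynamic Date Range choice to (start_date, end_date) relative to `today`."""
    if choice == "Today":
        return today, today
    if choice == "Yesterday":        # just after midnight yesterday, through the latest log today
        return today - timedelta(days=1), today
    if choice == "Week to Date":     # the current date plus the seven preceding days
        return today - timedelta(days=7), today
    if choice == "Month to Date":    # same day number in the previous month
        year, month = (today.year, today.month - 1) if today.month > 1 else (today.year - 1, 12)
        day = today.day
        while True:                  # assumption: step back when the previous month is shorter
            try:
                return date(year, month, day), today
            except ValueError:
                day -= 1
    raise ValueError(f"unknown dynamic date range: {choice}")


def in_report_window(ts, start_date, end_date, start_time=time(0, 0, 0), end_time=time(23, 59, 59)):
    """True if the timestamp is inside the date range AND inside the daily time window.
    Per-day semantics: 08:00-18:00 over a week selects seven separate day windows,
    not one continuous span from the first day 08:00 to the last day 18:00."""
    return start_date <= ts.date() <= end_date and start_time <= ts.time() <= end_time


def select_rows(rows, choice, today, start_time=time(0, 0, 0), end_time=time(23, 59, 59)):
    """Apply a Dynamic Date Range template to log rows on a given run day; returns row ids."""
    start_date, end_date = dynamic_date_range(choice, today)
    return [r["id"] for r in rows
            if in_report_window(r["ts"], start_date, end_date, start_time, end_time)]


# Constructed log rows; only the timestamp matters for this example.
LOG_ROWS = [
    {"id": 1, "ts": datetime(2010, 3, 23, 10, 0)},
    {"id": 2, "ts": datetime(2010, 3, 24, 10, 0)},
    {"id": 3, "ts": datetime(2010, 3, 30, 8, 30)},
    {"id": 4, "ts": datetime(2010, 3, 30, 23, 10)},
    {"id": 5, "ts": datetime(2010, 3, 31, 9, 5)},
]

if __name__ == "__main__":
    # The same template run on two different days selects different rows.
    print(select_rows(LOG_ROWS, "Week to Date", date(2010, 3, 31)))
    print(select_rows(LOG_ROWS, "Week to Date", date(2010, 4, 1)))
```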
Static Date Range
The Static Date Range selection allows you to specify the exact dates,
starting, and ending times on the days in the selected date range for the log
data to be used for the report. You can specify a single date or a date range,
and indicate the exact hour, minute, and second for both the beginning and
the end of the daily period for the report.
A popup calendar makes it easy to select the Start Date and End Date for the
date range.
To specify a Static Date Range:
1. Select a unit for which Log Viewer is enabled, and then navigate to the
page under Custom Report for the report type you want.
2. In the Template Section under Date/Time, select the Static Date Range
radio button.
3. Click the Start Date field to access the pop-up calendar.
4. Use the navigation arrows near the top of the calendar to change the year
or month. Click the << button to move to the previous year, or hold the
button to select from a list of years. Click the >> button to move to the next
year, or hold the button to select from a list of years. Similarly, click the <
or > to move back or ahead by one month, or hold the button to select from
a list of months.
5. Click the desired start date in the calendar. This adds the date to the Start
Date field and closes the calendar.
6. Click the End Date field to access the pop-up calendar.
7. Use the navigation arrows near the top of the calendar to change the year
or month.
8. Click the desired end date in the calendar. This adds the date to the End
Date field and closes the calendar.
9. For the Start Time, select the hour, minute, and second from the
drop-down lists in the Static Date Range row. These settings specify the
earliest data for each day in the date range to be included in the report.
10. For the End Time, select the hour, minute, and second from the
drop-down lists. These settings specify the most recent data for each day
in the date range to be included in the report.
11. To change the settings back to the defaults, click Reset at the bottom of
the Template Section. Note that this will change the Report Layout region
as well as the Date/Time region back to default settings.
Configuring the Report Layout and Generating the Report
Located in the Template Section of the Custom Report page below the
Date/Time region, the Report Layout region provides a way to specify the type
of data to include, and the format of the report. The Report Layout region has
a Detailed Report tab and a Summary Report tab. The report appearance and
the way information is organized is quite different between a Detailed Report
and a Summary Report.
The Detailed Report tab contains a list of data categories that you can add as
report fields, and allows you to specify query values for each. The categories
you select will appear as column headings in the report.
The Summary Report tab allows you to structure a report showing the top
elements of Internet Activity or Website Filtering. You can select the number
of top elements, what to base the comparisons on, and the two data categories
to evaluate when determining the top elements. The generated report
provides graphical output that you can click to drill down for detailed
information.
For more information about each of these Report Layout tabs, see the
following sections:
• “Detailed Reports” on page 705
• “Summary Reports” on page 709
For information about the Filter operators, see the following section:
• “Filter Operators” on page 711
Detailed Reports
The Detailed Report tab is the default view in the Report Layout region.
For a UTM Internet Activity report, the Select Report Field drop-down list
contains eight data categories that you can add as column headings in the
report. The categories are:
• Full URL – Adds a column containing the full URL of each Web site visited
• Category – Adds a column containing the category of each site visited,
such as Gambling or Adult/Mature Content
• Domain – Adds a column containing the domain name of each site visited
• Protocol – Adds a column containing the protocol used by the traffic
• Received Traffic – Adds a column containing the number of bytes
received from the visited site
• Transmitted Traffic – Adds a column containing the number of bytes
transmitted to the site
• Total Traffic – Adds a column containing the total number of bytes
received and transmitted
• User – Adds a column containing the user ID
For a UTM Website Filtering report, the Select report field drop-down list
contains four data categories that you can add as column headings in the
report. The categories are:
• Full URL – Adds a column containing the full URL of each logged Web site
• Category – Adds a column containing the category of each logged site,
such as Gambling or Adult/Mature Content
• Domain – Adds a column containing the domain name of each logged
Web site
• User – Adds a column containing the user ID
To include a field in the report, select a choice from the list and then click Add.
When you click Add, a row is populated in the table below, which has three
column headings: Field, Filter, and Options.
Note
When you place your mouse cursor over the row, under the Field
heading, the cursor changes to a “move” cursor. You can drag and
drop the rows to rearrange the column ordering in the final report.
In the Filter column, two fields are displayed: an operator field and an input
field. The operator field is a drop-down list containing the operator choices for
the selected report field. See “Filter Operators” on page 711 for a description
of each operator. The input field can be a drop-down list or a standard input
field, depending on the selected report field.
The operators and input fields are defined in Table 14 for each report field.
Table 14 Operators and Input Fields for Each Data Type

Data Type: Category
Operators: Equals
Input Field: A drop-down list containing an alphabetized list of all the content
filtering categories, such as Adult/Mature Content, Gambling, Military, etc.
Leave the default of All in the input field if you choose not to filter by a
certain category.

Data Type: Destination IP
Operators: Equals, Starts with, Ends with, Contains
Input Field: A standard input field where you can type in the numbers to match,
such as 192 or 10.25. Leave the input field blank if you choose not to filter by
a certain destination IP address.

Data Type: Domain
Operators: Equals, Starts with, Ends with, Contains
Input Field: A standard input field where you can type in the domain to match,
such as sonicwall.com. Leave the input field blank if you choose not to filter
by a certain domain.

Data Type: Full URL
Operators: Equals, Starts with, Ends with, Contains
Input Field: A standard input field where you can type in the URL to match,
such as http://www.funnyyoutubevideo.com/funniest.html. Leave the input
field blank if you choose not to filter by a certain URL.

Data Type: Protocol
Operators: Equals, Starts with, Ends with, Contains
Input Field: A standard input field where you can type in the protocol to
match, such as FTP. Leave the input field blank if you choose not to filter by
a certain protocol.

Data Type: Received Traffic
Operators: =, >, >=, <, <=, !=
Input Field: A standard input field where you can type in the number of bytes
to match or compare to. Leave the input field blank if you choose not to
filter by a certain amount of traffic.

Data Type: Source IP
Operators: Equals, Starts with, Ends with, Contains
Input Field: A standard input field where you can type in the numbers to match,
such as 192 or 10.25. Leave the input field blank if you choose not to filter by
a certain source IP address.

Data Type: Total Traffic
Operators: =, >, >=, <, <=, !=
Input Field: A standard input field where you can type in the number of bytes
to match or compare to. Leave the input field blank if you choose not to
filter by a certain amount of traffic.

Data Type: Transmitted Traffic
Operators: =, >, >=, <, <=, !=
Input Field: A standard input field where you can type in the number of bytes
to match or compare to. Leave the input field blank if you choose not to
filter by a certain amount of traffic.

Data Type: User
Operators: Equals, Starts with, Ends with, Contains
Input Field: A standard input field where you can type in the user ID to match.
Leave the input field blank if you choose not to filter by a certain user.
In the Options column, two icons are displayed: an Eye and an X.
You can click the Eye to toggle whether the report field on that row will be
displayed in the final report. This allows you to filter the report results based
on the selected report field and related filter value, but not display the field as
a column. When you click on the Eye icon within a row, the eye closes to
show that this field will not be displayed in the final report. The filter value will
still be used to filter results from the raw syslog database to apply towards the
report.
For example, you might specify the following Field/Operator/Filter Value:
Protocol/=/http. It would make sense to click the Eye icon to disable the
Protocol field from being shown in the report, since it would always just be
“http” and would not add any interesting information to the final report.
Contrast this with simply specifying the Protocol field and leaving the Filter
Value blank, in which case you would want to enable the Eye so that this
column would appear in the report showing a variety of protocols such as
udp/dns, tcp/http, udp/ntp, or numbered protocols such as udp/389 (the LDAP
protocol) or tcp/445 (MS Server Message Block (SMB) file sharing).
Clicking the X icon under Options deletes the selected report field from the
table, so it will not be used to generate the report results nor will it be displayed
in the report. Use the X icon instead of the Eye when you do not choose to
filter the report results based on the field.
The Detailed Report tab also contains the Sort By drop-down list. The list
contains the Date/Time option and any other report fields that you have
selected from the eight data types. The choice you select will be used to order
the results in the report from the first page to the last. The selection in the left
drop-down list is used for the first sorting, then the selection in the right
drop-down list is used to sort and group the entries within each group resulting
from the first sorting.
To configure a detailed report:
1. Select a unit for which Log Viewer is enabled, and then navigate to the
page under Custom Report for the report type you want.
2. In the Report Layout region of the Template Section of the Custom Report
page, select the Detailed Report tab.
3. In the Select report field drop-down list, select a data type to include in
the report, and then click Add. A row for this field is populated in the table
below. Repeat this step to add other fields.
4. Optionally select an operator from the drop-down list under Filter in a
table row, and type in or select an input value to be matched when the
database is queried. Repeat this step for other rows to add filter values for
those fields.
5. To prevent a field from appearing in the final report, click the Eye icon in
that row so that the eye appears closed. To allow the field to be displayed
in the report, click the closed Eye icon to return it to normal appearance.
6. To delete a field from the table, click the X icon in that row.
7. To sort the report pages by a different field than the default of Date/Time,
select the desired field from the Sort by drop-down list.
8. To change the settings back to the defaults, click Reset at the bottom of
the Template Section. Note that this will change the Date/Time region and
the Report Layout region back to default settings.
Summary Reports
The Summary Report tab is available in the Report Layout region of the
Template Section.
The Top drop-down list provides selections for the number of entries to display
in the report. For example, if the User field is selected below as a Summary
Group, and 5 is selected in the Top drop-down list, the report will provide
entries for the top five users. For all Custom Reports, available numbers in the
Top drop-down list are 5, 10, 20, 50, and 100.
The Summary Base drop-down list offers a selection of traffic types that will
be used to determine the top usage for the selected field. The Summary Base
choices vary as follows depending on the type of Custom Report:
• For a UTM Internet Activity report, the Summary Base choices are Total
  traffic, Received traffic, or Transmitted traffic.
• For a UTM Website Filtering report, the only Summary Base choice is
  Filtered Items.
Below the Top and Summary Base fields, you can create one or two Summary
Groups from the choices listed on the left side. The Summary Groups are
fields to group by (not traffic types), and the choices vary as follows
depending on the type of Custom Report:
• For a UTM Internet Activity report, the choices include User and Domain.
• For a UTM Website Filtering report, the choices are Category, Domain, or
  User.
To select a field for a Summary Group, simply drag and drop the desired field
from the list to either the Level 1 Summary Group or Level 2 Summary Group
boxes. When the field name is dragged to one of these, the operator
drop-down list and filter input value field are displayed, allowing you to specify
values to match when the data is searched. See “Filter Operators” on
page 711 for a description of each operator.
Either the Level 1 Summary Group field or the Level 2 Summary Group field
can be used alone; the resulting report will look the same in both cases.
When both the Level 1 and Level 2 Summary Group fields are populated, the
report will display the top entries for the Level 2 field for each of the top entries
for the Level 1 field. For example, if User is dragged to the Level 1 Summary
Group and Domain is dragged to the Level 2 Summary Group, and 5 is
selected in the Top drop-down list, the generated report will display the top five
domains visited by each of the top five users.
To configure a summary report:
1. Select a unit for which Log Viewer is enabled, and then navigate to the
   page under Custom Report for the report type you want.
2. In the Report Layout region of the Template Section of the Custom Report
   page, select the Summary Report tab.
3. In the Top drop-down list, select the number of entries to be displayed in
   the report.
4. In the Summary Base drop-down list, select the traffic type to use when
   determining which are the top elements in the selected field.
5. To specify the field for the Level 1 Summary Group, click and drag the
   desired field from the list on the left to the Level 1 Summary Group field,
   and then release your mouse button to drop the field into position. The
   filter operator and input field are displayed next to the field name.
6. To specify the field for the Level 2 Summary Group, click and drag the
   desired field from the list on the left to the Level 2 Summary Group field,
   then release your mouse button to drop the field into position. The filter
   operator and input field are displayed next to the field name.
7. To specify a filter operator and filter value for a Summary Group, select the
   operator from the drop-down list next to the field and type a filter value into
   the input field to the right of the operator.
8. To change the settings back to the defaults, click Reset at the bottom of
   the Template Section. Note that this resets both the Date/Time region and
   the Report Layout region to their default settings.
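The nested top-N behaviour described above (top Level 2 entries for each of the top Level 1 entries, ranked by the Summary Base, with a lone Level 2 group behaving like a lone Level 1 group) is easy to get wrong when reimplementing report logic outside GMS, so here is an added worked model of it. This is example code, not SonicWALL code, and it does not reproduce how GMS queries its database; the record layout, the field names Received and Transmitted, and the sample records are assumptions chosen to mirror a UTM Internet Activity report. It also accepts the Website Filtering base Filtered Items, treating it as a record count.

```python
"""Nested top-N summary in the shape described for the Summary Report tab.

Added example; not SonicWALL code. Record layout and field names are assumed.
"""
from collections import defaultdict

# Constructed sample records (not real appliance data); bytes are assumed units.
RECORDS = [
    {"User": "alice", "Domain": "example.com", "Received": 5000, "Transmitted": 500},
    {"User": "alice", "Domain": "example.org", "Received": 3000, "Transmitted": 300},
    {"User": "alice", "Domain": "example.net", "Received": 100,  "Transmitted": 20},
    {"User": "bob",   "Domain": "example.com", "Received": 8000, "Transmitted": 1000},
    {"User": "bob",   "Domain": "example.net", "Received": 200,  "Transmitted": 40},
    {"User": "carol", "Domain": "example.org", "Received": 50,   "Transmitted": 10},
]


def base_value(record, summary_base):
    """Amount a record contributes under the chosen Summary Base."""
    if summary_base == "Total traffic":
        return record["Received"] + record["Transmitted"]
    if summary_base == "Received traffic":
        return record["Received"]
    if summary_base == "Transmitted traffic":
        return record["Transmitted"]
    if summary_base == "Filtered Items":  # Website Filtering: one per record
        return 1
    raise ValueError("unknown Summary Base: %r" % summary_base)


def top_entries(records, field, summary_base, top):
    """Rank the distinct values of `field` by summed Summary Base; keep top N.

    Ties are broken by field value so the result is deterministic.
    """
    totals = defaultdict(int)
    for rec in records:
        totals[rec[field]] += base_value(rec, summary_base)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top]


def summary_report(records, top, summary_base, level1=None, level2=None):
    """Return [(level1_value, total, [(level2_value, total), ...]), ...].

    Only Level 1 or only Level 2 gives the same flat result. With both set,
    each top Level 1 entry carries the top Level 2 entries computed over that
    entry's own records, so the nested totals sum to at most the outer total.
    """
    if level1 is None:          # a lone Level 2 group behaves as Level 1
        level1, level2 = level2, None
    if level1 is None:
        raise ValueError("at least one Summary Group field is required")
    report = []
    for value, total in top_entries(records, level1, summary_base, top):
        nested = []
        if level2 is not None:
            subset = [r for r in records if r[level1] == value]
            nested = top_entries(subset, level2, summary_base, top)
        report.append((value, total, nested))
    return report


if __name__ == "__main__":
    # Top 5 users by total traffic, and each user's top 5 domains.
    for user, total, domains in summary_report(RECORDS, 5, "Total traffic", "User", "Domain"):
        print(user, total, domains)
```

With Top set to 2, the sample yields bob (9240) then alice (8920) at Level 1; alice's nested list holds only example.com and example.org because the Level 2 ranking is also cut at Top.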
Filter Operators
When configuring the Report Layout on either the Detailed Report tab or the
Summary Report tab, you can specify filter values to be matched in the
database during report generation. Depending on the selected field type, text
string or numeric, several filter operators are available. The filter operators are
used with a filter input value to determine which data should be included in the
report.
The operators are defined in Table 15.

Table 15  Filter Operators

Operators for text-string fields:

  Operator     Definition
  Equals       Only data that exactly matches the filter input text is
               included in the report
  Start with   Data that begins with the input text is included in the report
  End with     Data that ends with the input text is included in the report
  Contains     Data that contains the input text is included in the report

Operators for numeric fields:

  Operator     Definition
  =            Only data that exactly matches the filter input numerical
               value is included in the report
  >            Data values greater than the input numerical value are
               included in the report
  >=           Data values greater than or equal to the input numerical
               value are included in the report
  <=           Data values less than or equal to the input numerical value
               are included in the report
  <            Data values less than the input numerical value are included
               in the report
  !=           Data values not equal to the input numerical value are
               included in the report
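To make the operator semantics concrete, here is an added in-memory model of the Detailed Report selection: the text-string and numeric operators from Table 15, AND-ed filters per row, the default Date/Time sort, and hidden (closed-Eye) fields dropped from the output. This is example code, not SonicWALL code, and the rows are constructed. Two points are assumptions rather than documented behaviour: string operators compare case-sensitively (the table says "exactly matches"), and a field hidden with the Eye icon still takes part in filtering. The numeric operators convert the typed input to a number, which is why "10" > "9" holds here even though the same comparison on strings would be false.

```python
"""Filter operators and Detailed Report row selection (added example, not GMS code)."""
import operator

# Text-string operators from Table 15; case-sensitive by assumption.
STRING_OPS = {
    "Equals":     lambda v, t: v == t,
    "Start with": lambda v, t: v.startswith(t),
    "End with":   lambda v, t: v.endswith(t),
    "Contains":   lambda v, t: t in v,
}
# Numeric operators from Table 15; both sides are converted to numbers.
NUMERIC_OPS = {
    "=": operator.eq, ">": operator.gt, ">=": operator.ge,
    "<=": operator.le, "<": operator.lt, "!=": operator.ne,
}


def matches(value, op, text):
    """True if a field value passes filter `op` with the typed input `text`."""
    if op in STRING_OPS:
        return STRING_OPS[op](str(value), text)
    if op in NUMERIC_OPS:
        try:
            return NUMERIC_OPS[op](float(value), float(text))
        except ValueError:
            # A numeric operator with non-numeric input is a configuration error,
            # not a silent "no match".
            raise ValueError("operator %s needs a numeric input, got %r" % (op, text))
    raise ValueError("unknown operator: %r" % op)


def detailed_report(rows, fields, filters=(), hidden=(), sort_by="Date/Time"):
    """Select rows matching every filter, sort them, and drop hidden fields.

    fields:  report fields added with the Select report field control
    filters: (field, operator, input) triples; all must match (AND)
    hidden:  fields whose Eye icon is closed; assumed still filtered, not shown
    sort_by: the Sort by field, Date/Time by default
    """
    selected = [r for r in rows if all(matches(r[f], op, t) for f, op, t in filters)]
    selected.sort(key=lambda r: r[sort_by])
    visible = [f for f in fields if f not in hidden]
    return [{f: r[f] for f in visible} for r in selected]


# Constructed sample rows (not appliance data).
ROWS = [
    {"Date/Time": "2010-03-01 09:15:00", "User": "alice", "Domain": "example.org",          "Bytes": 3000},
    {"Date/Time": "2010-03-01 09:05:00", "User": "bob",   "Domain": "example.com",          "Bytes": 8000},
    {"Date/Time": "2010-03-01 10:00:00", "User": "carol", "Domain": "example.org",          "Bytes": 50},
    {"Date/Time": "2010-03-01 08:30:00", "User": "dave",  "Domain": "intranet.example.org", "Bytes": 1000},
]
FIELDS = ["Date/Time", "User", "Domain", "Bytes"]
FILTERS = [("Domain", "End with", ".org"), ("Bytes", ">=", "1000")]

if __name__ == "__main__":
    for row in detailed_report(ROWS, FIELDS, FILTERS, hidden={"User"}):
        print(row)
```

On the sample, the two filters keep dave's and alice's rows, the Date/Time sort puts dave's 08:30 row first, and the User column is absent from the output because it was hidden.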
Generating the Custom Report
The Generate Report button at the bottom of the Template Section is used to
create the report. Before clicking Generate Report, use the Template Section
to specify the time period for the report and the contents and layout of the
report.
Note
Custom Reports are available at the unit level and Log Viewer must
be enabled for the appliance. For information about enabling Log
Viewer, see “Viewing the Log” on page 831.
To generate a custom report:
1. Select a unit for which Log Viewer is enabled, and then navigate to the
   page under Custom Report for the report you want.
2. In the Date/Time region of the Template Section, specify the time period
   that the report will cover. For detailed information and instructions, see
   "Configuring the Date and Time for Custom Reports" on page 702.
3. In the Report Layout region of the Template Section, specify the contents
   and appearance of the report. For detailed information and instructions,
   see "Configuring the Report Layout and Generating the Report" on
   page 704.
4. Click Generate Report to create the report using the specified
   configuration.
Viewing a Custom Report
After you click Generate Report, the Report Section is displayed in Split Mode
in the lower half of the main window, even if you previously were in Full Mode
for the Template Section.
Pagination controls are displayed at the upper right of the report, just below
the Save Template button and the printer, PDF, and Excel icons. Navigation
buttons are provided to take you to the first page, next page, previous page,
and last page, or you can specify an exact page number in the field.
In a Detailed Report, shown below, the selected report fields are displayed as
column headings. You can click on any column heading to sort that page by
the values in the column that you click. Click again to toggle between
ascending and descending order on that page. When you navigate away from
that page and then come back using the pagination controls, the page reverts
to the original sorting order as specified in the Sort by field of the Template
Section before generating the report.
In a Summary Report, the Report Section displays the traffic volume as
horizontal bar charts. This lets you see the information at a glance, such as
who consumed the most bandwidth and which domains they visited the most.
You can click on a bar in the chart to pop up detailed information, just like the
detailed report with all of the columns for all fields. The report lists details
about this Summary Group field only. For example, in the Internet Activity
report, if the Summary Group contains the User field and you click on a bar for
one of the top users, the report displays the date and time of all Internet
activity for the user, and includes data for every field available for detailed
reports. A scroll bar is provided along the bottom of the Detailed Information
window to allow viewing of all eight fields plus the date and time column.
The Detailed Information window is shown below.
Printing a Page or Exporting the Report as a PDF or CSV File
To print the current page of the report, click the printer icon at the top of
the Report Section. Your normal print dialog box pops up. This prints only the
page that is currently displayed.
To export the entire report in PDF format, click the PDF icon at the top of
the Report Section. A PDF file is generated showing the report results in table
format.
To export the entire report in Microsoft Excel Comma Separated Value (CSV)
format, click the Excel icon at the top of the Report Section. A CSV file
is generated showing the report results in spreadsheet format.
The PDF can contain a maximum of 10,000 records. If your report contains
more than 10,000 records, you can use the Static Date Range fields to adjust
the dates and regenerate the report to shorten its length. You can save the
PDF or CSV file using any filename and location.
Saving the Report Template
After generating the report, you can save the settings for this report as a
template for reuse. You can select the saved template from the Template
Section or from the Dashboard > Summary page at a later time, and use it to
generate a report using the same settings. For information about using the
template on the Dashboard > Summary page, see “Troubleshooting Reports”
on page 692.
The template is saved for the currently selected appliance and for the specific
user. The saved template will not be available for other appliances or for other
users.
To save the report template:
1. In the Report Section in the upper right corner, click the Save Template
   button.
2. In the popup dialog box, type in a descriptive name for the template, up to
   40 characters. The number of remaining characters allowed in the name
   is displayed below the input field and changes as you type.
3. Click Save. If you are in a Full Mode display of the Report Section, you
   can verify that the template has been saved by changing back to Split
   Mode and viewing the contents of the Template drop-down list.
SonicWALL GMS provides access to your saved Custom Report templates on
the Dashboard > Summary page for the appliance. See “Viewing Custom
Reports on the Dashboard” on page 696.
Viewing Status Reports
Status reports display the number of hours that one or more SonicWALL
appliances were online and functional during the time period.
From this information, you can locate trouble spots within your network, such
as a SonicWALL appliance that is having network connectivity issues caused
by the ISP.
Note
Global reports are displayed in the time zone of the GMS server. Reports for
individual SonicWALL security appliances are displayed in that appliance's
time zone.
Select from the following:
• "Viewing the Status Up-Time Summary Report" on page 717
• "Viewing Status Up-Time Over Time" on page 718
• "Viewing the Status Down-Time Summary Report" on page 720
• "Viewing Status Down-Time Over Time" on page 721
Viewing the Status Up-Time Summary Report
The Status Up-Time Summary report contains information on the status of a
SonicWALL appliance or group of appliances during each hour of the specified
day.
To view the Status Up-Time Summary report, perform the following steps:
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Status tree and click Up-Time Summary. The Up-Time
   Summary page displays.
4. The bar graph displays the amount of time the SonicWALL appliance(s)
   were online and functional during each hour of the day.
5. The table contains the following information:
   – Hour—when the sample was taken.
   – Up Time—number of minutes during the hour that the SonicWALL
     appliance was "Up."
   – % of Up Time—percentage of time the SonicWALL appliance was
     "Up" over the hour.
6.