SonicWall ® Management Services Network Setup Administration


Contents

Configuring Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Configuring the Management Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Configuring WAN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Expert Mode Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Bandwidth Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Configuring Link Aggregation (SonicOS 5.9 or higher) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Link Aggregation Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Link Aggregation Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Port Redundancy (SonicOS 5.9 or higher) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Port Redundancy Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Port Redundancy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring Virtual Interfaces (VLAN SubInterfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Configuring MGMT Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Wireless and Non-Wireless Firewall Controller Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Configuring PortShield Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Configuring PortShield Interfaces for Dell Networking X-Series Switches . . . . . . . . . . . . . . . . . . . . . . . 27

Configuring Wire Mode VLAN Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

About VLAN Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Mapping Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Mapping Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Map Multiple Interface Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Creating and Managing VLAN Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Creating a VLAN Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Managing VLAN Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

WAN Failover and Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Configuring Failover and Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Configuring Group Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Configuring Probing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Configuring Probe Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Configuring Multiple WAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Configuring Network Interfaces for Multiple WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Routing the Default and Secondary Default Gateways for Multiple WAN . . . . . . . . . . . . . . . . . . . 39

Configuring DNS for Multiple WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

General Settings for All Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Configuring Guest Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Configuring Wireless Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Deleting a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Configuring a Zone for Guest Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44


Configuring a Zone for Open Authentication and Social Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Configuring IPv4 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Configuring IPv6 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Configuring DNS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

About DNS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Supported Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

DNS Server Liveness Detection and Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Split DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Enabling Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Monitoring Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Configuring DNS Proxy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Enabling DNS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Configuring DNS Proxy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Viewing and Configuring Split DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Adding Split DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Editing Split DNS Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Deleting Split DNS Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Viewing and Configuring Static DNS Cache Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Deleting Static DNS Cache Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Viewing DNS Cache Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Flushing Dynamic DNS Cache Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Configuring DNS Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

About Sinkholes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Network > DNS Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Configuring DNS Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Deleting Entries in the Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Configuring Route Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Adding Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Probe-Enabled Policy Based Routing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Configuring Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

About RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

About Advanced Routing Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configuring Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Global Unnumbered Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Guidelines for Configuring Tunnel Interfaces for Advanced Routing . . . . . . . . . . . . . . . . . . . . . . . . 63

Configuring NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

About NAT in the Management Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

About NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Pref64::/n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70


Common NAT Configuration Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

IPv6 NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

NAT64 Stateful Inspection Network Streams Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

About NAT Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

NAT Load Balancing and Probing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

NAT LB Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Determining the NAT LB Method to Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

How Load Balancing Algorithms are Applied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Viewing NAT Policy Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Displaying Information about Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Deleting Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Configuring/Editing NAT Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Configuring NAT Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Configuring NAT Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Configuring ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Viewing Static ARP Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Deleting a Static ARP Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Creating an ARP Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Secondary Subnets with Static ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Managing the ARP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Configuring ARP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Flushing the ARP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Manipulating the ARP Data Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Configuring Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

About NDP Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Finding NDP Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Adding NDP Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Deleting NDP Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Configuring NDP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

NDP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Request NDP Cache List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

NDP Cache Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Searching the NDP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Flushing the NDP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Configuring MAC-IP Anti-Spoof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Anti-Spoof Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Spoof Detected List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Configuring IP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Enabling IP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Configuring Relay Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Configuring IP Helper Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106


Configuring Web Proxy Forwarding Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring Automatic Proxy Forwarding (Web Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Bypass Proxy Servers Upon Proxy Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Adding a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Editing a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Deleting a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Adding a Dynamic DNS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Deleting Dynamic DNS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Using the Topology View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Configuring AWS Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

About AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Configuring AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Troubleshooting the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

SonicWall Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117


1 Configuring Interface Settings

Interface settings define the networks associated with the LAN, WAN, optional (OPT), and other interfaces. This includes protocols, gateways, DNS servers, virtual LANs, and management settings.

Both IPv4 and IPv6 addresses are accepted and displayed on the Network > Interfaces pages.

To configure the network interface general settings for one or more SonicWall appliances, select the desired configuration:

• Static Mode

• Transparent Mode

• Layer 2 Bridge Mode

• Layer 2 Bridge Bypass Relay Control (E7500 Appliances Only)

• Wire Mode (2-Port Wire) (NSA and SuperMassive Platforms)

• Tap Mode (1-Port Tap)

• 31-Bit Network

• Configuring WAN Settings

• Advanced Settings

• Configuring Link Aggregation (SonicOS 5.9 or higher)

• Port Redundancy (SonicOS 5.9 or higher)

• Configuring Virtual Interfaces (VLAN SubInterfaces)

• Configuring MGMT Interfaces

Static Mode

Static means that you assign a fixed IP address to the interface.

To configure an interface in static mode:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon in the Edit column for the Interface you want to configure. The Edit Interface dialog displays.

3 Select a zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone.

NOTE: Group-level interface edits are only available for SonicWall firewall appliances.

NOTE: The available options change depending on the type of zone you select.

TIP: To create a new, custom zone, go to Network > Zones and click Add new zone. The Add Zone dialog displays. For information about adding a zone, see Configuring Zones.


4 Depending on the zone, select Static IP Mode or Static from IP Assignment.

5 Enter the interface's IP address and subnet mask in the IP Address (Primary) and Subnet Mask fields.

6 Enter an IP address for a Default Gateway (optional). This feature is not supported for WLAN and VPN zones.

7 Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface Settings table.

8 If you want to enable remote management of the SonicWall appliance from this interface, select the supported management protocol(s): HTTPS, Ping, SNMP, and/or SSH.

9 If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.

10 If you selected HTTPS, the Add rule to enable redirect from HTTP to HTTPS option becomes available. To enable redirection, select the option.

11 Click OK.

Transparent Mode

To configure transparent mode for LAN, DMZ, or Multicast interfaces:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 For IP Assignment, select Transparent IP Mode.

4 Select an address object that contains the range of IP addresses you want to have access through this interface in the Transparent Range menu.

5 Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface Settings table.

6 To enable remote management of the SonicWall appliance from this interface, select the supported management protocol(s): HTTPS, Ping, SNMP, and/or SSH.

7 To allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.

8 If you selected HTTPS, the Add rule to enable redirect from HTTP to HTTPS option becomes available. To enable redirection, select the option.

9 Click OK.

NOTE: You cannot enter an IP address that is in the same subnet as another zone.


Layer 2 Bridge Mode

To configure Layer 2 Bridge Mode for LAN, DMZ, or WLAN interfaces:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 For IP Assignment, select Layer 2 Bridged Mode (IP Route Option).

4 From Bridged to, select a WLAN, LAN, or DMZ interface with a static IP address.

5 To allow only IPv4 traffic on this bridge-pair, select Block all non-IPv4 traffic. This option is not selected by default.

6 To prevent traffic from being routed to another interface, select Never route traffic on this bridge-pair. This option is not selected by default.

7 To connect the bridged interface to a mirrored port on a switch in one-arm mode, so that intrusion detection can examine the traffic passing through the switch, select Only sniff traffic on this bridge-pair. This option is not selected by default.

8 To enable asymmetric routing on this interface, select Disable stateful-inspection on this bridge-pair. This option is not selected by default.

9 Enter an optional comment in the Comment field. This text is displayed in the Comment column of the Interface Settings table.

10 To enable remote management of the SonicWall appliance from this interface, select the supported management protocol(s): HTTPS, Ping, SNMP, and/or SSH.

11 To allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.

12 If you selected HTTPS, the Add rule to enable redirect from HTTP to HTTPS becomes available. To enable redirection, select the option.

13 Click OK.

Layer 2 Bridge Bypass Relay Control (E7500 Appliances Only)

The Engage physical bypass on malfunction option enables Layer 2 Bridge Bypass Relay Control, also known as “Fail to Wire.” The bypass relay option provides the choice of avoiding disruption of network traffic by bypassing the firewall in the event of a malfunction. The bypass relay is closed for any unexpected anomaly (power failure, watchdog exception, fallback to safe-mode).

NOTE: When configuring a zone for Layer 2 Bridge Mode, the only access rule added automatically is an allow rule between the bridge pair. Any other access rules you need must be added manually.

NOTE: On appliances running:

• SonicOS 5.0 or higher, you can select Layer 2 Bridged Mode for physical interfaces in either the LAN or the DMZ zone.

• SonicOS 5.5 or higher, you also can select Layer 2 Bridge Mode for the WLAN zone.

NOTE: Layer 2 Bridge Bypass Relay Control (the Engage physical bypass on malfunction option) is available only for SonicWall E7500 appliances running SonicOS 5.5 or higher, and only when the X0 interface is bridged to the X1 interface.


Selecting the Engage physical bypass on malfunction option automatically configures the other Layer 2 Bridge mode options:

• Block all non-IPv4 traffic - Disabled

• Never route traffic on this bridge-pair - Enabled

• Only sniff traffic on this bridge-pair - Disabled

• Disable stateful-inspection on this bridge-pair - Not modified

Configure all other options as usual.

Wire Mode (2-Port Wire) (NSA and SuperMassive Platforms)

Wire Mode 2.0 can be configured on any zone (except wireless zones). Wire Mode is a simplified form of Layer 2 Bridge Mode, and is configured as a pair of interfaces. In Wire Mode, the destination zone is the Paired Interface Zone. Access rules are applied to the Wire Mode pair based on the direction of traffic between the source Zone and its Paired Interface Zone. For example, if the source Zone is WAN and the Paired Interface Zone is LAN, then WAN to LAN and LAN to WAN rules are applied, depending on the direction of the traffic.

In Wire Mode, you can enable Link State Propagation, which propagates the link status of an interface to its paired interface. If an interface goes down, its paired interface is forced down to mirror the link status of the first interface. Both interfaces in a Wire Mode pair therefore always have the same link status.

In Wire Mode, you can Disable Stateful Inspection. When Disable Stateful Inspection is selected, Stateful Packet Inspection (SPI) is turned off. When Disable Stateful Inspection is not selected, new connections can be established without enforcing a 3-way TCP handshake. Disable Stateful Inspection must be selected if asymmetrical routes are deployed; it is selected automatically if Enable Asymmetric Route Support is selected on Edit Interface > Advanced.

When the Bypass when SonicOS is restarting or down option is selected, and the Wire Mode Type is set to Secure, traffic continues to flow even when the SonicWall Security Appliance is rebooting or is down. The Bypass when SonicOS is restarting or down option is always enabled and is not editable when Disable Stateful Inspection is selected.

To configure Wire Mode 2.0:

1 Navigate to the Network > Interfaces page.

2 Click either:

• Add Interface.

• Configure for the interface you want to configure.

The Add/Edit Interface dialog displays.

3 From Zone, select WAN.

4 From Mode / IP Assignment, select Wire Mode (2-Port Wire).

5 From Wire Mode Type, select:

• Bypass (via Internal Switch / Relay) (default)

• Inspect (Passive DPI of Mirrored Traffic)

• Secure (Active DPI of Inline Traffic)

The options change, depending on your selection.

NOTE: The Wire Mode feature is supported only on NSA and SuperMassive platforms.

6 From Paired Interface, select the interface to be paired.

7 From Paired Interface Zone, select LAN.

8 Select Disable Stateful Inspection. If, for Wire Mode Type, you selected:

• Bypass (via Internal Switch / Relay), this option is selected and dimmed.

• Any other mode, the option is selected by default.

9 Select Enable Link State Propagation. This option is not selected by default.

10 If you selected Inspect (Passive DPI of Mirrored Traffic) for Wire Mode Type, the Restrict analysis at resource limit option displays. This option is selected by default.

11 Click OK.

Tap Mode (1-Port Tap)

Tap Mode is available for LAN and DMZ zones.

To configure an interface for Tap Mode:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 From Zone, select LAN.

4 From IP Assignment, select Tap Mode (1-Port Tap).

5 Optionally, select Disable Stateful Inspection. This option is not selected by default.

6 Click OK.

31-Bit Network

The Management Service supports RFC 3021, which defines the use of a 31-bit subnet mask. This mask allows only two host addresses in the subnet, with no network or gateway address and no broadcast address. Such a configuration can be used within a larger network to connect two hosts with a point-to-point link. The savings in address space are easily seen, as each point-to-point link in a large network consumes two addresses instead of four.

In this context, the point-to-point link is not equivalent to PPP (point to point protocol). A point-to-point link using a 31-bit mask can use or not use the PPP protocol. 31-bit, prefixed IPv4 addresses on a point-to-point link can also be used in the Ethernet network.
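A worked version of the 31-bit link, added here as an example and not part of the SonicWall document: Python code that derives the values the procedure later asks for on each end (the peer address goes into the Default Gateway field) and compares the address cost of a /31 link with a /30. The router address 10.5.10.120 with mask 255.255.255.254 is taken from the example network below; its peer 10.5.10.121 is inferred by the code, not stated by the page.

```python
"""Worked /31 (RFC 3021) point-to-point link settings.

Added example, not SonicWall code. It derives the values the procedure
asks for on each end of a 31-bit link and checks that a pair of addresses
really forms one. 10.5.10.120/255.255.255.254 is the router address from
the example network; its peer 10.5.10.121 is inferred here, not stated
by the page.
"""
import ipaddress

MASK_31 = "255.255.255.254"


def prefix_length(mask: str) -> int:
    """Dotted mask -> prefix length, e.g. 255.255.255.254 -> 31."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def addresses_per_link(mask: str) -> int:
    """Address-space cost of one point-to-point link under this mask."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").num_addresses


def peer_address(host_ip: str, mask: str = MASK_31) -> str:
    """The other host of a /31: the two addresses differ only in the low bit,
    there being no network, gateway or broadcast address to skip."""
    if prefix_length(mask) != 31:
        raise ValueError(f"{mask} is not a 31-bit mask")
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(host_ip)) ^ 1))


def link_settings(local_ip: str, mask: str = MASK_31) -> dict:
    """Fields from the 31-bit procedure: the peer goes in Default Gateway."""
    return {
        "IP Address": local_ip,
        "Subnet Mask": mask,
        "Default Gateway": peer_address(local_ip, mask),
    }


def is_p2p_pair(ip_a: str, ip_b: str, mask: str = MASK_31) -> bool:
    """True when both ends are distinct and fall in the same 31-bit subnet."""
    net_a = ipaddress.IPv4Network(f"{ip_a}/{mask}", strict=False)
    net_b = ipaddress.IPv4Network(f"{ip_b}/{mask}", strict=False)
    return net_a == net_b and ip_a != ip_b


if __name__ == "__main__":
    for end in ("10.5.10.120", "10.5.10.121"):
        print(end, "->", link_settings(end))
    print("/30 costs", addresses_per_link("255.255.255.252"),
          "addresses; /31 costs", addresses_per_link(MASK_31))
```

The pair check is the one worth running before committing a configuration: two addresses that are adjacent but straddle a /31 boundary (10.5.10.121 and 10.5.10.122, say) are not on the same link, and each side would point its Default Gateway at an address outside its own subnet.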

Topics:

• Example Network Environment

• Configuring the Management Service


Example Network Environment

In this network environment, Host PC1 and Host PC2 can reach each other, and hosts in the LAN network can reach Host PC2.

To configure settings for this environment:

1 For Host PC1, add two route entries:

• Route add 10.5.10.0 mask 255.255.255.0 15.6.8.10

• Route add 10.102.234.0 mask 255.255.255.0 15.6.8.10

2 For Host PC2, add two route entries:

• Route add 10.5.10.0 mask 255.255.255.0 10.102.234.70

• Route add 15.6.8.0 mask 255.255.255.0 10.102.234.70

3 On the Cisco router (F0/0):

interface fastEthernet 0/0
ip address 10.5.10.120 255.255.255.254

4 On the Cisco 2811, add one route entry:

!
ip route 15.6.8.0 255.255.255.0 10.5.10.120
!

5 On the firewall, add one route entry to enable the WAN zone data flow from X2 to X5, and X5 to X2:

Any 10.102.234.0 Any X2 Default Gateway X2

Configuring the Management Service

To configure an interface for a 31-bit subnet:

1 Navigate to the Network > Interfaces page.


2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 Enter one host IP address into the IP Address field.

4 Set the Subnet Mask field to 255.255.255.254.

5 Enter the other host IP address into the Default Gateway field.

6 Set the other fields according to your network, as needed.

7 Click OK.

Configuring WAN Settings

To configure the WAN settings for the SonicWall appliance:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 Select how the WAN connects to the Internet from Mode / IP Assignment:

• Static—Configure the following settings:

• IP Address—Enter the IP address of the interface.

• Subnet Mask—Enter the subnet mask for the network.

• Default Gateway—IP address of the WAN gateway.

• DNS Server 1-3—IP addresses of the DNS Servers.

• Comment—Enter any comments regarding the interface.

• DHCP—Configure the following settings:

• Host Name—Specifies the host name of the SonicWall device on the WAN interface.

• Comment—Enter any comments regarding the interface.

• Management, User Login, and Add rule to enable redirect from HTTP to HTTPS—Configure as usual.

• Request renew of previous IP on startup—Optional; selected by default.

• Renew DHCP lease on any link up occurrence—Optional; selected by default.

• IP Address, Subnet Mask, Gateway (Router) Address, DNS Server 1-3, and Lease Expires—These settings are automatically filled in by DHCP and cannot be changed.

• PPPoE—Configure the following client settings:

• Schedule—Select the schedule for when the interface is enabled. The default value is Always on. The available options can be customized in the System > Schedule page. The default choices are:

• Always On (default) or SU-S 00:00 to 24:00

• Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)

• M-T-W-TH-F 00:00 to 08:00

• After Hours, M-T-W-TH-F 00:00 to 08:00, or M-T-W-TH-F 17:00 to 24:00 (these options are the same schedules)

• Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)


• AppFlow Report Hours or SU-M-T-W-TH-F-S 00:00 to 24:00 (these options are the same schedules)

• App Visualization Report Hours

• TSR Report Hours

• Guest Cycle Quota Update or SU-M-T-W-TH-F-S 00:00 to 00:15 (these options are the same schedules)

• Cloud Backup Hours or SU-M-T-W-TH-F-SA 02:00 to 03:00 (these options are the same schedules)

• User Name—Enter the username provided by the ISP.

• User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.

• Comment—Enter any comments regarding the interface.

• Service Name—Enter the name of a service that must be supported by PPPoE servers that respond to a client connection request. The service name can be up to 50 characters. Many installations use the system name as a service name, for example, sonicwall-server or redback-server. If the service name is left blank, the client connects to any service.

• To configure the SonicWall appliance(s) to:

• Dynamically obtain an IP address, select Obtain IP Address automatically.

• Use a fixed IP address, select Specify IP Address and enter the IP address.

• To configure an unnumbered PPPoE interface,

• To configure how the SonicWall appliance(s) obtain(s) the DNS server information, choose:

• Obtain DNS Server Address Automatically, to obtain information automatically

• Specify IP Address and enter the DNS Server IP address to obtain information from specific DNS servers.

• Unnumbered interface.

To configure an Unnumbered PPPoE Interface:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 Click Protocol.

• Inactivity Disconnect—To specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet, select the option. The minutes field becomes available. The default is 10 minutes, and the maximum is 999 minutes. This option is not selected by default.

• Strictly use LCP echo packets for server keep-alive—To have the client recognize that the server relies on Link Control Protocol (LCP) echo requests for keeping the PPPoE connection alive, select this option. This option is not selected by default.

• Reconnect the PPPoE client if the server does not send traffic for __ minutes—To specify the time to wait without traffic before the connection is reconnected, select this option and enter the number of minutes. When enabled, the PPPoE client monitors traffic from the server on the tunnel and reconnects when no traffic is seen for the specified time period.

NOTE: For PPPoE interfaces, a Protocol page displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.


4 If High Availability is enabled, High Availability > Settings is configured with Unnumbered PPPoE; for a sample network topology, see Sample HA network topology.

Sample HA network topology

In this topology, X2 is the PPPoE unnumbered interface and X3 is an unnumbered interface.

• The Management Service adds two routes:

• The Management Service also adds two NAT policies:

On the Edit Interface dialog, configure these options, which change depending on the selection for Mode / IP Assignment:

• PPTP—Configure the following settings:

• Schedule—Select the schedule for when the interface is enabled. The default value is Always On. The available options can be customized in the System > Schedules page. The default choices are:

• Always On

• Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)

• M-T-W-TH-F 00:00-08:00

• After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)

• Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)

• User Name—Enter username provided by the ISP.

• User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.

• PPTP Server IP Address—This information is provided by your ISP.

• PPTP (Client) Host Name—This information is provided by your ISP.

• Inactivity Disconnect—Specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet.


• From PPTP IP Assignment, to configure the SonicWall appliance(s) to:

• Dynamically obtain an IP address, select DHCP. These fields are populated automatically and cannot be changed:

• IP Address

• Subnet Mask

• Gateway Address

• Use a fixed IP address, select Static and enter the IP Address and Subnet Mask.

• L2TP—Configure the following settings if the WAN IP address uses L2TP:

• Schedule—Select the schedule for when the interface is enabled:

• Always On (default)

• Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)

• M-T-W-TH-F 00:00-08:00

• After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)

• Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)

• User Name—Enter username provided by the ISP.

• User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.

• L2TP Server IP Address—this information is provided by your ISP.

• L2TP (Client) Host Name—this information is provided by your ISP.

• Comment—Enter any comments regarding the interface.

• Inactivity Disconnect—Specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet.

• From L2TP IP Assignment, to configure the SonicWall appliance(s) to:

• Dynamically obtain an IP address, select DHCP. The IP Address and Subnet Mask fields are populated and cannot be changed.

• Use a fixed IP address, select Static and enter the IP address.

5 Enter an optional comment in the Comment field.

6 Select one or more of the following Management options:

• HTTPS—Allows HTTPS management from the interface.

• Ping—The interface responds to ping requests.

• SNMP—The interface supports Simple Network Management Protocol (SNMP).

• SSH—Allows SSH management from the interface.

NOTE: For PPTP interfaces, a Protocol page appears that displays the acquired appliance IP address, subnet mask, gateway address, and DNS server 1/2 addresses.

TIP: The available options can be customized in the System > Schedules page.

NOTE: For L2TP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.


7 User Login—Select either or both from the following user login options:

• HTTP—Allows you to login using HTTP.

• HTTPS—Allows you to login using HTTPS.

• Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.

8 Click OK. The settings are saved.

Advanced Settings

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 Click Advanced.

4 Configure the following Ethernet settings:

• Link Speed—To configure the interface to automatically negotiate Ethernet settings, select Auto Negotiate (default). If you want to specify the forced Ethernet speed and duplex, select the appropriate setting.

• Choose how to determine the MAC address:

• Use Default MAC Address—Uses the default MAC address, which is populated automatically.

• Override Default MAC Address—Manually enter the MAC address.

• Enable flow reporting—Enables flow reporting on flows created for this interface. This option is available on SonicWall appliances running SonicOS 5.9 and higher firmware. This option is selected by default.

• Enable Multicast Support—Enables multicast on the interface.

• Enable 802.1p tagging—QoS Marking is controlled per Access Rule from the Firewall > Access Rules page. Packets sent out this interface are tagged with VLAN id=0 and carry 802.1p priority information. Devices connected to this interface should support priority frames. This option is available on SonicWall appliances running SonicOS 5.9 and higher firmware. This option is not selected by default.

• Optionally, to exclude the interface from Route Advertisement, select Exclude from Route Advertisement (NSM, OSPF, BGP, RIP). This option is not selected by default.

• Optionally, select Management Traffic Only to restrict traffic to only SonicWall management traffic and routing protocols. This option is not selected by default.

• Optionally, enable Asymmetric Route Support on the interface by selecting Enable Asymmetric Route Support. If enabled, the traffic initialized from this interface supports asymmetric routes, that is, the initial packet or response packet can pass through from other interfaces. This option is not selected by default.

• To shut down the port, click Shutdown Port. A confirmation message displays, asking whether you want to shut down the port administratively.

TIP: The available options depend on the selected zone and IP assignment. There may be fewer options or an Expert Mode Settings section (see Expert Mode Settings).

IMPORTANT: This option is only available for SuperMassive series appliances running SonicOS 6.1 and higher firmware images.


• From Redundant/Aggregate Ports, select:

• None (default)

• Link Aggregation

• Port Redundancy

• Interface MTU—Specify the size of the Maximum Transmission Unit (MTU), in octets (default: 1500).

• To fragment packets that are larger than the specified MTU, select Fragment non-VPN outbound packets larger than this Interface's MTU. This option is not selected by default. When selected, the Ignore Don’t Fragment (DF) Bit option becomes available.

• To ignore Don’t Fragment (DF) bits from routers connected to the SonicWall appliance, select Ignore Don't Fragment (DF) Bit.

• To block notifications that this interface can receive fragmented packets, select Do not send ICMP Fragmentation needed for outbound packets over the Interface.

5 Click OK.
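The Enable 802.1p tagging option in step 4 above puts an 802.1Q tag with VLAN id 0 on outgoing frames so that only the priority field carries information. The following Python code, added here as an example and not taken from SonicOS or the SonicWall document, builds and decodes such frames so the tag layout is visible: a 0x8100 tag protocol identifier, then a 16-bit Tag Control Information word holding the 3-bit PCP priority, the DEI bit and the 12-bit VLAN id. MAC addresses, priorities and payload bytes are constructed for the example. It also handles the two neighbouring cases, a VLAN-tagged frame and an untagged one, which is what "devices connected to this interface should support priority frames" turns on: a receiver that does not parse the tag sees ethertype 0x8100 instead of IPv4.

```python
"""Build and decode 802.1Q-tagged Ethernet frames.

Added example, not SonicOS code. It shows what the "Enable 802.1p
tagging" option puts on the wire as described above: a tag whose VLAN id
is 0 and whose PCP field carries the priority. MAC addresses, priority
values and payload bytes are constructed for the example.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes,
                pcp: int = None, vid: int = 0) -> bytes:
    """Untagged frame when pcp is None; otherwise insert an 802.1Q tag.

    Tag Control Information: PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    """
    header = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if pcp is None:
        return header + struct.pack("!H", ethertype) + payload
    if not 0 <= pcp <= 7 or not 0 <= vid <= 4094:  # VID 4095 is reserved
        raise ValueError("pcp must be 0-7 and vid 0-4094")
    tci = (pcp << 13) | (vid & 0x0FFF)  # DEI left at 0
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and any 802.1Q tag that follows it."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False}
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        # VID 0 means "priority-tagged": no VLAN membership, PCP only
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=vid, priority_tagged=(vid == 0))
        payload = frame[18:]
    else:
        payload = frame[14:]
    info.update(ethertype=ethertype, payload=payload)
    return info


# Constructed sample frames (documentation MAC range 00:00:5e:00:53:xx)
PRIORITY_TAGGED = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                              ETHERTYPE_IPV4, b"\x45\x00", pcp=5)
VLAN_TAGGED = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                          ETHERTYPE_IPV4, b"\x45\x00", pcp=3, vid=100)
UNTAGGED = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                       ETHERTYPE_IPV4, b"\x45\x00")

if __name__ == "__main__":
    for name, frame in (("priority-tagged", PRIORITY_TAGGED),
                        ("vlan-tagged", VLAN_TAGGED), ("untagged", UNTAGGED)):
        print(name, parse_frame(frame))
```

The priority-tagged frame is four bytes longer than the untagged one, which matters for the Interface MTU discussed below: the tag is added on top of the 1500-octet IP MTU, and a link that cannot carry the extra four bytes drops or truncates the frame.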

Topics:

• Expert Mode Settings

• Bandwidth Management

Expert Mode Settings

To configure Expert Mode Settings:

1 To enable Routed Mode for the interface, select Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation. Routed Mode provides an alternative to NAT for routing traffic between separate public IP address ranges. NAT translations are automatically disabled for the interface, and all inbound and outbound traffic is routed to the WAN interface. This option is not selected by default. When selected, the Set NAT Policy's outbound\inbound interface to option becomes available.

IMPORTANT: This option is not available for these zones and modes/IP assignments:

• LAN – Static IP Mode

• DMZ – Static IP Mode

• WLAN – Static IP Mode, Layer 2 Bridged Mode (IP Route Option), PortShield Switch Mode


NOTE: If the maximum transmission unit (MTU) size is too large for a remote router, it might require more transmissions. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be processed.

IMPORTANT: The availability of Expert Mode Settings depends on the zone and mode/IP address assignment configuration of the interface:

• LAN and DMZ – Only for interfaces assigned a static IP mode.

• WAN – Not available.

• WLAN – All WLAN interfaces, regardless of mode/IP assignment.


• From Set NAT Policy's outbound\inbound interface to, select the WAN interface to be used to route traffic for the interface. The default is Any. The firewall then creates "no-NAT" policies for both the configured interface and the selected WAN interface. These policies override any more general M21 NAT policies that might be configured for the interfaces.

2 Click OK.

Bandwidth Management

Bandwidth Management (BWM) allows you to guarantee minimum bandwidth and prioritize traffic. BWM is enabled in the Firewall Settings > BWM page. By controlling the amount of bandwidth to an application or user, you can prevent a small number of applications or users from consuming all available bandwidth.

Various types of bandwidth management can be enabled on the Firewall Settings > BWM page:

• Advanced—Enables you to configure maximum egress and ingress bandwidth limitations per interface, by configuring bandwidth objects, access rules, and application policies.

• Global—Allows you to enable BWM settings globally and apply them to any interfaces.

• None (default)—Disables BWM.

The Management Service can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP's intrinsic behavior to control the traffic.

Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWall security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth. Balancing the bandwidth allocated to different network traffic and then assigning priorities to traffic improves network performance.

Use the Bandwidth Management section of the Edit Interface dialog to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.
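To make the guaranteed/maximum distinction concrete, here is a simplified model of one CBQ scheduling round, added as an example and not taken from SonicOS (the page describes the properties of the scheduler, not its implementation, so the two-pass algorithm, the class names, rates and backlogs below are all constructed). Each backlogged class first receives up to its guaranteed rate; whatever link capacity is left is then handed out in priority order, never past a class's maximum. A bulk class alone on the link therefore absorbs the unused guarantees of idle classes, while a busy link still honours every guarantee.

```python
"""Simplified class-based queuing (CBQ) round, as in the description above.

Added example, not SonicOS code: it models only the two properties the
text names, a guaranteed rate each class always receives when it has
traffic, and a maximum it can never exceed, with spare link capacity
handed out in priority order. Class names, rates and backlogs are
constructed; in SonicOS the rules that feed BWM live in access and app
rules.
"""

# name -> (priority: lower number served first, guaranteed_kbps, max_kbps)
CLASSES = {
    "voice": (0, 200, 300),
    "web":   (1, 300, 1000),
    "bulk":  (2, 100, 1000),
}


def guarantees_fit(link_kbps: int, classes: dict) -> bool:
    """Guarantees can only be honoured if they sum to at most the link rate
    and no class guarantees more than its own maximum."""
    return (sum(g for _, g, _ in classes.values()) <= link_kbps
            and all(g <= m for _, g, m in classes.values()))


def schedule_round(link_kbps: int, classes: dict, backlog: dict) -> dict:
    """Kilobits each class transmits in one one-second interval.

    backlog maps class name -> kilobits queued for the WAN link.
    """
    if not guarantees_fit(link_kbps, classes):
        raise ValueError("guaranteed bandwidth exceeds link or class maximum")
    sent = {name: 0 for name in classes}
    remaining = link_kbps
    # Pass 1: every backlogged class receives up to its guaranteed rate.
    for name, (_, guaranteed, _) in classes.items():
        share = min(backlog.get(name, 0), guaranteed, remaining)
        sent[name] += share
        remaining -= share
    # Pass 2: leftover capacity goes to classes by priority, capped at max.
    by_priority = sorted(classes.items(), key=lambda kv: kv[1][0])
    for name, (_, _, maximum) in by_priority:
        if remaining == 0:
            break
        extra = min(backlog.get(name, 0) - sent[name],
                    maximum - sent[name], remaining)
        sent[name] += extra
        remaining -= extra
    return sent


if __name__ == "__main__":
    # Busy link: every class has more queued than the link can carry.
    print(schedule_round(1000, CLASSES, {"voice": 500, "web": 800, "bulk": 2000}))
    # Only bulk traffic: it gets the whole link, not just its guarantee.
    print(schedule_round(1000, CLASSES, {"bulk": 2000}))
```

The check in guarantees_fit is the one administrators most often skip: guarantees that add up to more than the configured link bandwidth cannot all be met, and a maximum below a class's own guarantee is contradictory.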

To enable or disable ingress and egress BWM:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 Click Advanced.

4 Scroll to the Bandwidth Management section.

5 Select Enable Interface Egress Bandwidth Limitation. This option is not selected by default.

When this option is:

• Selected, the maximum available egress BWM is defined, but as advanced BWM is policy based, the limitation is not enforced unless there is a corresponding Access Rule or App Rule.

• Not selected, no bandwidth limitation is set at the interface level, but egress traffic can still be shaped using other options.

NOTE: The Bandwidth Management settings are applied to all interfaces in the WAN zone, not just to the interface being configured.

NOTE: Advanced options could differ, depending on your firewall model and your zone and IP assignment selections.

6 In the Maximum Interface Egress Bandwidth (kbps) field, enter the maximum egress bandwidth for the interface, in kilobits per second. The default is 384.000000 Kbps.

7 Select Enable Interface Ingress Bandwidth Limitation. This option is not selected by default.

When this option is:

• Selected, the maximum available ingress BWM is defined, but as advanced BWM is policy based, the limitation is not enforced unless there is a corresponding Access Rule or App Rule.

• Not selected, no bandwidth limitation is set at the interface level, but ingress traffic can still be shaped using other options.

8 In the Maximum Interface Ingress Bandwidth (kbps) field, enter the maximum ingress bandwidth for the interface, in kilobits per second. The default is 384.000000 Kbps.

9 Click OK. The settings are saved.

Configuring Link Aggregation (SonicOS 5.9 or higher)

Link Aggregation groups up to four Ethernet interfaces together to form a single logical link, referred to as a Link Aggregation Group (LAG), that supports greater throughput than a single physical interface could. This provides the ability to send multi-gigabit traffic between two Ethernet domains. All ports in an aggregate link must be connected to the same switch. The firewall uses a round-robin algorithm for load balancing traffic across the interfaces in a Link Aggregation Group. Link Aggregation also provides a measure of redundancy: if one interface in the LAG goes down, the other interfaces remain connected.

Link Aggregation is referred to using different terminology by different vendors, including Port Channel, Ether Channel, Trunk, and Port Grouping.

Topics:

• Link Aggregation Failover

• Link Aggregation Configuration

Link Aggregation Failover

SonicWall provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Link Aggregation. If all three of these features are configured on a firewall, this order of precedence is followed in the case of a link failure:

1 High Availability

2 Link Aggregation

3 Load Balancing Groups

HA takes precedence over Link Aggregation. Because each link in the LAG carries an equal share of the load, the loss of a link on the Active firewall forces a failover to the Idle firewall (if all of its links remain connected). Physical monitoring needs to be configured only on the primary aggregate port.

NOTE: The Link Aggregation features are supported only on NSA and SuperMassive platforms.


When Link Aggregation is used with a LB Group, Link Aggregation takes precedence. LB takes over only if all the ports in the aggregate link are down.

Link Aggregation Configuration

To configure Link Aggregation:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 In the General tab, select a zone from Zone.

4 Configure the other options as usual.

5 Click Advanced.

6 Set the Link Speed for the interface to Auto-Negotiate.

7 From Redundant/Aggregate Ports, select Link Aggregation. The Aggregate Port option displays the available interfaces with a checkbox for each of the currently unassigned interfaces on the firewall.

8 Select up to three other interfaces to assign to the LAG.

9 (Wire Mode only) The Paired Interface Aggregate Port option displays; select up to three paired interfaces.

10 From Load Balance Type, select how load balancing is performed:

• SRC_MAC, ETH_TYPE, VLAN, INTF (default)

• DST_MAC, ETH_TYPE, VLAN, INTF

• SRC_MAC, DST_MAC, ETH_TYPE, VLAN, INTF

• SRC_IP, SRC_PORT

• DST_IP, DST_PORT

• SRC_IP, SRC_PORT, DST_IP, DST_PORT

11 Configure the other options as usual.

12 Click OK.

NOTE: After an interface is assigned to a Link Aggregation Group, its configuration is governed by the Link Aggregation master interface and it cannot be configured independently. In the Interface Settings table, the interface's zone is displayed as Aggregate Port and the Configuration icon is dimmed.

IMPORTANT: Link Aggregation requires a matching configuration on the Switch. The switch's method of load balancing will vary depending on the vendor. Consult the documentation for the switch for information on configuring Link Aggregation. Remember that it might be referred to as Port Channel, Ether Channel, Trunk, or Port Grouping.
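The Load Balance Type in step 10 decides which header fields select the LAG member for a packet, and that choice has a security and correctness consequence the list alone does not show: every packet of one flow must land on the same member so that stateful inspection and packet ordering hold, and a type keyed on few fields can pin all traffic to one link. The Python below, added as an example and not SonicOS code, models member selection for each type listed above with a stand-in hash (SHA-256 of the chosen fields, modulo the member count; the page names the fields each type uses, not the function, and also mentions round-robin, which this model does not cover). Interface names, addresses and packets are constructed.

```python
"""Flow-to-member selection for a Link Aggregation Group.

Added example, not SonicOS code. The hash here (SHA-256 of the selected
header fields, mod the number of members) is a stand-in; the page lists
only which fields each Load Balance Type hashes, not the function. It
shows the property that matters for stateful inspection and packet
ordering: every packet of a flow lands on the same member, and a policy
keyed on few fields can pin all traffic to one link. Interface names,
addresses and packets are constructed.
"""
import hashlib

LAG_MEMBERS = ["X2", "X3", "X4", "X5"]  # a LAG holds up to four interfaces

# Load Balance Type -> header fields that feed the hash (from the list above)
POLICIES = {
    "SRC_MAC, ETH_TYPE, VLAN, INTF": ("src_mac", "eth_type", "vlan", "intf"),
    "DST_MAC, ETH_TYPE, VLAN, INTF": ("dst_mac", "eth_type", "vlan", "intf"),
    "SRC_MAC, DST_MAC, ETH_TYPE, VLAN, INTF":
        ("src_mac", "dst_mac", "eth_type", "vlan", "intf"),
    "SRC_IP, SRC_PORT": ("src_ip", "src_port"),
    "DST_IP, DST_PORT": ("dst_ip", "dst_port"),
    "SRC_IP, SRC_PORT, DST_IP, DST_PORT":
        ("src_ip", "src_port", "dst_ip", "dst_port"),
}


def select_member(packet: dict, policy: str, members=LAG_MEMBERS) -> str:
    """Pick the LAG member for one packet under the given Load Balance Type."""
    key = "|".join(str(packet[f]) for f in POLICIES[policy]).encode()
    digest = hashlib.sha256(key).digest()  # hypothetical hash, see docstring
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribution(packets, policy: str, members=LAG_MEMBERS) -> dict:
    """How many of the packets each member would carry."""
    counts = {m: 0 for m in members}
    for pkt in packets:
        counts[select_member(pkt, policy, members)] += 1
    return counts


def members_used(packets, policy: str, members=LAG_MEMBERS) -> int:
    """Number of members that carry at least one packet."""
    return sum(1 for c in distribution(packets, policy, members).values() if c)


def make_packets(n: int) -> list:
    """n constructed TCP flows from one client to n different servers,
    all entering through the same router MAC pair on the same VLAN."""
    return [
        {"src_mac": "00:00:5e:00:53:01", "dst_mac": "00:00:5e:00:53:ff",
         "eth_type": 0x0800, "vlan": 0, "intf": "X2",
         "src_ip": "10.0.0.5", "src_port": 40000 + i,
         "dst_ip": f"192.0.2.{i}", "dst_port": 443}
        for i in range(n)
    ]


if __name__ == "__main__":
    flows = make_packets(50)
    for policy in POLICIES:
        print(f"{policy:40s}", distribution(flows, policy))
```

Run it and the MAC-keyed types put all 50 flows on one member, because the traffic crosses a single router-to-firewall MAC pair; the IP/port-keyed types spread them. That is the practical reason to match the type to where the LAG sits in the topology, and to configure the same choice on the switch side as the IMPORTANT note above says.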


Port Redundancy (SonicOS 5.9 or higher)

Port Redundancy provides a simple method for configuring a redundant port for a physical Ethernet port. This is a valuable feature, particularly in high-end deployments, to protect against switch failures being a single point of failure.

When the primary interface is active, it processes all traffic to and from the interface. If the primary interface goes down, the secondary interface takes over all outgoing and incoming traffic. The secondary interface assumes the MAC address of the primary interface and sends the appropriate gratuitous ARP on a failover event. When the primary interface comes up again, it resumes responsibility for all traffic handling duties from the secondary interface.

In a typical Port Redundancy configuration, the primary and secondary interfaces are connected to different switches. This provides for a failover path in case the primary switch goes down. Both switches must be on the same Ethernet domain. Port Redundancy can also be configured with both interfaces connected to the same switch.
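The failover mechanism described above, as an added example that is not part of the SonicWall document: Python code that constructs the gratuitous ARP the secondary interface sends when it takes over the primary's MAC address, decodes it as a monitoring point on the segment would, and models the switch's source-MAC learning so the effect is visible. Because the MAC moves with the interface, hosts' ARP caches do not change; only the switch port on which the MAC is learned does. The MAC address, IP address and port names are placeholders.

```python
"""What a monitoring point sees on a Port Redundancy failover.

Added example, not SonicOS code. On failover the secondary interface
takes over the primary's MAC address and announces it with a gratuitous
ARP, so hosts' ARP caches stay valid and only the switch's forwarding
table changes. The frames below are constructed; the MAC, IP and switch
port names are placeholders.
"""
import struct

ETHERTYPE_ARP = 0x0806


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_gratuitous_arp(mac: str, ip: str) -> bytes:
    """ARP reply broadcast by an interface for its own address
    (sender IP == target IP), as sent on a failover event."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet/IPv4, op 2 = reply
           + _mac(mac) + _ip(ip) + _mac(mac) + _ip(ip))
    return b"\xff" * 6 + _mac(mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes):
    """Decode an ARP frame; None if the frame is not ARP."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[14:]
    _, _, _, _, op = struct.unpack("!HHBBH", arp[:8])
    sha, spa, tha, tpa = arp[8:14], arp[14:18], arp[18:24], arp[24:28]
    return {
        "op": op,
        "sender_mac": sha.hex(":"),
        "sender_ip": ".".join(str(b) for b in spa),
        "target_mac": tha.hex(":"),
        "target_ip": ".".join(str(b) for b in tpa),
        "gratuitous": spa == tpa,  # announces the sender's own binding
    }


class SwitchMacTable:
    """Source-MAC learning as a switch does it: MAC -> ingress port."""

    def __init__(self):
        self.table = {}

    def learn(self, frame: bytes, ingress_port: str) -> bool:
        """Record the frame's source MAC; True if the MAC moved to a new port."""
        src = frame[6:12].hex(":")
        moved = src in self.table and self.table[src] != ingress_port
        self.table[src] = ingress_port
        return moved


def failover_trace(mac="02:00:00:00:00:01", ip="10.0.0.1",
                   primary_port="Gi1/0/1", secondary_port="Gi1/0/2") -> dict:
    """Primary announces on one switch port, then the secondary announces
    the same MAC on another port; the switch's table follows the announcement."""
    switch = SwitchMacTable()
    switch.learn(build_gratuitous_arp(mac, ip), primary_port)
    failover = build_gratuitous_arp(mac, ip)  # same MAC, same IP, new port
    moved = switch.learn(failover, secondary_port)
    seen = parse_arp(failover)
    return {"binding": (seen["sender_ip"], seen["sender_mac"]),
            "mac_moved": moved, "now_on_port": switch.table[mac]}


if __name__ == "__main__":
    print(failover_trace())
```

The MAC-move flag is the detail worth logging: on a healthy failover it fires once and the IP-to-MAC binding is unchanged, whereas a MAC that keeps flapping between ports, or a gratuitous ARP that rebinds the IP to a different MAC, is a sign of misconfiguration (both redundant ports on the same switch port group, for instance) rather than a normal failover.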

Topics:

• Port Redundancy Failover

• Port Redundancy Configuration

Port Redundancy Failover

SonicWall provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Port Redundancy. If all three of these features are configured on a firewall, this order of precedence is followed in the case of a link failure:

1 Port Redundancy

2 HA

3 LB Group

When Port Redundancy is used with HA, Port Redundancy takes precedence. Typically an interface failover causes an HA failover to occur, but if a redundant port is available for that interface, then an interface failover occurs but not an HA failover. If both the primary and secondary redundant ports go down, then an HA failover occurs (assuming the secondary firewall has the corresponding port active).

When Port Redundancy is used with a LB Group, Port Redundancy again takes precedence. Any single port (primary or secondary) failures are handled by Port Redundancy just like with HA. When both the ports are down then LB kicks in and tries to find an alternate interface.

Port Redundancy Configuration

To configure Port Redundancy:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 In the General tab, select a zone from Zone.

4 Configure the rest of the options as usual.

NOTE: The Port Redundancy features are supported only on NSA and SuperMassive platforms.


5 Click Advanced.

6 From Redundant/Aggregate Ports, select Port Redundancy.

7 The Redundant Port option displays, with all of the currently unassigned interfaces available. Select one of the interfaces.

8 Set the Link Speed for the interface to Auto-Negotiate.

9 Configure the other options as usual.

10 Click OK.

Configuring Virtual Interfaces (VLAN SubInterfaces)

When you add a VLAN subinterface, typically, you need to assign it to a zone, assign it a VLAN Tag, and assign it to a physical interface. Based on your zone assignment, you configure the VLAN subinterface the same way you configure a physical interface for the same zone.

To add a virtual interface:

1 Navigate to the Network > Interfaces page.

2 At the bottom of the Interface Settings Table, select Virtual Interface from Add Interface. The Add VLAN Interface dialog displays.

3 Select a zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone. The zone assignment does not have to be the same as the parent (physical) interface. In fact, the parent interface can even remain Unassigned.

Your configuration choices for the network settings of the subinterface depend on the zone you select:

• LAN, DMZ, or a custom zone of Trusted type: Static or Transparent.

• WLAN or a custom Wireless zone: static IP only (no IP Assignment list).

4 Assign a VLAN tag (ID) to the subinterface in the VLAN Tag field. Valid VLAN IDs are 0 (default) to 4094, although some switches reserve VLAN 1 for native VLAN designation, and VLAN 0 is reserved for QoS. You need to create a VLAN subinterface with a corresponding VLAN ID for each VLAN you wish to secure with your security appliance.

5 Select the parent (physical) interface to which this subinterface will belong from Parent Interface. There is no per-interface limit to the number of subinterfaces you can assign - you may assign subinterfaces up to the system limit.

6 Select the IP Assignment or Mode/IP Assignment:

NOTE: After an interface is selected as a Redundant Port, its configuration is governed by the primary interface, and it cannot be configured independently. In the Interface Settings table, the interface's zone is displayed as Redundant Port and the Configuration icon is dimmed.

NOTE: Unassigned VLAN interfaces can be created, not only zone-assigned interfaces.

IMPORTANT: If X-Series switches are provisioned, VLAN IDs from 0 - 35 are internal VLAN IDs and cannot be used for VLAN subinterfaces.

TIP: The options change depending on the zone and IP (mode) assignment.


7 In the IP Address field, enter the IP Address for the interface; the default is 0.0.0.0.

8 In the Subnet Mask field, enter the subnet mask for the network; the default is 255.255.255.0.

9 Go to Step 11.

10 For Transparent IP Mode, from Transparent Range, select an address object that contains the range of IP addresses that are allowed access through this interface.

11 For all zones except WLAN, go to Step 14. For WLAN zones, SonicPoint options display.

12 From SonicPoint Limit, select the maximum number of SonicPoints for this interface. The default is No SonicPoints.

13 From the Reserve SonicPoint Address options, choose:

• Automatically (default)

• Manually; the Manually field becomes available.

1) Enter the SonicPoint address.

14 Configure the other options as usual.

15 Click Advanced. The Link Speed and Use Default MAC Address options cannot be changed.

16 To use the selected priority as the default CoS for output packets:

a Select Enable Default 802.1p CoS.

b Select the priority:

17 For:

• Unassigned (both modes), LAN/DMZ Static IP Mode, and WLAN (both modes), go to Step 23.

• LAN/DMZ Transparent IP Mode (Splice L3 Subnet), go to Step 18.

• WAN (all modes), go to Step 21.

18 To forward gratuitous ARP packets received on this interface towards the WAN with the source MAC address as the hardware MAC address of the WAN interface, select Enable Gratuitous ARP Forwarding Towards WAN. This option is not selected by default.

Mode/IP Assignment options by zone (Step 6)

For this zone – Select

Unassigned – Unassigned (default); go to Step 14

LAN or DMZ – Static IP Mode (default), or Transparent IP Mode (Splice L3 Subnet); go to Step 10

WAN – Static (default)

WLAN – Static IP Mode (default)

TIP: The options change, depending on the zone and IP/Mode assignment selected.

TIP: You can define your QoS rules to override this option by setting up an access rule on the Firewall > Access Rules page.

802.1p CoS priority options (Step 16b)

• 0 - Best effort (default)

• 1 - Background

• 2 - Spare

• 3 - Excellent effort

• 4 - Controlled load

• 5 - Video (<100ms latency)

• 6 - Voice (<10ms latency)

• 7 - Network control


19 To generate a gratuitous ARP packet towards the WAN interface with a source MAC address as the hardware MAC address of the WAN interface whenever a new entry is added to the ARP table for a new machine on this interface, select Enable Automatic Gratuitous ARP Generation Towards WAN. This option is not selected by default.

20 Go to Step 23.

21 To fragment packets that are larger than the specified MTU, select Fragment non-VPN outbound packets larger than this Interface's MTU. This option is not selected by default. When selected, the Ignore Don’t Fragment (DF) Bit option becomes available.

a To ignore Don’t Fragment (DF) bits from routers connected to the SonicWall appliance, select Ignore Don't Fragment (DF) Bit. This option is not selected by default.

22 To block notifications that this interface can receive fragmented packets, select Do not send ICMP Fragmentation needed for outbound packets over the Interface. This option is not selected by default.

23 Configure the other options as usual.

24 Click OK.

The virtual interface displays in the VLAN Interfaces table below the Interfaces table.

Configuring MGMT Interfaces

To configure an interface for Management (MGMT) mode:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface you want to configure. The Edit Interface dialog displays.

3 If high availability is:

• Not enabled, enter the IP address and the subnet mask of the zone in the IP Address and Subnet Mask fields respectively.

• Enabled, enter the primary IP address, the secondary IP address, and the subnet mask of the zone in the IP Address (Primary), IP Address (Secondary), and Subnet Mask fields respectively.

4 Enter an IP address for a Default Gateway (optional).

5 Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.

6 If you want to enable remote management of the SonicWall appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP.

7 If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.

NOTE: If the maximum transmission unit (MTU) size is too large for a remote router, it might require more transmissions. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be processed.

NOTE: An MGMT interface cannot be added; it is a default interface present on the firewall and can only be edited. MGMT interfaces are only supported on select SonicWall firewalls; check the SonicOS Release Notes for support information.

NOTE: If Active/Active Clustering is enabled and the firewall is running SonicOS 6.1 or higher firmware, IP Address fields for multiple nodes are available.

NOTE: You cannot enter an IP address that is in the same subnet as another zone.


8 To add a rule to redirect from HTTP to HTTPS, click Add rule to enable redirect from HTTP to HTTPS. This option is only visible if Allow management via HTTP is enabled on the System > Administrator page.

9 Click OK.

Wireless and Non-Wireless Firewall Controller Modes

SonicOS 6.5 introduced Wireless Controller Mode for deployments in which a wireless-capable firewall does not provide wireless access. Full-Feature-Gateway mode, which allows all wireless and non-wireless functions, is the default.

This is a “one-click” feature at the firewall level which allows moving between wireless, non-wireless, and Full-Feature-Gateway controller modes. It can be set at System > Administrator.

The wireless controller mode disables and renders uneditable:

• SSL VPN and VPN zones

• Group VPN and SSL VPN policies as well as the updating of all zones using these policies

• VPN

• WAN Acceleration (WXA)

• SIP and H.323 transformations

In the non-wireless controller mode, other features are disabled and rendered uneditable:

• Wireless zones, including the default WLAN zone, as well as disabling the creation of wireless zones

• Internal wireless functions

• Access points, including L2 and L3


2 Configuring PortShield Groups

A PortShield interface is a virtual interface with a set of ports, including ports on Dell Networking X-Series, or extended, switches, assigned to it. PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall. On the Network > PortShield Groups page, you can manually group ports together that allow them to share a common network subnet as well as common zone settings.

You can assign any combination of ports to a PortShield interface. All ports not assigned to a PortShield interface are assigned to the LAN interface.

To assign an interface to a PortShield group:

1 Navigate to the Network > PortShield Groups page.

2 Click the Configure icon for the interface you want to assign to a PortShield group. The Edit Switch Port dialog displays.

The Name field is populated with the interface name and cannot be edited.

3 From Port Enabled, select whether you want to enable or disable the interface. The default is Enabled.

4 From PortShield Interface, select which interface you want to assign as the master interface for the PortShield interface.

5 From Link Speed, select the link speed for the interfaces. The default is Auto Negotiate.

6 Click OK.

NOTE: TZ series firewalls support Dell Networking X-Series switches and the Dell Networking X-Series Solution, which expand the capability of the firewalls, especially for portshielding interfaces. Beginning in Release 8.3, SM and NSA series firewalls also support X-Series switches and the X-Series Solution. See Configuring PortShield Interfaces for Dell Networking X-Series Switches.

NOTE: The NSA2600 firewall does not support PortShield, and the SM 9800 and SOHO W firewalls do not support the X-Series Solution.

NOTE: For information about configuring PortShield interfaces for Dell networking X-Series switches, also see Configuring PortShield Interfaces for Dell Networking X-Series Switches.

TIP: Zones can always be applied to multiple interfaces in the Network > Interfaces page, even without the use of PortShield groupings. These interfaces, however, do not share the same network subnet unless they are grouped using PortShield.

NOTE: The PortShield Groups page is supported on appliances running SonicOS versions 5.5 or higher.

NOTE: Interfaces must be configured before being grouped with PortShield.

The default LAN and WAN groups cannot be edited.

TIP: PortShield options may be disabled for external switch ports.


Configuring PortShield Interfaces for Dell Networking X-Series Switches

NOTE: TZ series appliances support Dell Networking X-Series switches, which expand the capability of the appliances, especially for portshielding interfaces.

IMPORTANT: When an extended switch has been powered off and then the firewall is restarted (rebooted), it could take up to five minutes before the firewall discovers the extended switch and reports the Status of the switch as Connected.

When configuring extended switches in a PortShield group, it could take up to five minutes for the configuration to be displayed on the Network > PortShield Groups page.


3 Configuring Wire Mode VLAN Translation

Topics:

• About VLAN Translation

• Creating and Managing VLAN Maps

About VLAN Translation

The VLAN Translation (mapping) feature allows traffic arriving on a VLAN at a Wire Mode interface operating in Secure mode to be mapped to a different VLAN on the outgoing paired interface. Re-routing some of the traffic entering the SonicWall security appliance onto different VLANs lets you perform further analysis or processing, or simply remap traffic. This feature is supported on all Wire Mode-capable devices.

An advantage of Wire Mode is that you can pre-provision the VLAN mapping. This allows you to have the mapping in place before the interface receives traffic. You can also add and delete mappings on an active Wire Mode interface.

Topics:

• Mapping Modes

• Mapping Persistence

• Map Multiple Interface Pairs

Mapping Modes

You can create a VLAN mapping in these modes:

• Unidirectional mapping – For example, use to:

• Secure printing from a less-secure network to a high-secure network

• Transfer application and operating system updates from a less-secure network to a high-secure network

• Monitor multiple networks in a SOC (security operations center)

• Provide time synchronization in high-secure networks

NOTE: VLAN Translation is available on all platforms that support Wire Mode.

NOTE: VLAN Translation and Wire Mode over VLAN interfaces cannot be enabled at the same time.


• Transfer files

• Provide a “you have mail” alert to a high-secure network from a less-secure network

• Bidirectional mapping – For example, use to set up a two-way connection to and from devices through the security appliance, for example, for TCP.

Mapping Persistence

The VLAN map created for a pair of interfaces is persistent over reload and is stored as part of the configuration. If the wire-mode pair (secure mode) has a mapping associated with it, the wire mode cannot be changed unless the mapping policy is deleted.

Map Multiple Interface Pairs

You can create VLAN mappings for multiple pairs of interfaces at the same time. These interfaces must form part of an existing Secure Wire Mode pair at the time of the VLAN mapping creation. You can also create mappings between one interface and several other interfaces, but only the mappings for the current active Wire Mode pair are in use at any given time.

If the paired interface is changed, the message, Cannot change wire-mode pair interface when WireMode VLAN entries exist for the interface, displays.

Creating and Managing VLAN Maps

Network > VLAN Translation allows you to create and manage the VLAN mapping of interfaces.

NOTE: The wire-mode pair interfaces cannot change if Wire Mode VLAN entries exist for the interface.

VLAN Translation page elements and table columns:

Add icon – Displays the Add VLAN Translation dialog.

Delete icon – Displays the Delete drop-down menu:

• Delete Selected

• Delete All

Search field – Allows you to display only those VLAN translations of interest.

Refresh icon – Refreshes the VLAN Translation table.

Policy number and checkbox – Number of the policy and its associated checkbox.

Ingress Interface – Name of the incoming interface.

Ingress VLAN – VLAN tag of the incoming interface.

Egress Interface – Name of the interface to which traffic is mapped.

Egress VLAN – VLAN tag of the interface to which traffic is mapped.

Reverse Translation – Indicates whether the mapping is unidirectional or bidirectional:

• Disabled – Unidirectional; column blank.

• Enabled – Bidirectional; green checkmark.


Topics:

• Creating a VLAN Map

• Managing VLAN Mappings

Creating a VLAN Map

You can create a unidirectional VLAN map before or after creating a Wire Mode pair. Creating a VLAN map is a two-step process:

1 Creating a Wire Mode Pair in Secure Mode

2 Creating the VLAN Mapping

Creating a Wire Mode Pair in Secure Mode

To create a Wire Mode pair in secure mode:

1 Navigate to the Network > Interfaces page.

2 Click the Edit icon for the interface to be part of the Wire Mode pair. The Edit Interface dialog displays.

3 Select the zone for the Wire Mode pair from Zone. The options change.

4 Select Wire Mode (2-Port Wire) from Mode / IP Assignment. The options change again.

5 Select Secure (Active DPI of Inline Traffic) from Wire Mode Type.

6 Select the interface to pair with the current interface from the Paired Interface drop-down menu.

7 Select the zone for the paired interface from Paired Interface Zone. The default is LAN.

8 Configure the other options as if configuring a regular Wire Mode pair as described in Wire Mode (2-Port Wire) (NSA and SuperMassive Platforms) and Tap Mode (1-Port Tap).

9 Click OK. The Network > Interfaces page is updated.

Creating the VLAN Mapping

To create a VLAN mapping:

1 Navigate to the Network > VLAN Translation page.

2 Click the Add icon. The Add VLAN Translation dialog displays.

3 Select the Wire Mode interface in the pair on which you expect to receive traffic from Ingress Interface.

4 Set Ingress VLAN to the VLAN on which you expect to receive traffic for mapping.

Active – Status of the mapped pair:

• Active – The Wire Mode pair is mapped and active; green checkmark.

• Inactive – The Wire Mode pair is mapped but not active (pre-provisioned); column blank.

Configure – Displays Edit and Delete icons for a mapped pair.

TIP: Ensure the interface you pair with is unassigned.


5 From the Egress Interface drop-down menu, select the Wire Mode interface in the pair to which you want to map traffic.

6 Set Egress VLAN to the VLAN to which you expect to map traffic.

7 To create a:

• Unidirectional mapping, ensure the Reverse Translation checkbox is not selected. For example, to map VLAN X on interface A to VLAN Y on interface B.

• Bidirectional mapping, select the Reverse Translation checkbox. For example, to map VLAN Y on interface B to VLAN X on interface A as well as map VLAN X on interface A to VLAN Y on interface B.

8 Click Add. The Wiremode VLAN Translation table is updated.
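The mapping rules from Mapping Modes, Mapping Persistence and Map Multiple Interface Pairs, together with the two-step creation procedure above, as a small Python model added here (it is not SonicOS code). Interface names X2, X3 and X4 and the VLAN tags are constructed sample values; the behaviour modelled is only what the page states: the pair check, the Reverse Translation direction, the Active/Inactive (pre-provisioned) status, and the refusal to change a pair that has Wire Mode VLAN entries.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VlanMap:
    """One row (policy) of the VLAN Translation table."""
    ingress_if: str
    ingress_vlan: int
    egress_if: str
    egress_vlan: int
    reverse: bool = False  # Reverse Translation checkbox: True = bidirectional


class WireModeVlanTranslation:
    """Toy model of Secure Wire Mode pairs plus their VLAN mappings (not SonicOS code)."""

    def __init__(self) -> None:
        self.pairs: Dict[str, str] = {}  # Secure Wire Mode pairs, stored in both directions
        self.maps: List[VlanMap] = []    # policies in table order

    def has_entries(self, iface: str) -> bool:
        return any(iface in (m.ingress_if, m.egress_if) for m in self.maps)

    def set_pair(self, a: str, b: str) -> None:
        """Step 1: create (or change) a Secure Wire Mode pair."""
        for iface, other in ((a, b), (b, a)):
            current = self.pairs.get(iface)
            if current is not None and current != other and self.has_entries(iface):
                # message quoted from the page
                raise ValueError("Cannot change wire-mode pair interface when "
                                 "WireMode VLAN entries exist for the interface")
        for iface in (a, b):               # drop any old pairing of either side
            old = self.pairs.pop(iface, None)
            if old is not None:
                self.pairs.pop(old, None)
        self.pairs[a] = b
        self.pairs[b] = a

    def add_map(self, m: VlanMap) -> None:
        """Step 2: add a mapping; it may be pre-provisioned before the pair is active."""
        for tag in (m.ingress_vlan, m.egress_vlan):
            if not 0 <= tag <= 4094:
                raise ValueError(f"VLAN tag {tag} outside 0-4094")
        if m.ingress_if == m.egress_if:
            raise ValueError("ingress and egress interface must differ")
        self.maps.append(m)

    def is_active(self, m: VlanMap) -> bool:
        """Active column: the mapped interfaces are the current Secure Wire Mode pair."""
        return self.pairs.get(m.ingress_if) == m.egress_if

    def translate(self, ingress_if: str, vlan: int) -> Optional[Tuple[str, int]]:
        """Egress (interface, VLAN) for a tagged frame, or None when no active map applies."""
        for m in self.maps:
            if not self.is_active(m):
                continue  # pre-provisioned (Inactive) entries are not in use
            if m.ingress_if == ingress_if and m.ingress_vlan == vlan:
                return m.egress_if, m.egress_vlan
            if m.reverse and m.egress_if == ingress_if and m.egress_vlan == vlan:
                return m.ingress_if, m.ingress_vlan  # reverse direction of a bidirectional map
        return None

    def delete(self, m: VlanMap) -> None:
        """A bidirectional policy is one row, so deleting it removes both directions."""
        self.maps.remove(m)


def demo() -> dict:
    """Constructed scenario: X2/X3 secure pair, one one-way map and one two-way map."""
    t = WireModeVlanTranslation()
    one_way = VlanMap("X2", 100, "X3", 200)       # e.g. printing or NTP, low -> high side
    t.add_map(one_way)                             # pre-provisioned before the pair exists
    pre = t.translate("X2", 100)                   # None: the entry is still Inactive
    t.set_pair("X2", "X3")                         # the entry becomes Active
    fwd = t.translate("X2", 100)                   # ("X3", 200)
    back = t.translate("X3", 200)                  # None: unidirectional map
    two_way = VlanMap("X2", 110, "X3", 210, reverse=True)  # e.g. a TCP session both ways
    t.add_map(two_way)
    rev = t.translate("X3", 210)                   # ("X2", 110)
    try:
        t.set_pair("X2", "X4")                     # refused: X2 has entries
        repair = "allowed"
    except ValueError as err:
        repair = str(err)
    return {"pre": pre, "fwd": fwd, "back": back, "rev": rev, "repair": repair}
```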

Managing VLAN Mappings

Topics:

• Editing Mappings

• Filtering Mappings

• Deleting Mappings

Editing Mappings

To edit a mapping:

1 Navigate to the Network > VLAN Translation page.

2 Click its Edit icon in the Configuration column. The Edit VLAN Translation dialog displays.

3 Edit the mappings you want to change.

Filtering Mappings

If you have a lot of VLAN mappings, you can display only those of interest:

1 Navigate to the Network > VLAN Translation page.

2 Enter an interface name or VLAN tag in the Search field.

3 Press Enter.

Only the mappings that meet the search criterion are displayed.

To redisplay all the mappings:

1 Navigate to the Network > VLAN Translation page.

2 Delete the criterion from the Search field.

3 Press Enter.

NOTE: This option is selected by default.

NOTE: You can change any of the mappings except the Reverse Translation setting.


Deleting Mappings

To delete a single mapping:

1 Navigate to the Network > VLAN Translation page.

2 Click its Delete icon in the Configuration column. A confirmation message displays.

3 Click its Selection checkbox.

4 Select Delete Selected from the Delete drop-down menu. A confirmation message displays.

5 Click OK.

To delete multiple mappings:

1 Navigate to the Network > VLAN Translation page.

2 Click their Selection checkboxes.

3 Select Delete Selected from the Delete drop-down menu. A confirmation message displays.

4 Click OK.

To delete all mappings:

1 Navigate to the Network > VLAN Translation page.

2 Select Delete All from the Delete drop-down menu. A confirmation message displays.

3 Click OK.

NOTE: If a policy is bidirectional, both directions are deleted if one is deleted.


4 WAN Failover and Load Balancing

WAN Failover enables you to configure one of the user-defined interfaces as a secondary WAN port. The secondary WAN port can be used in a simple “active/passive” setup to allow traffic to be only routed through the secondary WAN port if the Primary WAN port is unavailable. This allows the SonicWall to maintain a persistent connection for WAN port traffic by “failing over” to the secondary WAN port.

For a SonicWall appliance with a WWAN interface, you can configure failover using the WWAN interface. Failover between the Ethernet WAN (the WAN port, OPT port, or both) and the WWAN is supported through the WAN Connection Model setting.

This feature also allows you to do simple load balancing (LB) for the WAN traffic on the SonicWall. You can select a method of dividing the outbound WAN traffic between the two WAN ports and balance network traffic. Load-balancing is currently only supported on Ethernet WAN interfaces.

The Management Service can monitor WAN traffic using Physical Monitoring that detects if the link is unplugged or disconnected, or Physical and Logical Monitoring that monitors traffic at a higher level, such as upstream connectivity interruptions.

Topics:

• Configuring Failover and Load Balancing

• Configuring Group Settings

• Configuring Probing

• Configuring Probe Settings

• Configuring Multiple WAN Interfaces

Configuring Failover and Load Balancing

To configure WAN Failover for a SonicWall appliance:

1 Navigate to the Network > Failover & LB page.

2 Select Enable Load Balancing. This option must be enabled for the user to access the LB Groups and LB Statistics sections. If disabled, no options for failover and load balancing are available to be configured. This option is selected by default.

3 Select Respond to Probes. When enabled, the appliance can reply to probe request packets that arrive on any of the appliance’s interfaces. This option is not selected by default. Enabling this option makes the Any TCP-SYN to Port option available.

IMPORTANT: Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings.


4 Select Any TCP-SYN to Port.

• This option is only available when the Respond to Probes option is enabled. When selected, the appliance only responds to TCP probe request packets whose destination TCP port number matches the configured value. The default TCP port number is 0.

• This option is not selected by default.

5 Click Update.

Configuring Group Settings

To configure Group settings:

1 Navigate to the Network > Failover & LB page.

2 Click Configure for the Group you wish to configure in the Groups table on the Network > Failover & LB page. The Edit LB Group dialog displays.

3 Edit the display name of the Group in the Name field. The name of the default group cannot be changed.

4 From the Type drop-down menu, choose the type (or method) of LB; options change depending on the type selected:

• Basic Failover—The four WAN interfaces use rank to determine the order of preemption when Preempt has been enabled. Only a higher-ranked interface can preempt an Active WAN interface. This is selected by default.

• Round Robin—This option now allows you to re-order the WAN interfaces for Round Robin selection. The default order is:

• Primary WAN

• Alternate WAN #1

• Alternate WAN #2

• Alternate WAN #3

The Round Robin then returns to the Primary WAN to continue the order.

• Spill-over—The bandwidth threshold applies to the Primary WAN. When the threshold is exceeded, new traffic flows are allocated to the Alternates in a Round Robin manner. If the Primary WAN bandwidth goes below the configured threshold, Round Robin stops, and outbound new flows will again be sent out only through the Primary WAN.

• Ratio—A percentage can be set for each WAN in the LB group. To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates.

NOTE: Existing flows remain associated with the Alternates (as they are already cached) until they time out normally.
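How each Type picks the WAN interface for a new flow, as an added Python model (it is not SonicOS code): rank-ordered Basic Failover with Preempt, Round Robin, Spill-over with a bandwidth limit on the Primary, Ratio percentages, the Use Source and Destination IP Address binding option, and a Final Back-Up interface of last resort. Interface names X1 to X4, loads and addresses are constructed, and applying the ratio as a deterministic weighted rotation is an assumption, not the appliance's own algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BASIC_FAILOVER, ROUND_ROBIN, SPILL_OVER, RATIO = "basic", "round_robin", "spill_over", "ratio"


@dataclass
class WanMember:
    name: str
    available: bool = True  # Available vs Failover, as decided by probing
    ratio: int = 0          # percent (%) field, Ratio type only
    load_kbps: int = 0      # current load, compared with the Spill-over limit (Primary only)


class LbGroup:
    """One LB Group; members are in Selected-list order, so index 0 is the Primary WAN."""

    def __init__(self, lb_type: str, members: List[WanMember],
                 final_backup: Optional[WanMember] = None, preempt: bool = True,
                 limit_kbps: int = 0, ip_binding: bool = False) -> None:
        if lb_type == RATIO and sum(m.ratio for m in members) != 100:
            raise ValueError("Ratio percentages must add up to 100%")
        self.lb_type, self.members = lb_type, members
        self.final_backup, self.preempt = final_backup, preempt
        self.limit_kbps, self.ip_binding = limit_kbps, ip_binding
        self._active: Optional[WanMember] = None         # Basic Failover: interface in use
        self._counter = 0                                 # Round Robin / Spill-over / Ratio
        self._bindings: Dict[Tuple[str, str], str] = {}   # (src, dst) -> interface name

    def _available(self) -> List[WanMember]:
        return [m for m in self.members if m.available]

    def _round_robin(self, pool: List[WanMember]) -> str:
        choice = pool[self._counter % len(pool)]
        self._counter += 1
        return choice.name

    def _pick(self) -> Optional[str]:
        avail = self._available()
        if not avail:
            return None
        if self.lb_type == BASIC_FAILOVER:
            # Rank = list order. With Preempt the highest-ranked available interface
            # always wins; without it the current interface is kept until it fails.
            if self.preempt or self._active is None or not self._active.available:
                self._active = avail[0]
            return self._active.name
        if self.lb_type == ROUND_ROBIN:
            return self._round_robin(avail)
        if self.lb_type == SPILL_OVER:
            primary = self.members[0]
            if primary.available and primary.load_kbps <= self.limit_kbps:
                return primary.name  # below the threshold: Primary only
            alternates = [m for m in avail if m is not primary]
            # above the threshold (or Primary down): new flows round-robin over alternates
            return self._round_robin(alternates) if alternates else primary.name
        if self.lb_type == RATIO:
            total = sum(m.ratio for m in avail)  # renormalise over available members
            if total == 0:
                return avail[0].name
            tick, self._counter = self._counter % total, self._counter + 1
            cumulative = 0
            for m in avail:
                cumulative += m.ratio
                if tick < cumulative:
                    return m.name
        raise ValueError(f"unknown LB type: {self.lb_type}")

    def select(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Interface for a new flow, or None when nothing usable exists."""
        key = (src_ip, dst_ip)
        if self.ip_binding and key in self._bindings:
            bound = self._bindings[key]  # keeps e.g. HTTP and its HTTPS redirect together
            if any(m.name == bound and m.available for m in self.members):
                return bound
        choice = self._pick()
        if choice is None and self.final_backup is not None and self.final_backup.available:
            choice = self.final_backup.name  # interface of last resort
        if self.ip_binding and choice is not None:
            self._bindings[key] = choice
        return choice


def demo() -> dict:
    """Constructed scenario: X1 is the Primary, X2/X3 alternates, X4 the Final Back-Up."""
    x1, x2, x3 = WanMember("X1"), WanMember("X2"), WanMember("X3")
    out = {}
    rr = LbGroup(ROUND_ROBIN, [x1, x2, x3], ip_binding=True)
    out["rr"] = [rr.select("10.0.0.5", f"203.0.113.{i}") for i in range(4)]
    out["bound"] = rr.select("10.0.0.5", "203.0.113.0")   # same src/dst pair: stays on X1
    x1.available = False
    out["rebound"] = rr.select("10.0.0.5", "203.0.113.0")  # X1 down: binding is replaced
    x1.available = True
    spill = LbGroup(SPILL_OVER, [x1, x2, x3], limit_kbps=5000)
    x1.load_kbps = 1000
    out["spill_low"] = spill.select("10.0.0.6", "198.51.100.1")
    x1.load_kbps = 9000
    out["spill_high"] = [spill.select("10.0.0.6", f"198.51.100.{i}") for i in range(3)]
    failover = LbGroup(BASIC_FAILOVER, [x1, x2], final_backup=WanMember("X4"))
    x1.available = x2.available = False
    out["last_resort"] = failover.select("10.0.0.7", "192.0.2.1")
    return out
```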


5 Depending on what you selected from Type, one of the options listed under Type drop-down options displays.

6 Add, delete, and order member interfaces in the Group Members: Select here: and Selected: lists. The heading of the Selected list, and how its members are used, depends on the Type selected:

• Basic Failover: Interface Ordering:

• Round Robin: Interface Pool:

• Spill-over: Primary/Alt. Pool:

• Ratio: Interface Distribution:

7 Add members by selecting a displayed interface from the Group Members: column, and then clicking Add>>.

8 You can order the entries in the Selected column by:

a Selecting an entry

b Clicking Up/Down arrows.

If you selected Ratio, instead of ordering the entries, you can specify the ratio of bandwidth for each interface. See Configuring Bandwidth as a Ratio.

a Enter a percentage of bandwidth to be assigned to an interface in the percent (%) field. The total bandwidth for all interfaces should add up to 100%. The total percentage of bandwidth allocated is displayed.

You can modify the ratio by clicking Modify Ratio or have the ratios adjusted automatically by clicking Auto Adjust.

Type drop-down options

Type selection – Option

Basic Failover – Preempt and failback to preferred interfaces when possible. Select to enable rank to determine the order of preemption. Selected by default.

Spill-over – When bandwidth exceeds BandwidthLimit Kbit/s on PrimaryInterface, new flows will go to the alternate group members in Round Robin manner. Specify the bandwidth for the Primary in the field. If this value is exceeded, new flows are then sent to alternate group members according to the order listed in the Selected column. This option is not selected by default. The default value is 0.

Round Robin, Spillover, and Ratio – Use Source and Destination IP Address binding. The option is especially useful when using HTTP/HTTPS redirection or in a similar situation. For example, connection A and connection B need to be on the same WAN interface: the source and destination IP addresses in connection A are the same as those for connection B, but a different service is being used. In this case, source and destination IP address binding is required to keep both connections on the same WAN interface so that the transactions do not fail. This option is not selected by default.

IMPORTANT: To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates.


Delete members from the Selected: column by:

a Selecting the displayed interface,

b Clicking <<Remove.

9 Optionally, enter a Final Back-Up, an interface of “last resort,” that is, an interface that is used only when all other interfaces in the Selected: group are either unavailable or unusable. To specify a Final Back-Up interface, select an entry in the Group Members list, and then click the double right arrow button.

To remove a Final Back-Up interface, click the double left arrow button.

10 Click OK.

Configuring Bandwidth as a Ratio

If Ratio is selected, the Add >> button is replaced by a percent (%) field and a Double Right Arrow button, and the Up/Down Arrow buttons are replaced with the Auto Adjust button.

Enter a percentage of bandwidth to be assigned to the interface. The total percentage of bandwidth allocated is displayed.

If multiple interfaces are selected, you can either:

• Click Auto Adjust to distribute the bandwidth equally among the interfaces.

• Enter a percentage of bandwidth to be assigned to each interface.

To modify the bandwidth percentage for an interface:

1 Navigate to the Network > Failover & LB page.

2 Select the interface in the Selected column.

3 Click Modify Ratio.

4 Enter a new percentage in the percent (%) field.

5 Click Modify Ratio again. The percentage for the bandwidth and the total bandwidth allocated are updated.

Configuring Probing

When Logical probing is enabled, test packets can be sent to remote probe targets to verify WAN path availability. An option allows probing through the additional WAN interfaces: Alternate WAN #3 and Alternate WAN #4.

NOTE: The interface at the top of the list is the Primary.

The Interface Rank does not specify the operation performed on the individual member. The operation that is performed is specified by the Group Type.

IMPORTANT: To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates.

NOTE: VLANs for alternate WANs do not support QoS or VPN termination.


To configure the probing options for a specific group:

1 Navigate to the Network > Failover & LB page.

2 Click the Configure icon of the Group you wish to configure on the Network > Failover & LB page. The Edit LB Group dialog displays.

3 Click Probing.

4 Modify the following settings:

• Check Interface every: n sec —The interval of health checks in units of seconds. The default value is 5 seconds.

• Deactivate Interface after: n missed intervals—The number of failed health checks after which the interface sets to Failover. The default value is 6 seconds.

• Reactivate Interface after: n successful intervals—The number of successful health checks after which the interface sets to Available. The default value is 3 seconds.

• Probe responder.global.sonicwall.com on all interfaces in this group—Enable this option to automatically set Logical/Probe Monitoring on all interfaces in the Group. When enabled, TCP probe packets are sent to the global SNWL host that responds to SNWL TCP packets, responder.global.sonicwall.com, using a target probe destination address of 204.212.170.23:50000. When this option is selected, the rest of the probe configuration enables built-in settings automatically. The same probe is applied to all four WAN Ethernet interfaces. This option is not selected by default.

5 Click OK.

Configuring Probe Settings

To configure the Group Member’s probe settings:

1 Navigate to the Network > Failover & LB page.

2 Click the Configure icon of the Group member you wish to configure on the Network > Failover & LB page. The Probe Settings dialog displays.

3 Choose the type of probing to be done:

• Physical Monitoring Only (default; all other options are dimmed); go to Step 8.

• Logical/Probe Monitoring enabled – all other options become available.

4 From Logical/Probe Monitoring, select when the probe succeeds:

• Probe succeeds when either Main Target or Alternate Target responds.

• Probe succeeds when both Main Target and Alternate Target respond.

• Probe succeeds when Main Target responds.

• Succeeds Always (no probing) – default; all other options are dimmed; go to Step 8.

NOTE: The Dialup WAN probe setting also defaults to the built-in settings.


5 From Main Target, select:

• Ping (ICMP)

• TCP (default)

1) In the Host field, enter the host name. The default is responder.global.sonicwall.com.

2) In the Port field, enter the applicable port. The default is 50000.

6 From Alternate Target, select:

• Ping (ICMP)

• TCP (default)

1) In the Alternate Target Host field, enter the host name. The default is responder.global.sonicwall.com.

2) In the Alternate Target Port field, enter the applicable port. The default is 50000.

7 In the Default Target IP field, enter the IP address of the default target.

8 Click OK.
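The probe behaviour from the two procedures above (the check interval with its missed and successful counts, and the Main/Alternate Target success conditions) is easier to reason about as a small state machine. The following Python is an added example, not SonicWall code. It assumes, which the page does not state, that the missed and successful counts are consecutive intervals and that an interface starts as Available; the probe results it is fed are constructed.

```python
"""Added example (not SonicWall code): the probe logic described on this page,
modelled as a state machine. Assumed, not stated on the page: the missed and
successful counts are consecutive intervals, and an interface starts Available."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    """The four Logical/Probe Monitoring choices from the Probe Settings dialog."""
    EITHER = "either main or alternate responds"
    BOTH = "both main and alternate respond"
    MAIN_ONLY = "main target responds"
    ALWAYS = "succeeds always (no probing)"


def probe_succeeds(mode, main_ok, alt_ok):
    """Combine the Main and Alternate Target results for one interval."""
    if mode is Mode.ALWAYS:
        return True
    if mode is Mode.EITHER:
        return main_ok or alt_ok
    if mode is Mode.BOTH:
        return main_ok and alt_ok
    return main_ok


@dataclass
class ProbeMonitor:
    mode: Mode = Mode.MAIN_ONLY
    deactivate_after: int = 6    # "Deactivate Interface after: n missed intervals" (page default)
    reactivate_after: int = 3    # "Reactivate Interface after: n successful intervals" (page default)
    available: bool = True       # assumption: interface starts Available
    missed: int = 0              # consecutive failed checks while Available
    successes: int = 0           # consecutive successful checks while in Failover
    transitions: list = field(default_factory=list)

    def tick(self, main_ok, alt_ok=False):
        """One 'Check Interface every: n sec' interval. Returns the new availability."""
        ok = probe_succeeds(self.mode, main_ok, alt_ok)
        if self.available:
            self.missed = 0 if ok else self.missed + 1
            if self.missed >= self.deactivate_after:
                self.available, self.missed = False, 0
                self.transitions.append("Failover")
        else:
            self.successes = self.successes + 1 if ok else 0
            if self.successes >= self.reactivate_after:
                self.available, self.successes = True, 0
                self.transitions.append("Available")
        return self.available


def run(mode, results):
    """Feed (main_ok, alt_ok) pairs, one per interval, through a fresh monitor."""
    mon = ProbeMonitor(mode=mode)
    states = [mon.tick(main_ok, alt_ok) for main_ok, alt_ok in results]
    return states, mon.transitions


if __name__ == "__main__":
    # Constructed sample: the main target stops answering for six intervals, then recovers.
    print(run(Mode.MAIN_ONLY, [(False, True)] * 6 + [(True, False)] * 3))
```

With the page defaults, an interface whose main target is silent for six consecutive intervals goes to Failover and needs three consecutive good probes to return; a single good probe in the middle of a run of failures resets the missed count, which is why a flapping link can stay Available for a long time under the default settings.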

Configuring Multiple WAN Interfaces

The Multiple WAN (MWAN) feature allows you to configure all but one of the appliance's interfaces for WAN network routing (one interface must remain configured for the LAN zone for local administration). All of the WAN interfaces can be probed using the SNWL Global Responder host. Multiple WAN is configured across the following pages of the management interface.

Topics:

• Configuring Network Interfaces for Multiple WAN

• Routing the Default and Secondary Default Gateways for Multiple WAN

• Configuring DNS for Multiple WAN

NOTE: The Alternate Target options are available only when Probe succeeds when either Main Target or Alternate Target responds or Probe succeeds when both Main Target and Alternate Target respond is selected for Logical/Probe Monitoring enabled.

NOTE: This option is dimmed if Succeeds Always (no probing) is selected for Logical/Probe Monitoring enabled.

An IP Address of 0.0.0.0 or a DNS resolution failure uses the configured Default Target IP.


Configuring Network Interfaces for Multiple WAN

The Network > Interfaces page allows more than two WAN interfaces to be configured for routing. It is possible to configure WAN interfaces in the Network > Interfaces page, but not include them in the Failover & LB. Only the Primary WAN Ethernet Interface is required to be part of the LB group whenever LB has been enabled. Any WAN interface that does not belong to the LB group is not included in the LB function, but does normal WAN routing functions.

Routing the Default and Secondary Default Gateways for Multiple WAN

Because the gateway address objects previously associated with the Primary WAN and Secondary WAN are now deprecated, user-configured Static Routes need to be re-created to use the correct gateway address objects associated with the WAN interfaces. This must be configured manually as part of the firmware upgrade procedure on the Network > Route Policies page (for more information, see Configuring Route Policies).

The old address object, Default Gateway, corresponds to the default gateway associated with the Primary WAN in the LB group. The Secondary Default Gateway address object corresponds to the default gateway associated with Alternate WAN #1.

Configuring DNS for Multiple WAN

If DNS name resolution issues are encountered with multiple WAN interfaces, you might need to:

1 Choose the Specify DNS Servers Manually option on the Network > DNS page.

2 Set the servers to Public DNS Servers (ICANN or non-ICANN).

Depending on your location, some DNS Servers might respond faster than others. Verify that these servers work correctly from your installation before using your SonicWall appliance.

IMPORTANT: A virtual WAN interface might belong to the LB group. However, prior to using within the LB group, ensure that the virtual WAN network is fully routable like that of a physical WAN.

NOTE: After re-adding the routes, delete the old ones referring to the Default and Secondary Default Gateways.


5 Configuring Zones

A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following a strict physical interface scheme. There are four fixed Zone types: Trusted, Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones. These fixed Zone types cannot be modified or deleted. A Zone instance is created from a Zone type and named accordingly, such as Sales or Finance.

Only the number of interfaces limits the number of Zone instances for Trusted and Untrusted Zone types. The Untrusted Zone type (such as the WAN) is restricted to two Zone instances. The Encrypted Zone type is a special system Zone comprising all VPN traffic and does not have any associated interfaces.

All zone types offer options to automate the creation of Access Rules to allow traffic to flow between the Interfaces of a Zone instance. For example, if the LAN Zone has interfaces X0, X3, and X5 assigned to it, checking the appropriate option creates the necessary Access Rules to allow hosts on these Interfaces to communicate with each other.

Topics:

• General Settings for All Zones

• Configuring Guest Services

• Configuring Wireless Settings

• Deleting a Zone

• Configuring a Zone for Guest Access

• Configuring a Zone for Open Authentication and Social Login

General Settings for All Zones

To add or edit a Zone:

1 Select the global icon, a group, or a SonicWall appliance.

2 Navigate to the Network > Zones page.

3 Click the Edit Icon for a Zone or click Add New Zone. The Edit Zone or Add Zone dialog displays.

4 If this is a new Zone, enter a name for the Zone. If this is an existing zone, the name can be changed only for zones you created.

5 Select the Security Type. If this is an existing zone, the Security Type can be changed only for zones you created.

TIP: Depending on the type of zone, some options are not available. For a Security Type of SSLVPN, only General options are available.


6 To configure the SonicWall appliance to automatically generate Access Rules allowing traffic to flow freely between interfaces in zones of the same trust level, select Auto-generate Access Rules to allow traffic between zones of the same trust level. This option is selected by default.

7 To configure the SonicWall appliance to automatically generate Access Rules allowing traffic to flow freely between interfaces in zones with a lower trust level, select Auto-generate Access Rules to allow traffic to zones with lower trust level. This option is selected by default.

8 To configure the SonicWall appliance to automatically generate Access Rules allowing traffic to flow freely between interfaces in zones with a higher trust level, select Auto-generate Access Rules to allow traffic to zones with a higher trust level. This option is selected by default.

9 To configure the SonicWall appliance to automatically generate Access Rules denying traffic from zones with a lower trust level, select Auto-generate Access Rules to deny traffic from zones with lower trust level. This option is selected by default.

10 For MULTICAST zones, go to Step 22.

11 To enforce client anti-virus protection on multiple interfaces in the same zones, select Enable Client AV Enforcement Service. This option is not selected by default.

12 To enforce client content filtering protection on multiple interfaces in the same zones, select Enable Client CF Service. This option is not selected by default.

13 To enforce gateway anti-virus protection on multiple interfaces in the same zones, select Enable Gateway Anti-Virus Service. This option is not selected by default.

14 To enforce Intrusion Prevention Services (IPS) on multiple interfaces in the same zones, select Enable IPS. This option is not selected by default.

15 To enforce App Control Service on the zone, select Enable App Control Service. This option is not selected by default.

16 To enable Anti-Spyware on the zone, select Enable Anti-Spyware Service. This option is not selected by default.

17 For SSLVPN zones, go to Step 20.

18 To enforce security policies for Global Security Clients on multiple interfaces in the same Trusted or Public Zones, select Enforce Global Security Clients.

19 To automatically create a GroupVPN policy for this zone, select Create Group VPN.

20 For appliances running SonicOS 5.0 or above, select Enable SSL Control to allow SSL Control in this zone. This option is not active for the VPN or Multicast zones.

21 For SSLVPN zones, go to Step 22.

22 Click OK. The Zone is modified or added for the selected SonicWall appliance.

Configuring Guest Services

Trusted, Public, and Wireless zone types offer the ability to configure guest services.

To configure Guest Services:

1 Navigate to the Network > Zones page.

2 When the Security Type for a zone is selected as Trusted, Public, or Wireless, Guest Services displays.

NOTE: For Trusted, Public, and Wireless zones, configure guest services as described in Configuring Guest Services. For Wireless zones, configure wireless settings as described in Configuring Wireless Settings.


3 To enable guest services on the zone, select Enable Guest Services. This option is not selected by default.

The rest of the options become available.

4 Configure any of the following options:

• Enable inter-guest communication—Allows guests connecting to SonicPoints in this Zone to communicate directly and wirelessly with each other.

• Bypass AV Check for Guests—Allows guest traffic to bypass Anti-Virus protection.

• Enable External Guest Authentication—Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.

When selected, the Configure button becomes available. The following four options also become dimmed.

• Enable Captive Portal Authentication—Configure the captive portal vendor URLs and set RADIUS server attributes and authentication. When enabled, the Configure button becomes available. For further information about configuring these options, see

• Enable Policy Page without authentication —Configure the header and footers of your login page. When enabled, the Configure button becomes available. For further information about configuring these options, see

• Custom Authentication Page—Redirects you to a custom authentication page when you first connect to the zone. Click Configure to set up the custom authentication page. For further information about configuring these options, see

• Post Authentication Page—Directs you to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.

• Bypass Guest Authentication—Allows the appliance to integrate into environments already using some form of user-level authentication. This feature automates the Guest Services authentication process, allowing you to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the appliance is enforcing authentication.

• Redirect SMTP traffic to—Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to which to redirect traffic.

• Deny Networks—Blocks traffic from the networks you name. Select the subnet, address group, or IP address from which to block traffic.

• Pass Networks—Automatically allows traffic through the zone from the networks you select.

• Max Guests—Specifies the maximum number of guest users allowed to connect to the zone. The default is 10.

5 For Wireless Guest Services, to allow Dynamic Address Translation (DAT), select Enable Dynamic Address Translation. This option is not selected by default.

Wireless Guest Services (WGS) provides spur of the moment, “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the SonicWall appliance Wireless DHCP services, and authenticate using any Web-browser.

NOTE: When configuring a Wireless zone, an extra option displays at the bottom of the dialog:

NOTE: Refer to the SonicWall Lightweight Hotspot Messaging tech note available at https://support.sonicwall.com/search?k=5447759 for complete configuration of the Enable External Guest Authentication feature.

Without DAT, if a WGS user is not a DHCP client, but instead has static IP settings incompatible with the Wireless WLAN network settings, network connectivity is prevented until the user’s settings change to compatible values. DAT is a form of Network Address Translation (NAT) that allows the SonicWall Wireless appliance to support any IP addressing scheme for WGS users. For example, the SonicWall Wireless WLAN interface is configured with an address of 172.16.31.1, and one WGS client has a static IP Address of 192.168.0.10 and a default gateway of 192.168.0.1, while another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1, and DAT enables network communication for both of these clients.

6 Click OK to apply these settings to the zone.

Configuring Wireless Settings

The Add Zone or Edit Zone dialogs for WLAN zones contain a page for configuring wireless settings not available for other zones.

To configure specific wireless-zone settings:

1 Select the global icon, a group, or a SonicWall appliance.

2 In the Network > Zones pages, click Add New Zone or the Edit icon for the WLAN zone.

3 Configure General settings as described in General Settings for All Zones except select:

a Wireless for the Security Type.

b Allow Interface Trust to automate the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance.

4 Configure Guest Services settings as described in Configuring Guest Services.

5 Click Wireless.

6 Under Wireless Settings, to require that all traffic that enters into the WLAN Zone be authenticated through a SonicWall SSL VPN appliance, select SSL-VPN Enforcement. This option is not selected by default. When selected, the following two options become available.

a From SSL-VPN server, select an address object to direct traffic to the SonicWall appliance or create a new one.

b From SSL-VPN service, select a service or group of services you want to allow for clients authenticated through the SSL VPN.

7 Under SonicPoint/SonicWave Settings, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will be provisioned automatically by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.

a For each applicable SonicPoint/SonicWave, select a Provisioning Profile for:

• SonicPoint Provisioning Profile

• SonicPoint N/Ni/Ne Provisioning Profile

• SonicPoint N Dual Radio Provisioning Profile

• SonicPoint ACe/ACi/N2 Provisioning Profile

• SonicWave 432o/e/i Provisioning Profile


b Optionally, check Auto provisioning for the applicable Provisioning Profiles to allow SonicPoints attached to the profile to be provisioned automatically when the profile is modified. This option is not selected by default.

8 Select Only allow traffic generated by a SonicPoint / SonicPointN to allow only traffic from SonicWall SonicPoints to enter the WLAN Zone interface. This allows maximum security of your WLAN. This option is selected by default. Uncheck this option if you want to allow any traffic on your WLAN Zone regardless of whether or not it is from a wireless connection.

9 To restrict 2.4GHz SonicPoint/SonicWave auto channel selection to channels 1, 6, and 11 only, select Prefer SonicPoint/SonicWave 2.4GHz Auto channel Selection to be 1, 6 and 11 only. This option is not selected by default.

10 Click OK to apply these settings to the WLAN zone.

Deleting a Zone

Any zones that you create can be deleted.

To delete a user-created zone:

1 Navigate to the Network > Zones page.

2 Click its Delete icon in the Configure column.

Configuring a Zone for Guest Access

SonicWall User Guest Services provides an easy solution for creating wired and wireless guest passes and/or locked-down Internet-only network access for visitors or untrusted network nodes. This functionality can be extended to wireless or wired users on the WLAN, LAN, DMZ, or public/semi-public zone of your choice. For further information about configuring guest access, see Configuring Guest Services.

Configuring a Zone for Open Authentication and Social Login

The Management Service supports Open Authentication (OAuth) and Social Login:

• OAuth assists users in sharing data between applications.

• Social Login simplifies the login process for various social media.

TIP: To allow any traffic on your WLAN zone regardless of whether it is from a wireless connection, clear this option.

NOTE: The Delete icon is dimmed for predefined zones. You cannot delete these zones.


6 Configuring DNS

Domain Name System (DNS) is the Internet standard for locating domain names and translating them into IP addresses. By default, the SonicWall appliance inherits its DNS settings from the WAN Zone. The options change depending on the IP version:

Topics:

• Configuring IPv4 DNS

• Configuring IPv6 DNS

Configuring IPv4 DNS

In IPv4, you can specify the action to take to prevent DNS rebinding, which is a DNS-based attack on code embedded in web pages. Normally, requests from code embedded in web pages (JavaScript, Java, and Flash) are bound to the website they originate from. DNS rebinding attackers register a domain that is delegated to a DNS server they control. The domains exploit very short TTL parameters to scan the attacked network and do other malicious activities.

To configure IPv4 DNS:

1 Navigate to the Network > DNS page.

2 Select the IPv4 tab.

3 Choose from the following:

• To specify DNS servers manually, select Specify DNS Servers Manually and enter the IP addresses of up to three servers.

• To inherit the DNS settings from the WAN Zone configuration, select Inherit DNS Settings Dynamically from WAN Zone. This option is selected by default.

4 To prevent DNS rebinding, select Enable DNS Rebinding Attack Prevention. This option is not selected by default. When enabled, the following two options become available.

5 From Action, select an action to do when a DNS rebinding attack is detected:

• Log Attack (default)

• Log Attack & Return a Query Refused Reply

• Log Attack & Drop DNS Reply

6 (Optional) From Allowed Domains, select an FQDN Address Object/Group containing allowed domain-names (for example, *.sonicwall.com) for which locally connected/routed subnets should be considered legal responses. The default is –None–.

NOTE: The Network > DNS page is only available for appliances running SonicOS.


7 To allow DNS binding for FQDN objects from sanctioned servers, select FQDN Object Only Cache DNS Reply from Sanctioned Server.

8 Click Update. The settings are changed for the selected SonicWall appliance. To clear all settings and start over, click Reset.
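To make the DNS rebinding options concrete, here is an added Python model (not SonicWall code) of the reply check: a name that is not covered by the Allowed Domains list and that resolves to an address inside a locally connected or routed subnet is treated as a rebinding attempt, and the three Action choices decide what happens to the reply. The local subnets, the sample replies and the `check_reply` helper are constructed for the example; how the appliance itself matches FQDN objects is not described on the page.

```python
"""Added example (not SonicWall code): a DNS rebinding check modelled on the
Network > DNS options. Constructed: the local subnets, the wildcard matching
rule and the sample replies."""
import fnmatch
import ipaddress

# Constructed: subnets the firewall treats as locally connected or routed.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.168.0/24", "10.0.0.0/8")]

# The three Action choices from the page, in the order they are listed.
ACTIONS = ("log", "log_refuse", "log_drop")


def domain_allowed(name, allowed_domains):
    """True if name matches an Allowed Domains entry such as *.sonicwall.com.
    The wildcard also covers the bare domain (assumption for this example)."""
    name = name.rstrip(".").lower()
    for pattern in allowed_domains:
        p = pattern.rstrip(".").lower()
        if fnmatch.fnmatchcase(name, p) or (p.startswith("*.") and name == p[2:]):
            return True
    return False


def is_local(addr):
    """Does this answer point into one of the firewall's own subnets?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_SUBNETS)


def check_reply(qname, answers, action="log", allowed_domains=()):
    """Inspect one DNS reply. Returns (verdict, answers_to_forward, log_entries):
    'pass'    - nothing suspicious, reply forwarded unchanged
    'logged'  - Log Attack: logged, reply still forwarded
    'refused' - Log Attack & Return a Query Refused Reply: client gets REFUSED
    'dropped' - Log Attack & Drop DNS Reply: nothing is returned to the client"""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    suspicious = [a for a in answers if is_local(a)]
    if not suspicious or domain_allowed(qname, allowed_domains):
        return "pass", list(answers), []
    log = [f"DNS rebinding attack detected: {qname} -> {a}" for a in suspicious]
    if action == "log":
        return "logged", list(answers), log
    if action == "log_refuse":
        return "refused", [], log
    return "dropped", None, log


if __name__ == "__main__":
    # Constructed sample: an outside name answering with an internal address.
    print(check_reply("evil.example", ["192.168.168.10"], "log_drop"))
    # The same pattern for a sanctioned internal domain is legitimate.
    print(check_reply("intranet.sonicwall.com", ["10.1.2.3"], "log_drop", ["*.sonicwall.com"]))
```

The default action only logs, so the browser still receives the internal address; the Allowed Domains list is what keeps internal names that legitimately resolve to local subnets from being flagged once a blocking action is chosen.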

Configuring IPv6 DNS

To configure IPv6 DNS:

1 Navigate to the Network > DNS page.

2 Select the IPv6 tab.

3 Choose from the following:

• To specify DNS servers manually, select Specify DNS Servers Manually and enter the IP addresses of up to three servers.

• To inherit the DNS settings from the WAN Zone configuration, select Inherit IPv6 DNS Settings Dynamically from WAN Zone. This option is selected by default.

4 Click Update. The settings are changed for the selected SonicWall appliance. To clear all settings and start over, click Reset.


7 Configuring DNS Proxy

Topics:

• About DNS Proxy

• Configuring DNS Proxy Settings

• Viewing and Configuring Static DNS Cache Entries

About DNS Proxy

An IPv4 interface can do name resolution only on an IPv4 internet, and an IPv6 interface only on an IPv6 internet, unless DNS proxy is used. To allow IPv4 clients to access DNS services in a network with mixed IPv4 and IPv6 interfaces, the Management Service supports DNS proxy; see DNS Proxy.

DNS Proxy

The DNS proxy feature provides a transparent mechanism that allows devices to proxy hostname resolution requests on behalf of clients. The proxy can use existing DNS cache, which is either statically configured by you or learned dynamically, to respond to the queries directly.


The proxy can redirect the DNS queries selectively to specific DNS servers, according to partial or complete domain specifications. This is useful when VPN tunnels or PPPoE virtual links provide multiple network connectivity, and it is necessary to direct some DNS queries to one network, and other queries to another network.

With DNS Proxy, LAN Subnet devices use the SonicWall firewall as the DNS Server and send DNS queries to the firewall. The firewall proxies the DNS queries to the real DNS Server. In this way, the firewall is the central management point for the network DNS traffic, providing the ability to manage the DNS queries of the network at a single point.

When DNS proxy is enabled on an interface, one Allow Rule is auto-added by the Management Service. For the Access Rules associated with the interface, see Access Rules for DNS Proxy.

When DNS Proxy over TCP is enabled, another Allow Rule is auto-added.

Topics:

• Supported Interfaces

• DNS Server Liveness Detection and Failover

• DNS Cache

• Split DNS

• DHCP Server

• Enabling Log Settings

• Monitoring Packets

Supported Interfaces

The DNS proxy feature is supported on physical interfaces, VLAN interfaces, or VLAN trunk interfaces. The zone for each interface should only be LAN, DMZ, or WLAN.

DNS Server Liveness Detection and Failover

When multiple DNS servers are configured, to determine the “best” server, the Management Service considers these factors:

• DNS server priority.

• DNS server status (up, down, unknown).

• Time duration after failover.

DNS Cache

In DNS Proxy, a DNS cache saves the most commonly used domains and host addresses. When the firewall receives a DNS query that matches a domain in the DNS cache, it responds directly to the client using the cached record, without proxying the DNS query and reply.

NOTE: To maintain security, an incoming DNS Query is proxied only after Access Rule and DPI checking.


There are two kinds of DNS Cache:

Static Manually configured by you.

Dynamic Auto-learned by the Management Service. For each DNS Query, the Management Service DNS Proxy does the deep inspection on the URI and records the valid response to the caches.

When a DNS query matches an existing cache entry, the Management Service DNS Proxy responds directly with the cached URI. This usually decreases the network traffic and, thus, improves overall network performance.

Topics:

• Maximum DNS Cache Size

• High Availability Stateful Synchronization of DNS Cache

Maximum DNS Cache Size

Topics:

• Static DNS Cache Size

• Dynamic DNS Cache Size

Static DNS Cache Size

Static DNS cache entry size is always 256 regardless of platform. The static DNS cache is never deleted unless it is done manually.

Dynamic DNS Cache Size

Dynamic DNS cache size depends on the platform, as shown in Dynamic cache size.

If the maximum DNS cache size has been reached when the firewall attempts to add an entry to it, the firewall:

1 Deletes the DNS cache entry with the earliest expire time.

2 Adds the new DNS cache entry.

Dynamic cache size

Platform Maximum cache size

SM 9400/SM 9600 4096

SM 9200 2048

NSA 4600/NSA 5600/NSA 6600 2048

NSA 2600/NSA 3600 1024

TZ600 512

TZ400/TZ400 W/TZ500/TZ500 W/TZ300/TZ300 W 512

SOHO W 512
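An added Python model (not SonicWall code) of the two caches described above: a static table of 256 entries that is only ever removed by hand, and a per-platform dynamic table that evicts the entry with the earliest expiry time when it is full. Keying entries by name, holding an absolute expiry timestamp and treating an expired entry as a miss are assumptions made for the example; the platform sizes are the ones in the Dynamic cache size table.

```python
"""Added example (not SonicWall code): static and dynamic DNS proxy caches
with the page's sizes and earliest-expiry eviction. Assumed, not stated on the
page: entries are keyed by name, expiry is an absolute timestamp, an expired
entry counts as a miss, and equal expiry times evict the older insertion."""
import time

# From the Dynamic cache size table on this page.
DYNAMIC_CACHE_SIZE = {
    "SM 9400": 4096, "SM 9600": 4096, "SM 9200": 2048,
    "NSA 4600": 2048, "NSA 5600": 2048, "NSA 6600": 2048,
    "NSA 2600": 1024, "NSA 3600": 1024,
    "TZ600": 512, "TZ500": 512, "TZ400": 512, "TZ300": 512, "SOHO W": 512,
}
STATIC_CACHE_SIZE = 256   # always 256 regardless of platform


class DnsProxyCache:
    def __init__(self, platform):
        self.max_dynamic = DYNAMIC_CACHE_SIZE[platform]
        self.static = {}    # name -> address; never expires, removed only by hand
        self.dynamic = {}   # name -> (address, expires_at)

    def add_static(self, name, address):
        """Operator-configured entry; the static table has a hard cap of 256."""
        if name not in self.static and len(self.static) >= STATIC_CACHE_SIZE:
            raise OverflowError("static DNS cache is full")
        self.static[name] = address

    def delete_static(self, name):
        """The only way a static entry leaves the cache."""
        self.static.pop(name, None)

    def learn(self, name, address, ttl, now=None):
        """Record a validated reply. When the dynamic table is full, delete the
        entry with the earliest expire time first, then add the new one."""
        now = time.time() if now is None else now
        if name not in self.dynamic and len(self.dynamic) >= self.max_dynamic:
            victim = min(self.dynamic, key=lambda n: self.dynamic[n][1])
            del self.dynamic[victim]
        self.dynamic[name] = (address, now + ttl)

    def lookup(self, name, now=None):
        """Static entries win; a stale dynamic entry is dropped and reported as a miss
        so the query is proxied to the real server instead."""
        now = time.time() if now is None else now
        if name in self.static:
            return self.static[name]
        entry = self.dynamic.get(name)
        if entry is None:
            return None
        address, expires_at = entry
        if expires_at <= now:
            del self.dynamic[name]
            return None
        return address


if __name__ == "__main__":
    # Constructed sample on a TZ600-sized (512 entry) dynamic cache.
    cache = DnsProxyCache("TZ600")
    for i in range(512):
        cache.learn(f"h{i}.example", f"10.0.{i // 256}.{i % 256}", ttl=100 + i, now=0)
    cache.learn("new.example", "10.9.9.9", ttl=1000, now=0)   # evicts h0 (expires first)
    print(cache.lookup("h0.example", now=0), cache.lookup("new.example", now=0))
```

Because eviction is by earliest expiry rather than by age or use, a burst of long-TTL answers can push out short-TTL entries that are still being queried; on the smaller platforms the 512-entry limit is reached quickly on a busy LAN.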


High Availability Stateful Synchronization of DNS Cache

DNS proxy supports stateful synchronization of DNS cache. When the DNS cache is added, deleted, or updated dynamically, it synchronizes to the idle firewall.

Split DNS

Split DNS is an enhancement that allows you to configure a set of servers and associate them to a given domain name (which can be a wildcard). When the Management Service DNS Proxy receives a query that matches the domain name, the name is transmitted to the designated DNS server. The topology in Split DNS example shows how this works:

• This topology has two firewalls with network connectivity:

• One firewall is connected to the Internet.

• Another is a VPN tunnel connected to the corporation network.

• Default DNS queries go to the public ISP DNS Server.

• All queries to *.sonicwall.com go to the DNS server located behind the VPN tunnel.

Split DNS example

For viewing and configuring split DNS entries, see Viewing and Configuring Split DNS.

By adding a split DNS entry, all queries to sonicwall.com are sent to the specific server.

Multiple DNS servers could be configured to handle queries to sonicwall.com as well.
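The split DNS matching above, combined with the three liveness factors from DNS Server Liveness Detection and Failover, as an added Python example (not SonicWall code). It assumes that the most specific matching domain wins when several entries match, and that servers within an entry are ranked by status (up, then unknown, then down), then by a lower priority number, then by the longest time since their last failover; the page names the factors but not their order. The entries and addresses are constructed.

```python
"""Added example (not SonicWall code): split DNS routing plus "best server"
selection. Assumed, not stated on the page: most specific matching domain wins;
servers rank by status, then lower priority number, then longest time since
last failover. All entries and addresses below are constructed."""
import fnmatch
from dataclasses import dataclass

STATUS_RANK = {"up": 0, "unknown": 1, "down": 2}   # green / yellow / red icons


@dataclass
class DnsServer:
    address: str
    priority: int = 1            # lower number = preferred (assumption)
    status: str = "unknown"      # up / unknown / down, as on the Split DNS table
    last_failover: float = 0.0   # time of the last failover, 0.0 = never


@dataclass
class SplitDnsEntry:
    domain: str                  # may contain a wildcard, e.g. *.sonicwall.com
    servers: list


def domain_matches(pattern, qname):
    """Wildcard match; *.example also covers the bare 'example' name (assumption)."""
    qname = qname.rstrip(".").lower()
    p = pattern.rstrip(".").lower()
    return fnmatch.fnmatchcase(qname, p) or (p.startswith("*.") and qname == p[2:])


def select_entry(entries, qname):
    """Return the most specific matching split DNS entry, or None for the default servers."""
    matches = [e for e in entries if domain_matches(e.domain, qname)]
    return max(matches, key=lambda e: len(e.domain)) if matches else None


def best_server(servers, now):
    """Rank by status, then priority, then how long the server has been stable."""
    return min(servers, key=lambda s: (STATUS_RANK[s.status], s.priority,
                                       -(now - s.last_failover)))


def route_query(qname, entries, default_servers, now=0.0):
    """Return (server address, matched domain or 'default') for one query."""
    entry = select_entry(entries, qname)
    servers = entry.servers if entry else default_servers
    srv = best_server(servers, now)
    return srv.address, (entry.domain if entry else "default")


if __name__ == "__main__":
    # Constructed topology from the text: corporate names go over the VPN,
    # everything else to the public ISP resolver.
    corp = SplitDnsEntry("*.sonicwall.com", [DnsServer("10.10.10.5", 1, "down"),
                                             DnsServer("10.10.10.6", 2, "up")])
    default = [DnsServer("203.0.113.53", 1, "up")]
    print(route_query("www.sonicwall.com", [corp], default))
    print(route_query("www.example.com", [corp], default))
```

The first preferred corporate server is marked down, so the query goes to the lower-priority one over the same tunnel rather than leaking to the ISP resolver; that is the property to check when validating a split DNS deployment, because a fallback to the default servers for an internal name would expose internal hostnames to the public resolver.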

DHCP Server

When DNS Proxy is enabled on an interface, the device needs to push the interface IP as a DNS server address to clients, so the DHCP server must be configured manually, using the interface address as the DNS Server 1 address in the DHCP Server settings on DNS/WINS. The Interface Pre-Populate option in the Dynamic Range Configuration dialog makes this easy to configure; if the selected interface has enabled DNS Proxy, the DNS server IP is added automatically into the DNS/WINS page. For more information about configuring the DHCP server, see Configuring DNS.


Enabling Log Settings

Several event logs are related to DNS Proxy and need to be configured.

Monitoring Packets

The process of DNS Proxy is monitored with Dashboard > Packet Monitor.

Configuring DNS Proxy Settings

Topics:

• Enabling DNS Proxy

• Configuring DNS Proxy Settings

• Viewing and Configuring Split DNS

• Viewing and Configuring Static DNS Cache Entries

• Viewing DNS Cache Entries

Enabling DNS Proxy

Enabling DNS Proxy must be done first globally on the Network > DNS Proxy page and then on each interface. This provides gradual control to enable the feature for different network segments independently.

To enable DNS Proxy:

1 Navigate to the Network > DNS Proxy page.

2 Select Enable DNS Proxy. This option is not selected by default.

3 Click Update.

4 Navigate to Network > Interfaces.

5 Click the Edit icon for the interface on which to enable DNS Proxy. The Edit Interface dialog displays.

6 Click Advanced.

7 Select Enable DNS Proxy. This option displays only when DNS Proxy is enabled globally.

8 Click OK.

9 Repeat Step 5 through Step 8 for each interface on which to enable DNS Proxy.

10 Click Accept.


Configuring DNS Proxy Settings

To configure DNS Proxy:

1 Navigate to the Network > DNS Proxy page.

2 From DNS Proxy Mode, choose the IP version for sending/receiving DNS Proxy packets between the firewall and the DNS Servers:

• IPv4 to IPv4 (default)

• IPv4 to IPv6

3 From DNS Proxy Protocol, choose the protocol for sending/receiving DNS Proxy packets between the firewall and the DNS Servers:

• UDP and TCP (default)

• UDP only

4 To have DNS Proxy handle all DNS requests regardless of their destination, select Enforce DNS Proxy for All DNS Requests. If this option is disabled, only DNS Proxy requests destined for SonicWall firewalls are processed. This option is not selected by default.

5 For DNS over UDP requests only, select Enable DNS Cache. This option is selected by default.

6 Click Update.

Viewing and Configuring Split DNS

Topics:

• Adding Split DNS Servers

• Deleting Split DNS Entries

NOTE: DNS Proxy protocol is an advanced setting. For more information about configuring this setting, contact Technical Support.

The Split DNS table has these columns:

Domain Name – Name of the DNS server.

IPv4 DNS Server – IPv4 address of the DNS server and its status icon:

• Green – up

• Yellow – unknown

• Red – down

IPv6 DNS Server – IPv6 address of the DNS server and its status icon:

• Green – up

• Yellow – unknown

• Red – down

Local Interface – Interface assigned to the DNS server.

Configure – Contains Edit and Delete icons for each server.


Adding Split DNS Servers

To add a set of servers and associate them to a given domain name:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Split DNS section.

3 Click Add Split DNS under the Split DNS table. The Add Split DNS Entry dialog displays.

4 Enter the name in the Domain Name field. The name can contain a wildcard (*; for example, *.sonicwall.com).

5 To configure one or more IPv4 Split DNS Servers for this domain, enter the IP address of the server or servers:

• IPv4 Primary Server

• IPv4 Secondary Server

• IPv4 Tertiary Server

6 To configure one or more IPv6 Split DNS Servers for this domain, enter the IP address of the server or servers:

• IPv6 Primary Server

• IPv6 Secondary Server

• IPv6 Tertiary Server

7 Select an interface from the Local Interface drop-down menu.

8 To modify the TTL value in the DNS answer field from a DNS reply when the domain matches the split, select Manually set TTL value in DNS reply, and then enter the maximum value in the (seconds) field. The minimum number is 1, and the maximum number is 1569325055. This option is not selected by default.

9 Click OK.

10 To add another entry, repeat Step 4 through Step 9 for each entry.

Editing Split DNS Entries

To edit a Split DNS entry:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Split DNS section.

3 Click the entry’s Edit icon. The Edit Split DNS Entry dialog displays.

4 Make the changes.

5 Click OK.

IMPORTANT: The maximum number of entries for Split DNS is 32. If the list is full, new entries cannot be added.


Deleting Split DNS Entries

To delete a Split DNS entry:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Split DNS section.

3 Select the split DNS entry you want to delete.

4 Click the entry’s Delete icon.

To delete multiple Split DNS entries:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Split DNS section.

3 Select the checkboxes of the entries to be deleted. The Delete button becomes available.

4 Click Delete.

To delete all Split DNS entries:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Split DNS section.

3 Click Delete All.

Viewing and Configuring Static DNS Cache Entries

To add static DNS cache entries:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Static DNS Cache Entries section.

3 Click Add Static DNS Cache Entry. The Add Static DNS Cache dialog displays.

4 Enter a name in the Domain Name field.

5 For IPv4 static DNS cache, enter the primary IPv4 address in the IPv4 Address 1 field.

6 Optionally, for IPv4 static DNS cache, enter the secondary IPv4 address in the IPv4 Address 2 field.

7 For IPv6 static DNS cache, enter the primary IPv6 address in the IPv6 Address 1 field.

8 Optionally, for IPv6 static DNS cache, enter the secondary IPv6 address in the IPv6 Address 2 field.

9 Click OK.

10 To add another static DNS cache entry, repeat Step 4 through Step 9 for each entry.

The Static DNS Cache Entries table has these columns:

Domain Name – Name of the static DNS cache domain.

IPv4 Address 1 – Primary IPv4 address of the static DNS cache entry. 0.0.0.0 if not specified.

IPv4 Address 2 – Secondary IPv4 address of the static DNS cache entry. 0.0.0.0 if not specified.

IPv6 Address 1 – Primary IPv6 address of the static DNS cache entry. :: if not specified.

IPv6 Address 2 – Secondary IPv6 address of the static DNS cache entry. :: if not specified.

Configure – Contains the Edit and Delete icons for each entry.
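As an added example (not SonicWall's code), the following Python models the lookup order that the Split DNS and Static DNS Cache procedures above configure: a static cache entry answers first (Permanent), then the most specific matching Split DNS domain (wildcards as in *.sonicwall.com) supplies the servers and local interface, and the manual TTL option is treated as a cap on the upstream TTL. The lookup order and the cap semantics are assumptions; all names and addresses are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

MAX_SPLIT_DNS_ENTRIES = 32            # limit stated in the IMPORTANT note above
TTL_MIN, TTL_MAX = 1, 1569325055      # bounds quoted for the manual TTL option


@dataclass
class SplitDnsEntry:
    domain: str                       # may contain a wildcard, e.g. "*.corp.example"
    ipv4_servers: list[str]           # primary, secondary, tertiary
    local_interface: str
    manual_ttl: Optional[int] = None  # "Manually set TTL value in DNS reply" (assumed to be a cap)


@dataclass
class StaticCacheEntry:
    domain: str
    ipv4_addresses: list[str] = field(default_factory=list)
    ipv6_addresses: list[str] = field(default_factory=list)


class DnsProxyTable:
    """Static cache entries answer first, then the most specific Split DNS
    match, then the default servers (this lookup order is an assumption)."""

    def __init__(self, default_servers: list[str]) -> None:
        self.default_servers = default_servers
        self.split: list[SplitDnsEntry] = []
        self.static: dict[str, StaticCacheEntry] = {}

    def add_split(self, entry: SplitDnsEntry) -> None:
        if len(self.split) >= MAX_SPLIT_DNS_ENTRIES:
            raise ValueError("Split DNS list is full (32 entries)")
        if entry.manual_ttl is not None and not TTL_MIN <= entry.manual_ttl <= TTL_MAX:
            raise ValueError("manual TTL out of range")
        self.split.append(entry)

    def add_static(self, entry: StaticCacheEntry) -> None:
        self.static[entry.domain.lower().rstrip(".")] = entry

    def match_split(self, qname: str) -> Optional[SplitDnsEntry]:
        """Most specific (longest pattern) Split DNS entry matching the name."""
        name = qname.lower().rstrip(".")
        hits = [e for e in self.split if fnmatchcase(name, e.domain.lower())]
        return max(hits, key=lambda e: len(e.domain)) if hits else None

    def resolve_plan(self, qname: str) -> dict:
        """Where a query is answered from and which servers/interface apply."""
        name = qname.lower().rstrip(".")
        if name in self.static:
            ent = self.static[name]
            return {"source": "static", "ttl": "Permanent",
                    "ipv4": ent.ipv4_addresses or ["0.0.0.0"],   # 0.0.0.0 if not specified
                    "ipv6": ent.ipv6_addresses or ["::"]}        # :: if not specified
        ent = self.match_split(name)
        if ent is not None:
            return {"source": "split", "servers": ent.ipv4_servers,
                    "interface": ent.local_interface, "manual_ttl": ent.manual_ttl}
        return {"source": "default", "servers": self.default_servers}

    def apply_ttl(self, qname: str, upstream_ttl: int) -> int:
        """TTL handed to the client: capped by the manual TTL when the
        matching Split DNS entry sets one."""
        ent = self.match_split(qname)
        if ent is not None and ent.manual_ttl is not None:
            return min(upstream_ttl, ent.manual_ttl)
        return upstream_ttl


def build_sample_table() -> DnsProxyTable:
    """Constructed sample: internal zones go to internal resolvers on X2."""
    table = DnsProxyTable(default_servers=["203.0.113.53"])
    table.add_split(SplitDnsEntry("*.example", ["192.0.2.53"], "X1"))
    table.add_split(SplitDnsEntry("*.corp.example", ["10.0.0.2", "10.0.0.3"], "X2",
                                  manual_ttl=60))
    table.add_static(StaticCacheEntry("intranet.corp.example", ["10.0.0.10"]))
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for q in ("intranet.corp.example", "mail.corp.example", "www.example", "www.example.net"):
        print(q, "->", t.resolve_plan(q), "ttl", t.apply_ttl(q, 3600))
```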


Deleting Static DNS Cache Entries

To delete a static DNS cache entry:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Static DNS Cache Entries section.

3 Select the static DNS cache entry that you want to delete.

4 Click the entry’s Delete icon.

To delete two or more static DNS cache entries:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Static DNS Cache Entries section.

3 Select the checkboxes of the entries to be deleted. The Delete Static DNS Cache Entry(s) button becomes available.

4 Click Delete Static DNS Cache Entry(s).

To delete all static DNS cache entries:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the Static DNS Cache Entries section.

3 Click Delete All.

Viewing DNS Cache Entries

Dynamic DNS cache entries are added automatically during the DNS Proxy process; static DNS cache entries are added when you configure them. Dynamic DNS cache entries have a TTL value and can be flushed. Static DNS cache entries must be deleted; see Deleting Static DNS Cache Entries.

The DNS Cache Objects table has these controls and columns:

View IP Version – Select either IPv4 or IPv6.

Domain Name – Name of the DNS server.

Type – Dynamic or Static.

IP Address – IPv4 or IPv6 address of the DNS server. Mousing over an entry displays Host and Time to Live (TTL) information for the entry (see Time to Leave for TTL values).

Time to Leave – Either:

• Expires in n minutes x seconds (Dynamic DNS)

• Expired (Dynamic DNS)

• Permanent (Static DNS)

Flush – Flush icon for each entry.


Flushing Dynamic DNS Cache Entries

To flush a dynamic DNS cache entry:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the DNS Cache Objects section.

3 Select the entry you want to flush.

4 Click the entry’s Flush icon.

To flush two or more dynamic DNS cache entries:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the DNS Cache Objects section.

3 Select the checkboxes of the entries to be flushed. The Flush button becomes available.

4 Click Flush.

To flush all dynamic DNS cache entries:

1 Navigate to the Network > DNS Proxy page.

2 Scroll down to the DNS Cache Objects section.

3 Click Flush DNS Cache.


8

Configuring DNS Security

• About Sinkholes on page 57

• Network > DNS Security on page 57

• Configuring DNS Security Settings on page 57

• Deleting Entries in the Lists on page 58

About Sinkholes

A DNS sinkhole, also known as a sinkhole server, internet sinkhole, or BlackholeDNS, is a DNS server that gives out false information to prevent the use of the domain names it represents. DNS sinkholes are effective at detecting and blocking malicious traffic, and are used to combat bots and other unwanted traffic.

SonicOS now provides the ability to configure a sinkhole with black and white lists.

Network > DNS Security

MANAGE | Network > DNS Security allows you to manually configure your DNS security settings at the unit and group levels.

Configuring DNS Security Settings

To configure DNS Security settings:

1 Navigate to MANAGE | Network > DNS Security.

2 Select Enable DNS Sinkhole Service. This option is selected by default.

3 Select what the service is to do from Action:

• Log Only

• Negative Reply

• Reply with Forged IP – Two fields display:

a) Enter the IPv4 and IPv6 addresses in the fields.

4 Scroll to Custom Malicious Domain Name List.

5 Click ADD. The Add One Domain Name dialog displays.

6 Click OK.

7 Enter the malicious domain name in the Domain Name field.

8 Repeat Step 5 through Step 7 for each domain name.

SonicOS 6.5 System Setup


9 Scroll to White List.

10 Click ADD. The Add One White Entry dialog displays.

11 Enter the white-list domain name in the Domain Name field.

12 Click OK.

13 Repeat Step 10 through Step 12 for each domain name.

14 Click ACCEPT to save your changes.

Deleting Entries in the Lists

To delete a list’s entries:

1 Navigate to MANAGE | Network > DNS Security.

2 Select the entry to delete. The DELETE and DELETE ALL buttons become available.

3 Click the appropriate button.

About DNS Tunneling Detection

DNS tunneling is a method of bypassing security controls and exfiltrating data from a targeted organization. A DNS tunnel can be used as a full remote-control channel for a compromised internal host. Capabilities include Operating System (OS) commands, file transfers or even a full IP tunnel.

SonicOS provides the ability to detect DNS tunneling attacks, displays suspicious clients, and allows you to create white lists for DNS tunnel detection.

When DNS tunneling detection is enabled, SonicOS logs whenever suspicious DNS packets are dropped.

Topics:

• Enabling DNS Tunneling Detection on page 58

• Viewing Detected Suspicious Clients on page 59

• Creating DNS Tunnel Detection White Lists on page 59

Enabling DNS Tunneling Detection

To configure DNS tunneling detection:

1 Navigate to MANAGE | Network > DNS Security.

2 Scroll to the DNS Tunnel Detection section.

3 To enable DNS tunnel detection, select Enable DNS Tunnel Detection.

4 To block all the detected clients’ DNS traffic, select Block All The Clients DNS Traffic.

5 Click ACCEPT.

NOTE: DNS Tunneling settings can be made at the group or unit level.


Viewing Detected Suspicious Clients

SonicOS displays information about all hosts that have established a DNS tunnel in the Detected Suspicious Clients Information table.

Creating DNS Tunnel Detection White Lists

You can create white lists for IP addresses you consider safe. If a detected DNS tunnel IP address matches an address in the white list, DNS tunnel detection is bypassed.

To create a DNS

1 Navigate to MANAGE | Network > DNS Security.

2 Scroll to White List for DNS Tunnel Detection.

3 Click ADD. The Add One White List Entry dialog displays.

4 Click OK.

5 Repeat Step 3 and Step 4 for each white list entry.

Deleting DNS Tunnel Detection White List Entries

To delete all DNS tunnel detection white list entries:

1 Navigate to MANAGE | Network > DNS Security.

2 Scroll to White List for DNS Tunnel Detection.

3 Click DELETE ALL.

To delete one or more DNS tunnel detection white list entries:

1 Navigate to MANAGE | Network > DNS Security.

2 Scroll to White List for DNS Tunnel Detection.

3 Select one or more DNS tunnel detection white list entries. DELETE becomes available.

4 Click DELETE.

TIP: This table is populated only if DNS tunnel detection is enabled. Hosts are dropped only if blocking the clients’ DNS traffic is enabled. See Enabling DNS Tunneling Detection on page 58.

The Detected Suspicious Clients Information table has these columns:

IP Address – IP address of the suspicious client.

MAC Address – MAC address of the suspicious client.

Detection Method – DNS type used to detect suspicious clients:

• Normal DNS Type: A, AAAA, CNAME

• Corner DNS Type: such as TXT, NULL, SRV, PRIVATE, MX

Interface – Interface on which the host establishing the DNS tunnel was detected.

Block – Indicates whether the host was blocked.
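As an added example (not SonicOS code) covering both the sinkhole Action settings and the DNS tunnel detection table above, this Python applies a custom malicious-domain list and white list with the three actions (Log Only, Negative Reply, Reply with Forged IP), then classifies constructed query-log lines per client by the Normal and Corner DNS types listed in the table, honouring a white list and the Block setting. The log format, the thresholds and the long-label heuristic for normal-type queries are assumptions.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

NORMAL_TYPES = {"A", "AAAA", "CNAME"}                   # "Normal DNS Type" on the page
CORNER_TYPES = {"TXT", "NULL", "SRV", "PRIVATE", "MX"}  # "Corner DNS Type" on the page
CORNER_THRESHOLD = 5   # assumed: corner-type queries before a client is flagged
LONG_LABEL = 40        # assumed: a label this long in a normal-type query is suspect


def _domain_matches(name: str, listed: str) -> bool:
    """True when name equals the listed domain or is a subdomain of it."""
    name, listed = name.lower().rstrip("."), listed.lower().rstrip(".")
    return name == listed or name.endswith("." + listed)


@dataclass
class SinkholeConfig:
    enabled: bool = True
    action: str = "Log Only"          # or "Negative Reply" / "Reply with Forged IP"
    forged_ipv4: Optional[str] = None
    forged_ipv6: Optional[str] = None
    malicious: tuple[str, ...] = ()   # Custom Malicious Domain Name List
    white: tuple[str, ...] = ()       # White List (checked first, always wins)


def sinkhole_decision(cfg: SinkholeConfig, qname: str, qtype: str) -> dict:
    """What the sinkhole does with one query under the configured Action."""
    if not cfg.enabled or any(_domain_matches(qname, w) for w in cfg.white):
        return {"matched": False, "verdict": "forward"}
    if not any(_domain_matches(qname, m) for m in cfg.malicious):
        return {"matched": False, "verdict": "forward"}
    if cfg.action == "Log Only":
        return {"matched": True, "verdict": "forward", "log": True}
    if cfg.action == "Negative Reply":
        return {"matched": True, "verdict": "NXDOMAIN", "log": True}
    if cfg.action == "Reply with Forged IP":
        answer = cfg.forged_ipv6 if qtype.upper() == "AAAA" else cfg.forged_ipv4
        return {"matched": True, "verdict": "forged", "answer": answer, "log": True}
    raise ValueError(f"unknown sinkhole action {cfg.action!r}")


# Constructed query log, one query per line: "<client-ip> <mac> <interface> <qtype> <qname>"
_LONG = "0123456789abcdef" * 3   # a 48-character label, longer than LONG_LABEL
SAMPLE_QUERY_LOG = "\n".join(
    ["10.1.1.20 00:11:22:33:44:01 X0 A www.example.com"]
    + [f"10.1.1.20 00:11:22:33:44:01 X0 TXT chunk{i}.exfil.example" for i in range(5)]
    + ["10.1.1.30 00:11:22:33:44:02 X0 A mail.example.com",
       "10.1.1.30 00:11:22:33:44:02 X0 MX example.com"]
    + [f"10.1.1.40 00:11:22:33:44:03 X3 A {_LONG}{i}.t.example" for i in range(5)]
)


def detect_tunnel_clients(log_text: str, white_list: tuple[str, ...] = (),
                          block_all: bool = False,
                          threshold: int = CORNER_THRESHOLD) -> list[dict]:
    """Rows for the Detected Suspicious Clients table. Per client, count
    corner-type queries and long-label normal-type queries; white-listed
    client addresses bypass detection; Block mirrors the
    'Block All The Clients DNS Traffic' option."""
    corner, long_normal = Counter(), Counter()
    meta: dict[str, tuple[str, str]] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed lines
        ip, mac, iface, qtype, qname = parts
        meta[ip] = (mac, iface)
        qtype = qtype.upper()
        if qtype in CORNER_TYPES:
            corner[ip] += 1
        elif qtype in NORMAL_TYPES and max(len(l) for l in qname.split(".")) > LONG_LABEL:
            long_normal[ip] += 1
    rows = []
    for ip, (mac, iface) in meta.items():
        if ip in white_list:
            continue                      # detection bypassed for white-listed addresses
        if corner[ip] >= threshold:
            method = "Corner DNS Type"
        elif long_normal[ip] >= threshold:
            method = "Normal DNS Type"
        else:
            continue
        rows.append({"ip": ip, "mac": mac, "interface": iface,
                     "detection_method": method, "block": block_all})
    return rows
```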


9

Configuring Route Policies

If you have routers on your interfaces, you can configure the SonicWall appliance to route network traffic to specific predefined destinations. Static routes must be defined if the network connected to an interface is segmented into subnets, either for size or practical considerations. For example, a subnet can be created to isolate a section of a company, such as finance, from network traffic on the rest of the LAN, DMZ, or WAN.

When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy. For more information, see Probe-Enabled Policy Based Routing Configuration.

Topics:

• Adding Static Routes

• Probe-Enabled Policy Based Routing Configuration

Adding Static Routes

To add a static route:

1 Expand the Network tree.

2 Navigate to the Network > Route Policies page.

3 Click Add Route Policy. The Add Route Policy dialog displays.

4 Select the source address object from Source.

5 Select the destination address object from Destination.

6 Specify the type of service that is routed from Service.

7 Choose the type of route:

• Standard Route (default)

• Multi-Path Route

8 Select the address object that acts as a gateway for packets matching these settings from Gateway.

9 Select the interface through which these packets are routed from Interface.

10 Specify the RIP metric in the Metric field. The default is 1.

11 Type a descriptive comment into the Comment field.

12 For appliances running SonicOS, optionally select Disable route when the interface is disconnected. This option is not selected by default.

13 For appliances running SonicOS, select Allow VPN path to take precedence to allow a matching VPN network to take precedence over the static route when the VPN tunnel is up. This option is not selected by default.


14 For appliances running SonicOS 6.1 and above, select Permit TCP Acceleration to allow accelerated TCP traffic to pass through the SonicWall appliance.

15 For appliances running WAN Acceleration, select the acceleration group from WXA Group.

16 Select a probe type from Probe. The default is None. If a probe type is selected, the following two options become available:

a Select Disable route when probe succeeds. This option is not selected by default.

b Select Probe default state is UP.

17 To configure the routing policy advanced settings, click Advanced.

18 Enter the ToS hexadecimal value in the TOS field.

19 Enter the ToS Mask hexadecimal value in the TOS Mask field.

20 Enter a value for the Admin Distance, or select Auto for an automatically created Admin Distance.

21 When you are finished, click OK. The route settings are configured for the selected SonicWall appliance(s).

To clear all settings and start over, click Reset.

Probe-Enabled Policy Based Routing Configuration

For appliances running SonicOS 5.5 and above, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.

Policy Based Routing is fully supported for IPv6 by selecting IPv6 address objects and gateways for route policies on the Network > Route Policies page. IPv6 address objects are listed in the Source, Destination, and Gateway columns of the Route Policies table. Configuring routing policies for IPv6 is nearly identical to IPv4.

To configure a policy based route:

1 Expand the Network tree.

2 Navigate to the Network > Route Policies page.

3 From Probe, select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object.

4 Select the Probe default state is UP to have the route consider the probe to be successful (such as in the UP state) when the attached Network Monitor policy is in the UNKNOWN state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from IDLE to ACTIVE, because this transition sets all Network Monitor policy states to UNKNOWN.

5 Click OK to apply the configuration.

NOTE: For more information about creating probe-enabled routing, see Probe-Enabled Policy Based Routing Configuration.

NOTE: Typical configurations do not have Disable route when probe succeeds checked because typically a route is disabled when a probe to the route’s destination fails. This option is provided to give you added flexibility for defining routes and probes.
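As an added example (not SonicWall's code), the Python below works through how the Probe, Disable route when probe succeeds and Probe default state is UP options decide whether a route policy is active, including the UNKNOWN probe state after a High Availability transition, and then selects the route for a packet from Source, Destination, Service, Admin Distance and Metric. The tie-break order (most specific destination, then lowest Admin Distance, then lowest Metric) and the sample policies are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UP, DOWN, UNKNOWN = "UP", "DOWN", "UNKNOWN"   # Network Monitor probe states


@dataclass
class RoutePolicy:
    source: str                 # address object as CIDR, or "any"
    destination: str            # address object as CIDR, or "any"
    service: str                # "any" or e.g. "tcp/443"
    gateway: str
    interface: str
    metric: int = 1
    admin_distance: int = 1
    probe: Optional[str] = None                # Network Monitor policy name
    disable_when_probe_succeeds: bool = False  # "Disable route when probe succeeds"
    probe_default_state_up: bool = False       # "Probe default state is UP"


def effective_probe_state(policy: RoutePolicy, probe_states: dict[str, str]) -> str:
    """UNKNOWN (for example right after an HA IDLE to ACTIVE transition) counts
    as UP only when 'Probe default state is UP' is set; otherwise as DOWN."""
    state = probe_states.get(policy.probe, UNKNOWN)
    if state == UNKNOWN:
        return UP if policy.probe_default_state_up else DOWN
    return state


def route_is_enabled(policy: RoutePolicy, probe_states: dict[str, str]) -> bool:
    if policy.probe is None:
        return True                   # no probe attached: always enabled
    state = effective_probe_state(policy, probe_states)
    if policy.disable_when_probe_succeeds:
        return state == DOWN          # the atypical, inverted option
    return state == UP                # typical: route lives while the probe succeeds


def _matches(addr_obj: str, ip: str) -> bool:
    return addr_obj == "any" or ip_address(ip) in ip_network(addr_obj, strict=False)


def _prefix_len(addr_obj: str) -> int:
    return 0 if addr_obj == "any" else ip_network(addr_obj, strict=False).prefixlen


def select_route(policies: list[RoutePolicy], probe_states: dict[str, str],
                 src: str, dst: str, service: str = "any") -> Optional[RoutePolicy]:
    """Pick the route for a packet: only enabled policies whose Source,
    Destination and Service match are candidates; the most specific
    destination wins, then the lowest Admin Distance, then the lowest Metric
    (this tie-break order is an assumption)."""
    candidates = [p for p in policies
                  if route_is_enabled(p, probe_states)
                  and _matches(p.source, src) and _matches(p.destination, dst)
                  and p.service in ("any", service)]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (-_prefix_len(p.destination),
                                          p.admin_distance, p.metric))


def sample_policies() -> list[RoutePolicy]:
    """Constructed: primary WAN on X1, backup WAN on X2, one local static route."""
    return [
        RoutePolicy("any", "0.0.0.0/0", "any", "203.0.113.1", "X1",
                    admin_distance=1, probe="wan1", probe_default_state_up=True),
        RoutePolicy("any", "0.0.0.0/0", "any", "198.51.100.1", "X2",
                    admin_distance=5, probe="wan2"),
        RoutePolicy("10.0.0.0/24", "172.16.0.0/16", "any", "10.0.0.254", "X0"),
    ]
```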


10

Configuring Routing Protocols

Topics:

• About RIP

• About Advanced Routing Services

• Configuring Routing Protocols

About RIP

Routing Information Protocol (RIP) is a distance-vector routing protocol that is commonly used in small homogeneous networks. Using RIP, a router periodically sends its entire routing table to its closest neighbor, which passes the information to its next neighbor, and so on. Eventually, all routers within the network have the information about the routing paths. When attempting to route packets, a router checks the routing table and selects the path that requires the fewest hops.

SonicWall appliances support RIPv1 or RIPv2 to advertise their static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWall and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 or RIPv2 based on your router’s capabilities or configuration. RIPv1 is an earlier version of the protocol that has fewer features, and it also sends packets through broadcast instead of multicast. RIPv2 packets are backwards-compatible and can be accepted by some RIPv1 implementations that provide an option of listening for multicast packets. The RIPv2 Enabled (broadcast) selection broadcasts packets instead of multicasting packets, and is for heterogeneous networks with a mixture of RIPv1 and RIPv2 routers.

About Advanced Routing Services

For appliances running SonicOS versions 5.6 and higher, VPN Tunnel Interfaces can be configured for advanced routing. To do so, you must enable advanced routing for the tunnel interface when configuring it. See Generic VPN Configuration in the Management Service for more information.

After you have enabled advanced routing for a Tunnel Interface, it is displayed in the list with the other interfaces in the Advanced Routing table on the Network > Routing Protocols page.

The RIP configurations for Tunnel Interfaces are very similar to the configurations for traditional interfaces, with the addition of two options listed at the bottom under a new Global Unnumbered Configuration heading.

When running SonicOS version 5.9 or higher, a BGP drop-down menu is available in the Advanced Routing Services section. This menu gives you the options to enable or disable the BGP feature and is only available if Use Advanced Routing is selected and BGP is licensed.


Configuring Routing Protocols

Topics:

• Global Unnumbered Configuration

• Guidelines for Configuring Tunnel Interfaces for Advanced Routing

• Configuring Route Advertisement

• Configuring Global RIP

• Configuring Global OSPFv2

Global Unnumbered Configuration

Because Tunnel Interfaces are not physical interfaces and have no inherent IP address, they must “borrow” the IP address of another interface. Therefore, the advanced routing configuration for a Tunnel Interface includes the following options for specifying the source and destination IP addresses for the tunnel:

• IP Address Borrowed From - The interface whose IP address is used as the source IP address for the Tunnel Interface.

• Remote IP Address - The IP address of the remote peer to which the Tunnel Interface is connected. In the case of a SonicWall-to-SonicWall configuration with another Tunnel Interface, this should be the IP address of the borrowed interface of the Tunnel Interface on the remote peer.

Guidelines for Configuring Tunnel Interfaces for Advanced Routing

The following guidelines ensure success when configuring Tunnel Interfaces for advanced routing:

• The borrowed interface must have a static IP address assignment.

• The borrowed interface cannot have RIP enabled on its configuration.

• The IP address of the borrowed interface should be from a private address space, and should have a unique IP address in respect to any remote Tunnel Interface endpoints.

• The Remote IP Address of the endpoint of the Tunnel Interface should be in the same network subnet as the borrowed interface.

• The same borrowed interface might be used for multiple Tunnel Interfaces, provided that the Tunnel interfaces are all connected to different remote devices.

• When more than one Tunnel Interface on an appliance is connected to the same remote device, each Tunnel Interface must use a unique borrowed interface.

NOTE: The borrowed IP address must be a static IP address.

NOTE: The IP Address Borrowed From and Remote IP Address values apply to both RIP for the Tunnel Interface.

TIP: SonicWall recommends creating a VLAN interface that is dedicated solely for use as the borrowed interface. This avoids conflicts when using wired connected interfaces.


Depending on the specific circumstances of your network configuration, these guidelines might not be essential to ensure that the Tunnel Interface functions properly. But these guidelines are SonicWall best practices that will avoid potential network connectivity issues.

Configuring Route Advertisement

To configure the Route Advertisement for RIP:

1 Navigate to the Network > Routing Protocols page.

2 Click the Edit icon for an interface. The Edit Route Advertising Settings dialog displays.

3 Select the RIP type from RIP:

4 For IPv6, go to Step 6.

5 If you selected a RIP of:

• Send and Receive or Receive Only, select a Receive type from Receive:

• RIPv1

• RIPv2 (default)

• Send and Receive or Send Only, select a Send type from Send:

• RIPv1

• RIPv2 - v1 Compatible

• RIPv2 (default)

6 Select or deselect the check boxes for Split Horizon, Poisoned Reverse, and (or) Use Password to meet your configuration requirements.

7 For IPv6, go to Step 9.

8 If Use Password is selected, enter a password in the Password field.

9 Click Update.

10 Click the Edit icon for OSPF status. The Edit OSPF Route Advertisement for Interface dialog displays.

11 Select the OSPF type from OSPFv2 (IPv4) or OSPFv3 (IPv6):

• Disable – No other options are available; go to Step 25.

• Enable

• Passive

TIP: Configuring Route Advertisement is similar for IPv4 and IPv6. Differences are noted.

TIP: This page displays both IPv4 and IPv6 interfaces for both RIP and OSPF.

RIP options (Step 3) for IPv4:

• Disabled

• Send and Receive

• Send Only

• Receive Only

• Passive

RIP options (Step 3) for IPv6:

• Disabled

• Enabled

• Passive

NOTE: If you leave the Password field empty, the current password for this field in the appliance remains unchanged.


12 Enter a numeric value for the OSPF Area. The default is 0.

13 If you selected Passive for OSPFv2/OSPFv3, go to Step 25.

14 Select the area type from OSPFv2 Area Type or OSPFv3 Area Type:

15 Enter the Dead Interval (1-65535). The minimum is 1, the maximum is 65535, and the default is 40.

16 Enter the Hello Interval (1-65535). The minimum is 1, the maximum is 65535, and the default is 10.

17 Determine how cost is to be calculated; either:

• Enable Auto Cost. When selected, the next option is dimmed.

• Enter the Interface Cost. The minimum is 1, the maximum is 65535, and the default is 1.

18 Enter the Router Priority. The minimum is 1, the maximum is 255, and the default is 1.

19 For IPv6, go to Step 25.

20 Select the authentication type from Authentication:

• Disable – Go to Step 25.

• Simple Password

• Message Digest.

21 Provide a password of up to 16 characters in the Password field.

22 To allow MTU compatibility, select Enable MTU compatibility (mtu-ignore).

23 Go to Step 25.

24 Enter an instance ID in the Instance-ID field. The minimum is 1, the maximum is 255, and the default is 1.

25 Click Update.
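As an added example (not SonicOS code), the Python below shows what the Split Horizon and Poisoned Reverse options of Step 6 change in the RIP advertisement sent out of an interface, and how a received advertisement updates a hop-count routing table, with 16 meaning unreachable (the metric fields on this page accept 1 through 15). How the two options combine when both are selected is an assumption, and the routes are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

RIP_INFINITY = 16   # hop counts run 1..15; 16 means unreachable


@dataclass
class RipRoute:
    network: str
    metric: int                  # hop count
    learned_on: Optional[str]    # interface the route was learned on; None = local (connected/static)


def build_advertisement(table: list[RipRoute], out_iface: str,
                        split_horizon: bool = True,
                        poisoned_reverse: bool = False) -> dict[str, int]:
    """Routes advertised out of out_iface. A route learned on that same
    interface is advertised with metric 16 (Poisoned Reverse) or omitted
    (Split Horizon); Poisoned Reverse taking precedence when both are
    selected is an assumption."""
    adv: dict[str, int] = {}
    for r in table:
        if r.learned_on == out_iface and poisoned_reverse:
            adv[r.network] = RIP_INFINITY        # tell the sender it is unreachable via us
        elif r.learned_on == out_iface and split_horizon:
            continue                             # never advertise back where it came from
        else:
            adv[r.network] = min(r.metric, RIP_INFINITY)
    return adv


def process_update(table: list[RipRoute], in_iface: str,
                   adv: dict[str, int]) -> list[RipRoute]:
    """Merge a neighbour's advertisement received on in_iface (distance-vector
    update): add one hop, never override local routes, and replace a RIP
    route when the new path is shorter or comes from the route's current next
    hop (so a poisoned route from that hop becomes unreachable)."""
    by_net = {r.network: r for r in table}
    for net, metric in adv.items():
        new_metric = min(metric + 1, RIP_INFINITY)
        cur = by_net.get(net)
        if cur is None:
            if new_metric < RIP_INFINITY:
                by_net[net] = RipRoute(net, new_metric, in_iface)
        elif cur.learned_on is None:
            continue                             # connected/static routes win over RIP
        elif cur.learned_on == in_iface or new_metric < cur.metric:
            cur.metric, cur.learned_on = new_metric, in_iface
    return list(by_net.values())


def reachable_routes(table: list[RipRoute]) -> list[RipRoute]:
    return [r for r in table if r.metric < RIP_INFINITY]


def sample_table() -> list[RipRoute]:
    """Constructed: one connected network plus two routes learned via RIP."""
    return [RipRoute("10.0.0.0/24", 1, None),
            RipRoute("10.1.0.0/24", 2, "X2"),
            RipRoute("10.2.0.0/24", 3, "X3")]
```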

Configuring Global RIP

To configure the Global RIP settings:

1 Navigate to the Network > Routing Protocols page.

2 Scroll down to the Global RIP section.

3 Select IPv4 or IPv6.

OSPFv2 Area Type options (Step 14, IPv4):

• Normal

• Stub Area

• Totally Stubby Area

• Not-so-Stubby Area

• Totally Stubby NSSA

OSPFv3 Area Type options (Step 14, IPv6):

• Normal

• Stub Area

• Totally Stubby Area

TIP: If you leave the Password field blank, the current password for the field in the appliance remains unchanged.

TIP: If fields marked with a plus (+) sign are left empty, default values are used.

TIP: The options for IPv4 and IPv6 are almost identical. Differences are noted.


4 In the Advanced Routing Services section, select Use Advanced Routing.

5 If BGP is licensed, from BGP, select whether it is:

• Disabled (default)

• Enabled (Configure with CLI)

6 To prioritize routes within route classes, select Prioritize routes by metric within route classes. This option is not selected by default.

7 To apply a metric to default routes from advanced routing protocols, enter a metric in the Apply the following metric to default routes received from Advanced Routing protocols. The minimum is 1, the maximum is 255, and the default is 110.

8 Enter a Default Metric in the range 1–15.

9 For IPv6, go to Step 11.

10 Enter an Administrative Distance. The minimum is 1, the maximum is 255, and the default is 120.

11 Select or deselect the desired options and enter metrics (1-15) for:

• Originate Default Route

• Redistribute Static Routes

• Redistribute Connected Networks

• Redistribute OSPF Routes

• Redistribute Remote VPN Networks (IPv4 only)

12 Click Update.

Configuring Global OSPFv2

To configure the Global OSPFv2 settings:

1 Navigate to the Network > Routing Protocols page.

2 Scroll down to the Global RIP section.

3 Select IPv4 or IPv6.

4 Scroll to the Global OSPFv2 Configuration (IPv4) or Global OSPFv3 Configuration (IPv6) section.

5 Enter the OSPF Router ID in the field.

6 Enter the OSPF router ID in the OSPF Router-ID field. The default is 10.0.0.1.

7 Enter a default metric in the Default Metric field. The minimum is 1, the maximum is 16777214, and for IPv6, the default is 1.

8 From ABR Type, select:

• Standard

• Cisco (default)

• IBM

• Shortcut (IPv4 only)

TIP: The options for IPv4 and IPv6 are almost identical. Differences are noted.

TIP: If fields marked with a plus (+) sign are left empty, default values are used.


9 Enter the Auto-Cost Reference BW in Mb per second. The minimum is 1, the maximum is 4294967, and for IPv6, the default is 100.

10 For IPv6, go to Step 14.

11 From Originate Default Route, select:

• Never – Go to Step 14

• When WAN is up

• Always

12 Enter a Metric. The minimum is 1, the maximum is 1677724, and the default is 10.

13 Select a Metric Type:

• External Type 1

• External Type 2 (default)

14 Select or deselect these options and enter a Metric (see Step 12; for IPv6, the default is 1), Metric Type (see Step 13), and Tag (IPv4 only; range 0 - 4294967295) for the selected option(s):

• Redistribute Static Routes

• Redistribute Connected Networks

• Redistribute RIP Routes

• Redistribute Remote VPN Networks (IPv4 only)

15 When you are finished, click Update. The settings are changed for the SonicWall appliance.

To clear all settings and start over, click Reset.


11

Configuring NAT Policies

SonicWall appliances support Network Address Translation (NAT). NAT is the automated translation of IP addresses between different networks. For example, a company might use private IP addresses on a LAN that are represented by a single IP address on the WAN side of the SonicWall appliance.

SonicWall appliances support two types of NAT:

• Address-to-Address Translation—local addresses are matched to public IP addresses. For example, the private IP address 10.50.42.112 might be mapped to the public IP address 132.22.3.2.

• Port Translation or Network Address Port Translation (NAPT)—local addresses are dynamically matched to public IP address/port combinations (standard TCP ports). For example, the private IP address 192.168.102.12 might be mapped to the public IP address 48.12.11.1 using port 2302.

Topics:

• About NAT in the Management Service

• IPv6 NAT Policies

• About NAT Load Balancing

• Viewing NAT Policy Entries

• Configuring/Editing NAT Policy Settings

• Configuring NAT Load Balancing

About NAT in the Management Service

The Network Address Translation (NAT) engine in SonicOS allows you to define granular NAT policies for your incoming and outgoing traffic. By default, the firewall has a preconfigured NAT policy to allow all systems connected to the X0 interface to perform Many-to-One NAT using the IP address of the X1 interface, and a policy to not perform NAT when traffic crosses between the other interfaces. This section explains how to set up the most common NAT policies.

NOTE: The NAT policies page is only supported in SonicOS.

NOTE: IP address/port combinations are dynamic and not preserved for new connections. For example, the first connection from an IP address might use port 2302, but the second connection might use 2832.

IMPORTANT: Before configuring NAT Policies, be sure to create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, be sure you have Address Objects for your public and private IP addresses.

TIP: By default, LAN to WAN has a NAT policy predefined on the firewall.


Understanding how to use NAT policies starts with the construction of an IP packet. Every packet contains addressing information that allows the packet to get to its destination, and for the destination to respond to the original requester. The packet contains (among other things) the requester’s IP address, the protocol information of the requester, and the destination’s IP address. The NAT Policies engine in SonicOS can inspect the relevant portions of the packet and can dynamically rewrite the information in specified fields for incoming, as well as outgoing, traffic.

You can add up to 512 NAT Policies on a SonicWall Security Appliance running SonicOS, and they can be as granular as you need. It is also possible to create multiple NAT policies for the same object. For instance, you can specify that an internal server use one IP address when accessing Telnet servers, and use a totally different IP address for all other protocols. Because the NAT engine in SonicOS supports inbound port forwarding, it is possible to hide multiple internal servers behind the WAN IP address of the firewall. The more granular the NAT Policy, the more precedence it takes.

Maximum routes and NAT policies allowed per firewall model shows the maximum number of routes and NAT policies allowed for each network security appliance model.

Topics:

• About NAT64

• Pref64::/n

• Glossary

About NAT64

The Management Service supports the NAT64 feature that enables an IPv6-only client to contact an IPv4-only server through an IPv6-to-IPv4 translation device known as a NAT64 translator. NAT64 provides the ability to access legacy IPv4-only servers from IPv6 networks; a SonicWall with NAT64 is placed as the intermediary router.

As a NAT64 translator, the Management Service allows an IPv6-only client from any zone to initiate communication to an IPv4-only server with proper route configuration. The Management Service maps IPv6 addresses to IPv4 addresses so IPv6 traffic changes to IPv4 traffic and vice versa. IPv6 address pools (represented as Address Objects) and IPv4 address pools are created to allow mapping by translating packet headers between IPv6 and IPv4. The IPv4 addresses of IPv4 hosts are translated to and from IPv6 addresses by using an IPv6 prefix configured in the Management Service.

The DNS64 translator enables NAT64. Either an IPv6 client must be configured with a DNS64 server, or the DNS server address the IPv6 client gets automatically from the gateway must be a DNS64 server. The DNS64 server of an IPv6-only client synthesizes AAAA (IPv6) records from A (IPv4) records. The Management Service does not act as a DNS64 server.

Maximum routes and NAT policies allowed per firewall model

Model             Static Routes   Dynamic Routes   NAT Policies
SM 9600           3072            4096             2048
SM 9400           3072            4096             2048
SM 9200           3072            4096             2048
NSA 6600          2048            4096             2048
NSA 5600          2048            4096             2048
NSA 4600          1088            2048             1024
NSA 3600          1088            2048             1024
NSA 2600          1088            2048             1024
TZ600             256             1024             512
TZ500/TZ500 W     256             1024             512
TZ400/TZ400 W     256             1024             512
TZ300/TZ300 W     256             1024             512
SOHO W            256             1024             512


Pref64::/n

The DNS64 server uses Pref64::/n to judge whether an IPv6 address is an IPv4-converted IPv6 address by comparing its first n bits with pref64::. DNS64 creates IPv4-converted IPv6 addresses by combining pref64:: with the IPv4 addresses from A records and sending the result in a DNS response to IPv6-only clients. Pref64::/n defines a source network that can go from an IPv6-only client through NAT64 to an IPv4-only client. In the Management Service, an Address Object of type Network can be configured with pref64::/n to represent all IPv6 clients that can do NAT64.
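The two DNS64 operations described above, synthesizing an IPv4-converted IPv6 address from pref64:: plus an A record and judging whether an IPv6 address lies within Pref64::/n, as an added Python example that is not SonicWall code. The function names and the constructed DNS records are assumptions of the example; the bit layout per prefix length is the one defined in RFC 6052, which also defines the well-known prefix 64:ff9b::/96, and which prefix lengths the appliance itself accepts is not stated in this guide.

```python
"""Pref64::/n synthesis and judgement for NAT64 (added example, not SonicWall code)."""
import ipaddress
from typing import Optional

# RFC 6052 prefix lengths. For all but /96 the octet at bits 64-71 ("u")
# must be zero and the embedded IPv4 address is split around it.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize_ipv6(pref64: str, ipv4: str) -> str:
    """Embed ipv4 into the Pref64::/n prefix and return the IPv6 address (RFC 6052)."""
    net = ipaddress.IPv6Network(pref64, strict=True)
    n = net.prefixlen
    if n not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"Pref64 length /{n} is not an RFC 6052 length")
    v4 = int(ipaddress.IPv4Address(ipv4))
    value = int(net.network_address)          # first n bits = pref64::, rest zero
    if n == 96:
        value |= v4                           # IPv4 occupies bits 96-127
    else:
        head_len = 64 - n                     # IPv4 bits that fit before bit 64
        tail_len = 32 - head_len              # IPv4 bits placed after the u octet
        head = v4 >> tail_len
        tail = v4 & ((1 << tail_len) - 1)
        value |= head << 64                   # bits n .. 63
        value |= tail << (56 - tail_len)      # bits 72 .. 72 + tail_len - 1
    return str(ipaddress.IPv6Address(value))


def extract_ipv4(pref64: str, addr: str) -> Optional[str]:
    """Judge addr against Pref64::/n (compare the first n bits with pref64::).

    Returns the embedded IPv4 address when addr is IPv4-converted, else None.
    A NAT64 translator does the same check to pick the IPv4 destination."""
    net = ipaddress.IPv6Network(pref64, strict=True)
    n = net.prefixlen
    if n not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"Pref64 length /{n} is not an RFC 6052 length")
    a = ipaddress.IPv6Address(addr)
    if a not in net:                          # first n bits differ from pref64::
        return None
    value = int(a)
    if n == 96:
        v4 = value & 0xFFFFFFFF
    else:
        head_len = 64 - n
        tail_len = 32 - head_len
        head = (value >> 64) & ((1 << head_len) - 1)
        tail = (value >> (56 - tail_len)) & ((1 << tail_len) - 1)
        v4 = (head << tail_len) | tail
    return str(ipaddress.IPv4Address(v4))


# Constructed zone data standing in for what an authoritative DNS server returns.
SAMPLE_RECORDS = {
    "ipv4only.example": {"A": ["192.0.2.33"], "AAAA": []},
    "dual.example": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def dns64_answer(name: str, pref64: str, records=SAMPLE_RECORDS) -> list:
    """Return the AAAA answer an IPv6-only client gets from a DNS64 server:
    genuine AAAA records when they exist, otherwise AAAA records synthesized
    from the A records with pref64::."""
    rr = records.get(name, {"A": [], "AAAA": []})
    if rr["AAAA"]:
        return list(rr["AAAA"])
    return [synthesize_ipv6(pref64, a) for a in rr["A"]]


if __name__ == "__main__":
    pref = "64:ff9b::/96"
    for host in SAMPLE_RECORDS:
        for answer in dns64_answer(host, pref):
            print(f"{host}: AAAA {answer} -> embedded IPv4 {extract_ipv4(pref, answer)}")
```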

Glossary

DNS64                           DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
IPv4-converted IPv6 addresses   IPv6 addresses used to represent IPv4 nodes in an IPv6 network
IPv4-embedded IPv6 addresses    IPv6 addresses in which 32 bits contain an IPv4 address
NAT                             Network Address Translation
NAT64                           Stateful Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers
NATPT                           Network Address Translation - Protocol Translation
PMTUD                           Path MTU discovery
XLATs                           IP/ICMP translators

IMPORTANT: Currently, NAT64:

• Only translates Unicast packets carrying TCP, UDP, and ICMP traffic.

• Supports FTP and TFTP application-layer protocol streams, but does not support H.323, MSN, Oracle, PPTP, RTSP, and RealAudio application-layer protocol streams.

• Does not support IPv4-initiated communications to a subset of the IPv6 hosts.

• Does not support High Availability.

For NAT64 traffic matches, two mixed connection caches are created. Thus, the capacity for NAT64 connection caches is half that for pure IPv4 or IPv6 connections.

Common NAT Configuration Types

SonicWall supports several types of address mapping:

• One-to-One Mapping—one local IP address is mapped to one public IP address using Address-to-Address translation.

• Many-to-One Mapping—many local IP addresses are mapped to a single public IP address using NAPT.

• Many-to-Many Mapping—many local IP addresses are mapped to many public IP addresses. If the number of public IP addresses is greater than or equal to the number of local IP addresses, the SonicWall appliance uses Address-to-Address translation. If the number of public IP addresses is less than the number of local IP addresses, the SonicWall appliance uses NAPT. For example, if there are 10 private IP addresses and 5 public IP addresses, two private IP addresses will be assigned to each public IP address using NAPT.


Topics:

• One-to-One Mapping

• Many-to-One Mapping

• Many-to-Many Mapping

One-to-One Mapping

To configure one-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP address in the Original Source field and the public IP address that is used to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

To configure one-to-one mapping from the public network to the private network, select the Address Object that corresponds to the public network IP address in the Original Destination field and the private IP address that is used to reach the server in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

Many-to-One Mapping

To configure many-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP address that is used to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

Many-to-Many Mapping

To configure many-to-many mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP addresses to which they are mapped in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

To configure many-to-many mapping from the public network to the private network, select the Address Object that corresponds to the public network IP addresses in the Original Destination field and the IP addresses on the private network in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

NOTE: If you map more than one private IP address to the same public IP address, the private IP addresses will automatically be configured for port mapping or NAPT.

NOTE: If you map one public IP address to more than one private IP address, the public IP address is mapped to the first private IP address. Load balancing is not supported. Additionally, you must set the Original Source to Any.

NOTE: You can also specify Any in the Original Source field and the Address Object of the LAN interface in the Translated Source field.

NOTE: If the IP address range specified in the Original Source is larger than the Translated Source, the SonicWall appliance uses port mapping or NAPT. If the Translated Source is equal to or larger than the Original Source, addresses are individually mapped.

NOTE: If the IP address range specified in the Original Destination is smaller than the Translated Destination, the SonicWall appliance individually maps the original addresses to the first translated IP addresses in the translated range. If the Translated Destination is equal to or smaller than the Original Destination, addresses are individually mapped.


IPv6 NAT Policies

NAT policies can be configured for IPv6 or NAT64 on the Network > NAT Policies page. On the Add/Edit NAT Policy dialog, the IP Version can be configured with one of these options: IPv4 only, IPv6 only, or NAT64 Only.

When configuring IPv6 NAT policies, the source and destination objects can only be IPv6 address objects unless an IP version of NAT64 is specified.

NAT64 Stateful Inspection Network Streams Support

Stateful inspection network streams (usually including application layer data) need to create cache entries on the fly. These cache entries usually are illegal based on the packet filter's rule table, but they are allowed due to specific directives in the application layer data (for instance, the addition of an inbound cache entry for an FTP data connection).

In the Management Service, these network streams are handled differently from general application layer protocol streams like HTTPS or SNMP. These stateful inspection network streams include FTP, TFTP, H.323, MSN, Oracle, PPTP, RTSP, and RealAudio. Stateful inspection network streams need to anticipate the creation of data cache when client and server communicate with each other through a control channel.

The Management Service fully supports the FTP (active and passive mode) and TFTP protocols for NAT64.

About NAT Load Balancing

Network Address Translation (NAT) and Load Balancing (LB) provide the ability to balance incoming traffic across multiple, similar network resources. Do not confuse this with the WAN ISP and LB feature on the firewall. While both features can be used in conjunction, WAN ISP and LB is used to balance outgoing traffic across two ISP connections, and NAT LB is primarily used to balance incoming traffic.

Load Balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime.

This section details how to configure the necessary NAT, load balancing, health check, logging, and firewall rules to allow systems from the public Internet to access a Virtual IP (VIP) that maps to one or more internal systems, such as Web servers, FTP servers, or SonicWall SRA appliances. This Virtual IP may be independent of the firewall or it may be shared, assuming the firewall itself is not using the port(s) in question.

Topics:

• NAT Load Balancing and Probing

• NAT LB Mechanisms

• Determining the NAT LB Method to Use

• Caveats

• How Load Balancing Algorithms are Applied

NOTE: IPv6 probing for NAT policies is not currently supported.

NOTE: The load balancing capability in the Management Service, while fairly basic, satisfies the requirements for many customer network deployments. Customers with environments needing more granular load balancing, persistence and health-check mechanisms are advised to use a dedicated third-party load-balancing appliance.


NAT Load Balancing and Probing

NAT load balancing provides the ability to balance incoming traffic across multiple, similar network resources. Load Balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime.

With probing enabled, the SonicWall uses one of two methods to probe the addresses in the load-balancing group, using either a simple ICMP ping query to determine if the resource is alive, or a TCP socket open query to determine if the resource is alive. Per the configurable intervals, the SonicWall can direct traffic away from a non-responding resource, and return traffic to the resource after it has begun to respond again.

NAT LB Mechanisms

NAT load balancing is configured under Advanced on the Add/Edit NAT Policy dialog.

The Management Service offers these advanced configuration options:

• NAT Methods

• High Availability

NAT Methods

1 Select a NAT method:

• Sticky IP – Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments.

• Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.

• Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP addresses/networks (for example, when you want to precisely control how traffic from one subnet is translated to another).

• Random Distribution – Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources.

2 Optionally, force the firewall to only do IP address translation and no port translation for the NAT policy, by selecting Disable Source Port Remap. The Management Service preserves the source port of the connection while executing other NAT mapping. This option is available when adding or editing a NAT policy if the source IP address is being translated. This option is not selected by default.

IMPORTANT: Advanced options do not display if NAT64 Only is selected for IP Version.

NOTE: Except for the Disable Source Port Remap option, these options can only be activated when a group is specified in one of the options under General. Otherwise, the NAT policy defaults to Sticky IP as the NAT method.

NOTE: This option is unavailable and dimmed if the Translated Source (under General) is set to Original.


You can select this option to temporarily take the interface offline for maintenance or other reasons. If connected, the link goes down. Clear the checkbox to activate the interface and allow the link to come back up.

High Availability

1 Optionally, select Enable Probing. When checked, the firewall uses one of two methods to probe the addresses in the load-balancing group, using either a simple ICMP ping query to determine if the resource is alive, or a TCP socket open query to determine if the resource is alive. Per the configurable intervals, the firewall can direct traffic away from a non-responding resource, and return traffic to the resource after it has begun to respond again.

When Enable Probing is selected, the following options become available:

• Probe hosts every n seconds – Specify the interval between host probes. The default is 5 seconds.

• Probe type — Select the probe type, such as TCP. The default is TCP.

• Port – Specify the port. The default is 80.

• Reply time out – Specify the maximum length of time before a time out. The default is 3 seconds.

• Deactivate host after n missed intervals – Specify the maximum number of intervals that a host can miss before being deactivated. The default is 3.

• Reactivate host after n successful intervals – Specify the minimum number of successful intervals before a host can be reactivated. The default is 3.

• RST Response Counts as Miss – Select to count RST responses as misses. The option is selected by default if Enable Port Probing is selected.

• Enable Port Probing – Select to enable port probing for TCP. Selecting this option enhances NAT to also consider the port while load balancing. This option is disabled by default.

Determining the NAT LB Method to Use

Deciding which NAT LB method to use

Requirement                                                          Deployment Example                                                      NAT LB Method
Distribute load on servers equally without need for persistence      External/internal servers (such as Web or FTP)                          Round Robin
Indiscriminate load balancing without need for persistence           External/internal servers (such as Web or FTP)                          Random Distribution
Requires persistence of client connection                            E-commerce site (any publicly accessible servers requiring persistence)  Sticky IP
Precise control of remap of source network to a destination range    LAN to DMZ servers                                                      Block Remap
Precise control of remap of source network and destination network   Internal servers (such as intranets or extranets)                       Symmetrical Remap


Caveats

• Only two health-check mechanisms (ICMP ping and TCP socket open).

• No higher-layer persistence mechanisms (Sticky IP only).

• No “sorry-server” mechanism if all servers in group are not responding.

• No “round robin with persistence” mechanism.

• No “weighted round robin” mechanism.

• No method for detecting if resource is strained.

While there is no limit to the number of internal resources that the SonicWall network security appliance can load-balance to, and there is no limit to the number of hosts it can monitor, abnormally large load-balancing groups (25+ resources) may impact performance.

How Load Balancing Algorithms are Applied

Round Robin           Source IP connects to Destination IP alternately
Random Distribution   Source IP connects to Destination IP randomly
Sticky IP             Source IP connects to the same Destination IP; see Sticky IP Algorithm Examples
Block Remap           Source network is divided by the size of the Destination pool to create logical segments
Symmetrical Remap     Source IP maps to Destination IP (for example, 10.1.1.10 -> 192.168.60.10)

Sticky IP Algorithm Examples

The source IP address is taken modulo the size of the server cluster to determine the server to remap it to. The following examples show how the Sticky IP algorithm works:

• Example One: Mapping to a network

• Example Two: Mapping to an IP address range

Example One: Mapping to a network

Source IPs 192.168.0.2 to 192.168.0.4; Translated Destination = 10.50.165.0/30 (Network)

Packet Source IP = 192.168.0.2
192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 (IP -> Hex -> Dec -> Binary)

Sticky IP Formula = Packet Src IP [modulo] TransDest Size = 3232235522 [modulo] 2 = 0 (2 divides the numerator evenly; there is no remainder, thus 0)

Sticky IP Formula yields offset of 0.

Destination remapping = 10.50.165.1.


Example Two: Mapping to an IP address range

Source IPs 192.168.0.2 to 192.168.0.4; Translated Destination = 10.50.165.1 - 10.50.165.3 (Range)

Packet Src IP = 192.168.0.2
192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 (IP -> Hex -> Dec -> Binary)

Sticky IP Formula = Packet Src IP [modulo] TransDest Size = 3232235522 [modulo] 3 = 2 (3232235522 / 3 = 1077411840.6666667; the fractional part 0.6666667 * 3 = 2 is the remainder)

Sticky IP Formula yields offset of 2.

Destination remapping = 10.50.165.3.
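The Sticky IP calculation from the two examples above, carried through for every source in the 192.168.0.2 to 192.168.0.4 group, as an added Python example that is not SonicWall code. The function names are assumptions; so is the pool-size rule the examples imply, namely that a Network object counts its usable hosts (the /30 gives size 2) while a Range object counts every address in the range.

```python
"""Sticky IP remapping worked for the examples above (added example, not SonicWall code)."""
import ipaddress


def ip_representations(ip: str) -> dict:
    """Hex, decimal and binary forms of an IPv4 address, as printed in the examples."""
    value = int(ipaddress.IPv4Address(ip))
    return {"hex": f"{value:08X}", "dec": value, "bin": f"{value:032b}"}


def translated_pool(spec: str) -> list:
    """Expand a Translated Destination given as a CIDR network or an 'a - b' range.

    Assumption drawn from the examples: a Network object contributes only its
    usable hosts (network and broadcast addresses excluded), a Range object
    every address from start to end inclusive."""
    if "-" in spec:
        start, end = (part.strip() for part in spec.split("-", 1))
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if hi < lo:
            raise ValueError(f"range end {end} precedes start {start}")
        return [str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1)]
    net = ipaddress.IPv4Network(spec, strict=True)
    return [str(host) for host in net.hosts()]


def sticky_ip_offset(src_ip: str, pool_size: int) -> int:
    """Packet Src IP (as a 32-bit integer) modulo TransDest Size."""
    if pool_size < 1:
        raise ValueError("translated destination pool is empty")
    return int(ipaddress.IPv4Address(src_ip)) % pool_size


def sticky_ip_remap(src_ip: str, translated_destination: str) -> str:
    """Destination the Sticky IP method selects for src_ip."""
    pool = translated_pool(translated_destination)
    return pool[sticky_ip_offset(src_ip, len(pool))]


def remap_table(sources, translated_destination: str) -> dict:
    """Map every source to its sticky destination; same source, same server."""
    return {src: sticky_ip_remap(src, translated_destination) for src in sources}


if __name__ == "__main__":
    sources = ["192.168.0.2", "192.168.0.3", "192.168.0.4"]
    print(ip_representations("192.168.0.2"))
    print("Example One (10.50.165.0/30):", remap_table(sources, "10.50.165.0/30"))
    print("Example Two (10.50.165.1 - 10.50.165.3):",
          remap_table(sources, "10.50.165.1 - 10.50.165.3"))
```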

Viewing NAT Policy Entries

The Network > NAT Policies page allows you to view and manage your NAT Policies.

Topics:

• Displaying Information about Policies

• Deleting Entries

Displaying Information about Policies

Moving your pointer over the Comment icon in the Comment column of the NAT Policies table displays the comments entered in the Comments field of the Add NAT Policy dialog for custom policies. Default policies have a brief description of the type of NAT policy, such as IKE NAT Policy or NAT Management Policy.

Deleting Entries

Clicking the Delete icon deletes the NAT Policy entry. If the icon is dimmed, the NAT Policy is a default entry, and you cannot delete it.

NOTE: You can delete only those entries you create or that are auto-added.


Configuring/Editing NAT Policy Settings

To create or edit a NAT policy:

1 Navigate to the Network > NAT Policies page.

2 Do one of the following:

• To create a new NAT policy, click Add NAT Policy in the Network > NAT Policies page. The Add NAT Policy dialog displays.

• To edit an existing NAT policy, click the Edit icon in the Configure column for the NAT policy. The Edit NAT Policy dialog displays.

The two dialogs are identical, although some changes cannot be made to some options in the Edit NAT Policy dialog. The options change if NAT64 Only is selected for IP Version.

3 On the General tab, configure these settings:

• Original Source: This option identifies the Source IP address(es) in the packet crossing the firewall, whether it is across interfaces, or into/out of VPN tunnels. You can:

• Select predefined Address Objects

• Select Any

• Create your own Address Objects

These entries can be single host entries, address ranges, or IP subnets.

• Translated Source: This option specifies what the Original Source is translated to upon exiting the firewall, whether it is to another interface, or into/out of VPN tunnels. You can:

• Specify predefined Address Objects

• Select Original

• Create your own Address Objects entries.

These entries can be single host entries, address ranges, or IP subnets.

• Original Destination or Pref64: This option identifies the Destination IP address(es) in the packet crossing the firewall, whether it is across interfaces, or into/out-of VPN tunnels. When creating outbound NAT policies, this entry is usually set to Any as the destination of the packet is not being changed, but the source is being changed. However, these Address Object entries can be single host entries, address ranges, or IP subnets.

• Translated Destination: This option specifies what the firewall translates the Original Destination to upon exiting the firewall, whether it is to another interface or into/out-of VPN tunnels. When creating outbound NAT policies, this entry is usually set to Original, as the destination of the packet is not being changed, but the source is being changed. However, these Address Object entries can be single host entries, address ranges, or IP subnets.

NOTE: You cannot modify default NAT policies.

The procedures for adding and editing NAT policies in IPv6 are the same as for IPv4.

TIP: For IPv6 Original Source, only IPv6 Address Objects are shown or can be created.

TIP: For Pref64, this is the original destination of the NAT policy. Only IPv6 network Address Objects are shown or can be created. Pref64 is always a pref64::/n network, as this is what DNS64 uses to create AAAA records.

NOTE: For IP Version NAT64 Only, this option is set to Embedded IPv4 Address and cannot be changed.


• Original Service: This option identifies the IP service in the packet crossing the firewall, whether it is across interfaces, or into/out-of VPN tunnels. You can use the predefined services on the firewall, or you can create your own entries. For many NAT policies, this field is set to Any, as the policy is only altering source or destination IP addresses.

• Translated Service: This option specifies what the firewall translates the Original Service to upon exiting the firewall, whether it is to another interface, or into/out of VPN tunnels. You can use the predefined services in the firewall, or you can create your own entries. For many NAT Policies, this field is set to Original, as the policy is only altering source or destination IP addresses.

• Inbound Interface: This option specifies the entry interface of the packet. The default is Any.

When dealing with VPNs, this is usually set to Any (the default), as VPN tunnels aren’t really interfaces.

• Outbound Interface: This option specifies the exit interface of the packet after the NAT policy has been applied. This field is mainly used for specifying to which WAN interface to apply the translation.

When dealing with VPNs, this is usually set to Any (the default), as VPN tunnels aren’t really interfaces. Also, as noted in Creating NAT Policies: Examples, when creating inbound 1-2-1 NAT Policies where the destination is being remapped from a public IP address to a private IP address, this field must be set to Any.

• Enable NAT Policy: This option is selected by default, meaning the new NAT policy is activated the moment it is saved. To create a NAT policy entry but not activate it immediately, clear this checkbox.

• Create a reflexive policy: When you select this option, a mirror outbound or inbound NAT policy for the NAT policy you defined in the Add NAT Policy dialog is automatically created. This option is not selected by default.

• Comment: This field can be used to describe your NAT policy entry. The field has a 32-character limit, and once saved, can be viewed in the main Network > NAT Policies page by running the mouse over the Comment icon of the NAT policy entry. Your comment appears in a pop-up dialog as long as the mouse is over the Comment icon.

• IP Version: Select the IP version:

• IPv4 (default)

• IPv6

• NAT64 Only

4 Click Add.

For information about the settings on the Advanced tab, see NAT LB Mechanisms.

For information on setting up NAT Policies, see Creating NAT Policies: Examples.

NOTE: For IP Version NAT64 Only, this option is set to ICMP UDP TCP and cannot be changed.

NOTE: For IP Version NAT64 Only, this option is set to Original and cannot be changed.

IMPORTANT: Of all fields in NAT policy, this one has the most potential for confusion.

NOTE: IP Version cannot be changed in the Edit NAT Policy dialog.

IMPORTANT: The options on the Add NAT Policy dialog change when NAT64 Only is selected and the Advanced tab does not display.

IMPORTANT: The Advanced tab does not display if NAT64 Only is selected for IP Version.


Creating NAT Policies: Examples

NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneously.

The examples in this section use the following IP addresses to demonstrate NAT policy creation and activation. You can use these examples to create NAT policies for your network, substituting your IP addresses for the examples:

• 192.168.10.0/24 IP subnet on interface X0

• 67.115.118.64/27 IP subnet on interface X1

• 192.168.30.0/24 IP subnet on interface X2

• X0 IP address is 192.168.10.1

• X1 IP address is 67.115.118.68

• X2 “Sales” IP address is 192.168.30.1

• Web server’s “private” address at 192.168.30.200

• Web server’s “public” address at 67.115.118.70

• Public IP range addresses of 67.115.118.71 – 67.115.118.74

Topics:

• Creating a Many-to-One NAT Policy

• Creating a Many-to-Many NAT Policy

• Creating a One-to-One NAT Policy for Outbound Traffic

• Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)

• Configuring One-to-Many NAT Load Balancing

• Creating a WAN-to-WAN Access Rule for a NAT64 Policy

• Inbound Port Address Translation via One-to-One NAT Policy

• Inbound Port Address Translation via WAN IP Address

Creating a Many-to-One NAT Policy

Many-to-One is the most common NAT policy on a SonicWall Security Appliance, and allows you to translate a group of addresses into a single address. Most of the time, this means that you’re taking an internal “private” IP subnet and translating all outgoing requests into the IP address of the WAN interface of the firewall (by default, the X1 interface), such that the destination sees the request as coming from the IP address of the WAN interface belonging to the firewall, and not from the internal private IP address.

To create a many-to-one policy:

1 Navigate to the Network > NAT Policies page.

2 Click Add NAT Policy. The Add NAT Policy dialog displays.

3 To create a NAT policy to allow all systems on the X2 interface to initiate traffic using the firewall’s WAN IP address, choose the options shown in Option choices: Many-to-one NAT policy example:

Option choices: Many-to-one NAT policy example

Option                       Value
Original Source              X2 Subnet
Translated Source            WAN Primary IP
Original Destination         Any
Translated Destination       Original
Original Service             Any
Translated Service           Original
Inbound Interface            X2
Outbound Interface           X1
Comment                      Enter a short description
Enable NAT Policy            Checked
Create a reflective policy   Cleared

NOTE: This policy can be duplicated for subnets behind the other interfaces of the firewall: replace the Original Source with the subnet behind that interface, set the Inbound Interface to that interface, and add the result as a separate NAT policy.

4 Click Update to add and activate the NAT Policy. The new policy is added to the NAT Policies table, and the status at the bottom of the browser window reads The configuration has been added.

5 Click Close.

Creating a Many-to-Many NAT Policy

The Many-to-Many NAT policy allows you to translate a group of addresses into a group of different addresses. This allows the firewall to utilize several addresses to perform the dynamic translation. If a Many-to-Many NAT Policy contains an Original Source and a Translated Source with the same network prefix, the remaining part of the IP address is unchanged.

To create a many-to-many policy:

1 Navigate to the Firewall > Address Objects page.

2 Click Add New Address Object. The Add Address Object dialog displays.

3 Enter a description for the range in the Name field.

4 Select WAN as the zone from Zone Assignment.

5 Choose Range from Type. The Add Address Object dialog changes.

6 Enter the range of addresses (usually public IP addresses supplied by your ISP) in the Starting IP Address and Ending IP Address fields.

7 Click OK to create the range object. The new address object is added to the Address Objects table, and the status at the bottom of the browser screen reads The configuration has been added.


8 Navigate to Network > NAT Policies page.

9 Click Add NAT Policy at the bottom of the NAT Policies table. The Add NAT Policy dialog displays.

10 To create a NAT policy to allow the systems on the LAN interface (by default, the X0 interface) to initiate traffic using the public range addresses, choose the options shown in Option choices: Many-to-many NAT policy example:

Option choices: Many-to-many NAT policy example

Option                       Value
Original Source              LAN Primary Subnet
Translated Source            public_range
Original Destination         Any
Translated Destination       Original
Original Service             Any
Translated Service           Original
Inbound Interface            X0
Outbound Interface           X1
Comment                      Enter a short description
Enable NAT Policy            Selected
Create a reflective policy   Selected

NOTE: If a Many-to-Many NAT Policy contains an Original Source and a Translated Source with the same network prefix, the remaining part of the IP address is unchanged.

11 Click Update to add and activate the NAT Policy. The new policy is added to the NAT Policies table.

With this policy in place, the firewall dynamically maps outgoing traffic using the four available IP addresses in the range we created.

You can test the dynamic mapping by installing several systems on the LAN interface (by default, the X0 interface) at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and 192.168.10.200) and accessing the public Website http://www.whatismyip.com from each system. Each system should display an IP address from the range we created and attached to the NAT policy.

Creating a One-to-One NAT Policy for Outbound Traffic

One-to-One NAT for outbound traffic is another common NAT policy on a firewall for translating an internal IP address into a unique IP address. This is useful when you need specific systems, such as servers, to use a specific IP address when they initiate traffic to other destinations. Most of the time, a NAT policy such as this One-to-One NAT policy for outbound traffic is used to map a server’s private IP address to a public IP address, and it is paired with a reflective (mirror) policy that allows any system from the public Internet to access the server, along with a matching firewall access rule that permits this. Reflective NAT policies are covered in Creating a One-to-One NAT Policy for Inbound Traffic (Reflective).

To create a one-to-one policy for outbound traffic:

1 Navigate to the Firewall > Address Objects page.

2 Click Add Address Object. The Add Address Object dialog displays.

3 Enter a friendly description for the server’s private IP address in the Name field.

4 Select the zone to which the server is assigned from Zone Assignment.

5 Choose Host from Type.


6 Enter the server’s private IP address in the IP Address field.

7 Click OK. The new address object is added to the Address Objects table.

8 Then, repeat Step 2 through Step 7 to create another object in the Add Address Object dialog for the server’s public IP address and with the correct values except select WAN from Zone Assignment.

9 Navigate to the Network > NAT Policies page.

10 To create a NAT policy to allow the Web server to initiate traffic to the public Internet using its mapped public IP address, click Add NAT Policy and choose the options shown in Option choices: One-to-one NAT policy for outbound traffic example:

Option choices: One-to-one NAT policy for outbound traffic example

Option                       Value
Original Source              webserver_private_ip
Translated Source            webserver_public_ip
Original Destination         Any
Translated Destination       Original
Original Service             Any
Translated Service           Original
Inbound Interface            X2
Outbound Interface           X1
Comment                      Enter a short description
Enable NAT Policy            Selected
Create a reflective policy   Selected

11 When done, click Update to add and activate the NAT Policy.

With this policy in place, the firewall translates the server’s private IP address to the public IP address when it initiates traffic out the WAN interface (by default, the X1 interface).

You can test the One-to-One mapping by opening a Web browser on the server and accessing the public Website http://www.whatismyip.com. The Website should display the public IP address you attached to the private IP address in the NAT policy you just created.

Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)

This is the mirror policy that the firewall creates when you select Create a reflective policy, as in Creating a One-to-One NAT Policy for Outbound Traffic. The mirror NAT policy translates an external public IP address into an internal private IP address. When paired with a “permit” access rule, it allows any source to connect to the internal server using the public IP address; the firewall handles the translation between the public and private address. With this policy in place, the firewall translates the server’s public IP address to the private IP address when connection requests arrive via the WAN interface (by default, the X1 interface).

The reflective NAT policy itself already exists; what remains is the access rule that allows anyone to make HTTP connections to the Web server via the Web server’s public IP address.

To create the access rule for the one-to-one policy for inbound traffic (reflective):

1 Navigate to the Firewall > Access Rules page.

2 Choose the policy for whatever zone you put your server in by clicking its checkbox.


3 Click Add to display the Add Policy dialog.

4 Enter the values shown in Option choices: One-to-one NAT policy for inbound traffic example.

Option choices: One-to-one NAT policy for inbound traffic example

Tab        Option                     Value
General    Comment                    Enter a short description
Zone       Source                     Select a zone or interface
           Destination                Select a zone or interface
Service    Source Port                Select a port; the default is Any
           Service                    HTTP
Address    Source                     Any
           Destination                webserver_public_ip
User       Users Included             All (default)
           Users Excluded             None (default)
Schedule   Schedule                   Always on (default)
Action     Access Control             Allow
           Enable logging             Selected
           Allow Fragmented Packets   Selected
           All other options          Unselected

NOTE: If Source Port is configured, the Access Rule filters the traffic based on the source port defined in the selected Service Object/Group. The Service Object/Group selected must have the same protocol types as the ones selected in Service.

5 Click OK. The rule is added.

When you are done, attempt to access the Web server’s public IP address from a system located on the public Internet. You should be able to connect successfully. If not, review this section and Creating a One-to-One NAT Policy for Outbound Traffic, and ensure that you have entered all required settings correctly.

Configuring One-to-Many NAT Load Balancing

One-to-Many NAT policies can be used to persistently load balance the translated destination, using the original source IP address as the key to persistence. For example, a firewall can load balance multiple SRA appliances while maintaining session persistence, because a given client is always sent to the same destination SRA.

To configure a one-to-many load balancing policy:

1 Navigate to the Firewall > Access Rules page.

2 Select the policy for WAN to LAN.

3 Click Add to display the Add Rule dialog.

4 Enter the values shown in Option choices: One-to-many NAT load balancing rule example.

Option choices: One-to-many NAT load balancing rule example

Tab        Option                     Value
General    Comment                    Descriptive text, such as SSLVPN LB
Zone       Source                     Select a zone or interface
           Destination                Select a zone or interface
Service    Source Port                Select a port; the default is Any
           Service                    HTTPS
Address    Source                     Any
           Destination                WAN Primary IP
User       Users Included             All (default)
           Users Excluded             None (default)
Schedule   Schedule                   Always on (default)
Action     Access Control             Allow
           Enable logging             Selected
           Allow Fragmented Packets   Selected
           All other options          Unselected

NOTE: If Source Port is configured, the Access Rule filters the traffic based on the source port defined in the selected Service Object/Group. The Service Object/Group selected must have the same protocol types as the ones selected in Service.

5 Click OK. The rule is added.

6 Navigate to the Network > NAT Policies page.

7 Click Add NAT Policy at the bottom of the NAT Policies table. The Add NAT Policy dialog displays.

8 To create the NAT policy that translates connections arriving at the WAN Primary IP to the group of load-balanced devices, choose the options shown in Option choices: One-to-many NAT load balancing policy example:

Option choices: One-to-many NAT load balancing policy example

Option                       Value
Original Source              Any
Translated Source            Original
Original Destination         WAN Primary IP
Translated Destination       Select Create new address object... to display the Add Address Object dialog. Use the options shown in Option choices: Add Address Object dialog.
Original Service             HTTPS
Translated Service           HTTPS
Inbound Interface            Any
Outbound Interface           Any
Comment                      Descriptive text, such as SSLVPN LB
Enable NAT Policy            Selected
Create a reflective policy   Not selected

Option choices: Add Address Object dialog

Option            Value
Name              A descriptive name, such as mySSLVPN
Zone assignment   LAN
Type              Host
IP Address        The IP addresses of the devices to be load balanced (for example, 192.168.200.10, 192.168.200.20, and 192.168.200.30)

9 When done, click Update to add and activate the NAT Policy.

Creating a WAN-to-WAN Access Rule for a NAT64 Policy

When an IPv6-only client initiates a connection to an IPv4 client or server, the IPv6 packets received by the NAT64 translator look like ordinary IPv6 packets; the:

• Source zone is LAN.

• Destination zone is WAN.

After these packets are processed through the NAT policy, they are converted into IPv4 packets and handled by the firewall again. The source zone of these IPv4 packets, however, is now WAN, while their destination zone is the same as that of the original IPv6 packets. If no connection cache entry exists yet for the IPv4 packets, they undergo policy checking; so that they are not dropped, a WAN-to-WAN allow rule must be configured.

To create a WAN-to-WAN policy:

1 Navigate to the Firewall > Access Rules page.

2 Click Add. The Add Policy dialog displays.

3 Configure the options shown in the WAN-to-WAN access rule table for the NAT64 policy (Zone Source and Destination both WAN, Service ANY, Address Source All WAN IP, Access Control Allow):

NOTE: WAN-to-WAN access rules for a NAT64 policy are not supported on the SuperMassive 9800.


Option choices: WAN-to-WAN access rule for a NAT64 policy

Tab        Option              Value
General    Comment             IPv4 from Any to Any for Any service (optional)
Zone       Source              WAN
           Destination         WAN
Service    Source Port         Select a port; the default is Any
           Service             ANY
Address    Source              All WAN IP
User       Users Included      All (default)
           Users Excluded      None (default)
Schedule   Schedule            Always on (default)
Action     Access Control      Allow
           All other options   Leave as is or optionally configure accordingly

NOTE: If Source Port is configured, the Access Rule filters the traffic based on the source port defined in the selected Service Object/Group. The Service Object/Group selected must have the same protocol types as the ones selected in Service.

NOTE: All WAN IP is a default address object group created by the Management Service that represents the IP addresses belonging to the firewall’s WAN interfaces. All WAN IP cannot be edited.

4 Click Update.

Inbound Port Address Translation via One-to-One NAT Policy

This type of NAT policy is useful when you want to conceal an internal server’s real listening port, but provide public access to the server on a different port. In the example below, you modify the NAT policy and rule created in the previous section to allow public users to connect to the private Web server on its public IP address, but via a different port (TCP 9000), instead of the standard HTTP port (TCP 80).

To create a one-to-one policy for inbound port address translation:

1 Create a custom service for the different port.

a Navigate to the Firewall > Service Objects page.

b Click Add Service Object. The Add Service dialog displays.

c Give your custom service a friendly name such as webserver_public_port.

d Select TCP(6) from Protocol. The Sub Type option is dimmed.

e In the Port Range fields, enter 9000 as both the starting and the ending port number for the service.

f Click OK to save the custom service. The Service Objects are updated.

2 Modify the NAT policy created in the previous section that allowed any public user to connect to the Web server on its public IP address.

a Go to Network > NAT Policies.

b Click the Edit icon next to the NAT policy. The Edit NAT Policy dialog displays.


c Edit the NAT policy with the options shown in Option choices: Inbound port address translation via one-to-one NAT policy:

Option choices: Inbound port address translation via one-to-one NAT policy

Option                   Value
Original Source          Any
Translated Source        Original
Original Destination     webserver_public_ip
Translated Destination   webserver_private_ip
Original Service         webserver_public_port (or whatever you named it)
Translated Service       HTTP
Inbound Interface        X1
Outbound Interface       Any
Enable NAT Policy        Checked
Comment                  Enter a short description

NOTE: Make sure you choose Any as the Outbound Interface and not the interface that the server is on. This may seem counter-intuitive, but it is the correct setting (if you try to specify the interface, you get an error).

d When finished, click OK to add and activate the NAT Policy.

With this policy in place, the firewall translates the server’s public IP address to the private IP address when connection requests arrive from the WAN interface (by default, the X1 interface), and translates the requested service (TCP 9000) to the server’s actual listening port (TCP 80).

3 Finally, modify the firewall access rule created in the previous section to allow any public user to connect to the Web server on the new port (TCP 9000) instead of the server’s actual listening port (TCP 80).

a Navigate to the Firewall > Access Rules page.

b Select the policy for whatever zone you put your server in.

c Click the Edit icon to display the previously created policy in the Edit Rule dialog.

d Edit the values as shown in Option choices: Inbound port address translation via one-to-one NAT policy rule:

Option choices: Inbound port address translation via one-to-one NAT policy rule

Tab        Option              Value
General    Comment             Enter a short description
Address    Source              Any
           Destination         webserver_public_ip
Service    Service             webserver_public_port (or whatever you named it)
User       Users Included      All (default)
Schedule   Schedule            Always on (default)
Action     Access Control      Allow
           Enable Logging      Checked
           All other options   Leave as is or optionally configure accordingly

e Click OK.

When you are done, attempt to access the Web server’s public IP address from a system located on the public Internet on the new custom port (for example: http://67.115.118.70:9000). You should be able to connect successfully. If not, review this section and the section before, and ensure that you have entered all required settings correctly.

Inbound Port Address Translation via WAN IP Address

This is one of the more complex NAT policies you can create on a firewall running the Management Service: it allows you to use the WAN IP address of the firewall to provide access to multiple internal servers. This is most useful in situations where your ISP has provided only a single public IP address, and that IP address has to be used by the firewall’s WAN interface (by default, the X1 interface).

Below, you create the configuration to provide public access to two internal Web servers via the firewall’s WAN IP address; each is tied to a unique custom port. The following example sets up two servers, but you can add more in the same way as long as each uses a unique port.

To use the WAN IP address of the firewall to provide access to multiple internal servers:

1 Create two custom service objects for the unique public ports the servers respond on.

2 Create two address objects for the servers’ private IP addresses.

3 Create two NAT entries to allow the two servers to initiate traffic to the public Internet.

4 Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP addresses to the firewall’s WAN IP address.

5 Create two access rule entries to allow any public user to connect to both servers via the firewall’s WAN IP address and the servers’ respective unique custom ports.

To create an inbound port address translation policy via WAN IP address:

1 Create a custom service for each of the two ports.

a Navigate to the Firewall > Service Objects page.

b Click Add Service Object. The Add Service dialog displays.

c Give your custom service a name such as servone_public_port (or servtwo_public_port for the second server).

d Select TCP(6) from Protocol.

e In the Port Range fields, enter 9100 as both the starting and the ending port for servone_public_port (and 9200 for servtwo_public_port); each service covers a single port.

f Click OK.

g Repeat Step a through Step f for the second service.

2 Create an address object for each server’s private IP address.

a Navigate to the Firewall > Address Objects page.

b Click Add New Address Object. The Add Address Object dialog displays.

c Enter a descriptive name for the server’s private IP address, such as servone_private_ip (or servtwo_private_ip), in the Name field.

d Select the zone the server is in from Zone Assignment.

e Choose Host from Type.

f Enter the server’s private IP address in the IP Address field.

g Click OK to create the address object.

h Repeat Step b through Step g for the second server.

3 Navigate to the Network > NAT Policies page.

a Click Add NAT Policy. The Add NAT Policy dialog displays.


b To create a NAT policy to allow the two servers to initiate traffic to the public Internet using the firewall’s WAN IP address, choose the options shown in Option choices: Two servers to initiate traffic to the Internet:

Option choices: Two servers to initiate traffic to the Internet

Option                       Server one values           Server two values
Original Source              servone_private_ip          servtwo_private_ip
Translated Source            WAN Primary IP              WAN Primary IP
Original Destination         Any                         Any
Translated Destination       Original                    Original
Original Service             Any                         Any
Translated Service           Original                    Original
Inbound Interface            X2                          X2
Outbound Interface           X1                          X1
Enable NAT Policy            Checked                     Checked
Create a reflective policy   Cleared                     Cleared
Comment                      Enter a short description   Enter a short description

c After configuring the NAT policy for each server, click Update to add and activate that NAT policy.

With these policies in place, the firewall translates each server’s private IP address to the WAN IP address when the server initiates traffic out the WAN interface (by default, the X1 interface).

4 Click Add NAT Policy on the Network > NAT Policies page again. The Add NAT Policy dialog displays.

a To create the NAT policies that map the custom ports to the servers’ real listening ports and the firewall’s WAN IP address to the servers’ private addresses, choose the options shown in Option choices: Mapping custom ports to servers:

Option choices: Mapping custom ports to servers

Option                       Server one values           Server two values
Original Source              Any                         Any
Translated Source            Original                    Original
Original Destination         WAN Primary IP              WAN Primary IP
Translated Destination       servone_private_ip          servtwo_private_ip
Original Service             servone_public_port         servtwo_public_port
Translated Service           HTTP                        HTTP
Inbound Interface            X1                          X1
Outbound Interface           Any                         Any
Comment                      Enter a short description   Enter a short description
Enable NAT Policy            Checked                     Checked
Create a reflective policy   Cleared                     Cleared

NOTE: Make sure you choose Any as the Outbound Interface and not the interface that the server is on. This may seem counter-intuitive, but it is the correct setting (if you try to specify the interface, you get an error).


b After configuring the NAT policy for each server, click Update to add and activate that NAT policy.

With these policies in place, the firewall translates the WAN IP address to the appropriate server’s private IP address, and the custom port to that server’s listening port, when connection requests arrive from the WAN interface (by default, the X1 interface).

5 Create the access rules that allow anyone from the public Internet to access the two Web servers using the custom ports and the firewall’s WAN IP address.

a Navigate to the Firewall > Access Rules page.

b Choose the policy for the WAN to Sales zone.

c Click Add. The Add Rule dialog displays.

d To create the Access Rules, enter the values shown in Option choices: Creating Access Rules.

e After configuring the Access Rule for each server, click OK to add and activate that Access Rule.

When you are finished, attempt to access the Web servers via the firewall’s WAN IP address from a system located on the public Internet on the new custom ports (for example: http://67.115.118.68:9100 and http://67.115.118.68:9200, using the X1 address from the example addressing). You should be able to connect successfully. If not, review this section and the section before, and ensure that you have entered all required settings correctly.
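The policies in the sections above (many-to-one, many-to-many with the same-prefix rule, one-to-one with its reflective mirror, and inbound port address translation to one server's public IP or via the WAN IP) all follow the same matching and rewriting scheme: a flow is compared against Original Source, Original Destination, Original Service and the Inbound/Outbound Interface, and the first policy that matches supplies the Translated values. The following Python model of that scheme is an added example, not SonicWall code or anything from this page. It reuses the page's example addresses, adds a constructed 192.168.30.201 as a second server and a constructed 10.20.30.0/24 pool for the same-prefix case, and makes two assumptions the page does not state: that list order is policy precedence, and that a hash of the source address stands in for whatever the firewall does when it "dynamically" picks from a pool.

```python
"""Model of the policy-based NAT this page configures in the GUI: an ordered table
of policies, each matching a flow on Original Source/Destination/Service and
Inbound/Outbound Interface and rewriting it with the Translated values.  Added
example, not SonicWall code; see the lead-in and comments for what is assumed."""
from collections import namedtuple
from dataclasses import dataclass
import hashlib
import ipaddress
from typing import List, Optional, Tuple

Flow = namedtuple("Flow", "src dst proto sport dport in_if out_if")

@dataclass(frozen=True)
class NatPolicy:  # None = Any in an Original field, Original in a Translated one
    orig_src: Optional[str]
    trans_src: Optional[str]
    orig_dst: Optional[str]
    trans_dst: Optional[str]
    orig_svc: Optional[Tuple[str, int]] = None   # (protocol, destination port)
    trans_svc: Optional[Tuple[str, int]] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    comment: str = ""

def contains(obj: Optional[str], ip: str) -> bool:
    """Membership in a Host, Network 'a/len' or Range 'a-b' address object."""
    if obj is None:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in obj:
        lo, hi = (ipaddress.ip_address(x) for x in obj.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(obj, strict=False)

def members(obj: str) -> List[ipaddress.IPv4Address]:
    if "-" in obj:                                # Range object
        lo, hi = (int(ipaddress.ip_address(x)) for x in obj.split("-"))
        return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
    return list(ipaddress.ip_network(obj, strict=False))   # Host or Network

def translate_source(p: NatPolicy, src: str) -> str:
    if p.trans_src is None:                       # Translated Source = Original
        return src
    pool = members(p.trans_src)
    if len(pool) == 1:                            # one-to-one or many-to-one
        return str(pool[0])
    if p.orig_src and "/" in p.orig_src and "/" in p.trans_src:
        orig = ipaddress.ip_network(p.orig_src, strict=False)
        trans = ipaddress.ip_network(p.trans_src, strict=False)
        if orig.prefixlen == trans.prefixlen:     # same prefix: host part unchanged
            host = int(ipaddress.ip_address(src)) & int(orig.hostmask)
            return str(ipaddress.ip_address(int(trans.network_address) | host))
    # Many-to-many onto a smaller pool: the page only says "dynamically"; a hash
    # of the source address stands in for the firewall's choice (assumption).
    digest = hashlib.sha256(ipaddress.ip_address(src).packed).digest()
    return str(pool[int.from_bytes(digest[:4], "big") % len(pool)])

def matches(p: NatPolicy, f: Flow) -> bool:
    return (contains(p.orig_src, f.src) and contains(p.orig_dst, f.dst)
            and (p.orig_svc is None or p.orig_svc == (f.proto, f.dport))
            and p.in_if in (None, f.in_if) and p.out_if in (None, f.out_if))

def apply_nat(policies: List[NatPolicy], f: Flow) -> Tuple[Flow, Optional[str]]:
    """First match wins; returns (rewritten flow, policy comment) or (f, None)."""
    for p in policies:
        if matches(p, f):
            dst = f.dst if p.trans_dst is None else p.trans_dst
            dport = f.dport if p.trans_svc is None else p.trans_svc[1]
            return f._replace(src=translate_source(p, f.src), dst=dst, dport=dport), p.comment
    return f, None

def reflective(p: NatPolicy) -> NatPolicy:
    """Mirror that 'Create a reflective policy' adds to a one-to-one outbound policy:
    public back to private, Inbound Interface = the outbound policy's Outbound
    Interface, Outbound Interface = Any (the page says naming it gives an error)."""
    return NatPolicy(orig_src=p.orig_dst, trans_src=None, orig_dst=p.trans_src,
                     trans_dst=p.orig_src, in_if=p.out_if, comment="reflective: " + p.comment)

WAN_PRIMARY_IP = "67.115.118.68"                  # X1 address in the page's example
outbound_web = NatPolicy("192.168.30.200", "67.115.118.70", None, None,
                         in_if="X2", out_if="X1", comment="web server one-to-one out")
# Specific policies first: the subnet-wide many-to-one would otherwise also match.
POLICIES = [
    NatPolicy(None, None, "67.115.118.70", "192.168.30.200", ("tcp", 9000), ("tcp", 80),
              in_if="X1", comment="inbound PAT 9000->80 on the server's public IP"),
    NatPolicy(None, None, WAN_PRIMARY_IP, "192.168.30.201", ("tcp", 9100), ("tcp", 80),
              in_if="X1", comment="servone via WAN IP (192.168.30.201 is constructed)"),
    reflective(outbound_web),
    outbound_web,
    NatPolicy("192.168.30.0/24", WAN_PRIMARY_IP, None, None,
              in_if="X2", out_if="X1", comment="X2 subnet many-to-one"),
    NatPolicy("192.168.10.0/24", "67.115.118.71-67.115.118.74", None, None,
              in_if="X0", out_if="X1", comment="LAN many-to-many onto public range"),
]
SAME_PREFIX = NatPolicy("192.168.10.0/24", "10.20.30.0/24", None, None, in_if="X0",
                        out_if="X1", comment="same prefix length, constructed pool")

if __name__ == "__main__":
    for f in (Flow("192.168.30.200", "203.0.113.9", "tcp", 51001, 443, "X2", "X1"),
              Flow("198.51.100.7", WAN_PRIMARY_IP, "tcp", 40001, 9100, "X1", "X2")):
        out, why = apply_nat(POLICIES, f)
        print(f"{f.src}->{f.dst}:{f.dport} => {out.src}->{out.dst}:{out.dport} [{why}]")
```

The ordering comment is the practical point: the Web server's one-to-one outbound policy and the X2 subnet's many-to-one policy both match traffic from 192.168.30.200, so the one-to-one policy has to take precedence or the server leaves with the WAN address instead of 67.115.118.70. The same applies to the 9000 and 9100 port policies relative to the plain reflective policy.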

Option choices: Creating Access Rules

Tab        Option              Server one values            Server two values
General    Comment             Enter a short description    Enter a short description
Zone       Source              Select a zone or interface   Select a zone or interface
           Destination         Select a zone or interface   Select a zone or interface
Address    Source              Any                          Any
           Destination         WAN Primary IP               WAN Primary IP
Service    Service             servone_public_port          servtwo_public_port
User       Users Included      All (default)                All (default)
Schedule   Schedule            Always on (default)          Always on (default)
Action     Access Control      Allow                        Allow
           Enable logging      Selected                     Selected
           All other options   Unselected                   Unselected

Configuring NAT Load Balancing

Topics:

• Prerequisites

• Configuring NAT Load Balancing


Prerequisites

To enable logging and alerting:

1 Navigate to the Log > Categories page.

2 Click the Edit icon of a log category. The Edit Log Category dialog displays.

3 From Event Priority, select Debug.

4 Click Update. The Modify Task Description and Schedule dialog displays.

5 Choose a schedule:

• Default (default)

• Immediate

• At:

6 Click Accept.

7 Repeat Step 2 through Step 6 for each category.

To enable log name resolution:

1 Navigate to the Log > Name Resolution page.

2 Select DNS then NetBIOS from Name Resolution Method. The DNS Settings section displays.

3 Choose Inherit DNS Settings Dynamically from WAN option. The Log Resolution DNS Server fields are filled automatically and cannot be changed.

4 Click Update to save and activate the changes.

Configuring NAT Load Balancing

To configure NAT load balancing, you need to create:

1 Address objects.

2 An address group.

3 An inbound NAT LB Policy.

4 An outbound NAT LB Policy.

5 A Firewall Rule.

Verify and troubleshoot the network if necessary.

IMPORTANT: The examples shown in the Tasklist section on the next few pages utilize IP addressing information from a demo setup — ensure you replace any IP addressing information shown in the examples with the correct addressing information for your setup. Also the interface names may be different.

IMPORTANT: It is strongly advised that you enable logging for all categories, and enable name resolution for logging.

TIP: Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once setup is complete, you set the logging level to a more appropriate level for your network environment.


To configure NAT load balancing:

1 Create Address Objects:

a Navigate to the Firewall > Address Objects page.

b Create the network objects for both of the internal Web servers and the Virtual IP (VIP) on which external users will access the servers.

2 Create an Address Group:

a Click Add New Address Group.

b Create an address group named www_group.

c Add the two internal server address objects you just created.

3 Create an Inbound NAT Rule for www_group:

a Create a NAT rule to allow anyone attempting to access the VIP to get translated to the address group you just created, using Sticky IP as the NAT method.

NOTE: Do not save the NAT rule just yet.

4 Set LB Type and Server Liveliness Method.

a Under Advanced of the NAT policy configuration control, you can specify that the object (or group of objects, or group of groups) be monitored via ICMP ping or by checking for open TCP sockets. For this example, check whether each server is up and responding by monitoring TCP port 80, which is appropriate because that is the port clients are trying to reach.

b Click Add to save and activate the changes.

c Click Update.

NOTE: Before you go any further, check the logs and the status page to see whether the resources have been detected and logged as online. Two alerts appear as Firewall Events with the message Network Monitor: Host 192.160.200.220 is online (with your IP addresses). If you do not see these two messages, check the steps above.

5 Create an Outbound NAT Rule for LB Group.

a Create a NAT rule to allow the internal servers to get translated to the VIP when accessing resources out the WAN interface (by default, the X1 interface).

6 Create a Firewall Rule for VIP.

a Create a firewall rule to allow traffic from the outside to access the internal Web servers via the VIP.

7 Test your work.

a From a laptop outside the WAN, connect via HTTP to the VIP using a Web browser.

NOTE: If you wish to load balance one or more SonicWall SRA Appliances, repeat Step 1 through Step 7, using HTTPS instead as the allowed service.
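Both Configuring One-to-Many NAT Load Balancing and this section describe the same behaviour: the VIP's Translated Destination is a group of servers, the Original Source IP is the persistence key (Sticky IP), and members that fail the server liveliness check (TCP port 80 above) are taken out of rotation. The following Python model is an added example, not SonicWall code. The page names Sticky IP and the TCP-port check but not the algorithm, so the rendezvous hashing and the connect-based probe are this example's own choices; the VIP is the page's X1 address, the member addresses are the ones used in the earlier Add Address Object table, and the demo stubs the probe so it runs offline.

```python
"""Model of the One-to-Many NAT load balancing on this page: the VIP's Translated
Destination is a group of servers, the Original Source IP is the persistence key
(Sticky IP), and members failing the TCP-port liveliness check leave the rotation.
Added example, not SonicWall code; hashing and probe are this example's choices."""
import hashlib
import ipaddress
import socket
from typing import Callable, List, Optional

Probe = Callable[[str, int], bool]

def tcp_alive(host: str, port: int, timeout: float = 1.0) -> bool:
    """Liveliness by TCP connect, in the spirit of 'monitor TCP port 80'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class StickyNatLb:
    """VIP -> member group, with a persistent member choice per client source IP."""

    def __init__(self, vip: str, members: List[str], probe_port: int = 80,
                 probe: Probe = tcp_alive) -> None:
        self.vip = vip
        self.members = list(members)
        self.probe_port = probe_port
        self.probe = probe
        self.online: List[str] = list(members)     # treated as up until first refresh

    def refresh(self) -> List[str]:
        """Re-probe every member and keep only those that answer."""
        self.online = [m for m in self.members if self.probe(m, self.probe_port)]
        return self.online

    @staticmethod
    def _score(client_ip: str, member: str) -> int:
        data = ipaddress.ip_address(client_ip).packed + member.encode()
        return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

    def translated_destination(self, client_ip: str) -> Optional[str]:
        """Rendezvous (highest-random-weight) hashing: a client is pinned to the
        online member that scores highest for it, so one member failing only
        moves the clients that were on it; a plain 'hash mod N' would move
        everyone whenever the member count changes."""
        if not self.online:
            return None                             # nothing to translate to
        return max(self.online, key=lambda m: self._score(client_ip, m))

if __name__ == "__main__":
    # Constructed probe so the demo runs offline: .20 is "down", the others "up".
    lb = StickyNatLb("67.115.118.68",
                     ["192.168.200.10", "192.168.200.20", "192.168.200.30"],
                     probe=lambda host, port: host != "192.168.200.20")
    lb.refresh()
    for client in ("198.51.100.7", "198.51.100.8", "203.0.113.42"):
        print(client, "->", lb.translated_destination(client), "online:", lb.online)
```

In production the probe would be the real tcp_alive against the members on the monitored port; the check that matters operationally is the one the page's NOTE describes, confirming in the log that each member has been detected as online before clients are sent to it.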


12

Configuring ARP

ARP (Address Resolution Protocol) maps layer three (IP addresses) to layer two (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information.

Topics:

• Viewing Static ARP Entries

• Deleting a Static ARP Entry

• Creating an ARP Entry

• Secondary Subnets with Static ARP

• Managing the ARP Cache

Viewing Static ARP Entries

The Network > ARP page lists the configured static ARP entries with these columns:

Column        Description
IP Address    IP address of the static ARP entry.
MAC Address   Mapped MAC address of the static ARP entry.
Interface     Interface assigned to the static ARP entry.
Published     Indicates whether the SonicWall device responds to ARP queries for the specified IP address with the specified MAC address.
Bind MAC      Indicates whether the MAC address is bound to the designated IP address and interface.
Configure     Contains the Configure and Delete icons.

Deleting a Static ARP Entry

To delete a static ARP entry:

1 Navigate to the Network > ARP page.

2 Click the Delete icon for the entry.

To delete one or more static ARP entries:

1 Navigate to the Network > ARP page.

2 Select the checkboxes of the entries to delete.

3 Click Delete Selected Static ARP Entries.


Creating an ARP Entry

To configure ARP:

1 Navigate to the Network > ARP page.

2 Click Add New Static ARP Entry. The Add Static ARP dialog displays.

3 Enter an IP address in the IP Address field.

4 Select an interface from Interface; the default is X0.

5 Enter the MAC address to be mapped in the MAC Address field.

6 Configure these options:

• Publish Entry—Enabling the Publish Entry option causes the SonicWall device to respond to ARP queries for the specified IP address with the specified MAC address. This can be used, for example, to have the SonicWall device reply for a secondary IP address on a particular interface by adding the MAC address of the SonicWall. For further information, see Secondary Subnets with Static ARP. This option is not selected by default.

• Bind MAC Address—Enabling the Bind MAC Address option binds the MAC address specified to the designated IP address and interface. This can be used to ensure that a particular workstation (as recognized by the network card's unique MAC address) can only be used on a specified interface on the SonicWall. After the MAC address is bound to an interface, the SonicWall will not respond to that MAC address on any other interface. It also removes any dynamically cached references to that MAC address that might have been present, and it prohibits additional (non-unique) static mappings of that MAC address. This option is not selected by default. When selected, the next option becomes available.

• Update IP Address Dynamically—This option is a sub-feature of the Bind MAC Address option. This allows for a MAC address to be bound to an interface when DHCP is being used to dynamically allocate IP addressing. Enabling this option blurs the IP Address field, and populates the ARP Cache with the IP Address allocated by the SonicWall's internal DHCP server, or by the external DHCP server if IP Helper is in use. This option is not selected by default.

7 Click Update.

Secondary Subnets with Static ARP

The Static ARP feature allows secondary subnets to be added on other interfaces without the addition of automatic NAT rules.

To add a secondary subnet using the static ARP method:

1 Add a “published” static ARP entry for the gateway address that is used for the secondary subnet, assigning it the MAC address of the SonicWall interface to which it is connected.

2 Add a static route for that subnet, so that the SonicWall regards it as valid traffic, and knows to which interface to route that subnet's traffic.

3 Add Access Rules to allow traffic destined for that subnet to traverse the correct network interface.

4 Optional: Add a static route on upstream device(s) so that they know which gateway IP to use to reach the secondary subnet.


Managing the ARP Cache

You manage the ARP cache and data display through options in the ARP Settings and ARP Cache sections of the Network > ARP page.

Topics:

• Configuring ARP Settings

• Flushing the ARP Cache

• Manipulating the ARP Data Display

Configuring ARP Settings

To configure ARP settings:

1 Navigate to the Network > ARP page.

2 Scroll to ARP Settings.

3 In the ARP Cache entry timeout field, specify the time, in minutes, that an ARP cache entry is kept before it times out. The default is 10 minutes.

4 By default, source data is collected from ARP requests. To prevent this data from being collected, select Don’t glean source data from ARP requests. This option is not selected by default.

5 Click Update.

Flushing the ARP Cache

It is sometimes necessary to flush the ARP cache if the IP address has changed for a device on the network. Because the IP address is linked to a physical address, the IP address can change but still be associated with the old physical address in the ARP Cache. Flushing the ARP Cache allows new information to be gathered and stored in the ARP Cache. Click Flush ARP Cache to clear the information.

To flush the ARP Cache:

1 Navigate to the Network > ARP page.

2 Scroll to ARP Cache.

3 Click Flush ARP Cache.
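The following Python model, added here as an illustration and not SonicWall code, puts the behaviour described in Creating an ARP Entry, Secondary Subnets with Static ARP and the ARP settings above into a form that can be tested: a published static entry answers ARP queries for its IP with the configured MAC, a bound MAC is refused on any other interface and loses its dynamically cached references, only one static mapping of a bound MAC is accepted, dynamic entries expire after the cache timeout (10 minutes by default) and are dropped by a flush while static entries survive, and the "Don't glean source data from ARP requests" setting stops learning from requests. Interface names, MAC and IP addresses in it are constructed sample values.

```python
"""Model of the firewall ARP table options documented above.

Added example, not SonicWall code. Interface names, MACs and IPs below are
constructed sample values.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    iface: str
    static: bool = False
    published: bool = False      # Publish Entry option
    bound: bool = False          # Bind MAC Address option
    learned_at: float = field(default_factory=time.time)


class ArpTable:
    """ARP cache plus static entries; the timeout is in minutes, as in the UI."""

    def __init__(self, iface_macs: Dict[str, str], timeout_minutes: int = 10,
                 glean_from_requests: bool = True):
        self.iface_macs = {i: m.lower() for i, m in iface_macs.items()}
        self.timeout = timeout_minutes * 60
        self.glean = glean_from_requests          # False = "Don't glean source data"
        self.entries: Dict[Tuple[str, str], ArpEntry] = {}   # (ip, iface) -> entry
        self.bound_macs: Dict[str, str] = {}                  # mac -> iface

    def add_static(self, ip, mac, iface, publish=False, bind_mac=False):
        mac = mac.lower()
        if bind_mac:
            # A bound MAC may have only one (unique) static mapping.
            if mac in self.bound_macs:
                raise ValueError(f"{mac} is already bound to {self.bound_macs[mac]}")
            self.bound_macs[mac] = iface
            # Remove dynamically cached references to this MAC on every interface.
            stale = [k for k, e in self.entries.items() if e.mac == mac and not e.static]
            for k in stale:
                del self.entries[k]
        self.entries[(ip, iface)] = ArpEntry(ip, mac, iface, True, publish, bind_mac)

    def publish_secondary_gateway(self, gateway_ip, iface):
        """Step 1 of the secondary-subnet procedure: publish the secondary gateway
        address with the MAC of the firewall interface it is reached through."""
        self.add_static(gateway_ip, self.iface_macs[iface], iface, publish=True)

    def learn(self, ip, mac, iface, from_request=False, now=None):
        """Dynamic learning from an ARP packet. Returns True if the entry was cached."""
        mac = mac.lower()
        if from_request and not self.glean:
            return False
        existing = self.entries.get((ip, iface))
        if existing is not None and existing.static:
            return False                          # static entries are never overwritten
        bound_iface = self.bound_macs.get(mac)
        if bound_iface is not None and bound_iface != iface:
            return False                          # bound MAC seen on another interface
        ts = time.time() if now is None else now
        self.entries[(ip, iface)] = ArpEntry(ip, mac, iface, learned_at=ts)
        return True

    def answer_query(self, ip, iface) -> Optional[str]:
        """MAC the firewall answers with for a who-has query on iface, or None."""
        e = self.entries.get((ip, iface))
        return e.mac if e is not None and e.static and e.published else None

    def lookup(self, ip, iface, now=None) -> Optional[str]:
        ts = time.time() if now is None else now
        e = self.entries.get((ip, iface))
        if e is None:
            return None
        if not e.static and ts - e.learned_at > self.timeout:
            del self.entries[(ip, iface)]         # expired dynamic entry
            return None
        return e.mac

    def flush(self):
        """Flush ARP Cache: dynamic entries are dropped, static entries remain."""
        self.entries = {k: e for k, e in self.entries.items() if e.static}
```

The `now` parameters exist so that expiry can be exercised deterministically; in a real implementation the clock would come from the system.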

Manipulating the ARP Data Display

The ARP Data table provides easy pagination for viewing a large number of ARP entries.

Topics:

• Displaying ARP Cache Data

• Refreshing ARP Cache Data

• Deleting ARP Cache Data


Displaying ARP Cache Data

To view ARP cache information:

1 Navigate to the Network > ARP page.

2 Scroll to ARP Cache.

3 Click Request ARP Cache display from unit(s).

Refreshing ARP Cache Data

To refresh ARP cache information:

1 Navigate to the Network > ARP page.

2 Scroll to ARP Cache.

3 Click Refresh ARP Data display.

Deleting ARP Cache Data

To delete ARP cache information:

1 Navigate to the Network > ARP page.

2 Scroll to ARP Cache.

3 Click Delete ARP Data display.


13 Configuring Neighbor Discovery

The Neighbor Discovery Protocol (NDP) is a messaging protocol that was created as part of IPv6 to perform a number of the tasks that ICMP and ARP accomplish in IPv4. Just like ARP, Neighbor Discovery builds a cache of dynamic entries, and the administrator can configure static Neighbor Discovery entries. The IPv6 neighbor messages and functions table shows the IPv6 neighbor messages and functions that are analogous to the traditional IPv4 neighbor messages.

Topics:

• About NDP Objects

• Configuring NDP Settings

• NDP Cache

About NDP Objects

Each entry in the NDP Objects table details the IP Address, MAC Address, and Interface of the NDP object. From this table you can add, edit, or delete NDP objects.

Topics:

• Finding NDP Objects

• Adding NDP Objects

• Deleting NDP Objects

IPv6 neighbor messages and functions

IPv4 Neighbor message                      IPv6 Neighbor message
ARP request message                        Neighbor solicitation message
ARP reply message                          Neighbor advertisement message
ARP cache                                  Neighbor cache
Gratuitous ARP                             Duplicate address detection
Router solicitation message (optional)     Router solicitation (required)
Router advertisement message (optional)    Router advertisement (required)
Redirect message                           Redirect message


Finding NDP Objects

Use the NDP Object Search tool to find existing NDP objects.

To find an NDP object:

1 Navigate to the Network > Neighbor Discovery page.

2 In the Search fields,

• Select either IP Address (default) or MAC Address.

• Select the search operator:

• Equals

• Starts with

• Ends with

• Contains

• Enter the search criterion to match the operator.

3 Click Search. The search results display in the NDP Objects table.

Adding NDP Objects

To add a new NDP object:

1 Navigate to the Network > Neighbor Discovery page.

2 Under the NDP Objects table, click Add New NDP Object. The Add Static NDP dialog displays.

3 Enter the IP address of the NDP object in the IP Address field.

4 Select the interface to associate with the NDP object from Interface.

5 Enter the MAC address to associate with this NDP object in the MAC Address field.

6 Click OK.

Deleting NDP Objects

To delete an NDP object:

1 Navigate to the Network > Neighbor Discovery page.

2 In the NDP Objects table, click the Delete icon for the entry to delete.

To delete one or more NDP objects:

1 Navigate to the Network > Neighbor Discovery page.

2 In the NDP Objects table, select the checkboxes of the entries to delete.

3 Click Delete NDP Object(s).

TIP: To return the NDP Objects table to its original state, click Clear.


Configuring NDP Settings

To configure NDP settings:

1 Navigate to the Network > Neighbor Discovery page.

2 Scroll to NDP Settings.

3 To specify a time limit for neighbor discovery, enter the maximum time, in seconds, in the Neighbor Discovery BaseReachableTime (seconds) field.

4 Click Update.

NDP Cache

Topics:

• Request NDP Cache List

• NDP Cache Objects

• Searching the NDP Cache

• Flushing the NDP Cache

Request NDP Cache List

To display data in the NDP Cache Objects table:

1 Navigate to the Network > Neighbor Discovery page.

2 Scroll to Request NDP Cache List.

3 Click Request NDP Cache List from Firewall. The requested list displays in the NDP Cache Objects table.

NDP Cache Objects

IP Address IP address associated with the NDP object.

Type Type of NDP object: Static or Dynamic.

MAC Address MAC address associated with the NDP object.

Interface Interface associated with the NDP object.

Timeout

Flush Contains the Flush icon.


Searching the NDP Cache

To search for particular NDP cache entries, use the NDP Cache Search tool.

To find an NDP cache object:

1 Navigate to the Network > Neighbor Discovery page.

2 Scroll to NDP Cache Search.

3 In the Search fields,

• Select:

• IP Address (default)

• Type

• MAC Address

• Interface

• Select the search operator:

• Equals

• Starts with

• Ends with

• Contains

• Enter the search criterion to match the operator.

4 Click Search. The search results display in the NDP Cache Objects table.

Flushing the NDP Cache

To flush an entry in the NDP Cache:

1 Navigate to the Network > Neighbor Discovery page.

2 Scroll to NDP Cache Objects.

3 Click the Flush icon in the Flush column for the entry to delete.

To flush one or more entries in the NDP Cache:

1 Navigate to the Network > Neighbor Discovery page.

2 Scroll to NDP Cache Objects.

3 Select the checkboxes of the entries to delete.

4 Click Flush.

To flush the NDP Cache:

1 Navigate to the Network > Neighbor Discovery page.

2 Scroll to NDP Cache Objects.

3 Click Flush NDP Cache.

TIP: To return the NDP Objects table to its original state, click Clear.


14 Configuring MAC-IP Anti-Spoof

MAC and IP address-based attacks are increasingly common in today’s network security environment. These types of attacks often target a Local Area Network (LAN) and can originate from either outside or inside a network. In fact, anywhere internal LANs are somewhat exposed, such as in office conference rooms, schools, or libraries, could provide an opening to these types of attacks. These attacks also go by various names: man-in-the-middle attacks, ARP poisoning, SPITS. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing you with different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.

The effectiveness of the MAC-IP Anti-Spoof feature rests on two areas. The first is admission control, which lets you select which devices gain access to the network. The second is the elimination of spoofing attacks, such as denial-of-service attacks, at Layer 2. To achieve these goals, two caches of information must be built: the MAC-IP Anti-Spoof Cache and the ARP Cache.

The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet’s source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:

• DHCP Server-based leases (SonicWall’s - DHCP Server)

• DHCP relay-based leases (SonicWall’s - IP Helper)

• Static ARP entries

• User created static entries

The ARP Cache is built through the following subsystems:

• ARP packets; both ARP requests and responses

• Static ARP entries from user-created entries

• MAC-IP Anti-Spoof Cache

The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted ARP packets. This prevents a firewall from routing a packet to the unintended device, based on mapping. This also prevents man-in-the-middle attacks by refreshing a client’s own MAC address inside its ARP cache.

Topics:

• Interface Settings

• Anti-Spoof Cache

• Spoof Detected List


Interface Settings

To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface, go to the Network > MAC-IP Anti-spoof page.

To configure settings for a particular interface, click the Edit icon in the Configure column for the desired interface. The Edit MAC-IP Anti-Spoof Settings dialog is displayed for the selected interface.

The following options are available:

• Anti-Spoof Settings

  • Enable: Enables the MAC-IP Anti-Spoof subsystem on traffic through this interface.

  • Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries.

  • DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the SonicWall DHCP server.

  • DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases from the DHCP relay, based on IP Helper.

• ARP Settings

  • ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.

  • ARP Watch: Prevents ARP poisoning of connected machines to protect all clients' PCs from man-in-the-middle attacks.

• Miscellaneous Settings

  • Enforce: Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof cache.

  • Spoof Detection: Logs all devices that fail the Anti-Spoof cache check and lists them in the Spoof Detected List.

  • Allow Management: Allows through all packets destined for the appliance's IP address, even if they come from devices currently not listed in the Anti-Spoof Cache.

After your setting selections for this interface are complete, click OK. After the settings have been adjusted, the interface's listing is updated on the MAC-IP Anti-Spoof page. Green circle icons with a white check mark denote which settings have been enabled.

NOTE: The following interfaces are excluded from the MAC-IP Anti-Spoof list:

• Non-ethernet interfaces

• Port-shield member interfaces

• Layer 2 bridge pair interfaces

• High availability interfaces

• High availability data interfaces


Anti-Spoof Cache

The MAC-IP Anti-Spoof Cache lists all the devices presently listed as "authorized" to access the network, and all devices marked as "blacklisted" (denied access) from the network.

To add a device to the list:

1 Navigate to the Network > Mac-IP Anti-Spoof page.

2 Click Add Anti-Spoof Cache. The Add Static MAC-IP Anti-spoof dialog displays.

3 Select an interface from Interface.

4 Enter the IP address for the device in the IP Address field.

5 Enter the MAC address for the device in the MAC Address field.

6 Select the A Router option to allow traffic coming from behind this device.

7 Select the A blacklisted device option to block packets from this device, regardless of its IP address.

8 Click OK.

If you need to edit a static Anti-Spoof cache entry, click the entry’s Edit icon under the Configure column.

Single, or multiple, static anti-spoof cache entries can be deleted. To do this, select the checkbox next to each entry, then click Delete Anti-Spoof Cache(s).

To clear cache statistics, select the desired devices, then click Clear Stats.

Some packet types are bypassed even though the MAC-IP Anti-Spoof feature is enabled:

• Non-IP packets.

• DHCP packets with source IP as 0.

• Packets from a VPN tunnel.

• Packets with invalid unicast IPs as their source IPs.

• Packets from interfaces where the Management status is not enabled under anti-spoof settings.
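The ingress check this chapter describes, modelled in Python as an added example (not SonicWall code): the per-interface options Enable, Enforce, Spoof Detection and Allow Management from Interface Settings, the A Router and A blacklisted device options of a static cache entry, and the bypass cases listed above are applied to constructed packets, and every failed lookup is recorded the way the Spoof Detected List would show it. The bypass rules for VPN traffic and "invalid unicast" source addresses are modelled as flags and as the multicast, unspecified, loopback and reserved address classes respectively; that reading is an assumption, as are all interface names and addresses.

```python
"""Model of the MAC-IP Anti-Spoof ingress check documented above.

Added example, not SonicWall code. Interface names, MACs and IPs are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CacheEntry:
    mac: str
    ip: str
    iface: str
    is_router: bool = False      # "A Router": traffic from behind it is allowed
    blacklisted: bool = False    # "A blacklisted device": dropped regardless of IP


@dataclass
class IfaceSettings:
    enable: bool = True
    enforce: bool = True            # ingress control; False = detection only
    spoof_detection: bool = True    # log failures to the Spoof Detected List
    allow_management: bool = False  # let unknown devices reach the appliance itself


@dataclass
class Packet:
    iface: str
    src_mac: str
    src_ip: Optional[str]           # None models a non-IP frame
    dst_ip: Optional[str] = None
    from_vpn: bool = False
    dhcp: bool = False


class AntiSpoof:
    def __init__(self, settings, appliance_ips):
        self.settings = settings                      # iface -> IfaceSettings
        self.appliance_ips = set(appliance_ips)
        self.entries: List[CacheEntry] = []           # the MAC-IP Anti-Spoof cache
        self.spoof_detected: List[Tuple[str, str, str]] = []

    def add_entry(self, entry: CacheEntry):
        entry.mac = entry.mac.lower()
        self.entries.append(entry)

    def _bypassed(self, p: Packet) -> bool:
        """Packet types the check does not apply to (see the list above)."""
        if p.src_ip is None or p.from_vpn:
            return True
        if p.dhcp and p.src_ip == "0.0.0.0":
            return True
        try:
            addr = ipaddress.ip_address(p.src_ip)
        except ValueError:
            return True
        # Assumption: "invalid unicast" covers multicast, unspecified,
        # loopback and reserved source addresses.
        return addr.is_multicast or addr.is_unspecified or addr.is_loopback or addr.is_reserved

    def check(self, p: Packet) -> str:
        """Return 'allow' or 'drop'; failures are logged when Spoof Detection is on."""
        s = self.settings.get(p.iface)
        if s is None or not s.enable or self._bypassed(p):
            return "allow"
        mac = p.src_mac.lower()
        matches = [e for e in self.entries if e.mac == mac and e.iface == p.iface]
        if any(e.blacklisted for e in matches):
            return "drop"
        if any(e.is_router or e.ip == p.src_ip for e in matches):
            return "allow"                        # source MAC/IP pair is in the cache
        # Unknown device, or a known MAC using an IP it was not assigned.
        if s.spoof_detection:
            self.spoof_detected.append((p.iface, mac, p.src_ip))
        if s.allow_management and p.dst_ip in self.appliance_ips:
            return "allow"
        return "drop" if s.enforce else "allow"
```

Running an interface with Enforce off and Spoof Detection on is the non-disruptive way to see what the cache would block before turning enforcement on: `check` then returns "allow" for unknown devices but still fills `spoof_detected`.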

The Anti-Spoof Cache Search section provides the ability to search the entries in the cache.

To search the MAC-IP Anti-Spoof Cache:

1 Navigate to the Network > Mac-IP Anti-Spoof page.

2 From Search, select whether you want to search by IP address or Interface.

3 Select what type of search: Equals, Starts with, Ends with, or Contains.

4 Enter a search string in the field.

5 Click Search. Matching entries in the MAC-IP Anti-Spoof cache are displayed.

To clear the Anti-Spoof Cache table and redisplay all entries, click Clear.


Spoof Detected List

The Spoof Detected List displays devices that failed to pass the ingress anti-spoof cache check. Entries on this list can be added as a static anti-spoof entry. To view the Spoof Detected List, click Request Spoof Detected List from Firewall.

Entries can be flushed from the list by clicking Flush. The name of each device can also be resolved using NetBios, by clicking Resolve.

To add an entry to the static anti-spoof list:

1 Navigate to the Network > Mac-IP Anti-Spoof page.

2 Click on the Edit icon under the Add column for the desired device. An alert message window opens, asking if you wish to add this static entry.

3 Click OK to proceed.

NOTE: Spoof Detected List display is available only at the Unit level.


15 Configuring IP Helper

The IP Helper allows the SonicWall to forward DHCP requests originating from the interfaces on a SonicWall to a centralized DHCP server on behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer three routing mechanism is not capable of acting as a DHCP server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded with DHCP client requests.

Topics:

• Enabling IP Helper

• Configuring Relay Protocols

• Configuring IP Helper Policies

Enabling IP Helper

To enable IP Helper:

1 Expand the Network tree.

2 Navigate to the Network > IP Helper page.

3 Select Enable IP Helper.

For appliances running SonicOS versions lower than 5.5, you can also configure DHCP and NetBIOS support:

a To enable DHCP support, select Enable DHCP Support.

b To enable NetBIOS support, select Enable NetBIOS Support.

Configuring Relay Protocols

Appliances running SonicOS version 5.5 and higher support Enhanced IP Helper, which offers configurable Relay Protocols.

Appliances running SonicOS 6.1 and higher have default Relay Protocols available.

The following built-in applications are included:

• DHCP—UDP port number 67/68

• Net-Bios NS—UDP port number 137

• Net-Bios Datagram—UDP port number 138

• DNS—UDP port number 53

• Time Service—UDP port number 37


• Wake on LAN (WOL)

• mDNS—UDP port number 5353; multicast address 224.0.0.251

To enable any of these protocols, select Enable and click Update.

To configure additional protocols:

1 Navigate to the Network > IP Helper page.

2 Click Add Relay Protocol. The Add IP Helper Application dialog displays.

3 Configure these options:

• Name—The name of the protocol.

• Port 1/2—The unique UDP port number.

• Translate IP—Translation of the source IP while forwarding a packet.

• Timeout—IP Helper cache timeout in seconds, in increments of 10. The default is 30 seconds.

• Allow Source IP Translation—Allows the source IP address to be translated when a packet is forwarded by an IP Helper policy. This option is selected by default.

• Raw Mode—Unidirectional forwarding that does not create an IP Helper cache. This is suitable for most of the user-defined protocols that are used for discovery, for example WOL/mDNS. This option is not selected by default.

4 Click Update.

Configuring IP Helper Policies

To add an IP Helper policy:

1 Navigate to the Network > IP Helper page.

2 Click Add IP Helper Policy. The Add IP Helper dialog displays. The policy is enabled by default.

3 To configure the policy without enabling it, clear Enabled.

4 From the Protocol drop-down menu, select one of the following:

• DHCP

• NetBIOS

• DNS

• TIME

• WOL

• mDNS

• ss

5 Select a source Interface or Zone from the From menu.

6 Select a destination IP address or subnet from the To menu.

7 Enter an optional comment in the Comment field.

8 Click OK to add the policy to the IP Helper Policies table.

NOTE: These names are case sensitive and must be unique.


9 Repeat this procedure for each policy to add. To delete a policy, click the trash can icon next to the policy.

10 When you are finished, click Update. The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.
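The relay behaviour described in Configuring Relay Protocols and Configuring IP Helper Policies, modelled in Python as an added example that is not SonicWall code: a policy maps a source interface and protocol to a destination server; a DHCP request gets the relaying interface's address written into the giaddr field (the relay agent address of the RFC 2131 BOOTP header) and its hops count incremented, and a cache entry keyed by the transaction ID remembers which interface and client the reply belongs to; entries expire after the policy's timeout (a multiple of 10 seconds, 30 by default); a Raw Mode policy, as used for WOL, forwards without creating a cache entry. Interface names, addresses and the DHCPDISCOVER bytes built by `build_discover` are constructed.

```python
"""Model of IP Helper relaying, added as an example (not SonicWall code).

Interface names, addresses and the DHCPDISCOVER bytes are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 2131 BOOTP header offsets: hops at byte 3, xid at 4..7, giaddr at 24..27,
# chaddr (client hardware address) at 28..43.
HOPS_OFFSET, XID_OFFSET, GIADDR_OFFSET, CHADDR_OFFSET = 3, 4, 24, 28
MIN_DHCP_LEN = 240   # fixed header (236 bytes) plus the 4-byte magic cookie


@dataclass
class Policy:
    proto: str            # relay protocol name, e.g. "DHCP" or "WOL"
    from_iface: str       # "From": source interface
    to_server: str        # "To": destination address
    raw_mode: bool = False
    timeout: int = 30     # IP Helper cache timeout, seconds, in steps of 10


class IpHelper:
    def __init__(self, iface_ips: Dict[str, str]):
        self.iface_ips = iface_ips          # iface -> its IP, used as giaddr
        self.policies: List[Policy] = []
        # xid -> (ingress iface, client MAC, expiry time)
        self.cache: Dict[int, Tuple[str, bytes, int]] = {}

    def add_policy(self, pol: Policy):
        if pol.timeout <= 0 or pol.timeout % 10:
            raise ValueError("timeout must be a positive multiple of 10 seconds")
        self.policies.append(pol)

    def relay_request(self, iface, proto, payload, now) -> Optional[Tuple[str, bytes]]:
        """Relay a broadcast received on iface; returns (server, payload) or None."""
        pol = next((p for p in self.policies
                    if p.proto == proto and p.from_iface == iface), None)
        if pol is None:
            return None                       # no policy: broadcast is not relayed
        if pol.raw_mode:
            return pol.to_server, payload     # Raw Mode: unidirectional, nothing cached
        if proto != "DHCP":
            return pol.to_server, payload     # only the DHCP reply path is modelled here
        if len(payload) < MIN_DHCP_LEN:
            raise ValueError("truncated DHCP message")
        buf = bytearray(payload)
        buf[HOPS_OFFSET] = min(buf[HOPS_OFFSET] + 1, 255)
        if struct.unpack_from("!I", buf, GIADDR_OFFSET)[0] == 0:
            # The first relay on the path records its own address as giaddr so the
            # server picks a scope for the client's subnet and replies to the relay.
            struct.pack_into("!I", buf, GIADDR_OFFSET,
                             int(ipaddress.IPv4Address(self.iface_ips[iface])))
        xid = struct.unpack_from("!I", buf, XID_OFFSET)[0]
        client_mac = bytes(buf[CHADDR_OFFSET:CHADDR_OFFSET + 6])
        self.cache[xid] = (iface, client_mac, now + pol.timeout)
        return pol.to_server, bytes(buf)

    def relay_reply(self, payload, now) -> Optional[Tuple[str, bytes]]:
        """Match a server reply to a cached request: (ingress iface, client MAC)."""
        xid = struct.unpack_from("!I", payload, XID_OFFSET)[0]
        hit = self.cache.get(xid)
        if hit is None or hit[2] < now:
            self.cache.pop(xid, None)         # unknown or expired transaction
            return None
        return hit[0], hit[1]


def build_discover(xid: int, client_mac: bytes) -> bytes:
    """Constructed minimal DHCPDISCOVER: BOOTREQUEST, Ethernet, broadcast flag set."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    return hdr + client_mac + b"\0" * 10 + b"\0" * 192 + b"\x63\x82\x53\x63"
```

The cache is what makes the relay bidirectional: a reply whose transaction ID was never relayed, or whose entry has timed out, is not forwarded back into the client's segment, which is the same reason the page recommends Raw Mode only for one-way discovery protocols.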


16 Configuring Web Proxy Forwarding Settings

A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.

Setting up a Web proxy server on a network can be cumbersome, because each computer on the network must be configured to direct Web requests to the server.

If there is a proxy server on the SonicWall appliance’s network, you can move the SonicWall appliance between the network and the proxy server, and enable Web Proxy Forwarding. This forwards all WAN requests to the proxy server without requiring the computers to be individually configured.

Topics:

• Configuring Automatic Proxy Forwarding (Web Only)

• Bypass Proxy Servers Upon Proxy Failure

• Adding a Proxy Server

• Editing a Proxy Server

• Deleting a Proxy Server

Configuring Automatic Proxy Forwarding (Web Only)

To configure a proxy Web server:

1 Navigate to the Network > Web Proxy page.

2 Connect your Web proxy server to a hub.

3 Connect the hub to the SonicWall appliance’s WAN or DMZ port.

4 Enable CFS on the related zones where clients are from unless you are using the WXA’s Web Cache.

5 Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) field.

6 Type the proxy IP port in the Proxy Web Server Port field. The default is 80.

7 To bypass the Proxy Servers if a failure occurs, select Bypass Proxy Servers Upon Proxy Server Failure. This option is selected by default.

8 Select Forward DMZ Client Requests to Proxy Server if you have clients configured on the DMZ. This option is selected by default.

NOTE: The proxy server must be located on the WAN or DMZ; it cannot be located on the LAN.


9 Select Divert traffic to the WXA series appliance's Web Cache if you would like to divert web traffic to a WXA series appliance. This option is not selected by default. When it is selected, the first four options become dimmed and the following three options become available.

10 Select the service for this proxy from Web Server Ports. This option is selected by default. It is available only if Divert traffic to the WXA series appliance’s Web Cache is selected.

11 For Client Inclusion Address Object, specify the appropriate client inclusion option from the pull-down. Select the Address Object or Group that represents those local subnets with web traffic that should be delivered through the WXA Web Cache. Alternatively, choose Any (default) and traffic from any source IP address is forwarded to the WXA. This option is selected by default. It is available only if Divert traffic to the WXA series appliance’s Web Cache is selected.

12 For Server Exclusion Address Object, specify the appropriate server exclusion option from the pull-down menu. Select the Address Object or Group that contains the destination addresses of web servers for which traffic should not be diverted through the WXA Web Cache. By selecting None (default), no web server is excluded and all appropriate traffic is sent through the WXA. This option is selected by default. It is available only if Divert traffic to the WXA series appliance’s Web Cache is selected.

13 Click Update.

After the SonicWall appliance has been updated, a message confirming the update is displayed.

14 Confirm the Description and Schedule.

Bypass Proxy Servers Upon Proxy Failure

If a Web proxy server is specified on the Network > Web Proxy page, selecting Bypass Proxy Servers Upon Proxy Server Failure allows clients behind the SonicWall appliance to bypass the Web proxy server in the event it becomes unavailable. Instead, the client's browser accesses the Internet directly as if a Web proxy server were not specified.

Adding a Proxy Server

To add a Web Proxy server through which users' web requests might come:

1 Navigate to the Network > Web Proxy page.

2 In the User Proxy Servers section, click Add. The Add Portal Proxy Server dialog displays.

3 Enter a proxy server host name or IP address in the Enter Proxy server Host Name or IP Address field.

4 Click OK. The new proxy server populates in the User Proxy Servers table.

5 Click Update.

Editing a Proxy Server

To edit a Web Proxy server:

1 Navigate to the Network > Web Proxy page.

2 In the User Proxy Servers table, select the proxy server to change.

3 Click Edit. The Edit Portal Proxy Server dialog displays.


4 Make the change to the Enter Proxy server Host Name or IP Address field.

5 Click OK. The changed proxy server populates in the User Proxy Servers table.

6 Click Update.

Deleting a Proxy Server

To delete a Web Proxy server:

1 Navigate to the Network > Web Proxy page.

2 In the User Proxy Servers table, select the proxy server to delete.

3 Click Remove.

4 Click Update.

To delete all of the Web Proxy servers:

1 Navigate to the Network > Web Proxy page.

2 Under the User Proxy Servers table, click Remove All.

3 Click Update.


17 Configuring Dynamic DNS

Dynamic DNS (DDNS) is a service provided by various companies and organizations that automatically updates DNS records when a host's IP address changes, without manual intervention. This service allows network access using domain names rather than IP addresses, even when the target's IP addresses change. DDNS is supported for IPv6 as well as IPv4.

Topics:

• Adding a Dynamic DNS Profile

• Deleting Dynamic DNS Profiles

Adding a Dynamic DNS Profile

To configure Dynamic DNS on the SonicWall security appliance:

1 Expand the Network tree.

2 Navigate to the Network > Dynamic DNS page.

3 Click Add Profile. The Dynamic DNS Profile Settings dialog displays.

4 Select a provider from Provider. DynDNS.org and changeip.com use HTTPS, while yi.org and no-ip.com use HTTP. This example uses DynDNS.org. DynDNS.org requires the selection of a service. This example assumes you have created a dynamic service record with dyndns.org.

5 Enter a name to assign to the DDNS entry in the Profile Name field. This can be any value used to identify the entry in the Dynamic DNS Settings table. The minimum length is 1 character, and the maximum length is 63 characters.

6 If Enable this profile is checked, the profile is administratively enabled, and the SonicWall security appliance takes the actions defined in the Online Settings section on the Advanced tab. This option is selected by default.

7 If Use Online Settings is checked, the profile is administratively online. This option is selected by default.

8 Enter your dyndns.org username and password in the User Name and Password fields. For user names, the minimum length is 1 character, and the maximum length is 63 characters. For passwords, the minimum length is 1 character, and the maximum length is 31 characters.

9 Enter the fully qualified domain name (FQDN) of the hostname you registered with dyndns.org in the Domain Name field. Make sure you provide the same hostname and domain as you configured. The minimum length is 1 character, and the maximum length is 63 characters.

IMPORTANT: Not all providers require all options; only relevant options are displayed for those providers.

TIP: If you leave the Password field empty, the current password for the field in the appliance remains unchanged.


10 Optionally, select a WAN interface from Bound to to assign this DDNS profile to that specific WAN interface. This allows administrators who are configuring multiple-WAN load balancing to advertise a predictable IP address to the DDNS service. By default, this is set to ANY, which means the profile is free to use any of the WAN interfaces on the appliance.

11 When using dyndns.org, select a service type from Service Type that corresponds to your type of service through dyndns.org:

• Dynamic (default)—A free Dynamic DNS service.

• Custom—A managed primary DNS solution that provides a unified primary/secondary DNS service and a web-based interface. Supports both dynamic and static IP addresses.

• Static—A free DNS service for static IP addresses.

12 When using DynDNS.org, you might optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field.

13 Click Advanced. You can typically leave the default settings on this page.

14 The On-line Settings section provides control over what address is registered with the dynamic DNS provider; choose:

• Let the server detect IP Address (IPv4 only; default)—The dynamic DNS provider determines the IP address based upon the source address of the connection.

• Automatically set IP Address to the Primary WAN Interface IP Address (default for IPv6)—This causes the SonicWall device to assert its WAN IP address as the registered IP address, overriding auto-detection by the dynamic DNS server. Useful if detection is not working correctly.

• Specify IP Address manually—Allows for the IP address to be registered to be manually specified and asserted. When selected, the address field becomes available.

15 The Off-line Settings section controls what IP Address is registered with the dynamic DNS service provider if the dynamic DNS entry is taken off-line locally (disabled) on the SonicWall; choose:

• Do nothing—the default setting. This allows the previously registered address to remain current with the dynamic DNS provider.

• Use the Off-Line IP Address previously configured at Provider's site—if your provider supports manual configuration of Off-Line Settings, you can select this option to use those settings when this profile is taken administratively offline.

16 When you are finished, click OK.
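The procedure above fixes the field limits (profile name, user name and domain name 1 to 63 characters, password 1 to 31), the transport each provider uses (HTTPS for DynDNS.org and changeip.com, plain HTTP for yi.org and no-ip.com) and the three On-line Settings choices for which address gets registered. The following Python is an added example that is not SonicWall code: it validates a profile against those limits, picks the address to assert the way the On-line Settings do, and assembles the update request. The dyndns2-style request shape (GET /nic/update with hostname and myip parameters and HTTP Basic authentication) and the update host name ddns.example.net are assumptions; the sample profile values are constructed.

```python
import base64
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Transport per selectable provider, as stated in step 4 of the procedure.
PROVIDER_SCHEME = {
    "dyndns.org": "https",
    "changeip.com": "https",
    "yi.org": "http",
    "no-ip.com": "http",
}

# Maximum field lengths from steps 5, 8 and 9; the minimum is 1 for all of them.
FIELD_MAX = {"profile_name": 63, "user_name": 63, "password": 31, "domain_name": 63}

# The three On-line Settings choices from step 14.
ONLINE_MODES = ("server_detect", "primary_wan", "manual")


@dataclass
class DdnsProfile:
    provider: str
    profile_name: str
    user_name: str
    password: str
    domain_name: str
    bound_to: str = "ANY"             # WAN interface name, or ANY (step 10)
    online_mode: str = "server_detect"
    manual_ip: Optional[str] = None   # only used when online_mode == "manual"


def _is_fqdn(name: str) -> bool:
    """Cheap syntactic check: at least two labels, each a valid DNS label."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(
        1 <= len(label) <= 63
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    )


def validate_profile(p: DdnsProfile, primary_wan_ip: str) -> list:
    """Return a list of problems; an empty list means the profile is acceptable."""
    errors = []
    if p.provider not in PROVIDER_SCHEME:
        errors.append(f"unknown provider {p.provider!r}")
    for field, limit in FIELD_MAX.items():
        length = len(getattr(p, field))
        if not 1 <= length <= limit:
            errors.append(f"{field} must be 1..{limit} characters (got {length})")
    if not _is_fqdn(p.domain_name):
        errors.append("domain_name must be a fully qualified hostname")
    if p.online_mode not in ONLINE_MODES:
        errors.append(f"online_mode must be one of {ONLINE_MODES}")
    # "Let the server detect IP Address" is IPv4 only; IPv6 defaults to the WAN address.
    if p.online_mode == "server_detect" and ipaddress.ip_address(primary_wan_ip).version == 6:
        errors.append("server-side detection is IPv4 only; use primary_wan for IPv6")
    if p.online_mode == "manual":
        try:
            ipaddress.ip_address(p.manual_ip or "")
        except ValueError:
            errors.append("manual mode requires a valid manual_ip")
    return errors


def registered_address(p: DdnsProfile, primary_wan_ip: str) -> Optional[str]:
    """Address asserted in the update; None means let the provider detect it."""
    if p.online_mode == "primary_wan":
        return primary_wan_ip
    if p.online_mode == "manual":
        return p.manual_ip
    return None


def build_update_request(p: DdnsProfile, primary_wan_ip: str,
                         update_host: str = "ddns.example.net") -> dict:
    """Assemble a dyndns2-style update (assumed protocol; update_host is a placeholder)."""
    problems = validate_profile(p, primary_wan_ip)
    if problems:
        raise ValueError("; ".join(problems))
    scheme = PROVIDER_SCHEME[p.provider]
    params = {"hostname": p.domain_name}
    ip = registered_address(p, primary_wan_ip)
    if ip is not None:
        params["myip"] = ip
    token = base64.b64encode(f"{p.user_name}:{p.password}".encode()).decode()
    return {
        "url": f"{scheme}://{update_host}/nic/update?{urlencode(params)}",
        "headers": {"Authorization": f"Basic {token}",
                    "User-Agent": "example-ddns-client/1.0"},
        # With an HTTP provider the Basic credentials travel in clear text.
        "credentials_in_clear": scheme == "http",
    }


if __name__ == "__main__":
    # Constructed sample profile, not a real account.
    sample = DdnsProfile("dyndns.org", "office-wan", "alice", "s3cret",
                         "office.example.com", online_mode="manual", manual_ip="203.0.113.10")
    print(build_update_request(sample, "203.0.113.10"))
```

The credentials_in_clear flag is the practical takeaway of step 4: a profile bound to an HTTP-only provider sends the user name and password unprotected on every update, so such a profile warrants a dedicated, low-value DDNS account rather than a shared one.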

Deleting Dynamic DNS Profiles

To delete a Dynamic DNS Profile:

1 Navigate to the Network > Dynamic DNS page.

2 Click Delete All Profiles.

TIP: Not all options are available for IPv6; differences are noted.

18 Using the Topology View

The Network > Topology View provides network visualization displayed as a tree-like diagram.

This feature lets you see all the network entities and their relationships with each other, as well as view detailed connection information between devices and subnets.

You can:

• Zoom in and out with the mouse wheel. Each click of the wheel, up or down, increases or decreases the zoom factor by 10%.

• Move the diagram by clicking on an empty area and dragging the diagram to the desired location.

• Move any node by clicking on it and dragging it to the desired location.

• Get detailed information on each node (device) by mousing over the node.

• Print a copy of the topology view by clicking the Export as PDF button.

19 Configuring AWS Credentials

Topics:

• About AWS

• Configuring AWS

• Troubleshooting the Connection

About AWS

The Management Service integration with Amazon Web Service (AWS) enables you to:

• Store your logs on the AWS CloudWatch Logs service to monitor and troubleshoot your systems and applications.

• Use AWS-hosted analysis tools such as ElasticSearch and Kibana.

To integrate the Management Service with AWS and allow the security appliance to communicate with the various application programming interfaces (APIs) of AWS, you need to:

1 Provide AWS security credentials; see Configuring AWS.

2 Create AWS Objects, such as Address Objects and Address Groups, that correspond to AWS EC2 Instances. For further information about creating AWS Objects, see SonicOS Policies.

3 Create VPN connections from the security appliance to the AWS Virtual Private Clouds (VPCs). For further information about creating VPN connections, see SonicOS Connectivity.

4 Create a Log Stream and enable logging. For more information about logging to Amazon CloudWatch Logs, see SonicOS Logs and Reporting.

Configuring AWS

To configure AWS:

1 Ensure you have:

• Registered with Amazon Web Services (AWS).

• An AWS Identity and Access Management (IAM) User’s Access Key ID and Secret Access Key.

• Familiarity with IAM Best Practices.


NOTE: To configure SonicOS to allow TLS v1.0 for AWS, contact SonicWall Support.


2 Navigate to Network > AWS Configuration.

3 Enter the AWS Access Key ID in the Access Key ID field. The AWS Access Key ID is used by the security appliance to access AWS APIs. This option is not selected by default.

4 To mask the key for security, ensure Mask Key is selected. This option is selected by default.

5 Enter the AWS Secret Access Key in the Secret Access Key field. The Secret Access Key is used by the security appliance to access AWS APIs. If Mask Key is selected, the field is a series of bullets.

6 Reenter the AWS Secret Access Key in the Confirm Key field.

7 From Region, select the default region used to initialize the Manage | Policies > Objects > AWS Objects and Manage | Connectivity > VPN > AWS VPN pages. The default is US East (N. Virginia).

8 Click ACCEPT. The TEST CONNECTION button becomes available.

9 To test the validity of the credentials and that the security appliance can successfully communicate with AWS, click TEST CONNECTION. Several tests are run on the credentials and the connection to AWS, and the results display.

10 Click Close.
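Step 1 asks for familiarity with IAM best practices, and steps 3 to 6 have you paste a long-term IAM user key pair into the appliance. The following Python is an added example, not SonicWall's or AWS's code: it sanity-checks the key pair before it is entered (catching the truncated or mismatched paste that TEST CONNECTION would otherwise report later) and renders a least-privilege IAM policy for the user whose keys are used. The key-format rules (20-character Access Key ID starting with AKIA for long-term IAM user keys, 40-character secret) are AWS conventions; the action list is an assumption based on the tasks listed under About AWS (CloudWatch Logs writes and EC2/VPC reads), and the account ID and log group name are placeholders.

```python
import json
import re

# Long-term IAM user access keys: 20 characters, prefix AKIA. Temporary STS keys
# start with ASIA and also need a session token, which the page's form has no field for.
ACCESS_KEY_ID_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")

# Default region on the page is US East (N. Virginia), i.e. us-east-1.
DEFAULT_REGION = "us-east-1"


def check_credentials(access_key_id: str, secret_key: str, confirm_key: str) -> list:
    """Return a list of problems with the key pair as typed; empty means it looks sane."""
    errors = []
    if access_key_id != access_key_id.strip() or secret_key != secret_key.strip():
        errors.append("key material has leading or trailing whitespace (paste error)")
    if not ACCESS_KEY_ID_RE.match(access_key_id):
        errors.append("Access Key ID should be a 20-character AKIA... long-term IAM user key")
    if not SECRET_KEY_RE.match(secret_key):
        errors.append("Secret Access Key should be exactly 40 characters")
    if secret_key != confirm_key:
        errors.append("Confirm Key does not match Secret Access Key")
    return errors


def least_privilege_policy(region: str = DEFAULT_REGION,
                           account_id: str = "123456789012",      # placeholder
                           log_group: str = "sonicwall-events") -> dict:  # placeholder
    """IAM policy granting only the reads for TEST CONNECTION / object discovery
    and writes to one CloudWatch Logs log group (assumed action set)."""
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeOnly",
                "Effect": "Allow",
                # Describe* calls do not support resource-level ARNs, so "*" is required here.
                "Action": ["logs:DescribeLogGroups", "ec2:DescribeInstances", "ec2:DescribeVpcs"],
                "Resource": "*",
            },
            {
                "Sid": "WriteApplianceLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
                "Resource": [log_group_arn, f"{log_group_arn}:*"],
            },
        ],
    }


def write_actions_are_scoped(policy: dict) -> bool:
    """True when no statement grants a non-read action on Resource '*'."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        writes = []
        for action in actions:
            name = action.split(":", 1)[1] if ":" in action else "*"
            if not name.startswith(("Describe", "List", "Get")):
                writes.append(action)
        if writes and "*" in resources:
            return False
    return True


def render_policy(policy: dict) -> str:
    """JSON suitable for pasting into the IAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render_policy(least_privilege_policy()))
```

Attach the rendered policy to a dedicated IAM user created only for the appliance, so that a leaked appliance configuration backup exposes nothing beyond log writes and EC2 reads; if the TEST CONNECTION step later reports an access-denied diagnosis, extend the action list for that one call rather than widening to a managed full-access policy.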

Troubleshooting the Connection

To troubleshoot the connection:

1 Click Test Connection.

2 The Modify Task Description and Schedule dialog displays.

3 Choose a schedule:

• Default (default)

• Immediate

• At:

4 Click Accept.

5 The results display when the task is completed.

6 To display more information, click the Information icon. Another popup displays.

7 Note the diagnosis.

8 Click OK.

9 Click Close.

10 Correct the problem described in Diagnosis.

11 Click Test Connection.

12 Repeat Step 1 through Step 11 until you solve the problem(s).

13 Click Close.

IMPORTANT: If the default region is the region used when sending security appliance event logs to AWS CloudWatch Logs, it is affected by changes on the Manage | Logs & Reporting > Log Settings > AWS Logs page.

CAUTION: It is important to test the connection and configuration at this time as any error at this point will result in issues later.

TIP: If there were problems with the test, see Troubleshooting the Connection.

20 SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.

The Support Portal enables you to:

• View knowledge base articles and technical documentation

• View video tutorials

• Access MySonicWall

• Learn about SonicWall professional services

• Review SonicWall Support services and warranty information

• Register for training and certification

• Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.


About This Document

Management Services Network Setup Administration

Updated - February 2019

232-004737-00 Rev A

Copyright © 2019 SonicWall Inc. All rights reserved.

SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.

For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement

To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/en-us/legal/license-agreements.

Open Source Code

SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.”, to:

General Public License Source Code Request
SonicWall Inc. Attn: Jennifer Anderson
1033 McCarthy Blvd
Milpitas, CA 95035

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
