GMS-UMA 6.0 Administrators Guide
Copyright Notice
2010 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual, or the software described within, cannot be copied, in whole or in part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format. Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc. Windows XP, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2003, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation. Firefox is a trademark of the Mozilla Foundation. Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries. Netscape Navigator and Netscape Communicator are also trademarks of Netscape Communications Corporation and may be registered outside the U.S. Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.
the laws and regulations of the United States, which may require U.S. Government export approval/licensing. Failure to strictly comply with this provision shall automatically invalidate this License.
License
SonicWALL grants you a non-exclusive license to use the SOFTWARE PRODUCT for a number of SonicWALL eligible products. This number is specified and shipped with the SOFTWARE PRODUCT. Support for additional SonicWALL eligible products is subject to a separate upgrade license.
Upgrades
If the SOFTWARE PRODUCT is labeled as an upgrade, you must be properly licensed to use a product identified by SonicWALL as being eligible for the upgrade in order to use the SOFTWARE PRODUCT. A SOFTWARE PRODUCT labeled as an upgrade replaces and/or supplements the product that formed the basis for your eligibility for the upgrade. You may use the resulting upgraded product only in accordance with the terms of this EULA. If the SOFTWARE PRODUCT is an upgrade of a component of a package of software programs that you licensed as a single product, the SOFTWARE PRODUCT may be used and transferred only as part of that single product package and may not be separated for use on more than one computer.
Support Services
SonicWALL may provide you with support services related to the SOFTWARE PRODUCT (Support Services). Use of Support Services is governed by the SonicWALL policies and programs described in the user manual, in online documentation, and/or in other SonicWALL-provided materials. Any supplemental software code provided to you as part of the Support Services shall be considered part of the SOFTWARE PRODUCT and subject to terms and conditions of this EULA. With respect to technical information you provide to SonicWALL as part of the Support Services, SonicWALL may use such information for its business purposes, including for product support and development. SonicWALL shall not utilize such technical information in a form that identifies its source.
Ownership
As between the parties, SonicWALL retains all title to, ownership of, and all proprietary rights with respect to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT. The SOFTWARE PRODUCT is protected by copyright laws and international treaty provisions. The SOFTWARE PRODUCT is licensed, not sold. This EULA does not convey to you an interest in or to the SOFTWARE PRODUCT, but only a limited right of use revocable in accordance with the terms of this EULA.
Exports License
Licensee will comply with, and will, at SonicWALL's request, demonstrate such compliance with all applicable export laws, restrictions, and regulations of the U.S. Department of Commerce, the U.S. Department of Treasury and any other U.S. or foreign agency or authority. Licensee will not export or re-export, or allow the export or re-export of any product, technology or information it obtains or learns pursuant to this Agreement (or any direct product thereof) in violation of any such law, restriction or regulation, including, without limitation, export or re-export to Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria or any other country subject to applicable U.S. trade embargoes or restrictions, or to any party on the U.S. Export Administration Table of Denial Orders or the U.S. Department of Treasury List of Specially Designated Nationals, or to any other prohibited destination or person pursuant to U.S. law, regulations or other provisions.
Miscellaneous
This EULA represents the entire agreement concerning the subject matter hereof between the parties and supersedes all prior agreements and representations between them. It may be amended only in writing executed by both parties. This EULA shall be governed by and construed under the laws of the State of California as if entirely performed within the State and without regard for conflicts of laws. Should any term of this EULA be declared void or unenforceable by any court of competent jurisdiction, such declaration shall have no effect on the remaining terms hereof. The failure of either party to enforce any rights granted hereunder or to take action against the other party in the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement of rights or subsequent actions in the event of future breaches.
Termination
This EULA is effective upon your opening of the sealed package(s), installing or otherwise using the SOFTWARE PRODUCT, and shall continue until terminated. Without prejudice to any other rights, SonicWALL may terminate this EULA if you fail to comply with the terms and conditions of this EULA. SonicWALL reserves the right to terminate this EULA five (5) years after the SOFTWARE PRODUCT is issued to Licensee. In the event of termination, you agree to return or destroy the SOFTWARE PRODUCT (including all related documents and component items as defined above) and any and all copies of same.
Limited Warranty
SonicWALL warrants that a) the software product will perform substantially in accordance with the accompanying written materials for a period of ninety (90) days from the date of purchase, and b) any support services provided by SonicWALL shall be substantially as described in applicable written materials provided to you by SonicWALL. Any implied warranties on the software product are limited to ninety (90) days. Some states and jurisdictions do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you.
Customer Remedies
SonicWALL's and its suppliers' entire liability and your exclusive remedy shall be, at SonicWALL's option, either a) return of the price paid, or b) repair or replacement of the SOFTWARE PRODUCT that does not meet SonicWALL's Limited Warranty and which is returned to SonicWALL with a copy of your receipt. This Limited Warranty is void if failure of the SOFTWARE PRODUCT has resulted from accident, abuse, or misapplication. Any replacement SOFTWARE PRODUCT shall be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. Outside of the United States, neither these remedies nor any product Support Services offered by SonicWALL are available without proof of purchase from an authorized SonicWALL international reseller or distributor.
No Other Warranties
To the maximum extent permitted by applicable law, SonicWALL and its suppliers/licensors disclaim all other warranties and conditions, either express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement, with regard to the SOFTWARE PRODUCT, and the provision of or failure to provide support services. This limited warranty gives you specific legal rights. You may have others, which vary from state/jurisdiction to state/jurisdiction.
Limitation of Liability
Except for the warranties provided hereunder, to the maximum extent permitted by applicable law, in no event shall SonicWALL or its suppliers/licensors be liable for any special, incidental, indirect, or consequential damages (for lost business profits, business interruption, loss of business information) arising out of the use of or inability to use the SOFTWARE PRODUCT or the provision of or failure to provide support services, even if SonicWALL has been advised of the possibility of such damages. In any case, SonicWALL's entire liability under any provision of this EULA shall be limited to the amount actually paid by you for the SOFTWARE PRODUCT; provided, however, if you have entered into a SonicWALL support services agreement, SonicWALL's entire liability regarding support services shall be governed by the terms of that agreement. Because some states and jurisdictions do not allow the exclusion or limitation of liability, the above limitation may not apply to you. Manufacturer is SonicWALL, Inc. with headquarters located at 2001 Logic Drive, San Jose, CA 95124-3452, USA.
Table of Contents

Chapter 1: Introduction to SonicWALL GMS ..... 1
    Overview of SonicWALL GMS ..... 1
        What Is SonicWALL GMS? ..... 2
        Benefits of Using SonicWALL GMS ..... 2
        Scaling SonicWALL GMS Deployments ..... 9
    Deployment Requirements ..... 10
        Operating System Requirements ..... 10
        Database Requirements ..... 11
        MySQL Requirements ..... 11
        Java Requirements ..... 12
        Browser Requirements ..... 12
        Hardware for Single Server Deployment ..... 12
        Hardware for a Distributed Server Deployment ..... 12
        SonicWALL Appliance and Firmware Support ..... 13
        GMS Gateway Requirements ..... 13
        Network Requirements ..... 15
        GMS Internet Access through a Proxy Server ..... 16
    Logging in to GMS ..... 16
    Navigating the SonicWALL GMS User Interface ..... 18
        SonicToday Panel ..... 18
        Appliance Panels ..... 19
        Monitor Panel ..... 23
        Console Panel ..... 24
    Understanding SonicWALL GMS Icons ..... 25
    Using the GMS TreeControl Menu ..... 27
    About Signed Applets in SonicWALL GMS ..... 28
    Configuring SonicWALL GMS View Options ..... 29
        Group View ..... 30
        Unit View ..... 31
        Creating SonicWALL GMS Fields and Dynamic Views ..... 33
    Getting Help ..... 41
        Tips and Tutorials ..... 42

Chapter 2: Adding SonicWALL Appliances and Performing Basic Management Tasks ..... 43
    Adding SonicWALL Appliances to SonicWALL GMS ..... 43
        Adding SonicWALL Appliances Manually ..... 45
        Importing SonicWALL Appliances ..... 50
    Registering SonicWALL Appliances ..... 51
    Modifying Management Properties ..... 52
        Modifying SonicWALL Appliance Management Options ..... 52
        Changing Agents or Management Methods ..... 53
        Moving SonicWALL Appliances Between Groups ..... 54
    Deleting SonicWALL Appliances from GMS ..... 55
    Performing Basic Appliance Management ..... 55
    Settings ..... 83
    Diagnostics ..... 85
        Technical Support Report ..... 87
        Logs and Syslogs ..... 87
    File Manager ..... 88
        Working with Multiple Files ..... 89
    Backup/Restore ..... 90
        Data Export Wizard ..... 91
    RAID ..... 94
    Restart ..... 95
    Configuring Time Settings ..... 125
    Viewing Licensed Node Status ..... 127
    Configuring Administrator Settings ..... 129
    Using Configuration Tools ..... 131
        Restarting SonicWALL Appliances ..... 132
        Requesting Diagnostics for SonicWALL ..... 132
        Inheriting Settings ..... 133
        Clearing the ARP Cache ..... 136
        Synchronizing Appliances ..... 136
        Synchronizing with mysonicwall.com ..... 137
        Manually Uploading Signature Updates ..... 137
        Generating Tech Support Reports ..... 138
    Configuring Contact Information ..... 139
    Configuring System Settings ..... 139
    Configuring Schedules ..... 141
    Editing Management Settings ..... 143
    Configuring SNMP ..... 145
        Navigating the System > Certificates Page ..... 147
        About Certificates ..... 148
        Configuring CA Certificates ..... 148
        Importing New Local and CA Certificates ..... 149
        Generating a Certificate Signing Request ..... 150
        Configuring SCEP ..... 151
        Configuring Address Objects ..... 184
        Configuring NAT Policies ..... 187
        Configuring Web Proxy Forwarding Settings ..... 195
        Configuring Routing in SonicOS Enhanced ..... 196
    Configuring RIP in SonicOS Enhanced ..... 198
        Configuring IP Helper ..... 200
        Configuring ARP ..... 203
        Configuring SwitchPorts ..... 207
        Configuring PortShield Groups ..... 208
        Configuring Network Monitor ..... 210
    Configuring Network Settings in SonicOS Standard ..... 212
        Configuring Basic Network Settings in SonicOS Standard ..... 213
        Configuring Dynamic DNS ..... 222
        Configuring Web Proxy Forwarding ..... 223
        Configuring Intranet Settings ..... 223
        Configuring Routing in SonicOS Standard ..... 225
        Configuring RIP in SonicOS Standard ..... 225
        Configuring OPT Addresses ..... 227
        Configuring One-to-One NAT ..... 229
        Configuring Ethernet Settings ..... 231
        Configuring ARP ..... 233
        Configuring Advanced Firewall Settings in SonicOS Standard ..... 273
        Configuring Voice over IP Settings ..... 275
        Configuring Anti-Spam Settings ..... 378
        Configuring Anti-Spam Real-Time Black List Filtering ..... 383
        Updating SonicPoint Firmware ..... 510
        Automatic Provisioning (SDP & SSPP) ..... 510
    Viewing Station Status ..... 511
        Event and Statistics Reporting ..... 511
    Using and Configuring SonicPoint IDS ..... 513
        Detecting SonicPoint Access Points ..... 513
        Wireless Intrusion Detection Services ..... 513
    Using and Configuring Virtual Access Points ..... 516
        Configuring Virtual Access Point Groups ..... 517
        Configuring Virtual Access Points ..... 518
        Configuring Virtual Access Point Profiles ..... 519
        Configuring Settings for Auth Pages ..... 546
        Configuring Web Content Settings ..... 547
        Configuring Advanced Settings ..... 548
    Configuring WGS Account Profiles ..... 549
Chapter 33: Registering, Upgrading, and Logging in to SonicWALL SSL-VPN Appliances ..... 617
    Registering SonicWALL SSL-VPN Appliances ..... 617
    Upgrading SonicWALL SSL-VPN Firmware ..... 619
    Logging in to SSL-VPN using SonicWALL GMS ..... 620
        Editing CDP/ES Appliance Contact Information ..... 631
    Registering CDP/ES Appliances ..... 632
        Registration Tasks on GMS ..... 632
        Registration Tasks on the CDP/ES Appliance ..... 633
        Modifying a CDP/ES Appliance ..... 633
        Deleting a CDP/ES Appliance ..... 634
    Configuring Alerts ..... 634
        Adding Alerts ..... 635
        Enabling/Disabling Alerts ..... 635
        Deleting Alerts ..... 636
        Editing Alerts ..... 636
        Current Alerts ..... 637
    Templates ..... 637
        Template Management Screen ..... 637
    Accessing the CDP/ES Management Interface ..... 640
    Using Multi-Solution Management ..... 640
        Logging into the CDP/ES Management Interface ..... 641
        Configuring Multi-Solution Management ..... 642
        Recording ..... 644
        Configuring Heartbeat using Email Security CLI ..... 648
    Managing GMS Reports on the Console Panel and Policies Panel ..... 667
        Saving the Report Template ..... 716
    Viewing Status Reports ..... 716
        Viewing the Status Up-Time Summary Report ..... 717
        Viewing Status Up-Time Over Time ..... 718
        Viewing the Status Down-Time Summary Report ..... 720
        Viewing Status Down-Time Over Time ..... 721
    Viewing Bandwidth Reports ..... 723
        Viewing the Bandwidth Summary Report ..... 723
        Viewing the Top Users of Bandwidth ..... 725
        Viewing Bandwidth Usage Over Time ..... 727
        Viewing the Top Users of Bandwidth Over Time ..... 729
    Viewing Services Reports ..... 731
        Viewing the Services Summary Report ..... 731
    Viewing Web Usage Reports ..... 733
        Viewing the Web Usage Summary Report ..... 734
        Viewing the Top Web Sites ..... 736
        Viewing the Top Users of Web Bandwidth ..... 737
        Viewing Web Usage by User ..... 739
        Viewing Web Usage By Site ..... 741
        Viewing Web Usage By Category ..... 742
        Viewing Web Usage Over Time ..... 744
        Viewing Top Sites Over Time ..... 745
        Viewing Top Users Over Time ..... 747
        Viewing Web Usage By User Over Time ..... 749
        Viewing Web Usage By Category Over Time ..... 750
    Viewing Web Filter Reports ..... 751
        Viewing the Web Filter Summary Report ..... 752
        Viewing the Web Filter Top Sites Report ..... 754
        Viewing the Top Users that Try to Access Blocked Sites ..... 755
        Viewing the Blocked Sites for Each User ..... 757
        Viewing Blocked Sites Sorted By Site ..... 758
        Viewing Blocked Sites Sorted By Category ..... 759
        Viewing Blocked Site Attempts Over Time ..... 761
        Viewing the Top Blocked Site Attempts Over Time ..... 762
SonicWALL GMS 6.0 Administrators Guide
    Viewing the Top Blocked Site Users Over Time ..... 763
    Viewing Blocked Sites for Each User Over Time ..... 764
    Viewing Blocked Sites By Category Over Time ..... 765
Viewing File Transfer Protocol Reports ..... 767
    Viewing the FTP Summary Report ..... 767
    Viewing the Top FTP Sites By User ..... 769
    Viewing FTP Bandwidth Usage Over Time ..... 770
    Viewing the Top Users of FTP Bandwidth Over Time ..... 772
Viewing Mail Usage Reports ..... 773
    Viewing the Mail Usage Summary Report ..... 774
    Viewing the Top Users of Mail Bandwidth ..... 776
    Viewing Mail Usage Over Time ..... 777
    Viewing the Top Users of Mail Bandwidth Over Time ..... 779
Viewing VPN Usage Reports ..... 780
    Viewing the VPN Usage Summary Report ..... 781
    Viewing the Top VPN Users ..... 783
    Viewing VPN Usage Over Time ..... 784
    Viewing the Top VPN Users Over Time ..... 785
    Viewing VPN Usage By Policy ..... 787
    Viewing the Top VPN Policies Over Time ..... 788
    Viewing Hourly VPN Usage By Policy ..... 789
    Viewing the VPN Services Summary Report ..... 790
Viewing Attacks Reports ..... 792
    Viewing the Attack Summary Report ..... 792
    Viewing the Attacks By Category ..... 794
    Viewing the Errors Report ..... 795
    Viewing Attack Reports Over Time ..... 797
    Viewing the Attacks By Category Over Time ..... 798
    Viewing Errors Over Time ..... 799
Viewing Virus Attacks Reports ..... 801
    Viewing the Top Viruses By Attack Attempts Report ..... 803
    Viewing the Virus Attack Attempts Report ..... 804
    Viewing the Virus Attacks By User Report ..... 806
Viewing Anti-Spyware Reports ..... 807
    Viewing a Spyware Summary ..... 809
    Viewing Spyware Attempts By Category ..... 810
    Viewing Spyware Attempts Over Time ..... 811
    Viewing Spyware Attempts By Category Over Time ..... 813
Viewing Intrusion Prevention Reports ..... 814
    Viewing the Intrusion Prevention Summary Report ..... 816
    Viewing Intrusion Attempts By Category ..... 817
    Viewing Intrusions Over Time ..... 819
    Viewing Intrusion Reports By Category Over Time ..... 821
Viewing Application Firewall Reports ..... 822
    Viewing the Application Firewall Summary Report ..... 823
    Viewing the Application Firewall Over Time Report ..... 824
    Viewing Application Firewall Top Applications ..... 825
    Viewing Application Firewall Top Users ..... 826
    Viewing Application Firewall Top Policies ..... 827
Viewing Authentication Reports ..... 828
    Viewing the User Login Report ..... 829
    Viewing the Administrator Login Report ..... 830
    Viewing the Failed Login Report ..... 830
Viewing the Log ..... 831
    Viewing the Log for a SonicWALL Appliance ..... 832
    Viewing SSL-VPN Bandwidth Usage Over Time Reports ..... 848
    Viewing SSL-VPN Top Users of Bandwidth Over Time Reports ..... 850
Using SSL-VPN Custom Reports ..... 851
    Toggling Between Split Mode and Full Mode ..... 852
    Configuring the Date and Time for Custom Reports ..... 855
    Configuring the Report Layout and Generating the Report ..... 858
    Generating the Custom Report ..... 864
    Viewing a Custom Report ..... 865
    Printing a Page or Exporting the Report as a PDF or CSV File ..... 867
    Saving the Report Template ..... 868
Viewing SSL-VPN Resources Reports ..... 869
    Viewing SSL-VPN Resources Summary Reports ..... 869
    Viewing SSL-VPN Resources Top Users Reports ..... 871
Viewing SSL-VPN Authentication Reports ..... 874
    Viewing SSL-VPN User Login Reports ..... 874
    Viewing SSL-VPN Failed Login Reports ..... 875
Viewing the SSL-VPN Log ..... 876
    Viewing the Log for a SSL-VPN Appliance ..... 876
    Deleting a Single User ..... 1095
    Deleting Multiple Users ..... 1096
    Adding and Removing Activation Codes ..... 1097
    Deleting Nodes Using XML ..... 1101
    Monitoring Tunnel Status ..... 1102
    Monitoring Tunnel Statistics ..... 1103
    Refreshing a Tunnel ..... 1104
    Renegotiating a Tunnel ..... 1104
    Synchronizing Tunnel Information ..... 1104
Configuring SonicWALL Parameters ..... 1105
    Using the Configure Command ..... 1105
    Preparing a Configuration File ..... 1106
Modifying SonicWALL Parameters ..... 1109
    Using the ModifyArray Command ..... 1109
    Preparing a Parameter Modification File ..... 1110
Configuration Parameters ..... 1112
    System/Time ..... 1112
Overview of SonicWALL GMS section on page 1
Deployment Requirements section on page 10
Logging in to GMS section on page 16
Navigating the SonicWALL GMS User Interface section on page 18
Understanding SonicWALL GMS Icons section on page 25
Using the GMS TreeControl Menu section on page 27
About Signed Applets in SonicWALL GMS section on page 28
Configuring SonicWALL GMS View Options section on page 29
Getting Help section on page 41

Otherwise, click No. In this case you must manually edit the java.policy file.

What Is SonicWALL GMS? section on page 2
Benefits of Using SonicWALL GMS section on page 2
Scaling SonicWALL GMS Deployments section on page 9
Multi-Solution Management: Comprehensive Management Support for CDP and Email Security
The Multi-Solution Management feature in GMS provides next generation management capability by allowing administrators to manage multiple appliance types, such as CDP, SSL VPN, SonicWALL-Aventail SSL VPN, and Email Security, through their respective web user interfaces over HTTP and HTTPS. This enhancement enables the configuration of GMS Core Management functionalities through the GMS user interface. Functions such as creating tasks, posting policies, and scheduling tasks can now be completed across multiple appliances at the Unit Node and Group Node levels.

Simplified Certificate Management
Allows the administrator to configure both CA and Local certificates in one place, simplifying the process of viewing, editing, and creating new certificates.

GMS Web Services
GMS administrators typically use several other consoles to manage their network or, in the case of an MSP, their customers' networks. The web services API facilitates integration between GMS and other management consoles and greatly increases the productivity of the internal IT staff. GMS Web Services are constructed using Representational State Transfer (REST), an architectural style that specifies constraints, such as the uniform interface, that, when applied to a Web service, induce desirable properties such as performance, scalability, and modifiability, enabling services to work best on the Web. Using this RESTful approach, GMS Web Services are simple, lightweight, and scalable.

Group Level Interfaces
Allows interface management to be applied at a group level. Administrators are now able to manage all UTM appliance interface features with a few clicks, including configuration of network interfaces, WAN connection models, DNS servers, and more.

Application Firewall Reporting
Application Firewall Reporting introduces detailed reporting on the application firewall feature of fifth generation UTM devices. Reports include, but are not limited to, top categories, top applications, top users, and top policies. Users can drill down within reports. This feature allows reports to be generated for Dynamic Policies and Custom Policies. Useful examples for this feature include viewing a report by category, such as Instant Messaging, or applying Bandwidth Management by monitoring the activity of streaming media.

CDP Reporting
This feature supports the following reports. The reports are categorized based on the selected context node (Group or Unit) on the tree control panel. Report Navigation (drill down) is also supported among specific reports.

CDP Alert and Monitoring
Apart from basic alert configuration, the extended GEM framework within GMS allows users to define severities and thresholds, as well as destinations and schedules for every destination, for the alerts when triggered.

SonicOS 5.5 Support
This feature brings GMS support for the UTM product line to the recently released SonicOS 5.5. New features now manageable by GMS include SonicPoint N support, SSL VPN NetExtender, UTM anti-spam, active/active failover, and more. SonicOS 5.5 support renders GMS applicable to a wider range of UTM appliance features and makes the GMS administrator more productive.

Custom and Granular Reports
This feature allows the GMS administrator to create custom reports using the raw logs collected from Aventail and SMB SSL VPN devices under management. GMS customers can now create granular reports on who accessed what applications at what time, for forensic analysis and troubleshooting. Using data from these reports can help increase employee productivity and network uptime.

Enhanced CLI Support
The new Command Line Interface (CLI) does not require a user to perform an OS-level login on the GMS server. With this feature, users are able to send commands to GMS from a remote host in a secure manner. This feature enables the automation of the interaction between GMS and other systems used by the customer. It facilitates execution of commands on the GMS CLI when the user cannot access the GMS Console host using Remote Desktop. In addition, a third-party application can interact with the GMS CLI from a remote host using the GMS CLI Client and Server. Lastly, a user can automate tasks on the GMS CLI from a remote host by using the GMS CLI Client application in batch/shell scripts. This feature enhances the productivity of the internal IT staff of enterprise and service provider customers.

Enhanced Summarizer Capacity Planning
GMS 6.0 includes enhanced tools to assess hardware utilization for collection of syslog data and summarization for reporting. This feature also includes an estimation tool to determine the total capacity of the hardware in use. The impact of a variety of parameters, such as the number of users and the types of reports enabled, is taken into consideration both at the global level and for each device under management. Enhanced performance assessment facilitates finding the root cause of peak hardware usage and proper capacity expansion planning, and therefore allows the GMS administrator to time new hardware purchases and associated expenses appropriately as the business grows and more devices are brought under management.
ESPER Live Monitoring
Provides the user with the ability to monitor the deployment setup and alert based on any irregularities detected. Live monitoring allows the user to see threats as they are displayed in the UI and, at the same time, tag the threats with a severity and provide additional Destinations based on Schedules.

Inheritance Enhancements
GMS now allows for reverse inheritance, offering the ability to inherit policy settings from a unit up to the parent nodes. GMS 5.1 only allowed for forward inheritance, i.e. policies could only be pushed from the group level down to the device level. With GMS 6.0, Reverse Inheritance allows policies to be inherited from a specific device to the group level. Effectively, Reverse Inheritance enables the user to copy existing configurations and to create predefined SonicWALL configurations. Reverse Inheritance saves GMS administrators a considerable amount of time by taking one well-configured firewall and promoting its policy configuration to the group level. From the group level, the configurations can then be pushed down to other devices.
Inheritance Support for Reporting Screens
Adds inheritance support for setting configurations for GMS reports. This allows a new unit to be added to a group and then inherit the GMS report settings for that group. This feature increases the GMS administrator's productivity.

Multiple Authentication Servers
The GMS administrator can define multiple authentication servers per GMS Domain. Many customers use multiple authentication domains within their network. This feature allows GMS to be used within a broader range of customer environments.

RADIUS Authentication Support for GMS Login
The login module for GMS now supports RADIUS authentication. Many customers use RADIUS as part of their authentication infrastructure. RADIUS authentication support allows GMS to be used within a broader range of customer environments. It is also part of the upcoming PCI 1.2 requirements.

Enhanced User Management
SonicWALL GMS includes the ability to move users across groups, search for users, and apply unit permissions at the user-group level. Domain-level user management support is also introduced, with domain-level user groups, where users belonging to each domain can view each other and set privileges within the domain, and stay isolated from users of other domains.

Third Party Authentication Server Support
SonicWALL GMS supports third-party authentication servers, including LDAP, RADIUS, and Active Directory.

Custom Reports
SonicWALL GMS provides the Custom Reports feature, which lets you filter raw syslog data to generate granular reports customized by date and time ranges and by highly flexible filtering of the data for your own needs. In the Internet Activity custom report, you can see the date and time, down to the second, of all Internet activity passing through a monitored SonicWALL security appliance, and view detailed information not available in reports generated from summarized data.

Policy-Based Management
SonicWALL GMS enables network administrators to globally define, distribute, enforce, and deploy network security policies for managed SonicWALL appliances, creating a highly secure and controllable firewall configuration environment.
Managed VPN Services
SonicWALL GMS simplifies the task of globally defining, distributing, enforcing, and deploying VPN policies for managed VPN gateways, making it easy to manage a global VPN network.

Managed Remote VPN Client Connections
SonicWALL GMS allows administrators to define user policies for remote Global VPN Client users. The user policies can either be emailed to remote users or directly downloaded from the SonicWALL VPN gateways.

Comprehensive Security Service Management
In addition to managing security and VPN policies, SonicWALL GMS enables network administrators to globally define, distribute, enforce, and deploy all the firewall settings for managed SonicWALL appliances. It also enables network administrators to remotely upgrade SonicWALL appliances and add subscription services such as content filtering and virus scanning.

License Management
SonicWALL GMS provides centralized license management of SonicWALL upgrade and subscription services. This makes it easy to store, apply, track, and update upgrade and subscription license information for all managed SonicWALL appliances.

Multi-Tier Policy Hierarchy Architecture
SonicWALL GMS enables administrators to define and distribute one or more policies to an individual or a group of managed SonicWALL appliances. The policies can be executed immediately or can be scheduled to take effect at a later time. SonicWALL GMS supports up to seven levels of groups. Policies can be applied at any level.

Scalable Architecture
The SonicWALL GMS distributed architecture scales to support thousands of SonicWALL appliances, making large-scale deployments easy to manage. It allows network administrators to deploy a management architecture that scales to support a rapidly growing customer base while minimizing support staff and hardware.

Load Balancing and Redundancy for Security Management
In a SonicWALL GMS multi-server configuration, each Agent is responsible for a set of SonicWALL appliances. If an Agent fails, peer SonicWALL GMS Agents will manage the SonicWALL appliances for the failed Agent. SonicWALL GMS also provides redundancy for the SonicWALL GMS Console.

Role-Based Management
SonicWALL GMS provides a multi-user architecture with customizable views. Multiple users with different management privileges can be defined to distribute management tasks across a group of administrators and operators.

Granular Event Management
SonicWALL GMS introduces Granular Event Management (GEM). GEM offers a significant improvement in control over the way different events are handled. You now have more flexibility when deciding where and when to send alerts, and you can configure event thresholds, severities, schedules, and alerts from a centralized location in the management interface rather than configuring these on a per-unit basis as before.
Centralized Reporting
SonicWALL GMS provides graphical reporting of firewall and network activities for the SonicWALL appliances. A wide range of informative real-time and historical reports can be generated to provide insight into usage trends and security events. SonicWALL GMS provides aggregated reports for groups of SonicWALL appliances. It also enables the user, in addition to changing the date for a report, to set the number of users or sites and to select a type of chart for the report.

Centralized Monitoring
SonicWALL GMS includes monitoring capabilities for fault and performance data analysis. Monitoring includes VPN and device up/down status, VPN statistics, uptime calculations, and security events for GMS management activities, as well as for any TCP/IP-based device or application.

Support for SNMP
A powerful real-time alert mechanism greatly enhances the administrator's ability to pinpoint and respond to critical events. SonicWALL GMS can centrally receive firewall SNMP traps over the secure management tunnel and forward them to an SNMP management system, ensuring the security of firewall traps. SonicWALL GMS security events can also be forwarded to the SNMP management system as SNMP traps.

Log Viewer
SonicWALL GMS provides detailed daily firewall logs to analyze specific events.

Command-Line Interface
SonicWALL GMS features a command line interface that can add multiple SonicWALL appliances at once, configure security and VPN policies, change SonicWALL appliance settings, and display product-related status.

Database Support
SonicWALL GMS supports access to industry-leading relational databases for highly efficient and reliable data storage and retrieval.

Audit Trailing
All changes made in SonicWALL GMS are automatically logged, along with the identities of the individuals making the changes.

Enhanced Security Access
SonicWALL's ESA feature allows for greater granular control of user access across a GMS network, which is applicable for installations that must comply with stringent regulatory compliance and account management controls as found in standards such as PCI, SOX, or HIPAA.
GUI-Based Architecture
The SonicWALL GMS user interface (UI) is easy to use and enables administrators to navigate through the managed SonicWALL appliances, view their settings, and make changes.

Advanced Security Features
A random password is assigned to each SonicWALL appliance. SonicWALL GMS communicates with managed SonicWALL

Enhanced Search Features
SonicWALL GMS enables you to locate task or log entries by entering search criteria. It also enables you to search for licenses and subscriptions.

Upgrade and Subscription Expiration Notices
SonicWALL GMS sends an email notification to the SonicWALL GMS administrator when firewall upgrade and subscription services are about to expire for the managed SonicWALL appliances. By default, the emails are sent out 30 days and 7 days prior to the expiration dates. The SonicWALL GMS administrator can change the default values by specifying the period when to email the expiry notifications for the firewall upgrades and subscriptions.
The GMS gateway that resides between a SonicWALL GMS agent server and the SonicWALL appliances provides secure communications. Each SonicWALL appliance can have a primary agent server and a standby server. Each agent server can be a primary server for certain SonicWALL appliances and a standby server for other SonicWALL appliances. Configuration of and changes to the SonicWALL GMS and the SonicWALL appliances are written to the database. The users at the Admin Workstations can access the SonicWALL GMS console through a Web browser (HTTP) from any location. The SonicWALL GMS console can also be securely accessed using HTTPS. The SonicWALL GMS console server can also be an agent server.
Deployment Requirements
Before installing SonicWALL GMS, review the following deployment requirements.
Note
SonicWALL does not support installations of GMS running on any virtualization software, such as VMware.
Operating System Requirements section on page 10
Database Requirements section on page 11
Java Requirements section on page 12
Browser Requirements section on page 12
Hardware for Single Server Deployment section on page 12
Hardware for a Distributed Server Deployment section on page 12
SonicWALL Appliance and Firmware Support section on page 13
GMS Gateway Requirements section on page 13
Network Requirements section on page 15
GMS Internet Access through a Proxy Server section on page 16

Operating System Requirements

Windows 2000 Server (SP4)
Windows 2000 Professional (SP4)
Windows XP Professional (SP2)
Windows 2003 Server (SP1, 32-bit)
Database Requirements
The SonicWALL GMS release supports the following databases:
Microsoft SQL Server 2000 (SP4) and Microsoft SQL Server 2005 (SP1) on either Windows 2000 Server (SP4) or 2003 Server (SP1). Regarding MS SQL Server 2005, SonicWALL GMS supports:
    SQL Server 2005 Workgroup
    SQL Server 2005 Standard
    SQL Server 2005 Enterprise
SonicWALL MySQL Install Package installed on either Windows 2000 Server (SP4) or 2003 Server (SP1)
Caution
The MySQL bundled with GMS/VP/UMA is fine tuned for optimal performance in a system with 2 GB RAM and above. Changing the MySQL configuration is not supported. The configuration information is kept in the my.ini file, and should not be changed unless instructed to do so by SonicWALL technical support.
Note
SonicWALL GMS services use JRE 1.5.0_06. SonicWALL GMS automatically downloads the Java Plug-in 1.5 when accessing GMS. For Microsoft SQL Server installations, SonicWALL GMS uses Tomcat 5.5.26.
MySQL Requirements
MySQL is intended for use with SonicWALL GMS 5.1 or higher. It is not recommended for use with other platforms. In order to run a successful installation of MySQL, the following prerequisites must be met:
Windows Operating System (XP, 2000, 2003)
6 GB disk space, minimum
2 GB RAM, minimum
Note that only NTFS file systems are supported, not FAT. MySQL for GMS 5.1 is not supported on Virtual Machines (VMs).
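A pre-installation check against the MySQL prerequisites just listed, as an added example rather than SonicWALL's own tooling. The minimums (2 GB RAM, 6 GB disk, NTFS, Windows XP/2000/2003, no virtualization) are the guide's; the Win32 calls used to collect RAM and file system type are standard kernel32 functions, and VM detection is left to the operator as an input because the standard library has no portable way to determine it.

```python
"""Pre-installation check for the MySQL-for-GMS prerequisites quoted above
(added example, not SonicWALL code). Limits are the ones the guide states."""
import os
import platform
import shutil
from dataclasses import dataclass

MIN_DISK_GB = 6.0                              # "6 GB disk space, minimum"
MIN_RAM_GB = 2.0                               # "2 GB RAM, minimum"
SUPPORTED_RELEASES = ("XP", "2000", "2003")    # Windows XP, 2000, 2003
SUPPORTED_FS = ("NTFS",)                       # NTFS only; FAT is not supported


@dataclass
class HostFacts:
    os_name: str        # platform.system(), e.g. "Windows"
    os_release: str     # platform.release(), e.g. "XP" or "2003Server"
    ram_gb: float
    free_disk_gb: float
    fs_type: str        # e.g. "NTFS", "FAT32"
    virtualized: bool   # GMS is not supported on virtualization software


def evaluate(facts: HostFacts) -> list:
    """Return the list of requirement violations; an empty list means the host passes."""
    problems = []
    if facts.os_name != "Windows":
        problems.append(f"unsupported OS: {facts.os_name}")
    elif not any(tag in facts.os_release for tag in SUPPORTED_RELEASES):
        problems.append(f"unsupported Windows release: {facts.os_release}")
    if facts.ram_gb < MIN_RAM_GB:
        problems.append(f"RAM {facts.ram_gb:.1f} GB is below the {MIN_RAM_GB:.0f} GB minimum")
    if facts.free_disk_gb < MIN_DISK_GB:
        problems.append(f"free disk {facts.free_disk_gb:.1f} GB is below the {MIN_DISK_GB:.0f} GB minimum")
    if facts.fs_type.upper() not in SUPPORTED_FS:
        problems.append(f"file system {facts.fs_type} is not supported (NTFS required)")
    if facts.virtualized:
        problems.append("virtualized host: GMS is not supported on virtualization software")
    return problems


def _windows_ram_gb() -> float:
    """Total physical RAM via kernel32 GlobalMemoryStatusEx (Windows only)."""
    import ctypes

    class MEMORYSTATUSEX(ctypes.Structure):
        _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                    ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
                    ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
                    ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
                    ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

    stat = MEMORYSTATUSEX()
    stat.dwLength = ctypes.sizeof(stat)
    ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(stat))
    return stat.ullTotalPhys / 2 ** 30


def _windows_fs_type(path: str) -> str:
    """File system name of the volume holding `path` via GetVolumeInformationW."""
    import ctypes
    root = os.path.splitdrive(os.path.abspath(path))[0] + "\\"
    name = ctypes.create_unicode_buffer(32)
    ctypes.windll.kernel32.GetVolumeInformationW(root, None, 0, None, None, None, name, len(name))
    return name.value


def collect_local_facts(install_path: str = ".", virtualized: bool = False) -> HostFacts:
    """Gather facts for the local host. Whether the host is a VM is supplied by the
    operator (assumption: the stdlib offers no reliable, portable detection)."""
    on_windows = platform.system() == "Windows"
    return HostFacts(
        os_name=platform.system(),
        os_release=platform.release(),
        ram_gb=_windows_ram_gb() if on_windows else 0.0,
        free_disk_gb=shutil.disk_usage(install_path).free / 2 ** 30,
        fs_type=_windows_fs_type(install_path) if on_windows else "unknown",
        virtualized=virtualized,
    )


if __name__ == "__main__":
    for line in evaluate(collect_local_facts()) or ["host meets the documented minimums"]:
        print(line)
```

Run it from the directory where GMS will be installed so the free-space and file-system checks look at the right volume; on a non-Windows host every Windows-specific fact is reported as unknown and shows up as a violation, which is the intended fail-closed behaviour.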
Java Requirements
Java Plug-in version 1.5 or higher. The JDBC driver is installed by GMS for Microsoft SQL Server and MySQL Server.
Browser Requirements
Microsoft Internet Explorer 6.0 or higher
Mozilla Firefox 2.0 or higher
Pop-up blocker disabled
SonicWALL GMS supports SSL 3.0 / TLS 1.0 for HTTPS management of SonicWALL appliances, and for direct login to the unit from GMS. For enhanced security across a GMS network, for installations that must comply with stringent regulatory compliance and account management controls as found in standards such as PCI, SOX, or HIPAA, the following browsers have SSL 3.0/TLS 1.0 as standard encryption protocols:
You can set other browsers to use these protocols in their Tools > Internet Options > Advanced settings.
Hardware for Single Server Deployment

x86 Environment: Minimum 3 GHz dual-core Intel processor, 2 GB RAM, and 300 GB disk space

Hardware for a Distributed Server Deployment

x86 Environment: Minimum 3 GHz single-CPU Intel processor, 2 GB RAM, and 300 GB disk space

Database Server

x86 Environment: Minimum 3 GHz dual-core Intel processor, 2 GB RAM, and 300 GB disk space
Note
SonicWALL Security appliances (NSA Series, TZ Series, and PRO Series): SonicOS Standard 2.0 or higher, SonicOS Enhanced 2.0 or higher
SonicWALL SSL VPN Series appliances: SonicOS SSL VPN 1.5.0.3 or higher for basic management; SonicOS SSL VPN 2.1 or higher for SSL VPN Reporting
SonicWALL CSM Series appliances: SonicOS CF 1.0 or higher
SonicWALL CDP Series appliances: SonicWALL CDP 2.3 or higher
SonicWALL Aventail EX-Series: Version 9.0 or higher
Note
Legacy SonicWALL XPRS/XPRS2, SonicWALL SOHO2, SonicWALL Tele2, and SonicWALL Pro/Pro-VX models are not supported for GMS management. Appliances running SonicWALL legacy firmware including SonicOS Standard 1.x and SonicWALL firmware 6.x.x.x are not supported for GMS management.
SonicWALL NSA Series network security appliance with minimum firmware version SonicOS Enhanced 5.0
SonicWALL PRO Series network security appliance with minimum firmware version SonicOS Enhanced 3.2
SonicWALL VPN-based network security appliance
Note
The GMS gateway should be at minimum a SonicWALL NSA 2400 with minimum firmware SonicOS Enhanced 5.0, or a SonicWALL PRO 2040 with minimum firmware SonicOS Enhanced 3.2.
There are three SonicWALL GMS management methods with different GMS gateway requirements. When using HTTPS as the management method, it is optional to have a GMS gateway between each SonicWALL GMS agent server and the managed SonicWALL appliance(s). If you select Existing VPN tunnel, a gateway is optional. If you select Management VPN tunnel, you must have a GMS gateway between the SonicWALL GMS agent server and the managed SonicWALL appliance(s) to allow each SonicWALL GMS agent server to securely communicate with its managed appliance(s). The following list provides more detail on SonicWALL GMS management methods and gateway requirements:
Management VPN tunnel: A GMS gateway is required. Each GMS agent server must have a dedicated gateway. The security association (SA) for this type of VPN tunnel must be configured in the managed SonicWALL appliance(s). SonicWALL GMS automatically creates the SA in the GMS gateway. For this configuration, the GMS gateway must be a SonicWALL VPN-based appliance. The GMS gateway can be configured in NAT-Enabled or transparent mode. The reason for a dedicated gateway with this method is the Scheduler's function. When a unit is added into GMS with 'Management VPN' as the method, the scheduler service logs into the gateway and creates the management tunnel. The scheduler service also periodically logs into its gateway and checks for management SAs. If there are SAs for units that the agent does not manage, the SAs are deleted. If two agents share a gateway, they will constantly delete each other's SAs.
Existing VPN tunnel: A GMS gateway is optional. SonicWALL GMS can use VPN tunnels that already exist in the network to communicate with the managed appliance(s). For this configuration, the GMS gateway can be a SonicWALL VPN-based appliance or another VPN device that is interoperable with SonicWALL VPN.
HTTPS: A GMS gateway is optional. SonicWALL GMS can use HTTPS management instead of a VPN tunnel to communicate with the managed appliance(s). However, the SonicWALL Aventail EX-Series SSL VPN appliance allows HTTPS access only to its LAN port(s), and not to its WAN port(s). This means that when SonicWALL GMS is deployed outside of the Aventail LAN subnet(s), management traffic must be routed from GMS to a gateway that allows access into the LAN network, and from there be routed to the Aventail LAN port.
Network Requirements
To complete the SonicWALL GMS deployment process, the following network requirements must be met:
The SonicWALL GMS server must have access to the Internet
The SonicWALL GMS server must have a static IP address
The SonicWALL GMS server's network connection must be able to accommodate 1 KB/s for each device under management. For example, if SonicWALL GMS is monitoring 100 SonicWALL appliances, the connection must support at least 100 KB/s.
Note
Depending on the configuration of SonicWALL log settings and the amount of traffic handled by each device, the network traffic can vary dramatically. The 1 KB/s for each device is a general recommendation. Your installation requirements may be different.
The proxyUser and proxyPassword parameters are required only if the Proxy Server requires authentication, in which case these are TEAV encrypted. This configuration supports both HTTP and HTTPS Proxy, as long as the settings are identical for both. To exempt certain hosts from the proxy configuration and allow them to be connected to directly, add the following tag to sgmsConfig.xml:
<Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>
The exact values of all of these parameters should be changed to the appropriate values for your deployment. The asterisk symbol (*) is a wildcard that matches any string. The pipe symbol (|) is the delimiter between hosts in the list. To TEAV-encrypt the string test, open a DOS window in the <gms-install>\bin directory and type the following command:
..\jre\bin\java -cp . TEAV test
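Added example, not part of the guide: a small Python matcher that applies the nonProxyHosts semantics described above (asterisk matches any string, pipe separates entries), so you can check which hosts a candidate value will exempt from the proxy before you commit it to sgmsConfig.xml. The function names and the sample value are my own. It also surfaces a caveat the text does not spell out: because a wildcard matches any string, an entry such as 192.168.0.* or *something.com matches more than the single octet or the exact domain suffix you might expect, which is worth auditing since exempted hosts are reached directly rather than through the proxy's controls.

```python
import re
from typing import List, Optional

# Constructed sample value for the nonProxyHosts parameter (same entries as
# the guide's example above).
SAMPLE_NON_PROXY_HOSTS = "*something.com|www.foo*|192.168.0.*"


def parse_non_proxy_hosts(value: str) -> List[str]:
    """Split the pipe-delimited list into individual entries, dropping blanks."""
    return [entry.strip() for entry in value.split("|") if entry.strip()]


def _entry_to_regex(entry: str) -> re.Pattern:
    """Turn one entry into a regex in which only '*' is special.

    Every other character, including '.', is matched literally, so
    '*something.com' cannot match 'somethingXcom'. Host names are
    case-insensitive, so the match is as well.
    """
    body = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def matching_entry(host: str, non_proxy_hosts: str) -> Optional[str]:
    """Return the first entry that exempts `host` from the proxy, or None."""
    host = host.strip()
    if not host:
        return None
    for entry in parse_non_proxy_hosts(non_proxy_hosts):
        if _entry_to_regex(entry).match(host):
            return entry
    return None


def bypasses_proxy(host: str, non_proxy_hosts: str) -> bool:
    """True if GMS would connect to `host` directly instead of via the proxy."""
    return matching_entry(host, non_proxy_hosts) is not None


def overbroad_entries(non_proxy_hosts: str) -> List[str]:
    """Flag entries whose wildcard is not bounded by a '.' on both sides.

    '*something.com' also exempts 'notsomething.com' and 'www.foo*' exempts
    'www.foobar.example', because '*' matches any string. A bare '*' exempts
    everything and is always flagged. (Heuristic of mine, not from the guide.)
    """
    flagged = []
    for entry in parse_non_proxy_hosts(non_proxy_hosts):
        if entry == "*":
            flagged.append(entry)
            continue
        for i, ch in enumerate(entry):
            if ch != "*":
                continue
            left = entry[i - 1] if i > 0 else "."
            right = entry[i + 1] if i + 1 < len(entry) else "."
            if left != "." or right != ".":
                flagged.append(entry)
                break
    return flagged


if __name__ == "__main__":
    for host in ("www.something.com", "notsomething.com", "192.168.0.42",
                 "192.168.0.42.example.net", "proxyme.example"):
        print(f"{host:28} -> {matching_entry(host, SAMPLE_NON_PROXY_HOSTS)}")
    print("over-broad:", overbroad_entries(SAMPLE_NON_PROXY_HOSTS))
```

Note that even a dot-bounded trailing wildcard like 192.168.0.* still matches any string after the prefix, not just one octet, so an explicit list of management hosts is safer than a wildcard when the set is small.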
Logging in to GMS
The first time you start SonicWALL GMS, the Registration page will appear.
Note
SonicWALL GMS must be registered before you can use it. To register, SonicWALL GMS must have direct access to the Internet.
To register SonicWALL GMS, follow these steps:
Installation Type: GMS Software
Login Procedure: Double-click the GMS icon on the desktop of the system where you installed GMS, or open a Web browser and enter http://sgms_ipaddress/sgms/login, http://sgms_ipaddress, or http://localhost.
Installation Type: UMA
Login Procedure: Open a web browser and navigate to the IP address of the UMA appliance on your network.
1. Enter the SonicWALL user ID (default: admin) and password (default: password). Select Local Domain as the domain (default).
2. Click Submit. The SonicWALL GMS UI opens.
For more information on installation, login procedures, and registration of your GMS installation, please refer to the appropriate Getting Started Guide, available at: <http://www.sonicwall.com/us/support.html>
SonicToday Panel section on page 18
Appliance Panels section on page 19
Monitor Panel section on page 23
Console Panel section on page 24
SonicToday Panel
Using RSS and AJAX technology, SonicToday is a tab intended to work as a customizable dashboard where you are able to monitor the latest happenings with your SonicWALL GMS 5.1 deployment, your network, the IT and Security World, as well as the rest of the world. Upon initial login, you see a default SonicToday tab. You are able to further customize this page by configuring and adding preferred components.
Appliance Panels
The appliance panels allow administrators to add, delete, configure and view SonicWALL UTM appliances and other compatible appliances which are managed by GMS. These panels include:
UTM Panel: For management and reporting on compatible firewall/UTM appliances.
SSL-VPN Panel: For management and reporting on SonicWALL SSL-VPN Virtual Private Networking appliances.
CDP Panel: For management of SonicWALL Continuous Data Protection appliances.
ES Panel: For management of SonicWALL Email Security appliances.
Policies Panel section on page 20
Reports Panel section on page 21
Policies Panel
The Policies Panel is used to configure SonicWALL appliances. From these pages, you can apply settings to all SonicWALL appliances being managed by SonicWALL GMS, all SonicWALL appliances within a group, or individual SonicWALL appliances. To open the Policies Panel, click the Firewall tab at the top of the SonicWALL GMS UI and then click the Policies tab. The Policies Panel for the appropriate appliance type appears. From it you can:
View the status of a SonicWALL appliance or group.
Change general settings such as network settings, time, and SonicWALL passwords.
Configure SonicWALL log settings.
Configure website blocking options.
Configure firewall options.
Configure advanced settings, such as proxy settings, intranet settings, routes, DMZ addresses, one-to-one network address translation (NAT), and Ethernet settings.
Configure Dynamic Host Configuration Protocol (DHCP) settings.
Create Virtual Private Networking (VPN) Security Associations (SAs).
Configure Remote Authentication Dial-In User Service (RADIUS), anti-virus, and high availability settings.
Register SonicWALL appliances.
Update SonicWALL firmware.
Activate other feature upgrades and subscription services.
Reports Panel
The Reports Panel is an essential component of network security that is used to view and schedule reports about critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels. To open the Reports Panel, click the UTM or SSL-VPN tab at the top of the SonicWALL GMS UI and then click the Reports tab.
From the Reports Panel, you can view the following for managed SonicWALL appliances:
View general bandwidth usage. These reports include a real-time report, a daily bandwidth summary report, a top users of bandwidth report, and a weekly summary report.
View bandwidth usage, by service. These reports include a real-time report and a summary report.
View Web bandwidth usage. These reports include a daily bandwidth summary report, a top visited sites report, a top users of Web bandwidth report, a report that contains the top sites of each user, and a weekly summary report.
View the number of attempts that users made to access blocked websites. These reports include a daily summary report, a top blocked sites report, a top users report, a report that contains the top blocked sites of each user, and a weekly summary report.
View file transfer protocol (FTP) bandwidth usage. These reports include a daily FTP bandwidth summary report, a top users of FTP bandwidth report, and a weekly summary report.
View mail bandwidth usage. These reports include a daily mail summary report, a top users of mail report, and a weekly summary report.
View VPN usage. These reports include a daily VPN summary report, a top users of VPN bandwidth report, and a weekly summary report.
View reports on attempted attacks and errors. The attack reports include a daily attack summary report, an attack by category report, a top sources of attacks report, and a weekly attack summary report. The error reports include a daily error summary report and a weekly error summary report.
View detailed logging information. The detailed logging information contains each transaction that occurred on the SonicWALL appliance.
View successful and unsuccessful user and administrator authentication attempts. These reports include a user authentication report, an administrator authentication report, and a failed authentication report.
Monitor Panel
The Monitor Panel is the administrator's central tool for monitoring the status of any managed TCP/IP- and SNMP-capable devices and applications. The GMS Monitor panel provides the power and flexibility to help you manage the availability of network devices by providing a real-time graphical representation of your network, creating custom threshold-based real-time monitor alerts, and emailing or archiving network status reports based on your specifications. To access the Monitoring features, click the Monitor tab at the top of the SonicWALL GMS UI.
From the Monitor Panel, you can access the following information about managed appliances:
GMS Navigation Tool: Shows a color-coded graphical representation of the GMS network, providing a quick way to locate devices.
VPN Monitor: Shows a color-coded graphical representation of the VPN network.
NetMonitor: Periodically tests the status of SonicWALL appliances and other attached network devices. Enables you to do the following:
Categorize and monitor devices by device type, geography, or any
Real-Time Syslog: Enables you to diagnose the system by viewing the syslog messages in real time.
Console Panel
The Console Panel is used to configure SonicWALL GMS settings, view pending tasks, manage licenses, and configure system wide granular event management settings. To open the Console Panel, click the Console tab at the top of the SonicWALL GMS UI.
Change the SonicWALL GMS password.
View the SonicWALL GMS log. The SonicWALL GMS log contains information on alert notifications, failed SonicWALL GMS login attempts, and other events that apply to SonicWALL GMS.
Manage tasks. You can view the status of SonicWALL tasks and, if necessary, delete them.
Manage upgrade and subscription licenses for SonicWALL appliances. After loading these licenses into the license pool, you can apply them to SonicWALL appliances from the Policies Panel.
Manage SonicWALL GMS user logins and privileges, agents, and dynamic views.
Manage system-wide Granular Event Management settings, including general settings, severity levels, event thresholds, schedules and schedule groups, and alerts.
Two yellow boxes indicate that one or more appliances in the group have been added to SonicWALL GMS management, but not acquired.
Three yellow boxes indicate that one or more of the global group of appliances of this type (Firewall/SSL-VPN/CDP) have been added to SonicWALL GMS management, but not acquired.
One yellow box with a lightning flash indicates that one or more tasks are pending on the provisioned appliance.
Two yellow boxes with a lightning flash indicate that tasks are pending on one or more provisioned appliances within the group.
One red box indicates that the appliance is no longer sending heartbeats to SonicWALL GMS.
Two red boxes indicate that one or more appliances in the group are no longer sending heartbeats to SonicWALL GMS.
Three red boxes indicate that one or more of the global group of appliances of this type (UTM/SSL-VPN/CDP) are no longer sending heartbeats to SonicWALL GMS.
Two red boxes with a lightning flash indicate that one or more appliances in the group are no longer sending heartbeats to SonicWALL GMS and have one or more tasks pending.
One red box with a lightning flash indicates that the appliance is no longer sending heartbeats to SonicWALL GMS and has one or more tasks pending.
You can hide the entire TreeControl pane by clicking the sideways arrow icon, and redisplay the pane by clicking it again. This is helpful when viewing some reports or other extra-wide screens, especially on the Monitor or Console panel.
To open a TreeControl menu, right-click the View All icon, a Group icon, or a Unit icon.
Find: Opens a Find dialog box that allows you to search for groups or units.
Refresh: Refreshes the GMS UI display.
Rename Unit (unit view only): Renames the selected SonicWALL appliance.
Add Unit: Adds a new unit to the GMS management view. Requires unit IP and login information.
Modify Unit (unit view only): Changes basic settings for the selected unit, including unit name, IP and login information, serial number, management port, and encryption/authentication keys.
Delete: Deletes the selected unit, with the option to delete interconnected SAs or to delete from Net Monitor.
Add to NetMonitor: Adds an existing unit to Net Monitor.
Import XML: Imports an edited XML file to replace the current TreeControl navigation view.
Login to Unit (unit view only): Logs in to the selected unit using HTTP or HTTPS protocols.
Modify Properties: Displays the properties for the selected SonicWALL appliance.
Manage Views: Opens a dialog box where you can create, delete, or modify a view.
Change View: Selects pre-set or user-created views. Views are created in the Manage View window (see above).
Reassign Agents: Opens a dialog box where you can change the IP address of the primary and standby schedulers and the type of VPN tunnel (management vs. site-to-site) used between SonicWALL GMS and the managed SonicWALL appliances.
applets have no access to system resources outside the directory from which they were launched, but a signed applet can access local system resources as allowed by the local system's security policy. In some previous releases of GMS, you were required to edit the java.policy file yourself on the client browser system in order to enable a number of applet-related operations, such as Copy/Paste, Import file, Browse local folders, and HTTP/HTTPS login to the managed units from the GMS UI. There is no need to edit the java.policy file for signed applets. When a signed applet starts up, a warning pop-up is displayed. If you want to trust the applet, click Yes. Copy/paste, Import and HTTP/HTTPS logins will work without any edits to the java.policy file.
Otherwise, click No. In this case you must manually edit the java.policy file.
The SonicWALL GMS UI is a robust and powerful tool you can use to apply settings to all SonicWALL appliances being managed by SonicWALL GMS, all appliances or devices within a group, or individual appliances or devices simply by selecting the Global, Group, or Unit view within the SonicWALL GMS UI. The SonicWALL GMS UI supports up to seven group levels of hierarchy.
Note
Views are only available in the Policies and Reports Panel. Changing views does not affect the Console or Monitor Panels.
This section describes each view and what to consider when making changes. Select from the following:
Group View section on page 30
Unit View section on page 31
Creating SonicWALL GMS Fields and Dynamic Views section on page 33
Group View
From the Group view of the Policies panel, changes you make are applied to all SonicWALL appliances within the group. The Global view (the top view that contains all appliances) is a type of Group view. To open the Group view, click a group icon in the left pane of the SonicWALL GMS UI. The Group Status page appears. The Group View Status page contains a list of statistics for all SonicWALL appliances within the group.
As you move through the SonicWALL GMS UI with the Group view selected and make changes, those changes are broken down into configuration tasks and applied to each subgroup and each SonicWALL appliance within the group. As SonicWALL GMS processes the tasks, some SonicWALL appliances may be down or offline. When this occurs, SonicWALL GMS spools the task and reattempts the update later. Depending on the page that you are configuring, the SonicWALL appliance(s) may automatically restart. We recommend scheduling the tasks to run when network activity is low. To determine if a change will require restarting, refer to the configuration instructions for that task. Making group changes through the SonicWALL GMS UI enables you to save time by instituting changes that affect all SonicWALL appliances within the group through a single operation. Although this is very convenient, some changes can have unintended consequences. Be careful when making changes on a group or global level.
Unit View
From the Unit view of the Policies panel, changes you make are only applied to the selected SonicWALL appliance. To open the Unit view, click a SonicWALL appliance in the left pane of the SonicWALL GMS UI. The Status page for the SonicWALL appliance appears.
From the Unit view on the Reports Panel, you can generate real-time and historical reports for the selected SonicWALL appliance. As you navigate the SonicWALL GMS UI, you can generate graphical reports and view detailed log data for the selected SonicWALL appliance. For more information, see Reports Panel on page 21.
As you navigate the SonicWALL GMS UI with a single SonicWALL appliance selected and make changes, those changes are broken down into configuration tasks and sent to the selected SonicWALL appliance. As SonicWALL GMS processes the tasks, the SonicWALL appliance may be down or offline. When this occurs, SonicWALL GMS spools the task and reattempts the update later.
Note
Depending on the page that you are configuring, the SonicWALL appliance may automatically restart. We recommend scheduling the tasks to run when network activity is low. To determine if a change will require restarting, refer to the configuration instructions for that task.
SonicWALL Model: specifies the model of the SonicWALL appliance. If the unit is not registered, Not Registered appears instead of a model number.
Serial Number: specifies the serial number of the SonicWALL appliance.
Number of LAN IPs allowed: specifies the number of IP addresses that are allowed on the LAN.
DMZ Port: specifies whether the SonicWALL appliance has a DMZ port.
CPU: specifies the CPU used in the SonicWALL appliance.
VPN Upgrade: specifies whether the SonicWALL is licensed for a VPN upgrade.
VPN Clients: specifies whether the SonicWALL is licensed for VPN Clients.
Firmware Version: specifies the version of the firmware installed on the SonicWALL appliance.
Content Filter Subscription List/Service: specifies whether the SonicWALL appliance is licensed for a Content Filter List subscription.
PKI Subscription: specifies whether the SonicWALL appliance has a PKI subscription.
Anti-Virus Subscription: specifies whether the SonicWALL appliance has an anti-virus subscription.
Extended Warranty: specifies whether the SonicWALL appliance has an extended warranty.
SonicWALL Status: specifies the operational status of the SonicWALL appliance.
Tasks Pending: specifies whether the SonicWALL appliance has any pending tasks.
Agent Assigned: specifies the IP address of the SonicWALL GMS agent server that is the primary agent managing the SonicWALL appliance.
Standby Agent: specifies the IP address of the peer SonicWALL GMS that acts as the backup agent for this SonicWALL appliance. If the primary agent fails, this SonicWALL GMS server will manage the appliance.
Managed using Management Tunnel: specifies if the SonicWALL appliance is being managed by SonicWALL GMS using the management VPN tunnel.
Fetch Uptime: the Uptime parameter indicates how long the SonicWALL has been running since the last time it was powered up or restarted. To display the current uptime at the unit level for the selected SonicWALL, click Fetch Uptime.
About Default SonicWALL Fields on page 34
Creating Custom Fields on page 36
Understanding Dynamic Views on page 38
Configuring Dynamic Views on page 39
Changing Views on page 41
AV Enforcement: places the SonicWALL appliances into two groups: appliances that have anti-virus (AV) subscriptions and appliances that do not.
AV Status: places the SonicWALL appliances into different groups based on their status.
CFS Status: places the SonicWALL appliances into two groups: appliances that have content filtering service (CFS) subscriptions and appliances that do not.
Dialup Mode: performs grouping based on whether an appliance has switched to dialup mode for Internet access.
Firmware: creates a group for each Firmware version and places each SonicWALL appliance into its corresponding group.
Management: performs grouping based on whether appliances are managed by HTTPS Management mode, GMS Management Tunnel mode, or Existing/LAN mode.
Model: creates a group for each SonicWALL model and places each SonicWALL appliance into its corresponding group.
Network Type: creates a group for each network type and places each SonicWALL appliance into its corresponding group. These include:
Standard
NAT with DHCP Client
NAT with PPPoE Client
NAT with L2TP Client
NAT with PPTP Client
NAT Enabled
Unknown
Nodes: creates a group for each node range and places each SonicWALL appliance into its corresponding group.
PKI Status: places the SonicWALL appliances into two groups: appliances that have Public Key Infrastructure (PKI) certificates and appliances that do not.
Registered: places the SonicWALL appliances into two groups: appliances that are registered and appliances that are not.
Scheduler: creates a group for each scheduler agent and places each SonicWALL appliance into its corresponding group.
UnitStatus: performs grouping based on the Up/Down/Provisioned status of appliances.
VPN Present: places the SonicWALL appliances into two groups: appliances that have VPN and appliances that do not.
Warranty Status: places the SonicWALL appliances into two groups: appliances that have current warranties and appliances that do not.
Although SonicWALL GMS supports up to ten custom fields, only seven fields can be used to sort SonicWALL appliances at any given time.
The following are examples of custom fields that you can use:
Geographic: useful for organizing SonicWALL appliances by location. Especially useful when used in combination with other grouping methods. Geographic fields may include:
Country
Time Zone
Region
City
Customer-based: useful for organizations that are providing managed security services for multiple customers. Customer-based fields may include:
Company
Division
Department
Configuration-based: useful when SonicWALL appliances will have very different configurations (e.g., Filtering, No Filtering, Pornography Filtering, Violence Filtering, or VPN).
User-type: different service offerings can be made available to different user types. For example, engineering, sales, and customer service users can have very different configuration requirements. Or, if offered as a service to end users, you can allow or disallow network address translation (NAT) depending on the number of IP addresses that you want to make available.
SonicWALL GMS is pre-configured with four custom fields: Country, Company, Department, and State. These fields can be modified or deleted. To add fields, follow these steps:
1. Click the Console tab, expand the Management tree and click Custom Groups.
2. Right-click Custom Groupings in the right pane.
3. Select Add Category from the pop-up menu.
4. Enter the name of the group in the Category Name field.
Note
Category names can only contain alpha-numeric characters. Special characters and/or spaces are not accepted.
5. Enter the default value for the group in the Default Value field.
6. Click Ok.
Note
You can create up to ten fields. Although the fields appear to be in a hierarchical form, this has no effect on how the fields will appear within a view.
To modify or delete fields, right-click any of the existing fields and select Properties or Delete Category, respectively, from the pop-up menu.
Standard Geographic Views
When the number of SonicWALL appliances managed by SonicWALL GMS becomes large, you can divide the appliances geographically among SonicWALL administrators. For example, if one administrator will be responsible for each time zone in the United States, you can choose the following grouping methods:
Administrator 1: Country: USA, Time Zone: Pacific, State, City.
Administrator 2: Country: USA, Time Zone: Mountain, State, City.
Administrator 3: Country: USA, Time Zone: Central, State, City.
Administrator 4: Country: USA, Time Zone: Eastern, State, City.
Firmware Views
To ensure that all SonicWALL appliances are using the current firmware, you can create a view to check and update firmware versions and batch process firmware upgrades when network activity is low. For example, if you want to update all SonicWALL appliances to the latest firmware at 2:00 A.M., you can use the following grouping method:
Firmware Version, Time Zone
If you want to update SonicWALL appliances only for companies that have agreed to the upgrade and you want the upgrades to take place at 2:00 A.M., you can use the following grouping method:
Company, Firmware Version, Time Zone
Registration Views
To ensure that all SonicWALL appliances are registered, you can create a registration view and check it periodically. To create a registration view, you can use the following grouping method:
Registration Status, any other grouping fields
Upgrade View
You can create views that contain information on which upgrades customers do not have and forward this information to the Sales Department. For example, you can choose the following grouping methods:
Content Filter List, Company, Division, Department
Anti-Virus, Company, Division, Department
Warranty Status, Company, Division, Department
1. Right-click anywhere in the left pane of the SonicWALL GMS window and select Manage Views from the pop-up menu. The Edit View page appears.
2. Type a descriptive name for the new view in the View Name field.
3. To make this view available to non-administrators, select Visible to Non-Administrators.
4. To add a view category, click Add Level. View categories are used to filter SonicWALL appliances in your view. The Group Categories column contains categories that are a combination of custom fields and SonicWALL GMS fields.
5. To change the Group Category field, select the desired field from the drop-down list. For a list of SonicWALL GMS fields and their meanings, see About Default SonicWALL Fields on page 34.
6. Choose an Operator to apply to the value for this view:
equals (default value)
starts with
ends with
contains
does not equal
does not contain
7. Type a value for the category in the Value column.
8. You can add up to seven categories or levels.
9. To delete a view category, select the level and click Delete Level.
10. When you are finished configuring this view, click Modify View.
11. When you are finished, click Done.
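Worked example, added here and not part of the guide: a small Python model of what a dynamic view does, following the description above. Each level is a (field, operator, value) triple, the six operators are the ones listed in the Operator column, at most seven levels are allowed, and an appliance appears in the view only when every level matches. It also groups the resulting appliances by an ordered field chain such as Company, Firmware Version, Time Zone, which is what the grouping methods in the Standard Geographic, Firmware, Registration and Upgrade view examples above describe. The appliance records, unit names and field values are constructed; string comparison is assumed to be case-sensitive and a field an appliance lacks is treated as an empty string, neither of which the guide states.

```python
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Appliance = Dict[str, str]
Level = Tuple[str, str, str]  # (Group Category field, Operator, Value)

# The six operators offered in the Operator column, as listed in the guide.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda field, value: field == value,
    "starts with": lambda field, value: field.startswith(value),
    "ends with": lambda field, value: field.endswith(value),
    "contains": lambda field, value: value in field,
    "does not equal": lambda field, value: field != value,
    "does not contain": lambda field, value: value not in field,
}

MAX_LEVELS = 7  # the guide allows up to seven categories (levels) per view

# Constructed sample inventory. Field names mirror the default GMS fields
# (Model, Firmware, Registered) and the custom fields discussed above
# (Company, Country, Time Zone); the values are made up.
SAMPLE_APPLIANCES: List[Appliance] = [
    {"Unit": "fw-sf-01", "Model": "NSA 2400", "Firmware": "SonicOS Enhanced 5.0.1",
     "Company": "Acme", "Country": "USA", "Time Zone": "Pacific", "Registered": "Yes"},
    {"Unit": "fw-ny-01", "Model": "PRO 2040", "Firmware": "SonicOS Enhanced 3.2.0",
     "Company": "Acme", "Country": "USA", "Time Zone": "Eastern", "Registered": "Yes"},
    {"Unit": "fw-chi-01", "Model": "NSA 2400", "Firmware": "SonicOS Enhanced 5.0.1",
     "Company": "Globex", "Country": "USA", "Time Zone": "Central", "Registered": "No"},
    {"Unit": "fw-lon-01", "Model": "TZ 210", "Firmware": "SonicOS Standard 2.0.0",
     "Company": "Globex", "Country": "UK", "Time Zone": "GMT", "Registered": "Yes"},
    {"Unit": "fw-den-01", "Model": "NSA 2400", "Firmware": "SonicOS Enhanced 5.0.1",
     "Company": "Acme", "Country": "USA", "Time Zone": "Mountain", "Registered": "Yes"},
]


def matches_view(appliance: Appliance, levels: Sequence[Level]) -> bool:
    """An appliance is in the view only if every level's test passes."""
    for field, operator, value in levels:
        try:
            test = OPERATORS[operator]
        except KeyError:
            raise ValueError(f"unknown operator: {operator!r}") from None
        # Assumption: a field the appliance lacks behaves as an empty string.
        if not test(appliance.get(field, ""), value):
            return False
    return True


def apply_view(appliances: Iterable[Appliance], levels: Sequence[Level]) -> List[str]:
    """Return the unit names the view would display, in inventory order."""
    if len(levels) > MAX_LEVELS:
        raise ValueError(f"a view may have at most {MAX_LEVELS} levels")
    return [a["Unit"] for a in appliances if matches_view(a, levels)]


def group_by(appliances: Iterable[Appliance],
             fields: Sequence[str]) -> Dict[Tuple[str, ...], List[str]]:
    """Group unit names by an ordered field chain, e.g. ("Company", "Time Zone").

    The tuple key is the path through the grouping hierarchy, which is how the
    geographic and firmware view examples arrange appliances.
    """
    groups: Dict[Tuple[str, ...], List[str]] = {}
    for a in appliances:
        key = tuple(a.get(f, "") for f in fields)
        groups.setdefault(key, []).append(a["Unit"])
    return groups


def firmware_view(appliances: Iterable[Appliance],
                  company: str) -> Dict[Tuple[str, ...], List[str]]:
    """The 'Company, Firmware Version, Time Zone' grouping from the guide,
    restricted to one company's registered units (constructed criteria)."""
    chosen = [a for a in appliances
              if matches_view(a, [("Company", "equals", company),
                                  ("Registered", "equals", "Yes")])]
    return group_by(chosen, ("Firmware", "Time Zone"))


if __name__ == "__main__":
    print(apply_view(SAMPLE_APPLIANCES, [("Firmware", "does not contain", "Enhanced 5.0")]))
    for path, units in firmware_view(SAMPLE_APPLIANCES, "Acme").items():
        print(" / ".join(path), "->", units)
```

The "does not contain" query is the practical one for a firmware view: it lists the units that are behind on firmware, and grouping them by Time Zone gives the batches to schedule at a quiet hour, as the Firmware Views example above suggests.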
Changing Views
To change views from within the SonicWALL GMS UI, follow these steps:
1. Right-click anywhere in the left pane of the SonicWALL GMS window and select Change View from the pop-up menu. The Change View dialog box appears.
2. Select a view and click OK. The GMS UI displays only the SonicWALL appliances that meet the requirements of the filters defined in the view.
Getting Help
In addition to this manual, SonicWALL GMS provides on-line help resources. To get help, follow these steps:
1. Navigate to the page where you need help.
2. Click the Question Mark (?) in the upper right-hand corner of the window. Help for the selected page appears.
1. Navigate to the page where you need help.
2. If available, click the Lightbulb icon in the upper right-hand corner of the window. Tips, tutorials, and online help are displayed for this topic.
Adding SonicWALL Appliances to SonicWALL GMS on page 43
Registering SonicWALL Appliances on page 51
Modifying Management Properties on page 52
Deleting SonicWALL Appliances from GMS on page 55
Performing Basic Appliance Management on page 55
To add SonicWALL appliances using the command-line interface, refer to the SonicWALL Global Management System Command Line Interface Guide. The following sections describe two methods for adding SonicWALL appliances to GMS:
Click the appliance tab that corresponds to the type of appliance that you want to add: UTM, SSL-VPN, CDP, or Email Security.
2.
Expand the SonicWALL GMS tree and select the group to which you will add the SonicWALL appliance. Then, right-click the group and select Add Unit from the pop-up menu. To not specify a group, right-click an open
45
area in the left pane (TreeControl pane) of the SonicWALL GMS management interface and select Add Unit. The Add Unit dialog box appears.
3. Enter a descriptive name for the SonicWALL appliance in the Unit Name field. Do not enter the single quote character (') in the Unit Name field. If applicable, choose a Domain to add this appliance to from the Domain drop-down list.
Note: Domain selection is only available to the admin of the LocalDomain. Individual domain admins are only able to add an appliance to their respective domains.
4. Enter the serial number of the SonicWALL appliance in the Serial Number field. On SonicWALL Aventail appliances, the serial number is found on a sticker on the back of the appliance. Enter it without hyphens into the field.
5. For the Managed Address, choose whether to Determine automatically or Specify manually. Most deployments will be able to determine the address automatically.
7. Enter the administrator login name for the SonicWALL appliance in the Login Name field. For SonicWALL Aventail SSL VPN appliances, the login name is pre-configured as GMS and cannot be changed.
8. Enter the password used to access the SonicWALL appliance in the Password field.
9. For Management Mode, select from the following:
• If the SonicWALL appliance will be managed through an existing VPN or a management VPN tunnel, select Using Management VPN Tunnel (default).
• If the SonicWALL appliance will be managed over HTTPS, select Using HTTPS.
10. Enter the IP address of the managed appliance in the IP Address field.
11. Enter the port used to administer the SonicWALL appliance in the HTTP(S) Port field (default ports are HTTP: 80; HTTPS: 443).
12. Enter the encryption key in the SA Encryption Key field. The key must be exactly 16 characters long and composed of hexadecimal characters. Valid hexadecimal characters are 0 to 9 and a to f (that is, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.
Note: This key must match the encryption key of the SonicWALL appliance. You can set the key on the appliance by logging directly into it.
13. Enter the authentication key in the SA Authentication Key field. The key must be exactly 32 characters long and composed of hexadecimal characters. For example, a valid key would be 1234567890abcdef1234567890abcdef.
Note: This key must match the authentication key of the SonicWALL appliance.
14. If the SonicWALL appliance uses the Anti-Virus feature, enter the
15. Select the IP address of the SonicWALL GMS agent server that will manage the SonicWALL appliance from the Agent IP Address list box:
• If SonicWALL GMS is configured in a multi-tier distributed environment, you must select the SonicWALL GMS Agent whose IP address matches the IP address that you specified when configuring the SonicWALL appliance for SonicWALL GMS management.
• If SonicWALL GMS is in a single-server environment, the IP address
16. If SonicWALL GMS is configured in a multi-tier distributed environment, enter the IP address of the backup SonicWALL GMS server in the Standby Agent IP field. The backup server will automatically manage the SonicWALL appliance in the event of a primary server failure. Any Agent can be configured as the backup.
Note: If SonicWALL GMS is deployed in a single server environment, leave this field blank.
17. To add the appliance to Net Monitor, select the Add this unit to Net Monitor checkbox.
18. Click Properties. The Unit Properties dialog box appears.
19. This dialog box displays the category fields to which the SonicWALL appliance belongs. To change any of the values, select a new value from the drop-down list. When you are finished, click OK. You are returned to the Add Unit dialog box.
21. Select the user group or individual users to which read-write privileges should be assigned. Keep in mind that admins always maintain read-write privileges, regardless of your selection here.
22. Click OK. The new SonicWALL appliance appears in the SonicWALL GMS management interface. It will have a yellow icon that indicates it has not yet been successfully acquired. SonicWALL GMS will then attempt to establish a management VPN tunnel, set up an HTTPS connection, or use the existing site-to-site VPN tunnel to access the appliance. GMS then reads the appliance configuration and acquires the SonicWALL appliance for management. This will take a few minutes. After the SonicWALL appliance is successfully acquired, its icon turns blue, its configuration settings are displayed at the unit level, and its settings are saved to the database. A text version of this configuration file is also saved in the file: <gms_directory>/etc/Prefs.
Note: In a multi-tier distributed environment, both the primary and secondary SonicWALL GMS Agents must be configured to use the same management method.
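As an added example (not from the SonicWALL guide), the following Python checks candidate SA Encryption and SA Authentication Keys against the format steps 12 and 13 require (16 and 32 lowercase hexadecimal characters), generates fresh random keys in that format rather than reusing the documentation samples, and compares the key entered in GMS with the one set on the appliance as the notes require. The function names and the malformed sample inputs are constructed for this example.

```python
"""Added example (not part of the SonicWALL guide): format checks and
generation for the SA Encryption Key (16 hex characters) and SA
Authentication Key (32 hex characters) entered in the Add Unit dialog.
The character set follows the guide literally: digits 0-9 and lowercase
a-f. Function names and the malformed sample inputs are constructed."""
import re
import secrets
from hmac import compare_digest
from typing import List, Tuple

SA_ENCRYPTION_KEY_LEN = 16        # step 12: exactly 16 hex characters
SA_AUTHENTICATION_KEY_LEN = 32    # step 13: exactly 32 hex characters
HEX_CHARS = "0123456789abcdef"    # the guide lists 0 to 9 and a to f
HEX_RE = re.compile(r"^[0-9a-f]+$")


def key_problems(key: str, expected_len: int, label: str) -> List[str]:
    """Describe everything wrong with a key; an empty list means it is acceptable."""
    problems = []
    if len(key) != expected_len:
        problems.append(f"{label}: expected {expected_len} characters, got {len(key)}")
    if not HEX_RE.match(key):
        bad = sorted({c for c in key if c not in HEX_CHARS})
        problems.append(f"{label}: invalid characters {bad}")
    return problems


def validate_sa_keys(encryption_key: str, authentication_key: str) -> List[str]:
    """Check both keys the way steps 12 and 13 describe them."""
    return (key_problems(encryption_key, SA_ENCRYPTION_KEY_LEN, "SA Encryption Key")
            + key_problems(authentication_key, SA_AUTHENTICATION_KEY_LEN, "SA Authentication Key"))


def generate_sa_keys() -> Tuple[str, str]:
    """Fresh random keys in the required format; token_hex(n) yields 2n lowercase hex digits."""
    return (secrets.token_hex(SA_ENCRYPTION_KEY_LEN // 2),
            secrets.token_hex(SA_AUTHENTICATION_KEY_LEN // 2))


def keys_match(gms_key: str, appliance_key: str) -> bool:
    """The key entered in GMS must equal the one set on the appliance; compare without timing leaks."""
    return compare_digest(gms_key.encode(), appliance_key.encode())


def generated_keys_are_valid() -> bool:
    """Sanity check: generated keys pass validation and only match themselves."""
    enc, auth = generate_sa_keys()
    return validate_sa_keys(enc, auth) == [] and keys_match(enc, enc) and not keys_match(enc, auth)


if __name__ == "__main__":
    # the guide's own sample keys pass the format check
    print(validate_sa_keys("1234567890abcdef", "1234567890abcdef1234567890abcdef"))  # []
    # constructed bad inputs: hyphens and wrong length, then uppercase digits
    print(validate_sa_keys("1234-5678-90ab-cdef", "1234567890ABCDEF1234567890ABCDEF"))
    print(generated_keys_are_valid())  # True
```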
1. Right-click in the left pane of the SonicWALL GMS UI and select Add Unit from the pop-up menu. The Add Unit dialog box appears.
2. Enter a descriptive name for the SonicWALL appliance in the Unit Name field. Do not enter the single quote character (') in the SonicWALL Name field.
3. Enter the password to access the SonicWALL appliance in the Password field.
4. Click Import. The Import dialog box appears.
Note: If the above Import Dialog Box does not appear, you need to edit the java.policy file on your system.
5. Find and select the saved prefs file of the SonicWALL appliance. Click Import. You are returned to the Add Unit dialog box.
6. Click Properties. The Unit Properties dialog box appears. This dialog box displays fields to which the SonicWALL appliance belongs. To change any of the values, enter a new value. When you are finished, click OK.
7. After you are returned to the Add Unit dialog box, click OK again.
8. Select the user group or individual users to which read-write privileges should be assigned. Keep in mind that admins always maintain read-write privileges, regardless of your selection here.
9. Click OK.
10. The new SonicWALL appliance appears in the SonicWALL GMS UI. It will have a yellow icon that indicates it has not yet been successfully acquired. The SonicWALL GMS will then attempt to establish a management VPN tunnel to the appliance, read its configuration, and acquire it for management. This will take a few minutes.
After the SonicWALL appliance is successfully acquired, its icon will turn blue, its configuration settings will be displayed at the unit level, and its settings will be saved to the database. A text version of this configuration file is also saved in <gms_directory>/etc/Prefs.
Registering SonicWALL Aventail SSL VPN appliances from GMS is not supported.
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Register/Upgrades tree and click Register SonicWALLs. The Register SonicWALLs page appears.
3. Click Register. SonicWALL GMS creates a task for each SonicWALL appliance registration. If the appliance is already registered, the Register SonicWALLs page will state This appliance is registered. By default, SonicWALL GMS executes the tasks immediately. However, they can also be scheduled for another time and will remain in the schedule queue until they are executed. To view the status of these tasks, click the Console tab. Then, expand the Tasks tree and click Scheduled Tasks.
During the task execution, SonicWALL GMS registers each selected SonicWALL appliance using the information that you used to register with the SonicWALL registration site. After registration is complete, the task will be removed from the Scheduled Tasks page and the status of the task execution will be logged. To view these logs, click the Console tab. Then, expand the Log tree and click View Log.
• Modifying SonicWALL Appliance Management Options on page 52
• Changing Agents or Management Methods on page 53
• Moving SonicWALL Appliances Between Groups on page 54
If a unit has not been acquired (yellow icon), you can change its management mode using this procedure. After it has been acquired (red or blue icon), you cannot change its management mode using this procedure and must reassign it. For more information, see Changing Agents or Management Methods on page 53.
1. Right-click in the left pane of the SonicWALL GMS UI and select Modify Unit from the pop-up menu. The Modify Unit dialog box appears.
2. The Modify Unit dialog box contains the same options as the Add Unit dialog box. For descriptions of the fields, see Adding SonicWALL Appliances to SonicWALL GMS on page 43.
3. When you have finished modifying options, click OK. The SonicWALL appliance settings are modified.
1. Right-click on the group or appliance that you want to re-assign and select Re-assign Agents from the pop-up menu.
2. If the appliances to be re-assigned are managed using existing tunnels or the LAN, a warning message is displayed. Click OK.
Caution: Make sure that the appliances will be able to successfully connect to the re-assigned GMS to avoid losing connection to the appliances.
3. Select the IP address of the SonicWALL GMS agent server that will manage the SonicWALL appliance from the Scheduler IP Address list box.
4. If SonicWALL GMS is configured in a multi-tier distributed environment, enter the IP address of the backup SonicWALL GMS server in the Standby Scheduler IP field. The backup server will automatically manage the SonicWALL appliance in the event of a primary failure. Any Agent can be configured as the backup.
6. For Management Mode, select from the following:
• If the SonicWALL appliance will be managed through an existing VPN or a management VPN tunnel, select Using Management VPN Tunnel (default).
• If the SonicWALL appliance will be managed over HTTPS, select Using HTTPS.
7. Enter the port used to administer the SonicWALL appliance in the SonicWALL HTTP Port field (standard: 80; HTTPS: 443). For SonicWALL Aventail appliance management, use HTTPS port 8443.
8. When you are finished, click OK. A task is created for each selected SonicWALL appliance.
1. Right-click on a SonicWALL appliance or group in the left pane of the SonicWALL GMS UI and select Modify Properties from the pop-up menu. The Properties dialog box appears.
2. Make any changes to the categories to which the SonicWALL appliance or group of appliances belongs. For information on creating categories, see Creating SonicWALL GMS Fields and Dynamic Views on page 33.
Note: If you are performing this procedure at the group or global level, all parameters will be changed for all selected SonicWALL appliances. For example, if you were attempting to only change the Country attribute, all other parameters would be changed as well.
3. Click OK. The SonicWALL appliance(s) are moved to the new group.
1. Right-click on a SonicWALL appliance or group in the left pane and select Delete from the pop-up menu.
2. In the warning message that displays, click Yes. The SonicWALL appliance or group is deleted from GMS.
Management Task: Location
Inheriting Group Settings: Managing Inheritance in GMS on page 569
Upgrading Firmware: Upgrading Firmware on page 592
Managing Subscription Services: Configuring Security Services on page 457
Manually Uploading Signatures: Manually Uploading Signature Updates on page 137
Managing Certificates: Configuring Certificates on page 146; Generating a Certificate Signing Request on page 150
Understanding Heartbeat Messages: Configuring System Settings on page 139; Configuring Log Settings on page 278
• Overview of the SonicToday Panel section on page 58
• Editing a Component Window section on page 58
• Adding a Component Window section on page 60
• Adding More Pages section on page 68
• Editing and Deleting Pages section on page 69
• Other Features section on page 70
1. Click the Edit link, located on the right side of the component window you wish to modify. In this example, we will modify the title of the component window CNN Top Stories.
2. The component window will expand, revealing the following entries you can modify:
• Title: The title of the component window.
• RSS URL: The URL of the RSS Feed the current component window updates from.
• Items: The number of items to be displayed on the component window.
• Refresh Interval: How often the component window refreshes the RSS Feed.
In this example, we will change the title to CNN Top 5 Stories. For Items, we specify that we want five items shown in the component window, and we want the Refresh Interval to occur every 30 minutes.
3. Click Save to save your changes and exit the component window. The changes will update the component window immediately.
• Application Widget section on page 60
• Event Alert section on page 62
• RSS Feed section on page 66
Application Widget
The application widget specifically details Logs, Scheduled Tasks, and Current Sessions in SonicWALL GMS 6.0. The convenience of this new widget is that it enables you to keep track of all these different details from the SonicToday dashboard page, rather than navigating through other tabs. To add the application widget:
1. Click Add Component to bring up the Add Component Manager dialogue box. Select Application Widget from the Type drop-down list.
2. Specify what type of Widget you want in the component. The Title will default to the Widget you choose, but you may customize this if you prefer. You also will indicate how many Items you want to be shown on the component window, as well as the Refresh Interval. In this example, we will add a widget that monitors Logs, displaying the latest five every ten minutes.
3. Click Add when finished specifying entries. The component window is added to the SonicToday dashboard.
Event Alert
This feature in SonicWALL GMS allows you to receive alerts from your email, SNMP traps, and console on the SonicToday dashboard. You are able to filter which alerts you want directed to your SonicToday dashboard. To set up an event alert:
1. Click Add Component to bring up the Add Component Manager dialogue box. Select Event Alert from the Type drop-down list.
2. Select the Alert Type you would like to add from the drop-down list. The Title will default to the Alert Type you choose, but you may customize this if you prefer. You also will indicate how many Items you want to be shown on the component window, as well as the Refresh Interval. The field Show Alerts Triggered within last is used to provide the number of triggered alerts in hours. Only alerts triggered within this time period will appear on the SonicToday dashboard. In this example, we will add an event alert for Unit Status, displaying the latest five every 30 minutes. This event alert will also show alerts triggered within the last 24 hours.
3. Click Add when finished specifying entries. The component window is added to the SonicToday dashboard. You will see a No alerts configured for destination SonicToday notification in the newly added Unit Status component window. This is because you have not identified which unit you are inquiring status on.
To identify a unit for this alert:
1. Click the UTM tab to bring up a detailed list of all the units associated with SonicWALL GMS.
2. Click on the unit for which you wish to receive alerts. In this example, we will use the unit TZ 150. Double-click the unit name to see detailed information regarding this unit.
3. Navigate under the Policies tab to the Events link. Click the option Alert Settings.
4. For the first option of Unit Status, click the configure icon to specify settings for this status alert. A dialog box will appear.
5. You must ensure one of the destinations for this alert is User Interface-SonicToday or else the alert will not be directed to your SonicToday dashboard. Click this option from the drop-down list under the Destination/Schedule section. Click Update to save changes. You will now be alerted on the component window as soon as a unit fails. It is a very detailed failure notice, complete with the date and exact time the unit failed.
Whenever there is no alert added for a selected alert type, the No alerts configured for destination SonicToday message is displayed. Once the alert destination is configured as described in the To Identify a Unit for this Alert section on page 64, the alert message will appear in the component window. Only alerts triggered within the configured time period are displayed in the SonicToday dashboard.
RSS Feed
RSS Feed is a component window designed to keep you updated with what is going on in the IT and Security World, as well as all around the globe. This section contains procedures for customizing an RSS Feed component window on your SonicToday dashboard. To choose a Predefined RSS Feed:
1. Click Add Component to bring up the Add Component Manager dialogue box.
2. Select RSS Feed from the Type drop-down list. This will automatically bring up a list of predefined RSS Feeds you may choose from. The Title will default to the Alert Type you choose, but you may customize this if you prefer. You also will indicate how many Items you want to be shown on the component window, as well as the Refresh Interval. In this example, we will select AP Sports News, displaying the first five items every 30 minutes on the component window.
3. Click Add when you are finished. This will add the new RSS Feed component window to your SonicToday dashboard.
To add a custom RSS Feed:
1. Click Add Component to bring up the Add Component Manager dialogue box.
2. Select RSS Feed from the Type drop-down list. This will automatically bring up a list of predefined RSS Feeds you may choose from. Scroll to the bottom of the predefined list and select Custom RSS Feed...
3. Enter the URL of the RSS Feed you would like on your component window.
4. Enter the Title for this custom RSS Feed page. Also indicate how many Items you want to be shown on the component window, as well as the Refresh Interval. In this example, we will choose Rediff Top Stories, displaying the first five items every 30 minutes on the component window.
5. Click Add when you are finished. This will add the new RSS Feed component window to your SonicToday dashboard.
1. Click Manage Page from the toolbar to bring up the Page Manager.
2. In the Page section, select Add New Page from the drop-down list.
3. Name your new page under Page Title.
4. Select the layout of your page under Page Layout. A thumbnail image pops up alongside each option to assist you.
5. You also have the option of making this your default page, simply by placing a checkmark in the box labeled Default Page.
6. Click Add when you are finished. The toolbar now displays the newly added page. In this example, we titled the new page News.
You can now add and customize component windows to navigate between pages.
Other Features
See the following sections:
• AutoHide, page 70
• Page Selector, page 70
• Component Height Resize, page 71
• Manual Refresh, page 71
• Removing or Deleting a Component, page 71
• Minimizing or Maximizing a Component, page 71
AutoHide
AutoHide is a feature you turn on or off. When AutoHide is turned on, the control bar hides two seconds after the mouse is moved away from it. When AutoHide is turned off, the control bar always appears on the SonicToday dashboard. To turn AutoHide on, click the Off icon. To turn AutoHide off, click the On icon.
Page Selector
Whenever the number of pages added to the SonicToday dashboard exceeds five, a page selector bar appears at the top of the main window with left and right arrows. The arrows can be used to scroll across different pages in both directions. By default, the selector is scrolled to a point where the default page appears on it. Any page can be selected by clicking on the page title.
Manual Refresh
Aside from the automatic refresh, which you configure in the Editing a Component Window section on page 58, you can force a refresh on the component window by clicking the refresh icon on the component window header.
The UMA appliance and the GMS application both provide a system settings interface, referred to as UMA for the appliance and UMH in GMS software deployments. In either scenario, the switch icon is used to toggle between application and system interfaces.
• Status section on page 77
• Licenses section on page 78
• Time section on page 80
• Administration section on page 81
• Settings section on page 83
• Diagnostics section on page 85
• File Manager section on page 88
• Backup/Restore section on page 90
• RAID section on page 94
• Restart section on page 95
Status
This section describes the UMH/UMA System > Status page, used to view general status of the appliance hardware and licensed firmware. The UMH System > Status page is shown below:
This page identifies the following specifications:
Name: Displays the user-friendly name of the system.
Serial Number: Displays the system identification number.
Version: Displays the current firmware version and date.
The page also displays the Global Management System or ViewPoint license status, and the configuration set in the Deployment > Roles section of the user interface.
Host Name / IP: Displays the system host name (for example, an FQDN such as mysystem.myhost.com) and IP address.
Current Time: Displays the current date and time, based on your localized time zone settings.
Operating System: Displays the system's currently loaded operating system.
CPU: Displays basic specifications (speed and number of cores) for the system's processor.
RAM: Displays the amount of random access memory (RAM) installed on the system.
RAID Array (UMA only): Displays the type, status, and size of the currently installed RAID array.
Available Disk Space: Displays free space and total space, in gigabytes.
Licenses
This section describes the UMH/UMA System > Licenses page, used to view and manage GMS and ViewPoint licenses. The UMH System > Licenses page is shown below:
This page identifies the following specifications:
Security Service: The current license type based on product registration and serial number.
Support Service: The available SonicWALL support types based on product registration and serial number. For the UMA, the Hardware Warranty is also listed here.
Status: License status. If unlicensed, you must purchase a license or register your product or appliance.
Count: Number of valid licenses.
Expiration: Expiration date of your current license.
In addition, you may also use the buttons on this screen to:
• Manage Licenses through your MySonicWALL.com account
• Refresh Licenses by connecting with the SonicWALL licensing server
• Upload Licenses if no external network connection is available
Time
This section describes the UMA appliance System > Time page, used to view and manage the appliance date/time settings. This page is only available on the UMA appliance.
This page allows the administrator to set the following time and date settings:
• Time in Hours/Minutes/Seconds
• Date in Month/Day/Year
• Time Zone from standard international time zones, or coordinated universal time (UTC) for deployments spanning multiple time zones.
• The Set time automatically using NTP checkbox may be selected for auto-updated time using standard time servers. Selecting this option causes the system to automatically adjust for daylight saving time in time zones that recognize DST.
Administration
This section describes the UMH/UMA System > Administration page, used to manage basic administrative settings. The UMH System > Administration page is shown below:
This page provides the following functions:
Host Settings
Inactivity Timeout: Number of minutes before an administrator is forcefully logged out of the user interface. Entering a value of -1 allows the account to remain logged in until the appliance is power cycled. Ensure that your console is in a secure location, as this setting can expose your system to potential physical security issues. The default value is 10 minutes.
Enhanced Security Access (ESA)
Enforce Password Security: Check this box to enforce the password security settings in the following boxes.
Number of failed login attempts before user can be locked out: Number of tries a user has to enter the correct password before being locked out of the system for a specified time. Default is 6.
User lockout minutes: Time specified for locking a user out after the user has failed to correctly log in the specified number of times. Default is 30 minutes.
Number of days to force password change: Number of days before a user is forced to change his or her password. Default is 90 days.
Administrator Password
Administrator Name: Default administrator login name, admin.
Current Password: The current password for the admin account.
New Password: The new password for the admin account.
Confirm Password: The new password for the admin account, entered again to confirm it.
To change the administrator password, enter the Current Password in the appropriate field, and then enter a New Password and confirm that password. Click the Update button when you are finished making changes. Click Reset to return to default settings.
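As an added example (not part of the SonicWALL guide), the following Python models how the ESA settings and the Inactivity Timeout described above interact, using the defaults the page lists: lockout after 6 failed logins, a 30-minute lockout, a forced password change after 90 days, and a 10-minute inactivity timeout where -1 means the session never expires. It assumes the sixth consecutive failure triggers the lockout and that a successful login clears the failure count; the account name, password and timestamps are constructed.

```python
"""Added example (not part of the SonicWALL guide): a model of the
Enhanced Security Access (ESA) and Inactivity Timeout settings on the
UMH/UMA System > Administration page, with the defaults the page lists.
Assumptions: the lockout starts at the 6th consecutive failure, a
successful login clears the failure count, and the account name,
password and timestamps are constructed for the demonstration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from hmac import compare_digest
from typing import List, Optional, Tuple


@dataclass
class EsaPolicy:
    enforce_password_security: bool = True  # the "Enforce Password Security" checkbox
    max_failed_attempts: int = 6            # failed logins before lockout (default 6)
    user_lockout_minutes: int = 30          # "User lockout minutes" (default 30)
    password_max_age_days: int = 90         # "Number of days to force password change" (default 90)


@dataclass
class Account:
    name: str
    password: str                           # plain text only because this is a model
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def attempt_login(policy: EsaPolicy, acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'bad-password', 'ok-password-expired' or 'ok'."""
    if policy.enforce_password_security and acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"                 # still inside the lockout window
        acct.locked_until = None            # lockout elapsed: the user may try again
        acct.failed_attempts = 0
    if not compare_digest(password.encode(), acct.password.encode()):
        acct.failed_attempts += 1
        if (policy.enforce_password_security
                and acct.failed_attempts >= policy.max_failed_attempts):
            acct.locked_until = now + timedelta(minutes=policy.user_lockout_minutes)
            return "locked"
        return "bad-password"
    acct.failed_attempts = 0                # a good login clears the failure count
    if (policy.enforce_password_security
            and now - acct.password_set_at >= timedelta(days=policy.password_max_age_days)):
        return "ok-password-expired"        # accepted, but a password change is forced
    return "ok"


def session_expired(last_activity: datetime, now: datetime,
                    inactivity_timeout_minutes: int = 10) -> bool:
    """Inactivity Timeout: the page says -1 keeps the session until a power cycle, so it never expires here."""
    if inactivity_timeout_minutes == -1:
        return False
    return now - last_activity >= timedelta(minutes=inactivity_timeout_minutes)


def simulate_lockout() -> List[str]:
    """Six wrong passwords one second apart, then the right one inside and after the 30-minute lockout."""
    policy, t0 = EsaPolicy(), datetime(2010, 6, 1, 9, 0, 0)   # constructed timeline
    acct = Account("admin", "correct-horse-battery", t0 - timedelta(days=10))
    results = [attempt_login(policy, acct, "wrong", t0 + timedelta(seconds=i)) for i in range(6)]
    results.append(attempt_login(policy, acct, "correct-horse-battery", t0 + timedelta(minutes=1)))
    results.append(attempt_login(policy, acct, "correct-horse-battery", t0 + timedelta(minutes=31)))
    return results


def simulate_password_age() -> str:
    """A correct login with a 91-day-old password is accepted but flagged for a forced change."""
    t0 = datetime(2010, 6, 1, 9, 0, 0)
    acct = Account("admin", "correct-horse-battery", t0 - timedelta(days=91))
    return attempt_login(EsaPolicy(), acct, "correct-horse-battery", t0)


def simulate_inactivity() -> Tuple[bool, bool]:
    """Default 10-minute timeout versus the -1 'never log out' setting."""
    t0 = datetime(2010, 6, 1, 9, 0, 0)
    return (session_expired(t0, t0 + timedelta(minutes=10)),
            session_expired(t0, t0 + timedelta(days=365), -1))


if __name__ == "__main__":
    print(simulate_lockout())       # five 'bad-password', then 'locked', 'locked', 'ok'
    print(simulate_password_age())  # ok-password-expired
    print(simulate_inactivity())    # (True, False)
```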
Settings
This section describes the UMH/UMA System > Settings page, used to manage manual software or firmware upgrades and, on the appliance, re-initialization of factory default settings. The UMH System > Settings page is shown below:
On the UMH, this page displays the current version of SonicWALL GMS running on the system, and provides a link to click for the history of upgrades on this system. This page also allows the administrator to:
• Upload a SonicWALL GMS Service Pack or Hotfix by uploading a valid software image from your local drive. After uploading the software, click Apply to reboot the system with the new version.
On the UMA, this page displays the current version of SonicWALL firmware running on the appliance, and provides a link to click for the history of upgrades on this system. This page also allows the administrator to:
• Upgrade firmware by uploading a valid firmware image from your local drive. SonicWALL approved service packs and hotfixes can also be installed through this screen. After uploading the firmware, click Apply to reboot the appliance with the new version.
• Reinitialize the appliance to factory default settings by clicking the Reinitialize button. This will remove any of your current settings on the appliance and re-image the UMA with factory default settings. This option is only available for the UMA appliance.
Note
Please be patient while the process is taking place. This process can take up to 15 minutes. Do NOT manually reset or cycle power to the device during this time.
Diagnostics
This section describes the UMH/UMA System > Diagnostics page, used to set the log debug level, test connectivity to servers, and download system and log files. The UMH System > Diagnostics page is shown below:
Debug Log Settings
Set the System Debug Level by selecting a value from the drop-down list. Select 0 for no debug information in the logs, 1 or 2 for more debug information, and 3 for maximum debug information. Click Update to apply your changes, or click Reset to return to the default setting of 3.
Test Connectivity
Select one of the following options and then click Test to test connectivity:
• Database Connectivity: Test connectivity using the database.
• License Manager connectivity: Test connectivity to the host name that you type into the License Manager Host field.
• SMTP connectivity: Test connectivity to the SMTP server displayed here. The SMTP server is configured on the Deployment > Settings page.
Download System/Log Files
You can generate a TSR and view or search log files in this section:
• For information about generating a TSR, see the Technical Support
• For information about viewing and searching log files, see the Logs and Syslogs section on page 87.
Tip
You must register your SonicWALL security appliance on mysonicwall.com to receive technical support.
Before e-mailing the Tech Support Report to the SonicWALL Technical Support team, complete a Tech Support Request Form at https://www.mysonicwall.com. After the form is submitted, a unique case number is returned. Include this case number in all correspondence, as it allows SonicWALL Technical Support to provide you with better service.
File Manager
This section describes the UMA appliance System > File Manager page, used to view and manage system files for a UMA appliance. This page is only available on the UMA appliance.
The File Manager feature provides a way to view the file system and export, delete, add, or modify files without opening an SSH session to the appliance. You can select the folder to view from the Select Folder drop-down list. To search for certain file names, enter search parameters using regular expressions in the Search Filter field and then click the right arrow next to the field.
This page allows the administrator to perform the following actions:
Export: Exports the currently selected file. If the file size is larger than 5MB, the file is exported as a .zip file. Files exported should be less than 200MB. Single files can be exported by clicking the Export icon to the right of the file name.
Delete: Deletes the currently selected file if correct permissions are available. Single files can be deleted by clicking the Delete icon to the right of the file name.
Add/Edit (Upload): Allows files to be added to, or overwritten in, the currently selected folder. This feature is only available for certain folders and files. Files can be uploaded by clicking the Upload icon (a plus sign) in the upper right corner of the screen.
Select checkboxes for multiple files, or click the Select All checkbox to choose all files. Click the Export or Delete buttons on the bottom of the screen to perform these actions on selected files.
Note
Multiple files are exported as a .zip file. Be aware that files larger than 200MB may take a large portion of your unit's bandwidth.
Backup/Restore
This section describes the UMA appliance System > Backup/Restore page, used to create or restore a snapshot of configurations and data on your UMA appliance. This page is only available on the UMA appliance.
This data export feature allows you to periodically offload backup data and archived reports from your UMA appliance to an offsite client. Web Services are used with this feature. See the Web Services chapter for more information about Web Services. See the Data Export Wizard section on page 91 for information about using the data export feature. To create a local snapshot, select one of the following backup options in the Manage Backups section and then click Download Snapshot:
• Backup Configurations Only: Backs up system configurations only.
• Backup Data Only: Backs up system data only.
• Backup Both Configurations and Data: Backs up system configurations and data.
To restore a backup, the snapshot is uploaded to your local storage and then used to restore data. In the Manage Restores section, click Browse to select the backup file in the Snapshot file field and then click Restore Snapshot.
1. Log in as admin to your UMA appliance and navigate to the System > Backup/Restore page.
2. Click the HERE link under Manage Backups and select whether to run or save the auto_export.zip file.
3. Click the Extract button, browse to the desired folder such as C:\Program Files, and select the Use folder names option to extract the files from the zip file into a sub-folder called auto_export.
4. Open the README.txt file and read the instructions for using the wizard.
5. On a Windows machine, double-click runWizard.bat to launch the wizard. On a Linux machine, execute runWizard.sh.
Note: In the first release of SonicWALL GMS 6.0, if the runWizard.bat file seems to exit immediately, it may be because you chose a folder with spaces in the name. Edit the runWizard.bat file in a text editor and add quotes around the command.
6. The Select button appears. Click Select to open a dialog showing existing configuration files in the auto_export/configs directory. Click the desired file and then click Open.
7. Enter the following information to allow SonicWALL GMS to communicate with Web Services on the UMA, and then click Next:
• GMS Serial: The serial number of the UMA system
• IP/Domain: Either the domain name or the IP address of the UMA system
• HTTPS Port: GMS Web Services always uses the HTTPS protocol to provide the fundamental security mechanism. By default, the port number is 8443.
• Username: The GMS administrator's username
• Password: The GMS administrator's password
8. The wizard displays the available export Web services. Select the checkbox for each service that should be included in the configuration and then click Next.
92
Backup/Restore
For example, select the System Backup export service to include it in the export script to offload system backups from a UMA system.
9.
The wizard displays a configuration summary. After reviewing the summary, click Save to create the configuration file.
10. Type the file name into the Input dialog box, or accept the pre-populated
The wizard saves the file in the .../auto_export/configs directory with ".ec" as the file name extension.
11. Click Done to exit the wizard.
93
RAID
12. You can now set up a scheduled task (in Windows) or a cron job (in Linux)
to execute runTask.bat or runTask.sh to periodically download backup data from the UMA. The downloaded backup data is stored in the /auto_export/export directory. Windows command example:
Data is transferred from the UMA system to the target client that executes the export task whenever the schedule is triggered.
RAID
This section describes the UMA appliance System > RAID page, used to review RAID array drive status. This page is only available on the UMA appliance.
This page identifies the following specifications:
RAID Settings: Displays the RAID manufacturer, model, serial number, driver, and firmware version. Do not use the serial number from this screen for MySonicWALL registration; it is not the same information as your UMA appliance.
Array: Displays array type, combined size (for all active drives) and status. This section also itemizes all installed drives in the array and their model, serial number, size (individual), and status.
Restart
This section describes the UMA appliance System > Restart page, used to restart the appliance. This page is only available on the UMA appliance.
This page allows the administrator to restart the appliance, temporarily disconnecting users and stopping any services. If you made any changes to the settings, be sure to apply them before you restart. The process of restarting generally takes about 3 minutes.
Settings
This section describes the UMA appliance Network > Settings page, used to configure basic networking and host settings.
This page allows the administrator to configure the following settings:
Host section:
Name: A descriptive name for this appliance
Domain: In the form of sonicwall.com; this domain is not used for authentication
Networking section:
Host IP address: The static IP address for the eth0 interface of the appliance
Subnet mask: In the form of 255.255.255.0
Default gateway: The IP address of the network gateway; this is the default gateway of your perimeter firewall or networking appliance, not the GMS Gateway.
DNS server 1: The IP address of the primary DNS server
DNS server 2: (Optional) The IP address of the secondary DNS server
DNS server 3: (Optional) The IP address of the tertiary DNS server
To apply your changes to the above fields, click the Update button. To revert to default settings, click Reset. You can also configure suffixes and enable suffix searches on this page, to aid in host name resolution. If the UMA cannot resolve a host name to its IP address, it appends one suffix at a time to the host name in the order the suffixes are configured, and tries to resolve the host name with that suffix.
To enable suffix searches, select the Search Suffix checkbox. To add a suffix, click the Add button to open the Add/Edit Search Suffix dialog box. Type the desired suffix into the Search Suffix field and then click Add. You can click the Configure icon for the suffix to edit it, or click the delete icon to delete it.
Note
Adding, configuring, or deleting a suffix restarts the Web server on the UMA, and disconnects your browser login session.
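The suffix-search behaviour described above, modelled as an added example (not SonicWALL code): the bare name is tried first, then the name with each suffix in configured order, and the first answer wins, so suffix order decides which domain a short name lands in. The resolver table, host names and suffixes are constructed stand-ins for real DNS.

```python
"""Search-suffix resolution as the UMA Network > Settings page describes it.

Added example, not part of the SonicWALL guide or product. The lookup table
below is a constructed stand-in for DNS so the code runs offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: fully qualified names and the addresses they resolve to.
CONSTRUCTED_DNS: Dict[str, str] = {
    "gms-agent.corp.example.com": "10.10.1.25",
    "gms-agent.lab.example.net": "10.20.1.25",
    "db.example.com": "10.10.1.40",
}


def table_lookup(name: str) -> Optional[str]:
    """Resolver backed by the constructed table; None stands for NXDOMAIN."""
    return CONSTRUCTED_DNS.get(name.rstrip("."))


def resolve_with_suffixes(
    host: str,
    suffixes: List[str],
    search_enabled: bool,
    lookup: Callable[[str], Optional[str]] = table_lookup,
) -> Tuple[Optional[str], List[str]]:
    """Resolve host, falling back to host + suffix in configured order.

    Returns (address or None, names tried) so the caller can see which
    candidate actually answered. With search disabled only the bare name
    is tried, which is the behaviour when the Search Suffix box is clear.
    """
    tried = [host]
    addr = lookup(host)
    if addr is not None or not search_enabled:
        return addr, tried
    for suffix in suffixes:
        candidate = f"{host}.{suffix.strip('.')}"
        tried.append(candidate)
        addr = lookup(candidate)
        if addr is not None:
            return addr, tried
    return None, tried


if __name__ == "__main__":
    order_a = ["corp.example.com", "lab.example.net"]
    order_b = ["lab.example.net", "corp.example.com"]
    # Same short name, two suffix orders, two different hosts answer.
    print(resolve_with_suffixes("gms-agent", order_a, True))
    print(resolve_with_suffixes("gms-agent", order_b, True))
    print(resolve_with_suffixes("gms-agent", order_a, False))
```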
Routes
This section describes the UMA appliance Network > Routes page, used to configure default or alternate network routes.
The default route is generally populated with the Default Gateway, specified in the Network > Settings page.
The UMA appliance and the GMS application both provide a system settings interface, referred to as UMA for the appliance and UMH in GMS software deployments. In either scenario, the switch icon is used to toggle between application and system interfaces.
Deployment Roles section on page 101
Deployment Settings section on page 114
Deployment Services section on page 117
Deployment Roles
The role that you assign to your SonicWALL GMS instance defines the SonicWALL Universal Management Suite services that it will provide. SonicWALL GMS uses these services to perform management, monitoring, and reporting tasks. Your SonicWALL GMS instance can be deployed in any of the following roles:
In the UMH or UMA system management interface, clicking Details in the same row as a role provides a list of the services that run on a system in that role, and information about using the role.
As the number of managed appliances increases, a more distributed deployment provides better performance. To manage large numbers of SonicWALL appliances, you can use several SonicWALL GMS appliances operating in different roles in a distributed deployment. You can also use Windows Server machines running SonicWALL GMS in any of the roles.
You can include the MySQL database installation with any role. The All In One or Database Only roles automatically include the MySQL database.
If you are configuring a role that includes a Console, such as the Console or All In One role, the system can be configured as a redundant Console. The Include Redundancy checkbox is used to configure the GMS deployment to have a redundant Console.
You can scale your deployment to handle more units and more reporting by adding more systems in the Agent role. Agents provide built-in redundancy capability, meaning that if an Agent goes down, other Agents can perform the configuration tasks and other tasks of the Agent that went down.
Note
When configuring the role for the first appliance in a distributed deployment, you should either include the database or be prepared to provide the IP address of an existing database server.
You can meet this database objective in one of the following ways:
By selecting a role that includes the database automatically, such as All In One or Database Only
By selecting the Include Database (MYSQL) checkbox if configuring the appliance with any other role
By setting up a compatible database on another machine and providing that IP address when prompted
You can configure the role of the SonicWALL GMS appliance without using the Role Configuration Tool.
All role configuration is performed in the appliance management interface, available at the URL:
http://<IP address>:<port>/appliance/
Refer to the following sections for instructions on manually configuring the system role:
Configuring the All In One Role section on page 103
Configuring the Database Only Role section on page 105
Configuring the Console Role section on page 105
Configuring the Agent Role section on page 107
Configuring the Reports Summarizer Role section on page 108
Configuring the Monitor Role section on page 109
Configuring the Event Role section on page 110
Configuring the Syslog Collector Role section on page 111
However, SonicWALL recommends that you use a multi-system, distributed deployment in production environments, with the database on a dedicated server and the other services on one or more systems. When only one other system is deployed, the Console role should be assigned to it. The All In One role provides all nine services utilized by SonicWALL GMS:
To deploy your SonicWALL GMS in the All In One role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page.
2. Under Host Role Configuration, select the All In One radio button.
3. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type the gateway IP address into the GMS Gateway IP field. To determine if a GMS Gateway is required, see the SonicWALL Getting Started Guide for your product. If a GMS gateway will be used, type the password into both the GMS Gateway Password and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port number into the Syslog Server Port field. The default port is 514.
5. If deploying another system in the Console role, select the Include Redundancy checkbox to configure this system as a redundant Console.
6. Configure the database settings as described in the Configuring Database Settings section, on page 112.
7. Select the Include Redundancy checkbox to configure this system as a redundant Console.
8. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 115.
9. To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.
Only the SonicWALL Universal Management Suite Database service runs on a Database Only system. The MySQL database engine is pre-installed along with the SonicWALL GMS installation. SonicWALL GMS can also use a MySQL database or a Microsoft SQL Server database installed on a server. Only the MySQL database included in the installer is supported. On the Deployment > Role page in the SonicWALL GMS appliance management interface, you can configure your SonicWALL GMS systems to use either a MySQL or a SQL Server database. To deploy your SonicWALL GMS in the Database Only role, perform the steps described in the Configuring Database Settings section, on page 112.
Provides Web user interface for the SonicWALL GMS application
Emails Scheduled Reports
Performs Event Management tasks
Performs various periodic checks, such as checking for new appliances that can be managed, checking for new firmware versions of managed appliances, and similar functions
To deploy your SonicWALL GMS in the Console role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the Console radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type the gateway IP address into the GMS Gateway IP field. To determine if a GMS Gateway is required, see the SonicWALL Getting Started Guide for your product.
3. If a GMS gateway will be used, type the password into both the GMS Gateway Password and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port number into the Syslog Server Port field. The default port is 514.
5. To use a MySQL or Microsoft SQL Server database on another system, do not select the Include Database (MYSQL) checkbox. To include the MySQL database on this system (not recommended), select this checkbox (for this configuration, select the All In One role instead of the Console role).
6. If deploying another system in the Console or All In One role, select the Include Redundancy checkbox to configure this system as a redundant Console.
7. Configure the database settings as described in the Configuring Database Settings section, on page 112.
8. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 115.
9. To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.
Manages units by acquiring them, pushing configuration tasks to the units and tracking their up/down status
Performs monitoring based on ICMP probes, TCP probes, and SNMP OID retrievals
Collects and stores syslog messages
Performs report summarization
The following SonicWALL Universal Management Suite services run on an Agent system:
To deploy your SonicWALL GMS in the Agent role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the Agent radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type the gateway IP address into the GMS Gateway IP field. To determine if a GMS Gateway is required, see the SonicWALL Getting Started Guide for your product.
3. If a GMS gateway will be used, type the password into both the GMS Gateway Password and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port number into the Syslog Server Port field. The default port is 514.
5. To include the MySQL database on this system, select the Include Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.
6. Configure the database settings as described in the Configuring Database Settings section, on page 112.
7. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 115.
8. To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.
SonicWALL Universal Management Suite - Reports Summarizer
SonicWALL Universal Management Suite - Web Service Server
To deploy your SonicWALL GMS in the Reports Summarizer role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the Reports Summarizer radio button.
2. To include the MySQL database on this system, select the Include Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.
3. Configure the database settings as described in the Configuring Database Settings section, on page 112.
4. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 115.
5. To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.
To deploy your SonicWALL GMS in the Monitor role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the Monitor radio button.
2. To include the MySQL database on this system, select the Include Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.
3. Configure the database settings as described in the Configuring Database Settings section, on page 112.
4. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 115.
5. To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.
SonicWALL Universal Management Suite - Event Manager
SonicWALL Universal Management Suite - Web Service Server
To deploy your SonicWALL GMS in the Event role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the Event radio button.
2. To include the MySQL database on this system, select the Include Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.
3. Configure the database settings as described in the Configuring Database Settings section, on page 112.
4. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 115.
5. To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.
To deploy your SonicWALL GMS in the Syslog Collector role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the Syslog Collector radio button.
2. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port number into the Syslog Server Port field. The default port is 514.
3. To include the MySQL database on this system, select the Include Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.
4. Configure the database settings as described in the Configuring Database Settings section, on page 112.
5. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 115.
6. To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.
To configure the database settings for any role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page and select the role for this appliance.
2. To run the MySQL database on this SonicWALL GMS, select the Include Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.
3. Under Database Configuration, if Include Database (MYSQL) was not selected in the previous step, select either MYSQL or SQL Server from the Database Type drop-down list. This field is not editable if you previously selected Include Database (MYSQL) or if the selected role is All In One or Database Only.
4. In the Database Host field, type in the IP address of the database server or accept the default, localhost, if this SonicWALL GMS includes the database. This field is not editable if you previously selected Include Database (MYSQL) or if the selected role is All In One or Database Only.
Note
If your deployment requires an instance name for the SQL server database, when completing the Database Host field, enter the Host or IP address, followed by a back slash and the instance name. The format should look as follows: 10.20.30.40\INSTANCE.
5. To use a different port when SonicWALL GMS accesses the database, type the port into the Database Port field. The default port is 3306.
6. To use a different user name when SonicWALL GMS accesses the database, type the user name into the Database User field. The default user name is sa.
7. Type the password that SonicWALL GMS will use to access the database into both the Database Password and Confirm Database Password fields.
8. If your deployment uses a custom database driver, type the value into the Database Driver field. Otherwise, accept the default, com.mysql.jdbc.Driver.
9. If your deployment uses a custom database URL, type the value into the Database URL field. If you are using a different port, change the default port, 3306, in the URL. Otherwise, accept the default URL, jdbc:mysql://localhost:3306.
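The database fields above are entered separately but must agree with each other (the guide's own instruction is to change the port in the Database URL when the Database Port changes). The following added example, not SonicWALL code, checks a set of typed field values against each other using the defaults listed in the steps; the field names come from the guide, while the check logic, the SQL Server driver and URL used in the consistent case, and the sample values are constructed here.

```python
"""Consistency checks for the Deployment > Role database fields.

Added example, not part of the SonicWALL guide or product. Defaults follow
the guide: host localhost, port 3306, user sa, driver com.mysql.jdbc.Driver,
URL jdbc:mysql://localhost:3306. The host\\INSTANCE form is the one the
guide gives for a named SQL Server instance.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Scheme, host and optional port of a JDBC URL; stops at ';' so trailing
# driver properties (e.g. ";instanceName=X") are ignored.
JDBC_RE = re.compile(r"^jdbc:(?P<sub>[a-z]+)://(?P<host>[^:/;]+)(?::(?P<port>\d+))?")


@dataclass
class DatabaseSettings:
    db_type: str                              # "MYSQL" or "SQL Server" (Database Type)
    host: str = "localhost"                   # Database Host, or "host\\INSTANCE"
    port: int = 3306                          # Database Port
    user: str = "sa"                          # Database User
    driver: str = "com.mysql.jdbc.Driver"     # Database Driver
    url: str = "jdbc:mysql://localhost:3306"  # Database URL


def split_host_instance(host: str) -> Tuple[str, Optional[str]]:
    """Split the guide's host\\INSTANCE form into (host, instance or None)."""
    name, sep, instance = host.partition("\\")
    return name, (instance if sep else None)


def check_settings(s: DatabaseSettings) -> List[str]:
    """Return findings where the fields contradict each other; [] means consistent."""
    findings: List[str] = []
    host, instance = split_host_instance(s.host)
    m = JDBC_RE.match(s.url)
    if not m:
        return [f"Database URL is not a recognisable JDBC URL: {s.url!r}"]
    url_port = int(m.group("port")) if m.group("port") else None
    if url_port is not None and url_port != s.port:
        findings.append(f"Database Port {s.port} differs from port {url_port} in the Database URL")
    if m.group("host") != host:
        findings.append(f"Database Host {host!r} differs from host {m.group('host')!r} in the Database URL")
    if s.db_type.upper() == "MYSQL":
        if instance:
            findings.append("instance name given but Database Type is MYSQL; instances apply to SQL Server")
        if "mysql" not in s.driver.lower() or m.group("sub") != "mysql":
            findings.append("Database Type is MYSQL but Database Driver or URL is not MySQL")
    else:
        if "mysql" in s.driver.lower():
            findings.append("Database Type is SQL Server but Database Driver is the MySQL default")
        if m.group("sub") == "mysql":
            findings.append("Database Type is SQL Server but Database URL uses the jdbc:mysql scheme")
    return findings


if __name__ == "__main__":
    # Defaults accepted as-is: consistent.
    print(check_settings(DatabaseSettings(db_type="MYSQL")))
    # Port changed in the field but not in the URL: the case the guide warns about.
    print(check_settings(DatabaseSettings(db_type="MYSQL", port=3307)))
    # SQL Server instance typed into Database Host with every other default left alone.
    print(check_settings(DatabaseSettings(db_type="SQL Server", host="10.20.30.40\\INSTANCE", port=1433)))
```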
Deployment Settings
This section describes the UMH/UMA Deployment > Settings page, used for Web port, SMTP, and SSL access configuration. The Deployment > Settings page is identical in both the UMH and UMA management interfaces, except for the left navigation pane which shows the Network menu item on the UMA.
Configuring Web Port Settings section on page 115
Configuring SMTP Settings section on page 115
Configuring SSL Access section on page 116
1. On the Deployment > Settings page under Web Port Configuration, to use a different port for HTTP access to the SonicWALL GMS, type the port number into the HTTP Port field. The default port is 80. If you enter another port in this field, the port number must be specified when accessing the appliance management interface or SonicWALL GMS management interface. For example, if port 8080 is entered here, the appliance management interface would be accessed with the URL: http://<IP Address>:8080/appliance/.
2. To use a different port for HTTPS access to the SonicWALL GMS, type the port number into the HTTPS Port field. The default port is 443. If you enter another port in this field, the port number must be specified when accessing the appliance management interface or SonicWALL GMS management interface. For example, if port 4430 is entered here, the appliance management interface would be accessed with the URL: https://<IP Address>:4430/appliance/.
1. Navigate to the Deployment > Settings page under the SMTP Configuration section.
2. Type the FQDN or IP address of the SMTP server into the SMTP server field.
3. Type the email address from which mail will be sent into the Sender address field.
4. Type the email address of the system administrator into the Administrator address field.
5. To test connectivity to the SMTP server, click Test Connectivity.
6. To apply your changes, click Update.
1. Navigate to the Deployment > Settings page under the SSL Access Configuration section.
2. Select the Default radio button to keep, or revert to, the default settings, where the default GMS Web Server certificate with 'gmsvpserverks' keystore is used.
3. Select the Custom radio button to upload a custom keystore certificate for GMS SSL access.
4. In the Keystore/Certificate file field, click the Browse button to select your certificate file.
Note
Your custom file is renamed to gmsvpservercustomks after upload.
5. Type the password for the keystore certificate into the Keystore/Certificate password field.
6. Click the View button to display details about your keystore certificate.
7. Click the Update button to submit your changes.
Deployment Services
This section describes the UMH/UMA Deployment > Services page, used for starting and stopping the GMS services running on the system. The Deployment > Services page is identical in both the UMH and UMA management interfaces, except for the left navigation pane, which shows the Network menu item on the UMA. Details are available for the current role, and the status of each service is displayed on the page. The page is shown below for the All In One role, which includes all services.
1. Navigate to the Deployment > Services page.
2. Select the checkbox next to Service Name to select all services, or select one or more checkboxes for individual services.
3. To disable or stop the selected services, click the Disable/Stop button.
4. To enable or start the selected services, click the Enable/Start button.
5. To restart the selected services, click the Restart button.
Part 2 Policies
Status: Provides a comprehensive collection of information to help you manage your SonicWALL security appliances and SonicWALL Security Services licenses. It includes GMS status information on Firewall, Management, Subscription, and Firewall Models. See Viewing System Status on page 122.
Time: Describes how to change the time and time options for one or more SonicWALL appliances. See Configuring Time Settings on page 125.
Licensed Nodes (Unit-level view only): Provides a Node License Status table listing the number of nodes your SonicWALL security appliance is licensed to have connected at any one time, how many nodes are currently connected, and how many nodes you have in your Node License Exclusion List. See Viewing Licensed Node Status on page 127.
Administrator: Describes how to change the administrator and password options for one or more SonicWALL appliances. See Configuring Administrator Settings on page 129.
Tools: Provides a set of common system configuration tasks for restarting an appliance, requesting diagnostic information, inheriting settings, system synchronization, and synchronizing the appliance to mysonicwall.com. Also includes options to generate a Tech Support Report (TSR) and the ability to email the TSR. See Using Configuration Tools on page 131.
Info: Describes how to change contact information for one or more SonicWALL appliances. See Configuring Contact Information on page 139.
Settings: Describes how to back up and save SonicWALL appliance settings as well as restore them from preferences files. See Configuring System Settings on page 139.
Schedules: Describes how to create and configure schedule groups, which are used to apply firewall rules for specified days and hours of the week. See Configuring Schedules on page 141.
Management: Describes how to edit the remote management settings on SonicWALL security appliances for management by GMS or VPN client. See Editing Management Settings on page 143.
SNMP: Describes how to configure Simple Network Management Protocol. See Configuring SNMP on page 145.
Certificates (Unit-level view only): Describes how to configure both third-party Certificate Authority (CA) certificates and local certificates. See Configuring Certificates on page 146.
SonicWALL GMS 6.0 Administrators Guide
To view a summary of all devices managed by the GMS, click the Change View icon at the top left and select GlobalView. Expand the System tree in the middle panel, and click on Status. The Status page displays.
At the individual appliance level, the Status page provides more details such as the serial number, firmware version, and information on management, reporting, and security service subscriptions.
To view a summary of the status of an individual appliance, select the appliance in the left pane, and then click System > Status in the navigation pane. The Status page displays.
If tasks are pending for the selected unit, GMS provides a hyperlink that takes the user to the Tasks Screen for that unit. Also in System > Status, GMS displays the Last Log Entry for the unit with a hyperlink that takes the user to the unit Logs screen. The links are only provided if the user actually has permissions to access those screens on the Console panel. In the Subscription section header, GMS provides a click here link that displays your current subscription details on the Register/Upgrades > Search screen. The search parameters are pre-populated for retrieving the subscription services that are currently active on the appliance(s) and the search is executed and the results are sorted by Expiry Date for your convenience. This page provides a PDF icon that you can click to get a PDF file containing the same content as the Web page.
At the bottom of the status screen, GMS provides a way to retrieve dynamic information about the selected appliance, and also provides a link to the GMS Getting Started Guide.
You can click the Fetch Information link to view the following dynamic information:
Firewall UpTime since Last Reboot
Last Modified Time and the user who last modified the appliance
Modem speed and active profile used (only for dial-up appliances)
You can retrieve this information by clicking the Fetch Information button at the global, group, or unit level. The actual results, however, are displayed only at the unit level.
To view the SonicWALL GMS Getting Started Guide, click the Open Getting Started Instructions In New Window button.
SonicWALL appliance, a group of SonicWALL appliances, or all SonicWALL appliances being managed by the SonicWALL GMS. To change time settings on one or more SonicWALL appliances, perform the following steps:
1. Expand the System tree and click Time. The Time page displays.
2. Select the Time Zone of the appliance(s) from the Time Zone field.
3. To configure the SonicWALL(s) to automatically adjust their clocks for Daylight Savings Time, select the Automatically Adjust Clock for Daylight Savings Changes check box.
4. To configure the SonicWALL(s) to use Universal Time Coordinated (UTC) or Greenwich Mean Time (GMT) instead of local time, select the Display UTC in Logs Instead of Local Time check box.
5. To configure the SonicWALL(s) to display the time in the international time format, select the Display Time in International Format check box.
6. Select from the following:
   - To manually configure the time and date, make sure the Use NTP to set time automatically check box is deselected. The SonicWALL appliance(s) will automatically use the time settings of the SonicWALL GMS agent.
   - using Network Time Protocol (NTP), select the Use NTP to set time automatically check box.
7. When you are finished, click Update. A task gets scheduled to apply the new settings for each selected appliance.
8. If you don't want to use the SonicWALL appliance's internal NTP list, you can add your own NTP list. To add an NTP server, enter the IP address of an NTP server in the Add NTP Server field. A task gets scheduled to add the NTP server to each selected SonicWALL appliance.
Note
To add additional NTP servers, click Add and enter another NTP server.
9. To clear all screen settings and start over, click Reset.
Note
If you are not using NTP for the appliance, then GMS configures the time of the appliance to be identical to the time of the GMS Agent pushing the configuration to the appliance (after adjusting for any time zone differences).
1. Expand the System tree and click on Licensed Nodes. The Licensed Nodes page displays.
2. To update the licensed node information, click on Request Licensed Node Information from the appliance. The Currently Licensed Nodes table lists details on each node connected to your security appliance. Above the table, GMS displays how many nodes the appliance is licensed for.
When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group. To exclude a node that is currently licensed, perform the following steps:
1. Click the configure icon in the Exclude column of the Currently Licensed Nodes table. Then click Ok on the warning message that displays.
2. To exclude a node that is not currently licensed, click on Add New Node For Exclusion. The Add License Exclusion Node window displays.
3. Enter the IP address of the node in the Node IP Address field.
4. Optionally, you can enter a comment about the node in the Comment field.
5. Click Update.
In SonicOS Enhanced, you can manage the License Exclusion List group and address objects in the Network > Address Objects page of the management interface. On the Address Objects page, scroll down to the Node License Exclusion List row and click the configure icon. See Configuring Address Objects on page 184 for instructions on managing address objects.
Expand the System tree and click Administrator. The Administrator page displays.
2. 3. 4.
Enter the login name for the administrator in the Administrator Login Name field. Specify the maximum number of days after which the a password expires and must be updated in the Password must be changed every (days) field. Specify the number of previous passwords that are remembered and that a new password cannot match in the Bar repeated passwords for this many changes field. Specify the minimum password length in the Enforce a minimum password length of field. Select the level of password complexity from the Enforce Password Complexity drop-down list. You can select one of the following:
None Require both alphanumeric and numeric characters Require alphabetic, numeric and symbolic characters
SonicWALL GMS 6.0 Administrators Guide
7. Select the Administrators checkbox to apply these password constraints only to full and read-only administrators.
8. Select the Other full administrators checkbox to apply these password constraints to all administrators with local passwords.
9. Select the Limited administrators checkbox to apply these password constraints to all local users with limited administrator privileges.
10. Select the Other local users checkbox to apply these password constraints only to non-administrator users.
11. Specify how long the SonicWALL appliance(s) wait (in minutes) before logging out inactive administrators in the Log out the Administrator after inactivity of field.
12. To lock out the SonicWALL appliance after user login failure, select the Enable user lockout on login failure check box. Then specify the number of login failure attempts that must occur before the user is locked out in the Failed login attempts per minute before lockout field, and how long the user will be locked out in the Lockout Period field.
13. Select from the following actions to take when an administrator is preempted by another:
   Drop to non-config mode - move the preempted administrator to non-configuration mode
   Log out - log out the preempted administrator
14. Select from the following options to change the SonicWALL appliance password(s):
   If you are configuring a SonicWALL appliance at the unit level, enter and reenter the new SonicWALL password. Then enter the SonicWALL GMS password and click Change Password. The password is changed.
   If you are configuring a SonicWALL appliance at the group or global level, enter the SonicWALL GMS password and click Change Password. Each SonicWALL appliance will receive a unique randomly generated password. This unique password is encrypted and recorded in the SonicWALL GMS database. At the non-unit level, passwords can be configured in two ways:
   GMS can assign random passwords to the appliances. To have GMS assign random passwords, leave the New SonicWALL Password and Confirm New SonicWALL Password fields empty.

Note

The unique password is also written into a file in <gms_directory>/etc/. The filename format is Prefs<serialnumber>.pwd; each file contains the old and the new password for the SonicWALL appliance. The file gets overwritten every time the password for the SonicWALL appliance is changed. The passwords in this file are base64-encoded, and base64 is a reversible encoding rather than encryption: anyone who can read the file can recover both the old and the new appliance password with a one-line decode. Restrict file system access to <gms_directory>/etc/ to the GMS service account and its administrators, and treat a copy of these files as a copy of the appliance credentials.

15. When you are finished, click Update. A task gets spooled and once it is executed successfully, the settings are updated for the selected SonicWALL appliances.
16. To clear all screen settings and start over, click Reset.
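The following Python is an added example, not code from GMS or SonicOS, showing how the password constraints configured in steps 3 through 12 can be enforced in one place: minimum length, the three complexity levels, a history that bars the last N passwords, expiry in days, and lockout after N failures within a minute. The class and function names, the PBKDF2 hashing of the history entries, and the sample values are assumptions of the example.

```python
"""Local administrator password policy checks.

Added example, not GMS or SonicOS code. It models the controls on the
Administrator page: minimum length, the three complexity levels, barring
reuse of the last N passwords, expiry after N days, and lockout after N
failed logins within a minute. Names, the PBKDF2 choice for the password
history and the sample values are assumptions.
"""
import hashlib
import hmac
import os
import string
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# The three Enforce Password Complexity levels.
NONE = "none"
ALPHA_NUMERIC = "alphabetic and numeric"
ALPHA_NUMERIC_SYMBOLIC = "alphabetic, numeric and symbolic"


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8               # Enforce a minimum password length of
    complexity: str = ALPHA_NUMERIC   # Enforce Password Complexity
    history: int = 5                  # Bar repeated passwords for this many changes
    max_age_days: int = 90            # Password must be changed every (days); 0 = never
    lockout_attempts: int = 5         # Failed login attempts per minute before lockout
    lockout_minutes: int = 5          # Lockout Period


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest kept in the history instead of the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches(password, entry):
    """Constant-time comparison of a candidate against one history entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def complexity_violations(password, level):
    """Character-class checks for the selected complexity level."""
    problems = []
    if level in (ALPHA_NUMERIC, ALPHA_NUMERIC_SYMBOLIC):
        if not any(c.isalpha() for c in password):
            problems.append("needs an alphabetic character")
        if not any(c.isdigit() for c in password):
            problems.append("needs a numeric character")
    if level == ALPHA_NUMERIC_SYMBOLIC and not any(c in string.punctuation for c in password):
        problems.append("needs a symbolic character")
    return problems


def check_new_password(policy, password, history):
    """Return the list of violations for a proposed password; empty means accepted.

    history holds (salt, digest) entries, most recent first; only the first
    policy.history entries are consulted, so history=0 disables the check.
    """
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    problems += complexity_violations(password, policy.complexity)
    if any(matches(password, entry) for entry in history[:policy.history]):
        problems.append(f"matches one of the last {policy.history} passwords")
    return problems


def is_expired(policy, last_changed, now):
    """True once the password is policy.max_age_days old; 0 means it never expires."""
    return policy.max_age_days > 0 and now - last_changed >= timedelta(days=policy.max_age_days)


class LoginGuard:
    """Lockout on login failure: N failures inside any 60-second window locks the account."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, now)

    def record_failure(self, user, now):
        """Register one failed login; returns True if it triggered a lockout."""
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] >= timedelta(minutes=1):
            window.popleft()            # keep only the last minute of failures
        if len(window) >= self.policy.lockout_attempts:
            self.locked_until[user] = now + timedelta(minutes=self.policy.lockout_minutes)
            window.clear()
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)
```

The history check hashes each candidate with the stored salt and compares digests in constant time, so the history never has to hold the old passwords themselves; the lockout uses a sliding one-minute window, so five failures spread over several minutes do not lock the account while five within a minute do.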
Restarting SonicWALL Appliances on page 132
Requesting Diagnostics for SonicWALL on page 132
Inheriting Settings on page 133
Clearing the ARP Cache on page 136
Synchronizing Appliances on page 136
Synchronizing with mysonicwall.com on page 137
Manually Uploading Signature Updates on page 137
Generating Tech Support Reports on page 138
Restarting SonicWALL Appliances

1. Expand the System tree and click Tools. The Tools page displays.
2.

Requesting Diagnostics for SonicWALL

1. Expand the System tree and click Tools. The Tools page displays.
2. To request diagnostics for the selected SonicWALL appliance(s), click Request Diagnostics. SonicWALL GMS schedules a task to request diagnostics for the selected SonicWALL appliances.
3. To view the diagnostics, navigate to Diagnostics > Snapshot Status on the Console panel.
4. In the Diagnostics Requested drop-down list, select the diagnostics that you want to review.
5. Click View SnapShot Data.
Inheriting Settings
On the Policies panel, in the System > Tools screen, you can apply inheritance filters at a global, group, or appliance level. You can select an existing inheritance filter and customize which of its rules are actually inherited. You can do this on the fly, without the need to create an entirely separate filter. For more information on inheritance, see Configuring Inheritance Filters on page 569. To apply the inheritance filters, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. Select the appropriate radio button for either forward or reverse inheritance. Use the Filter drop-down menu to select the desired filter to apply. Click the Preview button to proceed to the Preview of Inheritance Settings window.

Note

When configuring forward inheritance at the group level, all selected settings are pushed to all units in the group.

3. Review the settings to be inherited. You may continue with all of the default screens selected for inheritance, or select only specific screens for inheritance by checking the boxes next to the desired settings.

Note

The Preview panel footer states: All referring objects should also be selected as part of the settings picked, to avoid any dependency errors while inheriting. If you deselect dependent screen data, the settings will not inherit properly.

4. If you are attempting forward inheritance, click Update to proceed. If you are attempting to reverse inherit settings, an additional selection must be made at the bottom of the Preview panel: select either to update the chosen settings to only the target parent node, or to update the target parent node along with all unit nodes under it. Once you make this selection, click Update to proceed, or Reset to edit previous selections.
5. If you select to update the target parent node and all unit nodes, a Modify Task Description and Schedule panel opens in place of the Preview panel. (This panel does not appear if you select Update only target parent node.) If the Modify Task Description and Schedule panel opens, you can edit the task description in the Description field. You may also adjust the schedule for inheritance, or continue with the default scheduling. If you choose to edit the timing by clicking the arrow next to Schedule, a calendar expands that lets you click a radio button for Immediate execution, or select an alternate day and time for the inheritance to occur. Once you have completed any edits, select either Accept or Cancel to execute or cancel the scheduled inheritance, respectively.
6. Once the inheritance operation begins, a progress bar appears, along with text stating that the operation may take a few minutes, depending on the volume of data to be inherited. Once the inheritance operation is complete, the desired settings from the unit or group node are updated and reflected in the parent node's settings, as well as in the settings of all other units, if selected.
Note
For the Access/Services and Access/Rules pages, by default, inheriting group settings overwrites the values at the unit level with the group values. If you wish for SonicWALL GMS to append the group settings to the values at the unit level, you need to enable the Append Group Settings option on the General/GMS Settings page on the Console Panel.
For more information on inheritance, see Managing Inheritance in GMS on page 569.
Clearing the ARP Cache

1. Expand the System tree and click Tools. The Tools page displays.
2. Click Clear ARP Cache.
Synchronizing Appliances
If a change is made to the SonicWALL appliance through any means other than GMS, SonicWALL GMS is notified of the change through the syslog data stream. You can configure an alert through the Granular Event Management framework to send an email notification when a local administrator makes changes to a SonicWALL appliance through the local user interface rather than through GMS. After the syslog notification is received, SonicWALL GMS schedules a task to synchronize its database with the local change. After the task successfully executes, the current configuration (prefs) file is read from the SonicWALL appliance and loaded into the database. Auto-synchronization occurs whenever SonicWALL GMS receives a local change notification status syslog message from a SonicWALL appliance; if that syslog message never reaches GMS, the database keeps the previous configuration until a synchronization is forced. You can force a synchronization at any time for a SonicWALL appliance or a group of SonicWALL appliances. To do this, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. To synchronize the selected SonicWALL appliance(s), click Synchronize Now. SonicWALL GMS schedules a task to synchronize the selected SonicWALL appliances.
Note

The auto-synchronization feature can be disabled by unchecking the Enable Auto Synchronization checkbox on the Console > Management Settings screen.
Synchronizing with mysonicwall.com

1. Expand the System tree and click Tools. The Tools page displays.
2. To synchronize the selected SonicWALL appliance(s), click Synchronize with mysonicwall.com Now. SonicWALL GMS schedules a task to synchronize the license information of the selected SonicWALL appliances into GMS.
Manually Uploading Signature Updates

1. Click the Console tab, expand the Management tree, and click GMS Settings.
2. Select the check boxes for the Firewalls managed by this GMS do not have Internet Access and Upload latest signatures on subscription status change settings. See Settings on page 941 for more information.
3. Click the Policies tab, expand the System tree, and click Tools.
4. When there are updated signatures to upload, the Upload Signatures Now button is displayed. Click this button to manually upload the signatures.

Note

The Upload Signatures Now button is displayed only when GMS has downloaded updated signature files that are ready to be uploaded.
Generating Tech Support Reports

1. Expand the System tree and click Tools. The Tools page displays.
2. Select any of the following four report options:
   VPN Keys - Saves shared secrets, encryption, and authentication keys
3. Click Email TechSupport Report. The requested reports are emailed to the administrator email address.

A report generated with the VPN Keys option contains the appliances' shared secrets and keys, so the administrator mailbox that receives it, and the mail path to it, must be protected as you would protect the VPN credentials themselves.
1. Expand the System tree and click Info. The Info page displays.
2. Enter contact information for the SonicWALL appliance(s).
3. When you are finished, click Update. A task gets spooled and once it is executed successfully, the information is updated for the selected SonicWALL appliances.
4. To reset all screen settings and start over, click Reset.
To purge older backups, you can specify how many of the latest prefs files should be stored in the database. The list box here displays all the prefs files backed up, along with the firmware version. In addition to automatic backups, you can manually force a prefs backup by selecting the Store settings... buttons. To save or apply SonicWALL appliance settings, perform the following steps:

1. Expand the System tree and click Settings. The Settings page displays.
2. To save the settings of a SonicWALL appliance to the SonicWALL GMS database, enter a name for the settings in the Name field and click Store settings read from unit. Then, if you want to save these settings to a local file, click Save the settings to a local file. You can save multiple versions of settings for each SonicWALL appliance to the SonicWALL GMS database and to different local files.
3. To apply settings to the SonicWALL appliance directly from the SonicWALL GMS database, select the saved settings and click Restore the settings to the unit.

Note

The Restore the settings to the unit option is available only at the unit level, and not at the group and global levels. This option previously was available at the group and global levels. GMS now does not display the option at the group and global levels, to minimize the risk of writing a prefs file that is not compatible with the firmware version running on a SonicWALL appliance.

4. To store an external prefs file into the database, enter the path to the file and click Store settings from local file. The Store settings from local file button stores the prefs file from the local hard disk into the GMS database so that it displays in the list box of the Settings page. Once it is stored in the database and displayed in the list box, you can click the Restore the settings to the unit button.
5. To automatically back up the preferences for the selected SonicWALL appliance, select the Enable Prefs File Backup check box and click Update.

Note

The backed-up prefs file contains the configuration settings and the firmware version of the security appliance you are backing up. A prefs file is a complete copy of the appliance configuration, so stored backups and local copies need the same protection as the appliance itself.

6. Go to the Console > Management > GMS Settings page and update the values in the Automatically save prefs file section. This enables you to specify when and how frequently GMS backs up the prefs files.
7. If you want to automatically purge older backups, select the number of newer backup files you want to keep in the Number of newest Prefs Files to be preserved field. Enter 0 to prevent purging of older backups.
8. Set the value in the Missed Reports Threshold field to the number of heartbeat messages GMS can miss before considering the unit to be down. GMS relies on special syslogs called heartbeat messages to determine if an appliance is up and running. By default, if GMS does not receive three successive heartbeat messages, it marks the appliance as down. You can customize this threshold to any number. If you set the value to 0, GMS will not mark this node as down.
9. To delete settings from the SonicWALL GMS database, select the saved settings and click Delete the settings.
Configuring Schedules
You can configure schedule groups on the Policies panel, in System > Schedules. Schedule Groups are groups of schedules to which you can apply firewall rules. For example, you might want to block access to auction sites during business hours, but allow employees to access the sites after hours. You can apply rules to specific schedule times or to all schedules within a Schedule Group. For example, you might create an Engineering Work Hours group that runs from 11:00 AM to 9:00 PM, Monday through Friday, and 12:00 PM to 5:00 PM, Saturday and Sunday. Once configured, you can apply specific firewall rules to the entire Engineering Work Hours Schedule Group or only to the weekday schedule. To create a Schedule Group, perform the following steps:

1. Expand the System tree and click Schedules. The Schedules page displays.
2. Enter the name of the Schedule Group in the Name field.
3. In the Schedule Type section, select whether the schedule will occur Once, Recurring, or Mixed.

Note

The one-time and mixed schedule types are only available for systems running SonicOS Enhanced 5.5 and above.

4. For a schedule that occurs only once, select the year, month, date, hour, and minutes for the Start and End fields.
5. For recurring schedules, select the check boxes for each day the schedule will apply.
6. Enter the start time for the recurring schedule in the Start Time field. Make sure to use the 24-hour format.
7. Enter the end time for the recurring schedule in the Stop Time field. Make sure to use the 24-hour format.
8. Click Add.
9. Repeat Step 4 through Step 8 for each schedule to add.
10. To delete a schedule, select the schedule and click Delete.
11. Click OK. The Schedule Group is added and configured.
12. To edit a Schedule Group, click its Edit icon. The Edit Schedule Group dialog box displays. Edit the Schedule Group details and click OK.
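As an added example that is not part of the guide, the Python below models the Once, Recurring and Mixed schedule types and answers whether a rule bound to a Schedule Group (or to a single member schedule, as in the weekday-only case above) is active at a given moment. The Engineering Work Hours group is the one described above; the class names, the strict 24-hour parser and the handling of windows that cross midnight are assumptions of the example.

```python
"""Schedule Group matching.

Added example, not GMS or SonicOS code. It models the Once, Recurring and
Mixed schedule types on the Schedules page and answers whether a firewall
rule bound to a Schedule Group is active at a given moment. The class names
and the midnight-crossing handling are assumptions; the day check boxes, the
24-hour Start Time / Stop Time fields and the Engineering Work Hours example
come from the guide.
"""
from dataclasses import dataclass
from datetime import datetime, time

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() values


def parse_hhmm(text):
    """Parse a 24-hour HH:MM string; rejects 12-hour forms such as '9:00 PM'."""
    hours, minutes = text.strip().split(":")
    if not (hours.isdigit() and minutes.isdigit() and len(minutes) == 2):
        raise ValueError(f"not a 24-hour HH:MM time: {text!r}")
    return time(int(hours), int(minutes))   # time() itself rejects 24:00 or 9:60


def is_24_hour(text):
    """True when parse_hhmm accepts the text."""
    try:
        parse_hhmm(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class OnceSchedule:
    """A single window with absolute Start and End timestamps."""
    start: datetime
    end: datetime

    def active(self, when):
        return self.start <= when < self.end


@dataclass(frozen=True)
class RecurringSchedule:
    """A daily window on the selected weekdays, Start Time inclusive, Stop Time exclusive."""
    days: frozenset
    start: time
    stop: time

    def __post_init__(self):
        if self.start == self.stop:
            raise ValueError("Start Time and Stop Time must differ")

    def active(self, when):
        today, now = when.weekday(), when.time()
        if self.start < self.stop:                      # window within one day
            return today in self.days and self.start <= now < self.stop
        # Window crosses midnight (e.g. 22:00 to 06:00): the early-morning part
        # belongs to the schedule that started on the previous day.
        if today in self.days and now >= self.start:
            return True
        return (today - 1) % 7 in self.days and now < self.stop


class ScheduleGroup:
    """Once, Recurring or Mixed: active when any member schedule is active."""

    def __init__(self, name, schedules):
        self.name = name
        self.schedules = list(schedules)

    def active(self, when):
        return any(s.active(when) for s in self.schedules)

    def rule_applies(self, when, schedule_index=None):
        """Evaluate a rule bound to the whole group, or to one member schedule only."""
        if schedule_index is None:
            return self.active(when)
        return self.schedules[schedule_index].active(when)


def engineering_work_hours():
    """The guide's example: 11:00-21:00 Mon-Fri and 12:00-17:00 Sat-Sun."""
    return ScheduleGroup("Engineering Work Hours", [
        RecurringSchedule(frozenset({MON, TUE, WED, THU, FRI}),
                          parse_hhmm("11:00"), parse_hhmm("21:00")),
        RecurringSchedule(frozenset({SAT, SUN}),
                          parse_hhmm("12:00"), parse_hhmm("17:00")),
    ])
```

The parser refuses 12-hour input because the Start Time and Stop Time fields expect 24-hour values, and a window whose stop time is earlier than its start time is read as crossing midnight rather than as an error, which is the case that most often produces a rule that is silently never active.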
1. Expand the System tree and click Management. The Management page displays.

Caution

Changing the management parameters can cause units to be disconnected from GMS.

2. Enter the port number for HTTP connections in the HTTP Port field.
3. To enable HTTPS access to the appliance, select the Enable HTTPS Access to the unit checkbox and enter the port number in the HTTPS Port field. For the SonicWALL Aventail appliance, use port 8443 for HTTPS access.
4. The Certificate Common Name field defaults to the SonicWALL LAN Address. This allows you to continue using a certificate without downloading a new one each time you log into the appliance.

Note

To change the HTTP or HTTPS ports for SonicOS Enhanced units, go to the Firewalls > Service Objects screen and edit the corresponding service object.

5. Specify whether the appliance is to be managed by GMS or a VPN client in the Enable Management Using pull-down menu.
6. Enter the IP address or host name of the GMS server in the GMS HostName or IPAddress field.
7. Enter the syslog server port (default: 514) in the GMS Syslog Server Port field. Standard syslog carries no authentication or encryption, and GMS acts on what it receives (heartbeats, local-change notifications), so the appliance should reach the GMS syslog port over a trusted path or the VPN tunnel of step 9 rather than across an untrusted network.
8. If GMS is behind a device performing Network Address Translation (NAT), select the GMS behind NAT Device checkbox and enter the IP address in the NAT Device IP Address field.
9. If the appliance will be managed over an existing VPN tunnel, select the GMS on VPN (No SA Required) checkbox.
10. To minimize the amount of syslog between GMS and the SonicWALL security appliance, select the Send Heartbeat Status Messages Only checkbox. This option should be used if you do not need the data to generate reports in GMS. When you check this setting, the unit will only send heartbeat (m=96) messages that tell GMS that the unit is alive. Click the Change button.
11. To allow users on the LAN interface to ping the appliance to verify that it is online, select the Enable Ping from LAN/WorkPort to management interface checkbox. Click the Change button.
12. To allow GMS administrators to preempt users who are logged in directly to the SonicWALL security appliance, select the Allow GMS to preempt a logged in administrator checkbox.
13. If you have configured security associations on the appliance, the Security Association Information section displays at the bottom of the Management page. Enter the SA keys in the Encryption Key and Authentication Key fields and click Change Only SA Keys.
14. When you have finished configuring remote management settings, click Update.
Configuring SNMP
This section describes how to configure Simple Network Management Protocol (SNMP) settings for one or more SonicWALL appliances. To configure SNMP, perform the following steps:

1. Expand the System tree and click SNMP. The SNMP page displays.
2. Select the Enable SNMP check box.
3. Enter a name in the System Name field.
4. Enter the name of the administrator responsible for the appliance in the System Contact field.
5. Enter the location of the appliance in the System Location field.
6. Enter the community name to which the appliance will respond for Get requests in the Get Community Name field.
7. Enter the community name sent with SNMP traps in the Trap Community Name field.
8. Enter the IP addresses or hostnames of the SNMP management stations that receive traps in the Hosts 1-4 fields.
9. When you are finished, click Update. A task gets spooled and once it is executed successfully, the information is updated for each selected SonicWALL appliance.

The community names are the only credential involved and travel in the clear with every request and trap, so use a value other than the well-known default public for the Get community, keep the Hosts fields to the management stations that actually need traps, and enable the SNMP management option only on the interfaces where those stations live.
Configuring Certificates
The Certificates dialog box displays details for Certificate Authority (CA) Certificates and local certificates that you have imported or configured on your SonicWALL appliance.
Navigating the System > Certificates Page, page 147
About Certificates, page 148
Configuring CA Certificates, page 148
Importing New Local and CA Certificates, page 149
Generating a Certificate Signing Request, page 150
Configuring SCEP, page 151
View Style

The View Style menu allows you to choose which certificates are displayed. Options include:

All Certificates - displays all certificates and certificate requests.
Imported certificates and requests - displays all imported certificates and generated certificate requests.
Built-in certificates - displays all certificates included with the SonicWALL security appliance.
Include expired and built-in certificates - displays all expired and built-in certificates.

The certificate table shows the following columns:

Certificate - the name of the certificate.
Type - the type of certificate, which can be CA or Local.
Validated - the validation information.
Expires - the date and time the certificate expires.
Details - the details of the certificate. Moving the pointer over the magnifying glass icon displays the details of the certificate.
Configure - allows configuration with the following options:
   Edit icon to make changes to the certificate
   Delete icon to remove a certificate
   Import icon to import certificate revocation lists (for CA certificates)

New Signing Request - Create a new signing request directly from the GMS user interface.
SCEP - Manage certificates using the Simple Certificate Enrollment Protocol (SCEP) standard.
About Certificates
A digital certificate is an electronic means to verify identity by using a trusted third party known as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to the existing Authentication Service. SonicWALL security appliances interoperate with any X.509v3-compliant provider of Certificates. However, SonicWALL security appliances have been tested with the following vendors of Certificate Authority Certificates:
Configuring CA Certificates

To configure CA Certificates in this dialog box, perform the following steps.

1. From the Name list box, click a certificate.
2. Note the details, including the certificate name and subject, in the Details region.
3. Click the Email Certificate button if you want to send the certificate to a location by email.
4. Click the Delete Certificate button if you want to remove the certificate.
5. Specify the URL of the location of the Certificate Revocation List (CRL) in the CRL URL field. Then click the CRL URL button to launch the CRL.
6. To import a CRL, click the Browse button for the Import CRL field and navigate to the CRL. Then click the Import CRL button to import the CRL.
7. Select the Invalidate Certificates and Security Association if CRL import or processing fails checkbox so that, if a CRL import is interrupted or fails, the certificates that depend on it and their security associations are treated as invalid rather than left half-imported. This is the fail-closed choice: with the checkbox cleared, a failed CRL import leaves the existing certificates and security associations in place without a current revocation check.

To import a certificate:

8. Click the Import Certificate link.
9. Choose between a local end-user certificate or a CA certificate.
10. (local only) Enter a name in the Certificate Name field.
11. (local only) Enter the password used to encrypt the certificate.
12. Browse to the certificate location and open the file.
13. Click the Import button to complete the process.
149
Configuring SNMP
This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
On the System > Certificates page, click the New Signing Request link.
2.
Complete the information in the Generate Certificate Request section and click Generate Request. The request displays in the Current Certificate Requests section. Click Export. You are prompted to save the file. It will be saved in the PKCS 10 format. Obtain a certificate from one of the approved certificate authorities using the PKCS 10 file. After you receive the certificate file, locate and import the file by clicking Browse in the Import Certificate With Private Key section. Then click Import. The certificate will appear in the Current Local Certificates section.
3. 4. 5.
Configuring SCEP

The Simple Certificate Enrollment Protocol (SCEP) simplifies the process of issuing large numbers of certificates using an automatic enrollment technique.

Note

SCEP is supported for appliances running SonicOS Enhanced 5.5 or higher.

To configure SCEP, perform the following steps:

1. On the System > Certificates page, click the SCEP link. The SCEP Configuration window displays.
2. Configure the following options for the SCEP configuration:
   CSR list - Select a certificate signing request (CSR) list if one has been uploaded.
   Challenge Password - (optional) Enter the password that is used to authenticate the enrollment request. Leave it empty only if the CA authenticates enrollment some other way: it is the one secret that ties a request to an authorized enrollee.
   CA URL - Enter the URL of the certificate authority.
   Request Count - The default is 256.
   Polling Interval (s) - The default is 30.
   Max Polling Time (s) - The default is 28800.
3. Click the SCEP button to apply the SCEP configuration.
Overview of Interfaces section on page 153
Configuring Network Settings in SonicOS Enhanced section on page 156
Configuring Network Settings in SonicOS Standard section on page 212
Overview of Interfaces

You can configure the LAN interface in three different modes:

Static IP - Uses a static IP address and acts as a gateway for devices on the LAN.
Transparent Mode - Allows you to assign a single IP address to two physical interfaces, where each interface accesses an exclusive range of IP addresses in the shared subnet. Behaves as a proxy at Layer 3, intercepting ARPs and changing source MAC addresses of packets traversing the interface pair.
Layer 2 Bridged Mode - Similar to Transparent Mode, but dynamically learns IP addresses on both interfaces so that you do not need to subdivide the subnet that is being bridged. Provides deep-packet inspection and application of policies before forwarding packets. Places the bridged interfaces into promiscuous mode and passes traffic between them with source and destination MAC addresses intact.
Figure 1 shows the basic interfaces for a SonicWALL appliance. The WAN interface can use a static or dynamic IP address and can connect to the Internet via Dynamic Host Configuration Protocol (DHCP), Point-to-Point Protocol over Ethernet (PPPoE), Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP). A SonicWALL appliance might have one, many, or no optional interfaces. Optional interfaces can be configured for LAN, WAN, DMZ, WLAN, or Multicast connections, or they can be disabled.

Figure 1 Interfaces (diagram: the appliance's WAN interface faces the Internet, with the LAN and DMZ interfaces behind it)
SonicOS does not participate in any VLAN trunking protocols, but instead requires that each VLAN that is to be supported be configured and assigned appropriate security characteristics.
Figure 2 VLAN Interfaces (diagram: an E7500 with interface X0 carrying VLAN 10, hosts 10.10.10.2, 10.10.10.4, 10.10.10.5, 10.10.10.7 and 10.10.10.9, and interface X3 carrying VLAN 20, hosts 10.20.20.3, 10.20.20.5 and 10.20.20.7)
SonicOS Enhanced 4.0 and higher can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the WAN interface. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP's intrinsic behavior to control the traffic. Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.
Configuring Interface Settings on page 156
WAN Failover and Load Balancing on page 168
Configuring Zones on page 172
Configuring the WLAN Zone on page 176
Configuring DNS on page 180
Configuring Dynamic DNS on page 181
Configuring Address Objects on page 184
Configuring NAT Policies on page 187
Configuring Web Proxy Forwarding Settings on page 195
Configuring RIP in SonicOS Enhanced on page 198
Configuring IP Helper on page 200
Configuring ARP on page 203
Configuring SwitchPorts on page 207
Configuring PortShield Groups on page 208
Configuring Network Monitor on page 210

Configuring Interface Settings

1. Select a single SonicWALL appliance, or a group of SonicWALL appliances running SonicOS Enhanced.

Note

Group level interface edits are only available for UTM appliances.

2. Expand the Network tree and click Interfaces. The Interfaces page displays.
3. Click the Edit icon of the LAN, WAN, OPT, or WWAN interface. The Edit Interface window is displayed. For a WWAN interface, GMS navigates directly to the Network > WWAN > Settings screen. For configuration information, see Configuring WWAN Settings on page 564.
For IP Assignment, select Static, Transparent Mode, or Layer 2 Bridged Mode. The display changes according to your selection. Configure the resulting fields as follows:

Static - For static IP addresses, enter the IP Address for the interface.

The following options are available when configuring an interface in Transparent Mode:

Transparent Range - In the Transparent Range menu, select the entry that contains the range of IP addresses you want to have access through this interface.
PortShield Switch Mode - For SonicWALL TZ 210, TZ 210W and NSA 240 appliances, you can configure interfaces for PortShield switch mode, which manually groups ports together to share a common network subnet as well as common zone settings. For more information, see Configuring PortShield Groups on page 208.

Note

When configuring a zone for Layer 2 Bridge Mode, the only access rule automatically added is an allow rule between the bridge pair. Other necessary access rules must be added manually.

The following options are available when configuring an interface in Layer 2 Bridge Mode:

On appliances running SonicOS Enhanced 3.5 and 4.0 or higher, you can select Layer 2 Bridged Mode for physical interfaces in either the LAN or the DMZ zone. On appliances running SonicOS Enhanced 5.5 or higher, you can select Layer 2 Bridge Mode for the WLAN zone.

Bridged-to - In the Bridged-to field, select a WAN, LAN, or DMZ interface with a static IP address.
Block all non-IPv4 traffic - Select this checkbox to allow only IPv4 traffic.
Only sniff traffic - Select this checkbox to allow the bridged interface to be connected to a mirrored port on a switch in a one-arm mode to perform intrusion detection by examining traffic going through the switch.
Engage physical bypass on malfunction - Enables Layer 2 Bridge Bypass Relay Control, also known as Fail to Wire. The bypass relay option gives you the choice of avoiding disruption of network traffic by bypassing the firewall in the event of a malfunction. The bypass relay closes on any unexpected anomaly (power failure, watchdog exception, fallback to safe-mode). While the relay is closed, traffic passes between the bridged interfaces without inspection or policy enforcement, so Fail to Wire trades security enforcement for availability and should be chosen deliberately.

Note

The Engage physical bypass on malfunction option is available only for SonicWALL E7500 appliances running SonicOS Enhanced version 5.5 or higher and only when the X0 interface is bridged to the X1 interface. Selecting the Engage physical bypass on malfunction option automatically configures the other Layer 2 Bridge mode options as follows:
   Block all non-IPv4 traffic - Disabled
   Never route traffic - Enabled
   Only sniff traffic - Disabled
   Disable stateful-inspection - Not modified

Comment - Enter any comments regarding the interface.
Management - Select one or more of the following management options:
   HTTP - Allows HTTP management over the interface.
   HTTPS - Allows HTTPS management over the interface.
   Ping - The interface will respond to ping requests.
   SNMP - The interface will support Simple Network Management Protocol (SNMP).
   SSH - The interface will support Secure Shell (SSH) for CLI-based administration.
   A further option redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
Enable only the management protocols an interface actually needs, and prefer HTTPS and SSH over HTTP on any interface that carries untrusted traffic, since HTTP management sends the administrator credentials in the clear.
WAN Settings
Perform the following steps to configure the WAN settings for the SonicWALL appliance.
1.
Select how the WAN connects to the Internet from the IP Assignment list box: StaticConfigure the following settings for static IP address interfaces:
IP AddressEnter the IP address of the interface. Subnet MaskEnter the subnet mask for the network. Default GatewayIP address of the WAN gateway. DNS Server 1-3IP addresses of the DNS Servers. CommentEnter any comments regarding the interface.
DHCPConfigure the following settings if the WAN IP address will use DHCP:
Host NameSpecifies the host name of the SonicWALL device on the
WAN interface.
CommentEnter any comments regarding the interface. IP Address, Subnet Mask, Gateway (Router) Address, and DNS
161
PPPoEConfigure the following settings if the WAN IP address will use PPPoE:
User NameEnter username provided by the ISP. PasswordEnter the password used to authenticate the username
by PPPoE servers that respond to a client connection request. The service name can be up to 50 characters. Many installations use the system name as a service name, for example sonicwall-server or redback-server. If the service name is left blank the client will connect to any service.
Select from the following: To configure the SonicWALL appliance(s) to dynamically obtain an
Select from the following: To configure the SonicWALL appliance(s) to obtain the DNS server
information automatically, select Obtain DNS Server Address Automatically. DNS Server IP addresses.
To specify DNS servers, select Specify DNS Servers and enter the
162
Note
For PPPoE interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
Click the Protocol tab. View the settings for the acquired IP address, subnet mask, gateway
SonicWALL appliance waits before disconnecting from the Internet, and select the checkbox.
Strictly use LCP echo packets for server keep-aliveThis
checkbox is enabled when the client recognizes that the server relies on Link Control Protocol (LCP) echo requests for keeping the PPPoE connection alive.
Disconnect the PPPoE client if the server does not send traffic for
__ minutesSelect this checkbox and enter the number of minutes to wait without traffic before the connection is ended. When enabled, the PPPoE client monitors traffic from the server on the tunnel and disconnects when no traffic is seen for the specified time period.
PPTP: Configure the following settings if the WAN IP address will use PPTP:
User Name: Enter the username provided by the ISP.
User Password: Enter the password used to authenticate the username.
To use a static IP address, select Static and enter the IP address, subnet mask, and gateway IP address.
Note
For PPTP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
L2TP: Configure the following settings if the WAN IP address will use L2TP:
User Name: Enter the username provided by the ISP.
User Password: Enter the password used to authenticate the username.
To use a static IP address, select Static and enter the IP address, subnet mask, and gateway IP address.
Note
For L2TP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
2. Select one or more of the following management options:
HTTP: When selected, allows HTTP management from the interface.
HTTPS: When selected, allows HTTPS management from the interface.
Ping: When selected, the interface will respond to ping requests.
SNMP: When selected, the interface will support Simple Network Management Protocol (SNMP).
Add rule to enable redirect from HTTP to HTTPS: Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not. HTTP management sends administrator credentials and session cookies in cleartext, so on any Internet-facing interface enable HTTPS management only and use this redirect to catch administrators who type an http:// URL.
4. Click Update. The settings are saved. To clear any changes and start over, click Reset.
5. Click the Advanced tab and configure the following Ethernet settings:
Link Speed: To configure the interface to automatically negotiate Ethernet settings, select Auto Negotiate. If you want to specify the forced Ethernet speed and duplex, select the appropriate setting.
Override Default MAC Address: Select to manually enter the MAC address. Otherwise, the default MAC address is used.
Enable Multicast Support: Select to enable multicast on the interface.
Interface MTU: Specify the size of the Maximum Transmission Unit (MTU) for the interface. To fragment outbound non-VPN packets that exceed this size, select the Fragment non-VPN outbound packets larger than this Interface's MTU check box.
Note
If the maximum transmission unit (MTU) size is too large for a remote router, it may require more transmissions. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be processed.
To ignore Don't Fragment (DF) bits from routers connected to the SonicWALL appliance, select the Ignore Don't Fragment (DF) Bit check box.
6. Configure the following Bandwidth Management settings:
To enable egress bandwidth management on this interface, select the check box and enter the bandwidth of the connection in the Available Interface Bandwidth field in kilobits per second (Kbps).
To enable ingress bandwidth management on this interface, select the check box and enter the bandwidth of the connection in the Available Interface Bandwidth field in kilobits per second (Kbps).
7. Click Update. The settings are saved. To clear any changes and start over, click Reset.
1. At the bottom of the Network > Interfaces page, click Add VLAN Interface. The Add Interface window displays.
2. Select a Zone to assign to the interface. You can select LAN, DMZ, WLAN, or unassigned. The zone assignment does not have to be the same as the parent (physical) interface.
3. Enter a Portshield Interface Name for the sub-interface.
4. Declare the parent (physical) interface to which this sub-interface will belong. There is no per-interface limit to the number of sub-interfaces you can assign; you may assign sub-interfaces up to the system limit (in the hundreds).
5. For LAN and DMZ, select Static or Transparent for the IP Assignment. WLAN interfaces use static IP addresses:
For static IP addresses, enter the IP Address and Subnet Mask for the interface.
For transparent IP assignment, select the range of IP addresses you want to have access through this interface in the Transparent Range menu.
6. Select one or more of the following management options:
HTTP: When selected, allows HTTP management from the interface.
HTTPS: When selected, allows HTTPS management from the interface.
Ping: When selected, the interface will respond to ping requests.
SNMP: When selected, the interface will support Simple Network Management Protocol (SNMP).
7. Select the user login options for the interface:
HTTP: When selected, users will be able to login using HTTP.
HTTPS: When selected, users will be able to login using HTTPS.
Add rule to enable redirect from HTTP to HTTPS: Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
8. Check Create Default DHCP Lease Scope to indicate that the amount of time allowed for an IP address issued by DHCP will be the default.
9. Click OK.
The Virtual interface displays in the VLAN Interfaces table below the Interfaces table.
WWAN only: The WAN interface is disabled and the WWAN interface is used exclusively.
Ethernet only: The WWAN interface is disabled and the WAN interface is used exclusively.
Ethernet with WWAN Failover: The WAN interface is used as the primary interface and the WWAN interface is disabled. If the WAN connection fails, the WWAN interface is enabled and a WWAN connection is automatically initiated.
In the Interface Settings table, in the WWAN row, click Connect. The SonicWALL appliance attempts to connect to the WWAN service provider. To disconnect a WWAN connection, click Disconnect.
Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings.
To configure the WAN Failover for a SonicWALL appliance, perform the following steps:
1. Expand the Network tree and click WAN Failover & LB. The WAN Failover & LB page displays.
2. Select the Enable Load Balancing check box.
3. Select the secondary interface(s) from the Secondary WAN Interface drop-down menu.
Note
If this is not configured, you will need to configure a WAN interface from the Network > Interfaces page. Appliances running SonicOS Enhanced 5.5 can support up to three alternate WAN interfaces. For these appliances, the Secondary WAN Interface drop-down menu is replaced with up to three Alternate WAN drop-down menus. The drop-down menu will contain all interfaces configured as WAN interfaces.
4. Specify how often the SonicWALL appliance will check the interface (5-300 seconds) in the Check interface every field (default: 5 seconds).
5. Specify the number of times the SonicWALL appliance tests the interface as inactive before failing over in the Deactivate interface after field (default: 3). For example, if the SonicWALL appliance tests the interface every 5 seconds and finds the interface inactive after 3 successive attempts, it will fail over to the secondary interface after 15 seconds.
6. Specify the number of times the SonicWALL appliance tests the interface as active before failing back to the primary interface in the Reactivate interface after field (default: 3). For example, if the SonicWALL appliance tests the interface every 5 seconds and finds the interface active after 3 successive attempts, it will fail back to the primary interface after 15 seconds.
7. To configure outbound load balancing, select from the following:
Basic Active/Passive Failover: Select this option to enable a basic failover setup. When the primary WAN interface fails to provide a connection, it enters standby and the secondary interface takes over network traffic. Check the Preempt and failback to Primary WAN when possible checkbox to enable immediate failback to the primary interface when it is available again.
Per Connection Round-Robin: Select this option to enable a Round-Robin form of load balancing. Each new connection is assigned to the next WAN interface in a circular list, so new connections are spread evenly across the WAN interfaces; when the end of the list is reached, assignment starts again at the first interface.
Spillover-based: Select this option and enter a value (in Kb/sec) to enable the secondary interface to serve as a load balancer. With this option selected, new traffic is routed to the secondary interface whenever the primary WAN interface exceeds the specified bandwidth.
Percentage-Based: Select this option to split network traffic between the primary and secondary WAN interfaces by percentage. Enter percentages that add up to 100 to divide traffic between the two WAN interfaces; with two WAN interfaces you fill in the Primary WAN Percentage field only, and the Secondary WAN Percentage field is calculated for you. On appliances that support up to three alternate WAN interfaces (SonicOS Enhanced 5.5), Percentage-Based load balancing divides traffic between up to four WAN interfaces: enter a Primary WAN Percentage and up to three Alternate WAN Percentage settings that add up to 100. When using Percentage-Based load balancing, you may select the Use Source and Destination IP Addresses Binding checkbox to keep related traffic together on one interface.
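The following is an added worked example, not code from this guide or from SonicOS, showing how the three outbound load-balancing methods above pick an interface for each new connection. The interface names (X1, X2), percentages, load figures and address pairs are constructed for illustration; the source/destination binding is modelled as a hash of the address pair, which is one way to keep a pair's connections on a single interface, not necessarily the appliance's own method.

```python
"""Added example (not SonicWALL code): the outbound load-balancing methods
described above, applied to each new connection.  Interface names,
percentages, loads and address pairs are constructed for illustration."""
import hashlib
from dataclasses import dataclass
from itertools import cycle


@dataclass
class WanInterface:
    name: str
    percentage: int = 0     # share of new connections (Percentage-Based)
    egress_kbps: int = 0    # current egress load (Spillover-based)


class OutboundBalancer:
    def __init__(self, primary, alternates):
        # Primary WAN first, then the Secondary/Alternate WAN interface(s).
        self.ifaces = [primary] + list(alternates)
        self._ring = cycle(self.ifaces)
        self._assigned = {i.name: 0 for i in self.ifaces}

    def round_robin(self):
        """Per Connection Round-Robin: each new connection takes the next
        interface in the circular list; after the last one the list wraps."""
        return next(self._ring)

    def spillover(self, threshold_kbps):
        """Spillover-based: new connections stay on the primary until its egress
        load exceeds the configured Kb/sec value, then go to the secondary."""
        primary, secondary = self.ifaces[0], self.ifaces[1]
        return primary if primary.egress_kbps <= threshold_kbps else secondary

    def percentage(self, src_ip=None, dst_ip=None):
        """Percentage-Based: the configured shares must add up to 100.  With a
        source/destination pair (the IP Addresses Binding option) the pair is
        hashed into one of 100 buckets so all of its connections land on the
        same interface; without a pair, connections are spread to match the
        shares (smooth weighted assignment, ties go to the earlier interface)."""
        shares = [i for i in self.ifaces if i.percentage > 0]
        if sum(i.percentage for i in shares) != 100:
            raise ValueError("WAN percentages must add up to 100")
        if src_ip is not None and dst_ip is not None:
            digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
            bucket = int.from_bytes(digest[:4], "big") % 100
            upper = 0
            for iface in shares:
                upper += iface.percentage
                if bucket < upper:
                    return iface
        iface = min(shares,
                    key=lambda i: (self._assigned[i.name] + 1) / i.percentage)
        self._assigned[iface.name] += 1
        return iface
```

With a 60/40 split and no binding, 100 new connections land exactly 60 on X1 and 40 on X2; with binding, every connection between the same two hosts hashes to the same interface, which is what keeps a session's related flows from leaving by different WAN addresses. The ValueError mirrors the guide's requirement that the percentages add up to 100.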
8. The SonicWALL appliance can monitor the WAN by detecting whether the link is unplugged or disconnected or by sending probes to a target IP address of an always available target upstream device on the WAN network, such as an ISP side router. To enable probe monitoring, select the Enable Probe Monitoring check box and configure the following settings:
Primary WAN Probe Settings: Select the protocol used for monitoring and enter the IP address and port (TCP only) of the probe target. If there will be an optional probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
Secondary WAN Probe Settings: Select the protocol used for monitoring and enter the IP address and port (TCP only) of the secondary probe target. If there will be an optional secondary probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
WWAN Probe Settings: Select the protocol used for monitoring and enter the IP address and port (TCP only) of the WWAN probe target. If there will be an optional WWAN probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
Note
TCP probing is useful if you do not have ping (ICMP) response enabled on your network devices. In this case, TCP can be used to probe the device on a user-specified port. Select the Respond to Probes checkbox to enable GMS managed devices to respond to probe requests. With this option selected, you can also check the Any TCP-SYN to Port checkbox and enter a specific port to probe.
10. Click the Update button at the bottom of the page to save these settings.
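The failover arithmetic in steps 4 to 6 and the "both targets or either target" choice in step 8 are easy to get wrong when tuning, so here is an added example (not code from this guide or from SonicOS) that replays the logic against constructed probe results. Interface names, the settings object and the probe-result dictionaries are assumptions made for the example; the tcp_probe helper shows the TCP-SYN style probe the Note describes but is not exercised offline.

```python
"""Added example (not SonicWALL code): the probe-based WAN failover and
failback logic described in the steps above, run against constructed probe
results.  Interface names and the probe target are placeholders."""
import socket
from dataclasses import dataclass, field


@dataclass
class FailoverSettings:
    check_every_s: int = 5        # "Check interface every" (5-300 seconds)
    deactivate_after: int = 3     # failed checks in a row before failing over
    reactivate_after: int = 3     # good checks in a row before failing back
    require_both_targets: bool = False  # with an optional target: both vs either
    preempt: bool = True          # "Preempt and failback to Primary WAN when possible"


def tcp_probe(host, port, timeout_s=2.0):
    """TCP probe: a completed handshake means the target is up.  Useful when the
    target does not answer ICMP.  Not exercised offline; shown for completeness."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout_s)
        return s.connect_ex((host, port)) == 0


@dataclass
class WanFailover:
    settings: FailoverSettings
    primary: str
    secondary: str
    active: str = field(init=False)
    elapsed_s: int = 0
    fail_streak: int = 0
    ok_streak: int = 0
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.active = self.primary

    def primary_is_up(self, results):
        """results maps probe target -> bool.  With one target its result counts;
        with a main and an optional target the 'both'/'either' setting applies."""
        if len(results) == 1:
            return next(iter(results.values()))
        if self.settings.require_both_targets:
            return all(results.values())
        return any(results.values())

    def tick(self, results):
        """One check interval.  Returns the interface carrying traffic afterwards."""
        self.elapsed_s += self.settings.check_every_s
        up = self.primary_is_up(results)
        if self.active == self.primary:
            # Consecutive failures only: one good probe resets the count.
            self.fail_streak = 0 if up else self.fail_streak + 1
            if self.fail_streak >= self.settings.deactivate_after:
                self.active, self.fail_streak, self.ok_streak = self.secondary, 0, 0
                self.events.append((self.elapsed_s, "failover", self.secondary))
        else:
            self.ok_streak = self.ok_streak + 1 if up else 0
            if self.settings.preempt and self.ok_streak >= self.settings.reactivate_after:
                self.active, self.fail_streak, self.ok_streak = self.primary, 0, 0
                self.events.append((self.elapsed_s, "failback", self.primary))
        return self.active
```

With the defaults (check every 5 seconds, 3 checks) the failover event is recorded at 15 seconds and the failback 15 seconds after the primary starts answering again, matching the guide's worked figures. Note the asymmetry in the "both"/"either" setting: with "either", a main target that keeps answering masks a dead optional target indefinitely, so pick probe targets that actually sit beyond the link you care about.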
Configuring Zones
A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following a strict physical interface scheme. There are four fixed Zone types: Trusted, Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones. These fixed Zone types cannot be modified or deleted. A Zone instance is created from a Zone type and named accordingly, e.g. Sales, Finance, etc. Only the number of interfaces limits the number of Zone instances for Trusted and Untrusted Zone types. The Untrusted Zone type (i.e. the WAN) is restricted to two Zone instances. The Encrypted Zone type is a special system Zone comprising all VPN traffic and doesn't have any associated interfaces.
Trusted and Public Zone types offer an option, Interface Trust, to automate the creation of Access Rules to allow traffic to flow between the Interfaces of a Zone instance. For example, if the LAN Zone has interfaces X0, X3, and X5 assigned to it, checking Allow Interface Trust on the LAN Zone creates the necessary Access Rules to allow hosts on these Interfaces to communicate with each other.
To add or edit a Zone, perform the following steps:
2. Expand the Network tree and click Zones. The Zones page displays.
3. Click the Edit Icon ( ) for a Zone or click Add New Zone. The Edit Zone or Add Zone dialog box displays.
4. If this is a new Zone, enter a name for the Zone.
5. Select the Security Type.
6. To configure the SonicWALL appliance to automatically create the rules that allow data to freely flow between interfaces in the same Zone, select the Allow Interface Trust check box.
7. To enforce content filtering on multiple interfaces in the same Trusted or Public Zones, select the Enforce Content Filtering Service check box.
8. For appliances running SonicOS Enhanced 4.0 or above, if the selected node is a group or global node, or if the selected appliance is licensed for SonicWALL CFS Premium, select a predefined CFS policy or the default policy from the CFS Policy drop-down list. The drop-down list is only populated if the Enforce Content Filtering Service checkbox is enabled. It is not available for the WAN zone.
9. To enforce network anti-virus protection on multiple interfaces in the same Trusted or Public Zones, select the Enforce Network Anti-Virus Service check box.
SonicWALL GMS 6.0 Administrators Guide
10. To enforce gateway anti-virus protection on multiple interfaces in the same Trusted or Public Zones, select the Enable Gateway Anti-Virus Service check box.
11. To enforce Intrusion Prevention Services (IPS) on multiple interfaces in the same Trusted or Public Zones, select the Enable IPS check box.
12. To enable Anti-Spyware on the zone, select Enable Anti-Spyware Service.
13. To enforce security policies for Global Security Clients on multiple interfaces in the same Trusted or Public Zones, select Enforce Global Security Clients.
14. To automatically create a GroupVPN policy for this zone, select Create Group VPN.
15. For appliances running SonicOS Enhanced 4.0 or above, select the Enable SSL Control check box to allow SSL Control in this zone. This check box is not active for the VPN or Multicast zones.
16. For WLAN zones, see the WLAN zone procedure that follows for information about configuring settings on the other tabs. For all other zones, click Update when you are finished. The Zone is modified or added for the selected SonicWALL appliance. To clear all settings and start over, click Reset.
When the Security Type for a zone is selected as either Trusted or Public, the Guest Services tab displays. Configure any of the following options:
Enforce Guest Login over HTTPS: Requires guests to use HTTPS instead of HTTP to access the guest services.
Enable inter-guest communication: Allows guests connecting to SonicPoints in this Zone to communicate directly and wirelessly with each other.
Bypass AV Check for Guests: Allows guest traffic to bypass Anti-Virus protection.
Enable External Guest Authentication: Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
Note
Refer to the SonicWALL Lightweight Hotspot Messaging technote available at the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html for complete configuration of the Enable External Guest Authentication feature.
Custom Authentication Page: Redirects users to a custom authentication page when they first connect to the zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
Post Authentication Page: Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
Bypass Guest Authentication: Allows the appliance to integrate into environments already using some form of user-level authentication. This feature automates the Guest Services authentication process, allowing users to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the appliance is enforcing authentication.
Redirect SMTP traffic to: Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
Deny Networks: Blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
Pass Networks: Automatically allows traffic through the zone from the networks you select.
Max Guests: Specifies the maximum number of guest users allowed to connect to the zone. The default is 10.
1. Select the global icon, a group, or a SonicWALL appliance.
2. In the Network > Zones page, click Add New Zone or the Edit icon for the WLAN zone.
3. Configure the settings on the General tab as described for other zones. To expose the wireless-only tabs when adding a new zone, select Wireless for the Security Type.
4. Click the Wireless tab.
5. On the Wireless tab, select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This allows maximum security of your WLAN. Uncheck this option if you want to allow any traffic on your WLAN Zone regardless of whether or not it is from a wireless connection.
Tip
Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired interface to allow guest services on that interface.
6. Select SSL-VPN Enforcement to require that all traffic that enters into the WLAN Zone be authenticated through a SonicWALL SSL-VPN appliance. If you select both SSL-VPN Enforcement and WiFiSec Enforcement, the Wireless zone will allow traffic authenticated by either a SSL-VPN or an IPsec VPN.
7. In the SSL-VPN Server list, select an address object to direct traffic to the SonicWALL SSL-VPN appliance.
8. In the SSL-VPN Service list, select the service or group of services you want to allow for clients authenticated through the SSL-VPN.
9. Select WiFiSec Enforcement to require that all traffic that enters into the WLAN Zone interface be either IPsec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients connected to SonicPoints attached to an interface belonging to a Zone on which WiFiSec is enforced are required to use the strong security of IPsec. The VPN connection inherent in WiFiSec terminates at the WLAN GroupVPN, which you can configure independently of WAN GroupVPN or other Zone GroupVPN instances. If you select both WiFiSec Enforcement and SSL-VPN Enforcement, the Wireless zone will allow traffic authenticated by either a SSL-VPN or an IPsec VPN.
10. If you have enabled WiFiSec Enforcement, you can specify services that are allowed to bypass the WiFiSec enforcement by checking WiFiSec Exception Service and then selecting the service you want to exempt from WiFiSec enforcement.
11. If you have enabled WiFiSec Enforcement, you can select Require WiFiSec for Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections through the WLAN zone that are part of a site-to-site VPN.
12. WPA is supported as an alternative to IPsec. Both WPA-PSK (Pre-shared key) and WPA-EAP (Extensible Authentication Protocol using an external 802.1x/EAP capable RADIUS server) will be supported on SonicPoints.
13. Select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
14. Click the Guest Services tab. You can choose from the following options:
Enable Wireless Guest Services: Enables guest services on the WLAN zone.
Enforce Guest Login over HTTPS: Requires guests to use HTTPS instead of HTTP to access the guest services.
Enable inter-guest communication: Allows guests connecting to SonicPoints in this WLAN Zone to communicate directly and wirelessly with each other.
Bypass AV Check for Guests: Allows guest traffic to bypass Anti-Virus protection.
Enable External Guest Authentication: Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
Note
Refer to the SonicWALL Lightweight Hotspot Messaging technote available at the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html for complete configuration of the Enable External Guest Authentication feature.
Custom Authentication Page: Redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
Post Authentication Page: Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
Bypass Guest Authentication: Allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
Redirect SMTP traffic to: Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
Deny Networks: Blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
Pass Networks: Automatically allows traffic through the WLAN zone from the networks you select.
Max Guests: Specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.
Enable Dynamic Address Translation (DAT): Wireless Guest Services (WGS) provides spur-of-the-moment hotspot access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the SonicWALL appliance Wireless DHCP services, and authenticate using any Web browser. Without DAT, if a WGS user is not a DHCP client, but instead has static IP settings incompatible with the Wireless WLAN network settings, network connectivity is prevented until the user's settings change to compatible values.
Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that allows the SonicWALL Wireless to support any IP addressing scheme for WGS users. For example, the SonicWALL Wireless WLAN interface is configured with an address of 172.16.31.1, one WGS client has a static IP address of 192.168.0.10 and a default gateway of 192.168.0.1, while another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1; DAT enables network communication for both of these clients.
Configuring DNS
Domain Name System (DNS) is the Internet standard for locating domain names and translating them into IP addresses. By default, the SonicWALL appliance will inherit its DNS settings from the WAN Zone. To configure DNS, perform the following steps:
Note
Network > DNS is only available in appliances running SonicOS Enhanced.
1. Expand the Network tree and click DNS. The DNS page displays.
2. To inherit the DNS settings from the WAN Zone configuration, select
3. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
In a DNS rebinding attack, an attacker-controlled domain first resolves to the attacker's public address and then, after the victim's browser has loaded the attacker's page, to an address on the victim's local or routed subnet, so that the page can reach internal hosts under the browser's rules for the attacker's domain. DNS Rebinding Attack Prevention inspects DNS replies arriving from the WAN for external names that resolve to such local addresses. To configure it:
1. Select the Enable DNS Rebinding Attack Prevention checkbox.
2. From the Action pull-down menu, select an action to perform when a DNS rebinding attack is detected:
Log Attack
Log Attack & Return a Query Refused Reply
Log Attack & Drop DNS Reply
3. (Optional) For the Allowed Domains pull-down menu, select an FQDN Address Object/Group containing allowed domain names (e.g. *.sonicwall.com) for which locally connected/routed subnets should be considered legal responses.
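As an added example (not code from this guide or from SonicOS), the check behind these three settings can be written out against constructed DNS replies: an answer set is an attack when an address in it falls inside a locally connected or routed subnet and the queried name is not covered by an Allowed Domains pattern. The subnets, the *.sonicwall.com pattern, the hostnames and the reply codes are all constructed for the example.

```python
"""Added example (not SonicWALL code): the DNS rebinding check described above,
applied to constructed DNS answers.  The subnets, domain patterns and names
used here are examples."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    LOG = "Log Attack"
    REFUSE = "Log Attack & Return a Query Refused Reply"
    DROP = "Log Attack & Drop DNS Reply"


@dataclass
class Verdict:
    attack: bool
    rcode: str        # reply code sent to the client, or None when the reply is dropped
    answers: list     # address records forwarded to the client


class RebindingGuard:
    def __init__(self, local_subnets, allowed_domains=(), action=Action.DROP):
        # Locally connected/routed subnets: a WAN-side reply pointing an
        # external name at one of these is the rebinding pattern.
        self.local = [ipaddress.ip_network(n) for n in local_subnets]
        # Allowed Domains (FQDN patterns such as *.sonicwall.com) for which
        # local addresses are legitimate answers.
        self.allowed = [d.rstrip(".").lower() for d in allowed_domains]
        self.action = action
        self.log = []

    def is_local(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.local)

    def is_allowed(self, qname):
        name = qname.rstrip(".").lower()
        return any(fnmatch.fnmatchcase(name, pat) for pat in self.allowed)

    def inspect(self, qname, answers):
        """Apply the configured Action to one DNS reply (qname -> answers)."""
        bad = [ip for ip in answers if self.is_local(ip)]
        if not bad or self.is_allowed(qname):
            return Verdict(False, "NOERROR", list(answers))
        self.log.append(f"DNS rebinding attack: {qname} -> {', '.join(bad)}")
        if self.action is Action.LOG:
            return Verdict(True, "NOERROR", list(answers))   # log only, reply passes
        if self.action is Action.REFUSE:
            return Verdict(True, "REFUSED", [])               # client gets a refusal
        return Verdict(True, None, [])                        # reply silently dropped
```

Two points worth noting when choosing the settings: with Log Attack the poisoned answer still reaches the client, so that action is for tuning the Allowed Domains list rather than for protection; and a shell-style pattern such as *.sonicwall.com does not match the bare apex name sonicwall.com, so an FQDN Address Group that needs the apex must list it separately.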
1. Expand the Network tree and click Dynamic DNS. The Dynamic DNS page displays.
2. Click Add Dynamic DNS Profile. The Add Dynamic DNS Profile window is displayed.
3. Select the Provider from the drop-down list at the top of the page. This example uses DynDNS.org. DynDNS.org requires the selection of a service. This example assumes you have created a dynamic service record with dyndns.org.
4. Enter a name to assign to the DDNS entry in the Profile Name field. This can be any value used to identify the entry in the Dynamic DNS Settings table.
5. If Enable this profile is checked, the profile is administratively enabled, and the SonicWALL security appliance takes the actions defined in the Online Settings section on the Advanced tab.
6. If Use Online Settings is checked, the profile is administratively online.
7. Enter your dyndns.org username and password in the User Name and Password fields.
8. Enter the fully qualified domain name (FQDN) of the hostname you registered with dyndns.org in the Domain Name field. Make sure you provide the same hostname and domain as you configured.
9. When using DynDNS.org, select the Service Type from the drop-down list that corresponds to your type of service through DynDNS.org. The options are:
Dynamic: A free Dynamic DNS service.
primary/secondary DNS service and a web-based interface. Supports both dynamic and static IP addresses.
Static: A free DNS service for static IP addresses.
10. When using DynDNS.org, you may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Backup MX if your DDNS provider allows for the specification of an alternative IP address for the MX record.
11. Click the Advanced tab. You can typically leave the default settings on this page.
12. The On-line Settings section provides control over what address is registered with the dynamic DNS service while the profile is online. The options are:
Let the server detect IP Address: The dynamic DNS server determines the IP address based upon the source address of the connection. This is the most common setting.
Automatically set IP Address to the Primary WAN Interface IP Address: This will cause the SonicWALL device to assert its WAN IP address as the registered IP address, overriding auto-detection by the dynamic DNS server. Useful if detection is not working correctly.
13. The Off-line Settings section controls what address is registered with the dynamic DNS service provider if the dynamic DNS entry is taken off-line locally (disabled) on the SonicWALL. The options are:
Do nothing: the default setting. This allows the previously registered address to remain current with the dynamic DNS provider.
Use Off-Line Settings configured at provider site: if your provider supports manual configuration of Off-Line Settings, you can select this option to use those settings when this profile is taken administratively offline.
Make Host Unknown: Unregisters the entry.
Specify IP Address manually: Manually specify the IP address.
14. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
SonicOS Enhanced supports Address Objects, which can be a host, network, MAC or IP address range. An Address Object Group is a group of Address Objects or other Address Object Groups. Once defined, you can quickly establish NAT Policies, VPN Security Associations (SAs), firewall rules, and DHCP settings between Address Objects and Address Object Groups without individual configuration. All SonicWALL appliances come with a group of pre-defined default network objects. These include subnets for each interface, interface IP addresses for each interface, management IP addresses, and more.
For appliances running SonicOS Enhanced, GMS supports paginated navigation and sorting by column header on the Address Objects screen. In either of the tables, you can click a column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.
You can perform the following tasks from the Address Object page:
Creating an Address Object Group on page 185
Creating an Address Object on page 186
Deleting a Network Address Group or Object on page 187
1. Expand the Network tree and click Address Objects. The Address Objects page displays.
3. Enter a name for the Address Object Group in the Name field.
4. Select an object or group that will be a part of the Address Object Group and click the right arrow. Repeat for each object or group to add.
5. When you are finished, click OK.
1. Scroll to the bottom of the Address Objects page and click Add New Address Object.
2. Enter a name for the Address Object in the Name field.
3. Select the zone to which this Address Object will be assigned from the Zone Assignment list box.
4. Select from the following:
To specify an individual IP address, select Host from the Type list and enter the IP address.
5. When you are finished, click OK. Repeat this procedure for each Address Object to add.
Go to the Network > Address Object page. Click the Edit icon ( ) next to the selected address group or object. Modify the settings and click OK.
Go to the Network > Address Object page. Click on the Trash can icon of the selected address group or object.
SonicWALL appliances support Network Address Translation (NAT). NAT is the automated translation of IP addresses between different networks. For example, a company might use private IP addresses on a LAN that are represented by a single IP address on the WAN side of the SonicWALL appliance. SonicWALL appliances support two types of NAT:
Address-to-Address Translation: local addresses are matched to public IP addresses. For example, the private IP address 10.50.42.112 might be mapped to the public IP address 132.22.3.2.
Port Translation or Network Address Port Translation (NAPT): local addresses are dynamically matched to public IP address/port combinations (standard TCP ports). For example, the private IP address 192.168.102.12 might be mapped to the public IP address 48.12.11.1 using port 2302.
Note
IP address/port combinations are dynamic and not preserved for new connections. For example, the first connection for an IP address might use port 2302, but the second connection might use 2832.
One-to-One Mapping: one local IP address is mapped to one public IP address using Address-to-Address translation.
Many-to-One Mapping: many local IP addresses are mapped to a single public IP address using NAPT.
Many-to-Many Mapping: many local IP addresses are mapped to many public IP addresses. If the number of public IP addresses is greater than or equal to the number of local IP addresses, the SonicWALL appliance uses Address-to-Address translation. If the number of public IP addresses is less than the number of local IP addresses, the SonicWALL appliance uses NAPT. For example, if there are 10 private IP addresses and 5 public IP addresses, two private IP addresses will be assigned to each public IP address using NAPT.
A NAT policy has the following fields:
Original Source: used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range.
Translated Source: specifies the IP address or IP address range to which the original source will be mapped.
Original Destination: used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range.
Translated Destination: specifies the IP address or IP address range to which the original destination will be mapped.
Original Service: used to filter destination addresses by service, this field specifies a Service Object that can be a single service or group of services.
Translated Service: specifies the service or port to which the original service will be remapped.
Source Interface: filters source addresses by interface.
Destination Interface: filters destination addresses by interface.
One-to-One Mapping on page 189
Many-to-One Mapping on page 190
Many-to-Many Mapping on page 190
One-to-One Mapping
To configure one-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP address in the Original Source field and the public IP address that it will use to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.
Note
If you map more than one private IP address to the same public IP address, the private IP addresses will automatically be configured for port mapping or NAPT.
To configure one-to-one mapping from the public network to the private network, select the Address Object that corresponds to the public network IP address in the Original Destination field and the private IP address that it will used to reach the server in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.
189
Note
If you map one public IP address to more than one private IP address, the public IP addresses will be mapped to the first private IP address. Load balancing is not supported. Additionally, you must set the Original Source to Any.
Many-to-One Mapping
To configure many-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP address that they will use to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.
Note: You can also specify Any in the Original Source field and the Address Object of the LAN interface in the Translated Source field.
Many-to-Many Mapping
To configure many-to-many mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP addresses to which they will be mapped in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.
Note: If the IP address range specified in the Original Source is larger than the Translated Source, the SonicWALL appliance will use port mapping or NAPT. If the Translated Source is equal to or larger than the Original Source, addresses will be individually mapped.
To configure many-to-many mapping from the public network to the private network, select the Address Object that corresponds to the public network IP addresses in the Original Destination field and the IP addresses on the private network in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.
Note: If the IP address range specified in the Original Destination is smaller than the Translated Destination, the SonicWALL appliance will map the addresses individually to the first IP addresses in the translated range. If the Translated Destination is equal to or smaller than the Original Destination, addresses will be individually mapped.
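The pool-size rules above (one-to-one, many-to-one and many-to-many, in both directions) worked through as an added example that is not part of the guide or of the GMS product; the address pools, the even spread under NAPT and the handling of leftover inbound addresses are assumptions made for the demonstration:

```python
"""Added example, not from the SonicWALL GMS guide: work out which translation
method a NAT policy ends up with from the sizes of its Original and Translated
pools, following the rules the guide gives for one-to-one, many-to-one and
many-to-many mappings. Pools are constructed inline as IPv4 ranges."""
import ipaddress
from typing import Dict, List


def expand_range(first: str, last: str) -> List[str]:
    """Expand an inclusive IPv4 range (an Address Object of type Range)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def translation_method(n_original: int, n_translated: int) -> str:
    """Guide rule for the outbound (source) direction: a Translated Source pool
    at least as large as the Original Source pool gives Address-to-Address
    translation; a smaller pool forces port mapping (NAPT)."""
    if n_original < 1 or n_translated < 1:
        raise ValueError("both pools must contain at least one address")
    return "Address-to-Address" if n_translated >= n_original else "NAPT"


def source_mapping(original: List[str], translated: List[str]) -> Dict[str, str]:
    """Outbound mapping: Original Source address -> Translated Source address.

    Address-to-Address pairs the i-th original with the i-th translated
    address. Under NAPT the originals are spread evenly over the smaller
    translated pool, as in the guide's 10-to-5 example (two private addresses
    per public address); the source-port rewrite that tells them apart is
    chosen per connection and is not modelled here (assumption)."""
    if translation_method(len(original), len(translated)) == "Address-to-Address":
        return dict(zip(original, translated))
    return {o: translated[i % len(translated)] for i, o in enumerate(original)}


def destination_mapping(original: List[str], translated: List[str]) -> Dict[str, str]:
    """Inbound mapping: Original Destination -> Translated Destination.

    The guide states that a public address mapped to several private addresses
    goes to the first private address (no load balancing), and that a
    translated range larger than the original range is mapped individually
    from the first addresses of the translated range. Originals left over when
    the translated pool is smaller are not specified by the guide and are left
    unmapped here (assumption)."""
    if not original or not translated:
        raise ValueError("both pools must contain at least one address")
    return {o: translated[i] for i, o in enumerate(original) if i < len(translated)}


if __name__ == "__main__":
    # The guide's example: 10 private addresses behind 5 public addresses.
    private = expand_range("192.168.1.1", "192.168.1.10")
    public = expand_range("203.0.113.1", "203.0.113.5")
    print(translation_method(len(private), len(public)))
    for src, dst in source_mapping(private, public).items():
        print(f"{src} -> {dst}")
```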
Sticky IP - Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments.
Round Robin - Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.
Block Remap/Symmetrical Remap - These two methods are useful when you know the source IP addresses/networks (e.g. when you want to precisely control how traffic from one subnet is translated to another).
Random Distribution - Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources.
For more information about NAT Load Balancing, see the SonicOS Enhanced 4.0 Administrators Guide.
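The Sticky IP, Round Robin and Random Distribution methods above, with members that probing has deactivated skipped, as an added example that is not part of the guide or of the GMS product; the member addresses, the hash used for stickiness and the liveness feed are assumptions made for the demonstration, and Block Remap/Symmetrical Remap are not modelled:

```python
"""Added example, not from the SonicWALL GMS guide: pick the Translated
Destination for a new connection with the Sticky IP, Round Robin and Random
Distribution methods the guide lists, skipping members that probing has marked
down. Members, sources and liveness are constructed for the demonstration;
Block Remap and Symmetrical Remap are not modelled."""
import hashlib
import random
from typing import Dict, List, Optional


class NatLoadBalancer:
    METHODS = ("sticky", "round_robin", "random")

    def __init__(self, members: List[str], method: str = "sticky",
                 seed: Optional[int] = None) -> None:
        if method not in self.METHODS:
            raise ValueError(f"unsupported NAT method: {method}")
        if not members:
            raise ValueError("a load-balanced group needs at least one member")
        self.members = list(members)
        self.method = method
        # Liveness as the probe (Enable Probing) would report it.
        self.alive: Dict[str, bool] = {m: True for m in self.members}
        self._rr_index = 0
        self._rng = random.Random(seed)

    def set_alive(self, member: str, alive: bool) -> None:
        """Record a probe result: deactivated hosts are skipped by select()."""
        if member not in self.alive:
            raise KeyError(member)
        self.alive[member] = alive

    def live_members(self) -> List[str]:
        return [m for m in self.members if self.alive[m]]

    def select(self, source_ip: str) -> Optional[str]:
        """Return the destination for a new connection from source_ip, or None
        when every member is down."""
        live = self.live_members()
        if not live:
            return None
        if self.method == "sticky":
            return self._sticky(source_ip)
        if self.method == "round_robin":
            choice = live[self._rr_index % len(live)]
            self._rr_index += 1
            return choice
        return self._rng.choice(live)

    def _sticky(self, source_ip: str) -> str:
        # Hash the source over the full member list so a member going down only
        # re-homes the sources that were pinned to it; walk forward from the
        # hashed slot to the next live member (assumption: the appliance's own
        # hash is not documented in the guide).
        digest = hashlib.sha256(source_ip.encode("ascii")).digest()
        start = int.from_bytes(digest[:4], "big") % len(self.members)
        for k in range(len(self.members)):
            candidate = self.members[(start + k) % len(self.members)]
            if self.alive[candidate]:
                return candidate
        raise RuntimeError("unreachable: select() already checked for live members")
```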
1. Expand the Network tree and click NAT Policies. The NAT Policies page displays.
2. To edit an existing policy, click its Edit icon ( ). To add a new policy, click Add NAT Policy.
3. Configure the following fields:
Original Source - used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range.
Translated Source - specifies the IP address or IP address range to which the original source will be mapped.
Original Destination - used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range.
Translated Destination - specifies the IP address or IP address range to which the original destination will be mapped.
Original Service - used to filter destination addresses by service, this field specifies a Service Object that can be a single service or group of services.
Translated Service - specifies the service or port to which the original service will be remapped.
Source Interface - filters source addresses by interface.
Destination Interface - filters destination addresses by interface.
4. To enable the NAT policy, select the Enable check box.
5. Add any comments to the Comments field.
6. If you selected an Address Group Object for any of the drop-down lists on the General tab, you can make changes on the Advanced tab. Click the Advanced tab.
7. Select the NAT method from the NAT Method drop-down list. For information on the available methods, see NAT Load Balancing Methods on page 191.
8. Optionally select the Enable Probing checkbox and make desired changes to the following fields:
Probe host every ... seconds - indicates how often to probe the host.
... to the probe
Deactivate host after ... missed intervals - specifies the number of missed intervals before the host is deactivated.
... of replies received before deciding that the host is available for load balancing again.
9. When you are finished, click Update. The policy is added and you are returned to the NAT Policies screen.
1. Expand the Network tree and click Web Proxy. The Web Proxy page displays.
2. Enter the name or IP address of the proxy server in the Proxy Web Server field.
3. Enter the proxy IP port in the Proxy Web Server Port field.
4. To bypass the Proxy Server if a failure occurs, select the Bypass Proxy Servers Upon Proxy Server Failure check box.
5. If you have clients configured on the DMZ, select the Forward DMZ Client Requests to Proxy Server check box.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Expand the Network tree and click Routing. The Routing page displays.
2. Select the source address object from the Source list box.
3. Select the destination address object from the Destination list box.
4. Specify the type of service that will be routed from the Service list box.
5. Select the address object that will act as a gateway for packets matching these settings.
6. Select the interface through which these packets will be routed from the Interface list box.
7. Specify the RIP metric in the Metric field.
8. Type a descriptive comment into the Comment field.
10. For appliances running SonicOS Enhanced 4.0 and above, optionally select the Disable route when the interface is disconnected checkbox.
11. For appliances running SonicOS Enhanced 4.0 and above, select the Allow VPN path to take precedence checkbox to allow a matching VPN network to take precedence over the static route when the VPN tunnel is up.
12. When you are finished, click Update. The route settings are configured for the selected SonicWALL appliance(s). To clear all screen settings and start over, click Reset.
1. In the Probe pull-down menu, select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object. For more information, see Configuring Network Monitor on page 210.
2. Typical configurations will not check the Disable route when probe succeeds checkbox, because typically administrators will want to disable a route when a probe to the route's destination fails. This option is provided to give administrators added flexibility for defining routes and probes.
3. Select the Probe default state is UP to have the route consider the probe to be successful (i.e. in the UP state) when the attached Network Monitor policy is in the UNKNOWN state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from IDLE to ACTIVE, because this transition sets all Network Monitor policy states to UNKNOWN.
4. Click Update to apply the configuration.
... packets. The RIPv2 Enabled (broadcast) selection broadcasts packets instead of multicasting packets, and is for heterogeneous networks with a mixture of RIPv1 and RIPv2 routers. To configure RIP, perform the following steps:
1. Expand the Network tree and click RIP (ENH). The RIP (ENH) page displays.
2. Click the Edit icon ( ) for an interface. The Edit Route Advertising Settings dialog box displays.
3. Select the RIP version from the RIP Advertisements list box:
RIPv1 Enabled - first version of RIP.
RIPv2 Enabled (multicast) - sends route advertisements using multicast packets.
RIPv2 Enabled (broadcast) - broadcasts packets instead of multicasting them, for heterogeneous networks with a mixture of RIPv1 and RIPv2 routers.
4. In the Advertise Default Route menu, select Never, When WAN is up, or Always.
5. To advertise static routes that you specified on the Routes page, select the Advertise Static Routes check box.
6. To advertise remote VPN networks that you specified on the Routes page, select the Advertise Remote VPN Networks check box.
7. To set the amount of time between a VPN tunnel state change and the time the change is advertised, enter a value in the Route Change Damp Time field (default: 30 seconds).
8. To specify the number of advertisements that are sent after a route is deleted, enter a value in the Deleted Route Advertisements field (default: 5 advertisements).
9. By default, the connection between this router and its neighbor counts as one hop. However, there are cases where you want to discourage or reduce the use of this route by adding additional hops. To change the hop count of this route, enter the number of hops in the Route Metric field.
10. Optional. If RIPv2 is selected from the Route Advertisements list box, you can enter a value for the Route Tag. This value is implementation-dependent and provides a mechanism for routers to classify the originators of RIPv2 advertisements.
11. Optional. Select from the following RIPv2 Authentication options:
User Defined - Enter 4 hex digits in the Authentication Type field and 32 hex digits in the Authentication Data field.
Cleartext Password - Enter a password (16 characters or less) in the Authentication Password field.
MD5 Digest - Enter a numerical value from 0-255 in the Authentication Key-Id field. Enter a 32 hex digit value for the Authentication Key field, or use the generated key.
12. When you are finished, click Update. The settings are changed for the SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring IP Helper
The IP Helper allows the SonicWALL to forward DHCP requests originating from the interfaces on a SonicWALL to a centralized DHCP server on the behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded with DHCP client requests.
To enable IP Helper and add an IP Helper policy, perform the following steps:
1. Expand the Network tree and click IP Helper. The IP Helper page displays.
2. Select the Enable IP Helper check box. For appliances running SonicOS Enhanced versions lower than 5.5, you can also configure DHCP and NetBIOS support:
3. To enable DHCP support, select Enable DHCP Support.
4. To enable NetBIOS support, select Enable NetBIOS Support.
The following relay protocols are predefined:
Net-Bios NS - UDP port number 137
Net-Bios Datagram - UDP port number 138
DNS - UDP port number 53
Time Service - UDP port number 37
Wake on LAN (WOL)
mDNS - UDP port number 5353; multicast address 224.0.0.251
To enable any of these protocols, select the Enable checkbox and click Update. To configure additional protocols, perform the following steps:
1. Click Add Relay Protocol. The Add Ip Helper Application window displays.
2. Configure the following options:
Name - The name of the protocol. Note that names are case sensitive and must be unique.
Port 1/2 - The unique UDP port number.
Translate IP - Translation of the source IP while forwarding a packet.
Timeout - IP Helper cache timeout in seconds at an increment of 10.
Raw Mode - Unidirectional forwarding that does not create an IP Helper cache. This is suitable for most of the user-defined protocols that are used for discovery, for example WOL/mDNS.
3. Click Update.
1. To add an IP Helper Policy, click Add IP Helper Policy. The Add IP Helper dialog box displays.
2. The policy is enabled by default. To configure the policy without enabling it, clear the Enabled check box.
3. Select DHCP or NetBIOS from the Protocol menu.
4. Select a source Interface or Zone from the From menu.
5. Select a destination IP address or subnet from the To menu.
6. Enter an optional comment in the Comment field.
7. Click OK to add the policy to the IP Helper Policies table. Repeat this procedure for each policy to add.
8. To delete a policy, click the trash can icon next to the policy.
9. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring ARP
ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information. To configure ARP, perform the following steps:
1. Expand the Network tree and click ARP. The ARP page displays.
Publish Entry - Enabling the Publish Entry option in the Add Static ARP window causes the SonicWALL device to respond to ARP queries for the specified IP address with the specified MAC address. This can be used, for example, to have the SonicWALL device reply for a secondary IP address on a particular interface by adding the MAC address of the SonicWALL. See the Secondary Subnet section that follows.
Bind MAC Address - Enabling the Bind MAC Address option in the Add Static ARP window binds the MAC address specified to the designated IP address and interface. This can be used to ensure that a particular workstation (as recognized by the network card's unique MAC address) can only be used on a specified interface on the SonicWALL. Once the MAC address is bound to an interface, the SonicWALL will not respond to that MAC address on any other interface. It will also remove any dynamically cached references to that MAC address that might have been present, and it will prohibit additional (non-unique) static mappings of that MAC address.
Update IP Address Dynamically - The Update IP Address Dynamically setting in the Add Static ARP window is a sub-feature of the Bind MAC Address option. This allows for a MAC address to be bound to an interface when DHCP is being used to dynamically allocate IP addressing. Enabling this option will blur the IP Address field, and will populate the ARP Cache with the IP Address allocated by the SonicWALL's internal DHCP server, or by the external DHCP server if IP Helper is in use.
To configure a secondary subnet:
1. Add a 'published' static ARP entry for the gateway address that will be used for the secondary subnet, assigning it the MAC address of the SonicWALL interface to which it will be connected.
2. Add a static route for that subnet, so that the SonicWALL regards it as valid traffic, and knows to which interface to route that subnet's traffic.
3. Add Access Rules to allow traffic destined for that subnet to traverse the correct network interface.
4. Optional: Add a static route on upstream device(s) so that they know which gateway IP to use to reach the secondary subnet.
... physical address in the ARP Cache. Flushing the ARP Cache allows new information to be gathered and stored in the ARP Cache. Click Flush ARP Cache to clear the information. To configure a specific length of time for the entry to time out, enter a value in minutes in the ARP Cache entry time out (minutes) field.
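The Publish Entry and Bind MAC Address behaviour described above, modelled as an added example that is not part of the guide or of the GMS product; the interface names, addresses and MACs are constructed, and the treatment of static entries on a flush is an assumption:

```python
"""Added example, not from the SonicWALL GMS guide: a small model of the ARP
cache behaviour the guide describes for static entries with Publish Entry and
Bind MAC Address enabled. Interfaces, addresses and MACs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    static: bool = False
    bound: bool = False       # Bind MAC Address option
    published: bool = False   # Publish Entry option


class ArpCache:
    def __init__(self) -> None:
        self.entries: List[ArpEntry] = []
        # MAC -> interface it is bound to (one binding per MAC)
        self.bound_macs: Dict[str, str] = {}

    def add_static(self, ip: str, mac: str, interface: str,
                   bind: bool = False, publish: bool = False) -> ArpEntry:
        """Add Static ARP. With bind=True the MAC is tied to this interface:
        dynamically cached references to it are removed and any further static
        mapping of the same MAC is refused (non-unique mappings prohibited)."""
        mac = mac.lower()
        if bind:
            if mac in self.bound_macs:
                raise ValueError(f"{mac} is already bound to {self.bound_macs[mac]}")
            self.entries = [e for e in self.entries if e.static or e.mac != mac]
            self.bound_macs[mac] = interface
        entry = ArpEntry(ip, mac, interface, static=True, bound=bind, published=publish)
        self.entries.append(entry)
        return entry

    def learn(self, ip: str, mac: str, interface: str) -> bool:
        """Dynamic learning from an ARP reply seen on an interface. Returns
        False when the reply is ignored: the MAC is bound to another interface
        (the appliance does not respond to it elsewhere) or a static entry
        already covers that IP on that interface."""
        mac = mac.lower()
        bound_to = self.bound_macs.get(mac)
        if bound_to is not None and bound_to != interface:
            return False
        for e in self.entries:
            if e.ip == ip and e.interface == interface:
                if e.static:
                    return False
                e.mac = mac
                return True
        self.entries.append(ArpEntry(ip, mac, interface))
        return True

    def answer_query(self, ip: str, interface: str) -> Optional[str]:
        """Publish Entry: the MAC the appliance answers with for an ARP query
        on the given interface, or None when nothing is published for it."""
        for e in self.entries:
            if e.published and e.ip == ip and e.interface == interface:
                return e.mac
        return None

    def lookup(self, ip: str, interface: str) -> Optional[str]:
        for e in self.entries:
            if e.ip == ip and e.interface == interface:
                return e.mac
        return None

    def flush(self) -> int:
        """Flush ARP Cache: drop learned entries so they are gathered afresh.
        Static entries are kept (assumption: the guide does not say)."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.static]
        return before - len(self.entries)
```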
Configuring SwitchPorts
The SwitchPorts page allows you to manage the assignments of ports to PortShield interfaces. A PortShield interface is a virtual interface with a set of ports assigned to it. To configure a SwitchPort, perform the following steps:
1. Expand the Network tree and click SwitchPorts. The SwitchPorts page displays.
2. Click the Edit icon ( ) for the SwitchPort you want to configure. The SwitchPort Configuration window displays.
3. Click on the Port Enable list box and click on either the Enable or Disable option to either activate or deactivate the interfaces in the PortShield interface group.
4. Click on the PortShield interface list box and click on the PortShield interface you created in the previous procedure.
5. Click on the Link Speed list box and click on a throughput speed you want to assign the interface. The choices are:
Auto negotiate
100 Mbps Full Duplex
100 Mbps Half Duplex
10 Mbps Full Duplex
10 Mbps Half Duplex
Note: Do not change this setting from the default of Auto negotiate unless your system requires you to do so. Also, note that for any setting involving the Full Duplex feature to work properly, be sure to configure Full Duplex on both ends of the link. By not having Full Duplex configured on both ends, a duplex mismatch occurs, causing throughput loss.
6. Click on the Rate Limit option and select a value. The rate limit value enables you to throttle traffic coming into the switch. Remember, these values apply to inbound traffic only.
7. Click Ok. Wait for a few seconds. The system then will incorporate the changes you made to the PortShield interface group and add it back to the switch ports list.
Note: The PortShield Groups page is supported on appliances running SonicOS Enhanced versions 5.5 or higher.
1. Navigate to the Network > PortShield Groups page.
2. Click on the Configure icon for the interface you want to assign to a PortShield group. The Edit Switch Port window displays.
Note: Interfaces must be configured before being grouped with PortShield.
3. In the Port Enabled pulldown menu, select whether you want to enable or disable the interface.
4. In the PortShield Interface pulldown menu, select which interface you want to assign as the master interface for the PortShield interface.
5. In the Link Speed pulldown menu, select the link speed for the interfaces.
6. Click OK.
To add a network monitor policy on the SonicWALL security appliance, perform these steps:
1. From the Network > Network Monitor page, click the Add button. The Add Network Monitor Policy window is displayed.
2. Enter the following information to define the network monitor policy:
Name - Enter a description of the Network Monitor policy.
Probe Target - Select the Address Object or Address Group to be the target of the policy. Address Objects may be Host, Group, Range, or FQDN objects. Objects within a Group object may be Host, Range, or FQDN Address Objects. You can dynamically create a new address object by selecting Create New Address Object.
Probe Type - Select the appropriate type of probe for the network monitor policy:
Ping (ICMP) - This probe uses the route table to find the egress interface and next-hop for the defined probe targets. A Ping echo-request is sent out the egress interface with the source IP address of the egress interface. An echo response must return on the same interface within the specified Response Timeout time limit for the ping to be counted as successful.
TCP - This probe uses the route table to find the egress interface and next-hop for the defined probe targets. A TCP SYN packet is sent to the probe target with the source IP address of the egress interface. A successful response will be counted independently for each probe target when the target responds with either a SYN/ACK or RST via the same interface within the Response Timeout time window. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.
Ping (ICMP) - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pull-down menu to send a Ping to the targets. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network.
TCP - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pull-down menu to send a TCP SYN packet to the targets. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.
Next Hop Gateway - Manually specifies the next hop that is used from the outbound interface to reach the probe target. This option must be configured for Explicit Route policies. For non-Explicit Route policies, the probe uses the appliance's route table to determine the egress interface to reach the probe target. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network.
Outbound Interface - Manually specifies which interface is used to send the probe. This option must be configured for Explicit Route policies. For non-Explicit Route policies, the probe uses the appliance's route table to determine the egress interface to reach the probe target.
Port - Specifies the destination port of target hosts for TCP probes. A port is not specified for Ping probes.
Optionally, you can adjust the following thresholds for the probes:
Probe hosts every - The number of seconds between each probe. This number cannot be less than the Reply time out field.
Reply time out - The number of seconds the Network Monitor waits for a response for each individual probe before a missed-probe will be counted for the specific probe target. The Reply time out cannot exceed the Probe hosts every field.
Probe state is set to DOWN after - The number of consecutive missed probes that triggers a host state transition to DOWN.
Probe state is set to UP after - The number of consecutive successful probes that triggers a host state transition to UP.
All Hosts Must Respond - Selecting this checkbox specifies that all of the probe target Host States must be UP before the Policy State can transition to UP. If not checked, the Policy State is set to UP when any of the Host States are UP.
3. Optionally, you can enter a descriptive comment about the policy in the Comment field.
4. Click Update to submit the Network Monitor policy.
5. Then click Update on the Network > Network Monitor page.
When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy. For more information, see Probe-Enabled Policy Based Routing Configuration on page 198.
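The threshold and Policy State rules above, together with the probe-enabled static route options (Disable route when probe succeeds, Probe default state is UP) from the routing procedure earlier in this chapter, as an added example that is not part of the guide or of the GMS product; probe results are constructed booleans, and the DOWN/UNKNOWN aggregation and the treatment of UNKNOWN without the default-UP option are assumptions the guide does not spell out:

```python
"""Added example, not from the SonicWALL GMS guide: a model of the Network
Monitor thresholds the guide describes (Probe hosts every, Reply time out,
DOWN after N misses, UP after N successes, All Hosts Must Respond) and of a
probe-enabled static route that follows the Policy State, including the
Probe default state is UP handling of UNKNOWN. Probe results are constructed
booleans (replied within the timeout or not) rather than real ICMP/TCP probes."""
from dataclasses import dataclass
from typing import Dict, List

UNKNOWN, UP, DOWN = "UNKNOWN", "UP", "DOWN"


@dataclass
class MonitorPolicy:
    name: str
    targets: List[str]
    probe_every: int = 3      # Probe hosts every (seconds)
    reply_timeout: int = 1    # Reply time out (seconds)
    down_after: int = 3       # Probe state is set to DOWN after N misses
    up_after: int = 3         # Probe state is set to UP after N successes
    all_hosts_must_respond: bool = False

    def __post_init__(self) -> None:
        # Guide constraint: Reply time out cannot exceed Probe hosts every.
        if self.reply_timeout > self.probe_every:
            raise ValueError("Reply time out cannot exceed Probe hosts every")
        if self.down_after < 1 or self.up_after < 1:
            raise ValueError("thresholds must be at least 1")
        if not self.targets:
            raise ValueError("a policy needs at least one probe target")


class MonitorState:
    """Per-target consecutive counters and Host States for one policy."""

    def __init__(self, policy: MonitorPolicy) -> None:
        self.policy = policy
        self.host_state: Dict[str, str] = {t: UNKNOWN for t in policy.targets}
        self._hits = {t: 0 for t in policy.targets}
        self._misses = {t: 0 for t in policy.targets}

    def record(self, results: Dict[str, bool]) -> str:
        """Apply one probe round (target -> replied in time) and return the
        Policy State afterwards."""
        for target, replied in results.items():
            if target not in self.host_state:
                raise KeyError(f"{target} is not a target of {self.policy.name}")
            if replied:
                self._hits[target] += 1
                self._misses[target] = 0
                if self._hits[target] >= self.policy.up_after:
                    self.host_state[target] = UP
            else:
                self._misses[target] += 1
                self._hits[target] = 0
                if self._misses[target] >= self.policy.down_after:
                    self.host_state[target] = DOWN
        return self.policy_state()

    def policy_state(self) -> str:
        states = list(self.host_state.values())
        if self.policy.all_hosts_must_respond:
            # Guide: every Host State must be UP before the policy is UP.
            # DOWN as soon as any host is DOWN, else still UNKNOWN (assumption).
            if all(s == UP for s in states):
                return UP
            return DOWN if DOWN in states else UNKNOWN
        # Guide: UP when any host is UP. DOWN only once every host is DOWN,
        # else still UNKNOWN (assumption).
        if UP in states:
            return UP
        return DOWN if all(s == DOWN for s in states) else UNKNOWN


def route_enabled(policy_state: str, disable_when_probe_succeeds: bool = False,
                  probe_default_state_up: bool = False) -> bool:
    """Whether a probe-enabled static route is active. By default the route is
    up while the probe succeeds (UP) and disabled when it fails (DOWN);
    Disable route when probe succeeds inverts that. Probe default state is UP
    makes UNKNOWN count as a success, e.g. right after an HA transition resets
    every policy to UNKNOWN; otherwise UNKNOWN counts as a failure (assumption)."""
    if policy_state == UNKNOWN:
        succeeded = probe_default_state_up
    else:
        succeeded = policy_state == UP
    return not succeeded if disable_when_probe_succeeds else succeeded
```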
Configuring Web Proxy Forwarding on page 223
Configuring Intranet Settings on page 223
Configuring Routing in SonicOS Standard on page 225
Configuring RIP in SonicOS Standard on page 225
Configuring One-to-One NAT on page 229
Configuring Ethernet Settings on page 231
Configuring ARP on page 233
Then configure the settings for the appropriate network addressing mode:
LAN Settings for all Network Addressing Modes on page 213
Standard Mode on page 214
NAT-Enabled Mode on page 215
NAT with DHCP Client Mode on page 217
NAT With PPPoE Client on page 218
NAT With L2TP Client on page 219
NAT With PPTP Client on page 221
Note: Making changes to this page causes the SonicWALL appliance to restart automatically. We recommend scheduling the tasks to run when network activity is low.
1. Enter the IP address assigned to the LAN interface in the SonicWALL LAN IP Address field and the subnet the IP address belongs to in the LAN Subnet Mask field.
2. To add an additional subnet, enter the IP address and subnet in the Network Gateway and Subnet Mask fields and click Add Subnet.
3. Enter the IP address of the router that provides Internet access to the SonicWALL appliance in the WAN Gateway (Router) Address field. The SonicWALL WAN IP Address and WAN Subnet Mask are automatically set to the SonicWALL LAN IP Address and LAN Subnet Mask, respectively.
Standard Mode
When you select Standard Mode (also known as Transparent Mode), Network Address Translation (NAT) is disabled. All nodes on the LAN or WorkPort that will access or be accessed from the Internet must use valid, Internet-accessible IP addresses. To configure a SonicWALL appliance for standard network addressing, perform the following steps:
1. On the Network > Settings page, select Standard from the Network Addressing Mode area.
2. Configure the LAN Settings as described in LAN Settings for all Network Addressing Modes on page 213.
3. Enter the IP addresses of the DNS servers in the DNS Server 1-3 fields.
Note: SonicWALL appliances require the IP address of at least one DNS server to function properly.
4. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
NAT-Enabled Mode
NAT provides anonymity to machines on the LAN or WorkPort by connecting the entire network to the Internet using a single IP address. This provides security to the internal machines by hiding them from the outside world and conserves IP addresses. When using NAT, we recommend using internal network IP addresses from a special range. The following IP address ranges are reserved for private IP networks and are not routed on the Internet:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
If your network uses IP addresses that are not registered to your organization and are not within the private IP address ranges, the servers on the Internet to which those IP addresses belong will not be accessible from your network. For example, if an IP address on your network is 185.5.20.105 and it is not registered to your organization, the server that uses that IP address on the Internet will not be accessible from your network.
Note: If you choose to use NAT, but need to make some machines available to the outside world, use One-to-One NAT. One-to-One NAT maps external IP addresses to private IP addresses. For more information, see Configuring One-to-One NAT on page 229.
To configure a SonicWALL appliance for NAT-enabled network addressing, perform the following steps:
1. On the Network > Settings page, select NAT Enabled from the Network Addressing Mode area.
2. Configure the LAN Settings as described in LAN Settings for all Network Addressing Modes on page 213.
3. Configure the following WAN Settings:
SonicWALL WAN IP (NAT Public) Address - Public IP address used to access the Internet. All activity on the Internet will appear to originate from this address. This IP address must be valid and is generally supplied by your Internet Service Provider (ISP).
WAN Gateway (Router) Address - Address of the router that provides Internet access to the SonicWALL appliance.
4. Enter the IP addresses of the DNS servers in the DNS Server 1-3 fields.
Note: SonicWALL appliances require the IP address of at least one DNS server to function properly.
5. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. On the Network > Settings page, select NAT with DHCP Client from the Network Addressing Mode area.
2. Configure the LAN Settings as described in LAN Settings for all Network Addressing Modes on page 213.
3. The WAN settings and the DNS server IP addresses are automatically provided by the DHCP server of the service provider. You do not need to configure any parameters in the WAN Settings area.
4. In the Other Settings area, enter the name of the DHCP server in the Host Name field.
5. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
When this mode is selected, the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN or WorkPort.
To configure a SonicWALL appliance for NAT with PPPoE, perform the following steps:
1. On the Network > Settings page, select NAT with PPPoE Client from the Network Addressing Mode area.
2. Configure the LAN Settings as described in LAN Settings for all Network Addressing Modes on page 213.
3. Configure the following ISP Settings:
User Name - username provided by the ISP.
Password - password used to authenticate the username with the ISP.
4. Select from the following:
To configure the SonicWALL appliance(s) to dynamically obtain an IP ...
5. To specify how long the SonicWALL appliance waits before disconnecting from the Internet, select the Disconnect after minutes of inactivity checkbox and enter the amount of time in the inactivity field.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
When this mode is selected, the SonicWALL LAN (WorkPort) IP Address is used as the gateway address for computers on the LAN or WorkPort.
To configure a SonicWALL appliance for NAT with L2TP, perform the following steps:
1. On the Network > Settings page, select NAT with L2TP Client from the Network Addressing Mode area.
2. Configure the LAN Settings as described in LAN Settings for all Network Addressing Modes on page 213.
3. Select from the following WAN settings:
To configure the SonicWALL appliance to dynamically obtain an IP ...
SonicWALL WAN IP (NAT Public) Address - Public IP address used to access the Internet. All activity on the Internet will appear to originate from this address. This IP address must be valid and is generally supplied by your Internet Service Provider (ISP).
WAN Gateway (Router) Address - Address of the router that provides Internet access to the SonicWALL appliance.
4. Enter the IP address of the DNS server in the DNS Server 1 field.
5. To specify how long the SonicWALL appliance waits before disconnecting from the Internet, select the Disconnect after minutes of inactivity checkbox and enter the amount of time in the inactivity field.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. On the Network > Settings page, select NAT with PPTP Client from the Network Addressing Mode area.
2. Configure the LAN Settings as described in LAN Settings for all Network Addressing Modes on page 213.
3. Select from the following WAN settings:
To configure the SonicWALL appliance to dynamically obtain an IP ... To renew the IP address, click Renew Lease. To release the IP address, click Release.
To configure the SonicWALL appliance to use fixed settings, select ...
SonicWALL WAN IP (NAT Public) Address - Public IP address used to access the Internet. All activity on the Internet will appear to originate from this address. This IP address must be valid and is generally supplied by your Internet Service Provider (ISP).
WAN Gateway (Router) Address - Address of the router that provides Internet access to the SonicWALL appliance.
4. Enter the IP address of the DNS server in the DNS Server 1 field.
5. Configure the following ISP PPTP Settings:
PPTP Host Name - this information is provided by your ISP.
PPTP Server IP Address - this information is provided by your ISP.
User Name - username provided by the ISP.
User Password - password used to authenticate the username with the ISP.
6. To specify how long the SonicWALL appliance waits before disconnecting from the Internet, select the Disconnect after minutes of inactivity checkbox and enter the amount of time in the inactivity field.
7. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Dynamic DNS forwarding settings are identical in SonicOS Standard and Enhanced. For configuration information, see Configuring Dynamic DNS on page 181 in the SonicOS Enhanced section of this chapter.
Web proxy forwarding settings are identical in SonicOS Standard and Enhanced. For configuration information, see Configuring Web Proxy Forwarding Settings section on page 195 in the SonicOS Enhanced section of this chapter.
Note
Devices connected to the WAN port do not have firewall or content filter protection. To protect these units, install another SonicWALL appliance between the Internet and devices connected to the WAN port of the other SonicWALL appliance.
Although the systems on the WAN and LAN links are separated, they are still on the same subnet. Consequently, you must make the systems on the larger network aware of the systems on the smaller network. To do this, perform the following steps:
1. Expand the Network tree and click Intranet. The Intranet page displays.
2. Specify where the smaller network is attached. If the smaller network is connected to the LAN, select Specified addresses are attached to the LAN link. If the smaller network is connected to the WAN, select the corresponding Specified option for the WAN link. If the SonicWALL appliance is not used for an intranet, select SonicWALL's WAN link is connected to the Internet Router.
3. Enter the IP address or IP address range of a system or group of systems on the smaller network:
To enter a single IP address, enter the IP address in the Addr Range Begin field.
To enter a range of IP addresses, enter the starting IP address in the Addr Range Begin field and the ending IP address in the Addr Range End field.
4. Repeat Step 3 for each IP address or IP address range on the smaller network.
5. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
6. To define which services can be accessed from outside the restricted network segment, see Configuring Firewall Settings in SonicOS Standard on page 269.
1. Expand the Network tree and click Routing. The Routing page displays.
2. Select whether the router is connected to the LAN (WorkPort), WAN, or OPT interface from the Link list box.
3. Enter the destination network IP addresses in the Destination Network and Subnet Mask fields.
4. Enter the IP address of the router in the Gateway field. Click Add Route.
5. Repeat Step 2 through Step 4 for each route that you want to add.
6. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
RIP is not supported by all SonicWALL appliances. To configure RIP, perform the following steps:
1. Expand the Network tree and click RIP. The RIP page displays.
2. Select the RIP version from the RIP Advertisements list box:
RIPv1 Enabled: the first version of RIP.
RIPv2 Enabled (multicast): sends route advertisements using multicast.
3. To advertise static routes that you specified on the Routing page, select the Advertise Static Routes check box.
4. To set the amount of time between a VPN tunnel state change and the time the change is advertised, enter a value in the Route Change Damp Time field (default: 30 seconds).
5. To specify the number of advertisements that are sent after a route is deleted, enter a value in the Deleted Route Advertisements field (default: 5 advertisements).
6. By default, the connection between this router and its neighbor counts as one hop. However, there are cases where you want to discourage or reduce the use of this route by adding additional hops. To change the hop count of this route, enter the number of hops in the Route Metric field.
7. Optional. If RIPv2 is selected from the Route Advertisements list box, you can enter a value in the RIPv2 Route Tag field. This value is implementation-dependent and provides a mechanism for routers to classify the originators of RIPv2 advertisements.
8. Optional. Select from the following RIPv2 Authentication options:
User Defined: enter 4 hex digits in the Authentication Type field and 32 hex digits in the Authentication Data field.
Cleartext Password: enter a password (16 characters or less) in the Authentication Password field.
MD5 Digest: enter a numerical value from 0-255 in the Authentication Key-Id field. Enter a 32 hex digit value for the Authentication Key field, or use the generated key.
9. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Some newer SonicWALL appliances have one or more OPT ports that can be configured as a DMZ port. For more information, see Overview of Interfaces on page 153.
Each server on the DMZ port or HomePort requires a unique, publishable Internet IP address. The ISP that provides your Internet connection should be able to provide these addresses.
1. Expand the Network tree and click DMZ Addresses or HomePort Addresses. The DMZ/HomePort Addresses page displays.
2. If the devices on the DMZ or HomePort will use NAT, select OPT in Standard Mode. Then, enter the starting IP address in the Addr Range Begin field, the ending IP address in the Addr Range End field, and click Add Range. Repeat this step for each range of IP addresses. To enter a single IP address, enter the IP address in the Addr Range Begin field.
The LAN (WorkPort) and OPT can have the same subnet mask, but the subnets must be different. For instance, the LAN subnet can be 192.168.0.1 with a subnet mask of 255.255.255.0, and the DMZ subnet can be 172.16.18.1 with a subnet mask of 255.255.255.0.
3. To define a DMZ or HomePort public IP address that will be used to access devices on the DMZ interface, enter an IP address in the OPT NAT Many to One Public Address field (Optional).
4. Enter a single IP address in the Addr Range Begin field, or enter a range of IP addresses in the Addr Range Begin field and the Addr Range End field.
5. Click Add Range.
6. To enter additional IP addresses and IP address ranges, repeat Steps 3 and 4.
7. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
One-to-One NAT example table (columns: LAN Address, WAN Address, Accessed Via). The NAT public IP address 209.19.28.17 is marked inaccessible; 209.19.28.18 through 209.19.28.31 are marked No corresponding IP address. [...]
1. Expand the Network tree and click One-to-One NAT. The One-to-One NAT page displays.
Figure 4 One-to-One NAT Page
2. Select the Enable One-to-One NAT check box.
3. Enter the first IP address of the internal IP address range in the Private Range Begin field.
4. Enter the first corresponding external IP address in the Public Range Begin field.
5. Enter the number of IP addresses in the range in the Range Length field.
6. Click Add Range.
7. To add additional IP address ranges, repeat Step 3 through 6 for each range. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note: Do not include the NAT Public IP Address in a range.
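The three fields above (Private Range Begin, Public Range Begin, Range Length) define a table that must map both ways and must never swallow the NAT Public IP Address named in the note. The following Python example is added here to show those rules as checks; it is not code from the guide or from SonicWALL. The private addresses and the range length are constructed, and the public addresses are the ones shown in the table above, with 209.19.28.17 taken as the NAT public IP.

```python
from ipaddress import IPv4Address


class OneToOneNat:
    """Bidirectional one-to-one NAT table built from (Private Range Begin,
    Public Range Begin, Range Length) entries, as on the One-to-One NAT page."""

    def __init__(self, nat_public_ip: str):
        # The many-to-one NAT public address: the note says it must never
        # fall inside a one-to-one range, so every add is checked against it.
        self.nat_public_ip = IPv4Address(nat_public_ip)
        self.ranges = []  # list of (private_begin, public_begin, length)

    def check_range(self, private_begin: str, public_begin: str, length: int):
        """Return a reason string if the range would be invalid, else None."""
        priv = IPv4Address(private_begin)
        pub = IPv4Address(public_begin)
        if length < 1:
            return "Range Length must be at least 1"
        priv_last, pub_last = priv + (length - 1), pub + (length - 1)
        if pub <= self.nat_public_ip <= pub_last:
            return f"range {pub}-{pub_last} includes the NAT Public IP Address {self.nat_public_ip}"
        for p, q, n in self.ranges:
            # Overlap on either side would make the mapping ambiguous
            if priv <= p + (n - 1) and p <= priv_last:
                return "private range overlaps an existing range"
            if pub <= q + (n - 1) and q <= pub_last:
                return "public range overlaps an existing range"
        return None

    def add_range(self, private_begin: str, public_begin: str, length: int) -> None:
        problem = self.check_range(private_begin, public_begin, length)
        if problem:
            raise ValueError(problem)
        self.ranges.append((IPv4Address(private_begin), IPv4Address(public_begin), length))

    def to_public(self, private_ip: str):
        """Outbound translation; None means the host is not in a one-to-one range."""
        ip = IPv4Address(private_ip)
        for priv, pub, n in self.ranges:
            offset = int(ip) - int(priv)
            if 0 <= offset < n:
                return str(pub + offset)
        return None

    def to_private(self, public_ip: str):
        """Inbound translation; None means nothing is published at that address."""
        ip = IPv4Address(public_ip)
        for priv, pub, n in self.ranges:
            offset = int(ip) - int(pub)
            if 0 <= offset < n:
                return str(priv + offset)
        return None


def build_sample_table() -> OneToOneNat:
    # Constructed sample: 209.19.28.17 is the NAT public IP, so the first
    # usable public address is .18. Private .10-.12 map to public .18-.20.
    nat = OneToOneNat("209.19.28.17")
    nat.add_range("192.168.0.10", "209.19.28.18", 3)
    return nat
```

A host outside every range (192.168.0.50 in the test below) translates to None, which is the case the many-to-one NAT address handles; a range that would start at 209.19.28.16 with length 4 is refused because it covers .17.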
1. Expand the Network tree and click Ethernet. The Ethernet page displays.
2. To specify WAN link settings, select Force and select the speed and duplex settings.
3. To specify OPT link settings, select Force and select the speed and duplex settings.
4. To specify LAN link settings, select Force and select the speed and duplex settings.
5. If you are managing the Ethernet connection from the LAN (WorkPort) side of your network, select the Proxy Management Workstation Ethernet Address on WAN check box. The SonicWALL appliance will take the Ethernet address of the computer that is managing the SonicWALL appliance and will proxy the address on the WAN port of the SonicWALL. If you are not managing the SonicWALL appliance from the LAN side of your network, the firmware looks for a random computer on the LAN, which can be a lengthy search process.
6. To limit the size of packets sent over the Ethernet WAN interface, select the Fragment Outbound Packets Larger than the WAN MTU check box and enter the maximum size in the WAN MTU field. If the maximum transmission unit (MTU) size is too large for a remote router, it may require more transmissions. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be processed. The default WAN MTU is 1,500.
7. To enable bandwidth management, select the Enable check box and enter the bandwidth of the connection in the Available Bandwidth field.
8. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring ARP
Note
ARP settings are identical in SonicOS Standard and Enhanced. For configuration information, see Configuring ARP on page 203 in the SonicOS Enhanced section of this chapter.
Understanding the Network Access Rules Hierarchy section on page 235
Configuring Firewall Settings in SonicOS Enhanced section on page 237
Configuring Firewall Settings in SonicOS Standard section on page 269
Firewall rules take precedence over the default UTM functions. Because it is possible to disable all protection or block all access to the Internet, use caution when creating or deleting network access rules. Network access rules do not disable protection from Denial of Service attacks such as SYN Flood, Ping of Death, LAND, and so on. However, it is possible to create vulnerabilities to attacks that exploit application weaknesses.
SonicWALL GMS 6.0 Administrators Guide
It is important to consider the purpose and ramifications of a rule before adding it to the firewall rule list. Use the following guidelines to determine the rule logic:
What is the purpose of the rule? For example, "This rule will restrict all Internet Relay Chat (IRC) access from the LAN (WorkPort) to the Internet." Or, "This rule will allow a remote Lotus Notes server to synchronize with our internal Notes server via the Internet."
Will the rule allow or deny traffic?
What is the flow of the traffic: LAN (WorkPort) to Internet or Internet to LAN (WorkPort)?
Which IP services will be affected?
Which computers on the LAN (WorkPort) will be affected?
Which computers on the Internet will be affected? Be as specific as possible. For example, if traffic is being allowed from the Internet to the LAN (WorkPort), it is better to only allow specific computers to access the LAN or WorkPort.
Will this rule stop LAN (WorkPort) users from accessing important resources on the Internet? For example, if IRC is blocked, are there users who require this service?
Can the rule be modified to be more specific? For example, if IRC is blocked for all users, will a rule that only blocks certain users be more effective?
Will this rule allow Internet users to access LAN or WorkPort resources in a way that makes the LAN vulnerable? For example, if NetBIOS ports (UDP 137, 138, 139) are allowed from the Internet to the LAN, Internet users may be able to connect to PCs that have file sharing enabled.
Does this rule conflict with other rules? Specific rules override general rules. Equally specific Deny rules override Allow rules.
For example: a rule defining a specific service is more specific than the Default rule; a defined Ethernet link, such as LAN (WorkPort), or WAN, is more specific than * (all); and a single IP address is more specific than an IP address range.
Rules are listed in the LAN (WorkPort) Interface window from most specific to the least specific, and rules at the top override rules listed below. To illustrate this, consider the rules shown below:
Table 4 Sample Rules. Columns: #, Action, Service, Source, Destination. Rows 1 through 7; the destination entries include 206.18.25.4 (LAN), 199.2.23.0 - 199.2.23.255 (WAN), 216.37.125.0 - 216.37.125.255 (WAN), WAN, *, and LAN (WorkPort). [...]
The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN (WorkPort) out to the WAN. However, Rule #5 blocks all NNTP traffic from the LAN (WorkPort). The Default Deny Rule (#6) blocks traffic from the WAN to the LAN (WorkPort). However, Rule #4 overrides part of this rule by allowing Lotus Notes into the LAN (WorkPort) from the WAN.
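To make the precedence rules concrete, the following Python example is added here; it is not code from the guide or from the SonicWALL product. It orders a rule set by specificity (single IP over address range over interface over *, plus one point for a named service) and, among equally specific matches, lets Deny win, then returns the rule that decides a packet. The rule set reproduces rules 4 to 7 as the paragraph above describes them; the service names "Lotus Notes" and "NNTP", the packet addresses and the Packet/Rule types are assumptions, and rules 1 to 3 are left out because the table did not survive.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network

ANY = "*"
INTERFACES = {"LAN (WorkPort)", "WAN", "OPT"}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str       # "Allow" or "Deny"
    service: str      # service object name, or "*" for all services
    source: str       # single IP, "a - b" range, CIDR, interface name, or "*"
    destination: str


@dataclass(frozen=True)
class Packet:
    service: str
    src_ip: str
    src_iface: str
    dst_ip: str
    dst_iface: str


def _parse_endpoint(spec: str):
    """Classify an endpoint spec as 'any', 'iface', 'range', 'net' or 'ip'."""
    if spec == ANY:
        return "any", None
    if spec in INTERFACES:
        return "iface", spec
    if " - " in spec:                      # the guide's "199.2.23.0 - 199.2.23.255" form
        lo, hi = (IPv4Address(p.strip()) for p in spec.split(" - ", 1))
        return "range", (lo, hi)
    if "/" in spec:
        return "net", ip_network(spec, strict=False)
    return "ip", IPv4Address(spec)


def _endpoint_specificity(spec: str) -> int:
    # Ordering stated in the guide: single IP > address range > interface > * (all)
    return {"any": 0, "iface": 1, "range": 2, "net": 2, "ip": 3}[_parse_endpoint(spec)[0]]


def _endpoint_matches(spec: str, ip: str, iface: str) -> bool:
    kind, value = _parse_endpoint(spec)
    addr = IPv4Address(ip)
    if kind == "any":
        return True
    if kind == "iface":
        return iface == value
    if kind == "range":
        return value[0] <= addr <= value[1]
    if kind == "net":
        return addr in value
    return addr == value


def specificity(rule: Rule) -> int:
    return ((rule.service != ANY) + _endpoint_specificity(rule.source)
            + _endpoint_specificity(rule.destination))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.service == ANY or rule.service == pkt.service)
            and _endpoint_matches(rule.source, pkt.src_ip, pkt.src_iface)
            and _endpoint_matches(rule.destination, pkt.dst_ip, pkt.dst_iface))


def ordered(rules):
    """Most specific first; among equally specific rules Deny precedes Allow."""
    return sorted(rules, key=lambda r: (-specificity(r), r.action != "Deny", r.number))


def evaluate(rules, pkt: Packet):
    """The first rule in precedence order that matches decides the packet; None if no rule matches."""
    for rule in ordered(rules):
        if rule_matches(rule, pkt):
            return rule
    return None


# Constructed rule set standing in for rules 4 to 7 of Table 4 as the text describes them.
SAMPLE_RULES = [
    Rule(4, "Allow", "Lotus Notes", "WAN", "LAN (WorkPort)"),
    Rule(5, "Deny", "NNTP", "LAN (WorkPort)", "WAN"),
    Rule(6, "Deny", ANY, "WAN", "LAN (WorkPort)"),   # Default Deny
    Rule(7, "Allow", ANY, "LAN (WorkPort)", "WAN"),  # Default Allow
]
```

With this ordering, NNTP from the LAN hits rule 5 before the Default Allow, and Lotus Notes from the WAN hits rule 4 before the Default Deny, which is the behaviour the paragraph describes.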
Configuring Firewall Rules in SonicOS Enhanced on page 238
Configuring Multicast Settings on page 247
Configuring Advanced Firewall Settings on page 245
Configuring Voice over IP Settings on page 249
Configuring TCP Settings on page 251
Configuring Quality of Service Mapping on page 254
Configuring SSL Control on page 265
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the UTM tree and click Access Rules. The Access Rules page displays. The Firewall > Access Rules page enables you to select multiple views of Access Rules, including Drop-down boxes, Matrix, and All Rules. The default view is the Matrix View, which provides a matrix of source and destination nodes between LAN, WAN, VPN, Multicast, and WLAN.
3. From the Matrix View, click the Edit icon for the source and destination interfaces for which you will configure a rule. The Access Rules table for that interface pair displays.
4. Below the Access Rules table, click Add Rule. The Add Rule dialog box displays.
5. Select whether access to this service will be allowed or denied.
Note
If a policy has a No-Edit policy action, the Action radio buttons will not be editable.
6. Select a service from the Service Name list box. If the service does not exist, see Configuring Service Objects on page 242.
7. Select the source Address Object from the Source list box.
8. Select the destination Address Object from the Destination list box.
9. Specify if this rule applies to all users or to an individual user or group in the Users Allowed list box.
10. Specify when the rule will be applied by selecting a schedule or Schedule Group from the Schedule list box. If the rule will always be applied, select Always on. If the schedule does not exist, see Configuring Schedules on page 141.
11. To enable logging for this rule, select the Logging check box.
12. Check the Allow Fragmented Packets checkbox to allow fragmented packets.
Caution
Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. You should only enable the Allow Fragmented Packets check box if users are experiencing problems accessing certain applications and the SonicWALL logs show many dropped fragmented packets.
13. Add any comments to the Comment field.
14. Click the Advanced tab.
15. Specify how long (in minutes) TCP connections may remain idle before the connection is terminated.
16. Specify how long (in seconds) UDP connections may remain idle before the connection is terminated in the UDP Connectivity Inactivity Timeout field.
17. Specify the percentage of the maximum connections this rule is to allow in the Number of connections allowed (% of maximum connections) field.
18. Click the QoS tab. For information on configuring the QoS tab, see Configuring Quality of Service Mapping on page 254.
20. SonicWALL appliances can manage inbound and outbound traffic. Enter the amount of bandwidth that will always be available to this service in the Guaranteed Bandwidth field, and select either % or Kbps in the drop-down list. Keep in mind that this bandwidth will be permanently assigned to this service and not available to other services, regardless of the amount of bandwidth this service does or does not use. Enter the maximum amount of bandwidth that will be available to this service in the Maximum Bandwidth field. Select the priority of this service from the Bandwidth Priority list box. Select a priority from 0 (highest) to 7 (lowest).
22. To enable inbound bandwidth management for this service, select the corresponding check box, then configure the Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority settings for inbound traffic as described in the previous step.
Note
In order to configure bandwidth management for this service, bandwidth management must be enabled on the SonicWALL appliance. For information on configuring bandwidth management in SonicOS Standard, see Configuring Ethernet Settings on page 231. For SonicOS Enhanced, see Overview of Interfaces on page 153.
23. To track bandwidth usage for this service, select the Enable Tracking option.
24. To add this rule to the rule list, click OK. You are returned to the Access Rules page.
25. If the network access rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic and allow all outbound IP traffic. To restore the network access rules to their default settings, click Restore Rules to Defaults and then click Update. A task is scheduled to update the rules page for each selected SonicWALL appliance.
26. To modify a rule, click its Edit icon. The Add/Modify Rule dialog box displays. When you are finished making changes, click OK. SonicWALL GMS creates a task that modifies the rule for each selected SonicWALL appliance.
27. To enable logging for a rule, select its Logging check box.
28. To disable a rule without deleting it, deselect its Enable check box.
29. To delete a rule, click its trash can icon. SonicWALL GMS creates a task that deletes the rule for each selected SonicWALL appliance.
1. Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced.
2. Expand the Firewall tree and click Service Objects.
4. Enter the name of the service in the Name field.
5. Select the type of protocol from the Protocol drop-down list.
6. Enter the starting and ending port for the service in the Port Range fields. For a service that uses a single port, type the port number into the first field.
7. Click OK. The service is added and appears in the Custom Services section.
Note
Although most default services can not be edited or deleted, you can edit or delete custom services by clicking the edit or delete buttons that correspond to the desired custom service.
1. To add a service group, click the Add Group button on the Service Objects page. The Add Service Group dialog box displays.
2. Enter a name for the service group in the Name field.
3. To add a service, select it and click the right arrow button.
4. To remove a service, select it and click the left arrow button.
5. Click OK. The service group is added.
Note
Service Groups can be edited or deleted by clicking the Edit or Trashcan icons that correspond to the desired Service Group.
1. Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced.
2. Expand the Firewall tree and click Advanced. The Advanced page displays.
3. To enable stealth mode, select the Enable Stealth Mode check box. During normal operation, SonicWALL appliances respond to incoming connection requests as either blocked or open. During stealth operation, SonicWALL appliances do not respond to inbound requests, making the appliances invisible to potential hackers.
4. To configure the SonicWALL appliance(s) to generate random IP IDs, select the Randomize IP ID check box. This prevents hackers from using various detection tools to fingerprint IP IDs and detect the presence of a SonicWALL appliance.
5. Select Decrement IP TTL for forwarded traffic to decrease the Time-to-live (TTL) value for packets that have been forwarded and therefore have already been in the network for some time. TTL is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded.
6. Select Never generate ICMP Time-Exceeded packets if you do not want the SonicWALL appliance to generate these reporting packets. The SonicWALL appliance generates Time-Exceeded packets to report when it has dropped a packet because its TTL value has decreased to zero.
7. Select the dynamic ports that will be supported from the Dynamic Ports area:
Enable support for Oracle (SQLNet): select this option if you have Oracle SQLNet applications.
RTSP: select this option for on-demand delivery of real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an application-level protocol for control over delivery of data with real-time properties.
8. The Drop Source Routed Packets check box is selected by default. Clear the check box if you are testing traffic between two specific hosts and you are using source routing.
9. Select Disable Anti-Spyware, Gateway AV and IPS Engine if you want to enable more connections at the expense of the Gateway Anti-Virus and Intrusion Prevention services. This is generally not recommended because it opens the SonicWALL security appliance to possible threats.
10. To specify how long the SonicWALL appliance(s) wait before closing inactive TCP connections outside the LAN, enter the amount of time in the Default Connection Timeout field (default: 25 minutes). The Connection Inactivity Timeout option disables connections outside the LAN if they are idle for a specified period of time. Without this timeout, connections can stay open indefinitely and create potential security holes.
11. Select the Force inbound and outbound FTP data connections to use default port 20 check box to specify that any FTP data connection through the SonicWALL must come from port 20 or the connection will be dropped and logged. By default, FTP connections from port 20 are allowed, but remapped to outbound traffic ports such as 1024.
12. Under IP, UDP Checksum Enforcement, select one or both checkboxes to force the SonicWALL to perform checksums on IP packet headers and on UDP packets. Packets with invalid checksums will be dropped. This helps to prevent attacks that involve falsification of header fields that define important characteristics of the packet.
13. To specify how long the SonicWALL appliance(s) wait before closing inactive UDP connections outside the LAN, enter the amount of time in the Default UDP Connection Timeout field.
14. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
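Step 12 is easier to reason about with the arithmetic in front of you: the IP header checksum is the RFC 1071 one's complement sum, and a header that has been altered after the checksum was computed no longer sums to all ones. The Python example below is added here to show that check, and the same check over the UDP pseudo-header; it is not code from the guide or from the SonicWALL firmware. The packet, its addresses and ports are constructed sample data, and the tampered copies (a rewritten TTL, a changed payload byte) illustrate the "falsification of header fields" the step mentions. The same computation underlies the TCP checksum validation described under Configuring TCP Settings, with the TCP segment in place of the UDP one.

```python
import struct
from ipaddress import IPv4Address

IP_HEADER_LEN = 20
PROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header_valid(packet: bytes) -> bool:
    """A header whose stored checksum is correct sums to 0xFFFF, so its checksum is 0."""
    ihl = (packet[0] & 0x0F) * 4
    return internet_checksum(packet[:ihl]) == 0


def udp_checksum_valid(packet: bytes) -> bool:
    """Verify the UDP checksum over pseudo-header + UDP header + payload.
    A zero checksum means 'not computed' in IPv4 UDP, so there is nothing to
    enforce; the function reports such datagrams as valid, which is the gap
    an administrator relying on this option should know about."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return True
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, PROTO_UDP, len(udp))
    return internet_checksum(pseudo + udp) == 0


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a well-formed IPv4/UDP packet (constructed sample data, not a capture)."""
    udp_len = 8 + len(payload)
    udp_no_sum = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, PROTO_UDP, udp_len)
    udp_sum = internet_checksum(pseudo + udp_no_sum) or 0xFFFF   # RFC 768: a computed 0 is sent as 0xFFFF
    udp = udp_no_sum[:6] + struct.pack("!H", udp_sum) + payload
    hdr_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER_LEN + udp_len, 0x1234, 0x4000,
                             ttl, PROTO_UDP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr_sum = internet_checksum(hdr_no_sum)
    return hdr_no_sum[:10] + struct.pack("!H", hdr_sum) + hdr_no_sum[12:] + udp


def enforcement_verdict(packet: bytes) -> str:
    """Mirror the 'IP, UDP Checksum Enforcement' decision: drop on any invalid checksum."""
    if not ip_header_valid(packet):
        return "drop: bad IP header checksum"
    if not udp_checksum_valid(packet):
        return "drop: bad UDP checksum"
    return "forward"


# Constructed sample: a small UDP datagram from a LAN host to a resolver on port 53.
GOOD = build_udp_packet("192.168.0.25", "198.51.100.53", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
# Header field forged after the fact (TTL rewritten to 1) without recomputing the checksum.
FORGED_TTL = GOOD[:8] + b"\x01" + GOOD[9:]
# Payload altered in transit without recomputing the UDP checksum.
ALTERED_PAYLOAD = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])
```

An attacker who rewrites a header field and recomputes the checksum is not caught by this check; it defends against corruption and sloppy forgery, not against a correctly re-summed packet, which is why it complements rather than replaces the other inspection features on this page.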
1. Select the global icon, a group, or a SonicWALL appliance. At unit level, the Multicast screen is available only for UTM appliances with SonicOS Enhanced firmware version 2.5 and higher.
2. Expand the Firewall tree and click Multicast. The Multicast page displays.
3. To enable multicast, select the Enable Multicast check box.
4. Configure the following options:
Require IGMP Membership reports for multicast data forwarding: this checkbox is enabled by default. Select this checkbox to improve performance by regulating multicast data to be forwarded only to interfaces belonging to an enabled multicast group address.
Multicast state table entry timeout (minutes): this field has a default of 5. The value range for this field is 5 to 60 (minutes). Increase the value if you have a client that is not sending reports periodically.
5. Select whether to enable reception of all multicast addresses. Receiving all multicast addresses may cause your network to experience performance degradation. To receive only specific addresses, select Enable reception for the following multicast addresses and select Create a new multicast object or Create new multicast group from the list box.
6. To view the IGMP State Information, click Request IGMP State Information. The following information displays:
Multicast Group Address: provides the multicast group address.
IGMP Version: provides the IGMP version (such as V2 or V3).
Time Remaining: provides the remaining time left for the multicast session. This is calculated by subtracting the elapsed time since the multicast address was added from the Multicast state table entry timeout (minutes) value, which has the default value of 5 minutes.
7. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click VoIP. The VoIP page displays.
3. To enable secure NAT, select the Use secure NAT check box.
4. Select Enable SIP Transformations to support translation of Session Initiation Protocol (SIP) messages.
Tip
By default, NAT translates Layer 3 addresses, but does not translate Layer 5 SIP/SDP addresses. Unless there is another NAT traversal solution that requires this feature to be turned off, it is highly recommended to enable SIP transformations.
A further check box permits non-SIP packets on the SIP signaling port for applications such as Apple iChat and MSN Messenger, which use the SIP signaling port for additional proprietary messages. Enabling this checkbox may open your network to malicious attacks caused by malformed or invalid SIP traffic. This checkbox is disabled by default.
(SonicOS Enhanced only) Select the Enable SIP Back-to-Back User Agent (B2BUA) support setting when the SonicWALL security appliance can see both legs of a voice call (for example, when a phone on the LAN calls another phone on the LAN). This setting should only be enabled when the SIP Proxy Server is being used as a B2BUA.
Tip
If there is no possibility of the SonicWALL security appliance seeing both legs of voice calls (for example, when calls will only be made to and received from phones on the WAN), the Enable SIP Back-to-Back User Agent (B2BUA) support setting should be disabled to avoid unnecessary CPU usage.
SIP Signaling inactivity time out (seconds): specifies the period of time that must elapse before timing out an inactive SIP session if no SIP signaling occurs (default: 1800 seconds or 30 minutes).
SIP Media inactivity time out (seconds): specifies the period of time that must elapse before timing out an inactive SIP session if no media transfer activity occurs (default: 120 seconds or 2 minutes).
The Additional SIP signaling port (UDP) for transformations setting allows you to specify a nonstandard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VoIP services use different ports, such as 1560. Using this setting, the security appliance performs SIP transformation on these non-standard ports.
Tip
Vonage's VoIP service uses UDP port 5061.
5. Select Enable H.323 Transformations to allow stateful H.323 protocol-aware packet content inspection and modification by the SonicWALL. The SonicWALL performs any dynamic IP address and transport port mapping within the H.323 packets, which is necessary for communication between H.323 parties in trusted and untrusted networks/zones. Clear this check box to bypass the H.323 specific processing performed by the SonicWALL.
A further option specifies that the appliance will support Lightweight Directory Access Protocol (LDAP) and Microsoft Netmeeting's Internet Locator Service (ILS).
H.323 Signaling/Media inactivity time out (seconds): specifies how long the SonicWALL appliance waits before closing a connection when no activity is occurring.
Default WAN/DMZ Gatekeeper IP Address: specifies the IP address of the H.323 Gatekeeper that acts as a proxy server between clients on the private network and the Internet.
6. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
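The Tip under step 4 is the whole reason SIP transformations exist: plain NAT rewrites the IP header, but the phone's private address is also written inside the SIP headers and the SDP body, where the far end will read it and reply to an unroutable host. The Python example below is added to show what a Layer 5 rewrite has to touch; it is not code from the guide or from the SonicWALL firmware. The INVITE, the addresses 192.168.1.20 and 203.0.113.5, the media port mapping and the choice to rewrite the From header alongside Via and Contact are all constructed assumptions for the example. Note that Content-Length has to be recomputed, because the public address is a different length from the private one.

```python
import re

PRIVATE_IP = "192.168.1.20"   # the phone's address on the LAN (constructed)
PUBLIC_IP = "203.0.113.5"     # the NAT public address (constructed)

# Constructed sample INVITE as a phone behind NAT would send it: every address is
# the private IP, which is meaningless on the far side of the NAT.
SAMPLE_HEADERS = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@192.168.1.20>;tag=1928\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
)
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def assemble(headers: str, body: str) -> str:
    """Join SIP headers and body, setting Content-Length to the body's byte length."""
    body_len = len(body.encode())
    headers = re.sub(r"(?mi)^Content-Length:[^\r\n]*", f"Content-Length: {body_len}", headers)
    return headers + "\r\n" + body


def parse(message: str):
    """Split a SIP message into (request line, {header name: value}, body)."""
    head, body = message.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sip_transform(message: str, private_ip: str, public_ip: str, media_port_map: dict) -> str:
    """Rewrite the Layer 5 addresses that plain NAT leaves alone: Via/From/Contact
    hosts, the SDP o= and c= lines, and m= media ports, then fix Content-Length.
    The Request-URI and To header name the far end, so they are left untouched."""
    head, body = message.split("\r\n\r\n", 1)
    new_headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].lower()
        if name in ("via", "from", "contact"):
            line = line.replace(private_ip, public_ip)
        new_headers.append(line)
    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            parts = line.split(" ")
            port = int(parts[1])
            parts[1] = str(media_port_map.get(port, port))   # RTP port as opened on the NAT
            line = " ".join(parts)
        new_body.append(line)
    return assemble("\r\n".join(new_headers) + "\r\n", "\r\n".join(new_body))


SAMPLE_INVITE = assemble(SAMPLE_HEADERS, SAMPLE_SDP)
```

The media port map is the piece a firewall must also act on: having rewritten m=audio to the public port, it has to open that port for the RTP stream, which is what the page calls dynamic transport port mapping.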
Select the global icon, a group, or a SonicWALL appliance. At unit level, the TCP Settings screen is available only for UTM appliances with SonicOS Enhanced firmware version 3.0 and higher.
2.
Expand the Firewall tree and click TCP Settings. The TCP Settings page displays.
251
3.
Select Enforce strict TCP compliance with RFC 793 and RFC 1122 to force VoIP traffic to comply with RFC 793 (TCP) and RFC 1122 (Internet Hosts, including Link and IP layers) standards. Select Enable TCP Checksum Validation to drop any packets with invalid TCP checksums. Enter a value for the Default TCP Connection Timeout. This is the default time assigned to Access Rules for TCP traffic. If a TCP session is active for a period in excess of this setting, the TCP connection will be cleared by the SonicWALL.
4. 5.
Note
Setting excessively long connection time-outs will slow the reclamation of stale resources, and in extreme cases could lead to exhaustion of the connection cache. Specify the Maximum Segment Lifetime to set the number of seconds that any TCP packet is valid before it expires. This setting is also used to determine the amount of time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange has occurred to cleanly close the TCP connection. Configure the Layer 3 SYN Flood Protection options. Select the desired level of protection against half-opened TCP sessions and high-frequency SYN packet transmissions:
Watch and Report Possible SYN FloodsThis option enables the
6.
7.
device to monitor SYN traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds a packet count threshold. The feature does not turn on the SYN Proxy on the device so the device forwards the TCP three-way handshake without modification. This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high risk environment.
Proxy WAN Client Connections When Attack is SuspectedThis
option enables the device to enable the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second surpasses a specified threshold. This method ensures the device continues to process valid traffic during the attack and that performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop occurring or until the device blacklists all of them using the SYN Blacklisting feature. This is the intermediate level of SYN Flood protection. Select this option if your network experiences SYN Flood attacks from internal or external sources.
252
device to always use SYN Proxy. This method blocks all spoofed SYN packets from passing through the device. Note that this is an extreme security measure and directs the device to respond to port scans on all TCP ports because the SYN Proxy feature forces the device to respond to all TCP SYN connection attempts. This can degrade performance and can generate a false positive. Select this option only if your network is in a high risk environment.
8.
Configure the SYN Attack Threshold. The appliance gathers statistics on WAN TCP connections, keeping track of the maximum and average maximum and incomplete WAN connections per second. Out of these statistics, the device suggests a value for the SYN flood threshold in the Suggested value calculated from gathered statistics field. Enter the desired threshold for the number of incomplete connection attempts per second before the device drops packets in the Attack Threshold field. Configure the SYN-Proxy Options:
All LAN/DMZ servers support the TCP SACK optionThis
9.
checkbox enables Selective ACK where a packet can be dropped and the receiving device indicates which packets it received. Enable this checkbox only when you know that all servers covered by the UTM appliance accessed from the WAN support the SACK option.
Limit MSS sent to WAN clients (when connections are
proxied)Enables you to enter the maximum Minimum Segment Size value. If you specify an override value for the default of 1460, this indicates that a segment of that size or smaller will be sent to the client in the SYN/ACK cookie. Setting this value too low can decrease performance when the SYN Proxy is always enabled. Setting this value too high can break connections if the server responds with a smaller MSS value. The default is 1460.
Note
When using Proxy WAN client connections, remember to set these options conservatively since they only affect connections when a SYN Flood takes place. This ensures that legitimate connections can proceed during an attack.
Always log SYN packets receivedLogs all SYN packets received.
253
Blacklisting options configure how the appliance deals with devices that exceed the SYN, RST, and FIN blacklist attack threshold:
Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec): The maximum number of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should be larger than the SYN Proxy threshold value, because blacklisting is meant to stop more vigorous local attacks or severe attacks from a WAN network, not ordinary bursts that the SYN Proxy already absorbs.
Enable SYN/RST/FIN flood blacklisting on all interfaces: This checkbox enables the blacklisting feature on all interfaces on the UTM appliance.
Never blacklist WAN machines: This checkbox ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended, as leaving it unchecked may interrupt traffic to and from the UTM appliance's WAN ports.
Always allow SonicWALL management traffic: This checkbox causes IP traffic from a blacklisted device targeting the UTM appliance's WAN IP addresses not to be filtered. This allows management traffic and routing protocols to maintain connectivity through a blacklisted device.
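The relationship between the SYN Proxy attack threshold, the higher blacklist threshold, and the two exemptions above can be checked against a packet capture. The following Python is an added example and not SonicWALL code; it does not reproduce the appliance's own algorithm, which this guide does not describe. The per-second counting, the "larger than the SYN Proxy threshold" rule, the Never blacklist WAN machines exemption and the management-traffic exemption are modelled as the page describes them. The 1,000 per second blacklist default is the page's; the 300 per second attack threshold, the addresses and the one-second capture are constructed for the example.

```python
"""Added example: SYN-proxy and SYN/RST/FIN blacklist thresholds applied to a
constructed capture. Not SonicWALL code; the appliance's internal algorithm is
not published on this page."""
from collections import Counter, defaultdict

# 1,000/sec is the page's blacklist default; the attack threshold and every
# address below are constructed for the example.
ATTACK_THRESHOLD = 300
BLACKLIST_THRESHOLD = 1000
APPLIANCE_WAN_IPS = frozenset({"203.0.113.1"})
WAN_HOSTS = frozenset({"198.51.100.9"})


def validate_thresholds(attack_threshold, blacklist_threshold):
    """The page requires the blacklist threshold to exceed the SYN proxy threshold;
    otherwise a source would be blacklisted before the proxy ever engaged."""
    return blacklist_threshold > attack_threshold


def incomplete_per_second(packets):
    """Count connection attempts per second that never completed.
    packets: list of (second, src_ip, dst_ip, flags), flags a frozenset of TCP
    flag names. A bare SYN counts as incomplete when no bare ACK from the same
    src/dst pair appears anywhere in the capture (a simplification)."""
    completed = {(s, d) for _, s, d, f in packets if f == frozenset({"ACK"})}
    counts = Counter()
    for sec, src, dst, flags in packets:
        if flags == frozenset({"SYN"}) and (src, dst) not in completed:
            counts[sec] += 1
    return counts


def syn_proxy_engages(packets, attack_threshold=ATTACK_THRESHOLD):
    """Seconds in which incomplete attempts exceed the attack threshold."""
    return sorted(sec for sec, n in incomplete_per_second(packets).items()
                  if n > attack_threshold)


def flood_sources(packets, blacklist_threshold=BLACKLIST_THRESHOLD,
                  wan_hosts=WAN_HOSTS, never_blacklist_wan=True):
    """Sources whose SYN+RST+FIN rate exceeded the threshold in any one second.
    With 'Never blacklist WAN machines' set, WAN sources are skipped."""
    per_src = defaultdict(Counter)
    for sec, src, _dst, flags in packets:
        if flags & {"SYN", "RST", "FIN"}:
            per_src[src][sec] += 1
    blacklisted = set()
    for src, by_sec in per_src.items():
        if max(by_sec.values()) > blacklist_threshold:
            if never_blacklist_wan and src in wan_hosts:
                continue
            blacklisted.add(src)
    return blacklisted


def forward(src, dst, blacklisted, allow_mgmt=True, appliance_ips=APPLIANCE_WAN_IPS):
    """Drop traffic from a blacklisted source unless it targets the appliance's own
    WAN IPs and 'Always allow SonicWALL management traffic' is set."""
    if src not in blacklisted:
        return True
    return allow_mgmt and dst in appliance_ips


def sample_capture():
    """Constructed one-second capture: a LAN host and a WAN host each flood the
    appliance with bare SYNs, while a third host completes a normal handshake."""
    pkts = [(0, "10.0.0.5", "203.0.113.1", frozenset({"SYN"}))] * 1500
    pkts += [(0, "198.51.100.9", "203.0.113.1", frozenset({"SYN"}))] * 1200
    pkts += [(0, "10.0.0.7", "203.0.113.1", frozenset({"SYN"})),
             (0, "10.0.0.7", "203.0.113.1", frozenset({"ACK"}))]
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    print("thresholds sane:", validate_thresholds(ATTACK_THRESHOLD, BLACKLIST_THRESHOLD))
    print("incomplete/sec:", dict(incomplete_per_second(cap)))
    print("proxy engages in seconds:", syn_proxy_engages(cap))
    print("blacklisted:", flood_sources(cap))
```

Run with the WAN exemption off to see the WAN flooder join the blacklist; the `forward` check shows why the management exemption matters: once a LAN host is blacklisted, only its packets to the appliance's own WAN IPs still pass.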
Conditioning
Working with Classification on page 255
Working with Conditioning on page 257
Working with 802.1p and DSCP QoS on page 258
Working with DSCP Marking on page 259
Configuring QoS on page 261
Enabling 802.1p Tagging on page 262
Creating a QoS Rule on page 262
Configuring QoS Settings on page 263
Note
Many service providers do not support CoS tags such as 802.1p or DSCP. Also, most network equipment with standard configurations will not be able to recognize 802.1p tags, and could drop tagged traffic.
Note
If you wish to use 802.1p or DSCP marking on your network or your service providers network, you must first establish that these methods are supported. Verify that your internal network equipment can support CoS priority marking, and that it is correctly configured to do so. Check with your service provider - some offer fee-based support for QoS using these CoS methods.
Video over IP vendors, so a solution for supporting 802.1p across network boundaries (that is, WAN links) was introduced in the form of 802.1p to DSCP mapping. 802.1p to DSCP mapping allows 802.1p tags from one LAN to be mapped to DSCP values by the SonicWALL appliance, so that the priority survives the WAN link even though the Ethernet tag itself does not. When the packets arrive on the other side of the WAN or VPN, the receiving SonicWALL appliance can map the DSCP values back to 802.1p tags for use on that LAN.
TPID: The Tag Protocol Identifier begins at byte 12 (after the 6-byte destination and source address fields), is 2 bytes long, and has an Ethertype of 0x8100 for tagged traffic.
802.1p: The first three bits of the TCI (Tag Control Information, beginning at byte 14 and spanning 2 bytes) define user priority, giving eight (2^3) priority levels. IEEE 802.1p defines the operation of these 3 user priority bits.
CFI: The Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet switches. CFI is used for compatibility between Ethernet networks and Token Ring networks. If a frame received at an Ethernet port has CFI set to 1, that frame should not be forwarded as-is to an untagged port.
VLAN ID: The VLAN ID (starting at bit 5 of byte 14) identifies the VLAN. It is 12 bits long and allows 4,096 (2^12) unique VLAN IDs. Of the 4,096 possible IDs, an ID of 0 identifies priority frames and an ID of 4,095 (0xFFF) is reserved, so the maximum number of usable VLAN configurations is 4,094.
802.1p support begins by enabling 802.1p marking on the interfaces which you wish to have process 802.1p tags. 802.1p can be enabled on any Ethernet interface on any SonicWALL appliance that supports VLANs, including the SonicWALL NSA Series and PRO 2040, PRO 3060, PRO 4060, PRO 4100, and PRO 5060.
Note
802.1p tagging is not currently supported on the SonicWALL TZ Series or PRO 1260.
Although Enable 802.1p tagging does not appear as an option on VLAN sub-interfaces, it is related to the 802.1q tags of VLAN sub-interfaces. The behavior of the 802.1p field within these tags can be controlled by firewall access rules. The default 802.1p-capable network Access Rule action of None resets existing 802.1p tags to 0, unless otherwise configured. Enabling 802.1p marking allows the target interface to recognize incoming 802.1p tags generated by 802.1p-capable network devices, and also allows the target interface to generate 802.1p tags, as controlled by Access Rules. Frames that have 802.1p tags inserted by GMS will bear VLAN ID 0. 802.1p tags are only inserted according to access rules, so enabling 802.1p marking on an interface will not, at its default setting, disrupt communications with 802.1p-incapable devices. 802.1p requires specific support by the networking devices with which you wish to use this method of prioritization. Many voice and video over IP devices provide support for 802.1p, but the feature must be enabled. Check your equipment's documentation for information on 802.1p support if you are unsure. Similarly, many server and host network cards (NICs) are able to support 802.1p, but the feature is usually disabled by default.
The above diagram depicts an IP packet, with a close-up on the ToS portion of the header. The ToS bits were originally used for Precedence and ToS (delay, throughput, reliability, and cost) settings, but were later redefined by RFC 2474 for the more versatile DSCP settings. The following table shows the commonly used code points as well as their mapping to the legacy Precedence and ToS settings.
Table 5 Code Points
DSCP  Description              Legacy IP Precedence        Legacy IP ToS
0     Best Effort              0 (Routine - 000)           -
8     Class 1                  1 (Priority - 001)          -
10    Class 1, Gold AF11       1 (Priority - 001)          T
12    Class 1, Silver AF12     1 (Priority - 001)          D
14    Class 1, Bronze AF13     1 (Priority - 001)          D, T
16    Class 2                  2 (Immediate - 010)         -
18    Class 2, Gold AF21       2 (Immediate - 010)         T
20    Class 2, Silver AF22     2 (Immediate - 010)         D
22    Class 2, Bronze AF23     2 (Immediate - 010)         D, T
24    Class 3                  3 (Flash - 011)             -
26    Class 3, Gold AF31       3 (Flash - 011)             T
28    Class 3, Silver AF32     3 (Flash - 011)             D
30    Class 3, Bronze AF33     3 (Flash - 011)             D, T
32    Class 4                  4 (Flash Override - 100)    -
34    Class 4, Gold AF41       4 (Flash Override - 100)    T
36    Class 4, Silver AF42     4 (Flash Override - 100)    D
38    Class 4, Bronze AF43     4 (Flash Override - 100)    D, T
40    Express Forwarding       5 (CRITIC/ECP - 101)        -
The legacy Precedence value is simply the upper three bits of the DSCP (the DSCP value divided by 8), and the legacy ToS flags (D = low delay, T = high throughput) are the next two bits, which is why the Gold, Silver, and Bronze drop precedences of each Assured Forwarding class line up with T, D, and D, T. Note that AF32 is code point 28, not 27.
DSCP marking can be performed on traffic to and from any interface and to and from any zone type, without exception. DSCP marking is controlled by Access Rules, from the QoS tab, and can be used in conjunction with 802.1p marking, as well as with SonicOS internal bandwidth management.
Configuring QoS
To configure QoS, perform the following tasks:
Enabling 802.1p Tagging on page 262
Creating a QoS Rule on page 262
Configuring QoS Settings on page 263
Adding a Service on page 270
Creating Rules on page 271
Enabling 802.1p Tagging
1. Click on the Interfaces option in the Network menu. GMS displays the Interfaces list.
2. Click on the Configuration icon for the WAN interface. GMS displays the Edit Interface dialog box.
3. Click on the Advanced tab. GMS displays the Advanced tab.
4. Select the Enable 802.1p tagging checkbox.
5. Click Update.
Creating a QoS Rule
1. From the Firewall menu, click on the Access Rules option. GMS displays the Access Rules dialog box, which lists the interface pairs for which you can create an access rule.
2. Select the LAN > WAN rule and click Add Rule. GMS displays the Add Rule dialog box.
3. Click the QoS tab. The QoS page displays.
4. Under DSCP Marking Settings, select the DSCP Marking Action. You can select None, Preserve, Explicit, or Map. Preserve is the default.
None: DSCP values in packets are reset to 0.
Preserve: DSCP values in packets remain unaltered.
Explicit: Set the DSCP value to the value you select in the Explicit
5. Under 802.1p Marking Settings, select the 802.1p Marking Action. You can select None, Preserve, Explicit, or Map. None is the default.
6. Click OK. GMS configures your WAN interface to accept traffic shaping values.
Configuring QoS Settings
1. Click on the QoS Settings option in the Firewall menu. GMS displays the QoS Mapping dialog box.
2. Click on the Configuration icon for any of the 802.1p Class of Service objects. GMS displays the Edit QoS Mapping dialog box for that class of service.
3. Configure the DSCP range that maps to this class of service:
From DSCP Begin: The lower limit of the range of values for marking that indicates the priority assigned to a packet traveling across the network.
From DSCP End: The upper limit of the range of values for marking that indicates the priority assigned to a packet traveling across the network.
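The 802.1Q tag layout given under Working with 802.1p and DSCP QoS, the 802.1p to DSCP mapping described under Working with Conditioning, and the DSCP ranges configured in the QoS Mapping dialog can be exercised end to end in a short script. The following Python is an added example and not SonicWALL code: it parses and builds tagged frames at the byte offsets the page gives, rewrites the DSCP bits of the IPv4 ToS byte while preserving the two ECN bits and recomputing the header checksum, and converts priority in both directions. The class-to-DSCP table (class n covers DSCP 8n through 8n+7, with the range start written on egress) is an assumption standing in for whatever is configured in the QoS Mapping page, and the frame contents, MAC addresses and IP addresses are constructed.

```python
"""Added example: 802.1Q tag parsing, 802.1p <-> DSCP mapping and IPv4 ToS
rewriting. Not SonicWALL code; the CoS-to-DSCP table is an assumption."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Assumed QoS Mapping: CoS n covers DSCP 8n..8n+7 and egress marks with 8n.
COS_TO_DSCP_RANGE = {cos: (8 * cos, 8 * cos + 7) for cos in range(8)}


def parse_8021q(frame):
    """(pcp, cfi, vid, ethertype, payload) for a tagged frame, else None.
    TPID at bytes 12-13; TCI at 14-15 = PCP (3 bits), CFI (1 bit), VID (12 bits)."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, ethertype, frame[18:]


def build_8021q(dst_mac, src_mac, pcp, vid, ethertype, payload, cfi=0):
    """Insert a tag; priority-only tags carry VID 0, as the page notes."""
    tci = (pcp << 13) | (cfi << 12) | (vid & 0x0FFF)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; returns 0 when the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dscp_of(ip_packet):
    return ip_packet[1] >> 2


def precedence_of(dscp):
    """Legacy IP Precedence is the top three DSCP bits (Table 5)."""
    return dscp >> 3


def set_dscp(ip_packet, dscp):
    """Rewrite the six DSCP bits, keep the two ECN bits, fix the header checksum."""
    ihl = (ip_packet[0] & 0x0F) * 4
    hdr = bytearray(ip_packet[:ihl])
    hdr[1] = ((dscp & 0x3F) << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr) + ip_packet[ihl:]


def cos_to_dscp(pcp):
    return COS_TO_DSCP_RANGE[pcp][0]


def dscp_to_cos(dscp):
    for cos, (lo, hi) in COS_TO_DSCP_RANGE.items():
        if lo <= dscp <= hi:
            return cos
    raise ValueError("DSCP %d is outside every configured range" % dscp)


def lan_to_wan(frame):
    """Egress: copy the 802.1p priority into DSCP, then strip the tag for the WAN."""
    parsed = parse_8021q(frame)
    if parsed is None:
        return frame
    pcp, _cfi, _vid, ethertype, payload = parsed
    if ethertype == ETHERTYPE_IPV4:
        payload = set_dscp(payload, cos_to_dscp(pcp))
    return frame[:12] + struct.pack("!H", ethertype) + payload


def wan_to_lan(frame):
    """Ingress: map DSCP back to 802.1p and insert a VID-0 priority tag."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        return frame
    payload = frame[14:]
    pcp = dscp_to_cos(dscp_of(payload))
    return build_8021q(frame[:6], frame[6:12], pcp, 0, ethertype, payload)


def make_ipv4(src, dst, tos=0, payload=b""):
    """Minimal IPv4 header (constructed) with a valid checksum; protocol 17 = UDP."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                                0x1234, 0x4000, 64, 17, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr) + payload


def sample_frame():
    """Constructed LAN frame: VLAN 100, 802.1p priority 5, IPv4 inside."""
    ip = make_ipv4(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), payload=b"\x00" * 8)
    return build_8021q(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                       5, 100, ETHERTYPE_IPV4, ip)


if __name__ == "__main__":
    wan = lan_to_wan(sample_frame())
    print("WAN DSCP:", dscp_of(wan[14:]), "precedence:", precedence_of(dscp_of(wan[14:])))
    print("LAN tag (pcp, cfi, vid):", parse_8021q(wan_to_lan(wan))[:3])
```

With the assumed table, priority 5 on the LAN becomes DSCP 40 on the WAN (precedence 5, the Express Forwarding row of Table 5) and comes back as priority 5 in a VID-0 tag, which is the round trip the conditioning text describes. The checksum recompute is the part most often forgotten when rewriting the ToS byte by hand.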
An effect of the security provided by SSL is the obscuring of the entire payload, including the URL (Uniform Resource Locator, for example, https://www.mysonicwall.com) being requested by a client when establishing an HTTPS session. This is because HTTP is transported within the encrypted SSL tunnel when using HTTPS. It is not until the SSL session is established (step 14) that the actual target resource (www.mysonicwall.com) is requested by the client, but since the SSL session is already established, no inspection of the session data by the UTM appliance or any other intermediate device is possible. As a result, URL-based content filtering systems cannot evaluate the request to determine permissibility in any way other than by IP address. While IP address based filtering does not work well for unencrypted HTTP because of the efficiency and popularity of Host-header based virtual hosting (defined in Key Concepts below), IP filtering can work effectively for HTTPS because of the rarity of Host-header based HTTPS sites. This trust relies on the integrity of the HTTPS server operator, and assumes that SSL is not being used for deceptive purposes. Note that current TLS clients also send the requested hostname in the clear in the ClientHello Server Name Indication (SNI) extension, so a gateway can see the target name before the session is established, and name-based HTTPS virtual hosting has since become common, which weakens the IP-based approach described here.
For the most part, SSL is employed legitimately, being used to secure sensitive communications, such as online shopping or banking, or any session where there is an exchange of personal or valuable information. The ever decreasing cost and complexity of SSL, however, has also spurred the growth of more dubious applications of SSL, designed primarily for the purposes of obfuscation or concealment rather than security. An increasingly common camouflage is the use of SSL encrypted Web-based proxy servers for the purpose of hiding browsing details and bypassing content filters. While it is simple to block well known HTTPS proxy services of this sort by their IP address, it is virtually impossible to block the thousands of privately hosted proxy servers that are readily available through a simple Web search. The challenge is not the ever-increasing number of such services, but rather their unpredictable nature. Since these services are often hosted on home networks using dynamically addressed DSL and cable modem connections, the targets are constantly moving. Trying to block an unknown SSL target would require blocking all SSL traffic, which is practically infeasible. SSL Control provides a number of methods to address this challenge by arming the security administrator with the ability to dissect and apply policy-based controls to SSL session establishment. While the current implementation does not decode the SSL application data, it does allow for gateway-based identification and disallowance of suspicious SSL traffic. For more information about SSL Control, see the SonicOS Enhanced 4.0 Administrator's Guide.
1. Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced 4.0 or higher.
2. Expand the Firewall tree and click SSL Control. The SSL Control page displays.
3. Under General Settings, select the Enable SSL Control checkbox to enable SSL Control for the selected group or appliance.
4. Under Action, select one of the following:
Log the event: If an SSL policy violation, as defined within the Configuration section below, is detected, the event is logged, but the SSL connection is allowed to continue.
Block the connection and log the event: In the event of a policy violation, the connection is blocked and the event is logged.
5. Under Configuration, select the checks to enforce and whether to apply the Blacklist and Whitelist configured in the Custom Lists section below. Whitelisted entries take precedence over all other SSL Control settings.
Detect Expired Certificates: Controls detection of certificates that are not yet valid (whose start date is after the current system time) or that have expired (whose end date is before the current system time). Date validation depends on the SonicWALL's System Time. Make sure your System Time is set correctly, preferably synchronized with NTP, on the System > Time page; an appliance with a wrong clock will either miss expired certificates or flag valid ones.
Detect SSLv2: Controls detection of SSLv2 exchanges. SSLv2 is known to be susceptible to cipher downgrade attacks because it does not perform integrity checking on the handshake. This guide recommends SSLv3 or TLS instead of SSLv2; SSLv3 has since been deprecated as well (RFC 7568), so TLS should be used.
Detect Self-Signed Certificates: Controls the detection of certificates where both the issuer and the subject have the same common name.
Detect Certificate signed by an Untrusted CA: Controls the detection of certificates where the issuer's certificate is not in the SonicWALL's System > Certificates trusted store.
Detect Weak Ciphers (< 64 bits): Controls the detection of SSL sessions negotiated with symmetric ciphers of less than 64 bits, commonly indicating export cipher usage.
6. Under Custom Lists, configure the Blacklist and Whitelist by defining strings for matching common names in SSL certificates. Entries are case-sensitive and are matched as substrings of the common name. For example, sonicwall.com matches https://www.sonicwall.com and https://mysonicwall.com, but not https://www.sonicwall.de. To add an entry to the Blacklist, type it into the Black List field and then click Add. To add an entry to the Whitelist, type it into the White List field and then click Add.
7. When finished, click Update. To return to default values and start over, click Reset.
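The detections in step 5 and the list matching in step 6 amount to a small policy over what a gateway can see at handshake time. The following Python is an added example and not SonicWALL code: each session is a constructed record (protocol version, negotiated cipher strength, and the server certificate's subject CN, issuer CN and validity dates), the trusted store is a set of issuer names, and the evaluation order (whitelist first, then every enabled detection) follows the page's statement that whitelist entries take precedence. The hostnames, dates, clock values and sessions are all constructed for the example.

```python
"""Added example: SSL Control-style handshake policy. Not SonicWALL code; the
session records, names, dates and clock values below are constructed."""
from datetime import datetime, timezone

WEAK_CIPHER_BITS = 64

DEFAULT_POLICY = {"expired": True, "sslv2": True, "self_signed": True,
                  "untrusted_ca": True, "weak_cipher": True}


def list_match(common_name, entries):
    """Custom-list semantics from the page: case-sensitive substring match on the CN."""
    return any(entry in common_name for entry in entries)


def evaluate(session, now, trusted_cas, policy=DEFAULT_POLICY, whitelist=(), blacklist=()):
    """Return the list of violations for one handshake; an empty list means no violation.
    session keys: version, cipher_bits, subject_cn, issuer_cn, not_before, not_after."""
    cn = session["subject_cn"]
    if list_match(cn, whitelist):
        return []                      # whitelist wins over every other setting
    violations = []
    if list_match(cn, blacklist):
        violations.append("blacklisted")
    if policy["expired"] and not (session["not_before"] <= now <= session["not_after"]):
        violations.append("expired")   # not yet valid, or past its end date
    if policy["sslv2"] and session["version"] == "SSLv2":
        violations.append("sslv2")
    if policy["self_signed"] and session["issuer_cn"] == cn:
        violations.append("self_signed")
    if policy["untrusted_ca"] and session["issuer_cn"] not in trusted_cas:
        violations.append("untrusted_ca")
    if policy["weak_cipher"] and session["cipher_bits"] < WEAK_CIPHER_BITS:
        violations.append("weak_cipher")
    return violations


def decide(violations, action="block"):
    """Map violations onto the two Action settings: 'log' allows and logs, 'block' blocks."""
    if not violations:
        return "allow"
    return "block" if action == "block" else "allow+log"


def _utc(date_iso):
    return datetime.strptime(date_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def session(version, cipher_bits, subject_cn, issuer_cn, not_before, not_after):
    return {"version": version, "cipher_bits": cipher_bits, "subject_cn": subject_cn,
            "issuer_cn": issuer_cn, "not_before": _utc(not_before), "not_after": _utc(not_after)}


# Constructed sessions: a normal site, a self-signed and expired home proxy, and
# an SSLv2 export-cipher handshake.
NOW = _utc("2010-06-01")
TRUSTED = {"Example Root CA"}
SESSIONS = {
    "shop": session("TLSv1", 128, "www.example.com", "Example Root CA", "2010-01-01", "2011-01-01"),
    "proxy": session("TLSv1", 128, "proxy.home.example", "proxy.home.example", "2008-01-01", "2009-01-01"),
    "legacy": session("SSLv2", 40, "old.example.net", "Example Root CA", "2010-01-01", "2011-01-01"),
}


def violations_on(name, date_iso):
    """Evaluate one constructed session as if the appliance clock read date_iso."""
    return evaluate(SESSIONS[name], _utc(date_iso), TRUSTED)


def report(now=NOW, action="block", whitelist=(), blacklist=()):
    return {name: decide(evaluate(s, now, TRUSTED, whitelist=whitelist, blacklist=blacklist), action)
            for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name in SESSIONS:
        print(name, violations_on(name, "2010-06-01"))
    print(report(whitelist=("old.example.net",)))
    print("clock set back to 2008:", violations_on("proxy", "2008-06-01"))
```

The last line of the usage shows the System Time dependency called out on the page: with the clock set back to 2008 the expired proxy certificate evaluates as valid and only the self-signed and untrusted-CA checks still catch it.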
Configuring Rules in SonicOS Standard on page 269
Configuring Advanced Firewall Settings in SonicOS Standard on page 273
Configuring Voice over IP Settings on page 275
Configuring Rules in SonicOS Standard
To configure rules in SonicOS Standard:
1. Determine whether the service for which you want to create a rule is defined. If not, define the service. See Adding a Service on page 270.
2. Create one or more rules for the service. See Creating Rules on page 271.
3. Repeat this procedure for each service for which you would like to define rules.
Adding a Service
By default, a large number of services are pre-defined. This section describes how to add a new or custom service. To add a service, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click Services. The Services page displays.
3. To add a known service (for example, HTTP, FTP, News), select the service from the Service Name list box and click Add Known Service. Repeat this step for each service that you would like to add. A task is scheduled for each service for each selected SonicWALL appliance.
Note
Features and services vary widely depending on the managed appliance's firmware type and version. Some options, including Add Known Service, are only available when managing a non-SonicOS device (such as a SonicWALL TELE3 TZX).
4. To add a custom service, enter its name in the Service Name field, enter the port range it uses in the Port Begin and Port End fields, select the appropriate protocol check boxes, and click Add Custom Service. Repeat this step for each service that you would like to add. A task is scheduled for each service for each selected SonicWALL appliance.
5. To remove a service from the list, select its trash can check box and click Update. A task is scheduled to update the Services page for each selected SonicWALL appliance.
6. To clear all screen settings and start over, click Reset.
Creating Rules
This section describes how to define rules for defined services in SonicOS Standard. To create a rule, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click Rules. The Rules page displays.
3. Click Add Rule. The Add Rule dialog box displays.
4. Select a service from the Service Name list box. If the service does not exist, see Adding a Service on page 270.
5. Select whether access to this service will be allowed or denied.
6. Select the SonicWALL interface to which this rule applies from the Source list box.
7. To apply the rule to a range of IP addresses, enter the first and last IP addresses of the range in the Addr. Begin and Addr. End fields, respectively. The rule applies to requests originating from IP addresses within this range. For all IP addresses, enter an asterisk (*).
8. Specify when the rule will be applied. By default, it is Always. To specify a time, enter the time of day (in 24-hour format) to begin and end enforcement. Then, enter the days of the week to begin and end rule enforcement.
9. Specify how long (in minutes) the connection may remain idle before it is terminated in the Inactivity Timeout field.
Caution
Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. You should only enable the Allow Fragmented Packets check box if users are experiencing problems accessing certain applications and the SonicWALL logs show many dropped fragmented packets.
10. Specify whether this rule uses bandwidth management. To enable bandwidth management for this service, select the Enable Outbound Bandwidth Management check box. Enter the amount of bandwidth that will always be available to this service in the Guaranteed Bandwidth field. Keep in mind that this bandwidth is permanently assigned to this service and not available to other services, regardless of how much bandwidth this service does or does not use. Enter the maximum amount of bandwidth that will be available to this service in the Maximum Bandwidth field. Select the priority of this service from the Bandwidth Priority list box, from 0 (highest) to 7 (lowest).
Note
In order to configure bandwidth management for this service, bandwidth management must be enabled on the SonicWALL appliance. To configure bandwidth management in SonicOS Standard, see Configuring Ethernet Settings on page 231. For SonicOS Enhanced, see Overview of Interfaces on page 153.
11. To add this rule to the rule list, click Update. Repeat Step 3 through
12. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic and allow all outbound IP traffic. To restore the network access rules to their default settings, click Restore Rules to Defaults and click Update. A task is scheduled to update the Rules page for each selected SonicWALL appliance.
SonicWALL GMS 6.0 Administrators Guide
13. If the network access rules for a SonicWALL appliance need to be uniform with the access rules for other SonicWALL appliances in the same group, you can restore the group rules. To do this, click Restore Rules to Group Settings and click Update. A task is scheduled to overwrite the Rules page for each selected SonicWALL appliance. If you want to append the group rules to the current rules, make sure the Append Services and Rules inherited from group check box is selected on the GMS Settings page of the Console Panel.
14. To modify a rule, select its notepad icon. The Add/Modify Rule dialog box displays. When you are finished making changes, click Update. SonicWALL GMS creates a task that modifies the rule for each selected SonicWALL appliance.
15. To disable a rule without deleting it, deselect its Enable Rule check box.
16. To delete a rule, select its trash can icon and click Update. SonicWALL GMS creates a task that deletes the rule for each selected SonicWALL appliance.
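The fields entered in steps 4 through 9 (service port range, allow or deny, source interface, source address range, schedule and inactivity timeout) together with the Default Rules in step 12 define a small first-match policy, and it is worth seeing how a connection is actually matched against it. The following Python is an added example and not SonicWALL code: it models services and rules with the fields the page describes and evaluates constructed connection records against an ordered rule list that falls through to the stated defaults (block all inbound, allow all outbound). Interface names, the services, the addresses and the timestamps are constructed.

```python
"""Added example: first-match evaluation of SonicOS Standard-style access rules.
Not SonicWALL code; the rule semantics follow the page's field descriptions and
every service, address and time below is constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

# Service: name -> (port_begin, port_end, protocols) as entered on the Services page.
SERVICES = {
    "HTTP": (80, 80, {"TCP"}),
    "Remote-Admin": (8000, 8010, {"TCP"}),
    "Any": (0, 65535, {"TCP", "UDP", "ICMP"}),
}


@dataclass
class Rule:
    service: str
    allow: bool
    source: str                     # interface the rule applies to, e.g. LAN or WAN
    addr_begin: str = "*"           # '*' = all addresses, as the page says
    addr_end: str = "*"
    hours: tuple = (0, 24)          # 24-hour window (begin, end); (0, 24) = Always
    days: tuple = (0, 6)            # Monday=0 .. Sunday=6, inclusive
    inactivity_minutes: int = 5
    enabled: bool = True


DEFAULT_RULES = [                   # page: block all inbound, allow all outbound
    Rule("Any", False, "WAN"),
    Rule("Any", True, "LAN"),
]


def addr_in_range(addr, begin, end):
    if begin == "*" or end == "*":
        return True
    return ip_address(begin) <= ip_address(addr) <= ip_address(end)


def service_matches(service_name, proto, port):
    begin, end, protos = SERVICES[service_name]
    return proto in protos and begin <= port <= end


def schedule_matches(rule, when):
    h0, h1 = rule.hours
    d0, d1 = rule.days
    return d0 <= when.weekday() <= d1 and h0 <= when.hour < h1


def rule_matches(rule, conn, when):
    """conn: dict with src_if, src_ip, proto, dst_port."""
    return (rule.enabled and rule.source == conn["src_if"]
            and service_matches(rule.service, conn["proto"], conn["dst_port"])
            and addr_in_range(conn["src_ip"], rule.addr_begin, rule.addr_end)
            and schedule_matches(rule, when))


def evaluate(rules, conn, when):
    """First matching rule wins; custom rules are consulted before the Default Rules.
    Returns (action, inactivity_minutes)."""
    for rule in list(rules) + DEFAULT_RULES:
        if rule_matches(rule, conn, when):
            return ("allow" if rule.allow else "deny"), rule.inactivity_minutes
    return "deny", 0                # unreachable while the Default Rules are present


# Constructed policy: admin hosts may reach Remote-Admin on weekdays 08:00-18:00,
# one guest range is denied HTTP, and everything else falls to the defaults.
POLICY = [
    Rule("Remote-Admin", True, "WAN", "198.51.100.10", "198.51.100.20", (8, 18), (0, 4), 15),
    Rule("HTTP", False, "LAN", "10.0.9.1", "10.0.9.254"),
]


def check(src_if, src_ip, proto, dst_port, when_iso):
    conn = {"src_if": src_if, "src_ip": src_ip, "proto": proto, "dst_port": dst_port}
    return evaluate(POLICY, conn, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    print(check("WAN", "198.51.100.15", "TCP", 8005, "2010-06-02T10:00"))   # Wednesday
    print(check("WAN", "198.51.100.15", "TCP", 8005, "2010-06-05T10:00"))   # Saturday
    print(check("LAN", "10.0.9.7", "TCP", 80, "2010-06-02T10:00"))
    print(check("LAN", "10.0.1.7", "TCP", 80, "2010-06-02T10:00"))
```

The weekend and after-hours cases show the point of the schedule fields: outside the window the custom rule simply does not match, so the inbound connection falls through to the Default Rules and is blocked rather than silently allowed.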
Configuring Advanced Firewall Settings in SonicOS Standard
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click Advanced. The Advanced page displays.
3. Computers running Microsoft Windows communicate with each other through NetBIOS broadcast packets. By default, SonicWALL appliances block these broadcasts. To allow NetBIOS packets to pass among the interfaces, select the appropriate checkbox in the Windows Networking (NetBIOS) Broadcast Pass Through section.
4. Detection prevention helps hide SonicWALL appliances from potential hackers. Select from the following Detection Prevention options:
To enable stealth mode, select the Enable Stealth Mode check box. During normal operation, SonicWALL appliances respond to incoming connection requests as either blocked or open. During stealth operation, SonicWALL appliances do not respond to inbound requests, which makes the appliances much harder to discover with port scans.
Hackers can use various detection tools to fingerprint IP IDs and detect the presence of a SonicWALL appliance. To configure the SonicWALL appliance(s) to generate random IP IDs, select the Randomize IP ID check box.
5. Select the dynamic ports that will be supported from the Dynamic Ports area:
Enable support for Oracle (SQLNet): Select if you have Oracle
support special SIP messaging used in Windows Messenger on Windows XP.
Enable RTSP Transformations: Select this option to support on-demand delivery of real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an application-level protocol for control over delivery of data with real-time properties.
6. The Drop Source Routed Packets check box is selected by default. Clear the check box only if you are testing traffic between two specific hosts and you are using source routing.
7. Select Disable Anti-Spyware, Gateway AV and IPS Engine if you want to allow more connections at the expense of the Gateway Anti-Virus and Intrusion Prevention services. This is generally not recommended because it opens the SonicWALL security appliance to possible threats.
8. The Connection Inactivity Timeout option closes connections outside the LAN if they are idle for a specified period of time. Without this timeout, connections can stay open indefinitely and create potential security holes. To specify how long the SonicWALL appliance(s) wait before closing inactive connections outside the LAN, enter the amount of time in the Default Connection Timeout field (default: 25 minutes).
9. By default, FTP connections from port 20 are allowed, but remapped to outbound traffic ports such as 1024. If you select the Force inbound and outbound FTP data connections to use default port 20 check box, any FTP data connection through the SonicWALL must come from port 20 or the connection will be dropped and logged.
To enforce IP header, UDP, TCP, or ICMP checksums, select the appropriate option from the IP, UDP, TCP, ICMP Checksum Enforcement section.
10. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring Log Settings section on page 278
Configuring Enhanced Log Settings section on page 281
Configuring Name Resolution section on page 285
Configuring Log Settings
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Select the Policies tab. In the center pane, navigate to Log > Log Settings.
3. Enter the IP address or name of the mail server in the Mail Server (name or IP Address) field.
4. Enter the name of the SonicWALL appliance in the Firewall Name field. The firewall name appears in the subject of email sent by the SonicWALL appliance. By default, the firewall name is the same as the SonicWALL appliance serial number.
Note
The name of the SonicWALL appliance cannot be configured at the group or global level.
5. To override syslog settings with ViewPoint settings, check the Override Syslog settings with ViewPoint settings box.
6. To select a syslog format, choose one of the two options from the Syslog Format drop-down menu:
Default: The standard SonicWALL syslog format.
WebTrends: Reporting software that analyzes traffic activity, protocol usage, security problems, resource usage, bandwidth consumption, and more. For more information, visit http://www.webtrends.com.
7. To specify how often SonicWALL GMS logs repetitive events, enter the time period (in seconds) in the Syslog Event Redundancy Filter field (default: 60 seconds). This prevents repetitive events from being logged to the syslog. If duplicate events occur during the period, they are logged as a single event that specifies the number of times the event occurred. The minimum is 0 seconds and the maximum is 86,400 seconds (24 hours). If you specify 0, all events are logged. For GMS network deployments using Gen-2/Distributed Summarizer Mode, enter 0 in the Syslog Event Redundancy Filter field. Although a higher setting prevents a log file from filling with repetitive events, setting this field to anything other than 0 will result in inaccurate reporting. For information about the Distributed Summarizer, see the About the Distributed Summarizer section on page 984.
8. To enable event rate limiting, check the Enable Event Rate Limiting box and enter a maximum number of events per second in the Maximum Events Per Second field.
9. To enable data rate limiting, check the Enable Data Rate Limiting box and enter a maximum number of bytes per second in the Maximum Bytes Per Second field.
10. Enter the interval, in seconds, at which the SonicWALL appliance sends heartbeat messages to SonicWALL GMS in the Heartbeat Rate field (default: 60 seconds). If SonicWALL GMS does not receive a heartbeat message within three intervals, SonicWALL GMS considers the SonicWALL appliance offline or unavailable and its icon turns red.
Note
It is highly recommended to leave the Heartbeat Rate at the default setting of 60 seconds. Values close to zero will generate a large number of status messages. The maximum value is 86,400 seconds (24 hours).
11. Enter the email address (for example, administrator@company.com) where the log will be sent in the Email Log to field. If this field is left blank, the log will not be sent.
12. Some events, such as an attack, may require immediate attention. Enter the complete email address or email pager address in the Email Alerts to field. If this field is left blank, alerts will not be sent.
Note
For information about alerts in the GMS Granular Event Management framework, see Configuring Granular Event Management on page 1023.
13. To email the log now, click Email Log Now.
14. To clear the log, click Clear Log Now. A confirmation displays. Click OK.
16. For automated log delivery, specify when the log file will be sent from the Send Log drop-down menu. Select When Full, Daily, or Weekly. If the log will be sent daily, select the time that the log will be sent (24-hour format). If the log will be sent weekly, select the day of the week and the time.
17. In some cases, the log buffer may fill up. This may occur if there is a problem with the mail server and the log cannot be successfully emailed. Under When Log Overflows, select Overwrite Log (SonicWALL appliances overwrite the log and discard its contents) or Shutdown SonicWALL (the appliance stops passing traffic rather than let traffic go unlogged).
18. Select information to log from the Categories section. To select all
Note
If you are using SonicWALL GMS, make sure that it can generate all reports for each SonicWALL appliance by selecting all log category check boxes except for Network Debug.
Configuring Enhanced Log Settings
2. Enter the IP address or name of the mail server in the Mail Server (name or IP Address) field.
3. Enter the email address that will appear as the sender on emails in the From E-mail Address field.
4. Select a method of authentication from the Authentication Method drop-down menu, either None or POP before SMTP.
5. If you selected POP before SMTP, enter the POP server name or IP address in the POP Server (name or IP address) field, and the POP account user name and password in the Username and Password fields.
6. Enter the name of the SonicWALL appliance in the Firewall Name field. The firewall name appears in the subject of email sent by the SonicWALL appliance. By default, the firewall name is the same as the SonicWALL appliance serial number.
Note
The name of the SonicWALL appliance cannot be configured at the group or global level.
7. In the Syslog Facility drop-down menu, select one of the syslog facility options.
8. To override syslog settings with ViewPoint settings, check the Override Syslog settings with ViewPoint settings box.
9. To select a syslog format, choose one of the two options from the Syslog Format drop-down menu:
Default: The standard SonicWALL syslog format.
WebTrends: Reporting software that analyzes traffic activity, protocol usage, security problems, resource usage, bandwidth consumption, and more. For more information, visit http://www.webtrends.com.
10. To specify how often SonicWALL GMS logs repetitive events, enter the time period (in seconds) in the Syslog Event Redundancy Filter field (default: 60 seconds). This prevents repetitive events from being logged to the syslog. If duplicate events occur during the period, they are logged as a single event that specifies the number of times the event occurred. The minimum is 0 seconds and the maximum is 86,400 seconds (24 hours). If you specify 0, all events are logged.
11. To enable event rate limiting, check the Enable Event Rate Limiting box and enter a maximum number of events per second in the Maximum Events Per Second field.
12. To enable data rate limiting, check the Enable Data Rate Limiting box and enter a maximum number of bytes per second in the Maximum Bytes Per Second field.
13. Enter the interval, in seconds, at which the SonicWALL appliance sends heartbeat messages to SonicWALL GMS in the Heartbeat Rate field (default: 60 seconds). If SonicWALL GMS does not receive a heartbeat message within three intervals, SonicWALL GMS considers the SonicWALL appliance offline or unavailable and its icon turns red.
Note
It is highly recommended to leave the Heartbeat Rate at the default setting of 60 seconds. Values close to zero will generate a large number of status messages. The maximum value is 86,400 seconds (24 hours).
14. Enter the email address (for example, administrator@company.com) where the log will be sent in the Email Log to field. If this field is left blank, the log will not be sent. This address is also used as the return address.
15. Some events, such as an attack, may require immediate attention. Enter the complete email address or email pager address in the Email Alerts to field. If this field is left blank, alerts will not be sent.
16. To email the log now, click Email Log Now. The scheduler displays.
17. Expand Schedule by clicking the plus icon.
18. Select Immediate or specify a future date and time.
19. Click Accept.
20. To clear the log, click Clear Log Now. A confirmation displays. Click OK.
22. Expand Schedule by clicking the plus icon.
23. Select Immediate or specify a future date and time.
24. Click Accept.
25. For automated log delivery, specify when the log file will be sent from the Send Log drop-down menu. Select When Full, Daily, or Weekly. If the log will be sent daily, select the time that the log will be sent (24-hour format). If the log will be sent weekly, select the day of the week and the time.
26. In some cases, the log buffer may fill up. This may occur if there is a problem with the mail server and the log cannot be successfully emailed. Under When Log Overflows, select Overwrite Log (SonicWALL appliances overwrite the log and discard its contents) or Shutdown SonicWALL (the appliance stops passing traffic rather than let traffic go unlogged).
27. From the Logging Level drop-down menu, select one of the logging level options.
28. From the Alert Level drop-down menu, select one of the alert level options.
29. Enter a period of time, in seconds, in the Log Redundancy Filter (seconds) field.
31. For each category in the Categories table, select a combination of Log,
Note
If you are using SonicWALL GMS, make sure that it can generate all reports for each SonicWALL appliance by selecting all log category check boxes.
32. When you are finished, click Update. The scheduler displays.
33. Expand Schedule by clicking the plus icon.
34. Select Immediate or specify a future date and time.
35. Click Accept.
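The Syslog Event Redundancy Filter (step 7 of Configuring Log Settings and step 10 above) and the three-interval heartbeat rule (step 10 there and step 13 above) are easy to misjudge without seeing them run. The following Python is an added example and not SonicWALL or GMS code: the collapsing logic (a repeat of the same message within the window is folded into the first occurrence and counted) is a reading of the page's description rather than the appliance's implementation, and the event timestamps and messages are constructed.

```python
"""Added example: syslog event redundancy filtering and heartbeat-based status.
Not SonicWALL/GMS code; the collapsing semantics are inferred from the page's
description and the sample events are constructed."""


def redundancy_filter(events, window_seconds):
    """Collapse repeats of a message within window_seconds of its first occurrence
    into one record carrying a count. window_seconds == 0 logs every event, which
    the page requires for Distributed Summarizer deployments.
    events: iterable of (timestamp_seconds, message), in time order."""
    records = []
    open_record = {}                      # message -> index of its current record
    for ts, msg in events:
        idx = open_record.get(msg)
        if window_seconds > 0 and idx is not None and ts - records[idx]["first"] < window_seconds:
            records[idx]["count"] += 1
            records[idx]["last"] = ts
        else:
            records.append({"first": ts, "last": ts, "msg": msg, "count": 1})
            open_record[msg] = len(records) - 1
    return records


def total_events(records):
    """Events represented by a filtered log. The raw count survives, but the
    per-second timing of each repeat does not, which is why the page says a
    non-zero filter distorts reporting."""
    return sum(r["count"] for r in records)


def appliance_status(last_heartbeat, now, heartbeat_rate=60, missed_intervals=3):
    """GMS marks a unit offline once no heartbeat arrives within three intervals."""
    return "offline" if now - last_heartbeat > heartbeat_rate * missed_intervals else "online"


# Constructed syslog stream (seconds, message): a repeated drop, one login, a later drop.
SAMPLE_EVENTS = [
    (0, "TCP connection dropped 198.51.100.9 -> 203.0.113.1:23"),
    (10, "TCP connection dropped 198.51.100.9 -> 203.0.113.1:23"),
    (20, "Administrator login allowed 10.0.0.7"),
    (50, "TCP connection dropped 198.51.100.9 -> 203.0.113.1:23"),
    (70, "TCP connection dropped 198.51.100.9 -> 203.0.113.1:23"),
]


def summarize(window_seconds):
    """(records written, events represented, per-record counts) for the sample stream."""
    recs = redundancy_filter(SAMPLE_EVENTS, window_seconds)
    return len(recs), total_events(recs), [r["count"] for r in recs]


if __name__ == "__main__":
    print("window 60:", summarize(60))
    print("window 0: ", summarize(0))
    print(appliance_status(last_heartbeat=0, now=170), appliance_status(0, 181))
```

With the 60-second default the five sample events become three records (one of them carrying a count of 3); with the filter at 0 all five are written, which is what the Distributed Summarizer needs to bucket them correctly.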
1. Navigate to the Policies Panel.
2. Click the Log menu to display logging options.
3. Click the Log Settings option. GMS displays the Log Settings dialog box.
4. In the Heartbeat Rate field in the General region, type the number of seconds between heartbeat tests. The default interval is 60 seconds.
Configuring Name Resolution
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Select the Policies tab.
4. From the Name Resolution Method drop-down menu, select none, DNS, NetBios, or DNS then NetBios.
5. For DNS and DNS then NetBios, configure the following DNS settings:
Specify DNS Servers Manually: Select this radio button to configure the DNS servers manually and specify the IP address(es) in the Log Resolution DNS Server 1 - 3 fields.
Select the other radio button to inherit the DNS settings from the WAN.
6. Click Update.
286
Viewing Network Diagnostic Settings section on page 288
Viewing Connections Monitor section on page 290
Viewing CPU Monitor section on page 292
Viewing Process Monitor section on page 293
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab. In the center pane, navigate to Diagnostics > Network.
3. To refresh the diagnostic data, click Refresh Diagnostic Data display.
4. To delete the diagnostic data, click Delete Diagnostic Data display.
5. To view the log file for the selected SonicWALL appliance(s), click Request Log file display from unit(s).
6. To test the RADIUS server, enter the username and password of a valid user in the User and Password fields and click Radius Client Test.
7. To perform a DNS lookup from the SonicWALL appliance(s), enter a hostname or IP address in the Host field and click DNS Lookup.
8. To find a network path from the SonicWALL appliance(s), enter an IP address in the Host field and click Find Network Path.
9. To ping a host from the SonicWALL appliance(s), enter a hostname or IP address in the Host field and click Ping.
hostname or IP address in the Host field and click TraceRoute Lookup. (SonicOS 2.5 Enhanced or later).
11. To view dynamic routing information, click Fetch Default Route Policies
Address field, a FQDN for the RBL in the RBL Domain field, and DNS server information in the DNS Server field. Click Real-time Black List Lookup.
14. To generate a Tech Support Report, select any of the following four report options:
   VPN Keys: Saves shared secrets, encryption, and authentication configurations.
15. Click Fetch Tech Support Report.
16. To request a packet trace, enter the IP address of the remote host in the Host field, and click Start. You must enter an IP address in the Host field; do not enter a host name, such as www.yahoo.com. Click Stop to terminate the packet trace and Query to query the trace. To reset a host, enter the IP address in the Host field and click Reset.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab. In the center pane, navigate to Diagnostics > Connections Monitor.
3. You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Source Interface, and Destination Interface. Enter your filter criteria in the Active Connections Monitor Settings table. The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string will look for connections matching:
   Source IP AND Destination IP
   Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filter next to Source IP and Destination IP, the search string will look for connections matching:
   (Source IP OR Destination IP) AND Protocol
4. Click Fetch Active Connections Monitor to apply the filter immediately to the Active Connections Monitor table. The scheduler displays.
5. Expand Schedule by clicking the plus icon.
6. Select Immediate or specify a future date and time.
7.
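The following is an added example (not GMS code) that implements the filter semantics of step 3 over a small table of connection records: every filled-in criterion is AND-ed, except that the criteria whose Group Filters box is checked are OR-ed together first. The connection records, the field keys and the interface names (X0, X1) are constructed for illustration; the real appliance output format differs.

```python
"""Model of the Active Connections Monitor filter: AND across criteria,
with Group Filters combining two or more criteria by OR.

Added example, not GMS code; records and field keys are constructed.
"""

# Field key -> label as it appears in the Active Connections Monitor Settings table.
LABELS = {
    "src_ip": "Source IP",
    "dst_ip": "Destination IP",
    "dst_port": "Destination Port",
    "protocol": "Protocol",
    "src_iface": "Source Interface",
    "dst_iface": "Destination Interface",
}

# Constructed sample connection table (not captured from an appliance).
CONNECTIONS = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "dst_port": 443, "protocol": "TCP", "src_iface": "X0", "dst_iface": "X1"},
    {"src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "dst_port": 53, "protocol": "UDP", "src_iface": "X0", "dst_iface": "X1"},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.4", "dst_port": 22, "protocol": "TCP", "src_iface": "X0", "dst_iface": "X1"},
    {"src_ip": "192.0.2.9", "dst_ip": "10.0.0.7", "dst_port": 80, "protocol": "TCP", "src_iface": "X1", "dst_iface": "X0"},
]


def validate(criteria, grouped):
    """Split the filled-in criteria into the OR group and the AND-ed rest.
    A Group Filters selection of exactly one criterion is rejected, because
    the guide requires two or more."""
    unknown = set(criteria) - set(LABELS)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    grouped = [f for f in LABELS if f in grouped and f in criteria]
    if len(grouped) == 1:
        raise ValueError("Group Filters must be checked on two or more criteria")
    anded = [f for f in LABELS if f in criteria and f not in grouped]
    return grouped, anded


def search_string(criteria, grouped=()):
    """Render the search string the guide describes,
    e.g. '(Source IP OR Destination IP) AND Protocol'."""
    grouped, anded = validate(criteria, grouped)
    terms = []
    if grouped:
        terms.append("(" + " OR ".join(LABELS[f] for f in grouped) + ")")
    terms.extend(LABELS[f] for f in anded)
    return " AND ".join(terms)


def filter_connections(connections, criteria, grouped=()):
    """Return the connections that satisfy the search string."""
    grouped, anded = validate(criteria, grouped)

    def matches(conn):
        if any(conn[f] != criteria[f] for f in anded):
            return False
        if grouped and not any(conn[f] == criteria[f] for f in grouped):
            return False
        return True

    return [c for c in connections if matches(c)]
```

Without Group Filters, Source IP 10.0.0.5 and Destination IP 192.0.2.10 match only the first record; grouping those two and adding Protocol TCP also admits the SSH connection from 10.0.0.5, while the UDP DNS connection to 192.0.2.10 is excluded by the AND-ed Protocol term.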
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab. In the center pane, navigate to Diagnostics > CPU Monitor.
3. To refresh the CPU diagnostic display, click Refresh Diagnostic Data display.
4. To delete the CPU diagnostic display, click Delete Diagnostic Data display.
5. To modify the time period for the CPU data, select one of the following periods from the Chart for drop-down menu:
   CPU History for the last 60 seconds: Displays CPU history for the last minute.
   CPU History for the last 60 minutes: Displays CPU history for the last hour.
   CPU History for the last 24 hours: Displays CPU history for the last day.
   CPU History for the last 30 days: Displays CPU history for the last 30 days.
6. Click Fetch CPU Information to display CPU information from the SonicWALL appliance. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Diagnostics tree and click Process Monitor. The Process Monitor page displays.
3. To refresh the process diagnostic display, click Refresh Diagnostic Data display.
4. To delete the process diagnostic display, click Delete Diagnostic Data display.
5. Click Fetch Process Information to display Process Monitor information. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
Configuring General Website Blocking section on page 296
Configuring the CFS Exclusion List section on page 308
Blocking Web Features section on page 315
Configuring Access Consent section on page 316
N2H2 and Websense Content Filtering section on page 318
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > General. The Website Blocking General page displays.
4. based on the firmware version of the SonicWALL appliance. To configure SonicWALL content filtering, see Selecting the Content to Block on page 298.
   N2H2: To use N2H2, you must have the N2H2 software package
   Enterprise software package running on a server in your network. For more information, visit www.websense.com.
Note
If you select N2H2 or Websense, make sure to configure the appropriate filtering options. For more information, see N2H2 and Websense Content Filtering on page 318.
5. A trusted domain is a domain that is allowed to use Web features such as Java, ActiveX, and cookies. To create a list of trusted domains, select the Don't block Java/ActiveX/Cookies to Trusted Domains check box.
6. Enter one or more domain names in the Trusted Domains field and click Add. The scheduler displays. Multiple domains should be separated by a semicolon (;).
Timesaver Importing a .txt file with one domain name per line is the easiest way to add multiple domains to a Trusted Domains list. Click the Import... button to add multiple domains from a text file.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
10. Repeat steps 5 - 10 for other domains you would like to add.
Note
Enter the domain name only. For example, yahoo.com. Do not include http://. Entering yahoo.com will also allow access to www.yahoo.com, my.yahoo.com, sports.yahoo.com, and so on.
Note
This feature will only enable Web features for the selected domains. To make the domain available for unrestricted browsing, add it to the Allowed Domains list. For more information, see Customizing Access by Domain on page 309.
11. To delete a domain from the Trusted Domain list, click the checkbox in the trash can column for the domain and click Update.
12. To apply content filtering and Web feature restrictions to the LAN port (WorkPort), select LAN/WorkPort.
13. To apply content filtering and Web feature restrictions to the DMZ port (HomePort), select DMZ/HomePort/WLAN/OPT. For SonicWALL wireless appliances, the DMZ/HomePort/WLAN/OPT option also applies content filtering and Web feature restrictions to the WLAN interface.
14. Enter the message that will be displayed when users attempt to access restricted content, sites, and features. For example, This Web site is blocked is restricted. Get back to work.
15. When you are finished, click Update. The scheduler displays.
16. Expand Schedule by clicking the plus icon.
17. Select Immediate or specify a future date and time.
18. Click Accept.
You must activate a service licence to use CFL or CFS content blocking.
This page does not affect N2H2 or Websense content filtering. For information on configuring filtering options for these software packages, refer to their documentation.
1. In the left pane, select the global icon, a group or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > CFL Filter List.
4. Select the content to block by checking the box next to any of the following categories (to select all categories, check the Select All box):
   Violence/Profanity: Includes pictures or text depicting extreme cruelty, or physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain. Obscene words, phrases, and profanity are defined as text that uses, but is not limited to, George Carlin's seven censored words, more often than once every 50 messages (Newsgroups) or once a page (Web sites).
   Partial Nudity: Pictures exposing the female breast or full exposure of either male or female buttocks, except when exposing genitalia. Excludes all swimsuits, including thongs.
   Full Nudity: Pictures exposing any or all portions of the human genitalia. Excludes sites containing nudity or partial nudity of a wholesome nature. For example, Web sites hosted by publications such as National Geographic or Smithsonian Magazine and museums such as the Guggenheim, the Louvre, or the Museum of Modern Art are not blocked.
   Sexual Acts (graphics or text): Pictures or text exposing anyone or anything involved in explicit sexual acts and or lewd and lascivious behavior, including masturbation, copulation, pedophilia, and intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian or homosexual encounters. This also includes phone sex ads, dating services, adult personals, CD-ROMs, and videos.
   Gross Depictions (graphics or text): Pictures or descriptive text of anyone or anything that are crudely vulgar or grossly deficient in civility or behavior, or that show scatological impropriety. For example, maiming, bloody figures, or indecent depiction of bodily functions.
   Intolerance (graphics or text): Pictures or text advocating prejudice or discrimination against any race, color, national origin, religion, disability or handicap, gender, or sexual orientation. Includes any picture or text that elevates one group over another. Also includes intolerant jokes or slurs.
   Satanic/Cult (graphics or text): Pictures or text advocating devil worship, an affinity for evil or wickedness, or the advocacy to join a cult. A cult is defined as a closed society headed by a single individual where loyalty is demanded and leaving is punishable.
   Drug Culture (graphics or text): Pictures or text advocating the illegal use of drugs for entertainment. Includes substances used for other than their primary purpose to alter the individual's state of mind, such as glue sniffing. Excludes currently illegal drugs legally prescribed for medicinal purposes (e.g., drugs used to treat glaucoma or cancer).
   Militant/Extremist (graphics or text): Pictures or text advocating extremely aggressive and combative behaviors, or unlawful political measures. Topics include groups that advocate violence as a means to achieve their goals. Includes how-to information on weapons making, ammunition making, or the making or use of pyrotechnic materials. Also includes the use of weapons for unlawful reasons.
   Sex Education (graphics or text): Pictures or text advocating the proper use of contraceptives. This topic includes condom use, the correct way to wear a condom and how to put a condom in place. Also included are sites relating to discussion about the use of the Pill, IUDs, and other types of contraceptives. In addition to the above, this includes discussion sites on discussing diseases with a partner, pregnancy, and respecting boundaries. Excluded from this category are commercial sites selling sexual paraphernalia.
   Gambling/Questionable/Illegal (graphics or text): Pictures or text advocating materials or activities of a dubious nature which may be illegal in any or all jurisdictions, such as illegal business schemes, chain letters, copyright infringement, computer hacking, phreaking (using someone's phone lines without permission), and software piracy.
   Alcohol/Tobacco (graphics or text): Pictures or text advocating the
5. To configure the SonicWALL appliance(s) to download the content list weekly, select the Automatically Download List Every check box and select the day of the week and time when the download will occur.
Tip
If you select this option, configure the SonicWALL appliance(s) to download the list at a time when network activity is low.
6. To download a new content filter list now, click the Download Filter List Now button. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
   Log and Block Access: Blocks access to restricted content, sites, features, but logs access. This enables organizations to monitor appropriate usage without restricting access.
11. Select from the following filter list expiration options:
   To block access to all Web sites except trusted domains thirty days after the filter list expires, select Block traffic to all websites except for Allowed Domains.
   To allow access to all Web sites thirty days after the filter list expires, select Allow traffic access to all websites.
12. When you are finished, click Update. The scheduler displays.
13. Expand Schedule by clicking the plus icon.
14. Select Immediate or specify a future date and time.
15. Click Accept.
Configuring the General CFS Filter List Settings on page 302.
Configuring the CFS Standard Page on page 303.
Configuring the CFS Premium Page on page 306.
This page does not affect N2H2 or Websense content filtering. For information on configuring filtering options for these software packages, refer to their documentation.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > CFS Filter List.
4. Specify how long the SonicWALL appliance will wait if the CFS server is unavailable before blocking Web traffic in the If Server is unavailable for field.
5. Specify the action the SonicWALL appliance will take if the server is unavailable. To block access to all Web sites, select Block traffic to all Web sites. To allow access to all Web sites, select Allow traffic to all Web sites.
6. Specify how the SonicWALL appliance will respond to blocked URLs in the If Server marks URL as blocked section:
   Block Access to URL: Blocks access to restricted content, sites, and features.
   Log Access to URL: Does not block access to restricted content, sites, and features, but logs access. This enables organizations to monitor appropriate usage without restricting access.
7. Specify the size of the URL cache in the Cache Size field. For information on valid ranges, click the Click here for valid ranges link.
8. When you are finished, click Update. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
Note
This page does not affect N2H2 or Websense content filtering. For information on configuring filtering options for these software packages, refer to their documentation.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > CFS Standard.
4. Select the content to block by checking the box next to one of the following categories (to select all categories, check the Select all box):
   Violence/Hate/Racism: Includes pictures or text exposing extreme cruelty, or physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain. Includes pictures or text advocating prejudice or discrimination against any race, color, national origin, religion, disability or handicap, gender, or sexual orientation. Includes any picture or text that elevates one group over another. Also includes intolerant jokes or slurs.
   Cult/Occult (graphics or text): Pictures or text advocating devil worship, an affinity for evil or wickedness, or the advocacy to join a cult. A cult is defined as a closed society headed by a single individual where loyalty is demanded and leaving is punishable.
   Intimate Apparel/Swimsuit Partial Nudity: Pictures exposing
   the illegal use of drugs for entertainment. Includes substances used for other than their primary purpose to alter the individual's state of mind, such as glue sniffing. Excludes currently illegal drugs legally prescribed for medicinal purposes (e.g., drugs used to treat glaucoma or cancer).
   Nudism (graphics or text): Pictures or text advocating nudism,
   text advocating materials or activities of a dubious nature which may be illegal in any or all jurisdictions, such as illegal business schemes, chain letters, copyright infringement, computer hacking, phreaking (using someone's phone lines without permission), and software piracy.
   Pornography (graphics or text): Pictures of any or all portions of the human genitalia and pictures or text exposing anyone or anything involved in explicit sexual acts and or lewd and lascivious behavior, including masturbation, copulation, pedophilia, and intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian or homosexual encounters. Excludes sites containing nudity or partial nudity of a wholesome nature and all swimsuits, including thongs.
   Sex Education (graphics or text): Pictures or text advocating the proper use of contraceptives. This topic includes condom use, the correct way to wear a condom and how to put a condom in place. Also included are sites relating to discussion about the use of the Pill, IUDs, and other types of contraceptives. In addition to the above, this includes discussion sites on discussing diseases with a partner, pregnancy, and respecting boundaries. Excluded from this category are commercial sites selling sexual paraphernalia.
   Weapons (graphics or text): Pictures or text advocating the legal or illegal use of weapons, providing weapons for sale, or advocating extremely aggressive and combative behaviors, or unlawful political measures.
   Gambling (graphics or text): Pictures or text providing or advocating gambling services relating to lotteries, casinos, betting, numbers games, on-line sports, and financial betting, including non-monetary dares.
   Adult/Mature Content (graphics or text): Pictures or text such as phone sex ads, dating services, adult personals, CD-ROMs, and videos. Excludes sites containing nudity or partial nudity of a wholesome nature and all swimsuits, including thongs.
   Alcohol & Tobacco (graphics or text): Pictures or text advocating
5. When you are finished, click Update. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
9. If you believe that a website is rated incorrectly, or to submit a new URL for blocking, click the here link in the sentence If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here.
This page does not affect N2H2 or Websense content filtering. For information on configuring filtering options for these software packages, refer to their documentation.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > CFS Premium.
4.
5. Enter a name for the policy.
6. Click the URL List tab.
7. Check the boxes of the categories to block. To select all categories, check the Select all Categories box.
8. Click the Settings tab.
   a. To disable the allowed domains list, select the Disable Allowed
   select the Enable Forbidden Domains check box.
   Blocking check box.
9. From the drop-down menu, select when the forbidden URLs will be blocked.
10. When you are finished, click OK. The scheduler displays.
11. Expand Schedule by clicking the plus icon.
12. Select Immediate or specify a future date and time.
13. Click Accept.
14. Repeat this procedure for each filter that you would like to add.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab. In the center pane, navigate to Website Blocking > CFS Exclusion List.
3. Check the Enable CFS Exclusion List box to enable CFS block list exclusions.
4. Enter an IP address or IP address range to exclude. For a single IP address, enter the same IP address in the IP Address From and IP Address To fields. For a range, enter the beginning IP address in the IP Address From field and the ending IP address in the IP Address To field.
5. Click Add IP Range Entry.
6. Repeat steps 5 and 6 to add more IP addresses or IP address ranges.
7. To delete an IP address or IP address range from the CFS exclusion list, click the checkbox in the trashcan column for the addresses.
8. Click Update. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
Timesaver Importing a .txt file with one domain per line is the easiest way to add multiple domains to a forbidden/allowed list. See the Adding Multiple Domains From a List section on page 311 for more.
Forbidden domains are domains that users will not be allowed to access. This is useful when a website disrupts a corporate or educational environment. To find out which websites are most frequently accessed, refer to the Top Web Site Hits section of the log report. Up to 256 entries are supported in the Forbidden Domains list.
Note
This feature is not available if you select N2H2 or Websense content filtering. For information on configuring filtering options for these software packages, refer to their documentation.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > Customization.
4. To disable Web traffic except for allowed domains, check the Disable all Web traffic except for Allowed Domains box. (This option is available only on appliances running SonicOS Standard, or other non-Enhanced firmware.)
5.
1. To add a small number of domains, enter the domain name in the Allowed Domains field and click Add. The scheduler displays. You can add several domains at once by separating your entries with a semicolon (;).
Note
Enter the domain name only. For example, yahoo.com. Do not include http://. Entering yahoo.com will also allow access to www.yahoo.com, my.yahoo.com, sports.yahoo.com, and so on.
2. Expand Schedule by clicking the plus icon.
3. Select Immediate or specify a future date and time.
4. Click Accept.
5. Repeat this step for each domain you would like to add.
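The following is an added example (not GMS or SonicOS code) that parses a domain entry list the way the Trusted Domains and Allowed Domains notes above describe it, and then matches hostnames against the list: entries are separated by semicolons when typed into the field (or one per line when imported from a .txt file), must be bare domain names without http://, and an entry such as yahoo.com also covers www.yahoo.com, my.yahoo.com and so on. The helper names, the label check and the sample entries are constructed for illustration.

```python
"""Parse a domain entry list and match hostnames against it.

Added example, not GMS/SonicOS code. Assumes semicolon- or newline-separated
entries, rejects anything that is not a bare domain name, and treats an
entry as covering itself and every subdomain of it.
"""
import re

# Constructed, deliberately strict label check: letters, digits and hyphens,
# 1-63 characters, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_domain_entries(text):
    """Split a pasted field value or an imported .txt file into domain entries.

    Returns (valid, rejected): 'valid' is an ordered, de-duplicated list of
    lower-case domains; 'rejected' maps each bad entry to the reason, so the
    administrator sees why 'http://bad.example.com' was dropped instead of the
    list silently holding an entry that will never match a hostname."""
    valid, rejected, seen = [], {}, set()
    for raw in re.split(r"[;\r\n]+", text):
        entry = raw.strip().lower()
        if not entry:
            continue
        if "://" in entry:
            rejected[raw.strip()] = "remove the scheme (http://); enter the domain name only"
            continue
        if "/" in entry:
            rejected[raw.strip()] = "paths are not allowed; enter the domain name only"
            continue
        labels = entry.split(".")
        if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
            rejected[raw.strip()] = "not a valid domain name"
            continue
        if entry not in seen:
            seen.add(entry)
            valid.append(entry)
    return valid, rejected


def domain_matches(hostname, entry):
    """True if hostname is the entry itself or any subdomain of it.
    Requiring the '.' before the entry is what stops yahoo.com from
    matching notyahoo.com."""
    hostname = hostname.strip().lower().rstrip(".")
    return hostname == entry or hostname.endswith("." + entry)


def matching_entry(hostname, entries):
    """Return the list entry that covers hostname, or None if none does."""
    for entry in entries:
        if domain_matches(hostname, entry):
            return entry
    return None


# Constructed sample field value, as an administrator might paste it.
SAMPLE_FIELD = "yahoo.com; Example.ORG ;http://bad.example.com;bad.example.com/mail;yahoo.com"

VALID, REJECTED = parse_domain_entries(SAMPLE_FIELD)
```

The same parser handles the .txt import path, since line breaks are accepted as separators alongside semicolons; the rejected map is what a form should show back rather than accepting the entry and leaving an administrator to wonder why a domain is still blocked.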
2. Click the Browse... button to upload a text-based (.txt) file containing the URL list. The URLs in this text file must be separated by line breaks.
3. In the Schedule window, select Immediate or specify a future date and time.
4. Click Accept.
1. Select one of the following Timing options. (This option is available only on appliances running SonicOS Standard, or other non-Enhanced firmware.)
   Always Block: Always blocks access to all restricted content, sites, and features.
   Block From: Blocks access to restricted content, sites, and features between the selected hours. Select the from and to hours and the day range from the pull-down menus.
2. When you are finished, click Update. The scheduler displays.
3. Expand Schedule by clicking the plus icon.
4. Select Immediate or specify a future date and time.
5. Click Accept.
1. Navigate to Website Blocking > Customization.
2. Check the box below the trash can icon and next to the item you want to delete. Repeat this step for each domain that you want to remove from the domain lists.
3. When you are finished, click Update. The scheduler displays.
4. Expand Schedule by clicking the plus icon.
5. Select Immediate or specify a future date and time.
6. Click Accept.
Be careful when using this feature. For example, blocking the word breast can prevent access to both pornographic or objectionable sites, but will also block sites on breast cancer.
Note
This feature is not available if you select N2H2 or Websense content filtering. For information on configuring filtering options for these software packages, refer to their documentation.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > URL Keywords.
4.
5. Click Update. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
9. To add one or more keywords, enter them in the URL Keyword field and click Add. The scheduler displays. Multiple keywords should be separated by a semicolon (;).
Timesaver Importing a .txt file with one keyword per line is the easiest way to add multiple keywords. Click the Import... button to add multiple keywords from a text file.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept. Repeat these steps for each keyword you would like to add.
13. To remove a keyword, select its check box below the trash can icon. Repeat this step for each keyword that you want to remove from the keyword lists.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > Web Features.
4.
   language used to embed small programs in Web pages. It is generally considered insecure because it is possible for malicious programmers to write controls that can delete files, compromise security, or cause other damage.
   Java: Blocks Java applets. Java applets are downloadable Web applications that are used on many websites. Selecting this option will block all Java applets, regardless of their function.
   Cookies: Prevents websites from placing information on user hard drives. Cookies are used by Web servers to track Web usage and remember user identity. Cookies can compromise users' privacy by tracking Web activities.
Note
Blocking cookies on the public Internet creates a large number of accessibility problems. Most sites make extensive use of cookies to generate Web pages and blocking cookies will make most e-commerce applications unusable.
   proxy servers on the Internet to circumvent content filtering by pointing their computers to the proxy servers.
   Known Fraudulent Certificates: Blocks access to Web content that originated from a known fraudulent certificate. Digital certificates help verify that Web content originated from an authorized party.
5. When you are finished, click Update. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
This feature is not available if you select N2H2 or Websense content filtering. For information on configuring filtering options for these software packages, refer to their documentation.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > Consent.
4. Check the Require Consent check box to require consent. Users can choose if they want filtering or not.
5. Enter the maximum time (in minutes) a user can access the Internet in the Maximum Web Usage field.
6. Specify the maximum amount of time (in minutes) a connection may remain idle before the user is logged out and must agree to the consent agreement again in the User Idle Timeout field.
7. Enter the URL of the Web page from which users choose to enable filtering in the Consent Page URL (Optional Filtering) field. This page displays when users first attempt to access the Internet and must contain a link for choosing unfiltered access and a link for choosing filtered access. The link for unfiltered access is IPaddress/iAccept.html. The link for filtered access is IPaddress/iAcceptFilter.html. IPaddress is the LAN (WorkPort) IP address of the SonicWALL appliance.
8. Enter the URL of the page that displays when users choose to access the Internet without content filtering in the Consent Accepted URL (Filtering Off) field. This page must be accessible on the LAN (WorkPort).
9. Enter the URL of the page that displays when users access the Internet with content filtering enabled in the Consent Accepted URL (Filtering On) field. This page must be accessible on the LAN (WorkPort).
10. When a user opens a Web browser on a computer with mandatory content filtering they will be shown a consent page. Enter the URL for the consent page in the Consent Page URL (Mandatory Filtering) field. You will need to create this Web page. It usually contains an Acceptable Use Policy and a notification that violations will be logged or blocked. This Web page must reside on a Web server that is accessible as a URL by LAN (WorkPort) users. This page must also contain a link that tells the SonicWALL appliance that the user agrees to having filtering enabled. To do this, create the following link: IPaddress/iAcceptFilter.html where IPaddress is the LAN (WorkPort) IP address of the SonicWALL appliance.
11. To enforce content filtering for a specific computer on the LAN, enter the IP address in the IP Addresses field of the Mandatory Filtered IP Addresses section and click Add. Up to 128 IP addresses can be entered.
12. To remove a computer from the list of computers to be filtered, click the checkbox in the trash can column for the IP address.
13. When you are finished, click Update. The scheduler displays.
14. Expand Schedule by clicking the plus icon.
15. Select Immediate or specify a future date and time.
16. Click Accept.
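The following is an added example (not GMS or SonicOS code) that models the Access Consent flow of steps 4 through 11: which consent page a LAN client is redirected to, how a click on the iAccept.html or iAcceptFilter.html link changes its state, and when the Maximum Web Usage and User Idle Timeout values force a new consent. It assumes that the usage limit counts minutes since consent was given and that an address in the Mandatory Filtered IP Addresses list may only accept the filtered link; the page URLs and client addresses are constructed.

```python
"""Model of the Access Consent decision flow.

Added example, not GMS/SonicOS code. Times are in minutes to match the
Maximum Web Usage and User Idle Timeout fields; URLs and IPs are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

ACCEPT_UNFILTERED = "/iAccept.html"        # link on the optional-filtering page
ACCEPT_FILTERED = "/iAcceptFilter.html"    # link on both consent pages


@dataclass
class ClientState:
    consented_at: Optional[float] = None   # None until consent is given
    last_seen: Optional[float] = None
    filtering_on: bool = True


@dataclass
class ConsentGate:
    max_usage_min: float                   # Maximum Web Usage
    idle_timeout_min: float                # User Idle Timeout
    consent_optional_url: str              # Consent Page URL (Optional Filtering)
    consent_mandatory_url: str             # Consent Page URL (Mandatory Filtering)
    accepted_off_url: str                  # Consent Accepted URL (Filtering Off)
    accepted_on_url: str                   # Consent Accepted URL (Filtering On)
    mandatory_ips: set = field(default_factory=set)   # Mandatory Filtered IP Addresses
    clients: dict = field(default_factory=dict)

    def _state(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def _consent_expired(self, st, now):
        if st.consented_at is None:
            return True
        if now - st.consented_at >= self.max_usage_min:
            return True                    # Maximum Web Usage reached
        if now - st.last_seen >= self.idle_timeout_min:
            return True                    # idle too long: logged out
        return False

    def request(self, ip, now):
        """Decide what a browser request from ip gets: ('allow', mode) or a
        redirect to the consent page that applies to this client."""
        st = self._state(ip)
        if self._consent_expired(st, now):
            st.consented_at = None
            if ip in self.mandatory_ips:
                return ("redirect", self.consent_mandatory_url)
            return ("redirect", self.consent_optional_url)
        st.last_seen = now
        return ("allow", "filtered" if st.filtering_on else "unfiltered")

    def accept(self, ip, link, now):
        """Handle a click on one of the two consent links."""
        st = self._state(ip)
        if link == ACCEPT_UNFILTERED:
            if ip in self.mandatory_ips:
                # A mandatory-filtered client cannot opt out; send it back.
                return ("redirect", self.consent_mandatory_url)
            st.filtering_on = False
            target = self.accepted_off_url
        elif link == ACCEPT_FILTERED:
            st.filtering_on = True
            target = self.accepted_on_url
        else:
            return ("error", "unknown consent link")
        st.consented_at = st.last_seen = now
        return ("redirect", target)


def build_demo_gate():
    """Constructed configuration: 60 minutes of usage, 10 minutes idle,
    one client on the mandatory list."""
    return ConsentGate(
        max_usage_min=60,
        idle_timeout_min=10,
        consent_optional_url="http://intranet.example/consent-optional.html",
        consent_mandatory_url="http://intranet.example/consent-mandatory.html",
        accepted_off_url="http://intranet.example/unfiltered.html",
        accepted_on_url="http://intranet.example/filtered.html",
        mandatory_ips={"10.0.0.20"},
    )
```

Modelling the flow this way makes the two expiry conditions explicit: a client that keeps browsing still loses its consent when the usage budget runs out, and a client that stops browsing loses it after the idle timeout, which is why step 6 says the user must agree again.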
N2H2
To configure N2H2 content filtering options, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > N2H2.
4. Enter the N2H2 server name or IP address in the Server Host Name or IP Address field.
5. Enter the port on which the N2H2 server listens for N2H2 requests in the Listen Port field (default: 4005).
6. Enter the port that the N2H2 server uses to send packets to the SonicWALL appliances in the Reply Port field (default: 4005).
7. Enter the username associated with the N2H2 account in the User Name field.
8. Enter the size of the URL cache in the URL Cache Size field. A larger URL cache can improve browser response times.
9. Select the action that the SonicWALL appliance(s) will take if the N2H2 server is unavailable beyond a specified period of time. First, enter the time period (in seconds) in the If user is unavailable for field. Then, select one of the options:
   To block traffic to all Web sites, select Block traffic to all Web sites.
   To allow access to all Web sites, select Allow traffic to all Web sites.
10. If a server marks a URL as blocked, select one of the following actions:
   Block Access to URL: Blocks access to restricted sites and logs access attempts.
   Log Access to URL: Does not block access to restricted sites, but logs access. This enables organizations to monitor appropriate usage without restricting access.
11. When you are finished, click Update. The scheduler displays.
12. Expand Schedule by clicking the plus icon.
13. Select Immediate or specify a future date and time.
14. Click Accept.
Websense
To configure Websense content filtering options, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Website Blocking > Websense.
4. Enter the Websense server name or IP address in the Server Host Name or IP Address field.
5. Enter the port used for Websense packets in the Server Port field (default: 15868).
6. Enter the username associated with the Websense account in the User Name field.
7. Enter the size of the URL cache in the URL Cache Size field. A larger URL cache can improve browser response times. The default cache size is 50.
8. Enter a time period (in seconds) in the If user is unavailable for field. Then, select the action that the SonicWALL appliance(s) will take after that period of time:
- To block traffic to all Web sites, select Block traffic to all Web sites.
- To allow access to all Web sites, select Allow traffic to all Web sites.
9.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept.
DHCP Server Options Overview section on page 322
Configuring DHCP Over VPN section on page 322
Configuring Dynamic DHCP IP Address Ranges section on page 325
Configuring Static IP Addresses section on page 329
Configuring DHCP Option Objects section on page 333
Configuring DHCP Option Groups section on page 334
Configuring General DHCP Settings section on page 334
DHCP over VPN enables clients of the SonicWALL appliance to obtain IP addresses from a DHCP server at the other end of the VPN tunnel or a local DHCP server.
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the DHCP tree and click DHCP over VPN. The DHCP over VPN page displays.
3. To obtain IP addresses from a DHCP server through a VPN tunnel, select Remote Gateway from the DHCP Relay Mode list box and do the following:
- Select the security association (SA) through which the DHCP server resides from the Obtain using DHCP through this SA list box.
- appliance as the IP address of the DHCP Relay Agent in the Relay IP Address field.
- tunnel from behind the Central Gateway, enter the management IP address in the Remote Management IP Address field.
- detected, the SonicWALL blocks any traffic across the VPN tunnel that is spoofing an authenticated user's IP address. If you have any static devices, however, you must ensure that the correct Ethernet address is entered for the device.
- obtained from the local SonicWALL appliance. Once the tunnel is active, it will stop issuing leases. To enable this option, select the Obtain temporary lease from local DHCP server if tunnel is down check box.
SonicWALL GMS 6.0 Administrators Guide
When you enable this option, clients will be able to obtain IP addresses if the tunnel is unavailable. To ensure that clients use the remote DHCP server shortly after it becomes available, enter a short lease time in the Temporary Lease Time field. The default value is two minutes. Make sure to enable DHCP and enter an IP address range on the DHCP Setup page. Otherwise, the SonicWALL appliance will be unable to act as a DHCP server.
- To specify static IP addresses on the LAN (WorkPort), enter the IP address and MAC address and click Add. Repeat this step for each device that uses a static IP address.
- To prevent a device from obtaining an IP address through the SA, enter its MAC address and click Add. Repeat this step for each device that will not be allowed to obtain an IP address through the SA.
To obtain IP addresses from local servers, select Central Gateway from the DHCP Relay Mode list box and do the following:
- To configure the SonicWALL appliance to send DHCP requests to specific DHCP servers, select the Send DHCP requests to the server addresses listed below check box. Then, enter the IP address of a DHCP server and click Add. Repeat this step for each DHCP server that you want to add.
- requests, deselect the Send DHCP requests to the server addresses listed below check box and leave the DHCP Servers field blank.
- To use the DHCP server built into the SonicWALL appliance for some clients, select the Use Internal DHCP Server check box. To use the internal DHCP server for Global VPN clients, select the For Global VPN Client check box. To use the internal DHCP server for remote firewalls, select the For Remote Firewalls check box.
4. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
This section describes how to configure dynamic IP address ranges. To configure one or more dynamic IP address ranges, perform the following steps:
1. Select a SonicWALL appliance.
2. Expand the DHCP tree and click Dynamic Ranges. The Dynamic Ranges page displays.
3.
- To enable the DHCP server, select the Enable DHCP Server check box.
- To disable the DHCP server, deselect the Enable DHCP Server check box.
4. Select Enable Conflict Detection to turn on automatic DHCP scope conflict detection on each zone.
5. Range column.
6. In the DHCP Setup dialog box, on the General tab, complete the following fields:
- Select the Enable this DHCP Scope check box to enable the DHCP
- In the Lease Time field, type the number of minutes that an IP address is used before another IP address is issued (or the same one is re-issued). 1440 minutes (24 hours) is the default value.
- Specify the IP address and subnet mask of the default gateway for this IP address range in the Default Gateway and Subnet Mask fields. By default, these fields will use the settings on the Network Settings page.
- Select the Allow BootP clients to use range check box if you have BootP clients on this network. BootP stands for bootstrap protocol, which is a TCP/IP protocol and service that allows diskless workstations to obtain their IP address, other TCP/IP configuration information, and their boot image file from a BootP server.
7.
8. In the DHCP Setup dialog box, on the DNS/WINS tab, complete the following fields:
- Optionally enter the domain name associated with this IP address
- To configure one or more DNS servers for this range, do one of the following:
  - To use the DNS servers specified on the Network Settings page,
  - To specify the DNS servers manually for this IP address range, select Specify Manually and then type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
- If you have WINS running on your network, type the WINS server IP address in the WINS Server 1 field. You can add an additional WINS server.
9. For units running SonicOS Enhanced 4.0 and above, click the Advanced tab. This tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network, and to configure DHCP generic options for lease scopes.
10. Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses. For more information about configuring VoIP, see Configuring Voice over IP Settings on page 249.
11. To configure a DHCP lease scope, select a DHCP option or option group in the DHCP Generic Option Group drop-down menu.
12. To always use DHCP options for this DHCP server lease scope, select the Send Generic options always checkbox.
13. When you are finished, click OK. The settings are saved. To clear all screen settings and start over, click Reset.
1. Select a SonicWALL appliance.
2. Expand the DHCP tree and click Static Entries. The Static Entries page displays.
3.
- To enable the DHCP server, select the Enable DHCP Server check box.
- To disable the DHCP server, deselect the Enable DHCP Server check box.
4. Select Enable Conflict Detection to turn on automatic DHCP scope conflict detection on each zone.
5.
6. In the DHCP Setup dialog box, on the General tab, complete the following fields:
- Select the Enable this DHCP Scope check box to enable this static
- field.
- Type the IP address of the device in the Static IP Address field.
- Enter the Ethernet (MAC) address of the device in the Ethernet Address field.
- In the Lease Time field, type the number of minutes that an IP address is used before it is re-issued. 1440 minutes (24 hours) is the default value.
- Specify the IP address and subnet mask of the default gateway for this IP address in the Default Gateway and Subnet Mask fields. By default, these fields will use the settings on the Network Settings page.
7. To add a static IP address, click Add Static Entry and complete the following fields:
- Specify the IP address and subnet mask of the default gateway for this IP address in the Default Gateway and Subnet Mask fields. By default, these fields will use the settings on the Network Settings page.
- Enter the lease time for this IP address in the Lease Time field.
8.
9. In the DHCP Setup dialog box, on the DNS/WINS tab, complete the following fields:
- If you have a domain name associated with this IP address, enter it in
- To configure one or more DNS servers for this range, do one of the following:
  - To use the DNS servers specified on the Network Settings page,
  - To specify the DNS servers manually for this IP address, select Specify Manually and then type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
- If you have WINS running on your network, type the WINS server IP address in the WINS Server 1 field. You can add an additional WINS server.
10. For units running SonicOS Enhanced 4.0 and above, click the Advanced tab. This tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network, and to configure DHCP generic options for lease scopes.
11. Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses. For more information about configuring VoIP, see Configuring Voice over IP Settings on page 249.
12. To configure a DHCP lease scope, select a DHCP option or option group in the DHCP Generic Option Group drop-down menu.
13. To always use DHCP options for this DHCP server lease scope, select the Send Generic options always checkbox.
14. When you are finished, click OK. The settings are saved. To clear all screen settings and start over, click Reset.
This screen is available at the unit/appliance level only for units running SonicOS Enhanced 4.0 and above.
This section describes how to configure DHCP Option Objects. DHCP Option Objects can be used when setting DHCP Generic Options for DHCP Dynamic Ranges or Static Entries. For more information about DHCP Options, see DHCP Server Options Overview on page 322.
Step 1 Expand the DHCP tree and click Option Objects.
Step 2 Click Add New Object or the Configure icon for an existing object. The Add/Edit DHCP Option Objects page displays.
Step 3 Type a name for the option in the Option Name field.
Step 4 From the Option Number drop-down list, select the option number that corresponds to your DHCP option.
Step 5 Optionally check the Option Array checkbox to allow entry of multiple option values in the Option Value field.
Step 6 The option type displays in the Option Type drop-down menu. The drop-down menu will be functional only if multiple option numbers are available.
Step 7 Type the option value, for example, an IP address, in the Option Value field. If Option Array is checked, multiple values may be entered, separated by a semi-colon (;).
Step 8 Click the OK button. The object will display in the DHCP Option Object Settings list.
This screen is available at the unit/appliance level only for units running SonicOS Enhanced 4.0 and above.
This section describes how to configure DHCP Option Groups. For more information about DHCP Options, see DHCP Server Options Overview on page 322. To configure DHCP Option Groups:
Step 1 Expand the DHCP tree and click Option Groups.
Step 2 Click Add New Group or the Configure icon for an existing group. The Add/Edit DHCP Option Group page displays.
Step 3 Type a name for the group in the Name field.
Step 4 To add DHCP Option Objects to the group, select one or more objects on the left side and click the arrow to move them to the right.
Step 5 To remove DHCP Option Objects from the group, select one or more objects on the right side and click the arrow to move them to the left. Or, click Remove All to remove all objects from the group.
Step 6 When finished, click OK.
This section describes how to configure general DHCP settings for a group of appliances. The settings in the Policies > DHCP > Setup page apply to all appliances in the selected group, depending on their inheritance settings. To configure general DHCP settings, perform the following steps:
1.
2. Expand the DHCP tree and click Setup. The Static Entries page displays.
3.
- To enable the DHCP server, select the Enable DHCP Server check box.
- To disable the DHCP server, deselect the Enable DHCP Server check box.
- To disable the DHCP server and configure computers on the LAN (WorkPort) to use a DHCP server outside the firewall, deselect the Enable DHCP Server check box and select the Allow DHCP Pass Through check box.
- Enter the lease time for this IP address in the Lease Time field.
- Optional. Enter the domain name associated with this IP address in
- To use the DNS and WINS servers specified on the Network Settings
- Specify Manually and enter the IP addresses of the DNS and WINS servers.
4. When you are finished, click Update. The settings are saved. To clear all screen settings and start over, click Reset.
1. Navigate to the Policies > DHCP > Trusted Agents screen in the SonicWALL GMS user interface.
2. Click the Enable Trusted DHCP Relay Agent List checkbox to enable this feature.
3. Choose a Trusted Relay Agent List from the dropdown menu. The default selection for the trusted agent list is the Default Trusted Relay Agent List address group. The entries for this address group are defined in the Network > Address Objects page.
4. Click the Update button to confirm your changes.
Note
Configuring Users in SonicOS Enhanced on page 337
Configuring Users in SonicOS Standard on page 370
Configuring User Login Settings on page 338
Configuring LDAP and Active Directory on page 340
Global User Settings on page 352
Configuring an Acceptable Use Policy on page 353
Configuring Local Users on page 354
Configuring Local Groups on page 356
Configuring ULA Settings on page 359
Configuring HTTP URL-Based ULA Settings on page 359
Configuring RADIUS for SonicOS Enhanced on page 360
Configuring Single Sign-On on page 362
Configuring Guest Services on page 366
Configuring Guest Accounts on page 368
Step 1 Select one of the following authentication methods from the Authentication method for login drop-down list:
- Local Users: To configure users in the local database using the Users > Local Users and Users > Local Groups pages. For information on configuring local users and groups, see Configuring Local Users on page 354 and Configuring Local Groups on page 356.
- RADIUS: If you have more than 1,000 users or want to add an extra layer of security for authenticating the user to the SonicWALL. If you select Use RADIUS for user authentication, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS. For information on configuring RADIUS, see Configuring RADIUS for SonicOS Enhanced on page 360.
- RADIUS + Local Users: If you want to use both RADIUS and the SonicWALL local user database for authentication. For information on configuring RADIUS, see Configuring RADIUS for SonicOS Enhanced on page 360.
- LDAP: If you use a Lightweight Directory Access Protocol (LDAP) server or Microsoft Active Directory (AD) server to maintain all your user account data. For information about configuring LDAP, see Configuring LDAP and Active Directory on page 340.
- LDAP + Local Users: If you want to use both LDAP and the SonicWALL local user database for authentication. For information about configuring LDAP, see Configuring LDAP and Active Directory on page 340.
Step 2 In the Single-sign-on method drop-down list, select SonicWALL SSO Agent if you are using Active Directory for authentication and the SonicWALL SSO Agent is installed on a computer in the same domain. Otherwise, select None. For information on configuring SSO, see Configuring Single Sign-On on page 362.
Step 3 To require that user names are treated as case-sensitive, select the Case-sensitive user names checkbox.
Step 4 To prevent a user from logging in from more than one location at a time, select the Enforce login uniqueness check box.
Step 5 Enter the number of minutes that the login authentication page is displayed in the Show authentication page for field.
Step 6 Select Redirect users from HTTPS to HTTP on completion of login if the session does not need to be encrypted.
LDAP Terms on page 340
Prerequisites for LDAP Configuration on page 342
Configuring LDAP on page 343
Further Information on LDAP Schemas on page 352
Active Directory support on SonicOS Enhanced is not a single-sign-on mechanism by itself, but rather the ability for SonicOS Enhanced to act as an LDAP client against an Active Directory's LDAP interface using Microsoft's implementation of an LDAP schema. SonicOS Enhanced provides extremely flexible schema interoperability, with support for the Microsoft AD schema, the LDAP core schema, the RFC2798 inetOrgPerson schema, and even user-defined schemas. Connectivity to LDAP servers is also flexible, with support for the following protocols:
LDAPv2 (RFC3494)
LDAPv3 (RFC2251-2256, RFC3377)
LDAPv3 over TLS (RFC2830)
LDAPv3 with STARTTLS (RFC2830)
LDAP Referrals (RFC2251)
LDAP Terms
The following terms are useful when working with LDAP and its variants:
Attribute: A data item stored in an object in an LDAP directory. Objects can have required attributes or allowed attributes. For example, the dc attribute is a required attribute of the dcObject (domain component) object.
cn: The common name attribute is a required component of many object classes throughout LDAP.
dc: The domain component attribute is commonly found at the root of a distinguished name, and is commonly a required attribute.
dn: A distinguished name, which is a globally unique name for a user or other object. It is made up of a number of components, usually starting with a common name (cn) component and ending with a domain specified as two or more domain components (dc). For example, cn=john,cn=users,dc=domain,dc=com.
Entry: The data that is stored in the LDAP directory. Entries are stored in attribute/value (or name/value) pairs, where the attributes are defined by object classes. A sample entry would be cn=john where cn (common name) is the attribute, and john is the value.
Object: In LDAP terminology, the entries in a directory are referred to as objects. For the purposes of the SonicOS implementation of the LDAP client, the critical objects are User and Group objects. Different implementations of LDAP can refer to these object classes in different fashions, for example, Active Directory refers to the user object as user and the group object as group, while RFC2798 refers to the user object as inetOrgPerson and the group object as groupOfNames.
Object class: Object classes define the type of entries that an LDAP directory may contain. A sample object class, as used by AD, would be user or group.
ou: The organizational unit attribute is a required component of most LDAP schema implementations.
Schema: The schema is the set of rules or the structure that defines the types of data that can be stored in a directory, and how that data can be stored. Data is stored in the form of entries.
TLS: Transport Layer Security is the IETF standardized version of SSL (Secure Sockets Layer). TLS 1.0 is the successor to SSL 3.0.
Microsoft Active Directory's classes can be browsed at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/classes_all.asp>
LDAP / AD Configuration is performed from the User > Settings page. Selecting either LDAP or LDAP+Local Users and clicking Apply at the top of the page will enable LDAP support, the former using an LDAP directory server exclusively, and the latter using a combination of the LDAP server and the local user database. Upon applying these settings, an informational alert will be presented. Because the SonicWALL will be receiving sensitive username and password information from authenticating clients, HTTPS logins will automatically be enabled to secure the credential exchanges.
1. Navigate to Start > Settings > Control Panel > Add/Remove Programs.
2. Select Add/Remove Windows Components.
Note
Skip step numbers 3 through 7 if Certificate Services are already installed.
3. Select Certificate Services.
4. Select Enterprise Root CA when prompted.
5. Enter the requested information. For detailed information on CA setup, see http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
6. Launch the Domain Security Policy application: Start > Run > dompol.msc.
7. Open Security Settings > Public Key Policies.
8. Right click on Automatic Certificate Request Settings.
9.
10. Select New > Automatic Certificate Request.
11. Step through the wizard, and select Domain Controller from the list.
1. Launch the Certification Authority application: Start > Run > certsrv.msc.
2. Right click on the CA you created, select properties.
3. On the General tab, click the View Certificate button.
4. From the Details tab, select Copy to File.
5. Step through the wizard, select the Base-64 Encoded X.509 (.cer) format.
6. Browse to System > CA Certificates. Select Add new CA certificate. Browse to and select the certificate file you just exported. Click the Import certificate button.
Note
Should installation of Certificate Services on the Active Directory server be undesirable for some reason, secure operation can be achieved without TLS by using LDAP with RADIUS (see the RADIUS with LDAP for user groups section later).
Configuring LDAP
Perform the following steps to configure LDAP authentication.
1. Browse to the User > Settings page and select either LDAP or LDAP + Local Users.
2. Click the Configure LDAP button to launch the LDAP configuration window:
3.
- server against which you wish to authenticate. If using a name, be certain it can be resolved by your DNS server. Also, if using TLS with the Require valid certificate from server option, the name provided here must match the name to which the server certificate was issued (i.e. the CN) or the TLS exchange will fail.
- Port Number: The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server, specify it here.
- Server timeout: The amount of time, in seconds, that the SonicWALL will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999 (in case you're running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.
- Anonymous Login: Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (MS AD generally does not), then you may select this option.
- Login name: Specify a user name which has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full dn notation. This can be any account with LDAP read privileges (essentially any user account); administrative privileges are not required. Note that this is the user's name, not their login ID (e.g. John Smith rather than jsmith).
- Login password: The password for the user account specified above.
- Protocol version: Select either LDAPv3 or LDAPv2. Most modern
- server. It is strongly recommended that TLS be used to protect the username and password information that will be sent across the network. Most modern implementations of LDAP server, including AD, support TLS. Deselecting this default setting will provide an alert which must be accepted to proceed.
- Send LDAP Start TLS Request: Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. AD does not use this option, and it should only be selected if required by your LDAP server.
- presented by the server during the TLS exchange, matching the name specified above to the name on the certificate. Deselecting this default option will present an alert, but exchanges between the SonicWALL and the LDAP server will still use TLS, only without issuance validation.
- Local certificate for TLS: Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (AD does not return passwords). This setting is not required for AD.
If your network uses multiple LDAP/AD servers with referrals, then select one as the primary server (probably the one that holds the bulk of the users) and use the above settings for that server. It will then refer the SonicWALL on to the other servers for users in domains other than its own. For the SonicWALL to be able to log in to those other servers, each server must have a user configured with the same credentials (user name, password and location in the directory) as per the login to the primary server. This may entail creating a special user in the directory for the SonicWALL login. Note that only read access to the directory is required.
4.
- inetOrgPerson, RFC2307 Network Information Service, Samba SMB, Novell eDirectory, or user-defined. Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values. Selecting user-defined will allow you to specify your own values; use this only if you have a specific or proprietary LDAP schema configuration.
- Object class: This defines which attribute represents the individual
- authentication:
  - sAMAccountName for Microsoft Active Directory
  - inetOrgPerson for RFC2798 inetOrgPerson
  - posixAccount for RFC2307 Network Information Service
  - sambaSAMAccount for Samba SMB
  - inetOrgPerson for Novell eDirectory
- Qualified login name attribute: If not empty, this specifies an attribute of a user object that sets an alternative login name for the user in name@domain format. This may be needed with multiple domains in particular, where the simple login name may not be unique across domains. This is set to mail for Microsoft Active Directory and RFC2798 inetOrgPerson.
- User group membership attribute: This attribute contains the information in the user object of which groups it belongs to. This is memberOf in Microsoft Active Directory. The other pre-defined schemas store group membership information in the group object rather than the user object, and therefore do not use this field.
- Framed IP address attribute: This attribute can be used to retrieve a static IP address that is assigned to a user in the directory. Currently it is only used for a user connecting via L2TP with the SonicWALL's L2TP server. In future this may also be supported for Global VPN Client. In Active Directory the static IP address is configured on the Dial-in tab of a user's properties.
5.
- implementation. For AD, this will be the Active Directory domain name, e.g. yourADdomain.com. Changes to this field will, optionally, automatically update the tree information in the rest of the page. This is set to mydomain.com by default for all schemas except Novell eDirectory, for which it is set to o=mydomain.
- User tree for login to server: The tree in which the user specified in the Settings tab resides. For example, in AD the administrator account's default tree is the same as the user tree.
- Trees containing users: The trees where users commonly reside in the LDAP directory. One default value is provided which can be edited, and up to a total of 64 DN values may be provided; the SonicWALL searches the directory using them all until a match is found, or the list is exhausted. If you have created other user containers within your LDAP or AD directory, you should specify them here.
- Trees containing user groups: Same as above, only with regard to user group containers, and a maximum of 32 DN values may be provided. These are only applicable when there is no user group membership attribute in the schema's user object, and are not used with AD.
All the above trees are normally given in URL format but can alternatively be specified as distinguished names (e.g. myDom.com/Sales/Users could alternatively be given as the DN ou=Users,ou=Sales,dc=myDom,dc=com). The latter form will be necessary if the DN does not conform to the normal formatting rules as per that example. In Active Directory the URL corresponding to the distinguished name for a tree is displayed on the Object tab in the properties of the container at the top of the tree.
Note
AD has some built-in containers that do not conform (e.g. the DN for the top level Users container is formatted as cn=Users,dc=, using cn rather than ou) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. Ordering is not critical, but since they are searched in the given order it is most efficient to place the most commonly used trees first in each list. If referrals between multiple LDAP servers are to be used, then the trees are best ordered with those on the primary server first, and the rest in the same order that they will be referred.
Note
When working with AD, to find the location of a user in the directory for the User tree for login to server field, the directory can be searched manually from the Active Directory Users and Settings control panel applet on the server, or a directory search utility such as queryad.vbs in the Windows NT/2000/XP Resource Kit can be run from any PC in the domain.
Auto-configure: This causes the SonicWALL to auto-configure the Trees containing users and Trees containing user groups fields by scanning through the directory/directories looking for all trees that contain user objects. The User tree for login to server must first be set, and clicking the Auto-configure button then brings up the following dialog:
6. Select whether to append new located trees to the current configuration, or to start from scratch removing all currently configured trees first, and then click OK. Note that it will quite likely locate trees that are not needed for user login, and some tidying up afterwards, manually removing such entries, is worthwhile. If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the Domain to search accordingly and selecting Append to existing trees on each subsequent run.
7.
- Allow only users listed locally: Requires that LDAP users also be
- user names: Allows for group membership (and privileges) to be determined by the intersection of local user and LDAP user configurations.
- which LDAP users will belong in addition to group memberships configured on the LDAP server.
Group memberships (and privileges) can also be assigned simply with LDAP. By creating user groups on the LDAP/AD server with the same name as SonicWALL built-in groups (such as Guest Services, Content Filtering Bypass, Limited Administrators) and assigning users to these groups in the directory, or creating user groups on the SonicWALL with the same name as existing LDAP/AD user groups, SonicWALL group memberships will be granted upon successful LDAP authentication. The SonicWALL appliance can retrieve group memberships more efficiently in the case of Active Directory by taking advantage of its unique trait of returning a memberOf attribute for a user.
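The URL-to-DN conversion of tree names (including AD's cn= built-in containers from the note above), the in-order search of the Trees containing users list, and the by-name mapping of directory groups to SonicWALL built-in groups, as an added Python example that is not SonicWALL's code. The directory contents, the set of built-in containers treated as cn= (Users, Computers, Builtin) and all function names are assumptions made for the example.

```python
from typing import Any, Dict, List, Optional

# Constructed assumption: AD containers directly under the domain root that
# are "container" objects (cn=) rather than organizational units (ou=).
AD_BUILTIN_CONTAINERS = {"users", "computers", "builtin"}

# Constructed stand-in for the LDAP/AD directory: {dn: {attribute: value}}.
SAMPLE_DIRECTORY: Dict[str, Dict[str, Any]] = {
    "cn=John Smith,ou=Users,ou=Sales,dc=myDom,dc=com": {
        "sAMAccountName": "jsmith",
        "memberOf": ["cn=Sales Staff,ou=Groups,dc=myDom,dc=com",
                     "cn=Content Filtering Bypass,cn=Users,dc=myDom,dc=com"],
    },
    "cn=Jane Doe,cn=Users,dc=myDom,dc=com": {
        "sAMAccountName": "jdoe",
        "memberOf": ["cn=Limited Administrators,cn=Users,dc=myDom,dc=com"],
    },
}

# SonicWALL built-in groups named on the page; membership in a directory
# group of the same name is granted on successful LDAP authentication.
SONICWALL_BUILTIN_GROUPS = {"Guest Services", "Content Filtering Bypass",
                            "Limited Administrators"}


def _escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 requires escaping in an RDN value."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;='
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if special or leading or trailing else ch)
    return "".join(out)


def tree_url_to_dn(url: str) -> str:
    """Convert 'myDom.com/Sales/Users' to 'ou=Users,ou=Sales,dc=myDom,dc=com'.

    A top-level built-in container (myDom.com/Users) becomes cn=Users,dc=...,
    as the note on AD's non-conforming containers describes.
    """
    parts = [p for p in url.strip().split("/") if p]
    if not parts:
        raise ValueError("empty tree URL")
    domain_rdns = ["dc=" + _escape_rdn_value(label)
                   for label in parts[0].split(".") if label]
    if not domain_rdns:
        raise ValueError("tree URL has no domain component: %r" % url)
    path_rdns = []
    for depth, component in enumerate(parts[1:]):
        builtin = depth == 0 and component.lower() in AD_BUILTIN_CONTAINERS
        path_rdns.append(("cn=" if builtin else "ou=") + _escape_rdn_value(component))
    # DNs are written leaf first, so the path is reversed ahead of the domain.
    return ",".join(path_rdns[::-1] + domain_rdns)


def _base_dn(tree: str) -> str:
    """Accept a tree in either URL form or DN form, as the Directory tab does."""
    return tree if "=" in tree else tree_url_to_dn(tree)


def find_user_dn(login: str, user_trees: List[str],
                 directory: Dict[str, Dict[str, Any]] = SAMPLE_DIRECTORY,
                 login_attr: str = "sAMAccountName") -> Optional[str]:
    """Search the configured trees in order; first match wins, None if exhausted.

    Mirrors the Trees containing users behaviour, including its cap of 64 DN
    values. An entry matches when its DN lies under the tree's base DN.
    """
    if len(user_trees) > 64:
        raise ValueError("at most 64 user trees may be configured")
    for tree in user_trees:
        base = _base_dn(tree).lower()
        for dn, attrs in directory.items():
            in_tree = dn.lower().endswith("," + base)
            if in_tree and str(attrs.get(login_attr, "")).lower() == login.lower():
                return dn
    return None


def sonicwall_groups(user_dn: str,
                     directory: Dict[str, Dict[str, Any]] = SAMPLE_DIRECTORY) -> List[str]:
    """Read the user's memberOf attribute (AD stores membership on the user
    object) and return the SonicWALL built-in groups it maps to by name."""
    granted = []
    for group_dn in directory[user_dn].get("memberOf", []):
        first_rdn = str(group_dn).split(",", 1)[0]
        attr, _, name = first_rdn.partition("=")
        if attr.lower() == "cn" and name in SONICWALL_BUILTIN_GROUPS:
            granted.append(name)
    return granted


if __name__ == "__main__":
    trees = ["myDom.com/Sales/Users", "myDom.com/Users"]
    dn = find_user_dn("jsmith", trees)
    print(dn, sonicwall_groups(dn))
```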
8.
The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL, with remote satellite sites connected into it via low-end SonicWALL security appliances that may not support LDAP. In that case the central SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server. Additionally, for remote SonicWALLs running non-enhanced firmware, with this feature the central SonicWALL can return legacy user privilege information to them based on user group memberships learned via LDAP. This avoids what can be very complex configuration of an external RADIUS server such as IAS for those SonicWALLs.
9.
- checkboxes and policy rules will be added to allow incoming RADIUS requests accordingly.
- remote SonicWALLs.
- User groups for legacy users: These define the user groups that correspond to the legacy Access to VPNs, Access from VPN client with XAUTH, Access from L2TP VPN client and Allow Internet access (when access is restricted) privileges respectively. When a user in one of the given user groups is authenticated, the remote SonicWALL will be informed that the user is to be given the relevant privilege.
Note
The Bypass filters and Limited management capabilities privileges are returned based on membership to user groups named Content Filtering Bypass and Limited Administrators; these are not configurable.
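As an added example (not SonicWALL code), the following Python shows how the group-name matching and legacy-privilege relay described above can be derived from a user's Active Directory memberOf attribute, using the built-in group and privilege names the guide lists. The sample DNs, local group names and the privilege-to-group mapping are constructed, and case-insensitive name matching is an assumption the guide does not state.

```python
"""Added example, not SonicWALL code: map an AD user's memberOf attribute to
SonicWALL group memberships and to the legacy privileges relayed to remote
SonicWALLs. All sample data below is constructed."""
from typing import Dict, List, Set

# Built-in SonicWALL groups named in the guide.
BUILTIN_GROUPS = {"Guest Services", "Content Filtering Bypass", "Limited Administrators"}

# Privileges the guide describes as fixed (not configurable), keyed by group name.
FIXED_PRIVILEGES = {
    "Content Filtering Bypass": "Bypass filters",
    "Limited Administrators": "Limited management capabilities",
}


def first_rdn_value(dn: str) -> str:
    """Return the value of the leading CN RDN of an LDAP DN.

    Handles backslash-escaped characters (e.g. "CN=Sales\\, East,OU=...") so an
    escaped comma inside a group name does not end the RDN early.
    """
    chars: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep the next char literally
            chars.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends the first RDN
            break
        chars.append(ch)
        i += 1
    attr, _, value = "".join(chars).partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"leading RDN is not a CN: {dn}")
    return value.strip()


def sonicwall_groups(member_of: List[str], local_groups: Set[str]) -> Set[str]:
    """Groups granted on the SonicWALL after LDAP authentication.

    A directory group counts when its name matches a built-in SonicWALL group or a
    group created locally on the SonicWALL. Matching is case-insensitive here,
    which is an assumption; the guide only says the names must be the same.
    """
    known = {name.lower(): name for name in BUILTIN_GROUPS | local_groups}
    granted: Set[str] = set()
    for dn in member_of:
        name = first_rdn_value(dn).lower()
        if name in known:
            granted.add(known[name])
    return granted


def legacy_privileges(granted: Set[str], legacy_groups: Dict[str, str]) -> Set[str]:
    """Legacy privileges the central SonicWALL would return to a remote SonicWALL.

    legacy_groups maps each configurable legacy privilege (Access to VPNs, etc.)
    to the user group chosen for it; the two fixed privileges come from
    FIXED_PRIVILEGES regardless of configuration.
    """
    privileges = {FIXED_PRIVILEGES[g] for g in granted if g in FIXED_PRIVILEGES}
    for privilege, group in legacy_groups.items():
        if group in granted:
            privileges.add(privilege)
    return privileges


# Constructed sample: one user's memberOf values and a SonicWALL's local configuration.
SAMPLE_MEMBER_OF = [
    "CN=content filtering bypass,OU=Groups,DC=example,DC=com",
    "CN=VPN Users,OU=Groups,DC=example,DC=com",
    "CN=Sales\\, East,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
]
SAMPLE_LOCAL_GROUPS = {"VPN Users", "XAUTH Users", "L2TP Users", "Internet Users"}
SAMPLE_LEGACY_GROUPS = {
    "Access to VPNs": "VPN Users",
    "Access from VPN client with XAUTH": "XAUTH Users",
    "Access from L2TP VPN client": "L2TP Users",
    "Allow Internet access (when access is restricted)": "Internet Users",
}


def evaluate(member_of: List[str]) -> Dict[str, Set[str]]:
    """Run the full mapping for one user against the constructed configuration."""
    groups = sonicwall_groups(member_of, SAMPLE_LOCAL_GROUPS)
    return {"groups": groups, "privileges": legacy_privileges(groups, SAMPLE_LEGACY_GROUPS)}


if __name__ == "__main__":
    print(evaluate(SAMPLE_MEMBER_OF))
```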
The Test page allows for the configured LDAP settings to be tested by attempting authentication with specified user and password credentials. Any user group memberships and/or framed IP address configured on the LDAP/AD server for the user will be displayed.
Microsoft Active Directory: Schema information is available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp> and <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_reference.asp>
RFC2798 InetOrgPerson: Schema definition and development information is available at <http://rfc.net/rfc2798.html>
RFC2307 Network Information Service: Schema definition and development information is available at <http://rfc.net/rfc2307.html>
Samba SMB: Development information is available at <http://us5.samba.org/samba/>
Novell eDirectory: LDAP integration information is available at <http://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.html>
User-defined schemas: See the documentation for your LDAP installation.
You can also see general information on LDAP at <http://rfc.net/rfc1777.html>
The following options are configured in the User Session Settings section:
Inactivity timeout (minutes): users can be logged out of the SonicWALL after a preconfigured inactivity time. Enter the number of minutes in this field. The default value is 5 minutes.
Enable login session limit: you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field. The default value is 30 minutes.
Login page timeout (minutes): defines how much time a user has to log in before the login page times out. If it times out, a message displays saying they must click before attempting to log in again.
Show user login status window with logout button: causes a status window to display with a Log Out button during the user's session. The user can click the Log Out button to log out of their session.
User's login status window refreshes every (minutes): determines how often the user's status display is updated.
User's login status window sends status heartbeat every (seconds): determines how often a heartbeat is sent back to the SonicWALL. This heartbeat notifies the SonicWALL of a user's connection status and continues to be sent as long as the status window is open.
Enable disconnected user detection: causes the SonicWALL to detect when a user's connection is no longer valid and end the session.
Timeout on heartbeat from user's login status window (minutes): sets the time needed without a reply from the heartbeat before ending the user session.
LDAP read from server options: are available when the LDAP option is active. The options are:
Automatically update the schema configuration
Export details of the schema
The Acceptable Use Policy section allows you to create the AUP message window for users. You can use HTML formatting in the body of your message. Clicking the Example Template button creates a preformatted HTML template for your AUP window. Perform the following steps to configure an AUP:
1. Expand the Users tree and click on the Settings tab.
2. Select which users will see the AUP page by selecting the Display on login from checkboxes. For SonicOS Enhanced, select the zones that will display the AUP page. For SonicOS Standard, select the network interfaces.
3. Configure the dimensions of the AUP window in pixels in the Window size (pixels) fields.
4. Check the Enable scroll bars on the window to allow users to scroll through the AUP window contents.
5. Enter the text for the AUP in the Acceptable use policy page content. The content can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.
6. Click the Example Template button to create a preformatted HTML template for your AUP window.
Caution
Clicking the Example Template button will overwrite the existing content in the AUP window.
7. Click the Preview button to display your AUP message as it will appear for the user.
8. Click Update.
SonicOS Enhanced uses a Group/User hierarchy for organizing users. This section describes how to configure new users and groups. To add or edit a user, perform the following steps:
1. Expand the Users tree and click Local Users. The Local Users page displays.
2. To add a local user, click Add New Local User. To edit the settings of an existing user, click its Configure icon.
3.
access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.
Limited Management Capabilities: select this option to provide the user limited local management access to the SonicWALL Management interface. The access is limited to the following pages:
General: Status, Network, Time
Log: View Log, Log Settings, Log Reports
Tools: Restart, Diagnostics minus Tech Support Report
4.
5. Select a user group of which this user will be a member and click the right arrow button (->). Repeat this step for each group to add.
6. Click the VPN Access tab.
7. Select a network that this user will be able to access through the VPN client software and click the right arrow button (->). Repeat this step for each network to add.
8. When you are finished, click OK. The settings are saved. Repeat this procedure for each user to add or modify.
Limited Administrators
The permissions of these groups will automatically be applied to their members unless you manually modify a user's settings. To add or edit a group, perform the following steps:
1. Expand the Users tree and click Local Groups. The Local Groups page displays.
2. To add a local group, click Add New Local Group. To edit the settings of an existing group, click its Configure icon.
3.
have unlimited access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.
Limited Management Capabilities: select this option to provide users within the group limited local management access to the SonicWALL Management interface. The access is limited to the following pages:
General: Status, Network, Time
Log: View Log, Log Settings, Log Reports
SonicWALL GMS 6.0 Administrators Guide
5. Select the members or groups that will belong to this group and click the right arrow button (->).
6. Click the VPN Access tab.
7. Select the networks that users within this group will be able to access through their VPN client software and click the right arrow button (->).
8. Click the CFS Policy tab.
9. Select a CFS policy to apply to the group in the Policy drop-down menu.
10. When you are finished, click OK. The settings are saved.
1. Expand the Users tree and click HTTP URL ULA. The HTTP URL ULA page displays.
2. Enter the fully qualified URL of the site that users will be allowed to access without being authenticated in the ULA HTTP URLs field.
3. Click Add.
4. Click Update.
2. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10; however, 3 RADIUS server retries is recommended.
3. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a default value of 5.
RADIUS Servers
1. Specify the following settings for the primary RADIUS server in the Primary Server section:
Type the IP address of the RADIUS server in the IP Address field.
Type the Port Number for the RADIUS server.
Type the RADIUS server administrative password or shared secret in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
2. If there is a secondary RADIUS server, type the appropriate information in the Secondary Server section.
RADIUS Users
1. To only allow users that are configured locally, but to still use RADIUS to authenticate them, select the Allow only users listed locally check box.
2. Select the mechanism used for setting user group memberships for RADIUS users from the following list:
Use SonicWALL vendor-specific attribute on RADIUS server: select to tell the RADIUS server to send vendor-specific attributes back to the SonicWALL appliance.
Use RADIUS Filter-ID attribute on RADIUS server: select to tell the RADIUS server to send Filter-ID user attributes back to the SonicWALL appliance. Filter-ID attributes include the names of user groups that a user belongs to.
Enter duplicate RADIUS user names locally on the SonicWALL: select when the RADIUS server contains user names and passwords, but has no user group information. The SonicWALL appliance contains the user group configuration for each user, while RADIUS simply authenticates the password.
3. For a shortcut for managing RADIUS user groups, check Memberships can be set locally by duplicating RADIUS user names. When you create users with the same name locally on the security appliance and manage their group memberships, the memberships in the RADIUS database will automatically change to mirror your local changes.
4. If you have previously configured User Groups on the SonicWALL, select the group from the Default user group to which all RADIUS users belong menu.
5. You can create a new group by choosing Create a new user group... from the list. The Add Group window displays.
Navigate to the Diagnostics > Network page. Enter a valid user name in the User field, and the password in the Password field. Click the RADIUS Client Test button.
If the validation is successful, the Status message changes to Success. If the validation fails, the Status message changes to Failure. Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to type a User Name and Password into a dialogue box.
Step 1 On the User > Settings page, if you are using Active Directory for authentication, select SonicWALL SSO Agent from the Single sign-on method drop-down list, and then click the Configure button.
Step 2 In the Transparent Authentication Configuration screen, in the Name or IP Address field, enter the name or IP Address of the workstation on which SonicWALL SSO Agent is installed.
Step 3 In Port Number, enter the port number of the workstation on which SonicWALL SSO Agent is installed. The default port is 2258.
Step 4 In the Shared Key field, enter the shared key that you created or generated in the SonicWALL SSO Agent. The shared key must match exactly.
Step 5 Re-enter the shared key in the Confirm Shared Key field.
Step 6 In the Timeout (seconds) field, enter a number of seconds before the authentication attempt times out.
Step 7 In the Retries field, enter the number of authentication attempts.
Step 8 Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated.
Step 9 Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not checked, user names in the local database must match exactly the full names returned from the agent, including the domain component.
Step 10 Check the box next to Allow limited access for non-domain users to allow limited access to users who are logged in to a computer but not into a domain. These users will not be given access to the Trusted Users user group. They are identified in logs as computer-name/user-name. When performing local authentication and the Simple user names in local database option is disabled, user names must be configured in the local database using the full computer-name/user-name identification.
Step 11 To use LDAP to retrieve user information, select the Use LDAP to
Step 12 To use local configuration, select the Local configuration radio button.
Step 13 In the Polling rate (minutes) field, enter a polling interval, in minutes, that the security appliance will poll the workstation running SSO Agent to verify that users are still logged on.
Step 14 In the Hold time after (minutes) field, enter a time, in minutes, that the security appliance will wait before trying again to identify traffic after an initial failure to do so. This feature rate-limits requests to the agent.
Step 15 Click on the Content Filter tab if you are using the SonicWALL Content Filtering Service (CFS) and there is a proxy server in your network.
Note
The Content Filter tab is only displayed if Premium CFS is enabled on the SonicWALL security appliance.
Step 16 To bypass SSO for content filtering traffic and apply the default content filtering policy to the traffic, select the appropriate address object or address group from the drop-down list. This setting should be used where traffic that would be subject to content filtering can emanate from a device other than a user's workstation (such as an internal proxy web server). It prevents the SonicWALL from attempting to identify such a device as a network user in order to select the content filtering policy to apply. The default content filtering policy will be used for all traffic from the selected IP addresses.
Step 17 You can test the Transparent Authentication Configuration settings on the Policies > Diagnostics > Network page. For more information, click the Test tab.
Step 18 When finished, click OK.
2. Check Show guest login status window with logout button to display a user login window on the user's workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.
3. To create a guest profile, click Add below the Guest Profile list. The Add Guest Profile page displays.
4.
generated from this profile to have an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.
Auto-generate password: Check this to allow guest accounts generated from this profile to have an automatically generated password. The generated password is an eight-character unique alphabetic string.
Enable Account: Check this for all guest accounts generated from
of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to login with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.
active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime.
passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
Comment: Any text can be entered as a comment in the Comment field.
5.
2.
3.
name is the prefix in the profile and a random two or three digit number.
Comment: Enter a descriptive comment.
Password: Enter the user account password or click Generate. The
this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use this account at once.
Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation. This setting overrides the account lifetime setting in the profile.
active after it has been activated. By default, activation occurs the first time a guest user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session. Exceeding the period defined by this setting expires the session, but the account itself remains active as long as the Account Lifetime hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime. This setting overrides the idle timeout setting in the profile.
4. Click Update.
Configuring User Settings on page 370
Global User Settings on page 372
Configuring an Acceptable Use Policy on page 373
Configuring ULA Settings on page 374
Configuring HTTP URL-Based ULA on page 374
Configuring RADIUS for SonicOS Standard on page 375
In order for changes on this page to take effect, the SonicWALL(s) will automatically be restarted. We recommend configuring these options when network activity is low.
1. Expand the Users tree and click Settings. The User Settings page displays.
2.
To only allow users that are configured locally, but to still use RADIUS to authenticate them, select the Allow only users listed below check box.
To grant users the privileges that are configured locally, but to still use RADIUS for authentication, select the Include privileges from users listed locally checkbox.
database, select Local Users from the Authentication method for login drop-down menu.
3.
Internet.
L2TP Client: enables the user to connect using an L2TP client.
Wireless Guest Service: enables Wireless Guest Services for this user.
Easy WGS MAC Filtering: enables (and enforces) MAC address
management access to the SonicWALL interface. Access is limited to the General page (Status, Network, Time), the Log page (View Log, Log Settings, Log Reports), and the Tools page (Restart, Diagnostics minus Tech Support).
Enter the password in the New Password field and reenter it in the
Note
Passwords are case-sensitive. When you are finished, click Add. SonicWALL GMS creates a task that adds these users for each selected SonicWALL appliance. Repeat this step for each user that you want to add (up to 100 users).
Inactivity timeout (minutes): users can be logged out of the SonicWALL after a preconfigured inactivity time. Enter the number of minutes in this field. The default value is 5 minutes.
Enable login session limit: you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field. The default value is 30 minutes.
Login session timeout: defines how much time a user has to log in before the login page times out. If it times out, a message displays saying they must click before attempting to log in again.
Show user login status window with logout button: causes a status window to display with a Log Out button during the user's session. The user can click the Log Out button to log out of their session.
User's login status window refreshes every: determines how often the user's status display is updated.
Enable disconnected user detection: causes the SonicWALL to detect when a user's connection is no longer valid and end the session.
User's login status window sends heartbeat every (seconds): sets the frequency of the heartbeat signal used to detect whether the user still has a valid connection.
Allow unauthenticated VPN users to access DNS: allows unauthenticated users access to DNS servers across a VPN tunnel with authentication enforcement.
1. Expand the Users tree and click User ULA Settings. The User ULA Settings page displays.
2. To only allow authenticated users to access the Internet, select the Allow only authenticated users to access the Internet check box.
3. To allow unauthenticated users to access a service, select the service in the Always allow these services area and click Add. Repeat this step for each service to add.
4. To specify a range of IP addresses that will always be allowed to access the Internet, enter the IP address in the Begin field and the size of the range in the Length field. Repeat this step for each range to add.
5. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
2. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10; however, 3 RADIUS server retries is recommended.
3. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a default value of 5.
RADIUS Servers
1. Specify the following settings for the primary RADIUS server in the Primary Server section:
Type the IP address of the RADIUS server in the IP Address field.
Type the Port Number for the RADIUS server.
Type the RADIUS server administrative password or shared secret in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
2. If there is a secondary RADIUS server, type the appropriate information in the Secondary Server section.
RADIUS Users
1.
users to access the Internet when Internet access is restricted to authorized users only.
Bypass Filters: enables Bypass Filters if the user can bypass
management access to the SonicWALL interface. Access is limited to the General page (Status, Network, Time), the Log page (View Log, Log Settings, Log Reports), and the Tools page (Restart, Diagnostics minus Tech Support).
Allow Only Users Listed Locally: Disallows access to RADIUS
To test your RADIUS Client user name and password, perform the following steps:
1. Navigate to the Diagnostics > Network page.
2. Enter a valid user name in the User field, and the password in the Password field.
3. Click the RADIUS Client Test button.
If the validation is successful, the Status message changes to Success. If the validation fails, the Status message changes to Failure. Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to type a User Name and Password into a dialogue box.
Step 2 Select the Enable Anti-Spam Service checkbox to activate the Anti-Spam service.
Configuring the Email Threat Categories on page 378
Configuring Email Domains on page 380
Configuring User Defined Access Lists on page 380
Configuring Advanced Options on page 381
Configuring Anti-Spam Real-Time Black List Filtering on page 383
Likely Spam: Store in Junk Box
Definite Spam: Permanently Delete
Likely Phishing: Tag with [LIKELY PHISHING]
Definite Phishing: Store in Junk Box
Use the drop-down options to choose how to handle messages in each threat category. Your options are:
Filtering off: SonicWALL Anti-Spam service will not scan and filter any email, so all email messages in this category are delivered to the recipients without modification.
Tag With: The email is tagged with a term in the subject line, for example, [JUNK] or [Possible Junk?]. Selecting this option allows the user to have control of the email and junk it if it is unwanted.
Store in Junk Box: The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions.
The email message is returned to sender with a message indicating that it was not deliverable.
Permanently Delete: The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email.
Advanced options allow you to set the following:
Allow / Reject delivery of unprocessed mails when Comprehensive Anti-Spam Service is unavailable: If the Anti-Spam service is not enabled or unavailable for some other reason, you can choose Allow to let all unprocessed emails go through. Spam messages will be delivered to users, as well as good email. If the setting is Reject, no email will be delivered until the Anti-Spam service is re-enabled.
Tag and Deliver / Reject / Delete emails when SonicWALL Junk Store is unavailable: If the SonicWALL Junk Store cannot accept spam messages, you can choose to delete them, reject them, or deliver them with cautionary subject lines such as [Phishing]Please renew your account.
Probe Interval: Set the number of minutes between messages to the monitoring service.
Success Count Threshold: Set the number of successes required to report a success to the monitoring service.
Failure Count Threshold: Set the number of failures required to report a failure to the monitoring service.
Server Public IP Address: The IP address of the server that is available for external connections.
Server Private IP Address: The IP address of the server for internal traffic.
Inbound Email Port: The port your SonicWALL UTM appliance has open to receive email from outside sources.
Enable Email System Detection: Enables the detection of other anti-spam solutions in the network perimeter.
SMTP Real-Time Black List (RBL) is a mechanism for publishing the IP addresses that SMTP spammers use. There are a number of organizations that compile this information, both for free: http://www.spamhaus.org, and for profit: http://www.mail-abuse.com. A well-maintained list of RBL services and their efficacy can be found at: http://www.sdsc.edu/~jeff/spam/cbc.html
Note
SMTP RBL is an aggressive spam filtering technique that can be prone to false-positives because it is based on lists compiled from reported spam activity. The SonicOS implementation of SMTP RBL filtering provides a number of fine-tuning mechanisms to help ensure filtering accuracy.
RBL list providers publish their lists using DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain using the inverted IP notation of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type of undesirability:
127.0.0.4 - Spam Source
127.0.0.5 - Smart Host
127.0.0.6 - Spamware Site
127.0.0.7 - Bad List Server
127.0.0.8 - Insecure Script
127.0.0.9 - Open Proxy Server
For example, if an SMTP server with IP address 1.2.3.4 has been blacklisted by RBL list provider sbl-xbl.spamhaus.org, then a DNS query to 4.3.2.1.sbl-xbl.spamhaus.org will provide a 127.0.0.4 response, indicating that the server is a known source of spam, and the connection will be dropped.
Note
Most spam today is known to be sent from hijacked or zombie machines running a thin SMTP server implementation. Unlike legitimate SMTP servers, these zombie machines rarely attempt to retry failed delivery attempts. Once the delivery attempt is blocked by the SonicWALL RBL filter, no subsequent delivery attempts for that same piece of spam will be made.
When Enable Real-time Black List Blocking is enabled on the Anti-Spam > RBL Filter page, inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN are checked against each enabled RBL service with a DNS request to the DNS servers configured under RBL DNS Servers.
The RBL DNS Servers menu allows you to specify the DNS servers. You can choose Inherit Settings from WAN Zone or Specify DNS Servers Manually. If you select Specify DNS Servers Manually, enter the DNS server addresses in the DNS Server fields.
The DNS responses are collected and cached. If any of the queries result in a blacklisted response, the server will be filtered. Responses are cached using TTL values, and non-blacklisted responses are assigned a cache TTL of 2 hours. If the cache fills up, then cache entries are discarded in a FIFO (first-in-first-out) fashion. The IP address check uses the cache to determine if a connection should be dropped. Initially, IP addresses are not in the cache and a DNS request must be made. In this case the IP address is assumed innocent until proven guilty, and the check results in the allowing of the connection. A DNS request is made and results are cached in a separate task. When subsequent packets from this IP address are checked, if the IP address is blacklisted, the connection will be dropped.
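As an added example (not SonicWALL code), the following Python models the RBL behaviour described in this section: the inverted-octet query name and the 127.0.0.x response codes from the list above, a first check that allows an unknown host while the DNS lookup runs as a separate task, TTL-based caching with the 2-hour TTL for non-listed results, and FIFO eviction when the cache is full. DNS is replaced by a constructed in-memory table so it runs offline, and the cache size and the injected clock are assumptions.

```python
"""Added example, not SonicWALL code: model of the RBL query and cache behaviour
the guide describes. DNS is replaced by a constructed in-memory table."""
import ipaddress
from collections import OrderedDict
from typing import Callable, Dict, List, Optional, Tuple

# Response codes listed in the guide (127.0.0.2 and 127.0.0.3 are not on this page).
RBL_CODES: Dict[str, str] = {
    "127.0.0.4": "Spam Source", "127.0.0.5": "Smart Host",
    "127.0.0.6": "Spamware Site", "127.0.0.7": "Bad List Server",
    "127.0.0.8": "Insecure Script", "127.0.0.9": "Open Proxy Server",
}
NON_LISTED_TTL = 2 * 3600  # guide: non-blacklisted responses are cached for 2 hours
Answer = Tuple[Optional[str], int]  # (A record or None, TTL in seconds)


def rbl_query_name(ip: str, rbl_domain: str) -> str:
    """Inverted-octet query name: 1.2.3.4 against sbl-xbl.spamhaus.org becomes
    4.3.2.1.sbl-xbl.spamhaus.org. Raises ValueError on a malformed address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain


def is_listed_response(answer: Optional[str]) -> bool:
    """Any answer in 127.0.0.2 .. 127.0.0.9 means the host is listed."""
    if answer is None:
        return False
    a = ipaddress.IPv4Address(answer)
    return ipaddress.IPv4Address("127.0.0.2") <= a <= ipaddress.IPv4Address("127.0.0.9")


class RblCache:
    """TTL cache of per-IP verdicts with FIFO eviction when full."""

    def __init__(self, resolver: Callable[[str], Answer], rbl_domains: List[str],
                 max_entries: int, now: Callable[[], float]) -> None:
        self.resolver = resolver
        self.rbl_domains = list(rbl_domains)
        self.max_entries = max_entries           # assumed size; the guide gives none
        self.now = now                           # injectable clock
        self._entries: "OrderedDict[str, Tuple[bool, float]]" = OrderedDict()
        self.pending: List[str] = []             # lookups handed to the separate task

    def check(self, ip: str) -> bool:
        """True if the connection from ip should be dropped. An IP with no valid
        cache entry is innocent until proven guilty: allowed, and a lookup is queued."""
        entry = self._entries.get(ip)
        if entry is not None:
            listed, expires_at = entry
            if expires_at > self.now():
                return listed
            del self._entries[ip]                # expired: query again
        self.pending.append(ip)
        return False

    def run_pending_lookups(self) -> None:
        """The separate task: query each enabled RBL service and cache the verdict."""
        while self.pending:
            ip = self.pending.pop(0)
            listed, ttl = False, NON_LISTED_TTL
            for domain in self.rbl_domains:
                answer, answer_ttl = self.resolver(rbl_query_name(ip, domain))
                if is_listed_response(answer):
                    listed, ttl = True, answer_ttl   # listed verdicts keep the DNS TTL
                    break
            self._store(ip, listed, ttl)

    def _store(self, ip: str, listed: bool, ttl: int) -> None:
        if ip not in self._entries and len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)    # FIFO: drop the oldest entry
        self._entries[ip] = (listed, self.now() + ttl)


# Constructed stand-in for DNS: only the guide's 1.2.3.4 example is listed.
FAKE_DNS: Dict[str, Answer] = {"4.3.2.1.sbl-xbl.spamhaus.org": ("127.0.0.4", 300)}


def fake_resolver(qname: str) -> Answer:
    return FAKE_DNS.get(qname, (None, 0))


def simulate() -> Dict[str, object]:
    """Walk through the behaviour the guide describes and return each verdict."""
    clock = [1000.0]
    cache = RblCache(fake_resolver, ["sbl-xbl.spamhaus.org"], max_entries=2,
                     now=lambda: clock[0])
    r: Dict[str, object] = {}
    r["first_check"] = cache.check("1.2.3.4")      # False: unknown, allowed, lookup queued
    cache.run_pending_lookups()
    r["cached_check"] = cache.check("1.2.3.4")     # True: listed as Spam Source, dropped
    cache.check("5.6.7.8")
    cache.run_pending_lookups()
    r["clean_cached"] = cache.check("5.6.7.8")     # False, and no new lookup is queued
    r["pending_after_clean"] = len(cache.pending)  # 0
    cache.check("9.9.9.9")
    cache.run_pending_lookups()                    # third entry evicts 1.2.3.4 (FIFO)
    r["after_eviction"] = cache.check("1.2.3.4")   # False: must be queried again
    cache.run_pending_lookups()
    clock[0] += 301                                # the listed entry's 300 s TTL has passed
    r["after_ttl"] = cache.check("1.2.3.4")        # False until the refresh completes
    return r
```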
To add an RBL service, click the Add button. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected response codes. Most RBL services list the responses they provide on their Web site, although selecting Block All Responses is generally acceptable.
Statistics are maintained for each RBL Service in the RBL Service table, and can be viewed with a mouseover of the (statistics) icon to the right on the service entry.
button, click the edit icon in the Configure column of the RBL User White List row, and add the Address Object. The table will be updated, and that server will always be allowed to make SMTP exchanges. The System > Diagnostics page also provides a Real-time Black List Lookup feature that allows for SMTP IP addresses (or RBL services, or DNS servers) to be specifically tested.
VPN SA Management Overview section on page 389
Viewing the VPN Summary section on page 391
Configuring VPN Settings section on page 392
Configuring ULA Settings for VPNs section on page 395
Configuring VPNs in SonicOS Enhanced section on page 396
Configuring VPNs in SonicOS Standard section on page 403
Setting up the L2TP Server section on page 436
Monitoring VPN Connections section on page 437
Management of VPN Client Users section on page 437
VPN Terms and Concepts section on page 439
Using OCSP with SonicWALL Security Appliances section on page 442
A security key string is an encryption key that is used to encrypt and decrypt secure data. Both nodes must have the key to exchange data. For example, the announcer of the Little Orphan Show used the same key to encode the secret messages that the kids used to decode the messages. Although an encrypted message cannot be read, it can be tampered with externally. Using an authentication key prevents external tampering. An authentication key is a hash function that is applied to the message content and is checked by the message recipient to verify the message was not modified in transit. In order to ensure message security, it is very important that the security and authentication keys are not discovered by outside parties. Otherwise, the messages could be read in transit.
Deployment Caveats
When managing one or more VPNs through GMS, be aware of the following caveats:
Because of the individual nature of deployment, VPN SA configurations are not inheritable. If updates are completed at the group node, separate tasks must be created for each individual unit within that node.
Authentication Methods
SonicWALL appliances can use the following methods to exchange security and authentication keys:
SonicWALL certificates: each SonicWALL appliance obtains a certificate from the SonicWALL Certificate Authority (CA). Security and authentication keys are exchanged using public-key cryptography and authenticity of each node is verified by the SonicWALL CA. After the SA expires, the SonicWALL appliances will reestablish an SA using the same public keys, but the security and authentication keys will be different. If one set of security and authentication keys is compromised by an outside party, that party will be unable to compromise the next set of keys.
Third-party certificatesthe SonicWALL appliance and peer device obtain certificates from the third-party certificate authorities. Security and authentication keys are exchanged using public-key cryptography and authenticity of each node is verified by the third-party CA.
390
After the SA expires, the peers will reestablish an SA using the same public keys, but will not use the same security and authentication keys.
Pre-shared secreteach SonicWALL appliance has a shared secret that is used to establish an SA. After the SA expires, the SonicWALL appliances will reestablish an SA using the same public keys, but will not use the same security and authentication keys.
Pre-exchanged security and authentication keyskeys are exchanged in advance. The SA will always use the same encryption and authentication keys. If the keys are compromised by an outside party, they will remain compromised until the keys are changed.
Note
For an explanation of VPN terms, see VPN Terms and Concepts on page 439.
1. Expand the VPN tree and click Summary. The VPN Summary page displays.
Note
If VPN is already configured for the SonicWALL appliance, a list of current SAs displays. The unique firewall identifier also displays.
2. Note the improved navigation for managing VPNs through the page navigation arrows within the Current IPSec Security Associations list. To navigate through the pages, click the navigation arrow buttons in the upper right corner of the VPN Summary page, as shown in the figure.
When managing VPNs, the VPN Summary window can list too many VPNs for you to easily find the entry you want to view. To make VPN searching and viewing easier, GMS provides a pagination feature in the VPN Summary screen that breaks the list of VPNs into multiple pages. Each page can display up to 50 VPNs. To display the next page of VPNs, click the Next button. GMS displays the succeeding page of the VPN Summary window.
1. Expand the VPN tree and click Settings. The VPN Settings page displays.
2. Under Global IPSec Settings, select the Enable VPN check box.
3. To disable all NetBIOS broadcasts, select the Disable all VPN Windows Networking (NetBIOS) broadcast check box.
4. To improve interoperability with other VPN gateways and applications that use a large data packet size, select the Enable Fragmented Packet Handling check box. Packet fragmentation overburdens a network router by resending data packets and causes network traffic to slow down between networks. The Enable Fragmented Packet Handling option configures the SonicWALL appliance to listen to the intermediate router and, if necessary, send Internet Control Message Protocol (ICMP) messages to the router to decrease the size of the data packets. Enabling this option is recommended if the VPN tunnel logs contain many Fragmented IPSec packets dropped messages.
5. To ignore Don't Fragment (DF) bits from routers connected to the SonicWALL appliance, select the Ignore DF Bit check box.
6. NAT Traversal is an Internet Engineering Task Force (IETF) draft standard that wraps an IPsec packet in a UDP/IP header, allowing NAT devices to change IP addresses without affecting the integrity of the IPsec packet. To enable NAT traversal, select the Enable NAT Traversal check box.
7. Specify how often the SonicWALL appliance issues a Keepalive in the Keep alive time field.
8. To enable detection of a dead peer, select Enable IKE Dead peer detection. Then, specify how often the SonicWALL appliance attempts to detect a peer in the Dead peer detection Interval field, and specify the number of failed attempts that must occur before the VPN tunnel is closed in the Failure Trigger Level field.
9. Select Enable Dead Peer Detection for Idle vpn sessions if you want idle VPN connections to be dropped by the SonicWALL security appliance after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field.
10. Select VPN Single Armed mode to use single armed mode, allowing the appliance to act as a stand-alone VPN gateway, using the WAN port as the VPN tunnel termination point.
11. Select Clean up Active Tunnels when Peer Gateway DNS names resolves to a different IP address to break down SAs associated with old IP addresses and reconnect to the peer gateway.
12. … UDP 500/4500 source port and IP address information for pass-through VPN connections.
13. Select Enable OCSP Checking and enter the OCSP Responder URL to enable use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and to specify the URL where certificate status is checked.
14. Select Send vpn tunnel traps only when tunnel status changes to send tunnel traps only when the tunnel status changes. By default, the firewall sends traps for VPN up/down status. To minimize email alerts based on VPN traps, check this box.
15. Select Use RADIUS in and then select either MSCHAP or MSCHAPv2 mode for XAUTH to allow VPN client users to change expired passwords at login time.
16. Under IKEv2 Settings, select Send IKEv2 Cookie Notify to send cookies to IKEv2 peers as an authentication tool.
17. Use the IKEv2 Dynamic Client Proposal settings to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method. Appliances running SonicOS Enhanced 4.0 and higher can now be configured with the following IKE Proposal settings:
DH Group: Select Group 1, Group 2, or Group 5 from the drop-down list. This sets the DH group in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode tunnel with dynamic peer gateways.
Encryption: Select DES, 3DES, AES-128, AES-192, or AES-256 from the drop-down list. This sets the encryption algorithm in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode tunnel with dynamic peer gateways whose IP addresses are not static.
Authentication: Select MD5 or SHA1 from the drop-down list. This sets the authentication algorithm in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode tunnel with dynamic peer gateways whose IP addresses are not static. If a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, you cannot configure these IKE Proposal settings on an individual policy basis.
Note
The VPN policy on the remote gateway must also be configured with the same settings.
18. When you are finished, click Update. To clear all screen settings and start over, click Reset.
ULA settings are only available in SonicOS Standard.
1. Expand the VPN tree and click ULA Settings.
2. To allow unauthenticated users to access a service, select the service in the Allow these services to bypass user authentication on VPN SAs area and click Add. Repeat this step for each service to add.
3. To specify a range of IP addresses that will always be allowed to access the Internet, enter the IP address in the Begin field and the size of the range in the Length field.
4. Click Add. The scheduler displays.
5. Expand Schedule by clicking the plus button.
6. Select Immediate or specify a future date and time.
7. Click Accept.
8. When you are finished, click Update.
SonicWALL GMS 6.0 Administrators Guide
9. Repeat steps 3 through 8 to add more ranges.
10. To delete an entry, select the checkbox to the left of the service or IP address range and click Update.
Configuring VPNs in Interconnected Mode on page 396: for VPNs between two SonicWALL appliances.
Configuring VPNs in Non-Interconnected Mode on page 399: for VPNs between a SonicWALL appliance and another device.
When you have completed the interconnected or non-interconnected configuration procedure, continue on to the following section:
… settings without any user intervention. To establish VPNs between two SonicWALL appliances that are being managed by SonicWALL GMS, perform the following steps:
1. Expand the VPN tree and click Configure 2.0. The VPN Configure page displays with the General tab selected.
2. To establish a new SA, select Add New SA from the Security Association list box.
3. Select the Interconnected check box.
4. To configure SonicWALL GMS to convert the SAs to non-interconnected mode VPN tunnels, select the Make SAs viewable in Non-Interconnected Mode check box.
Note
Making an SA viewable in Non-Interconnected mode is not reversible.
5. Select the destination SonicWALL appliance by clicking Select Destination Node and selecting the node from the dialog box that displays.
6. To initially disable the SA upon creation, select the Disable SA check box. This option can always be unchecked at a later time.
7. Select from the following keying modes from the IPSec Keying Mode list box:
Note
SonicWALL GMS automatically creates a pre-shared key, SPI, encryption key, authentication key, or certificate information as applicable, for each mode described below.
Manual Key: keys are exchanged in advance. The SA will always use the same encryption and authentication keys. If the keys are compromised by an outside party, they will remain compromised until the keys are changed.
IKE Using Pre-Shared Secret: each SonicWALL appliance has a shared secret that is used to establish an SA. After the SA expires, the SonicWALL appliances will reestablish an SA using the same public keys, but will not use the same security and authentication keys. Configure the following:
Local IKE ID: specifies whether the IP address or SonicWALL Identifier will be used as the IKE ID for the local SonicWALL appliance.
Peer IKE ID: specifies whether the IP address or SonicWALL Identifier will be used as the IKE ID for the peer SonicWALL appliance.
IKE Using 3rd Party Certificates: the SonicWALL appliance and peer device obtain certificates from third-party certificate authorities. Security and authentication keys are exchanged using public-key cryptography, and the authenticity of each node is verified by the third-party CA. After the SA expires, the peers will reestablish an SA using the same public keys, but will not use the same security and authentication keys.
1. Expand the VPN tree and click Configure 2.0. The VPN Configure page displays with the General tab selected.
2. To establish a new SA, select Add New SA from the Security Association list box.
3. Deselect the Interconnected check box.
4. Select the Disable SA check box to initially disable the SA upon creation. This option can be unchecked at a later time.
5. Select from the following keying modes from the IPSec Keying Mode list box:
Manual Key: keys are exchanged in advance. The SA will always use the same encryption and authentication keys. If the keys are compromised by an outside party, they will remain compromised until the keys are changed. If you select this option, configure the following:
Name: specifies the name of the SA.
IPSec Gateway Name or Address: specifies the name or IP …
IKE Using Pre-Shared Secret: each SonicWALL appliance has a shared secret that is used to establish an SA. After the SA expires, the SonicWALL appliances will reestablish an SA using the same public keys, but will not use the same security and authentication keys. Configure the following:
Name: specifies the name of the SA.
IPSec Primary Gateway Name or Address: specifies the name or …
… VPN tunnel.
Local IKE ID: specifies whether the IP address or SonicWALL Identifier will be used as the IKE ID for the local SonicWALL appliance.
Peer IKE ID: specifies whether the IP address or SonicWALL Identifier will be used as the IKE ID for the peer SonicWALL appliance.
IKE Using 3rd Party Certificates: the SonicWALL appliance and peer device obtain certificates from third-party certificate authorities. Security and authentication keys are exchanged using public-key cryptography, and the authenticity of each node is verified by the third-party CA. After the SA expires, the peers will reestablish an SA using the same public keys, but will not use the same security and authentication keys. If you select this option, configure the following:
Name: specifies the name of the SA.
IPSec Primary Gateway Name or Address: specifies the name or …
… the SAs.
Peer Certificate's ID Type: specifies the ID type of the peer certificate.
ID string to match: specifies the string used to establish the SAs.
2. Click the Network tab. Select which local networks will be establishing VPN connections with the destination networks:
Choose local network from list: specifies an Address Object that contains one or more networks. For information on creating address objects, refer to the documentation that accompanied the SonicWALL appliance.
Local network obtains IP addresses using DHCP through this VPN Tunnel: indicates that the computers on the local network will obtain their IP addresses from the destination network.
… with the specified destination networks.
Select the destination networks with which the local networks will connect:
Use this VPN Tunnel as default route for all Internet traffic: configures all networks on the destination network to use this VPN for all Internet traffic.
… this VPN Tunnel: indicates that the computers on the destination network will obtain their IP addresses from the local network.
… that contains one or more networks. For information on creating address objects, refer to the documentation that accompanied the SonicWALL appliance.
3. (Optional) Click the Proposals tab.
4. Select the IKE Phase 1 Proposal Options (Certificates and Pre-Shared Secret only):
Exchange: Select the exchange mode from the Exchange list box. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. Otherwise, select Main Mode.
DH Group: specifies the Diffie-Hellman group to use when the VPN …
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
Encryption: specifies the type of encryption key to use when the …
… prevents repeated compromises of the same security key when reestablishing a tunnel.
DH Group: specifies the Diffie-Hellman group to use when the VPN …
(Optional) Click the Advanced tab. Configure the following Advanced settings:
Enable Keep Alive: configures the VPN tunnel to remain open as …
… manage the SonicWALL appliance through this SA. In addition to HTTP and HTTPS, you can enable SSH management of the device through the IPsec tunnel. When the SSH check box is selected in an IPsec Policy, an SSH session can be initiated to the device using the IPsec tunnel for the policy.
User login via this SA: specifies the protocols that users can use to …
… all traffic through this tunnel (required for Enhanced-to-Standard configuration, optional for Enhanced-to-Enhanced).
VPN Policy bound to: specifies the zone or interface to which the …
… gateway to the primary gateway in the IPsec policy. If a secondary gateway is configured in the IPsec Policy, an IPsec tunnel is established with the secondary gateway when the primary gateway is unreachable. If this option is enabled in the policy, a periodic discovery is attempted for the primary gateway and, if it is discovered successfully, tunnels are switched back to the primary gateway from the secondary gateway.
Primary Gateway Detection Interval: specifies the time interval in seconds for the discovery of the primary IPsec gateway if it is unreachable. The minimum value is 120 and the maximum value is 28800.
Enable Windows Networking Broadcast: enables NetBIOS …
When you are finished, click OK. SonicWALL GMS begins establishing VPN tunnels between all specified networks.
IKE Using SonicWALL Certificates on page 404
IKE Using Third-Party Certificates on page 412
IKE Using Pre-Shared Secret on page 421
Manual Keying on page 429
When All Appliances are Managed by SonicWALL GMS on page 405
When One Appliance Is Not Managed by SonicWALL GMS on page 409
Note
This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known as a Certificate Authority (CA). SonicWALL certificates are the easiest certificate solution for establishing the identity of peer VPN devices and users. Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital signatures to authenticate peer devices before setting up security associations. Without digital signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices using digital signatures do not require configuration changes every time a new device is added to the network.
Note
Although SAs can be established with most IPSec-compliant devices, SonicWALL Certificates can only be used between SonicWALL appliances.
This section describes how to establish SAs between SonicWALL appliances that are managed by SonicWALL GMS and SonicWALL appliances that are not managed by SonicWALL GMS.
Note
Before establishing SAs using SonicWALL certificates, you must obtain a Public Key Infrastructure (PKI) administrator certificate and apply it to each SonicWALL appliance. For more information, see Registering and Upgrading SonicWALL Appliances on page 591.
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Select the Use Interconnected Mode check box.
3. For the IPSec Keying Mode, select IKE using SonicWALL Certificates.
4. Select from the following:
To add a new SA, select Add a new Security Association.
To delete an existing SA, select Delete an existing Security Association.
… Association.
5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.
7. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
8. Select the Diffie-Hellman (DH) group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
9. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.
10. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
11. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
12. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through this destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA. Incoming packets are decoded by the SonicWALL and compared to the static routes configured in the SonicWALL. Since packets can have any destination IP address, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through the gateway. Otherwise, the packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).
14. … reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
17. To disable this SA, select Disable This SA.
18. Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode, a feature that allows two or more physically separated networks to be joined using a secure wireless connection.
19. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.
20. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box. Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (see Configuring Routing in SonicOS Enhanced on page 196). This option enables you to create a hub and spoke network configuration where all traffic is routed among branch offices via the corporate office.
Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote VPNs check box for each SA.
21. To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
22. Select one of the following VPN termination options:
To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users on the other side of the SA will be able to access the LAN, but not the OPT.
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.
To allow users on the other side of the SA to access both the LAN and DMZ, select LAN/OPT.
23. Select from the following NAT and Firewall Rules:
To disable NAT and not apply firewall rules to traffic coming through …
… appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address, and network firewall rules will be applied to all traffic on this SA.
… appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address, and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run between the networks. For more information, see Configuring UTM Appliance Settings on page 235.
24. Select how local users are authenticated:
To disable authentication for local users, select Disabled.
To configure local users to be authenticated locally, either through the …
… network, either through the SonicWALL device or the RADIUS server, select Destination.
To authenticate local users both locally and on the destination …
25. Similarly, select how remote users are authenticated.
26. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Deselect the Use Interconnected Mode check box.
3. Select IKE using SonicWALL Certificates.
4. Select the appropriate option to add, delete, or modify a Security Association.
5. Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.
6. Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches.
7. To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).
8. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to the static routes configured in the SonicWALL. Since packets can have any destination IP address, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through the gateway. Otherwise, the packet is dropped.
9. To disable this SA, select Disable This SA.
10. … reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.
11. … secure bridging mode, a feature that allows two or more physically separated networks to be joined using a secure wireless connection.
12. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.
13. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box. This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.
14. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box. This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a hub and spoke network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
17. To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.
18. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.
19. Enter the serial number of the target SonicWALL appliance in the Peer SonicWALL Serial # field.
20. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
21. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
22. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.
23. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
24. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
25. Specify the destination networks by selecting from the following:
To allow this SA to be used as the default route for all Internet traffic, …
… networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.
26. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
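As an added illustration (not SonicWALL code), the following Python models the two forwarding decisions these procedures describe: the spoke's choice under Route all Internet traffic through destination unit, and the central site's handling of decrypted packets via its static routes and the Default LAN Gateway (step 8 above, and step 12 of the interconnected procedure). The SA names, prefixes and addresses are constructed sample values, and longest-prefix matching of the static routes is an assumption rather than documented appliance behaviour.

```python
"""Model of two routing decisions described in the VPN configuration
procedures: the spoke's egress choice (Route all Internet traffic through
destination unit) and the central site's handling of decrypted packets
(static routes, then Default LAN Gateway, otherwise drop).

Added example, not SonicWALL code. All names, prefixes and addresses below are
constructed sample values; longest-prefix matching of static routes is an
assumption about how the static-route comparison works."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SecurityAssociation:
    name: str
    # Destination networks entered for the SA (the "Add Networks" list).
    destination_networks: list = field(default_factory=list)


def spoke_egress(dst_ip, sas, route_all_sa=None):
    """Decide how a spoke forwards a packet leaving its LAN.

    Returns ("tunnel", sa_name) when the destination lies in one of an SA's
    destination networks; ("tunnel", route_all_sa) when nothing matches but
    'Route all Internet traffic through destination unit' is set on that SA;
    and ("wan-cleartext", None) otherwise, which is the case the guide points
    out: the packet is forwarded unencrypted to the WAN.
    """
    dst = ipaddress.ip_address(dst_ip)
    for sa in sas:
        for net in sa.destination_networks:
            if dst in ipaddress.ip_network(net):
                return ("tunnel", sa.name)
    if route_all_sa is not None:
        return ("tunnel", route_all_sa)
    return ("wan-cleartext", None)


def hub_route_decrypted(dst_ip, static_routes, default_lan_gateway=None):
    """Route a packet that arrived through an IPSec tunnel at the central site.

    static_routes is a list of (prefix, next_hop) pairs; the most specific
    matching prefix wins (assumption). With no match, the Default LAN Gateway
    is used when one is configured; otherwise the packet is dropped.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in static_routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is not None:
        return ("route", best[1])
    if default_lan_gateway is not None:
        return ("default-lan-gateway", default_lan_gateway)
    return ("drop", None)


# Constructed sample configuration for a branch (spoke) and the central site.
SAMPLE_SAS = [
    SecurityAssociation("branch-to-hq", ["10.1.0.0/16"]),
    SecurityAssociation("branch-to-dc2", ["10.2.0.0/16"]),
]
SAMPLE_ROUTES = [
    ("10.1.0.0/16", "10.1.0.254"),   # whole HQ LAN via the core router
    ("10.1.20.0/24", "10.1.20.1"),   # one subnet via a more specific next hop
]


def demo():
    """Run the sample cases and return the decisions keyed by description."""
    internet = "203.0.113.5"  # TEST-NET-3 address standing in for an Internet host
    return {
        "spoke, matches SA": spoke_egress("10.2.7.1", SAMPLE_SAS),
        "spoke, no route-all": spoke_egress(internet, SAMPLE_SAS),
        "spoke, route-all set": spoke_egress(internet, SAMPLE_SAS, "branch-to-hq"),
        "hub, specific route": hub_route_decrypted("10.1.20.7", SAMPLE_ROUTES),
        "hub, no route, no DLG": hub_route_decrypted(internet, SAMPLE_ROUTES),
        "hub, no route, DLG": hub_route_decrypted(internet, SAMPLE_ROUTES, "10.1.0.1"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24s} -> {decision}")
```

The "spoke, no route-all" case is the one to watch in an audit: without the Route all Internet traffic option, Internet-bound traffic from the branch bypasses the tunnel entirely.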
This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to the existing Authentication Service. The difference between third party certificates and the SonicWALL Authentication Service is the ability to select the source for your CA certificate. Using Certificate Authority Certificates and Local Certificates is a more manual process than using the SonicWALL Authentication Service; therefore, experience with implementing Public Key Infrastructure (PKI) is necessary to understand the key components of digital certificates. Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital signatures to authenticate peer devices before setting up security associations. Without digital signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices using digital signatures do not require configuration changes every time a new device is added to the network. SonicWALL has implemented X.509v3 as its certificate form and CRLv2 for its certificate revocation list. SonicWALL supports the following two vendors of Certificate Authority Certificates:
VeriSign
Entrust
Obtaining a Certificate
To obtain a certificate, see Generating a Certificate Signing Request on page 150. After you have obtained certificates for both devices, continue to configure the VPN.
When All Appliances are Managed by SonicWALL GMS on page 413 When One Appliance Is Not Managed by SonicWALL GMS on page 418
Expand the VPN tree and click Configure. The VPN Configure page displays.
413
2. 3.
Select the Use Interconnected Mode check box. Select IKE using 3rd Party Certificates. SonicWALL GMS automatically creates a pre-shared key, SPI, encryption key, authentication key, or certificate information as applicable. Select the appropriate option to add, delete, or modify a security association. Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays. Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode. Select the Diffie-Hellman (DH) group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box. Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
Note
4. 5. 6.
7.
8.
Note
9.
Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box. devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
10. Select the type of encryption and authentication keys used when the VPN
11. Select the type of encryption and authentication keys used for the SAs
from the Phase 2 Encryption/Authentication list box. in the Default LAN Gateway field.
12. To specify the default LAN gateway, enter the IP address of the gateway
414
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through this destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field.
14. To prevent repeated compromises of the same security key when reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
17. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
18. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking (NetBIOS) Broadcast check box.
19. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (see Configuring Routing in SonicOS Enhanced on page 196). This option enables you to create a hub and spoke network configuration where all traffic is routed among branch offices via the corporate office.
Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote VPNs check box for each SA.
20. To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
21. If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable "Destination network obtains IP addresses using DHCP through this SA" on Target.
22. Select one of the following VPN termination options:
- To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA will be able to access the LAN, but not the DMZ.
- To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.
- To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
23. Select from the following NAT and Firewall Rules:
- To disable NAT and not apply firewall rules to traffic coming through this SA, select the option that disables both.
- To apply NAT and firewall rules to traffic originating from this appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.
- To apply NAT and firewall rules to traffic originating from this appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run between the networks. For more information, see Configuring UTM Appliance Settings on page 235.
24. Select how local users are authenticated:
- To disable authentication for local users, select Disabled.
- To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.
- To authenticate local users on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.
- To authenticate local users both locally and on the destination network, select Source and Destination.
25. Similarly, select how remote users are authenticated.
26. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
When One Appliance Is Not Managed by SonicWALL GMS
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Deselect the Use Interconnected Mode check box.
3. Select IKE using 3rd Party Certificates.
4. Select the appropriate option to add, delete, or modify a security association.
5. Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.
6. Select the certificate to use from the Select Certificate list box.
7. Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches. Optionally, you can specify an IPSec Secondary Gateway Name or Address.
8. To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).
9. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
10. To prevent repeated compromises of the same security key when reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.
11. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
12. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking (NetBIOS) Broadcast check box.
13. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box. This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.
14. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box. This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a hub and spoke network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
17. To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.
18. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.
19. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
20. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box. Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
21. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.
22. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
23. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
24. Select whether the peer device uses a distinguished name, email ID, or domain name as its certificate ID from the Peer Certificates ID list box.
25. Enter the peer device's certificate ID in the Peer Certificates ID field.
26. Select from the following:
- To allow this SA to be used as the default route for all Internet traffic, select the option to use this SA as the default route.
- To use specific destination networks, select the option for destination networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.
27. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note
To disable this SA without deleting it, select the Disable this SA check box and click Update.
When All Appliances are Managed by SonicWALL GMS on page 421
When One Appliance Is Not Managed by SonicWALL GMS on page 426
When All Appliances are Managed by SonicWALL GMS
To configure an SA using IKE with pre-shared secrets, perform the following steps:
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Select the Use Interconnected Mode check box.
3. Select IKE using Pre-shared Secret.
4. Select the appropriate option to add, delete, or modify a security association.
5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.
7. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
8. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box. Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
9. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.
10. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
11. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
12. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field.
14. To prevent repeated compromises of the same security key when reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
17. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
18. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking (NetBIOS) Broadcast check box.
19. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (see Configuring Routing in SonicOS Enhanced on page 196). This option enables you to create a hub and spoke network configuration where all traffic is routed among branch offices via the corporate office.
Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote VPNs check box for each SA.
20. To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
21. If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable "Destination network obtains IP addresses using DHCP through this SA" on Target.
22. Select one of the following VPN termination options:
- To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users on the other side of the SA will be able to access the LAN, but not the OPT.
- To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.
- To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
23. Select from the following NAT and Firewall Rules:
- To disable NAT and not apply firewall rules to traffic coming through this SA, select the option that disables both.
- To apply NAT and firewall rules to traffic originating from this appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.
- To apply NAT and firewall rules to traffic originating from this appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run between the networks. For more information, see Configuring UTM Appliance Settings on page 235.
24. Select how local users are authenticated:
- To disable authentication for local users, select Disabled.
- To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.
- To authenticate local users on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.
- To authenticate local users both locally and on the destination network, select Source and Destination.
25. Similarly, select how remote users are authenticated.
26. Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.
27. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note
To disable this SA, select the Disable this SA check box and click Update.
SonicWALL GMS 6.0 Administrators Guide
When One Appliance Is Not Managed by SonicWALL GMS
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Deselect the Use Interconnected Mode check box.
3. Select IKE using Pre-Shared Secret in the IPSec Keying mode section.
4. Select the appropriate option to add, delete, or modify a security association.
5. Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.
6. Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches.
7. Enter the amount of time before an IKE SA will automatically renegotiate (120 to 2,499,999 seconds) in the SA Lifetime field.
8. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
9. To prevent repeated compromises of the same security key when reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.
10. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
11. To access remote resources within the Windows Network Neighborhood, select the Enable Windows Networking (NetBIOS) Broadcast check box.
12. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box. This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.
13. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box. This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a hub and spoke network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
14. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
15. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
16. To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.
17. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.
18. Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.
Note
Only SonicWALL VPN clients can authenticate to a RADIUS server. Users tunneling from another VPN gateway will not be able to complete the VPN tunnel if this check box is selected.
19. Enter the shared secret in the Shared Secret field.
20. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
21. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box. Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
22. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.
23. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
24. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
25. Select from the following:
- To allow this SA to be used as the default route for all Internet traffic, select the option to use this SA as the default route.
- To use specific destination networks, select the option for destination networks below. Then, click Add Network and enter the destination network IP addresses and subnet masks.
26. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
27. Create an SA in the remote VPN device for each SonicWALL appliance
Note
To disable this SA without deleting it, select the Disable this SA check box and click Update.
Manual Keying
Manual keying involves exchanging encryption and authentication keys in advance. Although this is the simplest method of establishing an SA between two VPN devices, the SA will always use the same encryption and authentication keys. If the keys are compromised by an outside party, they will remain compromised until the keys are changed.
When All Appliances are Managed by SonicWALL GMS on page 429
When One Appliance Is Not Managed by SonicWALL GMS on page 433
When All Appliances are Managed by SonicWALL GMS
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Select the Use Interconnected Mode check box.
3. Select Manual Key.
4. Select the appropriate option to add, delete, or modify a security association.
5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.
7. Select one of the encryption methods from the Encryption Method list box.
8. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
9. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
10. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking (NetBIOS) Broadcast check box.
11. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (see Configuring Routing in SonicOS Enhanced on page 196). This option enables you to create a hub and spoke network configuration where all traffic is routed among branch offices via the corporate office.
Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote VPNs check box for each SA.
12. To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
13. Select one of the following VPN termination options:
- To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA will be able to access the LAN, but not the DMZ.
- To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.
- To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
14. Select from the following NAT and Firewall Rules:
- To disable NAT and not apply firewall rules to traffic coming through this SA, select the option that disables both.
- To apply NAT and firewall rules to traffic originating from this appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.
- To apply NAT and firewall rules to traffic originating from this appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run between the networks. For more information, see Configuring UTM Appliance Settings on page 235.
15. Select how local users are authenticated:
- To disable authentication for local users, select Disabled.
- To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.
- To authenticate local users on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.
- To authenticate local users both locally and on the destination network, select Source and Destination.
16. Similarly, select how remote users are authenticated.
17. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
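The Default LAN Gateway lookup that the procedures above describe (static routes first, then the Default LAN Gateway, otherwise the packet is dropped), as an added Python model written for this guide rather than SonicWALL code; the route table, gateway address and packet destinations are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample hub-site configuration (not taken from any real appliance):
# static routes as (destination network, next hop) and the Default LAN Gateway.
HUB_STATIC_ROUTES: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "10.1.0.1"),      # whole hub LAN
    ("10.1.5.0/24", "10.1.5.254"),    # more specific route for one subnet
]
HUB_DEFAULT_LAN_GATEWAY = "10.1.0.254"

# Constructed destinations of packets arriving over a spoke's tunnel: two for the
# hub LAN and two for the Internet (the spoke has "Route all Internet traffic
# through destination unit" enabled, so its Internet traffic lands here too).
SAMPLE_DESTINATIONS = ["10.1.5.20", "10.1.9.3", "203.0.113.7", "198.51.100.9"]


def classify_packet(dst_ip: str, static_routes: List[Tuple[str, str]],
                    default_lan_gateway: Optional[str]) -> Tuple[str, Optional[str]]:
    """Apply the guide's lookup to one decrypted IPSec packet.

    Returns (outcome, next_hop) where outcome is:
      "static_route"        - a configured static route matched (most specific wins);
      "default_lan_gateway" - no route matched but a Default LAN Gateway is set;
      "dropped"             - no route matched and no Default LAN Gateway is set.
    """
    addr = ipaddress.ip_address(dst_ip)
    best_prefix = -1
    best_hop: Optional[str] = None
    for cidr, next_hop in static_routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_prefix:
            best_prefix, best_hop = net.prefixlen, next_hop
    if best_hop is not None:
        return "static_route", best_hop
    if default_lan_gateway is not None:
        return "default_lan_gateway", default_lan_gateway
    return "dropped", None


def tally_outcomes(dst_ips: List[str], static_routes: List[Tuple[str, str]],
                   default_lan_gateway: Optional[str]) -> Dict[str, int]:
    """Count outcomes for a batch of packets; with the gateway left empty, every
    Internet-bound packet from the spoke is silently dropped at the hub."""
    counts = {"static_route": 0, "default_lan_gateway": 0, "dropped": 0}
    for ip in dst_ips:
        outcome, _ = classify_packet(ip, static_routes, default_lan_gateway)
        counts[outcome] += 1
    return counts


if __name__ == "__main__":
    for gateway in (HUB_DEFAULT_LAN_GATEWAY, None):
        print(f"Default LAN Gateway = {gateway}:",
              tally_outcomes(SAMPLE_DESTINATIONS, HUB_STATIC_ROUTES, gateway))
```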
When One Appliance Is Not Managed by SonicWALL GMS
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Deselect the Use Interconnected Mode check box.
3. Select Manual Key in the IPSec Keying mode section.
4. Select the appropriate option to add, delete, or modify a security association.
5. Enter a descriptive name for the SA in the Security Association Name field.
6. Enter the IP address of the remote firewall in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled.
7. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
8. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
9. To access remote resources within the Windows Network Neighborhood, select the Enable Windows Networking (NetBIOS) Broadcast check box.
10. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box. This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.
11. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box. This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a hub and spoke network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
12. To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.
13. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.
14. Select one of the encryption methods from the Encryption Method list box.
15. Enter the key used for encryption in the Encryption Key field. The DES and ARCFour keys must be exactly 16 characters long and be composed of hexadecimal characters. Encryption keys less than 16 characters will not be accepted; keys longer than 16 characters will be truncated.
Note
Valid hexadecimal characters are 0 to 9, and a to f (i.e., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef. This key must match the encryption key of the remote VPN gateway or client. If encryption is not used, this field is ignored.
16. Enter the key used for authentication in the Authentication Key field. The authentication key must be exactly 32 characters long and be composed of hexadecimal characters. Authentication keys less than 32 characters will not be accepted; keys longer than 32 characters will be truncated.
Note
Valid hexadecimal characters are 0 to 9, and a to f (i.e., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef1234567890abcdef. This key must match the authentication key of the remote VPN gateway or client. If authentication is not used, this field is ignored.
17. Enter the Security Parameter Index (SPI) that the remote location will send to identify the Security Association used for the VPN Tunnel in the Incoming SPI field.
Note
The SPI may be up to eight characters long and be composed of hexadecimal characters. Valid hexadecimal characters are 0 to 9, and a to f (e.g., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). The hexadecimal characters 0 to ff inclusive are reserved by the Internet Engineering Task Force (IETF) and are not allowed for use as an SPI. For example, a valid SPI would be 1234abcd.
Note
The SPI for an SA must be unique when compared to SPIs for other SAs. However, the Incoming SPI can be the same as the Outgoing SPI on the same SA.
18. Enter the Security Parameter Index (SPI) that the local SonicWALL VPN will transmit to identify the Security Association used for the VPN Tunnel in the Outgoing SPI field.
19. Select from the following:
- To allow this SA to be used as the default route for all Internet traffic, select the option to use this SA as the default route.
- To use specific destination networks, select the option for destination networks below. Then, click Modify and enter the destination network IP addresses and subnet masks.
20. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
21. Create an SA in the remote VPN device for each SonicWALL appliance
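The field rules from steps 15 through 18 (key lengths and truncation, hexadecimal characters only, the reserved SPI range, and SPI uniqueness across SAs with the same SA allowed to reuse its own SPI), as an added Python pre-check written for this guide rather than SonicWALL code; the SA names and SPI values are constructed samples.

```python
import re
from typing import Dict, List, Tuple

HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Field constraints stated in the guide for manual keying.
ENCRYPTION_KEY_LEN = 16   # DES / ARCFour key: exactly 16 hexadecimal characters
AUTH_KEY_LEN = 32         # authentication key: exactly 32 hexadecimal characters
SPI_MAX_LEN = 8           # SPI: up to eight hexadecimal characters
SPI_RESERVED_MAX = 0xFF   # SPIs 0 to ff are reserved by the IETF


def check_key(value: str, required_len: int) -> Tuple[str, str]:
    """Apply the guide's key rule: non-hexadecimal or too-short keys are rejected,
    longer keys are truncated to the required length.
    Returns (status, key_as_stored); status is "ok", "truncated" or "rejected"."""
    if not HEX_RE.fullmatch(value) or len(value) < required_len:
        return "rejected", ""
    if len(value) > required_len:
        return "truncated", value[:required_len].lower()
    return "ok", value.lower()


def check_spi(value: str) -> Tuple[str, int]:
    """Parse an SPI field. Returns (status, numeric_spi); status is "ok",
    "reserved" (value 0 to ff) or "rejected" (non-hexadecimal or too long)."""
    if not HEX_RE.fullmatch(value) or len(value) > SPI_MAX_LEN:
        return "rejected", -1
    spi = int(value, 16)
    if spi <= SPI_RESERVED_MAX:
        return "reserved", spi
    return "ok", spi


def validate_manual_sa(name: str, enc_key: str, auth_key: str,
                       in_spi: str, out_spi: str,
                       other_sas: Dict[str, Tuple[int, int]]) -> List[str]:
    """Collect every problem with one manual-key SA before it is submitted.
    other_sas maps already configured SA names to their (incoming, outgoing)
    SPIs; the new SA's SPIs must not collide with any of them, although its
    own incoming and outgoing SPI may be equal."""
    problems: List[str] = []

    for label, key, required in (("encryption", enc_key, ENCRYPTION_KEY_LEN),
                                 ("authentication", auth_key, AUTH_KEY_LEN)):
        status, _ = check_key(key, required)
        if status == "rejected":
            problems.append(f"{name}: {label} key must be {required} hexadecimal characters")
        elif status == "truncated":
            problems.append(f"{name}: {label} key is longer than {required} characters and will be truncated")

    accepted: Dict[str, int] = {}
    for label, raw in (("incoming", in_spi), ("outgoing", out_spi)):
        status, spi = check_spi(raw)
        if status == "rejected":
            problems.append(f"{name}: {label} SPI must be 1 to {SPI_MAX_LEN} hexadecimal characters")
        elif status == "reserved":
            problems.append(f"{name}: {label} SPI {raw} is in the reserved range 0-ff")
        else:
            accepted[label] = spi

    # Uniqueness is checked against both SPIs of every other SA, not within this one.
    in_use = {spi: other for other, pair in other_sas.items() for spi in pair}
    for label, spi in accepted.items():
        if spi in in_use:
            problems.append(f"{name}: {label} SPI {spi:x} is already used by SA {in_use[spi]}")
    return problems


if __name__ == "__main__":
    # Constructed sample: one existing SA and a candidate that reuses its SPI
    # and picks a reserved outgoing SPI.
    existing = {"branch-a": (0x1234ABCD, 0x1234ABCE)}
    for problem in validate_manual_sa("branch-b", "1234567890abcdef",
                                      "1234567890abcdef1234567890abcdef",
                                      "1234abcd", "00ff", existing):
        print(problem)
```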
1. Expand the VPN tree and click L2TP. The L2TP page displays.
2. Select the Enable L2TP Server check box.
3. Specify how often the SonicWALL appliance issues a Keepalive in the Keep alive time field.
4. Enter the IP addresses of the DNS Servers in the DNS Server fields.
5. Enter the IP addresses of the WINS Servers in the WINS Server fields.
6. Select from the following:
- To assign IP addresses to L2TP clients that are provided by the ...
- To use IP addresses from a local L2TP IP address pool, select Use the Local L2TP IP pool and enter the starting and ending IP addresses in the Start IP and End IP fields.
7. When you are finished, click Update. To clear all screen settings and start over, click Reset.
1. Expand the VPN tree and click Monitor. The Monitor page displays.
2. Select the category of tunnels to display in the Display Options section and click Refresh. You can select Show Up Tunnels, Show Down Tunnels, or Show All Tunnels.
3. To synchronize the tunnel status information, click Synchronize Tunnel Status Information.
4. To refresh the statistics, click Refresh Selected Tunnel Statistics.
5. To view the tunnel statistics, select one or more tunnels and click View Selected Tunnel Statistics.
6. To renegotiate selected tunnels, select one or more tunnels and click Renegotiate Selected Tunnels.
Registering and Upgrading SonicWALL Appliances on page 591
Enabling the VPN Client on page 438
1. Navigate to Policies > VPN > Summary.
2. Click the Export button next to the SA.
3. To email the SPD file to the SonicWALL GMS administrator or the VPN Client user, click Email SPD file. The file is attached to the email. A task is scheduled for each email.
Note
A copy of the SPD file is also stored in the SonicWALL Agent's <gms_directory>\etc directory.
4. Once the SPD file is received, it can be loaded by the VPN Client software on the VPN Client user's computer. If the user does not have the VPN Client software, you can email both the SPD file and the client software by clicking Email SPD File and VPN Client.
5. In SonicOS Standard only, VPN clients use RCF files to import data used to communicate with SonicWALL appliances. To send an RCF File to an email address, enter the following information:
- Enter the email address in the Email Address field.
- Enter and reenter the RCF File password in the RCF File Export password fields.
6. Select whether the file will be used for WAN or wireless connections. Select from the following:
- To email the file, click Email RCF File.
- To email the file with the Global VPN Client software, click the corresponding Email button.
438
Note
Before the VPN client can be emailed to users, it must be downloaded to the <gms_directory>\etc directory from mysonicwall.com:
1. Click the Console Panel tab at the top of the SonicWALL GMS UI.
2. Expand the Licenses tree and click GMS License.
3. Click Login in a new window. This opens a new browser window into the GMS account on mysonicwall.com.
4. Download the VPN Client software from mysonicwall.com to a local directory.
5. Copy the VPN Client software to the SonicWALL Agent's <gms_directory>\etc directory.
6. Rename the file to SWVpnClient.zip.
Asymmetric vs. Symmetric Cryptography
Asymmetric and symmetric cryptography refer to the keys used to authenticate, or to encrypt and decrypt, the data. Asymmetric cryptography, or public key cryptography, uses a pair of keys: one is kept private and the other is published; what the public key encrypts only the private key can decrypt, and what the private key signs anyone holding the public key can verify. Organizations such as RSA Data Security and VeriSign support asymmetric cryptography. With symmetric cryptography, the same key is used to authenticate on both ends of the VPN. Symmetric cryptography, or secret key cryptography, is usually much faster than asymmetric cryptography, so symmetric algorithms are used when large quantities of data need to be exchanged. SonicWALL VPN uses symmetric cryptography to protect tunnel traffic. As a result, the key on both ends of the VPN tunnel must match exactly.
ARCFour
ARCFour is a compatible implementation of the RC4 stream cipher and is used for communications with secure Web sites using the SSL protocol. Many banks use a 40-bit key ARCFour for online banking, while others use a 128-bit key. SonicWALL VPN uses a 56-bit key for ARCFour. The ARCFour key must be exactly 16 characters long and is composed of hexadecimal characters. Valid hexadecimal characters are 0 to 9, and a to f (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef. RC4 and keys this short are no longer considered adequate protection; prefer the strongest cipher the appliance offers, and never reuse a key printed in documentation.
Authentication Header (AH)
The authentication header is a mechanism for providing strong integrity and authentication for IP packets. The Authentication Header does not offer confidentiality or protection from traffic analysis. The IP authentication header provides security by adding authentication information to an IP packet. This authentication information is calculated using all header and payload data in the IP packet. This provides significantly more security than is currently present in IP. Use of an AH will increase the processing requirements of SonicWALL VPN and will also increase the communications latency. The increased latency is primarily due to the calculation of the authentication data by the sender and the calculation and comparison of the authentication data by the receiver for each IP packet.
Data Encryption Standard (DES)
When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. The SonicWALL DES encryption algorithm uses a 56-bit key. The DES Key must be exactly 16 characters long and is composed of hexadecimal characters; 16 hexadecimal characters encode 64 bits, of which DES uses 56, the remaining 8 being parity bits. Valid hexadecimal characters are 0 to 9, and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.
Encapsulating Security Payload (ESP)
ESP provides confidentiality of data by encrypting the payload and encapsulating it in IP packets, and can also carry an integrity check value that authenticates the encrypted payload. Encryption may be in the form of ARCFour (a compatible implementation of the RC4 stream cipher), DES, 3DES, etc. The use of ESP typically increases the processing requirements and communications latency. The increased latency is primarily due to the encryption and decryption required for each IP packet containing an ESP. When an SA is configured for ESP encryption only, with no authentication algorithm, ESP provides no integrity or authentication of the data: a forged or modified packet decrypts to garbage without being detected. Use AH, or configure ESP with an authentication algorithm, wherever integrity matters.
Encryption
Encryption is a mathematical operation that transforms data from clear text (something that a human or a program can interpret) to cipher text (something that cannot be interpreted). Usually the mathematical operation requires that an alphanumeric key be supplied along with the clear text. The key and clear text are processed by the encryption operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is a mathematical operation that transforms cipher text to clear text. Decryption also requires a key.
Shared Secret
A shared secret is a predefined field that the two endpoints of a VPN tunnel use to set up an IKE SA. This field can be any combination of alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Precautions should be taken when delivering or exchanging this shared secret to assure that a third party cannot compromise the security of a VPN tunnel: use a long random value rather than a word, and exchange it out of band, never in the same email that carries the tunnel configuration.
Internet Key Exchange (IKE)
IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates encryption and authentication keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates keys that will be used to pass IP traffic.
Key
A key is an alphanumeric string that is used by the encryption operation to transform clear text into cipher text. A key is composed of hexadecimal characters (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). A valid key would be 1234567890abcdef. Keys used in VPN communications can vary in length, but are typically 16 or 32 characters. The longer the key, the more difficult it is to break the encryption. The reason for this is that the generic method of breaking encryption is trying every possible key, similar to trying to find someone's telephone number by dialing every possible combination of digits; each additional hexadecimal character multiplies the number of keys to try by 16.
Manual Key
Manual keying allows the SonicWALL administrator to specify the encryption and authentication keys. SonicWALL VPN supports the ability to manually set up a security association as well as the ability to automatically negotiate an SA using IKE. Manually set keys never change unless the administrator changes them, so they should be rotated on a schedule; IKE renegotiates keys automatically.
Security Association (SA)
An SA is the group of security settings needed to create a VPN tunnel. All SAs require an encryption method, an IPSec gateway address, and a destination network address. An IKE SA includes a shared secret; a manually keyed SA includes two SPIs and an encryption and authentication key. SonicWALL PRO appliances support up to 100 SAs. SonicWALL SOHO2 and SonicWALL XPRS2 appliances support 10 and 25 SAs, respectively. Different SAs may be created to connect branch offices, allow secure remote management, and pass unsupported traffic.
Security Parameter Index (SPI)
The SPI is used to establish a VPN tunnel. The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption, and key values that the administrator associated with the SPI to establish the tunnel. The SPI must be unique, is from one to eight characters long, and is composed of hexadecimal characters. Valid hexadecimal characters are 0 to 9, and a to f (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, valid SPIs would be 999 or 1234abcd. The IPsec standards reserve SPI values 0 through 255, so choose larger values.
Triple Data Encryption Standard (3DES)
3DES is the same as DES, except that it applies three DES keys in succession and is significantly more secure. However, 3DES has significantly more processing requirements than DES. The 3DES Key must be exactly 16 characters long and is composed of hexadecimal characters. Valid hexadecimal characters are 0 to 9, and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef. Note that 16 hexadecimal characters hold 64 bits, the material of a single DES key; three independent DES keys are 192 bits, or 48 hexadecimal characters, so check the key length your firmware actually expects before relying on 3DES strength.
VPN Tunnel
Tunneling is the encapsulation of point-to-point transmissions inside IP packets. A VPN Tunnel is a term that is used to describe a connection between two or more private nodes or LANs over a public network, typically the Internet. Encryption is often used to maintain the confidentiality of private data when traveling over the Internet.
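The following script is an added example and is not part of the SonicWALL GMS guide or the SonicOS firmware. It checks manually entered key material against the rules given in the glossary above (16 hexadecimal characters for DES, 3DES and ARCFour keys, 1 to 8 hexadecimal characters for an SPI, 4 to 128 alphanumeric characters for a shared secret) and generates fresh values from the operating system's random source. The DES weak-key table and the reserved SPI range (RFC 4303) come from the standards, not from the guide; the 20-character minimum for a shared secret is this example's own policy.

```python
# Added example, not SonicWALL code: validation and generation of manual-key
# SA parameters following the glossary's format rules.
import re
import secrets
import string

KEY_RE = re.compile(r"^[0-9a-fA-F]{16}$")     # DES / 3DES / ARCFour: 16 hex chars (64 bits)
SPI_RE = re.compile(r"^[0-9a-fA-F]{1,8}$")    # SPI: 1 to 8 hex chars
SECRET_MIN, SECRET_MAX = 4, 128               # shared secret limits from the glossary
SECRET_POLICY_MIN = 20                        # this example's own minimum, not the guide's
SECRET_CHARS = string.ascii_letters + string.digits

# The four DES weak keys (their key schedule yields the same subkey in every
# round), written with parity bits. Parity is stripped before comparing so a
# key differing only in parity bits is still caught.
DES_WEAK_KEYS = {"0101010101010101", "fefefefefefefefe",
                 "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e"}
# Keys printed in documentation are public knowledge; the glossary's example is one.
PUBLISHED_EXAMPLE_KEYS = {"1234567890abcdef"}


def _strip_parity(hex_key):
    """Clear the low bit of every byte (the DES parity bit) for comparison."""
    return bytes(b & 0xFE for b in bytes.fromhex(hex_key))


def validate_hex_key(key):
    """Return a list of problems with a DES/3DES/ARCFour key; empty means acceptable."""
    if not KEY_RE.match(key):
        return ["must be exactly 16 hexadecimal characters (0-9, a-f)"]
    k = key.lower()
    problems = []
    if _strip_parity(k) in {_strip_parity(w) for w in DES_WEAK_KEYS}:
        problems.append("is a DES weak key")
    if len(set(bytes.fromhex(k))) == 1:
        problems.append("every byte is identical")
    if k in PUBLISHED_EXAMPLE_KEYS:
        problems.append("is a published example key")
    return problems


def validate_spi(spi, existing_spis=()):
    """Check an SPI: 1-8 hex characters, outside the reserved range, unique."""
    if not SPI_RE.match(spi):
        return ["must be 1 to 8 hexadecimal characters"]
    value = int(spi, 16)
    problems = []
    if value <= 255:
        problems.append("values 0-255 are reserved by RFC 4303; choose a larger value")
    if value in {int(s, 16) for s in existing_spis}:
        problems.append("duplicates an SPI already in use")
    return problems


def validate_shared_secret(secret):
    problems = []
    if not SECRET_MIN <= len(secret) <= SECRET_MAX:
        problems.append("length must be between %d and %d characters" % (SECRET_MIN, SECRET_MAX))
    if not (secret.isascii() and secret.isalnum()):
        problems.append("only alphanumeric characters are allowed")
    if len(secret) < SECRET_POLICY_MIN:
        problems.append("shorter than %d characters; short secrets invite offline guessing" % SECRET_POLICY_MIN)
    return problems


def new_hex_key():
    """16 random hex characters, rejecting the (astronomically unlikely) weak keys."""
    while True:
        key = secrets.token_hex(8)
        if not validate_hex_key(key):
            return key


def new_spi(existing_spis=()):
    while True:
        spi = secrets.token_hex(4)          # 8 hex characters
        if not validate_spi(spi, existing_spis):
            return spi


def new_shared_secret(length=32):
    return "".join(secrets.choice(SECRET_CHARS) for _ in range(length))
```

Run the validators on both ends of a manually keyed tunnel before committing the SA; a key that fails on one side because of a typo will fail silently on the wire as undecryptable traffic.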
The main disadvantage of Certificate Revocation Lists (CRLs) is the need for frequent updates to keep the CRL of every client current. These frequent updates greatly increase network traffic when the complete CRL is downloaded by every client. Depending on the frequency of the CRL updates, a period of time can exist when a certificate is revoked by the CRL but the client has not received the CRL update and permits the certificate to be used.
Online Certificate Status Protocol (OCSP) determines the current status of a digital certificate without using a CRL. OCSP enables the client or application to directly determine the status of an identified digital certificate. This provides more timely information about the certificate than is possible with CRLs. In addition, each client typically only checks a few certificates and does not incur the overhead of downloading an entire CRL for only a few entries. This greatly reduces the network traffic associated with certificate validation. OCSP transports messages over HTTP for maximum compatibility with existing networks. This requires careful configuration of any caching servers in the network to avoid receiving a cached copy of an OCSP response that might be out of date.
The OCSP client communicates with an OCSP responder. The OCSP responder can be a CA server or another server that communicates with the CA server to determine the certificate status. The OCSP client issues a status request to an OCSP responder and suspends the acceptance of the certificate until the responder provides a response. The client request includes data such as protocol version, service request, target certificate identification and optional extensions. These optional extensions may or may not be acknowledged by the OCSP responder. The OCSP responder receives the request from the client and checks that the message is properly formed and whether the responder is able to respond to the service request. Then it checks if the request contains the correct information needed for the service desired. If all conditions are satisfied, the responder returns a definitive response to the OCSP client.
The OCSP responder is required to provide a basic response of GOOD, REVOKED, or UNKNOWN. If both the OCSP client and responder support the optional extensions, other responses are possible. The GOOD state is the desired response as it indicates the certificate has not been revoked. The REVOKED state indicates that the certificate has been revoked. The UNKNOWN state indicates the responder does not have information about the certificate in question; a client that fails closed treats UNKNOWN as not validated rather than as GOOD.
OCSP servers typically work with a CA server in a push or pull setup. The CA server can be configured to push a CRL (revocation list) to the OCSP server. Additionally the OCSP server can be configured to periodically download (pull) the CRL from the CA server. The OCSP server must also be configured with an OCSP response signing certificate issued by the CA server. The signing certificate must be properly formatted or the OCSP client will not accept the response from the OCSP server; that signature is what stops an attacker on the network path from answering GOOD for a revoked certificate.
SonicWALL GMS 6.0 Administrators Guide
For SonicOS to act as an OCSP client to a responder, the CA certificate must be loaded onto the SonicWALL system.
1. Select the radio button next to Enable OCSP Check.
2. Specify the OCSP Responder URL of the OCSP server, for example http://192.168.168.220:2560, where 192.168.168.220 is the IP address of your OCSP server and 2560 is the default port of the OpenCA OCSP responder service.
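The following script is an added example, not code from the SonicWALL guide or from SonicOS, and uses the Python cryptography library. It runs the exchange described above end to end in memory: the client builds a request carrying the CertID and a nonce, the responder looks the serial up in its revocation data and signs the answer with its response signing certificate, and the client refuses anything that is not signed by the CA it was loaded with, does not echo its nonce, or is about a different certificate. The CA, the certificates, the revocation index and the rogue responder are all constructed for the demonstration; trusting only the CA itself as signer is one of the two responder arrangements RFC 6960 allows, the other being a delegated responder certificate.

```python
# Added example, not SonicWALL code: one OCSP exchange with the Python
# `cryptography` library, with constructed CA, certificates and revocation data.
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
NOW = datetime.datetime.now(datetime.timezone.utc)


def make_cert(cn, serial, key, issuer_key, issuer_name, ca):
    """Certificate for `key` signed by `issuer_key` (self-signed when they match)."""
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer_name)
            .public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(minutes=5))
            .not_valid_after(NOW + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_ca(cn, serial):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, make_cert(cn, serial, key, key, name, ca=True)


# Constructed PKI: the CA loaded on the client, one good, one revoked and one
# unlisted end-entity certificate, and an unrelated CA posing as a responder.
CA_KEY, CA_CERT = make_ca("Demo OCSP CA", 1)
ROGUE_KEY, ROGUE_CERT = make_ca("Rogue Responder", 2)
GOOD_CERT, REVOKED_CERT, OTHER_CERT = (
    make_cert(cn, serial, ec.generate_private_key(ec.SECP256R1()), CA_KEY, CA_CERT.subject, ca=False)
    for cn, serial in (("good.example", 1001), ("revoked.example", 1002), ("other.example", 1003)))
# The responder's copy of the CA's revocation data (pushed or pulled as a CRL):
# serial -> (certificate, revocation time or None).
INDEX = {GOOD_CERT.serial_number: (GOOD_CERT, None),
         REVOKED_CERT.serial_number: (REVOKED_CERT, NOW - datetime.timedelta(days=1))}


def build_request(cert, issuer):
    """Client: CertID (hash of issuer name, hash of issuer key, serial) plus a fresh nonce."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder()
           .add_certificate(cert, issuer, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False)
           .build())
    return req.public_bytes(DER), nonce


def respond(request_der, signer_cert, signer_key):
    """Responder: parse, check the request is about our CA, look up the serial, sign."""
    def decline(status):
        return ocsp.OCSPResponseBuilder.build_unsuccessful(status).public_bytes(DER)
    try:
        req = ocsp.load_der_ocsp_request(request_der)
    except ValueError:
        return decline(ocsp.OCSPResponseStatus.MALFORMED_REQUEST)
    # Our CA's issuer hashes under the client's hash algorithm, for comparison.
    probe = ocsp.OCSPRequestBuilder().add_certificate(GOOD_CERT, CA_CERT, req.hash_algorithm).build()
    entry = INDEX.get(req.serial_number)
    if (req.issuer_name_hash, req.issuer_key_hash) != (probe.issuer_name_hash, probe.issuer_key_hash) or entry is None:
        # A production responder answers UNKNOWN for a serial it has no record of;
        # this builder needs the certificate to form the CertID, so the demo declines.
        return decline(ocsp.OCSPResponseStatus.UNAUTHORIZED)
    cert, revoked_at = entry
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=CA_CERT, algorithm=req.hash_algorithm,
                             cert_status=ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD,
                             this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
                             revocation_time=revoked_at,
                             revocation_reason=x509.ReasonFlags.key_compromise if revoked_at else None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
               .certificates([signer_cert]))
    for ext in req.extensions:          # echo the nonce so the client can bind the answer
        if isinstance(ext.value, x509.OCSPNonce):
            builder = builder.add_extension(ext.value, critical=False)
    return builder.sign(signer_key, hashes.SHA256()).public_bytes(DER)


def check_status(response_der, cert, nonce, trusted_ca):
    """Client: accept only a fresh answer about our certificate, signed by the trusted CA."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder declined: " + resp.response_status.name)
    signer = resp.certificates[0] if resp.certificates else trusted_ca
    # Only the CA itself is trusted to sign here. A delegated responder would also
    # need to chain to the CA and carry the OCSP-signing extended key usage.
    if signer.public_bytes(DER) != trusted_ca.public_bytes(DER):
        raise ValueError("response signed by an untrusted certificate")
    try:
        trusted_ca.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                       ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        raise ValueError("bad signature on response")
    if resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce != nonce:
        raise ValueError("nonce mismatch: stale or replayed response")
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is about a different certificate")
    return resp.certificate_status.name          # "GOOD" or "REVOKED"


def query(cert, signer_cert=None, signer_key=None):
    """One full exchange; by default the CA itself answers."""
    if signer_cert is None:
        signer_cert, signer_key = CA_CERT, CA_KEY
    req_der, nonce = build_request(cert, CA_CERT)
    return check_status(respond(req_der, signer_cert, signer_key), cert, nonce, CA_CERT)
```

query(GOOD_CERT) returns "GOOD" and query(REVOKED_CERT) returns "REVOKED"; a response from the rogue responder, an unlisted serial, or a malformed request all end in a ValueError on the client side, which is the fail-closed behaviour the text above calls for when the responder cannot be trusted.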
What is SSL VPN NetExtender? section on page 445
Benefits section on page 445
NetExtender Concepts section on page 446
Benefits
NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user's PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plugin when using Firefox. On MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal. Linux systems can also install and use the NetExtender client. After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL-VPN point-to-point access to permitted hosts and subnets on the internal network.
NetExtender Concepts
The following sections describe advanced NetExtender concepts:
Stand-Alone Client section on page 446
Client Routes section on page 446
Tunnel All Mode section on page 447
Connection Scripts section on page 447
Proxy Configuration section on page 447
Stand-Alone Client
NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user's PC or Mac. The installer creates a profile based on the user's login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer will first uninstall the old NetExtender and install the new version. Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC's Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.
Client Routes
NetExtender client routes are used to allow and deny access for SSL VPN users to various network resources. Address objects are used to easily and dynamically configure access to network resources.
NetExtender also adds routes for the local networks of all connected Network Connections. These routes are given a more preferred (numerically lower) metric than any existing route, so that traffic destined for the local network is forced over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel. Tunnel All mode is configured on the SSL VPN > Client Routes page.
Connection Scripts
SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.
Proxy Configuration
SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) protocol.
Automatically detect settings - To use this setting, the proxy server must support the Web Proxy Auto Discovery (WPAD) protocol, which can push the proxy settings script to the client automatically.
Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
Use proxy server - You can use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses and bypass the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password, but you do not specify them, a NetExtender pop-up window will prompt you to enter them when you first connect.
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the SonicWALL security appliance directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.
The following settings configure the appearance of the Virtual Office portal:
Portal Site Title - The text displayed in the top title of the web browser.
Portal Banner Title - The text displayed next to the logo at the top of the page.
Home Page Message - The HTML code that is displayed above the NetExtender icon.
Login Message - The HTML code that is displayed when users are prompted to log in to the Virtual Office.
Example Template - Resets the Home Page Message and Login Message fields to the default example template.
Preview - Launches a pop-up window that displays the HTML code.
Launch NetExtender after login - Automatically launches NetExtender after a user logs in.
The following options customize the functionality of the Virtual Office portal:
Display Import Certificate Button - Displays an Import Certificate button on the Virtual Office page. This initiates the process of importing the SonicWALL security appliance's self-signed certificate onto the web browser. This option only applies to the Internet Explorer browser on PCs running Windows 2000 or Windows XP. Where possible, install a certificate issued by a CA your clients already trust instead; users who are trained to import self-signed certificates cannot tell a legitimate one from an attacker's.
Enable HTTP meta tags for cache control - Inserts HTTP tags into the browser that instruct the web browser not to cache the Virtual Office page. SonicWALL recommends enabling this option.
The Customized Logo field is used to display a logo other than the SonicWALL logo at the top of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo must be in GIF format of size 155 x 36, and a transparent or light background is recommended.
The following tasks are configured on the SSL VPN > Client Settings page:
Configuring Zones for SSL VPN Access section on page 451
Configuring the SSL VPN Client Address Range section on page 451
WAN management must be enabled on the zone to terminate SSL VPN sessions. Even though the zone has SSL VPN enabled, if the management interface is disabled, SSL VPN will not work correctly.
The range must fall within the same subnet as the interface to which the SSL VPN appliance is connected, and in cases where there are other hosts on the same segment as the SSL VPN appliance, it must not overlap or collide with any assigned addresses.
To configure the SSL VPN Client Address Range, perform the following steps:
Step 1 Navigate to the SSL VPN > Client Settings page.
Step 2 In the NetExtender Start IP field, enter the first IP address in the client address range.
Step 3 In the NetExtender End IP field, enter the last IP address in the client address range.
Step 4 In the DNS Server 1 field, enter the IP address of the primary DNS server, or click Default DNS Settings to use the default settings.
Step 5 (Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.
Step 6 (Optional) In the DNS Domain field, enter the domain name for the DNS servers.
Step 7 In the User Domain field, enter the domain name for the users. The value of this field must match the domain field in the NetExtender client.
Step 8 (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.
Step 9 (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.
Step 10 In the Interface pull-down menu, select the interface to be used for SSL VPN services.
Note
The IP address range must be on the same subnet as the interface used for SSL VPN services.
Step 11 Click the Zone name at the top of the page to enable SSL VPN access on it with these settings. The indicator should be green for the Zone you want to enable.
Step 12 Click Accept.
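The following function is an added example, not part of the guide or of SonicOS. It applies the two notes above (the range must lie within the interface subnet and must not collide with assigned addresses) to a NetExtender Start IP and End IP pair before they are entered. The interface address and the list of hosts already on the segment are constructed inputs; the checks that the range excludes the network and broadcast addresses and the interface's own address are this example's additions.

```python
# Added example, not SonicWALL code: pre-flight checks for the NetExtender
# client address range against the SSL VPN interface it will be served from.
import ipaddress


def validate_client_range(start, end, interface, in_use=()):
    """Return a list of problems with the Start IP / End IP range; empty means acceptable.

    interface: the SSL VPN interface's own address with prefix, e.g. "192.168.200.1/24"
    in_use:    addresses already assigned on that segment (constructed input)
    """
    iface = ipaddress.ip_interface(interface)
    net = iface.network
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        return ["Start IP is after End IP"]
    problems = [f"{label} {addr} is outside the interface subnet {net}"
                for label, addr in (("Start IP", first), ("End IP", last)) if addr not in net]
    if problems:
        return problems
    if first == net.network_address or last == net.broadcast_address:
        problems.append("range must not include the network or broadcast address")
    # The interface's own address counts as assigned, as do any hosts on the segment.
    taken = {iface.ip} | {ipaddress.ip_address(a) for a in in_use}
    collisions = sorted(a for a in taken if first <= a <= last)
    if collisions:
        problems.append("range collides with assigned addresses: " + ", ".join(map(str, collisions)))
    return problems


def pool_size(start, end):
    """Number of concurrent NetExtender clients the range can address."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
```

A range of 192.168.200.100 to 192.168.200.200 on an interface at 192.168.200.1/24 passes and gives pool_size 101; the same range with a host already at 192.168.200.150 is reported as a collision, and a range starting at 192.168.200.0 is rejected for including the network address.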
Default Session Timeout (minutes) - The default timeout value for client inactivity, after which the client's session is terminated.
Enable NetBIOS Over SSLVPN - Allows NetExtender clients to broadcast NetBIOS to the SSL VPN subnet.
Enable Client Autoupdate - The NetExtender client checks for updates every time it is launched.
Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN portal or launch NetExtender from their Programs menu.
Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when it becomes disconnected from the SSL VPN server. To reconnect, users will have to return to the SSL VPN portal.
Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.
Communication Between Clients - Enables NetExtender clients that are connected to the same server to communicate.
User Name & Password Caching - Provides flexibility in allowing users to cache their usernames and passwords in the NetExtender client. The three options are Allow saving of user name only, Allow saving of user name & password, and Prohibit saving of user name & password. These options enable administrators to balance security needs against ease of use for users; a cached password is a reusable credential stored on the endpoint, so Allow saving of user name only is the safer default.
The following tasks are configured on the SSL VPN > Client Routes page:
Configuring Tunnel All Mode section on page 454
Adding Client Routes section on page 455
NetExtender also adds routes for the local networks of all connected Network Connections. These routes are given a more preferred (numerically lower) metric than any existing route, so that traffic destined for the local network is forced over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
Configuring SonicWALL Network Anti-Virus section on page 458
SonicWALL Network Anti-Virus Email Filter section on page 461
Configuring the SonicWALL Content Filter Service section on page 463
Configuring the SonicWALL Intrusion Prevention Service section on page 463
Configuring the SonicWALL RBL Filter section on page 472
Configuring the SonicWALL Gateway Anti-Virus section on page 473
Configuring the SonicWALL Anti-Spyware Service section on page 478
SonicWALL appliances are entitled to a one-month anti-virus trial subscription. To enable the trial subscription, see Registering and Upgrading SonicWALL Appliances on page 591.
Anti-Virus Settings
To configure Anti-Virus settings for one or more SonicWALL appliances, follow these steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click AV Configure. The AV Configure page appears.
3. Select the Enable Anti-Virus Client Automated Installation, Updates and Enforcement check box.
4. To enforce Anti-Virus protection on the DMZ port or HomePort (if available), select the Enable DMZ/HomePort/WLAN/OPT Policing check box.
5. To disable policing from the LAN to the DMZ, select the Disable policing from LAN/WorkPort to DMZ/HomePort/WLAN/OPT check box.
6. To configure the SonicWALL appliance(s) to only check for updates once a day, select the Reduce AV Traffic for ISDN connections check box. This is useful for low bandwidth connections or connections that are not always on.
7. SonicWALL GMS automatically downloads the latest virus definition files. To configure the maximum number of days that can pass before SonicWALL GMS downloads the latest files, select the number of days from the Maximum Days Allowed Before Forcing Update list box.
8. Significant virus events can occur without warning (e.g., Melissa, ILOVEYOU, and others). When these occur, SonicWALL GMS can be configured to block network traffic until the latest virus definition files are downloaded. To configure this feature, determine which types of events will require updating. Then, select the Low Risk, Medium Risk, or High Risk check boxes.
Exempt Computers
The Exempt Computers section allows the GMS administrator to specify address ranges which should be explicitly included in or excluded from Anti-Virus enforcement.
1. Select the Enforce Anti-Virus policies for all computers radio button to enforce Anti-Virus policies across your entire network. Selecting this option forces computers to install VirusScan ASaP in order to access the Internet or the DMZ. This is the default configuration.
2. Select the Include specific address ranges in the Anti-Virus enforcement radio button to force a specified range of addresses to adhere to Anti-Virus enforcement. Choosing this option allows the administrator to define ranges of IP addresses to receive Anti-Virus enforcement. If you select this option, specify a range of IP addresses to be enforced. Any computer requiring enforcement needs a static IP address within the specified range of IP addresses. Up to 64 IP address ranges can be entered for enforcement.
3. Select the Exclude specific address ranges in the Anti-Virus enforcement radio button to exempt a specified range of addresses from Anti-Virus enforcement. Selecting this option allows the administrator to define ranges of IP addresses that are exempt from Anti-Virus enforcement. If you select this option, specify the range of IP addresses that are exempt. Any computer requiring unrestricted Internet access needs a static IP address within the specified range of IP addresses. Up to 64 IP address ranges can be entered. Because enforcement is keyed on the IP address alone, a host that can move to an address in an exempt range steps outside enforcement; keep exempt ranges small and tie them to static assignments.
Email Filtering
During an outbreak, Email filtering allows for preemptive blocking of known filenames and newly discovered viruses before the Anti-Virus signature (DAT) files are actually available. This feature also provides full filename blocking of virus files, allowing SonicWALL to block only malicious attachments, while letting all other attachments through. For example, during a virus outbreak, only the virus file is blocked while other productive files (such as Word documents and Excel spreadsheets) are allowed through. To configure email filter settings for one or more SonicWALL appliances, follow these steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click EMail Filter. The EMail Filter screen displays.
3. To enable infected email attachment blocking on inbound SMTP and POP3 Email protocols, select the Enable Email Attachment Filtering Alert Service check box.
Note
Only files that were discovered to be infected will be blocked. If a message contains uninfected attachments, those will be forwarded to the recipient.
4. To specify file extensions to filter, select the Enable Email Attachment Filtering of Forbidden File Extensions check box. Enter the file extensions (one at a time) in the Forbidden File Extensions box and click the Add button. Remove extensions from the list by selecting the check box to the left of the file extension and clicking the Update button at the bottom of the page.
5. Select how forbidden files are handled:
Select the Disable the forbidden file by altering the file extension and attach warning text radio button to alter the file extension by replacing the third character of the file extension with _. If the email attachment is a valid file, the message recipient may return the attachment to its original file extension without damaging the file. Because the recipient can undo the change, this action only adds friction; it does not remove malicious content.
Select Delete forbidden file and attach warning text to remove the forbidden file from the Email message entirely and attach warning text to the message.
6. In the Warning Message Text field (maximum 256 characters), enter the text you wish to attach to messages containing forbidden files.
7. Click the Update button to save your changes.
Email Blocking
This option allows the administrator to block fragments of Email messages, which can otherwise carry an attachment past filters that inspect each fragment on its own.
Check the Block Email fragments (Content-Type message/partial) check box to block fragmented messages from being delivered. Click the Update button to save your changes.
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset. The SonicWALL appliance will block viruses that are discovered by the virus signature files and filenames that are known to be infected during an outbreak.
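The following is an added example, not the appliance's code. It applies the two forbidden-file actions described in step 5 to a constructed list of attachment names, matching on the attachment's final extension regardless of case so that a double extension such as Invoice.PDF.EXE is still caught. How the appliance treats an extension shorter than three characters is not stated in the guide; this example leaves such names unchanged, which is an assumption.

```python
# Added example, not SonicWALL code: forbidden-attachment handling as described
# in the Email Filtering steps, over constructed attachment names.
import os

FORBIDDEN = {"exe", "scr", "vbs", "pif"}      # constructed policy list for the demo
WARNING_TEXT_MAX = 256                       # limit stated in step 6


def extension_of(name):
    """Final extension, lower-cased: 'Invoice.PDF.EXE' -> 'exe'."""
    return os.path.splitext(name)[1][1:].lower()


def is_forbidden(name, forbidden=FORBIDDEN):
    return extension_of(name) in forbidden


def disarm(name):
    """'Disable the forbidden file by altering the file extension': third character -> '_'."""
    stem, ext = os.path.splitext(name)
    if len(ext) <= 3:          # e.g. ".js": no third character; left unchanged (assumption)
        return name
    return stem + ext[:3] + "_" + ext[4:]


def filter_message(attachments, action, warning_text, forbidden=FORBIDDEN):
    """Return (attachment names kept, warning text to attach or None)."""
    if len(warning_text) > WARNING_TEXT_MAX:
        raise ValueError("warning text limited to %d characters" % WARNING_TEXT_MAX)
    if action not in ("disarm", "delete"):
        raise ValueError("action must be 'disarm' or 'delete'")
    kept, hit = [], False
    for name in attachments:
        if not is_forbidden(name, forbidden):
            kept.append(name)
            continue
        hit = True                          # forbidden: keep a disarmed copy or drop it
        if action == "disarm":
            kept.append(disarm(name))
    return kept, (warning_text if hit else None)
```

With action "disarm", setup.exe is passed on as setup.ex_ and the warning text is attached; with "delete" it is removed. A message with no forbidden attachment is returned unchanged with no warning.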
Overview of IPS section on page 464
SonicWALL Deep Packet Inspection section on page 464
Enabling Intrusion Prevention Services section on page 466
Configuring IPS Policies section on page 469
Manual Upload of Keyset and Signature Files section on page 470
Overview of IPS
SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, Email, file transfer, Windows services and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and backdoor exploits. The extensible signature language used in SonicWALL's Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWALL IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new attacks through SonicWALL's Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS to detect and prevent attacks on a global, attack group, or per-signature basis to provide maximum flexibility and control over false positives.
SonicWALL Deep Packet Inspection
1. The Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent known and unknown protocols, applications and exploits.
2. TCP packets arriving out of order are reassembled by the Deep Packet Inspection framework.
3. Deep Packet Inspection engine preprocessing involves normalization of the packet's payload. For example, an HTTP request may be URL encoded, so the request is URL decoded in order to perform correct pattern matching on the payload.
4. Deep Packet Inspection engine postprocessors perform actions which may either simply pass the packet without modification, or drop a packet, or even reset a TCP connection.
5. SonicWALL's Deep Packet Inspection framework supports complete signature matching across TCP fragments without performing any reassembly (unless the packets are out of order). This results in more efficient use of processor and memory for greater performance.
If TCP packets arrive out of order, the SonicWALL IPS engine reassembles them before inspection. However, SonicWALL's IPS framework supports complete signature matching across the TCP fragments without having to perform complete reassembly. SonicWALL's reassembly-free matching solution dramatically reduces CPU and memory resource requirements.
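The following is an added example, not SonicWALL's Deep Packet Inspection engine. It shows why the normalization step in item 3 matters, by running the same illustrative signatures against a few constructed HTTP request targets before and after percent-decoding. The signatures, the request targets and the decode depth are the example's own choices, not values from the guide.

```python
# Added example, not SonicWALL code: payload normalization before pattern
# matching, over constructed HTTP request targets and illustrative signatures.
import re
from urllib.parse import unquote

SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "null byte": re.compile(r"\x00"),
    "etc/passwd": re.compile(r"/etc/passwd"),
}
MAX_DECODE_ROUNDS = 3     # bounded, so %252e (a double-encoded '.') is still caught


def normalise_target(target):
    """Percent-decode until the string stops changing, then collapse '/./' and '//'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target, errors="replace")
        if decoded == target:
            break
        target = decoded
    target = re.sub(r"/\./", "/", target)
    target = re.sub(r"/{2,}", "/", target)
    return target.lower()


def match_raw(target):
    """Signatures that fire on the wire bytes as sent."""
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(target))


def match_normalised(target):
    """Signatures that fire after the preprocessing step."""
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(normalise_target(target)))


REQUESTS = [                           # constructed request targets
    "/cgi-bin/../../etc/passwd",       # plain
    "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",        # single-encoded dots
    "/cgi-bin/%252e%252e/%252e%252e/etc/passwd",  # double-encoded dots
    "/images/logo%00.jpg",             # embedded null byte
    "/index.html",                     # benign
]

if __name__ == "__main__":
    for target in REQUESTS:
        print(f"{target}\n  raw: {match_raw(target)}\n  normalised: {match_normalised(target)}")
```

The single- and double-encoded traversal requests match only the /etc/passwd fragment on the raw bytes; after normalization the traversal signature fires too. The decode depth is a tuning decision: an inspection engine should decode as many times as the protected server will, no more, or it will alert on requests the server treats literally.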
2. Expand the Security Services tree and click Intrusion Prevention. The Intrusion Prevention page appears.
3. Check the Enable IPS checkbox to enable the service.
4. Select the check boxes of the interface ports to monitor.
5. Configure the following settings for High Priority Attacks in the IPS Settings area:
- To detect, log, and prevent all high priority attacks, select the
- To detect and log all high priority attacks, select the Detect All check box.
- To prevent the log from becoming overloaded with entries for the same attack, enter a value in the Log Redundancy Filter field. For example, if you entered a value of 30 seconds and there were 100 SubSeven attacks during that period of time, only one attack would be logged during that 30 second period.
6. Repeat Step 3 for the remaining categories as applicable, including Medium Priority Attacks, Low Priority Attacks, IM (Instant Messaging) Applications, and P2P (Peer-to-Peer) Applications.
7. Click Configuring IPS Settings to choose one of the following options:
- If Enable IP Reassembly is enabled, the SonicWALL security appliance automatically drops and resets the connection, to prevent the traffic from reaching its destination.
- If Detect Invalid Checksum is enabled, the SonicWALL security appliance logs and alerts any traffic, but does not take any action against the traffic. The connection proceeds to its intended destination.
- If Enable IPS Exclusion List is enabled, this SonicWALL security appliance bypasses IPS enforcement for a specified IP range. This requires the addition of an IPS Range (below).
8. To force the firmware to download all signatures, click Update IPS Signature Database.
9. To reset your IPS settings to the defaults, click Reset IPS Settings & Policies.
10. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
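How a log redundancy filter of this kind behaves, in an added Python example that reproduces the 30-second window and 100 SubSeven detections from Step 5. This is illustration code written for this page, not GMS or SonicOS code. The event records are constructed, and the key that defines "the same attack" (signature name, optionally combined with the source address) is an assumption of the example.

```python
from collections import namedtuple

# Constructed IPS event records: (timestamp in seconds, signature name, source IP).
Event = namedtuple("Event", "ts signature src")


class LogRedundancyFilter:
    """Suppress repeated log entries for the same attack within a time window.

    The first event for an attack is logged; further events for that attack
    are suppressed until window_seconds have elapsed since the last logged
    one. Which fields identify "the same attack" is this example's choice
    (signature name by default, or signature plus source address); the
    appliance's real grouping key is not documented on this page.
    """

    def __init__(self, window_seconds, per_source=False):
        if window_seconds < 0:
            raise ValueError("window must be non-negative")
        self.window = window_seconds
        self.per_source = per_source
        self.last_logged = {}  # attack key -> timestamp of the last logged event

    def key(self, event):
        return (event.signature, event.src) if self.per_source else event.signature

    def should_log(self, event):
        k = self.key(event)
        last = self.last_logged.get(k)
        if last is not None and event.ts - last < self.window:
            return False  # suppressed: still inside the window
        self.last_logged[k] = event.ts
        return True


def filter_events(events, window_seconds, per_source=False):
    """Return the events that would reach the log, in time order."""
    f = LogRedundancyFilter(window_seconds, per_source)
    return [e for e in sorted(events, key=lambda e: e.ts) if f.should_log(e)]


def sample_events():
    """Constructed burst: 100 SubSeven detections within 30 seconds from two
    hosts, one unrelated detection, and one SubSeven detection after the window."""
    burst = [Event(0.3 * i, "SubSeven", "10.0.0.%d" % (1 + i % 2)) for i in range(100)]
    return burst + [Event(5.0, "constructed-other-sig", "10.0.0.9"),
                    Event(30.0, "SubSeven", "10.0.0.1")]


if __name__ == "__main__":
    for e in filter_events(sample_events(), window_seconds=30):
        print("%6.1fs  %-22s %s" % (e.ts, e.signature, e.src))
```

With a 30-second window the 100 SubSeven events in the burst produce a single log line, the unrelated signature is logged normally, and the SubSeven event at 30.0 s is logged again because the window has expired. Keying per source address instead yields one line per attacking host, which is what an operator wants when the same signature fires from several sources; a window of 0 disables the filter.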
1. Locate the type of attack that you would like to view. To sort by category, select a category from the Categories list box. To sort by priority, select a priority level from the Priority list box.
2. After locating a type of attack to configure, click its Configure icon. The Configure IPS dialog box appears.
3. Select whether attack prevention for this type of attack is enabled, disabled, or uses the default global settings for the attack category from the Prevention list box.
4. Select whether attack detection for this type of attack is enabled, disabled, or uses the default global settings for the attack category from the Detection list box.
5. Select which users or groups to include for this attack type in the Included Users/Groups list box.
6. Select which users or groups to exclude for this attack type in the Excluded Users/Groups list box.
7. Select an IP address range to include for this attack type in the Included IP Address Range list box.
8. Select an IP address range to exclude for this attack type in the Excluded IP Address Range list box.
9. Select a time range to enforce attack protection on this attack type from the Schedule list box.
10. Enter a timespan in the Log Redundancy Filter (seconds) field, or select the checkbox to Use Category Settings.
11. When you are finished, click Update. You are returned to the Intrusion Prevention page.
12. Repeat Steps 2 through 16 for each attack to edit.
13. To reset all attacks to their default settings, click Reset ALL IPS Settings and Policies.
3. Click on the GMS Settings option. The GMS Settings dialog box displays.
4. Check the following checkbox: Firewalls managed by this GMS do not have Internet Access - This indicates that the SonicWALL appliances managed by GMS cannot directly reach the Internet.
Note
Note that keyset files will be uploaded at the time of registering a unit or when there is a change in the user license.
5. In the Policies tab, navigate to the System > Tools page to upload keyset and signature files.
2. Expand the Security Services tree and click RBL Filter. The Global Security Client screen displays.
3. Check the Enable Real-time Black List Blocking checkbox to enable the service.
4. In the RBL DNS Servers drop-down list, choose to Inherit Settings from WAN Zone or Specify DNS Servers Manually.
5. If choosing to specify your DNS servers manually, enter the server names in the DNS Server (1, 2, 3) fields below.
6. Click the Add RBL Service link to add a new RBL domain.
7. Enter the RBL Domain you wish to block and check the appropriate responses in the RBL Blocked Responses section below. You also have the option to Block All Responses.
8. Click the OK button to save this new RBL Service.
9. Click the Update button to update these settings.
2. Expand the Security Services tree and click Gateway AntiVirus. The Gateway AntiVirus screen displays.
You can manually update your SonicWALL GAV database at any time by clicking the Update button. However, by default, the SonicWALL security appliance running SonicWALL GAV automatically checks for new signatures once an hour.
3. Check the Enable Gateway Anti-Virus checkbox.
4. If you have GMS managed UTM appliances running SonicOS Standard, select the interface you want to enable Gateway Anti-Virus on. You can select from WAN, LAN/WorkPort, DMZ/HomePort/WLAN/OPT.
5. Check the boxes corresponding to the Protocols you wish to enforce Inbound and Outbound inspection on.
Note
If your SonicWALL UTM appliance is running SonicOS Enhanced, you must enable Gateway Anti-Virus on the appropriate zone in the Network > Zones page before continuing.
1. Select Enable Client Notification Alerts to send relevant blocked file notifications to users of the SonicWALL Desktop Anti-Virus client.
2. Select Disable SMTP Responses to suppress the sending of email notifications when viruses are blocked at the gateway.
3. Select Disable detection of EICAR test virus to ignore this test file. The EICAR file is a small file (not an actual virus) often used to test how virus protection mechanisms respond to a threat.
4. It is not recommended to check the options for Enable HTTP Byte-Range requests with Gateway AV or Enable FTP REST requests with Gateway AV unless directed to do so by a SonicWALL representative.
5. Select Enable HTTP Clientless Notification Alerts to enable alerts about blocked content for clients who do not have SonicWALL Client Anti-Virus installed. These alerts are delivered by way of a standard HTML browser window. You may also enter a message below if using this notification type.
6. If Enable Gateway AV Exclusion List is enabled, the SonicWALL security appliance bypasses AV enforcement for a specified IP range. This requires the addition of an IPS Range.
SonicWALL GMS 6.0 Administrators Guide
Select which types of traffic to Enable Inbound Inspection for. To scan outgoing SMTP mail, select to Enable Outbound Inspection on SMTP. For more granular control over protocol traffic inspection, click the settings icon for each of the protocols you choose. The settings window displays and allows you to restrict transfer of the following possibly dangerous file types:
Table 6 Gateway AV File Restrictions
File Type: Password protected ZIP files
Security Issues: This option only functions on protocols (e.g. HTTP, FTP, SMTP) that are enabled for inspection.
File Type: MS-Office type files containing macros
Security Issues: Transfers of any MS Office 97 and above files that contain VBA macros.
File Type: Packed executable files (UPX, FSG, etc.)
Security Issues: Disables the transfer of packed executable files. Packers are utilities which compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer adds a header that expands the file in memory, and then executes that file.
4. Click the Configure Gateway AV Settings link. The Gateway AV settings window displays. This window allows you to configure client notification alerts and create a SonicWALL GAV exclusion list.
5. To download the latest signature database from mysonicwall.com, click the Update Gateway AV Signature Database link.
6. Click the Update button when you are ready to save your changes.
Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
- Use Search String - Allows you to display signatures containing a specified string entered in the Lookup Signatures Containing String field.
- All Signatures - Displays all the signatures in the table, 50 to a page.
- 0 - 9 - Displays signature names beginning with the number you select from the menu.
- A-Z - Displays signature names beginning with the letter you select from the menu.
- Enable SonicWALL Anti-Spyware
- Specify Spyware Danger Level Protection
- Apply SonicWALL Anti-Spyware Protection to Zones
Note
For complete instructions on setting up SonicWALL Anti-Spyware Service, refer to the SonicWALL Anti-Spyware Service Administrators Guide available on the SonicWALL Web site http://www.sonicwall.com/us/Support.html
Once you have configured these basic anti-spyware protection settings, you can perform additional configuration to tailor SonicWALL Anti-Spyware protection for your network environment.
Selecting Security Services > Anti-Spyware displays the configuration settings for SonicWALL Anti-Spyware on your SonicWALL security appliance.
The Anti-Spyware page for SonicOS Enhanced is divided into three sections:
- Anti-Spyware Status - displays status information on the state of the signature database, your SonicWALL Anti-Spyware license, and other information.
- Anti-Spyware Global Settings - provides the key settings for enabling SonicWALL Anti-Spyware on your SonicWALL security appliance, specifying global SonicWALL Anti-Spyware protection based on three classes of spyware, and other configuration options.
- Anti-Spyware Signatures - shows the status and contents of your signature database.
Warning
After activating your SonicWALL Anti-Spyware license, you must enable and configure SonicWALL Anti-Spyware on the SonicWALL management interface before anti-spyware policies are applied to your network traffic.
Checking the Enable Anti-Spyware check box does not automatically start SonicWALL Anti-Spyware protection. You must also specify a Prevent All action in the Signature Groups table to activate anti-spyware on the SonicWALL security appliance, and then specify the zones you want to protect on the Network > Zones page. You can also select Detect All for spyware event logging and alerting.
Selecting the Prevent All and Detect All check boxes for High Danger Level Spyware and Medium Danger Level Spyware in the Signature Groups table, and then clicking Apply protects your network against the most dangerous spyware.
Caution
SonicWALL recommends enabling Prevent All for High Danger Level Spyware and Medium Danger Level Spyware signature groups to provide anti-spyware protection against the most damaging and disruptive spyware applications. You can also enable Detect All for spyware logging and alerting.
SonicWALL Anti-Spyware also allows you to configure anti-spyware policies at the category and signature level to provide flexible granularity for tailoring SonicWALL Anti-Spyware protection based on your network environment requirements. If you are running SonicOS Enhanced, you can apply these custom SonicWALL Anti-Spyware policies to Address Objects, Address Groups, and User Groups, as well as create enforcement schedules. For more information, refer to the SonicWALL Anti-Spyware Administrators Guide available on the SonicWALL Web site http://www.sonicwall.com/us/Support.html
In the SonicWALL security appliance management interface, select Network > Zones or from the Anti-Spyware Status section, on the Security Services > Anti-Spyware page, click the Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the Edit icon for the zone you want to apply SonicWALL IPS. The Edit Zone window is displayed.
3. Click the Enable Anti-Spyware Service checkbox. A checkmark appears. To disable SonicWALL Anti-Spyware Service, uncheck the box.
4. Click OK.
You can also enable SonicWALL IPS protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.
enforcement schedules. For more information, refer to the SonicWALL Anti-Spyware Administrators Guide available on the SonicWALL Web site http://www.sonicwall.com/us/Support.html.
Configure the fields in the Anti-Spyware Product Settings dialog box as described in the following table.
Table 7 Anti-Spyware Product Settings
Field: Prevention
Description: Allows you to enable and disable intrusion prevention for the device.
Field: Detection
Description: Allows you to enable and disable intrusion detection for the device.
Field: Included Users/Groups
Description: Applies the anti-spyware settings to members of the following group types: All, Administrators, Everyone, Guest Services, Trusted Users, Content Filtering Bypass, and Limited Administrators.
Field: Excluded Users/Groups
Description: Does not apply the anti-spyware settings to members of the following group types: All, Administrators, Everyone, Guest Services, Trusted Users, Content Filtering Bypass, and Limited Administrators.
Field: Included IP Address Range
Description: Allows you to apply the anti-spyware settings to all users that fall within a specified IP address range of a specified category. For more details on the categories, see the table below.
For a bird's-eye view of the categories, refer to the following figure:
- Configuring High Availability Settings section on page 488
- Configuring Advanced High Availability Settings section on page 489
- Monitoring High Availability section on page 492
- Verifying High Availability Status section on page 493
Note
High Availability is available at the appliance level; it cannot be configured at the group level.
- SonicWALL NSA Series
- SonicWALL NSA E-Class Series
- SonicWALL PRO 2040/3060/4060/4100/5060
1. Select a SonicWALL appliance and click the Policies tab.
2. Expand the High Availability tree and click Settings. The High Availability page displays.
3. Select the Enable High Availability check box. When a SonicWALL appliance becomes active after startup, it looks for an active SonicWALL appliance that is configured for High Availability. If the other appliance is active, it transitions to Idle mode. Sometimes, due to network latency and other issues, it may take a while to find the other SonicWALL appliance.
4. Enter the Serial Number of the Backup SonicWALL security appliance to be used in the High Availability pair.
5. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Select a SonicWALL appliance and click the Policies tab. Expand the High Availability tree and click Advanced.
2. Select the Enable Stateful Synchronization check box to configure stateful High Availability. With Stateful High Availability, the primary unit actively communicates with the backup on a per connection and VPN level. As the primary creates and updates connection cache entries or VPN tunnels, the backup unit is informed of such changes. The backup unit remains in a continuously synchronized state so that it can seamlessly assume the network responsibilities upon failure of the primary unit with no interruption to existing network connections.
Note
Stateful High Availability requires an additional license for the primary SonicWALL appliance. The license is shared between the primary and backup appliances.
3. To configure Active/Active UTM, select the Enable Active/Active UTM checkbox.
Note
Active/Active UTM is available on SonicWALL NSA series appliances running SonicOS Enhanced 5.5 or higher. In an active/active model, both UTM appliances share the processing of Deep Packet Inspection (DPI) UTM services. When Active/Active UTM is enabled on a Stateful HA pair, these DPI UTM services can be processed concurrently with firewall, NAT, and other modules on both the active and idle UTM appliances. Processing of all modules other than DPI UTM services is restricted to the active unit.
4. If enabling Active/Active UTM, select an interface in the HA Data Interface drop-down list. This interface will be used for transferring data between the two units during Active/Active UTM processing. Only unassigned, available interfaces appear in the drop-down list.
5. Select the Enable Preempt Mode check box to configure the primary SonicWALL appliance to take over from the backup SonicWALL appliance when it becomes available. Otherwise, the backup SonicWALL appliance will remain active.
6. Select the Generate/Overwrite Backup Firmware and Settings When Upgrading Firmware check box to overwrite the current firmware backup settings when upgrading. With this option, the current settings at the time of upgrade will be saved as backup settings.
7. Select the Enable Virtual MAC check box. When the Stateful High Availability Upgrade is licensed, Virtual MAC capability is also licensed. Virtual MAC allows the backup unit in an HA pair to use the MAC address of the primary unit when a failover occurs. Alternatively, you can manually set a virtual MAC address for both units to use. Virtual MAC addressing contributes to network continuity and efficiency during a failover in the same way as the use of virtual IP addresses. During a failover, the backup unit uses the same virtual IP address that was used by the primary unit. The Virtual MAC feature avoids the need to update the whole network to associate the virtual IP address with the actual physical MAC address of the backup unit.
8. Optionally, you can fine-tune the following options:
- Enter the heartbeat interval (in seconds) in the Heartbeat Interval field.
- Specify how long the backup waits before replacing the primary (in
- To specify how long the SonicWALL appliance will look, enter the number of seconds in the Election Delay Time field. You can enter a value between 0 and 300 seconds, but the default value of 0 seconds is sufficient in most cases.
- field. This setting is used when a failover occurs on a High Availability pair that is using either RIP or OSPF dynamic routing. When a failover occurs, Dynamic Route Hold-Down Time is the number of seconds the newly-active appliance keeps the dynamic routes it had previously learned in its route table. During this time, the newly-active appliance relearns the dynamic routes in the network. When the Dynamic Route Hold-Down Time duration expires, it deletes the old routes and implements the new routes it has learned from RIP or OSPF. The default value is 45 seconds. In large or complex networks, a larger value may improve network stability during a failover.
9. When changes are made to the Primary or Backup UTM appliance, the changes are automatically synchronized between the two UTM appliances. To cause the synchronization to occur now, click Synchronize Settings. Additionally, selecting Include Certificates/Keys will synchronize certificates and keys between devices.
10. To force the backup device to load and reboot to current firmware from the primary device, click the Synchronize Firmware link.
11. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Expand the High Availability tree and click Monitoring. The Monitoring Settings page displays.
2. Click on the configure icon for the X0 interface. The Interface X0 Monitoring Settings window displays.
3. Enter the LAN management IP address for the primary appliance in the Primary IP Address field.
4. Enter the LAN management IP address for the backup appliance in the Backup IP Address field.
5. (Optional) Check the Enable Interface Monitoring checkbox and enter the IP address of a reliable device on the LAN network in the Probe IP Address field. This should be a downstream router or server. The primary and backup appliances will regularly ping this probe IP address. If both can successfully ping the target, no failover occurs. If neither can successfully ping the target, no failover occurs, because it is assumed that the problem is with the target, and not the SonicWALL appliances. But, if one appliance can ping the target but the other appliance cannot, failover will occur to the appliance that can ping the target.
6. (Optional) To manually specify the virtual MAC address, check the Manual Virtual MAC checkbox and enter a MAC address. SonicWALL recommends that you manually configure the virtual MAC address only if the appliances do not have Internet access (for example, in secure network environments). Allowing the appliances to retrieve the virtual MAC address from the SonicWALL backend eliminates the possibility of configuration errors and ensures the uniqueness of the virtual MAC address, which prevents possible conflicts.
7. Click OK.
8. Click on the configure icon for the X1 interface and repeat steps 3 through 7 for the WAN IP addresses on the primary and backup appliances.
You can also view details on High Availability events in the GMS log, which is available on the Console tab under the Log tree. See Configuring Log Settings on page 277 for more information.
- Managing SonicPoints section on page 496
- Viewing Station Status section on page 511
- Using and Configuring SonicPoint IDS section on page 513
- Using and Configuring Virtual Access Points section on page 516
Managing SonicPoints
The SonicPoint section of GMS lets you manage the SonicPoints connected to your system.
- Configure your SonicPoint Provisioning Profiles
- Configure a Wireless zone
- Assign profiles to wireless zones. This step is optional. If you do not assign a default profile for a zone, SonicPoints in that zone will use the first profile in the list.
- Assign an interface to the Wireless zone
- Attach the SonicPoints to the interfaces in the Wireless zone
- Test SonicPoints
Default provisioning profile settings:
- Name: sonicwall-D790 (where D790 is an example; this is determined by the hardware address)
- Radio Mode: 2.4 GHz 802.11n/g/b Mixed
- Channel: AutoChannel
- ACL Enforcement: Disabled
- Authentication Type: WEP - Both (Open System & Shared Key)
- Schedule IDS Scan: Disabled
- Data Rate: Best
- Antenna Diversity: Best
- Configuring a SonicPointN Profile for 802.11n on page 498
- Configuring a SonicPoint Profile for 802.11a or 802.11g on page 504
To add a new profile click Add SonicPointN below the list of SonicPoint 802.11n provisioning profiles. To edit an existing profile, select the profile and click the Configure icon in the same line as the profile you are editing.
Step 2
connected to this zone. When each SonicPointN is provisioned it is given a name that consists of the name prefix and a unique number, for example: SonicPoint 126008.
Country Code: Select the country where you are operating the SonicPointNs. The country code determines which regulatory domain the radio operation falls under.
Step 3
In the 802.11n tab, configure the radio settings for the 802.11n radio:
wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
- 2.4GHz 802.11n/g/b Mixed - Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
Tip
For optimal throughput speed solely for 802.11n clients, SonicWALL recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.
802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.
- 5 GHz 802.11n Only - Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
- 5 GHz 802.11n/a Mixed - Supports 802.11n and 802.11a clients simultaneously. If your wireless network comprises both types of clients, select this mode.
- 5 GHz 802.11a Only - Select this mode if only 802.11a clients
using this profile. This is the name that will appear in clients' lists of available wireless connections.
Note
If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed:
Radio Band (802.11n only): Sets the band for the 802.11n radio:
- Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
- Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel pull-down menu is displayed.
- Standard Channel - This pull-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.
- Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel pull-down menus are displayed:
set to Auto.
- If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
Enable Short Guard Interval: Specifies the short guard interval of 400 ns (as opposed to the standard guard interval of 800 ns). The guard interval is a pause in transmission intended to avoid data loss from interference or multipath delays.
Enable Aggregation: Enables 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput.
Tip
The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, etc.), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with MAC address in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with MAC address in the group. The deny list is enforced before the Allow list.
Step 4
In the Wireless Security section of the 802.11n Radio tab, configure the following settings:
Authentication Type: Select the method of authentication for your wireless network. You can select WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, and WPA2-AUTO-EAP.
WEP Configuration
WEP Key Mode: Select the size of the encryption key.
Default Key: Select which key in the list below is the default key, the most likely to be used in the field you selected as the default key.
WPA or WPA2 Configuration:
Cipher Type: The cipher that encrypts your wireless data. Choose either TKIP (older, more compatible), AES (newer, more secure), or Both (backward compatible).
Group Key Interval: The time period for which a Group Key is valid. The default value is 86400 seconds. Setting too low a value can cause connection issues.
Passphrase (PSK only): This is the passphrase your network users
In the Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.
Hide SSID in Beacon: Check this option to have the SSID broadcast
the wireless network to schedule an Intrusion Detection Service (IDS) scan to minimize the inconvenience of dropped wireless connections.
Data Rate: Select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate.
affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
antenna the SonicPoint uses to send and receive data. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal.
Beacon Interval (milliseconds): Enter the number of milliseconds between sending out a wireless beacon.
DTIM Interval: Enter the interval in milliseconds.
Fragmentation Threshold (bytes): Enter the number of bytes of
clients you want the SonicPoint to support on this radio at one time.
Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host. You can select Long or Short.
Protection Mode: Select the CTS or RTS protection. Select None,
Protection Rate: Select the speed for the CTS or RTS protection, 1
Protection Type: Select the type of protection, CTS-only or RTS-CTS.
Turbo G mode and therefore are not allowing 802.11b clients to connect.
When a SonicPoint unit is first connected and powered up, it will have a factory default configuration (IP address 192.168.1.20, username: admin, password: password). Upon initializing, it will attempt to find a SonicOS device with which to peer. If it is unable to find a peer SonicOS device, it will enter into a stand-alone mode of operation with a separate stand-alone configuration allowing it to operate as a standard Access Point. If the SonicPoint does locate, or is located by a peer SonicOS device, via the SonicWALL Discovery Protocol, an encrypted exchange between the two units will ensue wherein the profile assigned to the relevant Wireless zone will be used to automatically configure (provision) the newly added SonicPoint unit. As part of the provisioning process, SonicOS will assign the discovered SonicPoint device a unique name, and it will record its MAC address and the interface and zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS will then use the profile associated with the relevant zone to configure the 2.4GHz and 5GHz radio settings. Modifications to profiles will not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways:
- Via manual configuration changes - Appropriate when a single change, or a small set of changes, is to be made, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.
- Via un-provisioning - Deleting a SonicPoint unit effectively un-provisions the unit, or clears its configuration and places it into a state where it will automatically engage the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed, and the change is set for propagation. It can be used to update firmware on SonicPoints, or to simply and automatically update multiple SonicPoint units in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause service disruptions.
To add a new profile click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing. In the General tab of the Add Profile window, specify:
Step 2
Managing SonicPoints
Name Prefix: Enter a prefix for the names of all SonicPoints connected to this zone. When each SonicPoint is provisioned it is given a name that consists of the name prefix and a unique number, for example: SonicPoint 126008.
Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
Step 3
In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio:
Enable 802.11g Radio: Check this to automatically enable the 802.11g radio on SonicPoints provisioned with this profile.
SSID: Enter the SSID for SonicPoints using this profile. This is the name that will appear in clients' lists of available wireless connections.
Note
If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
Radio Mode: Select the speed of the wireless connection. You can choose 11Mbps - 802.11b, 54 Mbps - 802.11g, or 108 Mbps - Turbo G mode. If you choose Turbo mode, all users in your company must use wireless access cards that support turbo mode.
Channel: Select the channel the radio will operate on. The default is AutoChannel, which automatically selects the channel with the least interference. Use AutoChannel unless you have a specific reason to use or avoid specific channels.
Enable MAC Filter List: Check this to enforce access control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with a MAC address in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with a MAC address in the group. The Deny List is enforced before the Allow List, so an address that appears in both groups is denied. A MAC filter list only restricts which hardware addresses may associate; it is not authentication, because a client can set its own MAC address to one on the Allow List.
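The following is an added example, not code from the GMS guide or from SonicWALL, showing the Deny-before-Allow evaluation order described above applied to a client MAC address. The group contents, the normalize_mac helper, and the treatment of a client that appears in neither group (denied by default here, which is an assumption rather than documented GMS behaviour) are the example's own:

```python
"""MAC filter list evaluation: the Deny List is checked before the Allow List.

Added example; the group contents and the default decision for an address
in neither list are assumptions, not GMS behaviour documented on this page.
"""
import re
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabbccddeeff, any case.
_MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$",
                     re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so that 'AA-BB-CC-DD-EE-01' and 'aa:bb:cc:dd:ee:01'
    compare equal; raises ValueError on anything that is not a 48-bit MAC."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octet.lower() for octet in m.groups())


def mac_group(*members: str) -> frozenset:
    """Build an address-object group (a set of canonical MACs)."""
    return frozenset(normalize_mac(m) for m in members)


def evaluate(client_mac: str, deny_list: frozenset, allow_list: frozenset,
             default: Decision = Decision.DENY) -> tuple:
    """Return (decision, reason) for one client.

    Order matters: a MAC present in both groups is denied, because the
    Deny List is enforced first. A MAC in neither group gets `default`.
    """
    mac = normalize_mac(client_mac)
    if mac in deny_list:
        return Decision.DENY, "deny list"
    if mac in allow_list:
        return Decision.ALLOW, "allow list"
    return default, "not listed"


# Constructed sample groups (hypothetical addresses).
CORP_LAPTOPS = mac_group("00:11:22:33:44:01", "00:11:22:33:44:02",
                         "00-11-22-33-44-03")
LOST_DEVICES = mac_group("00:11:22:33:44:03")  # also in CORP_LAPTOPS: deny wins


def filter_clients(clients, deny_list=LOST_DEVICES, allow_list=CORP_LAPTOPS):
    """Evaluate a batch of association attempts; returns {mac: decision}."""
    return {normalize_mac(c): evaluate(c, deny_list, allow_list)[0]
            for c in clients}


if __name__ == "__main__":
    sample = ["00:11:22:33:44:01", "00-11-22-33-44-03", "aabbccddeeff"]
    for mac, decision in filter_clients(sample).items():
        print(f"{mac}: {decision.value}")
```

The lost laptop 00:11:22:33:44:03 is denied even though it is still a member of the corporate allow group, which is exactly why the deny group is the right place to park a stolen or compromised device without editing the allow group. Keep in mind that allowed MACs travel in the clear in every frame, so the list is hygiene, not access control; WPA2 provides the latter.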
Authentication Type: Select the authentication method for your wireless network. You can select WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, and WPA2-AUTO-EAP.
WEP Key Mode: Select the size of the encryption key.
Default Key: Select which key in the list below is the default key, the one tried first when a client authenticates. Enter the key most likely to be used in the field you selected as the default key.
Step 4
In the 802.11g Advanced tab, configure the performance settings for the 802.11g radio. For most 802.11g advanced options, the default settings give optimum performance.
Hide SSID in Beacon: Check this option to omit the SSID from the beacon frames the SonicPoint broadcasts. Clients must then be configured with the SSID to connect; because the SSID still appears in probe responses, this is not a substitute for encryption.
Schedule IDS Scan: Select a time when there are fewer users on the wireless network to schedule an Intrusion Detection Service (IDS) scan, to minimize the inconvenience of dropped wireless connections.
Data Rate: Select the speed at which data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate.
Transmit Power: Select the transmit power. Transmit power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
Antenna Diversity: Select which antenna the SonicPoint uses to send and receive data. You can select:
Best: This is the default setting. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply.
2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.
Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time.
Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host. You can select Long or Short.
Protection Mode: Select the CTS or RTS protection. Select None, Always, or Auto.
Protection Rate: Select the speed for the CTS or RTS protection: 1 Mbps, 2 Mbps, 5 Mbps, or 11 Mbps.
Protection Type: Select the type of protection, CTS-only or RTS-CTS.
CCK OFDM Power Delta: Select the difference in transmit power you will allow between the 802.11b and 802.11g modes: 0 dBm, 1 dBm, or 2 dBm.
Enable Short Slot Time: Allow clients to disassociate and reassociate more quickly.
Allow Only 802.11g Clients to Connect: Check this if you are using Turbo G mode and therefore are not allowing 802.11b clients to connect.
Step 5
Configure the settings in the 802.11a Radio and 802.11a Advanced tabs. These settings affect the operation of the 802.11a radio bands. The SonicPoint has two separate radios built in. Therefore, it can send and receive on both the 802.11a and 802.11g bands at the same time.
The settings in the 802.11a Radio and 802.11a Advanced tabs are similar to the settings in the 802.11g Radio and 802.11g Advanced tabs. Follow the instructions in step 3 and step 4 in this procedure to configure the 802.11a radio.
Under SonicPoint Settings, click the Edit icon in the row of the SonicPoint you want to edit.
In the Edit SonicPoint screen, make the changes you want. The Edit SonicPoint screen has the following tabs: General, 802.11g Radio, 802.11g Advanced, 802.11a Radio, and 802.11a Advanced.
The options on these tabs are the same as the Add SonicPoint Profile screen. See SonicPoint Provisioning Profiles for instructions on configuring these settings.
Synchronize SonicPoints
Click Synchronize SonicPoints at the top of the SonicPoint > SonicPoints page to update the settings for each SonicPoint reported on the page. When you click Synchronize SonicPoints, SonicOS polls all connected SonicPoints and displays updated settings on the page.
Check the box under Enable to enable the SonicPoint; uncheck the box to disable it. Click Apply at the top of the SonicPoint > SonicPoints page to apply this setting to the SonicPoint.

To add a SonicPoint profile from GMS, click the SonicPoints option in the SonicPoint menu. GMS displays the SonicPoints dialog box. Click Add. GMS displays the Add SonicPoint Profile dialog box containing a series of tabs.

To schedule when a SonicPoint radio is enabled:
1. Navigate to the Policies Panel.
2. Select either a SonicPoint G or SonicPoint A device in the unit list.
3. In the Navigation Bar, click the SonicPoint menu to display SonicPoint options.
4. Click the SonicPoints option. GMS displays the SonicPoints dialog box.
5. Click on an existing SonicPoint device in the device list or click Add. GMS displays the SonicPoint Profile dialog box containing a series of tabs.
6. Click either the 802.11g Radio or 802.11a Radio tab, depending on which device you want to schedule.
7. Click on the Schedule list box at the top of the screen to the right of the Enable checkbox. The following figure is an example of a scheduling list box (for 802.11g).
SonicPoints and SonicOS devices exchange the following SonicWALL Discovery Protocol (SDP) messages:
Advertisement: SonicPoint devices without a peer periodically, and on startup, announce or advertise themselves via a broadcast. The advertisement includes information that the receiving SonicOS device uses to ascertain the state of the SonicPoint. The SonicOS device then reports the state of all peered SonicPoints, and takes configuration actions as needed.
Discovery: SonicOS devices periodically send discovery request broadcasts to elicit responses from L2 connected SonicPoint units.
Configure Directive: A unicast message from a SonicOS device to a specific SonicPoint unit to establish encryption keys for provisioning, and to set the parameters for and engage configuration mode.
Configure Acknowledgement: A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.
Keepalive: A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.

If via the SDP exchange the SonicOS device ascertains that the SonicPoint requires provisioning or a configuration update (for example, on calculating a checksum mismatch, or when a firmware update is available), the Configure Directive engages a 3DES encrypted, reliable TCP based SonicWALL Simple Provisioning Protocol (SSPP) channel. The SonicOS device then sends the update to the SonicPoint via this channel, and the SonicPoint restarts with the updated configuration. State information is provided by the SonicPoint, and is viewable on the SonicOS device throughout the entire discovery and provisioning process.
Up: An access point state, indicating that the access point is up and running.
Down: An access point state, indicating that the access point is not running.
Associations: Total number of associations since power up.
Dis-Associations: Total number of dis-associations.
Re-Associations: Total number of re-associations.
Authentications: Number of authentications.
De-Authentications: Number of de-authentications.
Good Frames Received: Total number of good frames received.
Good Frames Transmitted: Total number of good frames transmitted.
Error in Receive Frames: Total number of error frames received.
Error in Transmit Frames: Total number of error frames transmitted.
Discarded Frames: Total number of frames discarded. Discarded frames are generally a sign of network congestion.
Total Bytes Received: Total number of bytes received.
Total Bytes Transmitted: Total number of bytes transmitted.
Management Frames Received: Total number of management frames received. Management frames include:
    Association request
    Association response
    Re-association request
    Re-association response
    Probe request
    Probe response
    Beacon frame
Management Frames Transmitted: Total number of management frames transmitted.
Control Frames Received: Total number of control frames received. Control frames include:
    RTS (Request to Send)
    CTS (Clear to Send)
    ACK (Positive Acknowledgement)
Control Frames Transmitted: Total number of control frames transmitted.
Data Frames Received: Total number of data frames received.
Data Frames Transmitted: Total number of data frames transmitted.
Warning
Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill effects. Persistent connections (protocols such as FTP) are impaired or severed. WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client. If service disruption is a concern, it is recommended that the Scan Now feature not be used while the TZ 170 Wireless is in Access Point mode until such a time that no clients are active, or the potential for disruption becomes acceptable.
SonicPoint: The SonicPoint that detected the access point.
MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
SSID: The radio SSID of the access point.
Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
Channel: The radio channel used by the access point.
Manufacturer: The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWALL or Senao.
Signal Strength: The strength of the detected radio signal.
Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
Authorize: Click the Authorize icon to add the access point to the address object group of authorized access points.
If you have more than one SonicPoint, you can select an individual device from the SonicPoint list to limit the Discovered Access Points table to display only scan results from that SonicPoint. Select All SonicPoints to display scan results from all SonicPoints.
In GMS, you can configure VAPs on the Policies panel, SonicPoint > Virtual Access Point screen.

To add a Virtual Access Point group:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Group. The Add Virtual Access Point Group dialog box displays.
3. Enter the VAP group name in the Virtual AP Group Name field.
4. In Available Virtual AP Objects, select the objects that should be in the VAP group, and then click the arrow button to move them to Member of Virtual AP Group. To remove objects from the group, select them in the Member of Virtual AP Group field and then click the left arrow button to move them back to the Available list.
5. Click OK.
6. In the SonicPoint > Virtual Access Point screen, click Update.

To add a Virtual Access Point:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Virtual Access Point. The Add Virtual Access Point dialog box displays.
3. On the General tab, enter the SSID associated with the VAP. You can create a service set identifier (SSID) when creating a SonicPoint profile. See SonicPoint Provisioning Profiles on page 497.
4. Select Enable Virtual Access Point. You can also deselect this checkbox to disable the VAP without deleting it completely.
5. To suppress the SSID, select Enable SSID Suppress.
6. Click the Advanced tab.
7. On the Advanced tab, configure the following:
Profile Name: Select the VAP profile from the drop-down list.
Radio Type: Select the radio type from the drop-down list.
Authentication Type: Select the authentication type from the drop-down list.
Unicast Cipher: Select the unicast cipher from the drop-down list.
Multicast Cipher: Select the multicast cipher from the drop-down list.
Maximum Clients: Enter the maximum number of clients.
8. Click OK.
9. In the SonicPoint > Virtual Access Point screen, click Update.

To add a Virtual Access Point profile:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Virtual Access Point Profile. The Add Virtual Access Point Profile dialog box displays.
3. Configure the following:
Authentication Type: Select the authentication type from the drop-down list.
Unicast Cipher: Select the unicast cipher from the drop-down list.
Multicast Cipher: Select the multicast cipher from the drop-down list.
Maximum Clients: Enter the maximum number of clients.
4. Click OK.
5. In the SonicPoint > Virtual Access Point screen, click Update.
Configuring General Wireless Settings section on page 522 Configuring Wireless Security Settings section on page 525 Configuring Advanced Wireless Settings section on page 530 Configuring MAC Filter List Settings section on page 533 Configuring Intrusion Detection Settings section on page 535
1. Select a wireless SonicWALL appliance.
2. Expand the Wireless tree and click Settings. The Settings page displays.
Note
The Wireless > Settings page provides different options for SonicOS Enhanced and SonicOS Standard.
3. Select whether the SonicWALL appliance will act as an Access Point or a Wireless Bridge from the Radio Role list box.
4. To enable wireless networking on this device, select the Enable WLAN Radio check box.
5. For SonicOS Standard, configure Use Time Constraints to set hours of operation for this wireless device. For SonicOS Enhanced, select the schedule from the Schedule list box.
6. For SonicOS Standard only, optionally select SSL-VPN Enforcement and configure the Server Address and Server Port fields to add SSL-VPN enforcement to this wireless device.
7. For SonicOS Standard only, select WiFiSec Enforcement to enable WiFiSec security over this wireless device.
8. For SonicOS Standard only, if using WiFiSec Enforcement, you can choose to Require WiFiSec for Site-to-Site VPN Tunnel Traversal. This option is selected by default when enabling both SSL-VPN and WiFiSec simultaneously.
9. For SonicOS Standard only, if using WPA encryption, you can choose to Trust WPA traffic as WiFiSec.
10. For SonicOS Standard only, if using WiFiSec enforcement, you can choose Enable WiFiSec Service Exception List. With this checkbox selected, select a service from the list and click the Add button.
11. Enter the IP address and subnet mask of the Wireless LAN port in the WLAN IP Address and WLAN Subnet Mask fields.
12. Enter the Service Set Identifier (SSID) or wireless network name in the SSID field (maximum: 32 characters).
13. Select an applicable wireless Radio Mode from the list box.
14. Select an applicable Country Code from the list box.
15. Select a wireless channel to use from the Channel list box.
16. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Select a wireless SonicWALL appliance.
2. Expand the Wireless tree and click Security. The fields on this screen change depending on the Authentication Type that you select.
3. Select a WEP authentication type from the Authentication Type list. Shared Key is selected by default.
4. Select the default key to use, 1, 2, 3, or 4, from the Default Key drop-down list.
5. Select the key type to be either Alphanumeric or Hexadecimal. The number of characters you enter is different for each because an alphanumeric (or ASCII) character contains 8 bits, and a hexadecimal character contains only 4 bits. The advertised key size includes the 24-bit initialization vector, so a 64-bit key carries 40 secret bits, a 128-bit key 104, and a 152-bit key 128.

Table 10 WEP Encryption Key Types
Key size        Alphanumeric                 Hexadecimal
WEP - 64-bit    5 characters (0-9, A-Z)      10 characters (0-9, A-F)
WEP - 128-bit   13 characters (0-9, A-Z)     26 characters (0-9, A-F)
WEP - 152-bit   16 characters (0-9, A-Z)     32 characters (0-9, A-F)

6. Type your keys into each field. For each key, select 64-bit, 128-bit, or 152-bit from the drop-down list next to the Key field. 152-bit is the most secure of the WEP options, but no WEP key size resists key recovery from captured traffic; use WEP only for legacy clients that cannot do WPA2, and prefer WPA2 otherwise.
7. Click Update.
Extensible Authentication Protocol (EAP): EAP allows WPA/WPA2 to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.
Pre-Shared Key (PSK): PSK allows WPA/WPA2 to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server.
WPA and WPA2 support is only available in Access Point Mode. WPA and WPA2 support is not available in Bridge Mode.

To configure WPA or WPA2 security on the SonicWALL, perform the following tasks:
1. On the Policies panel, click Wireless, then Security.
2. Under Encryption Mode, select a WPA or WPA2 authentication type from the Authentication Type list. You can choose from the following authentication types:
WPA-PSK
WPA-EAP
WPA2-PSK
WPA2-EAP
WPA2-AUTO-PSK
WPA2-AUTO-EAP
The screen changes to display the configurable fields. The same configuration fields are displayed for all authentication types that employ PSK, and the same configuration fields are displayed for all authentication types that employ EAP.

For PSK authentication types:
1. Select the cipher, for example AES.
2. Select one of the following in the Group Key Update drop-down list to determine when to update the key:
By Timeout - Generates a new group key after an interval specified in seconds.
Disabled - Uses a static key that is never regenerated.
3. If you selected By Timeout, enter the number of seconds before WPA or WPA2 automatically generates a new group key into the Interval field.
4. Type the passphrase from which the key is generated into the Passphrase field.
5. Do one of the following:
To apply the settings, click Update.
To clear all screen settings and start over, click Reset.
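The key sizes in Table 10 and the passphrase-to-key step above can be checked with the following added example, which is not code from the guide or from SonicWALL. It validates WEP key lengths against Table 10 (and reports the secret bits once the 24-bit IV is removed), derives the WPA/WPA2 pairwise master key from a passphrase and SSID the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes; a standards fact, not something the page states), and shows why the passphrase must be strong: with the SSID and one captured 4-way handshake an attacker runs the same derivation against guesses offline. The SSID, passphrases and wordlist are constructed for the example.

```python
"""Key material for the Wireless > Security settings: WEP key lengths and
WPA/WPA2-PSK passphrase derivation.

Added example. The WPA-PSK derivation follows IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
The SSID, passphrases and wordlist below are constructed.
"""
import hashlib
import re

WEP_IV_BITS = 24  # the advertised WEP size includes a 24-bit IV
_WEP_ASCII_CHARS = {5: 64, 13: 128, 16: 152}   # Table 10, alphanumeric entry
_WEP_HEX_DIGITS = {10: 64, 26: 128, 32: 152}   # Table 10, hexadecimal entry


def wep_key_size(key, hexadecimal):
    """Return the advertised size (64/128/152) for a key in either entry mode,
    raising ValueError if the length is not one Table 10 allows.
    Alphanumeric entry is checked as printable ASCII (8 bits per character)."""
    if hexadecimal:
        if not re.fullmatch(r"[0-9A-Fa-f]+", key) or len(key) not in _WEP_HEX_DIGITS:
            raise ValueError("hex WEP key must be 10, 26 or 32 hex digits")
        return _WEP_HEX_DIGITS[len(key)]
    if (not key.isascii() or not key.isprintable()
            or len(key) not in _WEP_ASCII_CHARS):
        raise ValueError("alphanumeric WEP key must be 5, 13 or 16 ASCII characters")
    return _WEP_ASCII_CHARS[len(key)]


def wep_secret_bits(advertised_size):
    """Bits actually secret: 40 for '64-bit', 104 for '128-bit', 128 for '152-bit'."""
    return advertised_size - WEP_IV_BITS


def wpa_psk_pmk(passphrase, ssid):
    """Derive the 256-bit PMK that WPA/WPA2-PSK uses for every client.
    The Group Key Update interval rotates group keys, not this value;
    the PMK only changes when the passphrase or SSID changes."""
    if (not 8 <= len(passphrase) <= 63 or not passphrase.isascii()
            or not passphrase.isprintable()):
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               4096, dklen=32)


def offline_guess(ssid, captured_pmk, candidates):
    """What an attacker with the SSID and a captured 4-way handshake does:
    derive the PMK for each guess and compare. Returns the passphrase or None.
    (A real attack verifies the handshake MIC, which needs the PMK; comparing
    PMKs directly costs the same per guess.)"""
    for candidate in candidates:
        try:
            if wpa_psk_pmk(candidate, ssid) == captured_pmk:
                return candidate
        except ValueError:
            continue  # too short or too long to be a valid passphrase
    return None


CONSTRUCTED_WORDLIST = ["letmein", "password", "Welcome1", "sonicwall", "changeme"]


def demo():
    """Weak vs strong passphrase for a constructed SSID."""
    ssid = "CorpWiFi"
    weak = wpa_psk_pmk("password", ssid)
    strong = wpa_psk_pmk("4-Xq7!vB9#m2Lw$p", ssid)
    return (offline_guess(ssid, weak, CONSTRUCTED_WORDLIST),
            offline_guess(ssid, strong, CONSTRUCTED_WORDLIST))


if __name__ == "__main__":
    print("PMK for 'password'/'IEEE':", wpa_psk_pmk("password", "IEEE").hex())
    print("offline guess (weak, strong):", demo())
```

The derivation reproduces the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE", which is a quick way to confirm a tool computes the PMK correctly. Because the SSID is the salt, a common SSID lets an attacker reuse precomputed tables across networks; a unique SSID and a long random passphrase are what make WPA2-PSK hold up.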
For EAP authentication types:
1. Type the IP address of the primary RADIUS server into the Radius Server 1 IP field.
2. Type the port number used to communicate with the primary RADIUS server into the Port field.
3. Type the shared secret for the primary RADIUS server into the Radius Server 1 Secret field.
4. Type the IP address of the secondary RADIUS server into the Radius Server 2 IP field.
5. Type the port number used to communicate with the secondary RADIUS server into the Port field.
6. Type the shared secret for the secondary RADIUS server into the Radius Server 2 Secret field.
7. Do one of the following:
To apply the settings, click Update.
To clear all screen settings and start over, click Reset.
1. Select a wireless SonicWALL appliance.
2. Expand the Wireless tree and click Advanced. The Advanced screen displays.
Note
The Wireless > Advanced page provides different options for SonicOS Standard and SonicOS Enhanced; the SonicOS Enhanced page has different fields than those in SonicOS Standard. Also, SonicOS Standard 3.8 displays six more fields than earlier versions of SonicOS Standard.
3. Select Hide SSID in Beacon. If you select Hide SSID in Beacon, the SSID is left out of the beacon frames the appliance broadcasts, so the network does not show up in a casual scan by anyone who does not know your SSID.
Note
This provides marginal security, as Probe Responses and other 802.11 frames contain the SSID; anyone capturing traffic while a client associates learns it. Treat it as a convenience, not as an access control.
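To see why the note above holds, here is an added example (not code from the guide or from SonicWALL) that builds two 802.11 management frames in the standard wire format, a beacon with the SSID element emptied as Hide SSID in Beacon does, and a probe response for the same BSS, and parses the SSID out of each. The BSSID, SSID and channel are constructed values; the frame layout is the IEEE 802.11 one (24-byte header, 12 bytes of fixed fields, then tagged elements).

```python
"""Parse the SSID out of 802.11 beacon and probe-response frames.

Added example. Frame layout follows IEEE 802.11 management frames:
24-byte MAC header, 12 bytes of fixed fields (timestamp, beacon interval,
capabilities), then tagged information elements (ID, length, value).
BSSID, SSID and channel below are constructed values.
"""
import struct

TYPE_MANAGEMENT = 0
SUBTYPE_PROBE_RESPONSE = 5
SUBTYPE_BEACON = 8
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3  # carries the channel number


def build_mgmt_frame(subtype, bssid, ssid, channel, hide_ssid=False):
    """Construct a minimal beacon or probe response for a BSS."""
    frame_control = bytes([(subtype << 4) | (TYPE_MANAGEMENT << 2), 0x00])
    header = (frame_control + b"\x00\x00"     # duration
              + b"\xff" * 6                   # addr1: broadcast destination
              + bssid + bssid                 # addr2: source, addr3: BSSID
              + b"\x00\x00")                  # sequence control
    fixed = struct.pack("<QHH", 0x123456, 100, 0x0411)  # timestamp, interval, caps
    ssid_value = b"" if hide_ssid else ssid.encode("utf-8")
    ies = bytes([IE_SSID, len(ssid_value)]) + ssid_value
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


def parse_mgmt_frame(frame):
    """Return subtype, BSSID, channel and SSID (None when hidden)."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon/probe response")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != TYPE_MANAGEMENT:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    if subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESPONSE):
        raise ValueError(f"unsupported management subtype {subtype}")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    body = frame[24:]
    _timestamp, interval, _caps = struct.unpack_from("<QHH", body, 0)

    elements = {}
    offset = 12
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated element header")
        eid, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("element length exceeds frame")  # malformed-IE case
        elements.setdefault(eid, []).append(value)
        offset += 2 + length

    raw_ssid = elements.get(IE_SSID, [b""])[0]
    # Hidden networks send a zero-length SSID or one filled with NUL bytes.
    hidden = len(raw_ssid) == 0 or set(raw_ssid) == {0}
    ds = elements.get(IE_DS_PARAMS)
    return {
        "subtype": subtype,
        "bssid": bssid,
        "beacon_interval": interval,
        "channel": ds[0][0] if ds else None,
        "ssid_hidden": hidden,
        "ssid": None if hidden else raw_ssid.decode("utf-8", errors="replace"),
    }


def hidden_ssid_demo():
    """Beacon with SSID suppressed vs. probe response for the same BSS."""
    bssid = bytes.fromhex("0017c5aabbcc")  # constructed BSSID
    beacon = build_mgmt_frame(SUBTYPE_BEACON, bssid, "CorpWiFi", 6, hide_ssid=True)
    probe_resp = build_mgmt_frame(SUBTYPE_PROBE_RESPONSE, bssid, "CorpWiFi", 6)
    return parse_mgmt_frame(beacon), parse_mgmt_frame(probe_resp)


if __name__ == "__main__":
    for parsed in hidden_ssid_demo():
        print(parsed)
```

The beacon parses with ssid_hidden set and no name, while the probe response the access point must send to any client that asks for the network by name carries "CorpWiFi" in the clear; a passive capture on the channel sees both. The parser also rejects an element whose declared length runs past the end of the frame, which is the usual shape of a malformed management frame.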
4. Enter how often (in milliseconds) a beacon will be sent in the Beacon Interval field. Decreasing the interval makes passive scanning more reliable and faster, because beacon frames announce the network to wireless clients more frequently.
5. To specify the maximum number of wireless clients, enter the limit in the Maximum Client Associations field. Wireless clients are devices that attempt to access the wireless SonicWALL appliance.
6. Configure the remaining radio options:
Antenna Diversity: Select which antenna the SonicWALL Wireless uses to send and receive data. You can select:
Best: This is the default setting. When Best is selected, the SonicWALL Wireless automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
1: Select 1 to restrict the SonicWALL Wireless to use antenna 1 only. Facing the rear of the SonicWALL, antenna 1 is on the left, closest to the console port. You can disconnect antenna 2 when using only antenna 1.
2: Select 2 to restrict the SonicWALL Wireless to use antenna 2 only. Facing the rear of the SonicWALL, antenna 2 is on the right, closest to the power supply. You can disconnect antenna 1 when using only antenna 2.
Transmit Power: Select High from the Transmit Power menu to send the strongest signal on the WLAN. For example, select High if the signal is going from building to building. Medium is recommended for office to office within a building, and Low or Lowest is recommended for shorter distance communications.
Preamble Length: Select Short or Long from the Preamble Length menu. Short is the default. A short preamble means that frames are delivered with less overhead, but a lost or damaged frame must be discarded and retransmitted.
RTS Threshold (bytes): The RTS Threshold is 2432 by default. If network throughput is slow or a large number of frame retransmissions is occurring, decrease the RTS threshold to enable RTS clearing.
DTIM Interval: The default value for the DTIM Interval is 3. Increasing the DTIM interval lets power-saving clients sleep longer between deliveries of buffered broadcast and multicast traffic, at the cost of added latency for that traffic.
Association Timeout (seconds): If the network is very busy, you can increase the timeout by increasing the number of seconds in this field.
Data Rate: For SonicOS Standard 3.8 and above, select the wireless transmission rate from the Data Rate drop-down list. You can select Best or a value between 1 and 54 megabits per second (Mbps). The default is 48 Mbps.
Protection Mode: For SonicOS Standard 3.8 and above, in the Protection Mode drop-down list, select None, Always or Auto. Use Always or Auto to prevent transmission frame collisions when you have multiple wireless nodes.
Protection Rate: For SonicOS Standard 3.8 and above, in the Protection Rate drop-down list, select 1 Mbps, 2 Mbps, 5 Mbps or 11 Mbps. The Protection Rate specifies the transmission rate for the Request-To-Send (RTS) and Clear-To-Send (CTS) frames. The default is 5 Mbps.
Protection Type: For SonicOS Standard 3.8 and above, in the Protection Type drop-down list, select RTS-CTS or CTS-only. RTS-CTS is the mechanism used by the 802.11 wireless networking protocol to reduce frame collisions. The node wishing to transmit data sends an RTS frame. The destination node replies with a CTS frame. Other wireless nodes within range refrain from sending data for a specified time to avoid collisions. The default is RTS-CTS.
CCK OFDM Power Delta: For SonicOS Standard 3.8 and above, in the CCK OFDM Power Delta drop-down list, select 0 dBm, 1 dBm or 2 dBm. Complementary Code Keying (CCK) and Orthogonal Frequency Division Multiplexing (OFDM) are digital modulation techniques used in 802.11 wireless networks. This field specifies the difference in transmit power between the two modulations, expressed in dBm (decibels relative to one milliwatt). Zero dBm equals one milliwatt; two dBm is less than two milliwatts.
Enable Short Slot Time: For SonicOS Standard 3.8 and above, select the Enable Short Slot Time checkbox to minimize the time to wait before transmitting. Slot time is the time required for a transmission to reach the destination. The default is to enable a short slot time.
7.
When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Select a wireless SonicWALL appliance, a group, or the global icon.
2. Expand the Wireless tree and click MAC Filter List. The MAC Filter List screen displays.
Note
The MAC Filter List provides different options in SonicOS Standard and SonicOS Enhanced. SonicOS Enhanced provides drop-down lists for the Allow and Deny lists.
3. To enable the MAC filter list for the selected device(s), select the Enable MAC Filter List check box.
4. For SonicOS Standard, to add a MAC address to the filter list, enter the address in the MAC Address List field, check either Allow or Block, and add any comments to the Comment field.
5. Click Add MAC Address. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a future date and time.
8. Click Accept.
9. Repeat these steps for each MAC address that you want to add in SonicOS Standard.
10. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance(s). To clear all screen settings and start over, click Reset.
11. For SonicOS Enhanced only, select one of the options from the Allow List and Deny List drop-down lists.
12. Click Update. The scheduler displays.
13. Expand Schedule by clicking the plus icon.
14. Select Immediate or specify a future date and time.
15. Click Accept.
1. Select a wireless SonicWALL appliance, a group, or the global icon.
2. Expand the Wireless tree and click IDS. The IDS screen displays.
3. Select Enable Client Null Probing Detection to enable client null probe detection.
4. Hackers can cause a Denial-of-Service (DoS) attack by flooding a wireless network with association requests. To combat this, select the Enable Association Flood Detection check box. The default association flood threshold is 10 association attempts within 5 seconds. To change this setting, enter new flood threshold values. To block the MAC address of a computer or device attempting this attack, select the Block station's MAC address in response to an association flood field.
5. To access a network, hackers can set up a rogue access point that intercepts communications with legitimate users attempting to access a legitimate access point. This man-in-the-middle attack can expose passwords and other network resources. To enable detection of rogue access points, select the Enable Rogue Access Point Detection check box.
6. In SonicOS Standard only, to prevent rogue access points, you must specify each authorized access point within the network. To do so, enter the MAC address of an access point in the MAC Address (BSSID) field and click Add. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
10. For SonicOS Standard only, click Request Discovered Access Points.
11. For SonicOS Standard only, click Scan Now...
12. For SonicOS Enhanced only, to authorize access points, select one of the listed options.
13. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance(s). To clear all screen settings and start over, click Reset.
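The threshold in step 4 (10 association attempts within 5 seconds) is straightforward to reproduce as a sliding-window detector, which is useful when you want to check the appliance's verdicts against a packet capture or a syslog feed. The following is an added example, not SonicOS or GMS code: the log lines are constructed for the example (the appliance's own log format is not shown on this page), an attempt counts toward the window while its age is at most 5 seconds, and the station MAC is added to a block set when the threshold trips, mirroring the Block station's MAC address option.

```python
"""Sliding-window association flood detection (10 attempts / 5 s by default).

Added example with a constructed log format:
    <ISO timestamp> assoc-req sta=<client MAC> bssid=<AP MAC>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) assoc-req sta=(?P<sta>[0-9a-f:]{17}) bssid=(?P<bssid>[0-9a-f:]{17})$",
    re.IGNORECASE)


def parse_line(line):
    """Return (timestamp, station MAC) for an association request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # deauth, data, anything else: not counted
    return datetime.fromisoformat(m["ts"]), m["sta"].lower()


class AssocFloodDetector:
    def __init__(self, threshold=10, window_seconds=5.0, block_station=True):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.block_station = block_station
        self._attempts = defaultdict(deque)  # station -> timestamps in window
        self.blocked = set()
        self.alerts = []  # (station, time the threshold was crossed)

    def observe(self, ts, sta):
        """Feed one association attempt; returns True if it tripped the threshold."""
        if sta in self.blocked:
            return False  # already blocked: its frames are dropped, not counted
        q = self._attempts[sta]
        q.append(ts)
        while q and ts - q[0] > self.window:  # evict attempts older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append((sta, ts))
            if self.block_station:
                self.blocked.add(sta)
            q.clear()
            return True
        return False

    def feed(self, lines):
        """Run the detector over log lines (must be in time order)."""
        for line in lines:
            parsed = parse_line(line)
            if parsed:
                self.observe(*parsed)
        return self.alerts


def constructed_log(start="2010-05-03T10:15:00"):
    """Constructed sample: one station bursts 12 requests in 3.3 s, one sends
    9 requests in 4 s (under threshold), one sends 10 requests over 45 s
    (outside the window). A deauth line shows non-matching input is ignored."""
    t0 = datetime.fromisoformat(start)
    bssid = "00:17:c5:aa:bb:cc"
    lines = []
    for i in range(12):
        t = (t0 + timedelta(milliseconds=300 * i)).isoformat()
        lines.append(f"{t} assoc-req sta=de:ad:be:ef:00:01 bssid={bssid}")
    for i in range(9):
        t = (t0 + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{t} assoc-req sta=00:11:22:33:44:55 bssid={bssid}")
    for i in range(10):
        t = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{t} assoc-req sta=00:11:22:33:44:66 bssid={bssid}")
    lines.append(f"{t0.isoformat()} deauth sta=00:11:22:33:44:55 reason=3")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def run_demo():
    """Run the default 10-in-5-seconds policy over the constructed log."""
    det = AssocFloodDetector()
    det.feed(constructed_log())
    return det


if __name__ == "__main__":
    result = run_demo()
    for sta, when in result.alerts:
        print(f"association flood from {sta} at {when.isoformat()}")
    print("blocked:", sorted(result.blocked))
```

Only the bursting station trips the detector, at its tenth request 2.7 seconds into the burst, and its remaining requests are dropped rather than counted. A per-station block is the right first response, but an attacker who randomises the source MAC on every request never accumulates ten attempts under one address, so pair it with a per-BSSID aggregate rate when you build your own detection.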
Configuring Wireless Guest Services Settings section on page 538 Configuring the URL Allow List section on page 541 Denying Access to Networks with the IP Deny List section on page 542 Configuring the Custom Login Screen section on page 543 Configuring External Authentication section on page 544
1. In the TreeControl pane, select a wireless SonicWALL appliance.
2. In the center pane, navigate to WGS > Settings. The Settings page displays.
3. To enable Wireless Guest Services on this device, select the Enable Wireless Guest Services check box.
4. Check the Bypass Guest Authentication checkbox to allow a SonicPoint running WGS to integrate into environments which are already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication.
Note
The Bypass Guest Authentication feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
5. Check the Bypass Filters for Guest Accounts check box to disable filtering for guest accounts.
6. Check the Dynamic Address Translation (DAT) checkbox to enable DAT. This option saves wireless clients the hassle of reconfiguring their IP address and network settings. If this option is disabled (unchecked), wireless guest users must either have DHCP enabled, or an IP addressing scheme compatible with the SonicPoint's network settings.
7. Check the Enable SMTP Redirect checkbox and enter the following information:
Server IP: Enter the SMTP server IP address to which guest SMTP traffic is redirected.
Port: Enter the SMTP server port. The default port is 25.
SMTP redirect is available at the group and global level, and for units running SonicOS Standard 3.8 and above.
8. Check the Custom Post Authentication Redirect page checkbox and enter a URL to redirect wireless guests to a custom page after successful login.
9. To limit the number of concurrent guests, enter the maximum number in the Maximum Concurrent Guests field.
10. To add a new guest, click Add New Wireless Guest. See Adding a Guest on page 540.
11. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Adding a Guest
You can add a new guest to Wireless Guest Services from the WGS > Settings page. To add a guest:
1. Select a wireless SonicWALL appliance and navigate to WGS > Settings.
2. Click Add New Wireless Guest. The Add New Wireless Guest dialog box displays.
3. In the Account Profile drop-down list, select the WGS account profile to use for this account. This field is only visible when one or more WGS profiles have been created in the current view. Views that provide the WGS Profiles screen include the global and group levels, and the unit level for appliances running SonicOS Standard 3.8 and above.
4. Select the Enable Account check box to enable the guest account.
5. Select the Auto-Prune Account check box to automatically remove the account when its lifetime expires.
6. Select the Enforce login uniqueness check box to prevent more than one guest from logging in with the account at the same time.
7. In the Account Name field, enter the username for the guest account.
8. In the Account Password field, enter the password for the guest account.
9. In the Confirm Password field, re-enter the password for the guest account.
10. In the Account Lifetime field, select the maximum lifetime of the guest account.
11. In the Session Timeout field, set the time limit for a guest login session.
12. In the Idle Timeout field, enter a number and select a time period that the guest can be idle at the computer before the session times out.
13. In the Comment field, add any comments.
14. Click Update.
Configuring the URL Allow List
The URL Allow List is not supported in SonicOS Enhanced.
1. Select a wireless SonicWALL appliance.
2. Expand the WGS tree and click URL Allow List. The URL Allow List page displays.
3. To enable the URL Allow List, select the Enable URL Allow List for Unauthenticated Users check box.
4. To add a URL to the URL Allow List, enter a URL in the Allowed URLs text field and click Add. Repeat this step for each URL that you would like to add. To delete a URL from the URL Allow List, check the box next to the URL to delete and click the trash can icon.
5. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Denying Access to Networks with the IP Deny List
The IP Deny List is not supported in SonicOS Enhanced.
1. Select a wireless SonicWALL appliance.
2. Expand the WGS tree and click IP Deny List. The IP Deny List page displays.
3. To enable the IP Deny List, select the Enable IP Address Deny List for Authenticated Users check box.
4. To add an entry to the IP Deny List, enter an IP address and subnet mask and click Add IP Deny Entry. Repeat this step for each network that you would like to deny. To delete an entry from the IP Deny List, check the box next to the entry to delete and click the trash can icon.
5. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring the Custom Login Screen
The Custom Login screen is not supported in SonicOS Enhanced.
1. Select a wireless SonicWALL appliance running SonicOS Standard.
2. Expand the WGS tree and click Custom Login. The Custom Login page displays.
3. To customize the login page, select the Customize Login Page check box.
4. To display the custom login page only when the connection is made through the Wireless LAN, select the Display Custom Login Page on WLAN Only check box.
5. The body of the login page contains the username and password fields that the user must fill in to authenticate with the SonicWALL appliance. To configure the header and footer text, select from the following:
To display custom header and footer URLs, enter the URLs in the Custom Header URL and Custom Footer URL fields.
To enter custom text for the header and footer, enter the text in the Custom Header Text and Custom Footer Text fields.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring External Authentication
External Authentication is not supported in SonicOS Enhanced.
1. Select a wireless SonicWALL appliance running SonicOS Standard.
2. Expand the WGS tree and click External Authentication. The External Authentication page displays.
3. Check the Enable External Guest Authentication check box to enable the external authentication feature and configure the tabs as follows:
1. Enter a Secure Communications Port and select a Client Redirect Protocol for client redirect. This port and protocol (HTTP or HTTPS) is used by the SonicWALL security appliance when performing the initial internal client redirect via the Please wait while you are being redirected page, prior to redirection to the LHM server.
2. Select the Web Server Protocol (HTTP or HTTPS) running on your LHM server from the drop-down list.
3. Enter the IP or resolvable FQDN of the LHM server in the Host field.
4. Enter the TCP port of operations for the selected protocol on the LHM server in the Port field.
5. Enter the duration of time, in seconds, before the LHM server is considered unavailable in the Connection Timeout field. On timeout the client will be presented with the Server Down message configured on the Web Content tab.
6. Select the Enable Message Authentication check box to use an HMAC digest and embedded query string in communication with the LHM server. This option is useful if you are concerned about message tampering when HTTP is used to communicate with the LHM server.
7. When using Message Authentication, select the Authentication Method from the drop-down menu. You can select MD5 or SHA1.
8. When using Message Authentication, enter a Shared Secret. The shared secret for the hashed MAC, if used, also needs to be configured in the LHM server scripts.
Auth Pages tab
These pages may each be a unique page on the LHM server, or they may all be the same page with a separate event handler for each status message.
1. Click the Auth Pages tab.
2. Enter a Login Page. This is the first page to which the client is redirected (e.g. lhm/accept/default.aspx).
3. Enter a Session Expiration Page. This is the page to which the client is redirected when the session expires (e.g. lhm/accept/default.aspx?cc=2). After a session expires, the user must create a new LHM session.
4. Enter an Idle Timeout Page. This is the page to which the client is redirected when the idle timer is exceeded (e.g. lhm/accept/default.aspx?cc=3). After the idle timer is exceeded, the user can log in again with the same credentials as long as there is time left in the session.
5. Enter a Max Session Page. This is the page to which the client is redirected when the maximum number of sessions has been reached (e.g. lhm/accept/default.aspx?cc=4).
Web Content tab
2. Select Use Default or select Customize and enter a Redirect Message in the text box. This is the message that will be presented to the client (usually for no more than one second) explaining that the session is being redirected to the LHM server. This interstitial page is used (rather than going directly to the LHM server) so that the SonicWALL security appliance can verify the availability of the LHM server.
3. Select Use Default or select Customize and enter a Server Down Message in the text box. This is the message that will be presented to the client if the Redirector determines that the LHM server is unavailable.
2. Check the Enable Auto-Session Logout check box and configure the two corresponding fields to set the time increment and the page to which the SonicWALL security appliance will POST when a session is logged out (either automatically or manually).
3. Check the Enable Server Status Check check box and configure the two corresponding fields to set the time increment and the page to which the SonicWALL will POST to determine the availability of components on or behind (e.g. a back-end database) the LHM server.
4. Check the Session Synchronization check box and configure the two corresponding fields to set the time increment and the page to which the SonicWALL will POST the entire Guest Services session table. This allows the LHM server to synchronize the state of Guest Users for the purposes of accounting, billing, or mere curiosity.
5. When you are finished configuring External Authentication, click the Update button to apply your changes.
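The Enable Message Authentication option only protects the redirect if the LHM scripts actually recompute and check the digest. The following added example (not from this guide or from SonicWALL's LHM scripts) shows an LHM-side verifier for an HMAC-protected query string using the MD5 or SHA1 method and the shared secret; the digest parameter name `hmac`, the sorted-field canonical form and the hex encoding are assumptions, since the guide does not describe the wire format, and the sample field values are constructed.

```python
import hashlib
import hmac
import string
from urllib.parse import parse_qsl, urlencode

# Digest choices offered by the External Authentication screen
# (Authentication Method: MD5 or SHA1), used as the HMAC hash function.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}

# Assumed name of the query-string parameter that carries the digest;
# the guide does not state the on-the-wire format.
MAC_PARAM = "hmac"


def _canonical(fields):
    """Assumed canonical form: fields sorted by name, URL-encoded.
    The appliance side and the LHM scripts must agree on this exactly,
    otherwise every digest check fails."""
    return urlencode(sorted(fields.items())).encode("ascii")


def sign_query(fields, secret, method="SHA1"):
    """Build the redirect query string the appliance side would send:
    the message fields plus an HMAC over their canonical form."""
    if MAC_PARAM in fields:
        raise ValueError("field name %r is reserved for the digest" % MAC_PARAM)
    mac = hmac.new(secret.encode("utf-8"), _canonical(fields), DIGESTS[method])
    return urlencode(sorted(fields.items())) + "&" + MAC_PARAM + "=" + mac.hexdigest()


def verify_query(query, secret, method="SHA1"):
    """LHM-side check for the Enable Message Authentication option.

    Returns (ok, fields). ok is False when the digest is missing, malformed
    or does not match; fields is empty in that case so that values which
    failed authentication never reach the page's event handlers."""
    fields = dict(parse_qsl(query, keep_blank_values=True))
    presented = fields.pop(MAC_PARAM, None)
    if not presented or set(presented) - set(string.hexdigits):
        return False, {}
    expected = hmac.new(secret.encode("utf-8"), _canonical(fields), DIGESTS[method])
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading bytes of a guessed digest were correct.
    if not hmac.compare_digest(expected.hexdigest(), presented.lower()):
        return False, {}
    return True, fields


if __name__ == "__main__":
    # Constructed sample values; the real shared secret is whatever was
    # entered in the Shared Secret field and copied into the LHM scripts.
    SECRET = "replace-with-the-configured-shared-secret"
    message = {"session": "7c1e", "client_ip": "192.0.2.10", "cc": "2"}

    redirect = sign_query(message, SECRET, "SHA1")
    print("appliance -> LHM:", redirect)
    print("LHM verdict:     ", verify_query(redirect, SECRET, "SHA1"))

    # A copy altered in transit (client address changed) must be rejected.
    tampered = redirect.replace("192.0.2.10", "192.0.2.99")
    print("tampered verdict:", verify_query(tampered, SECRET, "SHA1"))
```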
Adding a WGS Account Profile
1. Select a wireless SonicWALL appliance running SonicOS Standard.
2. Expand the WGS tree and click Profiles.
3. On the WGS Account Profiles page, click Add New WGS Profile. The Add Profile page displays.
4. In the WGS Account Profile Settings dialog box, type a descriptive name into the Profile Name field.
5. In the User Name Prefix field, type the user name that the guest will log in with. Do not include the domain.
6. Select Enable Account to activate the account for immediate use.
7. Select Auto-Prune Account if you want the account to be removed after its lifetime expires.
8. Select Enforce Login Uniqueness to prevent multiple logins at the same time for this account.
9. For Account Lifetime, enter a number in the first field and then select Days, Hours, or Minutes from the drop-down list. The account will expire after this time period.
10. For Session Lifetime, enter a number in the first field and then select Days, Hours, or Minutes from the drop-down list. The guest's login session will expire after this time period.
11. For Idle Timeout, enter a number in the first field and then select Days, Hours, or Minutes from the drop-down list. The guest will be logged out after being idle for this amount of time.
12. Optionally type a descriptive comment into the Comment field.
13. Click Update. Clicking Reset repopulates all fields with the default values.
Configuring the Modem Profile section on page 551
Configuring Modem Settings section on page 555
Configuring Advanced Modem Settings section on page 558
For information on configuring WWAN connection profiles, see Configuring the Connection Profile, page 560 in the Configuring Wireless WAN Options chapter.
Configuring the Modem Profile
A profile is a list of dialup connection settings that can be used by a SonicWALL SP or SonicWALL SPi appliance. To configure a profile, perform the following steps:
1.
2. Click the Policies tab.
3. In the center pane, navigate to Modem > Connection Profiles. The profile configuration page displays.
4. To create a new profile, enter the name of the profile in the Profile Name field under ISP User Settings. To edit an existing profile or use an existing profile as a template, select a profile from the Current Profile drop-down menu.
Note: If you are editing an existing profile, the name in the Current Profile field must match the existing profile name. If there are no existing profiles, the Current Profile will display the static message No profiles available.
5. Enter the primary ISP phone number in the Primary Phone number field.
6. Enter the backup ISP phone number in the Secondary Phone number field.
7. Enter the user name associated with the account in the User Name field.
8. Enter the password associated with the account in the User Password and Confirm User Password fields.
9. Enter a chat script (optional).
10. Address Automatically.
11. Select from the following DNS server options:
If the account obtains DNS server information from the ISP, select
If the account uses specific DNS servers, select Use the following
12. For SPi appliances, you can configure MSN/EAZ and bandwidth on demand. To configure MSN/EAZ, enter a phone number in the MSN/EAZ field. To enable bandwidth on demand, click the Bandwidth on Demand box.
13. Select one of the following:
If the SonicWALL appliance(s) will remain connected to the Internet until the broadband connection is restored, select Persistent Connection.
If the SonicWALL appliance(s) will only connect to the Internet when data is being sent, select Dial On Data.
If the SonicWALL appliance(s) will connect to the Internet manually, select Manual Dial.
14. To enable the modem to disconnect after a period of inactivity, check the Inactivity Disconnect box and specify how long (in minutes) the modem waits before disconnecting from the Internet in the Inactivity Timeout field.
15. speed from the Max connection speed drop-down menu. The default is Auto.
16. To specify the maximum connection time, check the Max Connection Time box and enter the maximum connection time (in minutes) in the Max Connection Time field. To configure the SonicWALL device to allow indefinite connections, enter 0.
17. To specify a time (in minutes) before the connection reconnects, enter the number of minutes in the Delay Before Reconnect field.
18. For SP appliances, disable call waiting by checking the Disable Call Waiting box and select the radio button next to the touch tone disabling code. To enter a custom touch tone disabling code, select the radio button next to Other and specify the code.
19. To allow the modem to attempt a connection multiple times, check the Dial Retries per Phone Number box and specify the number of retries.
20. To specify how long the modem waits between retries, check the Delay Between Retries box and specify the delay (in seconds).
21. To disable VPN when dialed, check the Disable VPN when dialed box.
22. For SP appliances, enable the network modem by checking the Enable
23. To specify the time periods when the modem can connect, check the Limit Times for Dialup Profile box and click Configure. The Edit Schedule String pop-up displays.
24. In the Edit Schedule String pop-up, check the box next to the day(s) you want to allow dial-up connections. Next to the day(s) you select, enter the start and end times between which dial-up connections will be allowed. Enter the hour and minute in 24-hour format.
25. Click Apply.
26. When you are finished, click Add Profile. The profile is added. To clear all
Configuring Modem Settings
For information on configuring WWAN settings, see Configuring Advanced Settings, page 565 in the Configuring Wireless WAN Options chapter.
To configure the modem settings for one or more SonicWALL SP or SonicWALL SPi appliances, perform the following steps:
1. In the left pane, select the SonicWALL appliance to manage.
2. Click the Policies tab.
3. In the center pane, navigate to Modem > Settings.
4. For SP appliances, select the Speaker volume drop-down box to configure the speaker volume On or Off.
5. For SP appliances, modem initialization has two options:
To initialize the modem for use in a specific country, select the radio button next to Initialize Modem for use in and select the country in the drop-down menu.
next to Initialize Modem using AT Command and enter the AT command(s) the modem needs to establish a connection in the text box.
6. For SPi appliances, you can specify the ISDN protocol by selecting the protocol from the ISDN Protocol drop-down menu.
7. To connect immediately, click the Connect/Disconnect button and schedule the connection.
8. For appliances running SonicOS Enhanced, select the check boxes for any combination of the following dial on data categories:
NTP packets
GMS Heartbeats
System log emails
AV Profile Updates
SNMP Traps
Licensed Updates
Firmware Update requests
Syslog traffic
9. For appliances running SonicOS Enhanced, select the check boxes for any combination of the following Management methods:
HTTP
HTTPS
Ping
SNMP
SSH
10. For appliances running SonicOS Enhanced, select the check boxes for any combination of the following User Login methods:
HTTP
HTTPS
For HTTPS, check the box next to Add rule to enable redirect from
11. Select a primary profile from the Primary Profile drop-down menu. Optionally, select alternate profiles from Alternate Profile 1 and, for SP appliances, Alternate Profile 2.
12. For non-SonicOS Enhanced appliances, you can configure the following
Failover box.
To enable preempt mode, check the Enable Preempt Mode box.
To enable probing, check the Enable Probing box.
Select a method for probing using the Probe through drop-down menu.
Enter the IP address that the SonicWALL appliance will use to test Internet connectivity in the Probe Target (IP Address) field. We recommend using the IP address of the WAN Gateway.
Select the Probe Type, either ICMP Probing or TCP Probing.
Enter the TCP port for probing in the TCP Port for Probing field.
Specify how often the IP address will be tested (in seconds) in the
Specify how many times the probe target must be unavailable before the SonicWALL appliance fails over to the modem in the Failover Trigger Level field.
reach the probe target to reactivate the broadband connection in the Successful probes to reactivate Primary field.
13. When you are finished, click Update.
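The WAN failover probe settings above (Failover Trigger Level, Successful probes to reactivate Primary, Enable Preempt Mode, TCP Probing) define a small state machine, and how the counters interact decides whether a flapping link causes a failover. The added example below is not the guide's or SonicWALL's code: it simulates that state machine in Python over a constructed probe history; the guide does not define Preempt Mode here, so the example assumes it means the appliance returns to the broadband link on its own once enough probes succeed, and the `tcp_probe` helper is an assumed illustration of TCP Probing.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class FailoverPolicy:
    """Values taken from the WAN failover fields on the Modem > Settings page."""
    failover_trigger_level: int   # consecutive failed probes before failing over
    probes_to_reactivate: int     # "Successful probes to reactivate Primary"
    preempt_mode: bool = True     # Enable Preempt Mode (meaning assumed, see lead-in)


@dataclass
class FailoverMonitor:
    """Decides which link carries traffic from a stream of probe results.

    active is "primary" (the broadband WAN) or "modem". Only consecutive
    outcomes are counted, so one good probe in the middle of an outage
    resets the failure count and postpones failover; that is what a
    trigger level of N consecutive failures implies."""
    policy: FailoverPolicy
    active: str = "primary"
    failures: int = 0
    successes: int = 0
    events: list = field(default_factory=list)

    def record_probe(self, reachable):
        if reachable:
            self.successes += 1
            self.failures = 0
        else:
            self.failures += 1
            self.successes = 0

        if self.active == "primary" and self.failures >= self.policy.failover_trigger_level:
            self.active = "modem"
            self.events.append("failover to modem")
            self.failures = 0
        elif (self.active == "modem" and self.policy.preempt_mode
              and self.successes >= self.policy.probes_to_reactivate):
            # Without preempt mode the appliance stays on the modem until an
            # operator intervenes, even though the probe target is back.
            self.active = "primary"
            self.events.append("primary reactivated")
            self.successes = 0
        return self.active


def tcp_probe(host, port, timeout=2.0):
    """TCP Probing as on the settings page: a completed handshake to the
    probe target on the configured port counts as reachable. ICMP probing
    needs raw sockets and is not shown here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(policy, results):
    """Feed a constructed sequence of probe outcomes through the monitor and
    return the active link after each one together with the transition log."""
    monitor = FailoverMonitor(policy)
    return [monitor.record_probe(r) for r in results], monitor.events


if __name__ == "__main__":
    # Constructed probe history: a brief blip, then a real outage, then recovery.
    history = [True, False, False, True, False, False, False, True, True]
    policy = FailoverPolicy(failover_trigger_level=3, probes_to_reactivate=2)
    links, events = run_probes(policy, history)
    for reachable, link in zip(history, links):
        print("probe reachable=%-5s -> traffic on %s" % (reachable, link))
    print(events)
```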
Configuring Advanced Modem Settings
1. In the left pane, select the SonicWALL appliance to manage.
2. Click the Policies tab.
3. In the center pane, navigate to Modem > Advanced.
4. To enable remotely triggered dial-out, check the Enable Remotely Triggered Dial-out box.
5. If your remotely triggered dial-out requires authentication, check the Requires Authentication box and enter your password in the Password and Confirm Password fields.
6. To enable RIP advertisements through the modem, check the Enable LAN to WAN RIP during dialup box.
7. When you are finished, click Update.
Note: For information on configuring WWAN settings, see Configuring Advanced Settings, page 565 in the Configuring Wireless WAN Options chapter.
About Wireless WAN section on page 559
Configuring the Connection Profile section on page 560
Configuring WWAN Settings section on page 564
Configuring Advanced Settings section on page 565
About Wireless WAN
WAN Failover to a connection that is not dependent on wire or cable.
Temporary networks where a pre-configured connection may not be available, such as trade-shows and kiosks.
Mobile networks, where the SonicWALL appliance is based in a vehicle.
Primary WAN connection where wire-based connections are not available and cellular is.
Wireless WAN support requires a wireless card and a contract with a wireless network provider. See the SonicWALL documentation that comes with the security appliance for more information. GMS provides for complete management of SonicWALL security appliances that are WWAN/3G-capable, and running SonicOS Enhanced 3.6 and above.
Configuring the Connection Profile
1. In the TreeControl pane, select a group view or a SonicWALL appliance to manage. The appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2. Click the Policies tab.
3. In the center pane, navigate to 3G/Modem > Connection Profiles. The profile configuration page displays. For a group view, the page is slightly different to accommodate both Modem and WWAN settings.
4. Perform the following procedures to configure the Connection Configuration, General Settings, IP Address Settings, Parameters, and Data Usage Limiting sections in the 3G/Modem > Connection Profiles screen. See the following procedures:
To Configure the Connection Configuration and General settings: on page 561
To Configure the IP Address Settings: on page 562
To Configure Parameters: on page 562
To Configure Data Usage Limiting: on page 563
5. Click Delete Profile to delete the profile specified in the Profile Name field.
6. Click RESET to clear all fields and start over.
7. Click UPDATE to save the settings to the specified connection profile.
To Configure the Connection Configuration and General settings:
1. To edit an existing profile or use an existing profile as a template, select a profile from the Current Profile drop-down menu.
Note: If you are editing an existing profile, the name in the Current Profile field must match the existing profile name. If there are no existing profiles, the Current Profile will display the static message No profiles available.
2. To create a new profile, enter the name of the profile in the Profile Name field.
3. In the Country drop-down list, select the country where the SonicWALL TZ 190 appliance is deployed.
4. In the Service Provider drop-down list, select the service provider that you have a cellular account with. Note that only service providers supported in the country you selected are displayed in the drop-down list.
5. In the Plan Type window, select the WWAN plan you have subscribed to with the service provider, or select Other. If your specific plan type is listed in the drop-down menu, the rest of the fields in the General section are automatically provisioned. Verify that these fields are correct and continue in the Parameters section.
6. Verify that the appropriate Connection Type is selected. Note that this field is automatically provisioned for most service providers.
7. Verify that the Dialed Number is correct. Note that the dialed number is *99# for most service providers.
8. Enter your username and password in the User Name, User Password, and Confirm User Password fields, respectively.
9. Enter the Access Point Name in the APN field. APNs are required only by GPRS devices and will be provided by the service provider.
To Configure the IP Address Settings:
Address Automatically. By default, WWAN connection profiles are configured to obtain IP addresses automatically.
and type the IP address in the field.
Obtain an IP Address Automatically. By default, WWAN connection profiles are configured to obtain DNS server addresses automatically.
If the account uses specific DNS servers, select Use the following IP Address and type the IP addresses of the primary and secondary DNS servers in the fields.
To Configure Parameters:
1.
data is being sent, select Dial On Data. To configure the SonicWALL appliance for remotely triggered dial-out, the Dial Type must be Dial on Data. See Configuring Advanced Settings on page 565.
select Manual Dial.
2. Select the Enable Inactivity Disconnect check box and enter the number of minutes of inactivity during which the WWAN connection stays alive before disconnecting from the Internet. Note that this option is not available if the Dial Type is Persistent Connection.
3. Select the Enable Max Connection Time check box and enter the number of minutes after which the WWAN connection disconnects, regardless of whether the session is inactive or not.
4. Enter a value in the Delay Before Reconnect field to have the SonicWALL appliance automatically reconnect after the specified number of minutes.
5. Select the Dial Retries per Phone Number check box and enter a number in the field to specify the number of times the SonicWALL appliance can attempt to reconnect.
6. Select the Delay Between Retries check box and enter a number in the field to specify the number of seconds between retry attempts.
7. Select the Disable VPN when Dialed check box to disable VPN connections over the WWAN interface.
To Configure Data Usage Limiting:
1. Select the Enable Data Usage Limiting check box to have the WWAN interface become automatically disabled when the specified data or time limit has been reached for the month.
Tip: If your WWAN account has a monthly data or time limit, it is strongly recommended that you enable Data Usage Limiting.
2. Select the day of the month to start tracking the monthly data or time usage in the Billing Cycle Start Date drop-down menu.
3. Enter a value in the Limit field and select the appropriate limiting factor: either GB, MB, KB, or Minutes.
Configuring WWAN Settings
1. In the left pane, select the SonicWALL appliance to manage. The appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2. Click the Policies tab.
3. In the center pane, navigate to 3G/Modem > Settings.
4. In the Connect On Data Categories section, select the check boxes for any combination of the following dial on data categories:
NTP packets
GMS Heartbeats
System log emails
AV Profile Updates
SNMP Traps
Licensed Updates
Firmware Update requests
Syslog traffic
The Connect on Data Categories settings allow you to configure the WWAN interface to automatically connect to the WWAN service provider when the SonicWALL appliance detects specific types of traffic. To configure the SonicWALL appliance for Connect on Data operation, you must select Dial on Data as the Dial Type for the Connection Profile. See To Configure Parameters: on page 562.
5. In the Management/User Login section, select the check boxes for any combination of the following Management methods:
HTTP
HTTPS
Ping
SNMP
SSH
6. Select the check boxes for any combination of the following User Login methods:
HTTP
HTTPS
Select Add rule to enable redirect from HTTP to HTTPS to have the SonicWALL automatically convert HTTP requests to HTTPS requests for added security.
7. Under Profile Settings, select a primary profile from the Primary Profile drop-down menu. Optionally, select alternate profiles from Alternate Profile 1 and Alternate Profile 2.
Note: To set up WWAN Interface Monitoring for this unit, go to the Network > WAN Failover & LB screen.
8. To return all fields to their default settings and start over, click RESET.
9. To save settings, click UPDATE.
Configuring Advanced Settings
Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites:
The WWAN profile is configured for dial-on-data.
The SonicWALL Security Appliance is configured to be managed using HTTPS, so that the device can be accessed remotely.
It is recommended that you enter a value in the Enable Max Connection Time field. This field is located in the 3G/Modem > Connection Profiles screen in the Parameters section. See To Configure Parameters: on page 562 for more information. If you do not enter a value in this field, dial-out calls will remain connected indefinitely, and you will have to manually terminate sessions by clicking the Disconnect button.
1. In the left pane, select the SonicWALL appliance to manage. The appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2. Click the Policies tab.
3. In the center pane, navigate to 3G/Modem > Advanced.
4. To enable remotely triggered dial-out, check the Enable Remotely Triggered Dial-out box.
5. If your remotely triggered dial-out requires authentication, check the Requires Authentication box and enter your password in the Password and Confirm Password fields.
6. Under WWAN Connection Limit, type the number of simultaneous connections that are allowed, or enter zero for no limit, in the Max Hosts field.
7. To return all fields to their default settings and start over, click RESET.
8. When you are finished, click UPDATE.
Configuring Inheritance Filters section on page 569
Applying Inheritance Settings section on page 570
Configuring Inheritance Filters
To create a new filter, the user enters a name for this filter in the Name field. The user then checks boxes next to the screens, or screen groups, they wish to inherit. This screen automatically selects or deselects dependent data screens, based upon the related screens chosen by the user.
The user must then select the appropriate Access for each user type: Administrators, Operators, End Users, and Guest users. These selections are made using the corresponding drop-down menus. Once the user has made the desired screen and access selections, they must click the Add button to finish creating the new inheritance filter. This new filter will now be available in the Filter drop-down menu on the UTM > System > Tools screen.
Applying Inheritance Settings
Step 1 To inherit some or all of an appliance's settings, go to the UTM > System > Tools screen within the GMS 6.0 Management Interface.
Step 2 In the left pane, the user clicks on the appliance whose settings they wish to inherit.
Step 3 Under the screen section heading, Inherit Settings at Unit, the user selects either forward or reverse inheritance by clicking on the respective radio button.
Step 4 From the Filter drop-down menu, the user selects the inheritance filter to apply. If a desired filter is not listed and must be created, see Configuring Inheritance Filters, page 569.
Step 5 Once the desired inheritance filter is selected, the user clicks the Preview button. A Preview panel opens to allow the user to review the settings to be inherited. Users may continue with all of the default screens selected for inheritance, or select only specific screens for inheritance by checking boxes next to the desired settings.
Note: The Preview panel footer states, "All referring objects should also be selected as part of the settings picked, to avoid any dependency errors while inheriting." If the user deselects dependent screen data, the settings will not inherit properly.
Step 6 If the user is attempting forward inheritance, they may click Update to proceed. If the user is attempting to reverse inherit settings, an additional selection must be made at the bottom of the Preview panel. The user must select either to update the chosen settings to only the target parent node, or to update the target parent node along with all unit nodes under it. Once the user makes this selection, they may click Update to proceed, or Reset to edit previous selections.
Step 7 If the user selects to update the target parent node and all unit nodes, a Modify Task Description and Schedule panel opens in place of the Preview panel. (This panel will not appear if the user selects Update only target parent node.) If the Modify Task Description and Schedule panel opens, the user can edit the task description in the Description field. They may also adjust the schedule for inheritance, or continue with the default scheduling. If the user chooses to edit the timing by clicking on the arrow next to Schedule, a calendar expands allowing the user to click on a radio button for Immediate execution, or to select an alternate day and time for inheritance to occur. Once the user has completed any edits, they select either Accept or Cancel to execute or cancel the scheduled inheritance, respectively.
Once the inheritance operation begins, a progress bar appears, along with text stating the operation may take a few minutes, depending on the volume of data to be inherited, as shown below:
Once the inheritance operation is complete, the desired settings from the unit or group node should now be updated and reflected in the parent node's settings, as well as in the settings of all other units, if selected.
Configuring Web Filter Settings section on page 575
Configuring Web Filter Policies section on page 578
Configuring Custom Categories section on page 582
Configuring Miscellaneous Web Filters section on page 584
Configuring the Custom Block Page section on page 586
Configuring Web Filter Settings
1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
SonicWALL GMS 6.0 Administrators Guide
3.
4. To enable web filtering using SonicWALL CSM, check the Enable Web Filtering box.
5. Enter a URL cache size in the URL Cache Size (KBs) field. This specifies the URL cache size on the SonicWALL CSM. The default value is 5120 KBs.
Note: A larger URL cache size can provide noticeable improvements in Internet browsing response times.
6.
Check the Use Dynamic Rating box to enable the use of the CSM integrated dynamic rating engine, which allows an unrated URL to be dynamically rated in real time. Select either Optimize for speed, which instructs the dynamic rating engine to process less information for faster ratings and lower accuracy, or Optimize for accuracy, which instructs the dynamic rating engine to process more information, resulting in slower ratings and higher accuracy.
Check the Server Responses box to block URLs from Web sites that
Enter the session limit in minutes in the Session Limit (Minutes) for Continue option field.
7. To specify an IP address or IP address range on your network to be excluded from any SonicWALL CSM filtering, enter a single IP address in both the IP Address Begin and IP Address End fields (for a single IP address), or enter the starting IP address in the IP Address Begin field and the ending IP address in the IP Address End field (for an IP address range).
8. Click Add. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
12. When you are finished, click Update. The scheduler displays.
13. Expand Schedule by clicking the plus icon.
14. Select Immediate or specify a future date and time.
15. Click Accept.
16. If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click the here link in the sentence "If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here." The CFS URL Rating Review Request page displays.
577
Configuring Web Filter Policies

The Web Filters > Policies page displays a category sets table. The Policies table initially lists the 12 default predefined policy groups. Clicking the plus button expands the list to display every policy under the policy group. Policies marked with an asterisk are part of the *Default policy group. The Policies table lists the following information about the *Default and custom policy groups:

Name - The name of the policy group. Clicking the plus button expands the policy group and displays the policies included in the group.
Type - The type of policy, for example Policy, Default Category, Forbidden Keywords, Forbidden URLs or Trusted URLs.
Action - The action performed when a URL or keyword that fits the category is accessed: Block, Log, or Allow.
Comment - A caption icon with comments about the policy. When you move the pointer over the icon, the comment text is displayed. The comment text is entered in the Add Category Set window.
Configure - The Configure icon, which displays the Edit Web Filter Category Set window, and the Delete icon for removing the policy group. The Delete icon is greyed out for the *Default policy.

Clicking the Restore Defaults button removes all custom policies and any policies you added to the *Default policy group. Clicking Add Category Set displays the Add Web Filter Category Set window for adding new policy groups. This section contains the following subsections:
Modifying the *Default Policy Group on page 579
Adding Category Sets on page 580
Restoring Defaults on page 581
Modifying the *Default Policy Group

1. Click the Configure icon under Configure in the Policies table next to the category set you want to configure. The Edit Web Filter Category Set window displays.
2. The Name field displays the *Default entry, which can be renamed.
3. Enter descriptive text of up to 63 characters in the Comment field.
4. Click the Predefined tab.
5. Select the policy categories you want to add to the *Default policy group by checking the box next to each category. To remove a policy, uncheck the box next to it.
6. Click OK. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
Adding Category Sets

1. Click Add Category Set. The Add Web Filter Category Set window displays.
2. Enter a name in the Name field and a comment in the Comment field.
3. Click the Predefined tab and check the predefined categories you want to add to your category set. For each category, select the action to be performed: Block, Log, or Allow.
4. Click the Custom tab and check the custom categories you want to add to your category set. For each category, select the action to be performed: Block, Log, or Allow.

Note
To learn how to add custom categories, refer to Configuring Custom Categories on page 582.

5. Click the Miscellaneous tab and select the miscellaneous actions to add to the category set. For each one, select the action to be performed: Block, Log, or Allow.
6. When you are finished, click OK. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.
Restoring Defaults

The Restore Defaults button removes all custom policies and any policies you added to the *Default policy group. To restore defaults, perform the following tasks:

1. Click the Restore Defaults button at the bottom of the screen. A confirmation message displays.
2. Click OK.
Configuring Custom Categories

1. In the left pane, select the appliance to manage.
2. Click the Policies tab.
3. Navigate to Web Filters > Custom Categories.
4. To configure Forbidden URLs, which the CSM selectively blocks or allows while logging the action, click Add Forbidden URLs. The Add Forbidden URLs page displays.
5. Enter a name in the Name field.
6. Enter a comment in the Comment field.
7. Enter the URL in the Entry field and click Add. Your entry will appear in the List. To delete an entry, click Delete.
8. Click Update. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
12. To edit Forbidden URLs, click the Configure icon next to the forbidden URL
14. To add Forbidden Keywords, click Add Forbidden Keywords. The Add Forbidden Keywords page displays.
15. Enter a name in the Name field.
16. Enter a comment in the Comment field.
17. Enter the keyword in the Entry field and click Add. Your entry will appear in the List.
18. Click Update. The scheduler displays.
19. Expand Schedule by clicking the plus icon.
20. Select Immediate or specify a future date and time.
21. Click Accept.
22. To edit Forbidden Keywords, click the Configure icon next to the forbidden
24. To add Allowed URLs, click Add Allowed URLs. The Add Allowed URLs page displays.
25. Enter a name in the Name field.
26. Enter a comment in the Comment field.
27. Enter the URL in the Entry field and click Add. Your entry will appear in the List.
28. Click Update. The scheduler displays.
29. Expand Schedule by clicking the plus icon.
30. Select Immediate or specify a future date and time.
31. Click Accept.
32. To edit Allowed URLs, click the Configure icon next to the allowed URL
want to delete.
Configuring Miscellaneous Web Filters

1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Web Filters > Miscellaneous.
4. The following Web risks are always activated as Block and cannot be deleted or modified:

Block Cookies - Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities.
Block ActiveX - ActiveX is a Microsoft component technology that lets a Web page load native-code controls into the browser. A malicious ActiveX control runs with the user's privileges and can delete files or otherwise compromise the system.
Block HTTP Proxy Servers - When an HTTP proxy server is reachable on the external interface, users can circumvent content filtering by pointing their browsers at the proxy, because the CSM then sees only the connection to the proxy rather than the filtered destination.
Block Fraudulent Certificates - Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs vouched for by fraudulent certificates: if a digital certificate is proven fraudulent, the SonicWALL CSM blocks the Web content and files that use it.

5. To add forbidden file types, click Add Forbidden File Types. Forbidden File Types are groupings of file extensions used for similar purposes, including Java Applets, Executable Files, Video Files, Audio Files, and user-specified file types by extension. SonicWALL CSM allows you to filter Internet content based on file extension.
6. Enter a name in the Name field.
7. Enter a comment in the Comment field.
8. Enter the file type in the Entry field and click Add. Your entry will appear in the List. To delete an entry, click Delete.
9. Click Update. The scheduler displays.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept.
13. To edit Forbidden File Types, click the Configure icon next to the forbidden
18. Enter a URL in the Entry field and click Add. Your entry will appear in the List.
19. Click Update. The scheduler displays.
20. Expand Schedule by clicking the plus icon.
21. Select Immediate or specify a future date and time.
22. Click Accept.
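The Settings, Policies, Custom Categories and Miscellaneous pages above together define what the CSM evaluates for each request: an exclusion list of client addresses, and a category set whose trusted (allowed) URLs, forbidden URLs, forbidden keywords, forbidden file types and predefined categories each carry a Block, Log or Allow action. The following Python model is an added illustration of that evaluation, not SonicWALL code and not taken from the guide. The guide does not state the order in which the CSM consults these lists, so the order below (exclusion list, then trusted URLs, then forbidden URLs, keywords and file types, then the category rating) is an assumption, as are the sample configuration, the stand-in rating table and every helper name.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

BLOCK, LOG, ALLOW = "Block", "Log", "Allow"


@dataclass
class CategorySet:
    """A web filter category set: lists of entries, each with a Block/Log/Allow action."""
    name: str
    exclusions: list = field(default_factory=list)          # (IP Address Begin, IP Address End) pairs
    trusted_urls: list = field(default_factory=list)        # Allowed (Trusted) URLs: always Allow
    forbidden_urls: dict = field(default_factory=dict)      # URL entry -> action
    forbidden_keywords: dict = field(default_factory=dict)  # keyword -> action
    forbidden_file_types: dict = field(default_factory=dict)  # ".exe" -> action
    categories: dict = field(default_factory=dict)          # rating category -> action
    default_action: str = ALLOW                             # URLs with no matching entry or rating


def in_exclusion_list(client_ip, ranges):
    """True if client_ip falls inside any Begin..End range (inclusive)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(b) <= ip <= ipaddress.ip_address(e) for b, e in ranges)


def _split(url):
    """Return (host, path); entries typed without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    parts = urlparse(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def url_matches(entry, url):
    """A URL entry matches its host and any subdomain, with the entry path as a prefix."""
    e_host, e_path = _split(entry)
    host, path = _split(url)
    host_ok = host == e_host or host.endswith("." + e_host)
    return host_ok and path.startswith(e_path.rstrip("/") or "/")


def file_extension(url):
    """Lower-cased extension of the last path segment, e.g. '.exe', or '' if none."""
    name = _split(url)[1].rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def evaluate(cs, client_ip, url, rate):
    """Return (action, reason) for one request; rate(url) stands in for the rating database.
    The check order here is an assumption, not documented CSM behaviour."""
    if in_exclusion_list(client_ip, cs.exclusions):
        return ALLOW, "exclusion list"
    for entry in cs.trusted_urls:
        if url_matches(entry, url):
            return ALLOW, f"trusted URL {entry}"
    for entry, action in cs.forbidden_urls.items():
        if url_matches(entry, url):
            return action, f"forbidden URL {entry}"
    lowered = url.lower()
    for keyword, action in cs.forbidden_keywords.items():
        if keyword.lower() in lowered:
            return action, f"forbidden keyword {keyword}"
    ext = file_extension(url)
    if ext in cs.forbidden_file_types:
        return cs.forbidden_file_types[ext], f"forbidden file type {ext}"
    category = rate(url)
    if category in cs.categories:
        return cs.categories[category], f"category {category}"
    return cs.default_action, "unrated"


# Constructed sample configuration and rating table for the demonstration (not from the guide).
SAMPLE = CategorySet(
    name="Corporate",
    exclusions=[("10.0.5.10", "10.0.5.20")],
    trusted_urls=["support.sonicwall.com"],
    forbidden_urls={"badsite.example": BLOCK},
    forbidden_keywords={"casino": LOG},
    forbidden_file_types={".exe": BLOCK, ".msi": BLOCK},
    categories={"Gambling": BLOCK, "Social Networking": LOG},
)
SAMPLE_RATINGS = {"www.example-gambling.test": "Gambling", "social.example": "Social Networking"}


def sample_rate(url):
    """Stand-in for the URL rating database / dynamic rating engine."""
    return SAMPLE_RATINGS.get(_split(url)[0], "Unrated")


def decide(client_ip, url):
    return evaluate(SAMPLE, client_ip, url, sample_rate)


if __name__ == "__main__":
    for ip, url in [("10.0.5.15", "http://badsite.example/"),        # excluded client
                    ("10.0.6.1", "http://badsite.example/"),         # forbidden URL
                    ("10.0.6.1", "http://support.sonicwall.com/tool.exe"),  # trusted beats file type
                    ("10.0.6.1", "http://news.example/casino-raid"),  # keyword hit is only logged
                    ("10.0.6.1", "http://plain.example/")]:           # unrated: default action
        action, reason = decide(ip, url)
        print(f"{ip:10} {url:42} -> {action:5} ({reason})")
```

The ordering choice is the part worth checking against a real appliance: if trusted URLs did not take precedence, the `tool.exe` download from the trusted host would be blocked by the file-type rule, so test one such URL after configuring a category set rather than assuming either behaviour.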
Configuring the Custom Block Page

1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Web Filters > Custom Block Page.
4. Under Message to Display when Blocking Website, type the custom text to be displayed when a blocked site is accessed.
5. Select the background color from the Background Color drop-down menu.
6. Click Preview to see a preview of the custom block page.
7. When you are finished, click Update. The scheduler displays.
8. Expand Schedule by clicking the plus icon.
9. Select Immediate or specify a future date and time.
10. Click Accept.
To configure application filtering on a SonicWALL CSM appliance, perform the following tasks:

1. In the left pane, select the CSM appliance to manage.
2. Click the Policies tab.
3. To update the filter database, click Update Filter Database. The scheduler displays.
4. Expand Schedule by clicking the plus icon.
5. Select Immediate or specify a future date and time.
6. Click Accept.
7. To enable application filtering, check the Enable Application Filtering box.
8. Click Update. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
12. To enable the application filters exclusion list, which excludes an IP address or IP address range from application filtering, check Enable Application Filters Exclusion List.
13. Click Update. The scheduler displays.
14. Expand Schedule by clicking the plus icon.
15. Select Immediate or specify a future date and time.
16. Click Accept.
17. Enter the address range for the application filters exclusion list by entering a beginning IP address in the Address Range Begin field and an ending IP address in the Address Range End field.
18. Click Add. The scheduler displays.
19. Expand Schedule by clicking the plus icon.
20. Select Immediate or specify a future date and time.
21. Click Accept.
This section contains the following subsections:
Registering SonicWALL Appliances section on page 591
Upgrading Firmware section on page 592
Upgrading Licenses section on page 594
Searching section on page 594
Creating License Sharing Groups section on page 597
Viewing Used Activation Codes section on page 600

Registering SonicWALL Appliances

To register a SonicWALL appliance from GMS, perform the following tasks:

1. In the left pane, select the SonicWALL appliance.
2. Click the Policies tab.
3. Click Register. The scheduler displays.
4. Expand Schedule by clicking the plus icon.
5. Select Immediate or specify a future date and time.
6. Click Accept.

Note
When a unit is added to GMS, it is automatically registered by GMS once it has been acquired successfully.

Upgrading Firmware

SonicWALL firmware is updated periodically to offer new functionality and address known issues. After a SonicWALL appliance is added to SonicWALL GMS management, its auto-update feature is disabled.
SonicWALL GMS periodically polls the mysonicwall.com site for new firmware versions. Once a new version of firmware is detected and available, SonicWALL GMS sends an email notification to the SonicWALL GMS administrator. You then log in to your mysonicwall.com account at <https://www.mysonicwall.com>, download the firmware, save the firmware file to the GMS server, and apply it to the SonicWALL security appliance from GMS. To upgrade to the latest firmware, perform the following steps:

Note
For changes on this page to take effect, the SonicWALL appliance(s) will automatically be restarted. We recommend scheduling the firmware update to run when network activity is low.

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Firmware Upgrade.
4. Choose the source of the firmware file:
   To upgrade from the firmware file that is stored in the local GMS server folder, click Upgrade Firmware using files on the GMS Server.
   To upgrade from a firmware file on the local drive of your desktop system, enter the path to the file or click Browse to locate the file. Then click Upgrade firmware from local file.

Caution
Upgrading firmware requires that the appliance be restarted. Selecting any of the three firmware upgrade methods displays a warning message that states "This will involve restarting the Appliance(s)."
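Because the firmware file is downloaded by hand, copied to the GMS server, and then pushed to appliances that restart as part of the upgrade, it is worth confirming that the file on the server is the one you downloaded and has not been truncated or altered in transit before scheduling the upgrade. The following Python check is an added example and not part of GMS or of the guide; it assumes you recorded the image's SHA-256 at download time (for example on the workstation that fetched it from mysonicwall.com) and uses a constructed byte string as a stand-in for a real firmware image.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large firmware image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_firmware(path, expected_sha256):
    """True only if the file exists, is non-empty, and its SHA-256 equals the expected digest."""
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return False
    actual = sha256_of_file(path)
    # Normalize a pasted digest (case, surrounding whitespace) and compare in constant time.
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def write_and_verify(data, expected_sha256):
    """Write data to a temporary file and verify it; used by the demonstration below."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "firmware.bin")
        with open(path, "wb") as f:
            f.write(data)
        return verify_firmware(path, expected_sha256)


def demo():
    """Constructed stand-in image (not a real firmware file); returns (intact, tampered) results."""
    image = b"SONICWALL-FIRMWARE-STANDIN\n" * 64
    expected = hashlib.sha256(image).hexdigest()          # digest recorded at download time
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])     # a single flipped bit
    return write_and_verify(image, expected), write_and_verify(tampered, expected)


if __name__ == "__main__":
    intact, corrupted = demo()
    print(f"intact image verifies: {intact}; tampered image verifies: {corrupted}")
```

On the GMS server, call `verify_firmware` with the path of the saved file and the recorded digest; only if it returns True should the file be selected under Upgrade Firmware using files on the GMS Server.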
Upgrading Licenses
For information on upgrading SonicWALL GMS subscription services (warranty support, anti-virus, content filtering, etc.) see SonicWALL Upgrades on page 1049.
Searching

The search feature allows you to search for appliances by registration, subscription, or upgrade status. You can print the search results or save them to a PDF file with a single click of the printer icon or PDF icon on the Search Results banner. The search parameters are pre-populated to retrieve the subscription services that are currently active on the appliance(s); that search is executed automatically and the results are sorted by Expiry Date. To search for appliances by registration status, perform the following tasks:

1. In the left pane, select a node or appliance to search.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Search.
4. From the first pull-down menu, select Registration Status.
5. From the second pull-down menu, select Registered or Not Registered.
6. Click Search. A table of search results displays.
7. Click a header in the table to sort by that variable. For example, to sort by appliance name, click the Appliance Name header.

To search by subscription service, perform steps 1 through 3 above, and then:

1. From the first pull-down menu, select a subscription service.
2. From the second pull-down menu, select a subscription service status.
3. Optionally, enter a date (mm/dd/yyyy) in the expiring on or before field.
4. Click Search. A table of search results displays.
5. Click a header in the table to sort by that variable. For example, to sort by appliance name, click the Appliance Name header.

To search by upgrade status, perform steps 1 through 3 above, and then:

1. From the first pull-down menu, select an upgrade.
2. From the second pull-down menu, select an upgrade status.
3. Click Search. A table of search results displays.
4. Click a header in the table to sort by that variable. For example, to sort by appliance name, click the Appliance Name header.

Tip
You can print the search results by clicking the printer icon in the Search Results banner. You can also save the search results to a PDF file by clicking the PDF icon in the banner.
Creating License Sharing Groups

This section contains the following subsections:
Creating a License Sharing Group on page 597
Adding a SonicWALL Appliance to an Existing Group on page 599

Creating a License Sharing Group

1. In the left pane, select a SonicWALL appliance that has no GVC licenses.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > License Sharing. The License Sharing page displays.
4. Select VPN Client Enterprise or Anti-Virus from the List of Services list box.
5. Click Join a License Sharing Group. The Join a License Sharing Group dialog box displays.
6. Select Create a new License Sharing Group With and, from the drop-down menu, select the appliance that has the Enterprise GVC license.
7. Enter a name for the group in the And Name it field.
8. A pop-up with the member license count displays. Click OK. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
Adding a SonicWALL Appliance to an Existing Group

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > License Sharing. The License Sharing page displays.
4. Select VPN Client Enterprise or Anti-Virus from the List of Services drop-down menu.
5. Click Join a License Sharing Group. The Join a License Sharing Group dialog box displays.
6. Select Join Existing License Sharing Group and select an LSG from the list box.
7. Click Accept. A pop-up with the member license count displays.
8. Click OK. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
To change the license count of an appliance in an LSG, or to remove the appliance from the group: in the center pane, navigate to Register/Upgrades > License Sharing. The License Sharing page displays. Select VPN Client Enterprise or Anti-Virus from the List of Services drop-down menu. Enter a new license value and click Change License Count to. To remove this SonicWALL appliance from the LSG, select Remove from License Sharing Group.

To view the properties of an LSG: in the center pane, navigate to Register/Upgrades > License Sharing. The License Sharing page displays. Select VPN Client Enterprise or Anti-Virus from the List of Services drop-down menu. Click the name of the LSG to view. The License Sharing Group Properties dialog box displays, with detailed information about the total number of licenses, the expiration date of the license, the number of licenses used by each member of the group, and other information. To change the name of the LSG, enter a new name and click Accept.
Viewing Used Activation Codes

1. In the left pane, select a node, group or appliance.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Used Activation Codes. The Used Activation Codes page displays a list of used activation codes.
4. From the Select sort order drop-down menu, select Activation Code to sort by activation code, or Service Name, Activation Code to sort first by service name and then by activation code.
Supported SSL-VPN appliances and minimum firmware versions: SonicWALL SSL VPN 2001.5.0.3 or later; SonicWALL Aventail EX-Series SSL VPN 9.0.0 or later.

To configure a SonicWALL SSL-VPN for SonicWALL GMS management, perform the following tasks:
Preparing SSL VPN Appliances for GMS Management section on page 603
Adding SSL-VPN Appliances in GMS section on page 606
Managing SSL-VPN Appliance Settings section on page 608
Preparing SSL VPN Appliances for GMS Management

To prepare a SonicWALL SSL-VPN appliance for GMS management, perform the following tasks:

1. Log in to your SonicWALL SSL-VPN.
2. Navigate to System > Administration.
3. In GMS settings, select the Enable GMS Management check box.
4. Type the host name or IP address of the GMS server in the GMS Host Name or IP Address field.
5. Type the GMS syslog server port in the Syslog Server Port field. The default port is 514.
6. Enter the heartbeat interval, in seconds, in the Heartbeat Interval (seconds) field. The maximum heartbeat interval is 86400 (24 hours).
7. Click Apply.
SonicWALL Aventail EX-Series SSL VPN appliances must be licensed before you can enable GMS management in the Aventail Management Console (AMC). When enabling GMS on a SonicWALL Aventail appliance, select Enable single sign-on for AMC configuration if you want direct access to the AMC from the SonicWALL GMS right-click menu. If this check box is cleared, you can still open the AMC from the right-click menu, but you must enter your appliance login credentials.

The SonicWALL Aventail EX-Series SSL VPN appliance allows HTTPS access only on its LAN port(s), not on its WAN port(s). When SonicWALL GMS is deployed outside the Aventail LAN subnet(s), management traffic must therefore be routed from GMS to a gateway that allows access into the LAN network, and from there to the Aventail LAN port.

To prepare a SonicWALL Aventail EX-Series SSL VPN appliance for GMS management:

1. Log in to your SonicWALL Aventail EX-Series SSL VPN.
2. Click General Settings in the main Aventail Management Console (AMC) navigation menu.
3. Click Edit in the Centralized management area.
4. Select the Enable GMS management check box, and then enter the host name or IP address of the GMS console and its port number.
5. In the Heartbeat interval text box, set the interval (in seconds) at which the appliance indicates its readiness to send a report on authentication-related events, in addition to status information. An interval of 60 seconds is typical.
6. Select Enable single sign-on for AMC configuration if you want to be able to open the Aventail Management Console and make changes to its configuration from within GMS. If this setting is cleared, you can still open AMC, but you must first enter your AMC login credentials; this is less convenient, but more secure, because with single sign-on enabled anyone who can use the GMS right-click menu for the appliance gains configuration access to the AMC without a separate login.
7. Select Send only heartbeat status messages if you want to only manage the appliance and not create reports for it.

For more information about preparing SonicWALL Aventail appliances for GMS management, see the SonicWALL GMS Aventail EX-Series Appliance Management feature module and the SonicWALL / Aventail EX-Series 9.0.0 Installation and Administration Guide on the SonicWALL Support Web site: http://www.sonicwall.com/us/Support.html
Adding SSL-VPN Appliances in GMS

To add an SSL-VPN appliance to GMS, perform the following tasks:

1. Log in to GMS.
2. Click the SSL-VPNs tab.
3. In the left-most pane, right-click and select Add Unit. The Add Unit popup displays.
4. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.
5. Enter the serial number of the SonicWALL appliance in the Serial Number field. On SonicWALL Aventail appliances, the serial number is found on a sticker on the back of the appliance. Enter it without hyphens.
6. For the Managed Address, choose whether to Determine automatically or Specify manually. Most SMB SSL VPN deployments can determine the address automatically. For Aventail deployments, choose Specify manually and check the Aventail SSL-VPN appliance option.
7. Enter the administrator login name for the SonicWALL appliance in the Login Name field. For SonicWALL Aventail SSL VPN appliances, the login name is pre-configured as GMS and cannot be changed.
8. Enter the password used to access the SonicWALL appliance in the Password field.
9. The radio button next to Using HTTPS is automatically selected for SSL-VPN deployments.
10. For SonicWALL Aventail SSL VPN appliances, enter 8443 in the HTTPS Port field. Other SonicWALL SSL VPN appliances use port 443.
11. Click OK. It may take up to a minute for the data to load; a Please Wait pop-up displays.

The SonicWALL SSL-VPN displays in the left pane of the SonicWALL GMS interface as a yellow icon, which means the unit has not yet been acquired by SonicWALL GMS. After the appliance has been acquired, the icon turns either red, indicating that the appliance status is down, or blue, indicating that the appliance status is up. For detailed appliance icon descriptions, see Understanding SonicWALL GMS Icons on page 25. It may take up to five minutes for SonicWALL GMS to establish an HTTPS connection and acquire the SonicWALL appliance for management.
Managing SSL-VPN Appliance Settings

This section contains the following subsections:
Modifying an SSL-VPN Appliance on page 608
Deleting an SSL-VPN Appliance on page 609

Modifying an SSL-VPN Appliance

In the left pane, right-click the SSL-VPN appliance you want to modify and select one of the options. The options allow you to:

Rename the unit.
Change the appliance settings, including the unit display name and the appliance login name and password.
Add the appliance to Net Monitor for real-time monitoring.
Import XML settings.
Select HTTP or HTTPS management to directly access the appliance. Single sign-on must be enabled on a SonicWALL Aventail appliance to allow direct access to the Aventail Management Console from the SonicWALL GMS right-click menu; otherwise you are prompted to enter your Aventail appliance login credentials.
Modify Properties - Modify the properties of the appliance, including company, country and department names.

Deleting an SSL-VPN Appliance

In the left pane, right-click the SSL-VPN appliance you want to delete and select Delete. An alert appears to verify the appliance deletion. Click Yes.
This section contains the following subsections:
SSL-VPN Status section on page 612
SSL-VPN Tools section on page 614
SSL-VPN Info section on page 616

SSL-VPN Status

The General > Status section provides the current status of the SSL-VPN appliance and allows for an instant update of appliance information using the Fetch Information button.

The General > Status section provides the following appliance information:

Table 11 General > Status Information

SSL-VPN Model - The SSL-VPN model number.
Serial - The SSL-VPN serial number.
Firmware Version - The SSL-VPN firmware version information.
CPU - The SSL-VPN CPU information.
Number of LAN IPs allowed - The number of LAN IPs allowed by the SSL-VPN.
SSL-VPN Status - The current status of the SSL-VPN appliance, either Up, Down or Unacquired.

The remaining rows of the table report the date and time the SSL-VPN appliance was added to GMS; the management mode used to access the SSL-VPN, either HTTP or HTTPS, with the IP address and port of the SSL-VPN; the IP address of the primary agent; the number of tasks pending for the SSL-VPN; and the up time since the last reboot in days, hours, minutes and seconds.

To fetch the latest appliance information, perform the following tasks:

1. Click Fetch Information. The scheduler displays.
2. Select the Immediate radio button. Alternatively, you can select the At button and specify a date and time for SonicWALL GMS to perform the update.
3. Click Accept. It may take several seconds for GMS to fetch the appliance information. The latest status is displayed under General > Status.
SSL-VPN Tools

The General > Tools section provides the following options: Restart Appliance, Synchronize Now, and Synchronize the Appliance with mysonicwall.com.

Note
The Restart Appliance option is not available for SonicWALL Aventail SSL VPN appliances.

Restarting SSL-VPN

To restart the SSL-VPN appliance, perform the following tasks:

1. Click Restart Appliance.
2. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the restart.

Synchronize Now

If a change is made to a SonicWALL appliance through any means other than SonicWALL GMS, GMS is notified of the change through the syslog data stream. After the syslog notification is received, SonicWALL GMS schedules a task to synchronize its database with the local change. Auto-synchronization occurs whenever SonicWALL GMS receives a local change notification status syslog message from a SonicWALL appliance. Because this depends on the syslog message reaching the GMS server, a change made while syslog delivery is interrupted is not reflected in GMS until the next notification or a forced synchronization. You can force synchronization at any time for a SonicWALL appliance or a group of SonicWALL appliances. To synchronize the SSL-VPN appliance, perform the following tasks:

1. Click Synchronize Now. A confirmation pop-up displays.
2. Click OK.
3. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the update.

Synchronizing with mysonicwall.com

1. Click the Synchronize the Appliance with mysonicwall.com button. A confirmation pop-up displays.
2. Click OK. The update scheduler displays.
3. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the update.

It may take several seconds for the SSL-VPN to synchronize with mysonicwall.com.
SSL-VPN Info

The General > Info section provides the ability to update the contact information for the SSL-VPN appliance.

1. Navigate to General > Info.
2. Enter the appropriate information for each field.
3. Click Update to update the information, or Reset to clear the form and start over.
This section contains the following subsections:
Registering SonicWALL SSL-VPN Appliances on page 617
Upgrading SonicWALL SSL-VPN Firmware on page 619
Logging in to SSL-VPN using SonicWALL GMS on page 620

Registering SonicWALL SSL-VPN Appliances

Registering SonicWALL Aventail SSL VPN appliances from GMS is not supported.

To register a SonicWALL SSL-VPN appliance, perform the following tasks:

1. In the left pane, right-click the SSL-VPN you want to register and then select Login to Unit to open its management interface.
2. In the SSL-VPN management interface, the System > Status page is displayed. Record your Serial Number and Authentication Code from the Licenses and Registration box.
3. In the GMS management interface, navigate to the Policies panel. In the center pane, select Register/Upgrades > Register SSL-VPNs.
4. In the right pane, click the Register button. The update scheduler displays.
5. Select the Immediate radio button. Alternatively, you can select the At button and specify a date and time for SonicWALL GMS to perform the update.
6. Click Accept.
7. You receive a confirmation in the right pane when the registration succeeds.

Note
If you receive an error message, navigate to the Console tab, then to Log > View Log. A detailed error message is displayed.
Upgrading SonicWALL SSL-VPN Firmware

Upgrading SonicWALL Aventail SSL VPN appliances from GMS is not supported.

To upgrade the firmware of a SonicWALL SSL-VPN appliance using GMS, perform the following tasks:

1. In the center pane, navigate to Register/Upgrades > Firmware Upgrade. The current SSL-VPN appliance firmware is displayed under Current Status.
2. To upgrade the SSL-VPN appliance firmware using a file on the GMS server, click Upgrade firmware using files on the GMS Server.
3. To upgrade the SSL-VPN appliance firmware using a local file, enter the path and file name of the firmware file in the field next to Upgrade firmware from local file, or click Browse to locate the firmware file. Then click Upgrade firmware from local file.
4. A message displays indicating that an appliance restart is necessary to complete the firmware upgrade. Click OK to continue.
5. The license agreement message displays. Read the message and click OK to agree and download the firmware, or click Cancel to disagree and cancel the firmware upgrade.
Logging in to SSL-VPN using SonicWALL GMS

1. Log in to SonicWALL GMS.
2. Click the SSL-VPNs tab.
3. In the left pane, click the SSL-VPN that you want to manage. If you see a security certificate warning, click Yes to continue. The warning means your browser does not trust the certificate the appliance presents (typically a self-signed or internally issued one); confirm that it is the certificate you expect for that appliance before continuing rather than accepting it by habit. The SSL-VPN management interface opens in a new browser window. This may take several seconds.

You can now manage the SonicWALL SSL-VPN directly from the management interface. For detailed instructions about configuration tasks using the SonicWALL SSL-VPN management interface, refer to the SonicWALL SSL-VPN Administrators Guide, available at http://www.sonicwall.com/us/Support.html.
This section contains the following subsections:
Adding a CDP/ES Appliance to GMS section on page 624
Managing CDP/ES General Settings section on page 626
Registering CDP/ES Appliances section on page 632
Configuring Alerts section on page 634
Templates section on page 637
Accessing the CDP/ES Management Interface section on page 640
Using Multi-Solution Management section on page 640

Adding a CDP/ES Appliance to GMS

This section contains the following subsections:
Preparing the Appliance on page 624
Adding the Appliance to GMS on page 625
Registering CDP/ES Appliances on page 632

Preparing the Appliance

To prepare a SonicWALL CDP or Email Security appliance for GMS management, perform the following tasks:

1. Log in to your SonicWALL CDP or Email Security appliance.
2. Navigate to System > Administration.
3. In GMS settings, select the Enable GMS Management check box.
4. Type the host name or IP address of the GMS server in the GMS Host Name or IP Address field.
5. Type the GMS syslog server port in the Syslog Server Port field. The default port is 514.
6. Enter the heartbeat interval, in seconds, in the Heartbeat Interval (seconds) field. The maximum heartbeat interval is 86400 (24 hours).
7. Click Submit.
Adding the Appliance to GMS

1. Log in to GMS.
2. Click the CDP appliance tab to add a CDP appliance to GMS, or click the ES appliance tab to add an Email Security appliance to GMS.
3. In the left-most pane, right-click and select Add Unit. The Add Unit popup displays.
4. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.
5. Enter the appliance administrator login name in the Login Name field.
6. Enter the appliance administrator password in the Password field.
7. Enter the appliance serial number in the Serial Number field. The serial number can be found in the appliance management interface under General > Status.
8. The management mode defaults to Using HTTPS.
9. Click OK. It may take up to a minute for the data to load.

The SonicWALL appliance is displayed in the left pane of the SonicWALL GMS interface as a yellow icon, which means the unit has not yet been acquired by SonicWALL GMS. After the appliance has been acquired, the icon turns either red, indicating that the appliance status is down, or blue, indicating that the appliance status is up. For detailed appliance icon descriptions, see Understanding SonicWALL GMS Icons on page 25. It may take up to five minutes for SonicWALL GMS to establish an HTTPS connection and acquire the SonicWALL appliance for management. Your CDP/ES is now ready for management using SonicWALL GMS.
Viewing and Managing CDP/ES Status section on page 627 CDP/ES Appliance Tools for Synchronization section on page 630 Registering CDP/ES Appliances section on page 632 Modifying a CDP/ES Appliance section on page 633
626
Global CDP/ES Status section on page 627 Individual CDP/ES Appliance Status section on page 628
For CDP appliances, there is an option to Fetch Information at both global and appliance levels. When in global view, this feature acquires information for all available CDP appliances, however, the results are only displayed when an individual appliance is selected.
627
Note
For CDP appliances, click the Fetch Information button for an updated view. This feature is also available on a global level.
Unit added to SonicWALL GMS on: The date and time the CDP/ES appliance was added to GMS
Management mode: The management mode used to access the CDP/ES, either HTTP or HTTPS; includes the IP address and port of the CDP/ES
Primary Agent: The IP address of the primary agent (server, laptop, or PC intended to be backed up on the SonicWALL CDP/ES appliance)
Secondary Agent: The IP address of the secondary agent used in case of failure
Tasks Pending: The number of tasks pending for the CDP/ES
Scheduled Task: The scheduled task to be executed
Up Time: The up time since the last reboot in days, hours, minutes, and seconds
Synchronize Now section on page 630 Synchronizing with mySonicWALL.com section on page 630
Synchronize Now
If a change is made to a SonicWALL appliance through any means other than through SonicWALL GMS, GMS is notified of the change through the syslog data stream. After the syslog notification is received, SonicWALL GMS schedules a task to synchronize its database with the local change. Auto-synchronization automatically occurs whenever SonicWALL GMS receives a local change notification status syslog message from a SonicWALL appliance. You can also force synchronization at any time for a SonicWALL appliance or a group of SonicWALL appliances. To synchronize the appliance, perform the following tasks:
1. In the General > Tools screen, click Synchronize Now. A confirmation pop-up displays.
2. Click OK.
3. Use the scheduler to update immediately, or select a date in the future.
4. Click the Accept button.
Synchronizing with mySonicWALL.com
To synchronize the appliance with mySonicWALL.com:
1. On the General > Tools page, click the Synchronize the Appliance with mySonicWALL.com button. A confirmation pop-up displays.
2. Click OK.
3. Use the scheduler to update immediately, or select a date in the future.
4. Click Accept.
It may take several seconds for the SonicWALL appliance to synchronize with mySonicWALL.com.
Registration Tasks on GMS section on page 632 Registration Tasks on the CDP/ES Appliance section on page 633 Modifying a CDP/ES Appliance section on page 633 Deleting a CDP/ES Appliance section on page 634
When a unit is added to GMS and acquired successfully, GMS registers it automatically. However, CDP or ES appliances cannot be used until you complete the registration tasks on the local CDP/ES appliance.
You can also register appliances manually in GMS. To register a CDP/ES appliance:
1. In the left pane of the CDP or ES panel, select the appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Register CDPs / Register ESAs.
Note
When registering a CDP appliance, you will need to specify the offsite backup location, either Europe or North America.
4. Click Accept. It may take several seconds for GMS to contact SonicWALL to register the CDP/ES appliance.
Modifying a CDP/ES Appliance
To modify a CDP/ES appliance:
1. Click the CDP or ES tab.
2. In the left pane, right-click the CDP/ES appliance you want to modify and select one of the following options:
Rename the unit.
Change the appliance settings, including the unit display name, and the appliance login name and password.
Delete the unit.
Add the appliance to Net Monitor for real-time monitoring.
Import XML settings.
Modify the description of the appliance, including company, country and department names.
Deleting a CDP/ES Appliance
To delete a CDP/ES appliance:
1. Click the CDP or ES tab.
2. In the left pane, right-click the CDP/ES appliance you want to delete and select Delete. An alert displays asking you to confirm the deletion.
3. Click Yes.
Note
To access the GMS Policies panel for CDP management, click the CDP icon at the top of the screen, then select the Policies tab. To access the GMS Policies panel for Email Security management, click the ES icon at the top of the screen, then select the Policies tab. The following sections describe the CDP and ES management options available on the Policies panel.
Configuring Alerts
The Events > Alerts screen allows you to add, edit, or delete a Unit Status alert for managed CDP/ES appliances. See the following sections:
Adding Alerts on page 635 Enabling/Disabling Alerts on page 635 Deleting Alerts on page 636 Editing Alerts on page 636 Current Alerts on page 637
Adding Alerts
To add or edit an alert:
1. Select a CDP or ES appliance in the left pane, click the Policies tab, and click Events > Alert Settings.
2. Click the Add Alert link. The alert screen displays. Enter the name and description, and click Update.
Enabling/Disabling Alerts
To enable or disable an alert:
1. Select the Enabled checkbox of the alert you wish to enable or disable.
2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable or disable the alert.
Deleting Alerts
To delete an alert:
1. In the Events > Alert Settings screen, select the checkbox of the alert you wish to delete.
2. Click the Delete Alert link. A confirmation window displays.
3. Click OK to delete.
Note
You can also delete an alert by clicking the Delete icon under the Configure section of the alert you wish to delete.
Editing Alerts
To edit an alert, open it from the Events > Alert Settings screen. The Edit Alert page displays. When you finish making edits to this alert, click Update.
Current Alerts
To check the status of current alerts for your CDP or Email Security appliance:
1. Click the appliance you wish to check the alerts for.
2. From the Policies tab, navigate to the Events > Current Alerts page. All active alerts for this appliance are listed under Alert Listing.
Templates
A Template is simply a collection of Recordings from one or more appliances of the same type. A Template belongs to a user of a particular domain, and remains visible only in that domain. That is, Templates from one domain are not visible in another domain. A user only has access to his or her own Templates (editing, deleting, or moving Templates). It is recommended that a Template contains Recordings with data that does not conflict with the data in another Recording, as this may cause the deletion of data previously applied, unless intended. For example, a Template should not contain a Recording of setting a time zone to IST, followed by a Recording of setting a time zone to PST, unless it is intentional by the user.
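The overwrite the paragraph warns about (a Recording that sets the time zone to IST followed by one that sets it to PST) can be caught before a Template is applied by replaying its Recordings in order. The following checker is an added example and not SonicWALL or GMS code; the Recording and Template structures, the setting names, and the sample Template are assumptions constructed for the example.

```python
"""Detect conflicting Recordings inside a Template before it is applied.

A Template is modelled as an ordered list of Recordings; each Recording is an
ordered list of (setting, value) changes. A conflict is a setting that a later
Recording writes with a different value than an earlier Recording already
applied, so the earlier value would be silently lost.
Added example; data structures and setting names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Recording:
    name: str
    changes: List[Tuple[str, str]]  # ordered (setting, value) pairs


@dataclass
class Template:
    name: str
    recordings: List[Recording] = field(default_factory=list)


@dataclass
class Conflict:
    setting: str
    first_recording: str
    first_value: str
    later_recording: str
    later_value: str


def find_conflicts(template: Template) -> List[Conflict]:
    """Replay the Recordings in order and report every cross-Recording overwrite.

    A setting changed twice inside the same Recording is not a conflict (that is
    how it was recorded), and a later Recording writing the same value loses nothing.
    """
    applied: Dict[str, Tuple[str, str]] = {}  # setting -> (recording name, value)
    conflicts: List[Conflict] = []
    for rec in template.recordings:
        for setting, value in rec.changes:
            if setting in applied:
                prev_rec, prev_val = applied[setting]
                if prev_rec != rec.name and prev_val != value:
                    conflicts.append(Conflict(setting, prev_rec, prev_val, rec.name, value))
            applied[setting] = (rec.name, value)
    return conflicts


def effective_settings(template: Template) -> Dict[str, str]:
    """The state the appliance ends up in after the whole Template is applied (last write wins)."""
    result: Dict[str, str] = {}
    for rec in template.recordings:
        for setting, value in rec.changes:
            result[setting] = value
    return result


# Constructed sample Template (not from the guide): the IST-then-PST case.
SAMPLE = Template("branch-baseline", [
    Recording("set-tz-ist", [("system.timezone", "IST"), ("junkbox.retain_days", "60")]),
    Recording("set-junkbox", [("junkbox.rows_per_page", "400")]),
    Recording("set-tz-pst", [("system.timezone", "PST")]),
])

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE):
        print(f"{c.setting}: {c.first_recording}={c.first_value} "
              f"is overwritten by {c.later_recording}={c.later_value}")
    print("effective:", effective_settings(SAMPLE))
```

Run the checker on a Template before scheduling it; a non-empty result means an earlier Recording's data will be replaced, which is exactly the case the guide says should only happen when intended.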
Add Recording on page 637 Edit Recording on page 638 Add/Edit Template on page 638 Move Recording on page 639 Delete Template(s)/Recording(s) on page 639 Applying a Template or a Recording on page 640
Add Recording
This is used to save a freshly created recording. This screen appears when the Recording is stopped. This new recording can be directly added to one of the existing Templates or to the default Template.
Edit Recording
This is used to edit an existing recording.
Add/Edit Template
This is used to create a new Template or to edit an existing Template.
Move Recording
This dialog screen is used to move one or more recordings from one Template to another.
Delete Template(s)/Recording(s)
This is used to confirm the deletion of Template(s) and recording(s).
Applying a Template or a Recording
1. Click the Unit/Group Node in the Tree Control that you wish to apply a Template or a Recording to. Based on the node selected, the Templates screen lists only those Templates/Recordings that can be applied to the currently selected node.
2. Select the checkbox next to the Template you wish to apply.
3. Specify a Schedule for the Template/Recording to be applied. Once applied, a task is created. To view the newly created task, click the Console tab and navigate to Tasks > Scheduled Tasks. To verify that the task executed successfully, navigate to Log > View Log. You can also return to the User Interface screen of the appliance that you applied the Template to and verify that the changes took effect.
the future. The Multi-Solution Management feature in GMS provides the capability to support management of all these appliance types through their web user interface over HTTP and HTTPS. Another advantage to the Multi-Solution Management enhancement is that GMS Core Management functionalities, like creating tasks to post policies, scheduling tasks at the Unit Node and Group Node levels, and many more will also be configurable through the enhancement. The Multi-Solution Management feature provides the next generation management capability in GMS. The Multi-Solution Management includes the following sections:
Logging into the CDP/ES Management Interface on page 641 Configuring Multi-Solution Management on page 642 Recording on page 644 Configuring Heartbeat using Email Security CLI on page 648
Logging into the CDP/ES Management Interface
1. Log in to SonicWALL GMS.
2. Click the CDP or ES panel.
3. In the left pane, click the CDP or ES appliance that you want to manage. You may see a security certificate warning. Before clicking Yes to continue, confirm that the certificate presented is the one installed on that appliance, for example by comparing its fingerprint with the certificate shown in the appliance's own management interface, rather than accepting an unknown certificate.
4. To open the CDP/ES management interface, click Management > User Interface. You will be directed to the User Interface of this appliance. To return to the Policies tab, click the Status Page button.
Note
You can now manage the SonicWALL CDP/ES directly from the management interface. For detailed instructions about configuration tasks using the SonicWALL CDP management interface, refer to the SonicWALL CDP Administrators Guide. For detailed instructions about configuration tasks using the SonicWALL Email Security management interface, refer to the SonicWALL Email Security Administrators Guide.
Note
If you choose HTTPS, the server uses the same SSL keystore or certificate that is used by the Tomcat web server.
The Management Screen Group page is one of the latest supported screens for this new feature.
From this screen, you can navigate to the Template screen or the User Interface screen. Note that the User Interface screen is only available at the Unit Node level. The Templates screen displays all the applicable Templates for the selected Unit/Group Node on the Tree Control.
GMS core management processes, which also apply to CDP/ES appliances:
Adding a Unit into GMS
The Unit Acquire process
Unit Status monitoring through Heartbeat syslogs
Task creation and scheduling
Execution of Task(s) by the Scheduler service
All other core management processes
Recording
The Recording option provides an easier way to apply configurations for one appliance to another similar appliance. You have the option of saving the Recording into the Default Template or into a new Template. The data recorded between one Start Recording and Stop Recording action is called a Recording.
Note
A Recording can only be applied to a compatible appliance. For example, a Recording for a CDP 5.0 appliance can be applied to other CDP appliances, but a Recording for an Email Security appliance cannot be applied to a CDP appliance.
To successfully create and save a Recording, follow the procedures listed below:
Step 1
Click the User Interface screen of the Unit Node (appliance) on which you want to make the changes and record them.
Step 2
Navigate to the screen in which you wish to make changes. In this example, we wish to modify General Settings on the Default Message Management screen.
Step 3
Next, start the recording by clicking on the Start Recording button on the Recording Controls Panel. Once you see the Recording in progress notification at the top, you can start modifying the settings. In this example, the Number of days to store in Junk Box before deleting changes to 60 days, and the Number of Junk Box messages to display per page changes to 400 rows.
Step 4
When finished making changes, click the Apply Changes button. A screen will appear notifying you that the changes were successfully applied.
Step 5
More changes can be recorded similarly. Once you have finished making the necessary changes, stop the Recording by clicking the Stop Recording button on the Recording Controls Panel. A dialog box will display asking if you wish to save the Recording. Click OK.
Step 6
Next, the Add Recording dialog box will display. Type in Name and a brief Description of the Recording that will be useful in identifying the Recording at a later time. Indicate if this Recording should be saved into the Default Template or into a New Template. Click Update when you are finished.
Step 7
The Templates screen will display, notifying you that the changes to the Recording were successfully saved.
Configuring Heartbeat using Email Security CLI
To configure the Email Security appliance to send heartbeat messages to GMS:
1. Log in to the SNWLCLI as admin.
2. Enter the command gms. The current GMS heartbeat settings for the appliance are displayed.
3. Set the appliance heartbeat interval. In this example, the heartbeat interval is 60 seconds.
4. Enter the destination IP address of your GMS server. In this example, the destination IP address is 10.195.11.38.
Note
It is not mandatory to send heartbeat messages to a GMS management server, but it does provide GMS with more data during Multi-Solution Management.
Part 3 Reporting
GMS Reporting Overview section on page 651
Navigating GMS Reporting section on page 655
Showing Domain Names in Reports section on page 666
Managing GMS Reports on the Console Panel and Policies Panel section on page 667
For information about archiving report data using the Move Data to Archive (MDTA) feature, see the Management section on page 1000 in the Managing Reports in the Console Panel chapter.
SonicWALL Internet security appliances. With GMS Reporting, you can monitor network access, enhance security, and anticipate future bandwidth needs. You can search saved reports by using the report search bar, available in most report screens in the GMS UI. The search bar provides pre-populated quick settings for the search field, and a drop-down calendar for the start and end dates. The search operator field offers a comprehensive list of search operators that varies depending on the search field, which can be either text-based or numeric. You can search all columns of report data except columns that contain computed values, such as %, Cost, or Browse Time. GMS waits until you click Search before it begins building the new report. The GMS Reporting Module:
Displays bandwidth use by IP address and service
Identifies inappropriate Web use
Provides detailed reports of attacks
Collects and aggregates system and network errors
Shows VPN events and problems
Tracks Web usage by users and by Web sites visited
Provides detailed daily firewall logs to analyze specific events
Note
The GMS Reporting Module receives its information from the stream of syslog data sent by each SonicWALL appliance and stores it in the SonicWALL GMS database or as files on the hard-disk. GMS Reporting can be enabled or disabled. Once disabled, the Reports tab disappears from the SonicWALL GMS User Interface (UI) and the syslog data is no longer stored.
A list of views and individual units referred to as the TreeControl: In the left pane, you can select a top level view, a group view, or a unit to display reports that apply to the selected view or unit. GlobalView is the default top level selection. A list of reports: The middle pane provides a list of available reports that changes according to your selection in the TreeControl pane. The reports are divided into categories. You can click on the plus sign next to a category to view the list of reports in that category. You can click on an individual report name to view that report.
The report: The right pane displays the report that you selected in the middle pane for the view or unit that you selected in the TreeControl. For most reports, the search bar is provided at the top of the pane. Above the search bar a link to the Scheduler is provided. You can change the time for the report to run by clicking the Schedule link or its clock icon in the upper right. A quick access link to your systems printer is also available in the upper right corner. To print the report, click the Print link or icon. To access the display settings for the report, click More Options to the right of the search bar.
The SonicWALL GMS reporting feature provides the following configurable reports:
Table 12 Configurable Reports
Dashboard: Provides a high-level activity summary.
Status: Provides up-time and down-time status reports.
Custom Report*: Provides Internet Activity and Website Filtering reports with details from raw data. *Custom Reports are only available at the unit level.
Bandwidth: Provides bandwidth usage reports.
Services*: Provides events and usage by service protocol. *Services reporting is only available at the unit level.
Web Usage: Provides Web usage reports.
Web Filter: Provides web filter event reports.
FTP Usage: Provides FTP usage reports.
Mail Usage: Provides mail usage reports.
VPN Usage: Provides VPN usage reports.
Attacks: Provides attack event reports.
Virus Attacks: Provides virus attack event reports.
Anti-Spyware: Provides spyware event reports.
Intrusion Prevention: Provides intrusion event reports.
Application Firewall: Provides Application Firewall reports.
Authentication: Provides login reports.
Global and Group Views on page 656 Unit View on page 657 Using Interactive Reports on page 658 Searching for a Report on page 659 Collapsible TreeControl Pane on page 664 Enabling/Disabling Scheduled Reports on page 664 Combined Reports on page 664 Improved Navigation on page 665
Global and Group Views
As you navigate the SonicWALL GMS reports screens with the GlobalView or Group view selected and view different reports, the settings that you specify remain in effect throughout the session.
Unit View
From the Unit view of the Reports panel, reports contain detailed data for the selected SonicWALL appliance. To open the Unit view, click the Reports tab. Then, click a SonicWALL appliance in the left pane of the SonicWALL GMS interface. The report page for the SonicWALL appliance displays.
As you navigate the Reports panel with a single SonicWALL appliance selected and change settings, those settings will remain in effect throughout the session.
The search bar contains a number of helpful components that allow you to specify search parameters and locate a report with ease. The components of the search bar include:
A column drop-down list: The searchable column drop-down list contains all the searchable columns of a report. It is context-based, containing different options in different reports. The column drop-down list defines the criteria for the search and filter functions.
An operator drop-down list: There are two types of operator sets. If the content of the selected column is character-based, a character-based list is displayed. If the column contains numerical data, a list with mathematical symbols is displayed.
A search text field: You can input a search string into this field.
Start date and end date calendar fields: You can also search for reports by date. Clicking the Start field displays a drop-down calendar where you can select day, month, and year by using the side arrows to navigate. You may also navigate through dates by clicking the arrows located beside the start date and end date fields.
A detailed drop-down menu: Expanded by clicking More Options; it contains the display options for the report.
The collapsed and expanded Search Bar views are shown below:
The search bar feature consists of a column drop-down list, an operator drop-down list, a search text field, and a detailed pull-down menu. Search/Filter functions can be performed by utilizing various components reporting at unit and group level. The drop-down list contains all the searchable columns of a report. It is context-based, meaning that it contains different options in different reports. The column drop-down list defines criteria for search and filter functions to work on.
There are two different operator sets. If the content of the selected column is character-based, the character based operators will show:
A character-based list contains Equals, Start with, End with, and Contains operators. If the content of the selected column contains numerical data, a list with mathematical symbols plus the between operator selection will display:
A generated report is shown below with user name (Users) starting with (Start With) 10.50.20 (the value of the search text field).
A generated report is shown below in which the Hit count (Hits column) is greater than (>) 100 (the value of the search field).
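The two operator sets, and the rule that computed columns are not searchable, are easy to get subtly wrong when reproducing a report filter outside the UI (in a script that post-processes exported data, say). The block below implements them over constructed rows from a Web Usage > By User report, including the two searches pictured above (Users Start with 10.50.20, Hits > 100). It is an added example and not GMS code; the column names, the column-type table, the row data and the inclusive semantics of between are assumptions.

```python
"""Search/filter with the character-based and numeric operator sets.

Text columns: Equals, Start with, End with, Contains.
Numeric columns: =, <, >, <=, >= and between (inclusive, term = (low, high)).
Computed columns (%, Cost, Browse Time) are refused, as in the GMS search bar.
Added example; column names, types and rows are constructed assumptions.
"""
from typing import Any, Callable, Dict, List

Row = Dict[str, Any]

# Column types for a constructed Web Usage > By User report (assumption).
COLUMN_TYPES: Dict[str, str] = {
    "Users": "text",
    "Sites": "text",
    "Hits": "numeric",
    "Browse Time": "computed",  # computed values are not searchable
}

TEXT_OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda cell, term: cell == term,
    "Start with": lambda cell, term: cell.startswith(term),
    "End with": lambda cell, term: cell.endswith(term),
    "Contains": lambda cell, term: term in cell,
}

NUMERIC_OPERATORS: Dict[str, Callable[[float, Any], bool]] = {
    "=": lambda cell, term: cell == term,
    "<": lambda cell, term: cell < term,
    ">": lambda cell, term: cell > term,
    "<=": lambda cell, term: cell <= term,
    ">=": lambda cell, term: cell >= term,
    "between": lambda cell, term: term[0] <= cell <= term[1],
}


def operators_for(column: str) -> Dict[str, Callable]:
    """Return the operator set that applies to a column, or refuse unsearchable ones."""
    ctype = COLUMN_TYPES.get(column)
    if ctype == "text":
        return TEXT_OPERATORS
    if ctype == "numeric":
        return NUMERIC_OPERATORS
    raise ValueError(f"column {column!r} is not searchable")


def search(rows: List[Row], column: str, operator: str, term: Any) -> List[Row]:
    """Filter rows the way the search bar does: column, operator, search text."""
    ops = operators_for(column)
    if operator not in ops:
        raise ValueError(f"operator {operator!r} is not valid for column {column!r}")
    pred = ops[operator]
    if COLUMN_TYPES[column] == "numeric":
        # The search text field yields strings; coerce like a numeric column would.
        if operator == "between":
            low, high = term
            term = (float(low), float(high))
        else:
            term = float(term)
        return [r for r in rows if pred(float(r[column]), term)]
    return [r for r in rows if pred(str(r[column]), str(term))]


# Constructed sample rows (not real report data).
ROWS: List[Row] = [
    {"Users": "10.50.20.11", "Sites": "www.example.com", "Hits": 340, "Browse Time": "00:12:40"},
    {"Users": "10.50.20.7", "Sites": "cdn.example.com", "Hits": 85, "Browse Time": "00:02:05"},
    {"Users": "10.50.21.3", "Sites": "www.example.net", "Hits": 120, "Browse Time": "00:04:30"},
    {"Users": "10.60.1.9", "Sites": "www.example.org", "Hits": 1500, "Browse Time": "01:10:12"},
]

if __name__ == "__main__":
    print([r["Users"] for r in search(ROWS, "Users", "Start with", "10.50.20")])
    print([r["Hits"] for r in search(ROWS, "Hits", ">", "100")])
    print([r["Hits"] for r in search(ROWS, "Hits", "between", ("100", "400"))])
```

One point worth noticing when reading the pictured Users search: Start with is a string prefix, not a subnet match. The prefix 10.50.20 also matches an address such as 10.50.200.1, so a subnet should be searched with a trailing dot (10.50.20.) or filtered after export.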
The calendar module of the search bar is shown below. You can use the calendar module to easily select a date for the Start or End field. You can also manually type in a date. For single day reports, the End field is disabled.
The detailed options are per report based. For example, if you select PIE as the chart type for report A, you will still see Bar chart in report B if the bar chart was the existing chart type. The detailed drop-down menu can be expanded by clicking More Options as shown in the red circle below. As Figure 5 and Figure 6 show, the options in the detailed drop-down menu are context-based. Figure 5 shows the detailed options of the Web Usage By User report. As you can see, Figure 6 contains different options because it is specific to the By User report.
Figure 5 Context-based Detail Options
Figure 6
Combined Reports
Users familiar with GMS 4.0 will find two categories of reports that are no longer visible on the function tree: the Browse Time report and the ROI report. The information from these two reports has been folded into the Web Usage and Bandwidth reports, respectively. The Web Usage report pages now feature a Browse Time column. The Bandwidth report pages feature a Cost($) column that displays all the information previously displayed by the ROI reports.
SonicWALL GMS 6.0 Administrators Guide
Improved Navigation
To save time, GMS now features linked reports. Web Usage and Web Filter reports now link their By User and By Site pages. It is now possible to navigate directly from the Web Usage > By User page to a Web Usage > By Site page or from the Web Filter > By User page to a Web Filter > By Site page detailing the information of the site that the user has been browsing. Click the Plus sign next to the entry in the User column to show details, and hover the mouse over a site. A sticky tooltip will display with a link to the corresponding sites report page. This makes navigating from one report to the next much easier and makes retrieving detailed information simple.
To navigate from the Web Usage > By User report to the Web Usage > By Site report:
1. Navigate to the Web Usage > By User report from the Report tab.
2. Click the Plus button next to any IP address in the User column. This displays detailed information about the sites that the user at that address has been visiting.
3. Hover your mouse over a site in this list. Click the Navigate to Top Visited Web Sites By Site link to navigate directly to the Web Usage > By Site report page.
The Web Usage > By Site report page shows detailed information about Web traffic to this site. Information in this report includes the IP addresses of users who have browsed that site, as well as how much time they have spent browsing.
Note
In SonicWALL GMS 5.1 and above, the Name Resolution option on the UTM appliance (where the firmware supports it) is enabled when a unit is added. This does not apply to already existing appliances in the system.
The Management section of the Console panel controls the configuration of GMS, including settings which have an effect on GMS Reports.
For information about GMS management settings, see the Settings section on page 941 in the Configuring Management Settings chapter. For information about user screen permissions, see the Moving a User section on page 957 in the Configuring Management Settings chapter.
The Reports section on the Console panel is divided into sections that allow you to manage system-wide settings, including the following:
Table 13 Console > Reports
Settings: Report Settings/Options; Log Viewer Settings; Summarizer Settings; Reports Data Summarization Interval; Syslog Deletion Schedule; Host Name Resolution Settings
Email/Archive: Email/Archive Time Settings; Days to Store Archived/Published reports; Email/Archive Configuration - Web Server Details; Logo Settings; SortBy Settings In PDF Reports
Scheduled Reports
Management
The Reports section of the Console panel controls settings for syslog data collection, summarizer configuration, email and archiving, scheduling reports, and archiving report data. The Logs section of the Policies panel provides settings for controlling the rate of syslog event logging.
For information about syslog data collection settings, see the Enabling Report Table Sorting section on page 982 in the Managing Reports in the Console Panel chapter. To configure the syslog event rate, see the Configuring Log Settings section on page 278 in the Configuring Log Settings chapter.
For information about the summarizer, see the following sections in the Managing Reports in the Console Panel chapter:
About Summary Data in Reports section on page 983
About the Distributed Summarizer section on page 984
Summarizer Settings and Summarization Interval section on page 987
For information about Email and Archiving settings, see the Configuring Email/Archive Settings section on page 994 in the Managing Reports in the Console Panel chapter. For a description of how to schedule reports in the Console panel, see the Scheduled Reports section on page 995 in the Managing Reports in the Console Panel chapter. For information about archiving report data using the Move Data to Archive (MDTA) feature, see the Management section on page 1000 in the Managing Reports in the Console Panel chapter.
Configuring Scheduled Reports section on page 671 Selecting Reports for Summarization section on page 675 Configuring Inheritance for Reporting Screens section on page 676 Configuring Data Storage Settings section on page 677 Configuring Summarization Data for Top Usage section on page 678 Configuring Summarization Data for Bandwidth Reports section on page 679 Viewing Current Alerts section on page 680 Scheduling PDF Compliance Reports section on page 680
Viewing or Managing Scheduled Reports on page 672 Adding or Editing a Scheduled Report on page 673
To create scheduled email reports in PDF format as Compliance Reports, see the Scheduling PDF Compliance Reports section on page 680.
Viewing or Managing Scheduled Reports
To view or manage scheduled reports:
1. Click the Reports tab and select a SonicWALL appliance.
2. Expand the Configuration tree and click Scheduled Reports. The Scheduled Reports page displays.
3. To add a new scheduled report, click Add Scheduled Report. See Adding or Editing a Scheduled Report on page 673.
4. To edit a report, click the pencil icon in that row. See Adding or Editing a Scheduled Report on page 673.
5. To delete a report, select the checkbox in that row and then click Delete Selected Scheduled Reports.
6. To disable a scheduled report, select the checkbox in that row and then click Disable Selected Scheduled Reports.
7. To enable a disabled report, select the checkbox in that row and then click Enable Selected Scheduled Reports.
8. To select all reports in the list, click Select All Scheduled Reports.
Adding or Editing a Scheduled Report
To add or edit a scheduled report:
1. Navigate to the Configuration > Scheduled Reports page on the Reports panel and do one of the following:
To add a new scheduled report, click the Add Scheduled Report button.
To edit an existing report, click the pencil icon in that row.
2. Enter a name for the report in the Name field.
3. Enter descriptive information in the Description field.
4. To email the report, select the Email check box. The screen expands to show email configuration settings.
5. Enter the IP address of the mail server into the SMTP Server field.
6. By default, the GMS Reporting Module uses the email address configured in the Console panel on the Management > GMS Settings screen as the sender address. To change it, enter a new sender email address in the Source Email Address field.
7. Enter one or more destination email addresses, separated by semicolons, into the Destination Email Addresses field.
8. Enter the subject line that will appear in reports sent from the GMS Reporting Module in the Email Subject field.
9. Enter text that will appear in the message body in the Email Body field.
10. To copy the contents of the report into the body of the email message, select the Send Reports Inline check box. To send the file as an email attachment, make sure this check box is deselected.
Note
Reports can only be sent inline when all data is sent in a single report.
11. To archive the file on the server's hard disk, select the Archive check box and specify the directory where the file will be archived in the Save Directory field.
12. For Report Type, select Daily, Weekly, or Monthly.
13. For Report Format, select HTML, XML, or PDF.
14. Select either Include all data in a single report or Zip Reports into a single file.
15. If you selected PDF for the Report Format, you can protect it with a password by selecting Password Protect the PDF File and typing a password into the Password field. Users must enter the password to view the contents of a password-protected PDF file. The content can be copied or printed, but is not editable by a PDF editor.
16. If Zip Reports into a single file is selected, you can protect the zip file with a password by selecting Password Protect the Zip File and typing a password into the Password field.
Note
When both PDF and Zip Reports into a single file are selected, you can password-protect the PDF, but not the zip file.
17. For the Cover Page, enter a Title and Subtitle and select the colors.
18. For Summary Report Page, you can select up to 4 reports. Select a report for the summary page from the Choose the Summary Reports drop-down list, and then click Add.
19. For Detailed Report Page, do one of the following:
Click Select an existing profile, and then select the profile to use.
Click Create a new profile, type a profile name into the New Profile Name field, and then select the checkboxes in the Report list for each report to be included. You can click the checkbox next to the Report heading to select all reports in the list.
20. Optionally click Configure Filters/Options. For this procedure, see the steps that follow.
To configure filters and display options for a scheduled report:
1. At the bottom of the Scheduled Report Configuration page, click the Configure Filters/Options button. The Display Options/Settings page displays.
2. Select the number of sites to display in Top Sites reports (default: 20).
3. Select the number of users to display in Top Users reports (default: 20).
4. Select the number of sites to display in Sites by User/Users By Site reports (default: 20).
5. Select the number of items to display in all other reports (default: 20).
6. Select the number of entries per item to display in all other reports (default: 20).
7. Under Inclusion Filter Parameters, enter a comma-separated list of sites to include in By Site reports in the Site List field.
8. Enter a comma-separated list of users to include in By User reports in the User List field.
9. To include the user's full name and IP address in the report, select the Whole Name/IP checkbox.
10. For Bandwidth Usage reports, select the source from the Source Interface drop-down list.
11. For Bandwidth Usage reports, select the destination from the Destination Interface drop-down list.
12. Click the Update button to apply changes. The new report appears in the Scheduled Reports list.
Selecting Reports for Summarization
To select the reports to summarize:
1. Click the Reports tab and select a SonicWALL appliance.
2. Expand the Configuration tree and click Summarizer Settings. The Summarizer Settings page provides a list of reports and a corresponding description of each report. Each report has a checkbox that you can select to generate a summarized report.
3. Select the checkbox of each report type to summarize.
4. When you are finished, click Update. Your configuration changes are saved.
When you are viewing the screen at the unit level, the option is Sync group to appliance level settings. This is reverse inheritance. Click the Update button to apply your current unit level settings to the group to which this unit belongs.
When you are viewing the screen at the global or group level, the option is Sync appliance(s) to group level settings. This is forward inheritance. Click the Update button to apply your current global or group level settings to the appliances in this group.
For all fields in this section, the minimum values should be 3 days, and will typically be longer. Raw syslog data is transferred to the GMS Summarizer system by individual SonicWALL appliances, where it is stored in raw syslog files. The data from these files is combined and stored in a raw syslog database. Data from this database is processed by the Summarizer and then stored in the summarized data database.
SonicWALL GMS 6.0 Administrators Guide
677
The raw syslog files and databases older than the number of days specified here will get deleted by the global daily deletion schedule configured on the Console > Reports > Summarizer page. That page also provides a way to delete the summarized database for a certain date. See the Configuring the Syslog Deletion Schedule Settings section on page 991. To configure the Data Storage Configuration settings:
1. On the Reports tab, expand the Configuration tree and click Summarizer Settings.
2. Scroll down to the Data Storage Configuration section.
3. Type the desired number of days to store summarized data into the Days To Store Summarized Data field and then click Update.
4. Type the desired number of days to store raw syslog database files into the Days To Store Raw Syslog Databases field and then click Update.
5. Type the desired number of days to store archived XML reports into the Days To Store XML reports field and then click Update.
1. On the Reports tab, expand the Configuration tree and click Summarizer Settings.
2. Scroll down to the Reports Summarization Data for Top Usage section.
3. Optionally select the Enable Homeport Syslog Reporting checkbox.
4. Select the Enable Web Event Consolidation checkbox to consolidate repetitive syslog event entries within the syslog database and then select one of the following levels of consolidation:
   Host & Domain - More restrictive, less consolidation
   Domain Only - More general, more consolidation
5. Click Update.
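The two consolidation levels differ in which events are treated as "repetitive". The following Python is an added example, not SonicWALL GMS code: the real syslog record layout and the key GMS consolidates on are not described here, so the (source IP, host) and (source IP, domain) keys, the "last two DNS labels" notion of a domain, and the sample events are all assumptions made for the illustration.

```python
"""Web Event Consolidation at the two levels the Summarizer offers.

Added example, not SonicWALL GMS code. GMS's real syslog record layout and
consolidation key are not described on this page; the record shape, the
(source IP, host) / (source IP, domain) keys and the "last two labels" notion
of a domain are assumptions made for the illustration.
"""
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample Web events (source IP, full URL, bytes). Not real log data.
SAMPLE_EVENTS = [
    ("10.1.1.5", "http://www.example.com/index.html", 1200),
    ("10.1.1.5", "http://www.example.com/news.html", 800),
    ("10.1.1.5", "http://cdn.example.com/logo.png", 5000),
    ("10.1.1.7", "http://www.example.com/index.html", 1200),
    ("10.1.1.7", "http://mail.example.org/inbox", 300),
    ("10.1.1.7", "http://mail.example.org/inbox", 300),
]


def registered_domain(host):
    """Last two DNS labels of a hostname ("cdn.example.com" -> "example.com").

    Assumption: a simplistic stand-in for whatever GMS treats as the Domain.
    It is wrong for multi-label public suffixes such as example.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def consolidation_key(src_ip, url, level):
    """Key under which repetitive events collapse at the chosen level."""
    host = urlsplit(url).hostname or ""
    if level == "host_domain":      # Host & Domain: more restrictive, less consolidation
        return (src_ip, host)
    if level == "domain_only":      # Domain Only: more general, more consolidation
        return (src_ip, registered_domain(host))
    raise ValueError("unknown consolidation level: %r" % (level,))


def consolidate(events, level):
    """Collapse events sharing a key into one row: {key: (event_count, total_bytes)}.

    Row order follows first appearance, so the output is deterministic.
    """
    rows = OrderedDict()
    for src_ip, url, nbytes in events:
        key = consolidation_key(src_ip, url, level)
        count, total = rows.get(key, (0, 0))
        rows[key] = (count + 1, total + nbytes)
    return rows


def hosts_lost(events):
    """Hosts that Domain Only consolidation can no longer tell apart: for each
    (source IP, domain) key, the distinct hosts behind it when there is more than one."""
    seen = {}
    for src_ip, url, _ in events:
        host = urlsplit(url).hostname or ""
        seen.setdefault((src_ip, registered_domain(host)), set()).add(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for level in ("host_domain", "domain_only"):
        rows = consolidate(SAMPLE_EVENTS, level)
        print(level, len(rows), "rows")
        for key, (count, total) in rows.items():
            print("  %-10s %-18s events=%d bytes=%d" % (key[0], key[1], count, total))
    print("hosts merged by Domain Only:", hosts_lost(SAMPLE_EVENTS))
```

On the sample events, Host & Domain yields four rows and Domain Only three; the row that disappears is the one that separated www.example.com from cdn.example.com for 10.1.1.5. That is the trade-off to weigh before choosing Domain Only: the byte totals survive, but an investigation that needs to know which host under a domain a client actually contacted can no longer get that from the consolidated data.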
1. On the Reports tab, expand the Configuration tree and click Summarizer Settings.
2. In the Reports Summarization Data for Bandwidth Reports section, select the currency type in the Type of Currency field. Over 20 different currencies from around the world are available.
3. Specify an amount based on your chosen currency in the Cost Per Mega Byte Bandwidth Use field.
4. Click Update.
Customizable cover page (a default cover page is also available)
Customizable summary and descriptions for the reports
Ability to customize a set of reports. Three reports can be persisted as a profile so that it can be consumed by less experienced users in the system
Reports can be generated in industry standard PDF format. The compressed format produces a smaller file than an equivalent HTML report, and the print quality is higher. A 200 page PDF report opens with ease, whereas opening the same report as HTML in Internet Explorer takes considerably longer because of the memory the browser needs for it
Requirements
Adobe Reader plug-in is required for the preview function.
Customizing Your Cover Page section on page 683
Customizing Your Summary Report Page section on page 684
Customizing Your Detailed Reports Page section on page 685
Editing Existing Profiles section on page 686
Verifying User Compliance Reports Configuration section on page 688
To begin creating a new customized Compliance Report, perform the following steps:
1. Navigate to Reports > Configuration > Scheduled Reports.
2. Click the ADD button to add a scheduled report. The Scheduled Report Configuration page displays.
3. In the General section, enter the name of your report into the Name field, and the report description.
4. In the Category section, select the Email check box. The details window displays:
   SMTP Server field: Enter your SMTP Server IP address or hostname.
   Source Email Address field: Enter your Source Email Address.
   Destination Email Address field: Enter the Destination Email Address(es).
   Email Subject field: Enter your Email Subject.
   Email Body field: Enter your Email Body.
5. To archive the report to a directory, select the Archive check box and enter the directory into the Save Directory field.
To change the format and settings of your customized compliance report, perform the following steps:
6. In the Format and Settings category, select the Report Type that reflects the time interval you want to view your reports, either Daily, Weekly, or Monthly.
7. Select the PDF report format in the Report Format category. Selecting the PDF option opens additional fields that allow you to customize the Cover Page, Summary Report Page, and Detailed Report Page of your report in PDF format.
8. To zip all of your reports into a single file, select the Zip Reports into a single file check box.
Note
PDF disables some options that are only applicable to HTML.
9. For custom reports, enter the template folder name into the Template Folder Name field.
Title field: Enter the document title.
Subtitle field: Enter the document subtitle (optional).
3. Select the color for the Title and Subtitle foreground and background by clicking the gradient color box at the right side of each field. You may select a color either by choosing a color on the color bar and then selecting its value in the color box, or by typing in the HTML color.
4. The color codes are automatically filled in the corresponding fields once the color chooser window is closed.
1. On the Summary report page, select the type of summary reports you need, up to a maximum of 4 reports. Then, click the Add button. The report will be created based on the type of summary report you have selected.
2. Enter the report title and report description in the appropriate fields.
3. Select the text color for the title and description.
4. Select the background color for both fields.
5. Select the order in the Order drop-down window.
6. You may continue to add reports based on the summary you select in the Summary Reports drop-down menu. Repeat steps 1-5 to add more summary reports.
New Profile Name field: Enter the name of your new profile.
2. To determine the type of reports that will be summarized in your compliance report, check the boxes next to the reports you need. Click the plus icon next to a folder to reveal its sub-folders. When all sub-folders are selected, the main folder is selected as well.
3. When you have completed your selection(s) of reports, scroll down the page until you see a check button with Configure Filters/Options beside it. Click the check mark button.
4. In the Configure Filter/Options section, you decide how your filter and display are set. Once you have clicked the check button, fill out the table accordingly.
1. Click the Edit icon, located next to the report name you want to edit.
2. In the Detailed Page section, choose the Select an existing profile button.
Note
You can delete an existing profile in that section by clicking the Delete Selected Scheduled Reports button located at the top of the page.
3. From the drop-down list in the Detailed Report Page, select the profile name you wish to edit. Choose the reports you want to add or remove from that profile. If a new profile has the same name as an existing profile, the behavior is the same as opening the existing profile and editing its report list. When selecting an existing profile, the associated reports are checked in the report list automatically.
Figure 7
Note
The images used for the preview do not use actual data.
Managing Report Settings section on page 690
Viewing Dashboard Reports section on page 694
Using Custom Reports on UTM Appliances section on page 699
Viewing Status Reports section on page 716
Viewing Bandwidth Reports section on page 723
Viewing Services Reports section on page 731
Viewing Web Usage Reports section on page 733
Viewing Web Filter Reports section on page 751
Viewing File Transfer Protocol Reports section on page 767
Viewing Mail Usage Reports section on page 773
Viewing VPN Usage Reports section on page 780
Viewing Attacks Reports section on page 792
Viewing Virus Attacks Reports section on page 801
Viewing Anti-Spyware Reports section on page 807
Viewing Intrusion Prevention Reports section on page 814
Viewing Application Firewall Reports section on page 822
Viewing Authentication Reports section on page 828
Viewing the Log section on page 831
Many reports offer different graphical displays for the data, such as a bar-graph or a pie chart. To select a graphical display, select Chart and Table under Report Display Settings and choose the display type from the Chart Type list. Your selection should display immediately in the report screen. For most reports you can choose Area, Bar, Pie or Plot.
clicking the single arrows (<, >), or the year by clicking the double arrows (<<, >>). To select the month or year from a drop-down list, click and hold the arrow button. Click Search to begin building the report.
Additional Settings
Many reports have additional settings that you can select such as source and destination interfaces to report traffic through or how to display names and IP addresses. Make your selection from these lists and click Search.
Troubleshooting Reports
One of the most common error messages when a report does not display is No Data. There are several reasons why you might see this error, and SonicWALL GMS 5.1 and higher displays the most likely reason and points you to the screen where you can make the necessary adjustments. Some examples are shown in the following figures.
Figure 8 Appliance is Down
Figure 9
Figure 10
Viewing the Dashboard Summary Report on page 694
Viewing the Security Dashboard Report on page 697
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
The tables at the top of the page display the totals, using megabytes for the bandwidth totals. The graphical display breaks down the information as follows:
Bandwidth - shown by group when viewed at global or group level. At
eight slices. The top seven Web users by IP address are each shown as a slice, with all other HTTP bandwidth combined in the eighth slice.
Attacks Events - at the global level, both attack events and virus attack attempts are shown per group. At unit level, these are shown per hour.
report templates. See Using Custom Reports on UTM Appliances on page 699. You can click the Edit icon next to the template on this page to edit the template in the Custom Report page and save it using the Save Template button. To delete the template, click the Delete icon.
When you click on a saved template, the detailed report page is displayed in Full Mode with the same categories in the same order as in the template that you saved. In the report page, the Print, PDF, and Excel icons are available, along with the pagination controls. There is no link to Split Mode and no Save Template button since this template is already saved.
You can also configure or delete a saved template from the Dashboard > Summary page. To access a custom report from the Dashboard:
1. Select a unit for which Log Viewer is enabled, and then navigate to Dashboard > Summary.
2. Locate the box labeled Custom Report Templates. All saved templates for this appliance are listed in the box.
3. Do one of the following:
   To generate a Custom Report, click a saved template in the Custom Report Templates box.
   To configure a saved template, click the Configure icon for that template, make the desired changes, and then click OK. For configuration instructions, see Using Custom Reports on UTM Appliances on page 699.
   To delete a saved template, click the Delete icon for that template and then click OK in the confirmation dialog box.
An Individual Appliance Report that displays a summary of attacks detected by the local SonicWALL security appliance.
A Global Report that displays a summary of threat data received from all SonicWALL security appliances worldwide.
The Dashboard > Security Dashboard screen is available at the global level, but not at unit level for SonicWALL CSM Series appliances. To view the Security Dashboard report, perform the following steps:
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Dashboard tree and click Security Dashboard. The Security Dashboard page displays.
Figure 11
4. At the top of the screen, select either the Global radio button or, for reporting at unit level, the radio button that is labeled with the unit's MAC address. Select Global to display a summary of attacks caught by SonicWALL appliances worldwide. Select the unit's MAC address to see results only for attacks through this unit. At all levels, the categories charted include the following:
   Viruses Blocked by SonicWALL Network
   Intrusions Prevented by SonicWALL Network
   Spyware Blocked
   Multimedia (IM/P2P) Detected/Blocked
For each of these, the report includes the results over time for the top ten.
5. Optionally select the period of time for the report from the drop-down box at the top right of each graphical display. At the unit level, you can select only the Last 21 days. At the global or group level, you can select from:
   Last 12 Hours
   Last 14 Days
   Last 21 Days
   Last 6 Months
Toggling Between Split Mode and Full Mode on page 700
Configuring the Date and Time for Custom Reports on page 702
Configuring the Report Layout and Generating the Report on page 704
Generating the Custom Report on page 712
Viewing a Custom Report on page 713
Printing a Page or Exporting the Report as a PDF or CSV File on page 715
Saving the Report Template on page 716
After generating a report, the page automatically changes to Split Mode and displays the report settings in the Template Section in the top half of the page and the report results in the Report Section in the lower portion. The Template Section and Report Section displayed in Split Mode is shown below.
At any time, you can change to Full Mode if you want to display either the Template Section or the Report Section individually. From Full Mode, you can easily change back to Split Mode. To toggle between Split Mode and Full Mode:
1. Select a unit for which Log Viewer is enabled, and then navigate to the Custom Report page.
2. On a page that is currently displayed in Full Mode, to change the view to Split Mode click the <Split Mode> button at the right side of the section heading.
3. On a page that is currently displayed in Split Mode, do one of the following to change to a Full Mode display of either the Template Section or the Report Section:
   Click the <Full Mode> button to the right of the Template Section heading.
   Click the <Full Mode> button to the right of the Report Section heading.
Today - Uses log data from the current date, beginning just after midnight
Yesterday - Uses log data from just after midnight of the previous day, up to and including the most recent log message from the current date
Week to Date - Uses log data from the current date, plus the seven preceding days
Month to Date - Uses log data from the same date as the current date in the previous month, up to and including the most recent log message from the current date
When generating a report with a template containing a dynamic date range setting, the dates used when referencing the log data are relative to the current date. Thus, two reports generated from the same template on different days will provide different results.
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report type you want.
2. In the Template Section under Date/Time, select the Dynamic Date Range radio button.
3. In the drop-down list, select Today, Yesterday, Week to Date, or Month to Date.
4. For the Start Time, select the hour, minute, and second from the drop-down lists in the Dynamic Date Range row. These settings specify the earliest data to be included in the report, for each day of the date range.
5. For the End Time, select the hour, minute, and second from the drop-down lists. These settings specify the most recent data to be included in the report, for each day of the date range.
6. To change the settings back to the defaults, click Reset at the bottom of the Template Section. Note that this will change the Report Layout region as well as the Date/Time region back to default settings.
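The four dynamic ranges are defined relative to whatever day the report runs, and the Start Time and End Time apply per day inside that range. The Python below is an added example, not SonicWALL GMS code: it implements the ranges exactly as they are defined above against a caller-supplied clock, so the drift between two runs of the same template can be seen directly. The page does not say what GMS does for Month to Date when the previous month has no such day (31 March, for instance); clamping to the last day of that month is an assumption in this example, as are the sample timestamps.

```python
"""Dynamic Date Range resolution for a Custom Report template.

Added example, not SonicWALL GMS code. It implements the four ranges as the
page defines them, evaluated against a supplied clock so that the same
template can be shown producing different windows on different days. Where
the same day of month does not exist in the previous month, the clamp to the
last day of that month is an assumption; the page does not say what GMS does.
"""
import calendar
from datetime import date, datetime, time, timedelta


def _as_datetime(value):
    """Accept a datetime or an ISO 8601 string such as "2010-03-31T14:00:00"."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _as_time(value):
    """Accept a time or an "HH:MM:SS" string."""
    return value if isinstance(value, time) else time.fromisoformat(value)


def _same_day_previous_month(today):
    """Same day-of-month one month earlier, clamped to that month's length
    (assumption: e.g. 31 March -> 28 or 29 February)."""
    year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(today.day, last_day))


def resolve_dynamic_range(range_name, now):
    """Return (start, end) for a Dynamic Date Range evaluated at 'now'.

    'start' is just after midnight on the first day of the range; 'end' is
    'now' itself, standing in for "the most recent log message from the
    current date".
    """
    now = _as_datetime(now)
    today = now.date()
    first_day = {
        "Today": today,
        "Yesterday": today - timedelta(days=1),
        "Week to Date": today - timedelta(days=7),   # current date plus the seven preceding days
        "Month to Date": _same_day_previous_month(today),
    }
    if range_name not in first_day:
        raise ValueError("unknown dynamic range: %r" % (range_name,))
    return datetime.combine(first_day[range_name], time.min), now


def days_covered(range_name, now):
    """Calendar days in the window; it moves with 'now', unlike a Static Date Range."""
    start, end = resolve_dynamic_range(range_name, now)
    return (end.date() - start.date()).days + 1


def in_report_window(ts, range_name, now, start_time=time.min, end_time=time.max):
    """True if log timestamp 'ts' lies inside the range and, on each day, inside
    the per-day Start Time..End Time window the template specifies."""
    ts = _as_datetime(ts)
    start, end = resolve_dynamic_range(range_name, now)
    return start <= ts <= end and _as_time(start_time) <= ts.time() <= _as_time(end_time)


if __name__ == "__main__":
    # Constructed clock values, not real report runs.
    for now in ("2010-03-31T14:00:00", "2010-04-01T09:00:00"):
        for name in ("Today", "Yesterday", "Week to Date", "Month to Date"):
            start, end = resolve_dynamic_range(name, now)
            print("%-20s %-14s %s .. %s (%d days)" % (now, name, start, end, days_covered(name, now)))
```

Two things worth noticing when running it: Yesterday spans two calendar days, since the definition runs up to the most recent message of the current date, and a log line at 08:30 on a day inside the range is still excluded when the template's Start Time is 09:00:00, because the time window is applied to every day of the range rather than to its ends only.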
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report type you want.
2. In the Template Section under Date/Time, select the Static Date Range radio button.
3. Click the Start Date field to access the pop-up calendar.
4. Use the navigation arrows near the top of the calendar to change the year or month.
   Click the << button to move to the previous year, or hold the button to select from a list of years.
   Click the >> button to move to the next year, or hold the button to select from a list of years.
   Similarly, click the < or > to move back or ahead by one month, or hold the button to select from a list of months.
5. Click the desired start date in the calendar. This adds the date to the Start Date field and closes the calendar.
6. Click the End Date field to access the pop-up calendar.
7. Use the navigation arrows near the top of the calendar to change the year or month.
8. Click the desired end date in the calendar. This adds the date to the End Date field and closes the calendar.
9. For the Start Time, select the hour, minute, and second from the drop-down lists in the Static Date Range row. These settings specify the earliest data for each day in the date range to be included in the report.
10. For the End Time, select the hour, minute, and second from the drop-down lists. These settings specify the most recent data for each day in the date range to be included in the report.
11. To change the settings back to the defaults, click Reset at the bottom of the Template Section. Note that this will change the Report Layout region as well as the Date/Time region back to default settings.
The Detailed Report tab contains a list of data categories that you can add as report fields, and allows you to specify query values for each. The categories you select will appear as column headings in the report. The Summary Report tab allows you to structure a report showing the top elements of Internet Activity or Website Filtering. You can select the number of top elements, what to base the comparisons on, and the two data categories to evaluate when determining the top elements. The generated report provides graphical output that you can click to drill down for detailed information. For more information about each of these Report Layout tabs, see the following sections:
Detailed Reports on page 705
Summary Reports on page 709
For information about the Filter operators, see the following section:
Filter Operators on page 711
Detailed Reports
The Detailed Report tab is the default view in the Report Layout region.
For a UTM Internet Activity report, the Select Report Field drop-down list contains eight data categories that you can add as column headings in the report. The categories are:
Full URL - Adds a column containing the full URL of each Web site visited
Category - Adds a column containing the category of each site visited, such as Gambling or Adult/Mature Content
Domain - Adds a column containing the domain name of each site visited
Protocol - Adds a column containing the protocol used by the traffic
Received Traffic - Adds a column containing the number of bytes received from the visited site
Transmitted Traffic - Adds a column containing the number of bytes transmitted to the site
Total Traffic - Adds a column containing the total number of bytes received and transmitted
User - Adds a column containing the user ID
For a UTM Website Filtering report, the Select report field drop-down list contains four data categories that you can add as column headings in the report. The categories are:
Full URL - Adds a column containing the full URL of each logged Web site
Category - Adds a column containing the category of each logged site, such as Gambling or Adult/Mature Content
Domain - Adds a column containing the domain name of each logged Web site
User - Adds a column containing the user ID
To include a field in the report, select a choice from the list and then click Add. When you click Add, a row is populated in the table below, which has three column headings: Field, Filter, and Options.
Note
When you place your mouse cursor over the row, under the Field heading, the cursor changes to a move cursor. You can drag and drop the rows to rearrange the column ordering in the final report.
In the Filter column, two fields are displayed: an operator field and an input field. The operator field is a drop-down list containing the operator choices for the selected report field. See Filter Operators on page 711 for a description of each operator. The input field can be a drop-down list or a standard input field, depending on the selected report field. The operators and input fields are defined in Table 14 for each report field.
Table 14 Operators and Input Fields for Each Data Type

Category
  Operators: Equals
  Input Field: The input field is a drop-down list containing an alphabetized list of all the content filtering categories, such as Adult/Mature Content, Gambling, Military, etc. Leave the default of All in the input field if you choose not to filter by a certain category.

Destination IP
  Operators: Equals, Starts with, Ends with, Contains
  Input Field: The input field is a standard input field where you can type in the numbers to match, such as 192 or 10.25. Leave the input field blank if you choose not to filter by a certain destination IP address.

Domain
  Operators: Equals, Starts with, Ends with, Contains
  Input Field: The input field is a standard input field where you can type in the domain to match, such as sonicwall.com. Leave the input field blank if you choose not to filter by a certain domain.

Full URL
  Operators: Equals, Starts with, Ends with, Contains
  Input Field: The input field is a standard input field where you can type in the URL to match, such as http://www.funnyyoutubevideo.com/funniest.html. Leave the input field blank if you choose not to filter by a certain URL.

Protocol
  Operators: Equals, Starts with, Ends with, Contains
  Input Field: The input field is a standard input field where you can type in the protocol to match, such as FTP. Leave the input field blank if you choose not to filter by a certain protocol.

Received Traffic
  Operators: =, >, >=, <, <=, !=
  Input Field: The input field is a standard input field where you can type in the number of bytes to match or compare to. Leave the input field blank if you choose not to filter by a certain amount of traffic.

Source IP
  Operators: Equals, Starts with, Ends with, Contains
  Input Field: The input field is a standard input field where you can type in the numbers to match, such as 192 or 10.25. Leave the input field blank if you choose not to filter by a certain source IP address.

Total Traffic
  Operators: =, >, >=, <, <=, !=
  Input Field: The input field is a standard input field where you can type in the number of bytes to match or compare to. Leave the input field blank if you choose not to filter by a certain amount of traffic.

Transmitted Traffic
  Operators: =, >, >=, <, <=, !=
  Input Field: The input field is a standard input field where you can type in the number of bytes to match or compare to. Leave the input field blank if you choose not to filter by a certain amount of traffic.

User
  Operators: Equals, Starts with, Ends with, Contains
  Input Field: The input field is a standard input field where you can type in the user ID to match. Leave the input field blank if you choose not to filter by a certain user.
In the Options column, two icons are displayed: an Eye and an X. You can click the Eye to toggle whether the report field on that row will be displayed in the final report. This allows you to filter the report results based on the selected report field and related filter value, but not display the field as a column. When you click on the Eye icon within a row, the eye closes to show that this field will not be displayed in the final report. The filter value will still be used to filter results from the raw syslog database to apply towards the report.

For example, you might specify the following Field/Operator/Filter Value: Protocol/=/http. It would make sense to click the Eye icon to disable the Protocol field from being shown in the report, since it would always just be http and would not add any interesting information to the final report. Contrast this with simply specifying the Protocol field and leaving the Filter Value blank, in which case you would want to enable the Eye so that this column would appear in the report showing a variety of protocols such as udp/dns, tcp/http, udp/ntp, or numbered protocols such as udp/389 (the LDAP protocol) or tcp/445 (MS Server Message Block (SMB) file sharing).

Clicking the X icon under Options deletes the selected report field from the table, so it will not be used to generate the report results nor will it be displayed in the report. Use the X icon instead of the Eye when you do not choose to filter the report results based on the field.

The Detailed Report tab also contains the Sort By drop-down list. The list contains the Date/Time option and any other report fields that you have selected from the eight data types. The choice you select will be used to order the results in the report from the first page to the last. The selection in the left drop-down list is used for the first sorting, then the selection in the right drop-down list is used to sort and group the entries within each group resulting from the first sorting.
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report type you want.
2. In the Report Layout region of the Template Section of the Custom Report page, select the Detailed Report tab.
3. In the Select report field drop-down list, select a data type to include in the report, and then click Add. A row for this field is populated in the table below. Repeat this step to add other fields.
4. Optionally select an operator from the drop-down list under Filter in a table row, and type in or select an input value to be matched when the database is queried. Repeat this step for other rows to add filter values for those fields.
5. To prevent a field from appearing in the final report, click the Eye icon in that row so that the eye appears closed. To allow the field to be displayed in the report, click the closed Eye icon to return it to normal appearance.
6. To delete a field from the table, click the X icon in that row.
7. To sort the report pages by a different field than the default of Date/Time, select the desired field from the Sort by drop-down list.
8. To change the settings back to the defaults, click Reset at the bottom of the Template Section. Note that this will change the Date/Time region and the Report Layout region back to default settings.
Summary Reports
The Summary Report tab is available in the Report Layout region of the Template Section.
The Top drop-down list provides selections for the number of entries to display in the report. For example, if the User field is selected below as a Summary Group, and 5 is selected in the Top drop-down list, the report will provide entries for the top five users. For all Custom Reports, available numbers in the Top drop-down list are 5, 10, 20, 50, and 100. The Summary Base drop-down list offers a selection of traffic types that will be used to determine the top usage for the selected field. The Summary Base choices vary as follows depending on the type of Custom Report:
For a UTM Internet Activity report, the Summary Base choices are Total traffic, Received traffic, or Transmitted traffic.
For a UTM Website Filtering report, the only Summary Base choice is Filtered Items.
Below the Top and Summary Base fields, you can create one or two Summary Groups from the choices listed on the left side. The Summary Groups choices vary as follows depending on the type of Custom Report:
For a UTM Internet Activity report, the choices are Total traffic, Received traffic, or Transmitted traffic.
For a UTM Website Filtering report, the choices are Category, Domain, or User.
To select a field for a Summary Group, simply drag and drop the desired field from the list to either the Level 1 Summary Group or Level 2 Summary Group boxes. When the field name is dragged to one of these, the operator drop-down list and filter input value field are displayed, allowing you to specify values to match when the data is searched. See Filter Operators on page 711 for a description of each operator. Either the Level 1 Summary Group field or the Level 2 Summary Group field can be used alone; the resulting report will look the same in both cases. When both the Level 1 and Level 2 Summary Group fields are populated, the report will display the top entries for the Level 2 field for each of the top entries for the Level 1 field. For example, if User is dragged to the Level 1 Summary Group and Domain is dragged to the Level 2 Summary Group, and 5 is selected in the Top drop-down list, the generated report will display the top five domains visited by each of the top five users. To configure a summary report:
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report type you want.
2. In the Report Layout region of the Template Section of the Custom Report page, select the Summary Report tab.
3. In the Top drop-down list, select the number of entries to be displayed in the report.
4. In the Summary Base drop-down list, select one of the choices to use when determining which are the top elements in the selected field.
5. To specify the field for the Level 1 Summary Group, click and drag the desired field from the list on the left to the Level 1 Summary Group field, and then release your mouse button to drop the field into position. The filter operator and input field are displayed next to the field name.
6. To specify the field for the Level 2 Summary Group, click and drag the desired field from the list on the left to the Level 2 Summary Group field, then release your mouse button to drop the field into position. The filter operator and input field are displayed next to the field name.
7. To specify a filter operator and filter value for a Summary Group, select the operator from the drop-down list next to the field and type a filter value into the input field to the right of the operator.
8. To change the settings back to the defaults, click Reset at the bottom of the Template Section. Note that this will change the Date/Time region as well as the Report Layout region back to default settings.
Filter Operators
When configuring the Report Layout on either the Detailed Report tab or the Summary Report tab, you can specify filter values to be matched in the database during report generation. Depending on the selected field type, text string or numeric, several filter operators are available. The filter operators are used with a filter input value to determine which data should be included in the report. The operators are defined as shown in Table 15.
Table 15 Filter Operators

Equals - Only data that exactly matches the filter input text will be included in the report
Starts with - Data that begins with the input text will be included in the report
Ends with - Data that ends with the input text will be included in the report
Contains - Data that contains the input text will be included in the report
= - Only data that exactly matches the filter input numerical value will be included in the report
> - Data values that are greater than the input numerical value will be included in the report
>= - Data values that are greater than or equal to the input numerical value will be included in the report
<= - Data values that are less than or equal to the input numerical value will be included in the report
< - Data values that are less than the input numerical value will be included in the report
!= - Data values that are not equal to the input numerical value will be included in the report
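The filter operators above, the Detailed Report behaviour (every row filters, a row with the Eye closed filters without becoming a column, and Sort by orders the result) and the Summary Report's Top-N with Level 1 and Level 2 Summary Groups are easiest to understand when run against a handful of records. The Python below is an added example, not SonicWALL GMS code: it models those behaviours over an in-memory list that stands in for the raw syslog database. The records, user names, domains and byte counts are constructed; Source IP and Destination IP are left out; and case-insensitive text matching is an assumption, since the page does not say how GMS compares text.

```python
"""Filter operators, Detailed Report rows and Summary Report grouping, modelled
over constructed records.

Added example, not SonicWALL GMS code: it reproduces the behaviour the Custom
Report page describes (Table 14/15 operators, the Eye toggle, Sort by, Top-N
with Level 1/Level 2 Summary Groups) on an in-memory list that stands in for
the raw syslog database. Case-insensitive text matching is an assumption; the
page does not state how GMS compares text.
"""
from collections import Counter

# Internet Activity fields used here. Source/Destination IP are omitted.
FIELDS = ("Date/Time", "User", "Domain", "Full URL", "Category", "Protocol",
          "Received Traffic", "Transmitted Traffic")

# Constructed sample rows (names, domains and byte counts are invented).
_RAW = [
    ("2010-03-30 09:01:10", "alice", "example.com", "http://www.example.com/a", "Business", "tcp/http", 4000, 500),
    ("2010-03-30 09:05:00", "alice", "example.com", "http://cdn.example.com/b.png", "Business", "tcp/http", 9000, 200),
    ("2010-03-30 09:07:30", "bob", "casino.example", "http://casino.example/play", "Gambling", "tcp/http", 2500, 300),
    ("2010-03-30 09:09:00", "alice", "news.example", "http://news.example/top", "News", "tcp/http", 1500, 100),
    ("2010-03-30 09:12:45", "bob", "example.com", "http://www.example.com/a", "Business", "tcp/http", 4000, 500),
    ("2010-03-30 09:15:00", "carol", "files.example", "ftp://files.example/x", "Business", "tcp/ftp", 60000, 900),
]


def _record(row):
    rec = dict(zip(FIELDS, row))
    rec["Total Traffic"] = rec["Received Traffic"] + rec["Transmitted Traffic"]
    return rec


RECORDS = [_record(r) for r in _RAW]
NUMERIC_FIELDS = ("Received Traffic", "Transmitted Traffic", "Total Traffic")

# Table 15: text operators for string fields, comparison operators for byte counts.
TEXT_OPS = {
    "Equals": lambda v, x: v.lower() == x.lower(),
    "Starts with": lambda v, x: v.lower().startswith(x.lower()),
    "Ends with": lambda v, x: v.lower().endswith(x.lower()),
    "Contains": lambda v, x: x.lower() in v.lower(),
}
NUM_OPS = {
    "=": lambda v, x: v == x, "!=": lambda v, x: v != x,
    ">": lambda v, x: v > x, ">=": lambda v, x: v >= x,
    "<": lambda v, x: v < x, "<=": lambda v, x: v <= x,
}


def matches(rec, field, op, value):
    """Apply one Filter cell; a blank value (or Category's default All) means no filter."""
    if value in ("", None) or (field == "Category" and value == "All"):
        return True
    if field in NUMERIC_FIELDS:
        return NUM_OPS[op](rec[field], int(value))
    return TEXT_OPS[op](rec[field], value)


def detailed_report(records, rows, sort_by="Date/Time"):
    """rows: list of (field, operator, value, visible).

    Every row filters; a row with the Eye closed (visible=False) still filters but
    is not emitted as a column, e.g. Protocol / Equals / tcp/http hidden because
    the column would read the same on every line. Results are ordered by 'sort_by'.
    """
    hits = [r for r in records if all(matches(r, f, op, v) for f, op, v, _ in rows)]
    hits.sort(key=lambda r: r[sort_by])
    columns = [f for f, _, _, visible in rows if visible]
    return [tuple(r[c] for c in columns) for r in hits]


def summary_report(records, top, base, level1, level2=None):
    """Top-N values of 'level1' ranked by the summed Summary Base 'base'.

    With a Level 2 group, each top Level 1 entry maps to the top-N Level 2 values
    within it, e.g. the top five domains visited by each of the top five users.
    Without one, each entry maps to its own total (Level 1 alone and Level 2 alone
    give the same report, as the page says).
    """
    totals = Counter()
    for r in records:
        totals[r[level1]] += r[base]
    result = {}
    for key, total in totals.most_common(top):
        if level2 is None:
            result[key] = total
            continue
        inner = Counter()
        for r in records:
            if r[level1] == key:
                inner[r[level2]] += r[base]
        result[key] = inner.most_common(top)
    return result


if __name__ == "__main__":
    rows = [("Protocol", "Equals", "tcp/http", False),   # Eye closed: filter only
            ("User", "Equals", "", True),
            ("Total Traffic", ">", "3000", True)]
    print(detailed_report(RECORDS, rows))
    print(summary_report(RECORDS, 2, "Total Traffic", "User", "Domain"))
```

The first call reproduces the page's own Eye example: the Protocol row narrows the result to HTTP but contributes no column, so the output has only the User and Total Traffic columns. The second call is the page's User/Domain case with Top set to 2, and shows why the Summary Base matters: ranking by Total Traffic puts a single large FTP transfer ahead of a user with many small Web requests.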
Custom Reports are available at the unit level and Log Viewer must be enabled for the appliance. For information about enabling Log Viewer, see Viewing the Log on page 831.
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report you want.
2. In the Date/Time region of the Template Section, specify the time period that the report will cover. For detailed information and instructions, see Configuring the Date and Time for Custom Reports on page 702.
3. In the Report Layout region of the Template Section, specify the contents and appearance of the report. For detailed information and instructions, see Configuring the Report Layout and Generating the Report on page 704.
4. Click Generate Report to create the report using the specified configuration.
In a Detailed Report, shown below, the selected report fields are displayed as column headings. You can click on any column heading to sort that page by the values in the column that you click. Click again to toggle between ascending and descending order on that page. When you navigate away from that page and then come back using the pagination controls, the page reverts to the original sorting order as specified in the Sort by field of the Template Section before generating the report.
In a Summary Report, the Report Section displays the traffic volume as horizontal bar charts. This lets you see the information at a glance, such as who consumed the most bandwidth and which domains they visited the most.
You can click on a bar in the chart to pop up detailed information, just like the detailed report with all of the columns for all fields. The report lists details about this Summary Group field only. For example, in the Internet Activity report, if the Summary Group contains the User field and you click on a bar for one of the top users, the report displays the date and time of all Internet activity for the user, and includes data for every field available for detailed reports. A scroll bar is provided along the bottom of the Detailed Information window to allow viewing of all eight fields plus the date and time column.
1. In the Report Section in the upper right corner, click the Save Template button.
2. In the popup dialog box, type in a descriptive name for the template, up to 40 characters. The number of remaining characters allowed in the name is displayed below the input field and changes as you type. Click Save. If you are in a Full Mode display of the Report Section, you can verify that the template has been saved by changing back to Split Mode and viewing the contents of the Template drop-down list.
3. SonicWALL GMS provides access to your saved Custom Report templates on the Dashboard > Summary page for the appliance. See Viewing Custom Reports on the Dashboard on page 696.
Note
Global reports are displayed in the GMS's time zone. Reports for individual SonicWALL security appliances are displayed in the individual appliance's time zone.

Viewing the Status Up-Time Summary Report on page 717
Viewing Status Up-Time Over Time on page 718
Viewing the Status Down-Time Summary Report on page 720
Viewing Status Down-Time Over Time on page 721
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Status tree and click Up-Time Summary. The Up-Time Summary page displays.
4. The bar graph displays the amount of time the SonicWALL appliance(s) were online and functional during each hour of the day. The table contains the following information:
- Hour: when the sample was taken.
- Up Time: number of minutes during the hour that the SonicWALL appliance was up.
5. By default, the GMS Reporting Module shows yesterday's report. To change the date of the report and other settings, click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar or Plot chart
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Status tree and click Up-Time Over Time. The Up-Time Over Time page displays.
4. The bar graph displays the amount of time the SonicWALL appliance(s) were available during each day of the specified time period. The table contains the following information:
- Date: when the sample was taken.
- Up Time: amount of time (in hours) that the SonicWALL appliance was up.
- % of Up Time: percentage of time the SonicWALL appliance was up.
5. The GMS Reporting Module shows yesterday's report. To change the date range of the report and other settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar or Plot chart
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Status tree and click Down-Time Summary. The Down-Time Summary page displays.
4. The bar graph displays the amount of time the SonicWALL appliance(s) were offline and not available during each hour of the day. The table contains the following information:
- Hour: when the sample was taken.
- Down Time: number of minutes during the hour that the SonicWALL appliance was down.
5. By default, the GMS Reporting Module shows yesterday's report. To change the date of the report and other settings, click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar or Plot chart
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Status tree and click Down-Time Over Time. The Down-Time Over Time page displays.
4. The bar graph displays the amount of time the SonicWALL appliance(s) were not available during each day of the specified time period. The table contains the following information:
- Date: when the sample was taken.
- Down Time: amount of time (in hours) that the SonicWALL appliance was down.
- % of Down Time: percentage of time the SonicWALL appliance was down.
5. The GMS Reporting Module shows yesterday's report. To change the date range of the report and other settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar or Plot chart
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Viewing the Bandwidth Summary Report on page 723
Viewing the Top Users of Bandwidth on page 725
Viewing Bandwidth Usage Over Time on page 727
Viewing the Top Users of Bandwidth Over Time on page 729
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Bandwidth tree and click Summary. The Summary page displays.
4. The bar graph displays the amount of bandwidth transferred during each hour of the day. The table contains the following information:
- Hour: when the sample was taken.
- Events: number of events or hits.
- Cost ($): amount of the expense per 100 megabytes. You can configure this in the Cost Per Mega Byte Bandwidth Use field in the Console > Reports > Summarizer screen.
- % of MBytes: percentage of megabytes transferred during this hour, compared to the day. For example, if 1000 megabytes of data was transferred during the day and 100 megabytes was transferred at the 12:00 time period, the % of MBytes field will display 10%.
5. The GMS Reporting Module shows yesterday's report. To change the date of the report and other settings, click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Select the Source and Destination interfaces to view
- If you want to track bandwidth usage in both directions, select the
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected day.
Note
These settings will stay in effect for all summary reports during your active login session.
1. Expand the Bandwidth tree and click Top Users. The Top Users page displays.
2. The pie chart displays the percentage of bandwidth transferred by each user. The table contains the following information:
- Users: the IP address of the user.
- Connections: number of events or hits.
- Cost ($): amount of the expense per 100 megabytes. You can configure this in the Cost Per Mega Byte Bandwidth Use field in the Console > Reports > Summarizer screen.
- % of MBytes: percentage of megabytes transferred by this user, compared to all users. For example, if 1000 megabytes of data was transferred during the day and 200 megabytes was transferred by the top user, the % of MBytes field will display 20%.
3. By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top users. To change the date of the report and other settings, click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
4. When you are finished, click Search. The GMS Reporting Module displays the report for the selected day.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Bandwidth tree and click Over Time. The Over Time page displays.
4. The bar graph displays the amount of bandwidth transferred during each day of the specified time period. The table contains the following information:
- Date: when the sample was taken.
- Connections: number of hits.
- Cost ($): amount of the expense per 100 megabytes. You can configure this in the Cost Per Mega Byte Bandwidth Use field in the Console > Reports > Summarizer screen.
- % of MBytes: percentage of megabytes transferred on this day, compared to the time period. For example, if 100,000 megabytes of data was transferred during the time period and 25,000 megabytes was transferred on one day, the % of MBytes field will display 25%.
5. To change the date range of the report and other settings, use the Search Bar and click the Start or End fields to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Bandwidth tree and click Top Users Over Time. The Top Users Over Time page displays.
4. The pie chart displays the percentage of bandwidth transferred by each user. In the table, % of MBytes is the percentage of megabytes transferred by this user, compared to all users. For example, if 1000 megabytes of data was transferred during this period and 200 megabytes was transferred by the top user, the % of MBytes field will display 20%.
5. The GMS Reporting Module shows yesterday's report. To change the date range of the report and other settings, click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Users
- Rows per Screen
6. To display a limited group of users, enter the user IDs in the Search Bar fields.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected users and date range.
Note
These settings will stay in effect for all similar reports during your active login session.
The procedures for viewing the Services Reports are described in the following section.
Note
You cannot view services reports from the global or group view.
1. Expand the Services tree and click Summary. The Summary page displays.
2. The bar graph displays the amount of bandwidth used by each service during each hour of the day. The table contains the following information:
- Protocol: the service.
- Events: number of events or hits.
- MBytes: number of megabytes.
- % of MBytes: percentage of megabytes transferred by this service on the selected day, compared to all other services. For example, if 10,000 megabytes of data was transferred during the day and 5,000 megabytes were transferred by this service, the % of MBytes field will display 50%.
3. To change the date of the report and other settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar or Plot chart
4. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
Note
These settings will stay in effect for all similar reports during your active login session.
Viewing the Web Usage Summary Report on page 734
Viewing the Top Web Sites on page 736
Viewing the Top Users of Web Bandwidth on page 737
Viewing Web Usage by User on page 739
Viewing Web Usage By Site on page 741
Viewing Web Usage By Category on page 742
Viewing Web Usage Over Time on page 744
Viewing Top Sites Over Time on page 745
Viewing Top Users Over Time on page 747
Viewing Web Usage By User Over Time on page 749
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Web Usage tree and click Summary. The Summary page displays.
4. The bar graph displays the amount of HTTP bandwidth transferred during each hour of the day.
5. The table contains the following information:
- Browse Time: number of hours, minutes, and seconds spent browsing non-job function-related sites on the Internet. Browse Time is calculated as follows:
  (Number Of Pages / Noise Reduction Factor) * Average Browse Time Per Page
  "Number Of Pages" is the number of hits (responses by the Web site to build the page) when a user accesses a Web page (for example, www.sonicwall.com). "Noise Reduction Factor" is the average amount of noise to exclude per page (pop-up links, images, and so on); the factory default is 40. "Average Browse Time Per Page" is the time allocated to read a page. Because Browse Time is derived from the hit count rather than measured, treat it as an estimate. Noise Reduction Factor and Average Browse Time Per Page are configurable directly in the database, but are not exposed in the GMS management interface.
- MBytes: number of megabytes transferred.
- % of MBytes: percentage of megabytes transferred during this hour, compared to the day. For example, if 1000 megabytes of HTTP data was transferred during the day and 100 megabytes was transferred at the 12:00 time period, the % of MBytes field will display 10%.
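The following is an added example, not GMS code: the arithmetic behind the Top Users and Summary tables in the Bandwidth and Web Usage reports (MBytes and % of MBytes per user as a share of all users, Cost from a per-megabyte rate, and the Browse Time formula above) carried out in Python over constructed hit records keyed by the user's IP address, as the report is. The Average Browse Time Per Page value, the cost rate, the record layout and the function names are assumptions of this example; the guide gives only the Noise Reduction Factor default of 40.

```python
"""Top Users style summary from constructed Web access records.

Added example, not GMS code. It reproduces the arithmetic the guide
describes for the Bandwidth and Web Usage reports: MBytes and % of MBytes
per user (the user's share of all users), Cost from a per-megabyte rate,
and the Browse Time estimate
    (Number Of Pages / Noise Reduction Factor) * Average Browse Time Per Page
The per-page browse time and the cost rate are assumptions of this example;
the guide gives only the Noise Reduction Factor default of 40.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

NOISE_REDUCTION_FACTOR = 40          # factory default, per the guide
AVG_BROWSE_TIME_PER_PAGE_SEC = 60.0  # ASSUMPTION: the guide states no default
COST_PER_MB = 0.01                   # ASSUMPTION: Console > Reports > Summarizer setting

# Constructed records (user IP, site, megabytes), one per hit. Not real log data.
# The report keys rows by the client IP address, so that is the user key here.
RECORDS: List[Tuple[str, str, float]] = (
    [("192.0.2.10", "www.sonicwall.com", 2.5)] * 80        # 80 hits, 200 MB
    + [("192.0.2.20", "video.example.net", 12.5)] * 40     # 40 hits, 500 MB
    + [("192.0.2.30", "updates.example.org", 15.0)] * 20   # 20 hits, 300 MB
)


def browse_time_seconds(hits: int,
                        noise_reduction_factor: float = NOISE_REDUCTION_FACTOR,
                        avg_per_page_sec: float = AVG_BROWSE_TIME_PER_PAGE_SEC) -> float:
    """Browse Time as the guide defines it: hits divided by the noise
    reduction factor approximates pages, multiplied by the reading time
    allocated per page. It is an estimate, not measured session time."""
    return (hits / noise_reduction_factor) * avg_per_page_sec


def hms(seconds: float) -> str:
    """Format seconds as H:MM:SS, the way the report shows Browse Time."""
    whole = int(round(seconds))
    hours, rem = divmod(whole, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}:{minutes:02d}:{secs:02d}"


def top_users(records: Iterable[Tuple[str, str, float]], top_n: int = 10) -> List[Dict]:
    """Aggregate per user and return the top_n rows by MBytes, descending."""
    hits: Dict[str, int] = defaultdict(int)
    mbytes: Dict[str, float] = defaultdict(float)
    for user, _site, mb in records:
        hits[user] += 1
        mbytes[user] += mb
    grand_total = sum(mbytes.values())
    if grand_total == 0:   # no traffic at all: nothing to rank, no percentages
        return []
    rows = []
    for user in mbytes:
        rows.append({
            "user": user,
            "hits": hits[user],
            "browse_time": hms(browse_time_seconds(hits[user])),
            "mbytes": mbytes[user],
            "cost": round(mbytes[user] * COST_PER_MB, 2),
            # share of this user's traffic among all users, as in the guide's 20% example
            "pct_mbytes": round(100.0 * mbytes[user] / grand_total, 1),
        })
    rows.sort(key=lambda r: r["mbytes"], reverse=True)
    return rows[:top_n]


if __name__ == "__main__":
    for row in top_users(RECORDS):
        print(row)
```

Two things follow from the arithmetic before you act on such a report: rows are keyed by IP address, so hosts that share an address behind a NAT or proxy are combined into one row, and Browse Time grows linearly with hits, so a page that loads many objects inflates it regardless of how long anyone actually looked at it.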
6. To change the date of the report and other settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Usage tree and click Top Sites. The Top Sites page displays.
4. The pie chart displays the percentage of bandwidth used to access the top sites. The table contains the following information:
- Site: URL or IP address of the site.
- Hits: number of hits.
- MBytes: number of megabytes transferred.
- Category: the Web site category.
- % of MBytes: percentage of megabytes transferred between the appliance and this site, compared to all other HTTP traffic. For example, if 10,000 megabytes of data was transferred during the day and 5,000 megabytes was transferred between the appliance and Ebay, the % of MBytes field will display 50% and you have a problem.
5. To change the date of the report and other settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Sites
- Rows per Screen
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Expand the Web Usage tree and click Top Users. The Top Users page displays.
2. The pie chart displays the percentage of bandwidth transferred by each of the top users. The table contains the following information:
- Users: the IP address of the user.
- Hits: number of hits.
- Browse Time: number of hours, minutes, and seconds spent browsing non-job function-related sites on the Internet.
- % of MBytes: percentage of megabytes transferred by this user, compared to all users. For example, if 1000 megabytes of data was transferred during the day and 200 megabytes was transferred by the top user, the % of MBytes field will display 20%.
3. The GMS Reporting Module shows yesterday's report. To change the date of the report and other settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
4. To display a limited group of users, enter the user IDs in the Search Bar fields.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
5. When you are finished, click Search. The GMS Reporting Module displays the report for the selected day.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Expand the Web Usage tree and click By User. The By User page displays.
2. You can navigate directly from the Web Usage > By User page to a Web Usage > By Site page detailing the information of the site the user has been browsing. Click the Plus sign to the left of the User name or IP address to show details, and then hover the mouse over a site. A sticky tooltip will display with a link to the corresponding site's report page.
3. The GMS Reporting Module shows yesterday's report. To change the date of the report and other settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Number of Users
- Number of Sites per User
- Rows per Screen
4. To display a limited group of users, enter the user IDs in the Search Bar fields.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
5. When you are finished, click Search. The GMS Reporting Module displays the report for the selected day.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Usage tree and click By Site. The By Site page displays.
4. You can navigate directly from the Web Usage > By Site page to a Web Usage > By User page detailing the information of the users who have been browsing the site. Click the Plus sign to the left of the Site to show details, and then hover the mouse over a user. A sticky tooltip will display with a link to the corresponding user's report page.
5. The GMS Reporting Module shows yesterday's report and all Web sites. To change the date of the report or Web sites displayed, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Number of Sites
- Number of Users per Site
- Rows per Screen
6. To display a limited group of sites, enter the sites in the Search Bar fields.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected day.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Expand the Web Usage tree and click By Category. The By Category page displays.
2. The GMS Reporting Module shows yesterday's report and all Web site categories. To change the date of the report or Web site categories displayed, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Items
- Entries per Item
- Rows per Screen
3. When you are finished, click Search. The GMS Reporting Module displays the report for the selected day.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Web Usage tree and click Over Time. The Web Activity page displays.
4. The bar graph displays the amount of HTTP bandwidth transferred during each day of the specified time period. The table contains the following information:
- Date: when the sample was taken.
- Connections: the number of connections or hits.
- Browse Time: number of hours, minutes, and seconds spent browsing non-job function-related sites on the Internet.
- % of MBytes: percentage of megabytes transferred on this day, compared to the time period. For example, if 100,000 megabytes of data was transferred during the time period and 25,000 megabytes was transferred on one day, the % of MBytes field will display 25%.
5. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar or Plot chart
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Expand the Web Usage tree and click Top Sites Over Time. The Top Sites Over Time page displays.
2. The bar graph displays the amount of HTTP bandwidth transferred during each day of the specified time period. The table contains the following information:
- Site: URL or IP address of the site.
- Hits: the number of hits.
- MBytes: the number of megabytes transferred.
- Category: the Web site category.
- % of MBytes: the percentage of megabytes transferred between the appliance and this site, compared to all other HTTP traffic. For example, if 1,000,000 megabytes of data was transferred during the time period and 500,000 megabytes was transferred between the appliance and Ebay, the % of MBytes field will display 50% and you have a problem.
3. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Sites
4. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Usage tree and click Top Users Over Time. The Top Users Over Time page displays.
4. The graph displays the percentage of bandwidth transferred by each of the top users over the specified time period. The table contains the following information:
- Users: the IP address of the user.
- Hits: number of hits.
- Browse Time: number of hours, minutes, and seconds spent browsing non-job function-related sites on the Internet.
- % of MBytes: percentage of megabytes transferred by this user, compared to all users. For example, if 1000 megabytes of data was transferred during the period and 200 megabytes was transferred by the top user, the % of MBytes field will display 20%.
5. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Users
- Rows per Screen
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Usage tree and click By User Over Time. The By User Over Time page displays.
4. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Number of Users
- Number of Sites per User
- Rows per Screen
5. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Usage tree and click By Category Over Time. The By Category Over Time page displays.
4. In the table, % of MBytes is the percentage of megabytes transferred, compared to all users. For example, if 1000 megabytes of data was transferred during the period and 200 megabytes was transferred by the top user, the % of MBytes field will display 20%.
5. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Items
- Entries per Item
- Rows per Screen
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
These settings will stay in effect for all similar reports during your active login session.
Viewing the Web Filter Summary Report on page 752
Viewing the Web Filter Top Sites Report on page 754
Viewing the Top Users that Try to Access Blocked Sites on page 755
Viewing the Blocked Sites for Each User on page 757
Viewing Blocked Sites Sorted By Site on page 758
Viewing Blocked Sites Sorted By Category on page 759
Viewing Blocked Site Attempts Over Time on page 761
Viewing the Top Blocked Site Attempts Over Time on page 762
Viewing the Top Blocked Site Users Over Time on page 763
Viewing Blocked Sites for Each User Over Time on page 764
Viewing Blocked Sites By Category Over Time on page 765
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Web Filter tree and click Summary. The Summary page displays.
4. The bar graph displays the number of blocked sites that users attempted to access during each hour of the day. The table contains the following information:
- Hour: time when the sample was taken.
- Attempts: the number of attempts to access blocked sites.
- % of Attempts: the percentage of attempts during this hour, compared to the day. For example, if 100 attempts occurred during the day and 20 attempts occurred at the 12:00 time period, the % of Attempts field will display 20%.
5. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Filter tree and click Top Sites. The Top Sites page displays.
4. The graph displays the number of access attempts for each of the top twenty blocked Web sites. In the table, % of Attempts is the percentage of attempts to access this blocked site, compared to all other blocked site attempts. For example, if 500 attempts were made during the day and 100 of those attempts were for www.badsite.com, its % of Attempts field will display 20%.
5. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Sites
- Rows per Screen
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Select a SonicWALL appliance.
2. Expand the Web Filter tree and click Top Users. The Top Users page displays.
3. The pie chart displays the top users with the most blocked site attempts. The table contains the following information:
- Users: the IP address of the user.
- Attempts: the number of attempts.
- Category: the Web site category.
- % of Attempts: percentage of attempts to access the blocked site, compared to all other user attempts. For example, if 500 attempts were made during the day and 250 of those attempts were made by a single user, that user's % of Attempts field will display 50%.
4. By default, GMS Reporting shows yesterday's report, a pie chart, and the ten top users. To change these settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Users
- Rows per Screen
5. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Filter tree and click By User. The By User page displays.
4. You can navigate directly from the Web Filter > By User page to a Web Filter > By Site page detailing the information of the site the user has been browsing. Click the Plus sign to the left of the User name or IP address to show details, and then hover the mouse over a site. A sticky tooltip will display with a link to the corresponding site's report page.
5. By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top users. To change these settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected settings.
Note
These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Filter tree and click By Site. The By Site page displays.
4. The table contains the following information:
- Category: the Web site category.
5. You can navigate directly from the Web Filter > By Site page to a Web Filter > By User page detailing the information of the users who have been browsing the site. Click the Plus sign to the left of the Site to show details, and then hover the mouse over a user. A sticky tooltip will display with a link to the corresponding user's report page.
6. By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top users. To change these settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Number of Users per Site
- Rows per Screen
7. Search for Web site addresses in the Search Bar fields.
8. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Expand the Web Filter tree and click By Category. The By Category page displays.
2. The table contains the following information:
- % of Attempts: the percentage of attempts to access the blocked site, compared to all other user attempts. For example, if 500 attempts were made during the day and 250 of those attempts were made by a single user, that user's % of Attempts field will display 50%.
3. By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top users. To change these settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
- Display Type: Chart and Table, or Table Only
- Chart Type: Area, Bar, Pie or Plot chart
- Number of Items
- Entries per Item
- Rows per Screen
4. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Web Filter tree and click Over Time. The Over Time page displays.
4. The bar graph displays the number of attempts that were made to access blocked Web sites during each day of the specified time period.
5. The table contains the following information:
• Date: the day when the sample was taken.
• Attempts: the number of attempts to access blocked Web sites.
• % of Attempts: the percentage of attempts to access the blocked site on the day, compared to the time period. For example, if 5,000 attempts were made during the time period and 500 were made on one day, its % of Attempts field will display 10%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note: These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Filter tree and click Top Sites Over Time. The Top Sites Over Time page displays.
4. The graph displays the number of access attempts for each of the top blocked Web sites during the specified time period.
5. The table contains the following information:
• Site: the URL or IP address of the site.
• Attempts: the number of attempts.
• Category: the Web site category.
• % of Attempts: the percentage of attempts to access the blocked site, compared to all other blocked site attempts. For example, if 500 attempts were made during the period and 100 of those attempts were for www.badsite.com, its % of Attempts field will display 20%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Sites
• Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Filter tree and click Top Users Over Time. The Top Users Over Time page displays.
4. The pie chart displays the top users with the most blocked site attempts.
• % of Attempts: the percentage of attempts to access the blocked site, compared to all other user attempts. For example, if 500 attempts were made during the period and 250 of those attempts were made by a single user, his % of Attempts field will display 50%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Sites
• Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
3. Expand the Web Filter tree and click By User Over Time. The By User Over Time page displays.
• Web site.
5. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Users
• Rows per Screen
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note: These settings will stay in effect for all similar reports during your active login session.
To view the By Category Over Time report, perform the following steps:
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Web Filter tree and click By Category Over Time. The By Category Over Time page displays.
• site.
• % of Attempts: the percentage of attempts to access the blocked site, compared to all other user attempts. For example, if 500 attempts were made during the period and 250 of those attempts were made by a single user, his % of Attempts field will display 50%.
5. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Items
• Entries per Item
• Rows per Screen
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
• Viewing the FTP Summary Report on page 767
• Viewing the Top FTP Sites By User on page 769
• Viewing FTP Bandwidth Usage Over Time on page 770
• Viewing the Top Users of FTP Bandwidth Over Time on page 772
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the FTP Usage tree and click Summary. The Summary page displays.
4. The bar graph displays the amount of FTP bandwidth transferred during each hour of the day.
5. The table contains the following information:
• Hour: when the sample was taken.
• Events: the number of FTP events.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred during this hour, compared to the day. For example, if 1000 megabytes of FTP data was transferred during the day and 100 megabytes was transferred at the 12:00 time period, the % of MBytes field will display 10%.
6. The GMS Reporting Module shows yesterday's report. To change the date or other report settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
8. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the FTP Usage tree and click By User. The By User page displays.
4. The pie chart displays the percentage of bandwidth used by each user. To view the sites visited by each user, expand the user's site tree (indicated by a + sign).
5. The table contains the following information:
• Users: the IP address of the user.
• Events: the number of FTP Events.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred during this hour, compared to the day. For example, if 1000 megabytes of FTP data was transferred during the day and 100 megabytes was transferred at the 12:00 time period, the % of MBytes field will display 10%.
6. By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top users. To change these settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Users
• Number of Sites per User
• Rows per Screen
Note: The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
9. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
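As an added illustration, not taken from the SonicWALL guide or its software, the following Python script builds the two tables that the FTP Summary and FTP By User procedures above describe from a constructed set of FTP events: an hourly roll-up whose % of MBytes is each hour's share of the day's total, and a per-user roll-up sorted by megabytes with each user's share of the total. The event tuples, IP addresses and byte counts are made up for the example, the ten-user default mirrors the "ten top users" default the guide states, and the guard for a day with no traffic is an assumption about sensible behaviour rather than anything the guide specifies.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample FTP events (not from the guide):
# (timestamp, client IP address, megabytes transferred)
SAMPLE_EVENTS = [
    ("2010-03-01 00:15:00", "10.0.0.5", 300),
    ("2010-03-01 00:45:00", "10.0.0.6", 100),
    ("2010-03-01 12:10:00", "10.0.0.5", 60),
    ("2010-03-01 12:50:00", "10.0.0.7", 40),
    ("2010-03-01 18:30:00", "10.0.0.6", 200),
    ("2010-03-01 18:31:00", "10.0.0.7", 300),
]


def _percent(part, whole):
    """Share of the total as a percentage; 0.0 for an empty day (assumed behaviour)."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def hourly_summary(events):
    """Roll the day's events up by hour: Hour, Events, MBytes, % of MBytes."""
    per_hour = defaultdict(lambda: {"events": 0, "mbytes": 0})
    for ts, _ip, mb in events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        per_hour[hour]["events"] += 1
        per_hour[hour]["mbytes"] += mb
    total = sum(row["mbytes"] for row in per_hour.values())
    return [
        {
            "hour": h,
            "events": per_hour[h]["events"],
            "mbytes": per_hour[h]["mbytes"],
            "pct_mbytes": _percent(per_hour[h]["mbytes"], total),
        }
        for h in sorted(per_hour)
    ]


def top_users(events, limit=10):
    """Roll events up by client IP: Users, Events, MBytes, % of MBytes, largest first."""
    per_user = defaultdict(lambda: {"events": 0, "mbytes": 0})
    for _ts, ip, mb in events:
        per_user[ip]["events"] += 1
        per_user[ip]["mbytes"] += mb
    total = sum(row["mbytes"] for row in per_user.values())
    rows = [
        {
            "user": ip,
            "events": d["events"],
            "mbytes": d["mbytes"],
            "pct_mbytes": _percent(d["mbytes"], total),
        }
        for ip, d in per_user.items()
    ]
    # Tie-break on the address so the order is stable across runs.
    rows.sort(key=lambda r: (-r["mbytes"], r["user"]))
    return rows[:limit]


if __name__ == "__main__":
    print("Hour  Events  MBytes  % of MBytes")
    for row in hourly_summary(SAMPLE_EVENTS):
        print(f"{row['hour']:>4}  {row['events']:>6}  {row['mbytes']:>6}  {row['pct_mbytes']:>11}")
    print("User       Events  MBytes  % of MBytes")
    for row in top_users(SAMPLE_EVENTS):
        print(f"{row['user']:<9}  {row['events']:>6}  {row['mbytes']:>6}  {row['pct_mbytes']:>11}")
```

With the sample data the 12:00 hour carries 100 of the day's 1000 megabytes and therefore shows 10%, the same worked figure the guide uses; the per-user table shows how the "Number of Users" setting maps onto a simple limit on the sorted rows.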
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the FTP Usage tree and click Over Time. The FTP Activity page displays.
4. The bar graph displays the amount of FTP bandwidth transferred during each day of the specified time period.
5. The table contains the following information:
• Date: when the sample was taken.
• Connections: the number of FTP connections.
• MBytes: the number of megabytes transferred.
• % of Usage: the percentage of megabytes transferred during this day, compared to the time period. For example, if 10,000 megabytes of FTP data was transferred during the time period and 2,500 megabytes of FTP data was transferred on one day, the % of Usage field will display 25%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the FTP Usage tree and click By Users Over Time. The By Users Over Time page displays.
• % of MBytes: the percentage of megabytes transferred by this user, compared to all users. For example, if 10000 megabytes of data was transferred during the period and 2000 megabytes was transferred by the top user, the % of MBytes field will display 20%.
5. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
Note: The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
8. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
General bandwidth reports do not always provide a complete picture of network bandwidth usage. If a large amount of mail traffic occurs during peak times, you might want to take some of the following actions:
• Add bandwidth
• Upgrade network equipment
• Ask employees to use compression or transfer large files during non-peak times
• Ask employees to place large files on an FTP site rather than sending them as mail attachments.
Note
• To view a summary of the daily mail usage, see Viewing the Mail Usage Summary Report on page 774.
• To view the users who consume the most mail bandwidth, see Viewing the Top Users of Mail Bandwidth on page 776.
• To view mail usage over a period of time, see Viewing Mail Usage Over Time on page 777.
• To view the users who consume the most mail bandwidth over time, see Viewing the Top Users of Mail Bandwidth Over Time on page 779.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Mail Usage tree and click Summary. The Summary page displays.
4. The bar graph displays the amount of mail sent and received during each hour of the day.
5. The table contains the following information:
• Hour: when the sample was taken.
• Events: the number of mail events.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred during this hour, compared to the day. For example, if 10,000 megabytes of mail was transferred during the day and 1,000 megabytes was transferred at the 12:00 time period, the % of MBytes field will display 10%.
6. The GMS Reporting Module shows yesterday's report. To change the date of the report or the report display settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Mail Usage tree and click Top Users. The Top Users page displays.
4. The pie chart displays the percentage of mail sent and received by the top mail users.
5. The table contains the following information:
• Users: the IP address of the user.
• Events: the number of mail messages sent and received.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred by this user, compared to all users. For example, if 10000 megabytes of data was transferred during the day and 2000 megabytes was transferred by the top user, the % of MBytes field will display 20%.
6. By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top users. To change the date of the report or the report display settings, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Users
• Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Mail Usage tree and click Over Time. The Over Time page displays.
4. The bar graph displays the amount of mail sent and received during each day of the specified time period.
5. The table contains the following information:
• Date: when the sample was taken.
• Connections: the number of mail messages.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred by this user, compared to all users. For example, if 10000 megabytes of data was transferred during the day and 2000 megabytes was transferred by the top user, the % of MBytes field will display 20%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Mail Usage tree and click Top Users Over Time. The Top Users Over Time page displays.
4. The pie chart displays the percentage of mail sent and received by the top mail users.
5. The table contains the following information:
• Users: the IP address of the user.
• Events: the number of mail messages sent and received.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred by this user, compared to all users. For example, if 10,000 megabytes of data was transferred during the period and 2000 kilobytes was transferred by the top user, the % of MBytes field will display 20%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Users
• Rows per Screen
7. To display a limited group of users, use the Search Bar fields. The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
9. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
• To view a summary of the daily VPN bandwidth usage, see Viewing the VPN Usage Summary Report on page 781.
• To view the users who consume the most VPN bandwidth, see Viewing the Top VPN Users on page 783.
• To view VPN bandwidth usage over a period of time, see Viewing VPN Usage Over Time on page 784.
• To view the users who consume the most VPN bandwidth over time, see Viewing VPN Usage Over Time on page 784.
• To view the users who consume the most VPN bandwidth over time, see Viewing the Top VPN Users Over Time on page 785.
• To view VPN usage by policy, see Viewing VPN Usage By Policy on page 787.
• To view VPN usage by policy over time, see Viewing the Top VPN Policies Over Time on page 788.
• To view hourly VPN usage by policy, see Viewing Hourly VPN Usage By Policy on page 789.
• To view VPN services usage, see Viewing the VPN Services Summary Report on page 790.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the VPN Usage tree and click Summary. The Summary page displays.
4. The bar graph displays the number of VPN connections made during each hour of the day.
5. The table contains the following information:
• Hour: when the sample was taken.
• Events: the number of mail events.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred by this user, compared to all users. For example, if 10,000 megabytes of data was transferred during the period and 2000 kilobytes was transferred by the top user, the % of MBytes field will display 20%.
6. The GMS Reporting Module shows yesterday's report. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the VPN Usage tree and click Top Users. The Top Users page displays.
4. The pie chart displays the VPN connections for the top VPN users.
5. The table contains the following information:
• Users: the IP address of the user.
• Connections: the number of VPN connections.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred by this user, compared to all users. For example, if 10,000 megabytes of data was transferred during the period and 2000 kilobytes was transferred by the top user, the % of MBytes field will display 20%.
6. By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top users. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date. These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the VPN Usage tree and click Over Time. The Over Time page displays.
4. The bar graph displays the number of VPN connections made during each day of the specified time period.
5. The table contains the following information:
• Date: when the sample was taken.
• Connections: the number of connections.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred by this user, compared to all users. For example, if 10,000 megabytes of data was transferred during the period and 2000 kilobytes was transferred by the top user, the % of MBytes field will display 20%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
3. Expand the VPN Usage tree and click Top Users Over Time. The Top Users Over Time page displays.
4. The pie chart displays the VPN connections for the top VPN users.
5. The table contains the following information:
• Users: the IP address of the user.
• Connections: the number of VPN connections.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred by this user, compared to all users. For example, if 10,000 megabytes of data was transferred during the period and 2000 kilobytes was transferred by the top user, the % of MBytes field will display 20%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Users
• Rows per Screen
8. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the VPN Usage tree and click By Policy. The By Policy page displays.
4. The pie chart displays the amount of data transferred for each policy.
5. The table contains the following information:
• Policy: the name of the policy.
• Events: the number of VPN events.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred for this policy, compared to all other policies. For example, if a total of 10,000 megabytes was transferred and 2,500 megabytes was transferred for one policy, the % of Usage field will display 25%.
6. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Items
• Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the VPN Usage tree and click By Policy Over Time. The By Policy Over Time page displays.
4. The pie chart displays the VPN connections for the top policies.
5. The table contains the following information:
• Policy: the name of the policy.
• Events: the number of VPN events.
• MBytes: the number of megabytes transferred.
• % of MBytes: the percentage of megabytes transferred for this policy, compared to all other policies for the period. For example, if a total of 100,000 megabytes was transferred and 3,000 megabytes was transferred for one policy, the % of MBytes field will display 3%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Items
• Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
3. Expand the VPN Usage tree and click By Policy Hourly. The By Policy Hourly page displays.
5. The GMS Reporting Module shows yesterday's report. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
• Hour Begin
• Hour End
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
3. Expand the VPN Usage tree and click By Service. The By Service page displays.
4. The bar graph displays the amount of bandwidth used by each service during each hour of the day.
5. The table contains the following information:
• Protocol: the service.
• Events: the number of events or hits.
• MBytes: the number of megabytes.
• % of MBytes: the percentage of megabytes transferred by this service on the selected day, compared to all other services. For example, if 1,000 megabytes were transferred and 900 megabytes were handled by the HTTP service, the % of MBytes field will display 90%.
6. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
9. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date. These settings will stay in effect for all similar reports during your active login session.
• To view a summary of the attacks, see Viewing the Attack Summary Report on page 792.
• To view the attacks by attack category, see Viewing the Attacks By Category on page 794.
• To view the attacks by source IP address, see Viewing the Errors Report on page 795.
• To view a summary of the errors and exceptions, see Viewing the Errors Report on page 795.
• To view attacks over a period of time, see Viewing Attack Reports Over Time on page 797.
• To view errors and exceptions over a period of time, see Viewing Errors Over Time on page 799.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Attacks tree and click Summary. The Summary page displays.
4. The bar graph displays the number of attacks attempted during each hour of the day. The table contains the following information:
• Hour: when the sample was taken.
• Attacks: the number of attack attempts.
• % of Attacks: the percentage of attacks during this hour, compared to the day. For example, if 1,000 attacks occurred during the day and 100 attacks occurred during the 2:00 time period, the % of Attacks field will display 10%.
5. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Attacks tree and click By Category. The By Category page displays.
4. The pie chart displays the percentage of each type of attack. To view source and destination information on the individual attacks, expand the category tree (indicated by a + sign). The table contains the following information:
• Type: the type of attack
• Source: the IP address of the source
• Destination: the IP address of the destination
• Attacks: the number of attacks
• % of Attacks: the percentage of this type of attack, compared to all other attack types. For example, if 5,000 attacks occurred during the day and the IP Spoof makes up 500 of the attacks, its % of Attacks field will display 10%.
5. Click the highlighted source or destination IP address to access the Whois Source Website.
6. By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top categories. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Items
• Entries per Item
• Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date. These settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Attacks tree and click Errors. The Errors page displays.
4. The bar graph displays the packets that were dropped during each hour of the day.
5. The table contains the following information:
• Hour: when the sample was taken.
• Packets: the number of dropped packets.
• % of Packets: the percentage of packets dropped during this hour, compared to the day. For example, if 1,000 packets were dropped during the day and 100 packets were dropped during the 1:00 time period, the % of Packets field will display 10%.
6. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Attacks tree and click Attacks Over Time. The Attacks Over Time page displays.
4. The bar graph displays the number of attacks attempted each day of the time period.
5. The table contains the following information:
• Date: when the sample was taken.
• Attacks: the number of attacks.
• % of Attacks: the percentage of attacks on this day, compared to the time period. For example, if 10,000 attacks occurred during the time period and 1,000 attacks occurred on Thursday, its % of Attacks field will display 10%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Attacks tree and click Categories Over Time. The Categories Over Time page displays.
4. The bar graph displays the number of attacks attempted each day of the specified time period. To view source and destination information on the individual attacks, expand the category tree (indicated by a + sign). The table contains the following information:
• Type: the type of attack
• Source: the IP address of the source
• Attacks: the number of attacks
• % of Attacks: the percentage of this type of attack, compared to all other attack types. For example, if 5,000 attacks occurred during the day and the IP Spoof makes up 500 of the attacks, its % of Attacks field will display 10%.
5. Click the highlighted source or destination IP address to access the Whois Source Website.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
• Display Type: Chart and Table, or Table Only
• Chart Type: Area, Bar, Pie or Plot chart
• Number of Items
• Entries per Item
• Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Click the Reports tab. Select the global icon, a group, or a SonicWALL appliance.
799
3.
Expand the Attacks tree and click Errors Over Time. The Dropped Packets & Exceptions page displays.
4. The bar graph displays the number of packets that were dropped during each day of the specified time period.
5. The table contains the following information:
Date: when the sample was taken.
Dropped Packets: the number of dropped packets.
% of Errors: the percentage of dropped packets on this day, compared to the time period. For example, if 10,000 packets were dropped during the time period and 1,000 packets were dropped on Wednesday, its % of Errors field will display 10%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
If the selected appliance is not licensed for SonicWALL Gateway Anti-Virus, a sample report is displayed, as shown below. You can click the Click Here link near the top to view the global dashboard report showing all viruses and similar attacks currently being monitored by SonicWALL, or click the link at the bottom of the page to read detailed information about SonicWALL Gateway Anti-Virus and other subscription services.
To view the top virus, see Viewing the Top Viruses By Attack Attempts Report on page 803.
To view the virus attacks by top destinations, see Viewing the Virus Attack Attempts Report on page 804.
To view virus attacks over time, see Viewing the Virus Attack Attempts Report on page 804.
To view virus attacks over a period of time, see Viewing the Virus Attacks By User Report on page 806.
To view virus attacks by top destinations over time, see Viewing Anti-Spyware Reports on page 807.
9. Expand the Virus Attacks tree and click Summary. The Summary page displays.
10. The bar graph displays the number of virus attacks attempted during each
device during a pre-set time interval (the hour of the day is the default).
% of Attempts: the percent of attempts the current virus entry comprises as a portion of the aggregate number of virus attempts on the device during a pre-set time interval (the hour of the day is the default).
11. The GMS Reporting Module shows yesterday's report. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar or Plot chart
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Virus Attacks tree and click By Virus. The Top Viruses By Attack Attempts page displays.
4. The pie chart displays the percentage of virus attacks attempted in a given day.
5. The table contains the following information:
Virus: the name of the virus.
Attempts: the number of attack attempts.
SonicWALL GMS 6.0 Administrators Guide
The GMS Reporting Module shows yesterday's report. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar, Pie or Plot chart
Number of Items
Entries per Item
Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Virus Attacks tree and click Over Time. The Virus Attack Attempts page displays.
4. The bar graph displays the number of virus attempts that were made during each day over a specified time period.
5. The table contains the following information:
Date: the date when the sample was taken.
Attempts: the number of attempted virus attacks.
% of Attempts: the percentage of attempted virus attacks in a day compared to the time period. For example, if 5,000 attempts were made during the time period and 500 were made on one day, its % of Attempts field will display 10%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Virus Attacks tree and click By Viruses Over Time. The Virus Attacks By User page displays.
4. The pie chart displays the percentage of virus attacks attempted in a given day.
5. The table contains the following information:
Virus: the name of the virus.
Attempts: the number of attack attempts.
% of Attempts: the percentage of attempts compared to the day.
6. The GMS Reporting Module shows yesterday's report. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar, Pie or Plot chart
Number of Items
Entries per Item
Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
environment. Network administrators can create global policies between security zones and group attacks by priority, simplifying deployment and management across a distributed network. If the selected appliance is not licensed for SonicWALL Anti-Spyware, a sample report is displayed, as shown below. You can click the Click Here link near the top to view the global dashboard report showing all spyware and similar attacks currently being monitored by SonicWALL, or click the link at the bottom of the page to read detailed information about SonicWALL Anti-Spyware and other subscription services.
Viewing a Spyware Summary on page 809
Viewing Spyware Attempts By Category on page 810
Viewing Spyware Attempts Over Time on page 811
Viewing Spyware Attempts By Category Over Time on page 813
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Anti-Spyware tree and click Summary. The Summary page displays.
4. The bar graph displays the number of spyware attacks attempted during each hour of the day.
5. The table contains the following information:
Hour: the hour of the day for which the summary is provided.
Attempts: the number of times the spyware attempted to infect the device during a pre-set time interval (the hour of the day is the default).
% of Attempts: the percent of attempts the current spyware entry comprises as a portion of the aggregate number of spyware attempts on the device during a pre-set time interval (the hour of the day is the default).
6. The GMS Reporting Module shows yesterday's report. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
This page displays the number of spyware attempts that occurred during two-hour intervals during the past day.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Anti-Spyware tree and click By Category. The By Category page displays.
4. The pie chart displays the percentage of spyware attempts by category.
5. The table contains the following information:
Category: the category of the spyware.
Attempts: the number of times the spyware attempted to infect the
comprises as a portion of the aggregate number of spyware attempts using the category as a criterion.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar, Pie or Plot chart
Number of Items
Entries per Item
Rows per Screen
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Anti-Spyware tree and click Over Time. The Over Time page displays.
4. The bar graph displays the number of spyware attempts that were made during each day over a specified time period.
5. The table contains the following information:
Date: the date for which the summary is provided.
Attempts: the number of times the spyware attempted to infect the
comprises as a portion of the aggregate number of spyware attempts on the device during a pre-set time interval.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Anti-Spyware tree and click By Category Over Time. The By Category Over Time page displays.
4. The pie chart displays the percentage of spyware attempts by category. The table contains the following information:
Category: the category of the spyware.
Attempts: the number of times the spyware attempted to infect the
comprises as a portion of the aggregate number of spyware attempts on the device during a pre-set time interval.
5. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
6.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith or john42.
8. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
If the selected appliance is not licensed for SonicWALL Intrusion Prevention Service, a sample report is displayed, as shown below. You can click the Click Here link near the top to view the global dashboard report showing all intrusions and similar attacks currently being monitored by SonicWALL, or click the link at the bottom of the page to read detailed information about SonicWALL Intrusion Prevention Service and other subscription services.
To view a summary of the attacks, see Viewing the Intrusion Prevention Summary Report on page 816.
To view the attacks by source IP address, see Viewing the Errors Report on page 795.
To view a summary of the errors and exceptions, see Viewing the Errors Report on page 795.
To view attacks over a period of time, see Viewing Attack Reports Over Time on page 797.
To view errors and exceptions over a period of time, see Viewing Errors Over Time on page 799.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Intrusion Prevention tree and click Summary. The Summary page displays.
4. The bar graph displays the number of intrusions attempted during each hour of the day.
5. The table contains the following information:
Hour: when the sample was taken.
Intrusions: the number of intrusion attempts.
% of Intrusions: the percentage of intrusion attempts on this day, compared to the time period. For example, if 10,000 intrusion attempts occurred during the time period and 1,000 intrusion attempts occurred on Thursday, its % of Intrusions field will display 10%.
6. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
3. Expand the Intrusion Prevention tree and click By Category. The By Category page displays.
4. The pie chart displays a list of intrusions attempted by category. The table contains the following information:
Category: the category of the intrusion attempt.
Intrusions: the number of intrusion attempts.
% of Intrusions: the percentage of intrusion attempts as a portion of
5. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings.
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Intrusion Prevention tree and click Intrusions Over Time. The Intrusions Over Time page displays.
4. The bar graph displays the number of intrusions attempted each day of the specified time period.
5. The table contains the following information:
Date: when the sample was taken.
Intrusions: the number of intrusion attempts.
% of Intrusions: the percentage of intrusion attempts on this day, compared to the time period. For example, if 10,000 intrusion attempts occurred during the time period and 1,000 intrusion attempts occurred on Thursday, its % of Intrusions field will display 10%.
6. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar or Plot chart
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Intrusion Prevention tree and click By Category Over Time. The By Category Over Time page displays.
4. The pie chart displays a list of intrusions attempted by category over time. The table contains the following information:
Category: the category of the intrusion attempt.
Intrusions: the number of attempted intrusions during a pre-set time interval.
% of Intrusions: the percentage of intrusion attempts the current intrusion entry comprises as a portion of the aggregate number of intrusion attempts on the device during a pre-set time interval.
5. The GMS Reporting Module shows yesterday's report. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar, or click More Options for report display settings. Under Report Display Settings you can set:
Display Type: Chart and Table, or Table Only
Chart Type: Area, Bar, Pie or Plot chart
Number of Items
Entries per Item
Rows per Screen
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
To view a summary of the daily Application Firewall usage, see Viewing the Application Firewall Summary Report on page 823.
To view Application Firewall usage over time, see Viewing the Application Firewall Over Time Report on page 824.
To view the applications most often intercepted by Application Firewall, see Viewing Application Firewall Top Applications on page 825.
To view the users whose traffic is most often intercepted by Application Firewall, see Viewing Application Firewall Top Users on page 826.
To view the Application Firewall policies that are used the most, see Viewing Application Firewall Top Policies on page 827.
1. Click the UTM tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Application Firewall tree and click Summary. The Summary page displays.
4.
The GMS Reporting Module shows yesterday's report. To change the date of the report, click the Start and End fields to access the drop-down calendars, select the desired dates, and then click Search. The GMS Reporting Module displays the report for the selected day or date range.
1. Click the UTM tab.
2. Select the global icon, a group, or a SonicWALL appliance.
3. Expand the Application Firewall tree and click Over Time. The Over Time page displays.
4.
To change the date of the report, click the Start and End fields to access the drop-down calendars, select the desired dates, and then click Search. The GMS Reporting Module displays the report for the selected date range.
1. Click the UTM tab.
2. Select a SonicWALL appliance.
3. Expand the Application Firewall tree and click Top Applications. The Top Applications page displays.
4.
so on
To change the date of the report, click the Start field to access the drop-down calendar, select the desired date, and then click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the UTM tab.
2. Select a SonicWALL appliance.
3. Expand the Application Firewall tree and click Top Users. The Top Users page displays.
4.
the connection
Connections: number of attempted connections logged (and
To change the date of the report, click the Start field to access the drop-down calendar, select the desired date, and then click Search. The GMS Reporting Module displays the report for the selected date.
3. Expand the Application Firewall tree and click Top Policies. The Top Policies page displays.
4.
To change the date of the report, click the Start field to access the drop-down calendar, select the desired date, and then click Search. The GMS Reporting Module displays the report for the selected date.
Viewing the User Login Report on page 829
Viewing the Administrator Login Report on page 830
Viewing the Failed Login Report on page 830
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Authentication tree and click User Login. The User Login page displays.
4.
5. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar. See Managing Report Settings on page 690.
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Authentication tree and click Admin Login. The Admin Login page displays.
4.
5. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar. See Managing Report Settings on page 690.
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
3. Expand the Authentication tree and click Failed Login. The Failed Login page displays.
4.
5. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start or End field to access the drop-down calendar. See Managing Report Settings on page 690.
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
The Log Viewer displays raw log information for every connection. Depending on the amount of traffic, this can quickly consume a large amount of space in the database. It is highly recommended to be careful when choosing the number of days of information that will be stored. For more information, see Scheduling and Configuring Reports on page 671.
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Log Viewer tree and click Search. The Search page displays.
4. Select Enable Log Viewer and then click Update to turn on collection of raw data in the database and enable viewing of that log data. This can consume a large amount of space in your database. Review your database space constraints before enabling the log viewer. The maximum number of appliances for which Log Viewer can be enabled is controlled on the Console > Reports > Settings page. See Controlling the Number of Appliances with Log Viewer Enabled on page 982.
Note
Custom Reports are available on appliances with Log Viewer enabled. See Using Custom Reports on UTM Appliances on page 699.
5. Under Select Search Criteria, select the date range to view data from in the Start Date and End Date fields.
6. Enter the starting time of events to view in the Start Time field.
7. Enter the ending time of events to view in the End Time field.
8. To limit the report to data originating from specific IP addresses or users, enter the source IP address or user name in the Source IP/User field. To view all IP addresses, enter All.
9. To view log entries for data originating from a particular port, enter the port number in the Source Port field.
10. To limit the report to data going to specific IP addresses or hosts, enter the destination IP address or host name in the Destination IP/Hostname field. To view log entries for data going to all IP addresses, enter All.
11. To view log entries for data going to a particular port, enter the port number in the Destination Port field.
12. Select the type of events to view from the Message Category list box.
13. To limit the report to messages containing a specific text string, enter the text in the Message Text field. Leave the field blank to view all messages.
14. Select the number of entries to display per page from the Results Per Page field.
15. Click Generate Report. The Log Viewer Results page displays.
16. Search through the entries to find the information for which you are
17. To generate another report, click Search again in the Log Viewer tree.
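As an added illustration (not SonicWALL code and not the GMS Log Viewer's own implementation), the Python below applies the search criteria from steps 5 through 14 to a handful of constructed log records: All, a blank Message Text and an unset port mean no filter, the time window is inclusive, and the hits are split into pages as the Results Per Page field would. The field names, the record layout and the sample records are assumptions made for the example.

```python
"""Added example (not SonicWALL code): applies the Log Viewer search
criteria from steps 5-14 to constructed syslog-style records and pages the
hits as the Results Per Page field would."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import List, Optional


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    src_ip: str
    user: str
    src_port: int
    dst_ip: str
    dst_host: str
    dst_port: int
    category: str
    message: str


@dataclass
class SearchCriteria:
    """Mirrors the Select Search Criteria fields; values are typed as in the UI."""
    start_date: str                      # YYYY-MM-DD
    end_date: str
    start_time: str = "00:00:00"         # HH:MM:SS, inclusive
    end_time: str = "23:59:59"
    source: str = "All"                  # source IP address or user name
    source_port: Optional[int] = None    # None means any port
    destination: str = "All"             # destination IP address or host name
    dest_port: Optional[int] = None
    category: str = "All"                # Message Category list box
    message_text: str = ""               # blank matches every message
    results_per_page: int = 50


def matches(e: LogEntry, c: SearchCriteria) -> bool:
    """True when a record satisfies every criterion (All, blank or None = no filter)."""
    if not date.fromisoformat(c.start_date) <= e.when.date() <= date.fromisoformat(c.end_date):
        return False
    if not time.fromisoformat(c.start_time) <= e.when.time() <= time.fromisoformat(c.end_time):
        return False
    if c.source != "All" and c.source not in (e.src_ip, e.user):
        return False
    if c.source_port is not None and e.src_port != c.source_port:
        return False
    if c.destination != "All" and c.destination not in (e.dst_ip, e.dst_host):
        return False
    if c.dest_port is not None and e.dst_port != c.dest_port:
        return False
    if c.category != "All" and e.category != c.category:
        return False
    if c.message_text and c.message_text.lower() not in e.message.lower():
        return False
    return True


def search(entries: List[LogEntry], c: SearchCriteria) -> List[List[LogEntry]]:
    """Return the matching records, oldest first, split into pages."""
    hits = sorted((e for e in entries if matches(e, c)), key=lambda e: e.when)
    n = max(1, c.results_per_page)
    return [hits[i:i + n] for i in range(0, len(hits), n)]


def _entry(ts, src_ip, user, sport, dst_ip, dst_host, dport, cat, msg):
    return LogEntry(datetime.fromisoformat(ts), src_ip, user, sport, dst_ip, dst_host, dport, cat, msg)


# Constructed sample records (not taken from any real appliance).
SAMPLE_LOG = [
    _entry("2010-03-14 08:15:00", "10.1.1.5", "jsmith", 51000, "192.0.2.10", "mail.example.com", 25, "Network Access", "Connection Opened"),
    _entry("2010-03-14 09:30:00", "10.1.1.7", "adoe", 51002, "192.0.2.20", "www.example.com", 443, "Network Access", "Connection Opened"),
    _entry("2010-03-14 23:45:00", "10.1.1.5", "jsmith", 51010, "192.0.2.20", "www.example.com", 80, "Attacks", "Possible port scan detected"),
    _entry("2010-03-15 02:00:00", "10.1.1.9", "", 51020, "192.0.2.30", "db.example.com", 3306, "Attacks", "IP spoof dropped"),
    _entry("2010-03-15 10:05:00", "10.1.1.5", "jsmith", 51030, "192.0.2.10", "mail.example.com", 25, "Network Access", "Connection Closed"),
    _entry("2010-03-16 12:00:00", "10.1.1.7", "adoe", 51040, "192.0.2.20", "www.example.com", 443, "Network Access", "Connection Opened"),
]

if __name__ == "__main__":
    crit = SearchCriteria("2010-03-14", "2010-03-15", source="jsmith", results_per_page=2)
    for page_no, page in enumerate(search(SAMPLE_LOG, crit), start=1):
        print(f"--- page {page_no} ---")
        for e in page:
            print(e.when, e.src_ip, e.user, "->", e.dst_host, e.dst_port, e.category, e.message)
```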
SSL-VPN Reporting Overview section on page 835
Using and Configuring SSL-VPN Reporting section on page 837
What is SSL-VPN Reporting? section on page 836
Benefits of SSL-VPN Reporting section on page 836
How Does SSL-VPN Reporting Work? section on page 837
After reading the GMS SSL-VPN Reporting Overview section, you will understand the main steps to be taken in order to create and customize reports successfully.
Custom reports can track events to the minute or second of the day for forensics and troubleshooting
Interactive charts allow drill-down into specific details
Table structure with ability to adjust column width of data grid
Improved report navigation
Report search
Scheduled reports
The raw syslog database required by Custom Reports is not enabled by default, as it is highly resource intensive. This functionality must be enabled per unit in the Reports > Log Viewer screen.
SSL-VPN Reporting supports scheduled reports to be sent on a daily, weekly, or monthly basis to any specified email address.
About Viewing Available SSL-VPN Report Types section on page 837
Configuring SSL-VPN Scheduled Reports section on page 839
Log into your GMS management console. Click the SSL-VPN tab. Click the Reports tab on the top of the screen. The SSL-VPN screen displays the following list of reports:
Node Level reports:
Status
  Summary: uptime by hour for one day
  Over Time: uptime by day for date range
  Down-Time Summary: down-time by hour for one day
  Down-Time Over Time: down-time over 7 days listed by date
Bandwidth
  Summary: total connections listed by hour
  Top Users: connections listed by user
  Over Time: connections listed by date
  Top Users Over Time: connections listed by user for the selected date range
Custom Report
  Resource Activity: source, destination, and other information about resource activity
Resources
  Summary: connections per connection protocol (HTTPS, NetExtender, etc.)
  Top Users: connections listed by user
Authentication
  User Login: user, time, and source of successful authentication, daily. User Login reports now combine admin users with all other users in the same report.
  Failed Login: time and source host of failed logins for one day
Group Level reports:
Bandwidth
  Summary: connections per SSL-VPN appliance
  Over Time: total connections by date for group
On the Reports tab, navigate to Configuration > Scheduled Reports. Click the Add button. The Scheduled Report Configuration form displays. Fill out the fields accordingly. For more information, see the following sections:
Configuring Scheduled Reports on page 671
Scheduling PDF Compliance Reports on page 680
On the Reports tab, navigate to Configuration > Summarizer Settings. The reports that can be summarized for a SSL-VPN appliance are configurable at either group or unit level. The screen displays the configuration appropriate for the level. The report type lists can also be expanded for a detailed description of report content. The report types you can summarize are shown below.
SSL-VPN reports generated in GMS can be exported in PDF format, providing easy online transfer. For more information about the Summarizer and exporting reports in PDF format, see:
Selecting Reports for Summarization on page 675
Configuring Data Storage Settings on page 677
Using Summarize Now on page 989
Scheduling PDF Compliance Reports on page 680
Using and Configuring SSL-VPN Reporting on page 837
Viewing Status Reports section on page 841
Viewing SSL-VPN Bandwidth Reports section on page 845
Using SSL-VPN Custom Reports section on page 851
Viewing SSL-VPN Resources Reports section on page 869
Viewing SSL-VPN Authentication Reports section on page 874
Viewing the SSL-VPN Log section on page 876
Viewing the Status Summary Report section on page 842
Viewing the Status Over Time Report section on page 842
Viewing the Status Down-Time Summary Report section on page 842
Viewing the Status Down-Time Over Time Report section on page 843
Click the Reports tab. Select the global icon, group icon, or an SSL-VPN appliance. Expand the Status tree and click Summary. The Summary page displays.
Click the Reports tab. Select the global icon, group icon, or an SSL-VPN appliance. Expand the Status tree and click Over Time. The Over Time page displays.
1. Click the Reports tab.
2. Select the global icon, a group, or an SSL-VPN appliance.
3. Expand the Status tree and click Down-Time Summary. The Down-Time Summary page displays.
4. The graph displays the amount of time the SSL-VPN appliance(s) were offline and not available during each hour of the day.
5. The table contains the following information:
Hour: when the sample was taken.
Down Time (Mins): number of minutes during the hour that the
6. By default, the GMS Reporting Module shows yesterday's report. To change the date of the report and other settings, click the Start field to access the drop-down calendar.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
To view the Status Down-Time Over Time report, perform the following steps:
1. Click the Reports tab.
2. Select the global icon, a group, or an SSL-VPN appliance.
3. Expand the Status tree and click Down-Time Over Time. The Down-Time Over Time page displays.
4. The graph displays the amount of time the SSL-VPN appliance(s) were not available during each day of the specified time period.
5. The table contains the following information:
Date: when the sample was taken.
Down Time: amount of time (in hours) that the SSL-VPN appliance was down.
6. The GMS Reporting Module shows the past week's report. To change the date range of the report, use the Search Bar and click the Start or End field to access the drop-down calendar.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Viewing SSL-VPN Bandwidth Summary Reports on page 845
Viewing SSL-VPN Top Users of Bandwidth Reports on page 847
Viewing SSL-VPN Bandwidth Usage Over Time Reports on page 848
Viewing SSL-VPN Top Users of Bandwidth Over Time Reports on page 850
1. Click the Reports tab.
2. Select the global icon, a group, or an SSL-VPN appliance.
3. Expand the Bandwidth tree and click Summary. The Summary page displays.
4. The graph displays the number of connections to the SSL-VPN appliance during each hour of the day.
5. The table contains the following information:
Hour: when the sample was taken.
Connections: number of connections to the SSL-VPN appliance
6. The GMS Reporting Module shows yesterday's report. To change the date of the report, click the Start field to access the drop-down calendar.
7. After selecting a date, click Search. The GMS Reporting Module displays the report for the selected day.
Note
The date setting will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select an SSL-VPN appliance.
3. Expand the Bandwidth tree and click Top Users. The Top Users page displays.
4. The pie chart displays the percentage of connections used by each user.
5. By default, the GMS Reporting Module shows yesterday's report, a pie chart for the top six users, and a table for all users.
6. To change the date of the report, click the Start field to access the drop-down calendar.
7. To display a limited number of users, use the Search Bar fields.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
8. When you are finished, click Search. The GMS Reporting Module displays the report for the selected day.
Note
The date setting will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select the global icon, a group, or an SSL-VPN appliance.
3. Expand the Bandwidth tree and click Over Time. The Over Time page displays.
4. The graph displays the number of connections during each day of the specified time period.
5. The table contains the following information:
Date: when the sample was taken
Connections: number of hits
6. To change the date of the report, use the Search Bar and click the Start or End fields to access the drop-down calendar.
7. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date range.
Note
These date settings will stay in effect for all similar reports during your active login session.
1. Click the Reports tab.
2. Select an SSL-VPN appliance.
3. Expand the Bandwidth tree and click Top Users Over Time. The Top Users Over Time page displays.
4. The pie chart displays the percentage of connections used by the top users.
5. The GMS Reporting Module shows yesterday's report.
6. To change the date range of the report, click the Start or End field to access the drop-down calendar.
7. To display a limited group of users, enter the user IDs in the Search Bar fields.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
8. When you are finished, click Search. The GMS Reporting Module displays the report for the selected users and date range.
Note
These settings will stay in effect for all similar reports during your active login session.
The Report Section displays the report and provides controls for pagination, printing, and exporting the report in PDF or CSV format. You can also click the Save Template button in this section if you want to save the settings for this report as a template for reuse later. See the following sections for detailed information:
Toggling Between Split Mode and Full Mode on page 852
Configuring the Date and Time for Custom Reports on page 855
Configuring the Report Layout and Generating the Report on page 858
Generating the Custom Report on page 864
Viewing a Custom Report on page 865
Printing a Page or Exporting the Report as a PDF or CSV File on page 867
Saving the Report Template on page 868
When the Custom Report page is initially displayed for a selected appliance, the Template Section is displayed in Full Mode. Split Mode is available, but the Report Section displays no data until a report has been generated. The image below shows the Custom Report > Resource Activity page with the Template Section displayed in Full Mode.
After generating a report, the page automatically changes to Split Mode and displays the report settings in the Template Section in the top half of the page and the report results in the Report Section in the lower portion. The image below shows the Template Section and Report Section displayed in Split Mode.
At any time, you can change to Full Mode if you want to display either the Template Section or the Report Section individually. From Full Mode, you can easily change back to Split Mode. To toggle between Split Mode and Full Mode:
1. Select a unit for which Log Viewer is enabled, and then navigate to the Custom Report page.
2. On a page that is currently displayed in Full Mode, to change the view to Split Mode, click the <Split Mode> button at the right side of the section heading.
3. On a page that is currently displayed in Split Mode, do one of the following to change to a Full Mode display of either the Template Section or the Report Section:
   - Click the <Full Mode> button to the right of the Template Section heading.
   - Click the <Full Mode> button to the right of the Report Section heading.
Today: Uses log data from the current date, beginning just after midnight.
Yesterday: Uses log data from just after midnight of the previous day, up to and including the most recent log message from the current date.
Week to Date: Uses log data from the current date, plus the seven preceding days.
Month to Date: Uses log data from the same date as the current date in the previous month, up to and including the most recent log message from the current date.
When generating a report with a template containing a dynamic date range setting, the dates used when referencing the log data are relative to the current date. Thus, two reports generated from the same template on different days will provide different results. To select a Dynamic Date Range:
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report type you want.
2. In the Template Section under Date/Time, select the Dynamic Date Range radio button.
3. In the drop-down list, select Today, Yesterday, Week to Date, or Month to Date.
4. For the Start Time, select the hour, minute, and second from the drop-down lists in the Dynamic Date Range row. These settings specify the earliest data to be included in the report, for each day of the date range.
5. For the End Time, select the hour, minute, and second from the drop-down lists. These settings specify the most recent data to be included in the report, for each day of the date range.
6. To change the settings back to the defaults, click Reset at the bottom of the Template Section. Note that this will change the Report Layout region as well as the Date/Time region back to default settings.
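The dynamic ranges described above, worked through as an added example (not SonicWALL code): it turns each choice into the days it covers relative to "now", then applies the per-day Start Time/End Time window to constructed log timestamps. The function names, the clamping of a missing day-of-month, and the default whole-day window are assumptions.

```python
"""Added example, not SonicWALL code: resolves the Dynamic Date Range choices
(Today, Yesterday, Week to Date, Month to Date) to the days they cover, as
defined above, then applies the per-day Start Time/End Time window to
constructed log timestamps. Function names are assumptions."""
from calendar import monthrange
from datetime import date, datetime, time, timedelta


def same_day_previous_month(d: date) -> date:
    """Same day-of-month in the previous month. Assumption (the guide does not
    say): when that day does not exist, e.g. 31 March -> 31 February, clamp
    to the last day of the previous month."""
    year, month = (d.year - 1, 12) if d.month == 1 else (d.year, d.month - 1)
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def resolve_dynamic_range(choice: str, now: datetime):
    """Return (first_day, last_day); both ends are relative to 'now', which is
    why the same template gives different results on different days."""
    today = now.date()
    if choice == "Today":
        return today, today
    if choice == "Yesterday":           # just after midnight yesterday .. now
        return today - timedelta(days=1), today
    if choice == "Week to Date":        # today plus the seven preceding days
        return today - timedelta(days=7), today
    if choice == "Month to Date":       # same date last month .. now
        return same_day_previous_month(today), today
    raise ValueError(f"unknown dynamic date range: {choice!r}")


def in_window(ts: datetime, first_day: date, last_day: date,
              start_time: time, end_time: time, now: datetime) -> bool:
    """True when ts falls on a day of the range, inside that day's
    Start Time..End Time window, and is not later than the newest log message."""
    if ts > now:
        return False
    if not first_day <= ts.date() <= last_day:
        return False
    return start_time <= ts.time() <= end_time


def select_log_entries(entries, choice, now, start_time=time(0, 0, 0),
                       end_time=time(23, 59, 59)):
    """Filter (timestamp, message) pairs the way a template with a dynamic
    range would. The default window covering the whole day is an assumption."""
    first_day, last_day = resolve_dynamic_range(choice, now)
    return [e for e in entries
            if in_window(e[0], first_day, last_day, start_time, end_time, now)]


# Constructed log entries around a month-end boundary.
NOW = datetime(2010, 3, 31, 10, 0, 0)
ENTRIES = [
    (datetime(2010, 2, 27, 9, 15), "resource access (before range)"),
    (datetime(2010, 2, 28, 9, 15), "resource access (first day of range)"),
    (datetime(2010, 3, 24, 18, 30), "resource access (after end time)"),
    (datetime(2010, 3, 30, 8, 45), "resource access (yesterday)"),
    (datetime(2010, 3, 31, 9, 59), "resource access (today)"),
    (datetime(2010, 3, 31, 11, 0), "resource access (after 'now')"),
]

if __name__ == "__main__":
    for choice in ("Today", "Yesterday", "Week to Date", "Month to Date"):
        hits = select_log_entries(ENTRIES, choice, NOW, time(8), time(17))
        print(choice, resolve_dynamic_range(choice, NOW), [m for _, m in hits])
```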
A popup calendar makes it easy to select the Start Date and End Date for the date range, as shown below.
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report type you want.
2. In the Template Section under Date/Time, select the Static Date Range radio button.
3. Click the Start Date field to access the pop-up calendar.
4. Use the navigation arrows near the top of the calendar to change the year or month. Click the << button to move to the previous year, or hold the button to select from a list of years. Click the >> button to move to the next year, or hold the button to select from a list of years. Similarly, click the < or > to move back or ahead by one month, or hold the button to select from a list of months.
5. Click the desired start date in the calendar. This adds the date to the Start Date field and closes the calendar.
6. Click the End Date field to access the pop-up calendar.
7. Use the navigation arrows near the top of the calendar to change the year or month.
8. Click the desired end date in the calendar. This adds the date to the End Date field and closes the calendar.
9. For the Start Time, select the hour, minute, and second from the drop-down lists in the Static Date Range row. These settings specify the earliest data for each day in the date range to be included in the report.
10. For the End Time, select the hour, minute, and second from the drop-down lists. These settings specify the most recent data for each day in the date range to be included in the report.
11. To change the settings back to the defaults, click Reset at the bottom of the Template Section. Note that this will change the Report Layout region as well as the Date/Time region back to default settings.
See the following sections:
Detailed Reports on page 859
Summary Reports on page 862
For information about the Filter operators, see the following section:
Filter Operators on page 863
Detailed Reports
The Detailed Report tab is the default view in the Report Layout region.
For a SSL-VPN Resource Activity report, the Select report field drop-down list contains four data categories that you can add as column headings in the report. The categories are:
- Destination IP: Adds a column containing the IP address of each accessed resource
- Protocol: Adds a column containing the protocol used by the traffic
- Source IP: Adds a column containing the IP address of each system which accessed a resource
- User: Adds a column containing the user ID
To include a field in the report, select a choice from the list and then click Add. When you click Add, a row is populated in the table below, which has three column headings: Field, Filter, and Options.
Note
When you place your mouse cursor over the row, under the Field heading, the cursor changes to a move cursor. You can drag and drop the rows to rearrange the column ordering in the final report.
In the Filter column, two fields are displayed: an operator field and an input field. The operator field is a drop-down list containing the operator choices for the selected report field. See Filter Operators on page 863 for a description of each operator. The input field can be a drop-down list or a standard input field, depending on the selected report field. The operators and input fields are defined in Table 16 for each report field.
Table 16
Operators and Input Fields for Each Data Type

Destination IP
Operators: Equals, Starts with, Ends with, Contains
Input Field: The input field is a standard input field where you can type in the numbers to match, such as 192 or 10.25. Leave the input field blank if you choose not to filter by a certain destination IP address.

Protocol
Operators: Equals, Start with, End with, Contains
Input Field: The input field is a standard input field where you can type in the protocol to match, such as FTP. Leave the input field blank if you choose not to filter by a certain protocol.

Source IP
Operators: Equals, Starts with, Ends with, Contains
Input Field: The input field is a standard input field where you can type in the numbers to match, such as 192 or 10.25. Leave the input field blank if you choose not to filter by a certain source IP address.

User
Operators: Equals, Start with, End with, Contains
Input Field: The input field is a standard input field where you can type in the user ID to match. Leave the input field blank if you choose not to filter by a certain user.
In the Options column, two icons are displayed: an Eye and an X. You can click the Eye to toggle whether the report field on that row will be displayed in the final report. This allows you to filter the report results based on the selected report field and related filter value, but not display the field as a column. When you click on the Eye icon within a row, the eye closes to show that this field will not be displayed in the final report. The filter value will still be used to filter results from the raw syslog database to apply towards the report.

For example, you might specify the following Field/Operator/Filter Value: Protocol/=/http. It would make sense to click the Eye icon to disable the Protocol field from being shown in the report, since it would always just be http and would not add any interesting information to the final report. Contrast this with simply specifying the Protocol field and leaving the Filter Value blank, in which case you would want to enable the Eye so that this column would appear in the report showing a variety of protocols such as udp/dns, tcp/http, udp/ntp, or numbered protocols such as udp/389 (the LDAP protocol) or tcp/445 (MS Server Message Block (SMB) file sharing).

Clicking the X icon under Options deletes the selected report field from the table, so it will not be used to generate the report results nor will it be displayed in the report. Use the X icon instead of the Eye when you do not choose to filter the report results based on the field.
The Detailed Report tab also contains the Sort By drop-down list. The list contains the Date/Time option and any other report fields that you have selected from the eight data types. The choice you select will be used to order the results in the report from the first page to the last. The selection in the left drop-down list is used for the first sorting, then the selection in the right drop-down list is used to sort and group the entries within each group resulting from the first sorting. To configure a detailed report:
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report type you want.
2. In the Report Layout region of the Template Section of the Custom Report page, select the Detailed Report tab.
3. In the Select report field drop-down list, select a data type to include in the report, and then click Add. A row for this field is populated in the table below. Repeat this step to add other fields.
4. Optionally select an operator from the drop-down list under Filter in a table row, and type in or select an input value to be matched when the database is queried. Repeat this step for other rows to add filter values for those fields.
5. To prevent a field from appearing in the final report, click the Eye icon in that row so that the eye appears closed. To allow the field to be displayed in the report, click the closed Eye icon to return it to normal appearance.
6. To delete a field from the table, click the X icon in that row.
7. To sort the report pages by a different field than the default of Date/Time, select the desired field from the Sort by drop-down list.
8. To change the settings back to the defaults, click Reset at the bottom of the Template Section. Note that this will change the Date/Time region and the Report Layout region back to default settings.
Summary Reports
The Summary Report tab is available in the Report Layout region of the Template Section.
The Top drop-down list provides selections for the number of entries to display in the report. For example, if the User field is selected below as a Summary Group, and 5 is selected in the Top drop-down list, the report will provide entries for the top five users. For all Custom Reports, available numbers in the Top drop-down list are 5, 10, 20, 50, and 100.

The Summary Base drop-down list offers a selection of traffic types that will be used to determine the top usage for the selected field. For a SSL-VPN Resource Activity report, the only Summary Base choice is Event Count.

Below the Top and Summary Base fields, you can create one or two Summary Groups from the choices listed on the left side. For a SSL-VPN Resource Activity report, the choices are Destination IP, Protocol, Source IP, or User. To select a field for a Summary Group, simply drag and drop the desired field from the list to either the Level 1 Summary Group or Level 2 Summary Group boxes. When the field name is dragged to one of these, the operator drop-down list and filter input value field are displayed, allowing you to specify values to match when the data is searched. See Filter Operators on page 863 for a description of each operator.

Either the Level 1 Summary Group field or the Level 2 Summary Group field can be used alone; the resulting report will look the same in both cases. When both the Level 1 and Level 2 Summary Group fields are populated, the report will display the top entries for the Level 2 field for each of the top entries for the Level 1 field. For example, if User is dragged to the Level 1 Summary Group and Domain is dragged to the Level 2 Summary Group, and 5 is selected in the Top drop-down list, the generated report will display the top five domains visited by each of the top five users. To configure a summary report:
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report type you want.
2. In the Report Layout region of the Template Section of the Custom Report page, select the Summary Report tab.
3. In the Top drop-down list, select the number of entries to be displayed in the report.
4. In the Summary Base drop-down list, use the default, Event Count.
5. To specify the field for the Level 1 Summary Group, click and drag the desired field from the list on the left to the Level 1 Summary Group field, and then release your mouse button to drop the field into position. The filter operator and input field are displayed next to the field name.
6. To specify the field for the Level 2 Summary Group, click and drag the desired field from the list on the left to the Level 2 Summary Group field, then release your mouse button to drop the field into position. The filter operator and input field are displayed next to the field name.
7. To specify a filter operator and filter value for a Summary Group, select the operator from the drop-down list next to the field and type a filter value into the input field to the right of the operator.
8. To change the settings back to the defaults, click Reset at the bottom of the Template Section. Note that this will change the Date/Time region as well as the Report Layout region back to default settings.
Filter Operators
When configuring the Report Layout on either the Detailed Report tab or the Summary Report tab, you can specify filter values to be matched in the database during report generation. Depending on the selected field type, text string or numeric, several filter operators are available. The filter operators are used with a filter input value to determine which data should be included in the report. The operators are defined as shown in Table 17.
Table 17
Filter Operators

Equals: Only data that exactly matches the filter input text will be included in the report.
Start with: Data that begins with the input text will be included in the report.
End with: Data that ends with the input text will be included in the report.
Contains: Data that contains the input text will be included in the report.
=: Only data that exactly matches the filter input numerical value will be included in the report.
>: Data values that are greater than the input numerical value will be included in the report.
>=: Data values that are greater than or equal to the input numerical value will be included in the report.
<=: Data values that are less than or equal to the input numerical value will be included in the report.
<: Data values that are less than the input numerical value will be included in the report.
!=: Data values that are not equal to the input numerical value will be included in the report.
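To make the operators concrete, here is an added example (not SonicWALL code) that applies Table 17, the Eye toggle from the Detailed Reports section and the Level 1/Level 2 Summary Groups from the Summary Reports section to a few constructed resource-activity records; the record field names (time, user, src, dst, proto) and function names are assumptions.

```python
"""Added example, not SonicWALL code: applies the Table 17 filter operators,
the Eye toggle and the Level 1/Level 2 Summary Groups to constructed
SSL-VPN resource-activity records (field names are assumptions)."""
from collections import Counter
from typing import Callable

# Constructed sample records: the four detailed-report fields plus Date/Time.
RECORDS = [
    {"time": "2010-05-03 08:01:12", "user": "john_smith", "src": "10.25.1.4",
     "dst": "192.168.10.20", "proto": "tcp/http"},
    {"time": "2010-05-03 08:02:40", "user": "john42", "src": "10.25.1.9",
     "dst": "192.168.10.20", "proto": "tcp/http"},
    {"time": "2010-05-03 08:03:05", "user": "big_john", "src": "10.25.2.7",
     "dst": "192.168.10.40", "proto": "tcp/445"},
    {"time": "2010-05-03 08:04:51", "user": "john_smith", "src": "10.25.1.4",
     "dst": "192.168.10.40", "proto": "udp/389"},
    {"time": "2010-05-03 08:05:30", "user": "mary", "src": "172.16.0.3",
     "dst": "192.168.10.20", "proto": "udp/dns"},
    {"time": "2010-05-03 08:06:14", "user": "john_smith", "src": "10.25.1.4",
     "dst": "192.168.10.20", "proto": "tcp/http"},
]

# Table 17: text operators for string fields, comparison operators for numbers.
TEXT_OPS: dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda v, f: v == f,
    "Start with": lambda v, f: v.startswith(f),
    "End with": lambda v, f: v.endswith(f),
    "Contains": lambda v, f: f in v,
}
NUMERIC_OPS: dict[str, Callable[[float, float], bool]] = {
    "=": lambda v, f: v == f, "!=": lambda v, f: v != f,
    ">": lambda v, f: v > f, ">=": lambda v, f: v >= f,
    "<": lambda v, f: v < f, "<=": lambda v, f: v <= f,
}


def matches(value, op, filter_value) -> bool:
    """One filter row. A blank input field means 'do not filter on this field'."""
    if filter_value in (None, ""):
        return True
    if op in TEXT_OPS:
        return TEXT_OPS[op](str(value), str(filter_value))
    if op in NUMERIC_OPS:
        return NUMERIC_OPS[op](float(value), float(filter_value))
    raise ValueError(f"unknown operator: {op!r}")


def detailed_report(records, rows, sort_by="time"):
    """rows: (field, operator, filter_value, visible). A row whose Eye is
    closed (visible=False) still filters the raw data but adds no column."""
    kept = [r for r in records
            if all(matches(r[f], op, fv) for f, op, fv, _ in rows)]
    columns = ["time"] + [f for f, _, _, visible in rows if visible]
    kept.sort(key=lambda r: r[sort_by])
    return [{c: r[c] for c in columns} for r in kept]


def top_n(records, field, n):
    """Event Count summary base: the n most frequent values of a field."""
    return Counter(r[field] for r in records).most_common(n)


def summary_report(records, top, level1, level2=None):
    """level1/level2: (field, operator, filter_value) Summary Groups.
    Returns [(level1 value, count, [(level2 value, count), ...]), ...]."""
    f1, op1, fv1 = level1
    pool = [r for r in records if matches(r[f1], op1, fv1)]
    if level2 is not None:
        f2, op2, fv2 = level2
        pool = [r for r in pool if matches(r[f2], op2, fv2)]
    report = []
    for v1, c1 in top_n(pool, f1, top):
        inner = [r for r in pool if r[f1] == v1]
        report.append((v1, c1, top_n(inner, f2, top) if level2 else []))
    return report


if __name__ == "__main__":
    # Protocol/Equals/tcp/http with the Eye closed: it filters, but adds no column.
    rows = [("proto", "Equals", "tcp/http", False), ("user", "Contains", "john", True)]
    for line in detailed_report(RECORDS, rows):
        print(line)
    print(summary_report(RECORDS, 5, ("user", "Contains", "john"), ("proto", "Equals", "")))
```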
Custom Reports are available at the unit level and Log Viewer must be enabled for the appliance. For information about enabling Log Viewer, see Viewing the SSL-VPN Log on page 876.
1. Select a unit for which Log Viewer is enabled, and then navigate to the page under Custom Report for the report you want.
2. In the Date/Time region of the Template Section, specify the time period that the report will cover. For detailed information and instructions, see Configuring the Date and Time for Custom Reports on page 855.
3. In the Report Layout region of the Template Section, specify the contents and appearance of the report. For detailed information and instructions, see Configuring the Report Layout and Generating the Report on page 858.
4. Click Generate Report to create the report using the specified configuration.
In a Detailed Report, the selected report fields are displayed as column headings. You can click on any column heading to sort that page by the values in the column that you click. Click again to toggle between ascending and descending order on that page. When you navigate away from that page and then come back using the pagination controls, the page reverts to the original sorting order as specified in the Sort by field of the Template Section before generating the report.
In a Summary Report, the Report Section displays the event count as horizontal bar charts. This lets you see the information at a glance, such as who had the most resource activity and which protocols they used the most.
You can click on a bar in the chart to pop up detailed information, just like the detailed report with all of the columns for all fields. The report lists details about this Summary Group field only. For example, if the Summary Group contains the User field and you click on a bar for one of the top users, the report displays the date and time of all resource activity for the user, and includes data for every field available for detailed reports. A scroll bar is provided along the bottom of the Detailed Information window to allow viewing of all four fields plus the date and time column. The Detailed Information window is shown below.
To export the entire report in PDF format, click the PDF icon at the top of the Report Section. A PDF file is generated showing the report results in table format. To export the entire report in Microsoft Excel Comma Separated Value (CSV) format, click the Excel icon at the top of the Report Section. A CSV file is generated showing the report results in spreadsheet format. The PDF can contain a maximum of 10,000 records. If your report contains more than 10,000 records, you can use the Static Date Range fields to adjust the dates and regenerate the report to shorten its length. You can save the PDF or CSV file using any filename and location.
1. In the Report Section in the upper right corner, click the Save Template button.
2. In the popup dialog box, type in a descriptive name for the template, up to 40 characters. The number of remaining characters allowed in the name is displayed below the input field and changes as you type.
3. Click Save. If you are in a Full Mode display of the Report Section, you can verify that the template has been saved by changing back to Split Mode and viewing the contents of the Template drop-down list.
The procedures for viewing the Resources Reports are described in the following sections:
Viewing SSL-VPN Resources Summary Reports on page 869
Viewing SSL-VPN Resources Top Users Reports on page 871
Note
You cannot view resources reports from the global or group view.
3. Expand the Resources tree and click Summary. The Resources Summary page displays.
4. The graph displays the number of connections used by each service or protocol during the day.
5. The table contains the following information:
6. To view the user detail for a particular resource, click the resource slice in the pie chart or the resource name in the table to drill down for this information.
7. To return to the Resources > Summary page, click the Go Back button.
8. To change the date of the report, use the Search Bar and click the Start field to access the drop-down calendar.
9. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
Note
This date setting will stay in effect for all similar reports during your active login session.
To view the Resources Top Users report, perform the following steps:
1. Click the Reports tab.
2. Select a SSL-VPN appliance.
3. Expand the Resources tree and click Top Users. The Top Users page displays.
4. The pie chart displays the percentage of connections used by each user.
5. The table contains the following information for all users:
   - Users: the user name
   - Connections: number of connection events or hits
6. To view the resources by service or protocol used by a particular user, click the user slice in the pie chart or the user name in the table to drill down for this information.
7. To return to the Resources > Top Users page, click the Go Back button.
8. By default, the GMS Reporting Module shows yesterday's report, a pie chart for the top six users, and a table for all users. To change the date of the report, click the Start field to access the drop-down calendar.
9. To display a limited number of users, use the Search Bar fields.
Note
The search bar fields use pattern matching with operators such as contains. For example, john will match john_smith, john42, or big_john.
10. When you are finished, click Search. The GMS Reporting Module displays
Note
The date setting will stay in effect for all similar reports during your active login session.
Viewing SSL-VPN User Login Reports on page 874
Viewing SSL-VPN Failed Login Reports on page 875
1. Click the Reports tab.
2. Select a SSL-VPN appliance.
3. Expand the Authentication tree and click User Login. The User Login page displays.
4.
   - Source Host: the IP address of the user's computer
   - Time: the time that the user logged in
   - Duration: the duration of the user login session
5. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start field to access the drop-down calendar.
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
1. Click the Reports tab.
2. Select a SSL-VPN appliance.
3. Expand the Authentication tree and click Failed Login. The Failed Logins page displays.
4.
   - Duration: not applicable
5. The GMS Reporting Module shows yesterday's report. To change the date of the report, use the Search Bar and click the Start field to access the drop-down calendar.
6. When you are finished, click Search. The GMS Reporting Module displays the report for the selected date.
The Log Viewer displays raw log information for every connection. Depending on the amount of traffic, this can quickly consume a large amount of space in the database. It is highly recommended to be careful when choosing the number of days of information that will be stored. For more information, see Scheduling and Configuring Reports on page 671.
3. Expand the Log Viewer tree and click Search. The Search page displays.
4. Select Enable Log Viewer and then click Update to turn on collection of raw data in the database and enable viewing of that log data. This can consume a large amount of space in your database. Review your database space constraints before enabling the log viewer.
5. Under Select Search Criteria, select the date range to view data from in the Start Date and End Date fields.
6. Enter the starting time of events to view in the Start Time field.
7. Enter the ending time of events to view in the End Time field.
8. To limit the report to data originating from specific IP addresses, enter the source IP address in the Source IP field. To view all IP addresses, enter All.
9. To view log entries for data originating from a particular user, enter the user name in the User field.
10. To limit the report to data going to specific IP addresses or hosts, enter the destination IP address or host name in the Destination IP/Hostname field. To view data for all IP addresses, enter All.
11. Select the type of events to view from the Message Category list box. You can select from the following:
    - All Categories
    - Connections
    - Rejected Connections
    - User Events
    - Unrecognized Events
12. To limit the report to messages containing a specific text string, enter the text in the Message Text field. Leave the field blank to view all messages.
13. Select the number of entries to display per page from the Results Per Page field.
14. Click Generate Report. The Log Search Results page displays.
15. To view the next page of entries, click Next.
16. To generate another report, click Search again in the Log Viewer tree.
Part 4 Monitoring
GMS Navigation Tool section on page 881
VPN Monitor section on page 883
Net Monitor section on page 886
Real-Time Syslog section on page 912
Live Monitoring section on page 913
2. Expand the Tools tree and click GMS Navigation. The GMS Navigation Tool appears with the managed SonicWALL appliances displayed.
The Navigation Tool provides a quick way to locate failed devices within the GMS network. The following describes the meaning of link and device colors:
Device Status
- Yellow Device: device is provisioned
- Blue Device: device is operational
- Red Device: device is down
Link Status
- Dark Blue Link: link is up and managed by Primary Agent
- Light Blue Link: link is up and managed by Standby Agent
Link Thickness
- 1x Thick: link is using management tunnel
- 2x Thick: link is using existing tunnel
- 3x Thick: link is using HTTPS
- Solid: primary management tunnel
- Dashed: standby management tunnel
3. To hide the devices that belong to an Agent, right-click the agent and select Collapse.
4. To view the properties of a SonicWALL appliance, right-click the device and select Properties.
5. To move a device, right-click a device and select Cut. Then, right-click the new agent and select Paste.
Note
Clicking within the Navigation Tool will modify the network view.
6. To open the GMS Navigation Tool in a new window, uncheck the Dock checkbox at the top right section of the screen and click the Show Navigation Tool Window link. The GMS Navigation Tool displays in a new window.
7. To re-enter docked view, close out the undocked window and check the Dock checkbox in the standard GMS Navigation window.
8. When you are finished viewing managed SonicWALL appliances, close the window.
VPN Monitor
The VPN Monitor shows a graphical representation of the VPN network. All devices within the network are displayed and color-coded according to their operational state. To open the VPN Monitor, perform the following steps:
1. Click the Monitor tab.
2. Expand the Tools tree and click VPN Monitor. The VPN Monitor appears with the configured VPN tunnels displayed.
The VPN Monitor provides a quick way to view the status of VPN connections within the GMS network. The following describes the meaning of link and device colors:
Node Status
- Yellow Device: unit is provisioned
- Blue Device: node is operational
- Red Device: node is down
- Black Device: group node
- Dark Gray Device: VPN not enabled
- Purple Device: Non-GMS device
- White Device: expanded tunnel nodes
Link Status
- Blue Link: tunnel is operational
- Red Link: tunnel is down
- Yellow Link: tunnel is pending
- Black Link: tunnel is disabled
- White Link: tunnel status unknown
Link Thickness
- 1x Thick: link not selected
- 2x Thick: link is selected
- Solid: direct tunnel
- Dashed: indirect tunnel
3. To synchronize the status of a tunnel with the Agent, right-click the SonicWALL appliance and select Synchronize Tunnel Status.
4. To show the remote units that belong to a SonicWALL appliance, right-click the agent and select Expand.
5. To hide the remote units, right-click the SonicWALL appliance and select Collapse.
6. To center a SonicWALL appliance and remove all other devices from the display, right-click the SonicWALL appliance and select Center this node.
7. To open the VPN Monitor in a new window, uncheck the Dock checkbox at the top right section of the screen and click the Show VPN Monitor Window link. The VPN Monitor displays in a new window.
8. To re-enter docked view, close out the undocked window and check the Dock checkbox in the standard VPN Monitor window.
9. When you are finished monitoring VPNs, close the window.
Net Monitor
The SonicWALL GMS Net Monitor periodically tests the status of SonicWALL appliances and other network devices. Once configured, it enables you to monitor the status of your network and immediately respond when SonicWALL appliances and other network devices become unavailable. The Net Monitor enables you to categorize different groups of SonicWALL appliances or other network devices. You can categorize them by device type, geography, or any other organizational scheme. Additionally, you can assign devices within each category a high, medium, or low priority. The following graphic shows the main Net Monitor Page.
When you add a new device to monitor, you will be able to select a category, priority level, how often the device is tested, and the type of test that is used. The Net Monitor currently supports five types of tests: Ping, TCP Probe, HTTP, HTTPS and SNMP.
Navigating the Net Monitor UI on page 887
Finding Devices on page 888
Viewing Device Status on page 888
Configuring Preferences on page 889
Finding Devices
GMS NetMonitor gives you the ability to search for devices using the Find feature:
1. Type a search string in the Look For field.
2. You can optionally choose to Match case or to find only the Whole word in your search.
3. Click the Find button to search all views for your search term; results are displayed below.
4. Double-click the device you wish to display and it will be found highlighted in the NetMonitor window.
5. After making an initial search, you can use F3 (find next) and Shift+F3 (find previous) to move easily between found devices without having to keep the Find window open.
Viewing Device Status
1. In the NetMonitor window, select the device(s) you wish to view device status for.
2. In the menu bar, go to Tools > Status.
Configuring Preferences
To configure Net Monitor preferences, perform the following steps:
1. Click the Monitor tab.
2. Expand the Tools tree and click Net Monitor. The Net Monitor screen displays.
4. To view each category on its own page, select Each from the View Type list box. To view all categories on one page, select All.
5. To configure the Net Monitor to automatically refresh the status of monitored devices, select the Enable auto refresh while loading check box and specify the refresh interval.
6. In the Monitor tab of the Preferences window, select a Minimum Severity to Show Alert in Dashboard from the drop-down menu.
7. In the Filters tab, select which devices will be displayed in the Show devices by status area. To view all devices, select the Select All check box.
8. In the Table tab, to view the default table color, select Default. To pick a custom color, select Custom and choose a color from the color selector.
9. When you are finished, click Apply. To cancel and start over, click Cancel.
Defining Categories on page 891
Adding SonicWALL Appliances on page 894
Adding Other Devices on page 898
Defining Categories
To create a new category, perform the following steps:
1. In the Monitor Tool window, select Add Category from the Categories Menu.
3. When you are finished, click Apply. To cancel and start over, click Cancel.
4. Repeat this procedure for each category to add.
Editing Categories
To edit an existing category, perform the following steps:
1. In the Monitor Tool window, select Edit Category from the Categories Menu.
2. Select the category name you want to change from the list.
3. Enter a new name for the selected category in the Name field.
4. When you are finished, click Apply. To cancel and start over, click Cancel.
Deleting Categories
To delete an existing category, perform the following steps:
1. In the Monitor Tool window, select Delete Category from the Categories Menu.
2. From the list provided, select the category name (shift-click for multiple category names) you want to delete.
3. Select the Forcibly delete all devices under category checkbox to delete all devices in this category.
4. To submit the delete request, click Apply. To cancel and start over, click Cancel.
5. A warning message displays. Click Yes to continue and delete this category.
Re-ordering Categories
To change the order of an existing category, perform the following steps:
1. In the Monitor Tool window, select Order Category from the Categories Menu.
2. From the list provided, select the category name you want to move.
3. Click the Move Up or Move Down buttons to change the order of this category.
4. Click Apply to finish. To cancel and start over, click Cancel.
From the Monitor Tool window, select Add GMS Device from the File Menu.
894
Net Monitor
2.
Select a device or group to monitor and click the Add button in the center of the screen. Repeat this step for each device or group to monitor.
3. Click Next. The second page of the Add GMS Device Wizard appears.
4. Select the category to which the SonicWALL appliance(s) will be added from the Use an Existing Category list box. To add the SonicWALL appliance(s) to a new category, enter the category name in the Add a New Category field.
5. Select the priority of the appliance(s) from the Category Priority list box.
6. Select how the SonicWALL appliance(s) will be monitored from the Monitoring Type list box and specify a Port if applicable.
7. If choosing SNMP as the monitoring type, you must enter a Monitor Port, and have the option of configuring the following advanced settings by clicking on the Advanced button:
Community name (default value is public).
Time to retry, in seconds (default value is 0).
Timeout length, in seconds (default value is 5).
Version of SNMP to be used (default value is V2C).
MIB(s) to use for polling information (RFC1213-MIB is the default MIB and cannot be de-selected).
User Name (SNMP v3 only).
Authentication Protocol: select an authentication protocol from the list (SNMP v3 only).
Authentication Password (SNMP v3 only).
Privacy Password (SNMP v3 only).
Context ID (SNMP v3 only).
Context Name (SNMP v3 only).
8. Press the OK button to save SNMP advanced settings.
9. Specify how often the SonicWALL appliance(s) will be tested in the Polling Interval field.
10. Enter the ideal response time (IRT) in the Ideal Response Time field (default: 500 milliseconds). SonicWALL appliances that take between 1 and 1.5 times the IRT will be marked as Slow. SonicWALL appliances that take between 1.5 and 2 times the IRT will be marked as Very Slow.
11. Select the Agent that will perform the testing from the Assign to Monitor list box.
12. Optional. To disable monitoring of the SonicWALL appliance(s), select Disable.
13. To change the icon image that will represent the device(s), click the icon
Note
The process of acquiring a new device may take several minutes. To force acquisition of the device, select the device and go to SNMP > SNMP Re-acquire in the NetMonitor menu bar.
* Custom MIBs may be required for some devices. Custom MIBs allow polling non-SonicWALL or non-standard SNMP-enabled devices, and polling information specific to a certain device based on Manufacturer ID. These MIBs have to be placed in the etc\mibs folder by the GMS Administrator on the Web Server and Monitoring Agent machine(s) in order to use them for probing.
Adding Other Devices
1. From the Monitor Tool window, select Add Non-GMS Device from the File Menu.
2. Enter a name for the device in the Name field and its IP address or hostname in the Host field and click Add. Repeat this step for each device to monitor.
3. Click Next. The second page of the Add Non-GMS Device Wizard displays.
4. Select the category to which the device(s) will be added from the Use an Existing Category list box. To add the device to a new category, enter the category name in the Add a New Category field.
5. Select the priority of the device(s) from the Category Priority list box.
6. Select how the device(s) will be monitored from the Monitoring Type list box.
7. If choosing SNMP as the monitoring type, you must enter a Monitor Port, and have the option of configuring the following advanced settings by clicking on the Advanced button:
Community name (default value is public).
Time to retry, in seconds (default value is 0).
Timeout length, in seconds (default value is 5).
Version of SNMP to be used (default value is V2C).
MIB(s) to use for polling information (RFC1213-MIB is the default MIB and cannot be de-selected).
User Name (SNMP v3 only).
Authentication Protocol: select an authentication protocol from the list (SNMP v3 only).
Authentication Password (SNMP v3 only).
Privacy Password (SNMP v3 only).
Context ID (SNMP v3 only).
Context Name (SNMP v3 only).
8. Press the OK button to save SNMP advanced settings.
9. Specify how often the device(s) will be tested in the Polling Interval field.
10. Enter the ideal response time (IRT) in the Ideal Response Time field (default: 500 milliseconds). Devices that take between 1 and 1.5 times the IRT will be marked as Slow. Devices that take between 1.5 and 2 times the IRT will be marked as Very Slow.
11. Select the Agent that will perform the testing from the Assign to Monitor list box.
12. Optional. To disable monitoring of the device(s), select Disable.
13. To change the icon image that will represent the device(s), click the icon
Note
The process of acquiring a new device may take several minutes. To force acquisition of the device, select the device and go to SNMP > SNMP Re-acquire in the NetMonitor menu bar.
* Custom MIBs may be required for some devices. Custom MIBs allow polling non-SonicWALL or non-standard SNMP-enabled devices, and polling information specific to a certain device based on Manufacturer ID. These MIBs have to be placed in the etc\mibs folder by the GMS Administrator on the Web Server and Monitoring Agent machine(s) in order to use them for probing.
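The SNMP advanced settings in both Add Device wizards above default to SNMP V2C with the community string public, and the Ideal Response Time steps classify probes as Slow or Very Slow by ratio to the IRT. The following Python is an added example, not code from the guide or from SonicWALL GMS: it models those dialog fields, reports what a reviewer would flag before enabling polling (a v1/v2c community is a cleartext, single-factor credential; v3 without authentication or privacy passwords gives correspondingly less), and classifies a measured probe time against the IRT. The SnmpProfile class, the port default of 161, and the status label used beyond 2x IRT are assumptions of this example; the other defaults are the ones the guide lists.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SnmpProfile:
    """Constructed model of the SNMP Advanced settings dialog described above.

    Field names and defaults follow the dialog as the guide lists them;
    the v3 fields are only consulted when version is V3.
    """
    version: str = "V2C"                 # V1, V2C or V3 (guide default: V2C)
    community: str = "public"            # v1/v2c credential (guide default: public)
    monitor_port: int = 161              # assumed default; the guide only says a port is required
    retry_s: int = 0                     # time to retry, seconds (guide default: 0)
    timeout_s: int = 5                   # timeout, seconds (guide default: 5)
    mibs: List[str] = field(default_factory=lambda: ["RFC1213-MIB"])
    user_name: Optional[str] = None      # SNMP v3 only
    auth_protocol: Optional[str] = None  # SNMP v3 only
    auth_password: Optional[str] = None  # SNMP v3 only
    priv_password: Optional[str] = None  # SNMP v3 only


def review_profile(p: SnmpProfile) -> List[str]:
    """Return the findings a reviewer would raise before this profile goes live.

    An empty list means polling is authenticated and encrypted and the
    mandatory MIB is still selected.
    """
    findings: List[str] = []
    version = p.version.upper()
    if version in ("V1", "V2C"):
        findings.append(f"SNMP {version}: the community string travels in cleartext "
                        "and is the only credential the device checks")
        if p.community == "public":
            findings.append("default community 'public' is in use; set a device-specific "
                            "read-only community")
    elif version == "V3":
        if not p.user_name:
            findings.append("SNMPv3 selected but no user name entered")
        if not (p.auth_protocol and p.auth_password):
            findings.append("SNMPv3 without an authentication protocol/password "
                            "(noAuthNoPriv) gives no origin check on polled data")
        elif not p.priv_password:
            findings.append("SNMPv3 authNoPriv: polled data is authenticated but not encrypted")
    else:
        findings.append(f"unknown SNMP version {p.version!r}")
    if "RFC1213-MIB" not in p.mibs:
        findings.append("RFC1213-MIB is mandatory and cannot be de-selected")
    if p.timeout_s <= 0:
        findings.append("timeout must be positive or every poll is reported as failed")
    return findings


def response_status(measured_ms: float, irt_ms: float = 500.0) -> str:
    """Classify a probe round-trip relative to the IRT as the guide describes.

    Below the IRT the device responds normally; 1x to 1.5x is Slow and
    1.5x to 2x is Very Slow. The guide does not name the state beyond 2x,
    so this example reports it as exceeding the window.
    """
    ratio = measured_ms / irt_ms
    if ratio < 1.0:
        return "OK"
    if ratio < 1.5:
        return "Slow"
    if ratio <= 2.0:
        return "Very Slow"
    return "Exceeds 2x IRT"
```

Running review_profile(SnmpProfile()) on the wizard defaults returns two findings (v2c cleartext community and the public community string); a V3 profile with user name, authentication protocol and both passwords returns none.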
Creating a Realtime Monitor or Realtime Monitor Template Using a Dialog
Creating a Realtime Monitor From a Template
Creating a Realtime Monitor or Realtime Monitor Template Using a Dialog
1. Select the device(s) you wish to create a realtime monitor for.
2. In the menu bar, go to SNMP > SNMP Manage Realtime Monitors.
3. Click on the button on the left side of the screen (under Realtime Monitors) to add a new realtime monitor.
4. In the middle of the screen, select your preferences as follows:
Individually: Add OID(s) as individual elements.
As a group: Add multiple similar OIDs as one single element.
Add To: Add OID(s) to an existing element.
Insert At: Add OID(s) as a new element in the specified location.
Append: Append OID(s) to the end of the element list.
5. Add a friendly name for the new monitor in the Monitor Name field.
6. If you wish to save the new monitor as a template for future use, click the Save as template checkbox and add a friendly name for the template.
Note
It is important that the elements present in a Realtime Monitor Template contain OIDs that are present in the devices that the template is applied to. Applying a template which contains irrelevant OIDs can produce unexpected results.
7. Select the Display Type and, for graphs, the Chart Style:
Display Type: Table: Displays data in a tabular format. Graph: Displays data in a graphical format.
Chart Style (used only when display type is set to graph): Plot: Generates graph in plot format. Bar: Generates graph in bar format. Area: Generates graph in area format. Pie: Generates graph in pie format. Line: Generates graph in line format.
8. Navigate to the MIB Tree list and select the OIDs you wish to add.
9. Click the button on the right side of the screen (under MIB Tree) to add the selected MIB(s) to the Elements list.
Tip
Alternate ways of adding a MIB to the Elements list include double-clicking the MIB and dragging and dropping the MIB from the MIB Tree into the Elements list.
10. Enter a friendly name for the element you just added by double-clicking
11. Specify a threshold value for the alert monitor in the Threshold field
Creating a Realtime Monitor From a Template
1. Select the device(s) you wish to create a realtime monitor for.
2. In the menu bar, go to SNMP > SNMP Apply Realtime Monitor Templates.
3. Select the templates (ctrl-click for multiple selections) you wish to use for monitoring the selected device(s).
4. Click the Apply button to create the Realtime Monitor.
1. Select the device(s) you wish to monitor from the GMS NetMonitor main status screen (Ctrl-click for multiple devices).
2. In the menu bar, select SNMP > SNMP Realtime Monitor Status.
3. In the Realtime Monitors window, select one or more nodes to monitor. The appropriate graphs and/or tables will be loaded into the monitoring window on the right side of the screen.
Note
Data in the monitoring windows is refreshed automatically based on the auto-refresh interval specified in NetMonitor Preferences. While you may do a manual refresh of the graphs and charts, it is not necessary to do so.
4. To display historical charts (daily, weekly, monthly) for a node, double-click on the desired realtime graph in the monitoring window on the right side of the screen.
Note
Only one history chart window may be opened at a time. It is possible, however, to display historical charts for multiple nodes by selecting the charts you wish to view with ctrl-click and then clicking the button at the top right side of the screen.
Managing Severity
To configure your Severity settings:
1.
2.
3. Move the new severity to a different priority level by selecting the severity in the list and using the buttons next to it.
4. Change the color of the severity by selecting the severity in the list and clicking the button.
5. To delete a severity, select the severity in the list and click the button.
Note
A severity cannot be deleted if it is being used by one or more threshold elements. In order to delete a severity, you must make sure all corresponding threshold elements are first unassociated with that severity.
Managing Thresholds
Every element in a threshold is assigned an operator, value and severity. These thresholds are used to notify the user when an element reaches a certain severity. To configure your thresholds:
1.
2. Click the button under Threshold and enter a friendly name to add a new threshold.
3. Click the button under Elements to add a new element to the threshold.
4. Configure the Operator, Value and Severity fields in the new element as follows:
Operator: Double-click and choose an operator as a modifier for your value. For numeric values, operator options include ==, !=, >, >=, <, =<. For alphanumeric values, operator options include equals, equals ignore case, not equals, contains, not contains.
Value: Double-click and enter an alpha or numeric value. Numeric values are entered in bytes.
Severity: Double-click and choose a severity from the list to correspond with the operator and value.
The following threshold triggers a Low-level Warning at a value of less than 100000 bytes.
5. Click the Apply button to save your changes. Thresholds are global settings and will be run across all available nodes.
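The threshold element described in step 4 is a triple of operator, value and severity evaluated against polled data, and the figure above shows one such element (less than 100000 bytes raising a Low-level Warning). The following Python is an added example, not code from the guide or from SonicWALL GMS: it implements the numeric and alphanumeric operator sets exactly as the dialog lists them and evaluates a global threshold list against one polling cycle. The element names (ifInOctets, sysDescr), the second threshold and the severity names other than Low-level Warning are constructed for this example.

```python
import operator
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

Value = Union[int, float, str]

# Numeric operators exactly as the Threshold dialog lists them
# ("=<" is the dialog's spelling of less-than-or-equal).
NUMERIC_OPS: Dict[str, Callable[[float, float], bool]] = {
    "==": operator.eq, "!=": operator.ne,
    ">": operator.gt, ">=": operator.ge,
    "<": operator.lt, "=<": operator.le,
}

# Alphanumeric operators, also as listed; "contains" tests the polled string for the value.
ALPHA_OPS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda polled, ref: polled == ref,
    "equals ignore case": lambda polled, ref: polled.lower() == ref.lower(),
    "not equals": lambda polled, ref: polled != ref,
    "contains": lambda polled, ref: ref in polled,
    "not contains": lambda polled, ref: ref not in polled,
}


@dataclass
class ThresholdElement:
    element: str     # friendly name of the monitored element (assumed to map to one OID)
    op: str          # one of NUMERIC_OPS or ALPHA_OPS
    value: Value     # numeric values are in bytes, as the guide states
    severity: str    # a severity defined under Managing Severity


@dataclass
class Threshold:
    name: str
    elements: List[ThresholdElement]


def element_fires(el: ThresholdElement, polled: Value) -> bool:
    """True when the polled sample satisfies the element's operator and value."""
    if el.op in NUMERIC_OPS:
        try:
            return NUMERIC_OPS[el.op](float(polled), float(el.value))
        except (TypeError, ValueError):
            return False   # a non-numeric sample never trips a numeric comparison
    if el.op in ALPHA_OPS:
        return ALPHA_OPS[el.op](str(polled), str(el.value))
    raise ValueError(f"unknown operator {el.op!r}")


def evaluate(thresholds: List[Threshold], samples: Dict[str, Value]) -> List[Tuple[str, str, str]]:
    """Run every threshold against one polling cycle of one node.

    Thresholds are global, so the same list is applied to every node; the
    result lists (threshold name, element, severity) for each element that
    fired. Elements absent from the samples are skipped rather than alerted on.
    """
    fired: List[Tuple[str, str, str]] = []
    for th in thresholds:
        for el in th.elements:
            if el.element in samples and element_fires(el, samples[el.element]):
                fired.append((th.name, el.element, el.severity))
    return fired


# The worked threshold from the figure caption above plus one constructed alphanumeric element.
SAMPLE_THRESHOLDS = [
    Threshold("Low inbound traffic", [
        ThresholdElement("ifInOctets", "<", 100000, "Low-level Warning"),
    ]),
    Threshold("Unexpected platform", [
        ThresholdElement("sysDescr", "not contains", "SonicWALL", "Critical"),
    ]),
]


def run_sample(samples: Dict[str, Value]) -> List[Tuple[str, str, str]]:
    """Evaluate the sample thresholds against one constructed polling result."""
    return evaluate(SAMPLE_THRESHOLDS, samples)
```

A polled ifInOctets of 65000 bytes fires the Low-level Warning element; 150000 does not. A string where a number is expected is treated as a non-match rather than an error, so one unparseable OID cannot stall the rest of the cycle.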
Note
1. In the menu bar, select SNMP > Manage Scheduled Reports.
2. Click the button to add a new report.
3.
4. Enter a description for the report in the Description field.
5. Optionally, you may check Disable this report to disable the current report and save it for future use.
6. Check the Email check box to enable emailing of this report.
7. Enter your SMTP server information in the SMTP server field.
8. Enter a To address, From address, Subject and Body for the email in the appropriate fields.
9. Check the Archive checkbox and enter a location in the Save Directory* field in order to archive this report on disk.
Report Type: Specifies how often the report will be sent out. Daily: Sent every day. Weekly: Sent every week. Monthly: Sent every month.
Specifies the time range a report will cover. Realtime: Reports only the data at the time the report is sent. Hourly: Reports hourly data from the last 24 hours. Daily: Reports daily data from the last 7 days. Monthly: Reports monthly data from the last 12 months.
Generate reports in XML: Sends reports as an XML attachment.
Include all data in a Single report: Includes all reports in a single email, with the option to send reports inline instead of as an attachment.
Zip reports to single file: Will zip all reports into a single zip attachment, with the option to password protect the zip file.
Template Folder Name: The local folder where your template will be saved.**
* If the directory path entered is invalid, the archive will be saved to the default path of [sgms_directory]/Viewpoint/reports.
** This field only requires the folder name to be entered, not the complete path.
11. Select the checkboxes for the realtime monitors you wish to include in this report.
2. In the Monitor tab of the Preferences window, select a Minimum Severity to Show Alert in Dashboard from the drop-down menu.
3. Click the Apply button to save changes.
1. Select the device(s) you wish to configure alerts for from the GMS NetMonitor main status screen by clicking (ctrl-click for multiple devices).
2. In the menu bar, select Tools > Alert Settings.
3. Select the Notify by Email check box to send the SonicWALL GMS administrator(s) email when the status of a device changes.
4. Select the Notify by SNMP Trap check box to generate an SNMP trap when the status of a device changes.
5. Choose to apply settings to Selected Devices or to All Devices.
6. Click the Apply button to save changes.
Create a VPN tunnel to the remote firewall that makes all LAN subnets accessible to the Net Monitor.
Create NAT Policies that allow specific types of traffic through. For example, if TCP Probe is chosen as the monitor type, TCP connections must be allowed to the specified port. If Ping is chosen as the monitor type, ICMP must be allowed.
Real-Time Syslog
The real-time syslog utility enables you to diagnose the system by viewing the syslog messages in real time.
Note
1. Click the Monitor tab.
2. Expand the Tools tree and click Real-Time Syslog. The Real-Time Syslog page appears.
3. If the Syslog Reader is not already running, click Start Syslog Reader.
4. Click the Start button at the bottom of the screen. The Syslog Viewer begins showing the latest syslog entries.
5. To change how many messages are displayed, select a number from the Number of Messages list box at the bottom of the screen.
6. To change how often the Syslog Viewer is refreshed, select the time from the Refresh Time list box at the bottom of the screen.
7. To filter the results on the fly, enter the search terms in the Filter field using regular expressions.
Note
The Real-Time Syslog Viewer uses java.util.regex to support the search feature. For more information on this enhanced search capability, visit <http://java.sun.com/developer/technialArticles/releases/1.4regex/>
8. To stop the viewer, click the Stop button.
Live Monitoring
Live Monitoring lets users monitor a network through the correlation of syslogs received from appliances throughout a deployment. The syslogs are received by the Event Manager Receiver Service, which then feeds them into an Event Correlation Engine. The engine sends the messages through user-defined rules, and if a rule condition is met, the engine forwards the object to be turned into an alert for Live Monitoring.
These alerts are sent to email, traps, other user-defined destinations, and to the new Live Monitoring user interface, if a user is currently monitoring. Viewing alerts in the Live Monitoring interface provides greater flexibility to monitor a network, and to analyze traffic based on protocols, web usage and productivity, or even to detect viruses and attacks in the network.
Click the Manage Rules button on the upper-right of the interface control bar. The Rule Manager > Rule List is now displayed.
Rule Settings
The Rule Manager > Rule Settings panel is now displayed. Fill in the Name field to give this new rule a more descriptive name. If you wish to just build a rule without immediately enabling it, click on the Disable check box. Leaving this box blank sets the rule as enabled in the Rule List, once it is built.
The Severity drop down menu allows you to set a different severity level tag for each syslog that meets the conditions of this rule.
Rules must be created using available templates. Under the Group heading, you will find the available templates. Under the Generic rules group, a listing of six rule templates is displayed. Clicking on one of these types allows the full rule to display below in the Rule Editor box. The Computational rules group provides average-based statistical alerts on syslogs received, further broken down by the number received for appliances, or the number of syslogs received grouped by appliance. The Attack rules group offers rules to understand the number of appliances under attack from security threats, and for identifying specific appliances under attack.
The Advanced rules group is a flexible template that allows syslogs to be filtered based on one or two conditions.
Using the Rule Editor
The Rule Editor allows you to define conditions for a rule, if available. Keep in mind that the specificity with which these conditions are set controls how many alerts will be received in the Live Monitoring user interface. To edit the rule conditions, click on the Rule Editor (pencil) icon. A series of open fields and drop-down menus are now available to be adjusted to specify the desired conditions, including various parameters, if desired. Rule types allowing you to set one condition let you specify the name of the syslog tag you want to see, along with the operator to use in filtering those tags. You gain further granularity of control on rule types allowing filtering based on two conditions.
Note
Multiple rules with the same Rule Type are allowed, as long as the values are different in the rule condition(s). Creating different severity tags for the same rule type, with the same conditions, is not possible.
Setting Alert Destination and Schedule
Once rule editing is complete, click the Next button, or you may re-click the pencil icon to lock the rule editor, and then click Next. The Rule Manager > Destination/Schedule panel is now displayed. To set the destination and schedule for alerts based on the rule you just created, click Add Destination.
The Destination and Schedule drop down menus are now displayed in the panel. To open additional destination fields, up to the maximum of five, you may click again on Add Destination. Open the Destination drop down menu to select the desired destination, such as Email-Admin, Email-Adhoc, Trap listener Adhoc, etc. If you have email as a destination, and the condition defined is very lenient, your email could easily be flooded with alerts.
Note
The Live Monitoring user interface will not appear as a destination, as it is auto-determined, based on whether the interface is currently running. This means that if at least one user is live monitoring the interface, the engine will automatically detect this and continue forwarding alerts. If no one is currently monitoring, no alerts will be sent to the Live Monitor interface, but they will continue to be sent to defined destinations, such as email and traps.
Once the destination is selected, open the adjoining Schedule drop down menu to select the frequency this destination will receive alerts based on this rule.
Once the destination(s) and schedule(s) are set for alerts based on this rule, click the Finish button to complete this Rule Update. Once completed, a Message from webpage dialog box appears on screen announcing the Rule Update action was successful. Click OK to close the dialog box and to return to the Rule Manager > Rule List panel. The newly created rule will now be displayed in the list.
Modifying Rule Status
From this screen, you can Enable (green circle with check), Disable (red circle with X), or Delete (blue wastebasket) selected rules. These icons are in the section header.
To change a rule's status, select it by clicking on the checkbox to the left of the rule name, then click the desired status icon from the section header. For example, if you chose to disable a rule, here is how it would appear with the X icon now showing the rule's current status as disabled.
Once you have built and enabled the rules you want the event correlation engine to apply against the syslogs, click the Close button to return to the Live Monitoring user interface.
Before you can receive alerts in the Live Monitoring user interface, you must check the box next to Enable Syslogs Forwarding for Live Monitoring. Once you check the box, the message below appears. This is a reminder to anticipate an increase in syslog traffic, since each message will be cloned for event handling. Click OK to proceed.
The remaining fields on the Monitor tab allow you to configure various Live Monitoring settings, such as the IP address and port (default port is 21011) that the Live Monitoring interface is listening on.
Note
In a distributed set-up, enter an IP address that is reachable, so the event manager knows where the Live Monitoring reader is running.
The Monitor Buffer Size field allows you to define how many alerts need to be stored in the buffer.
The Limit on Emails field is an email throttling setting that you can adjust to limit the number of emails sent every hour for each rule, to prevent the flooding of inboxes.
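The Rule Editor passage above describes rules that test one or two syslog tags with an operator and attach a severity, the Destination/Schedule passage describes where matching alerts go (with the Live Monitoring interface auto-determined rather than configured), and the Limit on Emails setting caps emails per rule per hour. The following Python is an added example, not code from the guide or from SonicWALL GMS, that ties those pieces together as a small correlation engine run over constructed key=value syslog lines. The operator names (equals, not equals, contains, matches), the serial numbers, addresses and message ids in the sample lines, and the destination names used are assumptions of this example, chosen to mirror the dialog text; the "matches" operator applies a regular expression as the Real-Time Syslog filter does.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample syslog lines in the key=value form SonicWALL appliances emit.
# Serial numbers, addresses and message ids are made up for this example.
SAMPLE_SYSLOGS = [
    'id=firewall sn=0017C5EXAMPLE1 time="2010-03-01 10:00:01" fw=192.0.2.1 pri=1 m=22 '
    'msg="Ping of death dropped" src=198.51.100.7 dst=192.0.2.1',
    'id=firewall sn=0017C5EXAMPLE1 time="2010-03-01 10:00:02" fw=192.0.2.1 pri=6 m=98 '
    'msg="Connection Opened" src=10.0.0.5 dst=203.0.113.9',
    'id=firewall sn=0017C5EXAMPLE2 time="2010-03-01 10:00:03" fw=192.0.2.2 pri=1 m=22 '
    'msg="Ping of death dropped" src=198.51.100.7 dst=192.0.2.2',
    'id=firewall sn=0017C5EXAMPLE2 time="2010-03-01 10:00:04" fw=192.0.2.2 pri=3 m=23 '
    'msg="IP spoof dropped" src=10.0.0.99 dst=192.0.2.2',
]

TAG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_syslog(line: str) -> Dict[str, str]:
    """Split a key=value syslog line into its tags; quoted values lose their quotes."""
    tags: Dict[str, str] = {}
    for key, val in TAG_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        tags[key] = val
    return tags


# Condition operators assumed for this example; the guide only says "the operator".
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda tag, ref: tag == ref,
    "not equals": lambda tag, ref: tag != ref,
    "contains": lambda tag, ref: ref in tag,
    "matches": lambda tag, ref: re.search(ref, tag) is not None,
}


@dataclass
class Condition:
    tag: str      # name of the syslog tag to test
    op: str
    value: str

    def holds(self, tags: Dict[str, str]) -> bool:
        return self.tag in tags and OPERATORS[self.op](tags[self.tag], self.value)


@dataclass
class Rule:
    name: str
    severity: str                   # severity tag attached to each matching syslog
    conditions: List[Condition]     # one or two, as in the Advanced rules group
    destinations: List[str] = field(default_factory=list)  # e.g. Email-Admin, Trap listener Adhoc
    enabled: bool = True

    def matches(self, tags: Dict[str, str]) -> bool:
        return self.enabled and all(c.holds(tags) for c in self.conditions)


@dataclass
class Alert:
    rule: str
    severity: str
    tags: Dict[str, str]


class CorrelationEngine:
    """Minimal stand-in for the Event Correlation Engine the section describes."""

    def __init__(self, rules: List[Rule], email_limit_per_hour: int, live_monitor_listening: bool):
        self.rules = rules
        self.email_limit = email_limit_per_hour    # the Limit on Emails setting
        self.live = live_monitor_listening         # auto-determined, never a configured destination
        self.emails_sent: Dict[Tuple[str, str], int] = defaultdict(int)  # (rule, hour) -> count
        self.delivered: List[Tuple[str, Alert]] = []   # (destination, alert)
        self.suppressed_emails = 0

    def feed(self, line: str) -> List[Alert]:
        tags = parse_syslog(line)
        hour = tags.get("time", "")[:13]           # "YYYY-MM-DD HH" from the syslog's own clock
        alerts: List[Alert] = []
        for rule in self.rules:
            if rule.matches(tags):
                alert = Alert(rule.name, rule.severity, tags)
                alerts.append(alert)
                self._dispatch(rule, alert, hour)
        return alerts

    def _dispatch(self, rule: Rule, alert: Alert, hour: str) -> None:
        for dest in rule.destinations:
            if dest.startswith("Email"):
                if self.emails_sent[(rule.name, hour)] >= self.email_limit:
                    self.suppressed_emails += 1    # throttled; traps and the UI are still fed
                    continue
                self.emails_sent[(rule.name, hour)] += 1
            self.delivered.append((dest, alert))
        if self.live:
            self.delivered.append(("Live Monitoring", alert))


def run_sample() -> CorrelationEngine:
    """Two rules over the constructed lines: one single-condition, one two-condition."""
    rules = [
        Rule("Ping of death seen", "Critical",
             [Condition("m", "equals", "22")], ["Email-Admin"]),
        Rule("Spoof from internal range", "High",
             [Condition("msg", "contains", "spoof"), Condition("src", "matches", r"^10\.")],
             ["Trap listener Adhoc"]),
    ]
    engine = CorrelationEngine(rules, email_limit_per_hour=1, live_monitor_listening=True)
    for line in SAMPLE_SYSLOGS:
        engine.feed(line)
    return engine
```

With the email limit set to one per rule per hour, the second Ping of death line in the same hour is still shown in Live Monitoring but its email is suppressed, which is the flooding protection the setting exists for; the two-condition rule fires only on the line where both the message text and the source range match.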
Click on the User tab. This field allows you to set how often the Live Monitoring user interface will refresh with new, incoming alerts. Once this is set, click Update to return to the Live Monitoring user interface.
Controlling the User Interface
The control bar in the upper-left corner of the Live Monitoring interface holds the buttons to control the flow of alerts on the screen. Click the Start button to begin Live Monitoring. It will take 15-30 seconds for the backend to recognize that a user is Live Monitoring.
Once alerts are received, they will begin to appear in the user interface.
Note
Although Super Admins will be able to view alerts from across all domains of a network, regular users will only see their domain-specific alerts in the Live Monitoring user interface.
Once Live Monitoring begins, the buttons will change in the upper-left of the interface control bar. If you need to focus on one alert, while keeping the buffer from continuing to fill up with alerts, click the Pause button.
Once alerts are paused, the control bar buttons will change again. Click Resume when you are ready to resume Live Monitoring. If you wish to clear all alerts from the interface window, click the Clear button.
Clicking the Stop button will stop Live Monitoring from receiving alerts to display. Keep in mind there is a 15-30 second lag before the event engine sees that the Live Monitoring user interface is no longer listening.
Scroll Navigation
The right side of the Live Monitoring interface contains a scroll bar. As alerts are displayed, the most recent appear at the bottom of the buffer in auto-scroll mode. Clicking on other scroll bar controls disables auto-scroll, giving control to the user. Re-start auto-scroll by clicking on the auto-scroll icon at the top of the scroll bar. The scroll bar's up and down double arrow buttons provide fast scroll movement in the display. The single arrow buttons provide standard scrolling capability.
Alert Event Detail
Within the Live Monitoring user interface display, you can see greater detail about a particular alert by clicking on the arrow on the left of the alert. This expands the field to show additional information.
The Live Monitoring user interface can be viewed by multiple users at the same time. However, if no users are actively monitoring, alerts will no longer be sent to the interface. Alerts will continue to be sent to previously set destinations, such as email and traps.
Part 5 Console
Configuring General Settings section on page 928
Configuring Reports Settings section on page 930
Enter the existing SonicWALL GMS password in the Current GMS Password field. Enter the new SonicWALL GMS password in the New GMS Password field. Reenter the new password in the Confirm New Password field.
Note
Password fields will be grayed out for users on a Remote Domain.
4. The GMS Inactivity Timeout period specifies how long SonicWALL GMS waits before logging out an inactive user. To prevent someone from accessing the SonicWALL GMS UI when SonicWALL GMS users are away from their desks, enter an appropriate value in the GMS Inactivity Timeout field. You can disable automatic logout completely by entering -1 in this field. The minimum is 5 minutes and the maximum is 120 minutes.
5. Select a value between 10 and 100 in the Max Rows Per Screen field. This value applies only to non-reporting related paginated screens.
6. The Appliance Selection Panel options determine how devices are displayed in the far left panel. You can display only icons (the Icons option), only the name of the appliance (Text), both icons and names (Icons and text), or use the default GMS display settings for this user (Use default). The default is Icons and Text.
7. To configure SonicWALL GMS to display an editable task description each time a task is generated, select the Enable edit task description dialog when creating tasks check box.
8. To have GMS play an audio alert when an appliance goes up, check the Enable Audio Alarm when a Managed Unit goes Up check box.
9. To have GMS play an audio alert when an appliance goes down, check the Enable Audio Alarm when a Managed Unit goes Down check box. To customize the audio alerts, place wav files in the following directory:
[SGMS2]\Tomcat\webapps\sgms\com\sonicwall\sgms\applets\common
The file names for an appliance going up and down must be up_custom.wav and down_custom.wav respectively.
10. To view the message of the day now, click View Message of the Day.
11. When you are finished, click Update. The settings are changed. To clear
Note
The maximum size of the SonicWALL GMS User ID is 24 alphanumeric characters. The password is one-way hashed and any password of any length can be hashed into a fixed 32 character long internal password.
The following Web Usage reports are affected by the Web Site and Web User Exclusion Filters:
Web Usage > Summary
Web Usage > Top Sites
Web Usage > Top Users
Web Usage > By User
Web Usage > By Site
Web Usage > By Category
Web Usage > Over Time
Web Usage > Top Sites Over Time
Web Usage > Top Users Over Time
Web Usage > By User Over Time
Web Usage > By Category Over Time
1. On the Console > User Settings > Reports page, type the Web site to be excluded into the Web Sites Filter field. Enter the Web site without the http:// or www prefix.
2. Click the Add button.
1. On the Console > User Settings > Reports page, select the checkbox next to the Web site to be removed from the exclusion list. To select all sites in the list, select the Select All checkbox.
2. Click the Delete button.
1. On the Console > User Settings > Reports page, type the user name to be excluded into the Web Users Filter field. Enter the user name without the domain.
2. Click the Add button.
1. On the Console > User Settings > Reports page, select the checkbox next to the user to be removed from the exclusion list. To select all users in the list, select the Select All checkbox.
2. Click the Delete button.
Configuration
The Log > Configuration screen provides a way to delete log messages older than a specific date. To delete GMS log messages, perform the following steps:
1. Click the Console tab, expand the Log tree, and click Configuration. The Configuration page displays.
2. Select the month, day, and year from the drop-down menu.
3. Click Delete Log Messages Older Than.
View Log
The SonicWALL GMS log keeps track of changes made within the SonicWALL GMS UI, logins, failed logins, logouts, password changes, scheduled tasks, failed tasks, completed tasks, raw syslog database size, syslog message uploads, and time spent summarizing syslog data. To view the SonicWALL GMS log, perform the following steps:
1. Click the Console tab, expand the Log tree, and click View Log. The View Log page displays.
2.
3. To narrow the search, enter one or more of the following search criteria:
Tip
You can press Enter to navigate from one form element to the next in this section.
Select Time of logs: displays all log entries for a specified range of dates.
SonicWALL Node: displays all log entries associated with the specified SonicWALL appliance.
Message contains: displays all log entries that contain the specified text. This input field provides an auto-suggest functionality that uses existing log message text to predict what you want to type. It fills in the field with the suggested text and you can either press Tab to accept it or keep typing. Different suggestions will appear as you continue to type if log messages match your input.
Severity: displays log entries with the matching severity level: All (Alert, Warning, and FYI), where FYI means For Your Information; Alert and Warning; or Alert.
Select the Match case checkbox to make the SonicWALL Node,
Select one of Exact Phrase, All Words, or Any Word:
Exact Phrase matches a log entry that contains exactly what you typed in the Message contains field.
All Words matches a log entry that contains all the words you typed in the Message contains field, but the words can be non-consecutive or in any order.
Any Word matches a log entry that contains any of the words you typed in the Message contains field.
4. To view the results of your search criteria, click Start Search. To clear all values from the input fields and start over, click Clear Search. To save the results as an HTML file on your system, click Export Logs and follow the on-screen instructions.
5. To configure how many messages are shown per screen, enter a new value between 10 and 100 in the Show Messages Per Screen field (default: 10).
6. Click Next to display the next page, or click Previous to display the preceding page. To jump to a specific message, enter the message number in the Go to Message Number field.
Scheduled Tasks
As you perform multiple tasks through the SonicWALL GMS UI, SonicWALL GMS creates, queues, and applies them to the SonicWALL appliances. As SonicWALL GMS processes the tasks, some SonicWALL appliances may be down or offline. When this occurs, SonicWALL GMS requeues the tasks and reattempts the changes.
1. Click the Console tab, expand the Tasks tree and click Scheduled Tasks. The Scheduled Tasks page displays.
2.
error.
SGMS User: specifies the user who created the task.
Agent: specifies the IP address of the agent.
3. To narrow the search, enter one or more of the following search criteria and click Start Search:
Tip
You can press Enter to navigate from one form element to the next in this section.
Calendar: select the period of time for which SonicWALL GMS will display tasks. The pull-down menu to the right enables you to specify whether the date range applies to the task creation time, the local scheduled time, or the agent scheduled time.
SonicWALL Node: displays all tasks associated with the specified SonicWALL appliance.
Description contains: displays all tasks that contain the specified text.
Owner: displays all tasks with the specified owner.
Task ID: displays the task with the specified task ID.
4. To execute one or more scheduled tasks immediately, select their check boxes and click Execute the tasks selected now. You can also select all of the tasks on the page by checking the Select Only the 10 Tasks Displayed Above checkbox, or select all tasks by checking the Select All Pending Tasks checkbox.
5. To reschedule one or more pending tasks for another time, select their check boxes and click Re-schedule the tasks selected. The GMS Date Selector dialog box displays.
6.
Select a new date when the task will execute and click OK. The dialog box closes and the task will execute at the selected time.
Note
The task(s) will execute based on the time setting of the SonicWALL GMS agent server, UTC, or local browser's time. To delete one or more tasks from the list of pending tasks, select their check boxes and click Delete the tasks selected. To delete all pending tasks, select the Select all Tasks check box and click Delete the tasks selected.
7.
Management
This chapter contains the following sections:
Settings section on page 941
Domains section on page 945
Users section on page 953
Custom Groups section on page 964
Sessions section on page 970
Agents section on page 971
SNMP Managers section on page 973
Inheritance Filters section on page 974
Message of the Day section on page 975
Database Maintenance section on page 977
Settings
On the Console > Management > Settings page, you can enable reporting, configure email settings, enable automatic preferences file backup, configure GMS to synchronize with managed units, and configure Enhanced Security Access (ESA) settings. This section describes the following Settings topics:
Configuring Email Settings on page 942
Configuring Prefs File Settings on page 942
Enabling Reporting and Synchronization with Managed Units on page 943
Enhanced Security Access Settings on page 944
Configuring Email Settings
SonicWALL GMS sends the following by email, so a working SMTP configuration is required for:
System alerts for your SonicWALL GMS deployment performance
Availability of product updates, hot fixes, or patches
Availability of firmware upgrades for managed appliances
Alerts on your managed appliances' status
Scheduled Reports
To configure email settings:
1. Click the Console tab. Expand the Management tree and click Settings. The Settings page displays.
2. Type the IP address of the Simple Mail Transfer Protocol (SMTP) server into the SMTP Server field. This server can be the same one that is normally used for email in your network.
3. Type the email account name and domain that will appear in messages sent from SonicWALL GMS into the GMS Sender's e-Mail Address field.
4. When finished in the Settings page, click Update.
5. To clear the screen settings and start over, click Reset.
Configuring Prefs File Settings
1. Click the Console tab. Expand the Management tree and click Settings. The Settings page displays.
2. Select Daily or Weekly in the Automatically save prefs file & addunit.xml field, and select a day of the week (if weekly) and a time. This determines how often SonicWALL GMS will automatically save the preferences and addUnit.xml files.
3. To automatically save the VPN Gateway Preferences files for SonicWALL appliances, select Automatically save VPN Gateway Prefs file.
Note
The Enable Prefs Backup option must also be selected on the Policies > General > Settings screen.
4. When finished in the Settings page, click Update.
5. To clear the screen settings and start over, click Reset.
Enabling Reporting and Synchronization with Managed Units
1. Click the Console tab. Expand the Management tree and click Settings. The Settings page displays.
2. To enable GMS Reporting, select the Enable Reporting check box. To disable it, deselect the Enable Reporting check box (default: Enabled).
3. To configure SonicWALL GMS to automatically synchronize with the local changes made to the SonicWALL appliances, select the Enable Auto Synchronization check box.
4. For SonicWALL appliances that do not have direct access to the Internet, you can instruct GMS to download updates to security service signatures. To do so, select the following two check boxes:
Firewalls managed by this GMS do not have Internet Access
Upload latest signatures on subscription status change
Note
When updated signatures have been downloaded to the GMS, you must then manually upload them to the SonicWALL appliances. This action is performed on the Policies > System > Tools page. When there are new signatures to be uploaded, the Upload Signatures Now button appears on the Tools page. Click this button to manually upload the signatures.
5. To create an addUnit.xml file to track all units under management, click Create Add Unit XML File.
6. When finished in the Settings page, click Update.
7. To clear the screen settings and start over, click Reset.
Enhanced Security Access Settings
Enhanced security settings are also available in your browser. For information, see Browser Requirements on page 12.
GMS supports enhanced data security standards by encrypting all passwords and pre-shared secrets stored in its database. This includes VPN Security Association pre-shared secrets, encryption keys, authentication keys, and passwords. The following passwords are encrypted in GMS:
GMS gateway password
UTM appliance passwords for managed units
Guest account password
LDAP and RADIUS passwords
Encryption protects these values at rest in the database; it does not replace restricting access to the GMS server and its database.
Enhanced security compliance also requires a password rotation feature. GMS supports password rotation requirements, including several changes in the management interface. These changes occur on the Console panel, in the Management > Settings screen and in all screens accessed from the Management > Users screen. To turn on password security enforcement in GMS:
1. In the Management > Settings screen, select the Enforce Password Security checkbox.
2. In the Number of failed login attempts before user can be locked out field, enter a value. The default is 6.
3. In the User lockout minutes field, enter a value. The default is 30. This is the number of minutes that a user will not be able to log in to GMS after failing to log in correctly for the specified number of attempts.
4. In the Number of inactive days to mark user for deletion field, enter a value. The default is 90. The user's account will be deleted if it is not used for the specified number of days.
5. In the Number of days to force password change field, enter a value. The default is 90. GMS will prompt the user to change his or her password after the specified number of days.
6. When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.
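The following Python is an added illustration of how the four Enforce Password Security values interact, using the page's defaults (6 attempts, 30 minutes, 90 days, 90 days). It is not SonicWALL GMS code; the class and function names are hypothetical, and the assumption that the failure counter starts fresh once a lockout expires is ours, not stated by the guide.

```python
"""Models the Enforce Password Security rules with the page's defaults.

Added illustration, not SonicWALL GMS source.  Names are hypothetical, and
the assumption that the failure counter resets once a lockout expires is ours.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    max_failed_attempts: int = 6       # failed login attempts before lockout
    lockout_minutes: int = 30          # user lockout minutes
    inactive_days_to_delete: int = 90  # inactive days to mark user for deletion
    password_max_age_days: int = 90    # days before a password change is forced


@dataclass
class Account:
    password_changed: datetime
    last_login: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


LOCKED, REJECTED, OK, OK_CHANGE_PASSWORD = "locked", "rejected", "ok", "ok_change_password"


def attempt_login(account: Account, policy: Policy, password_ok: bool, now: datetime) -> str:
    """Apply one login attempt to the account and return the outcome."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return LOCKED            # inside the lockout window, even with the right password
        account.locked_until = None  # lockout expired (assumption: counter starts fresh)
        account.failed_attempts = 0
    if not password_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed_attempts:
            account.locked_until = now + timedelta(minutes=policy.lockout_minutes)
            return LOCKED
        return REJECTED
    account.failed_attempts = 0
    account.last_login = now
    if now - account.password_changed >= timedelta(days=policy.password_max_age_days):
        return OK_CHANGE_PASSWORD    # GMS prompts for a new password at this point
    return OK


def marked_for_deletion(account: Account, policy: Policy, now: datetime) -> bool:
    """True when the account has been unused for the configured number of days."""
    return now - account.last_login >= timedelta(days=policy.inactive_days_to_delete)


def demo() -> list:
    """Walk one constructed account through the defaults; returns the observed outcomes."""
    t0 = datetime(2010, 1, 1, 9, 0)
    policy, acct = Policy(), Account(password_changed=t0, last_login=t0)
    outcomes = [attempt_login(acct, policy, False, t0 + timedelta(seconds=i)) for i in range(6)]
    outcomes.append(attempt_login(acct, policy, True, t0 + timedelta(minutes=10)))  # right password, still locked
    outcomes.append(attempt_login(acct, policy, True, t0 + timedelta(minutes=31)))  # lockout expired
    outcomes.append(attempt_login(acct, policy, True, t0 + timedelta(days=90)))     # password 90 days old
    outcomes.append(marked_for_deletion(acct, policy, t0 + timedelta(days=180)))    # unused for 90 days
    return outcomes
```

Note that a correct password presented during the lockout window is still refused, which is the behaviour that makes the lockout useful against online guessing.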
Domains
A Domain in GMS is a logically bound collection of users, authentication servers, managed appliances, policies, reporting data, alerts and all other related data, bounded so that the contents of a domain are only visible within that domain. Data from one domain is not visible to users in other domains. Only the SuperAdmin user can create new domains and can view and edit information from all the domains in the system. All other admin users of each domain have the privilege of managing their own domains in GMS. This section describes the following Domains topics:
About Domains
In addition to a built in LocalDomain with a LocalAuthServer for authentication of users, GMS is able to access and authenticate against popular third party systems including Active Directory, RADIUS and LDAP in a transparent fashion. By default, GMS maintains its own locally stored database for authentication purposes. This is also referred to as the LocalAuthServer. GMS also allows simultaneous third party database authentication, which makes use of your existing (and separately maintained) database system(s).
Note
Although GMS 6.0 supports the use of multiple external authentication mechanisms for a single domain, only one instance of a local GMS authentication server (the default GMS LocalAuthServer) can exist for each domain.
The user hierarchy of your database (either GMS or third-party) determines what a user's view consists of, and what data they are able to access and/or modify. In the case of Active Directory servers, GMS can limit access to specified groups of users. If this functionality is desired, the target groups must be specified.
Every instance of GMS installs with a default domain, named LocalDomain, even before a domain is created by the administrator. Users of new admin-created domains do not have the ability to view data in other domains.
Creating a New Domain
1. Login as the Administrator of the LocalDomain on the SonicWALL GMS Login Screen.
2. Navigate to the Console > Management > Domain page. You will see a default LocalDomain. To create a new domain in SonicWALL GMS, click Add Domain to complete the configuration parameters for the new remote domain.
3. Under Name, type in the desired name for the remote domain. This name will be visible on the Domain drop-down list on the SonicWALL GMS Login screen.
4. For Default Admin User, specify a valid user account. This will be the default admin account created for the domain. Note that this username must exist in your third party server, and will have administrative privileges in GMS for the newly created domain.
5. The Host Name can either be specified as the IP address of the remote server, or the fully-qualified domain name. The authentication server's Global Catalog can be set as the Host in case of a complex directory structure. If using the Global Catalog, SonicWALL GMS will be able to search through the directory and through all its child nodes.
6. Enter a friendly name, or Alias, for this new Domain.
7. If your new domain will use only the local (GMS) database for user authentication, configuration is complete after this step. If you are planning to authenticate using an existing third-party database, continue to Configuring LDAP or AD Authentication or Configuring RADIUS Authentication.
Configuring LDAP or AD Authentication
Note
Be sure to complete the basic setup procedures in the Creating a New Domain section on page 946 before continuing.
1. Check the Add Auth Server option to enable third-party authentication for this domain.
2. In the Authentication Port field, specify the port number on which the third party server listens for authentication requests. The default Authentication Port for LDAP or AD servers is 389. To reach an AD server's global catalog, use port 3268.
3. Select LDAP or Active Directory from the drop-down menu under Host Type.
4. Select which Protocol Version the remote server is running.
5. The Base Distinguished Name (Base DN) identifies the root entry in the directory from which SonicWALL GMS will execute searches. This should be the node in the authentication system under which all SonicWALL GMS users are present. The value is specified as a distinguished name (for example, dc=gmseng,dc=com).
6. Check the Use SSL checkbox to use SSL when connecting to the remote server. If you check this checkbox, you will need to specify the SSL Port on which the remote server is listening for bind requests. By default, this is 636. If connecting to an AD server's global catalog, use port 3269.
Note
SonicWALL recommends using SSL with remote domains. Without it, the bind credentials entered in steps 8 and 9 and every user's password cross the network in clear text. The Certificate Authority (CA) or Root certificate of the LDAP server will need to be imported into the GMS JRE using the keytool command.
7. Only select Anonymous Login if the authentication system is configured to allow anonymous binds. This option makes the Admin User ID irrelevant. This is not a recommended setting as it reduces security.
8. The Login User Distinguished Name is used to authenticate to the third party server when performing the initial bind. This value is specified as a distinguished name.
9. Type in the matching password in the Login Password field.
Note
The Login User Distinguished Name need not correspond with the Admin User ID, but both must exist in the third party server. The Login User Distinguished Name can be found using any LDAP browser tool.
10. In the Connection Timeout field, specify the connection timeout period (in milliseconds). Once the Settings panel is completed, click the Schema panel to continue setup of the new remote domain.
11. Under LDAP Schema, select which LDAP Server you are using from the drop-down list. Each selection in this list will fill in the remaining fields on the Schema panel with default values.
Note
If the server you are using is not specified in the default list, click User Defined to configure your own values and settings.
12. Optional, for AD servers only: Select the Allow Only AD Group Members checkbox. Then specify which groups are allowed to login to GMS from this remote domain. Multiple groups can be specified if they are separated by a semi-colon. All users that are members of the specified AD groups must be present below the Base DN that was specified in the Settings panel.
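As an added illustration of the two rules in step 12 (the semicolon-separated group list, and the requirement that group members sit below the Base DN), the following Python checks a directory entry the way an authentication layer would after a successful bind. This is not SonicWALL GMS code: the user entries, group names and Base DN are constructed for the example, and the DN handling is a simplification of RFC 4514 (escaped commas are handled, multi-valued RDNs are not).

```python
"""Applies the 'Allow Only AD Group Members' and Base DN rules to a directory entry.

Added illustration, not SonicWALL GMS source.  Entries and group list below are
constructed; DN parsing is simplified (escaped commas yes, multi-valued RDNs no).
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=Ann,ou=Users,dc=gmseng,dc=com' into normalised (attr, value) pairs."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # attribute types and (for this example) values compare case-insensitively
        pairs.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return pairs


def is_below(dn: str, base_dn: str) -> bool:
    """True when dn lies strictly below base_dn (suffix match on normalised RDNs)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


def parse_group_list(text: str) -> List[str]:
    """The GMS field takes several groups separated by semicolons."""
    return [g.strip() for g in text.split(";") if g.strip()]


def group_matches(group_dn: str, allowed: str) -> bool:
    """Accept either a bare group CN or a full group DN in the allowed list."""
    parsed = parse_dn(group_dn)
    if "=" in allowed:
        return parsed == parse_dn(allowed)
    return parsed[0] == ("cn", " ".join(allowed.split()).lower())


def user_allowed(entry: dict, allowed_groups: str, base_dn: str) -> bool:
    """entry = {'dn': ..., 'memberOf': [...]} as an LDAP search would return it."""
    if not is_below(entry["dn"], base_dn):
        return False    # members must be present below the Base DN
    allowed = parse_group_list(allowed_groups)
    if not allowed:
        return False    # fail closed: an empty allow-list admits nobody
    return any(group_matches(g, a) for g in entry.get("memberOf", []) for a in allowed)


def demo() -> List[bool]:
    """Constructed entries: two allowed, one in the wrong group, one outside the Base DN."""
    base = "dc=gmseng,dc=com"
    allowed = "GMS Admins; cn=NOC,ou=Groups,dc=gmseng,dc=com"
    users = [
        {"dn": "CN=Ann Lee,OU=Users,DC=gmseng,DC=com",
         "memberOf": ["CN=GMS Admins,OU=Groups,DC=gmseng,DC=com"]},
        {"dn": "CN=Bob Roy,OU=Users,DC=gmseng,DC=com",
         "memberOf": ["CN=NOC,OU=Groups,DC=gmseng,DC=com"]},
        {"dn": "CN=Cy Tan,OU=Users,DC=gmseng,DC=com",
         "memberOf": ["CN=Domain Users,CN=Users,DC=gmseng,DC=com"]},
        {"dn": "CN=Di Wu,OU=Users,DC=partner,DC=net",          # outside the Base DN
         "memberOf": ["CN=GMS Admins,OU=Groups,DC=partner,DC=net"]},
    ]
    return [user_allowed(u, allowed, base) for u in users]
```

The last entry shows why the Base DN check matters: a group with the right name in a different part of the forest does not grant access.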
Configuring RADIUS Authentication
1. Check the Add Auth Server option to enable authentication by a third party server.
2. Enter the Host Name (or IP address) of the RADIUS server you wish to use for authentication.
3. Enter the Authentication Port on which the RADIUS server listens for requests. The default Authentication Port is 1812.
4. Enter the Shared Secret to be used between GMS and the RADIUS server.
5. Enter the Authentication Protocol used by your RADIUS installation.
Note
SonicWALL GMS supports PAP, CHAP, MSCHAP, and MSCHAPv2 protocols for RADIUS authentication. With PAP, the user's password is protected on the wire only by the shared secret, so choose a long, random secret.
6. Enter the RADIUS Timeout (Seconds). This specifies the amount of time GMS will wait before giving up or retrying the authentication attempt; the number of retries is specified next. The default value is 10 seconds.
7. Enter the Max Retries. This specifies the number of times GMS will attempt to authenticate with the RADIUS server before aborting the attempt. The default value is 3 tries.
8. Fill in the Host Name, Authentication Port, and Shared Secret values for your backup RADIUS server, if available.
9. Check the Allow Only Radius Group Members option if you plan to limit GMS access to members of select groups. The specific groups are specified later in this tab.
10. Select the RADIUS Server option that uses SonicWall-user-group and SonicWall-user-groups as the RADIUS user group identifiers for GMS authentication.
11. If the RADIUS server is configured to return the Filter-ID attribute with each user ID, select the Use Filter-ID attribute on RADIUS Server option. Henceforth, this value will be used as the RADIUS user group identifier.
12. The field that follows specifies the groups whose members are allowed to access GMS resources.
To test the third party authentication feature, specify the credentials of any user in the domain and click the Test button.
You will also see the new domain (local and remote) you have created under Console > Management > Domains of SonicWALL GMS. To confirm the configurations for each domain, click the icon to view or change these settings.
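To make the RADIUS settings above concrete (shared secret, PAP, the Filter-ID group attribute, and the 10-second timeout with 3 tries), the following Python is an added example of the Access-Request/Access-Accept exchange as RFC 2865 defines it. It is not SonicWALL GMS code and does not claim to reproduce how GMS builds its packets; the shared secret, the user table and the in-process "server" are constructed for the example, and the SonicWall-user-group vendor attribute is deliberately not modelled.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) with PAP password
hiding, shared-secret verification of the reply, Filter-ID group extraction and
the page's timeout/retry defaults.  Added illustration, not SonicWALL GMS source;
the secret, user table and fake server are constructed for the example."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11   # RFC 2865 attribute types

def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attrs(data: bytes):
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    auth = authenticator or os.urandom(16)            # Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(reply, request_auth, secret):
    """Drop replies that were not authenticated with our shared secret for this request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, ident, list(parse_attrs(attrs))

def authenticate(send, username, password, secret, nas_ip, timeout_s=10, max_retries=3):
    """send(packet, timeout_s) returns the reply or raises TimeoutError.
    Defaults mirror the page: wait 10 s per try and give up after 3 tries."""
    ident = os.urandom(1)[0]
    request = build_access_request(ident, username, password, secret, nas_ip)
    request_auth = request[4:20]
    for _ in range(max_retries):
        try:
            reply = send(request, timeout_s)
        except TimeoutError:
            continue                                   # retransmit the identical request
        code, rid, attrs = verify_response(reply, request_auth, secret)
        if rid == ident:
            return code == ACCESS_ACCEPT, [v.decode() for t, v in attrs if t == FILTER_ID]
    raise TimeoutError(f"no RADIUS reply after {max_retries} attempts")

def fake_server(secret, users):
    """Constructed stand-in for a RADIUS server: checks PAP and returns the user's Filter-ID."""
    def handle(request, timeout_s):
        ident = request[1]
        auth, attrs = request[4:20], dict(parse_attrs(request[20:struct.unpack("!H", request[2:4])[0]]))
        name = attrs[USER_NAME].decode()
        if name in users and users[name][0] == pap_decrypt(attrs[USER_PASSWORD], secret, auth):
            return build_response(ACCESS_ACCEPT, ident, auth, secret, _attr(FILTER_ID, users[name][1].encode()))
        return build_response(ACCESS_REJECT, ident, auth, secret)
    return handle

def demo():
    secret = b"constructed-shared-secret"
    server = fake_server(secret, {"alice": (b"s3cret!", "GMS Admins")})
    return (authenticate(server, "alice", "s3cret!", secret, "10.0.0.5"),
            authenticate(server, "alice", "wrong", secret, "10.0.0.5"))
```

The client never trusts an Access-Accept by itself: `verify_response` recomputes the Response Authenticator with the configured shared secret, so a reply from a server with a different secret (or an injected one) is rejected. That is why the shared secret on both sides must match exactly, and why the backup server in step 8 needs its own correct secret.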
Editing a Domain
Any admin-created domain can be edited after initial creation. To edit a domain:
1. Login as the Administrator of the LocalDomain on the SonicWALL GMS Login Screen.
2. Navigate to the Console > Management > Domain page.
3. To edit or delete a domain in SonicWALL GMS, select the checkbox corresponding to the domain and click the Edit Domain button.
Note
The default LocalDomain which comes pre-installed with GMS systems cannot be edited or deleted.
Users
To operate in complex environments, the SonicWALL Global Management System (SonicWALL GMS) is designed to support multiple users, each with his or her own set of permissions and access rights. This section contains the following subsections:
Creating User Groups on page 954
Moving a User on page 957
Configuring Appliance Access on page 960
Note
If you do not want to restrict access to SonicWALL appliances or SonicWALL GMS functions, but want to divide SonicWALL GMS responsibility among multiple users, use views to provide specific criteria to display groups of SonicWALL appliances. Depending on the type of task they are trying to perform, users can switch between these views as often as necessary. For more information, see Configuring Unit, View, and Other Permissions on page 961.
Note
All of the user configuration options are available through the command-line interface. For more information, refer to the SonicWALL Global Management System Command-Line Interface Guide.
Creating User Groups
SonicWALL GMS provides four default user types:
Administrators: Full view and update privileges.
Operators: View privileges only.
End Users: No privileges.
Guest Users: No privileges.
To create a new user group (user type), perform the following steps:
1. Click the Console tab, expand the Management tree and click Users. The General Page of the User screen displays.
2. In the middle pane, right-click All Users and select Add User Types from the pop-up menu. A new user group dialog box displays.
3. In the dialog box, enter the name of the new user type and then click OK. The new user type is added to the list under All Users.
4. In the right pane, enter any comments regarding the new user group in the Comments field.
5. Select a default view for the new user group from the Default View pull-down menu. This view will be displayed for members of the user group when they first log in to SonicWALL GMS.
6. To force all users in the user group to change their passwords, select the Change Password checkbox.
7. To delete the user type when it becomes inactive, select the Delete Inactive checkbox.
8. To set a date when the user type will become inactive, click in the Active Until field and then select a date from the popup calendar.
9. To keep the user type active at all times without an end date, select the Always Active checkbox.
10. Select the schedule for when the user group is active from the drop-down list in the Schedule field.
11. Click Update. The new user group is added. By default, the new group has no privileges. To configure screen access settings, see Moving a User on page 957.
Adding Users
This section describes how to create a new user. Although the user will inherit all group settings, individual user settings will override the group settings. To add a new user, perform the following steps:
1. Click the Console tab, expand the Management tree and click Users. The General Page of the User configuration screen displays.
2. Right-click a user group and select Add User from the pop-up menu. The Add User window displays.
3. In the dialog box, enter a username and a password and click OK. In the main window, the new user displays beneath the group to which it is assigned.
Note
The username and password are case-sensitive. Do not enter the single quote character (') in the User ID field.
4. Select the new user.
5. Enter the full name of the user in the Name field.
6. Enter contact information for the user in the Phone, Fax, Pager, and Email fields.
7. Select the default view for the user from the Default View list box.
8. Enter any comments regarding the new user in the Comments field.
9. Check the SuperAdmin checkbox to enable privileges for this user across all domains.
Note
By default, permissions for users exist only within the domain to which they belong. By checking the SuperAdmin option, permissions are extended across all domains. Because this removes the domain boundary entirely, grant it to as few accounts as possible.
10. Enter the number of minutes that the user can be inactive on his or her computer before the session times out in the Inactivity Timeout field. Enter -1 to never time out.
11. To change the password for the user, type in the password in the New Password field, and then type it again in Confirm Password.
12. To disable the user without deleting the entire entry, select the Account Disabled checkbox.
13. To force the user to change his or her password, select the Change Password checkbox.
14. To delete the user when the account becomes inactive, select the Delete Inactive checkbox.
15. To set a date when the user will become inactive, click in the Active Until field and select a date from the popup calendar.
16. To keep the user active at all times, select the Always Active checkbox. If this is selected, the date in the Active Until field is ignored.
17. Select a schedule when the user is active from the drop-down list in the Schedule field.
18. Do one of the following:
Click Inherit Permissions from Group. The user will inherit the permissions from the group that you right-clicked to begin this procedure.
Click Update. The new user is added. You will need to configure the user's permissions. See Moving a User, below, and Configuring Appliance Access on page 960.
Click Reset to change all fields in this screen to their default values.
To temporarily disable a user account, select the Account Disabled check box and click Update.
Moving a User
When new users log in to SonicWALL GMS for the first time, they will be considered guest users and will only have limited access. One way to configure user privileges is to move the user to the appropriate group. To change a SonicWALL GMS user's group:
1. Have the user login to GMS. The user will be logged in as a guest user with limited privileges. An administrator can now upgrade the account to a separate user class.
2. Login as the remote domain's administrator.
3. Navigate to the Console tab.
4. Navigate to the Management > Users page. You'll see that there are currently four different categories of users: Administrators, End Users, Guest Users, and Operators. These categories can be further opened to list the users that comprise them.
5. Select the new user from the Guest Users list.
6. Right-click the new user's name in the Guest Users list and select Move User from the pull-down menu.
7. In the Move User dialog box, select the appropriate new level for the new user, and select Inherit permissions defined from the new user type permission.
8. Click OK.
To configure screen access settings for a user or user group, perform the following steps:
1. Navigate to Console > Management and open the Users configuration screen.
2. Select a user or user group under All Users.
3. Click the Screen Permissions tab.
4. Under All Screens, select a panel, section, or screen. For example, for REPORTS_PANEL, you can select the whole panel, the unit type section such as UTM, SSL-VPN, CDP, or Email Security, the group of reports for that type of unit, or the individual report or screen that you want to set permissions for. In this example, we chose the Firewall > Bandwidth panel.
5. Select the permission for the selected object. To allow view and update access for unit-level screens and not for group-level screens, select View & Update At Unit Level Only. This option is only available for objects in the Policies Panel and Reports Panel.
6. For this example, we select the View Only option to allow our executive team to view the firewall bandwidth panel.
7. You may see a warning screen if you are applying permission changes to a group. Verify that you wish to apply these changes to the group and all users within that group and click the OK button. The panel object is now preceded by an icon indicating the permission.
Note
The more specific settings override the more general settings. For example, if you select View Only for the Status group of reports and select None for the Up-Time over Time report, then the selected user will only see the Up-Time Summary report in the Status reports and have View Only permission for that report.
8. To clear all screen settings and start over, click Reset.
9. When finished, click Update.
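The Note above describes a longest-match rule: a setting on a specific screen overrides a setting on its report group, which overrides a setting on the panel, and (from Adding Users) an individual user's settings override the group's. The following Python is an added illustration of that resolution; it is not SonicWALL GMS code. The REPORTS_PANEL, Status and Up-Time names come from the page, while POLICIES_PANEL, CONSOLE_PANEL and the rule tables are assumptions made for the example.

```python
"""Resolves effective screen permissions: the most specific rule on a screen's
path wins, user rules override group rules, and no rule means no privileges.
Added illustration, not SonicWALL GMS source; POLICIES_PANEL and CONSOLE_PANEL
are assumed names, and the rule tables are constructed."""
NONE = "None"
VIEW_ONLY = "View Only"
VIEW_UPDATE = "View & Update"
VIEW_UPDATE_UNIT_ONLY = "View & Update At Unit Level Only"
PERMISSIONS = (NONE, VIEW_ONLY, VIEW_UPDATE, VIEW_UPDATE_UNIT_ONLY)


def set_rule(rules: dict, path: tuple, permission: str) -> None:
    """Record a permission for a panel, section, report group or individual screen."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    # the page: unit-level-only is offered only for Policies Panel and Reports Panel objects
    if permission == VIEW_UPDATE_UNIT_ONLY and path[0] not in ("POLICIES_PANEL", "REPORTS_PANEL"):
        raise ValueError("View & Update At Unit Level Only applies only to Policies and Reports objects")
    rules[path] = permission


def effective_permission(rules: dict, screen: tuple) -> str:
    """Walk from the full screen path up to the panel; the first rule found wins."""
    for depth in range(len(screen), 0, -1):
        if screen[:depth] in rules:
            return rules[screen[:depth]]
    return NONE    # new users and groups start with no privileges


def merged_rules(group_rules: dict, user_rules: dict) -> dict:
    """Individual user settings override the settings inherited from the group."""
    return {**group_rules, **user_rules}


def visible(rules: dict, screens) -> list:
    return [s for s in screens if effective_permission(rules, s) != NONE]


def demo() -> dict:
    """The page's Status / Up-Time example plus one per-user override."""
    status = ("REPORTS_PANEL", "UTM", "Status")
    uptime_summary = status + ("Up-Time Summary",)
    uptime_over_time = status + ("Up-Time over Time",)
    bandwidth = ("REPORTS_PANEL", "Firewall", "Bandwidth")   # the page's executive-team example

    group = {}
    set_rule(group, status, VIEW_ONLY)                 # whole Status group readable ...
    set_rule(group, uptime_over_time, NONE)            # ... except this one report
    set_rule(group, ("REPORTS_PANEL", "Firewall"), VIEW_ONLY)

    user = {}
    set_rule(user, bandwidth, VIEW_UPDATE_UNIT_ONLY)   # one member gets more on one screen

    rules = merged_rules(group, user)
    return {
        "status_visible": [s[-1] for s in visible(rules, [uptime_summary, uptime_over_time])],
        "uptime_summary": effective_permission(rules, uptime_summary),
        "bandwidth_user": effective_permission(rules, bandwidth),
        "bandwidth_group_only": effective_permission(group, bandwidth),
        "unrelated": effective_permission(rules, ("CONSOLE_PANEL", "Management", "Users")),
    }
```

When auditing a user's access, resolve each screen with this walk rather than reading the group's setting alone: the example shows the group sees Bandwidth as View Only while the user, through an override, can update it at unit level.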
Configuring Appliance Access
To configure which SonicWALL appliances a user or user group can access, perform the following steps:
1. Open the Management > Users configuration screen.
2. Select the user or user group.
3. Select a View from the Views pull-down menu.
4. To provide the user with access to a SonicWALL group or appliance, select a SonicWALL group or appliance in the left pane of the window and click Add. The group or appliance displays in the right pane.
5. Repeat Step 4 for each group or appliance to add.
6. To prevent the user from accessing a SonicWALL group or appliance, select the group or appliance in the right pane of the window and click Remove. The group or appliance is deleted from the right pane.
7. Repeat Step 6 for each group or appliance to remove.
Configuring Unit, View, and Other Permissions
1. Open the Management > Users configuration screen.
2. Select the user group.
3. Select the unit actions you wish to be available for this group in the Units section:
Add Unit, Modify Unit, Delete Unit: add, delete, or modify GMS management specifications of managed units
Rename Unit: rename units
Login to Unit: gain access to the managed unit's GUI through GMS
Modify Properties: modify properties of managed units
Re-assign Agents: move units between agents
4. Select the view options you wish to be available for this group in the Views section:
alter the properties of views
change between views
5. Select any remaining options for this group in the Others section:
manage using the command line interface (CLI)
easily switch between the System and Management interfaces
configure and use the Web Services feature
Custom Groups
The SonicWALL GMS uses an innovative method for organizing SonicWALL appliances. SonicWALL appliances are not forced into specific, limited, rigid hierarchies. Simply create a set of fields that define criteria (e.g., country, city, state) which separate SonicWALL appliances. Then, create and use views to display and sort appliances on the fly.
Although SonicWALL GMS supports up to ten custom fields, only seven fields can be used to sort SonicWALL appliances at any given time.
The following are examples of custom fields that you can use:
Geographic: useful for organizing SonicWALL appliances geographically, especially in combination with other grouping methods. Geographic fields may include Country, Time Zone, Region, State, and City.
Customer-based: useful for organizations that are providing managed security services for multiple customers. Customer-based fields may include Company, Division, and Department.
Configuration-based: useful when SonicWALL appliances will have very different configurations (e.g., Filtering, No Filtering, Pornography Filtering, Violence Filtering, or VPN).
User-type: different service offerings can be made available to different user types. For example, engineering, sales, and customer service users can have very different configuration requirements. Or, if offered as a service to end users, you can allow or disallow network address translation (NAT) depending on the number of IP addresses that you want to make available.
SonicWALL GMS is pre-configured with four custom fields: Country, Company, Department, and State. These fields can be modified or deleted. To add fields, perform the following steps:
1. Click the Console tab, expand the Management tree and click Custom Groups.
2. Right-click Custom Groupings in the right pane.
3. Select Add Group from the pop-up menu.
4. Enter the name of the first field.
5. Select the newly created field and select Add Group from the pop-up menu.
6. Enter the name of the new field.
7. Repeat Steps 5 and 6 for each field that you want to create. You can create up to ten fields.
Note
Although the fields appear to be in a hierarchical form, this has no effect on how the fields will appear within a view. To define views, see Configuring Unit, View, and Other Permissions on page 961.
To modify or delete fields, right-click any of the existing fields and select Modify or Delete from the pop-up menu.
Sessions
The Sessions page of the Management section of the GMS Console allows you to view session statistics for currently logged in GMS users and to end selected sessions.
Managing Sessions
On occasion, it may be necessary to log off other user sessions. To do this, perform the following steps:
1. Click the Console tab, expand the Management tree and click Sessions. The Sessions page displays.
2. When more than one session is active, a checkbox is displayed next to each row. Select the check box of each user to log off and click End selected sessions. The selected users are logged off.
Agents
The Agents page provides information for the SonicWALL GMS primary and backup agent servers that are managing the SonicWALL appliances. This page lists the IP address and status of each agent server, the IP address and password of the GMS gateway for each agent server, and the number of firewalls under SonicWALL GMS management. You can also schedule all the tasks for each agent server to be executed during a specified time period.
Note
You can also use this page to remove agents, but an agent cannot be removed while it is managing any firewalls.
1. Click the Console tab, expand the Management tree and click Agents. The Agents page displays.
2. The summary section displays the number of installed and running agents. Select the IP address of the Agent you want to view from the Agent IP list box.
3. The Agent Name field displays the name of the selected Agent. The agent name can be modified by editing this field.
4. To specify when tasks can run, select the start time from the Daily At list box. The time is based on the SonicWALL appliance's local time.
5. For each agent server, the GMS Gateway IP address and password are displayed. If you change the GMS gateway IP address or password, you must also change the settings on this page.
6. To change the name of the GMS Gateway administrator for selected firmware/models, enter the name in the GMS Gateway Username field (default: admin).
7. To change the password used to log in as the GMS Gateway administrator, enter the password in the GMS Gateway Password field.
8. For each agent server, the Firewalls for Primary Management list box lists the SonicWALL appliances that are assigned to the agent server for primary management. The total number is also displayed.
9. For each agent server, the Firewalls for Standby Management list box lists the SonicWALL appliances that are assigned to the agent server for backup management. The total number is also displayed.
10. For each agent server, the Firewalls Under Active Management list box lists the SonicWALL appliances that are actively being managed by the agent server. The total number is also displayed.
11. When you are finished, click Update. The settings are changed. To clear the settings and start over, click Reset.
SNMP Managers
The SNMP Managers page enables you to specify SNMP Managers to which SonicWALL GMS will send SNMP Traps.
1. Click the Console tab, expand the Management tree and click SNMP Managers. The SNMP Managers page displays.
2. Select the IP address and port of the SNMP Manager from the SNMP Manager IP/Port fields.
3. Specify the IP addresses of SNMP Hosts to which traps will be forwarded in the SNMP Host to forward traps to fields.
4. To enable trap forwarding, select the Enable SNMP Trap Forwarding check box.
5. To enable trap email, select the Enable SNMP Trap Email check box.
6. When you are finished, click Update. The settings are changed. To clear the settings and start over, click Reset.
Inheritance Filters
The Inheritance Filters page specifies which settings are inherited from the group when adding a new SonicWALL appliance.
To configure the Inheritance Filters page, perform the following steps:
1. Click the Console tab, expand the Management tree and click Inheritance Filters. The Inheritance Filter page displays.
2. To edit an existing filter, select the filter from the Select Filter list box. To specify a new filter, select New Filter from the Select Filter drop-down menu and type a name in the Filter name field.
3. Select which page settings are inherited in the Inheritance Filter Detail section.
4. Select the type of access that is available to each SonicWALL GMS user group from the Access for each UserType section.
5. When you are finished, click Add for a new filter or click Update for an existing filter. The settings are changed. To clear the settings and start over, click Reset.
Message of the Day
To configure the Message of the Day page, perform the following steps:
1. Click the Console tab, expand the Management tree and click Message of the Day. The Message of the Day page displays.
2. Select all users, a user group, or an individual user.
3. Enter message text in the Message field.
4. Select whether the message text will be displayed in plain text or HTML.
5. Select the start and end date of the message (default: current day).
6. When you are finished, click Update. The settings are changed.
7. Repeat this procedure for each group or user for which this message will be displayed.
Database Maintenance
The Database Maintenance page allows you to back up the MySQL databases used by SonicWALL GMS. This screen is not applicable to deployments using SQL Server.
Note
The Console > Management > Database Maintenance page only appears in the management interface when a MySQL database is being used.
You can configure the type of backup, schedule for periodic backups, folder for backup storage, and number of backups (up to 3) to keep. You can also perform an immediate database backup from this page. Existing backups of the database are listed, and you can select from them to restore your databases.
- Configuring Backup Schedule and Settings, page 978
- Backing Up a Database Immediately, page 979
- Restoring a Database Backup, page 979
If you have a SonicWALL UMA appliance, you can download and run the Data Export Wizard. The wizard will help you configure a Java-based client and a corresponding script that you can use to schedule recurring, automatic backups. For information about the Data Export Tool see the Data Export Wizard section on page 91.
Configuring Backup Schedule and Settings
1. Click the Console tab, expand the Management tree, and click Database Maintenance. The Database Maintenance page displays.
2. Under Database Backup Schedule, select one of the following from the Database Backup Type drop-down list:
- Current data - Backs up system information and all data in sgmsdb
- Archived and Raw syslog data - Backs up the archived data that is moved from sgmsdb to other files at the end of every month, and backs up raw syslog data
- Complete data - Backs up all data including sgmsdb and all archived data and raw syslog data; this option requires the most time
3. Select the desired backup schedule from the Database Backup Schedule drop-down list. You can select a pre-configured schedule or a custom schedule, which you can configure in the Console > Events > Schedule screen.
4. When finished selecting options under Database Backup Schedule, click the Update Backup Schedule button.
5. Under Database Backup Settings, in the Backup files to directory [installDir] field, enter the folder name in which you want to store the backup files.
6. Select the Zip files checkbox if you want the backup to be compressed and stored as a .zip file.
7. In the Number of backups to store field, enter the number of backups you want to store. The maximum is 3. When the maximum number of backups is reached in the configured folder, the oldest one will be removed when a new backup is created. If the folder is changed, existing backups in the previous folder will not be deleted.
8. When finished selecting options under Database Backup Settings, click the Update Backup Settings button.
Backing Up a Database Immediately
1. On the Console > Management > Database Maintenance page, under Immediate Database Backup, select the type of backup from the Backup database now drop-down list. You can select one of the following types:
- Current data - Backs up system information and all data in sgmsdb
- Archived and Raw syslog data - Backs up the archived data that is moved from sgmsdb to other files at the end of every month, and backs up raw syslog data
- Complete data - Backs up all data including sgmsdb and all archived data and raw syslog data; this option requires the most time
2. Select the Zip files checkbox if you want the backup to be compressed and stored as a .zip file.
3. Click the Backup Database Immediately button.
4. In the confirmation dialog box, click OK.
Restoring a Database Backup
Note
All services except the Web Server and the Database Service should be manually stopped before restoration is started to avoid corruption of data. For multi-agent systems, the services on the agents should also be stopped before restore.
To restore your database with one of your backups, perform the following steps:
1. On the Console > Management > Database Maintenance page, under Database Restore, select the radio button for the backup that you want to restore.
2. Click the Restore Database button.
3. In the confirmation dialog box, click OK.
4. For GMS software installations, you must restart the Web Server service manually after the backup is completed.
- Settings section on page 981
- Summarizer section on page 983
- Email/Archive section on page 994
- Scheduled Reports section on page 995
- Management section on page 1000
Settings
The Settings page under Reports on the Console panel provides a check box for enabling the sort option in report tables. You can also specify the number of appliances which can have Log Viewer enabled at the same time. See the following:
- Enabling Report Table Sorting section on page 982
- Controlling the Number of Appliances with Log Viewer Enabled section on page 982
Enabling Report Table Sorting
1. Click the Console tab, expand the Reports tree and click Settings.
2. To enable the report table sort option, select the Enable Sort Option on Report Tables checkbox. To disable sorting, clear the checkbox.
3. Click Update.
Controlling the Number of Appliances with Log Viewer Enabled
For detailed information about Log Viewer files, see the Log Viewer Files section on page 985. To change the number of appliances for which Log Viewer can be enabled:
1. Click the Console tab, expand the Reports tree and click Settings.
2. Under Log Viewer Settings, in the Maximum number of appliances on which Log Viewer can be enabled field, enter the number of appliances for which Log Viewer can be enabled. The default is five.
3. Click Update.
Note
Limiting the number of appliances for which the Log Viewer is enabled will increase the overall performance of your SonicWALL GMS system.
Summarizer
This section contains the following subsections:
- About Summary Data in Reports on page 983
- About the Distributed Summarizer on page 984
- Summarizer Settings and Summarization Interval on page 987
- Configuring the Syslog Deletion Schedule Settings on page 991
- Configuring Host Name Resolution on page 992
About the Distributed Summarizer
- Summarizer Processing and Files, page 984
- Log Viewer Files, page 985
- Additional Files, page 986
The Distributed Summarizer (also known as Gen 2 Summarizer) gathers and processes the syslog data that the reports use. The Distributed Summarizer provides improved performance over the Gen 1 Summarizer (which captured the syslog directly into the database). For GMS releases after version 2.9.4, the Distributed Summarizer is enabled by default, and for GMS 5.0 and higher, the Gen 1 Summarizer is no longer an option. The Summarizer page manages the configuration of the Distributed Summarizer.
Summarizer Processing and Files
With the Distributed Summarizer, the syslog is stored on the agent's hard drive at the syslogFilePath location specified in [installdir]\conf\sgmsConfig.xml. The syslog messages are initially stored in a *.log file. When this file contains about 10K lines, the file is renamed to *.src and is ready for processing. The format of the filename is:
AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS.SRC
When the summarizer starts, it groups the files for each unit and names each file with this format:
AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS_SERIAL_UnitType__#.UNP
As the summarizer processes the data, it creates PRG and PRE files. PRG files are created when the summarizer is grouping the data and preparing it for reports. PRE files contain error status information for each report type, and are used to track errors and failed upload attempts. When parsing is complete, the report data, or summary data, is uploaded to the database. The PRG files contain the raw syslog data, but only the data necessary for reports is uploaded to the database. The format of these files is as follows:
AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS_SERIAL_UnitType__#.PRG
AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS_SERIAL_UnitType__#.PRE
When the upload is complete, the PRE files are deleted and the PRG files are converted to this format:
AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS_SERIAL_UnitType__#.UPL
If the Log Viewer is enabled for a UTM appliance, additional files will be created from the raw syslog data in the UPL files (see Log Viewer Files, page 985). If the Log Viewer is not enabled, the UTM appliance's UPL files are saved as PRD files in this format:
AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS_SERIAL_UnitType__#.PRD
At the configured syslogArchiveInterval (also in C:\sgmsConfig.xml), the PRD files are zipped and moved to the \archivedSyslog folder.
At the configured syslogArchiveInterval, the UPD files are zipped with the PRD files mentioned above and moved to the \archivedSyslog folder.
If there is no raw syslog data to be uploaded to the rawsyslogdb database, you may see this message in the GMS log:
Raw syslog file upload ended. No syslog files were uploaded to database since upload has been disabled for the units encountered
If there were problems uploading the raw syslog data to the database, the Raw Syslog Data Uploader quarantines the syslog files that fail three consecutive times. The files are quarantined in the \badSyslogs folder. The Uploader renames the original processed syslog file with the .UPE (UPload Error) extension, then deletes the corresponding format (.UDP) file.
The diagram in Figure 12 displays the summarizer process.
Figure 12 Summarizer Process
Additional Files
The following files may also be seen:
- IMF (Infected Message File) - The summarizer has a mechanism to identify a possible infection of a host behind a UTM appliance by looking at the volume of data in the syslog file. This enables the summarizer to bypass certain reports, which will improve the performance. The infected file will be marked with the IMF extension and a log entry will be made in the StdVPSummarizer0.log file.
- NMM (Not My Message File) - Syslog messages containing a serial number not found in the system are logged to this file type. Additionally, if the vpsummarizer.associateScheduler parameter in sgmsConfig.xml is set to 1, then the summarizer will not process syslog from units which are not managed by that agent. Syslog received from these units will be stored in a file with the NMM extension.
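The file lifecycle described above (SRC through PRD) and the IMF, NMM and UPE files can be checked from a listing of the agent's syslogFilePath folder. The following is an added example, not code from the SonicWALL guide or product; it assumes that AgentID, SERIAL and UnitType contain no underscores, and the agent IDs, serials, unit types and the six-hour stale threshold are constructed values.

```python
# Classify Distributed Summarizer work files by the filename scheme described above.
# Added example; not code from the SonicWALL GMS guide or product.
import re
from collections import Counter
from datetime import datetime, timedelta

# Filename grammar from the guide:
#   AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS.SRC
#   AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS_SERIAL_UnitType__#.<UNP|PRG|PRE|UPL|PRD>
# Assumption: AgentID, SERIAL and UnitType contain no underscores.
_NAME_RE = re.compile(
    r"^(?P<agent>[^_]+)_(?P<start>\d{8}_\d{6})_to_(?P<end>\d{8}_\d{6})"
    r"(?:_(?P<serial>[^_]+)_(?P<unit_type>[^_]+)__(?P<seq>\d+))?"
    r"\.(?P<ext>[A-Za-z]+)$"
)
_TS_FMT = "%Y%m%d_%H%M%S"

# Normal lifecycle, keyed by extension: (processing order, meaning).
STAGES = {
    "LOG": (0, "syslog still being written; renamed to .SRC at about 10K lines"),
    "SRC": (1, "waiting for the summarizer"),
    "UNP": (2, "grouped per unit, not yet processed"),
    "PRG": (3, "being grouped and prepared for reports"),
    "PRE": (3, "per-report error status; deleted once the upload completes"),
    "UPL": (4, "summary data uploaded to the database"),
    "PRD": (5, "processed; zipped to \\archivedSyslog at syslogArchiveInterval"),
    "UPD": (5, "Log Viewer raw syslog; archived together with the PRD file"),
}
STAGES["UDP"] = STAGES["UPD"]  # the guide uses both spellings for this file
UPLOADED = STAGES["UPL"][0]     # anything below this order is still in flight

# Extensions that signal a problem an operator should look at.
ATTENTION = {
    "UPE": "raw syslog upload failed three times; file quarantined in \\badSyslogs",
    "IMF": "possible infected host behind the unit; see StdVPSummarizer0.log",
    "NMM": "serial number unknown to GMS or not managed by this agent",
}

def parse_summarizer_filename(name):
    """Return the fields encoded in a summarizer filename, or None if it does not match."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    ext = m.group("ext").upper()
    if ext not in STAGES and ext not in ATTENTION:
        return None
    return {
        "agent": m.group("agent"),
        "start": datetime.strptime(m.group("start"), _TS_FMT),
        "end": datetime.strptime(m.group("end"), _TS_FMT),
        "serial": m.group("serial"),  # None for .LOG/.SRC files (not yet split per unit)
        "unit_type": m.group("unit_type"),
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "ext": ext,
    }

def summarize_listing(names, now=None, stale_after_hours=6):
    """Report pipeline state for a syslogFilePath listing; the stale threshold is an assumption."""
    by_stage, attention, stale, unrecognized, latest = Counter(), [], [], [], {}
    for name in names:
        info = parse_summarizer_filename(name)
        if info is None:
            unrecognized.append(name)
            continue
        ext = info["ext"]
        if ext in ATTENTION:
            attention.append((name, ATTENTION[ext]))
            continue
        by_stage[ext] += 1
        order = STAGES[ext][0]
        key = (info["agent"], info["serial"])  # furthest stage seen per agent/unit
        if key not in latest or order > STAGES[latest[key]][0]:
            latest[key] = ext
        # Still in flight long after its window closed: the summarizer may be stuck.
        if now is not None and order < UPLOADED and now - info["end"] > timedelta(hours=stale_after_hours):
            stale.append(name)
    return {"by_stage": dict(by_stage), "attention": attention, "stale": stale,
            "unrecognized": unrecognized, "latest_stage": latest}

# Constructed listing: agent IDs, serials and unit types are invented sample values.
SAMPLE_LISTING = [
    "agent01_20100301_000000_to_20100301_010000.SRC",
    "agent01_20100301_030000_to_20100301_040000_0017C5AAAA01_NSA__2.PRG",
    "agent01_20100301_030000_to_20100301_040000_0017C5AAAA01_NSA__2.PRE",
    "agent01_20100301_040000_to_20100301_050000_0017C5AAAA01_NSA__3.UPL",
    "agent01_20100301_050000_to_20100301_060000_0017C5BBBB02_TZ__1.PRD",
    "agent01_20100301_050000_to_20100301_060000_0017C5BBBB02_TZ__1.UDP",
    "agent02_20100301_050000_to_20100301_060000_0017C5CCCC03_NSA__1.UPE",
    "agent02_20100301_060000_to_20100301_070000_0017C5DDDD04_NSA__1.IMF",
    "agent02_20100301_060000_to_20100301_070000_0017C5EEEE05_NSA__1.NMM",
    "readme.txt",
]

def run_sample():
    """Evaluate the constructed listing at a fixed clock so the result is repeatable."""
    return summarize_listing(SAMPLE_LISTING, now=datetime(2010, 3, 1, 8, 30), stale_after_hours=6)

if __name__ == "__main__":
    for name, reason in run_sample()["attention"]:
        print(f"CHECK {name}: {reason}")
```

Running the module prints the files that need attention; run_sample() returns the full report, including per-stage counts and any file still short of UPL six hours after its window closed.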
Summarizer Settings and Summarization Interval
- Enabling Report Summarization section on page 987
- Setting the Reports Data Summarization Interval section on page 987
- Using Summarize Now section on page 989
Enabling Report Summarization
1. On the Console panel, navigate to Reports > Summarizer.
2. Under Summarizer Settings, select the Enable Report Summarization checkbox.
3. Click Update.
Setting the Reports Data Summarization Interval
1. Click the Console tab, expand the Reports tree and click Summarizer. The Summarizer page displays.
2. Under Reports Data Summarization Interval, important information about the Summarizer is displayed. Use the Summarize every drop-down lists to specify how often, in hours and minutes, the GMS Reporting Module should process syslog data and update summary information.
3. Click the Update button to the right of this field.
4. To specify the next summarization time, enter a date in the form mm/dd/yyyy in the Next Scheduled Run Time field, and select the hour and minute values from the drop-down lists.
5. Click the Update button to the right of this field.
6. To update the summary information now, click the Summarize Now button. SonicWALL GMS will automatically process the latest information and make it available for immediate viewing.
Note
This will not affect the normally scheduled summarization updates on the GMS Agent. For more information about using and verifying the Summarize Now option, see the Using Summarize Now section on page 989.
Using Summarize Now
1. Click the Console tab, expand the Reports tree and click Summarizer.
2. Click the Summarize Now button. You will see a pop-up window verifying that you want to summarize the data now. Summarizing data using Summarize Now is a one-time action and will not affect the scheduled summary. Click OK to continue.
3. To verify summarization, navigate to Log > View Log in the center pane. Search for the message Report Data Summarized to verify that the Summarize Now action has completed.
4. When Summarize Now has completed, click the Reports tab. In the left-most pane, click GlobalView or click a group or a managed appliance.
Note
You may see incomplete data if you view the Summary section of a selected report before the Summarize Now process is complete. Wait for the Report Data Summarized message to be displayed in Log > View Log.
5. In the center pane, click a report to expand it, then click the Summary option underneath it. For example, click Bandwidth, then click Summary to review the summarized bandwidth usage data.
6. Navigate to the Summary section of other reports in the center pane to see other summarized data.
Configuring the Syslog Deletion Schedule Settings
Tip
Run your database maintenance jobs soon after the completion of the scheduled tasks configured on this page for summarizing data and deleting old syslog data.
For information about setting the number of days to store syslog files, the syslog database, and the summary database, see the Configuring Data Storage Settings section on page 677. To configure the syslog and summarized data deletion settings, perform the following:
1. On the Console panel, navigate to Reports > Summarizer.
2. Under Syslog Deletion Schedule, select the time for daily deletion in the hour and minute Delete Syslog Data Daily at drop-down lists. Syslog data will be deleted at this time only after being stored for the number of days configured.
3. Click the Update button to the right of this field.
4. To delete summarized data from a specific date, enter a date in the form mm/dd/yyyy in the Delete Summarized Data For field.
5. Click the Update button to the right of this field.
Configuring Host Name Resolution
To use the Host Name Resolution feature, perform the following steps:
1. On the Console panel, navigate to Reports > Summarizer. The Host Name Resolution Settings section is displayed at the bottom of the page.
2. To resolve host names for destination IP addresses, select the Resolve Destination Host Names checkbox.
3. To resolve host names for source IP addresses, select the Resolve Source Host Names checkbox.
4. To set the interval at which the name resolution crawler runs, select the number of minutes in the Periodic Crawling Interval drop-down list. Performance may be affected while the name resolution crawler is running, especially for the Summarizer module.
Email/Archive
The Console > Reports > Email/Archive page provides global options for setting the time and interval for emailing/archiving scheduled reports, and global settings for the Web server, logo, and PDF sorting options.
1. Click the Console tab, expand the Reports tree and click Email/Archive. The Email/Archive page displays.
2. To set the next archive time, enter the date and time in the Next Scheduled Email/Archive Time fields and click Update.
3. To specify the day to send weekly reports, select the day from the Send Weekly Reports Every list box and click Update.
4. To specify the date to send monthly reports, select the date from the Send Monthly Reports Every list box and click Update.
5. If the Web server address, port, or protocol has changed since SonicWALL GMS was installed, the new values will automatically appear in the Email/Archive Configuration section. These settings can be modified on the System Interface, and cannot be modified here.
6. Under Logo Settings, you can select a logo to be used on reports. By default, the SonicWALL logo is used. To select another logo, click Browse next to the Logo File field or type the path and filename into the field, and then click Update.
7. Under SortBy Settings for PDF Reports, select one of the following as the sorting criteria for reports and then click Update.
- Mbytes - Sort reports by the number of megabytes in each entry
- Hits/Connections/Events - Sort reports by the number of hits,
Scheduled Reports
The Scheduled Reports page allows you to manage all the report schedules in the system from a central location. This page lists all the schedules in the system, enabling you to monitor the status of these recurring schedules and re-send failed schedules, if needed. For information on adding a new scheduled report, see Adding or Editing a Scheduled Report section on page 673. Under Search Results, the table indicates whether each schedule is enabled, along with information about the last execution time of a schedule, whether it ran successfully and the error that occurred if it failed, the last run type (scheduled or one time run), along with the node, owner and other relevant information. The Summary section provides status information on your report schedules. The Search Criteria section provides settings for searching report schedules. Results of your searches are displayed in the Search Results section.
1. Click the Console tab, expand the Reports tree and click Scheduled Reports. The Scheduled Reports page displays.
2. Define the Search Criteria tab. The Search Criteria tab contains the following elements to refine your search:
- Schedule Type - Select from the following schedule types: All Schedules, Daily Schedules, Weekly Schedules, Monthly Schedules
- Status - Select from the following status conditions: All, Failed, In Progress, Success, In Queue, Partial Failure
- SonicWALL Node - Select from the following SonicWALL nodes: All, Per Unit, View
- Owner - Displays the owner (admin).
- Name Contains - Enter a context string to search by keywords.
- Error Contains - Enter a context string to search by keywords.
- Use Condition - Select from the following conditions: And, Or
- Match Case - Select this checkbox to make your searches case sensitive.
3. Click Start Search to begin searching, or click Clear Search to reset all fields and start over.
The results of your search are displayed in a table in the Search Results section. You can adjust the number of schedules displayed, go directly to a row of the table, or navigate to other screens by clicking on links within the table.
To work with the search results:
1. To adjust the number of schedules displayed in the table, enter a number of rows to display in the Show Schedules Per Screen field, and then click on the checkmark.
2. To go directly to a row of the table, enter the row number in the Go To Schedule Number field, and then click on the checkmark.
3. The columns in the table are as follows:
- The check box allows you to select the schedule for emailing or archiving.
- The notepad icon is a link to the Schedule Properties page.
- Enabled - A green check mark indicates that this schedule is enabled, ... You can click on the column heading to sort by this field.
- ... link to access the report for editing. You can click on the column heading to sort by this field.
- Type - All, Daily Schedules, Weekly Schedules, and Monthly Schedules.
- Unit/Group/Devices(s) - The host name of the SonicWALL appliance, ... You can click on the column heading to sort by this field.
- Status - Includes the following report status options: Blue: Queued, waiting to be processed. Yellow: Currently processing. Orange: Report completed with errors. Red: Report failed with errors. Green: Report processed successfully. You can click on the column heading to sort by this field.
- Last Run Type - Indicates if the most recent run was a scheduled run or a one-time execution. You can click on the column heading to sort by this field.
- Last Error - Displays the error condition from the most recent run, if any. You can click on the column heading to sort by this field.
- Owner - Indicates the user ID of the user who created the schedule. You can click on the column heading to sort by this field.
For each sortable field, an arrow is displayed in the column heading when that field is the basis for sorting, and indicates ascending or descending order.
4. To view the properties for a schedule, click the notepad icon in that row. The Schedule Properties page displays.
5. To view the report, click on the name of the report. Your screen will change to the report screen on the UTM or SSL-VPN panel.
Resending Schedules
Apart from selecting multiple schedules for a one-time execution by selecting the appropriate checkboxes and clicking the Email/Archive the Selected Schedules now, you can re-send required schedules using the Re-send the selected schedules for dates option.
1. Select the Schedule Type (Daily, Weekly, or Monthly) from the Search Criteria section and click Start Search. This lists all the schedules of the selected type.
2. Select the checkboxes of the schedules you want to resend. Provide a start date (and an end date if applicable). Reports are generated for the specified date/date range.
3. Click Re-send the selected schedules for dates. Reports are generated for the specific dates and emailed/archived as a one-time option for all the schedules selected.
Management
Report Data Management allows the SonicWALL GMS administrator to back up large amounts of report data incrementally and at specified intervals using MDTA. Typically, the total amount of data stored in an archive is equal to at least 30 days, although the best results are seen when storing at least 60 days of summarizer data. MDTA allows this archive to be built over time, archiving as little as 1 day of data each time the MDTA process is run.
Note
Total days to store summarized data in reports is set separately in the Console > Reports > Summarizer screen. Set this field for a value greater than 60 days for best results.
Step 1 In the GMS Administrator Interface, navigate to Console > Reports > Management.
Step 2 Check the box next to Enable Data Archive and click the corresponding Update button.
Step 3 Configure Data Archiving as follows, clicking the corresponding Update button after each line is completed:
- Save Data Archive Transaction Logs - Select to save truncated data archive transaction logs during each MDTA operation. Click the Update button. This option is deselected by default in order to conserve disk space.
- Next Scheduled Archive Time - Schedule an initial date (mm/dd/yyyy) and time (in 24-hour format) for the MDTA operation. Click the Update button. MDTA operations will take place every day at the time you specify, starting with your initial date selection.
- Number of Days to Archive - Specify the number of days worth of data to consider for each MDTA operation.
- Archive Data Immediately - Press this button to immediately start an on-demand MDTA operation. The archive will run immediately but your scheduled archive operation will still take place.
Note
High-traffic systems can generate reports that consume large amounts of memory, disk space and CPU time when using MDTA. Set your Number of Days to Archive and Scheduled Archive Time accordingly. To view when MDTA operations are starting and how long the process is taking, navigate to the Console > Log > View Log screen and look (or search) for the start and completed times for Report Data Archive.
- Debug Log Settings section on page 1003
- Request Snapshot section on page 1006
- Snapshot Status section on page 1008
- Summarizer Status section on page 1009
Debug Log Settings
1. Click the Console tab, expand the Diagnostics tree and click Debug Log Settings. The Debug Log Settings page displays.
2. Select the amount of debug information that is stored from the System Debug Level field. For no debugging, enter 0. For verbose debugging, enter 3.
3. Select a debug setting from the Custom Settings list, and check the Enable Current Custom Setting checkbox to enable it. If there is not a custom setting that meets your needs, select New Custom Setting. The custom debug settings control the selections in the Custom Settings Detail and Qualification Type sections of this page. Custom settings can be useful to repeat the same debug runs after making changes elsewhere in the product to monitor the effect of those changes.
4. If you selected New Custom Setting or you need to modify the current custom setting, configure the Custom Setting Detail section:
- Custom Setting Name: Enter the name for the new custom setting.
- Event Class: Select whether you want to monitor DEBUG, ...
- ... within the Event Class you selected. SonicWALL Technical Support can help you understand the names of the event types.
- Destination File Name: Enter a name for the file where your debug information will be written. The destination file will reside in: [GMS_Install_Directory]/Logs/
- Sys Output: Select this to enable the debug to capture all system information as it occurs.
5. Click Select Qualification List to select a list of Java classes in the GMS code in which to monitor debug symbols. The Qualification List is a list of Java classes. When you select Java classes in this list, the debug process monitors only the debug symbols in the Java classes you selected. Leave the list blank (it will display None) to monitor debug symbols for all classes.
6. In the Qualification Names window, select the Java packages you want to debug. You can include or exclude specific Java classes by entering their full package and class names in the Included Class File Name and Excluded Class File Name fields.
7. Click Update to accept your selections and close the window. You can clear your selections by clicking Reset.
Request Snapshot
In order for a technical support representative to troubleshoot a problem, you might be asked to take a snapshot of SonicWALL GMS or you might want to view the configuration yourself.
A snapshot includes the following information:
- Server state (Console or Agent only): whether a database connection could be established
- Environment information: CLASSPATH, PATH variables
- Web server listening port (Console only)
- Country
- Language
- Operating System
- IP Address
- MAC Address
- Machine data (memory size, etc.)
1. Click the Console tab, expand the Diagnostics tree and click Request Snapshot. The Request Snapshot page displays.
2. To take a snapshot of the SonicWALL GMS console, select GMS Console.
3. To take a snapshot of one or more SonicWALL GMS agents, select the Agent check box(es).
4. To take a snapshot of the GMS Gateway, select Gateway.
5. Click Submit Snapshot Request. SonicWALL GMS takes the snapshot.
6. To view the snapshot, see Viewing the Snapshot or Diagnostics.
Snapshot Status
Viewing the Snapshot or Diagnostics
To view a snapshot or SonicWALL diagnostics, perform the following steps:
1. Click the Console tab, expand the Diagnostics tree and click Snapshot Status. The Snapshot Status page displays.
2. Select the snapshot or diagnostics that you want to view from the Diagnostics requested list box.
3. To view the information, click View Snapshot Data.
4. To save the information to a file that you can send to technical support, click Save Snapshot Data.
5. To delete the information, click Delete Snapshot Data.
6. To refresh the information, click Refresh Snapshot Data.
Summarizer Status
The Summarizer Status page displays overall summarizer utilization information for the deployment including database and syslog file statistics, and details on the current status of each summarizer.
The Summarizer Status screen provides performance metrics for your network administrator to plan, design, and expand your GMS server deployment. This feature has information on the Syslog Collector and Summarizer metrics. The Summarizer metrics are available only for GMS deployments that have Distributed Summarizer enabled (enabled by default on GMS). The metrics are available for the past 24 hours, past seven days, and past 30 days. These metrics are reset (to zero) every 24 hours for daily metrics, every seven days for weekly metrics, and every 30 days for monthly metrics. Weekly metrics are not shown unless the data collection for weekly metrics started earlier than the daily metrics. Similarly, monthly metrics are not shown unless data collection for monthly metrics started earlier than for daily and weekly metrics. GMS will not display metrics for a component if the daily statistics collection started more than 26 hours earlier. This generally indicates that the component is not active. You can receive alert emails when Summarizer Status shows any abnormalities.
To reach the Summarizer Status screen, navigate to the Console panel of GMS and then to Diagnostics > Summarizer Status. The Summarizer Status page is divided into a section showing the overall deployment-wide summarizer status and sections with details for each summarizer. See the following sections:
- Summarizer Status Over 7 Days, page 1010
- Details for Summarizer at <IP Address>, page 1012
Summarizer Utilization
The top Summarizer Utilization section shows the average utilization of the summarizer over the applicable time period. The Dial Charts show the percent of total capacity used by the Syslog Collector or the Summarizer. The following metrics are also displayed in the Summarizer Utilization section:
- Total Run Time: Total amount of time spent generating summarization statistical data and results over the applicable time period.
- Number of Syslogs Received: Total number of syslogs received by the Summarizer over the applicable time period.
Note
Not all syslogs are summarized; some syslogs, such as heartbeat messages, are ignored. When Web Event Consolidation/Home Port Reporting is enabled, several syslogs may be ignored or, alternatively, consolidated into a single syslog. If your appliance is managed by a different Agent, the results are not summarized here.
- Number of Syslogs Summarized: Total number of syslogs summarized over the applicable time period.
- Average Syslogs Summarized per Minute: Average number of syslogs summarized per minute over the applicable time period.
- Estimated Unused Capacity in Syslogs: The estimated remaining capacity of the summarizer in terms of the number of syslogs it can summarize, based on the time taken and number of syslogs summarized over the applicable time period. This number does not include the discarded syslogs.
Tip
Usage Example: For this example, let's assume that the syslogs summarized per minute on a system is 18,108, and the average number of syslogs received on that system is 91 per firewall, per minute. Divide the number of syslogs per minute (18,108) by the number of syslogs per appliance per minute (91). This yields an estimate of 198 security appliances, assuming that the current appliances are a fair sample of the security appliances on your network. This simple math gives a reasonable estimate of the total number of security appliances this system should be able to handle, assuming that the Summarizer was to constantly summarize 24 hours (as in the case of a dedicated Summarizer).
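The Tip's arithmetic, together with the other Summarizer Utilization metrics described above, as an added worked example in Python. This is not SonicWALL code; it is a planner's approximation built only from the descriptions on this page. The inputs are the values the page reports. The formula for unused capacity (idle minutes in the period multiplied by the observed summarization rate, discarded syslogs excluded) and the 26-hour staleness rule follow the page's wording, but the exact formulas GMS uses internally are not on the page, so treat them as assumptions; the sample metric values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# GMS stops showing a component's metrics when its daily statistics
# collection started more than 26 hours earlier (see the text above);
# that usually means the component is not active.
STALE_AFTER = timedelta(hours=26)


@dataclass(frozen=True)
class SummarizerMetrics:
    """Metrics from the Summarizer Utilization section for one period
    (past 24 hours, 7 days or 30 days). Sample values are constructed."""
    period_minutes: int        # length of the period the metrics cover
    run_time_minutes: float    # Total Run Time spent summarizing
    syslogs_received: int      # Number of Syslogs Received
    syslogs_summarized: int    # Number of Syslogs Summarized

    def summarized_per_minute(self) -> float:
        """Average Syslogs Summarized per Minute, over the time actually spent running."""
        if self.run_time_minutes <= 0:
            return 0.0
        return self.syslogs_summarized / self.run_time_minutes

    def discarded(self) -> int:
        """Syslogs received but not summarized (heartbeats, consolidated web events)."""
        return self.syslogs_received - self.syslogs_summarized

    def utilization_percent(self) -> float:
        """Share of the period the summarizer was busy, as the dial chart shows it."""
        return min(100.0, 100.0 * self.run_time_minutes / self.period_minutes)

    def estimated_unused_capacity(self) -> int:
        """Assumed formula: idle minutes in the period times the observed
        summarization rate. Discarded syslogs are not counted, as on the page."""
        idle = max(0.0, self.period_minutes - self.run_time_minutes)
        return int(idle * self.summarized_per_minute())


def estimated_appliances(summarized_per_minute: float,
                         per_appliance_per_minute: float) -> int:
    """The Tip's estimate: appliances this summarizer can serve, assuming a
    dedicated summarizer running 24 hours. Rounds down (18,108 / 91 -> 198)."""
    if per_appliance_per_minute <= 0:
        raise ValueError("per-appliance syslog rate must be positive")
    return int(summarized_per_minute // per_appliance_per_minute)


def component_active(collection_started: str, now: str) -> bool:
    """False when daily collection started more than 26 hours before `now`.
    Both timestamps are ISO 8601 strings, e.g. "2010-06-01T08:00"."""
    started = datetime.fromisoformat(collection_started)
    return datetime.fromisoformat(now) - started <= STALE_AFTER


if __name__ == "__main__":
    # Reproduces the Tip: 18,108 syslogs per minute at 91 per appliance per minute.
    print("appliances:", estimated_appliances(18108, 91))
    sample = SummarizerMetrics(period_minutes=24 * 60, run_time_minutes=600,
                               syslogs_received=6_500_000, syslogs_summarized=6_000_000)
    print("rate/min:", sample.summarized_per_minute(),
          "utilization %:", round(sample.utilization_percent(), 1),
          "unused capacity:", sample.estimated_unused_capacity())
    print("still active:", component_active("2010-06-01T08:00", "2010-06-02T09:00"))
```

The appliance estimate rounds down on purpose: a fractional appliance cannot be served, and a planner wants the conservative figure. Feed in the past-7-days or past-30-days values rather than the past-24-hours values when planning, since a single day can be unrepresentative.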
Reporting Details
The Reporting Details section shows the number of appliances in the deployment, and the number with the following types of reports enabled:
Database Statistics
The size is displayed for each of the following databases:
- Current
- Archived
- Bad
Reporting Details
The Reporting Details section shows the number of appliances serviced by this summarizer, and the number with the following types of reports enabled:
- Syslog File Type: The type of files being reported on. There are ten main syslog file types:
  - Processed Files
  - Unprocessed Files
  - Grouped Files
  - Not Mine Files
  - Infected Files
  - Archived Files
  - Bad Files
  - Upload Pending Files
  - Uploaded Files
  - Bad Upload Files
- File Stats: The number of syslog files in the category and their size in Megabytes.
- Oldest: The date and time on the oldest file in the category.
If the summarizer is currently running, the page displays the thread, appliance identifier, file being used, and state of the summarizer.
If the summarizer is currently idle, the page displays the last run time and next run time.
- Granular Event Management Overview section on page 1015
- Using Granular Event Management section on page 1019
- Configuring Granular Event Management section on page 1023
- Viewing Current Alerts section on page 1040
- Sample Event Alert Reports section on page 1041
Severities: Severity is used to tag an alert as Critical, Warning, Information, or a custom severity level. You can create your own preferred severities and assign the order of importance to them from lowest to highest. When using a custom severity, you must define it before creating a threshold that uses it.
Thresholds: A threshold defines the condition that must be matched to trigger an event and send an alert. Each threshold is associated with a Severity to tag the generated alert as critical, warning, or another value. You must define a threshold prior to creating an alert that uses it. One or more threshold elements are defined within a threshold. Each element of a threshold includes an Alert Type (defined below), an Operator, a Value, and a Severity. When a value is received for an alert type, the GEM framework examines threshold elements to find a match for the specified condition. If a match is found (one or more conditions match), the threshold with the highest severity containing a matching element is used to trigger an event.
Schedules: You can use Schedules to specify the day(s) and time (intervals) in which to send an alert. You can also invert a schedule, which means that the schedule is the opposite of the time specified in it. For example:
- Send an alert during weekdays only, or weekends only, or only during business hours.
- Do not send an alert during a time period when the unit, network, or
Destinations: You can use Destinations to define where the alerts are sent. The destination(s) for an alert are specified in the Add Alert or Edit Alert screen. You can specify up to six destinations for an alert, such as multiple email addresses. For example:
- Send an alert to the Unit owner all the time.
- Send an alert to a GMS user during business hours.
- Send an alert to the admin also during non-business hours for immediate attention.
Alert types: Alert Types are pre-defined, static parameters and are not customizable. Alert types are used within threshold elements that define conditions that can trigger an event. Some example alert types are:
- Unit Up-Down Alert type
- VPN SA is UP-Down, Enable-Disable
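The threshold matching rule, the invert behaviour of schedules, and the per-destination schedules from the Destinations example above, as an added Python model. This is not GMS code (GMS itself is a Java application); it shows how the elements described above fit together. The severity names and their sequence follow the Events > Severity defaults, while the operator set, the email addresses, the business-hours definition and the sample threshold values are constructed for the example. The five-destination limit is the figure given under Duplicate Alerts later in this chapter; the overview above says six.

```python
import operator
from dataclasses import dataclass
from datetime import datetime, time

# Severities ordered by sequence number, lowest to highest, as on the
# Events > Severity screen; a custom severity would be added to this map.
SEVERITY_SEQUENCE = {"Information": 1, "Warning": 2, "Critical": 3}

# Comparison operators an element may use (assumed; the page does not list them).
OPERATORS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
             ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

MAX_DESTINATIONS = 5   # per-alert limit as stated under Duplicate Alerts


@dataclass(frozen=True)
class ThresholdElement:
    alert_type: str        # pre-defined alert type, e.g. "Capacity in Percentage"
    op: str
    value: float
    severity: str
    disabled: bool = False   # the Disable check box: kept, but never matches

    def matches(self, alert_type: str, observed: float) -> bool:
        if self.disabled or alert_type != self.alert_type:
            return False
        return OPERATORS[self.op](observed, self.value)


@dataclass(frozen=True)
class Threshold:
    name: str
    elements: tuple   # of ThresholdElement


def evaluate(thresholds, alert_type: str, observed: float, sequence=SEVERITY_SEQUENCE):
    """Return (threshold name, severity) for the highest-severity element that
    matches the received value, or None. Disabling every element of a
    threshold disables the threshold, because nothing can match."""
    best = None
    for threshold in thresholds:
        for element in threshold.elements:
            if not element.matches(alert_type, observed):
                continue
            if best is None or sequence[element.severity] > sequence[best[1]]:
                best = (threshold.name, element.severity)
    return best


@dataclass(frozen=True)
class Recurrence:
    """A recurring schedule: Days, Start Time, End Time. Invert makes the
    schedule active exactly when the specified times are not."""
    days: frozenset            # weekday numbers, Monday=0 .. Sunday=6
    start: time
    end: time
    invert: bool = False
    disabled: bool = False

    def active(self, when: datetime) -> bool:
        if self.disabled:
            return False
        inside = when.weekday() in self.days and self.start <= when.time() <= self.end
        return (not inside) if self.invert else inside


@dataclass(frozen=True)
class Alert:
    alert_type: str
    thresholds: tuple      # of Threshold
    destinations: tuple    # of (destination, schedule) pairs
    disabled: bool = False

    def __post_init__(self):
        if len(self.destinations) > MAX_DESTINATIONS:
            raise ValueError("at most %d destinations per alert" % MAX_DESTINATIONS)

    def dispatch(self, observed: float, when: datetime):
        """Destinations to notify for this value at this time, each with the
        matched severity; empty when nothing matches or the alert is disabled."""
        if self.disabled:
            return []
        hit = evaluate(self.thresholds, self.alert_type, observed)
        if hit is None:
            return []
        return [(dest, hit[1]) for dest, sched in self.destinations if sched.active(when)]


def at(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp such as "2024-01-09T10:00"."""
    return datetime.fromisoformat(iso)


# Constructed sample mirroring the Destinations example on the page.
WEEKDAYS = frozenset(range(5))
BUSINESS_HOURS = Recurrence(WEEKDAYS, time(8, 0), time(17, 0))
NON_BUSINESS_HOURS = Recurrence(WEEKDAYS, time(8, 0), time(17, 0), invert=True)
ALWAYS = Recurrence(frozenset(range(7)), time.min, time.max)   # 24x7

CAPACITY = Threshold("Capacity", (
    ThresholdElement("Capacity in Percentage", ">=", 80, "Warning"),
    ThresholdElement("Capacity in Percentage", ">=", 95, "Critical"),
))
CAPACITY_ALERT = Alert("Capacity in Percentage", (CAPACITY,), (
    ("unit-owner@example.com", ALWAYS),           # all the time
    ("gms-user@example.com", BUSINESS_HOURS),     # business hours only
    ("admin@example.com", NON_BUSINESS_HOURS),    # inverted: nights and weekends
))
```

With a value of 97 received on a Tuesday morning, both elements match and the Critical one wins, so the unit owner and the GMS user are notified; the same value on a Saturday reaches the unit owner and, through the inverted schedule, the admin. Disabling an element (rather than deleting it) simply removes it from matching, which is the behaviour the Disable check box is for.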
- Severities - You can use the pre-defined defaults or create your own Severities.
- Thresholds - You must configure the Thresholds that will trigger alerts.
- Schedules - You can use the pre-defined defaults or create your own Schedules.
These can be configured in the Console > Events screens. After you configure these elements in Console > Events, you can also create alerts on the UTM and SSL-VPN panels. The Super Admin (admin@LocalDomain) user is able to add a new Severity, Threshold, Schedule, Schedule Group, or Alert into any domain. Other administrative users may only create/edit objects within their own domain. The GEM process flow is illustrated below. As you can see, you begin by configuring Severities and end with creating Alerts.
including screens for Events > Settings, Severity, Threshold, Schedule, and Alert Settings. The UTM, SSL-VPN, CDP, and Email Security panels also provide an Events > Alert Settings screen where you can add, delete, enable, or configure alerts that relate to either policies or reports. You can create or update an alert at the global, group, or unit level in GMS. At the group or global level, the alert is then applied to all units in the group or globally. Whenever you add a new unit to GMS management, the alerts set at the global level are applied to the new unit. Group level alerts are not automatically applied to the new unit, but when you update an alert at the group level, the update applies the alert to the entire group including any new units.
Benefits
Granular Event Management offers a significant improvement in control over the way different events are handled. You now have more flexibility when deciding where and when to send alerts, and you can configure event thresholds, severities, schedules, and alerts from a centralized location in the management interface rather than configuring these on a per-unit basis.
Panel: Console
- Unit Status
- Unit WAN Status
- Unit HF Status
- Unit Locally Changed
- VPN Tunnel Status
- Capacity in Percentage
- Agent Quota Reached
- Unit Status
- Database Size Status
- Database Log Size Status (on MySQL DB only)
- Summarizer Utilization

Panel: Console
Schedule Groups:
- 24x7
- Weekdays 24 hours
- 8x5
- Weekend
Schedules:
- admin
- Monday 24 hours
- Monday business hours
- Tuesday 24 hours
- Tuesday business hours
- Wednesday 24 hours
- Wednesday business hours
- Thursday 24 hours
- Thursday business hours
- Friday 24 hours
- Friday business hours
- Saturday 24 hours
- Sunday 24 hours

Panel: Console
- Unit Status Report
- Database Info
- New Firmware Availability
- Database Size Status
- Database Log Size Status (on MySQL DB only)
- Summarizer Utilization Status
- Summarizer Backed-Up Files Status (on MySQL DB only)
About Alerts
The Events > Alert Settings screens are available in the Console, UTM, SSL-VPN, CDP, and ES panels. You can create and edit alerts on these screens. In the alert settings screens, you can combine all of the previous elements (severity, threshold, and schedule) that you have configured in the Console panel. The GEM framework provides different types of alert types for the respective areas of the GMS application:
- Policies panel: Alert settings for Management
- Reports panel: Alert settings for Reporting
- Console panel: Alert settings for the GMS application
Table 19  Available Alert Types

Console:
- Database Info
- New Firmware Availability
- Unit Status Report
- Database Size Status
- Database Log Size Status (on MySQL DB only)
- Summarizer Utilization Status
- Summarizer Backed-Up Files Status (on MySQL DB only)

Reports:
- Bandwidth Usage (Billing Cycle)
- Bandwidth Usage (Daily)
- Events/Hits Total (Daily)
- Number of Attacks (Daily)
- Number of Intrusions (Daily)
- Number of Spyware Attempts (Daily)
- Number of Virus Attacks (Daily)

Policies:
- Unit HF Status
- Unit Locally Changed
- Unit Status
- Unit WAN Status
- VPN Tunnel Status
Duplicate Alerts
Duplicate alerts are allowed in GMS. A duplicate alert uses the same alert type that is already used in an existing alert. You do not need to create a duplicate alert if you want to add to or change an existing alert. Normally, you would avoid creating a duplicate alert by editing an existing alert to add another threshold element, destination, or other component. For example, you can have two or more threshold elements in the same alert to trigger under different conditions.
At times there are benefits to creating a duplicate alert. As an example, only five destinations are allowed per alert, so a duplicate alert could include additional destinations. Or, you could create a duplicate alert that sends SNMP traps while the original alert sends email notifications. Also, if a threshold is being shared and you do not want to modify it, you can create a separate threshold and use it in a duplicate alert. GMS displays a warning when you try to create a duplicate alert. The warning serves as a reminder in case you forget that an alert already exists using the same alert type.
Note
Duplicate alerts use more resources from the alerting agent, but do not have a large impact on performance. You will receive two alert emails instead of one if the destinations are identical.
- Configuring Events on the Console Panel section on page 1023
- Configuring Alerts on the Policies Panel section on page 1037
- Configuring Alerts on the Reports Panel section on page 1038
- Adding Destinations and Schedules to an Alert section on page 1039

Configuring Events on the Console Panel
- Configuring Event Alert Settings on page 1023
- Configuring Event Severities on page 1025
- Configuring Event Thresholds on page 1026
- Configuring Event Schedules on page 1032
- Configuring Alerts on the Console Panel on page 1035

Configuring Event Alert Settings
The Events > Settings screen lets you configure:
- Email Alert Format, such as HTML (the default), text, or text for a pager
- Email Alert Frequencies and Thresholds
- Enable and Disable Alerts
1. On the Console panel, navigate to the Events > Settings screen.
2. Under Email Alert Format Preferences, select whether the email alert will be sent as HTML, Plain Text, or Plain Text (Pager). The Pager setting sends a very short email to ensure that the email is not cut off by the character limits of some pagers.
Note
To assist in your decision for choosing a type of alert format, refer to Email Alert Formats section on page 1042 to view the appearance of the types of Email Alert Format Preferences.
3. SonicWALL GMS provides a subscription expiry notification email that notifies the SonicWALL GMS administrator before warranty support, anti-virus, and content filtering services expire. By default, the email is sent to the SonicWALL GMS administrator 30 days and 7 days in advance of the firewall subscription service expiration dates. The email lists all managed SonicWALL appliances with expiring subscription services. In the E-Mail Alert Frequencies area, configure the notification and alert frequency settings:
- Subscription Expiration 1st Notice: Specifies when the first
4. Click Update.
Configuring Event Severities
The pre-defined severities are:
- Information: This is the lowest severity level
- Warning: This is a mid-range severity level
- Critical: This is the highest severity level
1. On the Console panel, navigate to the Events > Severity screen. On this screen, you can re-sequence the severities in importance by entering a severity sequence number in each field.
2. In the Add Severity dialog box, type a name for the new severity level in the Name field.
4. Choose the color associated with this severity level by selecting a color from the Color Chooser dialog. You can see a preview of the color you selected in the Preview field.
5. Click Update.
6. In the Console > Events > Severity screen, assign the level for the new severity you created by changing the numbering in the Sequence column of the Severity table.
7. Click Update.
Configuring Event Thresholds
- Adding a Custom Event Threshold on page 1027
- Adding a Threshold Element on page 1028
- Editing a Custom or Existing Threshold on page 1029
- Editing an Event Threshold Element on page 1029
- Enabling/Disabling Event Thresholds and Threshold Elements on page 1030
- Deleting a Threshold and Threshold Elements on page 1031
Adding a Custom Event Threshold
2. Click the Add Threshold button to add a new threshold.
3. In the Add Threshold dialog box, provide a name for the threshold value in the Name field.
4. Select the Visible to Non-Administrators check box if you want the threshold to be visible to non-administrators. If this is selected, anyone can view the threshold elements and use the threshold in customized reports.
Note
If the Visible to Non-Administrators check box is unchecked, only users from the Administrator group or the threshold creator will be able to view, use, edit, and delete the threshold. Whether this is selected or not, only the users from the Administrator group and the threshold creator will be able to edit or delete this object.
5. Click Update.

Adding a Threshold Element
1. To add a threshold element to the threshold, click the plus button in the Configure column of the Events > Threshold screen. The Add Threshold window will display.
4. In the Value field, enter a value.
5. In the Severity field, select a severity.
6. The Disable check box allows you to temporarily disable the threshold without deleting it. Select the Disable check box if you want to disable the threshold. For more information about the enabling and disabling feature, see Enabling/Disabling Event Thresholds and Threshold Elements section on page 1030.
7. Click Update.
Editing a Custom or Existing Threshold
The Edit Threshold window will display. In this window, you can edit the name of your threshold as well as allow this threshold to be visible to non-administrators. For more information on the visible to non-administrators feature, see Adding a Custom Event Threshold section on page 1027.
3. Click Update.
Editing an Event Threshold Element
1. On the Events > Threshold screen, click the Configure column in the element row.
2. In the Edit Threshold Element window, you can edit the following fields:
- Operator
- Value
- Description
- Severity
- Disable
Some alerts created by certain Alert Types contain predefined Thresholds that may not be edited. Alert Types: Unit HF Status, Unit WAN Status, Unit Locally Changed, and Thresholds with the same name in the Console Panel.
3. In the Operator field, select from the drop-down menu the type of operator to apply to your threshold element.
4. In the Value field, enter the value for your threshold element.
5. In the Description field, enter the description for your threshold element.
6. In the Severity field, select the severity priority from the drop-down menu. These are color coded for your easy reference on the Events > Threshold screen.
7. To disable the threshold element, click the Disable check box. See Enabling/Disabling Event Thresholds and Threshold Elements section on page 1030.
8. Click Update.
Enabling/Disabling Event Thresholds and Threshold Elements
You can disable a threshold by disabling all its elements. You can also disable individual elements within a threshold. To enable or disable Thresholds and/or their elements, perform the following tasks:
1. On the Console panel, navigate to the Events > Threshold screen. On this screen, you are able to view existing Thresholds. You can also view existing elements within those thresholds by clicking the expand button by a threshold. You have the following two options for the enabling/disabling feature:
- You can enable or disable a Threshold by disabling/enabling all the
2. To enable or disable a threshold and/or elements, click the edit button that is on the element level.
3. Select the Disable checkbox to disable the element or de-select the Disable checkbox to enable the element.
4. Click Update.
Deleting a Threshold and Threshold Elements
1. On the Events > Threshold screen, optionally expand the threshold to view the individual elements.
2. To delete a threshold, click the checkbox to the left of the threshold name. You will see that its elements are automatically selected as well.
3. To delete an element, select only the element checkbox.
4. When you have finished with your selections, click the Delete Threshold(s)/Element(s) button.
Configuring Event Schedules
- Adding an Event Schedule on page 1032
- Editing an Event Schedule on page 1033
- Adding an Event Schedule Group on page 1034
- Deleting a Schedule or Schedule Group on page 1034
Adding an Event Schedule
1. On the Events > Schedules screen, click Add Schedule.
2. Select the Visible to Non-Administrators check box if you want the schedule to be visible and usable by non-administrators.
3. To temporarily disable a schedule, select the Disable checkbox.
4. Click Invert to create a schedule that is off during the dates and times that you specify.
5. In the Schedule field, you can create one or more schedules. For each schedule, configure either:
- One Time Occurrence: Fill in the Date and Time fields.
- Recurrence: Fill in the Days, Start Time, and End Time fields.
6. Click Add to add this schedule to the Schedule List text box.
7. To delete an entry from the Schedule List text box, select the entry that you want to delete, and then click Delete. Click Delete All to delete all entries.
8. Click Update when you are finished.
Adding an Event Schedule Group
1. On the Events > Schedule screen, click the Add Schedule Group button.
2. Enter the name of your schedule group in the Name field.
3. Enter a description of your schedule group in the Description field.
4. Click the Visible to Non-Administrators check box to allow this schedule group to be viewed and used by non-administrators.
5. Click the Disable check box to temporarily disable the schedule group.
6. In the Schedules field, select the schedule(s) to add to your schedule group, and then use the arrow buttons to move the selected schedule into or out of the group. To move multiple schedule groups and/or schedules all at once, hold the CTRL button on your keyboard while making your selections.
7. Click Update.
Deleting a Schedule or Schedule Group
To delete an event schedule, schedule group, or remove a schedule from a schedule group:
1. Navigate to the Events > Schedule screen.
2. Click the check boxes of the schedule groups or schedules that you want deleted. When you click the schedule group check box, the schedules within that schedule group will be deleted as well.
3. To remove a schedule from a schedule group, click the expand button on the schedule group, and select the schedules you wish to remove within that group.
4. To delete the selected schedule group(s) or remove the selected schedules from a group, click the Delete Schedule Group(s)/Remove Schedules from Group button.
5. To delete the selected schedule(s), click the Delete Schedule(s) button.
Adding an Alert
To add an alert in the Console panel, perform the following steps:
1. Navigate to the Events > Alert Settings screen on the Console panel.
2. Click Add Alert.
3. In the Add Alert dialog box, optionally select the Visible to Non-Administrators checkbox. When the Visible to Non-Administrators checkbox is selected, anyone can use the Alert or view its details. When not selected, only users in the administrator group can view, edit, delete, or use this Alert.
4. To temporarily disable the alert, select the Disable checkbox. This is convenient for temporarily disabling the Alert rather than deleting it completely.
5. Select an alert type from the Alert Type drop-down list.
6. Click Edit Content to configure the Threshold to use for triggering the Alert. The Edit Content link displays [Not Edited] until you have edited the content for the alert. See the following sections for more steps to perform when adding an alert:
- Adding Destinations and Schedules to an Alert section on page 1039
Configuring Alerts on the Policies Panel
1. In the Policies > Events > Alert Settings screen, click Add Alert to access the Add Alert dialog box.
2. In the Add Alert dialog box, optionally select the Visible to Non-Administrators checkbox. When the Visible to Non-Administrators checkbox is selected, anyone can use the Alert or view its details. When not selected, only users in the administrator group can view, edit, delete, or use this Alert.
3. To temporarily disable the alert, select the Disable checkbox.
4. Select an alert type from the Alert Type drop-down list.
5. Click Edit Content to configure the Threshold to use for triggering the Alert. The Edit Content link displays [Not Edited] until you have edited the content for the alert. See the following sections for more steps to perform when adding an alert:
- Adding Destinations and Schedules to an Alert section on page 1039
Configuring Alerts on the Reports Panel
1. On the Reports > Events > Alert Settings screen, click Add Alert to access the Add Alert dialog box. The following screenshot shows an example of the Alert Types list available when adding an alert from the Reports panel:
2. In the Add Alert dialog box, optionally select the Visible to Non-Administrators checkbox. When the Visible to Non-Administrators checkbox is selected, anyone can use the Alert or view its details. When not selected, only users in the administrator group can view, edit, delete, or use this Alert.
3. To temporarily disable the alert, select the Disable checkbox.
4. Select an alert type from the Alert Type drop-down list.
5. Click Edit Content to configure the Threshold to use for triggering the Alert. The Edit Content link displays [Not Edited] until you have edited the content for the alert. See the following sections for more steps to perform when adding an alert:
- Adding Destinations and Schedules to an Alert section on page 1039
Adding Destinations and Schedules to an Alert
1. In the Add Alert dialog box, click Add Destination to create an entry under Destination / Schedule.
2. In the Destination drop-down list, select the type of email alert to send. For some email types, specify one or more email addresses in the second text box that GMS displays.
3. In the Schedule drop-down list, select the alert schedule from your choice of custom or predefined schedules or schedule groups. You can add up to five destinations and schedules to the Alert.
4. Repeat this procedure for additional destinations and/or schedules. A total of five destinations is allowed.
5. When you are finished, click Update. If you select another Alert Type before you click Update in the Add Alert dialog box, or if you click Reset, you lose the on-the-fly Threshold that you created and the Edit Content status becomes Not Edited.
Figure 13
Database Healthcheck
Figure 14
Figure 15
Plain Text
- GMS License section on page 1045
- SonicWALL Upgrades section on page 1049
GMS License
The following sections describe how to manage GMS licenses:
- Upgrading a Demo License to a Retail License on page 1046
- Product Licenses on page 1047
Upgrading a Demo License to a Retail License
1. Click the Console Panel tab, expand the Licenses tree and click Manage Licenses. The product License Summary page displays. If prompted to log in, enter your mysonicwall.com user name and password before continuing.
2. Enter the activation code in the Activation Code field and click Upgrade. The License Type will change to Retail License and the Current Nodes Allowed will change from 10 to 25.
Start SonicWALL GMS. The Registration page displays. Enter the demo upgrade activation code and click Update. The Login page displays and the license is upgraded.
Product Licenses
The Product Licenses page allows the user to view, upload, and manage licenses and subscriptions for this GMS installation.
License Summary
View license details on the Licenses > Product Licenses page, under the License section.
This section allows you to view the following information about security services and support services:
- Status: Displays whether the product is licensed or not licensed.
- Count: Displays the remaining number of licenses for this service.
- Expiration: Displays the expiration date of the service (if applicable).
This section allows you to view a summary of information about any subscriptions which carry an expiration date.
Managing Licenses
This feature allows licenses to be managed through your MySonicWALL.com account.
To manage licenses:
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Manage Licenses button. The MySonicWALL login page displays.
Refreshing Licenses
This feature allows the administrator to synchronize GMS with the MySonicWALL license server. Synchronization is useful if you have recently purchased new licenses, and these licenses are not yet appearing in the summary page. To refresh licenses:
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Refresh Licenses button. The License Summary page displays a message, and the date of last contact changes to reflect this.
Uploading Licenses
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Upload Licenses button. The Upload Licenses page displays.
3. Click the Browse... button to search for your locally stored license file. License files for manual updates are available for download through your MySonicWALL account.
4. Click the Upload button to complete the license transfer.
SonicWALL Upgrades
This section describes the procedures for upgrading SonicWALL appliances. This functionality includes adding nodes, content filter subscriptions, VPN functionality, VPN clients, anti-virus licenses, and more. When a SonicWALL GMS subscription service (i.e., warranty support, anti-virus, or content filtering) is about to expire, the GMS administrator will receive expiration notifications via email prior to the expiration. The email notification is sent once a day (if applicable) and lists all managed SonicWALL appliances with expiring subscription services. To upgrade SonicWALL appliances, complete the following procedures:
1. Upgrading the Node License on page 1050
2. Purchasing Upgrades on page 1050
3. Activating the Upgrades on page 1051
Upgrading the Node License
Comprehensive GMS Support (CGS) provides:
- Technical support for the GMS application
- Software updates and upgrades for GMS
- Technical support, advanced-exchange hardware replacement and firmware updates for all of the units under GMS management
Comprehensive GMS Support is sold in increments of 25, 100, and 1,000 nodes and is available in both 8X5 and 24X7 versions. The nodes can be any combination of UTM or SSL-VPN nodes. Currently CDP and SonicWALL Email Security are not included in CGS packets.
Purchasing Upgrades
To purchase upgrades, perform the following steps:
1. Contact your SonicWALL sales representative. You will receive an activation code for each upgrade that you purchase.
2. After receiving the activation codes for the SonicWALL upgrades, continue to the next section.
Activating the Upgrades
1. Click the Console tab, expand the Licenses tree and click Activation Codes. The SonicWALL Activation Codes page displays.
2. To manually add one or more activation codes, in the Activation Code (manual) field, enter a list of activation codes separated by semi-colons.
3. Click Add Activation Code(s). GMS validates the codes with the backend server and then adds them to the GMS license pool database if they are valid. The Console > Logs screen provides more information on success/failure of individual activation codes.
4. To delete activation codes, select one or more codes under the Delete Activation Codes section and click the Delete Activation Code(s) button.
5. To add a large number of activation codes from a file, type the file name into the Activation Code (file-based) field, or click Browse to select the file. Then, click Add Activation Code(s) and follow the on-screen prompts. The file can contain multiple activation codes; each line in the file has a single activation code. Once the operation is completed, the Console > Logs screen has more detailed information on the success/failure of individual activation codes that were provided in the file. A sample file is as follows, which includes four activation codes (one per line):
SBRG4827
AGTRUY56
GFKJASLJ
URI Basics section on page 1054
Settings section on page 1055
Status section on page 1056
Distributed Instances section on page 1057

URI Basics
The URI is an HTTPS string which is used to identify Web Services resources. Each URI is composed of both static and dynamic parts which differ based on each particular deployment. The following provides a typical, though not comprehensive, URI example:
https://10.0.14.150/ws/screenAttributes/0001B123C45D/1003
Here https is the protocol, and the final path segment (1003) is the dynamic screen ID.
For more information on configuring and using GMS Web Services in your deployment, download the GMS Web Services Technote at: <http://www.sonicwall.com/us/support.html>
Settings
The Settings screen allows configuration of a secure HTTPS Public URI for use with Web Services features. The public URI specified here is used to access Web Services and to ensure proper embedded cross-links between Web Services applications. To configure Web Services Settings:
1. Navigate to the Web Services > Settings screen on the GMS Console panel.
2. Choose which deployment you wish to configure from the drop-down list in the GMS Deployment section.
3. Enter the public server name and port in the Public URI section. This field is typically pre-populated during the GMS install/setup process.
4. Click the Update button to save your changes.
Status
The Status screen allows the administrator to view, enable, and disable individual Web Services across one or more GMS deployments. To view and configure Web Services status:
1. Navigate to the Web Services > Status screen on the GMS Console panel.
2. Select or deselect the Enabled checkbox for the service(s) you wish to enable or disable.
3. Click the Update button to save your changes.
The Web Services table in the Web Services > Status screen gives the following information about each Web Service:
Enabled: If selected, this feature is currently enabled.
Name: Indicates the name of the Web Service.
URI: Indicates the full URI used to access this Web Service.
Description: Provides a description of the Web Service.
Distributed Instances
The Distributed Instances screen allows the administrator to enable and configure distributed instances of GMS Web Services. The distributed instances feature is accessed through the Web Services > Distributed Instances screen in the GMS Console tab.
Current distributed instances can be viewed, edited, or deleted as follows:
Status: Green: Instance is currently online. Red: Instance is currently offline.
Serial Number: Serial number of this instance.
Name: Friendly name assigned to this instance.
Hostname: Hostname or IP address of this instance.
Port: SSL port used to communicate with this instance.
Username: Username used when accessing this instance.
Password: Password used when accessing this instance.
Edit Icon: Click to edit the properties of this instance.
Delete Icon: Click to delete this instance.
To enable distributed instances:
1. Navigate to the Web Services > Distributed Instances screen in the GMS Console tab.
2. Select the Enable distributed instances checkbox to allow this instance of GMS Web Services to interact with other instances.
3. Select the This is a central instance checkbox to designate this installation as the central management point for Web Services across a distributed environment.
To add a distributed instance:
1. Navigate to the Web Services > Distributed Instances screen in the GMS Console tab.
2. Click the Add Distributed Instance link in the Distributed Interfaces section. The Add Remote Interface window displays.
3. Enter a friendly Name for this instance.
4. Enter the Hostname / IP Address for the system.
5. Enter the HTTPS port for the system you wish to add as an instance.
6. Enter the Username you wish to use to access this system.
7. Enter the Password for the username you specified in the previous step.
8. Select the Default Domain for this instance to operate under.
9. Select the Default Scheduler to be used for this instance.
10. Click the Update button to add this instance and wait while the new instance is authenticated and verified.
Help
1. Navigate to the page where you need help.
2. If available, click the Lightbulb icon in the upper right-hand corner of the window. Tips, tutorials, and online help are displayed for this topic.
About GMS
The Console > Help > About page displays the version of GMS being run, who the GMS is licensed to, database information, and the serial number of the GMS. To access the GMS online help, click the blue help button in the top-right corner of the GMS user interface.
Part 6 Appendix
Log Viewer section on page 1066
Real-time Syslog Viewer section on page 1068
Forwarding Syslog Data to Another Syslog Server section on page 1072
Forwarding the Syslog Data to a WebTrends Server section on page 1072
Posting GMS Reporting to Another Web Server for End-User Access section on page 1073
Miscellaneous Procedures and Troubleshooting Tips section on page 1073

Log Viewer
Log Viewer
The Log Viewer contains detailed information on each transaction that occurred on the SonicWALL appliance. This information is stored for the time that you specified in the configuration settings.
Note
The Log Viewer displays raw log information for every connection. Depending on the amount of traffic, this can quickly consume a large amount of space in the database. Choose the number of days of information that will be stored with care. For more information, see Configuring Log Settings on page 933.
To configure Log Viewer settings for generating a report, perform the following steps:
1. Click the Reports tab.
2. Select a SonicWALL appliance.
3. Expand the Log Viewer tree and click Search. The Search page displays.
Figure 16 Reports > Log Viewer > Search
4. Select the date to view from the Date list box.
5. Enter the starting time of events to view in the Start Time field.
6. Select the ending date of events to view in the End Date list box.
7. Enter the ending time of events to view in the End Time field.
8. Select the type of events to view from the Message Category list box.
9. Enter the source IP address to view in the Source IP Address field. To view all IP addresses, enter All.
10. Enter the destination IP address to view in the Destination IP Address field. To view all IP addresses, enter All.
11. Select the number of entries to display per page from the Results Per Page field.
12. Click Generate Report. The Log Viewer Results page displays.
Figure 17 Log Viewer Results
Real-time Syslog Viewer
1. Click the Monitor tab, expand the Tools tree and click Real-Time Syslog. The Real-Time Syslog page appears.
2. If the Syslog Reader is not already running, click Start Syslog Reader.
3. Click the Start button at the bottom of the screen. The Syslog Viewer begins showing the latest syslog entries.
Figure 18 Syslog Viewer Entries
4. To change how many messages are displayed, select a number from the Number of Messages list box at the bottom of the screen.
5. To change how often the Syslog Viewer is refreshed, select the time from the Refresh Time list box at the bottom of the screen.
6. To stop the viewer, click the Stop button.
7. To search for text, use the browser's Find utility.
Table 20 Report Category / Report Title / Syslog Category
Up-time
  Up-time summary: GMS
  Up-time over time: GMS
(report category name not recoverable from this copy)
  Summary, Top Users, Over Time, Top Users Over Time: Network Traffic
Web Usage
  Summary, Top Sites, Top Users, By User, By Site, By Category, Over Time, Top Sites Over Time, Top Users Over Time, By Users Over Time, By Category Over Time: Network Traffic
Browse Time
  Summary, Top Users, By User, Over Time, Top Users Over Time: Network Traffic
Web Filter
  Summary, Top Sites, Top Users, By User, By Site, By Category, Over Time, Top Sites Over Time, Top Users Over Time, By Users Over Time, By Category Over Time: Blocked Websites
FTP Usage
  Summary, Top Users, Over Time: Network Traffic
Mail Usage
  Summary, Top Users, Over Time: Network Traffic
VPN Usage
  Summary, Top Users, Over Time, By Policy, By Policy Hourly, By Service, Top Users Over Time, By Policy Over Time: Network Traffic
Virus Attacks
  Summary: Attacks, Intrusion Prevention
  By Category: Attacks, Intrusion Prevention
  Errors: Dropped TCP, Dropped UDP, Dropped ICMP
  Attacks Over Time: Attacks, Intrusion Prevention
  Categories Over Time: Attacks, Intrusion Prevention
  Errors Over Time: Dropped TCP, Dropped UDP, Dropped ICMP
Anti-Spyware
  (report titles not recoverable from this copy): Attacks
Intrusion Prevention
  (report titles not recoverable from this copy): Intrusion Prevention
Authentication
  (report titles not recoverable from this copy): Authenticated Access
Forwarding Syslog Data to Another Syslog Server
1. Open the sgmsConfig.xml file with a text editor.
2. Locate the following line:
<Parameter name="syslog.forwardToHost" value="" />
3. Add the IP address or hostname of the destination syslog server to the value attribute.
4. Save the sgmsConfig.xml file and exit.
5. Ensure that at least firmware 6.3.1.0 is running on the managed SonicWALL appliances.
Note
To configure SonicWALL GMS to not store the syslog data after it has been forwarded, you must disable the GMS Reporting Module. To do this, open the GMS Settings page in the Console Panel, deselect the Enable Reporting check box, and click Update.
Forwarding the Syslog Data to a WebTrends Server
1. Open the sgmsConfig.xml file with a text editor.
2. Locate the following line:
<Parameter name="syslog.forwardToHost" value="" />
3. Add the IP address or hostname of the WebTrends syslog server to the value attribute.
4. Save the sgmsConfig.xml file and exit.
5. Ensure that at least firmware 6.3.1.0 is running on the managed SonicWALL appliances.
6. Change the syslog format in each managed SonicWALL appliance from the default format to the WebTrends format on the Log Settings page.
WebTrends cannot read the SonicWALL syslog in its default format. The default syslog format's source (src) and destination (dst) fields contain port numbers and link information (i.e., WAN, LAN, and DMZ). These prevent WebTrends from resolving the IP addresses to DNS entries and from performing HTML title lookups within the reports.
Note
The GMS Reporting Module also has problems with the WebTrends syslog format. To disable GMS Reporting, open the GMS Settings page in the Console Panel, deselect the Enable Reporting check box, and click Update.
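The value-attribute edit that both forwarding procedures above describe, as an added example that is not part of the guide: it sets syslog.forwardToHost and refuses anything that is not an IP address or hostname. It assumes the parameter is an XML <Parameter> element inside the <Configuration> root (the guide quotes the line without its markup), and SAMPLE_CONFIG is a constructed file.

```python
"""Set the syslog.forwardToHost parameter in sgmsConfig.xml (added example, not SonicWALL code)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

PARAM = "syslog.forwardToHost"
# RFC 1123 style hostname check, used when the value is not an IP address.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample configuration (assumed layout); only these parameters matter here.
SAMPLE_CONFIG = """<?xml version="1.0" ?>
<Configuration>
  <Parameter name="syslog.forwardToHost" value="" />
  <Parameter name="dbhost" value="127.0.0.1" />
</Configuration>
"""


def valid_forward_target(host):
    """Accept an IPv4/IPv6 address or a hostname; reject empty or malformed values."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(host) and len(host) <= 253 and bool(HOSTNAME_RE.match(host))


def get_parameter(xml_text, name):
    """Return the value attribute of the named <Parameter>, or None if absent."""
    root = ET.fromstring(xml_text)
    for param in root.iter("Parameter"):
        if param.get("name") == name:
            return param.get("value")
    return None


def set_forward_host(xml_text, host):
    """Return the configuration text with syslog.forwardToHost set to host.

    Only the one attribute changes; the caller writes the result back to sgmsConfig.xml.
    """
    if not valid_forward_target(host):
        raise ValueError(f"not an IP address or hostname: {host!r}")
    root = ET.fromstring(xml_text)
    for param in root.iter("Parameter"):
        if param.get("name") == PARAM:
            param.set("value", host)
            break
    else:
        raise ValueError(f"{PARAM} parameter not found in configuration")
    return '<?xml version="1.0" ?>\n' + ET.tostring(root, encoding="unicode")
```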
Miscellaneous Procedures
This section contains information on procedures that you may need to perform. Select from the following:
It is highly recommended that you regularly back up the SonicWALL GMS data. For more information, see Backing up SonicWALL GMS Data on page 1074.
SonicWALL GMS requires Mixed Mode authentication when using SQL Server 2000. To change the authentication mode, see Changing the SQL Server Authentication Mode on page 1074.
If you are reinstalling SonicWALL GMS, preserving the previous configuration settings can save a lot of time. To reinstall SonicWALL GMS using an existing SonicWALL GMS database, see Reinstalling SonicWALL GMS Using an Existing Database on page 1075.
If you need to uninstall SonicWALL GMS from a server, it is important to do it correctly. To uninstall SonicWALL GMS, see Uninstalling SonicWALL GMS and Its Database on page 1075.
Backing up SonicWALL GMS Data
It is also recommended to regularly back up the entire contents of the SonicWALL GMS directory, including the sgmsConfig.xml file.
Changing the SQL Server Authentication Mode
1. Start the Microsoft SQL Server Enterprise Manager.
2. Right-click the appropriate SQL Server Group and select Properties from the pop-up menu.
3. Click the Security tab.
4. Change the Authentication mode from Windows only to SQL Server and Windows.
5. Click OK.
Reinstalling SonicWALL GMS Using an Existing Database
1. Install a new database, using the same username and password that you used for the existing SonicWALL GMS database.
2. Install SonicWALL GMS using this new database.
3. Stop all SonicWALL GMS services.
4. Open the sgmsConfig.xml and web.xml files with a text editor.
5. Change the values for the dbhost and dburl parameters to match the existing SonicWALL GMS database.
6. Restart the SonicWALL GMS services.
7. Uninstall the new database.
Uninstalling SonicWALL GMS and Its Database
To uninstall SonicWALL GMS on the Windows platform, see Windows on page 1075. To uninstall SonicWALL GMS databases from Microsoft SQL Server 2000, see MS SQL Server 2000 on page 1076.
Windows
To uninstall SonicWALL GMS from a Windows system, follow these steps:
1. Click Start, point to Settings, and click Control Panel.
2. Double-click Add/Remove Programs. The Add/Remove Programs Properties window displays.
3. Select SonicWALL Universal Management Suite and click Change/Remove. The SonicWALL Universal Management Suite Uninstall program starts.
4. Follow the on-screen prompts.
5. Restart the system. SonicWALL GMS is uninstalled.
MS SQL Server 2000
Or you can use the MS SQL Server's Enterprise Manager and delete the SGMSDB and sgmsvp_ databases.
Troubleshooting Tips
This section contains SonicWALL GMS troubleshooting tips.
1. Stop all SonicWALL GMS services.
2. Change the GMS Scheduler service status to manual mode (Windows only).
3. If you are using MS SQL Server, execute the following SQL command from a DOS window:
osql -U <userid> -P <password> -Q "update sgmsdb.dbo.schedulers set ipAddress = 'new ip' where ipAddress = 'old ip'"
4. Change the GMS Scheduler service status to Automatic mode (Windows only).
5. Restart all SonicWALL GMS services.
1. Open the sgmsConfig.xml file with a text editor.
2. Add the following line to the end of the file before the </Configuration> section:

1. Open the Windows Control Panel.
2. Double-click on the Java icon.
3. Click the Java tab.
4. Select the View button at the top of the dialog box, under Java Applet Runtime Settings.
5. Record the default directory for your JRE plugin. The default directory is the first instance listed in the Location column.
6. Navigate to the \lib\security folder within your default JRE plugin directory.
7. Open the java.policy file using a text editor, for example, WordPad.
8. At the end of the file, paste the following text:
grant {
  permission java.net.SocketPermission "*","connect,resolve";
  permission java.net.NetPermission "getCookieHandler";
  permission java.net.NetPermission "setCookieHandler";
  permission java.io.FilePermission "<<ALL FILES>>","read, write, delete,execute";
  permission java.util.PropertyPermission "user.home","read, write";
  permission java.util.PropertyPermission "user.dir","read, write";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
  permission java.awt.AWTPermission "accessClipboard", "write";
};
9.
Tip
The Java Plug-in is automatically installed during the SonicWALL GMS installation. However, you can manually install the Java Plug-in by following these steps.
1. Execute the application C:\SGMS4\etc\jre-1_6-windows-i586-p.exe.
2. Select the radio button next to Accept the Terms of the License Agreement.
3. Click Next.
4. Select the radio button next to Typical installation and click Next. It may take several minutes for the Java Plug-in to install.
5. In the Installation Complete window, click Finish.
Accessing the CLI section on page 1080
CLI Commands section on page 1081
Configuring SonicWALL Parameters section on page 1105
Modifying SonicWALL Parameters section on page 1109
Configuration Parameters section on page 1112
Accessing the CLI
1. Open the command-line prompt.
2. Change to the following directory: sonicwall_directory\cli, where sonicwall_directory is the location where SonicWALL GMS is installed.
3. Enter one of the following commands: For Windows NT, enter: sgms
4. Perform any of the commands described in CLI Commands on page 1081.
5. To exit from the SonicWALL GMS CLI, enter the following command: sgms> quit
The default port for the CLI service is 5555. Ensure that this port is open on your perimeter firewall or UTM device in order for a connection to be established. This port is configurable in the <gmsvp>/CLI/cliserver/liserver.properties file.
To access the CLI from a remote client system:
1. Unzip and install the CLIClient.zip bundle on the client system. This file is found inside the CLI directory on your GMS or ViewPoint system.
2. On the client system, run the remote client from a command prompt.
3. Enter the network configuration information for your remote server as prompted.
Note
On the client system, verify that the JAVA_HOME environment variable is set to the JRE/JDK install directory.
4. Perform any commands as you would using a local CLI prompt. These commands are described in CLI Commands on page 1081.
5. To exit from the SonicWALL GMS CLI, enter the following command: sgms> quit
CLI Commands
This section provides both syntax and usage guidelines for common GMS CLI commands. This section contains the following sub-sections:
Logging In section on page 1082
Logging Out section on page 1082
Executing a Command without Logging In section on page 1083
Adding SonicWALL Appliances section on page 1084
Adding Users section on page 1088
Changing Users section on page 1092
Deleting a Single User section on page 1095
Deleting Multiple Users section on page 1096
Adding and Removing Activation Codes section on page 1097
Deleting Nodes Using XML section on page 1101
Monitoring Tunnel Status section on page 1102
Monitoring Tunnel Statistics section on page 1103
Refreshing a Tunnel section on page 1104
Renegotiating a Tunnel section on page 1104
Synchronizing Tunnel Information section on page 1104
Logging In
To log in to the SonicWALL GMS CLI, use the login command:
sgms> login username password
Syntax
Table 1:
username: Admin user.
password: Password of the admin user.
Usage Guidelines
When this command is entered, SonicWALL GMS does the following:
Checks the validity of the username and password.
Executes the login command.
Creates a new session with a randomly generated session ID.
Returns any command output.
Example
In the following example, the user admin logs in using the password password.
sgms> login admin password
Logging Out
To log out from the SonicWALL GMS CLI, use the logout command.
sgms> logout
Usage Guidelines
When this command is entered, SonicWALL GMS does the following:
Executes the logout command.
Closes the session.
Returns to the SGMS prompt, from which you can log in again.
Executing a Command without Logging In
Syntax
Table 2:
username: Admin user.
password: Password of the admin user.
command: The command.
parameters: Any command parameters.
Usage Guidelines
When this command is entered, SonicWALL GMS does the following:
Checks the validity of the username and password.
Executes the login command.
Creates a new session with a randomly generated session ID.
Executes the command.
Closes the session and exits.
Example
In the following example, the user admin logs in using the password password and runs an addunit command.
sgms>
Adding SonicWALL Appliances
To add SonicWALL appliances, use the addunit command:
sgms> addunit xml_file
Syntax
Table 3:
xml_file: XML file that describes the appliances to add (see Usage Guidelines).
Usage Guidelines
The XML file should contain the following:
<?xml version="1.0" ?>
<sgmscommand>
  <command>addUnit</command>
  <FirewallList>
    <FirewallInfo>
      <sonicwallName>sonicwall_name</sonicwallName>
      <sonicwallPassword>password</sonicwallPassword>
      <ipAddress>ip_address</ipAddress>
      <serialNumber>serial_number</serialNumber>
      <SAencryptionKey>encrypt_key</SAencryptionKey>
      <SAAuthKey>auth_key</SAAuthKey>
      <antivirusPassword>av_password</antivirusPassword>
      <schedulerIPAddress>scheduler_ip</schedulerIPAddress>
      <standbySchedulerIP>standby_ip</standbySchedulerIP>
      <useVPN>use_vpn</useVPN>
      <supportRavlin>ravlin_bit</supportRavlin>
      <snmpRead>read_string</snmpRead>
      <snmpWrite>write_string</snmpWrite>
      <httpsMgmt>https_bit</httpsMgmt>
      <managedOnLanIP>managedon_lanip</managedOnLanIP>
      <standbyManagedAtWan>standbymanaged_atwan</standbyManagedAtWan>
      <CustomInfo>
        <Customfield01>field_01</Customfield01>
        <Customfield02>field_02</Customfield02>
        ...
        <Customfield10>field_10</Customfield10>
      </CustomInfo>
      <userList>
        <user>user_01</user>
        ...
      </userList>
    </FirewallInfo>
    <FirewallInfo>
      (SonicWALL Configuration Information)
    </FirewallInfo>
  </FirewallList>
</sgmscommand>
Table 4:
sonicwall_name: Required. Descriptive name for the SonicWALL appliance.
password: Required. Password used to access the SonicWALL appliance.
ip_address: If the WAN IP address of the SonicWALL appliance is static, enter the IP address. If the WAN IP address of the SonicWALL appliance changes dynamically, leave this field blank.
serial_number: Required. Serial number of the SonicWALL appliance.
encrypt_key: Required. Enter a 16-character encryption key. The key must be exactly 16 characters long and comprised of hexadecimal characters. Valid hexadecimal characters are 0 to 9, and a to f (i.e., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef. This key must match the encryption key of the SonicWALL appliance.
auth_key: Required. Enter a 32-character authentication key. The key must be exactly 32 characters long and comprised of hexadecimal characters. For example, a valid key would be 1234567890abcdef1234567890abcdef. This key must match the authentication key of the SonicWALL appliance.
av_password: If the SonicWALL appliance uses the Anti-Virus feature, enter the Anti-Virus password. Otherwise, leave the field blank.
scheduler_ip: Required. Enter the IP address of the SonicWALL GMS server that will manage the SonicWALL appliance. If SonicWALL GMS is configured in a two-tier distributed environment, you can select any Agent. However, the IP address must match the IP address that you specified when configuring the SonicWALL appliance for SonicWALL GMS management. If SonicWALL GMS is in a single server environment, enter the IP address of the SonicWALL GMS server.
standby_ip: Enter the IP address of the standby SonicWALL GMS server. The standby SonicWALL GMS server will automatically manage the SonicWALL appliance in the event of a primary failure. Any Agent can be configured as the standby. If SonicWALL GMS is in a single server environment, leave this field blank.
use_vpn: Specifies whether SonicWALL GMS will need a VPN tunnel to reach the SonicWALL appliance (default: yes). If yes, enter use_vpn. If no, leave it blank.
ravlin_bit: Specifies whether this is a Ravlin device (default: no). If yes, enter 1. If no, enter 0. If this entry does not appear in the file, SonicWALL GMS assumes it is a SonicWALL appliance.
read_string: Specifies the SNMP read string for Ravlin devices.
write_string: Specifies the SNMP write string for Ravlin devices.
https_bit: Specifies whether this device uses HTTPS instead of a VPN tunnel (default: no). If yes, enter 1. If no, enter 0.
managedon_lanip: Specifies that the device will be managed from the LAN interface. If you will use HTTPS, this setting must be enabled.
standbymanaged_atwan: Specifies whether the SonicWALL appliance will establish a VPN tunnel to the standby scheduler (default: yes). If yes, enter standbymanaged_atwan. If no, leave it blank.
field_01...field_10: Specifies the values of each custom field.
user_01...: Specifies the usernames of non-administrator SonicWALL GMS users that have access to this SonicWALL appliance through the SonicWALL GMS UI.
Example
In the following example, two new SonicWALL appliances are added to SonicWALL GMS:
sgms> addunit new_sonicwall.xml
<SAuthKey>12345678123456781234567812345678</SAuthKey>
<antivirusPassword>avpass</antivirusPassword>
<schedulerIPAddress>192.168.168.168</schedulerIPAddress>
<useVPN>1</useVPN>
<standbyManagedAtWan>1</standbyManagedAtWan>
<standbySchedulerIP>192.168.168.23</standbySchedulerIP>
<supportRavlin>1</supportRavlin>
<snmpRead>abcdef12</snmpRead>
<snmpWrite>abcdef12</snmpWrite>
<httpsMgmt>0</httpsMgmt>
<manageOnLanIP>0</manageOnLanIP>
<CustomInfo>
  <Company>SonicWAll</Company>
  <Country>China</Country>
  <State>California</State>
  <Department>Engineering</Department>
</CustomInfo>
<userList>
  <user>billb</user>
  <user>dana</user>
</userList>
</FirewallInfo>
<FirewallInfo>
  <sonicwallName>XYZ26</sonicwallName>
  <sonicwallPassword>abc</sonicwallPassword>
  <ipAddress></ipAddress>
  <serialNumber>00F1434CE265</serialNumber>
  <SAencryptionKey>1234567812345678</SAencryptionKey>
  <SAuthKey>123456781234567812345678abcdef89</SAuthKey>
  <antivirusPassword></antivirusPassword>
  <schedulerIPAddress>192.168.168.168</schedulerIPAddress>
  <useVPN>1</useVPN>
  <standbyManagedAtWan>1</standbyManagedAtWan>
  <standbySchedulerIP>192.168.168.23</standbySchedulerIP>
  <httpsMgmt>0</httpsMgmt>
  <manageOnLanIP>0</manageOnLanIP>
  <CustomInfo>
    <Company>SonicWAll</Company>
    <Country>China</Country>
    <State>California</State>
    <Department>Engineering</Department>
  </CustomInfo>
</FirewallInfo>
</FirewallList>
</sgmscommand>
Note
A sample of this file, sample_nodes.xml, is located in the Misc directory on the SonicWALL GMS CD-ROM.
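A builder and validator for the addunit file described in the Usage Guidelines and Table 4 above, as an added example that is not SonicWALL code: it enforces the key-length and required-field rules before anything reaches the CLI, reads an existing file back for review, and writes the file owner-only because it carries appliance passwords and SA keys. Element names follow the template above (the guide's sample file spells two of them SAuthKey and manageOnLanIP; which spelling the product accepts is not settled by the page), and SAMPLE_UNIT is a constructed record.

```python
"""Validate, serialize and parse the addUnit XML used by `sgms> addunit xml_file` (added example)."""
import os
import re
import xml.etree.ElementTree as ET

HEX = re.compile(r"^[0-9a-f]+$")
REQUIRED = ("name", "password", "serial_number", "encrypt_key", "auth_key", "scheduler_ip")

# (element name from the guide's template, record key from Table 4), in template order.
FIELDS = [
    ("sonicwallName", "name"), ("sonicwallPassword", "password"),
    ("ipAddress", "ip_address"), ("serialNumber", "serial_number"),
    ("SAencryptionKey", "encrypt_key"), ("SAAuthKey", "auth_key"),
    ("antivirusPassword", "av_password"), ("schedulerIPAddress", "scheduler_ip"),
    ("standbySchedulerIP", "standby_ip"), ("useVPN", "use_vpn"),
    ("supportRavlin", "ravlin_bit"), ("snmpRead", "read_string"),
    ("snmpWrite", "write_string"), ("httpsMgmt", "https_bit"),
    ("managedOnLanIP", "managedon_lanip"), ("standbyManagedAtWan", "standbymanaged_atwan"),
]

# Constructed sample record; the serial number, keys and addresses are placeholders.
SAMPLE_UNIT = {
    "name": "Branch-FW-01", "password": "example-only", "ip_address": "",
    "serial_number": "0006B1000001", "encrypt_key": "1234567890abcdef",
    "auth_key": "1234567890abcdef1234567890abcdef", "scheduler_ip": "192.168.168.168",
    "standby_ip": "192.168.168.23", "use_vpn": "1", "ravlin_bit": "0",
    "https_bit": "0", "managedon_lanip": "0", "standbymanaged_atwan": "1",
    "custom": ["Example Co", "US"], "users": ["billb"],
}


def validate_unit(unit):
    """Return the Table 4 rules this record violates (empty list when it is acceptable)."""
    errors = [f"{key} is required" for key in REQUIRED if not unit.get(key)]
    ek, ak = unit.get("encrypt_key", ""), unit.get("auth_key", "")
    if ek and not (len(ek) == 16 and HEX.match(ek)):
        errors.append("encrypt_key must be exactly 16 hexadecimal characters (0-9, a-f)")
    if ak and not (len(ak) == 32 and HEX.match(ak)):
        errors.append("auth_key must be exactly 32 hexadecimal characters (0-9, a-f)")
    # Table 4: HTTPS management requires the LAN-interface management setting.
    if unit.get("https_bit") == "1" and unit.get("managedon_lanip") != "1":
        errors.append("HTTPS management requires managedon_lanip to be enabled")
    return errors


def build_addunit_xml(units):
    """Serialize records into the <sgmscommand> document; refuses any record that fails validation."""
    root = ET.Element("sgmscommand")
    ET.SubElement(root, "command").text = "addUnit"
    fw_list = ET.SubElement(root, "FirewallList")
    for unit in units:
        problems = validate_unit(unit)
        if problems:
            raise ValueError(f"{unit.get('name') or '<unnamed>'}: " + "; ".join(problems))
        info = ET.SubElement(fw_list, "FirewallInfo")
        for tag, key in FIELDS:
            ET.SubElement(info, tag).text = unit.get(key, "")
        custom = ET.SubElement(info, "CustomInfo")
        for i, value in enumerate(unit.get("custom", [])[:10], start=1):
            ET.SubElement(custom, f"Customfield{i:02d}").text = value
        if unit.get("users"):
            user_list = ET.SubElement(info, "userList")
            for user in unit["users"]:
                ET.SubElement(user_list, "user").text = user
    return '<?xml version="1.0" ?>\n' + ET.tostring(root, encoding="unicode")


def parse_addunit_xml(xml_text):
    """Read an addunit file back into records, e.g. to re-validate one written by hand."""
    lookup = dict(FIELDS)
    units = []
    for info in ET.fromstring(xml_text).iter("FirewallInfo"):
        unit = {lookup[child.tag]: (child.text or "") for child in info if child.tag in lookup}
        custom = info.find("CustomInfo")
        unit["custom"] = [c.text or "" for c in (custom if custom is not None else [])]
        unit["users"] = [u.text or "" for u in info.iterfind("userList/user")]
        units.append(unit)
    return units


def write_addunit_file(path, units):
    """Write the file with owner-only permissions: it contains appliance passwords and SA keys."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(build_addunit_xml(units))
    return path
```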
Adding Users
To add users, use the addusers command.
sgms> addusers xml_file
Syntax
Table 5:
xml_file: XML file that describes the users to add (see Usage Guidelines).
Usage Guidelines
The XML file should contain the following:
<?xml version="1.0" ?>
<Sgmscommand>
  <AddUsers>
    <AddUser>
      <UserAccountInfo>
        <Name>username</Name>
        <Password>password</Password>
        <UserTypeName>group</UserTypeName>
        <DefaultViewName>viewname</DefaultViewName>
        <FirstName>firstname</FirstName>
        <MiddleName>middlename</MiddleName>
        <LastName>lastname</LastName>
        <Phone>phone</Phone>
        <Fax>fax</Fax>
        <Email1>email</Email1>
        <Email2>email2</Email2>
        <Timeout>timeout_period</Timeout>
      </UserAccountInfo>
      <UserPermsInfo>
        <UserScreenList>
          <UserScreen pathname="screenpath" permtype="permission_type"></UserScreen>
        </UserScreenList>
        <UserNodeList>
          <UserNode displayname="node" viewname="viewname" operationtype="optype"></UserNode>
        </UserNodeList>
        <UserActionList>
          <AddUnit>permission</AddUnit>
          <ModifyUnit>permission</ModifyUnit>
          <DeleteUnit>permission</DeleteUnit>
          <RenameUnit>permission</RenameUnit>
          <ModifyProperties>permission</ModifyProperties>
          <ReassignAgents>permission</ReassignAgents>
          <AddDeleteModifyView>permission</AddDeleteModifyView>
          <ChangeView>permission</ChangeView>
          <AllowCLI>permission</AllowCLI>
        </UserActionList>
      </UserPermsInfo>
    </AddUser>
  </AddUsers>
</Sgmscommand>
Table 6:
UserAccountInfo: User account options include:
Name: username of the user.
Password: password of the user.
UserTypeName: user group to which the user belongs.
DefaultViewName: default view for the user.
FirstName: first name of the user.
MiddleName: middle name of the user.
LastName: last name of the user.
Phone: phone number of the user.
Fax: fax number of the user.
Email1: email address of the user.
Email2: email address of the user.
Timeout: idle-timeout setting for the user.
UserPermsInfo: User permissions information includes:
UserScreenList
pathname: path to a screen. For example: Console/Management/Users or Policies/Access/General.
permtype: permissions for the screen. Options include: Read Only and Read/Write.
UserNodeList
displayname: name of the node.
viewname: view in which the node appears.
UserActionList
AddUnit: specifies whether the user can add units (allow or deny).
ModifyUnit: specifies whether the user can modify units (allow or deny).
DeleteUnit: specifies whether the user can delete units (allow or deny).
RenameUnit: specifies whether the user can rename units (allow or deny).
ModifyProperties: specifies whether the user can modify unit properties (allow or deny).
ReassignAgents: specifies whether the user can reassign units to other agents (allow or deny).
AddDeleteModifyView: specifies whether the user can add, delete, or modify views (allow or deny).
ChangeView: specifies whether the user can change views (allow or deny).
AllowCLI: specifies whether the user can use the CLI (allow or deny).
Example
In the following example, the user Linda is added:
sgms> addusers linda.xml
Changing Users
To change user settings, use the changeusers command. This command is similar to the addusers command.
sgms> changeusers xml_file
Syntax
Table 7:
xml_file: XML file that describes the users to change (see Usage Guidelines).
Usage Guidelines
The XML file can contain the following:
<?xml version="1.0" ?>
<Sgmscommand>
  <AddUsers>
    <AddUser>
      <UserAccountInfo>
        <Name>username</Name>
        <Password>password</Password>
        <UserTypeName>group</UserTypeName>
        <DefaultViewName>viewname</DefaultViewName>
        <FirstName>firstname</FirstName>
        <MiddleName>middlename</MiddleName>
        <LastName>lastname</LastName>
        <Phone>phone</Phone>
        <Fax>fax</Fax>
        <Email1>email</Email1>
        <Email2>email2</Email2>
        <Timeout>timeout_period</Timeout>
      </UserAccountInfo>
      <UserPermsInfo>
        <UserScreenList>
          <UserScreen pathname="screenpath" permtype="permission_type"></UserScreen>
        </UserScreenList>
        <UserNodeList>
          <UserNode displayname="node" viewname="viewname" operationtype="optype"></UserNode>
        </UserNodeList>
        <UserActionList>
          <AddUnit>permission</AddUnit>
          <ModifyUnit>permission</ModifyUnit>
          <DeleteUnit>permission</DeleteUnit>
          <RenameUnit>permission</RenameUnit>
          <ModifyProperties>permission</ModifyProperties>
          <ReassignAgents>permission</ReassignAgents>
          <AddDeleteModifyView>permission</AddDeleteModifyView>
          <ChangeView>permission</ChangeView>
          <AllowCLI>permission</AllowCLI>
        </UserActionList>
      </UserPermsInfo>
    </AddUser>
  </AddUsers>
</Sgmscommand>
Table 8:
UserAccountInfo: User account options include:
Name: username of the user.
Password: password of the user.
UserTypeName: user group to which the user belongs.
DefaultViewName: default view for the user.
FirstName: first name of the user.
MiddleName: middle name of the user.
LastName: last name of the user.
Phone: phone number of the user.
Fax: fax number of the user.
Email1: email address of the user.
Email2: email address of the user.
Timeout: idle-timeout setting for the user.
UserPermsInfo: User permissions information includes:
UserScreenList
pathname: path to a screen. For example: Console/Management/Users or Policies/Access/General.
permtype: permissions for the screen. Options include: Read Only and Read/Write.
UserNodeList
displayname: name of the node.
viewname: view in which the node appears.
UserActionList
AddUnit: specifies whether the user can add units (allow or deny).
ModifyUnit: specifies whether the user can modify units (allow or deny).
DeleteUnit: specifies whether the user can delete units (allow or deny).
RenameUnit: specifies whether the user can rename units (allow or deny).
ModifyProperties: specifies whether the user can modify unit properties (allow or deny).
ReassignAgents: specifies whether the user can reassign units to other agents (allow or deny).
AddDeleteModifyView: specifies whether the user can add, delete, or modify views (allow or deny).
ChangeView: specifies whether the user can change views (allow or deny).
AllowCLI: specifies whether the user can use the CLI (allow or deny).
Example
In the following example, new information is updated for the users Linda and Mike:
sgms> changeusers linda.xml
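A generator for the addusers and changeusers files described above, as an added example that is not SonicWALL code: every UserActionList entry that is not explicitly granted is written as deny, so a hand-edited file cannot silently leave AllowCLI or DeleteUnit open, and a read-back helper lists the sensitive actions a file grants before it is applied. Element names follow the template and Tables 6 and 8; the operationtype value is a placeholder, since the guide does not list its values, and SAMPLE_USER is a constructed record.

```python
"""Build addusers/changeusers XML with deny-by-default action permissions (added example)."""
import xml.etree.ElementTree as ET

ACTIONS = ("AddUnit", "ModifyUnit", "DeleteUnit", "RenameUnit", "ModifyProperties",
           "ReassignAgents", "AddDeleteModifyView", "ChangeView", "AllowCLI")
ACCOUNT_FIELDS = ("Name", "Password", "UserTypeName", "DefaultViewName", "FirstName",
                  "MiddleName", "LastName", "Phone", "Fax", "Email1", "Email2", "Timeout")
SENSITIVE = ("AllowCLI", "DeleteUnit", "ReassignAgents", "AddDeleteModifyView")

# Constructed sample record. Screen paths use the Console/... form the guide shows;
# "optype" is a placeholder because the guide does not list operationtype values.
SAMPLE_USER = {
    "Name": "linda", "Password": "change-on-first-login", "UserTypeName": "Operators",
    "DefaultViewName": "GlobalView", "FirstName": "Linda", "LastName": "Ng",
    "Email1": "linda@example.com", "Timeout": "15",
    "screens": [("Console/Management/Users", "Read Only"),
                ("Policies/Access/General", "Read/Write")],
    "nodes": [("Branch-FW-01", "GlobalView", "optype")],
    "allow": {"ChangeView"},          # everything else in ACTIONS becomes deny
}


def build_users_xml(users):
    """Serialize user records; actions absent from a record's "allow" set are written as deny."""
    root = ET.Element("Sgmscommand")
    add_users = ET.SubElement(root, "AddUsers")
    for user in users:
        allow = set(user.get("allow", ()))
        unknown = allow - set(ACTIONS)
        if unknown:
            raise ValueError(f"unknown actions for {user.get('Name')}: {sorted(unknown)}")
        add_user = ET.SubElement(add_users, "AddUser")
        account = ET.SubElement(add_user, "UserAccountInfo")
        for tag in ACCOUNT_FIELDS:
            ET.SubElement(account, tag).text = user.get(tag, "")
        perms = ET.SubElement(add_user, "UserPermsInfo")
        screens = ET.SubElement(perms, "UserScreenList")
        for path, permtype in user.get("screens", []):
            ET.SubElement(screens, "UserScreen", pathname=path, permtype=permtype)
        nodes = ET.SubElement(perms, "UserNodeList")
        for name, view, optype in user.get("nodes", []):
            ET.SubElement(nodes, "UserNode", displayname=name, viewname=view,
                          operationtype=optype)
        actions = ET.SubElement(perms, "UserActionList")
        for action in ACTIONS:
            ET.SubElement(actions, action).text = "allow" if action in allow else "deny"
    return '<?xml version="1.0" ?>\n' + ET.tostring(root, encoding="unicode")


def action_permissions(xml_text, username):
    """Read back the UserActionList for one user as {action: "allow"|"deny"}, or None."""
    root = ET.fromstring(xml_text)
    for add_user in root.iter("AddUser"):
        if add_user.findtext("UserAccountInfo/Name") == username:
            return {a.tag: a.text for a in add_user.find("UserPermsInfo/UserActionList")}
    return None


def sensitive_grants(xml_text, username):
    """List the sensitive actions a file grants to the user; review before running the command."""
    perms = action_permissions(xml_text, username) or {}
    return sorted(a for a in SENSITIVE if perms.get(a) == "allow")
```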
Deleting a Single User
To delete a single user, use the deleteuser command:
sgms> deleteuser username
Syntax
Table 9:
username: Name of a user.
Example
In the following example, the user linda is deleted:
sgms> deleteuser linda
Deleting Multiple Users
To delete multiple users, use the deleteusers command:
sgms> deleteusers xml_file
Syntax
Table 10:
xml_file: XML file that lists the users to delete (see Usage Guidelines).
Usage Guidelines
The XML file should contain the following:
<?xml version="1.0" ?>
<Sgmscommand>
  <DeleteUsers>
    <DeleteUser username="username"></DeleteUser>
    <DeleteUser username="username"></DeleteUser>
  </DeleteUsers>
</Sgmscommand>
Table 11:
username: Name of a user to delete.
Example
In the following example, the users John, Linda, and Albert are deleted:
sgms> deleteusers deleteusers.xml
Adding and Removing Activation Codes
To add, delete, or list activation codes, use the activationcode command:
sgms> activationcode xml_file
Syntax
Table 12:
xml_file: XML file that describes the activation code operation (see Usage Guidelines).
Usage Guidelines
The XML file should contain the following:
<?xml version="1.0" ?>
<Sgmscommand>
  <Activation>command_type</Activation>
  <Activation_values>
    <Activation_category>category</Activation_category>
    <Activation_type>activation_type</Activation_type>
  </Activation_values>
  <Codes>
    <Code>code</Code>
    <Code>code</Code>
  </Codes>
</Sgmscommand>
Table 13:
command_type: Required. Specifies the action to perform. Options include: add (adds the specified category and type), delete (deletes the specified activation codes), and list (lists the activation codes for the specified category and type). To add activation codes, enter add. To remove codes, enter delete.
category: Required for add and list. Enter the category of upgrade. Options include: Anti-Virus, Content Filter Subscription, PKI End User Certificate, Node Upgrade, PKI Administrator Certificate, VPN Upgrade, VPN Client Upgrade, HA Upgrade.
activation_type: Required for add and list. Enter the type of upgrade for the selected category. Options include:
Anti-Virus
5 Nodes, 10 Nodes, 50 Nodes, 100 Nodes, 1000 Nodes
5 Nodes, 10 Nodes, 50 Nodes, Unlimited Nodes
1 Node, 10 Nodes, 50 Nodes, 100 Nodes
10->25 Nodes, 10->50 Nodes, 10->Unlimited Nodes, 25->50 Nodes, 50->Unlimited Nodes
SOHO2/SOHO3, GX 2500/GX 2500 HA Backup, GX 6500/GX6500 HA Backup, XPRS/XPRS2/PRO 100, PRO/PRO-VX/PRO 200/PRO 300, TELE2/TELE3
Node Upgrade
VPN Upgrade
5/10/25/50 Nodes, Unlimited Nodes
Single VPN Client, 10 VPN Clients, 100 VPN Clients, 50 VPN Clients
PRO/PRO 200
HA Upgrade
code: Required for add and delete. One or more code numbers. Each code number must appear on its own line.
Example
In the following example, four 100 Node Anti-Virus activation codes are added to SonicWALL GMS:
sgms> activationcode new_virus_codes.xml
Note
A sample of the file is available on the SonicWALL GMS CD-ROM. It is called sample_activationcode.xml and is located in the Misc directory. Start from that file so that the element names match what the command expects.
Syntax
Table 14:
  displayname    Required. Specifies the name of the node.
  viewname       Required. Specifies the name of a view in which the node appears.
  {0 | 1}        Specifies whether the node's SAs are deleted. To delete the SAs, enter 1. To save the SAs, enter 0.
Example
In the following example, the node Timbuktu52 and its SAs are deleted.
sgms>
deletenodes xml_file
Syntax
Table 15:
  xml_file    XML file that lists the nodes to delete.
Usage Guidelines
The XML file should contain the following:
<?xml version="1.0"?>
<Sgmscommand>
  <DeleteNodes>
    <DeleteNode displayname="displayname" viewname="viewname" deleteSAs="0" />
  </DeleteNodes>
</Sgmscommand>
Table 16:
  displayname    Required. Specifies the name of the node. If you specify group parameters, all nodes that belong to the groups will be deleted.
  viewname       Required. Specifies the name of a view in which the node appears.
  deleteSAs      Specifies whether the node's SAs are deleted. To delete the SAs, enter 1. To save the SAs, enter 0.
Example
In the following example, Palo Alto 4 and all nodes within the specified groups are deleted:
sgms> deletenodes node-delete.xml
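Command files such as the ones above are often generated by scripts from user lists or inventories, and assembling them by string concatenation is the mistake to avoid: a username or display name that carries a quote or an angle bracket rewrites the document and changes which accounts or nodes the command deletes. The following Python is an added example and not SonicWALL code. It builds DeleteUsers and DeleteNodes files with ElementTree, which escapes attribute values, shows the naive builder beside it, and reads a file back to list exactly what it would delete. Element and attribute names follow the two usage guidelines above; the parse-back check is this example's own safeguard, not a GMS feature.

```python
"""Build and read SonicWALL GMS Sgmscommand files for deleteusers/deletenodes.

Added example (not SonicWALL code). Element and attribute names follow the
usage guidelines for deleteusers and deletenodes; the parse-back check is
this example's own safeguard, not a GMS feature.
"""
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0"?>\n'


def build_delete_users(usernames):
    """Return a DeleteUsers command file. ElementTree escapes quotes, '<'
    and '&' inside attribute values, so a username can never close the
    attribute early or smuggle in extra elements. ElementTree writes the
    empty element as <DeleteUser ... />, which is equivalent XML."""
    root = ET.Element("Sgmscommand")
    block = ET.SubElement(root, "DeleteUsers")
    for name in usernames:
        ET.SubElement(block, "DeleteUser", username=name)
    return XML_DECL + ET.tostring(root, encoding="unicode")


def build_delete_users_naive(usernames):
    """The pattern to avoid: string formatting with no escaping. Kept here
    only so the parse-back below can show what a crafted username does."""
    items = "".join(
        f'<DeleteUser username="{name}"></DeleteUser>' for name in usernames)
    return f"{XML_DECL}<Sgmscommand><DeleteUsers>{items}</DeleteUsers></Sgmscommand>"


def build_delete_nodes(nodes, delete_sas=False):
    """nodes: iterable of (displayname, viewname) pairs. deleteSAs is "1"
    to delete the node's SAs or "0" to keep them, as in the deletenodes
    usage guidelines."""
    root = ET.Element("Sgmscommand")
    block = ET.SubElement(root, "DeleteNodes")
    flag = "1" if delete_sas else "0"
    for displayname, viewname in nodes:
        ET.SubElement(block, "DeleteNode", displayname=displayname,
                      viewname=viewname, deleteSAs=flag)
    return XML_DECL + ET.tostring(root, encoding="unicode")


def parse_targets(xml_text):
    """Return [(element_name, attributes)] for every DeleteUser/DeleteNode
    in the file: review this list before running the command."""
    root = ET.fromstring(xml_text)
    if root.tag != "Sgmscommand":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return [(elem.tag, dict(elem.attrib))
            for elem in root.iter() if elem.tag in ("DeleteUser", "DeleteNode")]


if __name__ == "__main__":
    # Constructed input: one ordinary name and one crafted to inject a
    # second DeleteUser element into a concatenated document.
    crafted = 'linda"></DeleteUser><DeleteUser username="admin'
    print(build_delete_users(["mike", crafted]))
    for _tag, attrs in parse_targets(build_delete_users_naive(["mike", crafted])):
        print("naive builder would delete:", attrs["username"])
```

With the crafted name, the safe builder produces one DeleteUser whose username is the whole odd string, while the naive builder produces three DeleteUser elements, the last of them for admin.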
vpnmonitor status firewall-sn [{down | all}]
Syntax
Table 17:
  firewall-sn    Serial number of the SonicWALL appliance.
  down
  all
Usage Guidelines
This command displays the first five VPN tunnels of the SonicWALL appliance. If the appliance has more than five tunnels, enter the vpnmonitor N command to display the next page of results.
Example
In the following example, the status of each VPN tunnel for the SonicWALL appliance with serial number 004010126FB0 is displayed:
sgms> vpnmonitor status 004010126FB0
----------------------------------------------------------------------------
SA NAME: GroupVPN
LAST UPDATED: Mar 22, 2004 Mon [11:49 AM]
Tunnel ID                       Status    Destination Address Range
MT107998499199600B0D01FDBF8     Down      0.0.0.0 - 0.0.0.0
----------------------------------------------------------------------------
SA NAME: SGMS-0006B1040148
LAST UPDATED: Mar 22, 2004 Mon [11:49 AM]
Tunnel ID                       Status    Destination Address Range
MT107998499489000B0D01FDBF8     Up        10.0.14.43 - 10.0.14.43
----------------------------------------------------------------------------
SA NAME: SGMS-0006B1044046
LAST UPDATED: Mar 22, 2004 Mon [11:49 AM]
Tunnel ID                       Status    Destination Address Range
MT107998499529000B0D01FDBF8     Up        10.0.14.44 - 10.0.14.44
----------------------------------------------------------------------------
SA NAME: SGMS-00401012550C
LAST UPDATED: Mar 22, 2004 Mon [11:49 AM]
Tunnel ID                       Status    Destination Address Range
MT107998499428900B0D01FDBF8     Up        10.0.14.45 - 10.0.14.45
----------------------------------------------------------------------------
Displayed 0 to 4 of 4 rows.
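The status listing is what an operator would poll to catch a tunnel that has dropped. The following Python is an added example, not SonicWALL code: it parses output in the layout shown above into one record per tunnel, flags Down tunnels, and reads the "Displayed ... rows." footer to tell whether another page must be fetched with vpnmonitor N. The sample output is constructed for the example (three SAs, two of them Down). Treating the 0.0.0.0 - 0.0.0.0 GroupVPN entry as "no peer bound" rather than a failed tunnel is this example's reading of the manual's output, not a documented rule.

```python
"""Parse 'vpnmonitor status' output and flag tunnels that are down.

Added example (not SonicWALL code). The layout is taken from the example
output above; the sample below is constructed for this example.
"""
import re

SAMPLE_STATUS = """\
----------------------------------------------------------------------------
SA NAME: GroupVPN
LAST UPDATED: Mar 22, 2004 Mon [11:49 AM]
Tunnel ID                       Status    Destination Address Range
MT107998499199600B0D01FDBF8     Down      0.0.0.0 - 0.0.0.0
----------------------------------------------------------------------------
SA NAME: SGMS-0006B1040148
LAST UPDATED: Mar 22, 2004 Mon [11:49 AM]
Tunnel ID                       Status    Destination Address Range
MT107998499489000B0D01FDBF8     Up        10.0.14.43 - 10.0.14.43
----------------------------------------------------------------------------
SA NAME: SGMS-0006B1044046
LAST UPDATED: Mar 22, 2004 Mon [11:49 AM]
Tunnel ID                       Status    Destination Address Range
MT107998499529000B0D01FDBF8     Down      10.0.14.44 - 10.0.14.44
----------------------------------------------------------------------------
Displayed 0 to 3 of 3 rows.
"""

TUNNEL_RE = re.compile(r"^(MT\w+)\s+(Up|Down)\s+(\S+)\s+-\s+(\S+)\s*$")
FOOTER_RE = re.compile(r"^Displayed (\d+) to (\d+) of (\d+) rows\.")


def parse_status(text):
    """Return one dict per tunnel row, carrying the SA name and timestamp
    of the block the row appeared in."""
    records, sa_name, updated = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SA NAME:"):
            sa_name = line.split(":", 1)[1].strip()
        elif line.startswith("LAST UPDATED:"):
            updated = line.split(":", 1)[1].strip()
        else:
            m = TUNNEL_RE.match(line)
            if m:
                records.append({
                    "sa": sa_name, "updated": updated,
                    "tunnel_id": m.group(1), "status": m.group(2),
                    "dest_start": m.group(3), "dest_end": m.group(4),
                })
    return records


def has_more_pages(text, records):
    """True when the footer reports more rows than this page contained,
    i.e. 'vpnmonitor N' is needed to fetch the rest."""
    for raw in text.splitlines():
        m = FOOTER_RE.match(raw.strip())
        if m:
            return int(m.group(3)) > len(records)
    raise ValueError("no 'Displayed ... rows.' footer; output truncated?")


def down_tunnels(records, ignore_unbound=True):
    """(sa, tunnel_id) for every Down row. A 0.0.0.0 - 0.0.0.0 destination
    (the GroupVPN entry in the manual's output) has no peer to be down
    from, so it is skipped unless ignore_unbound=False. That reading of
    the GroupVPN row is this example's assumption."""
    out = []
    for r in records:
        if r["status"] != "Down":
            continue
        if ignore_unbound and r["dest_start"] == r["dest_end"] == "0.0.0.0":
            continue
        out.append((r["sa"], r["tunnel_id"]))
    return out


if __name__ == "__main__":
    recs = parse_status(SAMPLE_STATUS)
    for sa, tunnel in down_tunnels(recs):
        print(f"DOWN: SA {sa} tunnel {tunnel}")
    print("more pages:", has_more_pages(SAMPLE_STATUS, recs))
```

Run against the saved output of vpnmonitor status for each firewall serial number; a non-empty result from down_tunnels is the alert condition, and has_more_pages tells the script when to issue vpnmonitor N before concluding.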
vpnmonitor statistics tunnel-id
Syntax
Table 18:
  tunnel-id    ID of the VPN tunnel, as shown in the Tunnel ID column of vpnmonitor status.
Example
In the following example, the statistics for tunnel MT107998499428900B0D01FDBF8 are displayed:
sgms> vpnmonitor statistics MT107998499428900B0D01FDBF8
Statistics for tunnel MT107998499428900B0D01FDBF8
------------------------------------------------------------------
SA Name: SGMS-00401012550C
Gateway: 10.0.14.45
Source Address Range: 0.0.0.0 - 255.255.255.255
Destination Address Range: 10.0.14.45 - 10.0.14.45
Creation Time: 03/19/2004 10:43:34
Expiry Time: No Expiry
SaUpTime:
Packets In: 18822
Packets Out: 2941
Bytes In: 267
Bytes Out: 103
Fragmented Packets In: 0
Fragmented Packets Out: 0
-------------------------------------------------------------------
Refreshing a Tunnel
To refresh a tunnel, use the vpnmonitor refresh command.
vpnmonitor refresh tunnel-id
Syntax
Table 19:
  tunnel-id    ID of the VPN tunnel to refresh.
Example
In the following example, tunnel MT107998499428900B0D01FDBF8 is refreshed:
sgms> vpnmonitor refresh MT107998499428900B0D01FDBF8
Renegotiating a Tunnel
To renegotiate a VPN tunnel, use the vpnmonitor renegotiate command.
vpnmonitor renegotiate tunnel-id
Syntax
Table 20:
  tunnel-id    ID of the VPN tunnel to renegotiate.
Example
In the following example, tunnel MT107998499428900B0D01FDBF8 is renegotiated:
sgms> vpnmonitor renegotiate MT107998499428900B0D01FDBF8
vpnmonitor synchronize firewall-sn
Syntax
Table 21:
  firewall-sn    Serial number of the SonicWALL appliance.
Example
In the following example, tunnel status information for each VPN tunnel on the SonicWALL appliance with serial number 004010126FB0 is synchronized with SonicWALL GMS:
sgms> vpnmonitor synchronize 004010126FB0
configure xml_file
Note
For information on creating a configuration file, see Preparing a Configuration File on page 1106.
Syntax
Table 22:
  xml_file    The XML file that contains configuration instructions.
Usage Guidelines
When this command is entered, SonicWALL GMS does the following:
  Checks the validity of the XML file.
  Executes the command.
  Closes the session and exits.
Example
In the following example, the user admin logs in using the password password and runs the tasks in configure.xml:
sgms> configure configure.xml
Configuring SonicWALL Parameters
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE Configure [
  <!ELEMENT Configure (Task*)>
  <!ELEMENT Task (SetParam*,DelParam*,AddParam*)>
  <!ATTLIST Task
    displayname CDATA #REQUIRED
    viewname    CDATA #REQUIRED
    updatetype  CDATA #REQUIRED
    tasktype    CDATA #REQUIRED
    description CDATA #REQUIRED>
  <!ELEMENT SetParam EMPTY>
  <!ATTLIST SetParam
    setParamName  CDATA #REQUIRED
    setParamValue CDATA #REQUIRED>
  <!ELEMENT DelParam EMPTY>
  <!ATTLIST DelParam
    delParamName  CDATA #REQUIRED
    delParamValue CDATA #REQUIRED>
  <!ELEMENT AddParam EMPTY>
  <!ATTLIST AddParam
    addParamName  CDATA #REQUIRED
    addParamValue CDATA #REQUIRED>
]>
<Configure>
  <Task displayname="firewall_parameters" viewname="view_name" updatetype="update_type" tasktype="task_type" description="description">
    <SetParam setParamName="set_parameter_name" setParamValue="set_parameter_value"/>
    <AddParam addParamName="add_parameter_name" addParamValue="add_parameter_value"/>
  </Task>
</Configure>
Note that the DTD fixes the order of parameter elements inside a Task (SetParam, then DelParam, then AddParam) and gives each element its own attribute names; a SetParam attribute on an AddParam element is not valid.
firewall_parameters
  Required. Specifies the firewall, or the group parameters of the firewalls, to be updated. To specify a single firewall, enter the firewall name. For example:
  displayname="Firewall_42"
  To specify more than one firewall, enter each group parameter that applies to the firewalls. For example:
  displayname="Country=USA:State=California:Department=Engineering"
view_name
  Specifies the view to which the firewall or group of firewalls belongs. This allows you to apply changes to firewalls within a specific view. For example, to apply the changes to firewalls that meet the parameters that you specified in the view USA_west_coast, enter the following:
  viewname="USA_west_coast"
update_type
  Specifies the kind of update to be performed, such as changing existing values, adding new values, or deleting values. Options include:
  change_field: used to set a non-array-type field
  add_array_field: used to add an array-type field
  del_array_field: used to delete a value from an array-type field
  special_action: used to perform special tasks, such as synchronizing or restarting a firewall
task_type
  Specifies the task type. Options include:
  Configure_FW: used to configure SonicWALL firewalls
  Configure_RC: used to configure Ravlin devices
  Register: used to register SonicWALL appliances
description
  Description of the tasks you are performing. This information will appear in the log files.
Parameter Settings
Used to add, delete, or set parameters.
Change Fields
  Used to set independent firewall parameters (a SetParam element in a change_field task).
  set_parameter_name: specifies the name of the parameter.
  set_parameter_value: specifies the new setting.
  For example, to create a task to change the time zone of the firewall (the timezone parameter), enter the following:
  updatetype="change_field" tasktype="Configure_FW" description="Change Timezone"
  setParamName="timezone" setParamValue="829"
Add Fields
  Used to add new firewall parameters (an AddParam element in an add_array_field task).
  add_parameter_name: specifies the name of the parameter.
  add_parameter_value: specifies the new parameter setting.
  For example, to add a rule (such as Allow File Transfer (FTP)), use the following text:
  updatetype="add_array_field" tasktype="Configure_FW" description="Add Rule, Allow File Transfer (FTP)"
  addParamName="serviceNameInRule" addParamValue="File Transfer (FTP)"
Delete Fields
  Used to delete firewall parameters (a DelParam element in a del_array_field task).
  del_parameter_name: specifies the name of the parameter.
  del_parameter_value: specifies the setting to delete.
  For example, to remove a rule (such as Allow File Transfer (FTP)), use the following text:
  updatetype="del_array_field" tasktype="Configure_FW" description="Delete Rule, Allow File Transfer (FTP)"
  delParamName="serviceNameInRule" delParamValue="File Transfer (FTP)"
Special Action
  Used to execute special actions such as resetting a firewall (a SetParam element in a special_action task).
  set_parameter_name: specifies the name of the parameter.
  set_parameter_value: specifies the action to execute.
  For example, to restart a firewall, use the following text:
  updatetype="special_action" tasktype="Configure_FW" description="Restart Firewall"
  setParamName="cgi_action" setParamValue="restart"
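A configure file is pushed to every firewall that matches its displayname and viewname selectors, so it is worth checking against the DTD and the updatetype rules above before it reaches the sgms prompt. The following Python is an added example, not SonicWALL code. xml.etree reads the DOCTYPE in the file but does not enforce it, so the checker restates the DTD (required Task attributes, the attribute names of SetParam, DelParam and AddParam, the SetParam/DelParam/AddParam order, EMPTY content) and adds the pairing of updatetype to element that the Parameter Settings examples use. The two sample files are constructed for the example; the second one carries the error that a well-formedness check alone would miss.

```python
"""Check a configure command file against the rules stated in the DTD and
in the Parameter Settings section before handing it to 'configure'.

Added example (not SonicWALL code). xml.etree does not enforce the DTD in
the file's internal subset, so the rules are restated here. The pairing of
updatetype to element (change_field/special_action -> SetParam,
add_array_field -> AddParam, del_array_field -> DelParam) follows the
Parameter Settings examples.
"""
import xml.etree.ElementTree as ET

TASK_ATTRS = ("displayname", "viewname", "updatetype", "tasktype", "description")
UPDATE_TYPES = {"change_field", "add_array_field", "del_array_field", "special_action"}
TASK_TYPES = {"Configure_FW", "Configure_RC", "Register"}
PARAM_ATTRS = {                       # element -> required attributes (from the DTD)
    "SetParam": ("setParamName", "setParamValue"),
    "DelParam": ("delParamName", "delParamValue"),
    "AddParam": ("addParamName", "addParamValue"),
}
CONTENT_ORDER = ("SetParam", "DelParam", "AddParam")   # Task (SetParam*,DelParam*,AddParam*)
ELEMENT_FOR_UPDATE = {
    "change_field": "SetParam", "special_action": "SetParam",
    "add_array_field": "AddParam", "del_array_field": "DelParam",
}

# Constructed sample: two valid tasks (change_field and special_action).
GOOD_FILE = """<?xml version="1.0"?>
<Configure>
  <Task displayname="Firewall_42" viewname="USA_west_coast"
        updatetype="change_field" tasktype="Configure_FW"
        description="Change Timezone">
    <SetParam setParamName="timezone" setParamValue="829"/>
  </Task>
  <Task displayname="Firewall_42" viewname="USA_west_coast"
        updatetype="special_action" tasktype="Configure_FW"
        description="Restart Firewall">
    <SetParam setParamName="cgi_action" setParamValue="restart"/>
  </Task>
</Configure>
"""

# Constructed sample of the mistake a well-formedness check does not catch:
# an add_array_field task whose AddParam carries SetParam's attribute names.
BAD_FILE = """<Configure>
  <Task displayname="Firewall_42" viewname="USA_west_coast"
        updatetype="add_array_field" tasktype="Configure_FW"
        description="Add Rule, Allow File Transfer (FTP)">
    <AddParam setParamName="serviceNameInRule" setParamValue="File Transfer (FTP)"/>
  </Task>
</Configure>
"""


def validate_configure(xml_text):
    """Return a list of problems; an empty list means the file passes."""
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "Configure":
        return [f"root element must be Configure, found {root.tag}"]
    for i, task in enumerate(root):
        where = f"Task[{i}]"
        if task.tag != "Task":
            errors.append(f"{where}: Configure may only contain Task, found {task.tag}")
            continue
        for attr in TASK_ATTRS:
            if attr not in task.attrib:
                errors.append(f"{where}: missing attribute {attr}")
        update = task.get("updatetype")
        if update not in UPDATE_TYPES:
            errors.append(f"{where}: unknown updatetype {update!r}")
        if task.get("tasktype") not in TASK_TYPES:
            errors.append(f"{where}: unknown tasktype {task.get('tasktype')!r}")
        rank = -1                                  # enforces the DTD content order
        for child in task:
            required = PARAM_ATTRS.get(child.tag)
            if required is None:
                errors.append(f"{where}: unexpected element {child.tag}")
                continue
            pos = CONTENT_ORDER.index(child.tag)
            if pos < rank:
                errors.append(f"{where}: {child.tag} must come before "
                              f"{CONTENT_ORDER[rank]} elements")
            rank = max(rank, pos)
            missing = [a for a in required if a not in child.attrib]
            unknown = sorted(set(child.attrib) - set(required))
            if missing:
                errors.append(f"{where}/{child.tag}: missing attribute(s) {missing}")
            if unknown:
                errors.append(f"{where}/{child.tag}: unknown attribute(s) {unknown}")
            if len(child) or (child.text and child.text.strip()):
                errors.append(f"{where}/{child.tag}: must be EMPTY")
            expected = ELEMENT_FOR_UPDATE.get(update)
            if expected and child.tag != expected:
                errors.append(f"{where}: updatetype {update} expects {expected}, "
                              f"found {child.tag}")
    return errors


if __name__ == "__main__":
    print("good file:", validate_configure(GOOD_FILE) or "OK")
    print("bad file:", *validate_configure(BAD_FILE), sep="\n  ")
```

An empty result is the go-ahead; for the bad file the checker reports both the missing addParamName/addParamValue attributes and the stray setParamName/setParamValue attributes, which is exactly the confusion between the two element types that the DTD forbids.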
modifyarray xml_file
Note
For information on creating a configuration file, see Preparing a Parameter Modification File on page 1110.
Syntax
Table 23:
  xml_file    The XML file that contains the parameter modification instructions.
Usage Guidelines
When this command is entered, SonicWALL GMS does the following:
  Checks the validity of the XML file.
  Executes the command.
  Closes the session and exits.
Example
In the following example, the value of the secondary phone number is changed to the number specified in the primary phone number field, and the primary phone number is then changed to 800-555-1212:
sgms> modifyarray modify.xml
Modifying SonicWALL Parameters
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<Configure>
  <Task displayname="root" viewname="AGENTCompany" description="Modify SP Profiles" arraytablename="SW_PROFILES" indidxcolumnname="dialupProfileInUse_0">
    <ArrayIndexColumnName paramName="dialConfigName" />
    <ModParam paramName="secPhone" paramValue="%priPhone%" />
    <ModParam paramName="priPhone" paramValue="[18005551212]" />
  </Task>
</Configure>
Table 24:
firewall_parameters
  Required. Specifies the firewall, or the group parameters of the firewalls, to be updated. To specify a single firewall, enter the firewall name. For example:
  displayname="Firewall_42"
  To specify more than one firewall, enter each group parameter that applies to the firewalls. For example:
  displayname="Country=USA:State=California:Department=Engineering"
view_name
  Specifies the view to which the firewall or group of firewalls belongs. This allows you to apply changes to firewalls within a specific view. For example, to apply the changes to firewalls that meet the parameters that you specified in the view USA_west_coast, enter the following:
  viewname="USA_west_coast"
description
  Description of the tasks you are performing. This information will appear in the log files.
index column name
  Specifies the array index column name (the indidxcolumnname attribute of Task and the ArrayIndexColumnName element in the example above).
Modify Parameters
  Used to set independent firewall parameters.
  param_name: specifies the name of the parameter.
  param_value: specifies the new setting. This can be a variable that refers to the setting of another parameter. For example, the following string changes the Secondary modem phone number to the value of the Primary modem phone number:
  <ModParam paramName="secPhone" paramValue="%priPhone%" />
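Because a ModParam value can reference another column, the result depends on the order of the ModParam elements and on whether every referenced column exists. The following Python is an added example, not SonicWALL code: it reads the Task from the modify file above and applies its ModParam entries to one array row, so the effect can be checked before the file is run. Its assumptions are that entries are applied in document order against the row's current values, that an unresolvable %name% should be an error rather than an empty string, and that a bracketed value such as [18005551212] is stored as written (the manual does not define the brackets); the arraytablename attribute name follows the example as reconstructed above. The row data is constructed.

```python
"""Resolve %param% references in modifyarray ModParam values.

Added example (not SonicWALL code). Assumptions: ModParam entries are
applied in document order against the row's current values; an unknown
%name% is an error; bracketed values are stored as written; the Task
attribute is spelled arraytablename as in the reconstructed example.
"""
import re
import xml.etree.ElementTree as ET

REF_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# The modify file from the manual's example (declaration simplified).
MODIFY_XML = """<?xml version="1.0"?>
<Configure>
  <Task displayname="root" viewname="AGENTCompany" description="Modify SP Profiles"
        arraytablename="SW_PROFILES" indidxcolumnname="dialupProfileInUse_0">
    <ArrayIndexColumnName paramName="dialConfigName" />
    <ModParam paramName="secPhone" paramValue="%priPhone%" />
    <ModParam paramName="priPhone" paramValue="[18005551212]" />
  </Task>
</Configure>
"""


def parse_modify_task(xml_text):
    """Extract the table, index column and ordered ModParam list from the file."""
    root = ET.fromstring(xml_text)
    task = root.find("Task")
    if task is None:
        raise ValueError("no Task element")
    index = task.find("ArrayIndexColumnName")
    return {
        "table": task.get("arraytablename"),
        "index_column": index.get("paramName") if index is not None else None,
        "mod_params": [(m.get("paramName"), m.get("paramValue"))
                       for m in task.findall("ModParam")],
    }


def resolve(value, row):
    """Replace every %name% in value with row[name]. An unknown name raises
    instead of substituting '', so a typo cannot silently blank a field."""
    def lookup(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"%{name}% refers to a column the row does not have")
        return row[name]
    return REF_RE.sub(lookup, value)


def apply_mod_params(row, mod_params):
    """Return a new row with the ModParam entries applied in order; the
    input row is left untouched so before/after can be compared."""
    current = dict(row)
    for name, value in mod_params:
        if name not in current:
            raise KeyError(f"ModParam targets unknown column {name!r}")
        current[name] = resolve(value, current)
    return current


if __name__ == "__main__":
    task = parse_modify_task(MODIFY_XML)
    # Constructed row of the SW_PROFILES array.
    row = {"dialConfigName": "ISP-A", "priPhone": "4085551234", "secPhone": ""}
    print("in order:  ", apply_mod_params(row, task["mod_params"]))
    print("reversed:  ", apply_mod_params(row, list(reversed(task["mod_params"]))))
```

Applied in the order written, secPhone receives the old primary number and priPhone then receives the new one; with the two ModParam elements swapped, secPhone would receive the new number as well and the old primary number would be lost.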
Configuration Parameters
For the latest list of available CLI configuration parameters, see the SonicWALL GMS CLI Reference Guide, which is available at the following URL: http://www.sonicwall.com/us/Support.html This chapter contains information on how to retrieve parameters that can be used with the command-line interface (CLI) configure command.
System/Time
This section describes the parameters that can be configured for the Time screen of the System tree. To get the list of firewall parameters that the firmware expects for a screen, query the back-end database. To configure the Time screen, perform the following steps:
1. Open Query Analyzer, select the sgmsdb database, and execute the following query to find the ID of the screen:
   Select id from screens where name like 'Time'
   Output: 1003
2. Query the details of the parameters that belong to that screen:
   Select prefs_file_name, independent, default_value from params_info
   where prefs_file_name in (Select param_name from sub_policy where screen_id = 1003)
   Table 21 provides the parameters returned for the above query.
Table 21 Query Parameters
3. Group the independent and array parameters from the above query results; independent parameters are set with SetParam in a change_field task, array parameters are added with AddParam in an add_array_field task.
The following provides the XML to configure the array parameters of the Time screen:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE Configure [
  <!ELEMENT Configure (Task*)>
  <!ELEMENT Task (SetParam*,DelParam*,AddParam*)>
  <!ATTLIST Task
    displayname CDATA #REQUIRED
    viewname    CDATA #REQUIRED
    updatetype  CDATA #REQUIRED
    tasktype    CDATA #REQUIRED
    description CDATA #REQUIRED>
  <!ELEMENT SetParam EMPTY>
  <!ATTLIST SetParam
    setParamName  CDATA #REQUIRED
    setParamValue CDATA #REQUIRED>
  <!ELEMENT DelParam EMPTY>
  <!ATTLIST DelParam
    delParamName  CDATA #REQUIRED
    delParamValue CDATA #REQUIRED>
  <!ELEMENT AddParam EMPTY>
  <!ATTLIST AddParam
    addParamName  CDATA #REQUIRED
    addParamValue CDATA #REQUIRED>
]>
<Configure>
  <Task displayname="firewall_parameters" viewname="view_name" updatetype="add_array_field" tasktype="Configure_FW" description="description">
    <AddParam addParamName="addCustomNTPServer" addParamValue="10.0.0.1"/>
  </Task>
</Configure>
The following provides the XML to configure the independent parameters of the Time screen:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE Configure [
  <!ELEMENT Configure (Task*)>
  <!ELEMENT Task (SetParam*,DelParam*,AddParam*)>
  <!ATTLIST Task
    displayname CDATA #REQUIRED
    viewname    CDATA #REQUIRED
    updatetype  CDATA #REQUIRED
    tasktype    CDATA #REQUIRED
    description CDATA #REQUIRED>
  <!ELEMENT SetParam EMPTY>
  <!ATTLIST SetParam
    setParamName  CDATA #REQUIRED
    setParamValue CDATA #REQUIRED>
  <!ELEMENT DelParam EMPTY>
  <!ATTLIST DelParam
    delParamName  CDATA #REQUIRED
    delParamValue CDATA #REQUIRED>
  <!ELEMENT AddParam EMPTY>
  <!ATTLIST AddParam
    addParamName  CDATA #REQUIRED
    addParamValue CDATA #REQUIRED>
]>
<Configure>
  <Task displayname="firewall_parameters" viewname="view_name" updatetype="change_field" tasktype="Configure_FW" description="description">
    <SetParam setParamName="ntp_updateInterval" setParamValue="30"/>
    <SetParam setParamName="ntp_useDst" setParamValue="1"/>
    <SetParam setParamName="ntp_useNtp" setParamValue="1"/>
    <SetParam setParamName="ntp_utcLogs" setParamValue="1"/>
    <SetParam setParamName="timezone" setParamValue="829"/>
    <SetParam setParamName="useInternational" setParamValue="1"/>
  </Task>
</Configure>
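The three steps above (find the screen ID, list its parameters, split them into independent and array parameters) are what a script would do before writing the two files. The following Python is an added example, not SonicWALL code. It runs the manual's queries, parameterised, against an in-memory SQLite copy of the three tables with constructed rows, groups the result, and emits one change_field task with SetParam elements and one add_array_field task with AddParam elements. The column types, the independent flag values and the screen and parameter rows are assumptions made for the example; the real sgmsdb is a SQL Server database queried with Query Analyzer.

```python
"""From the sgmsdb parameter query to a configure file for the Time screen.

Added example (not SonicWALL code). The queries are the ones given in the
steps above, run here against an in-memory SQLite copy of the three tables
with constructed rows (column types and 'independent' flag values are
assumptions). Independent parameters become a change_field/SetParam task,
array parameters an add_array_field/AddParam task, as in the XML above.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed rows for the Time screen (screen id 1003 as in the manual).
SAMPLE_PARAMS = [
    # prefs_file_name,     independent, default_value
    ("addCustomNTPServer", 0, ""),
    ("ntp_updateInterval", 1, "30"),
    ("ntp_useDst",         1, "1"),
    ("ntp_useNtp",         1, "1"),
    ("ntp_utcLogs",        1, "1"),
    ("timezone",           1, "829"),
    ("useInternational",   1, "1"),
]


def build_sample_db():
    """In-memory stand-in for the screens/sub_policy/params_info tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE screens (id INTEGER, name TEXT);
        CREATE TABLE sub_policy (screen_id INTEGER, param_name TEXT);
        CREATE TABLE params_info (prefs_file_name TEXT, independent INTEGER,
                                  default_value TEXT);
    """)
    conn.execute("INSERT INTO screens VALUES (1003, 'Time')")
    conn.execute("INSERT INTO screens VALUES (1004, 'Settings')")
    conn.executemany("INSERT INTO sub_policy VALUES (1003, ?)",
                     [(p[0],) for p in SAMPLE_PARAMS])
    conn.execute("INSERT INTO sub_policy VALUES (1004, 'firewallName')")
    conn.executemany("INSERT INTO params_info VALUES (?, ?, ?)",
                     SAMPLE_PARAMS + [("firewallName", 1, "")])
    return conn


def screen_id(conn, name):
    """Step 1: the screens query, with the name passed as a bound parameter."""
    row = conn.execute("SELECT id FROM screens WHERE name LIKE ?", (name,)).fetchone()
    if row is None:
        raise LookupError(f"no screen named {name!r}")
    return row[0]


def screen_params(conn, sid):
    """Step 2: the params_info/sub_policy query from the manual."""
    return conn.execute(
        "SELECT prefs_file_name, independent, default_value FROM params_info "
        "WHERE prefs_file_name IN "
        "(SELECT param_name FROM sub_policy WHERE screen_id = ?)", (sid,)).fetchall()


def group_params(rows):
    """Step 3: split into independent (SetParam) and array (AddParam) names."""
    groups = {"independent": [], "array": []}
    for name, independent, _default in rows:
        groups["independent" if independent else "array"].append(name)
    return groups


def build_configure(displayname, viewname, rows, values):
    """One change_field task for independent parameters and one
    add_array_field task for array parameters. values maps parameter name
    to the setting to push; parameters without a value are left alone."""
    groups = group_params(rows)
    root = ET.Element("Configure")
    plans = [
        ("independent", "change_field", "SetParam", "setParamName", "setParamValue"),
        ("array", "add_array_field", "AddParam", "addParamName", "addParamValue"),
    ]
    for group, updatetype, elem, name_attr, value_attr in plans:
        chosen = [n for n in groups[group] if n in values]
        if not chosen:
            continue
        task = ET.SubElement(root, "Task", displayname=displayname, viewname=viewname,
                             updatetype=updatetype, tasktype="Configure_FW",
                             description=f"Time screen: {updatetype}")
        for name in chosen:
            ET.SubElement(task, elem, {name_attr: name, value_attr: values[name]})
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def summarize_configure(xml_text):
    """Parse a generated file back into [(updatetype, [(name, value), ...])]."""
    out = []
    for task in ET.fromstring(xml_text).findall("Task"):
        params = [(p.get("setParamName") or p.get("addParamName"),
                   p.get("setParamValue") or p.get("addParamValue")) for p in task]
        out.append((task.get("updatetype"), params))
    return out


if __name__ == "__main__":
    conn = build_sample_db()
    rows = screen_params(conn, screen_id(conn, "Time"))
    print(build_configure("Firewall_42", "USA_west_coast", rows,
                          {"timezone": "829", "ntp_useNtp": "1",
                           "addCustomNTPServer": "10.0.0.1"}))
```

The generated file keeps SetParam and AddParam in separate tasks, which is what the DTD's content model and the updatetype rules require; a parameter that the query did not return for the screen is never emitted, so a misspelled name in values is dropped rather than pushed to the firewall.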
SonicWALL, Inc. 2001 Logic Drive San Jose CA 95124-345 T +1 408.745.9600 F +1 408.745.9300 www.sonicwall.com
1/2010