SonicWALL 3 S

SONICWALL SONICOS STANDARD 3.0 ADMINISTRATOR’S GUIDE

205

Configuring GroupVPN Policy on the SonicWALL

In the IKE (Phase 1) Proposal section, select the following settings:

Group 2 from the DH Group menu.

3DES from the Encryption menu

SHA1 from the Authentication menu

Leave the default setting, 28800, in the Life Time (secs) field. This setting forces the tunnel to

renegotiate and exchange keys every 8 hours.

In the IPSec (Phase 2) Proposal section, select the following settings:

ESP from the Protocol menu

3DES from the Encryption menu

MD5 from the Authentication menu

Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange

as an added layer of security. Then select Group 2 from the DH Group menu.

Leave the default setting, 28800, in the Life Time (secs) field. This setting forces the tunnel to

renegotiate and exchange keys every 8 hours.

4

Click the Advanced tab. Select any of the following settings you want to apply to your GroupVPN

policy.

Enable Windows Networking (NetBIOS) broadcast - to allow access to remote network

resources by browsing the Windows® Network Neighborhood.

Apply NAT and Firewall Rules - This feature allows a remote site’s LAN subnet to be hidden

from the corporate site, and is most useful when a remote office’s network traffic is initiated to

the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and

the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation)

is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is

performed on inbound packets when they are received. By using NAT for a VPN connection,

computers on the remote LAN are viewed as one address (the SonicWALL public address)

from the corporate LAN.

SAlert: Offices can have overlapping LAN IP ranges if the Apply NAT and Firewall Rules feature is

selected.

Contents

Main Chapter 2: Basic SonicWALL Security Appliance Setup. . . . . . . . . . . . . . . . .9 Chapter 5: Using System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Chapter 6: Setting System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Chapter 7: Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Chapter 8: Performing Diagnostic Tests and Restarting the SonicWALL Security Appliance51 Chapter 10:Configuring One-to-One NAT . . . . . . . . . . . . . . . . . . . . . . . . . . .81 Chapter 11:Configuring Web Proxy Settings . . . . . . . . . . . . . . . . . . . . . . . . .85 Chapter 12:Configuring Intranet Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Page Page Chapter 30:Managing Wireless Guest Accounts . . . . . . . . . . . . . . . . . . . . 171 Chapter 32:Configuring Advanced Rule Options . . . . . . . . . . . . . . . . . . . . 189 Chapter 33:Configuring Custom Services. . . . . . . . . . . . . . . . . . . . . . . . . . 191 Chapter 35:Monitoring Active Firewall Connections . . . . . . . . . . . . . . . . . . 197 Chapter 37:Configuring Advanced VPN Settings. . . . . . . . . . . . . . . . . . . . .229 Chapter 38:Configuring DHCP Over VPN . . . . . . . . . . . . . . . . . . . . . . . . . .233 Chapter 39:Configuring L2TP Server Settings. . . . . . . . . . . . . . . . . . . . . . . 237 Chapter 40:Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241 PART 9: Users Chapter 41:Viewing User Status and Configuring User Authentication. . . . 249 Chapter 42:Configuring Local Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Chapter 44:Configuring SonicWALL Content Filtering Service. . . . . . . . . . 265 Chapter 45:Managing SonicWALL Network Anti-Virus and E-Mail Filter Services275 Chapter 46:Managing SonicWALL Gateway Anti-Virus Service. . . . . . . . . .279 Chapter 47:Managing SonicWALL Intrusion Prevention Service . . . . . . . . .285 Chapter 48:Managing SonicWALL Global Security Client . . . . . . . . . . . . . .291 Chapter 50:Specifying Log Categories. . . . . . . . . . . . . . . . . . . . . . . . . . . . .301 Chapter 51:Configuring Log Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Appendix A:Using the SonicSetup Diagnostic and Recovery Tool . . . . . . . 313 Appendix B:Resetting the SonicWALL Security Appliance Using SafeMode321 Copyright Notice Trademarks Limited Warranty About this Guide 9 Organization of this Guide Part 1 Introduction Part 2 System Part 3 Network Part 4 Modem (TZ 170 SP) Part 9 Users Part 10 Security Services Part 11 Log Guide Conventions Icons Used in this Manual S 9 SonicWALL Technical Support North America Telephone Support Current Documentation http://www.sonicwall.com/services/documentation.html Page Page Whats New in SonicOS Standard 3.0 SonicWALL Management Interface Navigating the Management Interface Status Bar Applying Changes Navigating Tables Common Icons in the Management Interface Getting Help S Logging Out Page Appliance Setup SonicWALL Security Appliance Configuration Steps Collecting Required ISP Information Internet Service Provider (ISP) Information If You Have a Cable Modem S 9 Using the SonicWALL Setup Wizard 9 SonicWALL TZ 170 SP Page 9 Configuring a DHCP Internet Connection 9 Configuring a PPPoE Internet Connection Configuring PPTP Internet Connectivity Page Configuring the TZ 170 SP using the Setup Wizard Configuring the TZ 50 Wireless/TZ 150 Wireless/170 Wireless using the Setup Wizard Configuring the TZ 50 Wireless/TZ 150 Wireless/170 Wireless as an Office Gateway Configuring the WAN Network Mode Configuring WAN Settings Configuring LAN Settings Configuring LAN DHCP Settings Configuring WLAN 802.11b/g Settings Configuring WiFiSec - VPN Client User Authentication Configuring the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless as a Secure Access Point Configuring the LAN Settings Configuring the LAN DHCP Settings Configuring WiFiSec - VPN Client User Authentication Configuring the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless as a Guest Internet Gateway Configuring the WAN Network Mode Configuring WAN Settings Configuring Wireless Guest Services Configuring the TZ 170 Wireless as a Secure Wireless Bridge Configuring LAN Settings Configuring LAN DHCP Settings Configuring WLAN Network Setting Configuring Secure Wireless Bridge Settings Registering Your SonicWALL Security Appliance S Creating a mySonicWALL.com Account Registering Your SonicWALL Security Appliance Page Page Page Information System > Status Wizards System Messages System Information Security Services Latest Alerts System > Licenses Node License Status Currently Licensed Nodes Node License Exclusion List Security Services Summary Manage Security Services Online 9 Manual Upgrade for Closed Environments From a Computer Connected to the Internet From the Management Interface of the SonicWALL Security Appliance Page System > Administration Firewall Name Name/Password Administrator Name Changing the Administrator Password 9 Enable Administrator/User Lockout S Web Management Settings Changing the Default Size for SonicWALL Management Interface Tables Advanced Management Enable SNMP Enable Management Using SonicWALL GMS Page System > Time Set Time Setting the SonicWALL Security Appliance Time NTP Settings System > Settings Import Settings Export Settings Firmware Management New Firmware Page Tech Support Report S Generating a Tech Support Report Diagnostic Tools Active Connections Monitor Active Connections Monitor Settings CPU Monitor DNS Name Lookup Find Network Path Packet Trace 9 Ping Process Monitor Reverse Name Resolution System > Restart Page Page Network > Settings Setup Wizard Interfaces Interface Options by SonicWALL Security Appliance DNS Settings Configuring the WAN Interface Configuration Example Configuring NAT Enabled Configuring NAT with DHCP Client Configuring NAT with PPPoE Client Configuring NAT with L2TP Client Configuring NAT with PPTP Client Configuring Ethernet Settings in WAN Properties 9 S Configuring the LAN Interface Basic LAN Configuration Configuring Multiple LAN Subnets Configuring Ethernet Settings Configuring the OPT Interface Page Configuring NAT Mode Configuring the DMZ Interface Page Configuring NAT Mode Configuring the Modem Interface (TZ 170 SP) Modem Settings Profiles Failover Advanced Activating the Modem Configuring WLAN Properties (TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless) Page Network > One-to-One NAT S 9 One-to-One NAT Configuration Example S 9 Page Page Network > Web Proxy Configuring Automatic Web Proxy Forwarding S Bypass Proxy Servers Upon Proxy Failure Forward OPT/DMZ/WLAN Client Requests to Proxy Server Network > Intranet Installation S Intranet Settings 9 Network > Routing Static Routes 9 Static Route Configuration Example 9 Route Advertisement Route Advertisement Configuration Routing Table Protocol Settings Network > ARP Static ARP Entries Secondary Subnets with Static ARP Adding a Secondary Subnet using the Static ARP Method Page Prohibit Dynamic ARP Entries S Navigating and Sorting the ARP Cache Table Flushing the ARP Cache Page Network > DHCP Server DHCP Server Settings DHCP Server Lease Scopes Configuring DHCP Server for Dynamic Ranges Configuring Static DHCP Entries 9 Current DHCP Leases Network > Dynamic DNS Supported DDNS Providers Additional Services offered by Dynamic DNS Providers Configuring Dynamic DNS Page Dynamic DNS Settings Table Page Page Page Modem > Status Modem Status Modem > Settings Configuring Profile and Modem Settings 9 Modem > Failover S Modem Failover Settings S Configuring Modem Failover 9 Modem > Advanced Page Properties Modem > Dialup Profiles 9 Dial-Up Profiles Configuring a Dialup Profile Modem > Dialup Profiles > Modem Profile Configuration Configuring a Dialup Profile Page S Chat Scripts Custom Chat Scripts 9 Page Page Wireless Wizard and Monitoring Your WLAN Considerations for Using Wireless Connections Optimal Wireless Performance Recommendations Adjusting the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless Antennas Wireless Guest Services (WGS) Wireless Node Count Enforcement MAC Filter List WiFiSec Enforcement Using the Wireless Wizard Welcome to the SonicWALL Wireless Configuration Wizard S WLAN 802.11b Settings WLAN Security Settings WiFiSec - VPN Client User Authentication S Wireless Guest Services Wireless Configuration Summary Updating the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless Congratulations Configuring Additional Wireless Features Wireless > Status WLAN Settings Access Point Status WLAN Statistics Station Status Page Wireless > Settings Wireless Radio Mode Wireless Settings Secure Wireless Bridging (TZ 170 Only) Configuring a Secure Wireless Bridge Network Settings for the Example Network Wireless Bridging (without WiFiSec) Configuring VPN Policies for the Access Point and Wireless Bridge Access Point Advanced Configuration for both VPN Policies Wireless Bridge VPN Policy Page Encryption Wireless > WEP/WPA Encryption WEP Encryption Settings WEP Encryption Keys WPA Encryption Settings WPA-PSK Settings Preshared Key Settings (PSK) WPA-EAP Settings WPA Settings: Extensible Authentication Protocol Settings (PSK) Wireless > Advanced Beaconing & SSID Controls Wireless Client Communications Advanced Radio Settings Configurable Antenna Diversity (TZ 170 Wireless) Page Page Wireless > MAC Filter List Page Wireless > IDS Wireless Bridge IDS Access Point IDS Enable Client Null Probing Association Flood Detection Rogue Access Point Detection S Authorizing Access Points on Your Network Page Page Page Status WGS > Status Page Wireless Guest Services WGS > Settings Bypass Guest Authentication Bypass Filters for Guest Accounts Enable Dynamic Address Translation (DAT) Enable SMTP Redirect Enable URL Allow List for Authenticated Users 9 Enable IP Address Deny List for Authenticated Users 9 Customize Login Page Custom Post Authentication Redirect Page Maximum Concurrent Guests WGS Account Profiles Page Accounts WGS > Accounts Working with Guest Accounts Automatically Generating Guest Accounts Manually Configuring Wireless Guests Account Detail Printing Flexible Default Route Secure Access Point with Virtual Adapter Support Secure Access Point with Wireless Guest Services Page Page Page Rules Network Access Rules Overview S Using Bandwidth Management with Access Rules S Firewall > Access Rules 9 Navigating and Sorting the Access Rules Table Entries Restoring Default Network Access Rules Adding Rules using the Network Access Rule Wizard Configuring a Public Server Rule Configuring a General Network Access Rule Page Adding Rules Using the Add Rule Window Page 9 Rule Examples Blocking LAN Access for Specific Services Enabling Ping Page Options Access Rules > Advanced Windows Networking (NetBIOS) Broadcast Pass Through Detection Prevention Enable Stealth Mode Randomize IP ID Dynamic Ports Source Routed Packets Firewall > Services User Defined (Custom) Services Predefined Services Firewall > VoIP VoIP Protocols H.323 SIP Configuring the VoIP Settings SIP Settings H.323 Settings Page Connections Firewall > Connections Monitor Setting Filter Logic Using Group Filters Page Page SonicWALL VPN Options Overview VPN > Settings VPN Global Settings VPN Policies Navigating and Sorting the VPN Policies Entries Currently Active VPN Tunnels Configuring IKE Preshared Secret S Page Page Configuring GroupVPN with IKE 3rd Party Certificates S Page Page Page Page Export a GroupVPN Client Policy S Site to Site VPN Configurations Site-to-Site VPN Deployments VPN Planning Sheet for Site-to-Site VPN Policies Site A Workstation SonicWALL Router Creating a Typical IKE Preshared Secret VPN Policy Creating a Custom VPN Policy IKE with Preshared Secret Creating a Manual Key VPN Policy with the VPN Policy Wizard S Configuring IKE 3rd Party Certificates with the VPN Policy Wizard S Creating Site-to-Site VPN Policies Using the VPN Policy Window 9 Configuring a VPN Policy IKE with Preshared Secret 9 Page Page Configuring a VPN Policy using Manual Key S Configuring a VPN Policy with IKE 3rd Party Certificate S Page Page Page VPN > Advanced Advanced VPN Settings VPN User Authentication Settings VPN Bandwidth Management 9 Page VPN > DHCP over VPN DHCP Relay Mode Configuring the Central Gateway for DHCP Over VPN Configuring DHCP over VPN Remote Gateway S Device Configuration S 9 Current DHCP over VPN Leases VPN > L2TP Server L2TP Server Settings IP Address Settings Adding L2TP Clients to the SonicWALL Currently Active L2TP Sessions Page Digital Certificates Overview SonicWALL Third-Party Digital Certificate Support VPN > Local Certificates 9 Importing Certificate with Private Key Certificate Details Delete This Certificate Generating a Certificate Signing Request VPN > CA Certificates Importing CA Certificates into the SonicWALL Certificate Details Delete This Certificate Certificate Revocation List (CRL) Importing a CRL List Automatic CRL Update Page Page Page Configuring User Authentication User Level Authentication Overview Users > Status Active User Sessions Users > Settings Authentication Method Global User Settings Internet Authentication Exclusions Acceptable Use Policy 9 Configuring RADIUS Authentication Page Page Page Users > Local Users Adding a Local User Page Page Services SonicWALL Security Services 9 mySonicWALL.com Activating Free Trials Security Services > Summary Security Services Summary Manage Licenses If Your SonicWALL Security Appliance is Not Registered Security Services Settings Filtering Service SonicWALL Content Filtering Service Security Services > Content Filter Content Filter Status Activating SonicWALL Content Filtering Service Activating a SonicWALL Content Filtering Service FREE TRIAL Content Filter Type Restrict Web Features Trusted Domains Message to Display when Blocking Configuring SonicWALL Filter Properties S Keyword Blocking Disable all Web traffic except for Allowed Domains Consent Mandatory Filtered IP Addresses Consent Page URL (mandatory filtering) Adding a New Address Page Anti-Virus and E-Mail Filter Services SonicWALL Network Anti-Virus Overview Security Services > Anti-Virus Activating SonicWALL Network Anti-Virus Activating a SonicWALL Network Anti-Virus FREE TRIAL Security Services > E-Mail Filter Configuring SonicWALL Network Anti-Virus Gateway Anti-Virus Service SonicWALL Gateway Anti-Virus Overview SonicWALL Gateway Anti-Virus/Intrusion Prevention Features Activating SonicWALL Gateway Anti-Virus Activating SonicWALL Gateway Anti-Virus Activating the SonicWALL Gateway Anti-Virus FREE TRIAL Configuring SonicWALL Gateway Anti-Virus Page Intrusion Prevention Service SonicWALL Intrusion Prevention Service SonicWALL IPS Features SonicWALL Deep Packet Inspection How SonicWALLs Deep Packet Inspection Architecture Works Security Services > Intrusion Prevention Activating SonicWALL IPS Activating the SonicWALL IPS FREE TRIAL Page Global Security Client SonicWALL Global Security Client Global Security Client Features How SonicWALL Global Security Client Works SonicWALL Global Security Client Activation Activating SonicWALL Global Security Client Page Page Page SonicOS Log Event Messages Overview Log > View Navigating and Sorting Log View Table Entries SonicOS Log Entries 9 Refresh Clear Log E-mail Log Page Log > Categories Log Categories Alerts & SNMP Traps Log > Automation E-mail Syslog Servers Page Page Log > Name Resolution Selecting Name Resolution Settings Specifying the DNS Server Log Reports Log > Reports Data Collection View Data Web Site Hits Bandwidth Usage by IP Address Bandwidth Usage by Service Log > ViewPoint Page A PPENDIX A and Recovery Tool SonicSetup Introduction and Discovery Device Selection Diagnostics Diagnostic Results SonicROM Recovery SonicOS Recovery Restoring Factory Defaults Address Synchronization Page A PPENDIX B Appliance Using SafeMode SonicWALL SafeMode Page Upgrading SonicOS Firmware