205 | SonicWALL 3 guide

Configuring GroupVPN Policy on the SonicWALL

In the IKE (Phase 1) Proposal section, select the following settings:

Group 2 from the DH Group menu. 3DES from the Encryption menu SHA1 from the Authentication menu

Leave the default setting, 28800, in the Life Time (secs) field. This setting forces the tunnel to renegotiate and exchange keys every 8 hours.

In the IPSec (Phase 2) Proposal section, select the following settings:

ESP from the Protocol menu 3DES from the Encryption menu MD5 from the Authentication menu

Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security. Then select Group 2 from the DH Group menu.

Leave the default setting, 28800, in the Life Time (secs) field. This setting forces the tunnel to renegotiate and exchange keys every 8 hours.

4Click the Advanced tab. Select any of the following settings you want to apply to your GroupVPN policy.

Enable Windows Networking (NetBIOS) broadcast - to allow access to remote network resources by browsing the Windows® Network Neighborhood.

Apply NAT and Firewall Rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN.

SAlert:selected.Offices can have overlapping LAN IP ranges if the Apply NAT and Firewall Rules feature is

SONICWALL SONICOS STANDARD 3.0 ADMINISTRATOR’S GUIDE

205

Image 224

SonicWALL 3 manual 205

Contents

SonicOS Standard Administrators Guide Table of Contents Part 2 System Part 3 Network Part 4 Modem Part 5 Wireless Part 8 VPN Configuring Site to Site VPN Policies Using Vii Part 9 Users Viii Part 11 Log Index Trademarks PrefaceCopyright Notice Limited Warranty XiiPage Organization of this Guide Part 10 Security Services Part 9 UsersPart 11 Log About this Guide Guide Conventions Icons Used in this Manual More Information on SonicWALL Products and Services SonicWALL Technical SupportNorth America Telephone Support International Telephone Support Current Documentation Xviii Introduction Sonicwall Sonicos Standard 3.0 ADMINISTRATOR’S Guide Introduction What’s New in SonicOS Standard SonicWALL Management Interface Navigating the Management Interface SonicWALL Management Interface Navigating Tables Status BarApplying Changes Logging Out Common Icons in the Management InterfaceGetting Help Introduction Basic SonicWALL Security Appliance Setup SonicWALL Security Appliance Configuration StepsInternet Service Provider ISP Information Collecting Required ISP Information Other Information If You Have DSLIf You Have a Static IP Address SonicWALL Management Interface Using the SonicWALL Setup Wizard SonicWALL TZ 170 SP SonicWALL TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless Configuring a Static IP Address Internet Connection Using the SonicWALL Setup Wizard Configuring a Dhcp Internet Connection Configuring a PPPoE Internet Connection Configuring Pptp Internet Connectivity Sonicwall Sonicos Standard 3.0 ADMINISTRATOR’S Guide Configuring the TZ 170 SP using the Setup Wizard Welcome to the SonicWALL Setup Wizard Changing the PasswordConfiguring the WAN Network Mode Selecting the Deployment Scenario Configuring WAN Settings Configuring LAN SettingsConfiguring LAN Dhcp Settings Configuring Wlan 802.11b/g Settings Configuring Wlan 802.11b Settings Configuring the LAN SettingsConfiguring the LAN Dhcp Settings Configuring the WAN Network Mode Configuring the TZ 170 Wireless as a Secure Wireless Bridge Configuring Wlan Network Setting Configuring Secure Wireless Bridge Settings Registering Your SonicWALL Security Appliance Before You Register Registering Your SonicWALL Security Appliance Registering Your SonicWALL Security Appliance Sonicwall Sonicos Standard 3.0 ADMINISTRATOR’S Guide System Sonicwall Sonicos Standard 3.0 ADMINISTRATOR’S Guide System Status Viewing System Status InformationSystem Status System Information WizardsSystem Messages Security Services Latest Alerts SonicWALL TZ 50 Wireless SonicWALL TZ 150 WirelessNetwork Interfaces SonicWALL Security Appliance Model Interfaces SonicWALL TZ System Licenses System LicensesSystem Licenses Node License Exclusion List Node License StatusCurrently Licensed Nodes Security Services Summary Manage Security Services Online Manual Upgrade Manual Upgrade for Closed Environments From a Computer Connected to the Internet System Licenses System Administration Using System AdministrationSystem Administration Firewall Name Name/PasswordLogin Security Web Management Settings Enable Snmp Advanced ManagementFour addresses or host names can be used Click OK Enable Management Using SonicWALL GMS Using System Administration Setting System Time System TimeSet Time System Time NTP Settings Setting the SonicWALL Security Appliance Time Configuring System Settings System SettingsSettings Import Settings Export Settings Click Export SettingsFirmware Management New Firmware System Information SafeMode Rebooting the SonicWALL Security ApplianceFirmware Management Settings Firmware Management System Diagnostics System Diagnostics Tech Support Report Generating a Tech Support Report Active Connections Monitor Diagnostic ToolsActive Connections Monitor Settings CPU Monitor DNS Name Lookup Find Network Path Packet Trace Select Packet Trace from the Diagnostic tool menu Process Monitor Reverse Name ResolutionPing System Restart Network Sonicwall Sonicos Standard 3.0 ADMINISTRATOR’S Guide Network Settings Configuring Network SettingsNetwork Settings Setup Wizard Interfaces DNS Settings Interface Options by SonicWALL Security Appliance Configuring the WAN Interface Configuring Transparent Mode Configuration Example Configuring the WAN Interface Configuring NAT Enabled Configuring NAT with Dhcp Client Configuring NAT with PPPoE Client Configuring NAT with L2TP Client Configuring NAT with Pptp Client Configuring Ethernet Settings in WAN Properties Configuring the WAN Interface Configuring Multiple LAN Subnets Configuring the LAN InterfaceBasic LAN Configuration Configuring the OPT Interface Configuring the OPT InterfaceConfiguring Ethernet Settings Configuring Transparent Mode Configuring the DMZ Interface Configuring NAT ModeConfiguring the DMZ Interface Select OPT in NAT Mode Configuring Transparent Mode Select DMZ in NAT Mode Configuring the Modem Interface TZ 170 SPConfiguring the Modem Interface TZ 170 SP Modem Settings Profiles Select Enable WAN Failover Failover Advanced Activating the Modem Sonicwall Sonicos Standard 3.0 ADMINISTRATOR’S Guide Sonicwall Sonicos Standard 3.0 ADMINISTRATOR’S Guide Configuring One-to-One NAT Select the Enable One-to-One NAT check boxNetwork One-to-One NAT Network One-to-One NAT Click Firewall, then Access Rules One-to-One NAT Configuration ExampleSelect Enable One-to-One NAT Allow Service Http Source WAN Configuring One-to-One NAT Network Web Proxy Configuring Web Proxy SettingsNetwork Web Proxy Forward OPT/DMZ/WLAN Client Requests to Proxy Server Configuring Automatic Web Proxy ForwardingBypass Proxy Servers Upon Proxy Failure Network Intranet Configuring Intranet SettingsNetwork Intranet Installation Intranet SettingsSpecified address ranges are attached to the LAN link Specified address ranges are attached to the WAN link Network Routing Configuring Static RoutesNetwork Routing Static Route Configuration Example Static RoutesKey terms SonicWALL LAN IP Address Route Advertisement Configuration Route Advertisement Routing Table Network ARP Configuring Address Resolution Protocol SettingsNetwork ARP Secondary Subnets with Static ARP Adding a Secondary Subnet using the Static ARP MethodStatic ARP Entries Network ARP Prohibit Dynamic ARP Entries Navigating and Sorting the ARP Cache Table Flushing the ARP Cache Configuring Address Resolution Protocol Settings Configuring the Dhcp Server Dhcp Server SettingsNetwork Dhcp Server Network Dhcp Server Configuring Dhcp Server for Dynamic Ranges Dhcp Server Lease Scopes Configuring Static Dhcp Entries 101 Current Dhcp Leases Configuring Dynamic DNS Network Dynamic DNSSupported Ddns Providers Network Dynamic DNS Additional Services offered by Dynamic DNS Providers Configuring Dynamic DNS 105 106 Dynamic DNS Settings Table 107 108 Modem 109 110 Viewing Modem Status Modem StatusModem Status 111 Modem Status Configuring Modem Settings Modem SettingsModem Settings 113 Configuring Profile and Modem Settings Configuring Modem Failover Modem Failover SettingsModem Failover Modem Failover Configuring Modem Failover 117 Modem AdvancedModem Advanced Configuring Advanced Modem Settings Configuring Modem Dialup Properties Modem Dialup ProfilesDial-Up Profiles Modem Dialup Profiles Modem Dialup Profiles Modem Profile Configuration Configuring a Dialup Profile Modem Dialup Profiles Modem Profile Configuration 121 122 Chat Scripts 123 Custom Chat Scripts Wireless 125 126 LAN WAN 127 Considerations for Using Wireless Connections Optimal Wireless Performance Recommendations Wireless Guest Services WGSOptimal Wireless Performance Recommendations 129 MAC Filter List Wireless Node Count EnforcementWiFiSec Enforcement Using the Wireless Wizard Welcome to the SonicWALL Wireless Configuration WizardWlan Network Settings Using the Wireless Wizard Wlan 802.11b Settings Wlan Security Settings 133 WiFiSec VPN Client User AuthenticationWireless Guest Services Wireless Configuration Summary Updating the TZ 50 Wireless/TZ 150 Wireless/TZ 170 Wireless Wireless Status Configuring Additional Wireless FeaturesWireless Status 135 Wlan Settings Access Point Status 137 Wlan StatisticsStation Status 138 Configuring Wireless Settings Wireless SettingsWireless Radio Mode Wireless Settings Wireless Settings Secure Wireless Bridging TZ 170 Only 141 Configuring a Secure Wireless Bridge 143 Network Settings for the Example NetworkWireless Bridging without WiFiSec Advanced Configuration for both VPN Policies Select LAN for VPN Terminated at Wireless Bridge VPN Policy 145 146 Configuring WEP and WPA Encryption Wireless WEP/WPA EncryptionWireless WEP/WPA Encryption 147 WEP Encryption Keys WEP Encryption SettingsWPA Encryption Settings 149 WPA-PSK SettingsWPA-EAP Settings WPA Settings Wireless Advanced Wireless AdvancedBeaconing & Ssid Controls 151 Configurable Antenna Diversity TZ 170 Wireless Wireless Client CommunicationsAdvanced Radio Settings 153 154 Configuring the MAC Filter List Wireless MAC Filter ListWireless MAC Filter List 155 156 Configuring Wireless IDS Wireless IDSWireless Bridge IDS Wireless IDS Access Point IDS Enable Client Null ProbingRogue Access Point Detection Association Flood Detection Authorizing Access Points on Your Network 159 160 Wireless Guest Services 161 162 163 WGS StatusWGS Status Viewing Wireless Guest Services Status Configuring Wireless Guest Services WGS SettingsWGS Settings 165 Bypass Filters for Guest Accounts Bypass Guest AuthenticationEnable Dynamic Address Translation DAT Enable Smtp Redirect Enable URL Allow List for Authenticated UsersEnable IP Address Deny List for Authenticated Users 167 Customize Login Check the Customize Login Page box Custom Post Authentication Redirect Maximum Concurrent GuestsWGS Account Profiles To add a profile Account Lifetime Managing Wireless Guest Accounts WGS AccountsWorking with Guest Accounts WGS Accounts Automatically Generating Guest Accounts Manually Configuring Wireless Guests Account Detail PrintingAccount Profile 173 Flexible Default Route Secure Access Point with Virtual Adapter Support Secure Access Point with Wireless Guest Services 175 176 Firewall 177 178 Configuring Network Access Rules Network Access Rules OverviewNetwork Access Rules Overview 179 Using Bandwidth Management with Access Rules Firewall Access Rules Restoring Default Network Access Rules Adding Rules using the Network Access Rule WizardConfiguring a Public Server Rule Navigating and Sorting the Access Rules Table Entries Configuring a General Network Access Rule 183 Adding Rules Using the Add Rule Window 185 Configuring Network Access Rules Click the Bandwidth tab Blocking LAN Access for Specific Services Rule ExamplesEnabling Ping Select WAN from the Destination Ethernet menu 188 Configuring Advanced Rule Options Access Rules AdvancedWindows Networking NetBIOS Broadcast Pass Through Access Rules Advanced TCP Connection Inactivity Timeout Access Rule Service OptionsDetection Prevention Source Routed Packets Configuring Custom Services Firewall ServicesUser Defined Custom Services Firewall Services Predefined Services Configuring VoIP Firewall VoIPVoIP Protocols Firewall VoIP 323 SIP Configuring the VoIP Settings SIP SettingsSettings 195 196 Monitoring Active Firewall Connections Firewall Connections MonitorFirewall Connections Monitor 197 Setting Filter Logic Using Group FiltersClick Apply Filters Source IP Priority && Category && Source && Destination VPN 199 200 Configuring VPN Settings SonicWALL VPN Options OverviewSonicWALL VPN Options Overview 201 VPN Policies VPN SettingsVPN Global Settings Configuring GroupVPN Policy on the SonicWALL Configuring GroupVPN Policy on the SonicWALLCurrently Active VPN Tunnels Navigating and Sorting the VPN Policies Entries Configuring IKE Preshared Secret 205 206 207 Configuring GroupVPN with IKE 3rd Party Certificates 209 210 211 212 Site to Site VPN Configurations Site to Site VPN ConfigurationsExport a GroupVPN Client Policy Site-to-Site VPN Deployments VPN Planning Sheet for Site-to-Site VPN Policies Site aRouter Additional Information 215 Creating a Typical IKE Preshared Secret VPN Policy Creating a Custom VPN Policy IKE with Preshared Secret 217 Creating a Manual Key VPN Policy with the VPN Policy Wizard 219 220 221 Configuring a VPN Policy IKE with Preshared SecretTip The Shared Secret must be a minimum of four characters 222 223 Configuring a VPN Policy using Manual Key Select Manual Key from the IPSec Keying Mode menu 225 Configuring a VPN Policy with IKE 3rd Party CertificateGeneral tab, select IKE using 3rd Party Certificates 226 227 228 Configuring Advanced VPN Settings Advanced VPN SettingsVPN Advanced VPN Advanced VPN User Authentication Settings 231 Select Enable VPN Bandwidth ManagementVPN Bandwidth Management Configuring Advanced VPN Settings Configuring Dhcp Over VPN Dhcp Relay ModeVPN Dhcp over VPN VPN Dhcp over VPN Configuring the Central Gateway for Dhcp Over VPN Configuring Dhcp over VPN Remote Gateway 235 Current Dhcp over VPN Leases Device ConfigurationClick OK to exit the Dhcp over VPN Configuration window Configuring L2TP Server Settings VPN L2TP ServerVPN L2TP Server 237 Adding L2TP Clients to the SonicWALL L2TP Server SettingsIP Address Settings Currently Active L2TP Sessions 239 Configuring L2TP Server Settings Managing Certificates Digital Certificates OverviewSonicWALL Third-Party Digital Certificate Support Digital Certificates Overview Certificate Details VPN Local CertificatesImporting Certificate with Private Key Generating a Certificate Signing Request Delete This CertificateVPN Local Certificates Select Add New Local Certificate from the Certificates menu Select Add New CA Certificate VPN CA CertificatesImporting CA Certificates into the SonicWALL Automatic CRL Update Certificate Revocation List CRLImporting a CRL List Click Browse for Please select a file to import 246 Users 247 248 User Level Authentication Overview User Level Authentication OverviewUsers Status 249 Active User Sessions Users SettingsAuthentication Method Global User Settings Internet Authentication ExclusionsUsers Settings 251 Acceptable Use Policy 253 Configuring Radius AuthenticationSelect Use Radius for user authentication 254 255 256 Configuring Local Users Users Local UsersUsers Local Users 257 Adding a Local User Security Services 259 260 SonicWALL Security Services SonicWALL Security Services MySonicWALL.com Activating Free Trials Security Services Summary Security Services Summary Manage LicensesSecurity Services Summary 263 If Your SonicWALL Security Appliance is Not Registered Security Services SettingsSecurity Services Information 265 SonicWALL Content Filtering ServiceSonicWALL Content Filtering Service Activating SonicWALL Content Filtering Service Security Services Content FilterContent Filter Status 267 Activating a SonicWALL Content Filtering ServiceSecurity Services Content Filter Content Filter Type Restrict Web Features Configuring SonicWALL Filter Properties Message to Display when BlockingConfiguring SonicWALL Filter Properties Trusted Domains Keyword Blocking Custom ListAllowed/Forbidden Domains Disable all Web traffic except for Allowed Domains 271 Consent Mandatory Filtered IP Addresses Consent Page URL mandatory filteringAdding a New Address 273 274 275 SonicWALL Network Anti-Virus OverviewSonicWALL Network Anti-Virus Overview Security Services Anti-Virus Activating SonicWALL Network Anti-Virus 277 Security Services Anti-VirusActivating a SonicWALL Network Anti-Virus Free Trial Security Services E-Mail Filter Configuring SonicWALL Network Anti-Virus Managing SonicWALL Gateway Anti-Virus Service SonicWALL Gateway Anti-Virus OverviewSonicWALL Gateway Anti-Virus Overview 279 SonicWALL Gateway Anti-Virus/Intrusion Prevention Features Activating SonicWALL Gateway Anti-Virus 281 Activating SonicWALL Gateway Anti-Virus Activating the SonicWALL Gateway Anti-Virus 283 Configuring SonicWALL Gateway Anti-VirusConfiguring SonicWALL Gateway Anti-Virus 284 Managing SonicWALL Intrusion Prevention Service SonicWALL Intrusion Prevention ServiceSonicWALL IPS Features SonicWALL Intrusion Prevention Service SonicWALL Deep Packet Inspection How SonicWALL’s Deep Packet Inspection Architecture Works 287 Security Services Intrusion Prevention Activating SonicWALL IPS 289 Security Services Intrusion PreventionActivating the SonicWALL IPS Free Trial 290 Managing SonicWALL Global Security Client SonicWALL Global Security ClientSonicWALL Global Security Client 291 SonicWALL Global Security Client Activation Global Security Client FeaturesHow SonicWALL Global Security Client Works Activating SonicWALL Global Security Client 293 294 Log 295 296 Viewing Log Events SonicOS Log Event Messages OverviewSonicOS Log Event Messages Overview 297 Log View Navigating and Sorting Log View Table Entries SonicOS Log Entries RefreshClear Log Mail Log 300 Log Categories Specifying Log CategoriesLog Categories Alerts & Snmp Traps Configuring Log Automation Log AutomationLog Automation 303 Mail Syslog Servers 305 306 Configuring Name Resolution Log Name ResolutionLog Name Resolution 307 Specifying the DNS Server Selecting Name Resolution SettingsName Resolution Method list, select Reset Data Generating and Viewing Log ReportsLog Reports Data Collection Bandwidth Usage by Service View DataWeb Site Hits Bandwidth Usage by IP Address Log ViewPoint SonicWALL ViewPointLog ViewPoint 311 Generating and Viewing Log Reports 313 SonicSetupSonicSetup Introduction and Discovery Device Selection 315 DiagnosticsDiagnostics SonicROM Recovery Diagnostic Results 317 SonicOS RecoverySonicOS Recovery Restoring Factory Defaults 319 Address SynchronizationAddress Synchronization 320 321 SonicWALL SafeModeSonicWALL SafeMode 322 323 Upgrading SonicOS FirmwareUpgrading SonicOS Firmware 324 Index Numerics 326 VPN 327 WPA, see WiFiSec Protected Access 232- 000609- 00 Rev E 02/05