Manuals / Brands / Computer Equipment / Network Router / SonicWALL / Computer Equipment / Network Router

SonicWALL Internet Security Appliances Understanding the Access Rule Hierarchy

1 293

Download 293 pages, 5.43 Mb

Page 138 SonicWALL Internet Security Appliance Administrator’s Guide

Understanding the Access Rule Hierarchy

The rule hierarchy has two basic concepts:

1. Specific rules override general rul es:

An individual service is more specific than the Default service.

A single Etherne t link, such as LAN or W AN, is more specific tha n * (all).

A single IP addre ss is more specific tha n an IP address range.

2. Equally specific Deny rules overr ide Allow rules.

Rules are disp layed in the Current Network Access Rules list from the mo st specific to th e least

specific, and rules at the top override rules listed below. For example, consider the section of the

Rules window shown below.

The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN to the WAN.

However, Rule #1 blocks IRC (Chat) traffic from a computer on the LAN to a server on the WAN.

The Default Deny Rule (#6) blocks all traffic from the WAN to the LAN, however, Rule #2 overrides

this rule by allowing Web traffic from the WAN to the LAN.

Contents

Main Contents Page Page Page Page Page Page Page Copyright Notice LIMITED WARRANTY About this Guide Organization of this Guide SonicWALL Technical Support Firmware Version Icons Used in this Manual 1 Introduction Your SonicWALL Internet Sec urity Appliance SonicWALL Internet Security Appliance Functional Diagram SonicWALL Internet Security Appliance Features Internet Security Content Filtering Logging and Reporting Dynamic Host Configuration Protocol (DHCP) Easy Installation and Configuration IPSec VPN 2 Configuring the Network Mode on the SonicWALL Standard Mode Network Address Tra nslation (NAT) Enabled NAT with PP PoE Client NAT with DHCP Client Configuring the SonicWALL in Standard Mode Configuring the SonicWALL in NAT Enabled Mode Accessing the Wizard Page Page Page Page Page Restarting Configuring NAT with PPPoE Client Page Page Page Page Page Configuring NAT with DHCP Client Accessing the Installation Wizard Setting the Passwo rd Page Page Configuring LAN Network Settings Configuring the SonicWALL DHCP Server Page Restarting Configuring NAT with L2TP Client Configuring NAT with PPTP Client Setting the Password Page Page Page Page Page Logging into the SonicWALL Management Interface Page 3 Registering at mySonicWALL.com Creating a New User Account Account Information Personal Information Page Page Problems Creating a MysonicWALL.com User Account? User Name and Password Functions Registering Your SonicWALL Internet Security Applia nce Click Here Registration Quick Registration Status and Options Page Transferring a SonicWALL Product Page Page Activating Services Using mySonicWALL.com Page 4 Configuring the TELE3 SP Modem Connection Configuring the TELE3 SP WAN Failover Feature Page ISP Settings Location Settings Page TELE3 SP Modem Configuration Modem Settings Primary Interface Failover Settings Probing on the TELE3 SP Configuring a Modem Profile for Manual Dial-Up ISP Settings Location Settings Configure Modem Settings Configuring Your TELE3 SP in Modem Only Mode Configuring the Network Settings Configuring the Modem Settings Tested Internet Service Providers Status Modem Status Chat Scripts Custom Chat Scripts 5 Managing Your SonicWALL Internet Security Appliance HTTPS Management Status Page CLI Support and Remote Management 6 General and Network Settings Network Settings Network Addressing Mode LAN Settings Multiple LAN Subnet Mask Support WAN Settings DNS Settings Standard Configuration NAT Enabled Configuration Page NAT with DHCP Client Configuration NAT with PPPoE Configuration Page NAT with L2TP Client Configuration Page NAT with PPTP Client Configuration Page Setting the Time and Date NTP Settings Configuring the Admini strator Settings Administrator Name Change the Administrator Password Setting the Administrator Inactivity Timeout Login Failure Handling 7 Logging and Alerts View Log SonicWALL Log Messages Log Settings Configure the following settings: Page Log Categories Alerts/SNMP Traps Reports Web Site Hits Bandwidth Usage by IP Address Bandwidth Usage by Service SonicWALL ViewPoint 8 Content Filtering and Blocking Configuring SonicWALL Content Filtering URL List List Status List Updates Download Automatically every Settings Select Categories to Block Customizing the Content Filtering List Custom Filter Time of Day Filter Block Action Consent Mandatory Filtered IP Addresses Configuring N2H2 Internet Filtering Page Page Configuring the Websense Enterprise Content Fil t er Page Configuring the Websense Content Filter List Websense Server Status Settings Server Host Name or IP Address Server Port URL Cache Model Cache Size 9 Web Management Tools Page Page Updating Firmware Updating Firmware Manually Upgrade Features Page Find Network Path Ping Packet Trace Tech Support Report Page Trace Route 10 Network Access Rules Viewing Network Access Rules Services LAN Out DMZ In (Optional) LAN In Page Add Service Add a Known Service Add a Custom Service Enable Logging Delete a Service Rules Maximum Number of Rules by Product Network Access Rule Logic Li st Bandwidth Management Add A New Rule Page Add New Rule Examples Blocking LAN Access for Specific Services Enabling Ping Current Network Access Rules Table Edit a Rule Delete a Rule Enable/Disable a Rule Restore the Default Network Access Rules Understanding the Access Rule Hierarchy Users Global User Settings Users Adding and Removing a User Page User Login RADIUS RADIUS Servers RADIUS Users RADIUS Client Test Management SonicWALL SNMP Support Configuration of the Log/Log Settings for SNMP Configuration of the Service and Rules Pages SonicWALL Management Protocol Additional Management Page 11 Advanced Features Proxy Relay Web Proxy Forwarding Configuring Web Proxy Relay Bypass Proxy Servers Upon Proxy Failure Intranet Installation Intranet Configuration Intranet Settings VPN Single-Armed Mode (stand-alone VPN gateway) Configuring a SonicWALL for VPN Single Armed Mode Routes LAN Route Advertisement RIPv2 Authentication DMZ Route Advertisement DMZ Addresses DMZ in Standard Mode DMZ in NAT Mode Delete a DMZ Addres s R an g e HomePort Configuration HomePort in Standard Mode HomePort in NAT Mo de Delete a HomePort Address Range One-to-One NAT One-to-One NAT Configuration Example Ethernet WAN Link Settings Enable Bandwidth Management DMZ/WorkPort Link Se tti n g s LAN/HomePort Link Se tt in g s Proxy Management workstation ethernet address on WAN MTU Settings SonicWALL Bandwidth Management How SonicWALL Bandwidth Management Works Page 12 DHCP Server Setup Allow DHCP Pass Through in Standard Mode Configuring the SonicWALL DHCP Server Deleting Dynamic Ranges and Static Entries DHCP over VPN DHCP Relay Mode Configuring the Central Gateway for VPN over DHCP Configuring the Remote Gate wa y for VP N over DHCP LAN IP Addresses LAN Device Configuration DHCP Status Page Configuring the SonicWALL DHCP Server Deleting Dynamic Ranges and Static Entries DHCP Status 13 SonicWALL VPN VPN Management Interface Summary Tab Global VPN Settin gs Page SonicWALL NAT Traversal Support AES (Advanced Encryption Standard) Support Configure Tab Add/Modify IPSec Security Associations Disabling Security Associations Security Policy Settings Security Policy Settings for Group VPN Security Policy Settings for IKE using Pre-shared Secret Page Security Policy Settings using Manual Key Destination Networks Adding Destination Networks Modifying and Deleting Existing Security Associations Accessing Remote Resources across a Virtual Private Network Advanced Settings Enable Keep Alive Try to bring up all possible SAs Require authentication of local users Require authentication of remote users Enable Windows Networking (NetBIOS) broadcast Apply NAT and firewall rules Forward Packets to Remote VPNs Route all internet traffic through this SA Enable Perfect Forward Secrecy Phase 2 DH Group Default LAN Gateway Page Advanced Settings for VPN Configurations Configuring SonicWALL VPN Group VPN Configuration for the SonicWALL and VPN Client Configuring Group VPN on the SonicWALL Page Group VPN Client Setup Installing the VPN Client Software Group VPN Client Configuration Page Page Page Manual Key Configuration for the SonicWALL and VPN Client Configuring the SonicWALL Configuring the VPN Client Installing the VPN Client Software Launching the SonicWALL VPN Client Configuring VPN Security and Remote Identity Page Configuring VPN Client Key Exchange Proposal Page Page IKE and Manual Key Configuration for Two SonicWALLs Manual Key for Two SonicWALLs Page Configuring the Second SonicWALL Appliance Example of Manual Key Configuration for Two SonicWALLs To configure the main office PRO 300, use the following steps: Configuring the Remote SonicWALL Page IKE Configuration for Two SonicWALLs Page Example of IKE Configuration for Two SonicWALLs Configuring a SonicWALL PRO 200 in Chicago Configuring a SonicWALL TELE3 in San Francisco Page SonicWALL Third Party Digital Certificate Support Overview of Third Party Digital Certificate Support X.509 Version 3 Certificate Standard Importing CA Certificates into the SonicWALL Certificate Details Importing Certificate with private key Certificate Details Certificate Revocation List (CRL ) Creating a Certificate Signing Request Importing a Signed Local Certificate Configuring a VPN Security Association using IKE and a Third Party Certificate SonicWALL Enhanced VPN Logging Testing a VPN Tunnel Connection Us ing PING Configuring Windows Networking Page Page 14 High Availability Before Configuring High Availability Network Configuration for High Availability Pair Configuring High Availability on the Primary SonicWALL Synchronize Now Page Configuration Changes Page High Availability Status Window E-mail Alerts Indicating Status Change View Log Forcing Transitions Configuration Notes 15 SonicWALL Options and Upgrades SonicWALL VPN Client SonicWALL Network Anti-Virus Content Filter List Subscription Vulnerability Scanning Service SonicWALL Authentication Service SonicWALL ViewPoint Reporting SonicWALL Global Management System Contact Your Reseller or SonicWALL 16 Hardware Descriptions SonicWALL PRO 230 and PRO 330 Front Panel SonicWALL PRO 230 and PRO 330 Front Panel Description SonicWALL PRO 230 and PRO 330 Rear Panel Description SonicWALL PRO 200 and PRO 300 Front Panel SonicWALL PRO 200 and PRO 300 Front Panel Description SonicWALL PRO 200 and PRO 300 Back Panel SonicWALL PRO 200 and PRO 300 Back Panel Description SonicWALL PRO 100 Front Panel SonicWALL PRO 100 Front Panel Description SonicWALL PRO 100 Back Panel SonicWALL PRO 100 Back Panel Description SonicWALL TELE3 SP Front Panel SonicWALL TELE3 SP Front Panel Description SonicWALL TELE3 SP Back Panel The SonicWALL TELE3 SP Back Panel Description SonicWALL TELE3 TZ Front Panel SonicWALL TELE3 TZ Front Panel Description SonicWALL TELE3 TZ Back Panel SonicWALL TELE3 TZ Back Panel Description SonicWALL TELE3 TZX Front Panel SonicWALL TELE3 TZX Front Panel Description SonicWALL TELE3 TZX Back Panel l SonicWALL TELE3 TZX Back Panel Description SonicWALL SOHO3 and TELE3 Front Panel SonicWALL SOHO3 and TELE3 Front Panel Description SonicWALL SOHO3 and TELE3 Back Panel SonicWALL SOHO3 and TELE3 Back Panel Description SonicWALL GX 250 and GX 650 Front Panel SonicWALL GX250 and GX 650 Front Panel Description SonicWALL GX250 Front Panel SonicWALL GX 650 Front Panel SonicWALL GX 250 and GX 650 Back Panel Description 17 Troubleshooting Guide The Link LED is off A computer on the LAN cannot access the Internet The SonicWALL does not establish authenticated sessions The SonicWALL does not save changes that you have made Duplicate IP address errors Machines on the WAN are not reachable VPN tunnel problems Page 256 SonicWALL Internet Security Appliance Administrators Guide 18 Appendices Appendix A - Technical Specifications SonicWALL Hardware and Performance TELE3 SOHO3 PRO 100 PRO 200 PRO 230 PRO 300 PRO 330 TELE3 SP TELE3 TZ TELE3 TZX GX250 GX650 Page SonicWALL Support 24X7 SonicWALL Support Services Features and Benefits Warranty Support - North America Warranty Support - International SonicWALL Support 24X7 SonicWALL Support 8X5 Appendix C - Introduction to Networking Network Hardware Components Network Types Firewalls Gateways Network Protocols IP Addressing IP Address Subnet Mask Default Gateway Network Address Translation (NAT) Nodes Page Appendix D - IP Port Numbers Well Known Port Numbers Registered Port N u mb e rs Appendix E - Configuring TCP/IP Settings Windows 98 Windows NT Windows 2000 Windows XP Macintosh OS 10 Appendix F - Basic VPN Terms and Concepts Page Page Page Appendix G- Erasing the Firmware Locating the Reset button on your SonicWALL Erasing the Firmware for all Models Appendix H- Mounting the SonicWALL PRO 200 and PRO 300 Appendix I - Configuring RADIUS and ACE Servers Steel Belted RADIUS (Funk Software) Tab le 1: Configuring User Privileges ACE Serve r (RSA) ACS Server (Cisco) Internet Authentication Service (Windows NT/2000 Server) Page Page Page Page Page Page Page Index A B C D E F G H I M N O P R T U V W X