SonicWALL TZ170SP manual What is Fips Mode?, Is the TZ 170 SP ICSA-Certified?

There is a slight decrease to overall security as a result of the increased predictability of the traffic resulting from the consistent port remapping of Consistent NAT. The potential for exploitation is minimal; nonetheless, unless Consistent NAT is strictly required to support a certain application, it is recommended that it be left at its default setting of "disabled."

What is FIPS Mode?

FIPS, which is short for Federal Information Processing Standards, is a new feature found in SonicOS 2.5 Enhanced and newer. Enabling the FIPS Mode checkbox on the ‘System > Settings’ page automatically sets all necessary internal settings for a TZ 170 SP running SonicOS 2.6 Enhanced to be FIPS 140-2 compliant. Enabling FIPS mode will not change any functionality of the device, nor will it change the way the management GUI operates. Please note that since FIPS mode forces the device to use a stronger PRNG algorithm for key generation, VPN performance may be marginally affected. FIPS Mode is not supported in SonicOS Standard or any earlier version of SonicWALL firmware.

Is the TZ 170 SP ICSA-Certified?

SonicWALL has submitted the TZ 170 SP for ICSA 1.1 IPSec and ICSA 4.0 Firewall certification and is currently awaiting approval (ETA Fall 2004).

Does the TZ 170 SP support protocols other than IP?

No. The TZ 170 can only process IP traffic and cannot process IPX/SPX, NetBEUI, AppleTalk, DECNet, LAT, or SNA traffic natively. SonicOS 2.5 Enhanced and newer support GRE and Multicast. If the TZ 170 is running an earlier version of SonicOS Enhanced, or is running SonicOS Standard, in order for the TZ 170 to process such traffic it must first be encapsulated into IP packets by another device before it reaches the TZ 170’s interfaces. PPTP is supported as a pass-through protocol if a specific rule is written for it.

Which routing protocols does the TZ 170 SP support?

Support for routing protocols is limited in SonicOS 2.6 – at present, the device is only capable of using RIPv1 and RIPv2 to advertise networks, for security reasons. RIP advertisements may be enabled and configured on any interface (previously it could only be enabled on the LAN and DMZ). Support for default route advertisement has been added. For each interface, the user may configure RIP to:

•always advertise the default route.

•never advertise the default route.

•conditionally advertise the default route depending on the viability of the WAN connection (non-WAN interfaces only). This taps into the wan-failover logic to determine the viability of our WAN connection(s).

The user now has the choice of enabling or disabling advertisement of remote VPN networks that are accessible via the interface for which RIP is being configured. Remote VPN networks will only be advertised when the remote address object is of the type "Network". "Range" and "Host" networks cannot be advertised. When advertisement of static routes is enabled, RIP will advertise all accessible routes, regardless of the route's egress interface. Previously, only routes that egressed out of the WAN interface were advertised. Intra-zone route advertisement (for devices running SonicOS Enhanced) will be consistent with the configuration of intra-zone communication on the ‘Network >Zones’ page. Dynamic routing support will be expanded in future releases of firmware.

Does the TZ 170 SP have a console-port?

Yes, it has a single RJ-45 console port. The TZ 170 SP Unrestricted-Node model ships with a RJ-45 to DB-9 serial cable to allow you to attach a workstation to the console port. In addition, the SonicOS Enhanced upgrade for TZ 170 SP includes a RJ-45 to DB-9 serial cable. The settings for the console port are 9600 bits per second, 8 data bits, No parity, 1stop bit, and no flow control. These settings cannot be modified at present. With SonicOS 2.6 Enhanced, the CLI attached to the console port is much more functional than in previous versions of firmware. The CLI’s capability will be greatly expanded over the next six months.

4