There is a slight decrease in overall security as a result of the increased predictability of the traffic that results
from the consistent port remapping of Consistent NAT. The potential for exploitation is minimal; nonetheless, unless
Consistent NAT is strictly required to support a certain application, it is recommended that it be left at its default
setting of "disabled."
What is FIPS Mode?
FIPS, which is short for Federal Information Processing Standards, is a new feature found in SonicOS 2.5
Enhanced and newer. Enabling the FIPS Mode checkbox on the ‘System > Settings’ page automatically sets all
necessary internal settings for a TZ 170 SP running SonicOS 2.6 Enhanced to be FIPS 140-2 compliant. Enabling
FIPS mode will not change any functionality of the device, nor will it change the way the management GUI
operates. Please note that since FIPS mode forces the device to use a stronger PRNG algorithm for key
generation, VPN performance may be marginally affected. FIPS Mode is not supported in SonicOS Standard or any
earlier version of SonicWALL firmware.
Is the TZ 170 SP ICSA-Certified?
SonicWALL has submitted the TZ 170 SP for ICSA 1.1 IPSec and ICSA 4.0 Firewall certification and is currently
awaiting approval (ETA Fall 2004).
Does the TZ 170 SP support protocols other than IP?
No. The TZ 170 can only process IP traffic and cannot process IPX/SPX, NetBEUI, AppleTalk, DECNet, LAT, or
SNA traffic natively. SonicOS 2.5 Enhanced and newer support GRE and Multicast. If the TZ 170 is running an
earlier version of SonicOS Enhanced, or is running SonicOS Standard, in order for the TZ 170 to process such
traffic it must first be encapsulated into IP packets by another device before it reaches the TZ 170’s interfaces.
PPTP is supported as a pass-through protocol if a specific rule is written for it.
Which routing protocols does the TZ 170 SP support?
Support for routing protocols is limited in SonicOS 2.6. At present, for security reasons, the device is only capable of
using RIPv1 and RIPv2 to advertise networks. RIP advertisements may be enabled and configured on any interface
(previously they could only be enabled on the LAN and DMZ). Support for default route advertisement has been added.
For each interface, the user may configure RIP to:
- always advertise the default route;
- never advertise the default route;
- conditionally advertise the default route depending on the viability of the WAN connection (non-WAN
  interfaces only). This taps into the WAN failover logic to determine the viability of the WAN connection(s).
The user now has the choice of enabling or disabling advertisement of remote VPN networks that are accessible
via the interface for which RIP is being configured. Remote VPN networks will only be advertised when the remote
address object is of the type "Network"; "Range" and "Host" address objects cannot be advertised. When advertisement
of static routes is enabled, RIP will advertise all accessible routes, regardless of the route's egress interface.
Previously, only routes that egressed out of the WAN interface were advertised. Intra-zone route advertisement (for
devices running SonicOS Enhanced) will be consistent with the configuration of intra-zone communication on the
‘Network > Zones’ page. Dynamic routing support will be expanded in future releases of firmware.
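The advertisement rules above, modelled as an added example (not SonicWALL code; the class and function names, interface names and address values are constructed for illustration):

```python
from dataclasses import dataclass
from typing import List

# Hypothetical data model for the RIP advertisement rules described above.

@dataclass
class AddressObject:
    name: str
    kind: str          # "Network", "Range" or "Host"

@dataclass
class StaticRoute:
    dest: str
    egress: str        # egress interface name; no longer affects advertisement

@dataclass
class RipInterface:
    name: str
    is_wan: bool
    default_route_mode: str   # "always", "never" or "conditional"
    advertise_vpn: bool
    advertise_static: bool

def rip_advertisements(iface: RipInterface, vpn_objects: List[AddressObject],
                       static_routes: List[StaticRoute], wan_up: bool) -> List[str]:
    """Return the destinations RIP would advertise on this interface."""
    adv: List[str] = []
    mode = iface.default_route_mode
    if mode == "always":
        adv.append("0.0.0.0/0")
    elif mode == "conditional":
        # Conditional mode is only available on non-WAN interfaces and defers to
        # the WAN failover logic: the default route is advertised while a WAN link is viable.
        if iface.is_wan:
            raise ValueError("conditional default-route advertisement is non-WAN only")
        if wan_up:
            adv.append("0.0.0.0/0")
    elif mode != "never":
        raise ValueError(f"unknown default-route mode: {mode}")
    if iface.advertise_vpn:
        # Only remote address objects of type "Network" are advertised; Range and Host are skipped.
        adv.extend(o.name for o in vpn_objects if o.kind == "Network")
    if iface.advertise_static:
        # All accessible static routes are advertised regardless of egress interface.
        adv.extend(r.dest for r in static_routes)
    return adv
```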
Does the TZ 170 SP have a console port?
Yes, it has a single RJ-45 console port. The TZ 170 SP Unrestricted-Node model ships with an RJ-45 to DB-9 serial
cable to allow you to attach a workstation to the console port. In addition, the SonicOS Enhanced upgrade for TZ
170 SP includes an RJ-45 to DB-9 serial cable. The settings for the console port are 9600 bits per second, 8 data
bits, no parity, 1 stop bit, and no flow control. These settings cannot be modified at present. With SonicOS 2.6
Enhanced, the CLI attached to the console port is much more functional than in previous versions of firmware. The
CLI’s capability will be greatly expanded over the next six months.