Introduction
SonicOS Enhanced 4.0 Administrator Guide
CLI (SSH or serial console). For instance, if a CLI session goes to the config level, it will
ask you if you want to preempt an administrator who is at config level in the GUI or an SSH
session.
Multiple and Read-only Administrator Login - SonicOS Enhanced 4.0 introduces
Multiple Administrator Login, which provides a way for multiple users to be given
administration rights, either full or read-only, for the SonicOS security appliance.
Additionally, SonicOS Enhanced 4.0 allows multiple users to concurrently manage the
appliance, but only one user at a time can be in config mode with the ability to change
configuration settings. This feature applies to both the graphical user interface (GUI) and
the command line interface (CLI).
IP-Based Connection Limit - SonicOS Enhanced 4.0 provides a way to limit the number
of connections on a per-source or per-destination IP address basis. This feature protects
against worms on the LAN side that initiate large numbers of connections in
denial-of-service attacks.
IKEv2 Secondary Gateway Support - SonicOS Enhanced 4.0 introduces IKEv2
Secondary Gateway Support, which provides a way to configure a secondary VPN gateway
to act as an alternative tunnel end-point if the primary gateway becomes unreachable.
While using the secondary gateway, SonicOS can periodically check for availability of the
primary gateway and revert to it, if configured to do so. Configuration for the secondary
VPN gateway is available under VPN > Settings > Add Policy in the management
interface.
IKEv2 Dynamic Client Support - SonicOS Enhanced 4.0 introduces IKEv2 Dynamic Client
Support, which provides a way to configure the Internet Key Exchange (IKE) attributes
rather than using the default settings. Previously, only the default settings were supported:
Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication
method. SonicOS now allows the following IKE Proposal settings:
DH Group: 1, 2, or 5
Encryption: DES, 3DES, AES-128, AES-192, AES-256
Authentication: MD5, SHA1
These settings are available by pressing the Configure button in the VPN > Advanced
screen of the management interface. However, if a VPN Policy with IKEv2 exchange mode
and a 0.0.0.0 IPsec gateway is defined, you cannot configure these IKE Proposal settings
on an individual policy basis.
Note: The VPN policy on the remote gateway must also be configured with the same
settings.
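An added example, not part of the SonicOS guide: a Python check that validates a pair of IKE Proposal settings against the options listed above, reports any mismatch between the local and remote policy as the note requires, and flags DES, MD5 and DH Group 1. The `IkeProposal` class, the `audit` function and the choice of which options count as weak are assumptions of this example.

```python
from dataclasses import dataclass

# Options the guide lists for IKE Proposal settings.
ALLOWED = {
    "dh_group": {1, 2, 5},
    "encryption": {"DES", "3DES", "AES-128", "AES-192", "AES-256"},
    "authentication": {"MD5", "SHA1"},
}
# Assumption of this example, not taken from the guide: options treated as weak.
WEAK = {"dh_group": {1}, "encryption": {"DES"}, "authentication": {"MD5"}}


@dataclass(frozen=True)
class IkeProposal:  # hypothetical container for one gateway's settings
    dh_group: int
    encryption: str
    authentication: str


def audit(local: IkeProposal, remote: IkeProposal) -> list[str]:
    """Return findings for one VPN policy pair; an empty list means no findings."""
    findings = []
    for side, proposal in (("local", local), ("remote", remote)):
        for field, allowed in ALLOWED.items():
            value = getattr(proposal, field)
            if value not in allowed:
                findings.append(f"{side}: {field}={value} is not a listed option")
            elif value in WEAK[field]:
                findings.append(f"{side}: {field}={value} is weak")
    # The guide's note: the remote gateway must use the same settings.
    for field in ALLOWED:
        mine, theirs = getattr(local, field), getattr(remote, field)
        if mine != theirs:
            findings.append(f"mismatch: {field} local={mine} remote={theirs}")
    return findings


if __name__ == "__main__":
    # Constructed sample policies; the first is the former default from the guide.
    former_default = IkeProposal(2, "3DES", "SHA1")
    weak_remote = IkeProposal(1, "DES", "MD5")
    for line in audit(former_default, weak_remote):
        print(line)
```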
Wireless IDS Rogue Detection - SonicOS Enhanced 4.0 supports wireless intrusion
detection on SonicPoint devices. Wireless IDS Rogue Detection allows you to configure a
set of authorized access points, defined by address object groups. If contact is attempted
from an unauthorized access point, SonicOS generates an alert.
RF Management - SonicOS Enhanced 4.0 introduces Radio Frequency Management on
SonicPoint devices. RF Management provides detection of eleven types of wireless threats:
Long duration attack
Management frame flood
Null probe request
Broadcasting de-authentication
Valid station with invalid SSID