About this Guide
SonicWALL Technical Support
1 Introduction
Your SonicWALL TELE3 SP (Smart Path) Internet Security Appliance
SonicWALL TELE3 SP Internet Security Appliance Features
2 General and Network Settings
Network
Network Settings...
Advanced Settings for VPN Configurations
Enabling Group VPN on the SonicWALL
Group VPN Client Configuration
Manual Key Configuration for a SonicWALL and VPN Client
Installing the VPN Client Software
VPN for Two SonicWALLs
Manual Key for Two SonicWALLs...
A computer on the LAN cannot access the Internet
The SonicWALL does not establish authenticated sessions
The SonicWALL does not save changes that you have made
Duplicate IP address errors
Machines on the WAN are not reachable
15 Appendices...
If there is a defect in the hardware, SonicWALL will replace the product at no charge, provided that it is returned to SonicWALL with transportation charges prepaid. A Return Materials Authorization (RMA) number must be displayed on the outside of the package for the product being returned for replacement or the product will be refused.
THIS WARRANTY AND THE REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, ORAL OR WRITTEN, EXPRESS OR IMPLIED. No dealer, agent, or employee of SonicWALL is authorized to make any extension or addition to this warranty.
Chapter 12, SonicWALL Options and Upgrades, presents a brief summary of the SonicWALL's subscription services, firmware upgrades and other options. Chapter 13, Hardware, provides a description of the front and back of the TELE3 SP, including LED lights and ports.
Your SonicWALL TELE3 SP (Smart Path) Internet Security Appliance
The SonicWALL TELE3 SP (Smart Path) provides a complete security solution that protects your network from attacks, intrusions, and malicious tampering. In addition, the SonicWALL filters objectionable Web content and logs security threats. SonicWALL VPN provides secure, encrypted communications to business partners and branch offices.
By default, the SonicWALL TELE3 SP allows outbound access from the LAN to the Internet and blocks inbound access from the Internet to the LAN. Users on the Internet are restricted from accessing resources on the LAN unless they are authorized remote users or Network Access Rules were created to allow inbound access.
Websites and newsgroups are properly enforced.
• Log and Block or Log Only - You can configure the SonicWALL to log and block access to objectionable Web sites, or to log inappropriate usage without blocking Web access.
• Filter Protocols - In addition to filtering access to Web sites, the SonicWALL can also block Newsgroups, ActiveX, Java, Cookies, and Web Proxies.
IP address.
• DHCP over VPN - DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks residing in one IP subnet address space.
2 General and Network Settings
This chapter describes the tabs in the General section and the configuration of the SonicWALL TELE3 SP Network Settings. The Network Settings include the SonicWALL IP settings, the administrator password, and the time and date. There are three tabs other than Status in the General section: •...
Note: This feature does not replace or substitute configuring routes with the Routes tab in the Advanced section of the SonicWALL. If you have to define a subnet on the other side of a router, you must define a static route using the Routes tab in the Advanced section.
Note: The SonicWALL cannot be managed from any of the additional Network Gateway addresses. You must use the IP address set as the LAN IP address of the SonicWALL. Also, you cannot mix Standard and NAT subnets behind the SonicWALL.
IP addresses to all computers and network devices on your LAN. 2. Enter a unique, valid IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL.
Cable or DSL, your WAN router is probably located at your ISP. 5. Enter a valid IP address assigned by your ISP in the SonicWALL WAN IP (NAT Public) Address field. Because NAT is enabled, all network activity appears to originate from this address.
7. Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses these DNS servers for diagnostic tests and for upgrade and registration functionality. 8. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
NAT with DHCP Client Configuration
The SonicWALL can receive an IP address from a DHCP server on the Internet. If your ISP did not provide you with a valid IP address, and instructed you to set your network settings to obtain an IP address automatically, enable NAT with DHCP Client.
WAN/LAN Subnet Mask, and DNS Servers are obtained from a DHCP server on the Internet. Note: The SonicWALL does not relay DNS settings to the LAN; you must enable and configure the SonicWALL DHCP server or manually configure DNS settings on your computers to obtain DNS name resolution.
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.
Select Use NTP to set time automatically if you want to use your local server to set the SonicWALL clock. You can also set the Update Interval for the NTP server to synchronize the time in the SonicWALL.
If you mistype the password, you are not locked out of the SonicWALL. Warning: The password cannot be recovered if it is lost or forgotten. If the password is lost, you must reset the SonicWALL to its factory default state. Go to Appendix F for instructions.
Setting the Administrator Inactivity Timeout...
“password”. The User Name is not configurable. If you cannot log into the SonicWALL, a cached copy of the page is displayed instead of the correct page. Click Reload or Refresh on the Web browser and try again. Also, be sure to wait until the Java applet has finished loading before attempting to log in.
HTTPS Management allows secure access to the SonicWALL without a VPN client. It is a simple and secure way to manage your SonicWALL from both the LAN and the WAN. The first time you access the SonicWALL Management interface using HTTPS, you may see the following information message: Click Yes to continue the login process.
Status
To view the Status tab, log into your SonicWALL using your Web browser. Click General and then click the Status tab. Note: The SonicWALL Status window is displayed above. Each SonicWALL Internet Security appliance displays unique characteristics, such as the presence of VPN acceleration hardware or a different amount of memory.
Authentication window. If Logout is clicked, you must log in again to manage the SonicWALL. Online help is also available. Click Help at the top of any browser window to view the help files stored in the SonicWALL.
LAN IP address, and the subnet mask.
• Status - displays the information typically seen on the Web management interface tab labeled General.
• TSR - retrieves a copy of the tech support report using Z-modem file transfer protocol.
The log is displayed in a table and is sortable by column. The SonicWALL can alert you of important events, such as an attack on the SonicWALL. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
• TCP, UDP, or ICMP packets dropped - When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log messages usually include the name of the service in quotation marks.
PPP Dial-Up: PPP Link down - no network connectivity over the modem connection.
• PPP Dial-Up: Connect request canceled - modem disconnected from remote dial-up access.
Log Settings
Click Log on the left side of the browser window, and then click the Log Settings tab.
2. Send Log To - Enter your full e-mail address (username@mydomain.com) in the Send log to field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
If you select WebTrends, however, you must have WebTrends software installed on your system.
Log Categories
You can define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug.
• System Maintenance - Logs general system activity, such as administrator log ins, automatic downloads of the Content Filter Lists, and system activations.
Reports
The SonicWALL is able to perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. Click Log on the left side of the browser window, and...
Stop Data Collection.
• Reset Data - Click Reset to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL is restarted.
• View Data - Select the desired report from the Report to view menu.
URL list and completely customize your Content Filter feature including allowed and forbidden domains as well as content filtering using keywords. • N2H2 - N2H2 is a third party content filter software package supported by SonicWALL. You can obtain more information on N2H2 at <http://www.n2h2.com>. If you select N2H2 from the list, an N2H2 tab is available to configure the location of the N2H2 server and other settings.
Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates. Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.
If you trust content on specific domains, you can select Don’t block Java/ActiveX/ Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.
Select Categories to Block
Block all categories
The SonicWALL uses a Content Filter List generated by CyberPatrol to block access to objectionable Web sites. CyberPatrol classifies objectionable Web sites based upon input from a wide range of social, political, and civic organizations. Select the Block all categories check box to block all of these categories.
Questionable/Illegal Gambling Intolerance Alcohol & Tobacco
Visit <http://www.sonicwall.com/Content-Filter/categories.html> for a detailed description of the criteria used to define Content Filter List categories.
Customizing the Content Filtering List
The Customize tab allows you to customize your URL List by manually entering domain names or keywords to be blocked or allowed.
When the Disable Web traffic except for Allowed Domains check box is selected, the SonicWALL only allows Web access to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.
Filter Block Action
• Log Only - If this check box is selected, the SonicWALL logs and then allows access to all sites on the Content Filter, custom, and keyword lists. The Log Only check box allows you to monitor inappropriate usage without restricting access.
This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the SonicWALL that tells the...
Configuring N2H2 Internet Filtering
N2H2 is a third party Internet filtering package that allows you to use Internet filtering through the SonicWALL. When you select N2H2 as your Content Filter List, the N2H2 tab is available.
Enter your customized text to display to the user when access to a blocked site is attempted. The default message is Web Site blocked by SonicWALL Filter. Any message, including embedded HTML, up to 255 characters long, can be entered in this field.
• Allow traffic to all Web sites
URL Cache
Configure the size of the URL Cache in KB. Cache Size Model TELE3 SP
Note: A larger URL Cache size can result in noticeable improvements in Internet browsing response times.
Websense is a third party software package that allows you to use content filtering through the SonicWALL. Select Websense Enterprise from the Content Filter Type menu. Customization of the Content Filter List is not available if you select Websense as your source for content filtering.
To enable reporting of users and groups defined on the Websense Enterprise server, leave this field blank. To enable reporting by a specific user or group behind the SonicWALL, enter the User Name configured on the Websense Enterprise Server for the user or group. If using NT-based directories on the Websense Enterprise Server, the User Name is in this format, for example: NTLM:\\domainname\username.
• Allow traffic to all Web sites
URL Cache
Configure the size of the URL Cache in KB. Cache Size Model TELE3 SP
Note: A larger URL Cache size can result in noticeable improvements in Internet browsing response times.
SonicWALL, and then click Yes to confirm the restart. The SonicWALL takes up to 90 seconds to restart, and the yellow Test LED is lit. During the restart time, Internet access for all users on the LAN is momentarily interrupted.
Click Tools on the left side of the browser window, and then click the Preferences tab. You can save the SonicWALL settings, and then retrieve them later for backup purposes. SonicWALL recommends saving the SonicWALL settings when upgrading the firmware.
Exporting the Settings File
It is possible to save the SonicWALL configuration information as a file on your computer, and retrieve it for later use.
1. Click Export in the Preferences tab.
2. Click Export again to download the settings file. Then choose the location to save the settings file.
Internet Explorer 5.0 and higher as well as Netscape Navigator 4.0 and higher is recommended. Netscape Navigator can be downloaded at <http://www.netscape.com>.
Restoring Factory Default Settings
You can erase the SonicWALL configuration settings and restore the SonicWALL to its factory default state.
1. Click Restore on the Preferences tab to restore factory default settings.
2. Click Yes, and then restart the SonicWALL for the change to take effect.
Note: The SonicWALL LAN IP Address, LAN Subnet Mask, and the Administrator Password are not reset.
Updating Firmware
The SonicWALL has flash memory and can be easily upgraded with new firmware. Current firmware can be downloaded from SonicWALL, Inc.
To be automatically notified when new firmware is available, select the Notify me when new firmware is available check box. Then click Update. If you enable firmware notification, your SonicWALL sends a status message to SonicWALL, Inc. Firmware Server on a daily basis. The status message includes the following information: •...
Internet Explorer 5.0 and higher as well as Netscape Navigator 4.0 and higher is recommended. When firmware is uploaded, the SonicWALL settings can be erased. Before uploading new firmware, export and save the SonicWALL settings so that they can be restored later. Once the settings have been saved, click Yes.
Note: When uploading firmware to the SonicWALL, you must not interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it can corrupt the SonicWALL firmware.
Upgrade Features
The SonicWALL can be upgraded to support new or optional features.
Tools on the left side of the browser window and then click the Diagnostic tab.
DNS Name Lookup
The SonicWALL has a DNS lookup tool that returns the numerical IP address of a domain name or, if you enter an IP address, it returns the domain name.
The Ping test bounces a packet off a machine on the Internet back to the sender. This test shows if the SonicWALL is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server, or another machine at the ISP location.
Once completed, a message showing the results is displayed in the browser window. Note: Ping requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host.
Packet Trace
The Packet Trace tool tracks the status of a communications stream as it moves from source to destination.
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
The SonicWALL forwards the client ACK to the remote host and waits for the data transfer to begin. When using packet traces to isolate network connectivity problems, look for the location where the three-way handshake is breaking down.
1. Select Packet Trace from the Choose a diagnostic tool menu. Note: Packet Trace requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host. 2. Enter the IP address of the remote host in the Trace on IP address field, and click Start.
Tech Support Report
The Tech Support Report generates a detailed report of the SonicWALL configuration and status, and saves it to the local hard disk. This file can then be e-mailed to SonicWALL Technical Support to help assist with a problem.
3. Click Save Report to save the file to your system. When you click Save Report, a warning message is displayed.
4. Click OK to save the file. Attach the report to your Tech Support Request e-mail.
Trace Route
Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on the Internet.
A second window is displayed with each hop to the destination host. By following the route, you can diagnose where the connection fails between the SonicWALL and the destination.
SonicWALL. Network Access Rules take precedence, and can override the SonicWALL’s stateful packet inspection. For example, a rule that blocks IRC traffic takes precedence over the SonicWALL default setting of allowing this type of traffic.
Public LAN Server for a service, enter "0.0.0.0" in the field.
Windows Networking (NetBIOS) Broadcast Pass Through
Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets. By default, the SonicWALL blocks these broadcasts. If you select From LAN...
WAN, your SonicWALL allows NetBIOS broadcasts from LAN to LAN or from LAN to WAN. Then, LAN users are able to view machines on the WAN in their Windows Network Neighborhood.
Detection Prevention
Enable Stealth Mode
By default, the SonicWALL responds to incoming connection requests as either "blocked" or "open".
2. Click Add. The new service appears in the list box on the right side of the browser window. Note that some services add more than one entry to the list.
Note: Session Initiation Protocol (SIP) and HTTPS are also available Services.
• Allow specified IP addresses on the Internet to access a sensitive server on the LAN. • Configure bandwidth management for individual services. Note: The maximum number of Rules for TELE3 SP is 100 with 50 available to use bandwidth management.
To create custom Network Access Rules, click Access on the left side of the browser window, and then click the Rules tab. Note: Use extreme caution when creating or deleting Network Access Rules, because you can disable firewall protection or block access to the Internet.
Bandwidth Management
The SonicWALL can now be configured for bandwidth management of outbound (WAN) network traffic. Each Service added via a Rule has a checkbox to enable bandwidth management for the Service. Select Enable Bandwidth Management, then enter the Guaranteed Bandwidth in Kbps for the Service, and enter the Maximum Bandwidth in Kbps for the Service.
10. Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field. Assign a priority from 0 (highest) to 7 (lowest). 11. Click Update. Once the SonicWALL has been updated, the new rule appears in the list of Current Network Access Rules.
Bandwidth Management, and enter values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority. 10. Click Update to add the rule to the SonicWALL. Note: The source part (WAN or LAN) can be limited to certain parts of the Internet using a range of IP addresses on the WAN or LAN.
To delete a rule, click the Trash Can icon at the right side of the browser window. A dialog box appears with the message “Do you want to remove this rule?”. Click OK. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN to the WAN. However, Rule #1 blocks IRC (Chat) traffic from a computer on the LAN to a server on the WAN. The Default Deny Rule (#6) blocks all traffic from the WAN to the LAN; however, Rule #2 overrides this rule by allowing Web traffic from the WAN to the LAN.
IP address of the ISP network in the Source Addr Range End field. 6. Select LAN from the Destination Ethernet menu. 7. Since the intent is to allow a ping only to the SonicWALL, enter the SonicWALL LAN IP Address in the Destination Addr Range Begin field.
Currently, when a VPN tunnel is established between two SonicWALL appliances, any users residing on the local LAN of each SonicWALL can send data across the VPN. In some cases, complete user access could be a security risk, and only authenticated users should access the VPN tunnel and send data across the network.
• Maximum login session time - Configure the length of time, in minutes, that a user is allowed to be logged into the network via the SonicWALL. When a user logs into the SonicWALL using his username and password, the user can also set the maximum login session time, but it cannot be longer than the time configured by the administrator.
XAUTH for authentication and accesses the firewall via a VPN client. - Limited Management Capabilities - By enabling this check box, the user has limited local management access to the SonicWALL Management interface. The access is limited to the following pages:...
Logging into the SonicWALL as the administrator automatically gives the user access to all VPN tunnels requiring authentication. Note: Authentication sessions create a log entry in the SonicWALL, but user activity is not logged.
RADIUS Users
You can select the default privileges for all RADIUS users in this section.
• Remote Access - Enable this check box if the user accesses the SonicWALL from a remote computer. This option is only available in Standard mode.
Management Information Base II (MIBII) groups except egp and at. The SonicWALL replies to SNMP Get commands for MIBII via any interface and supports a custom SonicWALL MIB for generating trap messages. The custom SonicWALL MIB is available for download from the SonicWALL Website and can be loaded into third-party SNMP management software such as HP Openview, Tivoli, or SNMPC.
By default, the SonicWALL appliance responds only to SNMP Get messages received on its LAN interface. Appropriate rules must be set up in the SonicWALL to allow SNMP traffic to and from the WAN. SNMP trap messages can be sent via the LAN, WAN, or LAN interface.
WAN interface" to enable secure remote management. When remote management is enabled, a Management SA is automatically generated. The Management SA uses Manual Keying to set up a VPN tunnel between the SonicWALL and the VPN client. The Management SA also defines Inbound and Outbound Security Parameter Indices (SPIs) which match the last eight digits of the SonicWALL serial number.
HTTPS Management Port field, and click Update. For example, if you configure the HTTPS Management Port to be 700, then you must log into the SonicWALL using the port number as well as the IP address, for example, <https://192.168.168.1:700> to access the SonicWALL.
8 Advanced Features
This chapter describes the SonicWALL Advanced Features, such as Web Proxy Forwarding and One-to-One NAT. The Advanced Features can be accessed in the Advanced section of the SonicWALL Web Management interface. There are five tabs in the Advanced section: •...
Configuring Web Proxy Relay
1. Connect your Web proxy server to a hub, and connect the hub to the SonicWALL WAN port.
Note: The proxy server must be located on the WAN; it cannot be located on the LAN.
1. Connect the LAN Ethernet port on the back of the SonicWALL to the network segment to be protected against unauthorized access. 2. Connect the WAN Ethernet port on the back of the SonicWALL to the rest of the network. Note: Devices connected to the WAN port do not have firewall protection. It is...
Select one of the following four options:
• SonicWALL WAN link is connected directly to the Internet router - Select this option if the SonicWALL is protecting your entire network. This is the default setting.
• Specified address ranges are attached to the LAN link - Select this option if it is easier to specify the devices on your LAN.
SonicWALL. If your router is located on the SonicWALL LAN, the Gateway address should be in the same subnet as the SonicWALL LAN IP Address. 4. Select the port on the SonicWALL that the router is connected to, either the LAN or the WAN, from the Link list.
5. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the Web browser window. Restart the SonicWALL for the change to take effect. Note: The SonicWALL can support up to 128 static route entries.
Up to 64 ranges can be added. To map a single address, enter a Range Length of 1. 5. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for changes to take effect.
• Apply this rule - always
9. Click Update and restart the SonicWALL. The server configurations take effect after the SonicWALL restarts and the configuration is updated. Requests for http://208.1.2.4 are answered by the server at 192.168.1.10. Requests for http://208.1.2.5 are answered by the server at 192.168.1.11, and requests for http://208.1.2.6 are answered by the server at 192.168.1.12.
SonicWALL appliance and proxies that address onto the WAN port of the SonicWALL. If you are not managing the SonicWALL appliance from the LAN side, the firmware looks for a random computer on the LAN creating a lengthy search process.
Rules created in the Access section of the SonicWALL Management interface. By controlling the amount of bandwidth to an application or user, the network administrator can prevent a small number of applications or users from consuming all available bandwidth.
Defining a class of traffic that has 0 bandwidth allocated to it effectively blocks the traffic unless there is no other traffic with higher priority on the network.
Overview of Bandwidth Management
200 Kbps
Enabling Bandwidth Management on the SonicWALL
To enable Bandwidth Management on the SonicWALL, you must know the current bandwidth of your connection. Once you have this figure, you can select Enable Bandwidth Management on the Advanced/Ethernet page, and then enter the amount of available WAN bandwidth in Kbps.
The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server addresses to the computers on your LAN. To access the SonicWALL DHCP Setup window, click DHCP on the left side of the browser window. There are three tabs in the DHCP section: •...
6. Select Set DNS Servers using the SonicWALL Network settings to use the DNS servers that you specified in the SonicWALL Network section. If you wish to use different DNS servers than the ones specified in the SonicWALL Network section, then select Specify Manually. Enter your DNS Server addresses in the DNS Server 1, DNS Server 2, and DNS Server 3 fields.
Web browser window. Continue this process until you have added all the desired static entries. Note: The SonicWALL DHCP server can assign a total of 254 dynamic and static IP addresses.
Deleting Dynamic Ranges and Static Entries •...
DHCP over VPN
DHCP over VPN is a new feature that allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space.
Add DHCP Server field, and click Update. The SonicWALL now directs DHCP requests to the specified servers. 4. To delete DHCP servers, click on the IP address of the DHCP server, and click Delete DHCP Server. The server is removed from the list of DHCP servers.
5. The SonicWALL can also be managed through the Relay IP address. 6. If you enable Block traffic through tunnel when IP spoof detected, the SonicWALL blocks any traffic across the VPN tunnel that is spoofing an authenticated user’s IP address.
Command Prompt window. Note: You must configure the local DHCP server on the remote SonicWALL to assign IP leases to these computers. Note: If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote PC.
DHCP Status
A Status page is now available to review DHCP Server Status and DHCP over VPN Status. The DHCP Server Status section reports the number of Current, Available Dynamic, Available Static leases as well as the Total leases. The DHCP over VPN Status section reports the number of Current Dynamic, Current Static, and the Total leases.
SonicWALL VPN provides secure, encrypted communication to business partners and remote offices at a fraction of the cost of dedicated leased lines. Using the SonicWALL intuitive Web Management Interface, you can quickly create a VPN Security Association to a remote site.
NAT or NAPT device. The “keepalive” is silently discarded by the IPSec peer. NAT Traversal support is transparent, but log messages are generated by the SonicWALL when an IPSec Security Gateway is detected behind a NAT/NAPT device. The following log messages are found on the View Log tab: •...
The Global IPSec Settings section displays the Unique Firewall Identifier which defaults to the serial number of the SonicWALL appliance. You can change the Identifier, and use it for configuring VPN tunnels. Enable VPN must be selected to allow VPN security associations.
Security Associations to use bandwidth management. Current IPSec Security Associations This section displays all of the VPN configurations in the SonicWALL appliance. If you click the name of the security association, the security association settings are displayed. The Security Association, Group VPN, is a default setting.
To disable the SA, select Disable This SA. If selected, you can disable a security association temporarily if problems occur with it. The IPSec Gateway Address field is used to configure the gateway for the security association. Page 112 SonicWALL TELE3 SP Administrator’s Guide...
IKE using preshared secret. However, Phase 2 Encryption/Authentication is different for the Group VPN SA. The VPN Client does not support ArcFour encryption methods, and you cannot disable authentication in the VPN...
Task Force (IETF) and are not allowed for use as an SPI. These numbers are not accepted by the SonicWALL when entered as an SPI; an error message is displayed at the bottom of the Web browser window when Update is pressed. For example, a valid SPI would be 1234abcd.
- Remote VPN clients with XAUTH
• Enable Windows Networking (NetBIOS) broadcast
• Apply NAT and firewall rules
• Forward packets to remote VPNs
• Enable Perfect Forward Secrecy
• Phase 2 DH Group
• Default LAN Gateway
Selecting the Use Aggressive Mode check box forces the SonicWALL appliance to use Aggressive Mode to establish the VPN tunnel even if the SonicWALL has a static IP address. Aggressive Mode requires half of the main mode messages to be exchanged in Phase One of the SA exchange.
VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section.
For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway.
Phase 2 DH Group Default LAN Gateway *Default LAN Gateway and Forward Packets to Remote VPN are not configured for VPN Client to SonicWALL appliance connections using Manual Key Exchange. These parameters apply to both SonicWALL Certificates and Third Party Certificates.
Click VPN on the left side of the SonicWALL browser window, and then click Configure. The SonicWALL VPN tab defaults to a Group VPN setting. This feature facilitates the set up and deployment of multiple VPN clients by the administrator of the SonicWALL appliance.
5.1.1. Installing the VPN Client Software 1. When you register your SonicWALL or SonicWALL VPN Upgrade, a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed. 2. Unzip the SonicWALL VPN Client zip file.
2. A file location box appears which allows you to search for the location of the saved security file. Select the file, and click Open. 3. A dialogue box confirming the request to import the security file appears.
Policy. Select My Identity to view the settings. 5. Click Pre-Shared Key to enter the Pre-Shared Secret created in the Group VPN settings in the SonicWALL appliance. Click Enter Key and enter the pre-shared secret. Then click OK. 6. Click File, then Save Changes to save the settings to the security policy.
You can verify the connection by verifying the type of icon displayed in the system tray near the system clock. The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system.
Manual Key Configuration for a SonicWALL and VPN Client To configure the SonicWALL appliance, click VPN on the left side of the browser window, and select Enable VPN to allow the VPN connection. 1. Select Disable VPN Windows Networking (NetBIOS) broadcast. Leave the Enable Fragmented Packet Handling unselected until the SonicWALL logs show many fragmented packets transmitted.
Installing the VPN Client Software 1. When you register your SonicWALL VPN Upgrade at <http://www.mysonicwall.com>, a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed. Note: SonicWALL PRO 300 lists an additional 50 serial numbers on the back of the SonicWALL VPN Client certificate 2.
Click My Connections, and right click to select Add > Connection at the top of the Security Policy Editor window. Note: The security policy is renamed to match the SA name created in the SonicWALL. You can rename the security policy by highlighting New Connection in the Network Security Policy box and typing the security policy name.
8. Enter the SonicWALL WAN IP Address in the field below the ID Type menu. Enter the NAT Public Address if NAT is enabled. Configuring VPN Client Identity To configure the VPN Client Identity, click My Identity in the Network Security Policy window.
2. Select Use Manual Keys in the Select Phase 1 Negotiation Mode menu. 3. Click the + next to Security Policy, and select Key Exchange (Phase 2). Click the + next to Key Exchange (Phase 2), and select Proposal 1.
1. Click Inbound Keys. The Inbound Keying Material box appears. 2. Click Enter Key to define the encryption and authentication keys. 3. Enter the SonicWALL Outgoing SPI in the Security Parameter Index field. 4. Select Binary in the Choose key format options.
5. Enter the SonicWALL 16-character Encryption Key in the ESP Encryption Key field. 6. Enter the SonicWALL 32-character Authentication Key in the ESP Authentication Key field, then click OK. Configuring Outbound VPN Client Keys 1. Click Outbound Keys. An Outbound Keying Material box is displayed.
Verifying the VPN Client Icon in the System Tray The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system. The icon changes to reflect the current status of your communication over the VPN tunnel.
Preshared Secret can be used to configure a VPN tunnel between two SonicWALLs. Manual Key for Two SonicWALLs Click VPN on the left side of the SonicWALL browser window, and then click the Configure tab. 1. Select Manual Key from the IPSec Keying Mode menu.
6. Define an SPI that the local SonicWALL uses to identify the Security Association in the Outgoing SPI field. SPIs should range from 3 to 8 characters in length and include only hexadecimal characters. Note: Valid hexadecimal characters are “0” to “9”, and “a” to “f” inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f).
Encryption Key field. This can be used as a valid key for Triple DES. If this key is used, it must also be entered in the Encryption Key field in the remote SonicWALL. If Tunnel Only (ESP NULL) or Authenticate (AH MD5) is used, the Encryption Key field is ignored.
Widgit, Inc. wants to connect their main office with a branch office on the East Coast. Using a SonicWALL PRO 300 and a TELE3 SP, they can configure a secure VPN tunnel between the two sites. The main office has the following network settings: •...
1. Configure the network settings for the firewall using the Network tab located in the General section. 2. Click Update and restart the SonicWALL if necessary. 3. Click VPN, then the Configure tab. 4. Create a name for the main office SA, for example, Main Office.
Default LAN Gateway if specifying the IP address of the default LAN route for incoming IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box. 12. Click OK, and then click Update.
3. Enter a descriptive name for the Security Association, such as "Palo Alto Office" or "NY Headquarters", in the Name field. 4. Enter the IP address of the remote SonicWALL in the IPSec Gateway Address field. This address must be valid, and should be the NAT Public IP Address if the remote SonicWALL uses Network Address Translation (NAT).
Strong Encrypt (ESP 3DES) uses 168-bit 3DES (Triple DES) to encrypt data. 3DES is considered an almost "unbreakable" encryption method, applying three DES keys in succession, but it significantly impacts the data throughput of the SonicWALL. • Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) uses 168-bit 3DES encryption and HMAC MD5 authentication.
HMAC SHA1 authentication. 9. Enter an alphanumeric “secret” in the Shared Secret field. The Shared Secret must match the corresponding field in the remote SonicWALL. This field can range from 4 to 128 characters in length and is case sensitive.
A company wants to use VPN to link two offices together, one in Chicago and the other in San Francisco. To do this, the SonicWALL PRO 200 in Chicago and the SonicWALL TELE3 SP in San Francisco must have corresponding Security Associations.
IPSec packets for this SA. This is used in conjunction with the Route all internet traffic through this SA check box. 14. Click Update to add the Security Association. Once the SonicWALL PRO 200 is updated, a message confirming the update is displayed at the bottom of the browser window.
4. Enter the SonicWALL PRO 200 Unique Firewall Identifier in the SonicWALL TELE3 SP Name field, in this example, "Chicago Office." 5. Enter the SonicWALL PRO 200 WAN IP Address in the IPSec Gateway Address field. This address must be valid, and is the SonicWALL PRO 200 NAT Public Address, or "216.0.0.20."...
SA check box. 14. Click Update to add the remote network and close the VPN Destination Network window. Once the SonicWALL TELE3 SP has been updated, a message confirming the update is displayed at the bottom of the browser window.
SonicWALL to validate your Local Certificates. Importing CA Certificates into the SonicWALL After your CA service has validated your CA Certificate, you can import it into the SonicWALL and use it to validate Local Certificates for VPN Security Associations. To import your CA Certificate into the SonicWALL, use the following steps: 1.
After a certificate is signed by the CA and returned to you, you can import the certificate into the SonicWALL to be used as a Local Certificate for a VPN Security Association. Use the following steps to import the certificate into the SonicWALL: 1.
2. Click Browse, and select the *.der file from the Choose File dialogue box. 3. Click Import Certificate. 4. The certificate is now updated to Verified, and you can now use it for a VPN SA using a third party certificate.
Require authentication of remote users
- Remote users behind VPN gateway
- Remote VPN clients with XAUTH
• Enable Windows Networking (NetBIOS) broadcast
• Apply NAT and firewall rules
• Forward packets to remote VPNs
• Enable Perfect Forward Secrecy
Selecting the Use Aggressive Mode check box forces the SonicWALL appliance to use Aggressive Mode to establish the VPN tunnel even if the SonicWALL has a static IP address. Aggressive Mode requires half of the main mode messages to be exchanged in Phase One of the SA exchange.
VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section.
For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN network. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway.
Use the following steps to configure Windows Networking on your computer (Windows 98): 1. Click Start, then Control Panel. Locate the Network icon and double-click it. 2. Select Client for Microsoft Networks from the list, and then click Properties.
Windows NT domain text box. Select Quick Logon under Network logon options section. 4. Click on the Identification tab, and enter the domain name provided by your administrator in the Workgroup text box.
The Security Association menu also allows you to modify and delete existing Security Associations. To delete an SA, select it from the list and click the Delete This SA button. To modify an SA, select it from the list, make the desired changes, and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the Web browser window. Click Update to enable the changes.
Accessing Remote Resources across a Virtual Private Network
SonicWALL VPN Clients, which cannot transmit NetBIOS broadcasts, can access resources across a VPN by locating a remote computer by IP address.
VPN clients. The feature is useful if it is suspected that a remote VPN user connection has become unstable or insecure. It can also temporarily block access to the SonicWALL appliance if necessary. Disable the Security Association by checking the Disable this SA check box.
VPN. Symmetric cryptography, or secret key cryptography, is usually faster than asymmetric cryptography. Therefore symmetric algorithms are often used when large quantities of data have to be exchanged. SonicWALL VPN uses Symmetric Cryptography. As a result, the key on both ends of the VPN tunnel must match exactly.
With IKE, an initial exchange authenticates the VPN session and automatically negotiates keys that are used to pass IP traffic. The initial exchange occurs on UDP port 500, so when an IKE SA is created, the SonicWALL automatically opens port 500 to allow the IKE key exchange.
DES, it is designed to encrypt data streams, rather than static storage. The SonicWALL VPN ARCFour key must be exactly 16 characters long and is comprised of hexadecimal characters. Valid hexadecimal characters are "0" to "9", and "a" to "f" inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f).
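The Manual Key rules this guide gives (SPIs of 3 to 8 hexadecimal characters, a 16-character encryption key, a 32-character authentication key, and keys that must match exactly on both ends of the tunnel) can be checked before the values are entered on either device. The following is an added example, not part of the SonicWALL guide: the `ManualKeySA` field names and all sample values are constructed, the reserved SPI range 0-255 is taken from RFC 2406 because the range is not quoted on this page, and hex digits are assumed to compare case-insensitively.

```python
from __future__ import annotations

from dataclasses import dataclass

HEX_DIGITS = set("0123456789abcdef")  # valid characters listed in the guide
SPI_LEN = range(3, 9)                 # guide: SPIs are 3 to 8 characters long
RESERVED_SPI_MAX = 0xFF               # assumption: 0-255 reserved per RFC 2406
ENC_KEY_LEN = 16                      # guide: 16-character encryption key
AUTH_KEY_LEN = 32                     # guide: 32-character authentication key


@dataclass
class ManualKeySA:
    """Manual Key settings as entered on one device (hypothetical field names)."""
    name: str
    incoming_spi: str
    outgoing_spi: str
    encryption_key: str
    authentication_key: str


def is_hex(value: str) -> bool:
    """True when the value is non-empty and uses only 0-9 and a-f."""
    return bool(value) and set(value.lower()) <= HEX_DIGITS


def check_spi(spi: str) -> list[str]:
    """Return the problems found in one SPI (an empty list means acceptable)."""
    if not is_hex(spi):
        return [f"SPI {spi!r}: only hexadecimal characters are allowed"]
    problems = []
    if len(spi) not in SPI_LEN:
        problems.append(f"SPI {spi!r}: length must be 3 to 8 characters")
    if int(spi, 16) <= RESERVED_SPI_MAX:
        problems.append(f"SPI {spi!r}: value falls in the reserved range")
    return problems


def check_key(label: str, key: str, length: int) -> list[str]:
    """Validate a key by shape only; the key material is never echoed."""
    if not is_hex(key):
        return [f"{label}: only hexadecimal characters are allowed"]
    if len(key) != length:
        return [f"{label}: expected {length} characters, got {len(key)}"]
    return []


def check_side(sa: ManualKeySA) -> list[str]:
    """Check the values entered on a single device."""
    problems = check_spi(sa.incoming_spi) + check_spi(sa.outgoing_spi)
    problems += check_key("encryption key", sa.encryption_key, ENC_KEY_LEN)
    problems += check_key("authentication key", sa.authentication_key, AUTH_KEY_LEN)
    return [f"{sa.name}: {p}" for p in problems]


def check_pair(a: ManualKeySA, b: ManualKeySA) -> list[str]:
    """Check both devices, then confirm the two ends mirror each other."""
    problems = check_side(a) + check_side(b)
    # One side's Outgoing SPI is the other side's Incoming SPI.
    if a.outgoing_spi.lower() != b.incoming_spi.lower():
        problems.append(f"{a.name} outgoing SPI does not match {b.name} incoming SPI")
    if a.incoming_spi.lower() != b.outgoing_spi.lower():
        problems.append(f"{a.name} incoming SPI does not match {b.name} outgoing SPI")
    # Symmetric keys must be identical on both ends of the tunnel.
    if a.encryption_key.lower() != b.encryption_key.lower():
        problems.append("encryption keys differ between the two ends")
    if a.authentication_key.lower() != b.authentication_key.lower():
        problems.append("authentication keys differ between the two ends")
    return problems


if __name__ == "__main__":
    # Constructed sample values; never use them on a real tunnel.
    office = ManualKeySA("Main Office", "1234abcd", "abcd1234",
                         "0123456789abcdef", "0123456789abcdef0123456789abcdef")
    branch = ManualKeySA("Branch", "abcd1234", "1234abce",
                         "0123456789abcdef", "0123456789abcdef0123456789abcdef")
    for line in check_pair(office, branch) or ["no problems found"]:
        print(line)
```

The messages name the failing field but never print key values, so the output can be pasted into a ticket or change record.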
SonicWALL monitors the primary SonicWALL and takes over operation in the event of a failure. This ensures a secure and reliable connection between the protected network and the Internet. Note: If WAN Failover is enabled, you cannot configure High Availability for the TELE3 SP.
All SonicWALL ports being used must be connected together with a hub or switch. Each SonicWALL must have a unique LAN IP Address on the same LAN subnet. If each SonicWALL has a unique WAN IP Address for remote management, the WAN IP Addresses must be in the same subnet.
LAN IP Address - This is a unique IP address for accessing the primary SonicWALL from the LAN whether it is Active or Idle. Note: This IP address is different from the IP address used to contact the SonicWALL in the General Network settings.
LAN IP Address - The unique LAN IP address used to access and manage the backup SonicWALL whether it is Active or Idle. Note: This IP address is different from the IP address used to contact the SonicWALL in the General Network settings.
To check the backup SonicWALL firmware version or serial number, log into the backup SonicWALL, click General on the left side of the browser window and then click Status at the top of the window. Both the firmware version and the SonicWALL serial number are displayed at the top of the window.
High Availability pair. To view the High Availability Status window, you can log into the primary or backup SonicWALL LAN IP Address. Click High Availability on the left side of the browser window and then click Configure at the top of the window. If the primary...
If the backup SonicWALL is active, the first line changes to reflect the active status of the backup as shown below: The first line in the status window indicates that the backup SonicWALL is currently Active. It is also possible to check the status of the backup SonicWALL by logging into the LAN IP Address of the backup SonicWALL.
SonicWALL Web Management Interface or it may be automatically sent to the administrator’s E-mail address. To view the SonicWALL log, click Log on the left side of the browser window and then click on View Log at the top of the window.
Forcing Transitions In some cases, it may be necessary to force a transition from one active SonicWALL to another – for example, to force the primary SonicWALL to become active again after a failure when Preempt Mode has not been enabled, or to force the backup SonicWALL to become active in order to do preventive maintenance on the primary SonicWALL.
12 SonicWALL Options and Upgrades SonicWALL, Inc. offers a variety of options and upgrades to enhance the functionality of your SonicWALL Internet security appliance. SonicWALL options and upgrades include the following: • SonicWALL VPN Client for Windows • SonicWALL Network Anti-Virus Subscription •...
SonicWALL Content Filter List Subscription allows businesses to create and enforce Internet access policies tailored to the requirements of the organization. The SonicWALL Internet security appliance provides you with flexible tools to create and administer Acceptable Use Policies. An annual subscription to the Content Filter List (provided by CyberPatrol) allows you to block or monitor access to undesirable Internet sites, such as pornography or violence.
SonicWALL Global Management System SonicWALL Global Management System is a scalable, cost-effective solution that extends the SonicWALL's ease of administration, giving you the tools to manage the security policies of remote, distributed networks. SonicWALL GMS lets you administer the SonicWALL at your corporate headquarters, branch offices and telecommuters from a central location.
More information is provided in Appendix A, Technical Specifications. SonicWALL TELE3 SP Front Panel The SonicWALL TELE3 SP front panel is shown below, followed by a description of each item. [Figure: front panel, with callouts Modem LED, WAN Port LEDs, LAN Port LEDs...]
These tests take about 90 seconds. If the Test LED remains lit after this time, the software is corrupt and must be reinstalled. SonicWALL TELE3 SP Back Panel The SonicWALL TELE3 SP back panel is shown below, followed by a description of each item. [Figure: back panel, with callouts Cooling Vents, 5VDC,2A...]
• Test Lights up when the SonicWALL is powered up and performing diagnostic tests for proper operation. These tests take up to 5 minutes. If the Test LED remains lit after this time, the firmware is corrupt and must be reinstalled.
All computers on the LAN should be able to log into the SonicWALL Management Interface by typing the SonicWALL LAN IP Address into the Location or Go to field from a Web browser. If the SonicWALL authentication screen does not appear, check for Ethernet connectivity problems.
The SonicWALL does not save changes that you have made. • When configuring the SonicWALL, be sure to click Update before moving to another window or tab, or all changes will be lost. •...
Internet Security Expertise Technical Support is only as good as the people providing it to you. SonicWALL support professionals are Certified Internet Security Administrators with years of experience in networking and Internet security. They are also supported by the best in class tools and processes that ensure a quick and accurate solution to your problem.
• Access to SonicWALL’s electronic support and Knowledge Base systems All of SonicWALL Support Services offer a variety of support services to meet your unique needs including fast, responsive service, instant access to electronic support tools, and high quality technical support.
SonicWALL. SonicWALL ships a replacement appliance to you based upon the RMA information. You are responsible for returning the failed appliance to SonicWALL within 30 days or be charged for the full replacement cost.
SonicWALL Support 24X7 provides access to SonicWALL’s Web-based support tools, including FAQs, documentation, and Knowledge Base systems. Availability SonicWALL Support 24X7 is an annual service available for sale at the time of product purchase or anytime before warranty expiration. SonicWALL Support 8X5...
SonicWALL Support 8X5 provides access to SonicWALL’s Web-based support tools, including FAQs, documentation, and Knowledge Base systems. Availability SonicWALL Support 8X5 is an annual service available for sale at the time of product purchase or anytime before warranty expiration. North America...
SonicWALL factory for a period of year following the date of purchase. Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL. Upon receipt of the failed appliance, SonicWALL ships a fully functional appliance.
Support Tools Warranty Support provides access to SonicWALL’s Web-based support tools, including FAQs, documentation, and Knowledge Base systems. Availability This warranty applied to products sold in Europe, the Middle East, Africa, Asia, Central and South America.
This appendix provides a non-technical overview of the network protocols supported by the SonicWALL and includes a discussion of Internet Protocol (IP) addressing. It can be helpful to review a book on TCP/IP for an overview of protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol).
DNS - Domain Name System (DNS) is a protocol that matches Internet computer names to their corresponding IP addresses. By using DNS, a user can type in a computer name, such as www.sonicwall.com, instead of an IP address, such as 192.168.168.168, to access a computer.
IP Addressing To become part of an IP network, a network device must have an IP address. An IP address is a unique number that differentiates one device from another on the network to avoid confusion during communication. To help illustrate IP addresses, the following sections compare an IP address to the telephone numbering system, a system that is used every day.
A node is a device, such as a PC or a printer, on a network with an IP address. The feature chart shows how many node licenses for PCs or printers are included with a SonicWALL Internet Security appliance. The TELE3 has a non-upgradeable 5-node license, but the SOHO3 is upgradeable to 10, 50, or an unlimited number of node licenses.
LAN IP addresses accessing the Internet until the appliance is rebooted. When a computer or other device connects to the LAN port of the SonicWALL, the SonicWALL detects it via broadcast and stores the IP address of the computer or other device in memory. If 5, 10, or 50 IP addresses have been stored in the SonicWALL, the SonicWALL does not permit any additional machines to access the Internet.
While the IANA cannot control uses of these ports it does list uses of these ports as a convenience. The Registered Ports are in the range 1024-65535. Visit <http://www.ietf.org/rfc/rfc1700.txt> for a list of IP port numbers.
The SonicWALL is pre-configured with the IP address "192.168.168.168". During the initial configuration, it is necessary to temporarily change the IP address of the Management Station to one in the same subnet as the SonicWALL. For initial configuration, set the IP address of the Management Station to "192.168.168.200".
Enter the Subnet Mask address in the Subnet Mask field. Click OK. Follow the SonicWALL Installation Wizard instructions to perform the initial setup of the SonicWALL. Refer to Chapter 2 for instructions on using the Wizard.
<http://www.mysonicwall.com> as a registered user. Locating the Reset button on your SonicWALL Internet Security Appliance The SonicWALL TELE3 SP models use the small recessed button on the back of the unit for this procedure. Erasing the Firmware for all Models 1.
Note: Refer to your Steel Belted RADIUS Administration Guide for complete instructions on adding dictionaries and configuring user privileges. To configure the Steel Belted RADIUS server to include the SonicWALL.dct file, use the following instructions: Locate the directory in which Steel Belted RADIUS is installed, C:\RADIUS by default, and copy the SonicWALL.dct file into the C:\RADIUS\Service folder.
Run the Steel Belted RADIUS Administrator. Click RAS Clients, and select SonicWALL Firewall from the Make/Model list. Click Save. Note: If there is no entry for SonicWALL Firewall, be sure that steps 2 and 3 were performed correctly. Configuring User Privileges...
The ACS server can still be used for authentication if the RADIUS users are configured globally on the SonicWALL to have the same privileges. Also, the ACS server supports CHAP, so it can be used if HTTPS is not available when logging into the SonicWALL management interface.
CHAP with RADIUS if the domain controller is configured to store passwords using reversible encryption for all users. If the domain controller is not configured in this manner, it is necessary to use HTTPS to log into the SonicWALL management interface.
RADIUS Attributes Dictionary The following is the RADIUS dictionary in the format used with Funk Software’s Steel Belted RADIUS server.
SonicWALL, Inc. could void the user’s authority to operate this equipment. FCC part 68 Telecom Information Repair Information - According to the FCC, only the modem vendor for the SonicWALL modem is allowed to service the modem. Contact SonicWALL Technical Support for any repairs including the modem.
Lithium Battery Warning The Lithium Battery used in the SonicWALL Internet security appliance may not be replaced by the user. The SonicWALL must be returned to a SonicWALL authorized service center for replacement with the same or equivalent type recommended by the manufacturer. If, for any reason, the battery or SonicWALL Internet security appliance must be disposed of, do so following the battery manufacturer's instructions.
SonicWALL, Inc. 1160 Bordeaux Drive Sunnyvale, CA 94089-1209 Tel: (408) 745-9600 Fax: (408) 745-9300 E-mail: info@sonicwall.com Part# 232-0000316-00 Web: www.sonicwall.com Rev. A 06/02...