Contents
  Contents (p. 1)
  Overview (p. 1)
  Deploying a SonicWALL Appliance in Layer 2 Bridge Mode (p. 2)
    Layer 2 Bridge Mode Configuration Overview (p. 2)
    Configuring Initial Settings (p. 3)
    Configuring Layer 2 Bridge Mode (p. 4)
  Deploying a SonicWALL Appliance in Wire-Mode (p. 5)
    Wire-Mode Overview (p. 5)
    Configuring Tap-Mode (p. 8)
  Advanced Wire-Mode Deployments (p. 9)
    Network Insertion: Augmenting Existing Firewalls (p. 9)
    Configuring Wire-Mode when Augmenting Existing Firewalls (p. 11)
  Configuring Application Intelligence (p. 13)
  Creating the SWARM Report (p. 17)
  Configuring Alerts (Optional) (p. 19)
  Enabling NetFlow Reporting (Optional) (p. 20)
  Configuring Single Sign On (Optional) (p. 21)
Overview
On SonicWALL's next generation firewalls, it is possible to detect, classify, and enforce policy for over 3,000
unique applications, while simultaneously preventing thousands of intrusions, attacks, exploits, and malware,
thanks to the patented deep-packet-inspection (DPI) engine running inside your SonicWALL. Application
Intelligence (AI) holds the key to the tools that allow network administrators to regain control over their network
usage and, more importantly, employee productivity. Reclaiming bandwidth, reducing wasted time at work, and improving
mission-critical applications is all within your grasp. AI can help you save money in more ways than one.
Have you ever been put in a situation where you needed to know what a particular user is doing on the network?
For example, should you have challenges with VOIP call quality, how do you quickly identify the bandwidth being
used for VOIP, and all the other applications on the network? With real-time monitoring you can quickly identify
traffic from given users, devices, applications, URLs, bandwidth consumption, intrusions, and more, enabling you
to intelligently define policy to control the network. This all becomes possible with the next generation firewall
from SonicWALL; quickly identify offenders or problem spots, control applications, block malware, and report on
all network activity.
There are many ways to insert a SonicWALL into a network as a bump on the wire:
We recommend that you deploy in either Layer 2 Bridge Mode or the newly created Wire-Mode. Deploying in this
configuration allows for minimal network interruption and doesn't require any drastic changes to an existing
network. It also makes it easy to migrate to full NAT/router mode when ready.
Note: If one-port sniffer mode is desired, utilize the Wire-Mode Tap mode unless you have a SonicWALL that
does not support Wire-Mode. In that case reference the following Tech Note:
http://www.sonicwall.com/downloads/Integrating_SonicWALL_and_HP.pdf
Note: In this case, SonicWALL recommends that you do not use the Getting Started Wizard.
TechNote
3. Activate all the security services (Gateway Anti-Virus, Anti-Spyware, IPS, and Application Control) as
described below in the Configuring Application Intelligence section. The X0 interface will then be bridged to
the X1 interface, forming the Layer 2 Bridge that allows all Internet traffic to pass through the SonicWALL for
inspection.
In preparation for Layer 2 Bridge Mode configuration, perform the following steps:
a. To allow for management of the SonicWALL, connect a laptop to the X0 LAN interface with a default IP of
192.168.168.168 and assign your laptop an IP of 192.168.168.169.
b. Open a browser and navigate to 192.168.168.168. Enter the default admin credentials (admin/password).
Bypass the Getting Started Wizard and proceed directly to management.
c. Navigate to Network > Interfaces and configure X1 with an appropriate IP address for the local network.
Then, attach the X1 interface to a spare LAN switch port. In this example, we have an existing LAN subnet of
192.168.169.0/24.
d. Attach the X1 interface to a free switch port as depicted in the diagram below.
1. On the Network > Interfaces page, click the Configure icon in the right column of the X0 (LAN) interface.
2. If not completed earlier, configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP
Redirects).
Note: If you are performing Application Intelligence testing with an NSA model other than an E7500 or E8500,
there is a slight risk to installing into an existing network in Layer 2 Bridge Mode. If the SonicWALL appliance
has a hard crash or power failure, all Internet traffic will effectively be blocked. The NSA E7500 and E8500
models have fail-open interfaces which allow network traffic to flow even in the event of a failure. For more
details on the setup, refer to:
http://www.sonicwall.com/downloads/SonicOS_5.5_L2_Bridge_Bypass_Feature_Module.pdf
3. In the IP Assignment drop-down list, select Layer 2 Bridged Mode.
4. In the Bridged to drop-down list, select the X1 interface.
Note: After this step is completed, you may lose management access to the firewall as the X0 interface is
now on a different subnet. To ensure the configuration is correct, change the IP of the laptop to a spare
address on the network (e.g. 192.168.169.15) and browse to the IP address previously configured for the X1
Interface.
The SonicWALL is now ready to be inserted into the network.
5. Connect the X1 interface to the LAN interface of the existing router/firewall.
6. Connect the X0 interface to the existing LAN switch.
7. Connect your laptop to a spare switch port and log in to the SonicWALL.
Traffic is now configured to flow through the SonicWALL and the Real-Time monitors should be displaying
info.
8. Activate all the security services (Gateway Anti-Virus, Anti-Spyware, IPS, and Application Control) as
described below in the Configuring Application Intelligence section.
Wire-Mode Overview
With the NSA 3500 and higher models, SonicOS 5.8.1+ introduces Wire-Mode, which provides four new methods
of non-disruptive, incremental insertion into networks.
Note: To enable remote management and dynamic security services and Application Intelligence updates, a WAN
interface (separate from the Wire-Mode interfaces) must be configured for Internet connectivity. This is easily done
because SonicOS supports interfaces in mixed modes of almost any combination. Consider the network interface
settings shown below:
The table below describes the four Wire-Mode settings:

Bypass Mode: Bypass Mode allows for the quick and relatively non-interruptive introduction of the SonicWALL into a network. Upon selecting a point of insertion into a network (e.g. between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains) the SonicWALL is inserted into the physical data path, requiring a very short maintenance window. While Bypass Mode does not offer any inspection or firewalling, this mode allows the administrator to physically introduce the SonicWALL into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure. The administrator can then transition from Bypass Mode to Inspect or Secure Mode instantaneously through a simple user-interface driven reconfiguration.

Inspect Mode: Inspect Mode extends Bypass Mode without functionally altering the low-risk, zero-latency packet path. Packets continue to pass through the SonicWALL, but they are also mirrored to the multi-core RF-DPI engine for the purposes of passive inspection, classification, and flow reporting. This reveals the SonicWALL's Application Intelligence and threat detection capabilities without any actual intermediated processing.

Secure Mode: Secure Mode is the progression of Inspect Mode, actively interposing the SonicWALL's multi-core processors into the packet processing path. This unleashes the inspection and policy engine's full set of capabilities, including Application Intelligence and Control, Intrusion Prevention Services, Gateway and Cloud-based Anti-Virus, Anti-Spyware, and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridge Mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode thus provides an incrementally attainable NGFW deployment requiring no logical and only minimal physical changes to existing network designs.

Tap Mode: Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream via a single port on the SonicWALL, eliminating the need for physically intermediated insertion. Like all other forms of Wire-Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.
To summarize the key functional differences between modes of interface configuration:

Feature                               Bypass  Inspect  Secure  Tap   L2 Bridge, Transparent,
                                      Mode    Mode     Mode    Mode  NAT, Route Modes
Active/Active Clustering (a)          No      No       No      No    Yes
Application Control                   No      No       Yes     No    Yes
Application Visibility                No      Yes      Yes     Yes   Yes
ARP/Routing/NAT (a)                   No      No       No      No    Yes
Comprehensive Anti-Spam Service (a)   No      No       No      No    Yes
Content Filtering                     No      No       Yes     No    Yes
DHCP Server (a,b)                     No      No       No      No    Yes
DPI Detection                         No      Yes      Yes     Yes   Yes
DPI Prevention                        No      No       Yes     No    Yes
DPI-SSL (a)                           No      No       No      No    Yes
High-Availability (a,c)               No      No       No      No    Yes
Link-State Propagation (d)            Yes     Yes      Yes     No    No
SPI                                   No      Yes      Yes     Yes   Yes
TCP Handshake Enforcement (e)         No      No       No      No    Yes
Virtual Groups (a)                    No      No       No      No    Yes
a. These functions or services are unavailable on interfaces configured in Wire-Mode, but remain available on a system-wide
level for any interfaces configured in other compatible modes of operation.
b. Not available in L2 Bridge Mode.
c. Not available on the E10100. Active/Passive HA can be achieved using Active/Active Clustering in singleton mode.
d. Link State Propagation is a feature whereby interfaces in a Wire-Mode pair will mirror the link-state triggered by transitions
of their partners. This is essential to proper operations in redundant path networks, in particular, and will be described in
the Augmenting Existing Firewalls network insertion scenario below.
e. Disabled by design in Wire-Mode (and possible to disable in L2 Bridge Mode) to allow for failover events occurring
elsewhere on the network to be supported when multiple Wire-Mode paths, or when multiple SonicWALL units are in use
along redundant or asymmetric paths.
Configuring Tap-Mode
The quickest, easiest way to get an evaluation started is to place the SonicWALL unit into Tap Mode:
1. Rack and power the SonicWALL unit and physically connect one of the interfaces (e.g. X2) to a link from the
distribution tap.
2. Using the dedicated management interface (default IP 192.168.168.168), select an interface (e.g. X1) to
serve as the WAN interface for dynamic updates.
3. Connect this interface to a segment of the network with outbound Internet access (minimally, for services
DNS, NTP, HTTP, and HTTPS), and address accordingly.
4. Consult the reference documents [1] for steps on configuring Security Services, Application Intelligence, Flow
Reporting [2], and Visualizations.
5. On the SonicWALL Network > Interface page, select the X2 interface and configure as follows:
Zone = LAN
IP Assignment = Wire Mode
Wire Mode Type = Tap Mode
6. Additional configuration will need to be done on the Layer 2 managed switch that the SonicWALL is
connected to. In particular, a gigabit Ethernet port needs to be placed into Sniffer/Promiscuous (SPAN) mode in order for
the SonicWALL NSA to capture all the data.
[1] Application Control Feature Module: http://www.sonicwall.com/us/support/230_17452.html
    NetFlow Reporting Feature Module: http://www.sonicwall.com/us/support/230_17455.html
    Visualization Dashboard Feature Module: http://www.sonicwall.com/us/support/230_17458.html
    Intrusion Prevention Service Primer: http://www.sonicwall.com/us/support/2134_4169.html
[2] Flow Reporting requires that the configured flow collector be reachable by IP from the SonicWALL. An interface, such as
    the dedicated management interface or some other available X0-X21 interface, must be configured and connected
    accordingly.
7. Activate all the security services (Gateway Anti-Virus, Anti-Spyware, IPS, and Application Control) as
described below in the Configuring Application Intelligence section.
This section details the deployment and configuration of a SonicWALL Next Generation Firewall using Wire-Mode
for high availability.
Tap Mode, as described above, never introduces a point of failure, and Bypass, Inspect, and Secure mode
deployments can be as redundant as the topology into which they are being introduced. For example, consider
the following environment:
Assume that the current firewalls in use are older models, incapable of providing essential next generation firewall
protection, but still providing other services and deemed not quite ready for retirement. Assume further that traffic
rates at this point on the network average around 1Gbps with occasional spikes up to 3Gbps. A reasonable point
of insertion for the appropriately sized SonicWALL E10400 would be between the core switches and the existing
firewalls:
The redundant paths between the switches and the firewalls are fully preserved across the two Secure Mode
interface pairs through each SonicWALL E10400, and although the addition of another component technically
increases the system's calculated hazard rate, the system is still spared a single point of failure. In the event of a
failure of any of the elements in the diagram (e.g. a switch, a fiber path, an SFP+ transceiver, a firewall, etc.) the
traffic would proceed through the redundant counterpart.
The Link-State Propagation feature of Wire-Mode supports this kind of resiliency in redundant path networks.
Consider what would happen if there were a fiber cable failure on the primary link between the E10400's X1
interface and the upstream firewall. Without Link-State Propagation, the switch below, connected to the E10400's
X0, would not know of the path failure (since its link to the E10400 would still be in an up state) and it would not
fail over to its redundant path to the upstream firewall on the right (connected through the E10400's X2 and X3
Wire-Mode interfaces). With Link-State Propagation, when the X1 link state changes to down, its paired interface
X0 is switched to an administratively down state, allowing path failover to occur. When link state is restored on
X1, X0 is brought back up, and the path again becomes available.
Because Wire-Mode also disables TCP handshake enforcement, previously established connections are allowed
to continue unimpeded. So in the example above, when the path transitions from the X0:X1 Wire-Mode pair to the
X2:X3 pair, all of the connections (as supported by the underlying applications and protocols) will resume without
needing to be re-established. This would also be true for path failures from one E10400 to the other (such as in
the event of total switch failure). [3]
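The failover behaviour described above, modelled as an added example (not SonicWALL code): a core switch with a primary uplink through the X0:X1 Wire-Mode pair and a redundant one through X2:X3, exercised with and without Link-State Propagation. The switch's path selection (it keeps using an uplink as long as its own local link is up) is a simplifying assumption; the interface names and the X1 fiber failure follow the text.

```python
"""Added example, not SonicWALL code: a minimal model of Wire-Mode Link-State
Propagation (LSP) in the redundant topology above. Assumption: the core switch
keeps using an uplink as long as its own local link to that uplink is up."""
from typing import Optional


class WirePair:
    """A Wire-Mode interface pair, e.g. X0 (switch side) paired with X1 (firewall side)."""

    def __init__(self, inside: str, outside: str, lsp: bool):
        self.inside, self.outside, self.lsp = inside, outside, lsp
        self.link = {inside: "up", outside: "up"}  # physical link state per port
        self.admin_down = set()                     # ports LSP has forced down

    def set_link(self, port: str, state: str) -> None:
        """Simulate a cable or transceiver failure ("down") or repair ("up") on one port."""
        self.link[port] = state
        partner = self.outside if port == self.inside else self.inside
        if self.lsp:  # mirror the transition onto the paired interface
            if state == "down":
                self.admin_down.add(partner)
            else:
                self.admin_down.discard(partner)

    def port_up(self, port: str) -> bool:
        """What the device cabled to `port` sees on its own link."""
        return self.link[port] == "up" and port not in self.admin_down

    def forwards(self) -> bool:
        """Traffic only reaches the far side if both physical links are up."""
        return all(state == "up" for state in self.link.values())


class CoreSwitch:
    """The switch below the E10400, with a primary and a redundant uplink."""

    def __init__(self, primary: WirePair, backup: WirePair):
        self.uplinks = [primary, backup]

    def active_path(self) -> Optional[WirePair]:
        # Simplifying assumption: the first uplink whose local link is up wins.
        for pair in self.uplinks:
            if pair.port_up(pair.inside):
                return pair
        return None

    def can_reach_upstream(self) -> bool:
        pair = self.active_path()
        return pair is not None and pair.forwards()


def simulate_x1_fiber_failure(lsp: bool) -> dict:
    """Fail the X1 fiber, record what the switch can reach, then restore it."""
    primary, backup = WirePair("X0", "X1", lsp), WirePair("X2", "X3", lsp)
    switch = CoreSwitch(primary, backup)

    def snapshot() -> tuple:
        pair = switch.active_path()
        name = None if pair is None else f"{pair.inside}:{pair.outside}"
        return name, switch.can_reach_upstream()

    result = {"before": snapshot()}
    primary.set_link("X1", "down")
    result["during_failure"] = snapshot()   # without LSP: X0:X1 still chosen, traffic black-holed
    primary.set_link("X1", "up")
    result["after_repair"] = snapshot()     # with LSP: X0 comes back up, primary path returns
    return result


if __name__ == "__main__":
    for enabled in (False, True):
        print("LSP", "on:" if enabled else "off:", simulate_x1_fiber_failure(enabled))
```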
With the newly inserted application intelligence layer, the security administrator is finally able to see precisely the
sort of traffic that is passing through the access rule "access-list SIEVE permit TCP any object-group
LOCALNETS eq http" on their existing firewalls, and to define real access controls.
[3] Stateful inspection continues on all connections in path failovers of this sort, but DPI scanning only occurs on newly
    established connections.
[5] Flow Reporting requires that the flow collector be reachable by IP from the E10400. An interface, such as the dedicated
    management interface or some other available X0-X21 interface, must be configured and connected accordingly.
10. Move to the other (e.g. right) side of the network, and disconnect the link between the core-switch and the
diagonally cross-connected firewall.
11. Connect this link from the switch to the X0 interface on the right E10400.
12. Cable the X1 interface on the right E10400 to the diagonally situated upstream firewall.
13. On the right E10400 Network > Interface page, select the X1 interface and set the Zone to Unassigned.
14. On the right E10400 Network > Interface page, select the X0 interface and configure as follows:
Zone = LAN
IP Assignment = Wire Mode
Wire Mode Type = Secure Mode
Paired Interface = X1
15. Staying on the right side of the network, disconnect the link between the core-switch and the firewall situated
above it.
16. Connect this link from the switch to the X2 interface on the right E10400.
17. Cable the X3 interface on the right E10400 to the upstream firewall.
18. Beginning on one side of the network (e.g. the core-switch on the left), disconnect the link between the
core-switch and the diagonally cross-connected firewall.
19. Return to the other (e.g. left) side of the network and disconnect the link between the core-switch and the
firewall situated above it.
20. Cable the X1 interface on the left E10400 to the upstream firewall.
21. On the right E10400 Network > Interface page, select the X1 interface and set the Zone to Unassigned.
22. On the right E10400 Network > Interface page, select the X0 interface and configure as follows:
Zone = LAN
IP Assignment = Wire Mode
Wire Mode Type = Secure Mode
Paired Interface = X1
23. Activate all the security services (Gateway Anti-Virus, Anti-Spyware, IPS, and Application Control) as
described below in the Configuring Application Intelligence section.
1. Once Internet connectivity is established over the X0 interface, proceed with registering the appliance. If
security services have not been purchased, activate the 30-day trial of Gateway AV, IPS, App Control, CFS,
and Anti-Spyware.
Navigate to System > Diagnostics and run all the tests under Check Network Settings. If you have an
unsuccessful result, double check cabling and IP settings. (Note: the upstream gateway device may not allow
ping. Failing this particular test is not conclusive enough to indicate an issue. The license servers for
MySonicWALL should all come back with positive results.)
2. When the appliance is successfully registered, go to the System > Licenses page and click Synchronize
under Manage Security Services Online. This will contact the SonicWALL licensing server and ensure that
the appliance is properly licensed.
3. To check licensing status, go to the System > Status page and view the license status of all the services.
4. Download the latest firmware (5.8.1 or newer) from www.mysonicwall.com. On the SonicWALL, navigate to
System > Settings, upload the new firmware, and boot the new firmware image.
5. When using a SonicWALL network security appliance in Layer 2 Bridge Mode in a network configuration
where another device is acting as the DHCP server, you must first disable its internal DHCP engine, which is
configured and running by default. On the Network > DHCP Server page, clear the Enable DHCP Server
check box, and then click on the Apply button at the top of the screen.
6. On the Network > Interfaces page, click the configure icon for X1 and X0. Enable the HTTP/HTTPS
management check boxes and optionally the others.
7. OPTIONAL (when you have an SNMP management solution): On the System > Administration page, make
sure the checkbox next to Enable SNMP is checked, and then click on the Accept button at the top of the
screen. Then, click the Configure button. On the SNMP Settings page, enter all the relevant information for
your network security appliance: the GET and TRAP SNMP community names that the SNMP server expects
and the IP address of the SNMP server. Click OK to save and activate the changes.
8. On the Log > Viewpoint page, click on the Add button and create an entry for the Viewpoint server. Click OK
to save and activate the change.
9. On the Network > Zones page, enable GAV, Anti-Spyware, IPS, and App Control on the WAN and LAN
zones.
10. Then, on the Security Services page for each service, enable and configure the settings that are most
appropriate for your environment. The recommended settings are shown below:
Intrusion Prevention settings
Anti-Spyware settings
11. On the Firewall > Access page, create access rules that allow WAN > LAN for ANY traffic. By default all
traffic is allowed from LAN > WAN.
12. On the Log > Categories page, set the Logging Level to Informational and the Alert Level to Critical.
Click Accept to save and activate the change. Enable Log and Sys Log for Application Control,
Application Firewall, and any other pertinent areas. If you wish to receive alerts for a particular activity,
enable the Alert checkbox.
13. Go to the Log > Name Resolution page and set the Name Resolution Method to DNS then NetBIOS.
Ensure the correct DNS servers are specified. Click Accept to save and activate the change.
There are a variety of Application Intelligence reports that can be generated from a SonicWALL Next Generation
Firewall. The simplest and quickest is the SonicWALL Application and Risk Management (SWARM) report.
1. From the SonicWALL administrator interface, select Dashboard > App Flow Monitor and select the paper
icon:
2. The following popup window will appear. Select the blue Download button to download the database and
save the file to a local directory:
3. Log in to MySonicWall (http://www.mysonicwall.com) and select the SW Tools section from the main menu:
4. This will expand the section and present a sub menu. Select App Reports:
5. This will open up a dialog that allows you to upload the database you saved in Step #2 by selecting the
Upload button:
6. After the report is created, it will be available in OpenOffice or Word format for editing or in PDF format for
distribution:
SonicOS 5.8 offers the ability to use NetFlow/IPFIX based reporting for NetFlow v5, v9, and IPFIX. The
recommendation is to use IPFIX as it provides the richest reporting along with custom templates. Templates are
additional extensions to the IPFIX standard that allow the export of custom data to an external IPFIX collector (like
SonicWALL Scrutinizer).
In this release, SonicWALL templates include the following: Applications, Virus, Spyware, Intrusions, Users,
URLs, URL Ratings, Location Map (Countries), Services, Connections, VPNs, SPAM, VOIP, Logs, Interface
Stats, Core Utilization, and Memory Utilization.
Note: Even though SonicWALL is capable of exporting this extra data via templates, the NetFlow/IPFIX collector
needs to support these templates as well if you wish to get reporting data from them. SonicWALL Scrutinizer
supports many of the custom templates the firewall exports.
Note: The App Flow Monitor is dependent on having the Flow Reporting enabled for the internal collector.
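Why the collector has to understand the exported templates, as an added example (not SonicWALL's or Scrutinizer's code): it builds a constructed IPFIX message (RFC 7011 layout) holding one template set and one data set, then runs a small collector over it with and without the template. Element ids 8, 12 and 2 are standard IANA elements; the enterprise number 60000 and element id 100 are placeholders standing in for a vendor template field, not SonicWALL's real values.

```python
"""Added example, not SonicWALL code: an IPFIX (RFC 7011) collector can only decode
a data set once it has the template describing it. Element ids 8, 12 and 2 are standard
IANA elements; enterprise 60000 / element 100 is a placeholder vendor field, not SonicWALL's."""
import socket
import struct

IPFIX_VERSION, TEMPLATE_SET_ID, ENTERPRISE_BIT = 10, 2, 0x8000
PLACEHOLDER_PEN = 60000  # constructed, not a registered enterprise number
# Template 256: (element_id, length, enterprise_number or None for IANA elements)
TEMPLATE_256 = [(8, 4, None), (12, 4, None), (2, 8, None), (100, 2, PLACEHOLDER_PEN)]

def build_message(template_id, fields, records, include_template=True):
    """Serialise an optional template set plus one data set, with the 16-byte header."""
    body = b""
    if include_template:
        tmpl = struct.pack("!HH", template_id, len(fields))
        for eid, length, pen in fields:
            if pen is None:
                tmpl += struct.pack("!HH", eid, length)
            else:  # enterprise bit set: a 4-byte enterprise number follows
                tmpl += struct.pack("!HHI", eid | ENTERPRISE_BIT, length, pen)
        body += struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(records)
    body += struct.pack("!HH", template_id, 4 + len(data)) + data
    # header fields: version, total length, export time, sequence, observation domain
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 0, 1) + body

def parse_templates(payload):
    """Decode a template set into {template_id: [(eid, length, pen), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(payload):
        tid, count = struct.unpack("!HH", payload[off:off + 4])
        off, fields = off + 4, []
        for _ in range(count):
            eid, length = struct.unpack("!HH", payload[off:off + 4])
            off, pen = off + 4, None
            if eid & ENTERPRISE_BIT:
                eid, pen = eid & ~ENTERPRISE_BIT, struct.unpack("!I", payload[off:off + 4])[0]
                off += 4
            fields.append((eid, length, pen))
        templates[tid] = fields
    return templates

def decode_data(payload, fields):
    """Slice a data set into records using the template's fixed field lengths."""
    rec_len, records = sum(f[1] for f in fields), []
    for start in range(0, len(payload) - rec_len + 1, rec_len):
        rec, off = {}, start
        for eid, length, pen in fields:
            raw, off = payload[off:off + length], off + length
            ipv4 = pen is None and eid in (8, 12)  # source/destinationIPv4Address
            rec[f"{pen}:{eid}" if pen else eid] = socket.inet_ntoa(raw) if ipv4 else int.from_bytes(raw, "big")
        records.append(rec)
    return records

def collect(msg):
    """Collector loop: validate lengths, learn templates, decode what they describe."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    out, templates, off = [], {}, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")  # refuse to over-read the buffer
        payload, off = msg[off + 4:off + set_len], off + set_len
        if set_id == TEMPLATE_SET_ID:
            templates.update(parse_templates(payload))
        elif set_id in templates:  # a data set is named by its template id
            out.extend(decode_data(payload, templates[set_id]))
        elif set_id >= 256:
            out.append({"undecodable_set": set_id, "bytes": len(payload)})
    return out

# Constructed sample flow record laid out per TEMPLATE_256.
SAMPLE_RECORD = (socket.inet_aton("192.168.169.15") + socket.inet_aton("10.0.0.1")
                 + (42).to_bytes(8, "big") + (7).to_bytes(2, "big"))
WITH_TEMPLATE = build_message(256, TEMPLATE_256, [SAMPLE_RECORD])
WITHOUT_TEMPLATE = build_message(256, TEMPLATE_256, [SAMPLE_RECORD], include_template=False)
```

A data set is identified only by its template id, so a collector that never received that template is left with opaque bytes, which is the situation the note above describes for a collector lacking support for the firewall's custom templates.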
For more details on SSO and policy actions that can pertain to given users or groups in LDAP, refer to the
TechNote available in the Support section of www.sonicwall.com entitled, Leveraging LDAP Groups and Users
with SonicWALL network security appliances.
For instructions on how to deploy SSO agents, see the following TechNote:
http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_Single_Sign_On_Feature_Module.pdf