Posts Tagged ‘sonicwall’

Troubleshoot network port connectivity in SonicWall devices

Wednesday, June 12th, 2013

Few things are as aggravating to a technician or customer as two vendors blaming each other for a problem.

I recently ran into this when I was unable to establish communication from the Internet to a client’s internal server through a SonicWall TZ 100 firewall device. The customer’s server would accept connections internally but not externally. The firewall had the necessary ports open to allow communication but the application just couldn’t reach the server.

Other applications worked just fine—just this one was failing… somewhere. Two of my co-workers verified my settings and couldn’t find any problems. The problem lay either with the ISP blocking the port or a malfunction with the SonicWall.

When I reported the problem to the ISP the technician quickly said “we don’t block any ports.” He checked a few items and reaffirmed nothing on their end was causing our problem. OK, so that left the SonicWall device. It was under maintenance and I called for technical support.

The SonicWall technician remotely controlled my computer to view my setup. He found nothing wrong either and said the problem was the ISP blocking the port. I replied to him that the ISP said nothing was blocked.

The technician proceeded to prove the SonicWall was working correctly, which made my day!

Packet Monitor

SonicWall devices have a Packet Monitor feature that works independently of any configured settings. It can capture incoming traffic as it enters the firewall, before routing it to the local network. It can also filter for traffic on specific ports, making the results easier to examine.

Assume the port I need to verify is 445, which is Windows file sharing (CIFS/SMB). This is commonly blocked for security reasons. Assume its Mac counterpart, port 548, is working correctly and a completely random port such as port 54321 is not configured at all. This random port will be my “control” in my testing.

  1. Log in to the SonicWall device and select System –> Packet Monitor in the lefthand navigation pane.
    Packet Monitor menu
  2. In the right pane click the Configure button.
    Packet Monitor Configure
  3. Under the Settings tab of the Packet Monitor Configuration window, enable all options under the Exclude Filter section. This keeps management traffic from contaminating the results.
    Configure Settings
  4. Under the Monitor Filter tab enter the following information and enable the following items:
    • Interface Name(s): X1 — This is the Internet-facing port of the SonicWall device.
    • Ether Type(s): IP — By specifying IP we eliminate any ARP or PPPoE traffic.
    • IP Type(s): TCP — This eliminates any UDP, ICMP or other types of IP traffic.
    • Source Port(s): 548 — For now, we’ll test with a known working port.
    • Destination IP Address(es): The public IP address of the SonicWall device.
    • Enable Bidirectional Address and Port Matching: Enabled
    • Forwarded packets only: Enabled
    • Dropped packets only: Enabled
    Click the OK button to save the settings and close the window.
    Monitor filter
  5. Finally, click the Start Capture button. The window reflects that tracing is active.
    Start Capture

Now that the SonicWall device is monitoring Mac file sharing traffic, use telnet in the Terminal application to verify this type of traffic is actually reaching the destination.

  1. In the Terminal application enter:
    telnet 97.XXX.XXX.14 548
    Telnet 548
  2. In the Captured Packets window below, an entry appears in blue and indicates the packet was forwarded to the destination server inside the local network.
    Captured 548 packet

With connectivity verified on port 548, test next with port 54321. This port should not be open but the SonicWall should at least register the attempt.

  1. Revisit the Monitor Filter and change the Source Port from 548 to 54321. Click the OK button and then click the Clear button to erase the captured packets.
    Monitor filter 54321
  2. In the Terminal application enter:
    telnet 97.XXX.XXX.14 54321
    Telnet 54321

    Terminal should reflect it cannot connect on port 54321. The SonicWall doesn’t accept this port.

  3. However, the SonicWall packet filter will at least acknowledge the attempt and report the packet was dropped.
    Dropped 54321 packet

The SonicWall packet filter is clearly registering attempts for open ports and closed ports. So, what happens when the ISP is blocking a port?

  1. Revisit the Monitor Filter and change the Source Port from 54321 to 445 (the suspected ISP-blocked port). Click the OK button and click the Clear button to erase captured packets.
    Monitor filter 445
  2. In the Terminal application enter:
    telnet 97.XXX.XXX.14 445
    Telnet 443

    This time Terminal acts differently. It neither succeeds nor fails. It just keeps trying.

  3. The SonicWall shows nothing because it never receives the packet.
    No 445 packet received

This concludes the test and proves the SonicWall is functioning normally. Convincing the ISP it’s still blocking the port… that’s another story.
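The three outcomes above (connected, refused/dropped, and "keeps trying" with nothing in the capture) are what separate a firewall problem from upstream filtering. The following is an added example, not code from the post: it probes a port the way telnet does, and combines the client's result with whether the Packet Monitor saw the packet (read off the capture by hand and passed in as a boolean) to reach the same verdict the post reaches. The loopback self-check and the timeout value are assumptions for running it offline.

```python
"""Port-path diagnosis modelled on the SonicWall Packet Monitor test.

Added example; not from the original post. Combines the client-side TCP
connect result with the firewall capture observation for the same port.
"""
import socket
import threading
from typing import Optional, Tuple

TIMEOUT = 3.0  # seconds (assumption): long enough to get an RST, short for a demo


def probe_tcp(host: str, port: int, timeout: float = TIMEOUT) -> str:
    """Attempt a TCP connection and report what the client side observes.

    "open"        - handshake completed (telnet prints 'Connected to')
    "refused"     - an RST came back (telnet fails immediately)
    "no-response" - nothing came back before the timeout (telnet keeps trying)
    "unreachable" - the local stack could not even send the SYN
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "no-response"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def diagnose(client_result: str, seen_by_firewall: Optional[bool]) -> str:
    """Combine the client view with the firewall's Packet Monitor view.

    seen_by_firewall: True if the capture logged the SYN (forwarded or dropped),
    False if the capture stayed empty, None if the capture was not checked.
    """
    if client_result == "open":
        return "service reachable: firewall forwarded the packet"
    if seen_by_firewall is None:
        return "inconclusive: check the firewall capture for this port"
    if seen_by_firewall:
        # The SYN arrived at the WAN interface and was dropped there (or the
        # host behind it rejected it): look at access rules / NAT / the host.
        return "firewall received the packet and dropped it: review access rules/NAT"
    if client_result == "no-response":
        # Nothing arrived at the WAN interface: something upstream ate the SYN.
        return "packet never reached the firewall: upstream (ISP) filtering"
    return "inconclusive: client error before the packet left the LAN"


def local_self_check() -> Tuple[str, str]:
    """Reproduce the 'open' and 'refused' cases on loopback (no network needed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    # Accept in the background so the probe's connect() completes cleanly.
    acceptor = threading.Thread(target=lambda: listener.accept()[0].close(), daemon=True)
    acceptor.start()
    open_result = probe_tcp("127.0.0.1", port)
    acceptor.join(TIMEOUT)
    listener.close()
    # The same port is now closed: loopback answers the SYN with RST -> "refused".
    closed_result = probe_tcp("127.0.0.1", port)
    return open_result, closed_result


if __name__ == "__main__":
    print(local_self_check())
    print(diagnose("no-response", False))
```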

Quick Update to a Radiotope Guide for Built-In Mac OS X VPN Connections

Tuesday, March 26th, 2013

Just a note for those folks with well-worn bookmarks to this post on Ed Marczak’s blog, Radiotope.com, for authenticating VPN connections with Mac OS X Server’s Open Directory, which is still valid today. When trying to use the System Preferences VPN client/network adapter with the built-in L2TP server in Sonicwall, though, I was curious why OD auth wasn’t working for me, while users that were local to the Sonicwall were. As it had been a while since the last time I’d set it up, I went on a search engine spelunking and found a link that did the trick.

In particular, a comment by Ted Dively brought to my attention the fact that you need to change the order (in the VPN sidebar item, L2TP Server, under the PPP tab after clicking the Configure button) of the authentication types the L2TP service is configured to use, to PAP instead of the more standard MSCHAPv2.

Where it's done

We hope that is of help to current and future generations.

How to Configure basic High Availability (Hardware Failover) on a SonicWALL

Friday, November 30th, 2012

Configuring High Availability (Hardware Failover) on a SonicWALL requires the following:

1. Two SonicWALLs of the same model (TZ 200 and up).

2. Both SonicWALLs need to be registered at MySonicWALL.com (regular registration, and then one as HF Primary, one as HF Secondary).

3. The same firmware versions need to be on both SonicWALLs.

4. Static IP addresses are required for the WAN Virtual IP interface (you can’t use DHCP).

5. Three LAN IP addresses (one for Virtual IP, one for the management IP, and one for the Backup management IP).

6. A crossover cable (to connect the SonicWALLs to each other) on the last ethernet interfaces.

7. 1 hub or switch for the WAN port on each SonicWALL to connect to.

8. 1 hub or switch for the LAN port on each SonicWALL to connect to.

Caveats

1. High Availability cannot be configured if “built-in wireless is enabled”.

2. On NSA 2400MX units, High Availability cannot be configured if PortShield is enabled.

3. Stateful HA is not supported for connections on which DPI-SSL is applied.

4. On TZ210 units the HA port/Interface must be UNASSIGNED before setting up HA (last available copper ethernet interfaces).


Setup

1. Register both SonicWALLs at MySonicWALL as High Availability Pairs BEFORE connecting them to each other:

• “Associating an Appliance at First Registration”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6233#Associating_an_Appliance_at_First_Registration_

• “Associating Pre-Registered Appliances”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6235#Associating_Pre-Registered_Appliances

• “Associating a New Unit to a Pre-Registered Appliance”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6236#Associating_a_New_Unit_to_a_Pre-Registered_Appliance

2. Log in to the Primary HF and configure the SonicWALL (firewall rules, VPN, etc.).

3. Connect the SonicWALLs to each other on their last ethernet ports using a crossover cable.

4. Connect the WAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect the switch to your upstream device (modem, router, ADTRAN, etc.)

5. Ensure the Primary HF can still communicate to the Internet.

6. Connect the LAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect them to your main LAN switch (if you don’t have one, you should purchase one. This will be the switch that all your LAN nodes connect to.).

7. Go to High Availability > Settings.

8. Select the Enable High Availability checkbox.

9. Under SonicWALL Address Settings, type in the serial number for the Secondary HF (Backup SonicWALL). You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the backup unit. The serial number for the Primary SonicWALL is automatically populated.

10. Click Accept to save these settings.


Configuring Advanced High Availability Settings

1. Click High Availability > Advanced.

2. Put a check mark for Enable Preempt Mode.

3. Put a check mark for Generate / Overwrite Backup Firmware and Settings when Upgrading Firmware.

4. Put a check mark for Enable Virtual MAC.

5. Leave the Heartbeat Interval at default (5000ms).

6. Leave the Probe Interval at default (no less than 5 seconds).

7. Leave Probe Count and Election Delay Time at default.

8. Ensure there’s a checkmark for Include Certificates/Keys.

9. Press Synchronize settings.


Configuring High Availability > Monitoring Settings

(Only do the following on the primary unit; the settings will be synchronized to the secondary unit.)

1. Log in as the administrator on the Primary SonicWALL.

2. Click High Availability > Monitoring.

3. Click the Configure icon for an interface on the LAN (ex. X0).

4. To enable link detection between the designated HA interface on the Primary and Backup units, leave the Enable Physical Interface monitoring checkbox selected.

5. In the Primary IP Address field, enter the unique LAN management IP address.

6. In the Backup IP Address field, enter the unique LAN management IP address of the backup unit.

7. Select the Allow Management on Primary/Backup IP Address checkbox.

8. In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity (something that has an address that’s always turned on like a server or managed switch).

9. Click OK.

10. To configure monitoring on any of the other interfaces, repeat the above steps.

11. When finished with all High Availability configuration, click Accept. All changes will be synchronized to the idle HA device automatically.


Testing the Configuration

1. Allow some time for the configuration to sync (at least a few minutes). Power off the Primary SonicWALL. The Backup SonicWALL should quickly take over.

2. Test to ensure Internet access is OK.

3. Test to ensure LAN access is OK.

4. Log in to the Backup SonicWALL using the unique LAN address you configured.

5. The management interface should now display “Logged Into: Backup SonicWALL Status: (green ball)”. If all licenses are not already synchronized with the Primary SonicWALL, go to System > Licenses and register this SonicWALL on mysonicwall.com. This allows the SonicWALL licensing server to synchronize the licenses.

6. Power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display “Logged Into: Primary SonicWALL Status: (green ball)”.

NOTE: Successful High Availability synchronization is not logged, only failures are logged.

Installing a SonicWALL ViewPoint Virtual Machine

Monday, April 2nd, 2012

When installing a ViewPoint VM you will need to download three items.

First is the SonicWALL_ViewPoint_Virtual_Appliance_GSG.pdf, available from mysonicwall.com.
This will be your step-by-step instruction manual for installing the ViewPoint VM.
Next you will need to identify which version of VXI host you are running, and then download the same version of the client as your VXI host.
Lastly you will need to log in to mysonicwall.com and download the sw_gmsvp_vm_eng_6.0.6022.1243.950GB.ova from mysonicwall.com.

When you have all three of these downloaded, open the SonicWALL_ViewPoint_Virtual_Appliance_GSG and start going through the step-by-step instructions.
You will first install the VM client and may run into the first gotcha. Depending on the machine setup, the .exe may be blocked from running.
The download will look like this: VMware-viclient-all-4.1.0-345043.exe.zip. Get properties on this file and unblock it if it is blocked.
After the install of the VM client, follow the instructions in the PDF until you get to page 18, step 2:

2. When the console window opens, click inside the window, type snwlcli at the login: prompt and then press Enter. Your mouse pointer disappears when you click in the console window. To release it, press Ctrl+Alt.

Here is where you will run into the biggest gotcha.

You will be asked to log in with a name and password. On the first login use the name snwlcli with no password,
then use the default name and password and continue.

Using Nagios MIBs with a SonicWALL

Wednesday, November 23rd, 2011

A MIB (short for Management Information Base) is an index, based on a network standard, that categorizes the data for a specific device so SNMP servers can read it. SonicWALL MIBs are specific to the device AND the firmware. Each can be downloaded from www.mysonicwall.com (you will need an account to download). Click on Downloads, then Download Center, and then find the firmware that you are running. Then click on “SNMP MIBs” to download.

Once downloaded, copy the MIB files to /usr/share/snmp/mibs to prepare them for loading into Net-SNMP. Then run check_snmp with the -m option followed by ALL so that Nagios will detect the new MIBs:
check_snmp -m ALL
Once complete, determine the OID. OIDs are MIB variables that tell an SNMP monitor where to look for information on the device. These variables can be determined by reading the MIBs. One tool that assists with this is MIB Browser by iReasoning Networks (http://tl1.ireasoning.com/mibbrowser.shtml). MIB Browser runs on Windows, Mac OS X, and Linux/UNIX. To obtain the appropriate OIDs:
  1. Load the MIBs in MIB Browser by going to File > Load Mibs.
  2. Manually comb through to find the OID you want (a string used in the SonicWALL Web Configuration).

To put this into use, let’s prepare an snmpwalk from a TZ100. First, download the SNMP MIBs from MySonicWALL.com for a TZ100 running firmware version 5.6.0.12-65o. Then load the SONICWALL-FIREWALL-IP-STATISTICS-MIB into MIB Browser. Searching for “CPU” (Edit -> Find in MIB Tree) shows sonicCurrentCPUUtil; the OID for this value is .1.3.6.1.4.1.8741.1.3.1.3.0. We used the OID shown in the drop-down near the menu in MIB Browser. This shows the full OID, which sometimes includes a “0” at the end (shown towards the bottom of the window). Next, add the OID to a switch.cfg file in Nagios:

define service{
    use                     generic-service ; Inherit values from a template
    host_name               TZ100
    service_description     CPU Utilization
    check_command           check_snmp!-C public -o .1.3.6.1.4.1.8741.1.3.1.3.0 -m all
}

These settings include the following:

  • host_name: the name of the device (whatever you want to call it)
  • service_description: the name of the service you are monitoring (whatever you want to call it)
  • check_command: -C defines the SNMP community string, -o defines the OID to read, and -m defines which MIB files to load; to be more specific, for this example you can narrow “-m all” to “-m SONICWALL-FIREWALL-IP-STATISTICS-MIB.MIB”

Overall, setting up Nagios to leverage MIBs from third-party vendors is an easy task, if a tedious one when there are a lot of values you’d like to walk through with SNMP.

Basic SonicWALL Router Setups

Tuesday, October 11th, 2011

A work in progress…

1. Register the Sonicwall appliance at www.mysonicwall.com. A new account may be created for this purpose.

2. Download the latest firmware from mysonicwall.com

3. Disable popup blocking on your browser

4. The default IP of a factory Sonicwall device is 192.168.168.168. Connect to the Sonicwall (you need to adjust your Ethernet NIC’s config to match the Sonicwall’s network settings)

5. Follow the setup wizard and define a WAN IP, LAN IP, and DHCP range of IPs

6. Upload the newer firmware downloaded above and boot from it

7. In the https://[Sonicwall IP Address]/diag.html screen, uncheck the box “Enforce Host Tag Search for CFS”

8. Use the Public Server Wizard to create additional systems on the LAN that need to be publicly accessible. Note that the default WAN IP address provided in the wizard is the SonicWALL’s, but you can enter a different WAN IP; this creates a NAT policy using a new Address Object in the WAN zone

9. If more than one service needs to be visible for a system (e.g., a mail server needing 993, 587, 465, etc.), just select a single service during the wizard setup and then modify the “Service Group” that the wizard creates to include the additional services that you want visible

10. For site-to-site VPN, follow the documentation in the SonicOS Administrators guide. Typically we have found that setting the VPN policy up in Aggressive Mode works more reliably than Main Mode

Provisioning TelePacific iNOC On A SonicWALL

Friday, January 7th, 2011

1. Log in to the SonicWALL

2. Check to see if SNMP is already in use on WAN IPs by checking under Network > Firewall.

ALERT: Enabling SNMP Management on the SonicWALL will cause issues with the SNMP firewall rules. You can ONLY have SNMP SonicWALL Management OR SNMP firewall port forwarding. Not both. This was confirmed with SonicWALL Tech Support.

3. Go to System > Administration

4. Scroll down and put a check mark for “Enable SNMP”

5. Click on Configure

6. Put in whatever you want for System Name, System Contact, System Location. You can leave Asset Number blank. Ask TPAC for their monitoring WAN IP and put that in the “Host 1” field.

7. Go to Network > Interfaces

8. Click on the Configure icon for the Interface that you want monitored.

9. Put a check mark next to SNMP

10. Click OK

11. You can confirm SNMP is listening by using snmpwalk. On a Mac, the command can be:

snmpwalk -c private -v 2c <WAN IP address of the SonicWALL>

or

snmpwalk -c private -v 1 <WAN IP address of the SonicWALL>

The SonicWALL uses SNMP versions 1 and 2c.

Restricting Outgoing Email To a 3rd Party SMTP Relay Host on SonicWALLs

Friday, November 12th, 2010

Often it is necessary to lock down outbound traffic to MX Logic. MX Logic can provide outbound filtering, which helps prevent getting blacklisted while also scanning your outgoing e-mail for malware. Limiting communication with MX Logic to the mail server alone also ensures that no rogue mail servers (often infected devices) can send out e-mail.

This guide assumes you have already used the Wizard to setup port forwarding, firewall rules, and NAT policies for allowing the mail server to be accessed via the SonicWALL.

To Lock Down a SonicWALL to Outbound Email to MX Logic
1. Determine what port you will be sending out on. If you are using a non-standard port, you will first need to make a custom service object on the SonicWALL for the port.
2. Create an Address Group containing the Address Objects for MX Logic:
  1. Go to Network.
  2. Go to Address Objects.
  3. Add Address Object:
    1. Name: MX Logic 1
    2. Zone Assignment: WAN
    3. Type: Network
    4. Network: IP from MX Logic
    5. Netmask: Subnet from MX Logic
    NOTE: You will need to do this for each subnet that MX Logic offers. Name them sequentially. The address info can be found on MX Logic’s portal.
  4. Go to Address Objects.
  5. Create Address Object Group.
  6. Add all of your MX Logic Address Objects to the Address Object Group, and call it “MX Logic”.
  7. Save all your changes.
3. Go to Firewall.
4. Go to LAN to WAN.
5. Click Add.
6. Create a rule that allows the mail server on the LAN to send out to MX Logic on the WAN:
  1. Action: Allow
  2. From Zone: LAN
  3. To Zone: WAN
  4. Service: SMTP (or whatever you named your custom one)
  5. Source: Your Address Object representing your mail server
  6. Destination: MX Logic (the Address Object Group you created previously)
  7. Save your changes.
7. Create another rule to block all other outbound e-mail:
  1. Go to Firewall.
  2. Go to LAN to WAN.
  3. Click Add.
  4. Action: Deny
  5. From Zone: LAN
  6. To Zone: WAN
  7. Service: SMTP (or whatever you named your custom one)
  8. Source: Any
  9. Destination: Any
  10. Save your changes.
8. Adjust the rule order:
  1. Ensure that the MX Logic outbound rule is above the rule that blocks all other devices from sending SMTP traffic out to the Internet.
  2. Apply the changes.
NOTE: By doing this, any laptop users, or other portable device users, that may try to send email over port 25 through other servers (Gmail, Yahoo, AOL, etc.) will be DENIED by the SonicWALL.
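Rule order is the part of this guide that is easiest to get wrong, so here is an added example (not SonicWALL code) that evaluates the two LAN-to-WAN SMTP rules top-down, first match wins, the way the access rule table is processed. The mail server address, the "laptop" address and the MX Logic subnets are constructed placeholders (RFC 1918 and RFC 5737 documentation ranges), not real MX Logic addresses; the real subnets come from the MX Logic portal.

```python
"""First-match evaluation of the LAN->WAN SMTP rules from the guide.

Added example; not SonicWALL code. All addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

SMTP_PORT = 25  # or the custom service port chosen in step 1 of the guide

# Constructed address objects (placeholders, not real MX Logic ranges)
MAIL_SERVER = ipaddress.ip_network("192.168.1.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")
MX_LOGIC_GROUP = [
    ipaddress.ip_network("203.0.113.0/24"),   # "MX Logic 1" (constructed)
    ipaddress.ip_network("198.51.100.0/24"),  # "MX Logic 2" (constructed)
]


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    source: List[ipaddress.IPv4Network]
    destination: List[ipaddress.IPv4Network]
    service_port: int


def _in_any(ip: ipaddress.IPv4Address, networks: List[ipaddress.IPv4Network]) -> bool:
    return any(ip in net for net in networks)


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Walk the rule table top-down; the first matching rule decides.

    The list order stands in for the priority order in the SonicWALL table.
    No match falls through to an implicit deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (rule.service_port == dport
                and _in_any(s, rule.source)
                and _in_any(d, rule.destination)):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit"


ALLOW_MAIL_TO_MXLOGIC = Rule("mail-server to MX Logic", "allow",
                             [MAIL_SERVER], MX_LOGIC_GROUP, SMTP_PORT)
DENY_ALL_SMTP = Rule("block all other outbound SMTP", "deny",
                     [ANY], [ANY], SMTP_PORT)

CORRECT_ORDER = [ALLOW_MAIL_TO_MXLOGIC, DENY_ALL_SMTP]  # step 8: allow above deny
WRONG_ORDER = [DENY_ALL_SMTP, ALLOW_MAIL_TO_MXLOGIC]    # what you get if step 8 is skipped


def check_policy(rules: List[Rule]) -> Dict[str, str]:
    """Verdicts a practitioner should confirm after applying the rules.

    192.0.2.7 is a constructed stand-in for any non-MX Logic mail host.
    """
    return {
        "mail_server_to_mxlogic": evaluate(rules, "192.168.1.10", "203.0.113.25", SMTP_PORT),
        "mail_server_to_other": evaluate(rules, "192.168.1.10", "192.0.2.7", SMTP_PORT),
        "laptop_to_other_25": evaluate(rules, "192.168.1.77", "192.0.2.7", SMTP_PORT),
    }


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, check_policy(rules))
```

With the deny rule on top, even the mail server's traffic to MX Logic is denied, which is why the guide makes the ordering step explicit.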

Setting Up SonicWALL’s SonicPoints

Tuesday, February 23rd, 2010

99% of this is from Page 23 of the SonicWALL Network Security Appliances – SonicPoint-N Dual-Band Getting Started Guide, the other 1% makes it worth reprinting.

Configuring Wireless Access

This section describes how to configure SonicPoints with a SonicWALL UTM appliance.

SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL UTM appliances. Before you can manage SonicPoints in the management interface, perform the following steps:
-Configuring Provision Profiles
-Configuring a Wireless Zone
-Configuring the Network Interface

Configuring Provision Profiles
A SonicPoint Profile defines settings that can be configured on a SonicPoint, such as radio SSIDs and channels of operation.

These profiles make it easy to apply basic settings to a wireless zone, especially when that zone contains multiple SonicPoints. When a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone. If a SonicPoint is connected to a zone that does not have a custom profile assigned to it, the default profile “SonicPoint-N” is used.

To add a new profile:
1. Navigate to the SonicPoint > SonicPoints page in the SonicOS interface.
2. Click Add SonicPointN below the list of SonicPoint provisioning profiles.
3. The Add/Edit SonicPoint Profile window displays settings you can enable and/or modify.

Settings Tab:
1. Select Enable SonicPoint
2. Enter a Name Prefix to be used internally as the first part of the name for each SonicPoint provisioned
3. Select the Country Code for the area of operation

802.11n Radio Tab
1. Select Enable Radio
2. Optionally, select a schedule for the radio to be enabled from the drop-down list. The most common work and weekend hour schedules are pre-populated for selection.
3. Select a Radio Mode to dictate the radio frequency band(s). The default setting is 2.4GHz 802.11n/g/b Mixed.
4. Enter an SSID. This is the access point name that will appear in clients’ lists of available wireless connections.
5. Select a Primary Channel and Secondary Channel. You may choose AutoChannel unless you have a reason to use or avoid specific channels.
6. Under WEP/WPA Encryption, select the Authentication Type of your wireless network. SonicWALL recommends using WPA2 as the authentication type.
7. Fill in the fields specific to the authentication type that you selected. The remaining fields change depending on the selected authentication type.
8. Optionally, under ACL Enforcement, select Enable MAC Filter List to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address object group from the Allow List or Deny List to automatically allow or deny traffic to and from all devices with MAC addresses in the group. The Deny List is enforced before the Allow List.

Advanced Tab:
Configure the advanced radio settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance. For a full description of the fields on this tab, see the SonicOS Enhanced Administrator’s Guide.

Configuring a Wireless Zone

You can configure a wireless zone on the Network > Zones page. Typically, you will configure the WLAN zone for use with SonicPoints.

To configure a standard WLAN zone:
1. On the Network > Zones page in the WLAN row, click the icon in the Configure column.
2. Click on General tab.
3. Select the Allow Interface Trust setting to automate the creation of Access Rules that allow traffic to flow between the interfaces within the zone, regardless of which interfaces the zone is applied to. For example, if the WLAN Zone has both the X2 and X3 interfaces assigned to it, selecting the Allow Interface Trust checkbox on the WLAN Zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
4. Select the check boxes for the security services to enable on this zone. Typically, you would enable Gateway Anti-Virus, IPS, and Anti-Spyware (IF YOU HAVE THE LICENSES). If your wireless clients are all running SonicWALL Client Anti-Virus, select Enable Client AV Enforcement Service.
5. Click on the Wireless Tab.
6. Select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This provides the maximum security on your WLAN.
7. Optionally, click the Guest Services tab to configure guest Internet access solely, or in tandem with secured access. For information about configuring Guest Services, see the SonicOS Enhanced Administrator’s Guide.
8. When finished, click OK.

Configuring the Network Interface

Each SonicPoint or group of SonicPoints must be connected to a physical network interface that is configured for Wireless. SonicOS by default provides a standard wireless zone (WLAN), which can be applied to any available interface.

To configure a network interface using the standard wireless (WLAN) zone:
1. Navigate to the Network > Interfaces page and click the Configure button for the interface to which your SonicPoints will be connected.
2. Select WLAN for the Zone type.
3. Select Static for the IP Assignment.
4. Enter a static IP Address in the field. Any private IP is appropriate for this field, as long as it does not interfere with the IP address range of any of your other interfaces.
5. Enter a Subnet Mask.
6. Optionally, choose a SonicPoint Limit for this interface. This option helps limit resources on a port-by-port basis when using SonicPoints across multiple ports.
7. Optionally, choose to allow Management and User Login mechanisms if they make sense in your deployment. Remember that allowing login from a wireless zone can pose a security threat, especially if you or your users have not set strong passwords.

Verifying Operation

To verify that the SonicPoint is provisioned and operational, navigate to the SonicPoint > SonicPoints page in the SonicOS management interface. The SonicPoint displays an “operational” status in the SonicPointNs table.

Connect to Wi-Fi and ensure that you can browse the Internet.

Setting Up SonicWALL High Availability Pairs

Friday, May 29th, 2009

Prerequisites
1. They MUST be the same model
2. Make sure that if you need Stateful High Availability that you have the license for it (only Primary SonicWALL needs to be licensed)
3. Make sure that if the client wants support for both SonicWALLs that they purchase support for the Backup SonicWALL as well.
4. Register and associate the Primary and Backup SonicWALLs as a High Availability pair on mysonicwall.com
5. Physically label the SonicWALLs
6. On the back of each SonicWALL make note of the Serial Number.
7. Ensure you have two (2) Ethernet cables coming off of the LAN (one for each SonicWALL)
a. Adjust the Spanning Tree protocol if it’s being used on the switch to FAST.
8. Ensure that you have a crossover cable for X8 on NSA 240s (this is for the heartbeat between the two units)
9. Ensure that you have a dumb switch for the WAN, and two (2) Ethernet cables (one for the primary, one for the secondary).
10. Ensure that you have 2 LAN IP addresses that you can give to the SonicWALLs for monitoring
11. DON’T connect the SonicWALLs together yet

Setup
1. Register both SonicWALLs online
2. Register both SonicWALLs as an HA Pair
a. Go to www.mysonicwall.com
b. Go to the Backup SonicWALL
c. At the bottom of the licensing, look for HF or Hardware Failover
d. Enter in the requested information (name, and serial number)
e. On the “Service Management – Associated Products” page confirm that the registration was successful, then scroll to the bottom to see the Associated Products and click either HA Primary or HA Backup to display the unit that is now associated with your newly registered SonicWALL.
f. (OPTIONAL) Register Stateful HA on the Primary SonicWALL if you have the license.
3. Power on Primary SonicWALL and enter in LAN and WAN information
4. Connect LAN and WAN to SonicWALL (DO NOT CONNECT CROSSOVER CABLE)
5. Activate the Primary SonicWALL (log in to the Primary SonicWALL and register it when you get it online).
6. Load up new firmware on Primary SonicWALL (this’ll take up to 5 minutes)
7. Disconnect Primary SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
8. Power on Backup SonicWALL and enter in LAN and WAN information same as Primary and connect to LAN and WAN (DO NOT CONNECT CROSSOVER CABLE)
9. Activate the Backup SonicWALL (log in to the Primary SonicWALL and register it when you get it online).
10. Load up new firmware on Primary SonicWALL. (this’ll take up to 5 minutes)
11. Disconnect Backup SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
12. Power on and connect Primary SonicWALL
13. Create all necessary firewall/security rules on the Main Unit
14. Create a Backup of your settings

Configuring HA
1. Log in to the Primary SonicWALL
2. Go to “High Availability”
3. Go to “Settings”
4. Select Enable High Availability checkbox
5. Enter in Serial number of Backup SonicWALL
6. Click Accept
7. Go to “High Availability” > “Advanced”
8. Leave all values the same in the fields
9. Select the following:
Enable Preempt Mode
Enable Virtual MAC
10. Save your settings

Connecting the HA units
1. Make sure both devices are turned on
2. Connect a LAN cable to X0 on each SonicWALL device
3. Connect a WAN cable to X1 on each SonicWALL device
4. Connect the cross over cable to the HA reserved port (X8 if it’s an NSA 240)
5. Log in to the Primary SonicWALL
6. Go to “High Availability” > “Settings” and keep clicking on refresh until:
a. That status at the top right is Active
b. “Primary Status” is enabled
c. Dedicated HA Link is connected
d. “Found backup” is Yes
e. “Settings Synchronized” is Yes
f. OPTIONAL make sure anything that says “Stateful” is at “yes”
7. Review the logs to ensure that there are NO errors with licensing. Licensing errors, if present, will recur in the logs every 10 minutes. If you find licensing errors, wipe everything out and reapply the firmware.

Configuring Monitoring of HA Devices
1. Log in to the Primary SonicWALL
2. Go to “High Availability” > “Monitoring”
3. Find X0 (the LAN) and click to configure it
4. Enable Physical Monitoring
5. Enter in a LAN IP address for each device that you reserved in the Prerequisite steps (Primary = Primary Unit; Backup = Backup Unit).
6. Attempt to manage both SonicWALLs from their respective HA IP addresses. NOTE: The HA LAN management IP addresses are only used for management and CANNOT be used as a gateway for traffic.

Finish
1. Backup all of the settings from the Primary SonicWALL and Secondary SonicWALL (via HA LAN management IP address)

Configuring IPS to Deny P2P Traffic On a SonicWALL

Thursday, May 28th, 2009

1. Login to SonicWALL
2. Go to Application Firewall
3. Go to Application Objects
4. “Add New Object”
5. In the next window, name the object
a. Under “Application Object Type” select “Signature List”
b. Under “IDP Category” select P2P
c. Under “IDP Signature” select each one, and add it to the list
NOTE: I tried using Signature Category List, assuming that this would be the same thing as choosing Signature List and then selecting all of the IDP Signatures. I did not get good results, YMMV.
d. Click OK
6. Go to Policies
a. “Add New Policy”
b. Name the Policy
c. For “Policy Type”, choose “Dynamic Content”
d. For “Application Object” choose the name of the Application Object that you created initially.
e. For Action, choose “Reset/Drop”
f. Select “Enable Logging”
g. Ensure “Log Redundancy Filter” is selected.
h. Click OK
7. Ensure that the Policy is enabled.
8. Check the little bar graph next to the policy, called the Policy Statistics. This will tell you how many times it was used to block traffic.
9. Check the logs to see the blocking in effect; it will most likely be highlighted in yellow.

Setting Up A DMZ With Transparency Mode on a SonicWALL

Wednesday, January 7th, 2009

This article will outline how to set up a SonicWALL with One to One NAT using Transparency Mode on a DMZ on a specific port.

What you need:
1. SonicWALL with OS Enhanced
2. All WAN IP addresses leased to company
3. An unused, unassigned port on the SonicWALL (not port 1, which is reserved for internal use on ALL SonicWALLs).

Steps:
1. Login to SonicWALL
2. Add portshield interface to network interfaces on SonicWALL. (Network)
3. Here’s the trick. Create a new address object, name it anything. Make sure it has the following:
a) Zone is DMZ
b) Type is Range
c) Make it within the WAN Range, but the unused IP addresses in that range.
d) Enable DHCP on this Interface
e) Click Save
4. Go to Firewall
5. In matrix click WAN > DMZ
6. If applicable (not recommended, because of the obvious security implications), change the setting from “deny all” to “allow all” (whichever host sits behind that DMZ should be running its own firewall).
7. Go to DHCP and ensure the scope for the subnet is correct. Then get the MAC address of the firewall to be chained to it, and add a reservation for it with the appropriate WAN IP (for a static setup).
8. Change the DNS settings for that DHCP scope so that it is not handing out the LAN’s DNS server addresses.
9. Test with your laptop.

Traversing SonicWALLs with NetBIOS

Friday, August 15th, 2008

This article assumes that you already have a functioning Site to Site VPN connection setup.

1. On the SonicWALL with OS Standard, go to the ‘VPN > Advanced’ page and uncheck the box next to ‘Disable all VPN Windows Networking (NetBIOS) Broadcasts’. This is a global setting, and unless unchecked, no VPN SA will be able to pass NetBIOS broadcasts. When done, click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change.

2. Then, go to the ‘VPN > Settings’ page and click on the ‘Configure’ icon next to the VPN policy you previously created to connect to the central site. On the pop-up that appears, go to the ‘Advanced’ tab and check the box next to ‘Enable Windows Networking (NetBIOS) Broadcast’. This is a per VPN SA setting and applies to this VPN tunnel only. When done, click on the ‘OK’ button to save and activate the change.

3. On the central site SonicWALL with OS Enhanced, go to the ‘VPN > Settings’ page and click on the ‘Configure’ icon next to the VPN policy you previously created to connect to the remote site. On the pop-up that appears, go to the ‘Advanced’ tab and check the box next to ‘Enable Windows Networking (NetBIOS) Broadcast’. When done, click on the ‘OK’ button to save and activate the change.

4. Then, go to the ‘Network > IP Helper’ page. Check the box next to ‘Enable IP Helper’, make sure the box next to ‘Enable DHCP Support’ is unchecked (unless you are using this feature; with DHCP enabled you may not be able to uncheck this setting), and check the box next to ‘Enable NetBIOS Support’. You will notice that an IP Helper Policy has been auto-created as a result of the previous step’s configuration. When done, click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change.

5. On XP workstations you will need to reboot them (or wait about 30 minutes) for the broadcasting to work and for NetBIOS results to populate “Network Neighborhood”.
NOTE: On Vista workstations you can hit refresh a couple of times (this may take up to 5 minutes, but no reboot is required), and it should start populating pretty quickly.

Mac OS X Server 10.5: NATd

Tuesday, August 12th, 2008

There are certain aspects of Mac OS X Server that it just isn’t that great at. One of them is acting as a router. It’s just a fact that an appliance by SonicWALL, Cisco, Watchguard and sometimes LinkSys will run circles around the speed and feature set of Mac OS X Server. So with that in mind, let’s look at how you would go about configuring a basic port forward on OS X Server if you decided not to listen to us on this point…

You can use /etc/nat/natd.plist. The key you’ll want to edit is redirect_port, with one entry per port or a whole range in a single entry. Basically the array would look something like this, assuming you were trying to forward AFP traffic to 192.168.0.2 from a WAN IP of 4.2.2.2:

    <key>redirect_port</key>
    <array>
        <dict>
            <key>proto</key>
            <string>TCP</string>
            <key>targetIP</key>
            <string>192.168.0.2</string>
            <key>TargetPortRange</key>
            <string>548</string>
            <key>aliasIP</key>
            <string>4.2.2.2</string>
            <key>aliasPortRange</key>
            <string>548</string>
        </dict>
    </array>

You could also use the route command or ipfw depending on exactly what you’re trying to do with this thing. Route is going to be useful if you’re trying to respond to network traffic over a different interface than the default interface.
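Since each redirect_port entry is just a set of key/value pairs, the forwards can be generated and sanity-checked before natd ever reads them. The following Python is an added example, not part of the original post or of Apple’s tooling; it assumes the key names exactly as the post lists them (including the capitalised TargetPortRange), builds the AFP forward from the post, and rejects a mismatched port range or a second rule for the same public port.

```python
import ipaddress
import plistlib

# Key names follow the natd.plist excerpt in the post (including the capitalised
# "TargetPortRange"); compare them against your own /etc/nat/natd.plist before use.
REDIRECT_KEYS = ("proto", "targetIP", "TargetPortRange", "aliasIP", "aliasPortRange")


def _parse_range(spec):
    """Parse '548' or '5000-5010' into an inclusive (low, high) tuple."""
    low, sep, high = spec.partition("-")
    low, high = int(low), (int(high) if sep else int(low))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return low, high


def make_redirect(proto, target_ip, target_ports, alias_ip, alias_ports):
    """Build one redirect_port entry, validating the addresses and port ranges."""
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"unsupported protocol: {proto}")
    # IPv4Address() rejects malformed addresses such as "4.2.2" or "192.168.0.256".
    target_ip = str(ipaddress.IPv4Address(target_ip))
    alias_ip = str(ipaddress.IPv4Address(alias_ip))
    t_lo, t_hi = _parse_range(target_ports)
    a_lo, a_hi = _parse_range(alias_ports)
    if t_hi - t_lo != a_hi - a_lo:  # natd maps the two ranges one-to-one
        raise ValueError("target and alias port ranges differ in size")
    values = (proto.upper(), target_ip, target_ports, alias_ip, alias_ports)
    return dict(zip(REDIRECT_KEYS, values))


def list_redirects(plist_bytes):
    """Return the redirect_port array of a serialised natd.plist."""
    return plistlib.loads(plist_bytes).get("redirect_port", [])


def add_redirect(plist_bytes, redirect):
    """Return plist_bytes with `redirect` appended to the redirect_port array."""
    conf = plistlib.loads(plist_bytes)
    entries = conf.setdefault("redirect_port", [])
    # Refuse a second rule for the same public port: natd would get two claims on it.
    for entry in entries:
        if all(entry.get(k) == redirect[k] for k in ("proto", "aliasIP", "aliasPortRange")):
            raise ValueError("a redirect for that public port already exists")
    entries.append(redirect)
    return plistlib.dumps(conf)


# Constructed sample: a minimal plist with an empty redirect_port array (not a real natd.plist).
SAMPLE_PLIST = plistlib.dumps({"redirect_port": []})

if __name__ == "__main__":
    afp = make_redirect("TCP", "192.168.0.2", "548", "4.2.2.2", "548")
    print(list_redirects(add_redirect(SAMPLE_PLIST, afp)))
```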

Configuring a SonicWALL for Fonality/Trixbox

Thursday, August 7th, 2008

The Fonality/Trixbox server and phones should be on the same subnet, separated from the data network.

On the SonicWall:

Under Network/Interfaces, create a new Interface for the Phone System. Under the Zone option, create a new Zone for the Phone System. Name the zone Phone System. Under the “Switch Ports” tab, assign it a port on the SonicWall. Label this port for the phone system (in the SonicWall OS and physically).

Blacklisting IP addresses on SonicWALLs

Friday, April 4th, 2008

Blacklisting an IP from the WAN on a SonicWALL

1. Login to SonicWALL
2. Go to Firewall Rules
3. Go to Matrix
4. Go to WAN -> LAN
5. Create Rule
6. For Source, choose Create Network.
7. Change Zone to WAN
8. Name it whatever you want (ie. Blacklisted IP1)
9. Enter in IP
10. Save it
11. On the firewall rule, make sure to click on the check box for Deny
12. Source is Blacklisted IP
13. Destination is ANY
14. Service ANY (if you want to block all traffic).
15. Save it.
16. Move it up in the chain to be the first rule.
17. Test it.

Installing SonicWALL ViewPoint

Wednesday, May 23rd, 2007

Here are the steps to follow for installing SonicWALL ViewPoint. Note that a Windows system running 2000, XP, or 2003 is required.

1. Go to www.mysonicwall.com and add the ViewPoint license key to the registered appliance.

2. Download the ViewPoint installation software. It is a free download from www.mysonicwall.com (the client should have a login/password from when the SonicWALL was installed)

3. Extract and run the installer. Follow the prompts to add an SMTP server and admin accounts. Make sure that the Windows firewall is off or has an exception for ports 80, 443, and 514. Reboot the system.

4. Log into the SonicWALL appliance and enter the upgrade key from the mysonicwall.com site into the System > Licenses section on the navbar.

5. In the Logs > ViewPoint section on the navbar, add the IP address of the computer running the ViewPoint software.

6. Open a web browser to the IP address of the ViewPoint system. In the far left pane, right-click on MyReportsView and select Add Unit. Enter the information for the SonicWALL appliance in the window that appears and click OK.

SonicOS Enhanced: CFS Causes errors on sites with logins

Thursday, March 1st, 2007

This article also applies to any SonicWALL running SonicOS Enhanced that is having performance issues.

Safari and other web browsers on a Mac will experience errors trying to load pages that require a login over https, such as store.apple.com and www.amazon.com. To fix this, you need to uncheck the “Enforce Host Tag Search with for CFS” feature on the SonicWALL. This applies even if the SonicWALL is not utilizing the Content Filtering Service features.

In order to uncheck “Enforce Host Tag Search with for CFS”, you have to log in to the SonicWALL console and then go to the diag page, which is reached by replacing the web page name in the URL with diag.html.

For example, if you log into http://192.168.1.1/main.html you have to replace main with diag; that is: http://192.168.1.1/diag.html

This page brings up the internal settings page of the SonicWALL, and from there you can uncheck “Enforce Host Tag Search with for CFS”.

Data Loss

Sunday, November 19th, 2006

We’ve attended plenty of events that preach the importance of backup, but rarely is it approached from what is essentially at the heart of data protection – data recovery. For example, did you know that DLT tapes (still the media of choice across the board) are designed to be overwritten only 5 times? According to our valued partners at SonicWALL, Inc., administrators report that they use DLT tapes an average of 12 times. Also, something like 73% of the backed-up data surveyed was unrecoverable!!! Point being, a backup is only as secure as its recovery plan.

The recommendation here is to run periodic recovery drills to test the viability of the data protection scheme. Taking SonicWall’s lead, we here at 318, Inc. would like to begin a vigorous push with all our clients towards increasing the awareness of the importance of data recovery. Another tidbit: 93% of companies that had suffered a major loss of data, were out of business within one year. Far too many systems administrators’ careers have ended abruptly due to recovery-plan negligence and we’ve all seen it happen… nuff said.

A few more interesting points on the subject of data loss (if data loss can be considered interesting…):

The speed of recovery is as important as anything else. The example was given of when, during the early days of eBay, their servers were brought down under attack and, though their data was safely backed up, it took 2.5 days to recover it. Million$ lost in revenue! Administrators should design a plan that includes rapid recovery of the most recent and most critical data, allowing the affected party(s) to resume their daily tasks while recovery of the older, less important files continue to restore.
People are, by far, the biggest challenge to security – e.g. passwords taped to monitor screens, using “password” as their password, etc. Only strict company security policies and education can combat this security leak. Even the most secure server in the world can be easily compromised by an employee walking through an airport with log-on credentials for that server written with a Sharpie on the outside of their laptop case (it was an agent from the U.S. Homeland Security Department – true story – and as the laptop came out of security’s X-ray scanner, it was mistakenly handed to the wrong person!).
Small to medium businesses are hit hardest by data loss. They usually have fewer resources to invest in protecting their data and are usually the ones least likely to appreciate the importance of a strong backup/recovery scheme.
Data protection is more important than ever now, considering that cyber-criminals are making approximately 6 times more money with far fewer expenditures than organized crime ever did, even in its heyday.
On the subject of data security, no discussion is complete without extensive planning for protecting the network that the data resides on. “Controlling the flow of data can be as difficult as herding cats.” For network security, 318, Inc. recommends the SonicWall TZ 170 firewall/router for most networks. We feel it’s important to understand some of the differences between using SonicWall’s firewall appliances and the limitations of other, “consumer level” products such as Linksys or D-link routers. From SonicWall.com:

SonicOS Standard, which ships on every SonicWALL TZ 170, includes:

Real-Time Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention. The TZ 170 extends security from the network core to the perimeter by integrating support for SonicWALL’s Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service, delivering real-time protection against the latest blended threats, including viruses, spyware, worms, Trojans, software vulnerabilities and other malicious code.
Powerful Content Filtering. The TZ 170 supports SonicWALL’s Content Filtering Service, providing an enterprise-class, scalable content filtering service that enhances productivity and security without requiring additional server or deployment costs.
Deep Packet Inspection Firewall. The TZ 170 features a configurable, high performance deep packet inspection firewall for extended protection to key Internet services such as Web, e-mail, file transfer, Windows services, and DNS.
WorkPort. The SonicWALL TZ 170 includes an optional port that can be configured as a WorkPort, creating an independent, isolated zone of trusted network security that protects corporate networks from malicious attacks that can occur when telecommuters share broadband Internet access with networked home computers.
Comprehensive Central Management Support. Every SonicWALL Internet security appliance can be managed using SonicWALL’s award-winning Global Management System, which provides network administrators with the tools for simplified configuration, enforcement and management of global security policies, VPN, and services, all from a central location.
More information about SonicWall’s products can be found at their website: http://www.sonicwall.com.

318, Inc. is a proud partner of SonicWall, and would appreciate the opportunity to perform a vulnerability assessment on your network in order to offer you some solid recommendations for protecting it.

Dual WANs for Your Office

Tuesday, September 5th, 2006

Often, a single internet connection is all that is needed to allow a group of computers to access the internet for websites, email and chatting. DSL, Cable Modem or a single T1 can often provide enough bandwidth for a small group of users.

As your company grows, there can come a point where the speed of the internet connection becomes a bottleneck, increasing the time for web pages to load and for emails to be sent and received. After you hit the limits of what a single connection is able to provide, one very cost effective way to address the issue is to add a second connection.

Adding a second internet connection to your network is also highly recommended if your business relies heavily on the internet. In the event of a downed internet connection, the outage could cost companies thousands of dollars in lost productivity and client interaction. By utilizing a second internet connection from an alternate provider, businesses can ensure a higher level of availability and uptime.

The equipment can be set up in one of two ways. When set up in a failover configuration, the second internet connection is used only when the primary fails. In typical configurations, the fast data connection such as a T1 is supplemented by the slower connection, such as DSL, to bear the burden of connectivity in the event of an outage.

When set up with load balancing, both internet connections are used simultaneously, with the traffic load being split and routed to the more ‘available’ connection. In this configuration, both data circuits should be sufficiently fast to allow the load to be effectively shared between them, typically T1s.

318 is an expert in setting up and integrating Dual-WAN networks. It can be as simple as using a DSL line and a cable modem, as robust as using two T1s from two different providers, or even a mix of a T1 and a WiMax link. If you think this is a situation that would suit your business, give 318 a call to discuss your options.