
Configuring Firewall Settings


To determine whether packets are allowed through the firewall, each SonicWALL checks the destination IP address, source IP address, and port against the firewall rules.

Note: Firewall rules take precedence over the default firewall functions. Because it is possible to disable all firewall protection or block all access to the Internet, use caution when creating or deleting network access rules.

Network access rules do not disable protection from Denial of Service attacks such as SYN Flood, Ping of Death, LAND, and so on. However, it is possible to create vulnerabilities to attacks that exploit application weaknesses.

It is important to consider the purpose and ramifications of a rule before adding it to the firewall rule list. Use the following guidelines to determine the rule logic:

After determining the logic of the rule, consider the ramifications:

Understanding the Network Access Rules Hierarchy

The rule hierarchy uses two basic concepts:

For example: a rule defining a specific service is more specific than the Default rule; a defined Ethernet link, such as LAN (WorkPort), or WAN, is more specific than * (all); and a single IP address is more specific than an IP address range.

Rules are listed in the LAN (WorkPort) Interface window from most specific to the least specific, and rules at the top override rules listed below.

To illustrate this, consider the Rules shown below.

Table 2: Sample Rules

#  Action  Service      Source                               Destination
1  Deny    Chat (IRC)   206.18.25.4 (LAN)                    148.178.90.55 (WAN)
2  Allow   Ping         199.2.23.0 - 199.2.23.255 (WAN)      206.18.25.4 (WAN)
3  Deny    Web (HTTP)   216.37.125.0 - 216.37.125.255 (WAN)  *
4  Allow   Lotus Notes  WAN                                  LAN (WorkPort)
5  Deny    News (NNTP)  LAN (WorkPort)                       *
6  Deny    Default      *                                    LAN (WorkPort)
7  Allow   Default      LAN (WorkPort)                       *

The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN (WorkPort) out to the WAN. However, Rule #5 blocks all NNTP traffic from the LAN (WorkPort).

The Default Deny Rule (#6) blocks traffic from the WAN to the LAN (WorkPort). However, Rule #4 overrides part of this rule by allowing Lotus Notes into the LAN (WorkPort) from the WAN.
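To make the ordering concrete, here is an added Python example (not from the SonicWALL guide) that parses the Table 2 rows, sorts them by the specificity rules just described, and applies first-match to a packet. It assumes that an interface label inside an address cell is part of the match, that service names match by exact string, and that traffic matching no rule is denied.

```python
import ipaddress
import re
from dataclasses import dataclass

# Interface cells as they appear in the GMS rule table; the LAN is also labelled "WorkPort".
INTERFACES = {"LAN (WorkPort)": "LAN", "LAN": "LAN", "WAN": "WAN"}
# Address cells: "a.b.c.d (LAN)" or "a.b.c.d - e.f.g.h (WAN)"
CELL_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\s*-\s*(\d+\.\d+\.\d+\.\d+))?\s*\((LAN|WAN)\)$")

@dataclass(frozen=True)
class Endpoint:
    kind: str       # 'any' (*), 'iface', 'range' or 'host'
    iface: str      # "LAN", "WAN", or "" when the cell names no interface (assumed to be a match condition)
    low: int = 0    # inclusive IPv4 bounds as integers, used for 'range' and 'host'
    high: int = 0

    @property
    def specificity(self) -> int:
        # Page rule: * < interface < address range < single address.
        return {"any": 0, "iface": 1, "range": 2, "host": 3}[self.kind]

    def matches(self, ip: str, iface: str) -> bool:
        if self.iface and self.iface != iface:
            return False
        return self.kind in ("any", "iface") or self.low <= int(ipaddress.IPv4Address(ip)) <= self.high

def parse_endpoint(cell: str) -> Endpoint:
    cell = cell.strip()
    if cell == "*":
        return Endpoint("any", "")
    if cell in INTERFACES:
        return Endpoint("iface", INTERFACES[cell])
    m = CELL_RE.match(cell)
    if not m:
        raise ValueError(f"unrecognised endpoint cell: {cell!r}")
    low = int(ipaddress.IPv4Address(m.group(1)))
    high = int(ipaddress.IPv4Address(m.group(2))) if m.group(2) else low
    return Endpoint("host" if low == high else "range", m.group(3), low, high)

@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # 'Allow' or 'Deny'
    service: str     # 'Default' matches every service
    src: Endpoint
    dst: Endpoint

    @property
    def specificity(self) -> int:
        # A named service outranks Default; each endpoint adds its own weight.
        return (0 if self.service == "Default" else 1) + self.src.specificity + self.dst.specificity

    def matches(self, service, src_ip, src_if, dst_ip, dst_if) -> bool:
        return (self.service in ("Default", service)
                and self.src.matches(src_ip, src_if)
                and self.dst.matches(dst_ip, dst_if))

# Table 2 from the page: (number, action, service, source, destination).
SAMPLE_RULES = [
    (1, "Deny", "Chat (IRC)", "206.18.25.4 (LAN)", "148.178.90.55 (WAN)"),
    (2, "Allow", "Ping", "199.2.23.0 - 199.2.23.255 (WAN)", "206.18.25.4 (WAN)"),
    (3, "Deny", "Web (HTTP)", "216.37.125.0 - 216.37.125.255 (WAN)", "*"),
    (4, "Allow", "Lotus Notes", "WAN", "LAN (WorkPort)"),
    (5, "Deny", "News (NNTP)", "LAN (WorkPort)", "*"),
    (6, "Deny", "Default", "*", "LAN (WorkPort)"),
    (7, "Allow", "Default", "LAN (WorkPort)", "*"),
]

def build_rulebase(rows):
    """Parse the rows and order them most specific first; ties keep table order (stable sort)."""
    rules = [Rule(n, a, s, parse_endpoint(src), parse_endpoint(dst)) for n, a, s, src, dst in rows]
    return sorted(rules, key=lambda r: r.specificity, reverse=True)

def decide(rules, service, src_ip, src_if, dst_ip, dst_if):
    """Return (action, rule number) of the first matching rule; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(service, src_ip, src_if, dst_ip, dst_if):
            return rule.action, rule.number
    return "Deny", None
```

With this ordering, NNTP from the LAN hits rule #5 before the Default Allow (#7), and Lotus Notes from the WAN hits rule #4 before the Default Deny (#6), exactly as the two paragraphs above describe.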

Defining Firewall Rules

After defining rules and understanding their ramifications, select from the following:

SonicOS Enhanced

To configure rules for SonicOS Enhanced, follow these steps:

  1. Schedules are pre-defined periods of time that enable you to quickly define when rules are applied. To add a schedule, see "Configuring Schedule Groups and Schedules" on page 128.
  2. Determine whether the service for which you want to create a rule is defined. If not, define the service or Service Group. See "Adding a Service Object" on page 131 and "Adding a Service Object Group" on page 131.
  3. Create one or more rules for the service. See "Creating Rules" on page 136.
  4. Repeat this procedure for each service for which you would like to define rules.

Configuring Schedule Groups and Schedules

Schedule Groups are groups of schedules to which you can apply firewall rules. For example, you might want to block access to auction sites during business hours, but allow employees to access the sites after hours.

You can apply rules to specific schedule times or all schedules within a Schedule Group. For example, you might create an Engineering Work Hours group that runs from 11:00 AM to 9:00 PM, Monday through Friday and 12:00 PM to 5:00 PM, Saturday and Sunday. Once configured, you can apply specific firewall rules to the entire Engineering Work Hours Schedule Group or only to the weekday schedule.
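As an added example (not part of the SonicWALL guide), this Python model of the Engineering Work Hours group shows how a rule bound to the whole group differs from one bound only to the weekday schedule, and validates the 24-hour times the Start Time and Stop Time fields expect. It assumes a schedule does not cross midnight and that the Stop Time is exclusive; both are modelling choices, not documented appliance behaviour.

```python
from dataclasses import dataclass
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

def to_minutes(hhmm: str) -> int:
    """Parse a 24-hour 'HH:MM' string (the format the Start/Stop Time fields expect)."""
    hours, minutes = hhmm.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"not a 24-hour time: {hhmm!r}")
    return h * 60 + m

@dataclass(frozen=True)
class Schedule:
    days: frozenset   # weekday names from DAYS, one per selected check box
    start: str        # Start Time, 24-hour "HH:MM"
    stop: str         # Stop Time, 24-hour "HH:MM"

    def __post_init__(self):
        unknown = self.days - set(DAYS)
        if unknown:
            raise ValueError(f"unknown day(s): {sorted(unknown)}")
        # Assumption: a schedule stays within one day; a window crossing midnight is entered as two schedules.
        if to_minutes(self.stop) <= to_minutes(self.start):
            raise ValueError(f"Stop Time {self.stop} must be later than Start Time {self.start}")

    def active(self, when: datetime) -> bool:
        now = when.hour * 60 + when.minute
        # Start is inclusive and stop exclusive, so 21:00 is already outside an 11:00-21:00 window.
        return DAYS[when.weekday()] in self.days and to_minutes(self.start) <= now < to_minutes(self.stop)

@dataclass(frozen=True)
class ScheduleGroup:
    name: str
    schedules: tuple

    def active(self, when: datetime) -> bool:
        # A rule bound to the whole group applies whenever any member schedule is active.
        return any(s.active(when) for s in self.schedules)

def rule_applies(schedule, when_iso: str) -> bool:
    """Would a rule bound to this Schedule or Schedule Group apply at the given local time ('YYYY-MM-DD HH:MM')?"""
    return schedule.active(datetime.fromisoformat(when_iso))

# The page's Engineering Work Hours example: 11:00-21:00 Mon-Fri and 12:00-17:00 Sat-Sun.
WEEKDAY_HOURS = Schedule(frozenset(DAYS[:5]), "11:00", "21:00")
WEEKEND_HOURS = Schedule(frozenset(DAYS[5:]), "12:00", "17:00")
ENGINEERING_WORK_HOURS = ScheduleGroup("Engineering Work Hours", (WEEKDAY_HOURS, WEEKEND_HOURS))
```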

Creating a New Schedule Group

To create a Schedule Group, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Schedules. The Schedules page appears (Figure 121).

  Figure 121: Schedules Page

  4. To add a Schedule Group, click Add Schedule Group.

  Figure 122: Add Schedule Dialog Box

  5. Enter the name of the Schedule Group in the Name field.
  6. Configure a schedule:
    • Select the check boxes for each day the schedule will apply.
    • Enter the start time for the schedule in the Start Time field. Make sure to use the 24-hour format.
    • Enter the end time for the schedule in the Stop Time field. Make sure to use the 24-hour format.
    • Click Add.
  7. Repeat Step 6 for each schedule to add.
  8. To delete a schedule, select the schedule and click Delete.
  9. Click OK. The Schedule Group is added and configured.

Editing a Schedule Group

To edit a Schedule Group, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Schedules. The Schedules page appears (Figure 123).

  Figure 123: Schedules Page

  4. To edit a Schedule Group, click its Edit icon. The Edit Schedule Group dialog box appears.

  Figure 124: Edit Schedule Dialog Box

  5. To add a schedule:
    • Select the check boxes for each day the schedule will apply.
    • Enter the start time for the schedule in the Start Time field. Make sure to use the 24-hour format.
    • Enter the end time for the schedule in the Stop Time field. Make sure to use the 24-hour format.
    • Click Add.
  6. Repeat Step 5 for each schedule to add.
  7. To delete a schedule, select the schedule and click Delete.
  8. Click OK. The settings for the Schedule Group are changed.

Adding a Service Object

A Service Object is a protocol/port range combination that defines a service. A Service Group is a group of services that, once defined, enable you to quickly establish firewall rules without manually configuring each service.

By default, a large number of services are pre-defined. To add a service, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Service Objects. The Service Objects page appears (Figure 125).

  Figure 125: Service Objects Page

  4. To add a service, scroll to the bottom of the Custom Services section and click Add Service.

  Figure 126: Add Service Dialog Box

  5. Enter the name of the service in the Name field.
  6. Enter the starting and ending port for the service in the Port Range fields.
  7. Select the type of protocol from the Protocol field.
  8. Click OK. The service is added.
  9. Repeat Steps 4 through 8 for each service to add.

Adding a Service Object Group

A Service Group is a group of services that can be used to quickly apply rules to large numbers of services without individually configuring each service. By default, many Service Groups are pre-defined. To add a new Service Group, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Service Objects. The Service Objects page appears (Figure 127).

  Figure 127: Service Objects Page

  4. To add a service group, scroll to the bottom of the Custom Service Groups section and click Add Group. The Add Service Group dialog box appears.

  Figure 128: Add Service Group Dialog Box

  5. Enter a name for the service group in the Name field.
  6. To add a service to the group, select it and click the right arrow button.
  7. To remove a service from the group, select it and click the left arrow button.
  8. Click OK. The service group is added.
  9. Repeat Steps 4 through 8 for each service group to add.

Configuring the Access Rules

This section describes how to define firewall rules. To create a rule, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Access Rules. The Access Rules page appears (Figure 129). The Firewall > Access Rules page enables you to select multiple views of Access Rules, including Drop-down boxes, Option Buttons, and All Rules. The default view is the Matrix View, which provides a matrix of source and destination nodes between LAN, WAN, VPN, Multicast, and WLAN.

  Figure 129: Access Rules Page

  4. From the Matrix View, click the Edit icon for the source and destination interfaces for which you will configure a rule.
  5. Click Add Rule. The Add Rule Property Sheet appears.

  Figure 130: Add Rule Property Sheet

  6. Select whether access to this service will be allowed or denied.
  7. Select a service from the Service Name list box. If the service does not exist, see "Adding a Service Object" on page 131.
  8. Select the source Address Object from the Source list box.
  9. Select the destination Address Object from the Destination list box.
  10. Specify when the rule will be applied by selecting a schedule or Schedule Group from the Schedule list box. If the rule will always be applied, select Always on. If the schedule does not exist, see "Configuring Schedule Groups and Schedules" on page 128.
  11. To enable logging for this rule, select the Logging check box.
  12. Add any comments to the Comment field.
  13. Click the Advanced tab. The Advanced properties page appears.

  Figure 131: Add Rule Property Sheet: Advanced Page

  14. Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. Enable the Allow Fragmented Packets check box only if users are experiencing problems accessing certain applications and the SonicWALL logs show many dropped fragmented packets.
  15. Specify how long (in minutes) the connection may remain idle before it is terminated in the Inactivity Timeout field.
  16. Click the Bandwidth tab. The Bandwidth page appears.

  Figure 132: Add Rule Property Sheet: Bandwidth Page

  17. SonicWALL appliances can manage outbound traffic using bandwidth management. To enable bandwidth management for this service, select the Enable Bandwidth Management check box.
  18. Enter the amount of bandwidth that will always be available to this service in the Guaranteed Bandwidth field. Keep in mind that this bandwidth is permanently assigned to this service and not available to other services, regardless of how much bandwidth this service actually uses.

    Enter the maximum amount of bandwidth that will be available to this service in the Maximum Bandwidth field.

    Select the priority of this service from the Bandwidth Priority list box, from 0 (highest) to 7 (lowest).

    Note: In order to configure bandwidth management for this service, bandwidth management must be enabled on the SonicWALL appliance. For more information, see "Configuring Interface Network Settings" on page 94.

  19. To add this rule to the rule list, click OK. You are returned to the Access Rules page.
  20. Repeat Steps 4 through 18 for each rule that you want to add.
  21. If the network access rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic, and allow all outbound IP traffic. To restore the network access rules to their default settings, click Restore Rules to Defaults and click Update. A task is scheduled to update the rules page for each selected SonicWALL appliance.
  22. To modify a rule, click its Edit icon. The Add/Modify Rule dialog box appears. When you are finished making changes, click OK. SonicWALL GMS creates a task that modifies the rule for each selected SonicWALL appliance.
  23. To enable logging for a rule, select its Logging check box.
  24. To disable a rule without deleting it, deselect its Enable check box.
  25. To delete a rule, click its trash can icon. SonicWALL GMS creates a task that deletes the rule for each selected SonicWALL appliance.

SonicOS Standard

To configure rules for SonicOS Standard, follow these steps:

  1. Determine whether the service for which you want to create a rule is defined. If not, define the service. See "Adding a Service" on page 136.
  2. Create one or more rules for the service. See "Creating Rules" on page 136.
  3. Repeat this procedure for each service for which you would like to define rules.

Adding a Service

By default, a large number of services are pre-defined. This section describes how to add a new or custom service.

To add a service, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Services. The Services page appears (Figure 133).

  Figure 133: Access Services Page

  4. To add a known service (e.g., HTTP, FTP, News), select the service from the Service Name list box and click Add Known Service. Repeat this step for each service that you would like to add. A task is scheduled for each service for each selected SonicWALL appliance.
  5. To add a custom service, enter its name in the Service Name field, enter the port range it uses in the Port Begin and Port End fields, select the appropriate protocol check boxes, and click Add Custom Service. Repeat this step for each service that you would like to add. A task is scheduled for each service for each selected SonicWALL appliance.
  6. To remove a service from the list, select its trash can check box and click Update. A task is scheduled to update the services page for each selected SonicWALL appliance.
  7. To clear all screen settings and start over, click Reset.

Creating Rules

This section describes how to define rules for defined services.

To create a rule, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Rules. The Rules page appears (Figure 134).

  Figure 134: Access Rules Page

  4. Click Add Rule. The Add Rule dialog box appears.

  Figure 135: Add Rule Dialog Box

  5. Select a service from the Service Name list box. If the service does not exist, see "Adding a Service" on page 136.
  6. Select whether access to this service will be allowed or denied.
  7. Select the SonicWALL interface to which this rule applies: packets coming from the LAN (WorkPort), WAN, DMZ (HomePort), or all interfaces (*).
  8. Specify the source IP address range. The rule will apply to requests originating from IP addresses within this range. For all IP addresses, enter an asterisk (*).
  9. Specify the destination IP address range. The rule will apply to requests sent to IP addresses within this range. For all IP addresses, enter an asterisk (*).
  10. Specify when the rule will be applied. By default, it is Always. To specify a time, enter the time of day (in 24-hour format) to begin and end enforcement. Then, enter the days of the week to begin and end rule enforcement.
  11. Specify how long (in minutes) the connection may remain idle before it is terminated in the Inactivity Timeout field.
  12. Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. Enable the Allow Fragmented Packets check box only if users are experiencing problems accessing certain applications and the SonicWALL logs show many dropped fragmented packets.
  13. SonicWALL appliances can manage outbound traffic using bandwidth management. To enable bandwidth management for this service, select the Enable Bandwidth Management check box.
  14. Enter the amount of bandwidth that will always be available to this service in the Guaranteed Bandwidth field. Keep in mind that this bandwidth is permanently assigned to this service and not available to other services, regardless of how much bandwidth this service actually uses.

    Enter the maximum amount of bandwidth that will be available to this service in the Maximum Bandwidth field.

    Select the priority of this service from the Bandwidth Priority list box, from 0 (highest) to 7 (lowest).

    Note: In order to configure bandwidth management for this service, bandwidth management must be enabled on the SonicWALL appliance. For more information, see "Configuring Ethernet Settings" on page 119.

  15. To add this rule to the rule list, click Update. Repeat Steps 4 through 14 for each rule that you want to add.
  16. If the network access rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic, and allow all outbound IP traffic. To restore the network access rules to their default settings, click Restore Rules to Defaults and click Update. A task is scheduled to update the rules page for each selected SonicWALL appliance.
  17. If the network access rules for a SonicWALL appliance need to be uniform with the access rules for other SonicWALL appliances in the same group, you can restore the group rules. To do this, click Restore Rules to Group Settings and click Update. A task is scheduled to overwrite the rules page for each selected SonicWALL appliance.

    If you want to append the group rules to the current rules, make sure the Append Services and Rules inherited from group check box is selected on the GMS Settings page of the Console Panel.

    Note: This option is not available at the group or global level.

  18. To modify a rule, select its notepad icon. The Add/Modify Rule dialog box appears. When you are finished making changes, click Update. SonicWALL GMS creates a task that modifies the rule for each selected SonicWALL appliance.
  19. To disable a rule without deleting it, deselect its Enable Rule check box.
  20. To delete a rule, select its trash can icon and click Update. SonicWALL GMS creates a task that deletes the rule for each selected SonicWALL appliance.

Configuring Advanced Access Settings

To configure advanced access settings, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Advanced. The Advanced page appears (Figure 136).

  Figure 136: Advanced Page

  4. Computers running Microsoft Windows communicate with each other through NetBIOS broadcast packets. By default, SonicWALL appliances block these broadcasts. Select from the following:
    • To configure the SonicWALL appliance(s) to allow NetBIOS packets to pass from the LAN (WorkPort) to the DMZ (HomePort), select the From LAN to DMZ or From WorkPort to HomePort check box.
    • To configure the SonicWALL appliance(s) to allow NetBIOS packets to pass from the LAN (WorkPort) to the WAN, select the From LAN to WAN or From WorkPort to WAN check box.
  5. Detection prevention helps hide SonicWALL appliances from potential hackers. Select from the following Detection Prevention options:
    • To enable stealth mode, select the Enable Stealth Mode check box. During normal operation, SonicWALL appliances respond to incoming connection requests as either "blocked" or "open." During stealth operation, SonicWALL appliances do not respond to inbound requests, making the appliances "invisible" to potential hackers.
    • Hackers can use various detection tools to "fingerprint" IP IDs and detect the presence of a SonicWALL appliance. To configure the SonicWALL appliance(s) to generate random IP IDs, select the Randomize IP ID check box.
  6. Select the dynamic ports that will be supported from the Dynamic Ports area:
    • Enable support for Oracle (SQLNet) - Select this option if you have Oracle applications on your network.
    • Enable support for Windows Messenger - Select this option to support the special SIP messaging used by Windows Messenger on Windows XP.
    • Enable support for H.323 - Select this option to enable support for H.323. H.323 is a standard that was designed to provide consistency for audio, video, and data transmissions over the Internet and is most commonly used for VoIP.
    • Enable RTSP Transformations - Select this option to support on-demand delivery of real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an application-level protocol for control over delivery of data with real-time properties.
  7. The Drop Source Routed Packets check box is selected by default. Clear the check box if you are testing traffic between two specific hosts and you are using source routing.
  8. The Connection Inactivity Timeout option closes connections outside the LAN if they are idle for a specified period of time. Without this timeout, connections can stay open indefinitely and create potential security holes. To specify how long the SonicWALL appliance(s) wait before closing inactive connections outside the LAN, enter the amount of time in the Default Connection Timeout field (default: 25 minutes).
  9. By default, FTP connections from port 20 are allowed, but remapped to outbound traffic ports such as 1024. If you select the Force inbound and outbound FTP data connections to use default port 20 check box, any FTP data connection through the SonicWALL must come from port 20 or the connection will be dropped and logged.
  10. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Voice over IP Settings

To configure Voice over IP (VoIP) settings, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click VoIP. The VoIP page appears (Figure 137).

  Figure 137: VoIP Page

  4. To enable secure NAT, select the Use secure NAT check box.
  5. Select from the following Session Initiation Protocol (SIP) configuration options:
    • Enable SIP Transformations - Select this option to support translation of SIP messages. By default, NAT translates Layer 3 addresses but does not translate Layer 5 SIP/SDP addresses. Unless there is another NAT traversal solution that requires this feature to be turned off, it is highly recommended to enable SIP transformations.

      After enabling SIP transformations, configure the following options:

      • SIP Signaling inactivity time out (seconds) - Specifies the period of time that must elapse before timing out an inactive SIP session if no SIP signaling occurs (default: 1800 seconds, or 30 minutes).
      • SIP Media inactivity time out (seconds) - Specifies the period of time that must elapse before timing out an inactive SIP session if no media transfer activity occurs (default: 120 seconds, or 2 minutes).
  6. Select from the following H.323 configuration options:
    • Enable H.323 Transformation - Select this option to allow stateful H.323 protocol-aware packet content inspection and modification by the SonicWALL. The SonicWALL performs any dynamic IP address and transport port mapping within the H.323 packets, which is necessary for communication between H.323 parties in trusted and untrusted networks/zones. Clear this check box to bypass the H.323-specific processing performed by the SonicWALL.

      After enabling H.323 transformations, configure the following options:

      • Only accept incoming calls from Gatekeeper - When selected, only incoming calls from the specified Gatekeeper IP address are accepted.
      • Enable LDAP ILS Support - When selected, the SonicWALL appliance supports Lightweight Directory Access Protocol (LDAP) and Microsoft NetMeeting's Internet Locator Service (ILS).
      • H.323 Signaling/Media inactivity time out (seconds) - Specifies how long the SonicWALL appliance waits before closing a connection when no activity is occurring.
      • Default WAN/DMZ Gatekeeper IP Address - Specifies the IP address of the H.323 Gatekeeper that acts as a proxy server between clients on the private network and the Internet.
  7. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Multicast Settings

To configure multicast settings, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Expand the Firewall tree and click Multicast. The Multicast page appears (Figure 138).

  Figure 138: Multicast Page

  4. To enable multicast, select the Enable Multicast check box.
  5. Configure the following options:
    • Require IGMP Membership reports for multicast data forwarding - This check box is selected by default. Select it to improve performance by forwarding multicast data only to interfaces that belong to an enabled multicast group address.
    • Multicast state table entry timeout (minutes) - This field has a default of 5. The value range for this field is 5 to 60 (minutes). Increase the value if you have a client that is not sending reports periodically.
  6. Select from the following:
    • To receive all (class D) multicast addresses, select Enable reception of all multicast addresses. Receiving all multicast addresses may cause your network to experience performance degradation.
    • To enable reception for specific multicast addresses only (the default), select Enable reception for the following multicast addresses and select Create a new multicast object or Create new multicast group from the list box.
  7. To view the IGMP State Information, click Request IGMP State Information. The following information appears:
    • Multicast Group Address - The multicast group address the interface is joined to.
    • Interface / VPN Tunnel - The interface (such as X0) or the VPN policy.
    • IGMP Version - The IGMP version (such as V2 or V3).
    • Time Remaining - The time left for the multicast session. This is calculated by subtracting the elapsed time since the multicast address was added from the "Multicast state table entry timeout (minutes)" value, which has a default of 5 minutes.
  8. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.


SonicWALL, Inc.
http://www.sonicwall.com
1160 Bordeaux Drive
Sunnyvale, CA 94089-1209