Configuring Network Settings for SonicOS Enhanced


This section describes how to configure network settings for SonicWALL appliances running SonicOS Enhanced. SonicOS Enhanced introduces a large number of new concepts that simplify network management while adding new levels of complexity and control.

To configure network settings for a SonicWALL appliance running SonicOS Standard, see Chapter 9, "Configuring Network Settings."

To configure network settings for a SonicWALL appliance using SonicOS Enhanced, configure the settings described in the following sections.

Configuring Interface Network Settings

This section describes how to configure each interface to communicate properly with the network to which it attaches.

Figure 89 shows the basic interfaces for a SonicWALL appliance. The LAN interface uses a static IP address and acts as a gateway for devices on the LAN network. The WAN interface can use a static or dynamic IP address and can connect to the Internet via Transmission Control Protocol (TCP), Point-to-Point Protocol over Ethernet (PPPoE), Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP). A SonicWALL appliance might have one, many, or no optional interfaces. Optional interfaces can be configured for LAN, WAN, DMZ, WLAN, or Multicast connections, or they can be disabled.

Figure 89: Interfaces

Virtual Interfaces (VLAN)

On the SonicWALL PRO 4060 and SonicWALL PRO 5060 security appliances, virtual interfaces are sub-interfaces assigned to a physical interface. Virtual interfaces allow you to have more than one interface on one physical connection.

Virtual interfaces provide many of the same features as physical interfaces, including Zone assignment, DHCP Server, and NAT and Access Rule controls.

Sub-Interfaces

VLAN support on SonicOS Enhanced is achieved by means of sub-interfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own sub-interface. For reasons of security and control, SonicOS does not participate in any VLAN trunking protocols, but instead requires that each VLAN that is to be supported be configured and assigned appropriate security characteristics.

Configure Interface Settings

To configure the network interfaces for a SonicWALL appliance, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click Interfaces. The Interfaces page appears (Figure 90).

  Figure 90: Interfaces Page

  4. Click the Edit Icon of the LAN, WAN, or Optional interface. The Edit Interface property sheet appears.
  5. Configure the interface settings:

Edit Interface Settings

Figure 91: Edit Interface

For LAN, DMZ, or Multicast interfaces, configure the following settings:

WAN Settings

Figure 92: WAN Settings

For WAN interfaces, select how the WAN connects to the Internet from the IP Assignment list box and configure those settings:

Configuring VLAN Sub-Interfaces

When you add a VLAN sub-interface, you need to assign it to a Zone, assign it a VLAN Tag, and assign it to a physical interface. Based on your zone assignment, you configure the VLAN sub-interface the same way you configure a physical interface for the same zone.

Adding a virtual interface

  1. In the left-navigation menu, click Network and then Interfaces to display the Network > Interfaces page.
  2. At the bottom of the Interface Settings table, click Add Interface. The Edit Interface window displays.

  Figure 93: Add Interface

  3. Select a Zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone. The zone assignment does not have to be the same as the parent (physical) interface. In fact, the parent interface can even remain Unassigned.
  4. Your configuration choices for the network settings of the sub-interface depend on the zone you select:

    • LAN, DMZ, or a custom zone of Trusted type: Static or Transparent
    • WAN or a custom zone of Untrusted type: DHCP, Static, PPPoE, PPTP, or L2TP
    • WLAN or a custom Wireless zone: static IP only (no IP Assignment list)
  5. Assign a VLAN tag (ID) to the sub-interface. Valid VLAN IDs are 1 to 4095, although some switches reserve VLAN 1 for native VLAN designation. You will need to create a VLAN sub-interface with a corresponding VLAN ID for each VLAN you wish to secure with your security appliance.
  6. Declare the parent (physical) interface to which this sub-interface will belong. There is no per-interface limit to the number of sub-interfaces you can assign; you may assign sub-interfaces up to the system limit (200 for the PRO 4060, 400 for the PRO 5060).
  7. Configure the sub-interface network settings based on the zone you selected. Select the management and user-login methods for the sub-interface.
  8. Click OK.

The virtual interface displays in the VLAN Interfaces table below the Interfaces table.

Figure 94: Interfaces Page with VLAN Sub-interfaces

Click the Edit Icon of the VLAN sub-interface to edit its settings.

WAN Failover and Load Balancing

WAN Failover enables you to configure one of the user-defined interfaces as a secondary WAN port. The secondary WAN port can be used in a simple "active/passive" setup that routes traffic through the secondary WAN port only if the Primary WAN port is unavailable. This allows the SonicWALL to maintain a persistent connection for WAN port traffic by "failing over" to the secondary WAN port.

This feature also allows you to perform simple load balancing for the WAN traffic on the SonicWALL. You can select a method of dividing the outbound WAN traffic between the two WAN ports and balance network traffic.

The SonicWALL can monitor WAN traffic using Physical Monitoring, which detects whether the link is unplugged or disconnected, or Physical and Logical Monitoring, which monitors traffic at a higher level, such as upstream connectivity interruptions.

Note: Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings.

To configure the WAN Failover for a SonicWALL appliance, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click WAN Failover & LB. The WAN Failover & LB page appears (Figure 95).

  Figure 95: WAN Failover & LB Page

  4. Select the Enable Load Balancing check box.
  5. Select the secondary interface from the Secondary WAN Interface list box.

  Note: If no secondary WAN interface has been configured, you will need to configure one from the Network | Interfaces page.

  6. Specify how often the SonicWALL appliance checks the interface (5-300 seconds) in the Check interface every field (default: 5 seconds).
  7. Specify the number of times the SonicWALL appliance must test the interface as inactive before failing over (default: 3). For example, if the SonicWALL appliance tests the interface every 5 seconds and finds the interface inactive after 3 successive attempts, it fails over to the secondary interface after 15 seconds.
  8. Specify the number of times the SonicWALL appliance must test the interface as active before failing back to the primary interface (default: 3). For example, if the SonicWALL appliance tests the interface every 5 seconds and finds the interface active after 3 successive attempts, it fails back to the primary interface after 15 seconds.
  9. To configure outbound load balancing, select one of the following:
    • Basic Active/Passive Failover - The SonicWALL appliance does not load-balance outbound traffic and uses the secondary interface only when the primary fails. To configure the SonicWALL appliance to fail back to the primary interface when it becomes available, select the Preempt and failback to Primary WAN when possible check box.
    • Per Connection Round-Robin - The SonicWALL appliance load-balances outbound traffic using an alternating (round-robin) method.
    • Spillover-Based - The SonicWALL appliance load-balances outbound traffic when the primary WAN exceeds the bandwidth setting that you specify in the Send traffic to Secondary WAN when bandwidth exceeds field.
    • Percentage-Based - The SonicWALL appliance load-balances outbound traffic according to the percentages that you specify in the Primary WAN Percentage and Secondary WAN Percentage fields.
  10. The SonicWALL appliance can monitor the WAN either by detecting whether the link is unplugged or disconnected, or by sending probes to the IP address of an "always available" upstream device on the WAN network, such as an ISP-side router. To enable probe monitoring, select the Enable Probe Monitoring check box and configure the following settings:
    • Primary WAN Probe Settings - Select the protocol used for monitoring and enter the IP address and port (TCP only) of the probe target. If there is an optional probe target, specify these settings for it as well and select whether the SonicWALL appliance must test both targets or either target.
    • Secondary WAN Probe Settings - Select the protocol used for monitoring and enter the IP address and port (TCP only) of the secondary probe target. If there is an optional secondary probe target, specify these settings for it as well and select whether the SonicWALL appliance must test both targets or either target.
  11. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
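The failover timing described in this procedure (the Check interface every interval, the inactive and active probe counts, the Preempt and failback option, and the both/either probe-target choice) modelled as an added example; this is illustrative code, not SonicWALL or GMS code, and the FailoverMonitor class, its field names and the probe sequences fed to it are constructed for the example.

```python
"""WAN failover/failback monitor model (added example; not SonicWALL or GMS code).

The primary WAN is probed every `interval` seconds. A run of
`inactive_threshold` failed probes triggers failover to the secondary WAN;
when preempt is enabled, a run of `active_threshold` successful probes
triggers failback. A probe may have an optional second target whose result
is combined with the main target using the "both" or "either" rule.
All names, settings and probe sequences here are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FailoverMonitor:
    interval: int = 5             # "Check interface every" (seconds)
    inactive_threshold: int = 3   # inactive probes before failing over
    active_threshold: int = 3     # active probes before failing back
    preempt: bool = True          # "Preempt and failback to Primary WAN when possible"
    target_mode: str = "either"   # combine main and optional probe targets: "both" or "either"
    active_wan: str = "primary"   # which WAN currently carries traffic
    elapsed: int = 0              # seconds since monitoring started
    events: List[Tuple[int, str]] = field(default_factory=list)
    _inactive_run: int = 0
    _active_run: int = 0

    def probe_up(self, main_ok: bool, optional_ok: Optional[bool]) -> bool:
        """Combine the main probe target with the optional one, if configured."""
        if optional_ok is None:
            return main_ok
        if self.target_mode == "both":
            return main_ok and optional_ok
        return main_ok or optional_ok

    def step(self, main_ok: bool, optional_ok: Optional[bool] = None) -> str:
        """Consume one probe cycle and return the WAN carrying traffic afterwards."""
        self.elapsed += self.interval
        if self.probe_up(main_ok, optional_ok):
            self._active_run += 1
            self._inactive_run = 0      # one good probe resets the failover count
        else:
            self._inactive_run += 1
            self._active_run = 0        # one bad probe resets the failback count

        if self.active_wan == "primary" and self._inactive_run >= self.inactive_threshold:
            self.active_wan = "secondary"
            self.events.append((self.elapsed, "failover"))
            self._inactive_run = 0
        elif (self.active_wan == "secondary" and self.preempt
              and self._active_run >= self.active_threshold):
            self.active_wan = "primary"
            self.events.append((self.elapsed, "failback"))
            self._active_run = 0
        return self.active_wan


def run_scenario(probes, **settings) -> Tuple[str, List[Tuple[int, str]]]:
    """Feed a constructed probe sequence to a monitor and return (active WAN, events).

    Each probe is a bool for the main target, or a (main, optional) tuple."""
    mon = FailoverMonitor(**settings)
    for p in probes:
        if isinstance(p, tuple):
            mon.step(*p)
        else:
            mon.step(p)
    return mon.active_wan, mon.events


if __name__ == "__main__":
    # Defaults (5 s x 3 probes): failover at 15 s, failback at 30 s.
    print(run_scenario([False] * 3 + [True] * 3))
    # A single good probe in between resets the count, so no failover occurs.
    print(run_scenario([False, False, True, False, False]))
```

The second scenario shows why the count is consecutive: a flapping link that answers one probe in three never reaches the failover threshold, which is the behaviour to keep in mind when choosing the interval and counts.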

Configuring Zones

A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following a strict physical interface scheme. There are four fixed Zone types: Trusted, Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones. These fixed Zone types cannot be modified or deleted. A Zone instance is created from a Zone type and named accordingly, e.g., Sales or Finance.

Only the number of interfaces limits the number of Zone instances for Trusted and Untrusted Zone types. The Untrusted Zone type (i.e., the WAN) is restricted to two Zone instances. The Encrypted Zone type is a special system Zone comprising all VPN traffic and does not have any associated interfaces.

Trusted and Public Zone types offer an option, Interface Trust, to automate the creation of Access Rules to allow traffic to flow between the Interfaces of a Zone instance. For example, if the LAN Zone has interfaces X0, X3, and X5 assigned to it, checking Allow Interface Trust on the LAN Zone creates the necessary Access Rules to allow hosts on these Interfaces to communicate with each other.

To add or edit a Zone, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click Zones. The Zones page appears (Figure 96).

  Figure 96: Zones Page

  4. Click the Edit Icon for a Zone or click Add New Zone. The Edit Zone or Add Zone dialog box appears.

  Figure 97: Adding or Editing a Zone

  5. If this is a new Zone, enter a name for the Zone.
  6. Select the Security Type.
  7. To configure the SonicWALL appliance to automatically create the rules that allow data to flow freely between interfaces in the same Zone, select the Allow Interface Trust check box.
  8. To enforce content filtering on multiple interfaces in the same Trusted or Public Zone, select the Enforce Content Filtering Service check box.
  9. To enforce network anti-virus protection on multiple interfaces in the same Trusted or Public Zone, select the Enforce Network Anti-Virus Service check box.
  10. To enforce gateway anti-virus protection on multiple interfaces in the same Trusted or Public Zone, select the Enable Gateway Anti-Virus Service check box.
  11. To enforce Intrusion Prevention Services (IPS) on multiple interfaces in the same Trusted or Public Zone, select the Enable IPS check box.
  12. To enforce security policies for Global Security Clients on multiple interfaces in the same Trusted or Public Zone, select the Enforce Global Security Clients check box.
  13. To automatically create a GroupVPN policy for this zone, select the Create Group VPN check box.
  14. When you are finished, click Update. The Zone is modified or added for the selected SonicWALL appliance. To clear all settings and start over, click Reset.

Configuring DNS

Domain Name System (DNS) is the Internet standard for locating domain names and translating them into IP addresses. To configure DNS, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click DNS. The DNS page appears (Figure 98).

  Figure 98: DNS Page

  4. Select one of the following:
    • To specify DNS servers manually, select Specify DNS Servers Manually and enter the IP addresses of two or three DNS servers.
    • To inherit the DNS settings from the WAN Zone configuration, select Inherit DNS Settings Dynamically from WAN Zone.
  5. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Dynamic DNS

Dynamic DNS (DDNS) is a service provided by various companies and organizations that allows hosts with dynamically changing IP addresses to update their DNS records automatically, without manual intervention. This service allows network access using domain names rather than IP addresses, even when the target's IP address changes.

To configure Dynamic DNS on the SonicWALL security appliance, perform these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click Dynamic DNS. The Dynamic DNS page appears (Figure 99).

  Figure 99: Dynamic DNS Page

  4. Click Add Dynamic DNS Profile. The Add Dynamic DNS Profile window is displayed (Figure 100).

  Figure 100: Add Dynamic DNS Profile

  5. Select the Provider from the drop-down list at the top of the page. This example uses DynDNS.org, which requires the selection of a service. This example assumes you have created a dynamic service record with dyndns.org.
  6. Enter a name to assign to the DDNS entry in the Profile Name field. This can be any value used to identify the entry in the Dynamic DNS Settings table.
  7. If Enable this profile is checked, the profile is administratively enabled, and the SonicWALL security appliance takes the actions defined in the Online Settings section on the Advanced tab.
  8. If Use Online Settings is checked, the profile is administratively online.
  9. Enter your dyndns.org username and password in the User Name and Password fields.
  10. Enter the fully qualified domain name (FQDN) of the hostname you registered with dyndns.org in the Domain Name field. Make sure you provide the same hostname and domain that you configured with the provider.
  11. You may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Backup MX if your DDNS provider allows the specification of an alternative IP address for the MX record.
  12. Click the Advanced tab. You can typically leave the default settings on this page (Figure 101).

  Figure 101: Advanced Tab

  13. The On-line Settings section provides control over what address is registered with the dynamic DNS provider. The options are:
      • Let the server detect IP Address - The dynamic DNS provider determines the IP address based upon the source address of the connection. This is the most common setting.
      • Automatically set IP Address to the Primary WAN Interface IP Address - This causes the SonicWALL device to assert its WAN IP address as the registered IP address, overriding auto-detection by the dynamic DNS server. Useful if detection is not working correctly.
      • Specify IP Address manually - Allows the IP address to be registered to be specified and asserted manually.
  14. The Off-line Settings section controls what IP address is registered with the dynamic DNS service provider if the dynamic DNS entry is taken off-line locally (disabled) on the SonicWALL. The options are:
      • Do nothing - The default setting. This allows the previously registered address to remain current with the dynamic DNS provider.
      • Use the Off-Line IP Address previously configured at Providers site - If your provider supports manual configuration of Off-Line Settings, you can select this option to use those settings when this profile is taken administratively offline.
      • Make Host Unknown - Unregisters the entry.
      • Specify IP Address manually -
  15. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Address Objects

An Address Object is a host, network, or IP address range. An Address Object Group is a group of Address Objects or other Address Object Groups. Once defined, you can quickly establish NAT Policies, VPN Security Associations (SAs), firewall rules, and DHCP settings between Address Objects and Address Object Groups without individual configuration.

All SonicWALL appliances come with a group of pre-defined default network objects. These include subnets for each interface, interface IP addresses for each interface, management IP addresses, and more.

Creating an Address Object

To create an address object, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click Address Objects. The Address Objects page appears (Figure 102).

  Figure 102: Address Objects Page

  4. Scroll to the bottom of the page and click Add New Address Object.

  Figure 103: Adding an Address Object

  5. Enter a name for the Address Object in the Name field.
  6. Select from the following:
    • To specify an individual IP address, select Host from the Type field and enter the IP address.
    • To specify an IP address range, select Range from the Type field and enter the starting and ending IP addresses.
    • To specify a network, select Network from the Type field and enter the IP address and subnet mask.
  7. Select the zone to which this Address Object will be assigned from the Zone Assignment list box.
  8. When you are finished, click OK.
  9. Repeat this procedure for each Address Object to add.

Network Address Object Deletion

GMS now enables you to delete a single address object more conveniently. To delete a network address object, perform the following steps:

  1. Navigate to the Policies Panel.
  2. Go to the Network > Settings page.
  3. Click the Trashcan icon of the address object to delete.

Creating an Address Object Group

To create an Address Object Group, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click Address Objects. The Address Objects page appears (Figure 104).

  Figure 104: Address Objects Page

  4. Scroll down and click Add New Group.

  Figure 105: Adding an Address Object Group

  5. Enter a name for the Address Object Group in the Name field.
  6. Select an object or group that will be a part of the Address Object Group and click the right arrow.
  7. Repeat Step 6 for each object or group to add.
  8. When you are finished, click OK.
  9. Repeat this procedure for each Address Object Group to add.

Configuring Network Address Translation

SonicWALL appliances support Network Address Translation (NAT). NAT is the automated translation of IP addresses between different networks. For example, a company might use private IP addresses on a LAN that are represented by a single IP address on the WAN side of the SonicWALL appliance.

SonicWALL appliances support two types of NAT:

Common Types of Mapping

SonicWALL supports several types of address mapping. These include

SonicWALL NAT Policy Fields

When configuring a NAT Policy, you will configure a group of settings that specify how the IP address originates and how it will be translated. Additionally, you can apply a group of filters that allow you to apply different policies to specific services and interfaces.

Common Configuration Types

One-to-One Mapping

To configure one-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP address in the Original Source field and the public IP address that will be used to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

Note: If you map more than one private IP address to the same public IP address, the private IP addresses will automatically be configured for port mapping or NAPT.

To configure one-to-one mapping from the public network to the private network, select the Address Object that corresponds to the public network IP address in the Original Destination field and the private IP address that will be used to reach the server in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

Note: If you map one public IP address to more than one private IP address, the public IP addresses will be mapped to the first private IP address. Load balancing is not supported. Additionally, you must set the Original Source to Any.

Many-to-One Mapping

To configure many-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP address that will be used to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

Note: You can also specify Any in the Original Source field and the Address Object of the LAN interface in the Translated Source field.

Many-to-Many Mapping

To configure many-to-many mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP addresses to which they will be mapped in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

Note: If the IP address range specified in the Original Source is larger than the Translated Source, the SonicWALL appliance will use port mapping or NAPT. If the Translated Source is equal to or larger than the Original Source, addresses will be individually mapped.

To configure many-to-many mapping from the public network to the private network, select the Address Object that corresponds to the public network IP addresses in the Original Destination field and the IP addresses on the private network in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

Note: If the IP address range specified in the Original Destination is smaller than the Translated Destination, the original addresses will be individually mapped to the first IP addresses in the translated range. If the Translated Destination is equal to or smaller than the Original Destination, addresses will be individually mapped.
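The mapping rules in the notes above (port mapping or NAPT when there are more original than translated source addresses, positional one-to-one mapping otherwise, and inbound mapping to the first private address with no load balancing) applied to Host, Range and Network Address Objects, as an added example. This is illustrative code, not SonicWALL's NAT engine or GMS code; the helper names and all addresses are constructed for the example.

```python
"""NAT mapping-mode helper (added example; not SonicWALL or GMS code).

Reports how a NAT Policy's Original/Translated pair behaves under the rules
stated in the notes above, for Address Objects of type Host, Range or Network:
  - outbound (source) rules: more original than translated addresses means
    port mapping (NAPT); otherwise each original address is mapped to the
    translated address at the same position;
  - inbound (destination) rules: addresses are mapped by position, so one
    public address mapped to several private ones reaches only the first
    private address (no load balancing), and Original Source must be Any.
All object names and addresses below are constructed for the example.
"""
import ipaddress
from typing import Dict, List

Addr = ipaddress.IPv4Address


def address_object(kind: str, *args: str) -> List[Addr]:
    """Expand a Host, Range or Network Address Object into its list of addresses."""
    if kind == "Host":
        return [Addr(args[0])]
    if kind == "Range":
        first, last = Addr(args[0]), Addr(args[1])
        if last < first:
            raise ValueError("range end precedes range start")
        return [Addr(int(first) + i) for i in range(int(last) - int(first) + 1)]
    if kind == "Network":
        # args: network address and subnet mask, as entered in the Add Address Object dialog
        return list(ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False))
    raise ValueError(f"unknown Address Object type: {kind}")


def plan_source_nat(original: List[Addr], translated: List[Addr]) -> Dict:
    """Outbound policy: Original Source -> Translated Source."""
    if len(original) > len(translated):
        # Many-to-one, or many-to-many with a smaller public pool: port mapping (NAPT).
        return {"mode": "NAPT", "pool": translated}
    # Translated pool is equal or larger: one-to-one by position; surplus public addresses stay unused.
    return {"mode": "one-to-one", "map": dict(zip(original, translated))}


def plan_destination_nat(original: List[Addr], translated: List[Addr],
                         original_source: str = "Any") -> Dict:
    """Inbound policy: Original Destination -> Translated Destination."""
    if original_source != "Any":
        raise ValueError("inbound one-to-one mapping requires Original Source = Any")
    mapping = dict(zip(original, translated))
    # Assumption for this example: original destinations beyond the translated pool get no target.
    return {"mode": "one-to-one", "map": mapping, "unmapped": original[len(translated):]}


def describe(plan: Dict) -> str:
    """One-line summary of a plan, for reviewing a policy before deployment."""
    if plan["mode"] == "NAPT":
        return f"NAPT via {len(plan['pool'])} public address(es)"
    pairs = ", ".join(f"{o}->{t}" for o, t in plan["map"].items())
    return f"one-to-one: {pairs}"


if __name__ == "__main__":
    lan = address_object("Network", "192.168.10.0", "255.255.255.0")   # constructed LAN subnet
    wan_ip = address_object("Host", "203.0.113.5")                     # constructed WAN address
    print(describe(plan_source_nat(lan, wan_ip)))                      # many-to-one: NAPT
    servers = address_object("Range", "10.0.0.10", "10.0.0.12")
    public = address_object("Range", "203.0.113.10", "203.0.113.12")
    print(describe(plan_source_nat(servers, public)))                  # many-to-many, equal size
    print(describe(plan_destination_nat(address_object("Host", "203.0.113.20"),
                                        address_object("Range", "10.0.0.20", "10.0.0.22"))))
```

The inbound case in the last line is the one the note warns about: the public host lands on 10.0.0.20 only, so publishing a pool of servers this way does not spread load.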

Configuring NAT Policies

To configure NAT Policies, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click NAT Policies. The NAT Policies page appears (Figure 106).

  Figure 106: NAT Policies Page

  4. To edit an existing policy, click its Edit Icon. To add a new policy, click Add NAT Policy.

  Figure 107: NAT Policies Page

  5. Configure the following:
    • Original Source - Used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range.
    • Translated Source - Specifies the IP address or IP address range to which the original source will be mapped.
    • Original Destination - Used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range.
    • Translated Destination - Specifies the IP address or IP address range to which the original destination will be mapped.
    • Original Service - Used to filter source addresses by service, this field specifies a Service Object that can be a single service or group of services.
    • Translated Service - Used to filter destination addresses by service, this field specifies a Service Object that can be a single service or group of services.
    • Source Interface - Filters source addresses by interface.
    • Destination Interface - Filters destination addresses by interface.
  6. To enable the NAT policy, select the Enable check box.
  7. Add any comments to the Comments field.
  8. When you are finished, click Update. The policy is added and you are returned to the NAT Policies screen.
  9. Repeat Steps 4 through 8 for each policy to add.

Configuring Web Proxy Forwarding Settings

A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.

Setting up a Web proxy server on a network can be cumbersome, because each computer on the network must be configured to direct Web requests to the server.

If there is a proxy server on the SonicWALL appliance's network, you can place the SonicWALL appliance between the network and the proxy server and enable Web Proxy Forwarding. This forwards all WAN requests to the proxy server without requiring the computers to be individually configured.

To configure Web Proxy Forwarding settings, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click Web Proxy. The Web Proxy page appears (Figure 108).

  Figure 108: Web Proxy Page

  4. Enter the name or IP address of the proxy server in the Proxy Web Server field.
  5. Enter the proxy IP port in the Proxy Web Server Port field.
  6. To bypass the proxy server if a failure occurs, select the Bypass Proxy Servers Upon Proxy Server Failure check box.
  7. If you have clients configured on the DMZ, select the Forward DMZ Client Requests to Proxy Server check box.
  8. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Policy-Based Routing

If you have routers on your interfaces, you can configure the SonicWALL appliance to route network traffic to specific predefined destinations.

Static routes must be defined if the network connected to an interface is segmented into subnets, either for size or practical considerations. For example, a subnet can be created to isolate a section of a company, such as finance, from network traffic on the rest of the LAN, DMZ, or WAN.

To add static routes, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click Routing. The Routing page appears (Figure 109).

  Figure 109: Routing Page

  4. Click Add Route Policy.

  Figure 110: Routing Page

  5. Select the source address object from the Source list box.
  6. Select the destination address object from the Destination list box.
  7. Specify the type of service that will be routed from the Service list box.
  8. Select the address object that will act as the gateway for packets matching these settings.
  9. Select the interface through which these packets will be routed from the Interface list box.
  10. Specify the RIP metric in the Metric field.
  11. When you are finished, click Update. The route settings are configured for the selected SonicWALL appliance(s). To clear all screen settings and start over, click Reset.
  12. Repeat Steps 4 through 11 for each route to add.
  13. When you are finished, click Update. The settings are saved.

Configuring Routing Information Protocol

Routing Information Protocol (RIP) is a distance-vector routing protocol that is commonly used in small homogeneous networks. Using RIP, a router will periodically send its entire routing table to its closest neighbor, which passes the information to its next neighbor, and so on. Eventually, all routers within the network will have the information about the routing paths. When attempting to route packets, a router will check the routing table and select the path that requires the fewest hops.

SonicWALL appliances support RIPv1 or RIPv2 to advertise their static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 and RIPv2 based on your router's capabilities or configuration. RIPv1 is an earlier version of the protocol that has fewer features, and it also sends packets via broadcast instead of multicast. RIPv2 packets are backwards-compatible and can be accepted by some RIPv1 implementations that provide an option of listening for multicast packets. The RIPv2 Enabled (broadcast) selection, which broadcasts packets instead of multicasting them, is for heterogeneous networks with a mixture of RIPv1 and RIPv2 routers.

To configure RIP, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click RIP (ENH). The RIP (ENH) page appears (Figure 111).

  Figure 111: RIP Page

  4. Click the Edit Icon for an interface. The Edit Route Advertising Settings dialog box appears.

  Figure 112: Edit Route Advertising Settings Dialog Box

  5. Select the RIP version from the RIP Advertisements list box:
      • RIPv1 Enabled - The first version of RIP.
      • RIPv2 Enabled (multicast) - Sends route advertisements using multicasting (a single data packet to specific nodes on the network).
      • RIPv2 Enabled (broadcast) - Sends route advertisements using broadcasting (a single data packet to all nodes on the network).
  6. To advertise static routes that you specified on the Routes page, select the Advertise Static Routes check box.
  7. To advertise remote VPN networks that you specified on the Routes page, select the Advertise Remote VPN Networks check box.
  8. To set the amount of time between a VPN tunnel state change and the time the change is advertised, enter a value in the Route Change Damp Time field (default: 30 seconds).
  9. To specify the number of advertisements that are sent after a route is deleted, enter a value in the Deleted Route Advertisements field (default: 5 advertisements).
  10. By default, the connection between this router and its neighbor counts as one hop. However, there are cases where you want to discourage or reduce the use of this route by adding additional hops. To change the hop count of this route, enter the number of hops in the Route Metric field.
  11. Optional. If RIPv2 is selected from the RIP Advertisements list box, you can enter a value for the Route Tag. This value is implementation-dependent and provides a mechanism for routers to classify the originators of RIPv2 advertisements.
  12. Optional. Select from the following RIPv2 Authentication options:
    • User Defined - Enter 4 hex digits in the Authentication Type field and 32 hex digits in the Authentication Data field.
    • Cleartext Password - Enter a password (16 characters or less) in the Authentication Password field.
    • MD5 Digest - Enter a numerical value from 0-255 in the Authentication Key-Id field. Enter a 32 hex digit value for the Authentication Key field, or use the generated key.
  13. When you are finished, click Update. The settings are changed for the SonicWALL appliance. To clear all screen settings and start over, click Reset.
  14. Repeat this procedure for each interface to configure.

Configuring Advanced Routing Services

SonicOS Enhanced 3.0 running on the PRO4060 and PRO5060 offers the option of enabling Advanced Routing Services (ARS). Advanced Routing Services provides full advertising and listening support for the Routing Information Protocol (RIPv1, RFC 1058, and RIPv2, RFC 2453) and Open Shortest Path First (OSPFv2, RFC 2328). Advanced Routing Services should be enabled only in environments that require support for one or both of these dynamic routing protocols.

This section provides configuration procedures to enable Advanced Routing services.

To configure Advanced Routing, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click RIP (ENH). The RIP (ENH) page appears (Figure 113).

  Figure 113: RIP Page

  4. Select Use Advanced Routing and click Update. The RIP (ENH) page displays the advanced routing settings.

  Figure 114: RIP Page

Configuring RIP

  1. Click the Edit Icon () for an interface in the Edit column for RIP. The Edit RIP Route Advertisement dialog box appears (Figure 115).

  Figure 115: Edit RIP Route Advertisement Dialog Box

  2. Select the RIP mode from the RIP list box:
      • Disabled - RIP is disabled on this interface.
      • Send and Receive - The RIP router on this interface sends updates and processes received updates.
      • Send Only - The RIP router on this interface only sends updates and does not process received updates. This is similar to the basic routing implementation.
      • Receive Only - The RIP router on this interface only processes received updates.
      • Passive - The RIP router on this interface does not process received updates, and only sends updates to the neighboring RIP routers specified with the CLI 'neighbor' command. This mode should only be used when configuring advanced RIP options from the ars-rip CLI.
  3. If you selected Send and Receive or Receive Only, select one of the following options from the Receive list box:
      • RIPv1 - Receive only broadcast RIPv1 packets.
      • RIPv2 - Receive only multicast RIPv2 packets. RIPv2 packets are normally sent by multicast, although some RIP router implementations (including basic routing on SonicWALL devices) can send RIPv2 in either broadcast or multicast format.
  4. If you selected Send and Receive or Send Only, select one of the following options from the Send list box:
      • RIPv1 - Send only broadcast RIPv1 packets.
      • RIPv2 - v1 compatible - Send only broadcast RIPv2 packets.
      • RIPv2 - Send only multicast RIPv2 packets. RIPv2 packets are normally sent by multicast, although some RIP router implementations (including basic routing on SonicWALL devices) can send RIPv2 in either broadcast or multicast format.
  5. To suppress the inclusion of routes in updates sent to the routers from which they were learned, select Split Horizon. This is a common RIP mechanism for preventing routing loops.
  6. Select Poison Reverse as an optional mode of Split Horizon operation. Rather than suppressing the inclusion of learned routes, the routes are sent with a metric of infinity (16), indicating that they are unreachable.
  7. To enable the use of a plain-text password on this interface, select Use Password and enter a password of up to 16 alphanumeric characters in the Password (Max 16 chars.) field.
  8. When you are finished, click Update. The settings are changed for the SonicWALL appliance. To clear all screen settings and start over, click Reset.
  9. Repeat this procedure for each interface to configure.
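The RIPv2 authentication choices in the route advertising procedure (a cleartext password, or keyed MD5 with a Key-Id and a 32 hex digit key) and the Split Horizon and Poison Reverse options in the RIP procedure are easier to reason about with the packet format in hand. The following Python example is added here as an illustration; it is not SonicWALL or GMS code. It builds RIPv2 Response packets with no authentication, a cleartext password, or the keyed-MD5 trailer of RFC 2082, verifies the digest the way a receiving router would, parses the route entries (a metric of 16 marks a poisoned, unreachable route), and applies split horizon or poison reverse to an outgoing update. The key, key id, interface names and prefixes are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# RIPv2 constants from RFC 2453 and RFC 2082
RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF               # entry carries authentication instead of a route
AUTH_SIMPLE, AUTH_MD5 = 2, 3    # "Cleartext Password" and "MD5 Digest" options
AUTH_TRAILER = 1                # type value of the MD5 digest trailer entry
METRIC_INFINITY = 16            # unreachable, as advertised by poison reverse
ENTRY_FMT = "!HH4s4s4sI"        # AFI, route tag, prefix, mask, next hop, metric


def _route_entry(prefix, mask, next_hop, metric, tag=0):
    return struct.pack(ENTRY_FMT, 2, tag, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def build_rip_response(routes, auth=None):
    """routes: [(prefix, mask, next_hop, metric, tag)];
    auth: None, ("simple", password) or ("md5", key_id, key16, sequence)."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_route_entry(*r) for r in routes)
    if auth is None:
        return header + body
    if auth[0] == "simple":
        password = auth[1].encode()
        if len(password) > 16:
            raise ValueError("simple password is at most 16 bytes")
        entry = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.ljust(16, b"\0"))
        return header + entry + body          # the password is readable on the wire
    if auth[0] == "md5":
        _, key_id, key, seq = auth
        if len(key) != 16 or not 0 <= key_id <= 255:
            raise ValueError("key must be 16 bytes (32 hex digits) and key id 0-255")
        # RFC 2082 header entry: trailer offset, key id, digest length, sequence, 8 zero bytes
        trailer_offset = len(header) + 20 + len(body)
        entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, trailer_offset, key_id, 16, seq, bytes(8))
        trailer_head = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
        # digest over everything up to and including the trailer head, with the key appended
        digest = hashlib.md5(header + entry + body + trailer_head + key).digest()
        return header + entry + body + trailer_head + digest
    raise ValueError("unknown authentication kind: %r" % (auth[0],))


def classify_auth(pkt):
    """'none', 'simple', 'md5' or 'unknown', judged from the first entry after the header."""
    if len(pkt) < 24:
        return "none"
    afi, kind = struct.unpack("!HH", pkt[4:8])
    if afi != AFI_AUTH:
        return "none"
    return {AUTH_SIMPLE: "simple", AUTH_MD5: "md5"}.get(kind, "unknown")


def verify_md5(pkt, keys):
    """Recompute the RFC 2082 digest; keys maps key id -> 16-byte key."""
    if classify_auth(pkt) != "md5":
        return False
    trailer_offset, key_id, digest_len, _seq = struct.unpack("!HBBI", pkt[8:16])
    key = keys.get(key_id)
    if key is None or digest_len != 16 or len(pkt) != trailer_offset + 20:
        return False
    trailer = pkt[trailer_offset:]
    if trailer[:4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False
    expected = hashlib.md5(pkt[:trailer_offset + 4] + key).digest()
    return hmac.compare_digest(expected, trailer[4:])   # constant-time comparison


def parse_routes(pkt):
    """Route entries as (prefix, mask, next_hop, metric, tag); metric 16 means unreachable."""
    kind = classify_auth(pkt)
    start = 4 if kind == "none" else 24
    end = struct.unpack("!H", pkt[8:10])[0] if kind == "md5" else len(pkt)
    routes = []
    for off in range(start, end, 20):
        afi, tag, p, m, nh, metric = struct.unpack(ENTRY_FMT, pkt[off:off + 20])
        if afi == 2:   # AF_INET
            routes.append((socket.inet_ntoa(p), socket.inet_ntoa(m), socket.inet_ntoa(nh), metric, tag))
    return routes


def outgoing_update(table, out_iface, poison_reverse=False):
    """Routes to advertise out of out_iface. table: [(prefix, mask, metric, learned_on)].
    Routes learned on out_iface are omitted (split horizon) or sent with metric 16 (poison reverse)."""
    update = []
    for prefix, mask, metric, learned_on in table:
        if learned_on == out_iface:
            if poison_reverse:
                update.append((prefix, mask, "0.0.0.0", METRIC_INFINITY, 0))
            continue
        update.append((prefix, mask, "0.0.0.0", metric, 0))
    return update
```

Running classify_auth over captured updates is a quick audit of a segment: an interface whose updates come back as 'none' or 'simple' is exchanging routing information without a keyed check (the simple password travels in the packet as-is), whereas with the MD5 option a wrong key, an unknown key id or a single changed metric byte makes verify_md5 return False.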

Configuring OSPF

  1. Click the Edit Icon () for an interface in the Edit column for OSPF. The Edit OSPF Route Advertisement dialog box appears (Figure 116).

  Figure 116: Edit OSPF Route Advertisement Dialog Box

  2. Select one of the following options from the OSPFv2 list box:
      • Disabled - The OSPF router is disabled on this interface.
      • Enabled - The OSPF router is enabled on this interface.
      • Passive - The OSPF router is enabled on this interface, but only advertises connected networks using type 1 LSAs (Router Link Advertisements) into the local area. This is different from the 'Redistribute Connected Networks' option, which causes the OSPF router to behave as an ASBR and to use type 5 LSAs (AS External Link Advertisements) to flood the advertisements into all non-stub areas. See the 'OSPF Terms' section for more information.
  3. Specify the OSPF area, in either IP or decimal notation, in the OSPF Area field.
  4. Select one of the following options from the OSPFv2 Area Type list box:
      • Normal
      • Stub Area
      • Totally Stubby Area
      • Not-So-Stubby Area
  5. In the Dead Interval field, specify the period after which an entry in the LSDB is removed if no Hello is received. The default is 40 seconds, with a minimum of 1 and a maximum of 65,535. Be sure this value agrees with the other OSPF routers on the segment for successful neighbor establishment.
  6. In the Hello Interval field, specify the period of time between Hello packets. The default is 10 seconds, with a minimum of 1 and a maximum of 65,535. Be sure this value agrees with the other OSPF routers on the segment for successful neighbor establishment.
  7. In the Interface Cost field, specify the overhead of sending packets across this interface. The default value is 10, generally used to indicate an Ethernet interface. The minimum value is 1 (e.g. Fast Ethernet) and the maximum value is 65,535.
  8. In the Router Priority field, specify the router priority value used in determining the Designated Router (DR) for a segment. The higher the value, the higher the priority. In the event of a priority tie, the Router ID acts as the tie-breaker. Setting a value of 0 makes the OSPF router on this interface ineligible for DR status. The default value is 1, and the maximum value is 255.
  9. Specify one of the following authentication methods from the Authentication list box. Be sure this setting agrees with the other OSPF routers on the segment for successful neighbor establishment.
      • Disabled - No authentication is used on this interface.
      • Simple Password - A plain-text password is used for identification purposes by the OSPF router on this interface.
      • Message Digest - An MD5 hash is used to securely identify the OSPF router on this interface.
  10. If you selected Simple Password in the Authentication list box, enter a password of up to 16 alphanumeric characters in the Password (Max 16 chars.) field.
  11. When you are finished, click Update. The settings are changed for the SonicWALL appliance. To clear all screen settings and start over, click Reset.
  12. Repeat this procedure for each interface to configure.
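Several of the OSPF fields above (area, Dead Interval, Hello Interval and Authentication) must agree across every router on a segment, and the Router Priority field decides the Designated Router. The following Python example is added here as an illustration; it is not SonicWALL or GMS code. It normalises an area id given in IP or decimal notation to its 32-bit value, range-checks the interval, cost and priority fields against the limits stated in the procedure, lists the settings that would stop two routers from becoming neighbors, and picks the DR the way the Router Priority step describes it (highest priority wins, Router ID breaks ties, priority 0 is ineligible). Router IDs and areas are constructed sample values, and the dead-exceeds-hello check is an added best-practice check rather than a limit enforced by the dialog.

```python
import socket
from dataclasses import dataclass


@dataclass
class OspfInterface:
    """The per-interface OSPF settings from the Edit OSPF Route Advertisement dialog."""
    router_id: str           # dotted quad; tie-breaker for the DR election
    area: str                # "0.0.0.1" or "1" both mean area 1
    hello: int = 10          # seconds between Hello packets
    dead: int = 40           # seconds without a Hello before the neighbor is dropped
    cost: int = 10           # interface cost (10 = Ethernet, 1 = Fast Ethernet in the dialog)
    priority: int = 1        # 0 = never becomes DR
    auth: str = "disabled"   # "disabled", "simple" or "md5"


def _rid_value(router_id):
    return int.from_bytes(socket.inet_aton(router_id), "big")


def area_id(text):
    """Normalise an area written in IP or decimal notation to its 32-bit value."""
    if "." in text:
        return int.from_bytes(socket.inet_aton(text), "big")
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("area id must fit in 32 bits")
    return value


def validate(iface):
    """Range checks matching the limits stated for the dialog; returns a list of problems."""
    problems = []
    for name, value in (("hello", iface.hello), ("dead", iface.dead), ("cost", iface.cost)):
        if not 1 <= value <= 65535:
            problems.append("%s must be 1-65535" % name)
    if not 0 <= iface.priority <= 255:
        problems.append("priority must be 0-255")
    # Added best-practice check (not a dialog limit): a neighbor is declared down when the
    # dead interval passes without a Hello, so dead must leave room for several Hellos.
    if iface.dead <= iface.hello:
        problems.append("dead interval should exceed the hello interval")
    return problems


def adjacency_problems(a, b):
    """Settings that must agree before two routers on one segment become neighbors."""
    problems = []
    if a.hello != b.hello:
        problems.append("hello interval mismatch")
    if a.dead != b.dead:
        problems.append("dead interval mismatch")
    if area_id(a.area) != area_id(b.area):
        problems.append("area mismatch")
    if a.auth != b.auth:
        problems.append("authentication mismatch")
    return problems


def elect_dr(ifaces):
    """Simplified DR choice as the Router Priority step describes it: highest priority,
    then highest Router ID; priority 0 is ineligible. The full RFC 2328 election also
    chooses a Backup DR and does not preempt an established DR."""
    eligible = [i for i in ifaces if i.priority > 0]
    if not eligible:
        return None
    return max(eligible, key=lambda i: (i.priority, _rid_value(i.router_id))).router_id
```

A config audit that runs adjacency_problems over every pair of routers on a segment catches the mismatches the procedure warns about before they show up as neighbors stuck in Init; the authentication check matters most, since one interface left on Disabled while the others use Message Digest never forms an adjacency and is also the one interface that would accept unauthenticated Hellos.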

Configuring Global RIP Configuration

Configuring Global OSPF Configuration

Configuring IP Helper

The IP Helper allows the SonicWALL to forward DHCP requests originating from the interfaces on a SonicWALL to a centralized DHCP server on behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded along with DHCP client requests.

To enable IP Helper and add an IP Helper policy, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click IP Helper. The IP Helper page appears (Figure 117).

  Figure 117: IP Helper Page

  4. Select the Enable IP Helper check box.
  5. To enable DHCP support, select Enable DHCP Support.
  6. To enable NetBIOS support, select Enable NetBIOS Support.
  7. To add an IP Helper Policy, click Add IP Helper Policy. The Add IP Helper dialog box appears.

  Figure 118: Add IP Helper Dialog Box

  8. The policy is enabled by default. To configure the policy without enabling it, clear the Enabled check box.
  9. Select DHCP or NetBIOS from the Protocol menu.
  10. Select a source Interface or Zone from the From menu.
  11. Select a destination IP address or subnet from the To menu.
  12. Enter an optional comment in the Comment field.
  13. Click OK to add the policy to the IP Helper Policies table.
  14. Repeat this procedure for each policy to add.
  15. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
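An IP Helper policy with the DHCP protocol makes the appliance act as a DHCP relay agent: it takes the client's broadcast off the interface or zone named in From, stamps its own address into the giaddr field, increments the hops count, and unicasts the request to the server named in To; the server answers to giaddr, and the relay delivers the reply on the client's segment. The following Python example is added here as an illustration; it is not SonicWALL or GMS code. It models the policy table (Protocol, From, To, Enabled, Comment), builds a constructed DHCPDISCOVER, performs the relay rewrite with the RFC 1542 hop limit as a loop guard, and decides where a server reply is delivered. Interface names, server addresses and the client MAC are constructed sample values; NetBIOS forwarding appears only as a policy row.

```python
import socket
import struct
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16                       # RFC 1542 ceiling on the hops field; used here as a loop guard
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"


@dataclass(frozen=True)
class HelperPolicy:
    """One row of the IP Helper Policies table."""
    protocol: str        # "DHCP" or "NetBIOS"
    src: str             # From: ingress interface or zone name
    dst: str             # To: server address the request is forwarded to
    enabled: bool = True
    comment: str = ""


def select_policy(policies, ingress, protocol):
    """First enabled policy whose From and Protocol match the received broadcast, else None."""
    for p in policies:
        if p.enabled and p.protocol == protocol and p.src == ingress:
            return p
    return None


def build_discover(xid, mac, broadcast_flag=True):
    """A constructed DHCPDISCOVER as a client broadcasts it: giaddr and hops are zero."""
    zero4 = bytes(4)
    hdr = struct.pack(BOOTP_HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000 if broadcast_flag else 0,
                      zero4, zero4, zero4, zero4, mac.ljust(16, b"\0"), bytes(64), bytes(128))
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, 255])   # option 53 = DHCPDISCOVER, then End


def relay_request(pkt, relay_ip):
    """Rewrite a client request for unicast to the server; None means drop it."""
    if len(pkt) < 240 or pkt[0] != BOOTREQUEST or pkt[236:240] != MAGIC_COOKIE:
        return None
    hops = pkt[3]
    if hops >= MAX_HOPS:
        return None                                   # relayed in a loop, or a bogus hop count
    giaddr = pkt[24:28]
    if giaddr == bytes(4):
        giaddr = socket.inet_aton(relay_ip)           # only the first relay stamps its address
    return pkt[:3] + bytes([hops + 1]) + pkt[4:24] + giaddr + pkt[28:]


def reply_destination(reply, relay_ip):
    """(ip, port) the relay delivers a server BOOTREPLY to, or None if it is not for this relay."""
    if len(reply) < 240 or reply[0] != BOOTREPLY:
        return None
    ciaddr, yiaddr, giaddr = (socket.inet_ntoa(reply[i:i + 4]) for i in (12, 16, 24))
    if giaddr != relay_ip:
        return None                                   # the server answered a different relay
    flags = struct.unpack("!H", reply[10:12])[0]
    if ciaddr != "0.0.0.0":
        return (ciaddr, 68)                           # client already has an address: unicast
    if flags & 0x8000:
        return ("255.255.255.255", 68)                # client asked for broadcast replies
    return (yiaddr, 68)                               # unicast the offered address via chaddr
```

The giaddr value is what the server uses to pick the scope, so a relay that stamps the address of the wrong interface hands out leases from the wrong pool; keeping one policy per ingress interface or zone, as the table above does, is what ties each segment to its server.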

Configuring ARP

ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information.

To configure ARP, follow these steps:

  1. Start and log into SonicWALL GMS.
  2. Select a SonicWALL appliance.
  3. Expand the Network tree and click ARP. The ARP page appears (Figure 119).

  Figure 119: ARP Page

Static ARP Entries

The Static ARP feature allows for static mappings to be created between layer 2 MAC addresses and layer 3 IP addresses, but also provides the following capabilities:

Figure 120: Static ARP Entry

Secondary Subnets with Static ARP

The Static ARP feature allows secondary subnets to be added on other interfaces without the addition of automatic NAT rules.

Adding a Secondary Subnet using the Static ARP Method

  1. Add a 'published' static ARP entry for the gateway address that will be used for the secondary subnet, assigning it the MAC address of the SonicWALL interface to which it will be connected.
  2. Add a static route for that subnet, so that the SonicWALL regards it as valid traffic, and knows to which interface to route that subnet's traffic.
  3. Add Access Rules to allow traffic destined for that subnet to traverse the correct network interface.
  4. Optional: Add a static route on upstream device(s) so that they know which gateway IP to use to reach the secondary subnet.

Flushing the ARP Cache

It is sometimes necessary to flush the ARP cache if the IP address has changed for a device on the network. Since the IP address is linked to a physical address, the IP address can change but still be associated with the physical address in the ARP Cache. Flushing the ARP Cache allows new information to be gathered and stored in the ARP Cache. Click Flush ARP Cache to clear the information.

To configure a specific length of time for the entry to time out, enter a value in minutes in the ARP Cache entry time out (minutes) field.
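The static ARP, secondary subnet and cache behaviour described above can be modelled in a few dozen lines. The following Python example is added here as an illustration; it is not SonicWALL or GMS code. It is a small ARP cache with static entries (which traffic never overwrites), published entries (which the appliance answers on its own, as the first step of the secondary subnet procedure requires for the gateway address), a per-entry timeout like the ARP Cache entry time out field, a flush that keeps static entries, and an event list recording every dynamic mapping that moved to a different MAC. The IP addresses, MAC addresses and the 20-minute default timeout are constructed sample values.

```python
import time
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    learned_at: float
    static: bool = False      # configured mapping: never times out, never overwritten by traffic
    published: bool = False   # the appliance itself answers ARP requests for this IP


class FakeClock:
    """Deterministic clock for demonstrations; pass time.monotonic in real use."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ArpCache:
    def __init__(self, timeout_minutes=20, clock=time.monotonic):   # 20 is a constructed default
        self.timeout = timeout_minutes * 60   # the "ARP Cache entry time out (minutes)" field
        self.clock = clock
        self.entries = {}
        self.events = []      # (ip, old_mac, new_mac): dynamic mappings that moved to another MAC

    def add_static(self, ip, mac, published=False):
        self.entries[ip] = ArpEntry(mac.lower(), self.clock(), static=True, published=published)

    def learn(self, ip, mac):
        """Record a mapping seen in ARP traffic; returns 'static', 'new', 'changed' or 'refreshed'."""
        mac, now = mac.lower(), self.clock()
        cur = self.entries.get(ip)
        if cur is not None and cur.static:
            return "static"                     # traffic never overrides a configured entry
        if cur is None or now - cur.learned_at > self.timeout:
            self.entries[ip] = ArpEntry(mac, now)
            return "new"
        if cur.mac != mac:
            self.events.append((ip, cur.mac, mac))   # an IP moved to another MAC: worth logging
            self.entries[ip] = ArpEntry(mac, now)
            return "changed"
        cur.learned_at = now
        return "refreshed"

    def lookup(self, ip):
        """MAC for ip, or None when unknown or the dynamic entry has timed out."""
        cur = self.entries.get(ip)
        if cur is None:
            return None
        if not cur.static and self.clock() - cur.learned_at > self.timeout:
            del self.entries[ip]               # stale: force a fresh ARP exchange
            return None
        return cur.mac

    def answers_for(self, ip):
        """True when this appliance should reply to a request for ip (published static entry)."""
        cur = self.entries.get(ip)
        return cur is not None and cur.static and cur.published

    def flush(self):
        """Drop every dynamic entry (the Flush ARP Cache button); static entries stay."""
        dynamic = [ip for ip, e in self.entries.items() if not e.static]
        for ip in dynamic:
            del self.entries[ip]
        return len(dynamic)
```

The events list is the part worth watching: a device that was legitimately re-addressed produces a single 'changed' result, while repeated changes for the same IP on a segment where nothing was re-addressed deserve a look before the cache is flushed, since flushing discards the evidence along with the stale entry.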

Navigating and Sorting the ARP Cache Table Entries

To view ARP cache information, click Request ARP Cache display from unit(s).

The ARP Cache table provides pagination for viewing a large number of ARP entries. You can navigate a long list of ARP entries in the ARP Cache table by using the navigation control bar located at the top right of the table. The navigation control bar includes four buttons: the far left button displays the first page of the table, the far right button displays the last page, and the inside left and right arrow buttons move to the previous or next page respectively.

You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific ARP entry. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page.

You can sort the entries in the table by clicking on a column header. The entries are sorted in ascending or descending order. The arrow to the right of the column header indicates the sorting status: a down arrow means ascending order and an up arrow means descending order.



SonicWALL, Inc.
http://www.sonicwall.com
1160 Bordeaux Drive
Sunnyvale, CA 94089-1209