
Configuring Advanced Firewall Settings

To configure advanced access settings, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced.
2. Expand the Firewall tree and click Advanced. The Advanced page displays.
3. To enable stealth mode, select the Enable Stealth Mode check box. During normal operation, SonicWALL appliances respond to incoming connection requests as either “blocked” or “open.” During stealth operation, SonicWALL appliances do not respond to inbound requests, making the appliances “invisible” to potential hackers.
4. To configure the SonicWALL appliance(s) to generate random IP IDs, select the Randomize IP ID check box. This prevents hackers from using various detection tools to “fingerprint” IP IDs and detect the presence of a SonicWALL appliance.
5. Select Decrement IP TTL for forwarded traffic to decrease the Time-to-Live (TTL) value for packets that have been forwarded and therefore have already been in the network for some time. TTL is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded.
6. Select Never generate ICMP Time-Exceeded packets if you do not want the SonicWALL appliance to generate these reporting packets. The SonicWALL appliance generates Time-Exceeded packets to report when it has dropped a packet because its TTL value has decreased to zero.
7. Select the dynamic ports that will be supported from the Dynamic Ports area:
   - Enable support for Oracle (SQLNet)—Select if you have Oracle applications on your network.
   - Enable support for Windows Messenger—Select this option to support special SIP messaging used in Windows Messenger on Windows XP.
   - Enable RTSP Transformations—Select this option to support on-demand delivery of real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an application-level protocol for control over delivery of data with real-time properties.
8. The Drop Source Routed Packets check box is selected by default. Clear the check box if you are testing traffic between two specific hosts and you are using source routing.

Connections Settings

9. The Connections section provides the ability to fine-tune the performance of the appliance to prioritize either optimal performance or support for an increased number of simultaneous connections that are inspected by Firewall services. For appliances running SonicOS 5.6.0 and above, select one of the following options:
   - Disable Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI connections)—This option ensures that the appliance performance will not be degraded under high-traffic conditions. Firewall connections may be dropped to preserve performance.
   - Recommended for normal deployments with Firewall services enabled—This is the default setting that provides a balanced deployment.
   - Optimized for deployments requiring more Firewall connections but less performance critical—This option prioritizes support for the maximum number of simultaneous Firewall connections. Performance may be slowed under high-traffic conditions.

   For appliances running SonicOS Enhanced releases lower than 5.6.0, the single Disable Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI connections) option is available as a check box.

10. To specify how long the SonicWALL appliance(s) wait before closing inactive TCP connections outside the LAN, enter the amount of time in the Default Connection Timeout field (default: 25 minutes). The Connection Inactivity Timeout option disables connections outside the LAN if they are idle for a specified period of time. Without this timeout, connections can stay open indefinitely and create potential security holes.
11. Select the Force inbound and outbound FTP data connections to use default port 20 check box to specify that any FTP data connection through the SonicWALL must come from port 20 or the connection will be dropped and logged. By default, FTP connections from port 20 are allowed, but remapped to outbound traffic ports such as 1024.
12. Under IP, UDP Checksum Enforcement, select one or both check boxes to force the SonicWALL to verify checksums on IP packet headers and on UDP packets. Packets with invalid checksums will be dropped. This helps to prevent attacks that involve falsification of header fields that define important characteristics of the packet.
13. To specify how long the SonicWALL appliance(s) wait before closing inactive UDP connections outside the LAN, enter the amount of time in the Default UDP Connection Timeout field.
14. Set a limit for the maximum number of connections allowed per source IP address by selecting the Enable connection limit for each Source IP Address check box and entering the value in the Threshold field (only available for Allow rules).
15. Set a limit for the maximum number of connections allowed per destination IP address by selecting the Enable connection limit for each Destination IP Address check box and entering the value in the Threshold field (only available for Allow rules).
16. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
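The checksum enforcement of step 12, shown as an added example that is not part of this documentation or of SonicWALL's own code: it constructs an IPv4/UDP packet, verifies the IP header checksum and the UDP checksum over its pseudo-header the way an enforcing firewall would, and shows which kind of header tampering each of the two check boxes catches. The packet addresses, ports and payload are constructed sample values.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def ip_header_valid(pkt: bytes) -> bool:
    """Summing the IPv4 header including its checksum field gives 0xFFFF when intact."""
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF

def udp_checksum_valid(pkt: bytes) -> bool:
    """UDP checksum covers a pseudo-header (src, dst, proto, length) plus the datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    udp = pkt[ihl:]
    if udp[6:8] == b"\x00\x00":             # RFC 768: zero means no checksum was computed
        return True
    pseudo = pkt[12:20] + b"\x00\x11" + struct.pack("!H", len(udp))
    return ones_complement_sum(pseudo + udp) == 0xFFFF

def enforce(pkt: bytes, ip_check: bool = True, udp_check: bool = True) -> str:
    """Model the two 'IP, UDP Checksum Enforcement' check boxes: drop on any enabled failing check."""
    if ip_check and not ip_header_valid(pkt):
        return "drop: bad IP header checksum"
    if udp_check and not udp_checksum_valid(pkt):
        return "drop: bad UDP checksum"
    return "forward"

def build_packet(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a valid IPv4/UDP packet (sample input for the checks above)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src + dst + b"\x00\x11" + struct.pack("!H", udp_len)
    udp = udp[:6] + struct.pack("!H", checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp
# Constructed sample: DNS-style query from 10.0.0.5 to 192.0.2.10, then two tampered copies.
GOOD = build_packet(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), 40000, 53, b"query")
BAD_TTL = GOOD[:8] + b"\x01" + GOOD[9:]        # TTL changed: only the IP header check notices
BAD_PAYLOAD = GOOD[:-1] + b"!"                 # payload changed: only the UDP check notices
```

Because the UDP pseudo-header covers only the addresses, protocol and length, a forged TTL passes the UDP check alone; enabling both boxes is what makes the appliance drop either kind of falsified packet.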
