
Configuring Firewall Settings in SonicOS Enhanced
The following sections describe how to configure Firewall settings in SonicOS Enhanced:
Configuring Advanced Firewall Settings
To configure advanced access settings, complete the following steps:
1.
2. Expand the Firewall tree and click Advanced. The Advanced page displays.
 
3. To enable stealth mode, select Enable Stealth Mode. During normal operation, SonicWALL appliances respond to incoming connection requests as either “blocked” or “open.” During stealth operation, SonicWALL appliances do not respond to inbound requests, making the appliances “invisible” to potential hackers.
4. To configure the SonicWALL appliance(s) to generate random IP IDs, select Randomize IP ID. This prevents hackers from using various detection tools to “fingerprint” IP IDs and detect the presence of a SonicWALL appliance.
5. Select Decrement IP TTL for forwarded traffic to decrease the Time-to-Live (TTL) value for packets that have been forwarded and therefore have already been in the network for some time. TTL is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded.
6. Select Never generate ICMP Time-Exceeded packets if you do not want the SonicWALL appliance to generate these reporting packets. The SonicWALL appliance generates Time-Exceeded packets to report when it has dropped a packet because its TTL value has decreased to zero.
7.
Enable support for Oracle (SQLNet)—Select this option if you have Oracle applications on your network.
Enable support for Windows Messenger—Select this option to support the special SIP messaging used by Windows Messenger on Windows XP.
Enable RTSP Transformations—Select this option to support on-demand delivery of real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an application-level protocol for controlling the delivery of data with real-time properties.
8. Drop Source Routed Packets is selected by default. Clear the check box if you are testing traffic between two specific hosts and you are using source routing.
Connections Settings
9. The Connections section provides the ability to fine-tune the performance of the appliance to prioritize either optimal performance or support for an increased number of simultaneous connections that are inspected by Firewall services. For appliances running SonicOS 5.6.0 and above, select one of the following options:
Disable Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI connections)—This option ensures that appliance performance is not degraded under high-traffic conditions. Firewall connections might be dropped to preserve performance.
Recommended for normal deployments with Firewall services enabled—This is the default setting and provides a balanced deployment.
Optimized for deployments requiring more Firewall connections but less performance critical—This option prioritizes support for the maximum number of simultaneous Firewall connections. Performance might be slowed under high-traffic conditions.
For appliances running SonicOS Enhanced releases lower than 5.6.0, the single Disable Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI connections) option is available as a check box.
10. To specify how long the SonicWALL appliance(s) wait before closing inactive TCP connections outside the LAN, enter the amount of time in the Default Connection Timeout field (default: 25 minutes). The Connection Inactivity Timeout option disables connections outside the LAN if they are idle for the specified period of time. Without this timeout, connections can stay open indefinitely and create potential security holes.
11. Select Force inbound and outbound FTP data connections to use default port 20 to specify that any FTP data connection through the SonicWALL must come from port 20, or the connection is dropped and logged. By default, FTP connections from port 20 are allowed but remapped to outbound traffic ports such as 1024.
12. Under IP and UDP Checksum Enforcement, select one or both check boxes to force the SonicWALL to verify checksums on IP packet headers and on UDP packets. Packets with invalid checksums are dropped. This helps to prevent attacks that involve falsification of header fields that define important characteristics of the packet.
13.
14. Set a limit for the maximum number of connections allowed per source IP address by selecting Enable connection limit for each Source IP Address and entering the value in the Threshold field. (Only available for Allow rules.)
15. Set a limit for the maximum number of connections allowed per destination IP address by selecting Enable connection limit for each Destination IP Address and entering the value in the Threshold field. (Only available for Allow rules.)
16. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
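To make concrete what the IP and UDP Checksum Enforcement check boxes in step 12 decide, here is an added example (written for this page, not SonicWALL's own implementation) that verifies both checksums on a constructed IPv4/UDP packet and returns the forward-or-drop decision, including the IPv4 rule that a UDP checksum of zero means "not computed" and is accepted. The packet builder, addresses and payload are all constructed for the example.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as used by IP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_header_checksum_ok(pkt: bytes) -> bool:
    """A valid IPv4 header sums to 0xFFFF when its checksum field is included."""
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF

def udp_checksum_ok(pkt: bytes) -> bool:
    """UDP checksum covers a pseudo-header (src, dst, proto 17, length) plus the datagram;
    in IPv4 a checksum field of 0 means 'not computed' and must be accepted."""
    ihl = (pkt[0] & 0x0F) * 4
    udp = pkt[ihl:]
    if udp[6:8] == b"\x00\x00":
        return True
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_sum(pseudo + udp) == 0xFFFF

def enforce(pkt: bytes, ip_check: bool = True, udp_check: bool = True) -> str:
    """Mirror the two enforcement check boxes and return the forwarding decision."""
    if ip_check and not ip_header_checksum_ok(pkt):
        return "drop: bad IP header checksum"
    if udp_check and pkt[9] == 17 and not udp_checksum_ok(pkt):
        return "drop: bad UDP checksum"
    return "forward"

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a well-formed IPv4/UDP packet with both checksums filled in (helper for the example)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 17, udp_len)
    ucs = (~ones_complement_sum(pseudo + udp)) & 0xFFFF or 0xFFFF  # 0 is reserved, send 0xFFFF
    udp = udp[:6] + struct.pack("!H", ucs) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0, src_b, dst_b)
    ics = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", ics) + hdr[12:] + udp

GOOD = build_ipv4_udp("192.0.2.10", "198.51.100.20", 40000, 53, b"constructed")  # constructed sample
BAD_IP = GOOD[:16] + bytes([GOOD[16] ^ 0x01]) + GOOD[17:]   # dst address altered, header checksum now stale
BAD_UDP = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])               # payload byte corrupted, UDP checksum now wrong
```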