This section provides a list of the following configuration tasks:
Access rules can be displayed in multiple views using SonicOS. You can select the type of view from the selections in the View Style section. The following View Styles are available:
|
•
|
All Rules - Select All Rules to display all access rules configured on the Dell SonicWALL security appliance.
|
|
•
|
Matrix - Displays as From/To with LAN, WAN, VPN, or other interface in the From row, and LAN, WAN, VPN, or other interface in the To column. Select the Edit icon in the table cell to view the access rules.
|
|
•
|
Drop-down Boxes - Displays two drop-down menus: From Zone and To Zone. Select an interface from the From Zone menu and select an interface from the To Zone menu. Click OK and access rules defined for the two interfaces are displayed.
|
|
TIP: You can also view access rules by zones. Use the Option checkboxes in the From Zone and To Zone column. Select LAN, WAN, VPN, ALL from the From Zone column. And then select LAN, WAN, VPN, ALL from the To Zone column. Click OK to display the access rules.
|
Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.
To display the Access Rules for a specific zone select a zone from the Matrix, Drop-down Boxes, or All Rules view.
The access rules are sorted from the most specific at the top, to less specific at the bottom of the table. At the bottom of the table is the Any rule. The default access rule is all IP services except those listed in the Access Rules page. Access rules can be created to override the behavior of the Any rule; for example, the Any rule allows users on the LAN to access all Internet services, including NNTP News.
You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority dialog is displayed. Enter the new priority number (1-10) in the Priority field, and click OK.
|
TIP: If the Delete or Edit icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.
|
|
•
|
|
•
|
|
1
|
|
2
|
In the General tab, under Settings, select an Action, that is, how the rule processes (permits or blocks) the specified IP traffic:
|
|
•
|
Allow (default)
|
|
•
|
|
•
|
|
3
|
|
4
|
From the Select Port drop-down menu, select the source port defined in the selected Service Object/Group. The Service Object/Group selected must have the same protocol types as the ones selected in the Service drop-down menu. The default is Any.
|
If the service is not listed, you must define the service in the Add Service dialog by selecting either:
|
•
|
|
•
|
Create new group to display the Add Service Group dialog.
|
|
5
|
Select the service or group of services affected by the access rule from the Service drop-down menu. The Any service encompasses all IP services.
|
If the service is not listed, you must define the service in the Add Service dialog by selecting either:
|
•
|
|
•
|
Create New Group to display the Add Service Group dialog.
|
|
6
|
Selecting Create new network displays the Add Address Object dialog. If you want to define the source IP addresses that are affected by the access rule, such as restricting certain users from accessing the Internet:
|
a
|
|
b
|
Type the starting IP addresses of the address range in the Address Range Begin field and the ending IP address in the Address Range End field.
|
|
c
|
Click OK.
|
|
7
|
Selecting Create New Network displays the Add Address Object dialog.
|
8
|
From the Users Allowed drop-down menu, add the user or user group affected by the access rule.
|
|
9
|
|
10
|
Enter any comments to help identify the access rule in the Comments field.
|
|
11
|
If you want to enable the logging of the service activities, select the Enable Logging checkbox. This option is selected by default.
|
|
12
|
The Allow Fragmented Packets checkbox is enabled by default. Selecting this checkbox overrides the default configuration and allows fragmented packets over PPTP or IPSec.
|
|
13
|
If you want to enable flows matching this access rule to be displayed in the AppFlow Monitor and AppFlow Reports pages, select the Enable flow reporting checkbox. This option is not selected by default.
|
|
14
|
If you want to enable flows matching this access rule to be displayed in the Packet Monitor page, select the Enable packet monitor checkbox. This option is not selected by default.
|
|
15
|
To enable both management and non-management traffic, select the Enable Management checkbox. This option is not selected by default.
|
|
16
|
If you want to use the Geo-IP Filter, select the Enable Geo-IP Filter checkbox. For information about the Geo-IP Filter, see Configuring Geo-IP Filters . This option is not selected by default.
|
|
17
|
If you want to use the Botnet Filter, select the Enable Botnet Filter checkbox. For information about the Botnet Filter, see Configuring Botnet Filters . This option is not selected by default.
|
|
1
|
Click on the Advanced tab.
|
|
2
|
To have the access rule timeout after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Connection Inactivity Timeout (minutes) field. The default value is 5 minutes.
|
|
3
|
To have the access rule timeout after a period of UDP inactivity, set the amount of time, in minutes, in the UDP Connection Inactivity Timeout (minutes) field. The default value is 30 minutes.
|
|
4
|
Specify the number of connections allowed as a percent of he maximum number of connections allowed by the Dell SonicWALL security appliance in the Number of connections allowed (% of maximum connections) field. Refer to Connection Limiting Overview , for more information on connection limiting.
|
|
5
|
Select the Enable connection limit for each Source IP Address checkbox to define a threshold for dropped packets. When this threshold is exceeded, connections and packets from the corresponding Source IP are dropped. The minimum number is 0, the maximum is 65535, and the default is 128. This option is not selected by default.
|
|
6
|
Select the Enable connection limit for each Destination IP Address checkbox to define a threshold for dropped packets. When this threshold is exceeded, connections and packets from the corresponding Destination IP are dropped. The minimum number is 0, the maximum is 65535, and the default is 128. This option is not selected by default.
|
|
7
|
Select Create a reflexive rule if you want to create a matching access rule to this one in the opposite direction--from your destination zone or address object to your source zone or address object. This option is not selected by default.
|
|
8
|
To disable Deep Packet Inspection (DPI) scanning on a per-rule basis, select the Disable DPI checkbox. This option is not selected by default.
|
|
1
|
Click on the QoS tab if you want to apply DSCP or 802.1p Quality of Service management to traffic governed by this rule.
|
|
2
|
|
•
|
None: DSCP values in packets are reset to 0.
|
|
•
|
Preserve (default): DSCP values in packets remain unaltered.
|
|
•
|
Explicit: The Explicit DSCP Value drop-down menu displays. Select a numeric value between 0 and 63. Some of the standard values are:
|
|
•
|
0 - Best effort/Default (default)
|
|
•
|
8 - Class 1
|
|
•
|
10 - Class 1, Gold (AF11)
|
|
•
|
12 - Class 1, Silver (AF12)
|
|
•
|
14 - Class 1, Bronze (AF13)
|
|
•
|
16 - Class 2
|
|
•
|
18 - Class 2, Gold (AF21)
|
|
•
|
20 - Class 2, Silver (AF22)
|
|
•
|
22 - Class 2, Bronze (AF23)
|
|
•
|
24 - Class 3
|
|
•
|
26 - Class 3, Gold (AF31)
|
|
•
|
27 - Class 3, Silver (AF32)
|
|
•
|
30 - Class 3, Bronze (AF33)
|
|
•
|
32 - Class 4
|
|
•
|
34 - Class 4, Gold (AF41)
|
|
•
|
36 - Class 4, Silver (AF42)
|
|
•
|
38 - Class 4, Bronze (AF43)
|
|
•
|
40 - Express Forwarding
|
|
•
|
46 - Expedited Forwarding (EF)
|
|
•
|
48 - Control
|
|
•
|
56 - Control
|
|
•
|
Map: The QoS mapping settings on the Firewall > QoS Mapping page are used.
|
|
•
|
The Allow 802.1p Marking to override DSCP values checkbox displays. Select to allow DSCP values to be overridden by 802.1p marking. This option is disabled by default.
|
|
3
|
|
•
|
None (default): No 802.1p tagging is added to the packets.
|
|
•
|
Preserve: 802.1p values in packets remain unaltered.
|
|
•
|
Explicit: The Explicit 802.1p Value drop-down menu displays.
|
Select a numeric value between 0 and 7:
|
•
|
0 - Best effort (default)
|
|
•
|
1 - Background
|
|
•
|
2 - Spare
|
|
•
|
3 - Excellent effort
|
|
•
|
4 - Controlled load
|
|
•
|
5 - Video (<100ms latency)
|
|
•
|
6 - Voice (<10ms latency)
|
|
•
|
7 - Network control
|
|
•
|
Map: This Note displays: The QoS mapping settings on the Firewall > QoS Mapping page is used.
|
|
1
|
Click the BWM tab.
|
|
2
|
To enable BWM for outbound traffic, select the Enable Egress Bandwidth Management (‘Allow’ rules only) checkbox. This option is disabled by default.
|
|
a
|
Select a bandwidth object from the Bandwidth Object drop-down menu.
|
To create a new bandwidth object, select Create new Bandwidth Object. For more information about creating bandwidth objects, see Configuring a Bandwidth Object .
|
3
|
To enable BWM for inbound traffic, select the Enable Ingress Bandwidth Management (‘Allow’ rules only) checkbox. This option is disabled by default.
|
|
a
|
Select a bandwidth object from the Bandwidth Object drop-down menu.
|
To create a new bandwidth object, select Create new Bandwidth Object. For more information about creating bandwidth objects, see Configuring a Bandwidth Object .
|
4
|
To track bandwidth usage, select the Enable Tracking Bandwidth Usage checkbox. This option is disabled by default. To select this option, you must select either or both of the Enable Bandwidth Management options.
|
|
1
|
Click OK to add the rule.
|
To display the Edit Rule dialog (includes the same settings as the Add Rule dialog), click the Edit icon.
To delete the individual access rule, click on the Delete icon. To delete all the checkbox-selected access rules, click the Delete button.
To enable or disable an access rule, click the Enable checkbox.
To remove all end-user configured access rules for a zone, click the Default button. This restores the access rules for the selected zone to the default access rules initially setup on the Dell SonicWALL network security appliance.
Move your mouse pointer over the Graph icon to display the following access rule receive (Rx) and transmit (Tx) traffic statistics:
|
•
|
|
•
|
This section provides configuration examples on adding network access rules:
|
2
|
Navigate to the Firewall > Access Rules page.
|
|
3
|
|
4
|
Select the Allow radio button.
|
|
5
|
|
6
|
|
7
|
|
8
|
Click OK.
|
|
1
|
|
2
|
|
3
|
Select NNTP (News) from the Service drop-down menu. If the service is not listed, you must add it in the Add Service dialog.
|
|
4
|
|
5
|
|
6
|
Select the schedule from the Schedule drop-down menu.
|
|
7
|
Enter any comments in the Comment field.
|
|
8
|
Click Add.
|
|
1
|
|
2
|
|
3
|
|
4
|
Select one of the following services from the Service menu:
|
|
•
|
|
•
|
|
•
|
|
•
|
|
5
|
|
6
|
|
NOTE: Do not select an address group or object representing a subnet, such as WAN Primary Subnet. This would allow access to devices on the WAN subnet (already allowed by default), but not to the WAN management IP address.
|
|
7
|
Select the user or group to have access from the Users Allowed menu.
|
|
8
|
Select the schedule from the Schedule menu.
|
|
9
|
Enter any comments in the Comment field.
|
|
10
|
Click Add.
|
Bandwidth management can be applied on both ingress and egress traffic using access rules. Access rules displaying the Funnel icon are configured for bandwidth management.
For information on configuring Bandwidth Management see Firewall Settings > BWM .
