Configuring the U0 External 3G/Modem Interface

The SonicWALL TZ 200 security appliances support an external 3G/mobile or analog modem interface. This interface is listed at the bottom of the Interface Settings table as the U0 interface. A number of the settings for the external interface can be configured from the Network > Interfaces page, but it can be more thoroughly configured using the pages on the 3G or Modem tab in the left-side navigation bar.

For complete information on configuring a 3G or analog modem external interface, see 3G/4G Modem.

Specifying the WAN Connection Model

Note: The WAN Connection Model drop-down menu is only displayed when the U0 interface is configured for a 3G/mobile external interface. This menu item is not displayed when the U0 interface is configured for an analog modem.

To configure the WAN connection model, navigate to the Network > Interfaces page and select one of the following options in the WAN Connection Model drop-down menu:

For a detailed explanation of the behavior of the Ethernet with 3G Failover setting, see Understanding 3G/4G Connection Types.

PortShield is supported on SonicWALL TZ Series and NSA 240 appliances.

Configuring Layer 2 Bridge Mode

See the following sections:

Configuration Task List for Layer 2 Bridge Mode

Configuring the Common Settings for L2 Bridge Mode Deployments

The following settings need to be configured on your SonicWALL UTM appliance prior to using it in most of the Layer 2 Bridge Mode topologies.

Licensing Services

When the appliance is successfully registered, go to the System > Licenses page and click Synchronize under Manage Security Services Online. This will contact the SonicWALL licensing server and ensure that the appliance is properly licensed.

To check licensing status, go to the System > Status page and view the license status of all the UTM services (Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention).

Disabling DHCP Server

When using a SonicWALL UTM appliance in Layer 2 Bridge Mode in a network configuration where another device is acting as the DHCP server, you must first disable its internal DHCP engine, which is configured and running by default. On the Network > DHCP Server page, clear the Enable DHCP Server check box, and then click on the Accept button at the top of the screen.

Configuring SNMP Settings

On the System > Administration page, make sure the checkbox next to Enable SNMP is checked, and then click on the Accept button at the top of the screen.

Then, click the Configure button. On the SNMP Settings page, enter all the relevant information for your UTM appliance: the GET and TRAP SNMP community names that the SNMP server expects, and the IP address of the SNMP server. Click OK to save and activate the changes.

Enabling SNMP and HTTPS on the Interfaces

On the Network > Interfaces page, enable SNMP and HTTP/HTTPS on the interface through which you will be managing the appliance.

Enabling Syslog

On the Log > Syslog page, click on the Add button and create an entry for the syslog server. Click OK to save and activate the change.

Activating UTM Services on Each Zone

On the Network > Zones page, for each zone you will be using, make sure that the UTM services are activated.

Then, on the Security Services page for each UTM service, activate and configure the settings that are most appropriate for your environment.

An example of the Gateway Anti-Virus settings is shown below:

An example of the Intrusion Prevention settings is shown below:

An example of the Anti-Spyware settings is shown below:

Creating Firewall Access Rules

If you plan to manage the appliance from a different zone, or if you will be using a server such as the HP PCM+/NIM server for management, SNMP, or syslog services, create access rules for traffic between the zones. On the Firewall > Access Rules page, click on the icon for the intersection of the zone of the server and the zone that has users and servers (your environment may have more than one of these intersections). Create a new rule to allow the server to communicate with all devices in that zone.

Configuring Log Settings

On the Log > Categories page, set the Logging Level to Informational and the Alert Level to Critical. Click Accept to save and activate the change.

Then, go to the Log > Name Resolution page and set the Name Resolution Method to DNS then NetBios. Click Accept to save and activate the change.

Configuring Wireless Zone Settings

If you are using an HP PCM+/NIM system and it will be managing an HP ProCurve switch on an interface assigned to a WLAN/Wireless zone, you will need to deactivate two features; otherwise you will not be able to manage the switch. Go to the Network > Zones page and select your Wireless zone. On the Wireless tab, clear the checkboxes next to Only allow traffic generated by a SonicPoint and WiFiSec Enforcement. Click OK to save and activate the change.

Configuring Layer 2 Bridge Mode Procedure

Refer to the L2 Bridge Interface Zone Selection section for choosing a topology that best suits your network. In this example, we will be using a topology that most closely resembles the Simple L2 Bridge Topology.

Choose an interface to act as the Primary Bridge Interface. Refer to the L2 Bridge Interface Zone Selection section for information on making this selection. In this example, we will use X1 (automatically assigned to the Primary WAN):

Configuring the Primary Bridge Interface

  1. Select the Network tab, Interfaces folder from the navigation panel.
  2. Click the Configure icon in the right column of the X1 (WAN) interface.
  3. Configure the interface with a Static IP address (e.g. 192.168.0.12).

     Note: The Primary Bridge Interface must have a Static IP assignment.

  4. Configure the default gateway. This is required for the security appliance itself to reach the Internet. (This applies only to WAN interfaces.)
  5. Configure the DNS server. (This applies only to WAN interfaces.)
  6. Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
  7. Click OK.

Choose an interface to act as the Secondary Bridge Interface. Refer to the L2 Bridge Interface Zone Selection section for information on making this selection. In this example, we will use X0 (automatically assigned to the LAN):

Configuring the Secondary Bridge Interface

  1. On the Network > Interfaces page, click the Configure icon in the right column of the X0 (LAN) interface.
  2. In the IP Assignment drop-down list, select Layer 2 Bridged Mode.
  3. In the Bridged to drop-down list, select the X1 interface.
  4. Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
  5. You may optionally enable the Block all non-IPv4 traffic setting to prevent the L2 bridge from passing non-IPv4 traffic.
  6. Click OK.

The Network > Interfaces page displays the updated configuration:

You may now apply security services to the appropriate zones, as desired. In this example, they should be applied to the LAN, WAN, or both zones.

VPN Integration with Layer 2 Bridge Mode

When configuring a VPN on an interface that is also configured for Layer 2 Bridge mode, you must configure an additional route to ensure that incoming VPN traffic properly traverses the SonicWALL security appliance. Navigate to the Network > Routing page, scroll to the bottom of the page, and click on the Add button. In the Add Route Policy window, configure the route as follows:

  1. setting is known as Captive-Bridge Mode.)
  2. Select Disable stateful-inspection on this bridge-pair to allow TCP connections to pass through the SonicWALL even if the device has not seen a valid and complete TCP handshake sequence. This can be used for networks employing asymmetric packet paths for incoming and outgoing traffic in which the SonicWALL does not see all traffic of the TCP flow. Use of this setting is not recommended as it limits the SonicWALL’s ability to enforce TCP stateful and other protections for the secured network.
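The trade-off behind that bridge-pair setting, and behind the TCP Handshake Enforcement row in the Wire Mode functionality table, is easier to see in a small model. The following Python is an added illustration, not SonicOS code: a toy inspector either forwards only packets of flows whose SYN / SYN-ACK / ACK handshake it observed, or (with enforcement disabled) also accepts mid-stream packets of flows it never saw established. The addresses, ports and packet traces are constructed for the example.

```python
"""Toy model of TCP handshake enforcement on an L2 bridge pair.

Constructed illustration, not SonicOS code. It models the trade-off behind
the "Disable stateful-inspection on this bridge-pair" setting: an inspector
that forwards only packets of flows whose SYN / SYN-ACK / ACK handshake it
observed, versus one that also accepts mid-stream packets of flows it never
saw established (needed on asymmetric paths, at the cost of that check).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


@dataclass
class FlowState:
    syn_seen: bool = False
    synack_seen: bool = False


class BridgeInspector:
    """Tracks flows crossing the bridge pair and decides per packet."""

    def __init__(self, enforce_handshake: bool):
        self.enforce_handshake = enforce_handshake
        self.flows = {}
        self.log = []

    @staticmethod
    def _key(p: Packet):
        # Direction-independent flow key so both halves share one entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        key = self._key(p)
        st = self.flows.setdefault(key, FlowState())
        if "SYN" in p.flags and "ACK" not in p.flags:
            st.syn_seen = True               # a new connection attempt
            return True
        if {"SYN", "ACK"} <= p.flags:
            if self.enforce_handshake and not st.syn_seen:
                self.log.append(("drop", "SYN-ACK for unseen SYN", key))
                return False
            st.synack_seen = True
            return True
        # Plain ACK, data, FIN or RST: only legitimate mid-stream if the
        # inspector saw the handshake complete on this path.
        established = st.syn_seen and st.synack_seen
        if established or not self.enforce_handshake:
            return True
        self.log.append(("drop", "mid-stream packet, handshake not seen", key))
        return False


CLIENT, SERVER = "10.1.1.10", "203.0.113.5"   # constructed addresses


def _pkt(src, dst, sport, dport, *flags, payload=b""):
    return Packet(src, dst, sport, dport, frozenset(flags), payload)


def symmetric_flow():
    """Both directions cross the bridge pair."""
    return [_pkt(CLIENT, SERVER, 40000, 443, "SYN"),
            _pkt(SERVER, CLIENT, 443, 40000, "SYN", "ACK"),
            _pkt(CLIENT, SERVER, 40000, 443, "ACK"),
            _pkt(CLIENT, SERVER, 40000, 443, "ACK", payload=b"\x16\x03\x01")]


def asymmetric_flow():
    """Return path bypasses the appliance: the SYN-ACK is never seen."""
    return [_pkt(CLIENT, SERVER, 40000, 443, "SYN"),
            _pkt(CLIENT, SERVER, 40000, 443, "ACK"),
            _pkt(CLIENT, SERVER, 40000, 443, "ACK", payload=b"\x16\x03\x01")]


def unsolicited_ack():
    """A bare ACK for a connection nobody set up (constructed)."""
    return [_pkt("198.51.100.7", CLIENT, 5555, 445, "ACK")]


def run(enforce_handshake: bool, packets) -> list:
    """Feed a packet list through a fresh inspector; return forward decisions."""
    insp = BridgeInspector(enforce_handshake)
    return [insp.handle(p) for p in packets]


if __name__ == "__main__":
    for name, trace in [("symmetric", symmetric_flow()),
                        ("asymmetric", asymmetric_flow()),
                        ("unsolicited ACK", unsolicited_ack())]:
        print(f"{name:16s} enforce={run(True, trace)}  disabled={run(False, trace)}")
```

With enforcement on, the asymmetric trace loses every packet after the SYN, which is the symptom that drives administrators to disable the check; with it off, the same trace passes, but so does a bare ACK for a connection that was never established, which is the protection the note says is given up.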








Configuring Wire Mode

Adding to the broad collection of traditional modes of SonicOS interface operation, including all LAN modes (Static, NAT, Transparent Mode, L2 Bridge Mode, Portshield Switch Mode) and all WAN modes (Static, DHCP, PPPoE, PPTP, and L2TP), SonicOS 5.8 introduces Wire-Mode, which provides four new methods of non-disruptive, incremental insertion into networks.

Table 1: Wire Mode Settings (each Wire Mode setting is followed by its description)

Bypass Mode

Bypass Mode allows for the quick and relatively non-interruptive introduction of Wire Mode into a network. Upon selecting a point of insertion into a network (e.g. between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains) the SonicWALL security appliance is inserted into the physical data path, requiring a very short maintenance window. One or more pairs of switch ports on the appliance are used to forward all packets across segments at full line rates. While Bypass Mode does not offer any inspection or firewalling, this mode allows the administrator to physically introduce the SonicWALL security appliance into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure. The administrator can then transition from Bypass Mode to Inspect or Secure Mode instantaneously through a simple user-interface driven reconfiguration.

Inspect Mode

Inspect Mode extends Bypass Mode without functionally altering the low-risk, zero-latency packet path. Packets continue to pass through the SonicWALL security appliance, but they are also mirrored to the multi-core RF-DPI engine for the purposes of passive inspection, classification, and flow reporting. This reveals the appliance’s Application Intelligence and threat detection capabilities without any actual intermediate processing.

When Inspect Mode is selected, the Restrict analysis at resource limit option specifies whether all traffic is inspected. When this option is enabled (which is the default), the appliance scans the maximum number of packets it can process. The remaining packets are allowed to pass without inspection. If this option is disabled, traffic is throttled if the flow of traffic exceeds the firewall's inspection ability.

Note: Disabling the Restrict analysis at resource limit option will reduce throughput if the rate of traffic exceeds the appliance’s ability to scan all traffic.
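To make the two behaviours of that option concrete, here is an added per-tick model in Python. It is not SonicOS code: the inspection capacity, the burst of arrivals and the tick granularity are all constructed assumptions. With the option enabled, excess packets are forwarded uninspected and the model reports the visibility gap as a percentage; with it disabled, excess packets queue up and the model reports the backlog that represents the throughput loss.

```python
"""Per-tick model of Inspect Mode under load.

Constructed illustration, not SonicOS code: it models the two behaviours
of the "Restrict analysis at resource limit" option when arrivals exceed
what the inspection engine can examine in a tick.
"""


def simulate_inspect_mode(arrivals, capacity, restrict_at_limit):
    """Run the model and return a summary dict.

    arrivals          -- packets arriving in each tick (list of ints)
    capacity          -- packets the inspection engine can examine per tick
    restrict_at_limit -- True: excess packets are forwarded uninspected
                         False: excess packets wait until capacity frees up
    """
    pending = 0            # packets queued for inspection (throttled mode only)
    forwarded = inspected = uninspected = max_backlog = 0
    for n in arrivals:
        pending += n
        examined = min(pending, capacity)
        inspected += examined
        forwarded += examined
        pending -= examined
        if restrict_at_limit:
            # Option enabled: whatever the engine could not examine is
            # passed through without inspection, so no backlog ever builds.
            uninspected += pending
            forwarded += pending
            pending = 0
        else:
            # Option disabled: excess stays queued, which is the throughput
            # reduction the note above warns about.
            max_backlog = max(max_backlog, pending)
    total = sum(arrivals)
    return {
        "forwarded": forwarded,
        "inspected": inspected,
        "uninspected": uninspected,
        "uninspected_pct": round(100.0 * uninspected / total, 1) if total else 0.0,
        "max_backlog": max_backlog,
        "still_queued": pending,
    }


# Constructed burst: four busy ticks followed by three idle ticks that let a
# throttled backlog drain. A capacity of 100 packets per tick is an assumption.
BURST = [50, 120, 200, 80, 0, 0, 0]
CAPACITY = 100


if __name__ == "__main__":
    for flag in (True, False):
        print("restrict_at_limit =", flag, simulate_inspect_mode(BURST, CAPACITY, flag))
```

The `uninspected_pct` figure is the number worth watching when the option is left at its default: every packet it counts crossed the segment with no detection applied, so a sustained non-zero value is a signal that the appliance is undersized for the link rather than a harmless statistic.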

Secure Mode

Secure Mode is the progression of Inspect Mode, actively interposing the SonicWALL security appliance’s multi-core processors into the packet processing path. This unleashes the inspection and policy engines’ full-set of capabilities, including Application Intelligence and Control, Intrusion Prevention Services, Gateway and Cloud-based Anti-Virus, Anti-Spyware, and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridge mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode thus provides an incrementally attainable NGFW deployment requiring no logical and only minimal physical changes to existing network designs.

Tap Mode

Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream via a single switch port on the SonicWALL security appliance, eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.

To summarize the key functional differences between modes of interface configuration:

Table 2: Functionality of the Different Wire Mode Settings

Feature                             | Bypass Mode | Inspect Mode | Secure Mode | Tap Mode | L2 Bridge, Transparent, NAT, Route Modes
------------------------------------|-------------|--------------|-------------|----------|-----------------------------------------
Active/Active Clustering (1)        | No          | No           | No          | No       | No
Application Control                 | No          | No           | Yes         | No       | Yes
Application Visibility              | No          | Yes          | Yes         | Yes      | Yes
ARP/Routing/NAT (1)                 | No          | No           | No          | No       | Yes
Comprehensive Anti-Spam Service (1) | No          | No           | No          | No       | Yes
Content Filtering                   | No          | No           | Yes         | No       | Yes
DHCP Server (1)                     | No          | No           | No          | No       | Yes (2)
DPI Detection                       | No          | Yes          | Yes         | Yes      | Yes
DPI Prevention                      | No          | No           | Yes         | No       | Yes
DPI-SSL (1)                         | No          | No           | No          | No       | Yes
High-Availability (1)               | Yes         | Yes          | Yes         | Yes      | Yes
Link-State Propagation (3)          | No          | No           | No          | No       | No
SPI                                 | No          | Yes          | Yes         | Yes      | Yes
TCP Handshake Enforcement (4)       | No          | No           | No          | No       | Yes
Virtual Groups (1)                  | No          | No           | No          | No       | Yes

(1) These functions or services are unavailable on interfaces configured in Wire Mode, but remain available on a system-wide level for any interfaces configured in other compatible modes of operation.

(2) Not available in L2 Bridge Mode.

(3) Link-State Propagation is a feature whereby interfaces in a Wire-Mode pair mirror the link-state transitions of their partners. This is essential to proper operation in redundant-path networks in particular.

(4) Disabled by design in Wire Mode so that failover events occurring elsewhere on the network are supported when multiple Wire-Mode paths, or multiple SonicWALL security appliance units, are in use along redundant or asymmetric paths.

Note: When operating in Wire-Mode, the SonicWALL security appliance’s dedicated “Management” interface will be used for local management. To enable remote management and dynamic security services and application intelligence updates, a WAN interface (separate from the Wire-Mode interfaces) must be configured for Internet connectivity. This is easily done given that SonicOS supports interfaces in mixed-modes of almost any combination.

To configure an interface for Wire Mode, perform the following steps:

  1. On the Network > Interfaces page, click the Configure button for the interface you want to configure for Wire Mode.
  2. In the Zone pulldown menu, select LAN.
  3. To configure the Interface for Tap Mode, in the Mode / IP Assignment pulldown menu, select Tap Mode (1-Port Tap) and click OK.
  4. To configure the Interface for Wire Mode, in the Mode / IP Assignment pulldown menu, select Wire Mode (2-Port Wire).
  5. In the Wire Mode Type pulldown menu, select the appropriate mode:
  6. When Inspect Mode is selected, the Restrict analysis at resource limit option is displayed. It is enabled by default. When this option is enabled, the appliance scans the maximum number of packets it can process. The remaining packets are allowed to pass without inspection. If this option is disabled, traffic is throttled if the flow of traffic exceeds the firewall's inspection ability.

     Note: Disabling the Restrict analysis at resource limit option will reduce throughput if the rate of traffic exceeds the appliance’s ability to scan all traffic.

  7. In the Paired Interface pulldown menu, select the interface that will connect to the upstream firewall. The paired interfaces must be of the same type (two 1 GB interfaces or two 10 GB interfaces).

     Note: Only unassigned interfaces are available in the Paired Interface pulldown menu. To make an interface unassigned, click on the Configure button for it, and in the Zone pulldown menu, select Unassigned.

  8. Click OK.