U0_interface

Configuring the U0 External 3G/Modem Interface

The SonicWALL TZ 200 security appliances support an external 3G/mobile or analog modem interface. This interface is listed at the bottom of the Interface Settings table as the U0 interface. A number of the settings for the external interface can be configured from the Network > Interfaces page, but it can be more thoroughly configured using the pages on the 3G or Modem tab in the left-side navigation bar.

For complete information on configuring a 3G or analog modem external interface, see “3G/Modem” .

Specifying the WAN Connection Model

 
Note
The WAN Connection Model drop-down menu is only displayed when the U0 interface is configured for a 3G/mobile external interface. This menu item is not displayed when the U0 interface is configured for an analog modem.

To configure the WAN connection model, navigate to the Network > Interfaces page and select one of the following options in the WAN Connection Model drop-down menu:

 
3G only - The WAN interface is disabled and the 3G interface is used exclusively.
 
Ethernet only - The 3G interface is disabled and the WAN interface is used exclusively.
 
Ethernet with 3G Failover - The WAN interface is used as the primary interface and the 3G interface is disabled. If the WAN connection fails, the 3G interface is enabled and a 3G connection is automatically initiated.

For a detailed explanation of the behavior of the Ethernet with 3G Failover setting see “Understanding 3G Connection Models” .

Configuring SonicWALL PortShield Interfaces

PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall.

PortShield is supported on SonicWALL TZ Series and NSA 240 appliances.

 
Tip
Zones can always be applied to multiple interfaces in the Network > Interfaces page, even without the use of PortShield groupings. However, these interfaces will not share the same network subnet unless they are grouped using PortShield.

You can assign any combination of ports into a PortShield interface. All ports you do not assign to a PortShield interface are assigned to the LAN interface.

To configure a PortShield interface, perform the following steps:

Step 1
Click on the Network > Interfaces page.

Step 2
Click the Configure button for the interface you want to configure. The Edit Interface window displays.

Step 3
In the Zone pulldown menu, select on a zone type option to which you want to map the interface.
 
Note
You can add PortShield interfaces only to Trusted, Public, and Wireless zones.
Step 4
In the IP Assignment pulldown menu, select PortShield Switch Mode .
Step 5
In the PortShield to pulldown menu, select the interface you want to map this port to. Only ports that match the zone you have selected are displayed.

Configuring VLAN Subinterfaces

VLAN subinterfaces are supported on SonicWALL NSA series appliances. When you add a VLAN subinterface, you need to assign it to a zone, assign it a VLAN Tag, and assign it to a physical interface. Based on your zone assignment, you configure the VLAN subinterface the same way you configure a physical interface for the same zone.

Adding a virtual interface

Step 1
In the left-navigation menu click on Network and then Interfaces to display the Network   >   Interfaces page.
Step 2
At the bottom of the Interface Settings table, click Add Interface. The Edit Interface window displays.
Step 3
Select a zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone. The zone assignment does not have to be the same as the parent (physical) interface. In fact, the parent interface can even remain Unassigned .

Your configuration choices for the network settings of the subinterface depend on the zone you select.

 
LAN , DMZ , or a custom zone of Trusted type: Static or Transparent
 
WLAN or a custom Wireless zone: static IP only (no IP Assignment list).
Step 4
Assign a VLAN tag (ID) to the subinterface. Valid VLAN ID’s are 1 to 4095, although some switches reserve VLAN 1 for native VLAN designation. You will need to create a VLAN subinterface with a corresponding VLAN ID for each VLAN you wish to secure with your security appliance.
Step 5
Declare the parent (physical) interface to which this subinterface will belong. There is no per- interface limit to the number of subinterfaces you can assign – you may assign subinterfaces up to the system limit.
Step 6
Configure the subinterface network settings based on the zone you selected. See the interface configuration instructions earlier in this chapter:
 
“Configuring the Static Interfaces”
 
“Configuring Advanced Settings for the Interface”
 
“Configuring Interfaces in Transparent Mode”
 
“Configuring Wireless Interfaces”
 
“Configuring a WAN Interface”
 
“Configuring SonicWALL PortShield Interfaces”
 
“Configuring VLAN Subinterfaces”
Step 7
Select the management and user-login methods for the subinterface.
Step 8
Click OK .

Configuring Layer 2 Bridge Mode

See the following sections:

 
“Configuration Task List for Layer 2 Bridge Mode”
 
“Configuring Layer 2 Bridge Mode Procedure”
 
“VLAN Integration with Layer 2 Bridge Mode”
 
“VPN Integration with Layer 2 Bridge Mode”

Configuration Task List for Layer 2 Bridge Mode

 
Choose a topology that suits your network
 
“Configuring the Common Settings for L2 Bridge Mode Deployments” section
 
License UTM services
 
Disable DHCP server
 
Configure and enable SNMP and HTTP/HTTPS management
 
Enable syslog
 
Activate UTM services on affected zones
 
Create firewall access rules
 
Configure log settings
 
Configure wireless zone settings
 
“Configuring the Primary Bridge Interface” section
 
Select the zone for the Primary Bridge Interface
 
Activate management
 
Activate security services
 
“Configuring the Secondary Bridge Interface” section
 
Select the zone for the Secondary Bridge Interface
 
Activate management
 
Activate security services
 
Apply security services to the appropriate zones

Configuring the Common Settings for L2 Bridge Mode Deployments

The following settings need to be configured on your SonicWALL UTM appliance prior to using it in most of the Layer 2 Bridge Mode topologies.

Licensing Services

When the appliance is successfully registered, go to the System > Licenses page and click Synchronize under Manage Security Services Online . This will contact the SonicWALL licensing server and ensure that the appliance is properly licensed.

To check licensing status, go to the System > Status page and view the license status of all the UTM services (Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention).

Disabling DHCP Server

When using a SonicWALL UTM appliance in Layer 2 Bridge Mode in a network configuration where another device is acting as the DHCP server, you must first disable its internal DHCP engine, which is configured and running by default. On the Network > DHCP Server page, clear the Enable DHCP Server check box, and then click on the Accept button at the top of the screen.

Configuring SNMP Settings

On the System > Administration page, make sure the checkbox next to Enable SNMP is checked, and then click on the Accept button at the top of the screen.

Then, click the Configure button. On the SNMP Settings page, enter all the relevant information for your UTM appliance: the GET and TRAP SNMP community names that the SNMP server expects, and the IP address of the SNMP server. Click OK to save and activate the changes.

Enabling SNMP and HTTPS on the Interfaces

On the Network > Interfaces page, enable SNMP and HTTP/HTTPS on the interface through which you will be managing the appliance.

Enabling Syslog

On the Log > Syslog page, click on the Add button and create an entry for the syslog server. Click OK to save and activate the change.

Activating UTM Services on Each Zone

On the Network > Zones page, for each zone you will be using, make sure that the UTM services are activated.

Then, on the Security Services page for each UTM service, activate and configure the settings that are most appropriate for your environment.

An example of the Gateway Anti-Virus settings is shown below:

An example of the Intrusion Prevention settings is shown below:

An example of the Anti-Spyware settings is shown below:

Creating Firewall Access Rules

If you plan to manage the appliance from a different zone, or if you will be using a server such as the HP PCM+/NIM server for management, SNMP, or syslog services, create access rules for traffic between the zones. On the Firewall > Access Rules page, click on the icon for the intersection of the zone of the server and the zone that has users and servers (your environment may have more than one of these intersections). Create a new rule to allow the server to communicate with all devices in that zone.

Configuring Log Settings

On the Log > Categories page, set the Logging Level to Informational and the Alert Level to Critical . Click Accept to save and activate the change.

Then, go to the Log > Name Resolution page and set the Name Resolution Method to DNS then NetBios . Click Accept to save and activate the change.

Configuring Wireless Zone Settings

In the case where you are using a HP PCM+/NIM system, if it will be managing a HP ProCurve switch on an interface assigned to a WLAN/Wireless zone, you will need to deactivate two features, otherwise you will not be able to manage the switch. Go to the Network > Zones page and select your Wireless zone. On the Wireless tab, clear the checkboxes next to Only allow traffic generated by a SonicPoint and WiFiSec Enforcement . Click OK to save and activate the change.

Configuring Layer 2 Bridge Mode Procedure

Refer to the “L2 Bridge Interface Zone Selection” section for choosing a topology that best suits your network. In this example, we will be using a topology that most closely resembles the Simple L2 Bridge Topology.

Choose an interface to act as the Primary Bridge Interface. Refer to the “L2 Bridge Interface Zone Selection” section for information in making this selection. In this example, we will use X1 (automatically assigned to the Primary WAN):

Configuring the Primary Bridge Interface

Step 1
Select the Network tab, Interfaces folder from the navigation panel.
Step 2
Click the Configure icon in the right column of the X1 (WAN) interface.
Step 3
Configure the interface with a Static IP address (e.g. 192.168.0.12).
 
Note
The Primary Bridge Interface must have a Static IP assignment.
Step 4
Configure the default gateway. This is required for the security appliance itself to reach the Internet. (This applies only to WAN interfaces.)
Step 5
Configure the DNS server. (This applies only to WAN interfaces.)
Step 6
Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
Step 7
Click OK .

Choose an interface to act as the Secondary Bridge Interface. Refer to the L2 Bridge Interface Zone Selection for information in making this selection. In this example, we will use X0 (automatically assigned to the LAN):

Configuring the Secondary Bridge Interface

Step 1
On the Network > Interfaces page, click the Configure icon in the right column of the X0 (LAN) interface.
Step 2
In the IP Assignment drop-down list, select Layer 2 Bridged Mode .
Step 3
In the Bridged to drop-down list, select the X1 interface.
Step 4
Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
Step 5
You may optionally enable the Block all non-IPv4 traffic setting to prevent the L2 bridge from passing non-IPv4 traffic.

VLAN Filtering (on SonicWALL NSA series appliances)

 
You may also optionally navigate to the VLAN Filtering tab to control VLAN traffic through the L2 bridge. By default, all VLANs are allowed:
 
Select Block listed VLANs (blacklist) from the drop-down list and add the VLANs you wish to block from the left pane to the right pane. All VLANs added to the right pane will be blocked, and all VLANs remaining in the left pane will be allowed.
 
Select Allow listed VLANs (whitelist) from the drop-down list and add the VLANs you wish to explicitly allow from the left pane to the right pane. All VLANs added to the right pane will be allowed, and all VLANs remaining in the left pane will be blocked.
Step 6
Click OK .

The Network > Interfaces page displays the updated configuration:

You may now apply security services to the appropriate zones, as desired. In this example, they should be applied to the LAN, WAN, or both zones.

VLAN Integration with Layer 2 Bridge Mode

VLANs are supported on SonicWALL NSA series appliances. When a packet with a VLAN tag arrives on a physical interface, the VLAN ID is evaluated to determine if it is supported. The VLAN tag is stripped, and packet processing continues as it would for any other traffic. A simplified view of the inbound and outbound packet path includes the following potentially reiterative steps:

 
IP validation and reassembly
 
Decapsulation (802.1q, PPP)
 
Decryption
 
Connection cache lookup and management
 
Route policy lookup
 
NAT Policy lookup
 
Access Rule (policy) lookup
 
Bandwidth management
 
NAT translation
 
Advanced Packet Handling (as applicable)
 
TCP validation
 
Management traffic handling
 
Content Filtering
 
Transformations and flow analysis (on SonicWALL NSA series appliances): H.323, SIP, RTSP, ILS/LDAP, FTP, Oracle, NetBIOS, Real Audio, TFTP
 
IPS and GAV

At this point, if the packet has been validated as acceptable traffic, it is forwarded to its destination. The packet egress path includes:

 
Encryption
 
Encapsulation
 
IP fragmentation

On egress, if the route policy lookup determines that the gateway interface is a VLAN subinterface, the packet is tagged (encapsulated) with the appropriate VLAN ID header. The creation of VLAN subinterfaces automatically updates the SonicWALL’s routing policy table:

The auto-creation of NAT policies, Access Rules with regard to VLAN subinterfaces behave exactly the same as with physical interfaces. Customization of the rules and policies that govern the traffic between VLANs can be performed with customary SonicOS ease and efficiency.

When creating a zone (either as part of general administration, or as a step in creating a subinterface), a checkbox will be presented on the zone creation page to control the auto-creation of a GroupVPN for that zone. By default, only newly created Wireless type zones will have ‘Create GroupVPN for this zone’ enabled, although the option can be enabled for other zone types by selecting the checkbox during creation.

Management of security services between VLAN subinterfaces is accomplished at the zone level. All security services are configurable and applicable to zones comprising physical interfaces, VLAN subinterfaces, or combinations of physical and VLAN subinterfaces.

Gateway Anti-Virus and Intrusion Prevention Services between the different workgroups can easily be employed with the use of VLAN segmentation, obviating the need for dedicated physical interfaces for each protected segment.

VLAN support enables organizations to offer meaningful internal security (as opposed to simple packet filtering) between various workgroups, and between workgroups and server farms without having to use dedicated physical interfaces on the SonicWALL.

Here the ability to assign VLAN subinterfaces to the WAN zone, and to use the WAN client mode (only Static addressing is supported on VLAN subinterfaces assigned to the WAN zone) is illustrated, along with the ability to support WAN Load Balancing and failover. Also demonstrated is the distribution of SonicPoints throughout the network by means of connecting them to access mode VLAN ports on workgroup switches. These switches are then backhauled to the core switch, which then connects all the VLANs to the appliance via a trunk link.

VPN Integration with Layer 2 Bridge Mode

When configuring a VPN on an interface that is also configured for Layer 2 Bridge mode, you must configure an additional route to ensure that incoming VPN traffic properly traverses the SonicWALL security appliance. Navigate to the Network > Routing page, scroll to the bottom of the page, and click on the Add button. In the Add Route Policy window, configure the route as follows:

 
Source: ANY
 
Destination: custom-VPN-address-object (This is the address object for the local VPN tunnel IP address range.)
 
Service: ANY
 
Gateway: 0.0.0.0
 
Interface: X0

Configuring IPS Sniffer Mode

To configure the SonicWALL NSA appliance for IPS Sniffer Mode, you will use two interfaces in the same zone for the L2 Bridge-Pair. You can use any interfaces except the WAN interface. For this example, we will use X2 and X3 for the Bridge-Pair, and configure them to be in the LAN zone. The WAN interface (X1) is used by the SonicWALL appliance for access to the SonicWALL Data Center as needed. The mirrored port on the switch will connect to one of the interfaces in the Bridge-Pair.

This section contains the following topics:

 
“Configuration Task List for IPS Sniffer Mode”
 
“Configuring the Primary Bridge Interface”
 
“Configuring the Secondary Bridge Interface”
 
“Enabling and Configuring SNMP”
 
“Configuring Security Services (Unified Threat Management)”
 
“Configuring Logging”
 
“Connecting the Mirrored Switch Port to a IPS Sniffer Mode Interface”
 
“Connecting and Configuring the WAN Interface to the Data Center”

Configuration Task List for IPS Sniffer Mode

 
Configure the Primary Bridge Interface
 
Select LAN as the Zone for the Primary Bridge Interface
 
Assign a static IP address
 
Configure the Secondary Bridge Interface
 
Select LAN as the Zone for the Secondary Bridge Interface
 
Enable the L2 Bridge to the Primary Bridge interface
 
Enable SNMP and configure the IP address of the SNMP manager system where traps can be sent
 
Configure Security Services (UTM) for LAN traffic
 
Configure logging alert settings to “Alert” or below
 
Connect the mirrored port on the switch to either one of the interfaces in the Bridge-Pair
 
Connect and configure the WAN to allow access to dynamic signature data over the Internet

Configuring the Primary Bridge Interface

Step 1
Select the Network tab, Interfaces folder from the navigation panel.
Step 2
Click the Configure icon in the right column of interface X2.
Step 3
In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down list.

Note that you do not need to configure settings on the Advanced or VLAN Filtering tabs.

Step 4
For IP Assignment, select Static from the drop-down list.
Step 5
Configure the interface with a static IP Address (e.g. 10.1.2.3). The IP address you choose should not collide with any of the networks that are seen by the switch.
 
Note
The Primary Bridge Interface must have a static IP assignment.
Step 6
Configure the Subnet Mask.
Step 7
Type in a descriptive comment.
Step 8
Select management options for the interface (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
Step 9
Click OK .

Configuring the Secondary Bridge Interface

Our example continues with X3 as the secondary bridge interface.

Step 1
Select the Network tab, Interfaces folder from the navigation panel.
Step 2
Click the Configure icon in the right column of the X3 interface.
Step 3
In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down list.

Note that you do not need to configure settings on the Advanced or VLAN Filtering tabs.

Step 4
In the IP Assignment drop-down list, select Layer 2 Bridged Mode .
Step 5
In the Bridged to drop-down list, select the X2 interface.
Step 6
Do not enable the Block all non-IPv4 traffic setting if you want to monitor non-IPv4 traffic.
Step 7
Select Never route traffic on this bridge-pair to ensure that the traffic from the mirrored switch port is not sent back out onto the network. (The Never route traffic on this bridge-pair setting is known as Captive-Bridge Mode.)
Step 8
Select Only sniff traffic on this bridge-pair to enable sniffing or monitoring of packets that arrive on the L2 Bridge from the mirrored switch port.
Step 9
Select Disable stateful-inspection on this bridge-pair to Allow TCP connections to pass through the SonicWALL even if the device has not seen a valid and complete TCP handshake sequence. This can be used for networks employing asymmetric packet paths for incoming and outgoing traffic in which the SonicWALL does not see all traffic of the TCP flow. Use of this setting is not recommended as it limits the SonicWALL’s ability to enforce TCP stateful and other protections for the secured network.
Step 10
Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).
Step 11
Click OK .

Enabling and Configuring SNMP

When SNMP is enabled, SNMP traps are automatically triggered for many events that are generated by SonicWALL Security Services such as Intrusion Prevention and Gateway Anti-Virus.

More than 50 IPS and GAV events currently trigger SNMP traps. The SonicOS Log Event Reference Guide contains a list of events that are logged by SonicOS, and includes the SNMP trap number where applicable. The guide is available online at
h ttp://www.sonicwall.com/us/Support.html by typing Log Event into the Search field at the top of the page.

To determine the traps that are possible when using IPS Sniffer Mode with Intrusion Prevention enabled, search for Intrusion in the table found in the Index of Log Event Messages section in the SonicOS Log Event Reference Guide . The SNMP trap number, if available for that event, is printed in the SNMP Trap Type column of the table.

To determine the possible traps with Gateway Anti-Virus enabled, search the table for Security Services , and view the SNMP trap number in the SNMP Trap Type column.

To enable and configure SNMP:

Step 1
Select the System tab, Administration folder from the navigation panel.
Step 2
Scroll down to the Advanced Management section.
Step 3
Select the Enable SNMP checkbox. The Configure button becomes active.
Step 4
Click Configure . The SNMP Settings dialog box is displayed.
Step 5
In the SNMP Settings dialog box, for System Name, type the name of the SNMP manager system that will receive the traps sent from the SonicWALL.
Step 6
Enter the name or email address of the contact person for the SNMP Contact
Step 7
Enter a description of the system location, such as “3rd floor lab”.
Step 8
Enter the system’s asset number.
Step 9
For Get Community Name, type the community name that has permissions to retrieve SNMP information from the SonicWALL, e.g. public .
Step 10
For Trap Community Name, type the community name that will be used to send SNMP traps from the SonicWALL to the SNMP manager, e.g. public .
Step 11
For the Host fields, type in the IP address(es) of the SNMP manager system(s) that will receive the traps.
Step 12
Click OK .

Configuring Security Services (Unified Threat Management)

The settings that you enable in this section will control what type of malicious traffic you detect in IPS Sniffer Mode. Typically you will want to enable Intrusion Prevention, but you may also want to enable other Security Services such as Gateway Anti-Virus or Anti-Spyware.

To enable Security Services, your SonicWALL must be licensed for them and the signatures must be downloaded from the SonicWALL Data Center. For complete instructions on enabling and configuring IPS, GAV, and Anti-Spyware, see the Security Services section in this guide.

Configuring Logging

You can configure logging to record entries for attacks that are detected by the SonicWALL.

To enable logging, perform the following steps:

Step 1
Select the Log tab, Categories folder from the navigation panel.
Step 2
Under Log Categories, select All Categories in the View Style drop-down list.
Step 3
In the Attacks category, enable the checkboxes for Log , Alerts , and Syslog .
Step 4
Click Apply .

Connecting the Mirrored Switch Port to a IPS Sniffer Mode Interface

Use a standard Cat-5 Ethernet cable to connect the mirrored switch port to either interface in the Bridge-Pair. Network traffic will automatically be sent from the switch to the SonicWALL where it can be inspected.

Consult the switch documentation for instructions on setting up the mirrored port.

Connecting and Configuring the WAN Interface to the Data Center

Connect the WAN port on the SonicWALL, typically port X1, to your gateway or to a device with access to the gateway. The SonicWALL communicates with the SonicWALL Data Center automatically. For detailed instructions on configuring the WAN interface, see “Configuring a WAN Interface” .

Configuring Wire Mode

Adding to the broad collection of traditional modes of SonicOS interface operation, including all LAN modes (Static, NAT, Transparent Mode, L2 Bridge Mode, Portshield Switch Mode), and all WAN modes (Static, DHCP, PPPoE, PPTP, and L2TP), SonicOS 5.8 introduces Wire-Mode, which provides four new methods non‑disruptive, incremental insertion into networks.

Restrict analysis at resource limit

 
Table 1
Wire Mode Settings

Bypass Mode

Bypass Mode allows for the quick and relatively non-interruptive introduction of Wire Mode into a network. Upon selecting a point of insertion into a network (e.g. between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains) the SonicWALL security appliance is inserted into the physical data path, requiring a very short maintenance window. One or more pairs of switch ports on the appliance are used to forward all packets across segments at full line rates. While Bypass Mode does not offer any inspection or firewalling, this mode allows the administrator to physically introduce the SonicWALL security appliance into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure. The administrator can then transition from Bypass Mode to Inspect or Secure Mode instantaneously through a simple user-interface driven reconfiguration.

Inspect Mode

Inspect Mode extends Bypass Mode without functionally altering the low-risk, zero-latency packet path. Packets continue to pass through the SonicWALL security appliance, but they are also mirrored to the multi-core RF-DPI engine for the purposes of passive inspection, classification, and flow reporting. This reveals the appliance’s Application Intelligence and threat detection capabilities without any actual intermediate processing.

When Inspect Mode is selected, the Restrict analysis at resource limit option specifies whether all traffic is inspected. When this option is enabled (which is the default), the appliance scans the maximum number of packets it can process. The remaining packets are allowed to pass without inspection. If this option is disabled, traffic will be throttled in the flow of traffic exceeds the firewalls inspection ability.

 
Note
Disabling the Restrict analysis at resource limit option will reduce throughput if the rate of traffic exceeds the appliance’s ability to scan all traffic.

Secure Mode

Secure Mode is the progression of Inspect Mode, actively interposing the SonicWALL security appliance’s multi-core processors into the packet processing path. This unleashes the inspection and policy engines’ full-set of capabilities, including Application Intelligence and Control, Intrusion Prevention Services, Gateway and Cloud-based Anti-Virus, Anti-Spyware, and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridge mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode thus provides an incrementally attainable NGFW deployment requiring no logical and only minimal physical changes to existing network designs.

Tap Mode

Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream via a single switch port on the SonicWALL security appliance, eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.

To summarize the key functional differences between modes of interface configuration:

 

 
Table 2
Functionality of the Different Wire Mode Settings
 
Bypass Mode
Inspect Mode
Secure Mode
Tap Mode
L2 Bridge, Transparent, NAT, Route Modes

Active/Active Clustering 1

No

No

No

No

Yes

Application Control

No

No

Yes

No

Yes

Application Visibility

No

Yes

Yes

Yes

Yes

ARP/Routing/NAT 1

No

No

No

No

Yes

Comprehensive Anti‑Spam Service 1

No

No

No

No

Yes

Content Filtering

No

No

Yes

No

Yes

DHCP Server 1

No

No

No

No

Yes 2

DPI Detection

No

Yes

Yes

Yes

Yes

DPI Prevention

No

No

Yes

No

Yes

DPI-SSL 1

No

No

No

No

Yes

High-Availability 1 3

No

No

No

No

Yes

Link-State Propagation 4

Yes

Yes

Yes

No

No

SPI

No

Yes

Yes

Yes

Yes

TCP Handshake Enforcement 5

No

No

No

No

Yes

Virtual Groups 1

No

No

No

No

Yes


1

These functions or services are unavailable on interfaces configured in Wire Mode, but remain available on a system-wide level for any interfaces configured in other compatible modes of operation.

2

3

4

Link State Propagation is a feature whereby interfaces in a Wire-Mode pair will mirror the link-state triggered by transitions of their partners. This is essential to proper operations in redundant path networks, in particular.

5

Disabled by design in Wire Mode to allow for failover events occurring elsewhere on the network to be supported when multiple Wire-Mode paths, or when multiple SonicWALL security appliance units are in use along redundant or asymmetric paths.
 
Note
When operating in Wire-Mode, the SonicWALL security appliance’s dedicated “Management” interface will be used for local management. To enable remote management and dynamic security services and application intelligence updates, a WAN interface (separate from the Wire-Mode interfaces) must be configured for Internet connectivity. This is easily done given that SonicOS supports interfaces in mixed-modes of almost any combination.

To configure an interface for Wire Mode, perform the following steps:

1.
On the Network > Interfaces page, click the Configure button for the interface you want to configure for Wire Mode.
2.
In the Zone pulldown menu, select LAN .
3.
To configure the Interface for Tap Mode, in the Mode / IP Assignment pulldown menu, select Tap Mode (1-Port Tap ) and click OK .
4.
To configure the Interface for Wire Mode, in the Mode / IP Assignment pulldown menu, select Wire Mode (2-Port Wire ).
5.
In the Wire Mode Type pulldown menu, select the appropriate mode:
 
Bypass Mode (via Internal Switch / Relay)
 
Inspect Mode (Passive DPI of Mirrored Traffic)
 
Secure Mode (Active DPI of Inline Traffic)
6.
When Inspect Mode is selected, the Restrict analysis at resource limit option is displayed. It is enabled by default. When this option is enabled, the appliance scans the maximum number of packets it can process. The remaining packets are allowed to pass without inspection. If this option is disabled, traffic will be throttled in the flow of traffic exceeds the firewalls inspection ability.
 
Note
Disabling the Restrict analysis at resource limit option will reduce throughput if the rate of traffic exceeds the appliance’s ability to scan all traffic.
7.
In the Paired Interface pulldown menu, select the interface that will connect to the upstream firewall. The paired interfaces must be of the same type (two 1 GB interfaces or two 10 GB interfaces).
 
Note
Only unassigned interfaces are available in the Paired Interface pulldown menu. To make an interface unassigned, click on the Configure button for it, and in the Zone pulldown menu, select Unassigned .
8.
Click OK .