To configure advanced access rule options, select
Firewall Settings > Advanced
under Firewall.
The
Firewall Settings > Advanced
page includes the following firewall configuration option groups:
|
|
•
|
Enable Stealth Mode
- By default, the security appliance responds to incoming connection requests as either “blocked” or “open.” If you enable Stealth Mode, your security appliance does not respond to blocked inbound connection requests
. Stealth Mode makes your security appliance essentially invisible to hackers.
|
|
|
•
|
Randomize IP ID
- Select Randomize IP ID to prevent hackers using various detection tools from detecting the presence of a security appliance. IP packets are given random IP IDs, which makes it more difficult for hackers to “fingerprint” the security appliance.
|
|
|
•
|
Decrement IP TTL for forwarded traffic
- Time-to-live (TTL) is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded. Select this option to decrease the TTL value for packets that have been forwarded and therefore have already been in the network for some time.
|
|
|
–
|
Never generate ICMP Time-Exceeded packets
- The SonicWALL appliance generates Time-Exceeded packets to report when it has dropped a packet because its TTL value has decreased to zero. Select this option if you do not want the SonicWALL appliance to generate these reporting packets.
|
|
|
•
|
Enable FTP Transformations for TCP port(s) in Service Object
– FTP operates on TCP ports 20 and 21 where port 21 is the Control Port and 20 is Data Port. However, when using non-standard ports (eg. 2020, 2121), SonicWALL drops the packets by default as it is not able to identify it as FTP traffic. The Enable FTP Transformations for TCP port(s) in Service Object option allows you to select a Service Object to specify a custom control port for FTP traffic.
|
To illustrate how this feature works, consider the following example of an FTP server
behind the SonicWALL listening on port 2121:
|
a.
|
On the
Network > Address Objects
page, create an Address Object
for the private IP address of the FTP server with the following values:
|
|
b.
|
On the
Network > Services
page, create a custom Service for the FTP Server with the following values:
|
|
c.
|
On the
Network > NAT Policies
page, create the following NAT Policy, and on the Firewall Settings > Advanced
page, create the following Access Rule
|
|
d.
|
Lastly, on the
Firewall Settings > Advanced
page, for the Enable FTP
Transformations for TCP port(s) in Service Object
select the FTP Custom Port
Control
Service Object.
|
The following options are also configured in the
Dynamic Ports
section of the Firewall
Settings > Advanced
page:
|
|
•
|
E
nable support for Oracle (SQLNet)
– Select if you have Oracle applications on your network.
|
|
|
•
|
Enable RTSP Transformations
– Select this option to support on-demand delivery of real-time data, such as audio and video. RTSP (Real Time Streaming Protocol) is an application-level protocol for control over delivery of data with real-time properties.
|
Drop Source Routed Packets
- (Enabled by default.) Clear this check box if you are testing traffic between two specific hosts and you are using source routing.
The Connections section provides the ability to fine-tune the performance of the appliance to
prioritize either optimal performance or support for an increased number of simultaneous connections that are inspected by UTM services. There is no change in the level of security protection provided by either of the DPI Connections settings below. The following connection options are available:
|
|
•
|
Maximum SPI Connections (DPI services disabled)
- This option does not provide SonicWALL DPI Security Services protection and optimizes the firewall for maximum number of connections with only stateful packet inspection enabled. This option should be used by networks that require only
stateful packet inspection, which is not recommended for most SonicWALL SuperMassive deployments.
|
|
|
Note
|
When changing the
Connections
setting, the SonicWALL security appliance must be restarted for the change to be implemented.
|
The maximum number of connections also depends on whether App Flow is enabled and if an
external collector is configured, as well as the physical capabilities of the particular model of SonicWALL security appliance. Mousing over the 
question mark icon next to the Connections
heading displays a pop-up table of the maximum number of connections for your specific SonicWALL security appliance for the various configuration permutations. The table entry for your current configuration is indicated in the table, as shown in the example below.
A
ccess Rule Service Options
Force inbound and outbound FTP data connections to use default port 20
- The default configuration allows FTP connections from port 20 but remaps outbound traffic to a port such as 1024. If the check box is selected, any FTP data connection through the security appliance must come from port 20 or the connection is dropped. The event is then logged as a log event on the security appliance.
Apply firewall rules for intra-LAN traffic to/from the same interface
- Applies firewall rules that is received on a LAN interface and that is destined for the same LAN interface. Typically, this only necessary when secondary LAN subnets are configured.
Default UDP Connection Timeout (seconds)
-
Enter the number of seconds of idle time you want to allow before UDP connections time out. This value is overridden by the UDP Connection timeout you set for individual rules.
The Connection Limiting feature provides an additional layer of security against distributed
denial of service (DDoS) attacks by limiting the number of connections that can be initiated from or to individual IP addresses.
|
|
•
|
Enable connection limit based on source IP
- Select to limit the number of connections that can be made from a single source IP address. By default, the limit is set to 128. To modify this, enter a value in the Threshold
field.
|
|
|
•
|
Enable connection limit based on destination IP
- Select to limit the number of connections that can be made to a single destination IP address. By default, the limit is set to 128. To modify this, enter a value in the Threshold
field.
|
In addition to these configurable settings for individual IP addresses, all SonicWALL security
appliances have a built-in limit on the total number of connections allowed. For more information on this feature, see “Connection Limiting Overview”
.