
Wizards > Public Server Wizard

Step 1        Click the Wizard button on the top-right corner of the SonicOS management interface. In the Welcome screen, select the Public Server Wizard and then click Next.

Step 2        Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for each service you are enabling on this server. Click Next.

Step 3        Enter the name of the server.

Step 4        Enter the private IP address of the server. Specify an IP address in the range of addresses assigned to the zone where you want to put this server. The Public Server Wizard automatically assigns the server to the zone in which its IP address belongs. Click Next.

Step 5        Enter the public IP address of the server. The default is the WAN public IP address. If you enter a different IP, the Public Server Wizard will create an address object for that IP address and bind the address object to the WAN zone. Click Next. The Summary page displays a summary of the configuration you selected in the wizard.

             Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the DMZ, the wizard binds the address object to the DMZ zone. It names the object with the name you specified for the server plus “_private”. If you specify an IP in the range of another zone, it binds the address object to that zone. If you specify an IP address outside the range of every zone you have configured, the wizard binds the address object to the LAN zone.

Because the server in the example used the default WAN IP address for the Server Public IP Address, the wizard states that it will use the existing WAN address object when constructing policies between the new server and the WAN. If you specify another address, the wizard creates an object for that address bound to the WAN zone and names the new address object with the name you specified for the server plus “_public”.

             Server Service Group Object - The wizard creates a service group object for the services used by the new server. Because the server in the example is a Web server, the service group includes HTTP and HTTPS. This way, you have a convenient group to refer to when creating or editing access policies for this server.

             Server NAT Policies - The wizard creates a NAT policy to translate the destination addresses of all incoming packets with one of the services in the new service group and addressed to the WAN address to the address of the new server. Therefore, in this example, if a packet with service type of HTTPS comes in addressed to the WAN interface (10.0.93.43), the NAT policy will translate its address to 172.22.2.44.

The wizard also creates a Loopback NAT policy to translate HTTP and HTTPS traffic from inside your network that is addressed to the WAN IP address back to the address of the new server.

             Server Access Rules - The wizard creates an access policy allowing traffic for the new service group from the WAN zone to the DMZ.

Step 6        Click Accept in the Public Server Configuration Summary page to complete the wizard and apply the configuration to your SonicWALL.

Step 7        The new IP address used to access the new server, internally and externally, is displayed in the URL field of the Congratulations window. Click Close to close the wizard.
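The object and policy derivation described in the Summary page above, worked through as an added example (not SonicOS code or the wizard's own output). The zone ranges and field names are assumptions; the WAN address 10.0.93.43 and server address 172.22.2.44 are the page's own example values.

```python
from ipaddress import ip_address, ip_network

# Constructed zone layout standing in for the appliance's interface ranges (an assumption);
# the WAN address and the server address are the ones used in the page's example.
ZONES = {
    "LAN": ip_network("192.168.168.0/24"),
    "DMZ": ip_network("172.22.2.0/24"),
}
WAN_IP = "10.0.93.43"
SERVICE_GROUPS = {"Web Server": ["HTTP", "HTTPS"]}  # services checked for a Web server

def zone_for(ip):
    """Bind an address to the zone whose range contains it; out-of-range IPs go to LAN."""
    addr = ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "LAN"

def public_server_config(name, private_ip, server_type, public_ip=WAN_IP):
    """Derive the objects, NAT policies and access rule the wizard's summary page lists."""
    private = {"name": f"{name}_private", "ip": private_ip, "zone": zone_for(private_ip)}
    if public_ip == WAN_IP:  # reuse the existing WAN address object
        public = {"name": "WAN Interface IP", "ip": WAN_IP, "zone": "WAN", "new": False}
    else:                    # otherwise create <name>_public bound to the WAN zone
        public = {"name": f"{name}_public", "ip": public_ip, "zone": "WAN", "new": True}
    services = list(SERVICE_GROUPS[server_type])
    group = {"name": f"{name}_services", "members": services}
    # Inbound NAT: WAN traffic for the group's services, sent to the public IP, reaches the server.
    inbound_nat = {"src_zones": ["WAN"], "orig_dst": public["ip"],
                   "trans_dst": private["ip"], "services": services}
    # Loopback NAT: the same translation for internal clients that use the public address.
    loopback_nat = {"src_zones": list(ZONES), "orig_dst": public["ip"],
                    "trans_dst": private["ip"], "services": services}
    access_rule = {"src_zone": "WAN", "dst_zone": private["zone"], "destination": private["name"],
                   "services": group["name"], "action": "Allow"}
    return {"private": private, "public": public, "service_group": group,
            "nat_policies": [inbound_nat, loopback_nat], "access_rule": access_rule}

def translate_destination(cfg, src_zone, dst_ip, service):
    """Apply the wizard's NAT policies to one packet; returns its destination after NAT."""
    for policy in cfg["nat_policies"]:
        if (src_zone in policy["src_zones"] and dst_ip == policy["orig_dst"]
                and service in policy["services"]):
            return policy["trans_dst"]
    return dst_ip
```

A packet for a service outside the group (SMTP to the WAN address, say) is left untranslated, which is why the service group doubles as the scope of the NAT and access policies.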

Wizards > VPN Wizard

The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWALL. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VPN policy. You can use the SonicWALL Management Interface for optional advanced configuration options.

Using the VPN Policy Wizard

Step 1        Click the Wizard button on the top-right corner of the SonicOS management interface. In the Welcome screen, select the VPN Policy Wizard and then click Next.

Step 2        In the VPN Policy Type page, select WAN GroupVPN and click Next.

Step 3        In the IKE Phase 1 Key Method page, you select the authentication key to use for this VPN policy:

             Default Key: If you choose the default key, all your Global VPN Clients will automatically use the default key generated by the SonicWALL to authenticate with the SonicWALL.

             Use this Key: If you choose a custom preshared key, you must distribute the key to every VPN Client because the user is prompted for this key when connecting to the SonicWALL.

Note         If you select Use this Key, and leave the default key as the value, you must still distribute the key to your VPN clients.

Step 4        Click Next.

Step 5        In the IKE Security Settings page, you select the security settings for IKE Phase 2 negotiations and for the VPN tunnel. You can use the default settings.

             DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group starts with larger numbers. You can choose Group 1, Group 2, or Group 5. The VPN uses this during IKE negotiation to create the key pair.

             Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or AES-256. The VPN uses this for all data through the tunnel.

             Authentication: This is the hashing method used to authenticate the key, once it is exchanged during IKE negotiation. You can choose MD5 or SHA-1.

             Life Time (seconds): This is the length of time the VPN tunnel stays open before needing to re-authenticate. The default is eight hours (28800).

Warning         The SonicWALL Global VPN Client version 1.x is not capable of AES encryption, so if you choose this method, only SonicWALL Global VPN Client versions 2.x and higher will be able to connect.

Step 6        Click Next.

Step 7        In the User Authentication page, select if you want the VPN Users to be required to authenticate with the firewall when they connect. If you select Enable User Authentication, you must select the user group which contains the VPN users. For this example, leave Enable User Authentication unchecked. Click Next.

Note         If you enable user authentication, the users must be entered in the SonicWALL database for authentication. Users are entered into the SonicWALL database on the Users > Local Users page, and then added to groups in the Users > Local Groups page.

Step 8        In the Configure Virtual IP Adapter page, select whether you want to use the SonicWALL’s internal DHCP server to assign each VPN client an IP address from the LAN zone’s IP range. When a user connects, the user then appears to be inside the LAN. Check the Use Virtual IP Adapter box and click Next.

Step 9        The Configuration Summary page details the settings that will be pushed to the SonicWALL when you apply the configuration. Click Accept to create your GroupVPN.

Connecting the Global VPN Clients

Remote users install the SonicWALL Global VPN Client software. Once the application is installed, they use a connection wizard to set up their VPN connection. To configure the VPN connection, the client must have the following information:

             The public IP address (or domain name) of the WAN port of your SonicWALL

             The shared secret if you selected a custom preshared secret in the VPN Wizard.

             The authentication username and password.

Configuring a Site-to-Site VPN using the VPN Wizard

You use the VPN Policy Wizard to create the site-to-site VPN policy.

Using the VPN Wizard to Configure Preshared Secret

Step 1        Click the Wizard button on the top-right corner of the SonicOS management interface. In the Welcome screen, select the VPN Policy Wizard and then click Next.

Step 2        In the VPN Policy Type page, select Site-to-Site and click Next.

Step 3        In the Create Site-to-Site Policy page, enter the following information:

             Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office.

             Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWALL generated Preshared Key.

             I know my Remote Peer IP Address (or FQDN): If you check this option, this SonicWALL can initiate the contact with the named remote peer.

If you do not check this option, the peer must initiate contact to create a VPN tunnel. This device will use aggressive mode for IKE negotiation.

For this example, leave the option unchecked.

             Remote Peer IP Address (or FQDN): If you checked the option above, enter the IP address or Fully Qualified Domain Name (FQDN) of the remote peer (For example, boston.yourcompany.com).

Step 4        Click Next.

Step 5        In the Network Selection page, select the local and destination resources this VPN will be connecting:

             Local Networks: Select the local network resources protected by this SonicWALL that you are connecting with this VPN. You can select any address object or group on the device, including networks, subnets, individual servers, and interface IP addresses.

If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group. For this example, select LAN Subnets.

             Destination Networks: Select the network resources on the destination end of the VPN Tunnel. If the object or group does not exist, select Create new Address Object or Create new Address Group. For example:

a. Select Create new Address Group.

b. In the Name field, enter “LAN Group”.

c. In the list on the left, select LAN Subnets and click the -> button.

d. Click OK to create the group and return to the Network Selection page.

e. In the Destination Networks field, select the newly created group.

Step 6        Click Next.

Step 7        In the IKE Security Settings page, select the security settings for IKE Phase 2 negotiations and for the VPN tunnel. You can use the default settings.

             DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group starts with larger numbers. You can choose Group 1, Group 2, or Group 5. The VPN uses this during IKE negotiation to create the key pair.

             Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or AES-256. The VPN uses this for all data through the tunnel.

             Authentication: This is the hashing method used to authenticate the key, once it is exchanged during IKE negotiation. You can choose MD5 or SHA-1.

             Life Time (seconds): This is the length of time the VPN tunnel stays open before needing to re-authenticate. The default is eight hours (28800).

Step 8        The Configuration Summary page details the settings that will be pushed to the security appliance when you apply the configuration.

Step 9        Click Accept to create the VPN.
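The choices the VPN Policy Wizard collects for a WAN GroupVPN and for a Site-to-Site policy, modelled as an added example (not SonicOS code). It encodes the rules the two procedures above state: the DH groups and cipher order offered, the 28800-second default lifetime, the Global VPN Client 1.x/AES warning, the Use this Key note about distributing the key, and the aggressive-mode/initiation consequence of not knowing the remote peer. The default settings and the field names are assumptions.

```python
# Choices the wizard's IKE Security Settings page offers, in the page's own order.
DH_GROUPS = (1, 2, 5)
ENCRYPTION = ("DES", "3DES", "AES-128", "AES-256")   # least secure to most secure
AUTHENTICATION = ("MD5", "SHA-1")
DEFAULT_LIFETIME = 28800                              # eight hours, in seconds

def ike_settings(dh_group=2, encryption="3DES", authentication="SHA-1",
                 lifetime=DEFAULT_LIFETIME):
    """Validate the IKE settings (defaults here are assumptions) and record the client caveat."""
    if dh_group not in DH_GROUPS:
        raise ValueError(f"DH group must be one of {DH_GROUPS}")
    if encryption not in ENCRYPTION or authentication not in AUTHENTICATION:
        raise ValueError("unsupported encryption or authentication method")
    if lifetime <= 0:
        raise ValueError("lifetime must be a positive number of seconds")
    return {"dh_group": dh_group, "encryption": encryption,
            "authentication": authentication, "lifetime": lifetime,
            "security_rank": ENCRYPTION.index(encryption),
            # Warning from the page: Global VPN Client 1.x cannot do AES.
            "min_gvc_version": 2 if encryption.startswith("AES") else 1}

def group_vpn_policy(key_method="default", key=None, user_group=None,
                     virtual_ip=True, **ike):
    """WAN GroupVPN as the wizard builds it. key_method is 'default' or 'custom' (Use this Key)."""
    if key_method not in ("default", "custom"):
        raise ValueError("key_method must be 'default' or 'custom'")
    return {"type": "WAN GroupVPN", "ike": ike_settings(**ike),
            "preshared_key": key if key is not None else "<SonicWALL default key>",
            # Per the note on the page: choosing Use this Key means distributing the key,
            # even when the value left in the box is the default one.
            "distribute_key_to_clients": key_method == "custom",
            "user_authentication": user_group is not None, "user_group": user_group,
            "virtual_ip_adapter": virtual_ip}

def site_to_site_policy(name, local_networks, destination_networks, preshared_key,
                        remote_peer=None, **ike):
    """Site-to-Site policy; with no known peer this side cannot initiate and uses aggressive mode."""
    return {"type": "Site-to-Site", "name": name, "ike": ike_settings(**ike),
            "preshared_key": preshared_key, "remote_peer": remote_peer,
            "can_initiate": remote_peer is not None,
            "aggressive_mode": remote_peer is None,
            "local_networks": list(local_networks),
            "destination_networks": list(destination_networks)}
```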

Wizards > App Rules Wizard

The App Rules wizard provides safe configuration for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration. See Application Control for more information on manual configuration. To use the wizard to configure app rules, perform the following steps:

Step 1        Log in to the SonicWALL security appliance.

Step 2        In the SonicWALL banner at the top of the screen, click the Wizards icon. The wizards Welcome screen displays.

Step 3        Select the App Rules Wizard radio button and then click Next.

Step 4        In the App Rules Wizard Introduction screen, click Next.

Step 5        In the App Rules Policy Type screen, click a selection for the policy type, and then click Next.

You can choose among SMTP, incoming POP3, Web Access, or FTP file transfer. The policy that you create will only apply to the type of traffic that you select. The next screen will vary depending on your choice here.

Step 6        In the Select <your choice> Rules for App Rules Policy screen, select a policy rule from the choices supplied, and then click Next.

Depending on your choice in the previous step, this screen is one of four possible screens:

             Select SMTP Rules for App Rules Policy

             Select POP3 Rules for App Rules Policy

             Select Web Access Rules for App Rules Policy

             Select FTP Rules for App Rules Policy


Step 7        The screen displayed here will vary depending on your choice of policy rule in the previous step. For the following policy rules, the wizard displays the Set App Rules Object Content screen on which you can select the traffic direction to scan, and the content or keywords to match.

             All SMTP policy rule types except Specify maximum email size

             All POP3 policy rule types

             All Web Access policy rule types

             All FTP policy types except Make all FTP access read-only and Disallow usage of SITE command

In the Set App Rules Object Content screen, perform the following steps:

             In the Direction drop-down list, select the traffic direction to scan: Incoming, Outgoing, or Both.

             Do one of the following:

Note        If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur. See Negative Matching.

           In the Content text box, type or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List text box.

           To import keywords from a predefined text file that contains a list of content values, one per line, click Load From File.

             Click Next.

If you selected a policy type in the previous step that did not result in the Set App Rules Object Content screen with the standard options, the wizard displays a screen that allows you to select the traffic direction, and certain other choices depending on the policy type.

             In the Direction drop-down list, select the traffic direction to scan.

             SMTP: In the Set Maximum Email Size screen, in the Maximum Email Size text box, enter the maximum number of bytes for an email message.

             Web Access: In the special-case Set App Rules Object Content screen, the Content text box has a drop-down list with a limited number of choices, and no Load From File button is available. Select a browser from the drop-down list.

             FTP: In the special-case Set App Rules Object Content screen, you can only select the traffic direction to scan.

             Click Next.

Step 8        In the App Rules Action Type screen, select the action to take when matching content is found in the specified type of network traffic, and then click Next.

You will see one or more of the following choices depending on the policy type, which is shown in parentheses here for reference:

             Blocking Action - block and send custom email reply (SMTP)

             Blocking Action - block without sending email reply (SMTP)

             Blocking Action - disable attachment and add custom text (POP3)

             Blocking Action - custom block page (Web Access)

             Blocking Action - redirect to new location (Web Access)

             Blocking Action - reset connection (Web Access, FTP)

             Blocking Action - add block message (FTP)

             Add Email Banner (append text at the end of email) (SMTP)

             Log Only (SMTP, POP3, Web Access, FTP)

Step 9        In the App Rules Action Settings screen (if it is displayed), in the Content text box, type the text or URL that you want to use, and then click Next.

The App Rules Action Settings screen is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can type the new URL into the Content text box.

Step 10     In the Select Name for App Rules Policy screen, in the Policy Name text box, type a descriptive name for the policy, and then click Next.

Step 11     In the Confirm New App Rules Policy Settings screen, review the displayed values for the new policy and do one of the following:

             To create a policy using the displayed configuration values, click Accept.

             To change one or more of the values, click Back.

In the App Rules Policy Wizard Complete screen, to exit the wizard, click Close.
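How a policy built by the steps above behaves on traffic, as an added example (not SonicOS code): the direction setting, the text and hexadecimal content list (including Load From File), the negative matching described in the note under Step 7, and the SMTP maximum email size case. The "0x" prefix for hexadecimal entries and all sample inputs are constructed for this example; the wizard's exact syntax is not given on the page.

```python
import binascii

# Constructed sample inputs: two entries as typed into the Content box and one file
# as given to Load From File. The "0x" prefix for hexadecimal entries is this
# example's own convention, not necessarily the wizard's.
CONTENT_ENTRIES = ["confidential", "0x504b0304"]   # a keyword and the ZIP file signature
KEYWORD_FILE = "internal only\nproject-x\n\n"

def parse_content(entry):
    """Turn one Content entry into the bytes to search for in the traffic."""
    if entry.startswith("0x"):
        return binascii.unhexlify(entry[2:])
    return entry.encode()

def load_from_file(text):
    """Mimic Load From File: one content value per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def make_policy(policy_type, direction, action, contents=(), negative=False, max_size=None):
    """Assemble the policy the Confirm New App Rules Policy Settings screen would show."""
    if direction not in ("Incoming", "Outgoing", "Both"):
        raise ValueError("direction must be Incoming, Outgoing or Both")
    return {"type": policy_type, "direction": direction, "action": action,
            "contents": [parse_content(c) for c in contents],
            "negative": negative, "max_size": max_size}

def evaluate(policy, direction, payload):
    """Return the action to apply to one message, or None when the policy does not fire."""
    if policy["direction"] != "Both" and policy["direction"] != direction:
        return None
    if policy["max_size"] is not None:                    # Specify maximum email size
        return policy["action"] if len(payload) > policy["max_size"] else None
    matched = any(c in payload for c in policy["contents"])
    # Negative matching: the listed content is the only content that does NOT fire.
    fires = (not matched) if policy["negative"] else matched
    return policy["action"] if fires else None
```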