Network > PortShield Groups

PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall.

 
Tip
Zones can always be applied to multiple interfaces in the Network > Interfaces page, even without the use of PortShield groupings. However, these interfaces will not share the same network subnet unless they are grouped using PortShield.

You can assign any combination of ports into a PortShield interface. All ports you do not assign to a PortShield interface are assigned to the LAN interface.

The Network > PortShield Groups page allows you to manage the assignments of ports to PortShield interfaces.

 

Static Mode and Transparent Mode

A PortShield interface is a virtual interface with a set of ports assigned to it. You can create PortShield interfaces using one of two IP assignment methods: Static mode or Transparent mode. The following two sections describe each.

Working in Static Mode

When you create a PortShield interface in Static Mode, you manually create an explicit address to be applied to the PortShield interface. All ports mapped to the interface are identified by this address. Static mode is available on interfaces assigned to Trusted, Public, or Wireless zones.

 
Note
When you create a PortShield interface in Static Mode, make sure the IP address you assign to the interface is not already in use by another PortShield interface.

Working in Transparent Mode

Transparent Mode addressing allows for the WAN subnetwork to be shared by the current interface using Address Object assignments. The interface’s IP address is the same as the WAN interface IP address. Transparent mode is available on interfaces assigned to Trusted and Public Zones.

 
Note
Make sure the IP address you assign to the PortShield interface is within the WAN subnetwork.

When you create a PortShield interface in Transparent Mode, you create a range of addresses to be applied to the PortShield interface. You include these addresses in one entity called an Address Object. Address Objects allow for entities to be defined one time and to be re-used in multiple referential instances throughout the SonicOS interface. When you create a PortShield interface using an address object, all ports mapped to the interface are identified by any of the addresses specified in the address range.

 
Note
Each statically addressed PortShield interface must be on a unique subnetwork. You cannot overlap PortShield interfaces across multiple subnetworks.
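
The addressing rules in the notes above can be checked before a plan is entered in the management interface. The following is an added example, not SonicWall code or part of the original page: the check_plan function, the dictionary layout, and the sample names and addresses are assumptions constructed for illustration, and the overlap test is one reading of the unique-subnetwork rule.

```python
import ipaddress

# Zones the page allows for each IP assignment mode.
ALLOWED_ZONES = {
    "static": {"Trusted", "Public", "Wireless"},
    "transparent": {"Trusted", "Public"},
}

def check_plan(wan_subnet, interfaces):
    """Return a list of rule violations for a planned set of PortShield interfaces."""
    wan = ipaddress.ip_network(wan_subnet)
    problems, static_seen = [], []
    for itf in interfaces:
        name, mode = itf["name"], itf["mode"]
        if itf["zone"] not in ALLOWED_ZONES[mode]:
            problems.append(f"{name}: {mode} mode is not available in zone {itf['zone']}")
        if mode == "static":
            # Static mode: address must be unique and on its own subnetwork.
            iface = ipaddress.ip_interface(itf["address"])
            for other_name, other in static_seen:
                if iface.ip == other.ip:
                    problems.append(f"{name}: address {iface.ip} already used by {other_name}")
                elif iface.network.overlaps(other.network):
                    problems.append(f"{name}: subnet {iface.network} overlaps {other_name}")
            static_seen.append((name, iface))
        else:
            # Transparent mode: the address range must sit inside the WAN subnetwork.
            first, last = (ipaddress.ip_address(a) for a in itf["range"])
            if first > last or first not in wan or last not in wan:
                problems.append(f"{name}: range {first}-{last} is not inside WAN subnet {wan}")
    return problems

# Constructed sample plan (documentation address ranges, not from the page).
SAMPLE_WAN = "203.0.113.0/24"
SAMPLE_PLAN = [
    {"name": "PS-Office", "mode": "static", "zone": "Trusted", "address": "192.168.10.1/24"},
    {"name": "PS-Lab", "mode": "static", "zone": "Trusted", "address": "192.168.10.129/25"},
    {"name": "PS-Guest", "mode": "transparent", "zone": "Wireless",
     "range": ("203.0.113.10", "203.0.113.20")},
    {"name": "PS-Servers", "mode": "transparent", "zone": "Public",
     "range": ("203.0.113.200", "203.0.114.5")},
]

if __name__ == "__main__":
    for line in check_plan(SAMPLE_WAN, SAMPLE_PLAN):
        print(line)
```

In the sample plan, PS-Lab overlaps the PS-Office subnetwork, PS-Guest uses Transparent mode in a Wireless zone, and the PS-Servers range runs past the end of the WAN subnetwork.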

Configuring PortShield Groups

There are several ways to configure PortShield groups:

 
“Configuring PortShield Interfaces from the Network > Interfaces Page”
“Configuring PortShield Interfaces from the Network > PortShield Groups Page”
“Configuring PortShield Interfaces with the PortShield Wizard”

Configuring PortShield Interfaces from the Network > Interfaces Page

To configure a PortShield interface, perform the following steps:

1. Click on the Network > Interfaces page.
2. Click the Configure button for the interface you want to configure. The Edit Interface window displays.
3. In the Zone pulldown menu, select the zone type option to which you want to map the interface.
   Note
   You can add PortShield interfaces only to Trusted, Public, and Wireless zones.
4. In the IP Assignment pulldown menu, select PortShield Switch Mode.
5. In the PortShield to pulldown menu, select the interface you want to map this port to. Only ports that match the zone you have selected are displayed.

Configuring PortShield Interfaces from the Network > PortShield Groups Page

The Network > PortShield Groups page displays a graphical representation of the current configuration of PortShield interfaces.

 
Interfaces in black are not part of a PortShield group.
Interfaces in yellow have been selected to be configured.
Interfaces that are the same color (other than black or yellow) are part of a PortShield group, with the master interface having a white outline around the color.
Interfaces that are greyed out cannot be added to a PortShield group.

On the Network > PortShield Groups page, you can manually group ports together using the graphical PortShield Groups interface. Grouping ports allows them to share a common network subnet as well as common zone settings.

 
Note
Interfaces must be configured before being grouped with PortShield.

To configure PortShield groups, perform the following steps:

1. In the graphic, select the interface(s) you want to configure as part of a PortShield group. The interfaces will turn yellow.
2. Click the Configure button.

In the Port Enabled pulldown menu, select whether you want to enable or disable the interfaces.

In the PortShield Interface pulldown menu, select which interface you want to assign as the master interface for these PortShield interfaces.

In the Link Speed pulldown menu, select the link speed for the interfaces.

Configuring PortShield Interfaces with the PortShield Wizard

The PortShield Wizard quickly and easily guides you through several common PortShield group configurations. To use the PortShield wizard, perform the following steps:

1. Click the Wizards button on the top right of the SonicOS UI and select PortShield Interface Wizard. Click Next.

   Mousing over the i symbol displays a summary of the current port assignment.

2. Select one of the four PortShield group options:
   Basic WAN/LAN Switch
   WAN/OPT/LAN Switch
   WAN/LAN/HA
      Note
      In the WAN/LAN/HA scenario, when High Availability is not enabled, the X6 port is assigned to the LAN zone.
   WAN/LAN/LAN2 Switch
3. Click Next.
4. The wizard displays a summary of the configuration changes it is about to make.
5. Click Apply.