232-001620-50 Rev a Sonicwall Tz 210 Series Getting Started Guide
SonicWALL TZ 210 Series Guide
description
Transcript of SonicWALL TZ 210 Series Guide
-
7/15/2019 SonicWALL TZ 210 Series Guide
1/88
Getting Started Gui
SonicWALL Network Security Appliances
NETWORK SECURITY TZ 210 Series
-
7/15/2019 SonicWALL TZ 210 Series Guide
2/88
1
3
5
GettingStarted Guide
SonicWALL Network Security Appliances
N E TW O RK S E C URI TY TZ 210 Series
Missing Items?
If any items are missing from your package, please contact SonicWALL support.
A listing of the most current support documents are available online at:
*Antennas included withTZ 210 Wireless-N Only
*
SonicWALL TZ 210 Series Quick Start
Start here if you are new to SonicWALL appliances. The next few pages provide a Quick Start to connecting youappliance. For a complete listing of contents, including more advanced network deployments, see the Table o
Contents onpage iof this guide
Verify Contents
Connect Networ
Connect Power
Boot Appliance
Setup Wizard
-
7/15/2019 SonicWALL TZ 210 Series Guide
3/88
SonicWALL TZ 210 Series Quick Start
Connect the SonicWALL TZ 210 series appliance using standard CAT-5 Ethernet cables as shown in theillustration below.
Verify Contents
Connect Networ
Connect Power
Boot Appliance
Setup Wizard
-
7/15/2019 SonicWALL TZ 210 Series Guide
4/88
SonicWALL TZ 210 Series Quick Star
Connect the included power cable and adaptor and plug into a properly grounded 120V AC outle
Verify Contents
Connect Networ
Connect Power
Boot Appliance
Setup Wizard
-
7/15/2019 SonicWALL TZ 210 Series Guide
5/88
1
2
?Getting Started
Guide | page iv
SonicWALL TZ 210 Series Quick Start
The TZ 210 series appliance powers on and the orange test LED blinks during the boot sequence. Continue tothe next step when the test LED is no longer lit. This process may take up to 2 minutes.
For troubleshooting this step, seepage ivof this guide.
Verify Contents
Connect Networ
Connect Power
Boot Appliance
Setup Wizard
-
7/15/2019 SonicWALL TZ 210 Series Guide
6/88
1
2
3
4
5
SonicWALL TZ 210 Series Quick Start
http://192.168.168.168/
http://192.168.168.168/
? Getting StartedGuide | page 4
Using a computer connected to the LAN port of the SonicWALL TZ 210 series appliance, navigate thttp://192.168.168.168/ in a Web browser. The SonicWALL Setup Wizard display
Continue topage 4 of this guide to complete the Setup Wizard
Verify Contents
Connect Networ
Connect Power
Boot Appliance
Setup Wizard
-
7/15/2019 SonicWALL TZ 210 Series Guide
7/88
-
7/15/2019 SonicWALL TZ 210 Series Guide
8/88
SonicWALL TZ 210 Series Getting Started Gu
SonicWALL TZ 210 SeriesGetting Started Guide
This Getting Started Guide provides instructions for basicinstallation and configuration of the SonicWALL TZ 210series appliance running SonicOS Enhanced.
Document Contents
This document contains the following sections:
Setting Up Your Network - page 1
Registering Your Appliance - page9
Enabling Security Services - page13
Advanced Network Configuration - page21
Advanced Deployments - page33
Support and Training Options - page59
Product Safety and Regulatory Information - page67
1
2
3
4
5
6
7
-
7/15/2019 SonicWALL TZ 210 Series Guide
9/88
Page ii SonicWALL TZ 210 Series Front Panel
SonicWALL TZ 210 Series Front Panel
Provides
Provides dedicated LAN/WAN port status as follows:
link/spd:
activity:
LAN/WAN Port Status10/100 Ethernet Port Status
Off=10MGreen=100M
Solid=link
Blinking=activity
Solid=wireless radio on
-
7/15/2019 SonicWALL TZ 210 Series Guide
10/88
SonicWALL TZ 210 Series Getting Started Guid
SonicWALL TZ 210 Series Rear Panel
X3 X4 X5 X6X2
WAN
X1X0
LAN
Console Power
Console Port
Provides access to the SonicOSCommand Line Interface (CLI)via the DB9 -> RJ45 cable
LAN Port (X0)
Provides dedicated LAN accessto local area network resources
WAN Port (X1)
Provides dedicated WAN (Internet)
Power Supply
Provides power connectionusing supplied power cable
Reset Button
Press and hold to manually resetthe appliance to SafeMode
Ethernet Ports (X2-X6)
Provides configurable 10/100 Ethernet portsfor connection to network devices on WAN,
LAN, DMZ, and other zone types
HA Ethernet Port (X6)
Provides 10/100 Ethernet port forhigh availability (HA) connectivity
-
7/15/2019 SonicWALL TZ 210 Series Guide
11/88
Page iv SonicWALL TZ 210 Series LED Reference
SonicWALL TZ 210 Series LED Reference
X 0 X 1 X 2 X 3 X 4 X 5 X6
-
7/15/2019 SonicWALL TZ 210 Series Guide
12/88
SonicWALL TZ 210 Series Getting Started Gui
Setting Up Your Network
In this Section:
This section provides pre-configuration information. Review this section before setting up your SonicWALL TZ 210 series applian
System Requirements - page 2 Recording Configuration Information - page 2 Completing the Setup Wizard - page 4 Accessing the Management Interface - page 5 Verifying WAN (Internet) Connectivity - page 6 Connecting Your Network Devices - page 6 Troubleshooting Initial Setup - page 7
-
7/15/2019 SonicWALL TZ 210 Series Guide
13/88
Page 2 System Requirements
System Requirements
Before you begin the setup process, verify that you have:
An Internet connection A Web browser supporting J ava Script and HTTP uploads.
Supported browsers include the following:
Recording Configuration Information
Record the following setup information to use during the setuprocess and for future reference:
Registration Information
Networking Information
Administrator Information
Supported Browsers Browser VersionNumber
Internet Explorer 6.0 or higher
Firefox 2.0 or higher
Netscape 9.0 or higher
Opera 9.10 or higher
for Windows
Safari 2.0 or higherfor MacOS
Serial Number: Record the serial number found on thebottom panel of your SonicWALLappliance.
Au thenticati on Code:
Record the authentication code found the bottom panel of your SonicWALLappliance.
LAN IP Address:
. . .
Select a static IP address for yourSonicWALL appliance that is within therange of your local subnet. If you areunsure, you can use the default IPaddress (192.168.168.168).
Subnet Mask:
. . .
Record the subnet mask for the local
subnet where you are installing yourSonicWALL appliance.
Ethernet WAN IP Address:
. . .
Select a static IP address for yourEthernet WAN. This setting only applieyou are already using an ISP that assiga static IP address.
Admin Name:
Select an administrator account name(default is admin)
Admin Password :
Select an administrator password.(default is password)
-
7/15/2019 SonicWALL TZ 210 Series Guide
14/88
SonicWALL TZ 210 Series Getting Started Gui
Primary Internet Service Provider (ISP) Information
Record the following information about your current ISP:
Secondary ISP Information
Record the following information about your secondary
If you connectvia
You likelyuse
Please record
Cable modem,DSL with arouter
DHCP No Internet connection information isusually required, although some serviceproviders require a host name.
Host Name:
Home DSL PPPoEUser Name:
Password:Note: Your ISP may require your user namein the format: [email protected]
T1/E1,Staticbroadband,Cable or DSL
with a static IP
Static IP IP Address: . . .
Subnet Mask: . . .
Default Gateway(IP Address): . . .
Primary DNS: . . .
Secondary DNS(optional): . . .
Dial-in to aserver
PPTPServer Address:
User Name:
Password:
If you connectvia
You likelyuse
Please record
Cable modem,DSL with arouter
DHCPHost Name:
Home DSL PPPoEUser Name:
Password:
T1/E1,Staticbroadband,Cable or DSLwith a static IP
Static IPIP Address: . .
Subnet Mask: . .
Default Gateway(IP Address): . .
Primary DNS: . .
Secondary DNS(optional): . .
Dial-in to aserver
PPTPServer Address:
User Name:
Password:
-
7/15/2019 SonicWALL TZ 210 Series Guide
15/88
Page 4 Completing the Setup Wizard
Completing the Setup Wizard
The Setup Wizard takes you through several basic steps to getyour SonicWALL TZ 210 series appliance configured for yournetwork. Use the Recording Configuration Informationsection, on page 2 to record your configuration informationas you complete the wizard.
Note: If you are having trouble accessing the Setup Wizard,see the Troubleshooting the Setup Wizard section, on
page 7 of this document.
The Setup Wizard guides you through the following steps:
Change PasswordCreate a new password so that only youhave access to the management interface. The default
password is password.Change Time ZoneSelect the correct time zone for properupdates and time-based functionality.
WAN Network ModeChoose your method of connecting tothe Internet. This information is provided by your InternetService Provider (ISP).
WAN SettingsRequired for some WAN modes. Thisinformation is also provided by your ISP.
LAN SettingsEnter custom local network address settings,or use the default values, which work well for most networks.
LAN DHCP SettingsAllow your SonicWALL TZ 210 seriesappliance to automatically connect other local computers byspecifying a DHCP range, or use the default.
Ports AssignmentConfigure the extra interfaces (X2-X6) different network requirements.
At the end of the wizard, a configuration summary displays. I
recommended that you record this information in the RecordConfiguration Information section, on page 2 of this guide.
After the Setup Wizard completes, the appliance may rebootPlease wait a few minutes while the SonicWALL appliancereboots to save the updated firmware settings, and then
continue with the next section of this guide.
-
7/15/2019 SonicWALL TZ 210 Series Guide
16/88
SonicWALL TZ 210 Series Getting Started Gui
Accessing the Management Interface
The computer you use to manage the SonicWALL TZ 210series appliance must be set up to connect using DHCP, or witha static IP address in your chosen subnet. The default subnetfor LAN zone ports is 192.168.168.x.
If your SonicWALL TZ 210 series appliance required a reboot
after completing the Setup Wizard, wait until the LED is nolonger lit before continuing.
To access the SonicOS Web-based management interface:
1. Enter the default IP address of http://192.168.168.168, orthe LAN IP address you chose during the Setup Wizard, intheLocation orAddress field of your Web browser.
Tip: If you changed the LAN IP of your SonicWALL during
the Setup Wizard, you may need to restart yourcomputerfor changes to take effect.
2. When the SonicWALL Management Login page displays,enter your username and password (default values areadmin for user name and password for password).
If the System > Status page (shown below) displays, thhave correctly configured the SonicWALL TZ 210 seriesappliance to work with the computer on your LAN.
-
7/15/2019 SonicWALL TZ 210 Series Guide
17/88
Page 6 Verifying WAN (Internet) Connectivity
Verifying WAN (Internet) Connectivity
Complete the following steps to confirm your Internetconnectivity:
1. In the Windows interface, launch your Web browser.
2. Enter http://www.sonicwall.com in the address bar andpress Enteron the keyboard. The SonicWALL websitedisplays. If you are unable to browse to a Website, seeTroubleshooting Internet Connection on page7.
Connecting Your Network Devices
Wireless Clients Desktop Clients Local Server
W0 WLANX2 LAN X3 LAN X4 LAN
Good or small networks (less than 5 clients)
Easy to setup
Requires less equipment
Each interace may be confgured or a
dierent zone (LAN, WAN, DMZ)
Connecting Directly
Wireless Clients Desktop Clients
Hub/Switch
Local Server
W0 WLAN
X2 LAN
Requires extra equipment (hub/switch)
Ability to connect to multiple clients
through one port
Zone security assignment (LAN, WAN, DMZ)
can be applied to many clients on a
single interace
Connecting With a Hub/Switch
-
7/15/2019 SonicWALL TZ 210 Series Guide
18/88
SonicWALL TZ 210 Series Getting Started Gui
Troubleshooting Initial Setup
This section provides troubleshooting tips for the following initialsetup topics:
Troubleshooting the Setup Wizard - page 7 Troubleshooting Internet Connection - page 7 Configuring DHCP IP Addressing - page 8
Troubleshooting the Setup Wizard If you see the login screen, but not the Setup Wizard:
Configure your Web browser to allow pop-ups.
Log into the security appliance using admin as theuser name and password as the password. Afteryou log in, click the Wizards button at the top right.
If you do not see the login screen or the Setup Wizard,
verify the following:
Did you correctly enter the SonicWALL TZ 210 seriesappliance management IP address, 192.168.168.168,in your Web browser?
Is your computer set to accept DHCP addressing orset to a static IP address within the 192.168.168.xsubnet range? If not, see the Configuring DHCP IPAddressing section, on page8 for instructions.
Is the Ethernet cable connected between yourcomputer and the LAN (X0) port on your SonicWALL?
Do you need to add the SonicWALL appliancelist of trusted sites in your Web browser? Use tdefault IP address (192.168.168.168) for this.
Is the Test LED on the front panel of your Sonappliance lit? If the Test LED stays lit for more few minutes after the initial power on sequencecycle the SonicWALL appliance.
Troubleshooting Internet Connection
If you can view the SonicWALL home page, you haveconfigured your SonicWALL TZ 210 series appliance coIf you cannot view the SonicWALL home page, try the fo
Renew your management station DHCP addyou changed the IP address/subnet of your neduring setup.
Restart your management station to accept network settings from the DHCP server in the
SonicWALL appliance. Restart your Internet router or modem to
communicate with the DHCP client in the Soniappliance.
Log into the SonicOS management interfaclaunch the Setup Wizard again by clicking the Wbutton in the top right corner of the interface. Ethat all of your settings are correct.
-
7/15/2019 SonicWALL TZ 210 Series Guide
19/88
Page 8 Troubleshooting Initial Setup
Configuring DHCP IP Addressing
If you are having trouble connecting to the SonicWALL TZ 210series appliance, complete the following section based on yourWindows operating system flavor. Configure your managementcomputer to obtain an IP address using DHCP.
Windows Vista
1. From the Start menu, right-click Network and selectProperties.
2. In the Tasks menu, click Manage network connections.The Network Connections windows displays.
3. Right-click on your Local Area Connection and selectProperties.
4. In the list, double-click Internet Protocol Version 4 (TCP/IP).
5. SelectObtain an IP address automatically and Obtain aDNS address automaticall y.
6. Click OK, and then click OK again for the settings to takeeffect.
Windows XP
1. From the Start menu, highlight Connect To and thenselect Show All Connections.
2. Right-click on your Local Area Connection and selectProperties.
3. In the list, double-click Internet Protocol (TCP/IP).
4. SelectObtain an IP address automati cally and ObtaiDNS address automatically
.5. Click OK, and then click OK again for the settings to takeffect.
Windows 2000
1. From the Windows Start menu, select Settings.
2. Open Network and Dial-up Connections.
3. Click Properties.
4. Highlight Internet Protocol (TCP/IP) and click Propertie
5. SelectObtain an IP address automati cally and Obtai
DNS address automatically.6. Click OK for the settings to take effect.
-
7/15/2019 SonicWALL TZ 210 Series Guide
20/88
SonicWALL TZ 210 Series Getting Started Gui
Registering Your Appliance
In this Section:
This section provides instructions for registering your SonicWALL TZ 210 series appliance.
Creating a MySonicWALL Account - page10 Registering and Licensing Your Appliance on MySonicWALL - page10
Note: Registration is an important part of the setup process and is necessary to receive the benefits of SonicWALL security sefirmware updates, and technical support.
-
7/15/2019 SonicWALL TZ 210 Series Guide
21/88
Page 10 Creating a MySonicWALL Account
Creating a MySonicWALL Account
A MySonicWALL account is required for product registration. Ifyou already have an account, continue to the Registering andLicensing Your Appliance on MySonicWALL section.
Perform the following steps to create a MySonicWALL account:
1. In your browser, navigate to www.mysonicwall.com.
2. In the login screen, click the Not a registered user? link.
3. Complete the Registration form and clickRegister.
4. Verify that the information is correct and click Submit.
5. In the screen confirming that your account was created,
click Continue.
Registering and Licensing Your Applianc
on MySonicWALL
This section contains the following subsections:
Product Registration - page10 Security Services and Software - page 11 Activating Security Services and Software - page1
Trying or Purchasing Security Services - page12
Product Registration
You must register your SonicWALL security appliance onMySonicWALL to enable full functionality.
1. Login to your MySonicWALL account. If you do not haveaccount, you can create one at www.mysonicwall.com.
2. On the main page, type the appliance serial number the Register A Product field. Then click Next.
3. On the My Products page, underAdd New Produc t,type the friendly name for the appliance, select theProduct Group if any, type the authentication code inthe appropriate text boxes, and then click Register.
4. On the Product Survey page, fill in the requestedinformation and then click Continue.
http://www.mysonicwall.com/http://www.mysonicwall.com/http://www.mysonicwall.com/http://www.mysonicwall.com/http://www.mysonicwall.com/http://www.mysonicwall.com/ -
7/15/2019 SonicWALL TZ 210 Series Guide
22/88
SonicWALL TZ 210 Series Getting Started Guid
Security Services and Software
The Service Management - Associated Products page inMySonicWALL lists security services, support options, andsoftware, such as ViewPoint, that you can purchase or try with afree trial. For details, click the Info button.
If you purchased an appliance that is pre-licensed, you may be
required to enter your activation key here unless currentlicenses are already indicated in the Status column with either alicense key or an expiration date.
The following products and services are available for thSonicWALL TZ 210 series appliances:
Gateway Service Bundles:
Client/Server Anti-Virus Suite
Comprehensive Gateway Security Suite Individual Gateway Services:
Gateway Anti-Virus, Anti-Spyware,
Intrusion Prevention Global Management System
Content Filtering: Premium Edition
High Availability Upgrade Desktop and Server Software:
Enforced Client Anti-Virus and Anti-Spyware
Global VPN Client
Global VPN Client Enterprise
ViewPoint
Support Services : Dynamic Support 8x5
Dynamic Support 24x7
Software and Firmware Updates
-
7/15/2019 SonicWALL TZ 210 Series Guide
23/88
Page 12 Registering and Licensing Your Appliance on MySonicWALL
Activating Security Services and Software
If you purchase a service subscription or upgrade from a salesrepresentative, you will receive an activation key. This key isemailed to you after online purchases, or is on the front of thecertificate that was included with your purchase.
To activate existing licenses, perform the following tasks:
1. Navigate to the My Products page and select theregistered product you want to manage.
2. Locate the product on the Service Management page andclick Enter Key in that row.
3. In the Activate Service page, type or paste your key intotheActivation Key field and then click Submit.
Once the service is activated, you will see an expirationdate or a license key string in the Status column on theService Management page.
Trying or Purchasing Security Services
To try a Free Trial o f a service, click Try in the ServiceManagement page. To purchase a product or service, clicBuy Now in the Service Management page.
When activation is complete, MySonicWALL displays an
activation screen with service status and expiration informatioThe service management screen also displays the product ylicensed.
You have successfully registered your SonicWALL appliance
And now you need to enable Unified Threat Management(UTM) security services. SonicWALL UTM security services anot enabled by default.
-
7/15/2019 SonicWALL TZ 210 Series Guide
24/88
SonicWALL TZ 210 Series Getting Started Guid
Enabling Security Services
In this Section:
Security services are an essential component of a secure network deployment. This section provides instructions for registering enabling security services on your SonicWALL TZ 210 series appliance.
Enabling Security Services in SonicOS - page14 Verifying Security Services on Zones - page19
-
7/15/2019 SonicWALL TZ 210 Series Guide
25/88
Page 14 Enabling Security Services in SonicOS
Enabling Security Services in SonicOS
After completing the registration process in SonicOS, performthe tasks listed below to activate your licenses and enable yourlicensed services from within the SonicOS user interface.
SonicWALL security services are key components of threatmanagement in SonicOS. The core security services are
Gateway Anti-Virus, Intrusion Prevention Services, and Anti-Spyware.
You must enable each security service individually in theSonicOS user interface. See the following procedures to enableand configure your security services:
Verifying Licenses - page14 Enabling Gateway Anti-Virus - page15 Enabling Intrusion Prevention Services - page16
Enabling Anti-Spyware - page17 Enabling Content Filtering Service - page18
Verifying Licenses
Verify that your security services are licensed on the SystemStatus page.
If services that are already activated on MySonicWALL do ndisplay as licensed, you need to synchronize your SonicWAwith the licensing server.
If initial setup is already complete, click the Synchronize butto synchronize licenses from the System >Licenses page.
-
7/15/2019 SonicWALL TZ 210 Series Guide
26/88
SonicWALL TZ 210 Series Getting Started Guid
Enabling Gateway Anti-Virus
To enable Gateway Anti-Virus (GAV) in SonicOS:
1. Navigate to the SecurityServices >GatewayAnti-Viruspage.
2. Select the Enable Gateway Ant i-Virus checkbox and clickAccept to apply changes.
3. Verify that theEnable Inbound Inspection checkboxesare selected for the protocols you wish to inspect. See thefollowing table for an explanation of these protocols.
The following table gives descriptions and default valueGAV-enforced protocols:
4. Click theAccept button to apply changes
GAV contains many other useful features, including:
Outbound SMTP Inspection scans outbound ema User Notification notifies users when content is bl File-Type Restrict ions blocks various non-scanna Exclusion Lists for network nodes where Gateway
Virus enforcement is not necessary.
Tip: For a complete overview of GAV features, referSonicOS Enhanced Administrators Guide.
Protocol Default Description
HTTP Enabled Hyper-Text Transfer Protocol, common Webtraffic
FTP Enabled File Transfer Protocol, dedicated file downlo
IMAP Enabled Internet Message Access Protocol, standard
for accessing emailSMTP Enabled Simple Mail Transfer Protocol, standard met
accessing email
POP3 Enabled Post Office Protocol 3, standard method for email
CIFS/Netbios
Disabled Intra-network traffic on Windows operating s(network file-sharing)
TCP Stream Disabled Any other non-standard type of network data
-
7/15/2019 SonicWALL TZ 210 Series Guide
27/88
Page 16 Enabling Security Services in SonicOS
Enabling Intrusion Prevention Services
To enable Intrusion Prevention (IPS) in SonicOS:
1. Navigate to the Security Services >Intrusion Preventionpage.
2. Select the Enable Intrusion Prevention checkbox.
3. In the Signature Groupstable, select the Prevent All andDetect Al l checkboxes based on attack priority.
Note: Prevent All blocks attacks of the chosen priority, andDetect Al l saves a log of these attacks that can be
viewed on the Log > View page.
4. Click theAccept button to apply changes.
Intrusion Prevention contains other useful features, including
Exclusion Lists for network nodes where IPSenforcement is not necessary.
Log Redundancy to control log size during high-volumintrusion attack attempts by enforcing a delay between entries.
Tip: For a complete overview of IPS features, refer to theSonicOS Enhanced Administrators Guide.
-
7/15/2019 SonicWALL TZ 210 Series Guide
28/88
SonicWALL TZ 210 Series Getting Started Guid
Enabling Anti-Spyware
To enable Anti-Spyware in SonicOS:
1. Navigate to the Security Services >Anti -Spyware page.
2. Select the Enable Anti-Spyware checkbox.
3. In the Signature Groupstable, select the Prevent All andDetect All checkboxes for each spyware danger level thatyou want to prevent.
Note: Prevent all blocks attacks of the chosen priority, DetectAll saves a log of these attacks which can be viewed in
the Log > View screen.
4. Click theAccept button to apply changes.
Anti-Spyware contains other useful features, including:
Exclusion Lists excludes network nodes whenAnti-Spyware enforcement is not necessary.
Log Redundancy controls log size during high-voluintrusion attack attempts by enforcing a delay betwentries.
Clientless Notification displays messages to user
content is blocked by SonicWALL Anti-Spyware. Outbound Inspection enables scanning and loggi
outbound spyware communication attempts. Disable SMTP Responses suppresses the sendin
email messages to clients when spyware is detecte
Tip: For a complete overview of Anti-Spyware featurefer to the SonicOS Enhanced Administrators
-
7/15/2019 SonicWALL TZ 210 Series Guide
29/88
Page 18 Enabling Security Services in SonicOS
Enabling Content Filtering Service
To enable Content Filtering Service (CFS) in SonicOS:
1. Navigate to the Security Services >Content Filterpage.
2. SelectSonicWALL CFS in the Content Filter Type drop-down list and then click the Configure button.
3. In the Policy tab, click the Configure button for the defaultpolicy. The Edit CFS Policy windows displays.
4. In the URL List tab, review and select additional exclusioncategories as needed.
5. Click OK to both pop-up windows.
6. Click theAccept button to apply changes.
Content FIltering Service contains other useful features,including:
URL Rating Review allows the administrator and usersreview blocked URL ratings if they think a URL is ratedincorrectly.
Restrict Web Features restricts features such as cookiJ ava, ActiveX, and HTTP Proxy access.
Trusted Domains allows access to restricted features otrusted domains.
CFS Exclusion List excludes administrators and/or IPranges from content filtering enforcement.
Blocked Content Web Page displays a custom HTMLpage to users when content is blocked.
Tip: For a complete overview of CFS features, refer to th
SonicOS Enhanced Administrators Guide.
-
7/15/2019 SonicWALL TZ 210 Series Guide
30/88
SonicWALL TZ 210 Series Getting Started Guid
Verifying Security Services on Zones
Security services such as Gateway Anti-Virus are automaticallyapplied to the LAN and WAN network zones. To protect otherzones such as the DMZ or Wireless LAN (WLAN), you mustapply the security services to the network zones. For example,you can configure SonicWALL Intrusion Prevention Service forincoming and outgoing traffic on the WLAN zone to add more
security for internal network traffic.
To apply services to network zones:
1. Navigate to the Network >Zones page.
2. In the Zone Settings table, click the Configure icon for thezone where you want to apply security services.
3. In the Edit Zone dialog box on the General tab, select thecheckboxes for the security services to enable on this
zone.4. Click OK.
Congratulations!Your SonicWALL TZ 210 series applregistered and fully functional with active UTM security senabled.
For advanced network setup information, continue to: Advanced Network Configuration - page21 Advanced Deployments - page33
-
7/15/2019 SonicWALL TZ 210 Series Guide
31/88
Page 20 Verifying Security Services on Zones
-
7/15/2019 SonicWALL TZ 210 Series Guide
32/88
SonicWALL TZ 210 Series Getting Started Guid
Advanced Network Configuration
In this Section:
This section provides detailed overviews of advanced deployment scenarios, as well as configuration instructions for connectingSonicWALL TZ 210 series appliance to various network devices.
An Introduction to Zones and Interfaces - page22 SonicWALL Wireless Firewalling - page23 Configuring Interfaces - page24
Creating Network Access Rules - page27 Address Objects - page29 Network Address Translation - page31
Tip: Before completing this section, fill out the information in Recording Configuration Information - page 2.
-
7/15/2019 SonicWALL TZ 210 Series Guide
33/88
Page 22 An Introduction to Zones and Interfaces
An Introduction to Zones and Interfaces
Zones split a network infrastructure into logical areas, each withits own set of usage rules, security services, and policies. Mostnetworks include multiple definitions for zones, including thosefor trusted, untrusted, public, encrypted, and wireless traffic.
Some basic (default) zone types include:
WANUntrusted resources outside your local network.
LANTrusted local network resources.f
WLANLocal wireless network resources originating fromSonicWALL wireless enabled appliances.
DMZLocal network assets that must be accessible from theWAN zone (such as Web and FTP servers).
VPNTrusted endpoints in an otherwise untrusted zone, suchas the WAN.
The security features and settings that zones carry areenforced by binding a zone to one or more physical interfaces(such as, X0, X1, or X2) on the SonicWALL TZ 210 seriesappliance.
The X1 and X0 interfaces are preconfigured as WAN and LArespectively. The remaining ports (X2-X6) are also LAN ports default, however, these ports can be configured to meet theneeds of your network, either by using basic zone types (WALAN, WLAN, DMZ, VPN) or configuring a custom zone type fit your network requirements (Gaming Console Zone, WirelePrinter Zone, Wireless Ticket Scanner Zone, and more).
Wireless ClientsWireless Devices
Wireless (WLAN)
Hotel / Home Oce
Front Lobby Sales Marketing
X1 WAN
X0 LAN
W0 WLAN
-
7/15/2019 SonicWALL TZ 210 Series Guide
34/88
SonicWALL TZ 210 Series Getting Started Guid
SonicWALL Wireless Firewalling
When a wireless device uses an access point to communicatewith a device on another subnet or on a completely differentnetwork, traffic between the devices is forced to traverse thenetwork gateway. This traversal enables Unified ThreatManagement (UTM) services to be enforced at the gateway.
Standard practice for wireless firewalling (where one wirelessclient is communicating with another) bypasses many of thecritical UTM security services. The illustration below shows thestandard practice for wireless firewalling.
Many security products on the market share this potential
vulnerability when two users connected by a common hub orwireless access point wish to exchange data.
SonicWALL addresses this security shortcoming by mathe SonicPoint access points from the UTM appliance. Tallows complete control of the wireless space, includingenforcement of security services and complete firewallincapabilities, as shown in the illustration below.
WLAN Zone
Security Services
?
Content Filtering Service
Client Anti-Virus Enforcement
Gateway Anti-Virus
Gateway Anti-Spyware
Intrusion Prevention Service
Other Security Appliance
WLAN Zone Security S
SonicWALLseries ap
SonicWALLSonicPoint*
*SonicPoint needed for wireless access on TZ 210 wir
Content Filtering Service
Client Anti-Virus Enforceme
Gateway Anti-Virus
Gateway Anti-Spyware
Intrusion Prevention Servic
SONICPOINT
-
7/15/2019 SonicWALL TZ 210 Series Guide
35/88
Page 24 Configuring Interfaces
Configuring Interfaces
Interfaces, also known as ports, are physical networkconnections that can be configured to provide differentnetworking and security features based on your network needs.
Note: For more information on Zone types, see An
Introduction to Zones and Interfaces on page 22.
This section contains the following sub-sections: Configuring an Interface - page24 PortShield Wizard - page25 Manual PortShield Configuration - page26
Configuring an Interface
The SonicOS Enhanced Web-based management interfaceallows you to configure each individual Ethernet port (from X2-X6) with its own security settings through the use of zones.
To configure a network interface:
1. In the Network > Interfaces panel, click the Configurebutton for the interface you wish to configure. The EditInterface window displays.
Note: If only X0 and X1 interfaces are displayed in theInterfaces list, click the Show PortShield Interfaces
button to show all interfaces.
2. Selecta Zone Type for this interface.
3. Select an IP assignment for this interface. If you intendcreate a new network segment on this interface such asDMZ or secondary LAN, this value should be set to Sta
4. Enter a static IP Address for the interface. For private asemi-private network segments, any private static IPaddress such as 10.10.20.1 is appropriate. Ensure that tstatic IP address you choose does not conflict with anycurrently existing interfaces. The newly created interfacappears in the Interfaces list. You may now connect theappropriate network resources to this interface.
-
7/15/2019 SonicWALL TZ 210 Series Guide
36/88
SonicWALL TZ 210 Series Getting Started Guid
PortShield Wizard
With PortShield, multiple ports can share the network settings ofa single interface. The SonicWALL PortShield feature enablesyou to easily configure the ports on the SonicWALL TZ 210series appliance into common deployments.
Tip: Zones can always be applied to multiple interfaces inthe Network > Interfaces page, even without the use
of PortShield groupings. However, these interfaces will
not share the same network subnet unless they are
grouped using PortShield.
To configure ports using the SonicWALL PortShield Wizard:
1. Click the Wizards button on the top-right of the SonicOSmanagement interface.
2. Choose PortShield Interface Wizard and click Next.
3. Select from the following:
4. WAN/LAN or WAN/LAN/DMZ and click Next tocontinue.This will prompt a configuration summary appear. Verify that the ports assigned are correct.
5. ClickApply to change port assignments.
Note: For more information about PortShield interfacethe SonicOS Enhanced Administrators Guide.
Selection Port Assignment Usage
WAN/LAN X0, X2-X6: LANX1: WAN
Connect any local network deviceX2-X6 for local and Internet conn
WAN/LAN/DMZ
X0, X3-X6: LANX1: WANX2: DMZ
Connect any local network deviceX3-X6 for local and Internet conn
Connect public-facing servers or semi-public resources to X2.
-
7/15/2019 SonicWALL TZ 210 Series Guide
37/88
Page 26 Configuring Interfaces
Manual PortShield Configuration
You can also manually group ports together using the graphicalPortShield Groups interface. Grouping ports allows them toshare a common network subnet as well as common zonesettings.
To manually configure a PortShield interface:
1. Navigate to the Network > PortShield Groups page.2. Click one or more interfaces in the PortShield interface andthen click the Configure button.
3. Select Enabled from thePort Enable drop-down menu.
4. Select the port with which you wish to group this interface
from the PortShield Interfaces drop-down menu
Note: Interfaces must be configured before being groupedwith PortShield. For instructions, see the Configuring
an Interface section, on page 24.
5. Click the OK button. Your new port groupings display ascolor-coded ports.
-
7/15/2019 SonicWALL TZ 210 Series Guide
38/88
SonicWALL TZ 210 Series Getting Started Guid
Creating Network Access Rules
A Zone is a logical grouping of one or more interfaces designedto make management a simpler and more intuitive process thanfollowing a strict physical interface scheme.
By default, the SonicWALL security appliances stateful packetinspection allows all communication from the LAN to the
Internet, and blocks all traffic from the Internet to the LAN. Thefollowing behaviors are defined by the Default statefulinspection packet access rule enabled in the SonicWALLsecurity appliance:
To create an access rule:
1. On the Firewall >Access Rules page in the matrixselect two zones that will be bridged by this new ru
2. On the Access Rules page, clickAdd.
The access rules are sorted from the most specificleast specific at the bottom of the table. At the bottotable is theAny rule.
Note: SonicWALLs default firewall rules are set in thfor ease of initial configuration, but do not reflec
practice installations. Firewall rules should only
the required traffic and deny all other traffic.
Originating Zone Destination Zone Action
LAN, WLAN WAN, DMZ Allow
DMZ WAN Allow
WAN DMZ Deny
WAN and DMZ LAN or WLAN Deny
-
7/15/2019 SonicWALL TZ 210 Series Guide
39/88
Page 28 Creating Network Access Rules
3. In the Add Rule page on theGeneral tab, selectAl low orDeny orDiscard from theAction list to permit or block IPtraffic.
4. Configure the other settings on the General tab asexplained below: Select the service or group of services affected by t
access rule from the Service drop-downlist. If theservice is not listed, you must define the service in tAdd Service window. SelectCreate New ServiceCreate New Group to display theAdd Servicewindow orAdd Service Group window.
Select the source of the traffic affected by the accerule from the Source drop-downlist. Selecting CreaNew Network displays theAdd Address Objectwindow.
Select the destination of the traffic affected by theaccess rule from the Destination drop-downlist.Selecting Create New Network displays theAddAddress Object window.
Select a user or user group from theUsers Allowe
drop-downlist. Select a schedule from the Schedule drop-downlisThe default schedule isAlways on.
Enter any comments to help identify the access ruletheComments field.
li k h b Add Obj
-
7/15/2019 SonicWALL TZ 210 Series Guide
40/88
SonicWALL TZ 210 Series Getting Started Guid
5. Click on theAdvanced tab.
6. Configure the other settings on theAdvanced tab asexplained below: In the TCP Connection Inactivity Timeout (minutes)
field, set the length of TCP inactivity after which theaccess rule will time out. The default value is 15minutes.
In theUDP Connection Inactivity Timeout (minutes)field, set the length of UDP inactivity after which the
access rule will time out. The default value is 30minutes.
In the Number of connections allowed (% ofmaximum connections) field, specify the percentageof maximum connections that is allowed by this accessrule. The default is 100%.
Select Create a reflexive rule to create a matchingaccess rule for the opposite direction, that is, from yourdestination back to your source.
7. Click on theQoS
tab to apply DSCP marking to trafficgoverned by this rule.
8. Click OK to add the rule.
Address Objects
Address Objects are one of four object classes (AddresService, and Schedule) in SonicOS Enhanced. Once youan Address Object, it becomes available for use wherevapplicable throughout the SonicOS management interfaexample, consider an internal Web server with an IP ad67.115.118.80.
Rather than repeatedly typing in the IP address whenconstructing Access Rules or NAT policies, you can creAddress Object to store the Web servers IP address. TAddress Object, My Web Server, can then be used in configuration screen that employs Address Objects as adefining criterion.
Available Address Object types include the following: Host Define a single host by its IP address.
Range Define a range of contiguous IP addresse Network Network Address Objects are like Rangobjects in that they comprise multiple hosts, but rathbeing bound by specified upper and lower range dethe boundaries are defined by a valid netmask.
MAC Address Allows for the identification of a hohardware address.
FQDN Address Fully Qualified Domain Names (Address Objects allow for the identification of a hosdomain name, such as www.sonicwall.com.
3 I th Add Add Obj t di l b t f
-
7/15/2019 SonicWALL TZ 210 Series Guide
41/88
Page 30 Address Objects
Tip: SonicOS Enhanced provides a number of defaultAddress Objects that cannot be modified or deleted.
You can use the default Address Objects when creating
a NAT policy, or you can create custom Address
Objects to use. All Address Objects are available in the
drop-down lists when creating a NAT policy.
Creating an Address Object
The Network >Address Objects page allows you to createand manage your Address Objects. You can view AddressObjects in the following ways using the View Style menu:
All Address Objects displays all configured AddressObjects.
Custom Address Objects displays Address Objects
with custom properties. Default Address Objects displays Address Objects
configured by default on the SonicWALL securityappliance.
To add an Address Object:
1. Navigate to the Network >Address Objects page.
2. Below theAddress Objects table, clickAdd.
3. In theAdd Address Object dialog box, enter a name fothe Address Object in the Name field.
4. Select the zone to assign to the Address Object from thZone Assignment drop-down list.
5. Select Host, Range, Network, MAC, orFQDN from theType menu.- For Host, enter the IP address in the IP Address fie- For Range, enter the starting and ending IP address
in the Starting IP Address and Ending IP Addressfields.
- For Network, enter the network IP address andnetmask in the Network and Netmask fields.
- For MAC, enter the MAC address in theMAC Addrefield.
- For FQDN, enter the domain name for the individuasite or range of sites (with a wildcard) in the FQDN
field.6. Click OK.
N t k Add T l ti C fi i NAT P li i
-
7/15/2019 SonicWALL TZ 210 Series Guide
42/88
SonicWALL TZ 210 Series Getting Started Guid
Network Address Translation
The Network Address Translation (NAT) engine in SonicOSEnhanced allows users to define granular NAT policies for theirincoming and outgoing traffic. By default, the SonicWALLsecurity appliance has a preconfigured NAT policy to performMany-to-One NAT between the systems on the LAN and the IPaddress of the WAN interface. The appliance does not perform
NAT by default when traffic crosses between the otherinterfaces.
You can create multiple NAT policies on a SonicWALL runningSonicOS Enhanced for the same object for instance, you canspecify that an internal server uses one IP address whenaccessing Telnet servers, and uses a different IP address for allother protocols. Because the NAT engine in SonicOS Enhancedsupports inbound port forwarding, it is possible to accessmultiple internal servers from the WAN IP address of the
SonicWALL security appliance. The more granular the NATPolicy, the more precedence it takes.
Before configuring NAT Policies, you must create all AddressObjects that will be referenced by the policy. For instance, if youare creating a One-to-One NAT policy, first create AddressObjects for your public and private IP addresses.
Configuring NAT Policies
NAT policies allow you to control Network Address Tranbased on matching combinations of Source IP address,Destination IP address, and Destination Services. PolicyNAT allows you to deploy different types of NAT simultan
The following NAT configurations are available in SonicEnhanced:
Many-to-One NAT Policy Many-to-Many NAT Policy One-to-One NAT Policy for Outbound Traffic One-to-One NAT Policy for Inbound Traffic (Reflex One-to-Many NAT Load Balancing Inbound Port Address Translation via One-to-One N
Policy Inbound Port Address Translation via WAN IP Addr
Thi ti d ib h t fi O t O NAT T dd th t f O t O NAT li f
-
7/15/2019 SonicWALL TZ 210 Series Guide
43/88
Page 32 Network Address Translation
This section describes how to configure a One-to-One NATpolicy. One-to-One is the most common NAT policy used toroute traffic to an internal server, such as a Web server. Most ofthe time, this means that incoming requests from external IPaddresses are translated from the IP address of the SonicWALLsecurity appliance WAN port to the IP address of the internalWeb server. The following example configuration illustrates theuse of the fields in the Add NAT Policy procedure. To add a
One-to-One NAT policy that allows all Internet traffic to berouted through a public IP address, two policies are needed:one policy for the outbound traffic, and one policy for theinbound traffic.
To add the components of a One-to-One NAT policy, performthe following steps:
1. Navigate to theNetwork >NATPolicies page. ClickAdTheAdd NAT Pol icy dialog box displays.
2. For Original Source, selectAny.
3. For Translated Source, selectOriginal.
4. For Original Destination, select X0 IP.
5. For Translated Destination, selectCreate new addresobject and create a new address object using WAN forZone Assignment and Host for Type.
6. For Original Service, selectHTTP.
7. For Translated Service, select Original .
8. For Inbound Interface, selectX0.
9. For Outbound Interface, selectAny.
10. For Comment, enter a short description.
11. Select the Enable NAT Policy checkbox.
12. Select the Create a reflexive poli cy checkbox if you waa matching NAT policy to be automatically created in theopposite direction. This will create the outbound as well the inbound policies.
13. ClickAdd.
For more information on creating NAT policies, refer to theSonicOS Enhanced Administrators Guide.
-
7/15/2019 SonicWALL TZ 210 Series Guide
44/88
SonicWALL TZ 210 Series Getting Started Guid
Advanced Deployments
In this Section:
The advanced deployments contained in this chapter are based on the most common customer deployments and contain best-pguidelines for deploying your SonicWALL TZ 210 series appliances. These deployments are designed as modular concepts to hedeploying your SonicWALL as a comprehensive security solution.
SonicPoints for Wireless Access - page34 Public Server on DMZ - page40
Configuring High Availability - page44 Multiple ISP / WAN Failover and Load Balancing - page53
Tip: Before completing this section, fill out the information in the Recording Configuration Information section, on page 2.
SonicPoints for Wireless Access
-
7/15/2019 SonicWALL TZ 210 Series Guide
45/88
Page 34 SonicPoints for Wireless Access
SonicPoints for Wireless Access
This section describes how to configure SonicPoints with theSonicWALL TZ 210 series appliance. SonicPoints can be usedto add wireless features to a SonicWALL TZ 210 wiredappliance, or to create a more robust distributed wirelessnetwork with a SonicWALL TZ 210 Wireless-N appliance.
This section contains the following subsections:
Configuring Provisioning Profiles - page36 Configuring a Wireless Zone - page37 Assigning an Interface to the Wireless Zone - page39 Connecting the SonicPoint- page40
SonicWALL SonicPoints are wireless access points speciallyengineered to work with SonicWALL security appliances.Before you can manage SonicPoints in the ManagementInterface, you must first:
Configure your SonicPoint provisioning profiles. Configure a Wireless zone. Assign profiles to Wireless zones. This step is optional. If
you do not assign a default profile for a zone, SonicPointsin that zone will use the first profile in the list.
Assign an interface to the Wireless zone. Attach the SonicPoints to the interface in the Wireless zone
and test.
-
7/15/2019 SonicWALL TZ 210 Series Guide
46/88
SonicWALL TZ 210 Series Getting Started Guid
Wireless ClientsWireless Devices
Wireless (WLAN)
Hotel / Home Oce
Local Wireless Clients
Sales Engineering
X1 WAN
X2 WLAN
X0 LAN
In this deployment, the SonicWALL TZ 210 is
configured to operate as a network gateway
with the following zones:
Local Network (LAN) - wired local client
computers and servers
Wireless (WLAN)* - using a SonicPoint to
deliver wireless to local client computers and
devices
Internet (WAN) - worldwide public and private
networks
*For the TZ 210 wired appliance, wireless is achieved
by adding a SonicWALL SonicPoint appliance to any
free interface (X2-X5) and zoning that interface as
WLAN.
Internet Gateway with SonicPoint Wireless
SonicWALLSonicPointSONICPOINT
Configuring Provisioning Profiles 2 In the 802 11g Radio tab:
-
7/15/2019 SonicWALL TZ 210 Series Guide
47/88
Page 36 SonicPoints for Wireless Access
Configuring Provisioning Profiles
SonicPoint Profile definitions include all of the settings that canbe configured on a SonicPoint, such as radio settings for the2.4GHz and 5GHz radios, SSIDs, and channels of operation.
Once you have defined a SonicPoint profile, you can apply it toa Wireless zone. Each Wireless zone can be configured withone SonicPoint profile. When a SonicPoint is connected to a
zone, it is automatically provisioned with the profile assigned tothat zone. SonicOS includes a default SonicPoint profile,named SonicPoint.
To add a new profile, clickAdd below the list of SonicPointprovisioning profiles. To edit an existing profile, select the profileand click the Configure icon in the same line as the profile youare editing.
1. In the Add/Edit SonicPoint Profile window on the General
tab: Select Enable SonicPoint.
Enter a Name Prefix to be used as the first part of thename for each SonicPoint provisioned.
Select the Country Code for where the SonicPointsare operating.
2. In the 802.11g Radio tab: Select Enable Radio.
Optionally, select a schedule for the radio to beenabled from the drop-down list.
For Radio Mode, select the speed that the SonicPowill operate on. You can choose from the following:
11Mbps - 802.11b
54 Mbps - 802.11g
108 Mbps - Turbo G
Note: If you choose Turbo mode, all users in your companmust use wireless access cards that support Turbo
mode.
For Channel, use AutoChannel unless you have areason to use or avoid specific channels.
Enter a recognizable string for the SSID of eachSonicPoint using this profile. This is the name that appear in clients lists of available wirelessconnections.
UnderACL Enforcement, select Enable MAC FiltList to enforce Access Control by allowing or denytraffic from specific devices. Select a MAC addressobject group from theAl low List to automatically alltraffic from all devices with MAC addresses in thegroup. Select a MAC address group from the DenyList to automatically deny traffic from all devices w
MAC addresses in the group The Deny List is 3 In the 802 11g Adv tab configure the advanced ra
-
7/15/2019 SonicWALL TZ 210 Series Guide
48/88
SonicWALL TZ 210 Series Getting Started Guid
MAC addresses in the group. The Deny List isenforced before the Allow List.
Under WEP/WPA Encryption, select theAuthent ication Type for your wireless network.SonicWALL recommends using WPA2 as theauthentication type.
Fill in the fields specific to the authentication type thatyou selected. The remaining fields change depending
on the selected authentication type.
3. In the 802.11g Adv tab, configure the advanced rasettings for the 802.11g radio. For most 802.11g adoptions, the default settings give optimum performaFor a full description of the fields on this tab, see thSonicOS Enhanced Administrators Guide.
4. In the 802.11a Radio and 802.11a Adv tabs, configsettings for the operation of the 802.11a radio bandSonicPoint has two separate radios built in. Therefocan send and receive on both the 802.11a and 802bands at the same time.
The settings in the802.11a Radio and 802.11a Advtabs are similar to the settings in the 802.11g Radio802.11g Advanced tabs.
5. When finished, clickOK.
Configuring a Wireless Zone
You can configure a wireless zone on the Network >Zo
page. Typically, you will configure the WLAN zone for usSonicPoints.
1. On the Network >Zones page in the WLAN row, cicon in the Configure column.
2. In the Edit Zone dialog box on the General tab, theInterface Trust setting automates the creation of ARules to allow traffic to flow between the interfaces zone instance. For example, if the WLAN Zone hastheX2 and X3 interfaces assigned to it, selecting thInterface Trust checkbox on the WLAN Zone creat
necessary Access Rules to allow hosts on these interfaces 4 Click on the Wireless tab
-
7/15/2019 SonicWALL TZ 210 Series Guide
49/88
Page 38 SonicPoints for Wireless Access
necessary Access Rules to allow hosts on these interfacesto communicate with each other.
3. Select the checkboxes for the security services to enableon this zone. Typically, you would enable Gateway Anti-Virus, IPS, andAnti -Spyware. If your wireless clients areall running SonicWALL Client Anti-Virus, select EnableClient AV Enforcement Service.
4. Click on the Wireless tab. In the Wireless Settings section, select Only allow
traffic generated by a SonicPoint to allow only trafrom SonicWALL SonicPoints to enter the WLAN Zointerface. This provides maximum security on yourWLAN. Uncheck this option if you want to allow anytraffic on your WLAN Zone regardless of whether onot it is from a SonicPoint.
5. Optionally configure the settings on the Guest Servicestab. For information about configuring Guest Services, sthe SonicOS Enhanced Administrators Guide.
6. When finished, clickOK.
Assigning an Interface to the Wireless Zone 3 Enterthe IP address andsubnetmask ofthe Zone
-
7/15/2019 SonicWALL TZ 210 Series Guide
50/88
SonicWALL TZ 210 Series Getting Started Guid
Assigning an Interface to the Wireless Zone
Once the wireless zone is configured, you can assign aninterface to it. This is the interface where you will connect theSonicPoint.
1. On the Network >Interfaces page, click the Configureicon on the row of the interface that you want to use, forexample, X3. The interface must be unassigned.
2. In the Edit Interface dialog box on the General tab, selectWLAN or the zone that you created from the Zone drop-down list. Additional fields are displayed.
3. Enter the IP address and subnet mask of the Zone Address and Subnet Mask fields.
4. In the SonicPoint Limit field, select the maximum of SonicPoints allowed on this interface. If you wanenable remote management of the SonicWALL secappliance from this interface, select the supportedmanagement protocol(s): HTTP, HTTPS, SSH, PinSNMP, and/or SSH.
5. If you want to allow selected users with limitedmanagement rights to log in to the security appliancselect HTTP and/or HTTPS inUser Login.
6. Click OK.
Connecting the SonicPoint Public Server on DMZ
-
7/15/2019 SonicWALL TZ 210 Series Guide
51/88
Page 40 Public Server on DMZ
Connecting the SonicPoint
When a SonicPoint unit is first connected and powered up, itattempts to find a SonicOS device with which to peer. If it isunable to find a peer SonicOS device, it will enter into a stand-alone mode of operation with a separate stand-aloneconfiguration allowing it to operate as a standard Access Point.
If the SonicPoint locates a peer SonicOS device, such as your
SonicWALL TZ 210 series appliance, the two units perform anencrypted exchange and the profile assigned to the relevantwireless zone is used to automatically configure (provision) thenewly added SonicPoint unit.
To connect the SonicPoint:
1. Using a CAT 5 Ethernet cable, connect the SonicPoint tothe interface that you configured. Then connect theSonicPoint to a power source.
2. In the SonicOS user interface on the SonicPoint >SonicPoints page, click the Synchronize SonicPointsbutton. The SonicWALL appliance downloads a SonicPointimage from the SonicWALL back-end server.
3. Follow the instructions in the SonicPoint wizard. Be sure toselect the same authentication type and enter the samekeys or password that you configured in SonicOS.
Note: For more information about wireless configuration, see
the SonicOS Enhanced Administrators Guide.
Public Server on DMZ
This section provides instructions for configuring yourSonicWALL TZ 210 series appliance to support a public Weserver on a DMZ zone.
A Web server can be placed on the LAN by completing theserver wizard, which creates the proper address objects andrules for safe access.
Many network administrators, however, choose to place theWeb server on a DMZ, as it provides a dedicated Ethernetinterface for added security and bandwidth management.
This section contains the following subsections:
Completing the Public Server Wizard - page42 Configuring a DMZ Zone - page43 Editing the Address Object - page43
Editing the Firewall Access Rule - page44
-
7/15/2019 SonicWALL TZ 210 Series Guide
52/88
SonicWALL TZ 210 Series Getting Started Guid
Net w orkSecur it yAppliance
X1 WAN
X2 DMZ
X0 LAN
W0 WLAN
In this deployment, the SonicWALL TZ
210 is configured to operate as a
network gateway with the following
zones:
Local Network (LAN) - wired localclient computers and servers
Wireless (WLAN)* - wireless local
client computers and devices
DMZ - wired resources available to
public Internet such as Web servers
and Mail servers.
Internet (WAN) - worldwide public and
private networks
*For the TZ 210 wired appliance, wireless is
achieved by adding a SonicWALL
SonicPoint appliance to any free interface
(X3-X5) and zoning that interface as WLAN.
Internet Gateway with Public Server on DMZ
Completing the Public Server Wizard 6. Enter a Server Comment (optional) and click Next.
-
7/15/2019 SonicWALL TZ 210 Series Guide
53/88
Page 42 Public Server on DMZ
Completing the Public Server Wizard
The Public Server Wizard guides you through a few simplesteps, automatically creating address objects and rules to allowserver access. To complete the public server wizard, performthe following steps:
1. Click the Wizards button in the upper right corner of theSonicOS management interface to launch the wizard.
2. SelectPublic Server Wizard and click Next to continue.3. SelectWeb Serveras the server type and ensure that the
HTTP and HTTPS services are selected.
Tip: HTTPS is required for servers authenticating SSL orother HTTPS-supported encryption methods. If your
server does not require encryption, you can de-select
the HTTPS service.
4. Enter a Server Name in the field that is easy to remembersuch as My Web Server. This name is for your referenceand does not necessarily need to be a domain or address.
5. Enter the Private IP Address of your server. This is the IPaddress where the server will reside within the DMZ zone.If you do not have a DMZ configured yet, select a private IPaddress (such as 192.168.168.123) and write it down, youwill need to refer to this later.
6. Enter a Server Comment (optional) and click Next.
7. Enter the Server Public IP Address in the field (normayour primary WAN IP address). This IP Address is usedaccess your Web server from the Internet.
8. Click Next and then clickApply to finish the wizard.
Note: If your server is on the LAN zone, you have completthe required steps for basic server access.
If you wish to continue with an advanced DMZ zone
configuration, turn to the Configuring a DMZ Zone
section, on page 43.
Configuring a DMZ Zone
-
7/15/2019 SonicWALL TZ 210 Series Guide
54/88
SonicWALL TZ 210 Series Getting Started Guid
Configuring a DMZ Zone
Since the public server is added to the LAN zone by default,configure a DMZ zone by performing the following steps:
1. In the Network > Interfaces panel, click the Configurebutton for the X2 interface. The Edit Interface windowdisplays.
Note: If the X2 interface is not displayed in the Interfaces list,click the Show PortShield Interfaces button to show
all interfaces.
2. SelectDMZ as the Zone Type.
3. Select Static as the IP assignment.
4. Enter an IP Address for the interface. This IP addressmust be in the same subnet as your Web servers local IP
address.
Tip: Since we used 192.168.168.123 in the examplepage 42, use 192.168.168.1 as the DMZ interfa
The newly created DMZ interface appears in the Interfa
Editing the Address Object
The address object that was automatically created muschanged from the LAN zone to DMZ zone.
1. On the Network > Address Objects page, click thconfigure button corresponds to your Web server oour case, the object is called My Web Server Priva
2. Change the Zone Assignment to DMZ and click O
Editing the Firewall Access Rule Schedule Always on, unless you choose to specify an uptime
-
7/15/2019 SonicWALL TZ 210 Series Guide
55/88
Page 44 Configuring High Availability
d t g t e e a ccess u e
An access rule that allows traffic from the WAN zone to theserver on the DMZ must be created, and the original WAN >LAN rule that was created by the Public Server Wizard shouldbe deleted.
1. On the Firewall > Access Rules page, chose Drop-downBoxes as the View Style.
2. Select WAN as the From Zone and ALL as theTo Zone,then click OK. All of the WAN-based access rules display.
3. Click the Delete button corresponding to the WAN My WebServer Services rule. Click OK when prompted.
4. On the Firewall > Access Rules page, click theAddbutton. TheAdd Rule window displays.
5. Configure the new rule as follows:
6. Click OK to create this rule.The new rule displays in the Access Rules table:
Configuring High Availability
This section provides instructions for configuring a pair ofSonicWALL TZ 210 series appliances for redundant HighAvailability (HA) networking.
This section contains the following subsections:
About High Availability - page46 Initial HA Setup - page46
HA License Synchronization Overview - page47 Associating Pre-Registered Appliances - page48 Disabling PortShield Before Configuring HA - page Configuring HA Settings - page49 Configuring Advanced HA Settings - page49 Configuring HA Monitoring - page51 Synchronizing Settings - page52 Verifying HA Functionality - page53
Selection Port Assignment
Act ion Allow
From Zone WAN
To Zone DMZ
Service My Web Server Services. This service was automaticallycreated during the Public Server Wizard and is namedbased on the Server Name you provided during setup.
Source Any
Destination WAN Interface IP. All traffic attempting to access yourWAN IP address will be bound by this rule.
Users Allowed All
Schedule ays o , u ess you c oose o spec y a up eschedule such as business hours only.
Comment Leave a comment such as Web server on DMZ
-
7/15/2019 SonicWALL TZ 210 Series Guide
56/88
SonicWALL TZ 210 Series Getting Started Guid
Remote VPN Users
Remote Servers
Internet (WAN)
Local Clients
Local Servers
CDP Backup Appliance
Local Network (LAN)
Front Lobby Sales Marketing
Hotel / Home Oc
X1 WAN
X1 WAN X6 HA
X0 LAN X0 LAN
In this scenario, two SonicWALL TZ 210 series
appliances are each configured with a single LAN zoneand High Availability (HA) zone and linked to the LAN
and WAN segments with a hub or switch. Typical zone
assignments in this deployment are as follows:
Local Network (LAN) - linked to wired local client
computers and servers through a hub or switch.
Internet (WAN) - linked to your internet service
provider using a hub or switch connected to your
modem.
HA - linked between two TZ 210 series appliances
using the X6 port
High-Availability Mode
Internet
Hub/Switch
Hub/Switch
About High Availability Initial HA Setup
-
7/15/2019 SonicWALL TZ 210 Series Guide
57/88
Page 46 Configuring High Availability
g y
In this scenario, one SonicWALL TZ 210 series applianceoperates as the Primary gateway device and the other acts asthe Backup. Once configured for High Availability, the BackupSonicWALL contains a real-time mirrored configuration of thePrimary SonicWALL via an Ethernet link between thedesignated HA interfaces on each appliance.
During normal operation, the Primary SonicWALL is in Activemode and the Backup SonicWALL is in Idle mode. If thePrimary device loses connectivity, the Backup SonicWALLtransitions to Active mode and assumes the configuration androle of the Primary gateway device. This automatic failoverensures a reliable connection between the protected networkand the Internet.
After a failover to the Backup appliance, all the pre-existingnetwork connections must be re-established, including the VPN
tunnels that must be re-negotiated.
p
Before you begin the configuration of HA on the PrimarySonicWALL security appliance, perform the following setup:
1. On the back panel of the Backup SonicWALL securityappliance, locate the serial number and write the numbedown. You need to enter this number in the HighAvai lab il ity >Settings page.
2. Verify that the Primary SonicWALL appliance is registerand licensed for SonicOS Enhanced and the desiredSonicWALL security services.
3. Associate the two SonicWALL appliances as HA Primarand HA Secondary on MySonicWALL, for licensesynchronization.
4. Make sure the Primary SonicWALL and BackupSonicWALL security appliances LAN, WAN and otherinterfaces are properly configured for failover.
5. Connect the X6 ports on the Primary SonicWALL and
Backup SonicWALL appliances with a CAT 5 Ethernetcable. The Primary and Backup SonicWALL securityappliances must have a dedicated connection.
6. Power up the Primary SonicWALL security appliance, athen power up the Backup SonicWALL security applianc
7. Do not make any configuration changes to the PrimaryX6 interface; the High Availability configuration in anupcoming step takes care of this issue.
HA License Synchronization Overview
-
7/15/2019 SonicWALL TZ 210 Series Guide
58/88
SonicWALL TZ 210 Series Getting Started Guid
y
You can configure HA license synchronization by associatingtwo SonicWALL security appliances as HA Primary and HASecondary on MySonicWALL. Note that the Backup applianceof your HA pair is referred to as the HA Secondary unit onMySonicWALL.
You need only purchase a single license for SonicOS
Enhanced, a single Support subscription, and a single set ofsecurity services licenses for the HA Primary appliance. Theselicenses are shared with the HA Secondary appliance. Onlyconsulting services such as the SonicWALL GMS Preventive
Maintenance Service license are not shared. See Registeringand Licensing Your Appliance on MySonicWALL -page10.
License synchronization is used during HA so that the Backup
appliance can maintain the same level of network protectionprovided before the failover. To enable HA, you can use theSonicOS UI to configure your two appliances as a HA pair inActive/Idle mode.
MySonicWALL provides several methods of associating the twoappliances. You can start by registering a new appliance, andthen choosing an already-registered unit to associate it with.
You can associate two units that are both already registered. Oryou can select a registered unit and then add a new appliance
with which to associate it.
Note: After registering new SonicWALL appliances oMySonicWALL, you must also register each app
from the SonicOS management interface by clic
registration link on the System > Status page.
allows each unit to synchronize with the SonicW
license server and share licenses with the asso
appliance.
Associating Pre-Registered Appliances To use the PortShield Wizard to disable PortShield on each
-
7/15/2019 SonicWALL TZ 210 Series Guide
59/88
Page 48 Configuring High Availability
g g
To associate two already-registered SonicWALL securityappliances so that they can use HA license synchronization,perform the following steps:
1. Login to MySonicWALL and click My Products.
2. On the My Products page, under Registered Products,scroll down to find the appliance that you want to use as
the parent, or primary, unit. Click the product name orserial number.
3. On the Service Management page, scroll down to theAssociated Products section.
4. Under Associated Products, click HA Secondary.
5. On the My Product - Associated Products page, in the textboxes under Associate New Products, type the serialnumberand the friendly name of the appliance that youwant to associate as the secondary/backup unit.
6. Select the group from the Product Group drop-down list.The product group setting specifies the MySonicWALLusers who can upgrade or modify the appliance.
7. Click Register.
Disabling PortShield Before Configuring HA
The HA feature can only be enabled if PortShield is disabled onall interfaces ofboth the Primary and Backup appliances. Youcan disable PortShield either by using the PortShield Wizard,or manually from the Network >PortShield Groups page.
SonicWALL, perform the following steps:
1. On one appliance of the HA Pair, click the Wizards buttat the top right of the management interface.
2. In the Welcome screen, select PortShield InterfaceWizard, and then click Next.
3. In the Ports Assignment screen, selectWAN/LAN/HAand then click Next.
4. In the SonicWALL Configuration Summary screen, cApply.
5. In the PortShield Wizard Complete screen, click Close. Configuring Advanced HA Settings
-
7/15/2019 SonicWALL TZ 210 Series Guide
60/88
SonicWALL TZ 210 Series Getting Started Guid
6. Log into the management interface of the other appliancein the HA Pair, and repeat this procedure.
Configuring HA Settings
After disabling PortShield on all interfaces of both appliances,the next task in setting up HA is configuring the High
Avai lab il ity >Settings page on the Primary SonicWALLsecurity appliance. Once you configure HA on the Primary, itcommunicates the settings to the Backup SonicWALL securityappliance.
To configure HA on the Primary SonicWALL, perform thefollowing steps:
1. Navigate to the High Availability >Settings page.
2. Select the Enable High Availability checkbox.
3. Under SonicWALL Address Settings, type in the serialnumber for the Backup SonicWALL appliance.
You can find the serial number on the back of theSonicWALL security appliance, or in the System >Statusscreen of the backup unit. The serial number for thePrimary SonicWALL is automatically populated.
4. ClickApply to retain these settings.
1. Navigate to the High Availability >Advanced pag
2. To configure the HA Pair so that the Primary Sonicresumes the Active role when coming back online afailover, select Enable Preempt Mode.
3. To backup the settings when you upgrade the firmwversion, select Generate/Overwrite Backup Firmw
and Settings When Upgrading Firmware.
4. Select the Enable Virtual MAC checkbox. Virtual MACll h P i d B k li h
10. Select the Include Certificates/Keys checkbox to haveh li h i ll ifi d k
-
7/15/2019 SonicWALL TZ 210 Series Guide
61/88
Page 50 Configuring High Availability
allows the Primary and Backup appliances to share asingle MAC address. This greatly simplifies the process ofupdating network ARP tables and caches when a failoveroccurs. Only the switch to which the two appliances areconnected needs to be notified. All outside devices willcontinue to route to the single shared MAC address.
5. The Heartbeat Interval controls how often the two unitscommunicate. The default is 5000 milliseconds; the
minimum supported value is 1000 milliseconds.6. Set the Failover Trigger Level to the number of
heartbeats that can be missed before failing over. Bydefault, this is set to 5 missed heartbeats.
7. Set the Probe Interval to the interval in seconds betweenprobes sent to specified IP addresses to monitor that thenetwork critical path is still reachable. This is used in logicalmonitoring. SonicWALL recommends that you set theinterval for at least 5 seconds. The default is 20 seconds,and the allowed range is 5 to 255 seconds. You can set the
Probe IP Address(es) on the High Availability >Monitoring screen.
8. Set the Probe Count to the number of consecutive probesbefore SonicOS Enhanced concludes that the networkcritical path is unavailable or the probe target isunreachable. This is used in logical monitoring. The defaultis 3, and the allowed range is 3 to 10.
9. The Election Delay Time is the number of secondsallowed for internal processing between the two units in theHA pair before one of them takes the primary role. The
default is 3 seconds.
the appliances synchronize all certificates and keys.
11. You do not need to clickSynchronize Settings at thistime, because all settings will be automaticallysynchronized to the Idle unit when you clickAccept aftecompleting HA configuration. To synchronize all settingsthe Active unit to the Idle unit immediately, clickSynchronize Settings. The Idle unit will reboot.
12. Click Synchronize Firmware if you previously uploadenew firmware to your Primary unit while the Backup unitwas offline, and it is now online and ready to upgrade to tnew firmware. Synchronize Firmware is typically usedafter taking your Backup appliance offline while you testnew firmware version on the Primary unit before upgradboth units to it.
13. When finished with all High Availability configuration, cliAccept. All settings will be synchronized to the Idle unitautomatically.
Configuring HA Monitoring To set the independent LAN management IP addresses
-
7/15/2019 SonicWALL TZ 210 Series Guide
62/88
SonicWALL TZ 210 Series Getting Started Guid
On the High Availability > Monitoring page, you can configureboth physical and logical interface monitoring. By enablingphysical interface monitoring, you enable link detection for thedesignated HA interfaces. The link is sensed at the physicallayer to determine link viability.
Logical monitoring involves configuring the SonicWALL to
monitor a reliable device on one or more of the connectednetworks. Failure to periodically communicate with the deviceby the Active unit in the HA Pair will trigger a failover to the Idleunit. If neither unit in the HA Pair can connect to the device, noaction will be taken.
The Primary and Backup IP addresses configured on this pageare used for multiple purposes: As independent management addresses for each unit (only
on X0 and X1 interfaces)
To allow synchronization of licenses between the Idle unitand the SonicWALL licensing server
As the source IP addresses for the probe pings sent outduring logical monitoring
configure physical and/or logical interface monitoring, pthe following steps on the Primary unit:
1. Navigate to the High Availability >Monitoring pa
2. Click the Configure icon for the X0 interface.
3. To enable link detection between the designated Hinterfaces on the Primary and Backup units, leave tEnable Physical Interface Monitoring checkboxselected.
4. In the Primary IP Address field, enter the unique Lmanagement IP address of the Primary unit.
5. In the Backup IP Address field, enter the unique L
management IP address of the Backup unit.
6. In the Logical Probe IP Address field, enter the IPdd f d t d i th LAN t k th t
Synchronizing Settings
-
7/15/2019 SonicWALL TZ 210 Series Guide
63/88
Page 52 Configuring High Availability
address of a downstream device on the LAN network thatshould be monitored for connectivity. Typically, this shouldbe a downstream router or server. (If probing is desired onthe WAN side, an upstream device should be used.) ThePrimary and Backup appliances will regularly ping thisprobe IP address. If both can successfully ping the target,no failover occurs. If neither can successfully ping thetarget, no failover occurs, because it is assumed that the
problem is with the target, and not the SonicWALLappliances. But, if one appliance can ping the target but theother appliance cannot, failover will occur to the appliancethat can ping the target.
The Primary IP Address and Backup IP Address fieldsmust be configured with independent IP addresses on theX0 interface (X1 for probing on the WAN) to allow logicalprobing to function correctly.
7. SonicWALL recommends that you do not selectOverrideVirtual MAC. When Virtual MAC is enabled, the SonicOS
firmware automatically generates a Virtual MAC addressfor all interfaces. Allowing the SonicOS firmware togenerate the Virtual MAC address eliminates the possibilityof configuration errors and ensures the uniqueness of theVirtual MAC address, which prevents possible conflicts.
8. Click OK.
9. To configure monitoring on any of the other interfaces,repeat the above steps.
10. When finished with all High Availability configuration, clickAccept . All settings will be synchronized to the Idle unitautomatically.
Once you have configured the HA settings on the PrimarySonicWALL security appliance, it will automatically synchronthe settings to the Backup unit, causing the Backup to reboo
You do not need to click theSynchronize Settings button.However, if you later choose to do a manual synchronizationsettings, click the Synchronize Settings button. You will seeHA Peer Firewall has been updated notification at the bottof the management interface page. Also note that themanagement interface displays Logged Into: PrimarySonicWALL Status: (green ball) Active in the upper-right-hand corner.
By default, the Include Certificate/Keys setting is enabled.This specifies that certificates, certificate revocation lists (CRand associated settings are synchronized between the Primand Backup units. When local certificates are copied to the
Backup unit, the associated private keys are also copied.Because the connection between the Primary and Backup unis typically protected, this is generally not a security concern
Tip: A compromise between the convenience ofsynchronizing certificates and the added security of
synchronizing certificates is to temporarily enable th
Include Certificate/Keys setting and manually
synchronize the settings, and then disable Include
Certificate/Keys.
Verifying HA Functionality Multiple ISP / WAN Failover and Load
-
7/15/2019 SonicWALL TZ 210 Series Guide
64/88
SonicWALL TZ 210 Series Getting Started Guid
To verify that Primary and Backup SonicWALL securityappliances are functioning correctly, wait a few minutes, thentrigger a test failover by logging into the Primary unit andpowering it off. The Backup SonicWALL security applianceshould quickly take over. After a failover to the Backupappliance, all the pre-existing network connections must bere-established, including the VPN tunnels that must bere-negotiated.
From your management workstation, test connectivity throughthe Backup SonicWALL by accessing a site on the publicInternet. Note that unless virtual MAC is enabled, the BackupSonicWALL will not assume the Ethernet MAC address.
Log into the Backup SonicWALLs unique LAN IP address. Themanagement interface should now display Logged Into:Backup SonicWALL Status: (green ball) Active in the upper-
right-hand corner.
Now, power the Primary SonicWALL back on, wait a fewminutes, then log back into the management interface. If theBackup SonicWALL is active, you can use the shared IPaddress to log into it.
If you are using the Monitor Interfaces feature, experiment withdisconnecting each monitored link to ensure correctconfiguration.
Balancing
WAN Failover and Load Balancing allows you to designinterface as a Secondary or backup WAN port.
The secondary WAN port can be used as a backup if thprimary WAN port is down and/or unavailable, or it can m
a persistent connection for WAN port traffic to divide outtraffic flows between the Primary fixed WAN port and thassigned Secondary WAN port.
This section contains the following subsections: Configuring Secondary WAN Interface - page5 Activating and Configuring WAN Failover - pag Configuring WAN Interface Monitoring - page5 WAN Probe Monitoring Overview - page56 Configuring WAN Probe Monitoring - page57
Multiple ISP / WAN Failover and Load Balancing
-
7/15/2019 SonicWALL TZ 210 Series Guide
65/88
Page 54 Multiple ISP / WAN Failover and Load Balancing
X1 WAN
In this scenario, the SonicWALL TZ 210 is
configured in NAT/Route mode to operate
as a network gateway with multiple
Internet Service Providers (ISPs) to allow
load balancing and/or failover. Typical
zone assignments for this scenario are as
follows:
Local Network (LAN) - wired local client
computers and servers
Multiple Internet (WAN) - two Internet
service providers connected through X1
and a second open port (X3 in this case)
DMZ - (optional) wired resources
available to public Internet such as Web
servers and Mail servers
Wireless (WLAN)* - wireless local client
computers and devices
*For the TZ 210 wired appliance, wireless is
achieved by adding a SonicWALL SonicPoint
appliance to any free interface (X4-X5) and
zoning that interface as WLAN.
Multiple ISP / WAN Failover and Load Balancing
Wireless Clients
Wireless Devices
Wireless (WLAN)
Outdoor Access
SonicWALLSonicPointSONICPOINT
Configuring Secondary WAN Interface Activating and Configuring WAN Failover
-
7/15/2019 SonicWALL TZ 210 Series Guide
66/88
SonicWALL TZ 210 Series Getting Started Guid
Perform the following steps to configure WAN Failover andLoad Balancing on the SonicWALL security appliance:
1. On Network > Interfaces page, configure the chosen portto be in WAN zone, and enter the correct address settingsprovided by the Secondary ISP.
Note: In the example Multiple ISP / WAN Failover and LoadBalancing section, on page 53, the SonicWALL security
appliance is acquiring its secondary WAN address
dynamically from ISP #2, using DHCP. Any interface
added to the WAN zone by default creates a NAT policy
allowing internal LAN subnets to enforce NAT on this
Secondary WAN interface.
To configure the SonicWALL for WAN failover and loadbalancing, follow the steps below:
1. On Network > WAN Failover & LB page, select ELoad Balancing.
2. If there are multiple possible secondary WAN interfselect an interface from the Secondary WAN EtheInterface.
3. Select a load balancing method. By default, theSonicWALL will select Basic Active/Passive Failover as
Configuring WAN Interface Monitoring
-
7/15/2019 SonicWALL TZ 210 Series Guide
67/88
Page 56 Multiple ISP / WAN Failover and Load Balancing
SonicWALL will select Basic Active/Passive Failoverasthe method, but there are four load balancing methodsavailable:
Under the WAN Interface Monitoring heading, you cancustomize how the SonicWALL security appliance monitors tWAN interface:
1. Enter a number between 5 and 300, in the CheckInterface Every _ Seconds field. The default value is 5seconds.
2. In the Deactivate Interface after _ missed intervals,enter a number between 1 and 10. The default value iswhich means the interface is considered inactive after 3consecutive unsuccessful attempts.
3. Enter a number between 1 and 100 in the ReactivateInterface after _ successful intervals. The default valis 3, which means the interface is considered active afteconsecutive successful attempts.
WAN Probe Monitoring Overview
If Probe Monitoring is not activated, the SonicWALL securityappliance performs physical monitoring only on the Primary aSecondary WAN interfaces, meaning it only marks a WANinterface as failed if the interface is disconnected or stopsreceiving an Ethernet-layer signal. This is not an assuredmeans of link monitoring, because it does not address mostfailure scenarios (for example, routing issues with your ISP oan upstream router that is no longer passing traffic). If the WAinterface is connected to a hub or switch, and the router
Basic Active/Passive Failover
Only sends traffic through the Secondary WANinterface if the Primary WAN interface has beenmarked inactive. If the Primary WAN fails, then theSonicWALL security appliance reverts t