2. SonicWALL NSA 2400
Getting Started Guide
This Getting Started Guide provides instructions for basic
installation and configuration of the SonicWALL Network
Security Appliance (NSA) 2400 running SonicOS Enhanced.
After you complete this guide, computers on your Local Area
Network (LAN) will have secure Internet access.
Document Contents
This document contains the following sections:
1 Pre-Configuration Tasks - page 3
2 Registering Your Appliance on MySonicWALL - page 9
3 Deployment Scenarios - page 15
4 Additional Deployment Configuration - page 37
5 Support and Training Options - page 59
6 Product Safety and Regulatory Information - page 67
SonicWALL NSA 2400 Getting Started Guide Page 1
3. SonicWALL NSA 2400 Physical Characteristics
Front
Network Security Appliance
2400
Form Factor 1U rack-mountable
Dimensions 17 x 10.25 x 1.75 in
43.18 x 26.04 x 4.44 cm
Back Weight 8.05 lbs/ 3.71 kg
WEEE Weight 8.05 lbs/ 3.71 kg
Voltage 1 Amp / 50-60Hz
PML
I
o
Note: Always observe proper safety and regulatory guidelines when removing administrator-serviceable parts from the SonicWALL
NSA appliance. Proper guidelines can be found in the Safety and Regulatory Information section, on page 68 of this guide.
Page 2 SonicWALL NSA 2400 Physical Characteristics
4. Pre-Configuration Tasks 1
In this Section:
This section provides pre-configuration information. Review this section before setting up your SonicWALL NSA 2400 appliance.
• Check Package Contents - page 4
• Obtain Configuration Information - page 5
• The Front Panel - page 6
• The Back Panel - page 7
SonicWALL NSA 2400 Getting Started Guide Page 3
5. Check Package Contents
Before setting up your SonicWALL NSA appliance, verify that your
package contains the following parts: Any Items Missing?
If any items are missing from your package, please contact
SonicWALL support.
1 NSA 2400 Appliance 6 Release Notes
2 DB9 -> RJ45 (CLI) Cable 7 Global Support Services Guide A listing of the most current support documents are available online
at: <http://www.sonicwall.com/us/support.html>
3 Standard Power Cord* 8 Getting Started Guide
4 Ethernet Cable 9 Rack Mount Kit ** *The included power cord is intended for use in North America only. For
European Union (EU) customers, a power cord is not included.
5 Red Crossover Cable **This item is not included in the below illustration.
SonicOS Release Notes
1 Network Security Appliance
2400
Contents
6 7
2 3 4 5
SonicWALL Network Security Appliances
NET WORK SECURIT Y NSA 2400
Getting Started Guide
8
Page 4 Check Package Contents
6. Obtain Configuration Information Administrator Information
Please record and keep for future reference the following setup Admin Name: Select an administrator account name.
information: (default is admin)
Registration Information
Admin Password: Select an administrator password.
Serial Number: Record the serial number found on the (default is password)
bottom panel of your SonicWALL
appliance.
Authentication Code: Record the authentication code found on Obtain Internet Service Provider (ISP) Information
the bottom panel of your SonicWALL Record the following information about your current Internet service:
appliance.
If you connect Please record
Networking Information using
LAN IP Address: Select a static IP address for your DHCP No information is usually required: Some providers
SonicWALL appliance that is within the may require a Host name:
range of your local subnet. If you are
. . . unsure, you can use the default IP Static IP IP Address: . . .
address (192.168.168.168).
Subnet Mask: . . .
Subnet Mask: Record the subnet mask for the local
subnet where you are installing your Default Gateway: . . .
SonicWALL appliance.
. . . Primary DNS: . . .
Ethernet WAN IP Select a static IP address for your DNS 2 (optional): . . .
Address: Ethernet WAN. This setting only applies
if you are already using an ISP that DNS 3 (optional): . . .
. . . assigns a static IP address.
Note: If you are not using one of the network configurations above,
refer to <http://www.sonicwall.com/us/support.html>.
SonicWALL NSA 2400 Getting Started Guide Page 5
7. The Front Panel
Network Security Appliance
2400
A B D F
A C E
Icon Feature Description
Reset Button Press and hold the button for a few seconds to manually reset the appliance using SafeMode.
Console Port Used to access the SonicOS Command Line Interface (CLI) via the DB9 -> RJ45 cable.
USB Ports (2) For future use.
LED (Top to Bottom) Power LED: Indicates the SonicWALL NSA appliance is powered on.
Test LED: Flickering: Indicates the appliance is initializing. Steady blinking: Indicates the
appliance is in SafeMode. Solid: Indicates that the appliance is in test mode.
Alarm LED: Indicates an alarm condition.
X0 (LAN), X1 (WAN) Gigabit Ethernet ports for LAN and WAN connections.
X2-X5 (LAN) Gigabit Ethernet ports for other configurable Ethernet connections.
Page 6 The Front Panel
8. The Back Panel
Icon Feature Description
Fans(2) The SonicWALL NSA 2400 includes two fans for system temperature control.
Power Supply The SonicWALL NSA 2400 power supply.
SonicWALL NSA 2400 Getting Started Guide Page 7
10. Registering Your Appliance on MySonicWALL 2
In this Section:
This section provides instructions for registering your SonicWALL NSA 2400 appliance.
• Before You Register - page 10
• Creating a MySonicWALL Account - page 11
• Registering and Licensing Your Appliance on MySonicWALL - page 11
• Licensing Security Services and Software - page 12
• Registering a Second Appliance as a Backup - page 14
• Registration Next Steps - page 14
Note: Registration is an important part of the setup process and is necessary in order to receive the benefits of SonicWALL security
services, firmware updates, and technical support.
SonicWALL NSA 2400 Getting Started Guide Page 9
11. Before You Register
You need a MySonicWALL account to register the SonicWALL Note: Your SonicWALL NSA appliance does not need to be
NSA appliance. You can create a new MySonicWALL account powered on during account creation or during the
on www.mysonicwall.com or directly from the SonicWALL MySonicWALL registration and licensing process.
management interface. This section describes how to create an
account by using the Web site.
If you already have a MySonicWALL account, go to Registering Note: After registering a new SonicWALL appliance on
and Licensing Your Appliance on MySonicWALL - page 11 to MySonicWALL, you must also register the appliance
register your appliance on MySonicWALL. You can also from the SonicOS management interface. This allows
postpone registration until after having set up the appliance. the unit to synchronize with the SonicWALL License
Skip ahead to Deployment Scenarios - page 15 and register Server and to share licenses with the associated
your appliance directly from the management interface once appliance, if any. See Accessing the Management
you reach Accessing the Management Interface - page 22. Interface - page 22.
Note: For a High Availability configuration, you must use
MySonicWALL to associate a backup unit that can
share the Security Services licenses with your primary
SonicWALL.
If you do not yet have a MySonicWALL account, you can use
MySonicWALL to register your SonicWALL appliance and
activate or purchase licenses for Security Services, ViewPoint
Reporting and other services, support, or software before you
even connect your device. This method allows you to prepare
for your deployment before making any changes to your
existing network.
Page 10 Before You Register
12. Creating a MySonicWALL Account Registering and Licensing Your Appliance
To create a MySonicWALL account, perform the following steps:
on MySonicWALL
1. In your browser, navigate to www.mysonicwall.com. This section contains the following subsections:
2. In the login screen, click If you are not a registered user,
Click here. • Product Registration - page 11
• Licensing Security Services and Software - page 12
• Registering a Second Appliance as a Backup - page 14
Product Registration
You must register your SonicWALL security appliance on
MySonicWALL to enable full functionality.
1. Login to your MySonicWALL account. If you do not have an
account, you can create one at www.mysonicwall.com.
2. On the main page, in the Register A Product field, type
the appliance serial number and then click Next.
3. On the My Products page, under Add New Product,
type the friendly name for the appliance, select the
Product Group if any, type the authentication code into
3. Complete the Registration form and then click Register. the appropriate text boxes, and then click Register.
4. Verify that the information is correct and then click Submit. 4. On the Product Survey page, fill in the requested
5. In the screen confirming that your account was created, information and then click Continue.
click Continue.
SonicWALL NSA 2400 Getting Started Guide Page 11
13. Licensing Security Services and Software
• Support Services:
The Service Management - Associated Products page in • Dynamic Support 8x5
MySonicWALL lists security services, support options, and
• Dynamic Support 24x7
software such as ViewPoint that you can purchase or try with a
• Software and Firmware Updates
free trial. For details, click the Info button. Your current licenses
are indicated in the Status column with either a license key or
an expiration date. You can purchase additional services now or
at a later time.
The following products and services are available for the
SonicWALL NSA 2400:
• Service Bundles:
• Client/Server Anti-Virus Suite
• Comprehensive Gateway Security Suite
• Gateway Services:
• Gateway Anti-Virus, Anti-Spyware,
Intrusion Prevention, Application Firewall
• Global Management System
• Content Filtering: Premium Edition
• Stateful High Availability Upgrade
• Desktop and Server Software:
• Enforced Client Anti-Virus and Anti-Spyware
• Global VPN Client
• Global VPN Client Enterprise
• ViewPoint
Page 12 Registering and Licensing Your Appliance on MySonicWALL
14. To manage your licenses, perform the following tasks: 4. To license a product of service, do one of the following:
1. In the MySonicWALL Service Management - Associated • To try a Free Trial of a service, click Try in the Service
Products page, check the Applicable Services table for Management page. A 30-day free trial is immediately
services that your SonicWALL appliance is already activated. The Status page displays relevant
licensed for. Your initial purchase may have included information including the activation status, expiration
security services or other software bundled with the date, number of licenses, and links to installation
appliance. These licenses are enabled on MySonicWALL instructions or other documentation. The Service
when the SonicWALL appliance is delivered to you. Management page is also updated to show the status
2. If you purchased a service subscription or upgrade from a of the free trial.
sales representative separately, you will have an • To purchase a product or service, click Buy Now.
Activation Key for the product. This key is emailed to you
after online purchases, or is on the front of the certificate 5. In the Buy Service page, type the number of licenses you
that was included with your purchase. Locate the product want in the Quantity column for either the 1 year, 2 year, or
on the Service Management page and click Enter Key in 3 year license row and then click Add to Cart.
that row. 6. In the Checkout page, follow the instructions to complete
3. In the Activate Service page, type or paste your key into the your purchase.
Activation Key field and then click Submit. Depending on The MySonicWALL server will generate a license key for the
the product, you will see an expiration date or a license key
product. The key is added to the license keyset. You can use
string in the Status column when you return to the Service
Management page. the license keyset to manually apply all active licenses to your
SonicWALL appliance.
For more information, see Registration Next Steps - page 14.
SonicWALL NSA 2400 Getting Started Guide Page 13
15. Registering a Second Appliance as a 6. On the Service Management - Associated Products page,
scroll down to the Associated Products section to verify
Backup that your product registered successfully. You should see
the HA Primary unit listed in the Parent Product section, as
To ensure that your network stays protected if your SonicWALL
well as a Status value of 0 in the Associated Products /
appliance has an unexpected failure, you can purchase a Child Product Type section.
license to associate a second SonicWALL of the same model
7. Although the Stateful High Availability Upgrade and all the
as the first in a high availability (HA) pair. You can purchase the Security Services licenses can be shared with the HA
license associate the two appliances as part of the registration Primary unit, you must purchase a separate ViewPoint
process on MySonicWALL. The second SonicWALL will license for the backup unit. This will ensure that you do not
automatically share the Security Services licenses of the miss any reporting data in the event of a failover. Under
primary appliance. Desktop & Server Software, click Buy Now for ViewPoint.
Follow the instructions to complete the purchase.
To register a second appliance and associate it with the
primary, perform the following steps: To return to the Service Management - Associated Products
page, click the serial number link for this appliance.
1. Login to your MySonicWALL account.
2. On the main page, in the Register A Product field, type the
appliance serial number and then click Next.
Registration Next Steps
3. On the My Products page, under Add New Product, type Your SonicWALL NSA 2400 HA Pair is now registered and
the friendly name for the appliance, select the Product licensed on MySonicWALL. To complete the registration
Group if any, type the authentication code into the process in SonicOS and for more information, see:
appropriate text boxes, and then click Register.
4. On the Product Survey page, fill in the requested • Accessing the Management Interface - page 22
information and then click Continue. The Create
• Activating Licenses in SonicOS - page 24
Association Page is displayed.
• Enabling Security Services in SonicOS - page 44
5. On the Create Association Page, click the radio button to
• Applying Security Services to Network Zones - page 48
select the primary unit for this association, and then click
Continue. The screen only displays units that are not
already associated with other appliances.
Page 14 Registering a Second Appliance as a Backup
16. Deployment Scenarios 3
In this Section:
This section provides detailed overviews of advanced deployment scenarios as well as configuration instructions for connecting your
SonicWALL NSA 2400.
• Selecting a Deployment Scenario - page 16
• Scenario A: NAT/Route Mode Gateway - page 17
• Scenario B: State Sync Pair in NAT/Route Mode - page 18
• Scenario C: L2 Bridge Mode - page 19
• Initial Setup - page 20
• Upgrading Firmware on Your SonicWALL - page 25
• Configuring a State Sync Pair in NAT/Route Mode - page 28
• Configuring L2 Bridge Mode - page 35
Tip: Before completing this section, fill out the information in Obtain Configuration Information - page 5. You will need to enter this
information during the Setup Wizard.
SonicWALL NSA 2400 Getting Started Guide Page 15
17. Selecting a Deployment Scenario
Before continuing, select a deployment scenario that best fits your network scheme. Reference the table below and the diagrams on the
following pages for help in choosing a scenario.
Current Gateway Configuration New Gateway Configuration Use Scenario
No gateway appliance Single SonicWALL NSA as a primary gateway. A - NAT/Route Mode Gateway
Pair of SonicWALL NSA appliances for high B - NAT with State Sync Pair
availability.
Existing Internet gateway appliance SonicWALL NSA as replacement for an existing A - NAT/Route Mode Gateway
gateway appliance.
SonicWALL NSA in addition to an existing C - Layer 2 Bridge Mode
gateway appliance.
Existing SonicWALL gateway appliance SonicWALL NSA in addition to an existing B - NAT with State Sync Pair
SonicWALL gateway appliance.
A B C
Network Security Appliance
2400
Network Security Appliance
2400
Network Security Appliance
2400
Network Security Appliance
2400
Scenario A: NAT/Route Mode Gateway - page 17 Scenario B: State Sync Pair in NAT/Route Mode - page 18 Scenario C: L2 Bridge Mode - page 19
Page 16 Registration Next Steps
18. Scenario A: NAT/Route Mode Gateway
For new network installations or installations where the
SonicWALL NSA 2400 is replacing the existing network
gateway. A SonicWALL NSA
Internet
In this scenario, the SonicWALL NSA 2400 is configured in Network Security Appliance
NAT/Route mode to operate as a single network gateway. Two
2400
Internet sources may be routed through the SonicWALL
appliance for load balancing and failover purposes. Because
only a single SonicWALL appliance is deployed, the added
benefits of high availability with a stateful synchronized pair are
not available.
LAN Zone
To set up this scenario, follow the steps covered in
Initial Setup - page 20. If you have completed setup procedures
in that section, continue to Additional Deployment Configuration
- page 37 to complete configuration.
SonicWALL NSA 2400 Getting Started Guide Page 17
19. Scenario B: State Sync Pair in NAT/Route Mode
For network installations with two SonicWALL NSA 2400
appliances configured as a stateful synchronized pair for
redundant high-availability networking.
B
In this scenario, one SonicWALL NSA 2400 operates as the SonicWALL NSA 1
primary gateway device and the other SonicWALL NSA 2400 is Network Security Appliance
2400
in passive mode. All network connection information is Internet HA Link
synchronized between the two devices so that the backup SonicWALL NSA 2
appliance can seamlessly switch to active mode without Network Security Appliance
dropping any connections if the primary device loses
2400
connectivity.
To set up this scenario, follow the steps covered in the Initial
Setup - page 20 and the Configuring a State Sync Pair in NAT/
Route Mode - page 28 sections. If you have completed setup
procedures in those sections, continue to the Additional
Deployment Configuration - page 37 to complete configuration.
Page 18 Registration Next Steps
20. Scenario C: L2 Bridge Mode
For network installations where the SonicWALL NSA 2400 is
running in tandem with an existing network gateway.
In this scenario, the original gateway is maintained. The
SonicWALL NSA 2400 is integrated seamlessly into the existing
C Network Gateway
network, providing the benefits of deep packet inspection and
LAN
comprehensive security services on all network traffic. SonicWALL NSA
L2 Bridge Link
L2 Bridge Mode employs a secure learning bridge architecture, Internet or
Network Security Appliance
2400
LAN Segment 2
X0
X1
enabling it to pass and inspect traffic types that cannot be
handled by many other methods of transparent security
appliance integration. Using L2 Bridge Mode, a SonicWALL Network Resources
security appliance can be non-disruptively added to any
Ethernet network to provide in-line deep-packet inspection for
all traversing IPv4 TCP and UDP traffic. L2 Bridge Mode can
pass all traffic types, including IEEE 802.1Q VLANs, Spanning
Tree Protocol, multicast, broadcast and IPv6.
To set up this scenario, follow the steps covered in the Initial
Setup - page 20 and thme Configuring L2 Bridge Mode -
page 35 sections. If you have completed setup procedures in
those sections, continue to the Additional Deployment
Configuration - page 37 to complete configuration.
SonicWALL NSA 2400 Getting Started Guide Page 19
21. Initial Setup
Accepted Browser Version
This section provides initial configuration instructions for Browser Number
connecting your SonicWALL NSA 2400. Follow these steps if Internet Explorer 6.0 or higher
you are setting up scenario A, B, or C.
This section contains the following subsections: Firefox 2.0 or higher
Netscape 9.0 or higher
• System Requirements - page 20
• Connecting the WAN Port - page 20
Opera 9.10 or higher for
• Connecting the LAN Port - page 21
Windows
• Applying Power - page 21
• Accessing the Management Interface - page 22 Safari 2.0 or higher for MacOS
• Using the Setup Wizard - page 22
• Connecting to Your Network - page 23
• Testing Your Connection - page 23
• Activating Licenses in SonicOS - page 24 Connecting the WAN Port
• Upgrading Firmware on Your SonicWALL - page 25 1. Connect one end of an Ethernet cable to your Internet
connection.
2. Connect the other end of the cable to the X1 (WAN) port on
System Requirements your SonicWALL NSA Series appliance.
Before you begin the setup process, check to verify that you SonicWALL NSA 2400
have:
• An Internet connection Network Security Appliance
2400
• A Web browser supporting Java Script and HTTP uploads
Internet X0
X1
Management
Station
Page 20 Initial Setup
22. Connecting the LAN Port The Power LED on the front panel lights up blue when you
1. Connect one end of the provided Ethernet cable to the plug in the SonicWALL NSA. The Alarm LED may light up
computer you are using to manage the
and the Test LED will light up and may blink while the
SonicWALL NSA Series.
2. Connect the other end of the cable to the X0 port on your appliance performs a series of diagnostic tests.
SonicWALL NSA Series. When the Power LEDs are lit and the Test LED is no longer lit,
The Link LED above the X0 (LAN) port will light up in green the SonicWALL NSA is ready for configuration. This typically
or amber depending on the link throughput speed, occurs within a few minutes of applying power to the appliance.
indicating an active connection:
- Amber indicates 1 Gbps
- Green indicates 100 Mbps
- Unlit while the right (activity) LED is illuminated Note: If the Test or Alarm LEDs remain lit after the
indicates 10 Mbps SonicWALL NSA appliance has been booted, restart
Applying Power the appliance by cycling power.
1. Plug the power cord into an appropriate power outlet.
2. Turn on the power switch on the rear of the appliance next
to the power cords.
I
o
To power
source
SonicWALL NSA 2400 Getting Started Guide Page 21
23. Accessing the Management Interface Using the Setup Wizard
The computer you use to manage the SonicWALL NSA Series If you cannot connect to the SonicWALL NSA appliance or the
must be set up to have an unused IP address on the Setup Wizard does not display, verify the following
192.168.168.x/24 subnet, such as 192.168.168.20. configurations:
• Did you correctly enter the management IP address in your
To access the SonicOS Enhanced Web-based management Web browser?
interface: • Are the Local Area Connection settings on your computer
1. Start your Web browser. set to use DHCP or set to a static IP address on the
192.168.168.x/24 subnet?
• Do you have the Ethernet cable connected to your
Note: Disable pop-up blocking software or add the computer and to the X0 (LAN) port on your SonicWALL?
management IP address http://192.168.168.168 to your
• Is the connector clip on your network cable properly seated
pop-up blocker’s allow list.
in the port of the security appliance?
• Some browsers may not launch the Setup Wizard
2. Enter http://192.168.168.168 (the default LAN automatically. In this case:
management IP address) in the Location or Address field.
3. The SonicWALL Setup Wizard launches and guides you • Log into SonicWALL NSA appliance using “admin” as
through the configuration and setup of your SonicWALL the user name and “password” as the password.
NSA appliance. • Click the Wizards button on the System > Status
page.
The Setup Wizard launches only upon initial loading of the • Select Setup Wizard and click Next to launch the
SonicWALL NSA management interface. Setup Wizard.
4. Follow the on-screen prompts to complete the Setup • Some pop-up blockers may prevent the launch of the
Wizard. Setup Wizard. You can temporarily disable your pop-
Depending on the changes made during your setup up blocker, or add the management IP address of your
configuration, the SonicWALL may restart. SonicWALL (192.168.168.168 by default) to your pop-
up blocker's allow list.
Page 22 Initial Setup
24. Connecting to Your Network Testing Your Connection
1. After you exit the Setup Wizard, the login page reappears.
Internet Log back into the Management Interface and verify your IP
and WAN connection.
SonicWALL NSA 2400 X1
2. Ping a host on the Internet, such as sonicwall.com.
Network Security Appliance
2400
3. Open another Web browser and navigate to:
<http://www.sonicwall.com>.
X0
X3
X5 If you can view the SonicWALL home page, you have
configured your SonicWALL NSA appliance correctly.
SonicPoint
If you cannot view the SonicWALL home page, renew your
management station DHCP address.
4. If you still cannot view a Web page, try one of these
solutions:
LAN Zone WLAN Zone DMZ Zone
• Restart your Management Station to accept new
network settings from the DHCP server in the
SonicWALL security appliance.
The SonicWALL NSA 2400 ships with the internal DHCP server
active on the LAN port. However, if a DHCP server is already • Restart your Internet Router to communicate with
active on your LAN, the SonicWALL will disable its own DHCP the DHCP Client in the SonicWALL security appliance.
server to prevent conflicts.
Ports X1 and X0 are preconfigured as WAN and LAN. The
remaining ports (X2-X5) can be configured to meet the needs of
your network. As an example, zones in the example above are
configured as:
• X1: WAN
• X2: LAN
• X3: WLAN
• X5: DMZ
SonicWALL NSA 2400 Getting Started Guide Page 23
25. Activating Licenses in SonicOS Manual upgrade using the license keyset is useful when your
appliance is not connected to the Internet. The license keyset
After completing the registration process in SonicOS, you must includes all license keys for services or software enabled on
perform the following tasks to activate your licenses and enable MySonicWALL. It is available on <http://www.sonicwall.com> at
your licensed services from within the SonicOS user interface: the top of the Service Management page for your SonicWALL
NSA appliance.
• Activate licenses
• Enable security services To activate licenses in SonicOS:
• Apply services to network zones 1. Navigate to the System > Licenses page.
This section describes how to activate your licenses. For 2. Under Manage Security Services Online do one of the
following:
instructions on how to enable security services and apply
• Enter your MySonicWALL credentials, then click the
services to network zones, see the following sections:
Synchronize button to synchronize licenses with
MySonicWALL.
• Enabling Security Services in SonicOS - page 44
• Applying Security Services to Network Zones - page 48 • Paste the license keyset into the Manual Upgrade
Keyset field.
To activate licensed services in SonicOS, you can enter the 3. Click Submit.
license keyset manually, or you can synchronize all licenses at
once with MySonicWALL.
The Setup Wizard automatically synchronizes all licenses with
MySonicWALL if the appliance has Internet access during initial
setup. If initial setup is already complete, you can synchronize
licenses from the System > Licenses page.
Page 24 Initial Setup
26. Upgrading Firmware on Your SonicWALL Saving a Backup Copy of Your Preferences
The following procedures are for upgrading an existing Before beginning the update process, make a system backup of
SonicOS Enhanced image to a newer version: your SonicWALL security appliance configuration settings. The
backup feature saves a copy of the current configuration
• Obtaining the Latest Firmware - page 25 settings on your SonicWALL security appliance, protecting all
• Saving a Backup Copy of Your Preferences - page 25 your existing settings in the event that it becomes necessary to
• Upgrading the Firmware with Current Settings - page 26 return to a previous configuration state. The System Backup
• Upgrading the Firmware with Factory Defaults - page 26 shows you the current configuration and firmware in a single,
• Using SafeMode to Upgrade Firmware - page 26 clickable restore image.
Obtaining the Latest Firmware In addition to using the backup feature to save your current
1. To obtain a new SonicOS Enhanced firmware image file for configuration state to the SonicWALL security appliance, you
your SonicWALL security appliance, connect to your can export the configuration preferences file to a directory on
MySonicWALL account at your local management station. This file serves as an external
<http://www.mysonicwall.com>. backup of the configuration preferences, and can be imported
2. Copy the new SonicOS Enhanced image file to a back into the SonicWALL security appliance.
convenient location on your management station.
Perform the following procedures to save a backup of your
configuration settings and export them to a file on your local
management station:
1. On the System > Settings page, click Create Backup.
Your configuration preferences are saved. The System
Backup entry is displayed in the Firmware Management
table.
2. To export your settings to a local file, click Export Settings.
A popup window displays the name of the saved file.
SonicWALL NSA 2400 Getting Started Guide Page 25
27. Upgrading the Firmware with Current Settings Upgrading the Firmware with Factory Defaults
Perform the following steps to upload new firmware to your Perform the following steps to upload new firmware to your
SonicWALL appliance and use your current configuration SonicWALL appliance and start it up using the default
settings upon startup. configuration:
1. Download the SonicOS Enhanced firmware image file from
MySonicWALL and save it to a location on your local
Tip: The appliance must be properly registered before it can computer.
be upgraded. Refer to Registering and Licensing Your 2. On the System > Settings page, click Create Backup.
Appliance on MySonicWALL - page 11 for more 3. Click Upload New Firmware.
information. 4. Browse to the location where you saved the SonicOS
Enhanced firmware image file, select the file and click the
1. Download the SonicOS Enhanced firmware image file from Upload button.
MySonicWALL and save it to a location on your local 5. On the System > Settings page, click the Boot icon in the
computer. row for Uploaded Firmware with Factory Default
2. On the System > Settings page, click Upload New Settings.
Firmware. 6. In the confirmation dialog box, click OK. The SonicWALL
3. Browse to the location where you saved the SonicOS restarts and then displays the login page.
Enhanced firmware image file, select the file and click the 7. Enter the default user name and password (admin/
Upload button. password) to access the SonicWALL management
4. On the System > Settings page, click the Boot icon in the interface.
row for Uploaded Firmware. Using SafeMode to Upgrade Firmware
5. In the confirmation dialog box, click OK. The SonicWALL
restarts and then displays the login page. If you are unable to connect to the SonicWALL security
6. Enter your user name and password. Your new SonicOS appliance’s management interface, you can restart the
Enhanced image version information is listed on the SonicWALL security appliance in SafeMode. The SafeMode
System > Settings page. feature allows you to recover quickly from uncertain
configuration states with a simplified management interface that
includes the same settings available on the System > Settings
page.
Page 26 Upgrading Firmware on Your SonicWALL
28. To use SafeMode to upgrade firmware on the SonicWALL 6. Select the boot icon in the row for one of the following:
security appliance, perform the following steps: • Uploaded Firmware - New!
1. Connect your computer to the X0 port on the SonicWALL Use this option to restart the appliance with your
appliance and configure your IP address with an address current configuration settings.
on the 192.168.168.0/24 subnet, such as 192.168.168.20. • Uploaded Firmware with Factory Defaults - New!
2. To configure the appliance in SafeMode, perform one of the Use this option to restart the appliance with default
following: configuration settings.
• Use a narrow, straight object, like a straightened paper 7. In the confirmation dialog box, click OK to proceed.
clip or a toothpick, to press and hold the reset button
8. After successfully booting the firmware, the login screen is
on the front of the security appliance for one second. displayed. If you booted with factory default settings, enter
The reset button is in a small hole next to the USB the default user name and password (admin / password) to
ports. access the SonicWALL management interface.
• The Test light starts blinking when the SonicWALL
security appliance has rebooted into SafeMode.
3. Point the Web browser on your computer to If You Are Following Proceed to Section:
192.168.168.168. The SafeMode management interface Scenario...
displays.
A - NAT/Route Mode Additional Deployment Configuration -
4. If you have made any configuration changes to the security Gateway page 37
appliance, select the Create Backup On Next Boot
checkbox to make a backup copy of your current settings. B - NAT with State Sync Pair Configuring a State Sync Pair in NAT/
Your settings will be saved when the appliance restarts. Route Mode - page 28
5. Click Upload New Firmware, and then browse to the C - L2 Bridge Mode Configuring L2 Bridge Mode - page 35
location where you saved the SonicOS Enhanced firmware
image, select the file and click the Upload button.
SonicWALL NSA 2400 Getting Started Guide Page 27
29. Configuring a State Sync Pair in Initial High Availability Setup
NAT/Route Mode Before you begin the configuration of HA on the Primary
SonicWALL security appliance, perform the following setup:
This section provides instructions for configuring a pair of
SonicWALL NSA appliances for high availability (HA). This
section is relevant to administrators following deployment 1. On the back panel of the Backup SonicWALL security
scenario B. appliance, locate the serial number and write the number
down. You need to enter this number in the High
This section contains the following subsections: Availability > Settings page.
2. Verify that the Primary SonicWALL and Backup
• Initial High Availability Setup - page 28 SonicWALL security appliances are registered, running the
• Configuring High Availability - page 29 same SonicOS Enhanced versions, and running the same
SonicWALL Security services.
• Configuring Advanced HA Settings - page 29
3. Make sure the Primary SonicWALL and Backup
• Synchronizing Settings - page 31 SonicWALL security appliances’ LAN, WAN and other
• Synchronizing Firmware - page 32 interfaces are properly configured for failover.
• Configuring HA License Overview - page 33 4. Connect the X5 ports on the Primary SonicWALL and
• Associating Pre-Registered Appliances - page 34 Backup SonicWALL appliances with a CAT6-rated
crossover cable (red crossover cable). The Primary and
Backup SonicWALL security appliances must have a
X1 (WAN) dedicated connection. SonicWALL recommends cross-
connecting the two together using a CAT 6 crossover
Network Security Appliance
2400 Ethernet cable, but a connection using a dedicated
SonicWALL NSA 1
100Mbps hub/switch is also valid.
Internet
X5 (HA Link) X0 (LAN)
X0 (LAN)
5. Power up the Primary SonicWALL security appliance, and
Network Security Appliance
2400 then power up the Backup SonicWALL security appliance.
SonicWALL NSA 2
X1 (WAN)
6. Do not make any configuration changes to the Primary’s
Local Network
X5; the High Availability configuration in an upcoming step
takes care of this issue. When done, disconnect the
workstation.
Page 28 Configuring a State Sync Pair in NAT/Route Mode
30. Configuring High Availability Configuring Advanced HA Settings
The first task in setting up HA after initial setup is configuring the 1. Navigate to the High Availability > Advanced page.
High Availability > Settings page on the Primary SonicWALL 2. To configure Stateful HA, select Enable Stateful
security appliance. Once you configure HA on the Primary Synchronization. A dialog box is displayed with
recommended settings for the Heartbeat Interval and
SonicWALL security appliance, it communicates the settings to
Probe Interval fields. The settings it shows are minimum
the Backup SonicWALL security appliance. recommended values. Lower values may cause
To configure HA on the Primary SonicWALL, perform the unnecessary failovers, especially when the SonicWALL is
under a heavy load. You can use higher values if your
following steps:
SonicWALL handles a lot of network traffic. Click OK.
1. Navigate to the High Availability > Settings page.
2. Select the Enable High Availability checkbox.
3. Under SonicWALL Address Settings, type in the serial Tip: Preempt mode is automatically disabled after enabling
number for the Backup SonicWALL appliance. Stateful Synchronization. This is because preempt
You can find the serial number on the back of the SonicWALL mode can be over-aggressive about failing over to the
security appliance, or in the System > Status screen of the backup appliance. For example if both devices are idle,
backup unit. The serial number for the Primary SonicWALL is preempt mode may prompt a failover.
automatically populated.
3. To backup the firmware and settings when you upgrade the
4. Click Apply to retain these settings.
firmware version, select Generate/Overwrite Backup
Firmware and Settings When Upgrading Firmware.
4. Select the Enable Virtual MAC checkbox. Virtual MAC
allows the Primary and Backup appliances to share a
single MAC address. This greatly simplifies the process of
updating network ARP tables and caches when a failover
occurs. Only the WAN switch to which the two appliances
are connected to needs to be notified. All outside devices
will continue to route to the single shared MAC address.
SonicWALL NSA 2400 Getting Started Guide Page 29
31. 5. The Heartbeat Interval controls how often the two units - During this time, the newly-active appliance relearns
communicate. The default is 5000 milliseconds; the the dynamic routes in the network. When the Dynamic
minimum recommended value is 1000 milliseconds. Less Route Hold-Down Time duration expires, it deletes the
than this may cause unnecessary failovers, especially old routes and implements the new routes it has
when the SonicWALL is under a heavy load. learned from RIP or OSPF. The default value is
6. Typically, SonicWALL recommends leaving the Heartbeat 45 seconds. In large or complex networks, a larger
Interval, Election Delay Time (seconds), and Dynamic value may improve network stability during a failover.
Route Hold-Down Time fields to their default settings.
These fields can be tuned later as necessary for your 7. Select the Include Certificates/Keys checkbox to have
specific network environment: the appliances synchronize all certificates and keys.
- The Failover Trigger Level sets the number of 8. Click Synchronize Settings to synchronize the settings
heartbeats that can be missed before failing over. By between the Primary and Backup appliances.
default, this is set to 5 missed heartbeats. 9. Click Synchronize Firmware if you previously uploaded
- The Election Delay Time is the number of seconds new firmware to your Primary unit while the Secondary unit
allowed for internal processing between the two units in was offline, and it is now online and ready to upgrade to the
the HA pair before one of them takes the primary role. new firmware. Synchronize Firmware is typically used
after taking your Secondary appliance offline while you test
- The Probe Level sets the interval in seconds between
a new firmware version on the Primary unit before
communication with upstream or downstream systems. upgrading both units to it.
The default is 20 seconds, and the allowed range is 5
10. Click Apply to retain the settings on this screen.
to 255 seconds. You can set the Probe IP Address(es)
on the High Availability > Monitoring screen.
- The Dynamic Route Hold-Down Time setting is used
when a failover occurs on a HA pair that is using either
RIP or OSPF dynamic routing, and it is only displayed
when the Advanced Routing option is selected on the
Network > Routing page. When a failover occurs,
Dynamic Route Hold-Down Time is the number of
seconds the newly-active appliance keeps the dynamic
routes it had previously learned in its route table.
Page 30 Configuring a State Sync Pair in NAT/Route Mode
32. Synchronizing Settings To verify that Primary and Backup SonicWALL security
appliances are functioning correctly, wait a few minutes, then
Once you have configured the HA setting on the Primary trigger a test failover by logging into the Primary unit and doing
SonicWALL security appliance, click the Synchronize Settings a restart. The Backup SonicWALL security appliance should
button. You should see a HA Peer Firewall has been updated quickly take over.
message at the bottom of the management interface page. Also
note that the management interface displays Logged Into: From your management workstation, test connectivity through
Primary SonicWALL Status: (green ball) Active in the upper- the Backup SonicWALL by accessing a site on the public
right-hand corner. Internet – note that the Backup SonicWALL, when active,
assumes the complete identity of the Primary, including its IP
By default, the Include Certificate/Keys setting is enabled. addresses and Ethernet MAC addresses.
This specifies that certificates, certificate revocation lists (CRL)
and associated settings (such as CRL auto-import URLs and Log into the Backup SonicWALL’s unique LAN IP address. The
OCSP settings) are synchronized between the Primary and management interface should now display Logged Into:
Backup units. When local certificates are copied to the Backup Backup SonicWALL Status: (green ball) Active in the upper-
unit, the associated private keys are also copied. Because the right-hand corner.
connection between the Primary and Backup units is typically
Now, power the Primary SonicWALL back on, wait a few
protected, this is generally not a security concern.
minutes, then log back into the management interface. If
stateful synchronization is enabled (automatically disabling
preempt mode), the management GUI should still display
Tip: A compromise between the convenience of Logged Into: Backup SonicWALL Status: (green ball)
synchronizing certificates and the added security of not Active in the upper-right-hand corner.
synchronizing certificates is to temporarily enable the
Include Certificate/Keys setting and manually If you are using the Monitor Interfaces feature, experiment with
synchronize the settings, and then disable Include disconnecting each monitored link to ensure correct
Certificate/Keys. configuration.
SonicWALL NSA 2400 Getting Started Guide Page 31
33. Synchronizing Firmware
Selecting the Synchronize Firmware Upload and Reboot
checkbox allows the Primary and Backup SonicWALL security
appliances in HA mode to have firmware uploaded on both
devices at once, in staggered sequence to ensure that security
is always maintained. During the firmware upload and reboot,
you are notified via a message dialog box that the firmware is
loaded on the Backup SonicWALL security appliance, and then
the Primary SonicWALL security appliance. You initiate this
process by clicking on the Synchronize Firmware button.
Page 32 Configuring a State Sync Pair in NAT/Route Mode
34. Configuring HA License Overview License synchronization is used during HA so that the Backup
appliance can maintain the same level of network protection
You can configure HA license synchronization by associating provided before the failover. To enable HA, you can use the
two SonicWALL security appliances as HA Primary and HA SonicOS UI to configure your two appliances as a HA pair in
Secondary on MySonicWALL. Note that the Backup appliance Active/Idle mode.
of your HA pair is referred to as the HA Secondary unit on
MySonicWALL. MySonicWALL provides several methods of associating the two
appliances. You can start by registering a new appliance, and
You must purchase a single set of security services licenses for then choosing an already-registered unit to associate it with.
the HA Primary appliance. To use Stateful HA, you must first You can associate two units that are both already registered. Or,
activate the Stateful High Availability Upgrade license for the you can select a registered unit and then add a new appliance
primary unit in SonicOS. This is automatic if your appliance is with which to associate it.
connected to the Internet. See Registering and Licensing Your
Appliance on MySonicWALL - page 11.
Note: After registering new SonicWALL appliances on
MySonicWALL, you must also register each appliance
from the SonicOS management interface by clicking the
registration link on the System > Status page. This
allows each unit to synchronize with the SonicWALL
license server and share licenses with the associated
appliance.
SonicWALL NSA 2400 Getting Started Guide Page 33
35. Associating Pre-Registered Appliances 7. Select the group from the Product Group drop-down list.
The product group setting specifies the MySonicWALL
To associate two already-registered SonicWALL security users who can upgrade or modify the appliance.
appliances so that they can use HA license synchronization, 8. Click Register.
perform the following steps:
1. Login to MySonicWALL. If You Are Following Proceed to Section:
2. In the left navigation bar, click My Products. Scenario...
3. On the My Products page, under Registered Products, B - NAT with State Sync Pair Additional Deployment Configuration -
scroll down to find the appliance that you want to use as page 37
the parent, or primary, unit. Click the product name or
serial number.
4. On the Service Management - Associated Products page,
scroll down to the Associated Products section.
5. Under Associated Products, click HA Secondary.
6. On the My Product - Associated Products page, in the text
boxes under Associate New Products, type the serial
number and the friendly name of the appliance that you
want to associate as the child/secondary/backup unit.
Page 34 Configuring a State Sync Pair in NAT/Route Mode
36. Configuring L2 Bridge Mode Configuring the Primary Bridge Interface
This section provides instructions to configure the SonicWALL The primary bridge interface is your existing Internet gateway
NSA appliance in tandem with an existing Internet gateway device. The only step involved in setting up your primary bridge
device. This section is relevant to users following deployment interface is to ensure that the WAN interface is configured for a
scenario C. static IP address. You will need this static IP address when
configuring the secondary bridge.
This section contains the following subsections:
• Connection Overview - page 35 Note: The primary bridge interface must have a static IP
• Configuring the Primary Bridge Interface - page 35 assignment.
• Configuring the Secondary Bridge Interface - page 36
Connection Overview
Connect the X1 port on your SonicWALL NSA 2400 to the LAN
port on your existing Internet gateway device. Then connect the
X0 port on your SonicWALL to your LAN.
Network Gateway
SonicWALL NSA LAN
Internet or
LAN Segment 2
L2 Bridge Link
Network Security Appliance
2400
X0
X1
Network Resources
SonicWALL NSA 2400 Getting Started Guide Page 35
37. Configuring the Secondary Bridge Interface
Complete the following steps to configure the SonicWALL Note: Do not enable Never route traffic on the bridge-pair
appliance: unless your network topology requires that all packets
1. Navigate to Network > Interfaces. entering the L2 Bridge remain on the L2 Bridge
2. Click the Configure icon in the right column of the X0 (LAN) segments.
interface.
You may optionally enable the Block all non-IPv4
traffic setting to prevent the L2 bridge from passing
non-IPv4 traffic.
If You Are Following Proceed to Section:
Scenario...
C - L2 Bridge Mode Additional Deployment Configuration
- page 37
3. In the IP Assignment drop-down list, select Layer 2
Bridged Mode.
4. In the Bridged to drop-down list, select the X1 interface.
5. Configure management options (HTTP, HTTPS, Ping,
SNMP, SSH, User logins, or HTTP redirects).
Page 36 Configuring L2 Bridge Mode
38. Additional Deployment Configuration 4
In this Section:
This section provides basic configuration information to begin building network security policies for your deployment. This section also
contains several SonicOS diagnostic tools and a deployment configuration reference checklist.
• Creating Network Access Rules - page 38
• Creating a NAT Policy - page 40
• Creating Address Objects - page 42
• Configuring NAT Policies - page 43
• Enabling Security Services in SonicOS - page 44
• Applying Security Services to Network Zones - page 48
• Deploying SonicPoints for Wireless Access - page 49
• Troubleshooting Diagnostic Tools - page 54
• Deployment Configuration Reference Checklist - page 58
SonicWALL NSA 2400 Getting Started Guide Page 37
39. Creating Network Access Rules To create an access rule:
1. On the Firewall > Access Rules page in the matrix view,
A Zone is a logical grouping of one or more interfaces designed select two zones that will be bridged by this new rule.
to make management, such as the definition and application of 2. On the Access Rules page, click Add.
access rules, a simpler and more intuitive process than
following a strict physical interface scheme.
By default, the SonicWALL security appliance’s stateful packet
inspection allows all communication from the LAN to the
Internet, and blocks all traffic from the Internet to the LAN. The
following behaviors are defined by the “Default” stateful
inspection packet access rule enabled in the SonicWALL
security appliance:
Originating Zone Destination Zone Action
LAN, WLAN WAN, DMZ Allow
DMZ WAN Allow The access rules are sorted from the most specific at the
WAN DMZ Deny top to the least specific at the bottom of the table. At the
bottom of the table is the Any rule.
WAN and DMZ LAN or WLAN Deny
Page 38 Creating Network Access Rules
40. 3. In the Add Rule page in the General tab, select Allow or • Select the service or group of services affected by the
Deny or Discard from the Action list to permit or block IP access rule from the Service drop-down list. If the
traffic. service is not listed, you must define the service in the
Add Service window. Select Create New Service or
Create New Group to display the Add Service
window or Add Service Group window.
• Select the source of the traffic affected by the access
rule from the Source drop-down list. Selecting Create
New Network displays the Add Address Object
window.
• Select the destination of the traffic affected by the
access rule from the Destination drop-down list.
Selecting Create New Network displays the Add
Address Object window.
• Select a user or user group from the Users Allowed
drop-down list.
• Select a schedule from the Schedule drop-down list.
The default schedule is Always on.
• Enter any comments to help identify the access rule in
the Comments field.
SonicWALL NSA 2400 Getting Started Guide Page 39
41. 4. Click on the Advanced tab. more information on managing QoS marking in access
rules.
6. Click OK to add the rule.
Creating a NAT Policy
The Network Address Translation (NAT) engine in SonicOS
Enhanced allows users to define granular NAT policies for their
incoming and outgoing traffic. By default, the SonicWALL
security appliance has a preconfigured NAT policy to perform
Many-to-One NAT between the systems on the LAN and the IP
• In the TCP Connection Inactivity Timeout (minutes) address of the WAN interface. The appliance does not perform
field, set the length of TCP inactiviy after which the NAT by default when traffic crosses between the other
access rule will time out. The default value is 15 interfaces.
minutes.
• IIn the UDP Connection Inactivity Timeout You can create multiple NAT policies on a SonicWALL running
(minutes) field, set the length of UDP inactivity after SonicOS Enhanced for the same object – for instance, you can
which the access rule will time out. The default value specify that an internal server uses one IP address when
is 30 minutes. accessing Telnet servers, and uses a different IP address for all
other protocols. Because the NAT engine in SonicOS
• In the Number of connections allowed (% of
Enhanced supports inbound port forwarding, it is possible to
maximum connections) field, specify the percentage
access multiple internal servers from the WAN IP address of
of maximum connections that is allowed by this access
the SonicWALL security appliance. The more granular the NAT
rule. The default is 100%.
Policy, the more precedence it takes.
• Select Create a reflexive rule to create a matching
access rule for the opposite direction, that is, from Before configuring NAT Policies, you must create all Address
your destination back to your source. Objects that will be referenced by the policy. For instance, if you
5. Click on the QoS tab to apply DSCP or 802.1p Quality of are creating a One-to-One NAT policy, first create Address
Service coloring/marking to traffic governed by this rule. Objects for your public and private IP addresses.
See the SonicOS Enhanced Administrator’s Guide for
Page 40 Creating a NAT Policy
42. Address Objects are one of four object classes (Address, User, SonicOS Enhanced provides a number of default Address
Service and Schedule) in SonicOS Enhanced. Once you define Objects that cannot be modified or deleted. You can use the
an Address Object, it becomes available for use wherever default Address Objects when creating a NAT policy, or you can
appliacable throughout the SonicOS management interface. create custom Address Objects to use. All Address Objects are
For example, consider an internal Web server with an IP available in the drop-down lists when creating a NAT policy.
address of 67.115.118.80. Rather than repeatedly typing in the
IP address when constructing Access Rules or NAT Policies,
you can create an Address Object to store the Web server’s IP
address. This Address Object, “My Web Server”, can then be
used in any configuration screen that employs Address Objects
as a defining criterion.
Since there are multiple types of network address expressions,
there are currently the following Address Objects types:
• Host – Host Address Objects define a single host by its IP
address.
• Range – Range Address Objects define a range of
contiguous IP addresses.
• Network – Network Address Objects are like Range
objects in that they comprise multiple hosts, but rather than
being bound by specified upper and lower range delimiters,
the boundaries are defined by a valid netmask.
• MAC Address – MAC Address Objects allow for the
identification of a host by its hardware address or MAC
(Media Access Control) address.
• FQDN Address – FQDN Address Objects allow for the
identification of a host by its Fully Qualified Domain Names
(FQDN), such as www.sonicwall.com.
SonicWALL NSA 2400 Getting Started Guide Page 41
43. Creating Address Objects 4. Select the zone to assign to the Address Object from the
Zone Assignment drop-down list.
The Network > Address Objects page allows you to create 5. Select Host, Range, Network, MAC, or FQDN from the
and manage your Address Objects. You can view Address Type menu.
Objects in the following ways using the View Style menu: - For Host, enter the IP address in the IP Address field.
- For Range, enter the starting and ending IP addresses
• All Address Objects – displays all configured Address in the Starting IP Address and Ending IP Address
Objects. fields.
• Custom Address Objects – displays Address Objects - For Network, enter the network IP address and
with custom properties. netmask in the Network and Netmask fields.
• Default Address Objects – displays Address Objects - For MAC, enter the MAC address and netmask in the
configured by default on the SonicWALL security Network and MAC Address field.
appliance. - For FQDN, enter the domain name for the individual
site or range of sites (with a wildcard) in the FQDN
To add an Address Object:
field.
1. Navigate to the Network > Address Objects page. 6. Click OK.
2. Below the Address Objects table, click Add.
3. In the Add Address Object dialog box, enter a name for
the Address Object in the Name field.
Page 42 Creating a NAT Policy
44. Configuring NAT Policies An example configuration illustrates the use of the fields in the
Add NAT Policy procedure. To add a One-to-One NAT policy
NAT policies allow you to control Network Address Translation that allows all Internet traffic to be routed through a public IP
based on matching combinations of Source IP address, address, two policies are needed: one for the outbound traffic,
Destination IP address and Destination Services. Policy-based and one for the inbound traffic. To add both parts of a One-to-
NAT allows you to deploy different types of NAT simultaneously. One NAT policy, perform the following steps:
The following NAT configurations are available in SonicOS
1. Navigate to the Network > NAT Policies page. Click Add.
Enhanced:
The Add NAT Policy dialog box displays.
2. For Original Source, select Any.
• Many-to-One NAT Policy
• Many-to-Many NAT Policy 3. For Translated Source, select Original.
• One-to-One NAT Policy for Outbound Traffic 4. For Original Destination, select X0 IP.
• One-to-One NAT Policy for Inbound Traffic (Reflexive) 5. For Translated Destination, select Create new address
• One-to-Many NAT Load Balancing object and create a new address object using WAN for
• Inbound Port Address Translation via One-to-One NAT Zone Assignment and Host for Type.
Policy 6. For Original Service, select HTTP.
• Inbound Port Address Translation via WAN IP Address 7. For Translated Service, select Original.
8. For Inbound Interface, select X0.
This section describes how to configure a One-to-One NAT 9. For Outbound Interface, select Any.
policy. One-to-One is the most common NAT policy used to
10. For Comment, enter a short description.
route traffic to an internal server, such as a Web Server. Most of
11. Select the Enable NAT Policy checkbox.
the time, this means that incoming requests from external IPs
are translated from the IP address of the SonicWALL security 12. Select the Create a reflexive policy checkbox if you want
a matching NAT Policy to be automatically created in the
appliance WAN port to the IP address of the internal web
opposite direction. This will create the outbound as well as
server. the inbound policies.
For other NAT configurations, see the SonicOS Enhanced 13. Click OK.
Administrator’s Guide.
SonicWALL NSA 2400 Getting Started Guide Page 43
45. Policies for subnets behind the other interfaces of the Enabling Gateway Anti-Virus
SonicWALL security appliance can be created by emulating
these steps. Create a new NAT policy in which you adjust the To enable Gateway Anti-Virus in SonicOS:
source interface and specify the Original Source: the subnet 1. Navigate to the Security Services > Gateway Anti-Virus
behind that interface. page. Select the Enable Gateway Anti-Virus checkbox.
Enabling Security Services in SonicOS
SonicWALL security services are key components of threat
management in SonicOS. The core security services are
Gateway Anti-Virus, Intrustion Prevention Services, and Anti-
Spyware.
You must enable each security service individually in the
SonicOS user interface. See the following procedures to enable
and configure the three security services that must be enabled:
• Enabling Gateway Anti-Virus - page 44
• Enabling Intrusion Prevention Services - page 46
• Enabling Anti-Spyware - page 47
2. Select the Enable Inbound Inspection checkboxes for the
protocols to inspect. By default, SonicWALL GAV inspects
all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic.
CIFS/NetBIOS can optionally be enabled to allow access
to shared files. Generic TCP Stream can optionally be
enabled to inspect all other TCP based traffic, such as non-
standard ports of operation for SMTP and POP3, and IM
and P2P protocols.
Page 44 Enabling Security Services in SonicOS