Firewall Training in India Cyber Security Training & Firewall Training Provider in India
Sonicwall Routing and Switching
The networking field in general is an extremely complex area, with terms that people (myself included) half understand being thrown around and tons of information that seems not relevant. In this How-to I attempt to clear up a few things regarding SonicWALL configurations, how to route properly and how to make a public server accessible. Hopefully I can do a good job of this without making it too complex.
PLEASE NOTE: The screenshots for this article were taken from a TZ100 running F/W 5.8.1.15-71o. The instructions included in this How-to SHOULD work for ANY SonicOS-Enhanced version.
Issue
- Scenarios for Sonicwall Proper configuration
- Scenarios for Sonicwall
Environment
- HPE switch and Sonicwall firewall
- Cause
- Users set up the servers and the PCs, etc., that are plugged into HPE switches, capable of routing, to have a default gateway of the Sonic Firewall instead of the VLAN interface of the switch the end device plugs into. This means that when the user has multiple VLANs with multiple subnets, local traffic from a PC in VLAN 1 that is destined to a PC in VLAN 10 plugged into the same switch the packet goes to the firewall and is looped back out. In many cases, this extra traffic overruns the interface for no good reason.
Resolution
Put a gateway of last resort in the switch to the Sonicwall for traffic to the internet. Sonicwall notes learnt from their L2:1. The Sonicwall does not receive tagged traffic, unless the tagged traffic is destined specifically for one of its interfaces. It will see such tagged traffic as unsolicited and it will drop those packets.
2. According to their engineer, it is designed to work one of two ways.
a. Either have an 802.1Q trunk to the uplink port, and have the Sonicwall work as a \”router on a stick\”. or
b. Place routing statements in the sonicwall to be routed to the proper physical interface. In this case, we created a group called ALL NETWORKS which contained all of the subnets of the vlan interfaces. We placed it in the routing table as source ANY destination ALL NETWORKS servce ANY and the gateway as the vlan 1 interface of the switch the sonicwall was plugged into. This allowed us to set the default gateway of the servers and PCs to the switch for inter-vlan routing and the Instant Messaging and Conference calling which authenticated through the firewall back to the server to work as well.
The first step to configuring an edge firewall/router is to first determine WHAT you want to do, and HOW you’re going to do it. In order to do that however we must know what we’re actually doing -clicking on random buttons, filling out random info does little to help you for long term efficiency or diagnostics if something doesn’t work.
NAT stands for Network Address Translation and essentially allows you to re-direct traffic originally for Point A to Point B, it cannot however tell traffic where to go (what path to take) in order to find it’s destination. Lets follow that abstract with a practical demo.
Bob calls a Chinese place and places an order for delivery. The driver walks into the building by the address location only to find that it’s a huge office building, an office number wasn’t given and the receptionist is under strict orders not to let anyone pass without special permission.
Bob tells Christine, the receptionist that the delivery driver is on the way and to send the food up. The delivery driver comes to the location and runs into (the firewall) Christine. Christine knows where the packet, err- food should go because she was told ‘Hey if someone comes in with chinese delivery (service/port number) from Chef Chu’s (source) then send them to me at my office(destination).’ that statement is our NAT policy.
Now what happens if Bob didn’t warn Christine? Aside from him going hungry, the point is the Firewall would block the packet and it would be refused access to the building. On a side note, if someone were to flood Christine with visitors and delivery drivers, you’d end up with a very frazzled Christine and the equivalent of a DDOS attack.
Lets abuse Bob, Christine and the delivery driver a little more here, what happens if Bob let’s Christine know the driver is coming but doesn’t specify that he’ll be at his desk. The delivery driver comes in, lets Christine know who he’s here for and Christine says Ok go on in, now the Driver is wandering around looking for Bob -since it’s a huge building and Bob isn’t easily visible the driver gives up and leaves, this is called a connection time-out. Additionally this is dangerous because now the driver/traffic/malicious packet is potentially inside the network, and can end up wherever it wants to (your server where you most sensitive data is stored of course).
Switching back to networking terms here, NAT is specifically so that the Router knows the final destination IP of whatever is expecting the traffic (then sends the traffic to that IP based on the route’s that exist). Access Rules (Firewalls) are meant to DENY access completely unless otherwise allowed, this prevents malicious packets (or nosy delivery drivers) from entering in the first place.
AUTHORIZED TRAINING PARTNERS
- An extensive global network of highly skilled training partners, carefully selected to deliver quality up-to-date training to SonicWall Customers and Partners
- Delivering effective training designed to provide a deep understanding of networking, security and SonicWall security solutions
- ATPs have completed rigorous SonicWall training requirements designed to ensure students exit their training with the skills and knowledge needed to maximize their investment in SonicWall security solutions
- For information about becoming an Authorized Training Partner visit
Overview
We can identify and manage every programme that is active on your network thanks to SonicWall firewalls. This additional control enhances compliance and data leakage prevention by identifying applications based on unique signatures rather than ports or protocols. Visualization is used to achieve this. By analysing application traffic to identify usage trends, specific policies for people and apps are created. or even user groups, the time of day, and other factors enabling flexible control that may be adapted to any situation where a network is needed. SonicWall uses a large, constantly expanding, and automatically updated array of software signatures to identify programmes that rely on their “DNA” as well as less recognisable traits like source port, destination port, or protocol type.
You can, for example, permit quick email and text but impose restrictions on file transfers, or let Facebook access but impose limitations on the use of Facebook-based games. All SSL-encrypted traffic, which must be examined in the same manner as unencrypted connections, is accessible to these control systems. You can readily see the results of your controls, which enables you to optimise consumption and network traffic.
