Getting started with SonicWall firewalls
Description
This article describes some recommendations for configuring a new firewall.
Following them will let you run the firewall with the proper balance between performance and security.
Resolution
FIRST STEP OUT OF THE BOX
More Info: How can I upgrade SonicOS Firmware? | SonicWall
- Start from Safemode (Recommended): How can I put the SonicWall into safe mode? | SonicWall
- Enter Safemode by booting up the firewall, then using a paper clip or similar sized item, insert it into the small hole on either the front or the back of the firewall and hold the “button” down for 10 seconds or more.
The wrench light will start flashing, and you can release the “button”.
- Load latest firmware and boot to factory defaults
NOTE: Safemode is not required but is the most cautious method and leaves the least room for technology-induced issues
- If you do not start from Safemode, do the following:
- Skip Setup Guide (Wizard)
- Register the appliance: How to register SonicWall firewall? | SonicWall
- Load latest firmware and boot to factory defaults.
TIP: Booting with factory default will help you avoid issues present in the configuration file. Corruptions created in old/initial release RTM firmware can survive firmware upgrades; this step eliminates this chance, however small it may be.
If you're not connected to the Internet:
- Licenses: View then copy firewall’s license keyset from firewall’s MySonicWALL page and paste into System | Licenses page: How to manually Register a SonicWall device? | SonicWall
- Download latest countermeasure database (‘signature file’) from firewall’s MySonicWALL page and upload via Security Services | Summary | Import Signatures.
More info: How to upload security services signatures manually on Closed Environments? | SonicWall
APPLY THE SYSTEM BEST PRACTICES:
- From the System | Administration page:
- For PCI/Better Security: Change super user administration account from ‘admin’ to another user.
- Enable Enhanced Audit Logging: How can I enable Enhanced Audit Logging Support? | SonicWall
- Change HTTP/HTTPS management port (e.g. from 443 to 8443)
- Change the default Admin Timeout from 5 minutes to your preferred amount
- From the System | Time page:
- Set time automatically using NTP: [[How to enable and configure NTP|170503915727840]]
- Don’t configure additional NTP Servers unless needed for internal synchronization
- From the System | Diagnostics page:
- Check Network Settings and run all the tests to verify whether all services are connecting.
CAUTION: “Content Filtering” will fail until licensed or if UDP/2257 is blocked to SonicWALL GRID CFS Servers: [[Content Filter Server Not Responding|170505300660525]]
- MTU Discovery: Paste the determined value into the WAN/Internet interface used in the test.
Double check the MTU following [[How can I test and change the MTU size of WAN interfaces?|170504812146650]]
NOTE: Some ISPs’ values change each time you test. In that case review your ISP’s KB articles for the optimum MTU.
- From System | Settings:
- Click on DPI and Stateful Firewall Security. This will apply in one touch all the configuration best practices for Deep packet Inspection and security.
More info: [[One-Touch Configuration Override|170504743686320]]
NETWORK BEST PRACTICES:
- From Network | Interfaces page:
- Link Speed: Set to Auto or, if possible, hard code on both sides to the best possible value (e.g. 100/full duplex, 1 GB)
- Enable HTTPS Management on WAN Interfaces but create access rules to avoid opening to whole world:
- Create Address Objects for external IP addresses that can manage device
- Add those to new Address Object Group created for this purpose
- Edit WAN to WAN HTTPS and HTTP Management auto rules
- Change Source to the newly created group
TIP: The best option is to manage firewall via a VPN Tunnel for best security.
- Network | Zones: Make sure all desired security services are enforced on proper zones
- Network | Services:
- “Any” in a firewall policy does not mean ‘any’ unless the firewall knows about the service.
- If a service is not present in the firewall, you may need to add any Services by creating a Service Object: How can I configure Service Objects? | SonicWall
TIP: Log Event ID 41: Network Access | Unknown Protocol Dropped will expose these
NAT POLICIES:
More info: How do I configure NAT policies on a SonicWall firewall? | SonicWall
- On outbound policies, select a specific outbound Interface (it's not recommended to use “Any”)
- On inbound policies, select a specific inbound Interface (Public Server Wizard sets this to Any however it's recommended to manually set it afterwards)
- If you use Public Server Wizard:
- Only use once to show/use as a reference then manually create additional Firewall/NAT policies. CAUTION: While the Wizard is good for creating a quick policy, it’s recommended to build policies manually for learning purposes (the Wizard creates 3 policies each time).
- For inbound NAT policies change the inbound Interface from Any to specific inbound interface.
- Don’t create unnecessary Loopback policies as this can increase the processing loops in case of errors and cause many issues.
- Outbound Many-to-Few NAT policies:
- Use Address Object type Range for Source Translated (Range is preferred because of its predictable outcome).
EXAMPLE: YouTube can blacklist a university due to too many connections from one WAN IP. (Note: This applies if you own a block of IP addresses)
- NEVER set Service Translated to the same Service as Service Original.
Always use ORIGINAL or a PAT Port. This mistake typically comes from replicating a config from another manufacturer's firewall.
- Avoid using the firewall's Primary WAN IP (or another high priority IP in the subnet, such as your outbound email SMTP IP) for the Guest Network’s Outbound NAT Policy.
This protects against blacklisting in case of guests’ bad behavior on the network.
FIREWALL SETTINGS:
- Firewall Settings | Advanced:
- Enable Stealth Mode
- Enable Randomize IP ID
- Enable Decrement IP TTL for forwarded traffic.
- Choose the best “Connections” setting. There is a Help icon you can mouse over to view these values. If the connection count in ‘DPI Connections’ mode is sufficient, use that, as it gives the best DPI performance (it allocates more memory to DPI and requires a reboot).
- [[More info: Configuring Advanced Firewall settings|170505400210715]]
BANDWIDTH MANAGEMENT:
How can I configure bandwidth management? | SonicWall
- Don’t enable it if you are not using it. Most people forget to adjust when their ISP speed changes.
- Use the Advanced Mode for better stability and performance. Global is a legacy method and it may cause unstable/low performance.
- Use a descriptive name for the Bandwidth Objects. Example: ‘BWM - P4/G00Kb/M10Mb/E1Mb/Delay’
Reason: the GUI pages where BWM Objects are selected display nothing other than the name.
SSLVPN:
More info: How can I setup SSL-VPN? | SonicWall
- From SSL VPN | Server Settings:
- Change SSLVPN Port to 443. This is done to enhance the end user’s experience as the port 443 is usually never blocked by ISPs thus end users will be able to access the SSLVPN from anywhere. NOTE: You must first change the default HTTPS Management port (443) mentioned previously
- SSLVPN terminates on the SonicWall’s Interface IP(s) and cannot be changed to another IP in Interface’s subnet.
- It is recommended to have a public (purchased) cert meeting the latest encryption standards. The self signed cert provided by the firewall is adequate, but will not pass PCI audits as it's a self-signed certificate.
SECURITY SERVICES:
More info: Security Services (GAV, Network AV, IPS, CFS, Firewall Registration) Ports and Protocol Usage | SonicWall
- Gateway Anti-Virus:
- Check all boxes on main screen and don’t forget Cloud AV
NOTE: If you do not enable these, DPI will only scan the listed protocols (HTTP, FTP, SMTP, etc.) on their default port(s)
- Intrusion Prevention:
- Set High/Medium Priority to Prevent & Detect
- Set Low Priority to Detect only
- Customize the following Categories to Prevent+Detect (and change log redundancy as needed):
- Backdoors, Bad-Files, Compromised-Certs, DB-Attacks, Virus, Web-Attacks
- Review other Low priority signatures and change to Prevent+Detect as needed
- Anti-Spyware:
- Check all the boxes.
- Geo IP:
- Turn on in either “All connections” or “Firewall Rule-based Connections” (recommended) mode depending on needs. For example, do you have a DNS server that must perform recursive lookups on a DNS server in a blocked country?
- Enable logging
- Consider blocking ‘Anonymous Proxy/Private IP’ and ‘All Unknown’. However, note that you may have IP addresses requiring exclusion
- Botnet Filter:
- Turn on in “All connections” mode
- Enable logging
NOTE: For ransomware related incidents, refer to Common configurations to protect against Ransomware
LOGGING:
More info: Reduce CPU usage reviewing logs configuration | SonicWall
- Log | Name Resolution | Name Resolution Method:
- Disable (None) or set to DNS
- Point to Internal DNS servers otherwise no RFC1918 resolution (192.168.x.x, 172.16-31.x.x, 10.x.x.x)
- Log | Automation: In most cases, this creates an overwhelming amount of email and can put undue strain on the firewall’s Core0
- Thus, this feature is not recommended for logs. Use syslog to SonicWall GMS or Analyzer, or send to a 3rd party syslog collector.
- For Alerts, don’t set globally here. Set specific alerts you wish to receive by email via Log >>> Settings >>> Edit the Event
- Regardless, verify email settings are correct if doing this
- Better: SonicWall GMS’s Live Monitor feature is recommended for this as it is more efficient, will send a more detailed email alert and can send a SNMP trap as well. Up to 5 destinations, each with a different schedule
- Log | Settings:
- Security Services | General: Disable ‘Raw Data’ (Event ID 1391) by unchecking GUI, Alert, Syslog, & Email, Click Apply
- Network | NAT: Disable ‘Connection NAT Mapping’ (Event ID 1197) by unchecking GUI, Alert, Syslog, & Email, Click Apply
- Note: This information can be useful. For example, if you need to determine who downloaded a pirated movie because you received a DMCA violation email stating that your public IP broke the law, you need this information logged to track down which private IP was associated with the public IP:port in the notice. Also note that GMS and Analyzer have a filter for this event (as well as Raw Data) so, by default, it is not written to GMS’s/Analyzer’s reporting database.
- Reduce the redundancy of the log entries: How to change Global Logging Redundancy level | SonicWall
The reason is: for a 60 second video, a value of "0" creates ~180 events which translate to 180 syslogs. Changing it to just 1 second reduces that down to ~38. The old default was 0; the new default is 60 seconds.
- Log | Settings | Firewall | Application Control:
- Disable ‘Application Control Detection Alert’ (Event ID 1154) from GUI.
- Don’t disable it for Syslog, as you need that for GMS/Analyzer reporting on Application Data Usage.
- This change saves on-box logging and Core0 from processing the large number of events whose on-box log display provides little value in most installations.
- Global Log Redundancy Filter: If it is set to 0, change it to 60.
- Change the Log Redundancy filters for the Web Browser and Protocols categories to 60 seconds.
- For other categories, at least increase it to 15-20 seconds
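To show what two of the logging tips above look like once the syslog reaches a collector (Event ID 41 drops exposing protocols that need a Service Object, and Event ID 1197 Connection NAT Mapping resolving the public IP:port in an abuse notice back to a private IP), here is an added Python example that is not part of the SonicWall article. The syslog lines are constructed, and the key names (m=, src=, natSrc=, proto=) are assumed to follow the firewall's key=value syslog layout; verify them against your own firmware's output.

```python
import re
from collections import Counter

# Constructed SonicWall-style syslog lines (not captured from a real device).
# Key names follow the key=value syslog layout; treat the exact names
# (m=, src=, dst=, natSrc=, natDst=, proto=) as an assumption for your firmware.
SAMPLE_SYSLOG = """\
id=firewall sn=TESTSERIAL time="2024-03-05 10:01:02" fw=203.0.113.10 pri=5 m=41 msg="Unknown Protocol Dropped" src=10.0.0.25:51234:X0 dst=198.51.100.7:5938:X1 proto=tcp/5938
id=firewall sn=TESTSERIAL time="2024-03-05 10:01:03" fw=203.0.113.10 pri=5 m=41 msg="Unknown Protocol Dropped" src=10.0.0.31:51240:X0 dst=198.51.100.7:5938:X1 proto=tcp/5938
id=firewall sn=TESTSERIAL time="2024-03-05 10:01:09" fw=203.0.113.10 pri=5 m=41 msg="Unknown Protocol Dropped" src=10.0.0.44:40001:X0 dst=192.0.2.80:1194:X1 proto=udp/1194
id=firewall sn=TESTSERIAL time="2024-03-05 10:02:00" fw=203.0.113.10 pri=6 m=1197 msg="Connection NAT Mapping" src=10.0.0.25:51300:X0 dst=192.0.2.200:6881:X1 natSrc=203.0.113.10:21077 natDst=192.0.2.200:6881 proto=tcp/6881
id=firewall sn=TESTSERIAL time="2024-03-05 10:02:05" fw=203.0.113.10 pri=6 m=1197 msg="Connection NAT Mapping" src=10.0.0.31:51301:X0 dst=192.0.2.201:443:X1 natSrc=203.0.113.10:21078 natDst=192.0.2.201:443 proto=tcp/443
"""

# key=value pairs; values are either a quoted string or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def parse_syslog(text):
    """Parse every non-empty line of a syslog capture."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def unknown_protocols(events):
    """Tally Event ID 41 drops by proto/port: each key is a candidate Service Object."""
    return Counter(e["proto"] for e in events if e.get("m") == "41")

def private_ip_for_notice(events, public_ip, public_port):
    """Use Event ID 1197 to map the public ip:port from a notice to (time, private IP)."""
    wanted = f"{public_ip}:{public_port}"
    hits = [e for e in events if e.get("m") == "1197" and e.get("natSrc") == wanted]
    return [(e["time"], e["src"].split(":")[0]) for e in hits]

if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    print("Unknown protocols dropped:", dict(unknown_protocols(evs)))
    print("Notice 203.0.113.10:21077 ->", private_ip_for_notice(evs, "203.0.113.10", 21077))
```

Note that the 1197 lookup only works for connections logged while the event was enabled, which is the trade-off the article describes when it recommends disabling it to reduce log volume.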
HIGH AVAILABILITY:
More info: How to Configure High Availability (HA) | SonicWall
- Try to always use X0, and configure its Monitoring IP addresses: Configuring High Availability Monitoring settings | SonicWall
- X0 is hardcoded in SonicOS as the backup heartbeat link and should always be used as the primary Monitoring interface.
- Additionally, if no WAN interface has Monitoring IP addresses configured, SonicOS will use it as the Secondary/Standby unit’s path to Internet for GRID and License Manager communication.
- The Secondary unit is never licensed automatically. Always login to it via one of its Monitoring IP addresses, put in the registration code and sync its licensing with MySonicWall. If both units have been properly associated in MySonicWall, they will both start receiving all licensing information.
- Firewall changes requiring a reboot can easily cause an outage. When a change requiring a firewall reboot is made, the “Status” shown at the bottom left-hand corner of the firewall’s administration GUI changes from “Status: Ready” to “Status: Reboot…”.
When this happens in an HA pair, the Standby firewall reboots as soon as the change is made, before you click “Status: Reboot”. So, if you click Reboot while the Standby unit is still rebooting, both firewalls will be unavailable and the network will go down.
- Use the Virtual MAC option: This reduces ARP convergence time during a failover and maintains a seamless transition when a failover occurs.
- HA Pair connected to the same switch: Make sure that the Switch Ports connected to the SonicWALL Interfaces have STP (Spanning Tree Protocol) disabled.
STP has a real problem with our Virtual MAC being seen on multiple ports and will cause the firewalls to flap.
ADDITIONAL SECURITY ENHANCEMENTS:
- Firewall Rules for Security Enhancement:
- DNS: Add Outbound Rules for DNS:
- Deny Rule: Block all DNS queries (UDP/53) from Inside to Outside (i.e. LAN to WAN)
- Allow Rule: Only allow DNS queries (UDP/53) to specific/sanctioned DNS servers like Google, etc. Place the Allow rule above the Deny rule, since access rules are matched in priority order.
- SMTP: Only allow Outbound SMTP access for sanctioned email servers; block everything else.
- SSH: Add a Deny Rule to block all outbound SSH. When malware tries everything to get out, it could try SSH, which currently cannot be scanned by man-in-the-middle (DPI-SSL). Alternatively, you can use DPI-SSH: Configuring DPI-SSH | SonicWall
- Content Filtering – Categories to always control: Hacking/Proxy Avoidance Systems, Pay to Surf Sites, Internet Watch Foundation and Malware
- Where possible, block the Not Rated category. Blocking this category will cause Availability/Usability challenges, as new websites are created every day and may be Not Rated for the initial days/weeks; this means that if the category is allowed, the website may be reachable even though it is a threat.
Therefore, before implementing, look at a report of traffic to Not Rated sites (and IP addresses) and add sanctioned destinations to the allow list or re-categorize those sites. (e.g. http://IPaddress is almost certainly not rated)
- To help mitigate this, CFS 4.0 in SonicOS 6.2.6+ adds both Confirm and Passphrase bypass page options, rather than Block. These could be used to mitigate this issue for N/R sites.
- Make sure to report rating issues to our CFS Team.
- Gateway Anti-Virus Lockdown:
- On each protocol (HTTP, FTP, etc.) you can additionally block:
- Restrict Transfer of password-protected ZIP files
- Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)
- Restrict Transfer of packed executable files (UPX, FSG, etc.)
- NOTE: Enabling TCP Stream Inspection will drastically reduce the throughput as every protocol under TCP will be fully inspected by GAV.
CAUTION: These Settings may cause Usability/Availability challenges for users.
HOW TO DOWNLOAD SUPPORT LOGS: How can I download required tech support files (TSR, settings, GUI logs, trace logs)? | SonicWall