sonicwall global management service system...gms system administration contents 2 viewing system...

SonicWall® Global Management Service SystemAdministration Guide

Contents

Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Acquisition History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

Subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

Firewall Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

Configuring Administrator Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Firewall Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

Administrator Name & Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

Change the Administrator Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

Feature Visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

Login Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

Multiple Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Enhanced Audit Logging Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Web Management Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Managing Tooltips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Certificate Expire Checking Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Enabling SonicOS API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

UUID Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Applying Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

Applying Updates Immediately . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

Scheduling Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Configuring Management Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Management Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Miscellaneous . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

Enable Preempt Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

One-Touch Configuration Overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

NDPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

About Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

GMS System Administration

Contents2

Navigating the Certificates Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Certificates Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Certificates View Style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Certificates and Certificate Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Configuring CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Importing New Local and CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Creating and Importing a Public Certificate and Private Key File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Creating Certificate Signing Requests and Private Key using OpenSSL . . . . . . . . . . . . . . . . . . . . . . 31

Importing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Generating a Certificate Signing Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Configuring SCEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Deleting Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Configuring Time-Related Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Changing Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

NTP Server Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Adding an NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Editing an NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Deleting NTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Configuring Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Using Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Restarting SonicWall Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Requesting Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Inheriting Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Synchronizing Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Synchronizing Licenses with MySonicWall.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Restart Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Configuring Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Saving Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Applying Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Deleting Saved Settings Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Storing External Preferences Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Automatically Backing Up Preferences for SonicWall Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Automatically Purging Older Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Configuring the Number of Heartbeat Messages That Can Be Missed . . . . . . . . . . . . . . . . . . . . . . . . . . 55

SonicWall Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57


Contents3

1

Viewing System Status

The system goes through a series of steps when acquiring a firewall, and these steps can be monitored on the Status page, whether you use Zero Touch Deployment or manually bring it under management. The unit must first be plugged in for power and wired to both LAN and WAN.

The information on the System | Status page is displayed in the following sections:

• Acquisition History

• Firewall

• Network

• Management

• Reporting

• Subscription

• Firewall Information

On the bottom of the page, you can:

• Click Fetch Information to collect or refresh current information for the selected firewall.

• Click Synchronize with MySonicWall.com to synchronize the information for the selected firewall with the information currently stored on your MySonicWall account.

Acquisition HistoryThe steps taken while a unit is being acquired is tracked in the Acquisition History section of the System | Status page. As each stage is completed, success is indicated by a green check mark along with a messages indicating status. If you want more information about each stage, you can expand it by clicking on the right arrow. More messages and status are displayed.

If an error occurs, or if a process seems to be taking too long, you can use the information from the expanded options to determine where to begin your troubleshooting. When the acquisition completes successfully, green check marks are shown for every stage.


Viewing System Status4

FirewallThe Firewall section of the System | Status page shows the data for the selected firewall.

A green up arrow indicates that IPFIX packets are being received from the firewall. If the acquisition has not completed successfully, the status shows a red down arrow, indicating that the firewall is not online or that there is some kind of error. You can use the messages from the page to help diagnose what the issue might be.

NetworkThe Network section of the System | Status page shows the network interfaces and DHCP status for the selected firewall.

A green up arrow indicates the network interfaces that are active and available. A yellow warning symbol indicates that there is a connection issue with those network interfaces.



ManagementThe Management section of the System | Status page shows the management status for the selected firewall.

A green up arrow indicates the selected firewall is online and connected.

ReportingThe Reporting section of the System | Status page shows the current status of additional reporting services for the selected firewall.

SubscriptionThe Subscription section of the System | Status page shows the current subscription status of all subscription services for the selected firewall.



Firewall InformationThe Firewall Information section of the System | Status page shows the time since the selected firewall was last restarted and its firmware last modified.



2

Configuring Administrator Settings

The Administrator page provides settings for the configuration of the SonicWall security appliance for secure and remote management. The Administrator page configures administrator settings for the SonicWall appliance. These settings affect both the GMS and other administrators.

To change administrator settings on one or more SonicWall appliances:

1 Navigate to System | Administrator.

The Administrator page displays.

Topics:

• Firewall Name

• Administrator Name & Password

• This section lets you to enable or disable the Wireless LAN and IPv6. To enable, check the box next to Enable Wireless LAN. A message is displayed to restart when enabling or disabling Wireless LAN.

• Multiple Administrators

• Enhanced Audit Logging Support

• Web Management Settings

• Certificate Expire Checking Settings

• Enabling SonicOS API

• UUID Settings

• Applying Updates

Firewall Name

TIP: When you change the settings in a section, click Update to apply the new settings. To clear all screen settings and start over, click Reset.

TIP: This section displays only at the unit level.

NOTE: The firewall name is displayed. This field is read-only and cannot be configured from GMS.


Configuring Administrator Settings8

To auto-append a HA/Clustering suffix or enter the firewall’s domain name:

1 An option is available to Auto-Append HA/Clustering suffix to Firewall Name. To facilitate recognition of the primary/secondary firewalls in the Log Monitor log, appends an appropriate suffix automatically to the firewall name in the Dashboard > Log Monitor:

• Primary

• Secondary

• Primary Node <n>

• Secondary Node <n>

This option is not selected by default.

2 Enter the Firewall’s Domain Name. Can be private, for internal users, or an externally registered domain name. This domain name is used in conjunction with User Web Login Settings on the Users > Settings page for user-authentication redirects.

3 Click Update. (See Applying Updates for information on applying and scheduling updates.)

Administrator Name & Password

To change the administrator’s name:

1 Enter the login name for the administrator in the Administrator Login Name field. The default is admin.

2 For added security, enter a GMS Password.

3 You can add and confirm an additional appliance password in New Appliance Password and Confirm New Appliance Password.


Change the Administrator PasswordTo change the administrator password:

1 Select from the following options to change the SonicWall appliance password(s):

• If you are configuring a SonicWall appliance at the unit level, enter and reenter the new SonicWall password. Then, enter the Management password and click Change Password. The password is changed.

• If you are configuring a SonicWall appliance at the group or global level, enter the Management password and click Change Password. Each SonicWall appliance receives a unique randomly generated password. This unique password is encrypted and recorded in the Management database.



At the non-unit level, passwords can be configured in two ways:

• The GMS can assign random passwords to the appliances (recommended for security purposes).

• The user can specify a specific password that is assigned to all the appliances in the node (not recommended).

To have the GMS assign random passwords, leave the New SonicWall Password and Confirm New SonicWall Passwords fields empty.

2 When you are finished, click Change Password. A task gets spooled and after it is executed successfully, the settings are updated for the selected SonicWall appliances.


Feature Visibility This section lets you to enable or disable the Wireless LAN and IPv6. To enable, check the box next to Enable Wireless LAN. A message is displayed to restart when enabling or disabling Wireless LAN.

Login SecurityGMS provides the ability to enforce complex login passwords for improved security audits. Passwords can now be created based on the following rules:

1 Time requirements for password changes.

2 Password changing can be limited to hourly intervals.

3 Barring of repeated passwords.

4 Enforce a minimum character difference from previous passwords. (Default is eight (8) characters.

5 Enforce a minimum password length. Eight (8) characters is the default.

6 Passwords can include characters from at least two (2) of the following groupings: alpha, numeric, and symbolic characters.

7 The last four passwords used cannot be repeated.

Additionally, the following rules are also applicable:

NOTE: The unique encrypted password is also written into a file in <gms_directory>/etc/. The filename format is Prefs<serialnumber>.pwd; each file contains the old and the new password for the SonicWall appliance. The file gets overwritten every time the password for the SonicWall appliance is changed. The encryption is base64.

NOTE: When enabling or disabling Wireless LAN feature visibility, it requires a reboot.



1 You should change your passwords every 90 days.

2 User accounts are temporarily locked-out after established invalid access attempts.

After a user account has been locked out, the account remains locked for a minimum of administrator-defined minutes or until the administrator resets the account.

3 The system/session idle time-out features default to 15 minutes or less.

To specify login security:

1 Specify the maximum number of days after which the a password expires and must be updated in the Password must be changed every (days) field.

2 Specify the number of previous passwords that are remembered and that a new password cannot match in the Bar repeated passwords for this many changes field.

3 Select New password must contain 8 characters different from the old password to make the user create a password that has eight different characters than the old one if they are changing the password.

4 Specify the minimum password length in the Enforce a minimum password length of field.

5 Select the level of password complexity from the Enforce Password Complexity drop-down menu. You can select one of the following:

• None

• Require both alphanumeric and numeric characters

• Require alphabetic, numeric and symbolic characters

6 After the password complexity is chosen, enter the complexity requirements:

NOTE: The appliance password should be in compliance with selected password complexity. Otherwise, the appliance password has to be set manually from its web interface.



• Upper Case Characters

• Lower Case Characters

• Number Characters

• Symbolic Characters

7 Select the types of users for which the password constraints should apply.

• Select Administrator to apply these password constraints only to full and read-only administrators.

• Select Other full administrators to apply these password constraints to all administrators with local passwords.

• Select Limited administrators to apply these password constraints to all local users with limited administrator privileges.

• Select Other local users to apply these password constraints only to non-administrator users.

• Select Guest administrators to apply these password constraints only to guest admins.

8 Specify how long the SonicWall appliance(s) wait (in minutes) before logging out inactive administrators in the Log out the Administrator after inactivity of field.

9 To lockout the SonicWall appliance after user login failure, select Enable administrator/user lockout. When enabling, Enable local administrator/user account lockout option is made available. Uncheck this box when logging in using IP address lockout). Check the box to Log event only without lockout.

10 Specify the number of login failure attempts that must occur before the user is locked out in the Failed login attempts per minute before lockout field. This field is accessible only after enabling administrator/user lockout option.

11 Specify how long the user is locked out in the Lockout Period field. This field is accessible only after enabling administrator/user lockout option.

12 Indicate the maximum tolerated Max login attempts through CLI.


Multiple Administrators

To manage Multiple Administrators:

1 Choose, in the On preemption by another administrator setting, what happens when one administrator preempts another administrator using the Multiple Administrators feature:

• Drop to non-config mode - move the preempted administrator to non-configuration mode.

• Log out - log out the preempted administrator.

NOTE: Selecting Log Out disables Non-Config mode and prevents entering Non-Config mode manually.



2 In the Allow preemption by a lower priority administrator after inactivity of (minutes) field, enter the number of minutes of inactivity by the current administrator that allows a lower-priority administrator to preempt. The default is 10 minutes.

3 Select Enable inter-administrator messaging to allow administrators to send text messages through the management interface to other administrators logged into the appliance. The message appears in the browser’s status bar.

4 In the Messaging polling interval (seconds) field, set how often the administrator’s browser checks for inter-administrator messages. If there are likely to be multiple administrators who need to access the appliance, this should be set to a reasonably short interval to ensure timely delivery of messages. The default is 10 minutes.

5 Select Enable Multiple Administrator Roles to enable access by System Administrators, Cryptographic (Crypto) Administrators, and Audit Administrators. This option is disabled by default. When this option is disabled, the three administrators cannot access the system and all related user groups and information about them are hidden.


Enhanced Audit Logging Support

To enable enhanced audit logging:

1 Select Enable Enhanced Audit Logging to enable logging of all configuration changes in the Log > Log Monitor page. The log entry contains the parameter changed and user name.

2 Click Update.

Wireless ControllerYou can change the Wireless controller mode to the available options listed from the drop-down.

NOTE: Changing Wireless LAN controller mode, requires a reboot of the device.

Web Management SettingsIMPORTANT: These settings display only for appliances running SonicOS 6.2.5 or higher.



To configure web management settings:

1 To allow you to enable/disable HTTP management globally, select Allow management via HTTP.

2 To enable tooltips (see Managing Tooltips), select Enable Tooltip. Tooltips are enabled by default. To disable Tooltips, clear Enable Tooltip.

You can configure the duration of time before Tooltips display:

• Form Tooltip Delay - Duration in milliseconds before Tooltips display for forms (boxes where you enter text). The default is 2000 ms.

• Button Tooltip Delay - Duration in milliseconds before Tooltips display for radio buttons and checkboxes. The default is 3000 ms.

• Text Tooltip Delay - Duration in milliseconds before Tooltips display for UI text. The default is 500 ms.

3 The GMS supports versions 1.1 and 1.2 of the Transport Layer Security (TLS) protocol. To enforce use of TLS versions 1.1 and higher, select Enforce TLS 1.1 and Above.


Managing TooltipsEmbedded tool tips are available for many elements in the GMS UI. These Tooltips are small pop-up windows that are displayed when you hover your mouse over an information icon usually to the right of the element. These pop-ups provide brief information describing the element. Tooltips are displayed for many forms, buttons, table headings and entries.

When applicable, Tooltips display the minimum, maximum, and default values for form entries. These entries are generated directly from the GMS firmware, so the values are correct for the specific platform and firmware combination you are using.

Certificate Expire Checking Settings

NOTE: Not all UI elements have Tooltips. If a Tooltip does not display after hovering your mouse over an element for a couple of seconds, you can safely conclude that it does not have an associated Tooltip.

IMPORTANT: These settings display only for appliances running SonicOS 6.2.5 or higher.



To enable checking for certificate expiration:

1 Enable periodic certificate expiration check – Activates periodic checks of certificate’s expiration. When enabled, the Certificate expiration alert interval option becomes available.

2 Certificate expiration alert interval: 1 - 168 (in hours) – Sets the interval between certificate checks, in hours. The minimum time is 1 hour, the maximum is 168 hours, and the default is 168.


Enabling SonicOS APIYou can use SonicOS API as an alternative to the GMS Command Line Interface (CLI) for configuring selected functions. To do so, you must first enable SonicOS API. Use SonicOS API for certificate expiration checking. For more information about SonicOS API, see the SonicOS API Reference.

To enable SonicOS API:

1 Navigate to System | Administrator.

2 Scroll to SonicOS API.

3 Select Enable SonicOS API. This option is not selected by default.

Additional features appear.

4 You can Enable RFC-7616 HTTP Digest Access authentication (for example), and employ a number of different authentication schemes, some standardized, and some proprietary, and each with pros and cons. You can choose one or more to be enabled for use by API clients, and select option for those schemes that provide them. See the SonicOS API documentation and the relevant RFCs for more information, and note that the selections must mast match what the API client is set up to do. If multiple schemes are enabled, then a client is able to choose which it uses.

5 Click Update.

UUID SettingsUniversally Unique Identifiers (UUID) Settings have been added to the System > Administrator page that allow you to reveal the UUID of various objects and policies.



Applying UpdatesYou can apply any updates you have made immediately or schedule them to be applied at a specific time and date.

Topics:

• Applying Updates Immediately

• Scheduling Updates

Applying Updates ImmediatelyWhen you click Update to apply your changes, the Modify Task Description and Schedule dialog displays.

1 Select Immediate to apply your updates immediately to your configuration.

2 Click Accept.



Scheduling UpdatesWhen you click Update to apply your changes, the Modify Task Description and Schedule dialog displays.

1 Select At to schedule a specific date and time for your updates to be applied. The Modify Task Description and Schedule dialog changes to display additional fields and a selectable calendar.

2 Enter the name of the schedule in the Description field. This field is populated with the name of the setting to which the schedule applies.

3 Select a time when you want your updates applied. You can also select for this time to be either in your local timezone or that of one of the available agents.

4 Select the month, year, and day when you want your updates applied.

• Select the month and year from the drop-down menus.

• Select the day by clicking on the date on the calendar.

5 Click Accept.



3

Configuring Management Settings

To edit the remote management settings for a SonicWall security appliance:

1 Expand the SETUP tree and click System > Management. The Management page displays.

Topics:

• Management Protocol

• Management Method

• Miscellaneous

• Enable Preempt Mode

• One-Touch Configuration Overrides

• FIPS

• NDPP

• Click OK.

Management Protocol

To specify and configure the management protocol:

1 Navigate to the System > Management page.

2 To enable HTTPS access to the appliance at the GlobalView, select Enable HTTPS Access to the unit and enter the port number in the HTTPS Port field.

IMPORTANT: When you change the settings in a section, click Update to apply the new settings. To return the settings to default values, click Reset.

CAUTION: Changing the management parameters can cause units to be disconnected from the GMS.

NOTE: To change the HTTP or HTTPS ports for SonicOS units, go to the Firewall > Service Objects page and edit the corresponding service object.


Configuring Management Settings18

3 The Certificate Common Name field defaults to the SonicWall LAN Address. This allows you to continue using a certificate without downloading a new one each time you log into the appliance.


Management Method

To specify and configure the management method:


2 In the Management Method section, click Enable Management Using and specify whether the appliance is to be managed by GMS or a VPN Client in the drop-down menu.

3 When using GMS, enter the IP address or host name of the GMS server in the GMS HostName or IPAddress field.

4 Enter the syslog server port (default: 514) in the GMS Syslog Server Port field.

5 If the GMS is behind a device doing Network Address Translation (NAT), select GMS behind NAT Device and enter the IP address in the NAT Device IPAddress field.

6 If the appliance is managed over an existing VPN tunnel, select GMS on VPN (No SA Required).

7 Click Enable out of Band Management on the management port to enable the automatic creation of a management interface address object for the MGMT interface that works as an out-of-band interface, and configures a route policy for the newly created address object.

This management interface provides a trusted interface to the management appliance. Network connections to this interface are very limited. If the NTP, DNS, and SYSLOG servers are configured in the MGMT subnet, the appliance uses the MGMT IP as the source IP and creates MGMT address object and route policies automatically. All traffic from the management interface is routed by this policy. Created routes display on the Network > Route Policies page.

The MGMT address object and route policies are create/update IPv4 management IP. As the IPv6 management IP address object is created by default, this feature doesn't work on IPv6 management IP address object creation.


NOTE: To avoid conflict for delete/create route policies, updating this option to create a management interface address object and configure route policy causes system reboot.



Miscellaneous

To configure the miscellaneous options:


2 To minimize the amount of Syslog between the GMS and the SonicWall security appliance, select Send Heartbeat Status Messages Only.

When you check this setting, the unit only sends heartbeat (m=96) messages that tell the GMS that the unit is alive.

3 To allow users on the LAN interface to ping the appliance to verify that it is online, select Enable Ping from LAN/WorkPort to management interface.


Enable Preempt Mode

To enable Preempt Mode:


2 To allow GMS administrators to preempt users who are logged in directly to the SonicWall security appliance, select Allow GMS to preempt a logged in administrator.


One-Touch Configuration OverridesThe One-Touch Configuration Overrides feature can be thought of us as a quick tune-up for your SonicWall network security appliance’s security settings. With a single click, One-Touch Configuration Override applies over sixty configuration settings to implement SonicWall’s recommended best practices. These settings ensure that your appliance is taking advantage of SonicWall’s security features.

NOTE: This option should be used if you do not need the data to generate reports using the GMS.

IMPORTANT: A system restart is required for the updates to take full effect.



There is a set of One-Touch Configuration Overrides buttons:

• DPI and Stateful Firewall Security – For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules.

• Stateful Firewall Security – For network environments that do not have DPI security services enabled, but still want to employ SonicWall’s stateful firewall security best practices.

Both of the One-Touch Configuration Override deployments implement the following configurations:

• Configure Administrator security best practices

• Enforce HTTPS login and disables ping

• Configure DNS Rebinding

• Configure Access Rules best practices

• Configure Firewall Settings best practices

• Configure Firewall Flood Protection best practices

• Configure VPN Advanced settings best practices

• Configure Log levels

• Enable Flow Reporting and Visualization

The DPI and Stateful Firewall Security deployment also configures the following DPI-related configurations:

• Enable DPI services on all applicable zones

• Enable App Rules

• Configure Gateway Anti-Virus best practices

• Configure Intrusion Prevention best practices

• Configure Anti-Spyware best practices

To see exactly which settings are reconfigured, click on the Preview applicable changes link next to each button. A page displays with a list of each setting and the value to which it is set.

To apply One-Touch Configuration:


2 Scroll to the One-Touch Configuration Overrides section.

3 To view the changes that are made for each link, click the Preview applicable changes link to display a list of configuration changes.

4 Apply one-touch configuration overrides by clicking DPI and Stateful Firewall Security or Stateful Firewall Security. A confirmation dialog displays.

5 Click OK. (See Applying Updates for information on applying and scheduling updates.)

CAUTION: Be aware that the One-Touch Configuration Override might change the behavior of your SonicWall security appliance. Review the list of configurations before applying One-Touch Configuration Override. In particular, the following configurations might affect your experience:

• Administrator password requirements on the System > Administration page• Requiring HTTPS management• Disabling HTTP to HTTPS redirect• Disabling Ping management

IMPORTANT: If you are currently connected using HTTP, you have to manually reconnect through HTTPS after the reboot.



FIPSWhen operating in FIPS (Federal Information Processing Standard) Mode, the SonicWall security appliance supports FIPS 140-2 Compliant security. Among the FIPS-compliant features of the SonicWall Security Appliance include PRNG-based on SHA-1 and only FIPS-approved algorithms are supported (DES, 3DES, and AES with SHA-1).

To enable FIPs and see a list of which of your current configurations are not allowed or are not present:

1 Navigate to the Systems > Management page.

2 Scroll to the FIPS section.

3 To display the list of enforcements that need to be followed, click the here link. Click OK to close the dialog box.

4 If your SonicWall appliance:

• Complies with the checklist, go to Step 5.

• Does not comply with the checklist, manually change or disable settings to be compliant with FIPS mode requirement.

5 Select Enable FIPS Mode.

6 Click Update. A confirmation message displays.

7 Click OK to reboot the security appliance in FIPS mode.

To return to normal operation:

1 Clear Enable FIPS Mode.


3 Click OK to reboot the firewall in non-FIPS mode.

NDPPA SonicWall network security appliance can be enabled to be compliant with Network Device Protection Profile (NDPP), but certain firewall configurations are not allowed or are required.

NOTE: FIPS in SonicOS 6.2.5.1 and higher supports FIPS 2K certificate signing support (112 bits of security strength; 2048-bit key) while maintaining backward compatibility with previous signature modes.

CAUTION: When using the SonicWall Security Appliance for FIPS-compliant operation, the tamper-evident sticker that is affixed to the SonicWall Security Appliance must remain in place and untouched.

NOTE: NDPP is a part of Common Criteria (CC) certification. However, NDPP in the GMS is not currently certified.



The security objectives for a device that claims compliance to a Protection Profile are defined as follows:

Compliant TOEs (Targets Of Evaluation) provides security functionality that addresses threats to the TOE and implements policies that are imposed by law or regulation. The security functionality provided includes protected communications to and between elements of the TOE; administrative access to the TOE and its configuration capabilities; system monitoring for detection of security relevant events; control of resource availability; and the ability to verify the source of updates to the TOE.

You enable NDPP by selecting Enable NDPP Mode on the System > Settings page. After you do this, a pop-up message displays with the NDPP mode setting compliance checklist. The checklist displays every setting in your current GMS configuration that violates NDPP compliance so that you can change these settings. You need to navigate around the GMS management interface to make the changes. The checklist for an appliance with factory default settings is shown in the following procedure.

To enable NDPP and see a list of which of your current configurations are not allowed or are not present:

1 Navigate to the Systems > Management page.

2 Scroll to the NDPP section.

3 Select Enable NDPP Mode. The NDPP Mode Setting Verification message appears with a list of your required and not allowed configurations.

4 If your SonicWall appliance:

• Complies with the checklist, go to Step 6.

• Does not comply with the checklist, manually change or disable settings to be compliant with NDPP mode requirement.


6 Click OK.

NOTE: Enable NDPP Mode cannot be enabled at the same time as Enable FIPS Mode, which is also on the System > Settings page.

NOTE: This step is only applicable for units running SonicOS 5.9 and higher.

TIP: Leave the checklist dialog open while you make the configuration changes. If you click OK before all required changes are complete, Enable NDPP Mode is cleared automatically upon closing the checklist dialog. Select the checkbox again to see what configuration changes are still needed for NDPP compliance.




Configuring SNMP

4

24

Configuring SNMP

This section describes how to configure Simple Network Management Protocol (SNMP) settings for one or more SonicWall appliances.

To enable SNMP:

1 Navigate to System > SNMP.

2 Select Enable SNMP.

3 Click Update. A confirmation is displayed. (See Applying Updates for information on applying and scheduling updates.)

IMPORTANT: The options available on the SNMP page depends on whether the view is global or unit.

5

Managing Certificates

Topics:

• About Certificates

• Navigating the Certificates Page

• Configuring CA Certificates

• Importing New Local and CA Certificates

• Creating and Importing a Public Certificate and Private Key File

• Generating a Certificate Signing Request

• Configuring SCEP

• Deleting Certificates

About CertificatesA digital certificate is an electronic means to verify identity by using a trusted third-party known as a Certificate Authority (CA). SonicWall now supports third-party certificates in addition to the existing Authentication Service.

SonicWall security appliances interoperate with any X.509v3-compliant provider of Certificates. However, SonicWall security appliances have been tested with these vendors of Certificate Authority Certificates:

• Entrust

• Microsoft

• OpenCA

• OpenSSL and TLS

• VeriSign

Navigating the Certificates PageThe System | Certificates page:

• Displays details for Certificate Authority (CA) Certificates and local certificates that you have imported or configured on your SonicWall appliance.


Managing Certificates25

• Provides all the settings for managing CA and Local Certificates.

Topics:

• Certificates Search

• Certificates View Style

• Certificates and Certificate Requests

• Creating Certificate Signing Requests and Private Key using OpenSSL

• Importing Certificates

Certificates SearchThe Certificates Search section allows you to filter the Certificates and Certificate Request table to only those certificates of interest.

To search for a particular certificate or certificates:

1 Navigate to the System | Certificates page.

2 Scroll down to the Certificates Search section.



3 Select what to search for; the default is Name.

4 Refine the search criterion by selecting:

• Equals (default)

• Starts with

• Ends with

• Contains

5 Enter the criterion in the Search field.

6 Click Search. The results display in the Certificates and Certificate Requests table.

7 When finished, click Clear.

Certificates View StyleThe Certificates View Style menu allows you to choose which certificates are displayed.

• Choose the certificates and requests to display:

• All Certificates - displays all certificates and certificate requests.

• Imported certificates and requests - displays all imported certificates and generated certificate requests.

• Built-in certificates - displays all certificates included with the SonicWall security appliance.

• Include expired and built-in certificates - displays all expired and built-in certificates.



Certificates and Certificate RequestsThe Certificates and Certificate Requests table displays information about your certificates.

Information and options include:

• Name - Certificate name.

• Type - Certificate type, which can include CA or Local.

• Validated - Whether the certificate is validated: Yes, No.

• Expires - Date and time the certificate expires.

• Details - Certificate details. Moving the cursor over the Info icon displays the detail.

• Configure - Allows configuration with the following options:

• Edit icon to make changes to the certificate.

• Delete icon to remove a certificate; this icon is dimmed for built-in certificates.

• Email icon to email the certificate; this icon is dimmed for built-in certificates.

• Import icon to import either certificate revocation lists (for CA certificates) or signed certificates (for Pending requests).

NOTE: Built-in certificates cannot be deleted or emailed; the Delete and Email icons are dimmed.

NOTE: Default certificates are not editable. Only imported certificates and CSRs can be edited.

NOTE: Default certificates are not editable. Only imported local certificates and CSRs can be edited.



• Import button - Displays the Import Certificate dialog for importing local end-user and CA certificates from specifically encoded files.

• New Signing Request button - Create a new signing request directly from the GMS user interface.

• SCEP button - Manage certificates using the Simple Certificate Enrollment Protocol (SCEP) standard.

• Delete Certificate(s) button - Delete one or more certificates.

Configuring CA CertificatesTo configure CA Certificates:


2 Scroll to the Certificates and Certificate Requests section.

3 Under Name, select an imported certificate (built-in certificates cannot be configured).

4 Mouse-over the certificate’s Info icon in the Details column to display the Details pop-up.

5 Note the details.

6 Click an icon under Configure:

• Delete to remove the certificate.

• Email to export the certificate to a location by email.

• Upload to upload the certificate.

7 Specify a URL of the location of the Certificate Revocation List (CRL) in the CRL URL field. Then click CRL URL to launch the CRL.

8 To import a CRL, click Browse for the Import CRL field and navigate to the CRL. Then click Import CRL to import the CRL.

9 Click Invalidate Certificates and Security Association if CRL import or processing fails to ensure safe cleanup of half-imported certificates if when trying to import a CRL, the process is interrupted.



Importing New Local and CA CertificatesThis option allows you to import preexisting certificates stored locally.

To import a certificate:



3 Click Import… The Import Certificate dialog displays.

4 Choose either:

• Import a local end-user certificate with private key from a PKCS#12 (.p12 or .pfx) encoded file (default; local user).

• Import a CA certificate from a PDCS#7 (.p7b), PEM (.pem) or DER (.der or .cert) encoded file; the Certificate Name and Certificate Management Password fields do not display; go to Step 7.

5 Enter a name in the Certificate Name field.

6 Enter the password used to encrypt the certificate in the Certificate Management Password field.

7 Click Choose FIle.

8 Browse to the certificate location.

9 Open the file. The file name displays next to the Choose File button.

10 Click Import to complete the process.

Creating and Importing a Public Certificate and Private Key FileWhen a signed certificate along with it’s private key must be imported into the SonicWall GMS, the certificate can be in the Java Key Store format with a .JKS extension or a signed public certificate and a private key file. The importing is done under the appliance Deployment > Settings page of the System Interface (/appliance) in



Management. Create and import a public certificate and private key file. The certificate file (.crt/.cer), its corresponding key file (.key), and the password are required.

To create and import a signed certificate with private key into GMS (7.2 or later) for an HTTPS login using OpenSSL:

1 Navigate to the OpenSSL download page at OpenSLL.

2 Download the latest version of Win32 OpenSSL.

3 Launch the OpenSSL .EXE file.

4 As an administrator, open a DOS command prompt and type: cd c:openssl-win32bin (If your folder is not in c:openssl-win32 you should change it).

5 Type at the DOS prompt: set OPENSSL_CONF=c:openssl-win32binopenssl.cfg (if you do not run this line, you will see the following error message: WARNING: cannot open config file: /usr/local/ssl/openssl.cnf.

Creating Certificate Signing Requests and Private Key using OpenSSLTo create a certificate signing request (CSR) and private key file with a command prompt, use the following commands:

1 Navigate to: [install location]OpenSSL-Win32bin

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

2 Provide the appropriate information for the CSR generation (Common Name, Organization, and so on.)

3 Gather the CSR and private key files from the OpenSSL-Win32bin folder.

4 Submit the CSR to CA for a re-key of your current certificate or to request a new certificate.

Importing CertificatesTo import the new certificate:

1 Gather the signed certificate from CA (Apache or Tomcat format).

2 Import the certificate (provided by CA) and the .KEY file created through OpenSSL from the System Interface under Deployment > Settings > SSL Access Configuration of System Interface (/appliance).

3 Reboot the server.

WARNING: Do NOT click the “Enable HTTPS redirection” option on the /Appliance console Deployment > Settings page after importing the certificate until you have first tested that you can still connect to GMS over the designated HTTPS port. Otherwise, if something is wrong with the certificate, you cannot get back into the GMS WebUI and you have to call Support to receive help in disabling the HTTPS Redirection setting from the CLI.



http://slproweb.com/products/Win32OpenSSL.html

Generating a Certificate Signing Request

To generate a certificate signing request:

1 Navigate to System | Certificates.


3 Click New Signing Request. The Certificate Signing Request dialog displays.

4 Specify a name for the certificate in the Certificate Alias field.

5 Specify and then enter one or more Subject Name attributes:

• Country (default), State, Locality or County, Company or Organization

• Country, State (default); Locality, City, or County; Company or Organization; Department

• Locality, City, or County (default); Company or Organization; Department; Group; Team

• Company or Organization (default), Department, Group, Team

• Department (default), Group, Team, Common Name, Serial Number, E-mail Address

• Group (default), Team, Common Name, Serial Number, E-mail Address

• Team (default), Common Name, Serial Number, E-mail Address

• Common Name (default), Serial Number, E-mail Address

As you enter the Subject Name attribute(s), the Subject Distinguished Name field is populated.

6 Optionally, select and enter a Subject Alternative Name (Optional):

• Domain Name (default)

NOTE: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.

NOTE: This option is available only at the unit level.



• E-mail Address

• IPv4 Address

The Subject Key Type is RSA.

7 Select the Signature Algorithm:

• MD5

• SHA1

• SHA256

• SHA284

• SHA512

8 Select a key size from Subject Key Size:

• 1024 bits (default)

• 1536 bits

• 2048 bits

• 4096 bits

9 Click Generate. The request displays in the Certificates and Certificate Requests section.

10 Click Export. You are prompted to save the file. It is saved in the PKCS 10 format.

11 Obtain a certificate from one of the approved certificate authorities using the PKCS 10 file.

12 After you receive the certificate file, locate and import the file by clicking Browse in the Import Certificate With Private Key section. Then click Import. The certificate appears in the Current Local Certificates section.

Configuring SCEP

The Simple Certificate Enrollment Protocol (SCEP) simplifies the process of issuing large numbers of certificates using an automatic enrollment technique. SCEP is supported for appliances running SonicOS Enhanced 5.5 or higher.

To configure SCEP:

1 Navigate to the System > Certificates page.

NOTE: After applied to the unit, the generated CSR is then available for Export.

NOTE: SCEP configuration is supported at the appliance level.



2 Click SCEP. The SCEP Configuration dialog displays.

3 Configure the following options for the SCEP configuration:

• CSR List - Select a certificate signing request (CSR) list if one has been uploaded.

• Challenge Password - (optional) Enter the password used to authenticate the enrollment request.

• CA URL - Enter the URL of the certificate authority.

• Request Count - The default is 256.

• Polling Interval(S) - The default is 30.

• Max Polling Time(S) - The default is 28800.

4 Click SCEP to apply the SCEP configuration.

Deleting Certificates

To delete a certificate:


2 Scroll down to the Certificates and Certificate Requests section.

3 Click the Delete icon for the certificate you want to delete. A confirmation message displays.

4 Click OK.

To delete one or more certificates:


1 Scroll down to Certificates and Certificate Requests.

2 Select the checkbox(es) for the certificate(s) you want to delete.

3 Click Delete Certificate(s). A confirmation message displays.

4 Click OK.

IMPORTANT: Built-in certificates cannot be deleted. Both the checkbox and Delete icon are dimmed for built-in certificates.



6

Configuring Time-Related Settings

The GMS user interface (UI) is similar to the standard SonicWall appliance UI. However, GMS offers the ability to push configuration settings to a single SonicWall appliance, a group of SonicWall appliances, or all SonicWall appliances being managed by GMS.

Topics:

• Changing Time

• NTP Server Search

• Adding an NTP Server

• Editing an NTP Server

• Deleting NTP Servers

NOTE: The unit view does not contain NTP server sections.


Configuring Time-Related Settings35

Changing TimeTo change time settings on one or more SonicWall appliances:

1 Navigate to the System | Time page.

2 Scroll down to the Set Time section.

3 Select the Time Zone of the appliance(s) from Time Zone.

4 To configure the SonicWall(s) to automatically adjust their clocks for Daylight Savings Time, select Automatically adjust clock for daylight savings time.

5 To configure the SonicWall(s) to use Universal Time Coordinated (UTC) or Greenwich Mean Time (GMT) instead of local time, select Display UTC in logs (instead of local time).

6 To configure the SonicWall(s) to display the date in the international time format, select Display date in International format.

7 To configure the SonicWall(s) to only use custom NTP servers, select Only use custom NTP servers.

8 Under NTP Settings, to configure the SonicWall(s) to automatically set the local time using Network Time Protocol (NTP), select Set time automatically using NTP.

9 Enter the update interval in the Update Interval every (minutes) field. The minimum interval is 5 minutes, the maximum is 99999 minutes, and the default is 60 minutes.



10 When you are finished, click Update. The Modify Task Description and Change Order dialog displays.

11 Click Accept. The modifications are made to the Access entry in the Accesses table.

12 To clear all screen settings and start over, click Reset.

13 If you do not want to use the SonicWall appliance's internal NTP list, you can add your own NTP list. To add an NTP server, click Add under the NTP Servers section. A pop-up window displays:

14 Enter the IP address or FQDN of the remote NTP server. A task gets scheduled to add the NTP server to each selected SonicWall appliance.

15 From the NTP Server drop-down menu, select No Auth or MD5, depending on your deployment. If you selected an auth type, enter the trust key number, key number, and password.

16 Click Update, the newly added server is populated in the NTP Servers list. Multiple servers can be added by clicking Add.

NOTE: If you are not using NTP for the appliance, then the GMS configures the time of the appliance to be identical to the time of the GMS Agent pushing the configuration to the appliance (after adjusting for any time zone differences).



NTP Server SearchThe NTP Server Search section allows you to filter the NTP Server Search table to only those NTP servers of interest.

To search for a particular NTP server:


2 Scroll down to the NTP Server Search section.

3 Select what to search for. (The default is NTP Server.)

4 Refine the search criterion by selecting:

• Equals (default)

• Starts with

• Ends with

• Contains

5 Enter the criterion in the Enter Search text field.

6 Click Search. The servers that match your criteria display in the NTP Servers table.

7 When finished, click Clear.

Adding an NTP ServerTo add an NTP server:


2 Scroll down to the NTP Servers section.

3 Click Add. The Add NTP Server dialog displays.

4 In the NTP Server field, enter the IP address of FQDN of the remote NTP server.

5 From NTP Auth Type select:

• No Auth (default); go to Step 9.

• MD5; the following options become available.



6 In the Trust Key No. field, enter the trust key number.

7 In the Key Number field, enter the key number, which must be a positive number.

8 In the Password field, enter a new password for the appliance. If this field is left blank, the current password of the appliance remains unchanged.

9 Click OK. The Modify Task Description and Schedule dialog displays.


11 Select the type of schedule for the task:

• Default

• Immediate

• At: (specify when the task is to take place)

12 Click Accept. The server is added to the NTP Servers table.

Editing an NTP ServerTo edit an NTP server:



3 Click the Edit icon for the NTP server to be edited. The Edit NTP Server dialog displays.

4 Make the changes.

5 Click OK. The entry in the NTP Servers table is updated.

Deleting NTP ServersTo delete an NTP server:



3 Click the Delete icon for the NTP server to be deleted. A confirmation message displays.

4 Click OK.

To delete one or more NTP servers:



3 Click the checkbox(es) for the NTP server(s) to be deleted. A confirmation message displays.

4 Click OK.



7

Configuring Schedules

You can configure schedule groups on the Schedules page. Schedule Groups are groups of schedules to which you can apply firewall rules. For example, you might want to block access to auction sites during business hours, but allow employees to access the sites after hours.

You can apply rules to specific schedule times or all schedules within a Schedule Group. For example, you might create an Engineering Work Hours group that runs from 11:00 AM to 9:00 PM, Monday through Friday and 12:00 PM to 5:00 PM, Saturday and Sunday. After configured, you can apply specific firewall rules to the entire Engineering Work Hours Schedule Group or only to the weekday schedule.

The Schedules page has predefined schedules that you can edit but not delete; their Delete icons are dimmed:

• Work Hours

• After Hours

• Weekend Hours

• AppFlow Report Hours

• App Visualization Report Hours

• TSR Report Hours

• Cloud Backup Hours

• Guest Cycle Quota Update

To create a Schedule Group:

1 Navigate to the System > Schedules page.


Configuring Schedules40

2 To add a Schedule Group, click Add Schedule Group. The Add Schedule dialog displays.

3 Enter the name of the Schedule Group in the Name field.

4 In the Schedule Type section, select if the schedule occurs:

• Once – Go to Step 5.

• Recurring – Go to Step 6.

• Mixed – Allows you to enter both Once and Recurring.

5 For a schedule that occurs only once:

a Select the year, month, date, hour, and minutes for the Start and End fields. The Recurring options are dimmed.

b Go to Step 7.

6 For recurring schedules:

a Select the checkboxes for each day the schedule applies or select All.

b Enter the start time for the recurring schedule in the Start Time fields. Make sure to use the 24-hour format.

c Enter the end time for the recurring schedule in the Stop Time fields. Make sure to use the 24-hour format.

d To add more times for the recurring schedule, click Add. The time is added to the schedule list.

e Repeat Step a through Step d for each recurring time to add to the schedule list.

7 Click OK. The Schedule Group is added to the Schedules table.

8 To edit a Schedule Group, click its Edit icon. The Edit Schedule Group dialog displays.

NOTE: The Once and Mixed schedule types are only available for systems running SonicOS Enhanced 5.5 and newer.

TIP: The hours are listed in 24-hour format.

NOTE: To delete a time from the schedule, select the schedule in the list and then click Delete. To delete all times from the schedule list, click Delete All.



9 Edit the Schedule Group details.

10 Click OK. The Modify Task Description and Schedule dialog displays.


12 Select the type of schedule for the task:

• Default

• Immediate

• At: (specify when the task is to take place)

13 Click Accept. The server is added to the Schedules table.



8

Using Tools

You can use SonicWall tools for:

• Restarting SonicWall Appliances

• Requesting Diagnostics

• Inheriting Settings

• Synchronizing Appliances

• Synchronizing Licenses with MySonicWall.com

• Restart Appliance

Some of these tools are available only for certain levels (domain, group, or unit) or change by level.

Restarting SonicWall AppliancesSome GMS changes require that the SonicWall appliance(s) be automatically restarted after changes are applied. However, there might be instances when you want to restart the SonicWall appliance(s) manually.

To restart one or more SonicWall appliances:

1 Navigate to the System > Tools page. The Tools page displays.

2 To restart the selected SonicWall appliance(s) on the:

• Domain level, click Restart all Appliances in the System.

• Group level, click Restart all Appliances in the Group.

• Unit level, click Restart Appliance.

TIP: We recommend restarting the SonicWall appliance(s) when network activity is low.

TIP: This is the domain Tools page. The Tools page for the group and unit levels are slightly different.


Using Tools43

Requesting DiagnosticsTo request diagnostics for SonicWall appliances:


2 To request diagnostics for the selected SonicWall appliance(s) on the:

• Domain level, click Request Diagnostics for all Appliances in the System.

• Group level, click Request Diagnostics for all Appliances in the Group.

• Unit level, click Request Diagnostics for Appliance.

A confirmation message displays.


4 To view the diagnostics, navigate to Application Configuration Panel | Current Status | Diagnostics > Snapshot Status.

5 From Diagnostics Requested, select the diagnostics you want to review.

6 Click View SnapShot Data.

TIP: This is the domain Tools page. The Tools page for the group and unit levels are slightly different.


Using Tools44

Inheriting SettingsOn the System > Tools page, you can apply inheritance filters at a global, group, or appliance level. You can select an existing inheritance filter and customize which of its rules are actually inherited. You can do this on the fly, without the need to create an entirely separate filter.

To apply the inheritance filters:


2 In the Inherit Settings at Group (or Unit) section, choose either:

• Forward Inheritance.

• Reverse Inheritance.

3 Use the Filter drop-down menu to select the desired filter to apply.

4 Click Preview to display the Preview of Inheritance Settings dialog.

TIP: The Preview of Inheritance Settings dialog for reverse inheritance is slightly different from that for forward inheritance.

NOTE: When configuring forward inheritance at the group or global level, all selected settings are pushed to all units in the group or system.

TIP: Clicking the View Page icon displays the appropriate page; for example, the Firewall > Address Objects.


Using Tools45

Forward Inheritance Preview

Reverse Inheritance Preview

5 Review the settings to be inherited. You can continue with all of the default settings selected for inheritance or select only specific settings for inheritance by selecting their checkboxes.

6 If the Type chosen was:

• Forward Inheritance, go to Step 8.

• Reverse Inheritance, the Reverse Inheritance Options section displays on the Preview of Inheritance Settings dialog.

7 Choose either:

• Update only the target parent node.


Using Tools46

• Update the target parent node and all unit nodes under it.

8 Click Next to see more settings. A progress bar displays.

When the operation completes, the next page of settings displays. The Update button also displays.

9 Select settings from the new display.


After the inheritance operation is complete, the desired settings from the unit or group node should now be updated and reflected in the parent node’s settings, as well as in the settings of all other units, if selected.

Synchronizing AppliancesIf a change is made to the SonicWall appliance through any means other than through GMS, the GMS is notified of the change through the Syslog data stream. You can configure an alert through the Granular Event Management framework to send email notification when a local administrator makes changes to a SonicWall appliance through the local user interface rather than through GMS. After the Syslog notification is received, GMS schedules a task to synchronize its database with the local change. After the task successfully executes, the current configuration (prefs) file is read from the SonicWall appliance and loaded into the database.

Auto-synchronization automatically occurs whenever GMS receives a local change notification status Syslog message from a SonicWall appliance.

You can also force an auto-synchronization at any time for a SonicWall appliance or a group of SonicWall appliances.

To synchronize the appliance:

1 Navigate to the System | Tools page. The Tools page displays.

2 To synchronize the selected SonicWall appliance(s), click Synchronize Settings. A confirmation message displays.


NOTE: For the Firewall > Service Objects and Firewall > Access Rules pages, by default, inheriting group settings overwrites the values at the unit level with the group values.

NOTE: The auto-synchronization feature can be disabled on the Settings page by unchecking Enable Auto Synchronization option.


Using Tools47

Synchronizing Licenses with MySonicWall.comSonicWall appliances check their licenses/subscriptions with MySonicWall.com once every 24 hours. You can have an appliance synchronize this information with MySonicWall.com without waiting for the 24-hour schedule.

To force the SonicWall to synchronize with MySonicWall.com:


2 To synchronize the selected SonicWall appliance(s) on the:

• Global level, click Synchronize all Appliance(s) in the System with MySonicWall.com.

• Group level, click Synchronize all Appliance(s) in the Group with MySonicWall.com.

• Unit level, click Synchronize the Appliance with MySonicWall.com.

A confirmation message displays.


Restart ApplianceThe appliance can be restarted if there are any changes made or to reflect any changed settings.


Using Tools48

www.MySonicWall.com

To force restart the appliance:


2 To restart the SonicWall appliance(s) on the:

• Global level, click Restart Appliance.

• Group level, click Restart Appliance.

• Unit level, click Restart Appliance.A confirmation message displays.



Using Tools49

9

Configuring Contact Information

The System > Info page contains contact information for the SonicWall appliance. These settings are for informational purposes only and do not affect the operation of SonicWall appliances.

To change informational settings on one or more SonicWall appliances:

1 Navigate to the System > Info page. The Info page displays.

2 In the Appliance Contact Info section, enter appliance contact information for the SonicWall appliance(s).


Configuring Contact Information50

3 Click Locate Geocode. A pop-up dialog displays with the results.

4 Select the correct Match Address.

5 Click Accept. The GeoLocation Latitude and Longitude fields populate with the SonicWall appliance latitude and longitude coordinates.

6 Click Close.

7 Optionally, complete the Contact Info fields.

8 Optionally, complete the ISP Info fields.

9 When you are finished, click Update. A task gets spooled and after it is executed successfully, the information is updated for the selected SonicWall appliances. A success message displays at the top of the page.

To reset all settings and start over, click Reset.

TIP: Scroll to the right to view the latitude and longitude.

TIP: You can enter the latitude or longitude coordinates in the GeoLocation fields, and click Locate Address to populate the address information fields. The location information enables your SonicWall appliance to display on the Dashboard Geographic Map.


Configuring Contact Information51

10

Configuring System Settings

The GMS enables you to save SonicWall appliance settings to the GMS database that can be used for restoration. The GMS can automatically take back ups of the appliance configuration files at regular schedules and store them in the database. The schedule is configured in the Settings page by specifying a schedule for the Automatically save settings file… option. Here you can specify that a back up should never be taken or back ups should be taken on a daily or weekly schedule. If the schedules are set for daily or weekly, then the back ups are done for all appliances for which Enable Prefs File Backup is selected in this screen.

Topics:

• Saving Settings

• Applying Settings

• Deleting Saved Settings Files

• Storing External Preferences Files

• Automatically Backing Up Preferences for SonicWall Appliances

• Automatically Purging Older Backups

• Configuring the Number of Heartbeat Messages That Can Be Missed


Configuring System Settings52

Saving Settings

To save the settings of a SonicWall appliance to the SonicWall GMS database:

1 Navigate to the System | Settings page. The Settings page displays.

2 Select a settings from the Saved Settings table.

3 Click Save the settings to a local file. An Opening Settings_filename dialog displays.

4 Save the file.

TIP: You can save multiple version of settings for each SonicWall appliance to the GMS database and to different local files.



Applying SettingsTo apply settings to the SonicWall appliance directly from the GMS database:


2 Select the saved settings from the Saved Settings table.

3 Click Restore the settings to the unit.

Deleting Saved Settings FilesTo delete a saved settings file:

1 Navigate to the System > Settings page. The Settings page displays.

2 Select a file from the Saved Settings table.

3 Click the Delete the settings link. A confirmation message displays.

4 Click OK.

Storing External Preferences FilesTo store an external Prefs file into the database:

1 Navigate to the System > Settings page. The Settings page displays.

2 Scroll to the Store New Settings section.

3 Enter a name for the Prefs file in the Name field.

4 Choose either:

• Store settings read from unit (default).

• Store settings from local file; stores the prefs file from the local hard disk into the GMS database so that it displays in the Saved Settings table.

5 Click Browse. A File Upload dialog displays.

6 Select the file.

7 Click Open. The name of the file is displayed next to the Browse button.


After the prefs file is stored in the database, it displays in the Saved Settings table, you can click Restore the settings to the unit.

NOTE: The Restore the settings to the unit option is available only at the unit level, and not at the group and global levels. This option does not display at the group and global levels to minimize the risk o writing a non-compatible Prefs file to an incorrect firmware version running on a SonicWall appliance.



Automatically Backing Up Preferences for SonicWall AppliancesTo automatically backup the preferences for the selected SonicWall appliance:


2 Select Enable Settings File Backup.

3 Click Update. The Modify Task Description and Schedule dialog displays. (See Applying Updates for information on applying and scheduling updates.)

Automatically Purging Older BackupsIf you want to automatically purge older backups:

1 Enter the number of newer backup files you want to keep in the Number of newest Setting Files to be preserved field. Enter 0 to prevent purging of older backups.

2 Click Update. The Modify Task Description and Schedule dialog displays. (See Applying Updates for information on applying and scheduling updates.)

Configuring the Number of Heartbeat Messages That Can Be MissedThe GMS relies on special syslogs called heartbeat messages to determine if an appliance is up and running.

To configure the number of heartbeat messages the GMS can miss before considering the unit to be down:


2 Scroll to the Configure Missed Reports Settings section.

3 Set the number of missed heartbeat messages in the Missed Reports Threshold field. A value of 0 means the unit is never reported as Down/Red in GMS. The default is 3.


NOTE: The backed up prefs file contains the configuration settings and the firmware version of the security appliance you are backing up.

TIP: Go to the APPLICATION CONFIGURATION PANEL | Management > Settings page and update the values in the Automatically save settings file option. This enables you to specify when and how frequently the GMS backs up the preferences files.



11

SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.SonicWall.com/support.

The Support Portal enables you to:

• View knowledge base articles and technical documentation

• View video tutorials

• Access MySonicWall

• Learn about SonicWall professional services

• Review SonicWall Support services and warranty information

• Register for training and certification

• Request technical support or customer service

To contact SonicWall Support, visit https://www.SonicWall.com/support/contact-support.


SonicWall Support56

https://www.sonicwall.com/support

https://www.sonicwall.com/support/contact-support

About This Document

SonicWall GMS System AdministrationUpdated - January 2021Software Version - 9.3232-005119-00 Rev B

Copyright © 2021 SonicWall Inc. All rights reserved.

SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.

For more information, visit https://www.SonicWall.com/legal.

End User Product Agreement

To view the SonicWall End User Product Agreement, go to:https://www.sonicwall.com/legal/end-user-product-agreements/

Open Source Code

SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.” to:

General Public License Source Code RequestSonicWall Inc. Attn: Jennifer Anderson1033 McCarthy BlvdMilpitas, CA 95035

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.


SonicWall Support57

https://www.sonicwall.com/legal

https://www.sonicwall.com/legal/end-user-product-agreements/

sonicwall global management service system...gms system administration contents 2 viewing system...

Documents