User manual SONICWALL SONICOS ENHANCED 5.6 ADMINISTRATORS

[. . . ] SonicOS Enhanced 5. 6 Administrator's Guide PROTECTION AT THE SPEED OF BUSINESSTM Table of Contents Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii Part 1: Introduction Chapter 1: Preface . . 37 Part 2: System Chapter 3: Viewing the SonicWALL Security Dashboard . . 52 SonicOS Enhanced 5. 6 Administrator Guide iii Latest Alerts . 89 iv SonicOS Enhanced 5. 6 Administrator Guide SafeMode - Rebooting the SonicWALL Security Appliance . [. . . ] Setting General Tab Action From Zone To Zone Service Source Destination Users Allowed Schedule Enable Logging Allow Fragmented Packets Qos Tab DSCP Marking Action Allow 802. 1p Marking to override DSCP values 802. 1p Marking Action Map Enabled Map Map Enabled Map Allow LAN VPN VOIP Lan Subnets All Always on Enabled Enabled Allow VPN LAN VOIP Remote Site 1 Subnets All Always on Enabled Enabled Access Rule 1 Access Rule 2 Remote Site 1 Subnets Lan Subnets VoIP traffic (as defined by the Service Group) arriving from Remote Site 1 Subnets across the VPN destined to LAN Subnets on the LAN zone at the Main Site would hit the Access Rule for inbound VoIP calls. Traffic arriving at the VPN zone will not have any 802. 1p tags, only DSCP tags. ­ Traffic exiting the tunnel containing a DSCP tag (e. g. Before the packet is delivered to the destination on the LAN, it will also be 802. 1p tagged according to the QoS Mapping settings (e. g. CoS = 6) by the SonicWALL at the Main Site. ­ Assuming returned traffic has been 802. 1p tagged (e. g. CoS = 6) by the VoIP phone receiving the call at the Main Site, the return traffic will be DSCP tagged according to the conversion map (CoS = 48) on both the inner and outer packet sent back across the VPN. ­ Assuming returned traffic has been DSCP tagged (e. g. CoS = 48) by the VoIP phone receiving the call at the Main Site, the return traffic will have the DSCP tag preserved on both the inner and outer packet sent back across the VPN. ­ Assuming returned traffic has been both 802. 1p tagged (e. g. CoS = 14) by the VoIP phone receiving the call at the Main Site, the return traffic will be DSCP tagged according to the conversion map (CoS = 48) on both the inner and outer packet sent back across the VPN. SonicOS Enhanced 5. 6 Administrator Guide 569 Firewall > QoS Mapping (Not Supported on TZ platforms nor the NSA 240) Bandwidth Management SonicOS Enhanced offers an integrated traffic shaping mechanism through its Egress (outbound) and Ingress (inbound) bandwidth management (BWM) interfaces. Outbound BWM can be applied to traffic sourced from Trusted and Public zones (e. g. Inbound BWM can be applied to traffic sourced from Untrusted and Encrypted zones destined to Trusted and Public zones. Note Although BWM is a fully integrated QoS system, wherein classification and shaping is performed on the single SonicWALL appliance, effectively eliminating the dependency on external systems and thus obviating the need for marking, it is possible to concurrently configure BWM and QoS (i. e. This allows those external systems to benefit from the classification performed on the SonicWALL even after it has already shaped the traffic. BWM configurations begin by enabling BWM on the relevant WAN interface, and declaring the interface's available bandwidth in Kbps (Kilobits per second). This is performed from the Network > Interfaces page by selecting the Configure icon for the WAN interface, and navigating to the Advanced tab: Egress and Ingress BWM can be enabled jointly or separately on WAN interfaces. Different bandwidth values may be entered for outbound and inbound bandwidth to support asymmetric links. Link rates up to 100, 000 Kbps (100Mbit) may be declared on Fast Ethernet interface, 570 SonicOS Enhanced 5. 6 Administrator Guide Firewall > QoS Mapping (Not Supported on TZ platforms nor the NSA 240) while Gigabit Ethernet interfaces will support link rates up to 1, 000, 000 (Gigabit). The speed declared should reflect the actual bandwidth available for the link. declaring a value greater than the available bandwidth) is not recommended. Note Once BWM has been enabled on an interface, and a link speed has been defined, traffic traversing that link will be throttled--both inbound and outbound--to the declared values, even if no Access Rules are configured with BWM settings. Once one or both BWM settings are enabled on the WAN interface and the available bandwidth has been declared, a Ethernet BWM tab will appear on Access Rules. The Bandwidth tab will present either Inbound settings, Outbound settings, or both, depending on what was enabled on the WAN interface: The configuration on the General tab will classify the traffic. In the above example, which assumes no other configured BWM rules, traffic from the LAN (Trusted) zone's LAN Subnets destined to the VPN (Encrypted) zone's 10. 50. 165. 0 remote subnet, consisting of Service Group VOIP will be guaranteed 30% of the declared bandwidth (30% of 1500Kbps = 450Kbps), but it will not be permitted to exceed 80% (80% of 1500Kbps = 1200Kbps), leaving 300Kbps for other traffic. SonicOS Enhanced 5. 6 Administrator Guide 571 Firewall > QoS Mapping (Not Supported on TZ platforms nor the NSA 240) Declaration Limits Bandwidth Management rules each consume memory for packet queuing, so the number of allowed queued packets and rules on SonicOS Enhanced is limited by platform (values are subject to change): Max Queued Packets 2080 2080 2080 6420 6420 6420 Max Total BWM Rules 100 100 100 100 100 100 Platform NSA 3500 NSA 4500 NSA 5000 NSA E5500 NSA E6500 NSA E7500 Consider the following about bandwidth management: · The grand total of all declared Guaranteed Bandwidth percentages across all BWM rules cannot exceed 100%, since it is not possible to guarantee greater than 100% of the available bandwidth. The grand total of all Maximum Bandwidth values must be equal to or greater than the total Guaranteed Bandwidth. every BWM rule may specify 100% Maximum Bandwidth, if no explicit throttling is required). · · Outbound Bandwidth Management Bandwidth Management as employed by SonicOS Enhanced is based on an amalgamation of queue management and congestion avoidance techniques, but in empirical practice it most closely resembles Class Base Queuing (CBQ), as defined by Sally Floyd and Van Jacobson in Link-sharing and Resource Management Models for Packet Networks, while incorporating elements of RFC2309 Recommendations on Queue Management and Congestion Avoidance in the Internet and various credit-based flow control theory. The overarching goals of the SonicOS BWM scheme are: · · Simplicity ­ The processing overhead must be consistently and appreciably less than average packet transmission times. [. . . ] If super-g is selected, all clients must use access cards that support this mode Sets the RTS threshold in bytes Sets Service Set Identifier identifying a particular SonicPoint Sets the on/off schedule string for 802. 11g radio Sets a convenient time to schedule an Intrusion Detection Scan (IDS) Allows clients to disassociate and re-associate more quickly Sets Transmit Power Control strength Sets the IP address location of the RADIUS authentication server Sets the port for authentication through the RADIUS server Sets the secret passcode for the RADIUS authentication server Sets the IP address for the backup RADIUS authentication server Sets the port for authentication through the backup RADIUS server Sets the secret passcode for the backup RADIUS authentication server SonicOS Enhanced 5. 6 Administrator's Guide 1169 SonicOS Enhanced Command Listing Command SSH SUB-COMMANDS ssh enable <interface> ssh genkey ssh port <port> ssh restore ssh terminate SSL VPN SUB-COMMANDS sslvpn client sslvpn portal sslvpn settings TIMEOUT SUB-COMMAND timeout <minutes> VPN SUB-COMMANDS [no] vpn <enable|disable> <policy name> [no] vpn policy <policy-name> [preshared| manual|cert] VPN SUB-COMMANDS (PRE-SHARED SECRET) abort [no] advanced apply-nat <local|remote> <translated address object> [no] advanced auto-addrule advanced bound-to interface <interface> advanced bound-to zone <zone> [no] advanced defaultlan-gw <ip address> [no] advanced keepalive Description Enables SSH management for the specified interface Creates a new key to use with SSH Assigns the SSH port or resets to the default port Restores SSH management settings to defaults Stops all SSH sessions, disables all SSH management, and resets the port Configures or modifies SSL VPN client settings Configures or modifies SSL VPN portal settings Configures or modifies SSL VPN settings Sets login timeout in minutes Enables or disables VPN for a specific policy Enables or disables a specific VPN policy Exits to top-level menu and cancels changes where needed Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel Enables or disables the auto-add access rule Binds VPN policy to specific interface Binds VPN policy to a specific zone Sets the default LAN domain gateway for VPN tunnel traffic Enables or disables heartbeat messages between peers on this VPN tunnel Enables or disables HTTP as the management method security association Enables or disables HTTPS as the management method security association [no] advanced management http [no] advanced management https 1170 SonicOS Enhanced 5. 6 Administrator's Guide SonicOS Enhanced Command Listing Command [no] advanced multicast [no] advanced netbios [no] advanced use-xauth <group-name> [no] advanced user-login http [no] advanced user-login https cancel end exit finished gw domain-name <domain name> gw ip-address <ip address> id local <domainname|email address|ipaddress|sonicwall-id> <our id> id remote <domain name|email address|ipaddress|sonicwall-id> <their id> info network local <addressobject> <address object string>|any|dhcp> network remote <addressobject<address object string>|any|dhcp> pre-shared-secret <string> proposal ike [<main|aggressive|ikev2>] [encr <des|triple-des|aes128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] Description Enables IP multicasting traffic to pass through the VPN tunnel Enables or disables Windows Networking (NetBIOS) Broadcast Configures or removes the specified user group for XAUTH users Enables or disables required user login through HTTP Enables or disables required user login through HTTPS Cancel from menu without applying changes Exits VPN configuration mode Exits menu and applies changes Exits to top-level and applies changes where needed Sets the primary gateway domain name Sets the primary gateway IP address Sets the name and IP address of the local connection Sets the name and IP address of the remote connection Displays information on a specific VPN policy Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP Sets a specific VPN tunnel as the default route for all incoming Internet traffic Established specified preshared secret Sets the desired IKE encryption suite configurations for VPN tunnel traffic SonicOS Enhanced 5. 6 Administrator's Guide 1171 SonicOS Enhanced Command Listing Command proposal ipsec [<esp|ah>] [encr <des|tripledes|aes-128|aes-192|aes256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] sec-gw domain-name <domain name> sec-gw ip-address <ip address> Description Sets encryption settings for IPSec proposal Sets the secondary gateway domain name Sets the secondary gateway's IP address 1172 SonicOS Enhanced 5. 6 Administrator's Guide SonicOS Enhanced Command Listing Command VPN SUB-COMMANDS (MANUAL KEY) abort [no] advanced apply-nat <local|remote> <translated address object> [no] advanced auto-addrule advanced bound-to interface <interface> advanced bound-to zone <zone> [no] advanced keepalive Description Exits to top-level menu and cancels changes where needed Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel Enables or disables the auto-add access rule Binds VPN policy to specific interface Binds VPN policy to a specific zone Enables or disables heartbeat messages between peers on this VPN tunnel Enables or disables HTTP as the management method security association Enables or disables HTTPS as the management method security association Enables IP multicasting traffic to pass through the VPN tunnel Enables or disables Windows Networking (NetBIOS) Broadcast Configures or removes the specified user group for XAUTH users Enables or disables required user login through HTTP Enables or disables required user login through HTTPS Cancel from menu without applying changes Exits configuration mode Exits menu and applies changes Exits to top-level and applies changes where needed Sets the primary gateway domain name Sets the primary gateway IP address Displays information on a specific VPN policy Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP Sets a specific VPN tunnel as the default route for all incoming Internet traffic [no] advanced management http [no] advanced managment https [no] advanced multicast [no] advanced netbios [no] advanced use-xauth <group name> [no] advanced user-login http [no] advanced user-login https cancel end exit finished gw domain-name <domain name> gw ip-address <ip address> info network local <address object <address object string> | any> network remote <address object <address object string> | any> SonicOS Enhanced 5. 6 Administrator's Guide 1173 SonicOS Enhanced Command Listing Command proposal ipsec [<esp|ah>] [encr <des|tripledes|aes-128|aes-192|aes256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] sa [in-spi <Incoming SPI>] [out-spi <Outgoing SPI>] [encr-key <Encryption Key>] [auth-key <Authentication Key>] VPN SUB-COMMANDS (3rd PARTY CERTIFICATE) abort [no] advanced apply-nat Description Sets encryption settings for IPSec proposal Sets hexidecimal incoming and outgoing Security Parameter Index (SPI) to allow the SonicWALL to uniquely identify all security associations Exits to top-level menu and cancels changes where needed Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel Enables or disables the auto-add access rule Binds VPN policy to specific interface Binds VPN policy to a specific zone Sets the default LAN gateway for VPN tunnel traffic Enables or disables heartbeat messages between peers on this VPN tunnel Enables or disables HTTP as the management method security association Enables or disables HTTPS as the management method security association Enables IP multicasting traffic to pass through the VPN tunnel Enables or disables Windows Networking (NetBIOS) Broadcast Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check the certificate status Configures or removes the specified user group for XAUTH users Enables or disables required user login through HTTP Enables or disables required user login through HTTPS Cancel from menu without applying changes [no] advanced auto-addrule advanced bound-to interface <interface> advanced bound-to zone <zone> [no] advanced defaultlan-gw <ip address> [no] advanced keepalive [no] advanced management http [no] advanced managment https [no] advanced multicast [no] advanced netbios [no] advanced ocsp <url> [no] advanced use-xauth <group name> [no] advanced user-login http [no] advanced user-login https cancel 1174 SonicOS Enhanced 5. 6 Administrator's Guide SonicOS Enhanced Command Listing Command cert <certname> end exit finished gw domain-name <domain name> gw ip-address <ip address> id remote <domain name | email address | distinguished name> <peer-id> info network local <address object <address object string> | any> network remote <address object <address object string> | any> proposal ike [<main|aggressive|ikev2>] [encr <des|triple-des|aes128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] proposal ipsec [<esp|ah>] [encr <des|tripledes|aes-128|aes-192|aes256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] sec-gw domain-name <domain name> sec-gw ip-address <ip address> Description Selects a certificate for the SonicWALL Exits configuration mode Exits menu and applies changes Exits to top-level and applies changes where needed Sets the primary gateway domain name Sets the primary gateway IP address Sets peer IKE ID type Displays information on a specific VPN policy Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP Sets a specific VPN tunnel as the default route for all incoming Internet traffic Sets the desired IKE encryption suite configurations for VPN tunnel traffic Sets encryption settings for IPSec proposal Sets the secondary gateway domain name Sets the secondary gateway's IP address SonicOS Enhanced 5. 6 Administrator's Guide 1175 SonicOS Enhanced Command Listing Command SSL VPN CLIENT SUB-COMMANDS abort Description Exits to top-level menu without applying changes address <start ip Sets the global IP address pool from address> <end ip address> which NetExtender clients are <interface> assigned an IP address [no] auto-update Enables/Disables auto-update which assists users in updating their NetExtender client when a newer version is required to establish a connection cache-username-password Sets the user name and password <username-only | passcache policy used for the NetExtender word-username | prohibit> client cancel Exits from menu without applying changes [no] client-communicate Enables/Disables traffic between hosts connecting to server with NetExtender [no] create-connectionEnables/Disables NetExtender client's profile ability to create a connection profiles dns-domain <DNS domain Sets the DNS domain which is the name> NetExtender client DNS-specific suffix dns1 <ip address> Sets the primary DNS server IP address to be used by all NetExtender clients dns2 <ip address> Sets the secondary DNS server IP address to be used by all NetExtender clients end Exits SSL VPN configuration mode exit Exits menu and applies changes [no] exit-after-disconEnables/Disables the forcing of a nect NetExtender client to exit after disconnecting from the server finished Exits to top-level and applies changes where needed help Displays available sub-commands for SSL VPN client configuration info Displays SSL VPN client settings no Inverts sense of a command show Invokes show commands sslvpn-access Enables SSL VPN access on specified <LAN|WAN|DMZ|WLAN> zone [no] uninstall-after-exit Enables/Disables automatic uninstall of NetExtender clients after exit user-domain <user domain Sets the user domain to which all SSL name> VPN users belong wins1 <ip address> Sets the primary WINS server IP address wins2 <ip address> Sets the secondary WINS server IP address 1176 SonicOS Enhanced 5. 6 Administrator's Guide SonicOS Enhanced Command Listing Command SSL VPN PORTAL SUB-COMMANDS abort [no] auto-launch Description Exits to top-level menu without applying changes Enables/Disables automatic launch of NetExtender after a user logs into the portal Sets the portal banner title that displays next to the logo on the portal home page Enables/Disables the use of some HTML META tags to tell browser to cache UI files in portal pages Exits the menu without applying changes Sets a customized logo to be used on the portal page. Enables/Disables the use of the default SonicWALL logo on the portal page Enables/Disables the display of the button to import the SSL VPN server certificate Exits SSL VPN portal configuration Exits menu and applies changes Exits to top-level menu and applies changes Displays available subcommands for SSL VPN portal settings Displays current SSL VPN portal settings Inverts sense of a command Invokes show commands Sets the portal HTML page title that displays in the browser window's title banner-title <portal banner title name> [no] cache-control cancel custom logo <url> [no] default-logo [no] display-cert end exit finished help info no show site-title <portal site title name> SonicOS Enhanced 5. 6 Administrator's Guide 1177 SonicOS Enhanced Command Listing Command SSL VPN ROUTE SUB-COMMANDS abort add-routes <address object name> cancel delete-routes <address object name> end exit finished help info no show [no] tunnel-all Description Exits to top-level menu without applying changes Adds an address object as a client route entry Exits from menu without applying changes Deletes specified SSL VPN client route entry, identified as an address object Exits SSL VPN client routes configuration mode Exits menu and applies changes Exits to top-level menu and applies changes Displays available subcommands for SSL VPN client routes settings Displays current SSL VPN client routes settings Inverts sense of a command Invokes show commands Enables/Disables tunnel all mode which configures the NetExtender client to tunnel all traffic over the SSL VPN connection Configures one-time password for VPN user access to the appliance WEB MANAGEMENT SUB-COMMANDS [no] web-management otp enable 1178 SonicOS Enhanced 5. 6 Administrator's Guide SonicOS Enhanced Command Listing Table 8 LAN Interface Configuration Description Assigns zone and enters the configuration mode for the interface Sets the interface to auto negotiate Adds comment as part of the port configuration duplex <full|half> Sets the interface duplex speed end Exits the configuration mode finished Exits configuration mode to the top menu help <command> Displays the command and description [no] https-redirect Enables or disables https redirect on enable the interface info Displays information about the interface show interface all Displays the configuration of all interfaces [no] management Enables or disables specified manage<http|https|ping|snmmp|ss ment protocol on the interface h> enable [no] user-login Configures user-login protocol for the <http|https> interface LAN MODE Enters the LAN configuration mode <lan> end Exits configuration mode finished Exits configuration mode to top menu level help <command> Displays the command and description info Displays information about the interface ip <IP Address> netmask Sets the IP address for the interface <mask> name <interface name> Sets the name for the interface speed <10|100> Sets the interface speed Command interface <x0|x1|x2|x3|x4|x5> [<lan|wan|dmz>] auto comment <string> SonicOS Enhanced 5. 6 Administrator's Guide 1179 SonicOS Enhanced Command Listing Table 9 WAN Interface Configuration Command <wan> auto bandwidth-management enable bandwidth-management size <uvalue> comment <string> duplex <full|half> end finished fragment-packets ignore-df-bit help <command> [no] https-redirect enable info Description Sets the interface to auto-negotiate Enables bandwidth management Sets the bandwidth management size Adds comment as part of the port configuration Sets the interface duplex speed Exits the configuration mode Exits configuration mode to the top menu Enables/disables fragmentation of packets larger than the interface MTU Enables/disables ignoring the don't fragment bit Displays the command and description Enables or disables https redirect on the interface Displays information about the interface Enables or disables specified management protocol on the interface Configures user-login protocol for the interface Sets the mode for the WAN interface and enters the mode configuration [no] management <http|https|ping|snmmp| ssh> enable [no] user-login <http|https> mode <static|dhcp|pptp|l2tp|pppoe> Mode Static WAN Interface Configuration [no] dns <IP Address> end finished gateway <IP Address> help <command> info [no] ip <IP Address> Enters or removes IP address of DNS servers Exits configuration mode Exits configuration mode to top menu Sets or removes default gateway for the interface Displays help for given command Displays IP information about the interface Sets the IP address for the interface 1180 SonicOS Enhanced 5. 6 Administrator's Guide SonicOS Enhanced Command Listing Command Mode DHCP WAN Interface Configuration end finished help <command> info [no] hostname <string> release renew Mode PPTP WAN Interface Configuration [no] dynamic end finished help <command> [no] hostname <string> [no] inactivity timeout <uvalue> info [no] ip <IP Address> [no] password <quoted string> [no] server ip <IP Address> start stop [no] username <string> L2TP WAN Configuration Mode [no] dynamic end finished help <command> [no] hostname <string> [no] inactivity timeout <uvalue> Description Exits configuration mode Exits configuration mode to top menu Displays help for given command Displays IP information about the interface Sets the hostname for the interface Releases IP address information Renews IP address information Sets the SonicWALL to obtain the IP address dynamically Exits configuration mode Exits configuration mode to top menu Displays help for given command Clears/Sets PPTP hostname Enables/disables the PPTP inactivity timer Sets/Clears the PPTP inactivity timeout Displays IP information about the interface Sets/Clears the IP address for the interface Sets/Clears the PPTP password Sest/Clears the PPTP server IP address Sets/Clears the PPTP username Sets the SonicWALL to obtain the IP address dynamically Exits configuration mode Exits configuration mode to top menu Displays help for given command Clears/Sets L2TP hostname Enables/disables the L2TP inactivity timer Sets/Clears the L2TP inactivity timeout SonicOS Enhanced 5. 6 Administrator's Guide 1181 SonicOS Enhanced Command Listing Command info [no] ip <IP Address> [no] password <quoted string> [no] server ip <IP Address> start stop [no] username <string> mtu <uvalue> name <interface name> speed <10|100> Other Interface Configuration Description Displays IP information about the interface Sets/Clears the IP address for the interface Sets/Clears the L2TP password Sets/Clears the L2TP server IP address Sets/Clears the L2TP username Sets the MTU of the interface Sets the name for the interface Sets the interface speed Sets the interface to autonegotiate Adds a comment as part of the force configuration duplex <full|half> Sets the interface duplex speed end Exits configuration mode finished Exits configuration mode to top menu help <command> Displays help for given command info Displays IP information about the interface name <interface name> Sets the name for the interface speed <10|100> Sets the interface to autonegotiate [no] log categories [all] Assigns/clears logging categories auto comment <string> Log Category Information [no] all [no] attack [no] blocked-code [no] blocked-sites [no] connection [no] conn-traffic [no] debug end finished help <command> [no] icmp Assigns/clears all logging categories Assigns/clears attack logging category Assigns/clears blocked code logging category Assigns/clears blocked sites logging category Assigns/clears connection logging category Assigns/clears conn traffic logging category Assigns/clears debug logging category Exits configuration mode Exits configuration mode to top menu Displays help for given command Assigns/clears ICMP logging category 1182 SonicOS Enhanced 5. 6 Administrator's Guide SonicOS Enhanced Command Listing Command info [no] lan-icmp [no]lan-tcp [no]lan-udp [no]maintenance [no] mgmt-80211b [no] modem-debug [no] sys-env [no] sys-err [no] tcp [no] udp [no] user-activity [no] vpn-stat [no] vpn-tunnel-status [no] log filter-time <uvalue> log ordering <choices> [invert] name <string> [no] route default <IP address> [no] route <Destination> <Netmask> <Gateway> [metric <route metric>] [no] web-management http enable <x0 | x1 | x2 | x3 | x4 | x5> web-management http port <tcp port or 'default'> [no] web-management https enable <x0 | x1 | x2 | x3 | x4 | x5> web-management https port <tcp port or 'default'> web-management restore Description Displays IP information about the interface Assigns/clears LAN-ICMP logging category Assigns/clears LAN-TCP logging category Assigns/clears LAN-UDP logging category Assigns/clears maintenance logging category Assigns/clears 80211b management logging category Assigns/clears modem debugging logging category Assigns/clears sys env logging category Assigns/clears sys error logging category Assigns/clears TCP logging category Assigns/clears UDP logging category Assign/clear user-activity logging category Assigns/clears vpn-stat logging category Assigns/clears vpn tunnel status logging category Assigns/clears log filter time Assign/clear ordering method when displaying log entries Sets/clears the firewall name Assigns clear default route Assigns clear static routes Enables/disables HTTP web management Assigns the HTTP web management port or reset to default Enables/disables HTTPS web management Assigns the HTTPS web management port or resets to default Restores default web-management port and interface assignments SonicOS Enhanced 5. 6 Administrator's Guide 1183 SonicOS Enhanced Command Listing Command zone <wan|lan|dms> end finished [no] intrazone-communications auto bandwidth-management enable bandwidth-management size <uvalue> comment <string> duplex <full|half> end finished fragment-packets ignore-df-bit show zone all [no] sslvpn-access Description Enters the zone configuration menu Exits configuration mode Exits configuration mode to top menu Enables/disables intra-zone communications Sets the interface to autonegotiate Enables bandwidth management Sets the bandwidth management size Adds comment as part of the port configuration Sets the interface duplex speed Exit the configuration mode Exit configuration mode to the top menu Enable/disable fragmentation of packets larger than the interface MTU Enable/disable ignoring the don't fragment bit Displays the configuration of all zones Configures SSL VPN access on the zone 1184 SonicOS Enhanced 5. 6 Administrator's Guide SonicOS Enhanced Command Listing Command <guest services> SUB-COMMANDS abort bypass antivirus bypass auth <string|identifier custom enable custom footer-text <string|identifier custom footer-type <text|url> custom header-text <string|identifier> custom header-type <text|url> deny <string|identifier> enable end exit finished help info maxguests <value> no pass <string|identifier> post enable post url <string|identifier> show smtp-redirect <string|identifier> Description Exits to top-level menu and cancels changes where needed Configures the zone's bypass settings for anti-virus Configures the zone's bypass authentication based on string or identifier input Enables custom authentication page settings Configures custom footer text for the authentication page Configures custom footer text font for the authentication page Configures custom header text for the authentication page Configures custom header text font for the authentication page Configures deny settings for access to the zone Enables WGS Exits upon configuring WGS settings Exits menu and applies changes Exits to top-level menu and applies changes where needed Displays help commands for this menu Displays current WGS configuration state Sets maximum guest limit for the zone at specified value Inverts sense of a command Allows traffic through zone from the specified network Enables guests to be directed to a landing page post-authentication Configures which URL guests are directed to after authentication Invoke show commands Configures SMTP redirect settings for the zone SonicOS Enhanced 5. 6 Administrator's Guide 1185 Configuring Site-to-Site VPN Using CLI Configuring Site-to-Site VPN Using CLI This section describes how to create a VPN policy using the Command Line Interface. The examples used are a SonicWALL TZ 170 appliance with SonicOS Enhanced 3. 2 firmware. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface. Note In this example, the VPN policy on the other end has already been created. CLI Access 1. [. . . ]