User manual SONICWALL SONICOS ENHANCED 5.7 ADMINISTRATOR GUIDE

[. . . ] SonicOS Enhanced 5. 7 Administrator's Guide PROTECTION AT THE SPEED OF BUSINESSTM Table of Contents Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii Part 1: Introduction Chapter 1: Preface . . 37 Part 2: System Chapter 3: Viewing the SonicWALL Security Dashboard . . 52 SonicOS Enhanced 5. 7 Administrator Guide iii System Information . 88 iv SonicOS Enhanced 5. 7 Administrator Guide Firmware Management . [. . . ] Firewall packets are user-generated packets that always pass through the BWM module. Real time packets are usually firewall generated packets that are not processed by the BWM module, and are implicitly given the highest priority. Real Time (firewall generated) packets include: · · · · · · · · · · WAN Load Balancing Probe ISAKMP Web CFS PPTP and L2TP control packets DHCP ARP Packets Web Sense Syslog NTP Security Services (AV, signature updates, license manager) Outbound BWM Packet Processing Path a. Queue the packet in the appropriate rule queue. 544 SonicOS Enhanced 5. 7 Administrator Guide Firewall > QoS Mapping (Not Supported on TZ platforms nor the NSA 240) Guaranteed Bandwidth Processing This algorithm depicts how all the policies use up the GBW. a. If that packet length is less than or equal to the class credit, transmit the packet and deduct the length from class credit and link credit. d. Choose the next packet from queue and repeat step c until class credit is lesser or rule queue is empty. e. Choose the next rule queue and repeat steps b through d. Maximum Bandwidth Processing This algorithm depicts how the unutilized link BW is used up by the policies. We start with the highest priority ring and transmit packets from all the rule queues in a round robin fashion until link credit is exhausted or all queues are empty. Then we move on to the next lowest priority ring and repeat the same. a. Start with the link credit equal to the left over link BW after GBW utilization. Check if the length of a packet from the rule queue is below class credit as well as link credit. e. If yes, transmit the packet and deduct the length from class credit and link credit. Choose the next rule queue and repeat steps c through f until link credit gets exhausted or this priority ring has all its queues empty. g. Choose the next lowest priority ring and repeat steps c through f. SonicOS Enhanced 5. 7 Administrator Guide 545 Firewall > QoS Mapping (Not Supported on TZ platforms nor the NSA 240) Example of Outbound BWM Priority 0 Priority 1 Priority 6 Priority 7 Priority Ring 0 Priority Ring 7 Rule 1 Rule 2 Rule 4 Rule 3 Default Queue BWM Queue Structure The above diagram shows 4 policies are configured for OBWM with a link capacity of 100 Kbps. BWM values FTP GBW 1280 MBW 2560 H323 2560 5120 Yahoo Messenger 640 1920 VNC 2560 3200 a. For GBW processing, we start with the first queue in the rule queue list which is FTP. Link credit is 12800 and class credit is 1280. Pkt1 of 400B is sent out on the WAN link and link credit becomes 12400 and class credit becomes 880. Pkt2 is not sent out because there is not enough class credit to send 1500 Bytes. The remaining class credit is carried over to the next time slice. b. Pkt1 of 1500B is sent out and link credit becomes 10900 and class credit for H323 becomes 1060. Pkt2 is also sent from queue hence link credit = 10200 and class credit = 360. The remaining class credit is carried over to the next time slice. c. [. . . ] If super-g is selected, all clients must use access cards that support this mode Sets the RTS threshold in bytes Sets Service Set Identifier identifying a particular SonicPoint Sets the on/off schedule string for 802. 11g radio Sets a convenient time to schedule an Intrusion Detection Scan (IDS) Allows clients to disassociate and re-associate more quickly Sets Transmit Power Control strength Sets the IP address location of the RADIUS authentication server Sets the port for authentication through the RADIUS server Sets the secret passcode for the RADIUS authentication server Sets the IP address for the backup RADIUS authentication server Sets the port for authentication through the backup RADIUS server Sets the secret passcode for the backup RADIUS authentication server SonicOS Enhanced 5. 7 Administrator Guide 1117 SonicOS Enhanced Command Listing Command SSH SUB-COMMANDS ssh enable <interface> ssh genkey ssh port <port> ssh restore ssh terminate SSL VPN SUB-COMMANDS sslvpn client sslvpn portal sslvpn settings TIMEOUT SUB-COMMAND timeout <minutes> VPN SUB-COMMANDS [no] vpn <enable|disable> <policy name> [no] vpn policy <policy-name> [preshared| manual|cert] VPN SUB-COMMANDS (PRE-SHARED SECRET) abort [no] advanced apply-nat <local|remote> <translated address object> [no] advanced auto-addrule advanced bound-to interface <interface> advanced bound-to zone <zone> [no] advanced defaultlan-gw <ip address> [no] advanced keepalive Description Enables SSH management for the specified interface Creates a new key to use with SSH Assigns the SSH port or resets to the default port Restores SSH management settings to defaults Stops all SSH sessions, disables all SSH management, and resets the port Configures or modifies SSL VPN client settings Configures or modifies SSL VPN portal settings Configures or modifies SSL VPN settings Sets login timeout in minutes Enables or disables VPN for a specific policy Enables or disables a specific VPN policy Exits to top-level menu and cancels changes where needed Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel Enables or disables the auto-add access rule Binds VPN policy to specific interface Binds VPN policy to a specific zone Sets the default LAN domain gateway for VPN tunnel traffic Enables or disables heartbeat messages between peers on this VPN tunnel Enables or disables HTTP as the management method security association Enables or disables HTTPS as the management method security association [no] advanced management http [no] advanced management https 1118 SonicOS Enhanced 5. 7 Administrator Guide SonicOS Enhanced Command Listing Command [no] advanced multicast [no] advanced netbios [no] advanced use-xauth <group-name> [no] advanced user-login http [no] advanced user-login https cancel end exit finished gw domain-name <domain name> gw ip-address <ip address> id local <domainname|email address|ipaddress|sonicwall-id> <our id> id remote <domain name|email address|ipaddress|sonicwall-id> <their id> info network local <addressobject> <address object string>|any|dhcp> network remote <addressobject<address object string>|any|dhcp> pre-shared-secret <string> proposal ike [<main|aggressive|ikev2>] [encr <des|triple-des|aes128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] Description Enables IP multicasting traffic to pass through the VPN tunnel Enables or disables Windows Networking (NetBIOS) Broadcast Configures or removes the specified user group for XAUTH users Enables or disables required user login through HTTP Enables or disables required user login through HTTPS Cancel from menu without applying changes Exits VPN configuration mode Exits menu and applies changes Exits to top-level and applies changes where needed Sets the primary gateway domain name Sets the primary gateway IP address Sets the name and IP address of the local connection Sets the name and IP address of the remote connection Displays information on a specific VPN policy Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP Sets a specific VPN tunnel as the default route for all incoming Internet traffic Established specified preshared secret Sets the desired IKE encryption suite configurations for VPN tunnel traffic SonicOS Enhanced 5. 7 Administrator Guide 1119 SonicOS Enhanced Command Listing Command proposal ipsec [<esp|ah>] [encr <des|tripledes|aes-128|aes-192|aes256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] sec-gw domain-name <domain name> sec-gw ip-address <ip address> Description Sets encryption settings for IPSec proposal Sets the secondary gateway domain name Sets the secondary gateway's IP address 1120 SonicOS Enhanced 5. 7 Administrator Guide SonicOS Enhanced Command Listing Command VPN SUB-COMMANDS (MANUAL KEY) abort [no] advanced apply-nat <local|remote> <translated address object> [no] advanced auto-addrule advanced bound-to interface <interface> advanced bound-to zone <zone> [no] advanced keepalive Description Exits to top-level menu and cancels changes where needed Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel Enables or disables the auto-add access rule Binds VPN policy to specific interface Binds VPN policy to a specific zone Enables or disables heartbeat messages between peers on this VPN tunnel Enables or disables HTTP as the management method security association Enables or disables HTTPS as the management method security association Enables IP multicasting traffic to pass through the VPN tunnel Enables or disables Windows Networking (NetBIOS) Broadcast Configures or removes the specified user group for XAUTH users Enables or disables required user login through HTTP Enables or disables required user login through HTTPS Cancel from menu without applying changes Exits configuration mode Exits menu and applies changes Exits to top-level and applies changes where needed Sets the primary gateway domain name Sets the primary gateway IP address Displays information on a specific VPN policy Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP Sets a specific VPN tunnel as the default route for all incoming Internet traffic [no] advanced management http [no] advanced managment https [no] advanced multicast [no] advanced netbios [no] advanced use-xauth <group name> [no] advanced user-login http [no] advanced user-login https cancel end exit finished gw domain-name <domain name> gw ip-address <ip address> info network local <address object <address object string> | any> network remote <address object <address object string> | any> SonicOS Enhanced 5. 7 Administrator Guide 1121 SonicOS Enhanced Command Listing Command proposal ipsec [<esp|ah>] [encr <des|tripledes|aes-128|aes-192|aes256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] sa [in-spi <Incoming SPI>] [out-spi <Outgoing SPI>] [encr-key <Encryption Key>] [auth-key <Authentication Key>] VPN SUB-COMMANDS (3rd PARTY CERTIFICATE) abort [no] advanced apply-nat Description Sets encryption settings for IPSec proposal Sets hexidecimal incoming and outgoing Security Parameter Index (SPI) to allow the SonicWALL to uniquely identify all security associations Exits to top-level menu and cancels changes where needed Enable or disable translation of the local and/or remote networks communicating with this VPN tunnel Enables or disables the auto-add access rule Binds VPN policy to specific interface Binds VPN policy to a specific zone Sets the default LAN gateway for VPN tunnel traffic Enables or disables heartbeat messages between peers on this VPN tunnel Enables or disables HTTP as the management method security association Enables or disables HTTPS as the management method security association Enables IP multicasting traffic to pass through the VPN tunnel Enables or disables Windows Networking (NetBIOS) Broadcast Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check the certificate status Configures or removes the specified user group for XAUTH users Enables or disables required user login through HTTP Enables or disables required user login through HTTPS Cancel from menu without applying changes [no] advanced auto-addrule advanced bound-to interface <interface> advanced bound-to zone <zone> [no] advanced defaultlan-gw <ip address> [no] advanced keepalive [no] advanced management http [no] advanced managment https [no] advanced multicast [no] advanced netbios [no] advanced ocsp <url> [no] advanced use-xauth <group name> [no] advanced user-login http [no] advanced user-login https cancel 1122 SonicOS Enhanced 5. 7 Administrator Guide SonicOS Enhanced Command Listing Command cert <certname> end exit finished gw domain-name <domain name> gw ip-address <ip address> id remote <domain name | email address | distinguished name> <peer-id> info network local <address object <address object string> | any> network remote <address object <address object string> | any> proposal ike [<main|aggressive|ikev2>] [encr <des|triple-des|aes128|aes-192|aes-256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] proposal ipsec [<esp|ah>] [encr <des|tripledes|aes-128|aes-192|aes256>] [auth <md5|sha1>] [dh <1|2|5>] [lifetime <seconds>] sec-gw domain-name <domain name> sec-gw ip-address <ip address> Description Selects a certificate for the SonicWALL Exits configuration mode Exits menu and applies changes Exits to top-level and applies changes where needed Sets the primary gateway domain name Sets the primary gateway IP address Sets peer IKE ID type Displays information on a specific VPN policy Sets a local network for the VPN tunnel, or configures the network to obtain IP addresses using DHCP Sets a specific VPN tunnel as the default route for all incoming Internet traffic Sets the desired IKE encryption suite configurations for VPN tunnel traffic Sets encryption settings for IPSec proposal Sets the secondary gateway domain name Sets the secondary gateway's IP address SonicOS Enhanced 5. 7 Administrator Guide 1123 SonicOS Enhanced Command Listing Command SSL VPN CLIENT SUB-COMMANDS abort Description Exits to top-level menu without applying changes address <start ip Sets the global IP address pool from address> <end ip address> which NetExtender clients are <interface> assigned an IP address [no] auto-update Enables/Disables auto-update which assists users in updating their NetExtender client when a newer version is required to establish a connection cache-username-password Sets the user name and password <username-only | passcache policy used for the NetExtender word-username | prohibit> client cancel Exits from menu without applying changes [no] client-communicate Enables/Disables traffic between hosts connecting to server with NetExtender [no] create-connectionEnables/Disables NetExtender client's profile ability to create a connection profiles dns-domain <DNS domain Sets the DNS domain which is the name> NetExtender client DNS-specific suffix dns1 <ip address> Sets the primary DNS server IP address to be used by all NetExtender clients dns2 <ip address> Sets the secondary DNS server IP address to be used by all NetExtender clients end Exits SSL VPN configuration mode exit Exits menu and applies changes [no] exit-after-disconEnables/Disables the forcing of a nect NetExtender client to exit after disconnecting from the server finished Exits to top-level and applies changes where needed help Displays available sub-commands for SSL VPN client configuration info Displays SSL VPN client settings no Inverts sense of a command show Invokes show commands sslvpn-access Enables SSL VPN access on specified <LAN|WAN|DMZ|WLAN> zone [no] uninstall-after-exit Enables/Disables automatic uninstall of NetExtender clients after exit user-domain <user domain Sets the user domain to which all SSL name> VPN users belong wins1 <ip address> Sets the primary WINS server IP address wins2 <ip address> Sets the secondary WINS server IP address 1124 SonicOS Enhanced 5. 7 Administrator Guide SonicOS Enhanced Command Listing Command SSL VPN PORTAL SUB-COMMANDS abort [no] auto-launch Description Exits to top-level menu without applying changes Enables/Disables automatic launch of NetExtender after a user logs into the portal Sets the portal banner title that displays next to the logo on the portal home page Enables/Disables the use of some HTML META tags to tell browser to cache UI files in portal pages Exits the menu without applying changes Sets a customized logo to be used on the portal page. Enables/Disables the use of the default SonicWALL logo on the portal page Enables/Disables the display of the button to import the SSL VPN server certificate Exits SSL VPN portal configuration Exits menu and applies changes Exits to top-level menu and applies changes Displays available subcommands for SSL VPN portal settings Displays current SSL VPN portal settings Inverts sense of a command Invokes show commands Sets the portal HTML page title that displays in the browser window's title banner-title <portal banner title name> [no] cache-control cancel custom logo <url> [no] default-logo [no] display-cert end exit finished help info no show site-title <portal site title name> SonicOS Enhanced 5. 7 Administrator Guide 1125 SonicOS Enhanced Command Listing Command SSL VPN ROUTE SUB-COMMANDS abort add-routes <address object name> cancel delete-routes <address object name> end exit finished help info no show [no] tunnel-all Description Exits to top-level menu without applying changes Adds an address object as a client route entry Exits from menu without applying changes Deletes specified SSL VPN client route entry, identified as an address object Exits SSL VPN client routes configuration mode Exits menu and applies changes Exits to top-level menu and applies changes Displays available subcommands for SSL VPN client routes settings Displays current SSL VPN client routes settings Inverts sense of a command Invokes show commands Enables/Disables tunnel all mode which configures the NetExtender client to tunnel all traffic over the SSL VPN connection Configures one-time password for VPN user access to the appliance WEB MANAGEMENT SUB-COMMANDS [no] web-management otp enable 1126 SonicOS Enhanced 5. 7 Administrator Guide SonicOS Enhanced Command Listing Table 8 LAN Interface Configuration Description Assigns zone and enters the configuration mode for the interface Sets the interface to auto negotiate Adds comment as part of the port configuration duplex <full|half> Sets the interface duplex speed end Exits the configuration mode finished Exits configuration mode to the top menu help <command> Displays the command and description [no] https-redirect Enables or disables https redirect on enable the interface info Displays information about the interface show interface all Displays the configuration of all interfaces [no] management Enables or disables specified manage<http|https|ping|snmmp|ss ment protocol on the interface h> enable [no] user-login Configures user-login protocol for the <http|https> interface LAN MODE Enters the LAN configuration mode <lan> end Exits configuration mode finished Exits configuration mode to top menu level help <command> Displays the command and description info Displays information about the interface ip <IP Address> netmask Sets the IP address for the interface <mask> name <interface name> Sets the name for the interface speed <10|100> Sets the interface speed Command interface <x0|x1|x2|x3|x4|x5> [<lan|wan|dmz>] auto comment <string> SonicOS Enhanced 5. 7 Administrator Guide 1127 SonicOS Enhanced Command Listing Table 9 WAN Interface Configuration Command <wan> auto bandwidth-management enable bandwidth-management size <uvalue> comment <string> duplex <full|half> end finished fragment-packets ignore-df-bit help <command> [no] https-redirect enable info Description Sets the interface to auto-negotiate Enables bandwidth management Sets the bandwidth management size Adds comment as part of the port configuration Sets the interface duplex speed Exits the configuration mode Exits configuration mode to the top menu Enables/disables fragmentation of packets larger than the interface MTU Enables/disables ignoring the don't fragment bit Displays the command and description Enables or disables https redirect on the interface Displays information about the interface Enables or disables specified management protocol on the interface Configures user-login protocol for the interface Sets the mode for the WAN interface and enters the mode configuration [no] management <http|https|ping|snmmp| ssh> enable [no] user-login <http|https> mode <static|dhcp|pptp|l2tp|pppoe> Mode Static WAN Interface Configuration [no] dns <IP Address> end finished gateway <IP Address> help <command> info [no] ip <IP Address> Enters or removes IP address of DNS servers Exits configuration mode Exits configuration mode to top menu Sets or removes default gateway for the interface Displays help for given command Displays IP information about the interface Sets the IP address for the interface 1128 SonicOS Enhanced 5. 7 Administrator Guide SonicOS Enhanced Command Listing Command Mode DHCP WAN Interface Configuration end finished help <command> info [no] hostname <string> release renew Mode PPTP WAN Interface Configuration [no] dynamic end finished help <command> [no] hostname <string> [no] inactivity timeout <uvalue> info [no] ip <IP Address> [no] password <quoted string> [no] server ip <IP Address> start stop [no] username <string> L2TP WAN Configuration Mode [no] dynamic end finished help <command> [no] hostname <string> [no] inactivity timeout <uvalue> Description Exits configuration mode Exits configuration mode to top menu Displays help for given command Displays IP information about the interface Sets the hostname for the interface Releases IP address information Renews IP address information Sets the SonicWALL to obtain the IP address dynamically Exits configuration mode Exits configuration mode to top menu Displays help for given command Clears/Sets PPTP hostname Enables/disables the PPTP inactivity timer Sets/Clears the PPTP inactivity timeout Displays IP information about the interface Sets/Clears the IP address for the interface Sets/Clears the PPTP password Sest/Clears the PPTP server IP address Sets/Clears the PPTP username Sets the SonicWALL to obtain the IP address dynamically Exits configuration mode Exits configuration mode to top menu Displays help for given command Clears/Sets L2TP hostname Enables/disables the L2TP inactivity timer Sets/Clears the L2TP inactivity timeout SonicOS Enhanced 5. 7 Administrator Guide 1129 SonicOS Enhanced Command Listing Command info [no] ip <IP Address> [no] password <quoted string> [no] server ip <IP Address> start stop [no] username <string> mtu <uvalue> name <interface name> speed <10|100> Other Interface Configuration Description Displays IP information about the interface Sets/Clears the IP address for the interface Sets/Clears the L2TP password Sets/Clears the L2TP server IP address Sets/Clears the L2TP username Sets the MTU of the interface Sets the name for the interface Sets the interface speed Sets the interface to autonegotiate Adds a comment as part of the force configuration duplex <full|half> Sets the interface duplex speed end Exits configuration mode finished Exits configuration mode to top menu help <command> Displays help for given command info Displays IP information about the interface name <interface name> Sets the name for the interface speed <10|100> Sets the interface to autonegotiate [no] log categories [all] Assigns/clears logging categories auto comment <string> Log Category Information [no] all [no] attack [no] blocked-code [no] blocked-sites [no] connection [no] conn-traffic [no] debug end finished help <command> [no] icmp Assigns/clears all logging categories Assigns/clears attack logging category Assigns/clears blocked code logging category Assigns/clears blocked sites logging category Assigns/clears connection logging category Assigns/clears conn traffic logging category Assigns/clears debug logging category Exits configuration mode Exits configuration mode to top menu Displays help for given command Assigns/clears ICMP logging category 1130 SonicOS Enhanced 5. 7 Administrator Guide SonicOS Enhanced Command Listing Command info [no] lan-icmp [no]lan-tcp [no]lan-udp [no]maintenance [no] mgmt-80211b [no] modem-debug [no] sys-env [no] sys-err [no] tcp [no] udp [no] user-activity [no] vpn-stat [no] vpn-tunnel-status [no] log filter-time <uvalue> log ordering <choices> [invert] name <string> [no] route default <IP address> [no] route <Destination> <Netmask> <Gateway> [metric <route metric>] [no] web-management http enable <x0 | x1 | x2 | x3 | x4 | x5> web-management http port <tcp port or 'default'> [no] web-management https enable <x0 | x1 | x2 | x3 | x4 | x5> web-management https port <tcp port or 'default'> web-management restore Description Displays IP information about the interface Assigns/clears LAN-ICMP logging category Assigns/clears LAN-TCP logging category Assigns/clears LAN-UDP logging category Assigns/clears maintenance logging category Assigns/clears 80211b management logging category Assigns/clears modem debugging logging category Assigns/clears sys env logging category Assigns/clears sys error logging category Assigns/clears TCP logging category Assigns/clears UDP logging category Assign/clear user-activity logging category Assigns/clears vpn-stat logging category Assigns/clears vpn tunnel status logging category Assigns/clears log filter time Assign/clear ordering method when displaying log entries Sets/clears the firewall name Assigns clear default route Assigns clear static routes Enables/disables HTTP web management Assigns the HTTP web management port or reset to default Enables/disables HTTPS web management Assigns the HTTPS web management port or resets to default Restores default web-management port and interface assignments SonicOS Enhanced 5. 7 Administrator Guide 1131 SonicOS Enhanced Command Listing Command zone <wan|lan|dms> end finished [no] intrazone-communications auto bandwidth-management enable bandwidth-management size <uvalue> comment <string> duplex <full|half> end finished fragment-packets ignore-df-bit show zone all [no] sslvpn-access Description Enters the zone configuration menu Exits configuration mode Exits configuration mode to top menu Enables/disables intra-zone communications Sets the interface to autonegotiate Enables bandwidth management Sets the bandwidth management size Adds comment as part of the port configuration Sets the interface duplex speed Exit the configuration mode Exit configuration mode to the top menu Enable/disable fragmentation of packets larger than the interface MTU Enable/disable ignoring the don't fragment bit Displays the configuration of all zones Configures SSL VPN access on the zone 1132 SonicOS Enhanced 5. 7 Administrator Guide SonicOS Enhanced Command Listing Command <guest services> SUB-COMMANDS abort bypass antivirus bypass auth <string|identifier custom enable custom footer-text <string|identifier custom footer-type <text|url> custom header-text <string|identifier> custom header-type <text|url> deny <string|identifier> enable end exit finished help info maxguests <value> no pass <string|identifier> post enable post url <string|identifier> show smtp-redirect <string|identifier> Description Exits to top-level menu and cancels changes where needed Configures the zone's bypass settings for anti-virus Configures the zone's bypass authentication based on string or identifier input Enables custom authentication page settings Configures custom footer text for the authentication page Configures custom footer text font for the authentication page Configures custom header text for the authentication page Configures custom header text font for the authentication page Configures deny settings for access to the zone Enables WGS Exits upon configuring WGS settings Exits menu and applies changes Exits to top-level menu and applies changes where needed Displays help commands for this menu Displays current WGS configuration state Sets maximum guest limit for the zone at specified value Inverts sense of a command Allows traffic through zone from the specified network Enables guests to be directed to a landing page post-authentication Configures which URL guests are directed to after authentication Invoke show commands Configures SMTP redirect settings for the zone SonicOS Enhanced 5. 7 Administrator Guide 1133 Configuring Site-to-Site VPN Using CLI Configuring Site-to-Site VPN Using CLI This section describes how to create a VPN policy using the Command Line Interface. The examples used are a SonicWALL TZ 170 appliance with SonicOS Enhanced 3. 2 firmware. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface. Note In this example, the VPN policy on the other end has already been created. CLI Access 1. [. . . ]