SONICWALL SonicOS 7.1 Device Settings Administration Guide User Guide

June 15, 2024
SONICWALL


Product Information: SonicOS 7.1 Device Settings

Specifications

  • Version: SonicOS 7.1
  • Administration Guide: Included

Product Usage Instructions

About SonicOS
SonicOS is a software operating system designed for SonicWall appliances. It provides a range of features and settings to configure and manage your device.

Working with SonicOS
SonicOS offers a user-friendly interface for easy navigation and configuration of your SonicWall appliance.

SonicOS Workflow
The SonicOS workflow guides you through the necessary steps to set up and manage your device effectively.

How to Use the SonicOS Administration Guides
The SonicOS Administration Guides provide detailed instructions on how to configure and manage specific settings and features of your device.

Guide Conventions

The guide uses specific conventions to help you understand and follow the instructions easily.

About Device Settings

The Device Settings section allows you to manage various aspects of your SonicWall appliance, including licenses, security services, system administration, firmware settings, and more.

Managing SonicWall Licenses

You can manage your SonicWall licenses in this section, including activating licenses, managing security services, and enabling free trials.

Managing Security Services
This subsection provides a summary of available security services and guides you on how to manage them online or perform manual upgrades for closed environments.

System Administration

This subsection covers various system administration tasks, such as configuring firewall name, enabling wireless LAN and IPv6, changing administrator name and password, configuring login security, password compliance, login constraints, multiple administrators support, enhanced audit logging support, wireless LAN controller, SonicOS API, GMS management, and management interface configuration.

Managing Certificates
This subsection explains the management of digital certificates, including importing certificates, deleting certificates, generating certificate signing requests, and configuring Simple Certificate Enrollment Protocol.

Administering SNMP
This subsection provides information on setting up SNMP access, enabling and configuring SNMP access, setting up SNMPv3 groups and access, and configuring SNMP as a service.

Firmware Settings

This subsection covers firmware management and backup, including searching the table, creating backup firmware images (local or cloud), scheduling firmware image backups, updating firmware manually or using SafeMode, and importing/exporting settings.

Boot Settings
This subsection allows you to configure one-touch configuration overrides for specific boot settings.

FAQ (Frequently Asked Questions)

Q: How can I activate licenses for my SonicWall appliance?
A: To activate licenses, navigate to the Device Settings section, select “Managing SonicWall Licenses,” and follow the instructions provided.

Q: How do I change the administrator name and password?
A: In the System Administration subsection of Device Settings, there are instructions on how to change the administrator name and password.

Q: Can I import certificates into my SonicWall appliance?
A: Yes, you can import certificates by following the instructions in the “Managing Certificates” subsection of Device Settings.

About SonicOS

This guide is a part of the SonicOS collection of administrative guides that describes how to administer and monitor the SonicWall family of firewalls. SonicOS provides network administrators the management interface, API (Application Program Interface), and the Command Line Interface (CLI) for firewall configuration by setting objects to secure and protect the network services, to manage traffic, and to provide the desired level of network service. This guide focuses on
Topics:
  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions

Working with SonicOS
SonicOS provides a web management interface for configuring, managing, and monitoring the features, policies, security services, connected devices, and threats to your network. SonicOS runs on top of SonicCore, SonicWall’s secure underlying operating system. The SonicOS management interface facilitates:
  • Setting up and configuring your firewall
  • Configuring external devices like access points or switches
  • Configuring networks and external system options that connect to your firewall
  • Defining objects and policies for protection
  • Monitoring the health and status of the security appliance, network, users, and connections
  • Monitoring traffic, users, and threats
  • Investigating events
SonicWall offers two different modes of operation in SonicOS; the modes differ mainly in the areas of policy, object configuration and diagnostics.


  • Policy Mode provides a unified policy configuration work flow. It combines Layer 3 to Layer 7 policy enforcement for security policies and optimizes the work flow for other policy types. This unified policy work flow gathers many security settings into one place, which were previously configured on different pages of the management interface.
  • Classic Mode is more consistent with earlier releases of SonicOS; you need to develop individual policies and actions for specific security services. The Classic Mode has a redesigned interface.
This table identifies which modes can be used on the different SonicWall firewalls:

Firewall Type | Classic Mode | Policy Mode | Comments
TZ Series | yes | no | The entry level TZ Series, also known as desktop firewalls, deliver revamped features such as 5G readiness, better connectivity options, improved threat, SSL and decryption performance that address HTTPS bandwidth issues; built-in SD-WAN, and lawful TLS 1.3 decryption support.
NSa Series | yes | no | NSa firewalls provide your mid sized network with enhanced security. They are designed specifically for businesses with 250 and up. They can provide cloud-based and on-box capabilities like TLS/SSL decryption and inspection, application intelligence and control, SD-WAN, real-time visualization, and WLAN management.
NSsp 10700, NSsp 11700, NSsp 13700 | yes | no | The NSsp platforms are high-end firewalls that deliver the advanced threat protection and fast speeds that large enterprises, data centers, and service providers need.
NSsp 15700 | no | yes | The NSsp 15700 is designed for large distributed enterprises, data centers, government agencies and service providers. It provides advanced threat protection like Real-Time Deep Memory Inspection, multi-instance firewall configuration, and unified policy creation and modification, with scalability and availability.
NSv Series | yes | yes | The NSv series firewalls offer all the security advantages of a physical firewall with the operational and economic benefits of virtualization. The NSv firewalls can operate in either Policy Mode or Classic Mode. You can switch between modes, but some configuration information from extra interfaces is removed.

In addition to the management interface, SonicOS also has a full-featured API and a CLI to manage the firewalls. For more information, refer to:
  • SonicOS 7.1 API Reference Guide
  • SonicOS Command Line Interface Reference Guide

SonicOS Workflow
When working with SonicWall products, you can use the following workflow as a guide for setting up your security solution.
You begin your planning as you start making your purchasing decisions. Your sales partners can help you assess your network and make recommendations based on the kinds of security services you need. You can learn more about SonicWall products by reviewing product information and solutions. After selecting the solution, you can schedule your implementation.
After planning and scheduling your solution, you begin setting up the firewalls. The Getting Started Guides for your products can help you begin setting up the pieces to your solution. The getting started guides are designed to help you install the firewall to a minimal level of operation. Before performing any detailed configuration tasks described in the SonicOS Administration Guides, you should have your firewall set up and basic operation validated.
The configuration block of the workflow refers to the many tasks that combine to define how your firewall is integrated into your security solution and how it behaves when protecting your environment. Depending on the features of your security solution, this task can be quite complex. The System Administration Guides are broken into the key command sets and features. Some documents may be used for all solutions, but others may be used only if you integrated that feature into your solution. For example, High Availability or Wireless Access Points are not necessarily used by all customers. More information about a feature’s workflow is presented in the feature administration guide. Refer to the specific Administration Guide for a SonicOS feature for more information.
Configuration tends to be a one-time activity, although you might make minor adjustments after monitoring performance or after diagnosing an issue. The configuration activity can be broken down into the more detailed flow as the following figure shows. This also mirrors the key functions that are listed across the top of the management interface.


There is some flexibility in the order in which you do things, but this is the general work-flow you would follow when configuring your firewall. Start by defining the settings on the firewall. Next you set up the system and other devices that your firewall is connected to, and you can choose to implement High Availability when done. After your device, network, and system are configured, you should define the objects that you want to monitor. Then you use those objects to define the policies that protect your network. The final step to preparing your setup is to validate the user authentication.
How to Use the SonicOS Administration Guides
The SonicOS Administration Guide is a collection of guides that detail the features represented by each of the main menu items in the management interface. Within each guide, you can find topics covering commands in that menu group, along with procedures and in-depth information. The exceptions are the SonicOS 7.1 Monitor Guide and the SonicOS 7.1 Objects Guide which combine the topics for each of those functions into a single book.
To help you understand how the books align with the features and commands, the following figure shows the books organized like the SonicWall management interface.

The SonicOS Administration Guides, along with related documentation, such as the getting started guides, are available at https://www.sonicwall.com/support/technical-documentation/.


Guide Conventions
These text conventions are used in this guide:
NOTE: A NOTE icon indicates supporting information.
IMPORTANT: An IMPORTANT icon indicates supporting information.
TIP: A TIP icon indicates helpful information.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

Convention: Description
  • Bold text: Used in procedures to identify elements in the management interface like dialog boxes, windows, screen names, messages, and buttons. Also used for file names and text or values you are being instructed to select or type into the interface.
  • Function | Menu group > Menu item: Indicates a multiple step menu choice on the user interface. For example, NETWORK | System > Interfaces means to select the NETWORK functions at the top of the window, then click on System in the left navigation menu to open the menu group (if needed) and select Interfaces to display the page.
  • Code: Indicates sample computer programming code. If bold, it represents text to be typed in the command line interface.
  • <Variable>: Represents a variable name. The variable name and angle brackets need to be replaced with an actual value. For example in the segment serialnumber=<your serial number>, replace the variable and brackets with the serial number from your device, such as serialnumber=2CB8ED000004.
  • Italics: Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence, such as the first instance of a significant term or concept.


About Device Settings
The web-based SonicOS Management Interface enables you to configure SonicWall network security appliances (firewalls). This document provides information on:
  • Managing SonicWall Licenses
  • System Administration
  • Configuring Time Settings
  • Managing Certificates
  • Administering SNMP
  • Firmware Settings
  • Restarting the System

Managing SonicWall Licenses

IMPORTANT: By design, the SonicWall License Manager cannot be configured to use a third-party proxy server. Networks that direct all HTTP and HTTPS traffic through a third-party proxy server may experience License Manager issues.
Topics:
  • Licenses
  • Managing Security Services
  • Registering Your SonicWall Appliance
  • Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License
  • Activating FREE TRIALs
Licenses
The Device | Settings > Licenses page in the SonicOS management interface provides links to activate, upgrade, or renew SonicWall Security Services licenses. From this page, you can manage all the licenses for your SonicWall security appliance. The information listed in the Services table is updated from your mysonicwall.com account. The Licenses page also includes links to FREE trials of SonicWall Security Services.

Managing Security Services
When you have established your Internet connection, it is recommended you register your SonicWall security appliance, which provides the following benefits:
  • Try a FREE 30-day trial of SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention, Content Filtering Service, and Client Anti-Virus
  • Activate SonicWall Anti-Spam
  • Activate SonicWall security services and upgrades
  • Access SonicOS firmware updates
  • Get SonicWall technical support
Topics:
  • Services Summary
  • Managing Security Services Online
Services Summary
The Device | Settings > Licenses page lists all the available and activated services on the SonicWall security appliance. The friendly name of the security appliance is displayed above the SERVICES table. Select the appropriate option in the View drop-down box to list the services based on their activation status. The available options are:
  • Licensed and Unlicensed
  • Licensed
  • Unlicensed
The table displays the following information:
  • SERVICES – lists all the available SonicWall Security Services and upgrades available for the SonicWall security appliance.
  • STATUS – indicates if the security service is activated (Licensed), available for activation (Not Licensed), or no longer active (Expired).
  • ACTION – displays options to upgrade, renew, try, or activate the service, depending on its license status.
  • Count – displays the number of nodes/users currently connected to your appliance. If your security appliance is licensed for unlimited nodes, the count is displayed as Unlimited.
  • Max. Count – displays the maximum number of nodes/users allowed for the license.
  • EXPIRY DATE – displays the expiration date for any Licensed Security Service.
The information listed in the Services table is updated from your mysonicwall.com account the next time the SonicWall security appliance automatically synchronizes with MySonicWall (once a day), or you can click the SYNCHRONIZE button on this page to update the table. For more information on SonicWall Security Services, see SonicOS 7.0 Security Services document available at https://www.sonicwall.com/support/technical-documentation/.
Managing Security Services Online
You can activate, upgrade or renew services using one of the following methods:
  • Performing service license updates in MySonicWall and synchronizing the changes in SonicOS management interface.
    1. Navigate to the Device | Settings > Licenses page.
    2. Click MySonicWall above the Services table.
    3. Log into your MySonicWall account and upgrade the licenses. See MSW online help.
    4. Synchronize changes. See Synchronizing Changes.
  • Performing service license updates through SonicOS management interface. See Managing Services from SonicOS Management Interface.
Topics:
  • Managing Services from SonicOS Management Interface
  • Synchronizing Changes
Managing Services from SonicOS Management Interface
You can activate, upgrade, or renew licenses for the Security Services on the Device | Settings > Licenses page.
To activate, upgrade, or renew services:
1. Navigate to Device | Settings > Licenses.
2. Select the appropriate option in the View drop-down box above the SERVICES table.
3. Locate the service you want to activate / renew / upgrade.
4. Click any option listed in the ACTIONS column based on what you need to do with the service. The options listed for a service in the ACTIONS column depend on the status of the service.
   • To activate a FREE trial, click Try.
   • To activate a Security Service, click the Activate link.
   • To renew a Security Service, click the Renew link.
   • To upgrade a Security Service, click Upgrade.
5. Follow the prompts to activate/renew/upgrade the service license. After completion, you are returned to the Licenses page.
Synchronizing Changes
When you make changes to your Security Services in MySonicWall, you can synchronize them instead of waiting for the system to do it automatically.
To synchronize your MySonicWall account with the Services table in SonicOS management interface:
1. Navigate to Device | Settings > Licenses.
2. Click the Synchronize option above the SERVICES table.
Manual Upgrade for Closed Environments
If your SonicWall security appliance is deployed in a high-security environment that does not allow direct Internet connectivity from the SonicWall security appliance, you can enter the encrypted license key information from https://mysonicwall.com manually on the Device | Settings > Licenses page in the SonicOS management interface.
NOTE: Manual upgrade of the encrypted license keyset is only for closed environments. If your firewall is connected to the Internet, it is recommended you use the automatic registration and Security Services upgrade features of your appliance.
You need to perform steps 1 through 4 from a computer connected to the internet and then continue the procedure in the SonicOS Management Interface of the security appliance that does not have internet connectivity.
1. Make sure you have an account at https://mysonicwall.com and your SonicWall security appliance is registered to the account before proceeding.
2. After logging into MySonicWall, click on the serial number of your registered SonicWall security appliance listed in Product Management > My Products.
3. Click MANUAL UPGRADE and select Add keyset to your product. The scrambled text displayed is the License Keyset for the selected SonicWall security appliance and activated Security Services.
4. Click Copy Code to copy the Keyset text for pasting into the Settings | Licenses page.
5. Make sure your SonicWall appliance is running the latest version of SonicOS.
6. Navigate to Device | Settings > Licenses.
7. Click Manual License at the upper-right corner of the page.
8. Paste (or type) the Keyset (from step 3) into the Enter Keyset field in the Manual License Upgrade dialog.
9. Click APPLY to update your SonicWall security appliance. The status field at the bottom of the page displays The configuration has been updated.
10. You can generate the report from Device | Diagnostics > Tech Support Report to verify the upgrade details.
NOTE: After the manual upgrade, the Settings | Licenses page does not contain any registration and upgrade information.
Registering Your SonicWall Appliance
When you log in to your primary appliance for the first time, a Software Transaction Agreement (STA) form displays for your acceptance before you can proceed. If you are using a CLI, you must type (or select) Yes before proceeding. When you have accepted the STA, it is not shown for upgrades of either firmware or software.
NOTE: MySonicWall registration information is not sold or shared with any other company.

See the Quick Start Guide for your security appliance for additional information on applying licenses manually, synchronizing licenses manually, and upgrading firmware.
Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License
Your security appliance must be registered on MySonicWall to use these security services. See Registering Your SonicWall Appliance or the Quick Start Guide for your security appliance. Because SonicWall Anti-Spyware is part of SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention, the Activation Key you receive is for all three services on your SonicWall security appliance. If you do not have a SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention license activated on your SonicWall security appliance, you must purchase it from a SonicWall reseller or through your MySonicWall account (limited to customers in the USA and Canada).
Activating FREE TRIALs
You can try FREE TRIAL versions of SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention. For information about activating a free trial of any or all of the Security Services, see the Quick Start Guide for your security appliance or Managing Security Services Online.

System Administration

Configuring the Firewall Name
To configure the firewall name:
1. Navigate to Device | Settings > Administration.
2. Click Firewall Administrator.
3. Enter the hexadecimal serial number of the firewall in the Firewall Name field. This number uniquely identifies the SonicWall security appliance and defaults to the serial number of the firewall. The serial number is also the MAC address of the unit. To change the Firewall Name, enter a unique alphanumeric name in the Firewall Name field. It must be at least 8 characters in length and can be up to 63 characters long.
4. Enter a friendly name in the Firewall’s Domain Name field. The name can be private, for internal users, or an externally registered domain name. This domain name is used in conjunction with User Web Login Settings.
5. To facilitate recognition of the primary/secondary firewalls in the Event Logs, enable Auto-Append HA/Clustering suffix to Firewall Name. When this option is enabled, an appropriate suffix is appended automatically to the firewall name in the Monitor | Logs > System Logs page. This option is not selected by default. For more information about Event Logs, see the SonicOS 7.0 Logs (Monitor) document.

Enabling Wireless LAN and IPv6
To enable the visibility of a wireless LAN and/or IPv6:
1. Navigate to Device | Settings > Administration > Firewall Administrator.
2. Click Enable Wireless LAN and/or Enable IPv6. These options are selected by default. A confirmation message is displayed.
   IMPORTANT: Enabling or disabling the Wireless LAN feature requires a restart of the firewall.
   When WLAN is disabled:
   • All access point and wireless-related management interface pages do not display.
   • WLAN is not displayed as a zone type.
   • Any existing WLAN zones or objects become uneditable.
   When IPv6 is disabled, all IPv6 packets are dropped by the firewall and the Monitor | Tools and Monitor > Packet Monitor page displays the log messages.
3. Click OK.
Changing the Administrator Name and Password
Each SonicWall security appliance has a default administrator name of admin and a password of password.
To change the administrator name and/or password:
1. Navigate to Device | Settings > Administration.
2. Click Firewall Administrator.
3. Type the new name in the Administrator Login Name field. The Administrator Name can be changed from the default setting of admin to any word using alphanumeric characters up to 32 characters in length.
4. Perform the following steps to change the password, otherwise skip to step 4:
   a. Click Change Password.
   b. Type the old password in the Old Password field.
   c. Type the new password in the New Password field. The new password can be up to 32 alphanumeric and special characters.
   d. It is recommended you change the default password, password, to your own custom password. Enter a strong password that cannot be easily guessed by others. A strong password should have at least one uppercase letter, one lowercase letter, one number, and one special character. For example, MyP@ssw0rd.
   e. Type the new password again in the Confirm Password field.
   f. Click Accept.
5. To enforce Two-factor Authentication, select TOTP from the One-time Passwords Method drop-down. You can now bind your mobile authentication application with your user account during the next login.
6. Click Accept.

Configuring Login Security
The internal SonicOS Web-server supports TLS 1.1 and above with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations are not supported. This heightened level of HTTPS security protects against potential SSLv2 rollback vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards.
TIP: SonicOS uses advanced browser technologies, such as HTML5, which are supported in most recent browsers. SonicWall recommends using the latest Chrome, Firefox, Internet Explorer, or Safari (does not operate on Windows platforms) browsers for administration of SonicOS. Mobile device browsers are not recommended for SonicWall system administration.
Configuring SonicOS password constraint enforcement ensures that administrators and users are using secure passwords. This password constraint enforcement can satisfy the confidentiality requirements as defined by current information security management systems or compliance requirements, such as Common Criteria and the Payment Card Industry (PCI) standard.
Topics:
  • Configuring Password Compliance
  • Configuring Login Constraints
Configuring Password Compliance
To configure password compliance:
1. Navigate to Device | Settings > Administration.
2. Click Login / Multiple Administrators. Configure the following settings in the LOGIN SECURITY section.
3. To require users to change their passwords after a designated number of days has elapsed:
   a. Select Password must be changed every (days). The field becomes active. This option is not selected by default.
   b. Enter the elapsed time in the field. The default number of days is 90, the minimum is 1 day, and the maximum is 9999.
   When a user attempts to log in with an expired password, a popup window prompts the user to enter a new password. The User Login Status window now includes a Change Password button so users can change their passwords at any time.
4. To specify the minimum length of time, in hours, allowed between password changes:
   a. Select Change password after (hours). The field becomes active.
   b. Enter the number of hours. The minimum (and default) time is 1 hour; the maximum is 9999 hours.
5. To require users to use unique passwords for the specified number of password changes:
   a. Select Bar repeated passwords for this many changes. The field becomes active.
   b. Enter the number of changes. The default number is 4, the minimum number is 1, and the maximum number is 32.
6. To require users to change at least 8 alphanumeric/symbolic characters of their old password when creating a new one, select Apply password constrains. For how to specify what characters are allowed, see Step 7.
7. To specify the shortest allowed password, enter the minimum number of characters in the Enforce a minimum password length of field. The default number is 8, the minimum is 1, and the maximum is 99.
8. Choose how complex a user’s password must be to be accepted from the Enforce password complexity drop-down menu:
   • None (default)
   • Alphanumeric characters – Requires both alphabetic and numeric characters
   • Alphanumeric and symbolic characters – Requires alphabetic, numeric, and symbolic characters; for symbolic characters, only !, @, #, $, %, ^, &, *, (, and ) are allowed; all others are denied
9. When a password complexity option other than None is selected, the options under Complexity Requirement become active. Enter the minimum number of alphanumeric and symbolic characters required in a user’s password. The default number for each is 0, but the total number of characters for all options cannot exceed 99.
   • Upper Case Characters
   • Lower Case Characters
   • Number Characters
   • Symbolic Characters
   NOTE: The Symbolic Characters field becomes active only if Alphanumeric and symbolic characters is selected.
10. Select to which classes of users the password constraints are applied under Apply the above password constraints for. By default, all options are selected:
   • Admin: Refers to the default administrator with the username admin.
   • Other full admin
   • Limited admin
   • Guest admin
   • Other local users
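
The length and complexity settings from this procedure can be tried out before they are applied. The following is an added example, not SonicWall code: a Python pre-check that evaluates candidate passwords against a policy built from the documented ranges and symbol list. The class, field and mode names are hypothetical, and allowing symbols in the alphanumeric-only mode is an assumption.

```python
# Added example (not SonicWall code): pre-check candidate passwords against the
# password-compliance settings described in this procedure. Class, field and mode
# names are hypothetical; ranges and the symbol list are the ones the guide states.
import string
from dataclasses import dataclass

ALLOWED_SYMBOLS = frozenset("!@#$%^&*()")      # "all others are denied"
MODES = ("none", "alnum", "alnum_symbolic")    # the three drop-down choices


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8        # default 8, allowed range 1-99
    complexity: str = "none"   # None is the documented default
    min_upper: int = 0         # Complexity Requirement fields default to 0
    min_lower: int = 0
    min_digits: int = 0
    min_symbols: int = 0


def policy_problems(p):
    """Return the ways a policy falls outside what the guide allows."""
    problems = []
    counts = (p.min_upper, p.min_lower, p.min_digits, p.min_symbols)
    if not 1 <= p.min_length <= 99:
        problems.append("minimum length must be between 1 and 99")
    if p.complexity not in MODES:
        problems.append(f"unknown complexity mode {p.complexity!r}")
    if min(counts) < 0 or sum(counts) > 99:
        problems.append("per-class minimums must be >= 0 and total at most 99")
    if p.complexity == "none" and any(counts):
        problems.append("per-class minimums are inactive while complexity is None")
    elif p.min_symbols and p.complexity != "alnum_symbolic":
        problems.append("Symbolic Characters is active only in the symbolic mode")
    return problems


def password_violations(p, candidate):
    """Return the reasons `candidate` would be refused under policy `p`."""
    found = []
    if len(candidate) < p.min_length:
        found.append(f"shorter than {p.min_length} characters")
    if p.complexity == "none":
        return found                      # length is the only check in this mode
    upper = sum(c in string.ascii_uppercase for c in candidate)
    lower = sum(c in string.ascii_lowercase for c in candidate)
    digits = sum(c in string.digits for c in candidate)
    symbols = sum(c in ALLOWED_SYMBOLS for c in candidate)
    if upper + lower == 0:
        found.append("no alphabetic character")
    # Both non-None modes need a digit; the symbolic mode also needs a symbol.
    needs = [("upper case", upper, p.min_upper),
             ("lower case", lower, p.min_lower),
             ("number", digits, max(p.min_digits, 1))]
    if p.complexity == "alnum_symbolic":
        needs.append(("symbolic", symbols, max(p.min_symbols, 1)))
        known = string.ascii_letters + string.digits
        # Assumption: anything outside ASCII letters, digits and the listed
        # symbols is refused in this mode.
        rejected = sorted({c for c in candidate
                           if c not in known and c not in ALLOWED_SYMBOLS})
        if rejected:
            found.append("symbol not accepted: " + " ".join(rejected))
    for label, have, need in needs:
        if have < need:
            found.append(f"{label}: has {have}, needs {need}")
    return found


DEFAULTS = PasswordPolicy()
HARDENED = PasswordPolicy(complexity="alnum_symbolic", min_upper=1,
                          min_lower=1, min_digits=1, min_symbols=1)

if __name__ == "__main__":
    # "password" and "MyP@ssw0rd" appear in the guide; "My-Passw0rd" is constructed.
    for policy_name, policy in (("defaults", DEFAULTS), ("hardened", HARDENED)):
        for pw in ("password", "MyP@ssw0rd", "My-Passw0rd"):
            print(policy_name, repr(pw),
                  password_violations(policy, pw) or "accepted")
```

Under the default settings (minimum length 8, complexity None) the factory password `password` is accepted, which is why the complexity option has to be changed from its default for the policy to have any effect on weak passwords.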

Configuring Login Constraints

To configure login constraints: 1. Navigate to Device | Settings > Administration. 2. Click Login/Multiple Administrators.
In the LOGIN SECURITY section, configure the following:
1. To specify the length of inactivity time that elapses before you are automatically logged out of the Management Interface, enter the time, in minutes, in the Log out the Admin after inactivity of (mins) field. By default, the SonicWall Security Appliance logs out the administrator after 5 minutes of inactivity. The inactivity timeout can range from 1 to 9999 minutes. TIP: If the Administrator Inactivity Timeout is extended beyond five minutes, you should end every management session by clicking Logout in the upper right corner of the view to prevent unauthorized access to the firewall’s Management Interface.
2. To configure the SonicWall Security Appliance to lockout an administrator or a user if the login credentials are incorrect, enable Admin/user lockout. Both administrators and users are locked out of accessing the firewall after the specified number of incorrect login attempts. This option is disabled by default. When this option is enabled, the following fields become active. CAUTION: If the administrator and a user are logging into the firewall using the same source IP address, the administrator is also locked out of the firewall. The lockout is based on the source IP address of the user or administrator. a. Select Enable local admin/user account lockout (uncheck for login IP address lockout). This option locks out user accounts and IP addresses when they have surpassed a specified number of incorrect login attempts. This option is only available when admin/user lockout is enabled. b. Select Log event only without lockout for SonicOS to log failed user login attempts that have reached the established threshold, but does not lock out the user or IP address. This option is only available when Admin/user lockout is enabled.
   After a user or IP address is locked out, a “User login denied – User is locked out” message displays on the login screen and the login is rejected.
   NOTE: You can review and edit all locked out user accounts on the Active Users page when local admin/user account lockout is enabled.
   c. Enter the number of failed attempts within a specified time frame before the user is locked out in the Failed login attempts per minute before lockout field. The default number is 5, the minimum is 1, and the maximum is 99. Enter the maximum time in which failed attempts can be made. The default is 5 minutes, the minimum is 1 minute, and the maximum is 240 minutes (4 hours).
   d. Enter the length of time that must elapse before the user is allowed to attempt to log into the firewall again in the Lockout Period (mins) field. The default is 5 minutes, the minimum is 0 (permanent lockout), and the maximum is 60 minutes.
3. Enter the number of incorrect login attempts from the command line interface (CLI) that triggers a lockout in the Max login attempts through CLI field. The default is 5, the minimum is 3, and the maximum is 15.
4. Click Accept.
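The lockout settings above interact in ways that are easier to see in a model. The following is an added example, not SonicOS code: a small simulation of the documented policy fields that shows why source-IP lockout also blocks an administrator who shares an address with a failing user. The class names, the shared address and the exact counting rules are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5      # failed attempts before lockout (guide default: 5)
    window_mins: int = 5       # time frame in which failures are counted (default: 5)
    lockout_mins: int = 5      # Lockout Period (mins); 0 means permanent lockout
    per_account: bool = False  # True: lock the account; False: lock the source IP
    log_only: bool = False     # "Log event only without lockout"


class LoginGate:
    """Toy model of the policy; how SonicOS counts internally is not documented here."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = defaultdict(deque)  # key -> times (minutes) of recent failures
        self.locked_until = {}              # key -> unlock time, None = permanent
        self.events = []                    # (time, key) each time the threshold is hit

    def attempt(self, now, user, src_ip, password_ok):
        key = user if self.policy.per_account else src_ip
        if key in self.locked_until:
            until = self.locked_until[key]
            if until is None or now < until:
                return "denied-locked-out"
            del self.locked_until[key]      # lockout period has elapsed
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] >= self.policy.window_mins:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= self.policy.max_failures:
            self.events.append((now, key))
            recent.clear()
            if not self.policy.log_only:
                mins = self.policy.lockout_mins
                self.locked_until[key] = None if mins == 0 else now + mins
        return "failed"


def simulate(policy):
    """Constructed scenario: 'bob' and 'admin' reach the firewall from one NAT address."""
    gate = LoginGate(policy)
    shared_ip = "203.0.113.10"              # constructed documentation address
    for minute in range(5):                 # five bad passwords, minutes 0..4
        gate.attempt(minute, "bob", shared_ip, password_ok=False)
    return {
        "admin_at_5": gate.attempt(5, "admin", shared_ip, password_ok=True),
        "bob_at_6": gate.attempt(6, "bob", shared_ip, password_ok=True),
        "bob_at_9": gate.attempt(9, "bob", shared_ip, password_ok=True),
        "events": len(gate.events),
    }


if __name__ == "__main__":
    print("IP lockout:     ", simulate(LockoutPolicy()))
    print("Account lockout:", simulate(LockoutPolicy(per_account=True)))
    print("Log only:       ", simulate(LockoutPolicy(log_only=True)))
    print("Permanent:      ", simulate(LockoutPolicy(lockout_mins=0)))
```

With source-IP lockout the administrator is denied at minute 5 despite a correct password; with account lockout only the failing account is blocked.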
Multiple Administrators Support
SonicOS supports multiple concurrent administrators with full administrator privileges, read-only privileges, and limited privileges.

The original version of SonicOS supported only a single administrator to log on to a firewall with full administrative privileges. Additional users can be granted “limited administrator” access, but only one administrator can have full access to modify all areas of the SonicOS GUI at one time.

SonicOS provides support for multiple concurrent administrators. This feature allows multiple users to log in with full administrator privileges. In addition to using the default admin user name, additional administrator user names can be created. Because of the potential for conflicts caused by multiple administrators making configuration changes at the same time, only one administrator is allowed to make configuration changes. The additional administrators are given full access to the GUI, but they cannot make configuration changes.

Multiple Administrators Support provides the following benefits:
  • Improved productivity: Allowing multiple administrators to access a firewall simultaneously eliminates auto logout, a situation that occurs when two administrators require access to the appliance at the same time and one is automatically forced out of the system.
  • Reduced configuration risk: The new read-only mode allows users to view the current configuration and status of a firewall without the risk of making unintentional changes to the configuration.
Working of Multiple Administrators Support
Topics:
  • Configuration Modes
  • User Groups
  • Priority for Preempting Administrators
  • GMS and Multiple Administrator Support

Configuration Modes
To allow multiple concurrent administrators, while also preventing potential conflicts caused by multiple administrators making configuration changes at the same time, these configuration modes have been defined:

Configuration mode: Administrator has full privileges to edit the configuration. If no administrator is already logged into the appliance, this is the default behavior for administrators with full and limited administrator privileges (but not read-only administrators).
NOTE: Administrators with full configuration privilege can also log in using the Command Line Interface (CLI; see the SonicOS 7.0 CLI Reference Guide).

Read-only mode: Administrator cannot make any changes to the configuration, but can view the entire management UI and perform monitoring actions. Only administrators who are members of the SonicWall Read-Only Admins user group are given read-only access, and it is the only configuration mode they can access.

Non-configuration mode: Administrator can view the same information as members of the read-only group and they can also initiate management actions that do not have the potential to cause configuration conflicts. Only administrators who are members of the SonicWall Administrators user group can access non-configuration mode. This mode can be entered when another administrator is already in configuration mode and the new administrator chooses not to preempt the existing administrator. By default, when an administrator is preempted out of configuration mode, he or she is converted to non-configuration mode. On the Device | Settings > Administration page, this behavior can be modified so that the original administrator is logged out.

The Access rights available to configuration modes table summarizes the access rights available to the configuration modes. Access rights for limited administrators are also included, but note that this table does not include all functions available to limited administrators.

ACCESS RIGHTS AVAILABLE TO CONFIGURATION MODES

Columns: Function; Full admin in config mode; Full admin in non-config mode; Read-only administrator; Limited administrator.

Functions:
  • Import certificates
  • Generate certificate signing requests
  • Export certificates
  • Export appliance settings
  • Download TSR
  • Use other diagnostics
  • Configure network
  • Flush ARP cache
  • Setup DHCP Server
  • Renegotiate VPN tunnels
  • Log users off
  • Unlock locked-out users
  • Clear log
  • Filter logs
  • Export log
  • Email log
  • Configure log categories
  • Configure log settings
  • Generate log reports
  • Browse the full UI
  • Generate log reports

Full admin in config mode: X for every function listed.

[Table: the X marks for the Full admin in non-config mode, Read-only administrator and Limited administrator columns, including one "guest users only" entry, are not aligned to their rows in this copy.]


User Groups
The Multiple Administrators Support feature supports two new default user groups:
  • SonicWall Administrators: Members of this group have full administrator access to edit the configuration.
  • SonicWall Read-Only Admins: Members of this group have read-only access to view the full management interface, but they cannot edit the configuration and they cannot switch to full configuration mode.
It is not recommended to include users in more than one of these user groups. If you do so, however, the following behavior applies:

If members of this user group / Are

SonicWall Administrators: Also included in the Limited Administrators or SonicWall Read-Only Admins user groups, the members have full administrator rights.

Limited Administrators: Included in the SonicWall Read-Only Admins user group, the members have limited administrator rights.

Read-Only Admins: Later included in another administrative group, the If this read-only admin group is used with other administrative groups option in the SonicWall Read-Only Admins group configuration determines whether the members are still restricted to read-only access or have the full administration capabilities set by their other group.

Priority for Preempting Administrators
These rules govern the priority levels that the various classes of administrators have for preempting administrators that are already logged into the appliance:
1. The admin user and SonicWall Global Management System (GMS) both have the highest priority and can preempt any users.
2. A user who is a member of the SonicWall Administrators user group can preempt any users except for the admin and SonicWall GMS.
3. A user who is a member of the Limited Administrators user group can only preempt other members of the Limited Administrators group.
GMS and Multiple Administrator Support
When using SonicWall GMS to manage a firewall, GMS frequently logs in to the appliance (for such activities as ensuring that GMS management IPSec tunnels have been created correctly). These frequent GMS log-ins can make local administration of the appliance difficult because the local administrator can be preempted by GMS.


Configuring Multiple Administrator Access
To configure multiple administrator access:
1. Navigate to Device | Settings > Administration. Click Login / Multiple Administrators.
2. To configure what happens when one administrator preempts another administrator, from the On preemption by another admin option, select whether the preempted administrator can be converted to non-config mode or logged out:
   • Drop to non-config mode: Allows more than one administrator to access the appliance in non-config mode without disrupting other administrators. This option is not selected by default.
   • Log out: Allows the new administrator to preempt other sessions.
   NOTE: Selecting Log Out disables Non-Config mode and prevents entering Non-Config mode manually.
3. To allow a lower-priority administrator to preempt the current administrator after a specified time, enter the time, in minutes, in the Allow preemption by a lower priority administrator after inactivity of (mins) field. The default is 10 minutes, the minimum is 1 minute, and the maximum is 9999 minutes.
4. The SonicOS Management Interface allows administrators to send text messages through the Management Interface to other administrators logged into the appliance. The message appears in the browser’s status bar. To enable this option:
   a. Select Inter-administrator messaging. The Messaging polling interval (seconds) field becomes active.
   b. Specify how often an administrator’s browser checks for inter-administrator messages in the Messaging polling interval (secs) field. Specify a reasonably short interval to ensure timely delivery of messages, especially if there are likely to be multiple administrators who need to access the appliance. The default is 10 seconds, the minimum is 1 second, and the maximum is 99 seconds.
5. To enable access by System Administrators, Cryptographic (Crypto) Administrators, and Audit Administrators, select Multiple Admin Roles. When this option is disabled, these administrators cannot access the system, and all related user groups and information about them are hidden. This option is not selected by default.
Enabling Enhanced Audit Logging Support
An enhanced log entry contains the parameter changed and user name in the Monitor | Logs > System Events page.
To enable logging of all configuration changes in the Monitor | Logs > System Logs page:
1. Navigate to Device | Settings > Administration.
2. Click Audit / SonicOS API.
3. In the ENHANCED AUDIT LOGGING SUPPORT section, enable Enhanced Audit Logging.
4. Click ACCEPT.
Configuring the Wireless LAN Controller
To enable wireless controller mode:
IMPORTANT: You must reboot the firewall after changing Wireless Controller modes.
1. Navigate to Device | Settings > Administration.
2. Click Audit/SonicOS API.
3. In the Wireless LAN Controller section, select any one of the options from the Wireless Controller Mode drop-down menu:
   • Wireless-Controller-Only (default): This option enables wireless controller mode.
   • Non-Wireless: This option enables non-wireless controller mode.
   • Full-Feature-Gateway: This option enables normal firewall mode.
4. After you select the appropriate wireless controller mode, click OK in the warning message displayed.
5. Click Accept.
Enabling SonicOS API and Configuring Authentication Methods
You can use SonicOS API as an alternative to the SonicOS Command Line Interface (CLI) for configuring selected functions. To do so, you must first enable SonicOS API. For more information about SonicOS API, see the SonicOS 7.0 API document available at https://www.sonicwall.com/support/technical-documentation/.
To enable SonicOS API and configure client authentication:
1. Navigate to Device | Settings > Administration.
2. Click Audit / SonicOS API.
3. In the SONICOS API section, enable SonicOS API.
4. Select any of the authentication methods for initial client authentication:
   • RFC-7616 HTTP Digest Access authentication
     • Select the appropriate digest algorithms: SHA256 (default), MD5
     • Integrity protection: Disabled (default), Allowed, or Enforced.
     • Session variant (password hashes in place of passwords): Disabled, Allowed (default), or Enforced
   • CHAP authentication.
   • RFC-2617 HTTP Basic Access authentication
   • Public Key Authentication
     • RSA modulus (key/cipher size in bits): 2014 is the default.
     • RSA padding type: PKCS#1 v1.5 or PKCS#1 v2.0 OAEP
     • OAEP hash method: SHA-1, SHA-256, or Other
     • OAEP mask (MGF1) method: SHA1, SHA-256, or Other
   • Session security using RFC-7616 Digest Access Authentication
     • Can hold user passwords received from the client.
     • Maximum nonce use: 10 by default
   • Two-Factor and Bearer Token Authentication
5. Click Accept.
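The digest options in step 4 (digest algorithm, integrity protection, session variant, maximum nonce use) name mechanisms defined in RFC 7616. The following added example, which is not SonicWall code, computes the RFC 7616 response and sketches a server-side check that enforces an allowed-algorithm list and a nonce-use cap. It assumes that Integrity protection maps to qop=auth-int, Session variant to the "-sess" algorithms, and Maximum nonce use to a limit on the nonce count; the class name, status strings and sample request (the RFC 7616 test values) are illustrative.

```python
import hashlib
import hmac

HASHES = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}


def _hex(alg, text):
    return HASHES[alg](text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    algorithm="SHA-256", qop="auth", session=False, body=b""):
    """Return the RFC 7616 'response' value for one request."""
    ha1 = _hex(algorithm, f"{username}:{realm}:{password}")
    if session:
        # "-sess" variant: the session key is derived from H(user:realm:password),
        # so a verifier can hold that hash in place of the password.
        ha1 = _hex(algorithm, f"{ha1}:{nonce}:{cnonce}")
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        # Integrity protection: the hash of the request body is bound into A2.
        a2 += ":" + HASHES[algorithm](body).hexdigest()
    return _hex(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{_hex(algorithm, a2)}")


class DigestVerifier:
    """Hypothetical server-side check; names and policy fields are assumptions."""

    def __init__(self, realm, passwords, allowed=("SHA-256",), max_nonce_use=10):
        self.realm = realm
        self.passwords = passwords
        self.allowed = set(allowed)
        self.max_nonce_use = max_nonce_use
        self._highest_nc = {}          # nonce -> highest nonce count accepted so far

    def register_nonce(self, nonce):
        """Record a nonce the server has just issued in a challenge."""
        self._highest_nc[nonce] = 0

    def verify(self, req, method, body=b""):
        session = req["algorithm"].endswith("-sess")
        base = req["algorithm"][:-5] if session else req["algorithm"]
        if base not in self.allowed:
            return "algorithm-not-allowed"
        if req["nonce"] not in self._highest_nc:
            return "unknown-nonce"
        nc = int(req["nc"], 16)
        if nc <= self._highest_nc[req["nonce"]]:
            return "replayed-nc"       # same or older count: a replayed request
        if nc > self.max_nonce_use:
            return "stale-nonce"       # client must obtain a fresh challenge
        known = req["username"] in self.passwords
        expected = digest_response(
            req["username"], self.realm, self.passwords.get(req["username"], ""),
            method, req["uri"], req["nonce"], req["nc"], req["cnonce"],
            algorithm=base, qop=req["qop"], session=session, body=body)
        # Constant-time comparison of the two hex strings.
        if not (hmac.compare_digest(expected, req["response"]) and known):
            return "bad-credentials"
        self._highest_nc[req["nonce"]] = nc
        return "ok"


# Constructed sample request: the published RFC 7616 section 3.9.1 test values.
RFC_REQUEST = {
    "username": "Mufasa", "uri": "/dir/index.html", "algorithm": "SHA-256",
    "nonce": "7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
    "nc": "00000001", "qop": "auth",
    "cnonce": "f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ",
    "response": "753927fa0e85d155564e2e272a28d1802ca10daf4496794697cf8db5856cb6c1",
}


def demo():
    verifier = DigestVerifier("http-auth@example.org",
                              {"Mufasa": "Circle of Life"}, max_nonce_use=2)
    verifier.register_nonce(RFC_REQUEST["nonce"])
    return [
        verifier.verify(RFC_REQUEST, "GET"),                        # valid request
        verifier.verify(RFC_REQUEST, "GET"),                        # same nc again
        verifier.verify({**RFC_REQUEST, "nc": "00000003"}, "GET"),  # past the cap
        verifier.verify({**RFC_REQUEST, "algorithm": "MD5"}, "GET"),
    ]


if __name__ == "__main__":
    print(demo())
```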
Enabling GMS Management
NOTE: For more information on SonicWall Global Management System, see the SonicWall GMS and SonicWall Management Services administration documentation, available at https://www.sonicwall.com/support/technical-documentation/.
To configure the Security Appliance for GMS management:
1. Navigate to Device | Settings > Administration.
2. Click Audit / SonicOS API.
3. Scroll to the ADVANCED MANAGEMENT section.
4. Enable Management using GMS. The Configure button becomes available.
5. Click Configure. The GMS Settings screen is displayed.
6. Enter the host name or IP address of the GMS Console in the GMS Host Name or IP Address field.
7. Enter the port in the GMS Syslog Server Port field. The default value is 514.
8. To send only heartbeat status instead of log messages, select Send Heartbeat Status Messages Only.
9. If the GMS Console is placed behind a device using NAT on the network, select GMS behind NAT Device. When you select GMS behind NAT Device, the NAT Device IP Address field becomes active.
10. Enter the IP address of the NAT device in the NAT Device IP Address field.
11. Select one of the following GMS modes from the Management Mode drop-down menu:
   • IPSEC Management Tunnel – Allows the firewall to be managed over an IPsec VPN tunnel to the GMS management console. If you selected this option, go to step 11.
   • Existing Tunnel – Uses an existing VPN tunnel over the connection between the GMS server and the firewall. If you selected this option, go to step 13.
   • HTTPS – Allows HTTPS management from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWall firewall also sends encrypted syslog packets and SNMP traps using 3DES and the firewall administrator’s password. Options for configuring the GMS reporting server display. If you selected this option, go to step 12.
12. The default IPsec VPN settings are displayed with values populated by SonicOS. Verify the settings.

   a. From Encryption Algorithms, select the appropriate algorithm.
   b. Optionally, enter a new encryption key in the Encryption Key field:

      For     The key must be
      DES     16 hexadecimal characters
      3DES    48 hexadecimal characters

   c. Optionally, enter a new authentication key in the Authentication Key field:

      For     The key must be
      MD5     32 hexadecimal characters
      SHA1    40 hexadecimal characters

   d. Go to Step 13.
13. SonicOS needs to know the GMS reporting server.

a. Select Send Syslog Messages to a Distributed GMS Reporting Server. The GMS Reporting Server IP Address and GMS Reporting Server Port options become available.
   b. In the GMS Reporting Server IP Address field, enter the IP address of the GMS server.
   c. In the GMS Reporting Server Port field, enter the port of the GMS server. The default port is 514.
14. Click OK.
15. Click Accept.
Configuring the Management Interface
In this section, you configure:
  • How the Management Interface tables display.
  • Certificate usage.
  • Whether you are operating in Configuration or Non-Config mode.
  • Other management options.
Topics:
  • Managing through HTTP/HTTPS
  • Selecting a Security Certificate
  • Controlling the Management Interface Tables
  • Enforcing TLS Version
  • Switching Configuration Modes
  • Deleting Browser Cookies
  • Configuring SSH Management
Managing through HTTP/HTTPS
You can manage the SonicWall security appliance using HTTP or HTTPS and a Web browser. HTTP web-based management is disabled by default. Use HTTPS to log into the SonicOS Management Interface with factory default settings.
To manage through HTTP or HTTPS:
1. Navigate to Device | Settings > Administration.
2. Click Management.
3. To enable HTTP management globally, select Allow management via HTTP in the WEB MANAGEMENT SETTINGS section. This option is not selected by default.
4. The default port for HTTP is port 80, but you can configure access through another port. Enter the number of the desired port in the HTTP Port field.
   IMPORTANT: If you configure another port for HTTP management, you must include the port number when you use the IP address to log into the SonicWall Security Appliance. For example, if you configure the port to be 76, then you must type LAN IP Address:76 into the Web browser, for example, http://192.18.16.1:76.
5. The default port for HTTPS management is 443. To add another layer of security for logging into the SonicWall Security Appliance by changing the default port, enter the preferred port number into the HTTPS Port field.
   IMPORTANT: If you configure another port for HTTPS management, you must include the port number when you use the IP address to log into the SonicWall Security Appliance. For example, if you use 700 for the port, then you must log into the SonicWall using the port number as well as the IP address; for example, https://192.18.16.1:700.
Selecting a Security Certificate
Security certificates provide data encryption and a secure web site.
To specify the type of security certificate:
1. Navigate to Device | Settings > Administration.
2. Click Management.
3. From the Certificate Selection drop-down box, select the type of certificate for your website:
   • Use Self-signed Certificate, which allows you to continue using a certificate without downloading a new one each time you log into the SonicWall Security Appliance. This option is selected by default. Go to Step 3.
   • Import Certificate to select an imported certificate from the Device | Settings > Certificates page to use for authentication to the management interface. A confirmation message displays.
     a. Click OK. The Device | Settings > Certificates page is displayed.
     b. See Managing Certificates section.
4. In the Certificate Common Name field, enter the IP address or common name for the firewall. If you choose Use Self-signed Certificate, SonicOS populates the field with the firewall’s IP address.
5. Click Accept.

To regenerate a Self-Signed Certificate:
1. Navigate to Device | System > Administration > Management.
2. In the WEB MANAGEMENT SETTINGS section, click Regenerate Certificate.
3. Click OK in the confirmation message that is displayed.
Controlling the Management Interface Tables
The SonicWall Management Interface allows you to control the display of large tables of information across all tables in the Management Interface by changing the:
  • Number of table entries displayed on a page.
  • Frequency of background automatic refresh of tables.

Some tables have individual settings for items per page that are initialized at login to the value configured here. After these pages are viewed, their individual settings are maintained. Subsequent changes made here affect these pages only following a new login.

To change the display and refresh of tables:
1. Navigate to Device | Settings > Administration.
2. Click Management.
3. In the WEB MANAGEMENT SETTINGS section:
   a. Enter the desired number of items per page in the Default Table Size (items per page) field. The minimum is 1, the maximum is 5000, and the default is 50.
   b. Enter the desired refresh interval, in seconds, in the Auto-updated Table Refresh Interval (secs) field. The minimum is 1 second, the maximum is 300 seconds, and the default is 10 seconds.
4. Click Accept.
Enforcing TLS Version
SonicOS supports versions 1.0, 1.1, and 1.2 of the Transport Layer Security (TLS) protocol. You can ensure that the more secure version 1.1 and above are used.
To enforce use of TLS versions 1.1 and above:
1. Navigate to Device | Settings > Administration.
2. Click Management.
3. In the WEB MANAGEMENT SETTINGS section, enable Enforce TLS 1.1 and Above.
4. Click Accept.
Switching Configuration Modes
Each appliance includes a Mode option that toggles the configuration mode of the Management Interface. If you are in Configuration Mode, you can switch to Non-Config Mode at any time, or if you are in Non-Config Mode, you can switch to Configuration Mode.
TIP: This method is in addition to switching modes from the Mode setting on each view. For more information about modes, see the SonicOS 7.1 About SonicOS documentation.
To switch modes:
1. Navigate to Device | Settings > Administration.
2. Click Management.
3. In the WEB MANAGEMENT SETTINGS section, if you are in:
   • Configuration Mode, click End Config Mode, and click OK. The Mode indicator in the top right of the page displays Non-Config.
   • Non-Config Mode, click Configuration Mode. The Mode indicator in the top right of the page displays Configuration.
Deleting Browser Cookies
IMPORTANT: Deleting cookies causes you to lose any unsaved changes made in the Management Interface.
To delete all browser cookies saved by the Security Appliance:
1. Navigate to Device | Settings > Administration.
2. Click Management.
3. Click Delete Cookies.
4. Click OK.
Configuring SSH Management
If you use SSH to manage the firewall, you can change the SSH port for additional security.
To change the SSH port:
1. Navigate to Device | Settings > Administration.
2. Click Management.
3. Scroll to SSH MANAGEMENT SETTINGS.
4. Enter the port in the SSH Port field. The default SSH port is 22.
5. Click Accept.
Client Certificate Verification
You can configure certificate verification with or without a Common Access Card (CAC). NOTE: None of the options is selected by default.
Topics:
  • About Common Access Card
  • Configuring Client Certificate Verification
  • Using the Client Certificate Check
  • Troubleshooting User Lock Out
About Common Access Card
A Common Access Card (CAC) is a United States Department of Defense (DoD) smart card used by military personnel and other government and non-government personnel who require highly secure access over the Internet. A CAC uses PKI authentication and encryption.
NOTE: Using a CAC requires an external card reader connected on a USB port. The Client Certificate Check was developed for use with a CAC; however, it is useful in any scenario that requires a client certificate on an HTTPS/SSL connection. CAC support is available for client certification only on HTTPS connections.
NOTE: CACs might not work with browsers other than Microsoft Internet Explorer.
Configuring Client Certificate Verification
To configure Client Certificate Check:
1. Navigate to Device | Settings > Administration.
2. Click Certificate Check.
3. To enable client certificate checking and CAC support on the SonicWall Security Appliance, select Enable Client Certificate Check. If you enable this option, the other options become available. A warning confirmation message displays:
4. Click OK.
5. To activate the client certification cache, select Enable Client Certificate Cache.
   NOTE: The cache expires 24 hours after being enabled.
6. To specify from which certificate field the user name is obtained, choose an option from User Name Field:
   • Subject: Common Name (default)
   • Sub Alt: Email
   • Sub Alt: Microsoft Universal Principal Name
7. To select a Certification Authority (CA) certificate issuer, choose one from the Client Certificate Issuer drop-down menu. The default is thawte Primary Root CA – G3.
   NOTE: If the appropriate CA is not listed, you need to import that CA into the SonicWall Security Appliance. See Managing Certificates section.
8. To select how to obtain the CAC user group membership and, thus, determine the correct user privilege, choose from the CAC user group memberships retrieve method drop-down menu:
   • Local Configured (default) – If selected, you should create local user groups with proper memberships.
   • From LDAP – If selected, you need to configure the LDAP server. (See the Configuring the SonicWall for LDAP section in the SonicOS 7.0 Users document, available at https://www.sonicwall.com/support/technical-documentation/.)
9. To enable the Online Certificate Status Protocol (OCSP) check to verify the client certificate is still valid and has not been revoked, select Enable OCSP Checking. When this option is enabled, the OCSP Responder URL field displays and the Enable periodic OCSP Check option displays.
   Enter the URL of the OCSP server that verifies the status of the client certificate in the OCSP Responder URL field. The OCSP Responder URL is usually embedded inside the client certificate and does not need to be entered. If the client certificate does not have an OCSP link, you can enter the URL link. The link should point to the Common Gateway Interface (CGI) on the server side, which processes the OCSP checking. For example: http://10.103.63.251/ocsp.
10. To enable a periodic OCSP check for the client certificate for verifying that the certificate is still valid and has not been revoked:
   a. Select Enable periodic OCSP Check. The OCSP check interval field becomes available.
   b. Enter the interval between OCSP checks, in hours, in the OCSP check interval 1~72 (in hours) field. The minimum interval is 1 hour, the maximum is 72 hours, and the default is 24 hours.
11. Click Accept.
Using the Client Certificate Check
If you use the client certificate check without a CAC, you must manually import the client certificate into the browser. If you use the Client Certificate Check with a CAC, the client certificate is automatically installed on the browser by middleware. When you begin a management session through HTTPS, a certificate selection window asks you to confirm the certificate. After you select the client certificate from the drop-down menu, the HTTPS/SSL connection is resumed, and the SonicWall Security Appliance checks the Client Certificate Issuer to verify that the client certificate is signed by the CA. If a match is found, the administrator login page displays. If no match is found, the browser displays a standard browser connection fail message, such as:
…..cannot display web page!

If OCSP is enabled, before the administrator login page is displayed, the browser performs an OCSP check and displays the following message while it is checking.

Client Certificate OCSP Checking…..

If a match is found, the administrator login page is displayed, and you can use your administrator credentials to continue managing the SonicWall Security Appliance. If no match is found, the browser displays:

OCSP Checking fail! Please contact system administrator!
Checking Certificate Expiration
To activate periodic checks of certificate expiration:
1. Navigate to Device | Settings > Administration > Certificate Check.
2. In the CHECK CERTIFICATE EXPIRATION SETTINGS section, select Enable periodic certificate expiration check. This option is selected by default. When enabled, the Certificate expiration alert interval field becomes available.
3. To set the interval between certificate checks, in hours, enter the interval in the Certificate expiration alert interval: 1 – 168 (in hours) field. The minimum time is 1 hour, the maximum is 168 hours, and the default is 168.
4. Click Accept.
Troubleshooting User Lock Out
When using the client certificate feature, these situations can lock the user out of the SonicWall Security Appliance:
  • Enable Client Certificate Check is checked, but no client certificate is installed on the browser.
  • Enable Client Certificate Check is checked and a client certificate is installed on the browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate Issuer is selected.
  • Enable OCSP Checking is enabled, but either the OCSP server is not available or a network problem is preventing the SonicWall Security Appliance from accessing the OCSP server.

To restore access to a user who is locked out, the following CLI commands are provided:
  • web-management client-cert disable
  • web-management ocsp disable

Selecting a Language

If your firmware contains other languages besides English, one can be selected from Language Selection.
NOTE: Changing the language of the SonicOS Management Interface requires that the SonicWall Security Appliance be rebooted.
To select a language for the Management Interface:
1. Navigate to Device | Settings > Administration.
2. Click Language.
3. In the LANGUAGE section, select the appropriate language from the Language Selection drop-down box.
4. Click Accept.
Configuring Time Settings
The Device | Settings > Time page provides a way to define the time and date settings used to time stamp log events, to automatically update SonicWall Security Services, and for other internal purposes.
By default, the SonicWall security appliance uses an internal list of public NTP servers to update the time automatically. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes to a fraction of a millisecond.
Setting System Time
You set the system time in the Settings screen of the Device | Settings > Time page.
To set the system time:
1. Navigate to Device | Settings > Time.
2. On the Settings screen, select the time zone you are in from the Time Zone drop-down list.
3. To set the time automatically, select Set time automatically using NTP to use NTP (Network Time Protocol) servers from an internal list. This option is selected by default.
4. To set the time manually:
   a. Clear Set time automatically using NTP. The Date/Time option becomes available.
   b. Click the calendar icon in the Date/Time field to display the calendar.
   c. Select the date, hour, minute, and seconds in the calendar.
   d. Click away from the calendar to accept the settings.
5. To enable automatic adjustments for daylight savings time, select Automatically adjust clock for daylight saving time. For those areas that observe daylight savings time, this option is selected by default.
6. To use universal time (UTC) rather than local time for log events, select Display UTC in logs (instead of local time). This option is not selected by default.
7. To display the date in International format, with the day preceding the month, select Display date in International format.
8. To use the manually entered list of NTP servers to set the firewall clock rather than the internal list of NTP servers, select Only use custom NTP servers. IMPORTANT: Select this option only if you have configured one or more NTP servers. For more information about NTP servers, see Configuring NTP Settings.
9. Click Accept.
Configuring NTP Settings
Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a millisecond, and sometimes, to a fraction of a millisecond.
TIP: The SonicWall security appliance uses an internal list of NTP servers, so manually entering an NTP server is optional.

Using a Custom NTP Server for Updating the Firewall Clock
To use a local server to set the firewall clock:
1. Navigate to Device | Settings > Time.
2. Add one or more NTP servers as described in Adding an NTP Server.
3. Select Only use custom NTP servers (see Setting System Time). This option is not selected by default.
4. To configure the frequency for the NTP server to update the firewall, enter the interval in Update Interval every (minutes). The default value is 60 minutes. The range is 5 to 99,999 minutes.
5. Click Accept.
Adding an NTP Server
To add an NTP server to the firewall configuration:
1. Click the NTP Servers tab on the Device | Settings > Time page.
2. Click the +Add button. The Add NTP Server dialog is displayed.
3. Type the IP address of the remote NTP server in the NTP Server field.
4. Select the authentication type from the NTP Auth Type drop-down list:
   a. No Auth – Authentication is not required and the following three options are dimmed. Go to Step 8.
   b. MD5 – Authentication is required and the following three options are active.
5. Enter the Trust Key number in the Trust Key No field. The minimum is 1 and the maximum is 65535.
6. Enter the Key number in the Key Number field. The minimum is 1 and the maximum is 65535.
7. Enter the password in the Password field.
8. Click Add. A Success message is displayed.
9. Click Close to return to the NTP Servers screen. The NTP Server table shows the added server.
Editing an NTP Server Entry
To edit an NTP server entry:
1. Navigate to the NTP Servers screen on the Device | Settings > Time page.
2. In the NTP Server table, hover over the row with the NTP server and click the Edit icon. The Add NTP Server dialog opens, displaying the current settings for the server.
3. Make the changes. For more information, see Adding an NTP Server.
4. Click Edit.
Deleting NTP Server Entry
To delete an NTP server entry:
1. Navigate to the NTP Servers screen on Device | Settings > Time.
2. In the NTP Server table, hover over the row with the NTP server and click the Delete icon.
3. Click OK.
To delete multiple NTP servers:
1. Navigate to the NTP Servers screen on Device | Settings > Time.
2. Select the checkboxes next to the NTP servers that you want to delete.
   NOTE: To delete all the NTP servers, select the checkbox next to the NTP Server table title.
3. Click the Delete button at the top right of the table.
4. Click OK.

6
Managing Certificates
To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third-party CA service. When you have a valid CA certificate, you can import it into the firewall to validate your Local Certificates. You import the valid CA certificate into the firewall using the Device | Settings > Certificates page. After you import the valid CA certificate, you can use it to validate your local certificates. SonicOS provides a large number of certificates with the SonicWall network security appliance; these are built-in certificates and cannot be deleted or configured. SonicOS supports a local Certificate Revocation List (CRL), which is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. For further information about local CRL, contact Technical Support.
About Digital Certificates
A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). The X.509 v3 certificate standard is a specification used with cryptographic certificates and allows you to define extensions that you can include with your certificate. SonicWall has implemented this standard in its third-party certificate support.
You can use a certificate signed and verified by a third-party CA with an IKE (Internet Key Exchange) VPN policy. IKE is an important part of IPsec VPN solutions, and it can use digital certificates to authenticate peer devices before setting up Security Associations (SAs). Without digital certificates, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices or clients using digital signatures do not require configuration changes every time a new device or client is added to the network.
A typical certificate consists of two sections: a data section and a signature section. The data section typically contains information such as the version of X.509 supported by the certificate, a certificate serial number, information about the user’s public key, the Distinguished Name (DN), validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature.
SonicWall Security Appliances interoperate with any X.509v3-compliant provider of Certificates. SonicWall Security Appliances have been tested with the following vendors of Certificate Authority Certificates:
• Entrust
• Microsoft
• OpenCA
• OpenSSL and TLS
• VeriSign
Topics:
• About the Certificates Table
• Importing Certificates
• Deleting Certificates
• Generating a Certificate Signing Request
• Configuring Simple Certificate Enrollment Protocol
About the Certificates Table

The Certificates page provides all the settings for managing CA and Local Certificates. The table on the Certificates page displays this information about certificates:

Column: Information displayed
CERTIFICATE: Name of the certificate.
TYPE: Type of certificate:
   • CA certificate
   • Local certificate
   • Pending request
VALIDATED: Validation information:
   • Blank
   • Self-signed
   • Expire in n days
   • Expired
Expires: Date and time the certificate expires.

About Certificate Details
Clicking on the certificate’s row in the table displays information about the certificate, which might include the following, depending on the type of certificate:

• Signature Algorithm
• Certificate Issuer
• Subject Distinguished Name
• Public Key Algorithm
• Certificate Serial Number
• Valid from
• Expires On
• CRL Status (for Pending requests and local certificates)
The details depend on the type of certificate. Certificate Issuer, Certificate Serial Number, Valid from, and Expires On are not shown for Pending requests because this information is generated by the Certificate provider.
Importing Certificates
After your CA service has issued a Certificate for your Pending request, or has otherwise provided a Local Certificate, you can import it for use in VPN or Web Management authentication. CA Certificates might also be imported to verify local Certificates and peer Certificates used in IKE negotiation.

Topics:
• Importing a Certificate Authority Certificate
• Importing a Local Certificate
• Creating a PKCS-12 Formatted Certificate File (Linux Systems Only)
Importing a Local Certificate
To import a certificate from a certificate authority:
1. Navigate to Device | Settings > Certificates.
2. Click Import. The IMPORT CERTIFICATE dialog is displayed.
3. Enter a certificate name in the Certificate Name field.
4. Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the Certificate Management Password field.
5. Click Add File to locate the certificate file.
6. Select the certificate and click Open.
7. Click Import to import the certificate into the firewall. When it is imported, you can view the certificate entry in the Certificates table.
8. Click the certificate displayed on the Certificates page to view its status and other details.

Importing a Certificate Authority Certificate
To import a certificate authority certificate:
1. Navigate to Device | Settings > Certificates.
2. Click Import. The IMPORT CERTIFICATE dialog is displayed.
3. Choose Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate dialog settings change.
4. Click Add File and locate the certificate file.
5. Click Open.
6. Click Import to import the certificate into the firewall. When it is imported, you can view the certificate entry in the Certificates table.
7. Click the certificate displayed on the Certificates page to view its status and other details.
Creating a PKCS-12 Formatted Certificate File (Linux Systems Only)
A PKCS-12 formatted certificate file can be created on a Linux system with OpenSSL. To create a PKCS-12 formatted certificate file, you need the two main components of the certificate:
• Private key (typically a file with a .key extension or the word key in the filename)
• Certificate with a public key (typically a file with a .crt extension or the word cert as part of the filename)
For example, the Apache HTTP server on Linux has its private key and certificate in these locations:
• /etc/httpd/conf/ssl.key/server.key
• /etc/httpd/conf/ssl.crt/server.crt
With these two files available, run the following command:
    openssl pkcs12 -export -out out.p12 -inkey server.key -in server.crt
In this example, out.p12 becomes the PKCS-12 formatted certificate file, and server.key and server.crt are the PEM-formatted private key and certificate file, respectively. After running the openssl command, you are prompted for the password to protect (encrypt) the file. After you choose the password, the creation of the PKCS-12 formatted certificate file is complete, and it can be imported into the appliance.

Deleting Certificates
NOTE: Built-in certificates cannot be deleted.
You can delete an imported certificate if it has expired or if you decide not to use third-party certificates for VPN authentication. You can always delete certificates you created.
To delete a certificate:
1. Navigate to Device | Settings > Certificates.
2. Hover over the certificate and click the Delete icon.
To delete multiple certificates:
1. Navigate to Device | Settings > Certificates.
2. Select the certificates that you want to delete by selecting the checkbox(es) next to the certificates.
   TIP: To select all the certificates, select the checkbox next to the Certificate column in the header row.
3. Click the Delete icon at the top of the table.

Generating a Certificate Signing Request
You should create a Certificate Policy to be used in conjunction with local certificates. A Certificate Policy determines the authentication requirements and the authority limits required for the validation of a certificate.
To generate a certificate signing request:
1. Navigate to Device | Settings > Certificates.
2. Click New Signing Request. The Certificate dialog is displayed.
3. Enter an alias name for the certificate in the Certificate Alias field.
4. Create a Distinguished Name (DN) using the drop-down menus shown in the table below, then enter information for the certificate in the associated fields.
   NOTE: For each DN, you can select your country from the associated drop-down menu; for all other components, enter the information in the associated field.

Drop-down menu: Select appropriate information
Country: Country (default); State; Locality or County; Company or Organization
State: Country; State (default); Locality, City, or County; Company or Organization; Department
Locality, City, or County: Locality, City, or County (default); Company or Organization; Department; Group; Team
Company or Organization: Company or Organization (default); Department; Group; Team; Common Name; Serial Number; E-Mail Address
Department: Department (default); Group; Team; Common Name; Serial Number; E-Mail Address
Group: Group (default); Team; Common Name; Serial Number; E-Mail Address
Team: Team (default); Common Name; Serial Number; E-Mail Address
Common Name: Common Name (default); Serial Number; E-Mail Address


As you enter information for the components, the Distinguished Name (DN) is created in the Subject Distinguished Name field.

5. Optionally, you can also attach a SUBJECT ALTERNATIVE NAME to the certificate after selecting the type from the drop-down menu:
   • Domain Name
   • Email Address
   • IPv4 Address
6. Select a signature algorithm from the Signature Algorithm drop-down menu:
   • SHA1 (default)
   • MD5
   • SHA256
   • SHA384
   • SHA512
7. Select a subject key type from the Subject Key Type drop-down menu:
   • RSA (default): A public key cryptographic algorithm used for encrypting data.
   • ECDSA: Encrypts data using the Elliptic Curve Digital Signature Algorithm, which has a high strength-per-key-bit security.
8. Select a subject key size or curve from the Subject Key Size/Curve drop-down menu.
   NOTE: Not all key sizes or curves are supported by a Certificate Authority; therefore, you should check with your CA for supported key sizes.
   If you selected a key type of RSA, select a key size:
   • 1024 bits (default)
   • 1536 bits
   • 2048 bits
   • 4096 bits
   If you selected a key type of ECDSA, select a curve:
   • prime256v1: X9.62/SECG curve over a 256 bit prime field (default)
   • secp384r1: NIST/SECG curve over a 384 bit prime field
   • secp521r1: NIST/SECG curve over a 521 bit prime field

9. Click Generate to create a certificate signing request file. When the Certificate Signing Request is generated, a message describing the result is displayed and a new entry appears in the Certificates table with the type Pending request.
10. Click the Export icon. The Export Certificate Request dialog is displayed.
11. Click the Export icon to download the file to your computer. An Opening dialog displays.
12. Click OK to save the file to a directory on your computer. You have generated the Certificate Request that you can send to your Certificate Authority for validation.
13. Click the Upload icon to upload the signed certificate for a signing request. The Upload Certificate dialog is displayed.
14. Click Choose File to select a file.
15. Select the file and click Open.
16. Click UPLOAD.
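An added example (not from the SonicOS guide): a standard-library Python check that reads the signature algorithm and RSA key size out of an exported PEM signing request and flags the SHA1, MD5 and sub-2048-bit RSA choices offered in steps 6 to 8. The 2048-bit threshold is an assumed local policy, and the requests built by `constructed_csr` are unsigned skeletons constructed for the demonstration, not usable CSRs.

```python
import base64

# OIDs for the signature algorithms the guide lists as SHA1 (default) and MD5.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
RSA_KEY_OID = "1.2.840.113549.1.1.1"
MIN_RSA_BITS = 2048  # assumption: local policy threshold, not a SonicOS setting


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def oid_to_str(val):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for byte in val[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def audit_csr(pem):
    """Report the signature algorithm and RSA key size of a PEM PKCS#10 request."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    _, request, _ = read_tlv(base64.b64decode(body))
    # Request { info { version, subject, publicKeyInfo, [0] attrs }, sigAlg, signature }
    (_, info), (_, sig_alg), _signature = children(request)
    _version, _subject, (_, spki), *_attrs = children(info)
    (_, key_alg), (_, key_bits) = children(spki)
    report = {
        "signature_oid": oid_to_str(children(sig_alg)[0][1]),
        "key_oid": oid_to_str(children(key_alg)[0][1]),
        "rsa_bits": None,
        "findings": [],
    }
    weak = WEAK_SIGNATURE_OIDS.get(report["signature_oid"])
    if weak:
        report["findings"].append("weak signature algorithm: " + weak)
    if report["key_oid"] == RSA_KEY_OID:
        # BIT STRING = one unused-bits octet, then RSAPublicKey { modulus, exponent }
        _, rsa_key, _ = read_tlv(key_bits, 1)
        modulus = children(rsa_key)[0][1]
        report["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
        if report["rsa_bits"] < MIN_RSA_BITS:
            report["findings"].append("RSA key below %d bits" % MIN_RSA_BITS)
    return report


def der_tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + value


def constructed_csr(sig_oid_hex, rsa_bits):
    """Build a CONSTRUCTED, unsigned request skeleton: empty subject, fake key."""
    null = der_tlv(0x05, b"")
    modulus = ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8, "big")
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00" + modulus) + der_tlv(0x02, b"\x01\x00\x01"))
    key_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + null)
    spki = der_tlv(0x30, key_alg + der_tlv(0x03, b"\x00" + rsa_key))
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x30, b"") + spki + der_tlv(0xA0, b""))
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex(sig_oid_hex)) + null)
    signature = der_tlv(0x03, bytes(rsa_bits // 8 + 1))  # all-zero placeholder
    der = der_tlv(0x30, info + sig_alg + signature)
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + b64 + "-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    # Constructed samples: the guide's defaults (SHA1, RSA 1024), then SHA256 with RSA 2048.
    for oid_hex, bits in (("2a864886f70d010105", 1024), ("2a864886f70d01010b", 2048)):
        print(audit_csr(constructed_csr(oid_hex, bits)))
```

To check a real request, pass the contents of the file saved in step 12 to `audit_csr`.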


Configuring Simple Certificate Enrollment Protocol
The Simple Certificate Enrollment Protocol (SCEP) is designed to support the secure issuance of certificates to network devices in a scalable manner. There are two enrollment scenarios for SCEP:
• SCEP server CA automatically issues certificates.
• SCEP request is set to PENDING and the CA administrator manually issues the certificate.
More information about SCEP can be found at: http://tools.ietf.org/html/draft-nourse-scep-18 (Cisco Systems’ Simple Certificate Enrollment Protocol draft-nourse-scep-18).
To use SCEP to issue certificates:
1. Generate a signing request as described in Generating a Certificate Signing Request.
2. On the Certificates page, click SCEP. The SCEP Configuration dialog is displayed.
3. From CSR List, SonicOS selects a default CSR list automatically. If you have multiple CSR lists configured, you can modify this.
4. In the CA URL field, enter the URL for the Certificate authority.
5. In the Challenge Password(optional) field, enter the password for the CA if one is required.
6. In the Request Count field, enter the number of requests. The default value is 256.
7. In the Polling Interval(S) field, you can modify the default value for the duration of time, in seconds, between the sending of polling messages. The default value is 30 seconds.
8. In the Max Polling Time(S) field, you can modify the default value for the duration of time, in seconds, the firewall waits for a response to a polling message before timing out. The default value is 28800 seconds (8 hours).
9. Click SCEP to submit the SCEP enrollment. The firewall contacts the CA to request the certificate. The time this takes depends on whether the CA issues certificates automatically or manually. After the certificate is issued, it is displayed in the list of available certificates on the Device | Settings > Certificates page, under the Imported certificates and requests or All certificates category.

7
Administering SNMP
You can manage the SonicWall security appliance using SNMP or SonicWall Global Management System (GMS). This section describes how to configure the SonicWall for management using SNMP. For information about managing the SonicWall appliance with GMS, see the SonicWall GMS and SonicWall Management Services administration documentation, available at https://www.sonicwall.com/support/technicaldocumentation.
Topics:
• About SNMP
• Setting Up SNMP Access
• Configuring SNMP as a Service and Adding Rules
About SNMP
SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWall Security Appliance and receive notification of critical events as they occur on the network. The SonicWall Security Appliance supports SNMP v1/v2c/v3 and all relevant Management Information Base II (MIB-II) groups except egp and at. SNMPv3 expands on earlier versions of SNMP and provides secure access to network devices by means of a combination of authenticating and encrypting packets. Packet security is provided through:
• Message Integrity: ensures a packet has not been tampered with in transit
• Authentication: verifies a message comes from a valid source
• Encryption: encodes packet contents to prevent its being viewed by an unauthorized source.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy set up between a user and the group in which the user resides. The security level is the permitted level of security within a given security model. The security model and associated security level determine how an SNMP packet is handled. SNMPv3 provides extra levels of authentication and privacy, as well as additional authorization and access control.

Security Level, Authentication, and Encryption Based on SNMP Version shows how security levels, authentication, and encryption are handled by the different versions of SNMP.

SECURITY LEVEL, AUTHENTICATION, AND ENCRYPTION BASED ON SNMP VERSION

Version | Level | Authentication Type | Encryption | Means of Authentication
v1 | noAuthNoPriv | Community String | No | Community string match
v2c | noAuthNoPriv | Community String | No | Community string match
v3 | noAuthNoPriv | Username | No | Username match
v3 | authNoPriv | MD5 or SHA | No | Authentication is based on the HMAC-MD5 or HMAC-SHA algorithms.
v3 | authPriv | MD5 or SHA | DES or AES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard, or AES 128-bit encryption, as well.

The SonicWall Security Appliance replies to SNMP Get commands for MIB-II, using any interface, and supports a custom SonicWall MIB for generating trap messages. The custom SonicWall MIB is available for download from the SonicWall Web site and can be loaded into third-party SNMP management software such as HP Openview, Tivoli, or SNMPC.
You can view and configure SNMP settings. Settings cannot be viewed or modified by the user. SNMPv3 can be modified at the User or Group level. Access Views can be read, write, or both, and can be assigned to users or groups. A single View can have multiple Object IDs (OIDs) associated with it.
SNMPv3 settings for the SNMPv3 Engine ID are configurable under the General menu of the Configure SNMP view dialog. The Engine ID is used to authorize a received SNMP packet. Only matching packet EngineIDs are processed.

Setting Up SNMP Access
Setting up SNMP consists of:
• Enabling and Configuring SNMP Access
• Setting Up SNMPv3 Groups and Access
Enabling and Configuring SNMP Access
You can use either SNMPv1/v2 for basic functionality or configure the SonicWall security appliance to use the more extensive SNMPv3 options. To use SNMP, you must first enable it.

Topics:
• Configuring Basic Functionality
• Configuring SNMPv3 Engine IDs
• Configuring Object IDs for SNMPv3 Views
• Creating Groups and Adding Users and Access
• Adding Access
Configuring Basic Functionality
To enable SNMP:
1. Navigate to Device | Settings > SNMP.
2. Select Enable SNMP. By default, SNMP is disabled.
3. Click Accept. The SNMP information is populated on the SNMP page, and Configure becomes available.
4. To configure the SNMP interface, click Configure. The Configure SNMP View dialog is displayed.
5. On the General page, enter the host name of the SonicWall security appliance in the System Name field.
6. Optionally, enter the network administrator’s name in the System Contact field.
7. Optionally, enter an email address, telephone number, or pager number in the System Location field.
8. If the SNMPv3 configuration option is used, enter an asset number in the Asset Number field. Otherwise, this field is optional.
9. Enter a name for a group or community of administrators who can view SNMP data in the Get Community Name field.
10. Optionally, enter a name for a group or community of administrators who can view SNMP traps in the Trap Community Name field.
11. Enter the IP address(es) or host name(s) of the SNMP management system receiving SNMP traps in the Host 1 through Host n fields. You must configure at least one IP address or host name, but up to the maximum number of addresses or host names for your system can be used.
12. If you:
   • Want to set up SNMPv3, go to Configuring SNMPv3 Engine IDs.
   • Have finished setting up SNMP for now, click Add.
Configuring SNMPv3 Engine IDs
If SNMPv3 is used, you can configure the SNMPv3 Engine ID and SNMP priority. Configuring the SNMPv3 Engine ID provides maximum security for SNMP management.

To configure SNMPv3 engine IDs:
1. Navigate to Device | Settings > SNMP.
2. If you have not configured SNMP for your system, follow Step 1 through Step 11 in Configuring Basic Functionality.
3. Click Advanced.
4. Select Mandatory Require SNMPv3. This disables SNMPv1/v2 and allows only SNMPv3 access, which provides maximum security for SNMP management.
   IMPORTANT: If you select this option, you must specify an asset number on the General page before clicking OK.
5. Enter the hexadecimal Engine ID number in the Engine ID field. SonicOS automatically populates this field, but you can change it. This number is matched against received SNMP packets to authorize their processing; only packets whose Engine ID matches this number are processed.
6. Optionally, enable Increase SNMP subsystem priority. For efficient system operation, certain operations might take priority over responses to SNMP queries. Enabling this option causes the SNMP subsystem to always respond and operate at a higher system priority.
   IMPORTANT: Enabling this option might affect the performance of the overall system.
7. Click OK. The SNMPv3 security options are now used in processing packets.
Configuring Object IDs for SNMPv3 Views
The SNMPv3 View shows access settings for Users and Groups. You create settings for users and groups, and these security settings are not user-modifiable. The SNMPv3 View defines the Object IDs (OID) and Object ID Groups, and is sometimes known as the SNMPv3 Access Object.

The SNMP View defines a collection of OIDs and OID groups. The initial set of default views cannot be changed or deleted. The default views reflect the most often used views, such as the root view, system view, IP, and interfaces. The OIDs for these views are pre-assigned. Additionally, you can create a custom view for specific users and groups. You can modify any views that you create. You cannot modify the ones the system creates.
To configure OIDs for SNMPv3 views:
1. Navigate to Device | Settings > SNMP.
2. Click View.
3. In the View page, click + Add. The View Name dialog box is displayed.
4. Enter a meaningful name in the View Name field.
5. Click Add OID to add an OID to the View being created. The Add SNMP OID dialog is displayed.
6. Enter a name in the OID Name field and click OK. The OIDs associated with the View Name are listed in the OID table. To delete an OID from the OID List, hover over the OID and click Delete.
7. Add any more OIDs to associate with the View.
8. Click OK. The new view is displayed in the View page.

Setting Up SNMPv3 Groups and Access
SNMPv3 allows you to set up and assign groups and access with differing levels of security. Object IDs are associated with various levels of permissions, and a single view can be assigned to multiple objects. SNMPv3 group and user access shows how access for groups and users are associated with these different permission levels.
Creating Groups and Adding Users and Access
Topics:
• Creating a Group
• Adding Users
• Adding Access
Creating a Group
To create a group:
1. Navigate to Device | Settings > SNMP.
2. Click User/Group.
3. Click Add Group.
4. In the Add SNMP Group dialog, enter the name in the Group Name field. The group name can contain up to 32 alphanumeric characters.
5. Click OK. The table in the User/Group page is updated to display the newly added group.
Adding Access
SNMPv3 Access is an object that:
• Defines the read/write access rights of an SNMPv3 View.
• Can be assigned to an SNMPv3 Group.
Multiple groups can be assigned to the same Access object. An Access object can also have multiple views assigned to it.
To create an access object:
1. Navigate to Device | Settings > SNMP.
2. Click Access.
3. Click + Add. The Access Name dialog is displayed.
4. Enter a friendly name in the Access Name field.
5. From Read View, select a view from the list of available views.
6. From Master SNMPv3 Group, select a group from the list of available groups.
   NOTE: Access can be assigned to only one SNMPv3 group, but a group can be associated with multiple Access objects.
7. From Access Security Level, select a security level:
   • None
   • Authentication Only
   • Authentication and Privacy
8. Click OK. The Access object is added to the table in the Access page.
Adding Users
To add users:
1. Navigate to Device | Settings > SNMP.
2. Click User/Group.
3. Click Add Name.
4. Enter the user name in the User Name field.
5. Select a security level from Security Level:
   • None (default)
   • Authentication only – Two new options appear:
      • Authentication Method – Select one of these authentication methods: MD5 or SHA1.
      • Authentication Key – Enter an authentication key in the field. The key can be any string of 8 to 32 printable characters.
   • Authentication and Privacy – More options appear:
      • Select an encryption method from the Encryption Method drop-down menu: AES or DES.
      • Enter the encryption key in the Privacy Key field. The key can be any string of 8 to 32 printable characters.
6. Select a group from the Group drop-down box.
7. Click OK. The user is added to the User/Group table and added to the appropriate group.
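An added example (not SonicOS code): the standard SNMPv3 User-based Security Model key derivation from RFC 3414, showing how the Engine ID from Configuring SNMPv3 Engine IDs and the Authentication Key entered above combine into a per-device key that authenticates each message. It assumes the appliance treats the Authentication Key as an RFC 3414 passphrase, which the guide does not state; the second engine ID and the message bytes are constructed.

```python
import hashlib
import hmac

RFC_ENGINE_ID = "000000000000000000000002"    # engine ID used in RFC 3414 A.3
OTHER_ENGINE_ID = "000000000000000000000003"  # constructed: a second device
# Constructed stand-in for an encoded SNMPv3 message with authParameters zeroed.
MESSAGE = b"constructed SNMPv3 message bytes" + bytes(12)


def password_to_key(passphrase, algo):
    """RFC 3414 A.2: digest 1,048,576 octets of the repeated passphrase (Ku)."""
    if not (8 <= len(passphrase) <= 32 and passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("key must be 8 to 32 printable characters")
    data = passphrase.encode("ascii")
    reps, rest = divmod(1048576, len(data))
    return hashlib.new(algo, data * reps + data[:rest]).digest()


def localize_key(ku, engine_id, algo):
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one SNMP engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_auth_key(passphrase, engine_id_hex, algo="sha1"):
    """Passphrase plus hexadecimal Engine ID -> localized authentication key."""
    ku = password_to_key(passphrase, algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo)


def auth_parameters(kul, message, algo):
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 octets of the HMAC over the message."""
    return hmac.new(kul, message, algo).digest()[:12]


def verify(kul, message, received, algo):
    """Constant-time comparison of the recomputed and received authParameters."""
    return hmac.compare_digest(auth_parameters(kul, message, algo), received)


def demo():
    """Same passphrase on two engines: only the matching Engine ID verifies."""
    key_a = usm_auth_key("maplesyrup", RFC_ENGINE_ID, "sha1")
    key_b = usm_auth_key("maplesyrup", OTHER_ENGINE_ID, "sha1")
    mac = auth_parameters(key_a, MESSAGE, "sha1")
    return {
        "same_engine": verify(key_a, MESSAGE, mac, "sha1"),
        "other_engine": verify(key_b, MESSAGE, mac, "sha1"),
        "tampered": verify(key_a, MESSAGE + b"!", mac, "sha1"),
    }


if __name__ == "__main__":
    print(usm_auth_key("maplesyrup", RFC_ENGINE_ID, "sha1").hex())
    print(demo())
```

Because the localized key depends on the Engine ID, changing the Engine ID on the appliance means the management station must derive its keys again from the same passphrase.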
Configuring SNMP as a Service and Adding Rules
By default, SNMP is disabled on the SonicWall Security Appliance. To enable SNMP, you must first enable SNMP on the Device | Settings > SNMP page, and then enable it for individual interfaces. To do this, go to the NETWORK | System > Interfaces page and edit the interface to enable SNMP. For more information about configuring SNMP as a service and adding rules, see the Configuring Interfaces section in the SonicOS 7.0 System document. If your SNMP management system supports discovery, the SonicWall Security Appliance agent automatically discovers the SonicWall Security Appliance on the network. Otherwise, you must add the SonicWall Security Appliance to the list of SNMP-managed devices on the SNMP management system.

8
Firmware Settings
Topics:
• Firmware Management and Backup
• Creating a Backup Firmware Image
• Updating Firmware
• Importing and Exporting Settings
• Configuring Firmware and Backup Settings
Firmware Management and Backup
The Device | Settings > Firmware and Settings page provides settings that allow for easy firmware upgrade and preferences management.
The Firmware & Backups page allows you to:
• Create and schedule backups; see Creating a Backup Firmware Image.
• View local and cloud backups; see Creating a Backup Firmware Image.
• Search the listed backups; see Searching the Table.
• Import and export configurations; see Importing Settings and Exporting Settings.
• Upload firmware images and system settings; see Updating Firmware.
• Configure settings; see Configuring Firmware and Backup Settings.
• Boot to your choice of firmware and system settings; see Updating Firmware.
Firmware Management & Backup Tables
Topics:
• Local Table
• Cloud Table
• Show Configuration Files Table
Local Table
The Local section of the Firmware Management & Backup table displays:
• FIRMWARE VERSION – firmware currently loaded on the firewall
• FIRMWARE LOAD DATE – the date and time the firmware was installed on the appliance
• FIRMWARE BUILD DATE – the date and time the firmware was created
• CONFIGURATION DATE – the date and time when the configuration of the appliance was last updated
• USERNAME – the user who installed or updated the firmware
• COMMENTS – an Information icon that, when moused over, displays information about the firmware or backup file. If you did not specify a comment when creating a backup, a default comment is displayed:
   • This is the current firmware
   • This is the local backup
   • Custom comment
• BOOT – clicking the Boot icon displays whether to reboot the firewall with the current or factory default configuration:
   CAUTION: Clicking Boot next to any firmware image overwrites the existing current firmware image making it the Current Firmware image.
   CAUTION: When uploading firmware to the firewall, you must not interrupt the Web browser by closing the browser, clicking a link, or loading a new page. If the browser is interrupted, the firmware may become corrupted.
• FIRMWARE ACTIONS – displays the Download icon; clicking the icon saves the firmware to a new location on your computer or network. Only uploaded firmware can be saved to a different location.
Cloud Table
The Cloud table of the Firmware and Settings page displays the:
  • Firmware Version – firmware backed up to the cloud. Up to 3 versions of each firmware are listed.
  • Firmware Load Date – the date and time the firmware was installed on the appliance
  • Firmware Build Date – the date and time the firmware was created
  • Username – the user who installed or updated the firmware
  • Comment – displays information about the firmware or backup file. If you did not specify a comment when creating a backup, a default comment is displayed:
      • Automated backup
      • This is the cloud backup firmware
      • Custom comment
Show Configuration Files Table
Clicking the arrow mark next to a firmware version displays information about the backup files on the cloud for that firmware version:
  • CONFIGURATION VERSION – Version number of the backup file.
  • CONFIGURATION DATE – Date the backup file was created.
  • BACKUP TYPE – Type of backup, Auto or Manual, as well as these icons:
      • Retain Configuration File – selecting this icon prevents the backup file from being overwritten during an auto or manual backup.
      • Gold Master – selecting this icon designates the backup file as the Gold Master backup file, that is, the combination of prefs file and firmware image that you designate as the most stable configuration. When you designate an entry as a gold master, it cannot be deleted or unpinned until or unless you designate it as a non-gold, standard file. This protects your most stable version. Only one backup can be a gold standard.
  • COMMENTS – Displays information about the firmware or backup file. If you did not specify a comment when creating a backup, a default comment is displayed:
      • Automated backup
      • This is the cloud backup firmware
      • Custom comment
  • USERNAME – User who installed or updated the firmware.
  • BOOT – Clicking the Boot icon displays the choice of rebooting the firewall with the current or factory default configuration.
    CAUTION: Clicking Boot next to any firmware image overwrites the existing current firmware image, making it the Current Firmware image.
    CAUTION: When uploading firmware to the firewall, you must not interrupt the Web browser by closing the browser, clicking a link, or loading a new page. If the browser is interrupted, the firmware may become corrupted.
  • Configuration Actions – Displays icons:
      • Download – Saves the firmware to a new location on your computer or network. Only uploaded firmware can be saved to a different location.
      • Edit Comment – Allows you to edit the default or custom comment.
      • Delete – Deletes the backup file.

Searching the Table
You can search the backup tables with the Search function. Although the Search function applies to all tables, results are displayed only for visible tables. For example, to see the results of the various Show Configuration Files tables, you must display them one by one.

To search the tables:
1. Navigate to Device | Settings > Firmware and Settings.
2. Enter the search criterion in the Search field.
The results are highlighted in the table.
Creating a Backup Firmware Image
When you click Create Backup, the SonicWall security appliance takes a snapshot of your current system state, firmware, and configuration preferences, and makes the snapshot the new System Backup firmware image. You can save backups locally or on the cloud. You can also schedule backups to occur automatically.
IMPORTANT: Creating a backup overwrites the existing Backup firmware image as necessary.
Use the Backup file for saving good configurations and then booting them if upgrades or future configurations cause instability or other serious issues. The configuration file is conveniently saved onboard. The date and time the file was created, as well as the firmware version in use at the time, are displayed in the Firmware Management & Backup table. The dates for each item listed in the Firmware Management & Backup table are the build dates for the firmware images themselves.
You can create a backup of your current configuration settings on the appliance to be used with the current firmware version or with a newly uploaded firmware version.
Topics:
  • Creating a Local Backup Firmware Image
  • Creating a Cloud Backup Firmware Image
  • Scheduling Firmware Image Backups
Creating a Local Backup Firmware Image
To create a local backup file:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Create Backup > Local Backup.
3. In the Local Backup dialog, do the following to create a backup:
   a. To keep the configuration file from being overwritten during an auto or local backup, enable Retain Local Backup.
   b. Enter comments in the Comments field.
   c. Click OK.
The backup image created on local storage is listed under the LOCAL section.
NOTE: You must perform these steps each time for a local backup.
Creating a Cloud Backup Firmware Image
To create a cloud backup file:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Cloud Backups.
3. If Cloud Backup has never been enabled, enable Cloud Backup.
4. Click Create Backup > Cloud Backup.
5. Select Retain Cloud Backup if you want this backup configuration file saved and not overwritten when you create additional backup configuration files on the cloud.
6. You can use the Comment field to optionally create a comment associated with the backup configuration file to make it easier to identify later.
7. Click OK. It may take a few minutes to create the backup file.
Scheduling Firmware Image Backups
NOTE: Cloud Backup must be enabled before you can schedule backups of your firmware configuration file. This feature is not supported for Local Backup.
To schedule a backup:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Cloud Backups.
3. If Cloud Backup has never been enabled, enable Cloud Backup.
4. Click Create Backup > Schedule Backup. The Schedule Backup dialog is displayed.
5. Set the options for the backup you want to create:
  • To schedule a one-time backup, see Scheduling a One-Time Backup.
  • To schedule a recurring backup, see Scheduling Recurring Backups.
  • To schedule a mixed backup schedule, select Mixed and configure the settings based on the procedure explained in Scheduling a One-Time Backup and Scheduling Recurring Backups. This schedule occurs repeatedly during the same configured hours and days of the week, between the configured start and end dates.
Scheduling a One-Time Backup
To schedule a one-time backup:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Cloud Backups.
3. If Cloud Backup has never been enabled, enable Cloud Backup.
4. Click Create Backup > Schedule Backup.
5. In the Schedule Backup page, do the following:
   a. Select Once as Schedule Type.
   b. In the Once section, click the calendar icon in the Select Range field and set the schedule.
   c. In the Once section, set the duration during which you want the backup to be created. Select the Year, Month, Day, Hour, and Minute from the drop-down menus to set the Start and End period for the backup.
   d. Click Save.
Scheduling Recurring Backups
To schedule recurring backups:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Cloud Backups.
3. If Cloud Backup has never been enabled, enable Cloud Backup.
4. Click Create Backup > Schedule Backup.
5. Select Recurring as the Schedule Type.
6. Do the following in the Recurring section:
   a. Select the days on which you want the backup created. Click Select All to select all the days at once.
   b. Enter the Start Time and Stop Time for the report in 24-hour format (for example, 02:00 for 2:00am and 14:00 for 2:00pm).
   c. Click Add to add that report to the Schedule List.
   d. Repeat these steps for each scheduled backup you want to create.
7. Click Save.
Deleting Scheduled Backups
To delete selected scheduled backups:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Cloud Backups.
3. Click Create Backup > Schedule Backup. The Schedule Backup dialog is displayed.
4. Click the Delete icon on the scheduled backups listed in the Schedule List section.
5. To delete all the schedules at once, click the Delete icon in the header row.
Updating Firmware
You can update firmware manually or use the Firmware Auto Update feature.
CAUTION: Uploading new firmware will overwrite any existing uploaded firmware image.
NOTE: Before uploading new firmware, it is recommended that you create a backup of your current settings. See Creating a Backup Firmware Image for more information on creating backups of your current configuration settings.
Topics:
  • Updating Firmware Manually
  • Firmware Auto Update
  • Using SafeMode to Upgrade Firmware
Updating Firmware Manually
To update firmware manually:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Upload Firmware.
3. Click OK to create a backup of your current settings before uploading new firmware. The Upload Firmware dialog displays.
4. Click Browse. The File Upload dialog displays.
5. Browse to the firmware file located on your local drive.
6. Click Open.
7. Click Upload to upload the new firmware to the SonicWall security appliance. A success message displays in the Status bar, and the Firmware Management table displays the new firmware.
8. Click the Boot icon for the firmware you just downloaded.
9. Select whether you want to install the new firmware with your current configuration or the default configuration.
10. Click OK. A message about the time to boot the firmware displays.
11. Click OK. A message about the boot status displays in the Status bar.
12. After the restart, when you log in again, the Device | Settings > Firmware and Settings page reflects the firmware update.
Firmware Auto Update
SonicOS supports the Firmware Auto Update feature, which helps ensure that your SonicWall security appliance has the latest firmware release.
To set the Firmware Auto Update options:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Settings. The Settings popup dialog displays.
3. Click Firmware Auto Update.
4. Choose either:
  • Enable Firmware Auto-Update – Displays an Alert icon when a new firmware release is available. This option is selected by default.
  • Download new firmware automatically when available – Downloads new firmware releases to the SonicWall security appliance when they become available. This option is not selected by default.
5. Click OK.
Using SafeMode to Upgrade Firmware
To Reviewers: Please verify this topic
If you are unable to connect to the SonicOS management interface, you can restart the security appliance in SafeMode. The SafeMode feature allows you to recover quickly from uncertain configuration states with a simplified management interface.
To use SafeMode to upgrade firmware:
1. Connect your computer to the X0 port on the appliance and configure your computer with an IP address on the 192.168.168.0/24 subnet, such as 192.168.168.20.
2. To force the appliance into SafeMode, use a narrow, straight object, like a straightened paper clip or a toothpick, to press and hold the Reset button on the front of the SonicWall appliance for at least twenty seconds, until the Test light begins blinking.
3. The Test light begins to blink when the SonicWall security appliance has rebooted into SafeMode.
4. Enter 192.168.1.254 into your computer’s Web browser to access the SafeMode management interface.
5. Click Upload New Firmware.
6. Browse to the location where you saved the SonicOS firmware image.
7. Select the file and click Upload.
8. Select the Boot icon in the row for one of the following:
  • Uploaded Firmware – New! – Use this option to restart the appliance with your current configuration settings.
  • Uploaded Firmware with Factory Default Settings – New! – Use this option to restart the appliance with default configuration settings.
9. In the confirmation dialog, click OK to proceed.
10. To connect to SonicOS through the LAN or WAN interface of the firewall:
   a. Disconnect your computer from the MGMT port.
   b. Either:
      • Reconfigure it to automatically obtain an IP address and DNS server address.
      • Reset it to its normal static values.
11. Connect your computer to the local network.
12. Point your browser to the LAN or WAN IP address of the SonicWall appliance.
13. After successfully booting the firmware, the login screen displays. If you restarted with factory default settings, enter the default user name and password (admin/password) to access the SonicOS management interface.
Importing and Exporting Settings
You can choose to import and export firmware management configuration settings.
Topics:
  • Importing Settings
  • Exporting Settings
Importing Settings
NOTE: Before importing a new configuration, it is recommended that you export the current configuration or upload a copy to the cloud.
To import a previously saved preferences file into the firewall:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Import/Export Configuration > Import Configuration.
   IMPORTANT: It is recommended that you create a backup, either locally or to the cloud, before proceeding. See Creating a Local Backup Firmware Image or Creating a Cloud Backup Firmware Image for instructions on creating a firmware configuration backup.
3. In the Import Configuration dialog, click Browse to select the previously saved preferences file containing the configuration settings to import into the firewall.
   NOTE: The file you choose should have the .exp file name extension.
4. Click Import. The active configuration will be overwritten upon import of a new configuration file. Your SonicWall appliance will reboot automatically once the import has completed.
Exporting Settings
The exported preferences file can be imported into the security appliance if it is necessary to reset the firmware.
To export configuration settings from the firewall:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Import/Export Configuration > Export Configuration.
3. In the Export Configuration window, click Export.
   IMPORTANT: The current configuration of your SonicWall appliance is exported to a .exp file and is available in your local system. The file can be imported by the same SonicWall or used to clone a configuration across multiple SonicWall systems.
4. Click Close.

Configuring Firmware and Backup Settings
To configure firmware and backup settings:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Settings. The Settings dialog is displayed.
Topics:
  • Send Settings or Reports by FTP
  • Sending Diagnostic Reports to Technical Support
  • Firmware Auto Update
  • One-Touch Configuration Overrides
  • Enabling FIPS Mode
  • Enabling NDPP mode
Send Settings or Reports by FTP
You can send configuration settings and/or tech support reports (TSRs, or detailed reports of security appliance configuration and status) to a specific FTP server on a one-time or scheduled basis. By scheduling when these reports are sent to the FTP server, you can create and manage schedule objects and enforce schedule times.
To send diagnostic reports to Technical Support:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Settings.
3. Click Scheduled Reports.
4. To send TSRs by FTP, select Send Tech Support Report by FTP. This option is not selected by default.
5. To send configuration settings by FTP, select Send Settings by FTP. This option is not selected by default.
6. When either or both of the Actions settings are selected, the server fields become available. Make changes as necessary.
   a. Enter the server’s IP address in the FTP Server field. The default is 0.0.0.0.
   b. Enter the user name associated with the server in the User Name field.
   c. Enter the password associated with the user name in the Password field.
   d. Enter the directory where the reports are to be sent in the Directory field.
7. Click Set Schedule. The Settings dialog displays. The Schedule Name is TSR Report Hours and cannot be changed.
8. Configure the schedule. For how to configure a schedule, see the Scheduling Firmware Image Backups section.
9. Click Save.
Sending Diagnostic Reports to Technical Support
To help determine system problems, you can send system diagnostics to SonicWall Technical Support.
To send diagnostic reports to Technical Support:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Settings.
3. Click DIAGNOSTICS.
4. Click Send Diagnostic Reports to Support. This can take up to a minute. While sending the report, the status bar at the bottom of the screen displays:
5. Click OK.
Boot Settings
To Reviewers: Do we have this option? I don’t see this option in Settings dialog.
To boot your SonicWall network security appliance with diagnostics enabled:
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Settings. The Settings dialog displays.
3. Click Boot with firmware diagnostics enabled (if available). This option is not selected by default.
4. Click Apply.
One-Touch Configuration Overrides
NOTE: Be sure to export the configuration of your SonicWall security appliance before executing a configuration override, so the current configuration may be restored. Please refer to Exporting Settings.
CAUTION: Be aware that the One-Touch Configuration Overrides may change the behavior of your SonicWall security appliance. Review the list of configurations before applying One-Touch Configuration Overrides. In particular, these configurations may affect your experience:
  • Administrator password requirements on the Device | Settings page
  • Requiring HTTPS management
  • Disabling HTTP-to-HTTPS redirect
  • Disabling Ping management
The One-Touch Configuration Overrides feature is configured on the Settings dialog available from the Device | Settings > Firmware and Settings page. It can be thought of as a quick tune-up for your SonicWall network security appliance’s security settings. With a single click, One-Touch Configuration Overrides applies over sixty configuration settings to implement SonicWall’s recommended best practices. These settings ensure that your appliance is taking advantage of SonicWall’s security features.
To override the One-Touch Configuration settings:
NOTE: A system restart is required for the updates to take full effect.
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Settings. The Settings dialog is displayed.
3. Scroll to the ONE-TOUCH CONFIGURATION OVERRIDES section.
  • DPI and Stateful Firewall Security – For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules.
  • Stateful Firewall Security – For network environments that do not have DPI security services enabled, but still want to employ SonicWall’s stateful firewall security best practices.
Both of the One-Touch Configuration Overrides deployments implement the following configurations:
  • Configure Administrator security best practices
  • Enforce HTTPS login and disable ping
  • Configure DNS Rebinding
  • Configure Access Rules best practices
  • Configure Firewall Settings best practices
  • Configure Firewall Flood Protection best practices
  • Configure VPN Advanced settings best practices
  • Configure Log levels
  • Enable Flow Reporting and Visualization
The DPI and Stateful Firewall Security deployment also configures the following DPI-related configurations:
  • Enable DPI services on all applicable zones
  • Enable App Rules
  • Configure Gateway Anti-Virus best practices
  • Configure Intrusion Prevention best practices
  • Configure Anti-Spyware best practices
To see exactly which settings are reconfigured, click on the Preview link next to each button. A page displays with a list of each setting and the value to which it will be set.
Enabling FIPS Mode
When operating in FIPS (Federal Information Processing Standard) Mode, the SonicWall security appliances support FIPS 140-2 Compliant security. The FIPS-compliant features of the SonicWall security appliance include a PRNG based on SHA-1 and support of only FIPS-approved algorithms (DES, 3DES, and AES with SHA-1).
To enable FIPS and see a list of which of your current configurations are not allowed or are not present:
NOTE: The Enable FIPS Mode option cannot be enabled at the same time as the Enable NDPP Mode option, which is also on the Firmware and Settings > Settings dialog.
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Settings.
3. Click FIPS/NDPP.
4. Enable the Enable FIPS Mode option.
5. Click OK. The FIPS Mode SETTING COMPLIANCE CHECKLIST dialog appears with a list of your required and not allowed configurations.
6. If your SonicWall appliance:
  • Complies with the checklist, go to Step 7.
  • Does not comply with the checklist, manually change or disable settings to be compliant with the FIPS mode setting compliance checklist.
   TIP: Leave the checklist dialog open while you make the configuration changes. If you click OK before all required changes are complete, the Enable FIPS Mode checkbox is cleared automatically upon closing the verification dialog. Select the checkbox again to see what configuration changes are still needed for FIPS compliance.
7. Click OK to reboot the security appliance in FIPS mode. A second warning displays.
8. Click Yes to continue rebooting.
To return to normal operation, clear the Enable FIPS Mode checkbox and reboot the firewall in non-FIPS mode.
CAUTION: When using the SonicWall security appliance for FIPS-compliant operation, the tamper-evident sticker that is affixed to the SonicWall security appliance must remain in place and untouched.

Enabling NDPP mode
A SonicWall network security appliance can be enabled to be compliant with Network Device Protection Profile (NDPP), but certain security appliance configurations are either not allowed or are required.
NOTE: NDPP is a part of Common Criteria (CC) certification. However, NDPP in SonicOS is not currently certified.
The security objectives for a device that claims compliance to a Protection Profile are defined as:
Compliant TOEs (Targets Of Evaluation) will provide security functionality that address threats to the TOE and implement policies that are imposed by law or regulation. The security functionality provided includes protected communications to and between elements of the TOE; administrative access to the TOE and its configuration capabilities; system monitoring for detection of security relevant events; control of resource availability; and the ability to verify the source of updates to the TOE.
When you enable NDPP, a popup message displays with the NDPP mode setting compliance checklist. The checklist displays every setting in your current SonicOS configuration that violates NDPP compliance so that you can change these settings. You need to navigate around the SonicOS management interface to make the changes. The checklist for an appliance with factory default settings is shown in the following procedure.
To enable NDPP and see a list of which of your current configurations are not allowed or are not present:
NOTE: The Enable NDPP Mode option cannot be enabled at the same time as the Enable FIPS Mode option, which is also on the Firmware & Backups > Settings dialog.
1. Navigate to Device | Settings > Firmware and Settings.
2. Click Settings.
3. Click FIPS / NDPP.
4. Select Enable NDPP Mode. The NDPP MODE SETTING COMPLIANCE CHECKLIST appears with a list of your required and not allowed configurations.
5. If your SonicWall appliance:
  • Complies with the checklist, go to Step 6.
  • Does not comply with the checklist, manually change or disable settings to be compliant with the NDPP mode requirement.
   TIP: Leave the checklist dialog open while you make the configuration changes. If you click OK before all required changes are complete, the Enable NDPP Mode option is cleared automatically upon closing the checklist dialog. Select the option again to see what configuration changes are still needed for NDPP compliance.
6. Click OK.

9
Storage
The DEVICE | Settings > Storage > Overview page displays information for your network security appliance about:
  • Primary storage
  • Secondary storage (if available for your network security appliance)
  • Both Primary and Secondary storages are available in NSa 4700 series and higher, all NSsp and TZ series appliances.
  • Local storage is available only in NSv series appliances.

The advantages of Storage are:

  • The Storage module stores diagnostic data, configuration backups, and logs from system logs, threat logs, Appflow Report data, and packet captures. Logs from 7.0.1 are preserved on the tab named Logs (Legacy), but no new logs are added.
  • Storage allows logs to persist when the firewall is rebooted.
  • The system logs, threat logs, and packet captures are each allocated 10% of the total storage space.
  • The Appflow Report also gets a 10% allocation.
Topics:
  • Storage Overview Tab
  • Storage File Tab
Storage Overview Tab
Only 4700 to 13700 modules allow selection of Primary or Secondary devices, if the secondary device is available and valid. TZs, NSa 2700 and NSa 3700 only allow applications to write to secondary storage; primary storage is for system, diagnostic and configuration data only. For NSv, only one storage exists, Local Storage, and applications can write into this storage.
You can change the storage option. A reboot is required for a change of storage device to take effect.
Only Packet capture and Logs (Legacy) allow deletion of files. System Logs, Threat Logs and Appflow Report do not allow deletion of files.
Storage is disabled if your security appliance does not have any available storage modules.
Unlike Primary Storage, which is meant to be used by only one firewall, the Secondary Storage module is a shared device that can be used on multiple firewalls if successfully activated on each firewall. In the Secondary Storage module, a top-level directory is created with the firewall EPAID as the directory name. Applications create subdirectories inside this top-level directory and store their data there.
The Overview tab displays a pie chart representation of each storage module. It gives a high-level representation of the storage space used by each module and also the remaining available space. The log names in the chart are interactive; clicking on them redirects to the specific storage tabs.
Each storage module is assigned 10% of the total storage space.
Diagnostics Data
The Diagnostic Data tab displays diagnostics files stored on disk, allowing users to download these files from this tab for further analysis.
To view and download diagnostics data:
1. Navigate to Device | Settings > Storage > Files.
2. Click on the Diagnostics Data tab. This page displays all the created files.
3. Hover on the file that you need to download and click on the Download icon.
NOTE: The downloaded files are encrypted, so use a decryptor to view the contents.

Configuration Backup
The Configuration Backup tab lists firewall configuration files. This tab lets administrators perform various operations similar to those available on the Device > Firmware > Settings page.
To create a backup:
1. Navigate to Device | Settings > Storage > Files.
2. Click on the Configuration Backup tab.
3. Expand the required firmware version. The icons shown for each configuration file do the following:
  • This icon helps to retain the selected configuration file so that it is not overwritten during auto or local backup.
  • This icon helps to make the selected configuration file the Gold Master.
  • This icon helps to boot the firmware with the selected configuration file.
  • This icon helps to download the selected configuration file.
  • This icon helps to add/edit a comment to the selected configuration file.
  • This icon helps to delete the selected configuration file.
4. Click on Create Backup.
5. Enable or disable the Retain Local Backup option as per your requirement.
6. Add a comment to the Comment text box.
7. Click OK.
NOTE: The backup created is stored in Primary storage only and cannot be changed.
System Logs
The System Logs tab displays the files containing system log events and lets you export them in CSV format or download them as an SQLite database file. To manage storage capacity, older files are rotated out when the disk is nearing full, ensuring space for new log entries. You can review system log events on the Monitor > Logs > System Logs page.
To store System Logs to External Storage:
1. Navigate to DEVICE | Settings > Storage > Files.
2. Click on the System Logs tab.
3. Click on the Settings tab.
   For NSa 4700 series and higher and all NSsp series appliances:
  • Enable the Enable Logging to Storage option for storing system logs, threat logs, audit logs, and AppFlow report data.
  • Select Primary or Secondary from the Storage Device Type drop-down.
   NOTE: A reboot is required for a change of storage device to take effect. The Firewall displays files and data only from the active storage.
   For TZ and NSv series appliances:
  • Enable the Enable Logging to Storage option for storing system logs, threat logs, audit logs, and AppFlow report data.
   NOTE: Enabling Enable Logging to Storage requires a reboot for the changes to take effect.
4. Click OK.
Threat Logs
The Threat Logs tab displays files containing app flow sessions marked with threats, viruses, intrusions, spyware, and botnet activities. You can export these files in CSV format or download them as SQLite database files. To manage storage capacity, older files are rotated out when the disk is nearing full, ensuring space for new log entries. You can review the threat logs on the Monitor > Logs > Threat Logs page.
To export the threat logs:
1. Navigate to DEVICE | Settings > Storage > Files.
2. Click the Threat Logs tab.
3. Click the Download icon beside the selected threat log.
4. Select Export to CSV or Download File.
5. Click on the Settings tab.
   For NSa 4700 series and higher and all NSsp series appliances:
  • Enable the Enable Logging to Storage option for storing system logs, threat logs, audit logs, and AppFlow report data.
  • Select Primary or Secondary from the Storage Device Type drop-down.
   NOTE: A reboot is required for a change of storage device to take effect. The Firewall displays files and data only from the active storage.
   For TZ and NSv series appliances:
  • Enable the Enable Logging to Storage option for storing system logs, threat logs, audit logs, and AppFlow report data.
   NOTE: Enabling Enable Logging to Storage requires a reboot for the changes to take effect.
6. Click OK.
Packet Captures
The Packet Captures tab displays recorded packet files, which can be exported in PCAPNG format. As storage nears capacity, older files are rotated out to make room for new files. These files become available when packet capturing is activated, that is, when the Enable logging to Storage option is enabled on the Monitor > Packet Monitor settings page. With that setting enabled, the capture buffer is used, and a file becomes available once the buffer is full.

To enable packet capturing:
1. Navigate to Monitor | Tools & Monitors > Packet Monitor > General.
2. Turn on Enable logging to Storage.
3. Click Save.

To download, export and/or delete packet capture files from Storage:
1. Navigate to DEVICE | Settings > Storage > Files.
2. Click the Packet Captures tab.
3. Hover over the file to view the options:
  • Download icon: downloads the selected file.
  • Delete icon: deletes the selected file.
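
Added example, not part of the SonicWall guide: before a downloaded capture is relied on for an investigation, it is worth confirming that the file is a structurally complete PCAPNG and recording its hash. The function names and the sample bytes below are constructed for illustration; the code assumes only the generic PCAPNG block layout and nothing SonicOS-specific.

```python
import hashlib
import struct
from collections import Counter

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # PCAPNG block types
MAGIC_LE, MAGIC_BE = 0x1A2B3C4D, 0x4D3C2B1A  # byte-order magic, read little-endian


def inspect_pcapng(data: bytes) -> dict:
    """Walk every block, verify its framing, and return a summary with a SHA-256."""
    if len(data) < 12 or struct.unpack_from("<I", data, 0)[0] != SHB:
        raise ValueError("not a PCAPNG file: missing Section Header Block")
    counts, offset, endian = Counter(), 0, "<"
    while offset < len(data):
        if offset + 12 > len(data):
            raise ValueError(f"truncated block header at offset {offset}")
        btype = struct.unpack_from(endian + "I", data, offset)[0]
        if btype == SHB:
            # Each section declares its own byte order through the magic value.
            magic = struct.unpack_from("<I", data, offset + 8)[0]
            if magic not in (MAGIC_LE, MAGIC_BE):
                raise ValueError(f"bad byte-order magic at offset {offset}")
            endian = "<" if magic == MAGIC_LE else ">"
        length = struct.unpack_from(endian + "I", data, offset + 4)[0]
        if length < 12 or length % 4 or offset + length > len(data):
            raise ValueError(f"truncated or corrupt block at offset {offset}")
        # The total length is repeated at the end of every block.
        if struct.unpack_from(endian + "I", data, offset + length - 4)[0] != length:
            raise ValueError(f"length mismatch at offset {offset}")
        counts[btype] += 1
        offset += length
    return {"sha256": hashlib.sha256(data).hexdigest(), "sections": counts[SHB],
            "interfaces": counts[IDB], "packets": counts[EPB]}


def _block(btype: int, body: bytes) -> bytes:
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample() -> bytes:
    """Constructed capture: one section, one Ethernet interface, two empty frames."""
    shb = _block(SHB, struct.pack("<IHHq", MAGIC_LE, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))  # LINKTYPE_ETHERNET
    frame = bytes(60)  # all-zero placeholder frame, not real traffic
    epb = _block(EPB, struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + frame)
    return shb + idb + epb + epb


if __name__ == "__main__":
    print(inspect_pcapng(build_sample()))
```

For a real file, pass the bytes read from the downloaded capture to `inspect_pcapng` and keep the returned hash with the case notes.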


Logs (Legacy)
The Logs (Legacy) tab displays a list of stored event log files collected from a previous SonicOS version, retained for historical purposes. You can export or delete each file as needed.

To export or delete the logs:
1. Navigate to Device | Settings > Storage > Files.
2. Click the Logs (Legacy) tab.
3. Hover over the log file to view the options:
  • Download icon: downloads (exports) the selected file.
  • Delete icon: deletes the selected file.

10
Restarting the System
To restart the firewall:

CAUTION: The restart process takes a few minutes. During the restart, all users are disconnected. If you made any changes to the settings, apply them before you restart.

1
