SonicWall® Global Management System Administration Contents 1

Setting Firewall Access Rules ...... 6
  About Stateful Packet Inspection Default Access Rules ...... 7
  About Connection Limiting ...... 7
  Using Bandwidth Management with Access Rules ...... 8
  Connection Limiting Overview ...... 8
  Configuring Access Rules ...... 9
  Configuring Access Rules for IPv6 ...... 14
  Configuring Access Rules for NAT64 ...... 14
  Access Rules for DNS Proxy ...... 14
  User Priority for Access Rules ...... 14
  Displaying Access Rules ...... 15
  Specifying Maximum Zone-to-Zone Access Rules ...... 16
  Configuring Access Rules for a Zone ...... 17

Setting Firewall Application Rules ...... 18
  Application Control Rules Overview ...... 18
  What is Application Control? ...... 19
  Benefits of Application Control ...... 20
  Configuring App Rules ...... 22
  Configuring App Rules Global Settings ...... 23
  Searching App Rules Policies ...... 23
  Filtering the Policies View ...... 23
  Sorting App Rules Policies ...... 24
  Viewing Tooltips for App Rules Policies ...... 25
  Adding or Editing App Rules Policies ...... 25
  Enabling or Disabling App Rules Policies ...... 28
  Deleting App Rules Policies ...... 28
  Policy Type Reference ...... 28

Configuring App Control Advanced Policies ...... 32
  Viewing App Control Status ...... 33
  Enabling App Control on Network Zones ...... 33
  Configuring App Control Advanced Global Settings ...... 35
  Displaying App Control Status ...... 35
  Enabling App Control Globally ...... 36
  Configuring an App Control Advanced Exclusion List ...... 36
  Synchronizing the Signature Database ...... 38
  Resetting App Control to Factory Defaults ...... 38
  Configuring Advanced App Control Policies ...... 39
  Configuring App Control by Category ...... 39
  Configuring App Control by Application ...... 41
  Configuring App Control by Signature ...... 43
  Sorting App Control Advanced Items ...... 46

Configuring Address Objects ...... 47
  Creating Address Object Groups ...... 48
  Editing Address Groups ...... 49
  Deleting Address Groups ...... 49
  Working with Dynamic Addresses ...... 49
  Key Features of Dynamic Address Objects ...... 51
  Enforcing the Use of Sanctioned Servers on the Network ...... 53
  Using MAC and FQDN Dynamic Address Objects ...... 54
  Creating Address Objects ...... 58
  Modifying Network Address Groups or Objects ...... 59
  Deleting Network Address Group or Objects ...... 60

Configuring Match Objects ...... 61
  Searching Match Objects ...... 62
  Adding or Editing Match Objects ...... 62
  Negative Matching ...... 64
  Adding Application List Objects ...... 65
  Application View ...... 65
  Category View ...... 67
  Sorting Match Objects ...... 68
  Deleting Match Objects ...... 68
  Match Object Type Reference ...... 69

Configuring Action Objects ...... 74
  Searching Action Objects ...... 75
  Adding or Editing Action Objects ...... 75
  Configuring Application Layer Bandwidth Management ...... 77
  Configuring Bandwidth Management Actions ...... 79
  Sorting Action Objects ...... 82
  Deleting Action Objects ...... 83
  Action Type Reference ...... 83

Configuring Service Objects ...... 86
  Adding Service Objects ...... 86
  Editing Custom Services ...... 88
  Deleting Custom Services ...... 88
  Adding Service Groups ...... 88
  Editing Custom Services Groups ...... 89
  Deleting Custom Services Groups ...... 89

Configuring Bandwidth Objects ...... 90
  Search for Bandwidth Objects ...... 91
  Adding Bandwidth Objects ...... 91

Configuring Email Address Objects ...... 93
  Searching Email Address Objects ...... 93
  Adding or Editing Email Address Objects ...... 94
  Sorting Email Address Objects ...... 95
  Deleting Email Address Objects ...... 95

Configuring Content Filter Objects ...... 96
  About Content Filter Objects ...... 96
  About URI List Objects ...... 97
  Managing URI List Objects ...... 100
  About the URI List Objects Table ...... 101
  Configuring URI List Objects ...... 101
  Editing a URI List Object ...... 105
  Deleting URI List Objects ...... 106
  Managing URI List Groups ...... 106
  About the URI List Groups Table ...... 106
  Adding URI List Groups ...... 107
  Editing a URI List Group ...... 108
  Deleting URI List Groups ...... 108
  Managing CFS Action Objects ...... 109
  About the CFS Action Objects Table ...... 109
  Configuring CFS Action Objects ...... 109
  Editing CFS Action Objects ...... 118
  Deleting CFS Action Objects ...... 118
  Managing CFS Profile Objects ...... 118
  About the CFS Profile Objects Table ...... 119
  Configuring CFS Profile Objects ...... 120
  Custom Header view ...... 124
  Editing a CFS Profile Object ...... 125
  Deleting CFS Profile Objects ...... 125
  Applying Content Filter Objects ...... 126

Configuring AWS Objects ...... 127
  Firewall > AWS Objects ...... 127
  About Address Object Mapping with AWS ...... 128
  Viewing Instance Properties in GMS ...... 130
  Creating a New Address Object Mapping ...... 131
  Enabling Mapping ...... 133
  Configuring Synchronization ...... 133
  Configuring Regions to Monitor ...... 134
  Verifying AWS Address Objects and Groups ...... 134

Configuring Content Filter Policies ...... 137
  About CFS ...... 137
  About Content Filter Policies ...... 137
  About Content Filter Objects ...... 138
  How CFS Works ...... 138
  Configuring CFS Policies ...... 139
  About the Content Filter Policy Table ...... 139
  Adding a Content Filter Policy ...... 140
  Editing a Content Filter Policy ...... 141
  Deleting Content Filter Policies ...... 141

Configuring Dynamic External Objects ...... 142
  Objects > Dynamic External Objects ...... 142
  High Availability Requirements ...... 143
  Adding Dynamic External Objects ...... 143
  Editing Dynamic External Objects ...... 145
  Deleting Dynamic External Objects ...... 145

SonicWall Support ...... 147
  About This Document ...... 148

1 Setting Firewall Access Rules

This section provides an overview of the SonicWall network security appliance default access rules and custom access rules, together with configuration examples for customizing access rules to meet your business requirements. Access rules are network management tools that allow you to define inbound and outbound access policies, configure user authentication, and enable remote management of the SonicWall security appliance. The Firewall > Access Rules page provides a sortable access rule management interface. The subsequent sections provide high-level overviews of configuring access rules by zone and configuring bandwidth management using access rules. The rules are categorized into separate tables for each source zone to destination zone pair and for IPv4/IPv6. Accordingly, all priority types apply only within the rule table to which the rule belongs.

Topics:
• About Stateful Packet Inspection Default Access Rules
• About Connection Limiting
• Using Bandwidth Management with Access Rules
• Connection Limiting Overview
• Configuring Access Rules
• Configuring Access Rules for IPv6
• Configuring Access Rules for NAT64
• Access Rules for DNS Proxy
• User Priority for Access Rules
• Displaying Access Rules
• Specifying Maximum Zone-to-Zone Access Rules
• Configuring Access Rules for a Zone

About Stateful Packet Inspection Default Access Rules

By default, the SonicWall network security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the default stateful packet inspection access rule enabled on the SonicWall network security appliance:
• Allow all sessions originating from the LAN or WLAN to the WAN or DMZ (except when the destination WAN IP address is the WAN interface of the firewall itself).
• Allow all sessions originating from the DMZ to the WAN.
• Deny all sessions originating from the WAN to the DMZ.
• Deny all sessions originating from the WAN and DMZ to the LAN or WLAN.

Additional network access rules can be defined to extend or override the default access rules. For example, access rules can be created that allow access from the LAN zone to the WAN Primary IP address, block certain types of traffic such as IRC from the LAN to the WAN, allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized users on the LAN.

Custom access rules evaluate the source IP address, destination IP address, and IP protocol type of network traffic and compare that information to the access rules created on the SonicWall security appliance. Network access rules take precedence and can override the SonicWall security appliance’s stateful packet inspection. For example, an access rule that blocks IRC traffic takes precedence over the SonicWall security appliance default setting of allowing this type of traffic.

CAUTION: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.
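The default behaviors and the precedence of custom rules, modelled as an added Python example (not code from the GMS guide). The zone names, the four default behaviors and the Allow/Deny actions come from the text above; the Rule fields, the specificity score that orders custom rules most-specific first (following the guide's description of Auto Prioritize later in this chapter), the WAN interface address and every sample address and service name are constructed assumptions.

```python
"""Model of the default zone-to-zone access rules and of custom rules that
override them. Added example, not code from the GMS guide: zone names, the
four default behaviours and the Allow/Deny actions come from the text; the
Rule fields, the specificity score used to order custom rules most-specific
first, the WAN interface address and every sample address and service name
are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"                        # the Any address/service object
WAN_INTERFACE_IP = "203.0.113.10"  # constructed: the firewall's own WAN address


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str            # "Allow", "Deny" or "Discard", as in the Add Policy dialog
    source: str = ANY      # address object: Any or a CIDR prefix
    destination: str = ANY
    service: str = ANY     # service object name, e.g. "IRC"

    def specificity(self) -> int:
        # Assumption: longer prefixes and a named service make a rule more
        # specific; Any fields contribute nothing.
        score = 1 if self.service != ANY else 0
        for addr in (self.source, self.destination):
            if addr != ANY:
                score += 1 + ip_network(addr, strict=False).prefixlen
        return score

    def matches(self, s: Session) -> bool:
        if (self.src_zone, self.dst_zone) != (s.src_zone, s.dst_zone):
            return False
        if self.service != ANY and self.service != s.service:
            return False
        for addr, ip in ((self.source, s.src), (self.destination, s.dst)):
            if addr != ANY and ip_address(ip) not in ip_network(addr, strict=False):
                return False
        return True


# The four default stateful packet inspection behaviours listed above.
DEFAULT_RULES = [
    Rule("LAN", "WAN", "Allow"), Rule("LAN", "DMZ", "Allow"),
    Rule("WLAN", "WAN", "Allow"), Rule("WLAN", "DMZ", "Allow"),
    Rule("DMZ", "WAN", "Allow"),
    Rule("WAN", "DMZ", "Deny"),
    Rule("WAN", "LAN", "Deny"), Rule("WAN", "WLAN", "Deny"),
    Rule("DMZ", "LAN", "Deny"), Rule("DMZ", "WLAN", "Deny"),
]

# Constructed custom rules mirroring the examples in the text.
CUSTOM_RULES = [
    Rule("LAN", "WAN", "Deny", service="IRC"),
    Rule("WAN", "LAN", "Allow", source="198.51.100.7/32",
         destination="10.0.0.25/32", service="Lotus Notes"),
    Rule("LAN", "WAN", "Allow", destination=WAN_INTERFACE_IP + "/32",
         service="HTTPS Management"),
    # A broad FTP block plus a narrower exception: ordering by specificity
    # places the exception first, so it wins for 10.0.0.0/24.
    Rule("LAN", "WAN", "Deny", service="FTP"),
    Rule("LAN", "WAN", "Allow", source="10.0.0.0/24", service="FTP"),
]


def evaluate(s: Session, custom: list[Rule]) -> str:
    """Custom rules take precedence over the defaults and are tried most
    specific first; the default allow toward the WAN excludes the firewall's
    own WAN interface address."""
    for rule in sorted(custom, key=Rule.specificity, reverse=True):
        if rule.matches(s):
            return rule.action
    if s.src_zone in ("LAN", "WLAN") and s.dst_zone == "WAN" and s.dst == WAN_INTERFACE_IP:
        return "Deny"
    for rule in DEFAULT_RULES:
        if rule.matches(s):
            return rule.action
    return "Deny"  # assumption: zone pairs the defaults do not list fail closed


if __name__ == "__main__":
    for s in (Session("LAN", "WAN", "10.0.0.5", "192.0.2.1", "HTTP"),
              Session("LAN", "WAN", "10.0.0.5", "192.0.2.1", "IRC"),
              Session("LAN", "WAN", "10.0.0.5", WAN_INTERFACE_IP, "HTTP"),
              Session("WAN", "LAN", "198.51.100.7", "10.0.0.25", "Lotus Notes"),
              Session("LAN", "WAN", "10.0.1.9", "192.0.2.1", "FTP")):
        print(f"{s.src_zone} > {s.dst_zone} {s.service} {s.src} -> {s.dst}: "
              f"{evaluate(s, CUSTOM_RULES)}")
```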

About Connection Limiting

The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such GMS features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the firewall using Access Rules as a classifier, and declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic. Coupled with IPS, this can be used to mitigate the spread of a certain class of malware, as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted > Untrusted traffic (that is, LAN > WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.

In addition to mitigating the propagation of worms and viruses, connection limiting can be used to alleviate other types of connection-cache resource consumption issues, such as those posed by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools. Finally, connection limiting can be used to protect publicly available servers (such as Web servers) by limiting the number of legitimate inbound connections permitted to the server (that is, to protect the server against the Slashdot effect). This is different from SYN flood protection, which attempts to detect and prevent partially-open or spoofed TCP connections. This is most applicable for Untrusted traffic, but it can be applied to any zone traffic as needed.

Connection limiting is applied by defining a percentage of the total maximum allowable connections that might be allocated to a particular type of traffic. The previous figures show the default LAN > WAN setting, where all available resources might be allocated to LAN > WAN (any source, any destination, any service) traffic. More specific rules can be constructed; for example, to limit the percentage of connections that can be consumed by a certain type of traffic (for example, FTP traffic to any destination on the WAN), or to prioritize important traffic (for example, HTTPS traffic to a critical server) by allowing 100% to that class of traffic and limiting general traffic to a smaller percentage (the minimum allowable value is 1%).

NOTE: It is not possible to use IPS signatures as a connection limiting classifier; only Access Rules (for example, Address Objects and Service Objects) are permissible.
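The allocation described above, as an added example that is not part of the GMS guide: a Python model in which the access rule a session matches is the classifier, each class owns a percentage share of the connection cache, and an Allow rule may also cap connections per source IP (the Number of connections allowed and Enable connection limit for each Source IP Address settings in Configuring Access Rules). The cache size, the rule shares, the traffic pattern and all addresses are constructed.

```python
"""Connection limiting as the guide describes it: the access rule that a
session matches is the classifier, each such class owns a percentage of the
total connection cache, and an Allow rule may also cap connections per source
IP (the Threshold under Enable connection limit for each Source IP Address).

Added example, not code from the GMS guide. The 2,000-entry cache, the rule
shares and the traffic pattern are constructed; the appliance's own data
structures are not modelled.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConnectionClass:
    name: str                                   # the access rule acting as classifier
    percent: int                                # Number of connections allowed (% of maximum)
    per_source_threshold: Optional[int] = None  # Threshold per source IP, None when not enabled
    active: int = 0
    dropped: int = 0
    per_source: Counter = field(default_factory=Counter)

    def __post_init__(self) -> None:
        # The guide gives 1% as the minimum allowable value.
        if not 1 <= self.percent <= 100:
            raise ValueError("percentage must be between 1 and 100")


class ConnectionCache:
    def __init__(self, max_connections: int, classes: dict[str, ConnectionClass]) -> None:
        self.max_connections = max_connections
        self.classes = classes
        self.in_use = 0

    def share_of(self, cls: ConnectionClass) -> int:
        # A 100% class may use the whole cache; smaller shares cap the class.
        return self.max_connections * cls.percent // 100

    def open(self, class_name: str, src_ip: str) -> bool:
        """Admit a new connection or drop it. Returns True when admitted."""
        cls = self.classes[class_name]
        exhausted = (
            self.in_use >= self.max_connections          # whole cache full
            or cls.active >= self.share_of(cls)          # class share used up
            or (cls.per_source_threshold is not None
                and cls.per_source[src_ip] >= cls.per_source_threshold)
        )
        if exhausted:
            cls.dropped += 1
            return False
        cls.active += 1
        cls.per_source[src_ip] += 1
        self.in_use += 1
        return True


def run_scenario(limited: bool) -> dict[str, int]:
    """Drive the same constructed traffic through a 2,000-entry cache (a small
    appliance is assumed), with or without connection limiting on the
    general LAN > WAN rule."""
    general = ConnectionClass("LAN > WAN, Any service",
                              percent=40 if limited else 100,
                              per_source_threshold=100 if limited else None)
    critical = ConnectionClass("WAN > DMZ, HTTPS to critical server", percent=100)
    cache = ConnectionCache(2000, {"general": general, "critical": critical})

    # One infected LAN host behaving like the worms the guide cites:
    # 400 connection attempts per second for five seconds.
    for _ in range(400 * 5):
        cache.open("general", "10.0.0.77")
    # Thirty ordinary LAN users opening 20 sessions each (constructed).
    for host in range(30):
        for _ in range(20):
            cache.open("general", f"10.0.1.{host + 1}")
    # 1,200 inbound HTTPS sessions to the critical server (constructed clients).
    for client in range(1200):
        cache.open("critical", f"198.51.100.{client % 250 + 1}")

    return {
        "worm_connections": general.per_source["10.0.0.77"],
        "general_active": general.active,
        "general_dropped": general.dropped,
        "critical_active": critical.active,
        "critical_dropped": critical.dropped,
    }


if __name__ == "__main__":
    print("without limiting:", run_scenario(limited=False))
    print("with limiting:   ", run_scenario(limited=True))
```

Without limiting, the single fast host fills the cache and every later session, including inbound HTTPS to the critical server, is dropped; with a 40% share and a per-source threshold of 100, the host is held to 100 entries and both the other LAN users and the critical server keep their connections.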

Using Bandwidth Management with Access Rules

Bandwidth management (BWM) allows you to assign guaranteed and maximum bandwidth to services and prioritize traffic. Using access rules, BWM can be applied to specific network traffic. Packets belonging to a bandwidth management enabled policy are queued in the corresponding priority queue before being sent. You must configure Bandwidth Management individually for each interface on the Network > Interfaces page.

NOTE: This applies when the Bandwidth Management Type on the Firewall Services > BWM page is set to other than None.

The options for configuring BWM on an interface differ depending on whether Advanced or Global was selected for BWM type.


Configuring Access Rules

Topics:
• Configuring Access Rules for IPv6
• Configuring Access Rules for NAT64
• Access Rules for DNS Proxy
• User Priority for Access Rules
• Displaying Access Rules
• Specifying Maximum Zone-to-Zone Access Rules
• Configuring Access Rules for a Zone

To configure rules for the GMS, the service or service group that the rule applies to must first be defined. If it is not, you can define the service or service group and then create one or more rules for it. The following procedure describes how to add, modify, reset to defaults, or delete firewall rules for the GMS firewall appliances running SonicOS.

For appliances running SonicOS, GMS supports paginated navigation and sorting by column header on the Access Rules screen. In the Access Rules table, you can click the column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table. By hovering your mouse over entries on the Access Rules screen, you can display information about an object, such as an Address Object or Service.

IPv6 is supported for Access Rules. Search for IPv6 Access Rules in the Access Rules Search section. A list of results displays in a table.

From there you can click the Configure icon for the Access Rule you want to edit. The IPv6 configuration for Access Rules is almost identical to IPv4.

To configure an access rule, complete the following steps:
1 Select the global icon, a group, or a GMS appliance.
2 Navigate to Firewall > Access Rules. The Access Rules page displays. The Firewall > Access Rules page enables you to select multiple views of Access Rules.
3 From the Access Rules View, under the Configure column, click the Edit icon for the source and destination interfaces for which you are configuring a rule. The Access Rules table for that interface pair displays.
4 From the Access Rules table, click Add rule (+). The Add Policy dialog box displays.

5 Click the Action view.
6 Select whether to Allow, Deny, or Discard access.
NOTE: If a policy has a “No-Edit” policy action, the Action settings are not editable.
7 Click the Zone view.
8 Select the Source and Destination zones from the Source and Destination menus.
9 Click the Service tab.
10 Select the Source Port. When configured, the Access Rule filters traffic based on the source port defined in the selected Service Object/Group. The Service Object/Group selected must have the same protocol types as the ones selected in Service.
11 Select a service object from the Service drop-down menu. If the service does not exist, refer to Configuring Service Objects.
12 Click the Address view.
13 Select the source network Address Object from the Source drop-down menu.
14 Select the destination network Address Object from the Destination drop-down menu.
15 Click the User view.
16 Specify whether this rule applies to all users or to an individual user or group in the Users Included drop-down menu. You can exclude users as well.
17 Click the Schedule view.
18 Specify when the rule is applied by selecting a schedule or Schedule Group from the Schedule drop-down menu. If the rule is always applied, select Always on. If the schedule does not exist, refer to Configuring Schedules.
19 Click the Action view.
20 To enable logging for this rule, select Enable Logging.

21 Check Allow Fragmented Packets to allow fragmented packets.
CAUTION: Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. You should only enable Allow Fragmented Packets if users are experiencing problems accessing certain applications and the SonicWall logs show many dropped fragmented packets.
22 Check Enable flow reporting to allow flow reporting.
23 Check Enable packet monitor to allow packets to be monitored.
24 (Optional) Click Enable Management. If this option is enabled, both management and non-management traffic is allowed.
25 Add any comments to the Comment field in the General view.
26 Click the Advanced view.
27 Specify how long (in minutes) TCP connections might remain idle before the connection is terminated in the TCP Connectivity Inactivity Timeout (minutes) field.
28 Specify how long (in seconds) UDP connections might remain idle before the connection is terminated in the UDP Connectivity Inactivity Timeout (seconds) field.
29 Specify the percentage of the maximum connections this rule is to allow in the Number of connections allowed (% of maximum connections) field.
30 Set a limit for the maximum number of connections allowed per source IP address by selecting Enable connection limit for each Source IP Address and entering the value in the Threshold field. (Only available for Allow rules.)
31 Set a limit for the maximum number of connections allowed per destination IP address by selecting Enable connection limit for each Destination IP Address and entering the value in the Threshold field. (Only available for Allow rules.)
32 To disable Deep Packet Inspection (DPI) scanning on a per-rule basis, select Disable DPI. This option is not selected by default.
33 To disable client-side DPI-SSL scanning of traffic matching this rule, select Disable DPI-SSL Client. Client DPI-SSL scanning inspects HTTPS traffic when clients on the appliance’s LAN access content located on the WAN.

34 To disable server-side DPI-SSL scanning of traffic matching this rule, select Disable DPI-SSL Server. Server DPI-SSL scanning inspects HTTPS traffic when remote clients connect over the WAN to access content located on the appliance’s LAN.
35 Under For traffic from an unauthenticated user:
  • Select Don’t Invoke Single Sign On to Authenticate Users if you don’t want to use SSO for traffic that matches the rule. Unauthenticated HTTP connections that match it are directed straight to the login page.
  • Select Don’t block traffic while waiting for Single Sign On to authenticate users to avoid browsing delays while SSO is attempting to identify the user whose traffic matches the rule. You can enable this setting only if Don’t block traffic while waiting for SSO and Including for: Selected access rules are set in the SSO agent general settings.
  • Select Don’t redirect unauthenticated users to log in to block HTTP/HTTPS traffic from unauthenticated users, rather than attempting to identify the user via SSO or redirecting to the login page.
36 Click the QoS view if you want to apply DSCP or 802.1p Quality of Service management to traffic governed by this rule.
37 Under DSCP Marking Settings, select the DSCP Marking Action from the drop-down menu:
  • None: DSCP values in packets are reset to 0.
  • Preserve (default): DSCP values in packets remain unaltered.
  • Explicit: The Explicit DSCP Value drop-down menu displays. Select a numeric value between 0 and 63. Some standard values are:
    0 - Best effort/Default (default)
    8 - Class 1
    10 - Class 1, Gold (AF11)
    12 - Class 1, Silver (AF12)
    14 - Class 1, Bronze (AF13)
    16 - Class 2
    18 - Class 2, Gold (AF21)
    20 - Class 2, Silver (AF22)
    22 - Class 2, Bronze (AF23)
    24 - Class 3
    26 - Class 3, Gold (AF31)
    27 - Class 3, Silver (AF32)
    30 - Class 3, Bronze (AF33)
    32 - Class 4
    34 - Class 4, Gold (AF41)
    36 - Class 4, Silver (AF42)
    38 - Class 4, Bronze (AF43)
    40 - Express Forwarding
    46 - Expedited Forwarding
    48 - Control
    56 - Control
  • Map: The page displays, “Note: The QoS Mapping Settings on the Firewall Settings > QoS Mapping page will be used.”
  • Allow 802.1p Marking to override DSCP values displays. Select it to allow DSCP values to be overridden by 802.1p marking. This option is disabled by default.
38 Under 802.1p Marking Settings, select the 802.1p Marking Action from the drop-down menu:
  • None (default): No 802.1p tagging is added to the packets.
  • Preserve: 802.1p values in packets remain unaltered.
  • Explicit: The Explicit 802.1p Value drop-down menu displays. Select a numeric value between 0 and 7. Some standard values are:
    0 - Best effort (default)
    1 - Background
    2 - Spare
    3 - Excellent effort
    4 - Controlled load
    5 - Video (<100ms latency)
    6 - Voice (<10ms latency)
    7 - Network control

39 Click the Bandwidth view. The Bandwidth view displays.
40 GMS appliances can manage inbound and outbound traffic on the primary WAN interface using bandwidth management.
41 To enable outbound bandwidth management for this service, select Enable Egress Bandwidth Management. This option is disabled by default.
  a Select a bandwidth object from the Bandwidth Object drop-down menu. To create a new bandwidth object, select Create new Bandwidth Object. For more information about creating bandwidth objects, see Configuring Bandwidth Objects.
42 To enable inbound bandwidth management for this service, select Enable Ingress Bandwidth Management. This option is disabled by default.
  a Select a bandwidth object from the Bandwidth Object drop-down menu. To create a new bandwidth object, select Create new Bandwidth Object.
NOTE: In order to configure bandwidth management for this service, bandwidth management must be enabled on the GMS appliance. For information on configuring bandwidth management in the GMS, refer to Configuring Interface Settings.
43 To track bandwidth usage, select Enable Tracking Bandwidth Usage. This option is disabled by default. To select this option, you must select either or both of the Enable Bandwidth Management options.
44 Click GeoIP.
45 Select Enable Geo-IP Filter to apply a filter to traffic matching this rule.
46 Select Global to apply the global GeoIP country list for this rule.
47 Select Custom to specify a custom GeoIP country list for this rule. Selecting Enable Geo-IP Filter and Custom enables the Available Countries and Selected Countries fields.
  a To select a country, click it in the Available Countries list and drag it to the Selected Countries field.
  b To remove a country from the Selected Countries list, click it and drag it back to Available Countries.
48 Select Block Unknown Countries to block traffic matching no known country.
49 To add this rule to the rule list, click OK. You are returned to the Access Rules page.
50 If the network access rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic, and allow all outbound IP traffic. To restore the network access rules to their default settings, click Restore Rules to Defaults and then click Update. A task is scheduled to update the rules page for each selected GMS appliance.
51 To modify a rule, click its Edit icon. The Add/Modify Rule dialog box displays. When you are finished making changes, click OK. The GMS creates a task that modifies the rule for each selected GMS appliance.
52 To enable logging for a rule, select Logging.
53 To disable a rule without deleting it, deselect Enable.
54 To delete a rule, click its trash can icon. The GMS creates a task that deletes the rule for each selected GMS appliance.

Configuring Access Rules for IPv6

For complete information on the GMS implementation of IPv6, see IPv6. Access Rules can be configured for IPv6 in a similar manner to IPv4 VPNs after selecting the IPv6 option on the Firewall > Access Rules page, clicking Add policy (+), and then clicking the Address view. The Source must be Any. The IP Version field appears, allowing you to configure your policy for either IPv4 or IPv6.

Configuring Access Rules for NAT64

NOTE: Access Rules for NAT64 are not supported on the SuperMassive 9800.

Access Rules can be configured for NAT64 in a manner similar to IPv4 or IPv6.

Access Rules for DNS Proxy

NOTE: Access Rules for DNS Proxy are supported by SuperMassive 9800 firewalls.

When DNS Proxy is enabled on an interface, one Allow Access Rule is added automatically with these settings:
• From Interface and To Interface are the same.
• Source is Any.
• Destination is the interface IP.
• Service is DNS (Name Service) TCP or DNS (Name Service) UDP.
• It has the same attributes as other MGMT rules:
  • It cannot be disabled.
  • Only the Source IP can be modified, to allow a less aggressive source than Any to be configured.
If DNS Proxy over TCP is enabled, another Allow Rule is auto-added.

User Priority for Access Rules

When configuring a new Access Rule, you can now either:
• Have the priority set automatically by the GMS.
• Insert the rule at the end of the Access Rules table.

Previously, when you added a new Access Rule, the rule module decided where to place it in the Access Rules table. The rule module uses an Auto Prioritize algorithm that places the most specific rules at the top. The only way to change the priority was to edit the rule manually and provide the index of where to place it, and finding the rule in a large table to edit it can be difficult. User Priority for Access Rules provides two choices for the priority type of the new rule:
• Auto Prioritize, which uses the Auto Prioritize algorithm that places the most specific rules at the top of the Access Rules table. This is the default choice.
• Insert at the end, which tells the rule module to place the rule at the end of the Access Rules table and, as a result, makes the new rule easy to locate regardless of the size of the table.
Regardless of which option is chosen, the priority of the new Access Rule can be edited and changed as before.

Displaying Access Rules

There are several methods to customize the display of Access Rules. The methods can be used separately or in combination.

Topics:
• By Zones
• By Column

By Zones

By default, all to/from zones are displayed. To limit the display to only those Access Rules covering specific to/from zones, use the:
• Search function to display all zones for a particular zone type, priority, source/destination, or any other criterion. For example, entering DMZ displays all DMZ to/from zones, while entering firewall displays all zones regardless of type that have firewall as source or destination.
• From/To drop-down menus to select the desired zones.
• Open Zone Matrix icon to display the Zone Matrix Selector dialog to quickly select the zones.

By Column

By default, all columns are displayed. You can disable the display of specific columns by clicking the drop-down arrow at the top of a column and selecting to hide or display particular columns.

Specifying Maximum Zone-to-Zone Access Rules

IMPORTANT: The appliance must be rebooted for this feature to function correctly.

The Access Rule table size for all Zone-to-Zone pairs is configurable up to the maximum size, which is fixed to a constant value based on the firewall platform; see Maximum Access Rules per Zone-to-Zone.

Maximum Access Rules per Zone-to-Zone
Platform                                  Maximum Number of Rules
SM 9200/9400/9600/9800                    5000
NSA 2600/3600/4600/5600/6600              2500
TZ300/400/500/600                         1250
TZ300 W/400 W/500 W/600W, SOHO Wireless    250

To change the maximum size:
1 Select a Zone-to-Zone pair. The dimmed Max Rule Count at the bottom of the table becomes available and the Max Rule Count displays at the top of the table.
2 Click Edit Max Count Size. The Change Max Rule Count dialog displays.
3 Enter the maximum count in the Max Count Size field.
4 Click OK.
5 The system restarts.
6 The Max Rule Count displays the new count.

Configuring Access Rules for a Zone
To display the access rules for a specific zone, select a zone from the Open Zone Matrix or the To/From drop-down menus. The access rules are sorted from the most specific at the top to the least specific at the bottom of the table. At the bottom of the table is the Any rule, the default rule for the zone pair: it applies to all IP services that are not covered by a more specific rule listed above it in the Access Rules page. Access rules can be created to override the behavior of the Any rule; for example, the Any rule allows users on the LAN to access all Internet services, including NNTP News, and a more specific rule placed above it can deny that one service. Because evaluation stops at the first rule that matches the traffic, a rule only takes effect if it sits above every broader rule that would also match.
TIP: If the Delete or Edit icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.
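The ordering described above, as an added example that is not SonicWall or GMS code: a small first-match evaluator over an ordered rule table with the Any rule at the bottom. The rule fields, zone names, addresses and the tcp/119 (NNTP) service string are constructed for the illustration and are not the appliance's actual data model; the Any rule's action is passed in, since the text only states it for LAN to WAN.

```python
"""Added example (not SonicWall or GMS code): first-match evaluation of an
ordered access-rule table with the Any rule at the bottom.  Rule fields,
zone names, addresses and services are constructed for the illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str       # "LAN", "WAN", "DMZ" or "Any"
    to_zone: str
    source: str          # CIDR or "Any"
    destination: str     # CIDR or "Any"
    service: str         # e.g. "tcp/119" (NNTP) or "Any"
    action: str          # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    service: str


def _zone(rule_zone: str, zone: str) -> bool:
    return rule_zone == "Any" or rule_zone == zone


def _addr(rule_addr: str, ip: str) -> bool:
    return rule_addr == "Any" or ip_address(ip) in ip_network(rule_addr)


def matches(rule: Rule, flow: Flow) -> bool:
    return (_zone(rule.from_zone, flow.from_zone) and _zone(rule.to_zone, flow.to_zone)
            and _addr(rule.source, flow.src_ip) and _addr(rule.destination, flow.dst_ip)
            and (rule.service == "Any" or rule.service == flow.service))


def specificity(rule: Rule) -> int:
    """Number of fields narrower than Any; the table lists higher values first."""
    return sum(f != "Any" for f in
               (rule.from_zone, rule.to_zone, rule.source, rule.destination, rule.service))


def evaluate(rules: List[Rule], flow: Flow, any_rule_action: str) -> Tuple[str, str]:
    """Walk the table top to bottom in the order given; the first matching rule
    decides.  If nothing matches, the zone pair's Any rule applies (its action
    is passed in; the text gives Allow for LAN to WAN)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return "Any", any_rule_action


# Constructed table: NNTP is denied for the LAN except for one news admin host.
RULES = [
    Rule("allow-nntp-admin", "LAN", "WAN", "10.0.0.5/32", "Any", "tcp/119", "Allow"),
    Rule("deny-nntp", "LAN", "WAN", "Any", "Any", "tcp/119", "Deny"),
]
assert [specificity(r) for r in RULES] == [4, 3]   # the more specific rule is listed first

if __name__ == "__main__":
    for flow in (Flow("LAN", "WAN", "10.0.0.5", "203.0.113.7", "tcp/119"),
                 Flow("LAN", "WAN", "10.0.0.20", "203.0.113.7", "tcp/119"),
                 Flow("LAN", "WAN", "10.0.0.20", "203.0.113.7", "tcp/80")):
        print(flow.src_ip, flow.service, "->", evaluate(RULES, flow, "Allow"))
    # Reversing the table puts the broad Deny above the exception, so the
    # exception never fires: the order is part of the policy.
    print("reversed:", evaluate(list(reversed(RULES)),
                                Flow("LAN", "WAN", "10.0.0.5", "203.0.113.7", "tcp/119"), "Allow"))
```

The reversed-table case is the check worth making after any rule edit: a narrow exception that lands below a broader rule matching the same traffic is dead, and the table shows no error for it.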


Setting Firewall Application Rules

Topics: • Application Control Rules Overview • About App Control Policies • What is Application Control? • About Application Control Capabilities • Benefits of Application Control • Configuring App Rules Global Settings • Searching App Rules Policies • Filtering the Policies View • Sorting App Rules Policies • Viewing Tooltips for App Rules Policies • Adding or Editing App Rules Policies • Enabling or Disabling App Rules Policies • Deleting App Rules Policies • Policy Type Reference

Application Control Rules Overview
App Rules uses Deep Packet Inspection to scan application-layer network traffic as it passes through the gateway and to locate content that matches configured applications. When a match is found, the policy performs the configured action.
When you configure App Control policies, you create global rules that define whether to block or log the application, which users, groups, or IP address ranges to include or exclude, and a schedule for enforcement. Additionally, you can create App Rules policies that define:
• Type of applications to scan
• Direction, content, keywords, or pattern to match
• User or domain to match
• Action to perform
App Control allows you to set policy rules for application signatures. As a set of application-specific policies, App Control gives you granular control over network traffic at the level of users, email users, schedules, and IP subnets. The primary functionality of this application-layer access control feature is to block, log, or manage the bandwidth consumption of Web-based applications, Web browsing, file transfer, email, and email attachments.

What is Application Control?
Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted. The GMS allows you to create certain types of App Control policies on the fly directly from the AppFlow > Flow Reporting page. As a set of application-specific policies, Application Control gives you granular control over network traffic at the level of users, email addresses, schedules, and IP subnets. The primary functionality of this application-layer access control feature is to regulate Web browsing, file transfer, email, and email attachments.
The ability to control application-layer traffic in the GMS is significantly enhanced by the ability to view real-time application traffic flows, and by new ways to access the application signature database and to create application-layer rules. The GMS integrates application control with standard network control features for more powerful control over all network traffic.

Topics: • About App Control Policies • About Application Control Capabilities

About App Control Policies
There are two ways to create App Control policies using the SonicWall GMS. You can configure App Control policies on the Firewall > App Rules page or on the Firewall > App Control Advanced page.
• Firewall > App Rules – The App Rules page provides a way to create a targeted App Control policy using match objects, action objects, or email address objects. These objects allow you to be very specific about what to look for in the traffic and provide a number of ways to control it, including bandwidth management and custom actions. App Rules policies can define the type of applications to scan, the traffic direction, the content or keywords to match, the user or domain to match, and the action to complete. For ease of use, you can create App Rules policies for any of the categories, applications, or signatures that are also available on the Firewall > App Control Advanced page.
• Firewall > App Control Advanced – The Advanced page provides a simple and direct way of configuring global App Control policies. A Firewall > App Control Advanced policy defines whether to block or log an application, which users, groups, or IP address ranges to include or exclude, and a schedule for enforcement. You can quickly enable blocking or logging for a whole category of applications, or can just as easily locate and do the same for an individual application or individual signature. Once enabled, the category, application, or signature is blocked or logged globally without the need to create a policy on the Firewall > App Rules page.
App Control is licensed together in a bundle with other security services, including SonicWall Gateway Anti-Virus (GAV), Anti-Spyware, and Intrusion Prevention Service (IPS). You must enable App Control before you can use it. Firewall > App Rules and Firewall > App Control Advanced are both enabled with global settings, and App Control must also be enabled on each network zone that you want to control.
The SonicWall GMS supports App Control on SonicWall firewall appliances. The units must be licensed for Gateway Anti-Virus. App Control is supported for Firewalls at the group level and unit level in the SonicWall GMS. When a unit is selected that is running a version of SonicOS lower than 5.9, the App Control menu group is not visible in the middle panel. However, when the group level is selected, the App Control menu group is available and you can configure objects and policies, even if the group does not yet contain a unit running 5.9 or higher. This allows you to prepare the policy configuration prior to bringing a unit running SonicOS 5.9 under GMS management.

Inheritance is supported for App Control policies and configurations. Inheritance in the SonicWall GMS allows a node's settings to be inherited to and from unit, group, and parent nodes.
On SonicWall TZ 100 and 200 series appliances, the Security Services > Application Control screen in the GMS interface corresponds to the Firewall > App Control Advanced screen in SonicWall GMS. TZ 100 and 200 appliances do not support App Rules policies. This means that the App Rules, Match Objects, Action Objects, and Email Address Objects screens do not appear for these models.

About Application Control Capabilities
Application Control's data leakage prevention component provides the ability to scan files and documents for content and keywords. Using Application Control, you can restrict the transfer of certain file names, file types, email attachments, attachment types, email with certain subjects, and email or attachments with certain keywords or byte patterns. You can deny internal or external network access based on various criteria. You can use Packet Monitor to take a deeper look at application traffic, and can select among various bandwidth management settings to reduce network bandwidth usage by an application.
Based on SonicWall's Reassembly Free Deep Packet Inspection technology, Application Control also features intelligent prevention functionality that allows you to create custom, policy-based actions. Examples of custom actions include the following:
• Blocking entire applications based on their signatures
• Blocking application features or subcomponents
• Bandwidth throttling for file types when using the HTTP or FTP protocols
• Blocking an attachment
• Sending a custom block page
• Sending a custom email reply
• Redirecting an HTTP request
• Sending a custom FTP reply over an FTP control channel
While Application Control primarily provides application-level access control, application-layer bandwidth management, and data leakage prevention, it also includes the ability to create custom application or protocol match signatures. You can create a custom App Rules policy that matches any protocol you wish, by matching a unique piece of the protocol. See Custom Signature.
Application Control provides excellent functionality for preventing the accidental transfer of proprietary documents. For example, when using the automatic address completion feature of Outlook Exchange, it is a common occurrence for a popular name to complete to the wrong address.

Benefits of Application Control
The Application Control functionality provides the following benefits:
• Application-based configuration makes it easier to configure policies for application control.
• The Application Control subscription service provides updated signatures as new attacks emerge.
• The related Application Intelligence functionality, as seen in AppFlow Monitor and the Real-Time Visualization Monitor, is available upon registration as a 30-day free trial App Visualization license. This allows any registered SonicWall appliance to clearly display information about application traffic in the network. The App Visualization and App Control licenses are also included with the SonicWall Security Services license bundle.
NOTE: This feature must be enabled in the GMS user interface to become active.

• You can use Create Rule to quickly apply bandwidth management or packet monitoring to an application that you notice while viewing the AppFlow Monitor page, or you can completely block the application.
• You can configure policy settings for individual signatures without influencing other signatures of the same application.
• Application Control configuration windows are available in the Firewall menu in the GMS user interface, consolidating all Firewall and Application Control access rules and policies in the same area.
Application Control functionality can be compared to three main categories of products:
• Standalone proxy appliances
• Application proxies integrated into firewall VPN appliances
• Standalone IPS appliances with custom signature support
Standalone proxy appliances are typically designed to provide granular access control for a specific protocol. SonicWall Application Control provides granular, application-level access control across multiple protocols, including HTTP, FTP, SMTP, and POP3. Because Application Control runs on your firewall, you can use it to control both inbound and outbound traffic, unlike a dedicated proxy appliance that is typically deployed in only one direction. Application Control provides better performance and scalability than a dedicated proxy appliance because it is based on SonicWall's proprietary Deep Packet Inspection technology.
Today's integrated application proxies do not provide granular, application-level access control, application-layer bandwidth management, and digital rights management functionality. As with dedicated proxy appliances, SonicWall Application Control provides much higher performance and far greater scalability than integrated application proxy solutions.
While some standalone IPS appliances provide protocol decoding support, none of these products supports granular, application-level access control, application-layer bandwidth management, and digital rights management functionality.
In comparing Application Control to SonicWall Email Security, there are benefits to using either. Email Security only works with SMTP, but it has a very rich policy space. Application Control works with SMTP, POP3, HTTP, FTP and other protocols, is integrated into GMS on the firewall, and has higher performance than Email Security. However, Application Control does not offer all the policy options for SMTP that are provided by Email Security.

Configuring App Rules
The Firewall > App Rules page provides global settings, search functions, a policies view filter, and the list of App Rules policies. From here, you can add a new policy or delete a policy.

NOTE: Changing the Bandwidth Management Type on the Firewall Settings > BWM page from Global to Advanced, or from Advanced to Global, automatically sets the Medium priority action object for any policies using predefined Global or Advanced BWM action objects. If Bandwidth Management Type is set to None on the Firewall Settings > BWM page, you have to change the action object of the policy manually to replace the predefined Global or Advanced BWM action objects. See Configuring Bandwidth Objects for more information.

Topics: • Configuring App Rules Global Settings • Searching App Rules Policies • Filtering the Policies View • Sorting App Rules Policies • Viewing Tooltips for App Rules Policies • Adding or Editing App Rules Policies • Enabling or Disabling App Rules Policies • Deleting App Rules Policies • Policy Type Reference

Configuring App Rules Global Settings
The Firewall > App Rules page provides global settings to enable the use of App Rules policies and to control logging behavior.

To configure App Rules global settings:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Rules page. Select Enable App Rules to enable App Control on this unit or group. App Control also requires a separate license.
3 Enter the minimum number of seconds between log entries for multiple matches of the same policy in the Global Log Redundancy Filter field. If set to zero, a log entry is created for each policy match. This global setting applies to all Application firewall policies. Other values specify the minimum number of seconds between log entries for multiple matches of the same policy. You can also set custom log redundancy for an individual policy in the Add/Edit Policy screen. Per-policy settings override the global setting.
4 Click Update to apply changes in the global settings. Click Reset to clear all changes on the page and return fields to their default values.
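The log redundancy behavior in step 3, as an added example that is not SonicWall or GMS code: a filter that suppresses repeat entries for the same policy within an interval, with a per-policy value overriding the global one and zero meaning one entry per match. The policy names, the match timestamps (seconds) and the intervals are constructed.

```python
"""Added example (not SonicWall or GMS code): a log redundancy filter of
the kind the Global Log Redundancy Filter setting describes.  The policy
names, match timestamps (seconds) and intervals are constructed."""
from typing import Dict, List, Optional, Tuple


class LogRedundancyFilter:
    """Suppress repeated log entries for the same policy within an interval."""

    def __init__(self, global_seconds: int, per_policy: Optional[Dict[str, int]] = None):
        if global_seconds < 0 or any(v < 0 for v in (per_policy or {}).values()):
            raise ValueError("log redundancy interval must be >= 0")
        self.global_seconds = global_seconds
        self.per_policy = dict(per_policy or {})      # policy name -> seconds
        self._last_logged: Dict[str, float] = {}
        self.suppressed: Dict[str, int] = {}           # matches that produced no entry

    def interval_for(self, policy: str) -> int:
        # A per-policy value overrides the global value for that policy only.
        return self.per_policy.get(policy, self.global_seconds)

    def should_log(self, policy: str, ts: float) -> bool:
        interval = self.interval_for(policy)
        if interval == 0:                              # zero: one entry per match
            return True
        last = self._last_logged.get(policy)
        if last is None or ts - last >= interval:
            self._last_logged[policy] = ts
            return True
        self.suppressed[policy] = self.suppressed.get(policy, 0) + 1
        return False


def filter_matches(matches: List[Tuple[float, str]], global_seconds: int,
                   per_policy: Optional[Dict[str, int]] = None) -> List[Tuple[float, str]]:
    """Return the (timestamp, policy) matches that would produce a log entry,
    in time order."""
    flt = LogRedundancyFilter(global_seconds, per_policy)
    return [(ts, name) for ts, name in sorted(matches) if flt.should_log(name, ts)]


# Constructed match stream: a block policy firing repeatedly and a log-only policy.
SAMPLE_MATCHES = [
    (0, "block-exe-download"), (2, "block-exe-download"),
    (5, "block-exe-download"), (61, "block-exe-download"),
    (0, "log-nntp"), (1, "log-nntp"), (2, "log-nntp"),
]

if __name__ == "__main__":
    print(filter_matches(SAMPLE_MATCHES, 60))
    print(filter_matches(SAMPLE_MATCHES, 60, {"log-nntp": 0}))
```

With a global value of 60, the four block-exe-download matches produce two entries and the suppressed count is visible only inside the filter, not in the log. That is the trade-off to keep in mind when raising the global value: it cuts log volume, but a single entry no longer tells the analyst how many matches occurred, so a per-policy override of zero is the way to keep full fidelity for the policies that matter.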

Searching App Rules Policies You can search the list of App Rules policies using a target value that you provide.

To complete a filtered search of App Rules policies: 1 In the TreeControl, select the unit or group on which to search. 2 In the text box, type in the target value for which you are searching. 3 Click Search to search your policies for one or more matches. Click Clear to set the search fields back to defaults. The App Rules Policies list changes to display only the policies found by your search.

Filtering the Policies View The App Rules Policies View Style area provides two ways to filter the policies that are displayed on the Firewall > App Rules page. You can choose to display policies by the type of policy or by the type of action used in the policy. These filters can be combined, allowing you to display only policies of a specific type that use a particular type of action. Policies that do not match the selected filter settings are removed from the display.

To filter the display by a specific type of policy, select the desired type from the Policy Type drop-down menu. The available selections include the same policy types that are available when creating a policy.

For example, after selecting App Control Content as the Policy Type, the display changes to show only policies of the App Control Content type.

To filter the display by a specific type of action used in the policy: 1 Select the desired type from the Action Type drop-down menu. For example, after selecting App Control Content as the Policy Type, you could select Reset/Drop as the Action Type. The display changes to show only App Control Content type policies that use a Reset/Drop action type.

To change the display back to the default showing all policies:
1 Either:
• Select All for both Policy Type and Action Type.
• Navigate away from the page and then back to it.

Sorting App Rules Policies
You can sort the list of App Rules policies by clicking any of the emboldened column headings, including Name, Object, Action, and Enable. The first time you click one of these headings, the policy list is sorted alphabetically from top to bottom according to the first letter or symbol of the items in that column; for example, clicking the Name heading sorts the policies by the first letter of the policy name, from 'A' at the top to 'Z' at the bottom. Clicking the heading a second time reverses the order (Z to A). A small arrow displayed next to the heading indicates the order that the next click on that heading applies.
• Names beginning with a symbol or number come before names beginning with any alphabetical character. When sorting by Object name, automatically created objects beginning with a tilde (~) come before objects beginning with any alphabetical character. The same holds true if you use a symbol or number as the first character when naming an object, action, or policy.
• When sorting by the Enable heading, the first click places all enabled policies at the top of the list. Clicking again puts disabled policies at the top.

Viewing Tooltips for App Rules Policies
The App Rules main page provides mouse-over tooltips for the policy values. These tooltips display a number of details about the values. To display the tooltips, move your mouse pointer slowly over the elements within each policy. The tooltip automatically pops up with the available information. Tooltip Displays lists some of the information that can be displayed for the elements under each heading. The type of information varies depending on the object type.

Tooltip Displays
Heading | Potential Settings Information in Tooltip
Name | Status – Enabled or Disabled
Policy Type | N/A
Object | Object Properties – Type, Match Type, Input Type, Negative Matching, Content
Action | Action Properties – Type, Content, BWM Inbound/Outbound Parameters
Direction | N/A
Comments | Comments – Source/Destination Address, To/From Service, Log, Log Redundancy Filter, Included/Excluded Users, Email Users, Schedule
Enable | N/A

The actual information displayed depends on the settings configured for the policy or object.

Adding or Editing App Rules Policies After creating a match object, and optionally, an action or an email address object, you are ready to create a policy that uses them. Only a limited number of App Rules policies are allowed, depending on the appliance model. You can use App Control to create custom App Rules Policies to control specific aspects of traffic on your network. A policy is a set of match objects, properties, and specific prevention actions.

To create a policy, complete the following steps:
• Create a Match Object
• Select and optionally customize an Action Object
• Reference the Match Object and Action Object when you create the policy
When you create a policy, you select a policy type. Each policy type specifies the values or value types that are valid for the source, destination, match object type, and action fields in the policy. You can further define the policy to include or exclude specific users or groups, select a schedule, turn on logging, and specify the connection side as well as basic or advanced direction types. A basic direction type simply indicates inbound or outbound. An advanced direction type allows zone-to-zone direction configuration, such as from the LAN to the WAN.

To configure an App Rules policy, complete the following steps: 1 In the TreeControl, select the unit or group to configure. 2 Navigate to the Firewall > App Rules page.

3 To edit an existing policy, click the pencil icon under Configure for it. To add a new policy, click Add New Policy. The App Control Policy Settings window displays.

4 In the App Control Policies Settings window, type a descriptive name into the Policy Name field.
5 Select a Policy Type from the drop-down menu. Your selection here affects the available options in the window. For information about available policy types, see Policy Type Reference.
6 Select a Source and Destination Address Group or Address Object from the Address drop-down menus. Only a single Address field is available for the IPS Content, App Control Content, or CFS policy types.
7 Select the Source or Destination Service Object from the Service drop-down menus. Some policy types do not provide a choice of service.
8 For Exclusion Address, optionally select an Address Group or Address Object from the drop-down menu. This address is not affected by the policy.
9 For Match Object, select match objects to include and exclude from the drop-down menus. The menus contain the defined match objects that are applicable to the policy type.
10 For Action Object, select an action from the drop-down menu. The list contains actions that are applicable to the policy type and the match object, and can include the predefined actions, plus any customized actions. For a log-only policy, select No Action.
11 For Users/Groups, select from the drop-down menus for both Included and Excluded. The selected users or groups under Excluded are not affected by the policy.

12 If the policy type is SMTP Client, select from the drop-down menus for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or groups under Excluded are not affected by the policy.
13 For Schedule, select from the drop-down menu. The list provides a variety of schedules for the policy to be in effect.
14 Select Enable flow reporting to enable internal and external flow reporting based on data flows, connection-related flows, and non-connection-related flows regarding applications, viruses, spyware, intrusions, and other information.
15 If you want the policy to create a log entry when a match is found, select Enable Logging.
16 To record more details in the log, select Log individual object content.
17 If the policy type is IPS Content, select Log using IPS message format to display the category in the log entry as "Intrusion Prevention" rather than "Application Control," and to use a prefix such as "IPS Detection Alert" in the log message rather than "Application Control Alert." This is useful if you want to use log filters to search for IPS alerts.
18 If the policy type is App Control Content, select Log using App Control message format to display the category in the log entry as "Application Control," and to use a prefix such as "Application Control Detection Alert" in the log message. This is useful if you want to use log filters to search for Application Control alerts.
19 If the policy type is CFS, select Log using CFS message format to display the category in the log entry as "Network Access," and to use a log message such as "Web site access denied" in the log message rather than no prefix. This is useful if you want to use log filters to search for content filtering alerts.
20 For Log Redundancy Filter, you can either select Global Settings to use the global value set on the Firewall > App Rules page, or you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
21 For Connection Side, select from the drop-down menu. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. The IPS Content, App Control Content, and CFS policy types do not provide this configuration option.
22 For Direction, click either Basic or Advanced and select a direction from the drop-down menu. Basic allows you to select Incoming, Outgoing, or Both. Advanced allows you to select between zones, such as LAN to WAN. The IPS Content, App Control Content, and CFS policy types do not provide this configuration option.
23 If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone drop-down menu. The policy is applied to this zone.
24 If the policy type is CFS, select an entry from the CFS Allow/Excluded List drop-down menu. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry are not affected by the policy.
25 If the policy type is CFS, select an entry from the CFS Forbidden/Included List drop-down menu. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry are denied access to matching content, instead of having the defined action applied.
26 If the policy type is CFS, select Enable Safe Search Enforcement to prevent safe search enforcement from being disabled on search engines such as Yahoo, Bing, and others.
27 Click Update. The Modify Task Description and Schedule window displays.
28 A description is automatically added in the Description field. Optionally change the description.
29 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Activate this policy immediately.
• At – Select the exact time to activate this policy using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
30 Click Accept to save the policy with this schedule. Click Cancel to exit without saving the policy. At the unit level, you might need to refresh the Firewall > App Rules page to see your new policy in the list.
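The scoping fields in the procedure above (Exclusion Address, Included and Excluded users, a match object with Negative Matching, and No Action as the log-only action), as an added example that is not SonicWall or GMS code: one HTTP Client policy evaluated against a constructed HTTP request. The Policy, MatchObject and HttpRequest structures, the user names, the addresses, the request text and the log line format are all constructed for the illustration; only the File Extension and HTTP User Agent match types are implemented.

```python
"""Added example (not SonicWall or GMS code): evaluating one App Rules
policy of type HTTP Client against a constructed HTTP request.  The data
structures, users, addresses, request and log format are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MatchObject:
    name: str
    match_type: str             # "File Extension" or "HTTP User Agent"
    values: List[str]
    negative: bool = False      # Negative Matching: object matches when no value matches


@dataclass
class Policy:
    name: str
    match_object: MatchObject
    action: str                 # e.g. "Reset/Drop", "Packet Monitor", "No Action"
    source_address: str = "Any"                  # CIDR or "Any"
    exclusion_address: Optional[str] = None      # CIDR that the policy never affects
    included_users: Set[str] = field(default_factory=set)   # empty = all users
    excluded_users: Set[str] = field(default_factory=set)   # never affected
    logging: bool = True


@dataclass
class HttpRequest:
    client_ip: str
    user: str
    method: str
    uri: str
    headers: Dict[str, str]


def parse_request(raw: str, client_ip: str, user: str) -> HttpRequest:
    """Minimal parser for the request line and headers of one HTTP/1.1 request."""
    request_line, *header_lines = raw.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        if not line:
            break                                # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(client_ip, user, method, uri, headers)


def in_scope(policy: Policy, req: HttpRequest) -> bool:
    """Exclusion Address and Excluded Users take precedence over any include."""
    ip = ip_address(req.client_ip)
    if policy.exclusion_address and ip in ip_network(policy.exclusion_address):
        return False
    if req.user in policy.excluded_users:
        return False
    if policy.source_address != "Any" and ip not in ip_network(policy.source_address):
        return False
    if policy.included_users and req.user not in policy.included_users:
        return False
    return True


def object_matches(obj: MatchObject, req: HttpRequest) -> bool:
    if obj.match_type == "File Extension":
        filename = req.uri.split("?", 1)[0].rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
        hit = ext in {v.lower().lstrip(".") for v in obj.values}
    elif obj.match_type == "HTTP User Agent":
        agent = req.headers.get("user-agent", "").lower()
        hit = any(v.lower() in agent for v in obj.values)
    else:
        raise ValueError(f"match type not implemented here: {obj.match_type}")
    return (not hit) if obj.negative else hit


def evaluate(policy: Policy, req: HttpRequest) -> Tuple[str, Optional[str]]:
    """Return (verdict, log entry).  Verdict is 'not in scope', 'no match',
    'log only' (action No Action) or the policy's action name."""
    if not in_scope(policy, req):
        return "not in scope", None
    if not object_matches(policy.match_object, req):
        return "no match", None
    entry = None
    if policy.logging:                           # constructed log line format
        entry = (f"Application Control Alert: policy={policy.name} "
                 f"object={policy.match_object.name} user={req.user} "
                 f"src={req.client_ip} {req.method} {req.uri}")
    verdict = "log only" if policy.action == "No Action" else policy.action
    return verdict, entry


# Constructed sample: block executable downloads from the LAN, except from the
# patch server subnet and for the user who maintains it.
EXE_OBJECT = MatchObject("exe-downloads", "File Extension", ["exe", "msi"])
BLOCK_EXE = Policy("block-exe-download", EXE_OBJECT, "Reset/Drop",
                   source_address="10.0.0.0/16", exclusion_address="10.0.0.0/29",
                   excluded_users={"alice"})
LOG_EXE = Policy("log-exe-download", EXE_OBJECT, "No Action")
SAMPLE_REQUEST = ("GET /downloads/setup.exe?id=7 HTTP/1.1\r\n"
                  "Host: files.example.com\r\n"
                  "User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST, "10.0.1.20", "bob")
    print(evaluate(BLOCK_EXE, req))
    print(evaluate(LOG_EXE, req))
```

The order of the checks in in_scope is the point: an excluded user or an address inside the Exclusion Address is out of scope even if it also sits inside the policy's source address or included users, which is what "not affected by the policy" means in steps 8 and 11. Negative Matching inverts only the match object, never the scope.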

Enabling or Disabling App Rules Policies You can enable or disable existing App Rules policies directly on the Firewall > App Rules page.

To enable or disable a policy, complete the following steps: 1 In the TreeControl, select the unit or group to configure. 2 Navigate to the Firewall > App Rules page. 3 To enable a policy, select the checkbox in the Enable column for that policy. To disable the policy, clear the checkbox. 4 Click Update. The Modify Task Description and Schedule window displays. 5 Select the Schedule settings, then click Accept to save the policy with this schedule. Click Cancel to exit without saving the policy.

Deleting App Rules Policies

To delete one or more App Rules policies, complete the following steps: 1 In the TreeControl, select the unit or group to configure. 2 Navigate to the Firewall > App Rules page.

3 To delete a single policy, click the trash can icon under Configure for it, and then click OK in the confirmation dialog. 4 To delete one or more policies, select the checkboxes for the ones to delete and click Delete Policy(s), and then click OK in the confirmation dialog.

Policy Type Reference
The Policy Types table that follows describes the characteristics of the available App Rules policy types.

Policy Types
Each entry lists: Policy Type | Description | Valid Source Service / Default | Valid Destination Service / Default | Valid Match Object Type | Valid Action Type | Connection Side

App Control Content | Policy using dynamic Application Control related objects for any application layer protocol | N/A | N/A | Application Category List, Application List, Application Signature List | Reset/Drop, No Action, Bypass DPI, Packet Monitor, BWM Global-*, WAN BWM * | N/A
CFS | Policy for content filtering | N/A | N/A | CFS Category List, CFS Allow/Forbidden List | CFS Block Page, Packet Monitor, No Action, BWM Global-*, WAN BWM * | N/A
Custom Policy | Policy using custom objects for any application layer protocol; can be used to create IPS-style custom signatures | Any / Any | Any / Any | Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side, Server Side, Both
FTP Client | Any FTP command transferred over the FTP control channel | Any / Any | FTP Control / FTP Control | FTP Command, FTP Command + Value, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Client Side
FTP Client File Upload | An attempt to upload a file over FTP (STOR command) | Any / Any | FTP Control / FTP Control | Filename, File Extension | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side
FTP Client File Download | An attempt to download a file over FTP (RETR command) | Any / Any | FTP Control / FTP Control | Filename, File Extension | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Client Side
FTP Data Transfer | Data transferred over the FTP data channel | Any / Any | Any / Any | File Content Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Both
HTTP Client | Policy that is applicable to Web browser traffic or any HTTP request that originates on the client | Any / Any | Any / HTTP (configurable) | HTTP Host, HTTP Cookie, HTTP Referrer, HTTP Request Custom Header, HTTP URI Content, HTTP User Agent, Web Browser, File Name, File Extension, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor (1), No Action, BWM Global-*, WAN BWM * | Client Side
HTTP Server | Response originated by an HTTP server | Any / HTTP (configurable) | Any / Any | ActiveX Class ID, HTTP Set Cookie, HTTP Response, File Content Object, Custom Header, Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | Server Side
IPS Content | Policy using dynamic Intrusion Prevention related objects for any application layer protocol | N/A | N/A | IPS Signature Category List, IPS Signature List | Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * | N/A
POP3 Client | Policy to inspect traffic generated by a POP3 client; typically useful for a POP3 server admin | Any / Any | POP3 (Retrieve Email) / POP3 (Retrieve Email) | Custom Object | Reset/Drop, Bypass DPI, Packet Monitor, No Action | Client Side
POP3 Server | Policy to inspect email downloaded from a POP3 server to a POP3 client; used for email filtering | POP3 (Retrieve Email) / POP3 (Retrieve Email) | Any / Any | Email Body, Email CC, Email From, Email To, Email Subject, File Name, File Extension, MIME Custom Header | Reset/Drop, Disable attachment, Bypass DPI, No Action | Server Side
SMTP Client | Policy applies to SMTP traffic that originates on the client | Any / Any | SMTP (Send Email) / SMTP (Send Email) | Email Body, Email CC, Email From, Email To, Email Size, Email Subject, Custom Object, File Content, File Name, File Extension, MIME Custom Header | Reset/Drop, Block SMTP E-Mail Without Reply, Bypass DPI, Packet Monitor, No Action | Client Side

(1) The Packet Monitor action is not supported for File Name or File Extension custom objects.


Configuring App Control Advanced Policies

The Firewall > App Control Advanced page provides an alternate method of adding App Control policies. The configuration method on this page allows granular control of specific categories, applications, or signatures. This includes granular logging control, granular inclusion and exclusion of users, groups, or IP address ranges, and schedule configuration. The settings here are global policies, independent from any custom App Rules policy, and do not need to be added to an App Rules policy to take effect.

You can configure the following settings on this page:
• Select a category, an application, or a signature.
• Select blocking, logging, or both as the action.
• Specify users, groups, or IP address ranges to include in or exclude from the action.
• Set a schedule for enforcing the controls.

The Firewall > App Control Advanced page provides application signature management for all supported firewalls. Only 50 rows can be displayed on this page. To view additional rows, use the pagination controls to the right of the Items field.

The Firewall > App Control Advanced page provides an App Control View Style section. When you select Application or Signature in the Viewed By field in this section, the listed items are displayed as links in the App Control Advanced section. You can click these links for more details about the application or signature. A summary is provided, as well as information from Wikipedia, if available.

NOTE: When All is selected in the Category drop-down menu while Viewed By is set to Category, and then one of the category links is clicked, the View Style settings change to select that category in the Category drop-down menu and set Viewed By to Application, displaying all the applications in that category.

Topics:
• Viewing App Control Status
• Enabling App Control on Network Zones
• Configuring App Control Advanced Global Settings
• Configuring Advanced App Control Policies
• Sorting App Control Advanced Items

Viewing App Control Status

The Firewall > App Control Status section at the top of the page displays the date of the most recent signature database available in MySonicWall.com. This database contains thousands of signatures for application viruses and other malware being tracked by SonicWall. SonicWall appliances periodically synchronize with MySonicWall to download updates to the database.

The Status section also displays the expiration date of the App Control Service license. If the service expires, no new signatures are downloaded to the appliance from MySonicWall. A link to the Network > Zones page is provided next, for convenient navigation. You must enable App Control on each zone where you want it to inspect network traffic. If App Control is not enabled on any zones, a warning is displayed here. See Enabling App Control on Network Zones for a description of enabling App Control on a network zone.

Enabling App Control on Network Zones

You must enable App Control on each zone where you want to use App Control Advanced policies to inspect network traffic. A link to the Network > Zones page is provided on the Firewall > App Control Advanced page for convenient navigation.

NOTE: App Control policies are applied to traffic within a network zone only when you enable the App Control Service for that zone. App Rules policies are independent, and not affected by the App Control setting for network zones.

To enable App Control on a network zone:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Control Advanced page and click Network > Zones in the App Control Status section at the top of the page.
3 On the Network > Zones page, click the Edit icon for the desired zone. The Edit Network Zone screen displays.
4 Select Enable App Control Service.
5 Click OK. The Modify Task Description and Schedule window displays.
6 A description is automatically added in the Description field. Optionally change the description.
7 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Enable the configuration immediately.
• At – Select the exact time to enable the configuration by using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
8 Click Accept to enable the configuration on this schedule. Click Cancel to exit without saving the configuration.

Configuring App Control Advanced Global Settings

NOTE: App Control is a licensed service that you must enable to activate the functionality.

The Firewall > App Control Advanced page provides the following global settings:
• Enable App Control – Globally enables App Control.
• Enable Logging For All Apps – Enables system logging for all applications.
• Global Log Redundancy Filter Interval – Sets the interval (in minutes) for the global log redundancy filter. This setting applies to all App Control events. If this interval is set to 0, a log entry is created for every event.
• Configure Settings – Configures a global exclusion list for App Control.
• Update Signature Database – Synchronizes signatures with MySonicWall.
• Reset Settings & Policies – Deletes all App Control configuration and policies for the selected unit or for all units in the selected group.

Topics:
• Displaying App Control Status
• Enabling App Control Globally
• Configuring an App Control Advanced Exclusion List
• Synchronizing the Signature Database
• Resetting App Control to Factory Defaults

Displaying App Control Status

The App Control Status section displays information about the signature database, indicates the App Control Service expiration date, and provides a link for enabling App Control. To enable App Control on a per-zone basis, click the link to the Network > Zones page in the Note.

Enabling App Control Globally

To globally enable App Control Advanced policies:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Control Advanced page.
3 In the App Control Global Settings area, select Enable App Control to globally enable App Control. App Control policies are applied to traffic within a network zone only if you enable the App Control Service for that zone. See Enabling App Control on Network Zones for a description of enabling App Control on a network zone.
4 If logging is required globally, select Enable Logging For All Apps.
5 Enter an interval, in seconds, for the global log redundancy filter in the Global Log Redundancy Filter Interval field. Global settings apply to all App Control events. The range is 0 to 999999 seconds, and the default is 60 seconds. If set to zero, a log entry is created for every event. Other values specify the minimum number of seconds between log entries. Log redundancy can also be set on a per-category or per-app basis.
6 Click Update. The Modify Task Description and Schedule window displays.
7 A description is automatically added in the Description field. Optionally change the description.
8 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Enable App Control Advanced policies immediately.
• At – Select the exact time to enable App Control Advanced policies by using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
9 Click Accept to enable App Control Advanced policies on this schedule. Click Cancel to exit without saving the configuration.

Configuring an App Control Advanced Exclusion List

To configure an exclusion list for App Control Advanced policies:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Control Advanced page.
3 In the App Control Global Settings area, click Configure Settings to bring up the App Control Exclusion List window.
4 Select Enable Application Control Exclusion List to activate the exclusion options in the window.
5 To use the IPS exclusion list, which can be configured on the Security Services > Intrusion Prevention page, select Use IPS Exclusion List.
6 To use an address object for the exclusion list, select Use Application Control Exclusion Address Object, and then select an address object from the drop-down menu.
7 Click OK. The Modify Task Description and Schedule window displays.
8 A description is automatically added in the Description field. Optionally change the description.
9 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Enable the exclusion list immediately.
• At – Select the exact time to enable the exclusion list by using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
10 Click Accept to enable the exclusion list on this schedule. Click Cancel to exit without saving the configuration.

Synchronizing the Signature Database

To synchronize the signature database with MySonicWall:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Control Advanced page.
3 In the App Control Global Settings area, click Update Signature Database. The Modify Task Description and Schedule window displays.
4 A description is automatically added in the Description field. Optionally change the description.
5 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Synchronize the database immediately.
• At – Select the hours and day to synchronize the database using the drop-down menus for the specific day and so on.
Click Accept to close the window.
6 Click Update to synchronize the database on this schedule. Click Reset to exit without saving the configuration.

Resetting App Control to Factory Defaults

To reset App Control settings and policy configuration to the factory default values for the selected unit or for all units in the selected group:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Control Advanced page.
3 In the App Control Global Settings area, click Reset Settings & Policies.
4 Click OK in the confirmation dialog box. The Modify Task Description and Schedule window displays.
5 A description is automatically added in the Description field. Optionally change the description.
6 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Complete the reset immediately.
• At – Select the exact time to do the reset using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
7 Click Accept to complete the reset on this schedule. Click Cancel to exit without saving the configuration.

Configuring Advanced App Control Policies

The Firewall > App Control Advanced page provides a way to configure global App Control policies to block or log categories, applications, and signatures. Policies configured on this page are independent from policies created on Firewall > App Rules, and do not need to be added to an App Rules policy to take effect.

You can configure the following settings on this page:
• Select a category, an application, or a signature.
• Select blocking, logging, or both as the action.
• Specify users, groups, or IP address ranges to include in or exclude from the action.
• Set a schedule for enforcing the controls.

While these application control settings are independent from App Rules policies, you can also create application match objects for any of the categories, applications, or signatures available here, and use those match objects in an App Rules policy.

Topics:
• Configuring App Control by Category
• Configuring App Control by Application
• Configuring App Control by Signature

Configuring App Control by Category

Category-based configuration is the most broadly based method of policy configuration on the Firewall > App Control Advanced page. The list of categories is available in the Category drop-down menu in the App Control View Style section.

To configure an App Control policy for an application category:
1 In the TreeControl, select the unit or group on which to search.
2 Navigate to the Firewall > App Control Advanced page. In the App Control View Style section, select Category from the Viewed By drop-down menu. The list of available categories is displayed in the App Control Advanced section. Each category has a Configure icon in its row.
3 Click Configure in the row for the category you want to work with. The App Control Category Settings window opens.
4 Alternatively, select an application category from the Category drop-down menu in the View Style area. A Configure icon appears to the right of the field as soon as a category is selected. Click the Configure icon to open the App Control Category Settings window for the selected category.
5 To block applications in this category, select Enable in the Block drop-down menu.
6 To create a log entry when applications in this category are detected, select Enable in the Log drop-down menu.
7 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down menu. Select All to apply the policy to all users.
8 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups drop-down menu. Select None to apply the policy to all users.
9 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down menu. Select All to apply the policy to all IP addresses.
10 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down menu. Select None to apply the policy to all IP addresses.
11 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule drop-down menu.
12 To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field. By default, the Log Redundancy Filter has the Use Global Settings option deselected; the field is dimmed when the option is selected and cannot be changed. To specify a different delay between log entries for repetitive events:
a Deselect Use Global Settings. The field becomes available.
b Enter the number of seconds for the delay into the Log Redundancy Filter field. The minimum number of seconds is 0 (no delay), the maximum is 999999, and the default is 0.
13 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.
14 A description is automatically added in the Description field. Optionally change the description.
15 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Enable the policy immediately.
• At – Select the exact time to enable the policy by using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
16 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.

Configuring App Control by Application Application-based configuration is the middle level of policy configuration on the Firewall > App Control Advanced page, between the category-based and signature-based levels. The list of applications is available in the Application drop-down menu in the App Control View Style section. With a category selected, the list contains applications within that category. If the category is set to All, applications for all categories are listed.

This configuration method allows you to create policy rules specific to a single application if you want to enforce the policy settings only on the signatures of this application without affecting other applications in the same category.

To configure an App Control policy for a specific application:
1 In the TreeControl, select the unit or group on which to search.
2 Navigate to the Firewall > App Control Advanced page. In the App Control View Style area, select a category from the Category drop-down menu.
3 Next, select Application in the Viewed By drop-down menu. The list of available applications in the selected category is displayed in the App Control Advanced section. Each application has a Configure icon in its row.
4 Click Configure in the row for the application you want to work with. The App Control App Settings window opens.
5 Alternatively, select an application in this category from the Application drop-down menu. A Configure icon appears to the right of the field as soon as an application is selected. Click that Configure icon to open the App Control App Settings window for the selected application.
6 The fields at the top of the window display the values for the App Category Name and App Name, and are not editable. In the other fields, the application configuration parameters default to the current settings of the category to which the application belongs. To retain this connection to the category settings for one or more fields, leave the selection in place for those fields.
7 To block this application, select Enable in the Block drop-down menu.
8 To create a log entry when this application is detected, select Enable in the Log drop-down menu.
9 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down menu. Select All to apply the policy to all users.
10 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups drop-down menu. Select None to apply the policy to all users.
11 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down menu. Select All to apply the policy to all IP addresses.
12 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down menu. Select None to apply the policy to all IP addresses.
13 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule drop-down menu.
14 To use the same Log Redundancy Filter settings that are set for the entire category, leave Use Category Settings selected. To specify a different delay between log entries for repetitive events, clear Use Category Settings and type the number of seconds for the delay into the Log Redundancy Filter field.
15 Click OK. The Modify Task Description and Change Order window displays for GMS scheduling.
16 A description is automatically added in the Description field. Optionally change the description.
17 For Submit Change Order, select Create new Change Order from the drop-down menu.
18 Complete the form with a Description (a default is provided).
19 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Personally configure the schedule for the Agent that manages this unit.
• Immediate – Enable the policy immediately after approval.
• At – Select the exact time to enable the policy by using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu or click Add Schedule. Select the date from the calendar.
20 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.

Configuring App Control by Signature

Signature-based configuration is the lowest, most specific, level of policy configuration on the Firewall > App Control Advanced page. Setting a policy based on a specific signature allows you to configure policy settings for the individual signature without influence on other signatures of the same application.

To configure an App Control policy for a specific signature:
1 In the TreeControl, select the unit or group on which to search.
2 Navigate to the Firewall > App Control Advanced page. Select a category from the Category drop-down menu.
3 Next, select an application in this category from the Application drop-down menu.
4 To display the specific signatures for this application, select Signature in the Viewed By drop-down menu. For example, the Farmville gaming application has four signatures.
5 Click the Configure icon in the row for the signature you want to modify. The Edit App Control Signature window opens.
6 Alternatively, enter the Signature ID, shown in the ID column, into the Lookup Signature ID field and click Configure next to the field to open the Edit App Control Signature window.
7 In the App Control Signature Settings window, several fields at the top of the window are not editable. These fields display the values for the Signature Category, Signature Name, Signature ID, Application ID, Priority, and Direction of the traffic in which this signature can be detected. In the other fields, the default policy settings for the signature are set to the current settings for the application to which the signature belongs. To retain this connection to the application settings for one or more fields, leave the selection in place for those fields.
8 To block this signature, select Enable in the Block drop-down menu.
9 To create a log entry when this signature is detected, select Enable in the Log drop-down menu.
10 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups drop-down menu. Select All to apply the policy to all users.
11 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups drop-down menu. Select None to apply the policy to all users.
12 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range drop-down menu. Select All to apply the policy to all IP addresses.
13 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range drop-down menu. Select None to apply the policy to all IP addresses.
14 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule drop-down menu.
15 To use the same Log Redundancy Filter settings that are set for all signatures in the application, leave Use App Settings selected. To specify a different delay between log entries for repetitive events, clear Use App Settings and type the number of seconds for the delay into the Log Redundancy Filter field.
16 To view more details about the signature, click the link in the note, Click here for comprehensive information regarding this signature. The SonicWall Security Center page for the signature is displayed.
17 Click OK. The Modify Task Description and Change Order window displays for GMS scheduling.
18 A description is automatically added in the Description field. Optionally change the description.
19 Complete the form with a Description.
20 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Enable the policy immediately.
• At – Select the exact time to enable the policy by using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
21 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.
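The category, application and signature procedures above share one model: a field left at its default ("Use Global Settings", "Use Category Settings", "Use App Settings") inherits from the next level up, included users and IP ranges select traffic, excluded ones carve out of that selection, and the Log Redundancy Filter suppresses repeat entries for the configured number of seconds (0 meaning no delay). The following is an added illustration of that resolution and filtering logic, not SonicWall GMS code; the class and function names, the policy tree, and the events are constructed for the example, and schedules are not modelled.

```python
"""Illustration of how App Control Advanced settings combine (added example,
not GMS code). Level, resolve, applies, RedundancyFilter and run_demo are
constructed names; the policy tree and events are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FIELDS = ("block", "log", "included_users", "excluded_users",
          "included_ips", "excluded_ips", "log_redundancy")


@dataclass
class Level:
    """One configuration level. A field left at None means "leave the selection
    in place": it is inherited from the next level up
    (signature -> application -> category -> global)."""
    name: str
    block: Optional[bool] = None
    log: Optional[bool] = None
    included_users: Optional[set] = None   # {"All"} = every user
    excluded_users: Optional[set] = None   # set() = "None"
    included_ips: Optional[list] = None    # ["All"] or CIDR strings
    excluded_ips: Optional[list] = None    # [] = "None"
    log_redundancy: Optional[int] = None   # seconds; 0 = log every event


# Constructed global defaults: nothing blocked or logged, 60 s redundancy filter.
GLOBAL = Level("global", block=False, log=False, included_users={"All"},
               excluded_users=set(), included_ips=["All"], excluded_ips=[],
               log_redundancy=60)


def resolve(*chain: Level) -> Level:
    """Walk from the most general level to the most specific; the most
    specific explicitly set value wins for each field."""
    eff = Level("effective")
    for lvl in chain:
        for f in FIELDS:
            v = getattr(lvl, f)
            if v is not None:
                setattr(eff, f, v)
    return eff


def _ip_in(ip: str, nets) -> bool:
    if nets == ["All"]:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def applies(eff: Level, user: str, ip: str) -> bool:
    """Included users/ranges select traffic; excluded ones carve out of it."""
    if "All" not in eff.included_users and user not in eff.included_users:
        return False
    if user in eff.excluded_users:
        return False
    if not _ip_in(ip, eff.included_ips):
        return False
    return not (eff.excluded_ips and _ip_in(ip, eff.excluded_ips))


class RedundancyFilter:
    """Suppresses repeat log entries for the same signature until `interval`
    seconds have passed since the last entry that was written."""

    def __init__(self):
        self.last_logged = {}

    def should_log(self, key: str, now: int, interval: int) -> bool:
        if interval == 0:                      # 0 = no delay, log every event
            return True
        prev = self.last_logged.get(key)
        if prev is not None and now - prev < interval:
            return False
        self.last_logged[key] = now
        return True


def run_demo():
    """Returns a (blocked, logged) pair per event for a constructed policy tree."""
    gaming = Level("Gaming", block=True, log=True, excluded_users={"itadmin"})
    farmville = Level("Farmville", log_redundancy=10)   # Use Category Settings cleared
    sig_a = Level("FARMVILLE-A")                          # inherits everything
    sig_b = Level("FARMVILLE-B", block=False, included_ips=["10.0.0.0/8"])
    effective = {s.name: resolve(GLOBAL, gaming, farmville, s) for s in (sig_a, sig_b)}
    filt = RedundancyFilter()
    # Constructed events: (time in seconds, user, source IP, signature matched)
    events = [(0, "alice", "10.1.2.3", "FARMVILLE-A"),
              (5, "alice", "10.1.2.3", "FARMVILLE-A"),     # within 10 s: not logged
              (12, "alice", "10.1.2.3", "FARMVILLE-A"),
              (12, "itadmin", "10.1.2.3", "FARMVILLE-A"),  # excluded user
              (13, "bob", "192.168.1.5", "FARMVILLE-B"),   # outside included range
              (13, "bob", "10.9.9.9", "FARMVILLE-B")]
    results = []
    for now, user, ip, sig in events:
        eff = effective[sig]
        if not applies(eff, user, ip):
            results.append((False, False))
            continue
        logged = bool(eff.log) and filt.should_log(sig, now, eff.log_redundancy)
        results.append((bool(eff.block), logged))
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```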

Sorting App Control Advanced Items

You can sort the list of App Control Advanced items by clicking on several of the headings, including Category, Application, Name, and ID. The first time you click one of these headings the list is sorted in descending alphabetical order from top to bottom, according to the first letter or symbol of the items in that column.

For example, clicking the Application heading sorts all rows alphabetically by the first letter of the application name, from numbers at the top to ‘Z’ at the bottom. Names beginning with a symbol or number come before names beginning with any alphabetical character. To resort the list in ascending order, click the heading a second time.


Configuring Address Objects

The SonicWall GMS supports Address Objects, which can be a host, network, MAC, or IP address range. An Address Object Group is a group of Address Objects or other Address Object Groups. After they are defined, you can quickly establish NAT Policies, VPN Security Associations (SAs), firewall rules, and DHCP settings between Address Objects and Address Object Groups without individual configuration.

All SonicWall appliances come with a group of predefined default network objects. These include subnets for each interface, interface IP addresses for each interface, management IP addresses, and more.

GMS supports paginated navigation and sorting by column header on the Address Objects screen. In either of the tables, you can click a column header to sort by that column. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.

IPv6 Address Objects and Address Object Groups can be viewed and configured on the Firewall > Address Objects page. The configuration of IPv6 Address Objects is nearly identical to that of IPv4 Address Objects.

Topics:
• Creating Address Object Groups
• Editing Address Groups
• Deleting Address Groups
• Working with Dynamic Addresses
• Creating Address Objects
• Modifying Network Address Groups or Objects
• Deleting Network Address Group or Objects

Creating Address Object Groups

To create an Address Object Group, complete the following steps:
1 Navigate to Firewall > Address Objects. The Address Objects page displays.
2 Scroll down and click Add New Group.
3 Create a friendly, unique name for the group in the Name field.
4 Select an address object from the (Not In Group) list and click the right arrow to move it into the right (In Group) column. The selected item is added to the group. Clicking while pressing the Ctrl key allows you to select multiple objects.
5 When you are finished, click OK.
TIP: To remove an address or subnet from the group, select the IP address or subnet in the right column and click the left arrow. The selected item moves from the right column to the left column.

Editing Address Groups

NOTE: Only custom and some Address Groups can be edited.

To edit a group, click the Edit icon in the Configure column of the Network Address Groups Settings table. The Edit Address Object Group window is displayed. This window is the same as the Add Address Object Group window; see Creating Address Object Groups.

Deleting Address Groups

NOTE: Only custom Address Groups can be deleted.

• To delete an individual custom Address Group, click the Delete icon in its Configure column. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Address Group.
• To delete multiple active custom Address Groups, select them and click Delete Group(s).
• To delete all custom Address Groups, click the checkbox in the top left column heading and, when all custom Address Groups are selected, click Delete Group(s).

Working with Dynamic Addresses The GMS uses Address Objects (AOs) to represent IP addresses in most areas throughout the user interface. Address Objects come in the following varieties:

Global Management System 9.3 Administration 49 Configuring Address Objects •Host – Defines a single host by its IP address and zone association. The netmask for a host address object is automatically set to 32-bit (255.255.255.255) to identify it as a single host. For example, My Web Server with an IP address of 67.115.118.110 and a default netmask of 255.255.255.255. •Range – A starting and ending IP address, inclusive of all addresses in between meaning it defines a range of contiguous IP addresses. No netmask is associated with range address objects, but internal logic generally treats each member of the specified range as a 32-bit masked host object. For example, My Public Servers with an IP address starting value of 67.115.118.66 and an ending value of 67.115.118.90. All 25 individual host addresses in this range are included in this address object. •Network – Similar to range objects in that they include multiple hosts, but rather than being bound by specified upper and lower range delimiters, the boundaries are defined by a valid netmask. Network address objects must be defined by the network’s address and a corresponding netmask. For example, My Public Network with a network address of 67.115.118.64 and a netmask of 255.255.255.224 would include addresses from 67.115.118.64 through 67.115.118.95. As a general rule, the first address in a network (the network address) and the last address in a network (the broadcast address) cannot be assigned to a host. •MAC – Allows for the identification of a host by its hardware address or IPv4/IPv6 MAC (Media Access Control) address. MAC addresses are uniquely assigned to every piece of wired or wireless networking device by their hardware manufacturers, and are intended to be immutable. MAC addresses are 48-bit values that are expressed in 6-byte hex-notation. For example, My Access Point with a MAC address of 00:06:01:AB:02:CD. 
MAC addresses are resolved to an IP address by referring to the ARP cache on the security appliance. MAC address objects are used by various components of wireless configurations throughout SonicOS, such as SonicPoint or SonicWave identification, and authorizing the BSSID (Basic Service Set Identifier, or WLAN MAC) of wireless access points detected during wireless scans. MAC address objects can also be used to allow hosts to bypass Guest Services authentication.

• Group – A collection of Address Objects of any assortment of types. Groups can contain other Groups, Host, MAC, Range, or FQDN Address Objects.

• FQDN – Allows for the identification of a host by its IPv4/IPv6 Fully Qualified Domain Name (FQDN), such as www.SonicWall.com. FQDNs are resolved to their IP address (or IP addresses) using the DNS server configured on the security appliance. Wild card entries are supported through the responses to queries sent to the DNS servers.

While more effort is involved in creating an Address Object than in simply entering an IP address, AOs were implemented to complement the management scheme of GMS, providing the following characteristics:

• Zone Association – When defined, Host, MAC, and FQDN AOs require an explicit zone designation. In most areas of the interface (such as Access Rules) this is only used referentially. The functional applications are the contextually accurate population of Address Object drop-down menus and the VPN Access definitions assigned to Users and Groups. When AOs are used to define VPN Access, the Access Rule auto-creation process refers to the AO’s zone to determine the correct intersection of VPN [zone] for rule placement. In other words, if the Host AO, 192.168.168.200 Host, belonging to the LAN zone was added to VPN Access for the Trusted Users User Group, the auto-created Access Rule would be assigned to the VPN LAN zone.
• Management and Handling – The versatilely typed family of Address Objects can be easily used throughout the GMS interface, allowing for handles (for example, from Access Rules) to be quickly defined and managed. The ability to simply add or remove members from Address Object Groups effectively enables modifications of referencing rules and policies without requiring direct manipulation.

• Reusability – Objects only need to be defined once, and can then be easily referenced as many times as needed.

Key Features of Dynamic Address Objects

The term Dynamic Address Object (DAO) describes the underlying framework enabling MAC and FQDN AOs. By transforming AOs from static to dynamic structures, Firewall > Access Rules can automatically respond to changes in the network.

Dynamic Address Objects: Features and Benefits

Feature: FQDN wildcard support
Benefit: FQDN Address Objects support wild card entries, such as *.somedomainname.com, by first resolving the base domain name to all its defined host IP addresses, and then by continuously gleaning DNS responses as they pass through the firewall. For example, creating an FQDN AO for *.myspace.com first uses the DNS servers configured on the firewall to resolve myspace.com to 63.208.226.40, 63.208.226.41, 63.208.226.42, and 63.208.226.43 (as can be confirmed by nslookup myspace.com or equivalent). As most DNS servers do not allow zone transfers, it is typically not possible to automatically enumerate all the hosts in a domain. Instead, the firewall looks for DNS responses coming from sanctioned DNS servers as they traverse the firewall. So, if a host behind the firewall queries an external DNS server that is also a configured/defined DNS server on the firewall, the firewall parses the response to see if it matches the domain of any wild card FQDN AOs.

NOTE: Sanctioned DNS servers are those DNS servers configured for use by the firewall. The reason that responses from only sanctioned DNS servers are used in the wild card learning process is to protect against the possibility of FQDN AO poisoning through the use of unsanctioned DNS servers with deliberately incorrect host entries. Future versions of the GMS might offer the option to support responses from all DNS servers. The use of sanctioned DNS servers can be enforced with the use of Access Rules, as described later in Enforcing the Use of Sanctioned Servers on the Network.

To illustrate, assume the firewall is configured to use DNS servers 4.2.2.1 and 4.2.2.2, and is providing these DNS servers to all firewalled clients through DHCP. If firewalled client-A performs a DNS query against 4.2.2.1 or 4.2.2.2 for vids.myspace.com, the response is examined by the firewall and matched to the defined *.myspace.com FQDN AO. The result (63.208.226.224) is then added to the resolved values of the *.myspace.com DAO.

NOTE: If the workstation, client-A, in the previous example, had resolved and cached vids.myspace.com before the creation of the *.myspace.com AO, vids.myspace.com would not be resolved by the firewall because the client would use its resolver’s cache rather than issuing a new DNS request. As a result, the firewall would not have the chance to learn about vids.myspace.com unless it was resolved by another host. On a Microsoft Windows workstation, the local resolver cache can be cleared using the command ipconfig /flushdns. This forces the client to resolve all FQDNs, thereby allowing the firewall to learn them as they are accessed.

Wild card FQDN entries resolve all host names within the context of the domain name, up to 256 entries per AO. For example, *.SonicWall.com resolves www.SonicWall.com, software.SonicWall.com, and licensemanager.SonicWall.com to their respective IP addresses, but it does not resolve sslvpn.demo.SonicWall.com because it is in a different context; for sslvpn.demo.SonicWall.com to be resolved by a wild card FQDN AO, the entry *.demo.SonicWall.com would be required, which would also resolve sonicos-enhanced.demo.SonicWall.com, csm.demo.SonicWall.com, sonicos-standard.demo.SonicWall.com, and so on.

NOTE: Wild cards only support full matches, not partial matches. In other words, *.SonicWall.com is a legitimate entry, but w*.SonicWall.com, *w.SonicWall.com, and w*w.SonicWall.com are not. A wild card can only be specified once per entry, so *.*.SonicWall.com, for example, is not functional.

Feature: FQDN resolution using DNS
Benefit: FQDN Address Objects are resolved using the DNS servers configured on the firewall on the Network > DNS page. Because it is common for DNS entries to resolve to multiple IP addresses, the FQDN DAO resolution process retrieves all of the addresses to which a host name resolves, up to 256 entries per AO. In addition to resolving the FQDN to its IPs, the resolution process also associates the entry’s TTL (time to live) as configured by the DNS administrator. TTL is then honored to ensure the FQDN information does not become stale.

Feature: MAC Address resolution using live ARP cache
Benefit: When a node is detected on any of the firewall’s physical segments through the ARP (Address Resolution Protocol) mechanism, the firewall’s ARP cache is updated with that node’s MAC and IP address. When this update occurs, if a MAC Address Object referencing that node’s MAC is present, it is instantly updated with the resolved address pairing. When a node times out of the ARP cache because of disuse (for example, the host is no longer L2 connected to the firewall), the MAC AO transitions to an unresolved state.

Feature: MAC Address Object multi-homing support
Benefit: MAC AOs can be configured to support multi-homed nodes, where multi-homed refers to nodes with more than one IP address per physical interface. Up to 256 resolved entries are allowed per AO. This way, if a single MAC address resolves to multiple IPs, all of the IPs are applicable to the Access Rules, and so on, that refer to the MAC AO.

Feature: Automatic and manual refresh processes
Benefit: MAC AO entries are automatically synchronized to the firewall’s ARP cache, and FQDN AO entries abide by DNS entry TTL values, ensuring that the resolved values are always fresh. In addition to these automatic update processes, manual Refresh and Purge capabilities are provided for individual DAOs, or for all defined DAOs.
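The wild card learning and context rules in the table above (responses accepted from sanctioned DNS servers only, one label of context, TTL honored, at most 256 entries per AO) modelled in Python as an added example; this is not SonicOS or GMS code, and the class name, the injectable clock and the DNS responses used in the comments are assumptions or constructed values.

```python
# Model of a wild card FQDN Dynamic Address Object as described in the table
# above: the base domain is resolved first, host entries are then learned only
# from DNS responses that come from sanctioned DNS servers, a wild card covers a
# single label of context, DNS TTLs are honored, and at most 256 entries are
# kept. Added example, not SonicOS or GMS code; the class and method names and
# the injectable clock are assumptions, and all DNS responses are constructed.
from typing import Callable, Dict, Iterable

MAX_ENTRIES = 256   # per-AO limit stated in the table


def validate_wildcard(entry: str) -> str:
    """Accept only a single leading '*.' label: '*.SonicWall.com' is valid,
    'w*.SonicWall.com', '*w.SonicWall.com' and '*.*.SonicWall.com' are not."""
    entry = entry.strip().rstrip(".").lower()
    labels = entry.split(".")
    if entry.count("*") != 1 or labels[0] != "*" or len(labels) < 2 or "" in labels:
        raise ValueError(f"unsupported wild card entry: {entry}")
    return entry


def is_valid_wildcard(entry: str) -> bool:
    try:
        validate_wildcard(entry)
        return True
    except ValueError:
        return False


class WildcardFqdnAO:
    def __init__(self, entry: str, sanctioned_dns: Iterable[str],
                 clock: Callable[[], float]) -> None:
        self.entry = validate_wildcard(entry)
        self.base = self.entry[2:]                 # e.g. 'myspace.com'
        self.sanctioned = frozenset(sanctioned_dns)
        self.clock = clock                         # injectable for testing
        self.resolved: Dict[str, float] = {}      # ip -> expiry time

    def in_context(self, name: str) -> bool:
        """Hosts directly under the base domain only: *.SonicWall.com covers
        www.SonicWall.com but not sslvpn.demo.SonicWall.com."""
        name = name.strip().rstrip(".").lower()
        if name == self.base:
            return True                            # the base domain itself
        if not name.endswith("." + self.base):
            return False
        host = name[: -len(self.base) - 1]
        return bool(host) and "." not in host

    def _expire(self) -> None:
        now = self.clock()
        for ip in [ip for ip, exp in self.resolved.items() if exp <= now]:
            del self.resolved[ip]                  # TTL elapsed: stale entry

    def learn(self, dns_server: str, name: str, ips: Iterable[str], ttl: int) -> int:
        """Glean a DNS response seen traversing the firewall. Responses from
        unsanctioned servers are ignored so a rogue resolver cannot poison the
        AO; returns how many new addresses were added."""
        if dns_server not in self.sanctioned or not self.in_context(name):
            return 0
        self._expire()
        expiry, added = self.clock() + ttl, 0
        for ip in ips:
            if ip not in self.resolved:
                if len(self.resolved) >= MAX_ENTRIES:
                    break                          # per-AO cap reached
                added += 1
            self.resolved[ip] = expiry             # refresh TTL when seen again
        return added

    def contains(self, ip: str) -> bool:
        """Membership as an Access Rule would see it, after TTL expiry."""
        self._expire()
        return ip in self.resolved

    def purge(self) -> None:
        """Manual Purge: drop all learned values until they are resolved again."""
        self.resolved.clear()
```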

Enforcing the Use of Sanctioned Servers on the Network

Although not a requirement, it is recommended to enforce the use of authorized or sanctioned servers on the network. This practice can help to reduce illicit network activity, and also serves to ensure the reliability of the FQDN wild card resolution process. In general, it is good practice to define the endpoints of known protocol communications when possible. For example:

• Create Address Object Groups of sanctioned servers (for example, SMTP, DNS).

• Create Access Rules in the relevant zones allowing only authorized SMTP servers on your network to communicate outbound SMTP; block all other outbound SMTP traffic to prevent intentional or unintentional outbound spamming.

• Create Access Rules in the relevant zones allowing authorized DNS servers on your network to communicate with all destination hosts using DNS protocols (TCP/UDP 53). IMPORTANT: Be sure to have this rule in place if you have DNS servers on your network, and you are configuring the restrictive DNS rule that follows.

• Create Access Rules in the relevant zones allowing Firewalled Hosts to only communicate DNS (TCP/UDP 53) with sanctioned DNS servers; block all other DNS access to prevent communications with unauthorized DNS servers.

• Unsanctioned access attempts are then viewable in the logs.
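The Address Object types described at the start of this section (Host, Range, Network, Group) and the three DNS rules just listed, modelled in Python as an added example that is not GMS or SonicOS code; top-down first-match evaluation, the implicit deny, the 10.50.165.0/24 LAN subnet and the resolver addresses used in the checks are assumptions or constructed values, while the two DNS server addresses are taken from this document.

```python
# Model of the Address Object types described above (Host, Range, Network,
# Group) and of the sanctioned-DNS Access Rules from "Enforcing the Use of
# Sanctioned Servers on the Network". Added example, not GMS or SonicOS code.
# Assumptions: rules are evaluated top-down and the first match wins, anything
# unmatched is denied; 10.50.165.0/24 as the LAN subnet is a constructed value.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import FrozenSet, List, Sequence, Tuple


class AddressObject:
    """Base type: every AO answers whether it contains an IPv4 address."""
    def __init__(self, name: str, zone: str = "") -> None:
        self.name, self.zone = name, zone

    def contains(self, ip: str) -> bool:
        raise NotImplementedError


class Host(AddressObject):
    """Single host; the netmask is implicitly 32 bits (255.255.255.255)."""
    def __init__(self, name: str, ip: str, zone: str = "") -> None:
        super().__init__(name, zone)
        self.net = IPv4Network(f"{ip}/32")

    def contains(self, ip: str) -> bool:
        return ip_address(ip) in self.net


class Range(AddressObject):
    """Contiguous start..end, inclusive; no netmask, each member is a /32."""
    def __init__(self, name: str, start: str, end: str, zone: str = "") -> None:
        super().__init__(name, zone)
        self.start, self.end = IPv4Address(start), IPv4Address(end)
        if self.end < self.start:
            raise ValueError("range end precedes range start")

    def __len__(self) -> int:
        return int(self.end) - int(self.start) + 1

    def contains(self, ip: str) -> bool:
        return self.start <= ip_address(ip) <= self.end


class Network(AddressObject):
    """Network address plus netmask; strict=True rejects a non-zero host part."""
    def __init__(self, name: str, address: str, netmask: str, zone: str = "") -> None:
        super().__init__(name, zone)
        self.net = IPv4Network(f"{address}/{netmask}", strict=True)

    def contains(self, ip: str) -> bool:
        return ip_address(ip) in self.net

    def assignable_hosts(self) -> List[IPv4Address]:
        # hosts() omits the network and broadcast addresses, which cannot be
        # assigned to a host
        return list(self.net.hosts())


class Group(AddressObject):
    """Any assortment of AOs, including other Groups."""
    def __init__(self, name: str, members: Sequence[AddressObject] = ()) -> None:
        super().__init__(name)
        self.members = list(members)

    def contains(self, ip: str) -> bool:
        return any(m.contains(ip) for m in self.members)


ANY = Network("Any", "0.0.0.0", "0.0.0.0")
DNS_PORTS: FrozenSet[int] = frozenset({53})   # DNS over TCP/UDP 53


@dataclass(frozen=True)
class Rule:
    name: str
    source: AddressObject
    destination: AddressObject
    ports: FrozenSet[int]   # destination ports; empty means any service
    action: str             # "allow" or "deny"


def evaluate(rules: Sequence[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches the flow."""
    for r in rules:
        if (r.source.contains(src) and r.destination.contains(dst)
                and (not r.ports or dport in r.ports)):
            return r.action, r.name
    return "deny", "default"   # implicit deny (assumption); would be logged


# Sanctioned DNS servers (both addresses are taken from this document)
SANCTIONED_DNS = Group("Sanctioned DNS Servers", [
    Host("Internal DNS 1", "10.50.165.3", "LAN"),
    Host("Internal DNS 2", "10.50.128.53", "LAN"),
])
LAN_SUBNETS = Network("LAN Subnets", "10.50.165.0", "255.255.255.0", "LAN")

# The DNS rules listed above, in evaluation order: the servers' own outbound
# rule must come before the restrictive rule for firewalled hosts.
DNS_RULES = [
    Rule("Sanctioned DNS outbound", SANCTIONED_DNS, ANY, DNS_PORTS, "allow"),
    Rule("Hosts to sanctioned DNS", LAN_SUBNETS, SANCTIONED_DNS, DNS_PORTS, "allow"),
    Rule("Block other DNS", LAN_SUBNETS, ANY, DNS_PORTS, "deny"),
]
```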

Using MAC and FQDN Dynamic Address Objects

MAC and FQDN DAOs provide extensive Access Rule construction flexibility. MAC and FQDN AOs are configured in the same fashion as static Address Objects, that is, from the Firewall > Address Objects page. After creation, their status can be viewed by hovering the mouse over their entries, and log events record their addition and deletion. Dynamic Address Objects lend themselves to many applications. The following are just a few examples of how they can be used.

Topics:
• Blocking All Protocol Access to a Domain using FQDN DAOs
• Using an Internal DNS Server for FQDN-based Access Rules
• Controlling a Dynamic Host’s Network Access by MAC Address
• Bandwidth Managing Access to an Entire Domain

Blocking All Protocol Access to a Domain using FQDN DAOs

There might be instances where you wish to block all protocol access to a particular destination IP because of non-standard ports of operation, unknown protocol use, or intentional traffic obscuration through encryption, tunneling, or both. An example would be a user who has set up an HTTPS proxy server (or other method of port-forwarding/tunneling on trusted ports like 53, 80, and 443, as well as nonstandard ports, like 5734, 23221, and 63466) on his DSL or cable modem home network for the purpose of obscuring his traffic by tunneling it through his home network. The lack of port predictability is usually further complicated by the dynamic addressing of these networks, making the IP address equally unpredictable. Because these scenarios generally employ dynamic DNS (DDNS) registrations for the purpose of allowing users to locate the home network, FQDN AOs can be put to aggressive use to block access to all hosts within a DDNS registrar.

NOTE: A DDNS target is used in this example for illustration. Non-DDNS target domains can be used just as well.

Assumptions

• The firewall is configured to use DNS servers 10.50.165.3 and 10.50.128.53.

• The firewall is providing DHCP leases to all firewalled users. All hosts on the network use the previously configured DNS servers for resolution.

• DNS communications to unsanctioned DNS servers optionally can be blocked with Access Rules, as described in Enforcing the Use of Sanctioned Servers on the Network.

• The DSL home user is registering the hostname moosifer.dyndns.org with the DDNS provider DynDNS. For this session, the ISP assigned the DSL connection the address 71.35.249.153.

• A wild card FQDN AO is used for illustration because other host names could easily be registered for the same IP address. Entries for other DDNS providers could also be added, as needed.

Step 1 – Create the FQDN Address Object

• From Firewall > Address Objects, select Add New Address Object and create the following Address Object:

• When first created, this entry resolves only to the address for dyndns.org, for example, 63.208.196.110.

Step 2 – Create the Firewall Access Rule

• From the Firewall > Access Rules page, LAN->WAN zone intersection, Add (+) an Access Rule by clicking through and filling in the following information on the views.

NOTE: Rather than specifying LAN Subnets as the source, a more specific source could be specified, as appropriate, so that only certain hosts are denied access to the targets.

• When a host behind the firewall attempts to resolve moosifer.dyndns.org using a sanctioned DNS server, the IP address(es) returned in the query response are dynamically added to the FQDN AO.

• Any protocol access to target hosts within that FQDN is blocked, and the access attempt is logged.

Using an Internal DNS Server for FQDN-based Access Rules

It is common for dynamically configured (DHCP) network environments to work in combination with internal DNS servers for the purposes of dynamically registering internal hosts – a common example of this is Microsoft’s DHCP and DNS services. Hosts on such networks can easily be configured to dynamically update DNS records on an appropriately configured DNS server (for example, see the Microsoft Knowledgebase article How to configure DNS dynamic updates in Windows Server 2003 at http://support.microsoft.com/kb/816592/en-us). The following illustrates a packet dissection of a typical DNS dynamic update process, showing the dynamically configured host 10.50.165.249 registering its full hostname bohuymuth.moosifer.com with the (DHCP provided) DNS server 10.50.165.3:

In such environments, it could prove useful to employ FQDN AOs to control access by hostname. This would be most applicable in networks where host names are known, such as where hostname lists are maintained, or where a predictable naming convention is used.

Controlling a Dynamic Host’s Network Access by MAC Address

Because DHCP is far more common than static addressing in most networks, it is sometimes difficult to predict the IP address of dynamically configured hosts, particularly in the absence of dynamic DNS updates or reliable host names. In these situations, it is possible to use MAC Address Objects to control a host’s access by its relatively immutable MAC (hardware) address. Like most other methods of access control, this can be employed either inclusively, for example, to deny access to/for a specific host or group of hosts, or exclusively, where only a specific host or group of hosts are granted access and all others are denied. In this example, the latter is illustrated. Assume you have a set of DHCP-enabled wireless clients running a proprietary operating system that precludes any type of user-level authentication, and that you want to allow these clients to access only an application-specific server (for example, 10.50.165.2) on your LAN. The WLAN segment is using WPA-PSK for security, and this set of clients should only have access to the 10.50.165.2 server, but to no other LAN resources. All other wireless clients should not be able to access the 10.50.165.2 server, but should have unrestricted access everywhere else.

Step 1 – Create the MAC Address Objects

To create the MAC Address Object:
1 From Firewall > Address Objects, select Add New Address Object and create the following Address Objects (Multi-homing optional, as needed).

2 After creation, if the hosts are present in the firewall’s ARP cache, they are resolved immediately; otherwise they appear in an unresolved state in the Address Objects table until they are activated and are discovered through ARP.

3 Create an Address Object Group comprising the Hand-held devices.

Step 2 – Create the Firewall Access Rules

To create the firewall Access Rules:
1 To create access rules, navigate to the Firewall > Access Rules page:
  a Click All Rules.
  b Scroll to the bottom of the page.
  c Click Add rule (+).
2 Create the following four access rules:

Sample Access Rules

Setting        Access Rule 1        Access Rule 2        Access Rule 3        Access Rule 4
From Zone      WLAN                 WLAN                 WLAN                 WLAN
To Zone        LAN                  LAN                  LAN                  LAN
Service        Management Services  Management Services  Any                  Any
Source         Hand-held Devices    Any                  Hand-held Devices    Any
Destination    10.50.165.3          10.50.165.3          Any                  Any
Users allowed  All                  All                  All                  All
Schedule       Always on            Always on            Always on            Always on

NOTE: The Management Services service is used to represent the specific application used by the hand-held devices. The declaration of a specific service is optional, as needed.

Bandwidth Managing Access to an Entire Domain

Streaming media is one of the most profligate consumers of network bandwidth. But trying to control access, or manage bandwidth allotted to these sites, is difficult because most sites that serve streaming media tend to do so off large server farms. Moreover, these sites frequently re-encode the media and deliver it over HTTP, making it even more difficult to classify and isolate. Manual management of lists of servers is a difficult task, but wild card FQDN Address Objects can be used to simplify this effort.

Step 1 – Create the FQDN Address Object

To create the FQDN Address Object:
1 Navigate to Firewall > Address Objects.
2 Click Add New Address Object.
3 Create the Address Object.

Upon initial creation, youtube.com resolves to IP addresses 208.65.153.240, 208.65.153.241, 208.65.153.242, but after an internal host begins to resolve hosts for all of the elements within the youtube.com domain, the learned host entries are added, such as the entry for the v87.youtube.com server (208.65.154.84).

Creating Address Objects

The Firewall > Address Objects page allows you to create address objects. You can create various kinds of address objects, including Host, Range, and Network. For a SonicWall appliance running the GMS, you can create Fully Qualified Domain Name (FQDN) or MAC dynamic address objects. The FQDN and MAC address objects are available in the Address Objects drop-down menus in a number of other configuration screens, including Zones, SonicPoints, and Access Rules. These dynamic address objects are resolved to an IP address when used, either by the ARP cache or the DNS server of the GMS.

To create an address object, complete the following steps:
1 Scroll to the bottom of the Address Objects page and click Add New Address Object.

2 Enter a name for the Address Object in the Name field.
3 Select the zone to which this Address Object is assigned from the Zone Assignment list box.
4 Select from the following:
• To specify an individual IP address, select Host from the Type drop-down menu and enter the IP address.
• To specify an IP address range, select Range from the Type drop-down menu and enter the starting and ending IP addresses.
• To specify a network, select Network from the Type drop-down menu and enter the IP address and subnet mask.
• To specify a MAC address, select MAC from the Type drop-down menu and enter the MAC address.
• To specify a FQDN, select FQDN from the Type drop-down menu and enter the host name.

NOTE: IPv6 addresses can be entered for Firewalls that support IPv6.

5 When you are finished, click Update.
6 Repeat this procedure for each Address Object to add.

Modifying Network Address Groups or Objects

To modify a network address group or object, complete the following steps:
1 Go to the Firewall > Address Objects page.

2 Click the Edit icon next to the selected address group or object.
3 Modify the settings and click Update.

Deleting Network Address Group or Objects

The GMS allows you to delete a single address group or object, as well as select multiple objects at a time.

To delete network address group objects, complete the following steps:
1 Go to the Firewall > Address Objects page.
2 Click the Trash can icon of the selected custom address group or object.
3 A confirmation message appears. Click OK.
4 You can also select one or multiple Address Group or Address Object checkboxes, or select all (custom) groups or objects checkboxes by clicking the top checkbox in the leftmost column heading, and click Delete Group(s) or Delete Address Object(s).


Configuring Match Objects

This section describes match objects and includes procedures for searching match objects and for adding, editing, or deleting a match object on the Firewall > Match Objects page. A limited number of match objects are allowed, depending on the appliance model.

Topics:
• Searching Match Objects
• Adding or Editing Match Objects
• Adding Application List Objects
• Sorting Match Objects
• Deleting Match Objects
• Match Object Type Reference

Match objects represent the set of conditions that must be matched in order for actions to take place. This includes the object type, the match type (exact, partial, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Hexadecimal input representation is used to match binary content such as executable files, while text input representation is used to match things like file or email content. You can also use hexadecimal input representation for binary content found in a graphic image. Text input representation could be used to match the same graphic if it contains a certain string in one of its properties fields. The maximum size for a match object is 8192 (8K) bytes. You can use a proxy server for this functionality. The File Content match object type provides a way to match a pattern or keyword within a compressed (zip/gzip) file. This type of match object can only be used with FTP Data Transfer, HTTP Server, or SMTP Client policies.

NOTE: The Firewall > Match Objects page might not contain values in all columns for some types of match objects, when those fields are not applicable to those particular match object types.

Searching Match Objects

You can search the list of match objects.

To complete a filtered search of match objects:
1 Navigate to the Firewall > Match Objects page, and enter one of the following search terms in the first Search field:
• Name – the full or partial name of the match object.
• Object Type – the object type of the match object; see Match Object Types for the list of match object types.
• Match Type – the match type used in the match object, one of Exact, Partial, Prefix, or Suffix.
2 Click Search to search your objects for one or more matches. Click Clear to set the search fields back to defaults. The Match Objects list changes to display only the match objects found by your search.

Adding or Editing Match Objects

To configure a match object, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Match Objects page.

3 To edit an existing match object, click the pencil icon under Configure for it. To add a new match object, click Add Match Object. The Match Object Settings window displays.

4 In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object.
5 Select a Match Object Type from the drop-down menu. Your selection here affects available options in this screen. See Match Object Types for a description of Match Object Types.
6 Select a Match Type from the drop-down menu. The available selections depend on the Match Object Type.
7 See the Extra Properties column in Match Object Types for a description of the additional fields and options that might appear on the page for different Match Object Types. Select the desired values for any additional fields or options.
8 For the Input Representation, click Alphanumeric to match a text pattern, or click Hexadecimal if you want to match binary content. You can use a hex editor or a network protocol analyzer like Wireshark to obtain hex format for binary files.
9 Enable Negative Matching might be available, depending on the Match Type. Select the checkbox to match anything except the pattern in the Content text box. See Negative Matching for more information about using this option.
10 In the Content text box, type the pattern to match, and then click Add. The content appears in the List text box. Repeat to add another element to match. You can add multiple entries to create a list of content elements to match. All content that you provide in a match object is case-insensitive for matching purposes. List entries are matched using the logical OR, so if any item in the list is matched, the action for the policy is executed.
11 Alternatively, you can click Load From File to import a list of elements from a text file. Each element in the file must be on a line by itself. The maximum file size is limited to 8192 bytes.
12 To remove an element from the list, select the element in the List box and then click Remove. To remove all elements, click Remove All.
13 Click OK. The Modify Task Description and Schedule window displays.

14 A description is automatically added in the Description field. Optionally change the description.
15 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Create the object immediately.
• At – Select the exact time to activate this object using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
16 Click Accept to save the match object with this schedule. Click Cancel to exit without saving the match object. At the unit level, you might need to refresh the Firewall > Match Objects page to see your new match object in the list.

Negative Matching

Negative matching provides an alternate way to specify which content to block. You can enable negative matching in a match object when you want to block everything except a particular type of content. When you use the object in a policy, the policy executes actions based on absence of the content specified in the match object. Multiple list entries in a negative matching object are matched using the logical AND, meaning that the policy action is executed only when all specified negative matching entries are matched. Although all App Rules policies are DENY policies, you can simulate an ALLOW policy by using negative matching. For instance, you can allow email .TXT attachments and block attachments of all other file types. Or you can allow a few types, and block all others.

Not all match object types can utilize negative matching. For those that can, you see Enable Negative Matching on the Match Object Settings screen.
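The OR versus AND evaluation described above, together with the match types, input representations, case-insensitivity and 8192-byte limit from the Adding or Editing Match Objects steps, as an added Python example that is not SonicOS or GMS code; the class and function names, the attachment names, and applying case folding to alphanumeric content only are assumptions.

```python
# Model of how a match object's content list is evaluated, as described in the
# match object steps and under "Negative Matching" above: Exact, Partial,
# Prefix and Suffix match types, alphanumeric or hexadecimal input,
# case-insensitive matching, list entries OR-ed for a normal object and AND-ed
# (every entry must be absent) for a negative one. Added example, not SonicOS
# or GMS code; names are assumptions, sample attachment names are constructed,
# and case folding of alphanumeric content only is an assumption.
from dataclasses import dataclass
from typing import List

MAX_CONTENT_BYTES = 8192        # per-object size limit stated above
MATCH_TYPES = ("exact", "partial", "prefix", "suffix")


@dataclass
class MatchObject:
    name: str
    match_type: str             # one of MATCH_TYPES
    content: List[str]          # text, or hex digits when hexadecimal=True
    negative: bool = False      # "Enable Negative Matching"
    hexadecimal: bool = False   # Input Representation: Hexadecimal

    def __post_init__(self) -> None:
        if self.match_type not in MATCH_TYPES:
            raise ValueError(f"unknown match type {self.match_type!r}")
        if sum(len(e) for e in self.encoded_entries()) > MAX_CONTENT_BYTES:
            raise ValueError("match object content exceeds 8192 bytes")

    def encoded_entries(self) -> List[bytes]:
        """Turn the List box entries into the bytes actually compared."""
        if self.hexadecimal:
            return [bytes.fromhex(e) for e in self.content]
        return [e.lower().encode() for e in self.content]


def entry_hit(data: bytes, entry: bytes, match_type: str) -> bool:
    """Does one list entry match the data under the object's match type?"""
    if match_type == "exact":
        return data == entry
    if match_type == "prefix":
        return data.startswith(entry)
    if match_type == "suffix":
        return data.endswith(entry)
    return entry in data        # partial


def fires(obj: MatchObject, data: bytes) -> bool:
    """True when the policy action should execute for this data."""
    if not obj.hexadecimal:
        data = data.lower()     # matching is case-insensitive
    hits = [entry_hit(data, e, obj.match_type) for e in obj.encoded_entries()]
    if obj.negative:
        # logical AND: the action runs only if every negative entry is absent
        return not any(hits)
    return any(hits)            # logical OR: any matched entry is enough


def load_list(text: str) -> List[str]:
    """Load From File: one element per line, file limited to 8192 bytes."""
    if len(text.encode()) > MAX_CONTENT_BYTES:
        raise ValueError("file exceeds 8192 bytes")
    return [line.strip() for line in text.splitlines() if line.strip()]


# Simulated ALLOW policy: deny every attachment whose name does not end in .txt
TXT_ONLY = MatchObject("Allow only TXT", "suffix", [".txt"], negative=True)
# Normal OR-ed keyword list over file or email content
KEYWORDS = MatchObject("Sensitive words", "partial", ["confidential", "secret"])
# Hexadecimal prefix match on binary content (the 'MZ' header of a PE file)
MZ_HEADER = MatchObject("PE executable", "prefix", ["4d5a"], hexadecimal=True)
```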

Adding Application List Objects

The Firewall > Match Objects page also contains Add Application List Object, which opens the Add Application List Object screen. This screen provides another interface for creating an application list object and an application category list object, both of which are specific types of match objects. Two tabs are available:

• Application – You can create an application list object on this tab. This screen allows selection of the application category, threat level, and type of technology. After selections are made, the list of applications matching those criteria is displayed, and you can select one or more for the object.

• Category – You can create a category list object on this tab. A list of application categories and their descriptions are provided.

Application View

The Application tab provides a list of applications for selection. Each application includes one or more signatures. You can control which applications are displayed by selecting one or more application categories, threat levels, and technologies. To select all application categories, threat levels, and technologies, click the green check mark below the Search button near the top right of the display. To search for a keyword in all application names and signatures, type it into the Search field and click Search. For example, type “bittorrent” into the Search field and click Search to find multiple applications with “bittorrent” (not case-sensitive) in the application name or in the name of a signature under the application. To display the signatures included by an application, click the arrow next to the application name to expand the details for it.

When the application list is reduced to a list that is focused on your preferences, you can select the individual applications for your filter by clicking the Plus icon next to them, and then save your selections as an application filter object with a custom name or an automatically generated name.

To configure an application list object:
1 On the Firewall > Match Objects page, click Add Application List Object. The Add Application List Object screen displays.
2 In the Application view, to name this object, clear Auto-generate match object name and then type a name for the object in the Match Object Name field. To use automatic naming, leave the field blank and leave Auto-generate match object name selected.
3 Clear specific category checkboxes or clear Category to clear all category checkboxes, then select the checkboxes for the desired categories. Use the scroll bar in this section to view the entire category list. The list of applications in the lower panel changes as you clear and select categories.
4 Clear specific threat level checkboxes or clear Threat Level to clear all threat level checkboxes, then select the checkboxes for the desired threat levels. The list of applications in the lower panel changes as you clear and select threat levels.
5 Clear specific technology checkboxes or clear Technology to clear all technology checkboxes, then select the checkboxes for the desired technologies. The list of applications in the lower panel changes as you clear and select technologies.
6 In the application list, click the Plus to select the desired applications for your object. The Plus changes to a green check mark, and the application is added to the Application Group field on the right.

You can edit the list in this field by deleting individual items or by clicking the red X at the top to delete all items.
7 Click OK. The Modify Task Description and Schedule window displays.
8 A description is automatically added in the Description field. Optionally change the description.
9 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Create the object immediately.
• At – Select the exact time to activate this object using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
10 Click Accept to save the match object with this schedule. Click Cancel to exit without saving the match object. You see the object name listed on the Firewall > Match Objects page with an object type of Application List. This object can then be selected when creating an App Rules policy. Match Objects created using the Auto-generate match object name option display a tilde (~) as the first character of the object name.

Category View
The Category tab provides a list of application categories for selection. You can select any combination of categories and then save your selections as an application category list object with a custom or automatic name. By hovering your mouse pointer over a category in the list, you can see a description of it.

To configure an application category list object:
1 On the Firewall > Match Objects page, click Add Application List Object. The Add Application List Object screen displays.
2 Click the Category view.
3 To name this object, clear Auto-generate match object name and then type a name for the object in the Match Object Name field. To use automatic naming, leave the field blank and leave Auto-generate match object name selected.
4 Clear specific category checkboxes or clear Category to clear all category checkboxes, then select the checkboxes for the desired categories. Use the scrollbar in this section to view the entire category list.
5 Click OK. The Modify Task Description and Schedule window displays.
6 A description is automatically added in the Description field. Optionally change the description.
7 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Create the object immediately.
• At – Select the exact time to activate this object using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
8 Click Accept to save the match object with this schedule. Click Cancel to exit without saving the match object.
You see the object name listed on the Firewall > Match Objects page with an object type of Application Category List. This object can then be selected when creating an App Rules policy. Match Objects created using the Auto-generate match object name option display a tilde (~) as the first character of the object name.

Sorting Match Objects
You can sort the list of match objects by clicking on the Name column heading. The first time you click the heading, the match objects list is sorted in descending alphabetical order from top to bottom, according to the first letter or symbol of the items in that column. A small upward-pointing arrow is displayed next to the Name heading, indicating that, if the heading is clicked again, it causes the list to be sorted in ascending order by name (Z to A). Names beginning with a symbol or number come before names beginning with any alphabetical character. In descending order, automatically created objects beginning with tilde (~) are displayed before objects beginning with any alphabetical character. The same holds true if you use a symbol or number as the first letter when naming an object.

Deleting Match Objects
Match objects can be deleted unless they are in use by an App Rules policy.

To delete one or more match objects, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Match Objects page.
3 Do one of the following:
• To delete one or more match objects, select the checkboxes for the ones to delete and click Delete Match Object(s).
• To delete a single match object, click the trash can icon under Configure for it, and then click OK in the confirmation dialog.
If any of the selected objects is currently in use by an App Rules policy, a pop-up message notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were selected for deletion and one of them is in use by a policy, none are deleted when Delete Match Object(s) is clicked.
4 In the confirmation dialog box, click OK.
5 In the Modify Task Description and Schedule window, select the Schedule settings for this task and then click Accept.

Match Object Type Reference
The following table describes the supported match object types. For each object type it lists the description, the supported match types, whether negative matching is supported, and any extra properties that must or can be set.

Match Object Types

ActiveX ClassID
  Description: Class ID of an Active-X component. For example, the ClassID of the Gator Active-X component is “c1fb8842-5281-45ce-a271-8fd5f117ba5f”.
  Match Types: Exact. Negative Matching: No. Extra Properties: None.

Application Category List
  Description: Allows specification of application categories, such as Multimedia, P2P, or Social Networking.
  Match Types: N/A. Negative Matching: No. Extra Properties: Application Categories – select the category from a drop-down menu of application categories.

Application List
  Description: Allows specification of individual applications within the application category that you select.
  Match Types: N/A. Negative Matching: No. Extra Properties: Application Categories – see previous; Application – select the specific application from the drop-down menu.

Application Signature List
  Description: Allows specification of individual signatures for the application and category that you select.
  Match Types: N/A. Negative Matching: No. Extra Properties: Application Categories – see previous; Application – see previous; Application Signature – select the specific signature from the drop-down menu.

CFS Allow/Forbidden List
  Description: Allows specification of allowed and forbidden domains for Content Filtering.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: No. Extra Properties: None.

CFS Category List
  Description: Allows selection of one or more Content Filtering categories.
  Match Types: N/A. Negative Matching: No. Extra Properties: A list of 64 categories is provided from which to choose.

Custom Object
  Description: Allows specification of an IPS-style custom set of conditions.
  Match Types: Exact. Negative Matching: No. Extra Properties: There are four additional, optional parameters that can be set: Offset (describes from what byte in the packet payload matching of the pattern should start – starts with 1; helps minimize false positives in matching), Depth (describes at what byte in the packet payload matching of the pattern should stop – starts with 1), Payload Size – Minimum and Maximum size of data in a packet.

Email Body
  Description: Any content in the body of an email.
  Match Types: Partial. Negative Matching: No. Extra Properties: None.

Email CC (MIME Header)
  Description: Any content in the CC MIME Header.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

Email From (MIME Header)
  Description: Any content in the From MIME Header.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

Email Size
  Description: Allows specification of the maximum email size that can be sent.
  Match Types: N/A. Negative Matching: No. Extra Properties: Email Size – the number of bytes in the email.

Email Subject (MIME Header)
  Description: Any content in the Subject MIME Header.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

Email To (MIME Header)
  Description: Any content in the To MIME Header.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

MIME Custom Header
  Description: Allows for creation of MIME custom headers.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: A Custom header name needs to be specified.

File Content
  Description: Allows specification of a pattern to match in the content of a file. The pattern is matched even when the file is compressed.
  Match Types: Partial. Negative Matching: No. Extra Properties: The ‘Disable attachment’ action should never be applied to this object.

Filename
  Description: In cases of email, this is an attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

Filename Extension
  Description: In cases of email, this is an attachment filename extension. In cases of HTTP, this is a filename extension of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename extension of an uploaded or downloaded file.
  Match Types: Exact. Negative Matching: Yes. Extra Properties: None.

FTP Command
  Description: Allows selection of specific FTP commands.
  Match Types: N/A. Negative Matching: No. Extra Properties: Command – the FTP command, such as ABORT, DELETE, GET, PASSWORD, RESTART, QUIT, SIZE. Type HELP for the complete list of commands.

FTP Command + Value
  Description: Allows selection of specific FTP commands and specification of their values.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: Command (see previous); Argument – a value you type in, such as the filename to GET/PUT or the directory name used with MKDIR.

HTTP Cookie Header
  Description: Allows specification of a Cookie sent by a browser.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

HTTP Host Header
  Description: Content found inside of the HTTP Host header. Represents the hostname of the destination server in the HTTP request, such as www.google.com.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

HTTP Referrer Header
  Description: Allows specification of the content of a Referrer header sent by a browser – this can be useful to control or keep statistics of which Web sites redirected a user to the customer’s Web site.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

HTTP Request Custom Header
  Description: Allows handling of custom HTTP Request headers.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: Custom Header Name – Specify a custom header name.

HTTP Response Custom Header
  Description: Allows handling of custom HTTP Response headers.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: Custom Header Name – Specify a custom header name.

HTTP Set Cookie
  Description: Set-Cookie headers. Provides a way to disallow certain cookies from being set in a browser.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

HTTP URI Content
  Description: Any content found inside of the URI in the HTTP request.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: No. Extra Properties: None.

HTTP URL
  Description: Any HTTP URL that needs to be matched.
  Match Types: Partial, Regex, Exact, Prefix, Suffix. Negative Matching: No. Extra Properties: None.

HTTP User-Agent
  Description: Any content inside of a User-Agent header. For example: User-Agent: Skype.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: None.

MIME Custom Header
  Description: Any content inside of a MIME header.
  Match Types: Exact, Partial, Prefix, Suffix. Negative Matching: Yes. Extra Properties: Custom Header Name – Specify the MIME header name to match.

Web Browser
  Description: Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome).
  Match Types: N/A. Negative Matching: Yes. Extra Properties: Browser – Specify the browser type; choose from MSIE, Netscape, Firefox, Safari, Chrome.

IPS Signature Category List
  Description: Allows selection of one or more IPS signature groups. Each group contains multiple predefined IPS signatures.
  Match Types: N/A. Negative Matching: No. Extra Properties: IDP Categories – choose from the drop-down menu of IPS attack categories, including ACTIVEX, EXPLOIT, JAVA, LDAP, MEDIA-PLAYERS, SQL-INJECTION, WEB-ATTACKS, and others.

IPS Signature List
  Description: Allows selection of one or more specific IPS signatures for enhanced granularity.
  Match Types: N/A. Negative Matching: No. Extra Properties: IDP Category – (see previous); IDP Signature – choose signatures from any IDP Category.


Configuring Action Objects

Action Objects define how the App Rules policy reacts to matching events. You can choose a customizable action or select one of the predefined actions. The predefined actions have no configurable settings and are displayed in the Firewall > Action Objects page. A number of BWM (bandwidth management) action options are available in the predefined action list. The BWM action options change depending on the Bandwidth Management Type setting on the Firewall > BWM page. If the Bandwidth Management Type is set to Global, all eight levels of BWM are available. If the Bandwidth Management Type is set to WAN, the predefined actions list includes three levels of WAN BWM. If the Bandwidth Management Type is set to None, the predefined actions list does not include any BWM actions. You can view the settings by mousing over the Content column of a BWM action on the Firewall > Action Objects page. For more information about BWM actions, see Configuring Application Layer Bandwidth Management. Predefined Actions lists the actions available on the Firewall > Action Objects page. If the BWM Type = None, no additional predefined BWM actions are available.

Predefined Actions
Always Available: Block SMTP E-Mail Without Reply, Bypass DPI, CFS Block Page, No Action, Packet Monitor, Reset/Drop
If BWM Type = Global: BWM Global-High, BWM Global-Highest, BWM Global-Low, BWM Global-Lowest, BWM Global-Medium, BWM Global-Medium High, BWM Global-Medium Low, BWM Global-Realtime
If BWM Type = WAN: WAN BWM High, WAN BWM Medium, WAN BWM Low

Topics:
• Searching Action Objects
• Adding or Editing Action Objects
• Configuring Application Layer Bandwidth Management
• Deleting Action Objects
• Action Type Reference

Searching Action Objects
You can search the list of action objects using different filters, each combined with an operator and a target value.

To complete a filtered search of action objects:
1 In the TreeControl, select the unit or group on which to search.
2 Navigate to the Firewall > Action Objects page and enter one of the following search objects in the Search field:
• Name – the full or partial name of the action object
• Action Type – the action type of the action object; see Action Types for the list of action types
3 Click Search to search your policies for one or more matches. Click Clear to set the search fields back to defaults.
The Action Objects list changes to display only the action objects found by your search.

Adding or Editing Action Objects
If you do not want one of the predefined actions, you can add an action object that uses one of the configurable actions. The Action Objects Settings window provides a way to customize a configurable action with text or a URL, or custom bandwidth management settings if BWM Type is set to Advanced on the Firewall Settings > BWM page. The predefined actions plus any configurable actions that you have created are available for selection when you create an App Rules policy. A limited number of action objects are allowed, depending on the appliance model.

To configure an action object, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Action Objects page.
3 To edit an existing action object, click the pencil icon under Configure for it. To add a new action object, click Add. The Action Object Settings window displays.
4 In the Action Name field, type a descriptive name for the action.
5 In the Action drop-down menu, select the action that you want.
6 In the Content text box, type the text or URL to be used in the action.
7 If HTTP Block Page is selected as the action, a Color drop-down menu is displayed. Choose a background color for the block page from the Color drop-down menu. Color choices are white, yellow, red, or blue.
8 Click Preview to see a preliminary rendering.
9 If Bandwidth Management is selected as the action, additional fields are displayed. Bandwidth management has some prerequisites; see Configuring Application Layer Bandwidth Management for configuration information.
10 Click OK. The Modify Task Description and Schedule window displays.
11 A description is automatically added in the Description field. Optionally change the description.
12 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Create the object immediately.
• At – Select the exact time to activate this object using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
13 Click Accept to save the action object with this schedule. Click Cancel to exit without saving the action object.
At the unit level, you might need to refresh the Firewall > Action Objects page to see your new action object in the list.

Configuring Application Layer Bandwidth Management
Application layer bandwidth management (BWM) allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol. Application layer bandwidth management is supported for all Application matches, as well as custom App Rules policies using HTTP client, HTTP Server, Custom, and FTP file transfer types. For details about policy types, see Policy Type Reference.

If the Bandwidth Management Type on the Firewall Settings > BWM page is set to Global, application layer bandwidth management functionality is supported with eight predefined, default BWM priority levels, available for selection on the Firewall > Action Objects page. There is also a customizable Bandwidth Management type action, available when adding a new action object.

NOTE: The maximum number of action objects allowed is the total of 17 default action objects plus the allowed number of custom action objects. Of the default action objects, 14 are Global type default actions and 3 are WAN type default actions.

All application bandwidth management is tied in with global bandwidth management that is configured on the Firewall Settings > BWM page. Two types of bandwidth management are available: WAN and Global. The None option allows you to specify no bandwidth management. When the type is set to WAN, bandwidth management is allowed only on interfaces in the WAN zone. With a type of Global, interfaces in all zones can be configured with bandwidth management. All App Control screens that offer an option for bandwidth management provide a link to the Firewall Settings > BWM page so that you can easily configure global bandwidth management settings for the type and configure the guaranteed and maximum percentages allowed for each priority level.

The Firewall Settings > BWM page is shown in the following figure.

It is a best practice to configure global bandwidth management settings before configuring App Control policies that use BWM. Changing the Bandwidth Management Type on the Firewall Settings > BWM page between Advanced and Global causes BWM to be disabled in all Firewall Access Rules, while default BWM action objects in App Rules policies are converted to correspond to the new bandwidth management type. When you change the Bandwidth Management Type from Global to Advanced, the default BWM actions that are in use in any App Rules policies are automatically converted to WAN BWM Medium, no matter what level they were set to before the change. When you change the Type from Advanced to Global, the default BWM actions are converted to BWM Global-Medium. The firewall does not store your previous action priority levels when you switch the Type back and forth. You can view the conversions on the Firewall > App Rules page.

Custom bandwidth management actions behave differently than the default BWM actions. Custom BWM actions are configured by adding a new action object from the Firewall > Action Objects page and selecting the Bandwidth Management action type. Custom bandwidth management actions and policies using them retain their priority level setting when the Bandwidth Management Type is changed from Global to Advanced, and from Advanced to Global.

When the Bandwidth Management Type is set to Global, the Add/Edit Action Object screen provides the Bandwidth Priority option, but uses the values that are specified in the Priority table on the Firewall Settings > BWM page for Guaranteed Bandwidth and Maximum Bandwidth. The Per Action or Per Policy Bandwidth Aggregation Method options are not available for Action Objects when Bandwidth Management Type is set to Global.

NOTE: All priorities are displayed (Realtime through Lowest), regardless of whether all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled.

If the Bandwidth Management Type is set to Global and you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the level 4 priority (Medium). For a BWM Type of Advanced, the default priority is level 7 (Low).

When the Bandwidth Management Type is set to Advanced, the Add/Edit Action Object screen provides Per Action or Per Policy Bandwidth Aggregation Method options and you can specify values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.

When configuring a Bandwidth Management action, you can select either Per Action or Per Policy. Per Policy means that when you create a limit of 10Mbps in an Action Object, and three different policies use the Action Object, then each policy can consume up to 10Mbps of bandwidth. Per Action means that the three policies combined can only use 10Mbps. When using Per Action, multiple policies are subject to a single aggregate bandwidth management setting when they share the same action. For example, consider the following two App Rules policies:
• One manages the bandwidth for downloading executable files
• Another manages the bandwidth for P2P applications traffic
If these two policies share the same bandwidth management Action (500Kbit/sec max bandwidth):
• Using the Per Action aggregation method, the downloads of executable files and traffic from P2P applications combined cannot exceed 500Kbit/sec.
• Using the Per Policy bandwidth aggregation method, a bandwidth of 500Kbit/sec is allowed for executable file downloads while concurrent P2P traffic is also allowed a bandwidth of 500Kbit/sec.
The predefined BWM High, BWM Medium, and BWM Low actions are all Per Action.

Application layer bandwidth management configuration is handled in the same way as the Ethernet bandwidth management configuration associated with Firewall > Access Rules. Both are tied in with the global bandwidth management settings. However, with App Control you can specify all content types, which you cannot do with access rules. When the Bandwidth Management Type on the Firewall Settings > BWM page is set to Advanced, bandwidth management policies defined with Firewall > Access Rules always have priority over application layer bandwidth management policies. Accordingly, if an access rule bandwidth management policy is applied to a certain connection, then an application layer bandwidth management policy is never applied to that connection. When the Bandwidth Management Type is set to Global, the reverse is true, giving App Control bandwidth management policies priority over Firewall Access Rule bandwidth management policies.
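The Per Action and Per Policy aggregation methods described above, modelled in Python as an added illustration (not SonicWall code and not the appliance's scheduler). The action object names, the offered demand figures, and the use of max-min fair sharing to divide a shared Per Action cap between competing policies are all assumptions of this model.

```python
"""Per Action vs Per Policy bandwidth aggregation, modelled.

Added illustration, not SonicWall code. It models how the Maximum
Bandwidth cap of a custom Bandwidth Management action object applies
when several App Rules policies share that action object:
  - Per Policy: each policy may use the full cap on its own.
  - Per Action: all policies sharing the action are limited to the cap
    combined. How the appliance divides the shared cap between competing
    policies is not documented here; this model assumes max-min fair
    sharing of the action's cap among the policies that have traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BwmAction:
    """A custom Bandwidth Management action object (hypothetical names)."""
    name: str
    max_kbps: int          # Maximum Bandwidth, in Kbps
    aggregation: str       # "per_policy" or "per_action"


@dataclass(frozen=True)
class Policy:
    """An App Rules policy that uses a Bandwidth Management action."""
    name: str
    action: BwmAction


def fair_share(cap_kbps: int, demands: dict[str, int]) -> dict[str, int]:
    """Max-min fair division of cap_kbps among the named demands.

    Demands that fit under an equal share are satisfied in full; the
    bandwidth they leave unused is split among the larger demands.
    """
    alloc: dict[str, int] = {}
    pending = dict(demands)
    remaining = cap_kbps
    while pending:
        share = remaining // len(pending)
        small = {n: d for n, d in pending.items() if d <= share}
        if not small:
            # Everyone still pending wants more than an equal share:
            # split what is left evenly (odd Kbps go to the first names).
            names = sorted(pending)
            base, extra = divmod(remaining, len(names))
            for i, n in enumerate(names):
                alloc[n] = base + (1 if i < extra else 0)
            return alloc
        for n, d in small.items():
            alloc[n] = d
            remaining -= d
            del pending[n]
    return alloc


def allocate(demands: dict[Policy, int]) -> dict[str, int]:
    """Bandwidth (Kbps) each policy may use for its offered demand (Kbps).

    Policies are grouped by the action object they share; the group's
    aggregation method decides whether the cap is per policy or shared.
    """
    by_action: dict[BwmAction, dict[str, int]] = {}
    for policy, demand in demands.items():
        by_action.setdefault(policy.action, {})[policy.name] = demand
    result: dict[str, int] = {}
    for action, members in by_action.items():
        if action.aggregation == "per_policy":
            for name, demand in members.items():
                result[name] = min(demand, action.max_kbps)
        elif action.aggregation == "per_action":
            result.update(fair_share(action.max_kbps, members))
        else:
            raise ValueError(f"unknown aggregation method: {action.aggregation}")
    return result


def page_example(aggregation: str) -> dict[str, int]:
    """The two policies from the text sharing one 500 Kbps action.

    Offered demand (constructed sample values): executable downloads
    want 400 Kbps, P2P traffic wants 800 Kbps.
    """
    action = BwmAction("Cap 500K", max_kbps=500, aggregation=aggregation)
    exe = Policy("Executable downloads", action)
    p2p = Policy("P2P applications", action)
    return allocate({exe: 400, p2p: 800})


if __name__ == "__main__":
    for method in ("per_action", "per_policy"):
        print(method, page_example(method))
    # per_action {'Executable downloads': 250, 'P2P applications': 250}
    # per_policy {'Executable downloads': 400, 'P2P applications': 500}
```

Under Per Action the two policies together never exceed the 500 Kbps cap, while under Per Policy each is capped at 500 Kbps independently, exactly the distinction the text draws.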

Configuring Bandwidth Management Actions
To use application layer bandwidth management, you must first enable bandwidth management on the interface that handles the traffic. After being enabled, you can select Bandwidth Management in the Action drop-down menu when creating an action object. If the global bandwidth management settings have the Bandwidth Management Type set to Advanced on the Firewall Settings > BWM page, then only interfaces in WAN zones can have assigned guaranteed and maximum bandwidth settings and have prioritized traffic. If the Bandwidth Management Type is set to Global, then all zones can have assigned guaranteed and maximum bandwidth settings and have prioritized traffic.
See the following sections for configuration details:
• Configuring Bandwidth Management on an Interface
• Configuring a Bandwidth Management Action

Configuring Bandwidth Management on an Interface

To enable bandwidth management on an interface, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Network > Interfaces page.
3 In the Interface Settings table, click the icon under Edit for the desired interface.
4 In the Edit Interface window, click the Advanced view.
5 Do one or both of the following:
• Under Bandwidth Management, to manage outbound bandwidth, select Enable Interface Egress Bandwidth Limitation, and optionally set the Maximum Interface Egress Bandwidth (Kbps) field to the maximum for the interface. See Maximum Interface Bandwidth Settings.
• Under Bandwidth Management, to manage inbound bandwidth, select Enable Interface Ingress Bandwidth Limitation and optionally set the Maximum Interface Ingress Bandwidth (Kbps) field to the maximum for the interface. See Maximum Interface Bandwidth Settings.

Maximum Interface Bandwidth Settings
Interface Rating: 100 Megabits per second – Max Bandwidth: 100,000 Kilobits/second
Interface Rating: 1 Gigabit per second – Max Bandwidth: 1,000,000 Kilobits/second

6 Click Update.

Configuring a Bandwidth Management Action
After bandwidth management is enabled on the interface, you can configure Bandwidth Management for an action object in App Control.

To configure Bandwidth Management in an action object:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Action Objects page.
3 To edit an existing action object, click the pencil icon under Configure for it. To add a new action object, click Add. The Action Object Settings window displays.
4 In the Action Name field, type a descriptive name for the action. In the Action drop-down menu, select Bandwidth Management.
If the Bandwidth Management Type is set to Advanced on the Firewall Settings > BWM page, the screen displays the following options that are not displayed if Bandwidth Management Type is set to Global:
• Bandwidth Aggregation Method
• Guaranteed Bandwidth
• Maximum Bandwidth
• Bandwidth Priority
• Enable Tracking Bandwidth Usage
When the BWM type is Global, the global values for these options are used for the action. In case of a BWM type of Advanced, the configuration of these options is included in the following steps.
5 In the Bandwidth Aggregation Method drop-down menu, select one of the following:
• Per Policy – When multiple policies are using the same Bandwidth Management action, each policy can consume up to the configured bandwidth even when the policies are active at the same time.
• Per Action – When multiple policies are using the same Bandwidth Management action, the total bandwidth is limited as configured for all policies combined if they are active at the same time.
6 To manage outbound bandwidth, select Enable Egress Bandwidth Management.
7 To specify the Guaranteed Bandwidth, optionally enter a value either as a percentage or as kilobits per second. In the drop-down menu, select either % or Kbps. If you plan to use this custom action for rate limiting rather than guaranteeing bandwidth, you do not need to change the Guaranteed Bandwidth field.
8 To specify the Maximum Bandwidth, optionally enter a value either as a percentage or as kilobits per second. In the drop-down menu, select either % or Kbps. If you plan to use this custom action for guaranteeing bandwidth rather than rate limiting, you do not need to change the Maximum Bandwidth field.
9 For Bandwidth Priority, select a priority level from the drop-down menu, where 0 is the highest and 7 is the lowest.
10 Optionally select Enable Tracking Bandwidth Usage to track the usage. When bandwidth usage tracking is enabled, you can view the usage in the Action Properties tooltip by mousing over the Action of a policy on the Firewall > App Rules page.
11 Click OK. The Modify Task Description and Schedule window displays.
12 A description is automatically added in the Description field. Optionally change the description.
13 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Activate the configuration immediately.
• At – Select the exact time to activate this configuration using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
14 Click Accept to configure bandwidth settings with this schedule. Click Cancel to exit without saving the action object.
You can see the resulting action in the Action Objects screen.

Sorting Action Objects
You can sort the list of action objects by clicking on the Name column heading. The first time you click the heading, the action objects list is sorted in descending alphabetical order from top to bottom, according to the first letter or symbol of the items in that column.
• The list of predefined action objects is sorted separately from the list of custom, configurable action objects. The sorted list of predefined action objects always appears on the first page, followed by the sorted list of configurable action objects.
• A small upward-pointing arrow is displayed next to the Name heading, indicating that, if the heading is clicked again, it causes the predefined and configurable action object lists to be sorted in ascending order by name (Z to A).
• In descending order, names beginning with a symbol or number come before names beginning with any alphabetical character.

Deleting Action Objects
Action objects created from one of the configurable actions can be deleted, unless they are in use by an App Rules policy. The predefined action objects cannot be deleted or edited.

To delete one or more action objects, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Action Objects page.
3 Do one of the following:
• To delete one or more action objects, select the checkboxes for the ones to delete and click Delete. The checkboxes cannot be selected for predefined action objects.
• To delete a single action object, click the trash can icon under Configure for it, and then click OK in the confirmation dialog. The trash can icon is not enabled for predefined action objects.
If any of the selected objects is currently in use by an App Rules policy, a pop-up message notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were selected for deletion and one of them is in use by a policy, none are deleted when Delete is clicked.
4 In the confirmation dialog box, click OK.
5 In the Modify Task Description and Schedule window, select the Schedule settings for this task and then click Accept.

Action Type Reference
The following Action Types table describes the available action types and whether each is predefined or custom. You can view the settings by mousing over the Content column of a BWM action on the Firewall > Action Objects page.

Action Types (each entry gives the action type, whether it is Predefined or Custom, and its description)

BWM Global-Realtime (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of zero.
BWM Global-Highest (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of one.
BWM Global-High (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 30 percent) and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of two.
BWM Global-Medium High (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of three.
BWM Global-Medium (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 50 percent) and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of four.
BWM Global-Medium Low (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of five.
BWM Global-Low (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 20 percent) and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of six.
BWM Global-Lowest (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of seven.
Block SMTP E-Mail Without Reply (Predefined): Blocks SMTP email and does not notify the sender.
Bypass DPI (Predefined): Bypasses the Deep Packet Inspection components IPS, GAV, Anti-Spyware and Application Control. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels, which are never bypassed for Application Control inspection. This action supports proper handling of the FTP data channel. Note that Bypass DPI does not stop filters that are enabled on the Firewall > SSL Control page.
WAN BWM High (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth.
WAN BWM Medium (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth.
WAN BWM Low (Predefined): Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth.
Block SMTP Email - Send Error Reply (Custom): Blocks SMTP email and notifies the sender with a customized error message.
Disable Email Attachment - Add Text (Custom): Disables the attachment inside of an email and adds customized text.
Email - Add Text (Custom): Appends custom text at the end of the email.
FTP Notification Reply (Custom): Sends text back to the client over the FTP control channel without terminating the connection.
HTTP Block Page (Custom): Allows a custom HTTP block page configuration with a choice of colors.
HTTP Redirect (Custom): Provides HTTP Redirect functionality. For example, to redirect people to the Google Web site, the customizable part looks like: http://www.google.com. If an HTTP Redirect is sent from Application Control to a browser that has a form open, the information in the form is lost.
Bandwidth Management (Custom): Allows definition of bandwidth management constraints with the same semantics as an Access Rule BWM policy definition.


Configuring Service Objects

A Service Object is a protocol/port range combination that defines a service. A Service Group is a group of services that, once defined, lets you quickly establish firewall rules without manually configuring each service. By default, a large number of services are predefined. GMS supports paginated navigation and sorting by column header in the Service Objects screen. In any of the tables, you can click the column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.

Topics:
• Adding Service Objects
• Editing Custom Services
• Deleting Custom Services
• Adding Service Groups
• Editing Custom Services Groups
• Deleting Custom Services Groups

Adding Service Objects

To add a service, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance running GMS.
2 Navigate to Firewall > Service Objects.
3 To add a service in the Custom Services section, click Add Service.
4 Enter the name of the service in the Name field.
5 Select the type of protocol from the Protocol drop-down menu.
6 What you enter next depends on your IP protocol selection:
• For Custom IP Type, specify a custom IP protocol type in the Protocol field.
• For TCP and UDP protocols, specify the Port Range.
• For ICMP, IGMP, OSPF, and PIM protocols, select a Sub Type from the Sub Type drop-down menu.
NOTE: PIM subtypes apply to both PIM-SM and PIM-DM, except that the following are for PIM-SM only:
• Type1: Register
• Type2: Register Stop
• Type3: Join/Prune
• Type4: Bootstrap
• Type8: Candidate RP Advertisement
• For the remaining protocols, you do not need to specify anything further.
7 If Enable NDPP Mode was selected on the System > Management page, enter the ICMP code in the Code field.
8 Click Update. The service is added and appears in the Custom Services section.
NOTE: Although most default services cannot be edited or deleted, you can edit or delete custom services by clicking the Edit or Delete icons that correspond to the desired custom service.
9 Click Enable Logging to enable or disable the logging of the service activities.

Editing Custom Services

Click the Edit icon under Configure to edit the service in the Edit Service window that includes the same configuration settings as the Add Service window.

Deleting Custom Services

Click the Trashcan icon to delete an individual custom service. You can delete all custom services by selecting the checkboxes on the left side of the rows under Service Objects, and then clicking Delete Service(s).

Adding Service Groups

A Service Group is a group of services that can be used to quickly apply rules to large numbers of services without individually configuring each service. By default, many Service Groups are predefined.

To add a new Service Group, complete the following steps:
1 To add a service group, navigate to Firewall > Service Objects, click the Service Groups view, and then click Add Group. The Add Service Group dialog box displays.
2 Enter a name for the service group in the Name field.
3 To add a service, select it and click the right arrow button. You can select multiple services using the Shift and Ctrl keys.
4 To remove a service, select it and click the left arrow button.
5 Click OK. The service group is added.
NOTE: Service Groups can be edited or deleted by clicking the Edit or Trashcan icons that correspond to the desired Service Group.

Editing Custom Services Groups

To edit the custom service group:

1 Click the Edit icon under Configure in the Edit Service Group window that includes the same configuration settings as the Add Group window.

Deleting Custom Services Groups

To delete an individual custom service group entry:

1 Click the Trashcan icon.

To delete all individual custom service group entries:
1 Select the checkboxes on the left side of the rows under Service Groups.
2 Click Delete Group(s).
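The Service Object and Service Group definitions in this chapter map naturally onto a small matcher. The following Python is an added illustration, not GMS code: it models a service as a protocol plus a port range (TCP/UDP), an optional sub type (ICMP, IGMP, OSPF, PIM) or a numeric Custom IP Type, and a group as a set of services any one of which may match a flow. The object and group names, ICMP sub type 8 (echo request) and IP protocol 47 (GRE) are constructed sample values, not GMS defaults.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

# A protocol is either a name ("TCP", "UDP", "ICMP", "IGMP", "OSPF", "PIM", ...)
# or, for a Custom IP Type service, the numeric IP protocol type (e.g. 47 for GRE).
Proto = Union[str, int]


@dataclass(frozen=True)
class ServiceObject:
    """Constructed model of a GMS Service Object: a protocol plus, for TCP/UDP,
    an inclusive port range, or, for ICMP/IGMP/OSPF/PIM, an optional sub type."""
    name: str
    protocol: Proto
    port_range: Optional[Tuple[int, int]] = None
    sub_type: Optional[int] = None

    def __post_init__(self):
        if self.protocol in ("TCP", "UDP"):
            if self.port_range is None:
                raise ValueError(f"{self.name}: TCP/UDP service needs a port range")
            low, high = self.port_range
            if not 0 <= low <= high <= 65535:
                raise ValueError(f"{self.name}: bad port range {self.port_range}")
        elif isinstance(self.protocol, int) and not 0 <= self.protocol <= 255:
            raise ValueError(f"{self.name}: IP protocol type must be 0..255")

    def matches(self, protocol: Proto, port: Optional[int] = None,
                sub_type: Optional[int] = None) -> bool:
        if protocol != self.protocol:
            return False
        if self.protocol in ("TCP", "UDP"):
            low, high = self.port_range
            return port is not None and low <= port <= high
        if self.protocol in ("ICMP", "IGMP", "OSPF", "PIM"):
            # A service defined without a sub type matches every sub type of that protocol.
            return self.sub_type is None or sub_type == self.sub_type
        return True  # the remaining protocols need nothing further (step 6 above)


@dataclass
class ServiceGroup:
    """A Service Group: the group matches when any member service matches."""
    name: str
    members: List[ServiceObject] = field(default_factory=list)

    def matches(self, protocol: Proto, port: Optional[int] = None,
                sub_type: Optional[int] = None) -> bool:
        return any(m.matches(protocol, port, sub_type) for m in self.members)


# Constructed sample objects and group (hypothetical names, not GMS defaults).
HTTP = ServiceObject("HTTP", "TCP", (80, 80))
HTTPS = ServiceObject("HTTPS", "TCP", (443, 443))
DNS_UDP = ServiceObject("DNS (UDP)", "UDP", (53, 53))
PING = ServiceObject("Ping", "ICMP", sub_type=8)      # ICMP echo request
GRE = ServiceObject("GRE", 47)                        # Custom IP Type 47

ALLOWED_OUT = ServiceGroup("Allowed-Out", [HTTP, HTTPS, DNS_UDP, PING])


def group_allows(group: ServiceGroup, protocol: Proto, port: Optional[int] = None,
                 sub_type: Optional[int] = None) -> bool:
    """Would a rule built on `group` match a flow with these properties?"""
    return group.matches(protocol, port, sub_type)


if __name__ == "__main__":
    for flow in [("TCP", 443, None), ("UDP", 443, None), ("ICMP", None, 8), (47, None, None)]:
        print(flow, "->", group_allows(ALLOWED_OUT, *flow))
```

The port-range check in `__post_init__` is the kind of validation the Add Service dialog performs on the Port Range field; an object whose range is inverted or outside 0..65535 is rejected before it can reach a rule.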


Configuring Bandwidth Objects

NOTE: CFS Action Bandwidth Objects created on the Firewall > Content Filter Objects page are similar to, but not the same as, bandwidth objects. CFS Action BWM objects do not appear on the Firewall > Bandwidth Objects page, and BWM bandwidth objects do not appear on the Firewall > Content Filter Objects page.

Bandwidth management configuration is based on policies that specify bandwidth limitations for traffic classes. A complete bandwidth management policy consists of two parts: a classifier and a bandwidth rule. A bandwidth rule specifies the actual parameters, such as priority, guaranteed bandwidth, and maximum bandwidth, and is configured in a bandwidth object. Classifiers identify and organize packets into traffic classes by matching specific criteria. For information on using Bandwidth Objects in Access Rules, App Rules, and Action Objects, see Firewall Settings > BWM.

The following configuration options are available in the Bandwidth Objects list:
• Select bandwidth objects using the checkboxes next to the name of the objects. You can also select all objects by clicking the checkbox in the header.
• Edit a bandwidth object by clicking the Edit icon for that object.
• Delete a bandwidth object by clicking Delete for that object. You can also select multiple objects, then click Delete Bandwidth Object(s).
• Hover the pointer over the Comment icon to display comments about the bandwidth object.

Topics:
• Search for Bandwidth Objects
• Adding Bandwidth Objects

Search for Bandwidth Objects

1 Navigate to the Firewall > Bandwidth Objects page.
2 Enter the search criteria in the text field, and then click Search.

Adding Bandwidth Objects

1 Navigate to the Firewall > Bandwidth Objects page.
2 Click the Add link.
3 In the General view, enter a name for the new bandwidth object.
4 In the Guaranteed Bandwidth box, enter the amount of bandwidth that this bandwidth object guarantees to provide for a traffic class (in kbps or Mbps).
5 In the Maximum Bandwidth box, enter the maximum amount of bandwidth that this bandwidth object provides for a traffic class (in kbps or Mbps). The actual allocated bandwidth might be less than this value when multiple traffic classes compete for shared bandwidth.
6 In the Traffic Priority box, enter the priority that this bandwidth object provides for a traffic class. The highest priority is 0 Realtime. The lowest priority is 7. When multiple traffic classes compete for shared bandwidth, classes with the highest priority are given precedence.
7 In the Violation Action box, enter the action that this bandwidth object takes (Delay or Drop) when traffic exceeds the maximum bandwidth setting.
• Delay specifies that excess traffic packets are queued and sent when possible.
• Drop specifies that excess traffic packets are dropped immediately.
8 In the Comment box, enter a text comment or description for this bandwidth object.
9 Click the Elemental view.
10 To apply the bandwidth management setting to each individual IP address under its parent rule, click Enable Per-IP Bandwidth Management.
11 With the Per IP option selected, you can enter the desired Maximum Bandwidth in Kbps or Mbps.
12 Click Update.
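To make the interaction of Guaranteed Bandwidth, Maximum Bandwidth, Traffic Priority and Violation Action concrete, here is an added Python model; it is not GMS or SonicOS code. The allocation order it uses (guarantees first, then the rest of the link handed out in priority order up to each class's maximum, then Delay or Drop applied to the excess) is an assumption consistent with the descriptions in the steps above, not a specification of the firewall scheduler. The link rate, class names and demands are constructed, and 1 Mbps is taken as 1000 kbps.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


def parse_bandwidth(text: str) -> int:
    """Convert a bandwidth entry as typed on the page ("512 kbps", "2 Mbps") to kbps.
    Assumption: 1 Mbps = 1000 kbps, the usual link-rate convention."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(kbps|mbps)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised bandwidth: {text!r}")
    value, unit = float(m.group(1)), m.group(2).lower()
    return int(value * (1000 if unit == "mbps" else 1))


@dataclass(frozen=True)
class BandwidthObject:
    """Constructed model of the General view of a bandwidth object."""
    name: str
    guaranteed_kbps: int
    maximum_kbps: int
    priority: int           # 0 = Realtime (highest) ... 7 (lowest)
    violation_action: str   # "Delay" (queue the excess) or "Drop" (discard it)

    def __post_init__(self):
        if not 0 <= self.priority <= 7:
            raise ValueError(f"{self.name}: priority must be 0..7")
        if self.violation_action not in ("Delay", "Drop"):
            raise ValueError(f"{self.name}: violation action must be Delay or Drop")
        if self.guaranteed_kbps > self.maximum_kbps:
            raise ValueError(f"{self.name}: guaranteed bandwidth exceeds maximum")


def allocate(capacity_kbps: int, objects: List[BandwidthObject],
             demand_kbps: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Simplified allocation model (an assumption, not the firewall's scheduler):
    1. every class first receives min(demand, guaranteed);
    2. what is left of the link is handed out in priority order (0 first), each
       class taking up to min(demand, maximum);
    3. demand above the allocation is queued (Delay) or discarded (Drop)."""
    if sum(o.guaranteed_kbps for o in objects) > capacity_kbps:
        raise ValueError("sum of guarantees exceeds link capacity")
    alloc = {o.name: min(demand_kbps[o.name], o.guaranteed_kbps) for o in objects}
    remaining = capacity_kbps - sum(alloc.values())
    for obj in sorted(objects, key=lambda o: o.priority):   # stable: ties keep list order
        want = min(demand_kbps[obj.name], obj.maximum_kbps) - alloc[obj.name]
        grant = max(0, min(want, remaining))
        alloc[obj.name] += grant
        remaining -= grant
    result = {}
    for obj in objects:
        excess = demand_kbps[obj.name] - alloc[obj.name]
        result[obj.name] = {
            "allocated": alloc[obj.name],
            "queued": excess if obj.violation_action == "Delay" else 0,
            "dropped": excess if obj.violation_action == "Drop" else 0,
        }
    return result


# Constructed scenario: a 10 Mbps link shared by three traffic classes.
LINK_KBPS = parse_bandwidth("10 Mbps")
CLASSES = [
    BandwidthObject("VoIP", parse_bandwidth("2 Mbps"), parse_bandwidth("4 Mbps"), 0, "Delay"),
    BandwidthObject("Web", parse_bandwidth("3 Mbps"), parse_bandwidth("10 Mbps"), 4, "Delay"),
    BandwidthObject("Bulk", parse_bandwidth("1 Mbps"), parse_bandwidth("10 Mbps"), 7, "Drop"),
]
DEMAND = {"VoIP": 3000, "Web": 8000, "Bulk": 6000}   # offered load in kbps


def sample_allocation() -> Dict[str, Dict[str, int]]:
    return allocate(LINK_KBPS, CLASSES, DEMAND)


if __name__ == "__main__":
    for name, r in sample_allocation().items():
        print(f"{name:5s} allocated={r['allocated']:5d} queued={r['queued']:5d} dropped={r['dropped']:5d}")
```

In the sample, Bulk gets only its 1 Mbps guarantee: the lower-priority class is starved of the shared remainder by Web, and because its violation action is Drop the unserved 5 Mbps is discarded rather than queued. That is the behaviour step 5 hints at when it says the allocated bandwidth can be less than the configured maximum.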

Configuring Email Address Objects

App Control allows the creation of custom email address lists as email address objects. These email address objects can be used in an SMTP client policy configuration. Email address objects can represent either individual users or the entire domain. You can also create an email address object that represents a group by adding a list of individual addresses to the object. This provides a way to easily include or exclude a group of users when creating an App Rules policy of type SMTP Client. A limited number of email address objects are allowed, depending on the appliance model.

Topics:
• Searching Email Address Objects
• Adding or Editing Email Address Objects
• Sorting Email Address Objects
• Deleting Email Address Objects

Searching Email Address Objects

You can search the list of email address objects.

To complete a search of email address objects:
1 In the TreeControl, select the unit or group on which to search.
2 Navigate to the Firewall > Email Addr Objects page, and search for one of the following in the Email Address Objects Search field:
• Name – the full or partial name of the email address object.
• Match Type – the match type of the email address object.
3 Click Search to search your policies for one or more matches. Click Clear to set the search fields back to defaults. The Email Address Objects list changes to display only the email address objects found by your search.

Adding or Editing Email Address Objects

You can create email address objects for use with SMTP Client policies. An email address object can be a list of user email addresses or an entire domain.

To configure email address object settings, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Email Addr Objects page.
3 To edit an existing email address object, click the pencil icon under Configure for it. To add a new email address object, click Add. The Add Email Address Object window displays.
4 In the Email Address Object Name field, type a descriptive name for the object.
5 Select one of the following from the Match Type drop-down menu:
• Exact Match – To match the given email address exactly
• Partial Match – To match any part of the given email address
• Regex Match – To match a predefined regular expression
6 In the Content text box, type the content to match and then click Add. Repeat this step until you have added as many elements as you want. For example, to match on a domain, select Partial Match in the previous step and then type @ followed by the domain name in the Content field, for example: @SonicWall.com. To match on an individual user, select Exact Match in the previous step and then type the full email address in the Content field, for example: [email protected].
Alternatively, you can click Load From File to import a list of elements from a text file. Each element in the file must be on a line by itself. The maximum file size is 2048 bytes.
Although existing user groups cannot be specified during configuration, by defining an email address object with a list of users, you can use App Control to simulate groups.
7 Click OK. The Modify Task Description and Schedule window displays.
8 A description is automatically added in the Description field. Optionally, change the description.
9 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit.
• Immediate – Create the object immediately.
• At – Select the exact time to activate this object using the drop-down menus for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone drop-down menu. Select the date from the calendar.
10 Click Accept to save the email address object with the selected schedule. Click Cancel to exit without saving the email address object. At the unit level, you might need to refresh the Firewall > Email Addr Objects page to see your new email address object in the list.
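The three match types in step 5 are easy to get subtly wrong, so here is an added Python model of an email address object (constructed for this page, not GMS code) showing Exact, Partial and Regex matching together with the Load From File size limit. It assumes case-insensitive comparison, which the page does not state. The point worth seeing is what Partial Match means: @SonicWall.com is a substring test, so it also matches an address whose domain merely begins with sonicwall.com, whereas a Regex Match anchored with $ pins the domain to the end of the address. The object names and addresses are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List

MAX_LOAD_FILE_BYTES = 2048   # Load From File limit stated in step 6
MATCH_TYPES = ("Exact Match", "Partial Match", "Regex Match")


@dataclass
class EmailAddressObject:
    """Constructed model of an email address object (not GMS code).
    Assumption: matching is case-insensitive, as email domains are."""
    name: str
    match_type: str
    content: List[str] = field(default_factory=list)
    _patterns: List[re.Pattern] = field(default_factory=list, init=False, repr=False)

    def __post_init__(self):
        if self.match_type not in MATCH_TYPES:
            raise ValueError(f"{self.name}: unknown match type {self.match_type!r}")
        if self.match_type == "Regex Match":
            self._patterns = [re.compile(c, re.IGNORECASE) for c in self.content]

    def matches(self, address: str) -> bool:
        addr = address.strip().lower()
        if self.match_type == "Exact Match":
            return any(addr == c.lower() for c in self.content)
        if self.match_type == "Partial Match":
            return any(c.lower() in addr for c in self.content)   # plain substring test
        return any(p.search(addr) for p in self._patterns)


def load_from_file(data: bytes) -> List[str]:
    """Mimic Load From File: one element per line, file no larger than 2048 bytes."""
    if len(data) > MAX_LOAD_FILE_BYTES:
        raise ValueError(f"file is {len(data)} bytes; the limit is {MAX_LOAD_FILE_BYTES}")
    return [ln.strip() for ln in data.decode("utf-8").splitlines() if ln.strip()]


# Constructed objects. DOMAIN_PARTIAL is the domain object the page describes;
# DOMAIN_STRICT shows the anchored regex that excludes look-alike longer domains.
DOMAIN_PARTIAL = EmailAddressObject("sonicwall-domain", "Partial Match", ["@SonicWall.com"])
DOMAIN_STRICT = EmailAddressObject("sonicwall-domain-strict", "Regex Match", [r"@sonicwall\.com$"])
USER_EXACT = EmailAddressObject("alice", "Exact Match", ["alice@example.com"])


if __name__ == "__main__":
    for addr in ("Bob@SonicWall.com", "bob@sonicwall.com.example", "alice@example.com"):
        print(addr, DOMAIN_PARTIAL.matches(addr), DOMAIN_STRICT.matches(addr), USER_EXACT.matches(addr))
```

When an SMTP Client policy is meant to cover exactly one domain, prefer the anchored Regex Match over a Partial Match on "@domain"; the substring form is convenient but wider than it looks.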

Sorting Email Address Objects

You can sort the list of email address objects by clicking on the Name or Match Type column heading. The first time you click the Name heading, the email address objects list is sorted in descending alphabetical order (A to Z) from top to bottom, according to the first letter or symbol of the items in that column. Names beginning with a symbol or number come before names beginning with any alphabetical character. The first time you click the Match Type heading, the email address objects list is sorted to display objects using Exact Match at the top of the list, followed by those using Partial Match. This is descending order. A small upward-pointing arrow is displayed next to the heading, indicating that, if the heading is clicked again, the list is sorted in ascending order.

Deleting Email Address Objects

Email address objects can be deleted unless they are in use by an App Rules policy.

To delete one or more email address objects, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Email Addr Objects page.
3 Do one of the following:
• To delete one or more email address objects, select the checkboxes for the ones to delete and click Delete.
• To delete a single email address object, click the trash can icon under Configure for it, and then click OK in the confirmation dialog.
If any of the selected objects is currently in use by an App Rules policy, a pop-up message notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were selected for deletion and one of them is in use by a policy, none are deleted when Delete is clicked.
4 In the confirmation dialog box, click OK.
5 In the Modify Task Description and Schedule window, select the Schedule settings for this task and then click Accept.


Configuring Content Filter Objects

CFS delivers content filtering enforcement for educational institutions, businesses, libraries, and government agencies. With content filter objects, you can control the websites students and employees can access using their IT-issued computers while behind the organization's firewall.
NOTE: For a more detailed description of CFS, as well as how to license and install it, see the SonicWall™ Content Filtering Service (CFS) Feature Guide and the SonicWall™ Content Filtering Service Upgrade Guide. For applying these objects in CFS policies, see Configuring Content Filter Policies.

Topics:
• About Content Filter Objects
• Managing URI List Objects
• Managing URI List Groups
• Managing CFS Action Objects
• Managing CFS Profile Objects
• Applying Content Filter Objects

About Content Filter Objects

CFS uses secure objects for filtering content. CFS uses these objects for content filtering:
• URI List Objects; see About URI List Objects
• URI List Groups; see About URL List Groups
• CFS Action Objects; see About CFS Action Objects
• CFS Profile Objects; see About CFS Profile Objects
You can add or edit any object except the default CFS Action Object and CFS Profile Object created by GMS.

About URI List Objects

A URI List Object defines the list of URIs or domains that can be marked as allowed or forbidden. You can also export a URI list to an external file or import a file into a URI list.
NOTE: When processing, URI lists have a higher priority than the category of a URI.

Topics:
• Importing and Exporting URI List Objects
• Matching URI List Objects
• Using URI List Objects

Importing and Exporting URI List Objects You can import a file containing a list of URIs. The file can be created manually, or can be a file that was previously exported from the appliance.

You can export the URI List Objects into a text (.txt) file that you can import later.

Matching URI List Objects

The matching process for URI List Objects is based on tokens. A valid token sequence is composed of one or more tokens, joined by a specific character, like "." or "/". A URI represents a token sequence. For example, the URI www.example.com is a token sequence consisting of www, example, and com, joined by a ".". Generally, if a URI contains one of the URIs in a URI List Object, then the URI List Object matches that URI.

Topics:
• Normal Matching
• Wild Card Matching
•  IPv6 Address Matching
• IPv6 Wildcard Matching

Normal Matching

If a list object contains a URI such as example.com, then that object matches URIs defined as:
[(.|/)]example.com[(.|/)]
For example, the URI List Object matches any of the following URIs:
• example.com
• www.example.com
• example.com.uk
• www.example.com.uk
• example.com/path
The URI List Object does not match the URI specialexample.com, because specialexample is identified as a different token than example.

Wild Card Matching

Wild card matching is supported. An asterisk (*) is used as the wild card character, and represents a valid sequence of tokens. If a list object contains a URI such as example.*.com, then that list object matches URIs defined as:
[(.|/)]example.*.com[(.|/)]
For example, the URI List Object matches any of the following URIs:
• example.exam1.com
• example.exam1.exam2.com
• www.example.exam1.com/path
The URI List Object does not match the URI:
• example.com
This is because the wild card character (*) represents a valid token sequence that is not present in example.com.

IPv6 Address Matching

IPv6 address string matching is also supported. While an IPv4 address can be handled as a normal token sequence, an IPv6 address string needs to be handled specially. If a URI List Object contains a URI such as [2001:2002::2008], then that URI List Object matches URIs defined as:
[2001:2002::2008][/]
For example, the URI list object matches any of the following URIs:
• [2001:2002::2008]
• [2001:2002::2008]/path
• [2001:2002::2008]/path/abc.txt

IPv6 Wildcard Matching

Wild card matching in the IPv6 address string is supported. If a list object contains a URI such as [2001:2002:*:2008]/*/abc.mp3, then that list object matches URIs defined as:
[2001:2002:*:2008]/*/abc.mp3
For example, the URI list object matches any of the following URIs:
• [2001:2002:2003::2007:2008]/path/abc.txt
• [2001:2002:2003:2004:2005:2006:2007:2008]/path/path2/abc.txt

Using URI List Objects

Currently, URI List Objects can be used in these fields:
• Allowed URI List of a CFS profile
• Forbidden URI List of a CFS profile
• Web Excluded Domains of Websense
CFS URI List Objects are used in these fields differently. When used in an Allowed or Forbidden URI List of a CFS profile, the CFS URI List Object acts normally. For example, if the URI List Object contains a URI such as example.com/path/abc.txt, then that list object matches URIs defined as:
[(.|/)]example.com/path/abc.txt[(.|/)]
When used by the Web Excluded Domains of Websense, only the host portion of the URI takes effect. For example, if the URI list object contains the same URI as shown previously, example.com/path/abc.txt, then that list object matches all domains containing the token sequence example.com. The path portion in the URI is ignored.
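As an added, self-contained illustration of the token matching described under Normal Matching, Wild Card Matching, IPv6 Address Matching and IPv6 Wildcard Matching, and of the host-only behaviour of Web Excluded Domains, the following Python implements the rules as the page states them; it is not CFS code. Assumptions beyond the page: tokens compare case-insensitively, a bracketed IPv6 host is treated as a single token whose groups are compared after the address is expanded, and :: in a pattern stands for any number of all-zero groups. All URIs in the block are constructed from the page's own examples.

```python
import ipaddress
import re
from typing import List, Tuple

WILD = "*"          # matches one or more tokens (or IPv6 groups)
ZEROS = "<zeros>"   # internal marker for '::' inside an IPv6 pattern: zero or more 0000 groups


def split_host_path(uri: str) -> Tuple[str, str]:
    """Split a URI into its host ("[...]" for IPv6) and whatever follows it."""
    if uri.startswith("[") and "]" in uri:
        end = uri.index("]")
        return uri[:end + 1], uri[end + 1:]
    host, slash, rest = uri.partition("/")
    return host, (slash + rest) if slash else ""


def tokenize(uri: str) -> List[str]:
    """Token sequence of a URI: host tokens split on '.', an IPv6 host kept as one
    token, then path tokens split on '/' and '.'. Assumption: case does not matter."""
    host, path = split_host_path(uri)
    tokens = [host] if host.startswith("[") else [t for t in host.split(".") if t]
    tokens += [t for t in re.split(r"[./]", path) if t]
    return [t.lower() for t in tokens]


def _ipv6_pattern_groups(inner: str) -> List[str]:
    """Inside of a bracketed IPv6 pattern as 4-digit groups, WILD or ZEROS markers."""
    groups = []
    for g in inner.replace("::", f":{ZEROS}:").split(":"):
        if g:
            groups.append(g if g in (WILD, ZEROS) else f"{int(g, 16):04x}")
    return groups


def _token_eq(pat_tok: str, uri_tok: str) -> bool:
    """Compare one pattern token with one URI token; IPv6 hosts are matched group-wise."""
    if not pat_tok.startswith("["):
        return pat_tok == uri_tok
    if not uri_tok.startswith("["):
        return False
    try:
        addr_groups = ipaddress.IPv6Address(uri_tok[1:-1]).exploded.split(":")
        pat_groups = _ipv6_pattern_groups(pat_tok[1:-1])
    except ValueError:
        return False
    return _match_from(pat_groups, addr_groups, 0, anchored=True)


def _match_from(pat: List[str], seq: List[str], i: int, anchored: bool) -> bool:
    """Match pattern tokens against seq from index i. WILD eats one or more tokens,
    ZEROS eats zero or more "0000" groups; anchored means seq must be fully consumed."""
    if not pat:
        return i == len(seq) if anchored else True
    head, rest = pat[0], pat[1:]
    if head == WILD:
        return any(_match_from(rest, seq, j, anchored) for j in range(i + 1, len(seq) + 1))
    if head == ZEROS:
        j = i
        while True:
            if _match_from(rest, seq, j, anchored):
                return True
            if j < len(seq) and seq[j] == "0000":
                j += 1
            else:
                return False
    return i < len(seq) and _token_eq(head, seq[i]) and _match_from(rest, seq, i + 1, anchored)


def uri_matches(pattern: str, uri: str, host_only: bool = False) -> bool:
    """Does URI List Object entry `pattern` match `uri`? The pattern's tokens must appear
    as a contiguous run of the URI's tokens, on token boundaries. With host_only=True
    (the Websense Web Excluded Domains case) only the host part of the pattern is used."""
    if host_only:
        pattern = split_host_path(pattern)[0]
    pat, seq = tokenize(pattern), tokenize(uri)
    return any(_match_from(pat, seq, i, anchored=False) for i in range(len(seq)))


if __name__ == "__main__":
    for pattern, uri in [("example.com", "www.example.com.uk"), ("example.com", "specialexample.com"),
                         ("example.*.com", "example.com"), ("[2001:2002::2008]", "[2001:2002::2008]/path")]:
        print(f"{pattern!r} vs {uri!r}: {uri_matches(pattern, uri)}")
```

Two details are worth noting. Because matching is on token boundaries, the entry example.com never matches specialexample.com, but it does match example.com.uk, so an Allowed list entry is broader than a hostname equality check. And because the path is part of the token sequence, the same entry behaves differently in a Websense exclusion list, where host_only drops the path tokens before matching.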

About URL List Groups

URI List Groups are supported for flexible and convenient management of URI List Objects, including CFS profile allowed and forbidden lists or a Websense exclusion list. You can assign multiple URI List Objects to one group, and refer to that group directly within other modules. The URI List Group supports nested inclusion, allowing one URI List Group to contain other URI List Groups. A URI List Group can be used anywhere that a URI List Object can be used. You can configure up to 128 URI List Groups, and the maximum length of a URI List Group name is 49 characters. You can assign up to 128 URI List Objects and/or URI List Groups to a URI List Group. The maximum number of unique URIs is 5000, and the maximum number of unique keywords is 100.

About CFS Action Objects

The CFS Action Object defines what happens after a packet is filtered by CFS and is used by a CFS Policy.

About CFS Profile Objects

A CFS Profile Object defines the action triggered for each HTTP/HTTPS connection.

About the Passphrase Feature

The passphrase feature, in conjunction with the Confirm feature, restricts web access based on a passphrase or password. You need to configure the passphrase operation for special URI categories or domains in the Forbidden URI List. To access the forbidden URIs, users have to submit the correct password or web access is blocked.
IMPORTANT: Passphrase only works for HTTP requests. HTTPS requests cannot be redirected to a Passphrase page.

How the Passphrase operation works:
1 The user attempts to access a restricted website.
2 A Passphrase page displays on the user's browser.
3 The user must enter the passphrase or password and then submit it.
4 CFS validates the submitted passphrase/password against the website's password:
• If the passphrase/password matches, web access is allowed. No further confirmations are needed, and users can continue to access websites of the same category for the Active Time period that is set for the Confirm feature. The default is 60 minutes.
• If the passphrase/password does not match, access is blocked, and a Block page is sent to the user.
NOTE: You have three chances to enter the passphrase/password. The site is blocked if all chances fail.

If you select Cancel, the site is blocked immediately.

About the Confirm Feature

The Confirm feature restricts web access by requiring a confirmation from the user before allowing access. You need to configure the Confirm operation for special URL categories or domains, and the users need to confirm the web request when they first visit the sites.
IMPORTANT: Confirm only works for HTTP requests. HTTPS requests cannot be redirected to a Confirm page.

How the Confirm operation works:
1 The user attempts to access a blocked website.
2 A pop-up dialog appears, requesting confirmation.
3 Users must select Continue or Close.
• If a user confirms that they access this category of websites, they are redirected to the first confirmed website. No further confirmations are needed, and they can continue to access websites of the same category for the Active Time period that is set for the Confirm feature. The default is 60 minutes.
• If you choose Close, you are shown the Block page and are blocked from that category of website for the period of the Active Time setting.
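The Passphrase and Confirm flows above are easiest to reason about as a small state machine. The following Python is an added model (not CFS code) that keeps, per user and category, the Active Time window, the three passphrase chances and the block period that follows Close. The category names, passphrase and user names are constructed; that an HTTPS request to a gated category is blocked rather than redirected is an assumption drawn from the two IMPORTANT notes, which only say the redirect cannot happen.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_PASSPHRASE_ATTEMPTS = 3      # "three chances" on the page
DEFAULT_ACTIVE_MINUTES = 60      # default Active Time on the page

Key = Tuple[str, str]            # (user, category)


@dataclass
class CategoryGate:
    """Constructed model of the Passphrase and Confirm decisions (not CFS code)."""
    passphrases: Dict[str, str]           # category -> passphrase, for Passphrase categories
    confirm_categories: Set[str]          # categories that only require a Confirm
    active_minutes: int = DEFAULT_ACTIVE_MINUTES
    _active_until: Dict[Key, float] = field(default_factory=dict, init=False)
    _blocked_until: Dict[Key, float] = field(default_factory=dict, init=False)
    _failures: Dict[Key, int] = field(default_factory=dict, init=False)

    def request(self, user: str, category: str, now: float, scheme: str = "http",
                passphrase: Optional[str] = None, confirm: Optional[bool] = None) -> str:
        """Decide one request; returns "allow", "block", "passphrase-page" or "confirm-page"."""
        key = (user, category)
        if category not in self.passphrases and category not in self.confirm_categories:
            return "allow"           # category is not gated by either feature
        if scheme != "http":
            return "block"           # assumption: HTTPS cannot be redirected, so it is blocked
        if self._blocked_until.get(key, 0) > now:
            return "block"           # still inside the block period that follows Close
        if self._active_until.get(key, 0) > now:
            return "allow"           # inside the Active Time window: no further prompts
        if category in self.passphrases:
            if passphrase is None:
                return "passphrase-page"
            expected = self.passphrases[category]
            if hmac.compare_digest(passphrase.encode(), expected.encode()):
                self._failures.pop(key, None)
                self._active_until[key] = now + self.active_minutes * 60
                return "allow"
            failures = self._failures.get(key, 0) + 1
            if failures >= MAX_PASSPHRASE_ATTEMPTS:
                self._failures.pop(key, None)
                return "block"       # all three chances used: the site is blocked
            self._failures[key] = failures
            return "passphrase-page"
        if confirm is None:
            return "confirm-page"
        if confirm:                  # Continue
            self._active_until[key] = now + self.active_minutes * 60
            return "allow"
        self._blocked_until[key] = now + self.active_minutes * 60   # Close
        return "block"


def passphrase_walkthrough() -> List[str]:
    """Constructed sequence for one user against a Passphrase category."""
    g = CategoryGate(passphrases={"Games": "open-sesame"}, confirm_categories={"Social"})
    return [
        g.request("u", "Games", now=0),                              # passphrase-page
        g.request("u", "Games", now=1, passphrase="wrong"),          # passphrase-page
        g.request("u", "Games", now=2, passphrase="wrong"),          # passphrase-page
        g.request("u", "Games", now=3, passphrase="wrong"),          # block: third failure
        g.request("u", "Games", now=4, passphrase="open-sesame"),    # allow
        g.request("u", "Games", now=4 + 59 * 60),                    # allow: inside Active Time
        g.request("u", "Games", now=4 + 61 * 60),                    # passphrase-page: expired
        g.request("u", "Games", now=5, scheme="https"),              # block: HTTPS not redirected
    ]


def confirm_walkthrough() -> List[str]:
    """Constructed sequence for one user against a Confirm category."""
    g = CategoryGate(passphrases={}, confirm_categories={"Social"})
    return [
        g.request("u", "Social", now=0),                      # confirm-page
        g.request("u", "Social", now=0, confirm=False),       # block: Close
        g.request("u", "Social", now=10),                     # block: still in the block period
        g.request("u", "Social", now=61 * 60),                # confirm-page: block expired
        g.request("u", "Social", now=61 * 60, confirm=True),  # allow
        g.request("u", "Social", now=62 * 60),                # allow: no further confirmation
        g.request("u", "News", now=0),                        # allow: category not gated
    ]


if __name__ == "__main__":
    print(passphrase_walkthrough())
    print(confirm_walkthrough())
```

The passphrase comparison uses a constant-time compare; since the feature only protects HTTP requests, the passphrase itself travels in clear text, which is a reason to treat it as a speed bump for a category rather than as a credential.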

Managing URI List Objects

TIP: To display only the part of the Firewall > Content Filter Objects page that is of interest, click the Collapse icon for those tables not of interest. To redisplay a table, click its Expand icon.

Topics:
• About the URI List Objects Table
• Configuring URI List Objects
• Editing a URI List Object
• Deleting URI List Objects

About the URI List Objects Table

URI List Objects table columns:
Name – Name of the URI List Object.
URL List – Specifies the URIs in the URI List Object.
Keyword List – Specifies any keywords associated with the URI List Object.
Configure – Contains the Edit and Delete icons for each entry in the table.

Configuring URI List Objects

To configure URI List Objects:
1 Navigate to Firewall > Content Filter Objects.
2 Under URI List Objects, click Add URI List Object. The Add URI List Object dialog displays.
3 Enter a descriptive name for the URI List Object in the Name field.
4 You can either add the URIs or import them from a file. To:
• Add URIs, go to Step 5.
• Import URIs, go to Step 10.
5 Click Add URI. The Add URI dialog displays.

6 Enter a URI that follows these conditions:
• Up to 128 URI List Objects are allowed.
• Each URI List Object supports up to 5000 URIs. The minimum number is 1.
• Each URI can be up to 255 characters.
• The maximum combined length of all URIs in one URI list object is 131,072 (1024*128) characters, including one character for each new line (carriage return) between the URIs.
• By definition, a URI is a string containing host and path. Port and other content are currently not supported.
• The host portion of a URI can be an IPv4 or IPv6 address string.
• Each URI can contain up to 16 tokens. A token in a URI is a string composed of the characters:
  • 0 through 9
  • a through z
  • A through Z
  • $ - _ + ! ' ( ) ,
• Each token can be up to 64 characters, including one character for each separator (. or /) surrounding the token.
• An asterisk (*) can be used as a wild card representing a sequence of one or more valid tokens, not one or more characters.
Examples of valid URIs:
• news.example.com
• news.example.com/path
• news.example.com/path/abc.txt
• news.*.com/*.txt
• 10.10.10.10
• 10.10.10.10/path
• [2001:2002::2003]/path
• [2001:2002::2003:*:2004]/path/*.txt
Examples of invalid URIs: Using the wild card character (*) incorrectly can result in invalid URIs such as:
• example*.com
• exa*ple.com
• example.*.*.com
Note: The wild card character represents a sequence of one or more tokens, not one or more characters.

7 Click Save.
8 Repeat Step 6 and Step 7 until you have added all the URIs for the list.
9 Go to Step 14.
10 Click Import. A confirmation message displays.

IMPORTANT: The file must follow the conditions stated in Step 6.

URIs in the file can be separated by any of the following separators:
• \r\n – Windows style new line separator
• \r – Mac OS style new line separator
• \n – UNIX style new line separator

Only the first 2000 valid URIs in the file are imported. Invalid URIs are skipped and do not count toward the maximum of 2000 URIs per URI List Object.
11 Click OK.
12 The File Upload dialog displays.

13 Select the file and click Open. The URI List table is populated.

14 Click Add URI List Object. The URI List Objects table is populated.
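The conditions in Step 6 and the import rules in Steps 10 through 13 amount to a validator plus a line splitter. Here is an added Python version, not GMS code, that checks the length, token count, token character set, wild-card placement, port and IPv6 host rules, then imports a file with mixed \r\n, \r and \n line endings, skipping invalid URIs and stopping at the first 2000 valid ones. Treating a bracketed IPv6 host as one token and tolerating a trailing slash are assumptions; the sample file is constructed.

```python
import ipaddress
import re
from typing import List, Tuple

MAX_URI_LEN = 255
MAX_TOKENS = 16
MAX_TOKEN_LEN = 64     # the page counts one separator character with each token
MAX_IMPORT = 2000      # only the first 2000 valid URIs of a file are imported
TOKEN_RE = re.compile(r"^[0-9A-Za-z$\-_+!'(),]+$")
HEX_GROUP_RE = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def _check_tokens(tokens: List[str]) -> str:
    """Return "" if the tokens obey the Step 6 rules, otherwise the reason they do not."""
    prev = None
    for tok in tokens:
        if tok == "":
            return "empty token (doubled separator)"
        if tok == "*":
            if prev == "*":
                return "two wild cards in a row"
        elif "*" in tok:
            return f"wild card inside token {tok!r}: '*' stands for whole tokens only"
        elif not TOKEN_RE.match(tok):
            return f"illegal character in token {tok!r}"
        if len(tok) + 1 > MAX_TOKEN_LEN:
            return f"token {tok!r} exceeds {MAX_TOKEN_LEN} characters with its separator"
        prev = tok
    return ""


def _check_ipv6_host(inner: str) -> str:
    """Validate the text between [ and ]; '*' may replace one or more whole groups."""
    if "*" not in inner:
        try:
            ipaddress.IPv6Address(inner)
            return ""
        except ValueError:
            return "invalid IPv6 address"
    if inner.count("::") > 1:
        return "more than one '::' in IPv6 host"
    groups = [g for g in inner.split(":") if g]
    if not 1 <= len(groups) <= 8:
        return "wrong number of IPv6 groups"
    prev = None
    for g in groups:
        if g == "*":
            if prev == "*":
                return "two wild cards in a row inside IPv6 host"
        elif not HEX_GROUP_RE.match(g):
            return f"invalid IPv6 group {g!r}"
        prev = g
    return ""


def _path_tokens(path: str) -> List[str]:
    body = path.strip("/")          # assumption: a trailing slash is tolerated
    return re.split(r"[./]", body) if body else []


def validate_uri(uri: str) -> Tuple[bool, str]:
    """Check one URI against the Step 6 conditions; returns (ok, reason)."""
    if not uri:
        return False, "empty URI"
    if len(uri) > MAX_URI_LEN:
        return False, f"longer than {MAX_URI_LEN} characters"
    if uri.startswith("["):
        end = uri.find("]")
        if end < 0:
            return False, "unterminated IPv6 host"
        why = _check_ipv6_host(uri[1:end])
        if why:
            return False, why
        rest = uri[end + 1:]
        if rest and not rest.startswith("/"):
            return False, "port or other content after the host is not supported"
        tokens, host_tokens = _path_tokens(rest), 1   # assumption: IPv6 host = one token
    else:
        host, _, path = uri.partition("/")
        if ":" in host:
            return False, "port is not supported"
        tokens, host_tokens = host.split(".") + _path_tokens(path), 0
    if host_tokens + len(tokens) > MAX_TOKENS:
        return False, f"more than {MAX_TOKENS} tokens"
    why = _check_tokens(tokens)
    return (False, why) if why else (True, "")


def import_uri_list(data: bytes) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Mimic Import: split on CRLF, CR or LF, skip invalid URIs and stop once
    MAX_IMPORT valid ones are accepted. Returns (accepted, skipped with reason)."""
    accepted, skipped = [], []
    for line in re.split(r"\r\n|\r|\n", data.decode("utf-8", errors="replace")):
        line = line.strip()
        if not line:
            continue
        ok, why = validate_uri(line)
        if ok:
            accepted.append(line)
            if len(accepted) == MAX_IMPORT:
                break
        else:
            skipped.append((line, why))
    return accepted, skipped


# Constructed sample file mixing the three line-ending styles from the page.
SAMPLE_FILE = (b"news.example.com\r\n"                    # Windows ending
               b"example*.com\r"                          # invalid: '*' inside a token (Mac OS ending)
               b"news.*.com/*.txt\n"                      # UNIX ending
               b"example.com:8080/path\n"                 # invalid: ports are not supported
               b"[2001:2002::2003:*:2004]/path/*.txt\n")
```

Running the import on the sample file accepts three entries and reports the two invalid ones with the reason, which is more than the GUI's silent skip tells you; keeping such a pre-check in front of a bulk import is the easiest way to notice that a list entry like example*.com never matches anything.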

Editing a URI List Object

To edit a URI List Object:
1 Click the Configure icon for the list object to be edited.
2 The Edit URI List Object dialog displays. You can:
• Edit an entry by clicking the Configure icon. The Edit URI dialog displays.
a) Make changes to the URI.
b) Click Save. The URI List table is updated.
c) Repeat Step 2 for each change.
3 Click OK.

Deleting URI List Objects

To delete URI List Objects:
1 Do one of these:
• Click the Delete icon for the list object to be deleted.
• Click the checkbox for one or more list objects to be deleted. Delete URI List Object(s) becomes active; click it.

To delete all URI List Objects:
1 Select all URI List Objects by selecting the top checkbox in the column heading. When all checkboxes are selected, click Delete URI List Object(s).

Managing URI List Groups

Topics:
• About the URI List Groups Table
• Adding URI List Groups
• Editing a URI List Group
• Deleting URI List Groups

About the URI List Groups Table

Name          Name of the URI List Group.
URI List      Specifies the URIs in the URI List Group.
Keyword List  Specifies the Keywords configured in the URI List Group.
Configure     Contains the Edit and Delete icons for each entry in the table.

Adding URI List Groups

To add a URI List Group:

1 Navigate to Firewall > Content Filter Objects.
2 Click the URI List Groups view to display the URI List Groups screen.
3 At the top of the page, click Add. The Add CFS URI List Group dialog displays. A list of all configured URI List Objects and URI List Groups is displayed on the left side of the dialog.
4 Enter a descriptive name for the URI List Group in the Name field.
5 Click an item in the left list that you want to include in the URI List Group.
6 Click the right arrow to move the selected item into the field on the right. You can select an item on the right and click the left arrow button to move it back, or click Remove All to move all items back into the list on the left.
7 Click OK to create the URI List Group using the list on the right.
8 Click Cancel to close the Add URI List Group dialog.

Editing a URI List Group

To edit a URI List Group:

1 Navigate to Firewall > Content Filter Objects.
2 If necessary, click URI List Groups to display the URI List Groups screen.
3 Click the Configure icon for the group to be edited. The Edit URI List Group dialog displays.
4 Click an item on either side and use the left or right arrow to move it to the other side. Items on the right are part of the URI List Group. To remove all items from the URI List Group, click Remove All to move them from the right side to the left side.
5 Click OK.
6 Click Cancel to close the Edit URI List Group dialog.

Deleting URI List Groups

To delete URI List Groups:

1 Navigate to Firewall > Content Filter Objects.
2 If necessary, click URI List Groups to display the URI List Groups screen.
3 Do one of these:
   • Click the Delete icon in the Configure column for the group to be deleted.
   • Click the checkbox for one or more groups to be deleted. Click Delete URI List Group(s).

To delete all URI List Groups:

1 Click the top left checkbox located in the column heading of URI List Groups. Verify that all checkboxes are selected and click Delete URI List Group(s).

Managing CFS Action Objects

Topics:
   • About the CFS Action Objects Table
   • Configuring CFS Action Objects
   • Editing CFS Action Objects
   • Deleting CFS Action Objects

About the CFS Action Objects Table

CFS Action Objects

Name         Name of the CFS Action Object; the name of the default CFS Action Object is CFS Default Action. The default object can be edited, but not deleted.
Safe Search  Indicates whether the Enable Safe Search Enforcement option has been selected. This option is used specifically for HTTPS sites, and the feature takes effect only when the Client DPI-SSL Content Filter is enabled.
Block Page   Indicates whether a block page has been Configured or Unconfigured.
Passphrase   Indicates whether a passphrase page has been Configured or Unconfigured.
Confirm      Indicates whether a confirm page has been Configured or Unconfigured.
BWM          Indicates whether a BWM object has been Configured or Unconfigured.
Configure    Contains the Edit and Delete icons for each entry in the table.

Configuring CFS Action Objects

A default CFS Action Object, CFS Default Action, is created by the GMS. You can configure and edit this CFS Action Object, but you cannot delete it.

To configure CFS Action Objects:

1 Navigate to Firewall > Content Filter Objects.
2 Select the CFS Action Objects view and click Add Action Object. The Add CFS Action Object dialog displays.
3 Enter the name of the CFS Action Object in the Name field.
4 To have cookies removed automatically to protect privacy, select Wipe Cookies. When this option is enabled and Client DPI-SSL Content Filter is also enabled, cookies for HTTPS sites are removed. This option is not selected by default.
   IMPORTANT: Enabling this option could break the Safe Search Enforcement function of some search engines.
5 To send URI information to the AppFlow Monitor, select Enable Flow Reporting. This option is not selected by default.
6 You can configure these pages, which display when a site is blocked:
   NOTE: A default version of each of these pages has been created. You can use the default, modify it to meet your needs, or create a new page.
   • Blocked site per company policy: go to the Block View.
   • Password-protected web page: go to the Passphrase View.
   • Restricted web page that requires confirmation before a user can view it: go to the Confirm View.
7 You can allocate bandwidth resources as part of CFS Action Objects; go to the BWM View.
8 Click OK. The new CFS Action Object is added to the CFS Action Object table.

Block View

To create a page that displays when a site is blocked:

1 Click the Block view. A default page is defined already, but you can fully customize the web page that is displayed to the user when access to a blocked site is attempted, or you can create your own page.
2 To see a preview of the display, click Preview.
   IMPORTANT: Because of potential vulnerability issues, scripting code (JavaScript) and HTML inline event attributes that invoke scripting code are not evaluated and/or might be disabled. Some of your preview pages might not render properly because of this limitation.
   If you have not modified the provided code, clicking Preview displays the default web page. The Block policy, Client IP address, and the reason for the block are shown.

To remove all content from the Block Page field, click Clear. To revert to the default blocked page message, click Default.

Passphrase View

NOTE: For information about the Passphrase feature, see About the Passphrase Feature.

To create a password-protected web page:

1 Click the Passphrase view.
2 In the Enter Password field, enter the passphrase/password for the web site. The password can be up to 64 characters.
3 Enter it again in the Confirm Password field.
4 In the Active Time (minutes) field, enter the time, in minutes, for which a passphrase based on category or domain remains effective. The minimum time is one minute, the maximum is 9999, and the default is 60 minutes.
5 A default page is defined already, but you can fully customize the web page that is displayed to the user when access to a blocked site is attempted, or you can create your own page. To create the page that displays when a site is blocked:
   • To see a preview of the display, click Preview.
      IMPORTANT: Because of potential vulnerability issues, scripting code (JavaScript) and HTML inline event attributes that invoke scripting code are not evaluated and/or might be disabled. Some of your preview pages might not render properly because of this limitation.
      If you have not modified the provided code, clicking Preview displays the default web page. The web site URL, Client IP address, block policy, and the reason for the block are shown along with a field for entering the password.
   • To remove all content from the Passphrase Page field, click Clear.
   • To revert to the default blocked page message, click Default.

Confirm View

NOTE: Requiring confirmation (consent) only works for HTTP requests. HTTPS requests cannot be redirected to a Confirm page.

To create a restricted web page that requires confirmation before a user can view it:

1 Click the Confirm view.
2 In the Active Time (minutes) field, enter the time, in minutes, for which a confirmation based on category or domain remains effective for a confirmed user. The minimum time is 1 minute, the maximum is 9999, and the default is 60 minutes.
3 A default page is defined already, but you can fully customize the web page that is displayed to the user when access to a confirm site is attempted, or you can create your own page. To create the page that displays when a site is blocked:
   • To see a preview of the display, click Preview.
      IMPORTANT: Because of potential vulnerability issues, scripting code (JavaScript) and HTML inline event attributes that invoke scripting code are not evaluated and/or might be disabled. Some of your preview pages might not render properly because of this limitation.
      If you have not modified the provided code, clicking Preview displays the default web page. The web site URL, Client IP address, block policy, and the reason for the block are shown along with a field for entering the confirmation.
   • To remove all content from the Confirm Page field, click Clear.
   • To revert to the default blocked page message, click Default.

BWM View

IMPORTANT: CFS Action bandwidth Objects are similar to, but not the same as, bandwidth objects created on the Firewall > Bandwidth Objects page. CFS Action BWM objects do not appear on the Firewall > Bandwidth Objects page, and BWM bandwidth objects do not appear on the Firewall > Content Filter Objects page.

NOTE: For information about bandwidth management, see Configuring Bandwidth Objects. For information about BWM objects, see Configuring Content Filter Objects.

IMPORTANT: To create a CFS Action BWM object, BWM must be enabled.

To allocate bandwidth resources for content filtering:

1 Click the BWM view.
2 From the Bandwidth Aggregation Method drop-down menu, choose how the BWM object is to be applied:
   • Per Policy (default)
   • Per Action
3 To enable BWM on outbound traffic, select Enable Egress Bandwidth Management. This option is not selected by default. The Bandwidth Object drop-down menu and Enable Tracking Bandwidth Usage become active.
4 From the Bandwidth Object drop-down menu, choose either:
   • An existing BWM object.
   • Create new Bandwidth Object. The Add Bandwidth Object dialog displays. For information on creating a new bandwidth object, see Configuring Content Filter Objects.
5 To enable BWM on inbound traffic, select Enable Ingress Bandwidth Management. This option is not selected by default. The Bandwidth Object drop-down menu becomes active and, if Enable Ingress Bandwidth Management has not been selected, so does Enable Tracking Bandwidth Usage.
6 From the Bandwidth Object drop-down menu, choose either:
   • An existing BWM object.
   • Create new Bandwidth Object. The Add Bandwidth Object dialog displays. For information on creating a new bandwidth object, see Configuring Content Filter Objects.
7 To track bandwidth usage, select Enable Tracking Bandwidth Usage. This option is not selected by default.
   NOTE: Enable Egress Bandwidth Management and/or Enable Ingress Bandwidth Management must also be selected.
8 Click Update to save your changes.

Threat API View

IMPORTANT: Before configuring Threat API, you must enable it. For further information about Threat API and how to enable it, see the Threat API Reference Manual.

To add a policy to block URLs in the threat list:

1 Click the Threat API view.
2 A default page is defined already, but you can fully customize the web page that is displayed to the user when access to a blocked site is attempted, or you can create your own page. To create the page that displays when a site is blocked:
   • To see a preview of the display, click Preview.
      IMPORTANT: Because of potential vulnerability issues, scripting code (JavaScript) and HTML inline event attributes that invoke scripting code are not evaluated and/or might be disabled. Some of your preview pages might not render correctly because of this limitation.
      If you have not modified the provided code, clicking Preview displays the default web page. The web site URL, Client IP address, block policy, and the reason for the block are shown along with a field for entering the confirmation.
   • To remove all content from the Confirm Page field, click Clear.
   • To revert to the default blocked page message, click Default.

Editing CFS Action Objects

To edit a CFS Action Object:

1 Click the Edit icon for the CFS Action Object to be edited. The Edit CFS Action Object dialog displays. This dialog is the same as the Add CFS Action Object dialog.
2 To make your changes, follow the appropriate procedures in Configuring CFS Action Objects.

Deleting CFS Action Objects

To delete CFS Action Objects:

1 Do one of these:
   • Click the Delete icon for the action object to be deleted.
   • Click the checkbox for one or more action objects to be deleted. Delete Action Object(s) becomes active; click it.

To delete all CFS Action Objects:

1 Select all the checkboxes by selecting the top checkbox in the left column heading. When all checkboxes are selected, click Delete Action Object(s). All CFS Action Objects are deleted except for the default object, CFS Default Action.

Managing CFS Profile Objects

Topics:
   • About the CFS Profile Objects Table
   • Configuring CFS Profile Objects
   • Editing a CFS Profile Object
   • Deleting CFS Profile Objects

About the CFS Profile Objects Table

Name                   Name of the CFS Profile Object; the name of the default CFS Profile Object is CFS Default Profile. The default object can be edited, but not deleted.
Allowed URI List       Name of the URI List Object listed in the Allowed List.
Forbidden URI List     Name of the URI List Object listed in the Forbidden List.
Blocked Categories     Names of all the categories blocked by the CFS Profile Object.
Passphrase Categories  Names of all the categories requiring a passphrase by this CFS Profile Object.
Confirm Categories     Names of all the categories requiring confirmation by this CFS Profile Object.
BWM Categories         Names of all the categories governed by bandwidth management by this CFS Profile Object.
Allowed Categories     Names of all the categories allowed by the CFS Profile Object.
Configure              Contains the Edit and Delete icons for each entry in the table.

Configuring CFS Profile Objects

A default CFS Profile Object, CFS Default Profile, is created by the GMS. You can configure and edit this CFS Profile Object, but you cannot delete it.

To configure CFS Profile Objects:

1 Navigate to Firewall > Content Filter Objects.
2 Click Add Profile Object for the CFS Profile Objects table. The Add CFS Profile Object dialog displays.
3 Enter the name of the CFS Profile Object in the Name field.
4 From the Allowed URI List drop-down menu, choose the URI List Object that contains URIs for which unrestricted access is allowed; treat this list as a white list:
   • None (default).
   • Name of a URI Expression. Accessing all URIs in this expression is allowed.
5 From the Forbidden URI List drop-down menu, choose the URI List Object that contains URIs for which access is not allowed at all; treat this list as a black list:
   • None (default).
   • Name of a URI Expression. Accessing all URIs in this expression is forbidden.
6 From the URI Searching Order drop-down menu, choose which URI list is searched first during filtering:
   • Allowed URI List First (default)
   • Forbidden URI List First
7 From the Operation for Forbidden URI drop-down menu, choose the action to be taken when a URI on the Forbidden List is encountered:
   Block (default)  The block page configured for the CFS Action Object is displayed to the user accessing the site.
   Confirm          The confirm page configured for the CFS Action Object is displayed to the user accessing the site. The user must confirm access permission.
   Passphrase       The passphrase page configured for the CFS Action Object is displayed to the user accessing the site. The user must enter a valid password to enter the site.
8 The Category Configuration table lists all the categories of URIs, such as Arts & Entertainment, Business, Education, Travel, Weapons, and Shopping. You can configure the action to be taken for all URIs in each category instead of individually. As you scroll down the list, choose the action from the drop-down menu for each category:
   • Allow
   • Block
   • BWM
   • Confirm
   • Passphrase
   NOTE: By default, Categories 1-12 and 59 are blocked; the remaining categories are allowed.
   • To change all categories to the same action, click an operation such as Allow and click Set to All.
   • To reset all the categories to their default actions, click Default.
9 To enable Smart Filtering and Safe Search options, click the Advanced view. For how to configure this tab, go to Advanced view.
10 To set up web usage consent, click the Consent view. For how to configure this tab, go to Consent view.
11 Click Update. The CFS Profile Objects table is updated.
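The order in which a CFS Profile Object consults its Allowed URI List, Forbidden URI List and category actions (steps 4 through 8) decides the outcome when the two lists overlap. The following Python model is an added example, not SonicWall code: the data model, the `evaluate()` function and the sample URIs are constructed here, and two details the page does not state are assumed, namely that a URI List Object matches a request URI by case-insensitive prefix and that the category of a URI is supplied by the caller in place of the rating service.

```python
"""Decision order of a CFS Profile Object (added example; not SonicWall code).

Models steps 4-8 of the Configuring CFS Profile Objects procedure: the
Allowed and Forbidden URI lists, the URI Searching Order, the Operation
for Forbidden URI, and the per-category action. Assumptions not stated on
the page: a URI List Object is a list of URI expressions matched as
case-insensitive prefixes of the request URI, and the category of a URI
comes from a caller-supplied rating.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The five actions offered in the Category Configuration table.
ALLOW, BLOCK, BWM, CONFIRM, PASSPHRASE = "Allow", "Block", "BWM", "Confirm", "Passphrase"


@dataclass
class CfsProfile:
    name: str
    allowed_uri_list: list[str] = field(default_factory=list)       # step 4
    forbidden_uri_list: list[str] = field(default_factory=list)     # step 5
    search_allowed_first: bool = True                               # step 6 (default)
    forbidden_operation: str = BLOCK                                # step 7 (default)
    category_actions: dict[str, str] = field(default_factory=dict)  # step 8


def uri_in_list(uri: str, expressions: list[str]) -> bool:
    """Prefix match of a request URI against a URI List Object (assumed semantics)."""
    u = uri.lower()
    return any(u.startswith(expr.lower()) for expr in expressions)


def evaluate(profile: CfsProfile, uri: str, category: str) -> tuple[str, str]:
    """Return (action, reason) for one request.

    The two URI lists are consulted in the configured order and the first
    hit wins; only if neither list matches does the category action apply.
    """
    order = ("allowed", "forbidden") if profile.search_allowed_first else ("forbidden", "allowed")
    for which in order:
        if which == "allowed" and uri_in_list(uri, profile.allowed_uri_list):
            return ALLOW, "Allowed URI List"
        if which == "forbidden" and uri_in_list(uri, profile.forbidden_uri_list):
            return profile.forbidden_operation, "Forbidden URI List"
    action = profile.category_actions.get(category, ALLOW)  # categories not set to another action allow
    return action, f"category {category}"


def demo() -> dict[str, tuple[str, str]]:
    """Constructed profiles showing why the search order matters when the lists overlap."""
    lists = dict(
        allowed_uri_list=["intranet.example.com/"],
        forbidden_uri_list=["intranet.example.com/admin/"],
        category_actions={"Weapons": BLOCK, "Shopping": PASSPHRASE},
    )
    allowed_first = CfsProfile("allowed-first", **lists, search_allowed_first=True)
    forbidden_first = CfsProfile("forbidden-first", **lists, search_allowed_first=False,
                                 forbidden_operation=CONFIRM)
    admin = "intranet.example.com/admin/users"
    return {
        # Allowed first: the broader allowed prefix hits before the forbidden one is checked.
        "admin_allowed_first": evaluate(allowed_first, admin, "Business"),
        # Forbidden first: the narrower forbidden prefix wins and the Confirm page is shown.
        "admin_forbidden_first": evaluate(forbidden_first, admin, "Business"),
        "weapons_site": evaluate(allowed_first, "guns.example.net/", "Weapons"),
        "shopping_site": evaluate(allowed_first, "shop.example.net/", "Shopping"),
        "unlisted_category": evaluate(allowed_first, "news.example.net/", "News"),
    }


if __name__ == "__main__":
    for case, (action, reason) in demo().items():
        print(f"{case:>22}: {action:<10} ({reason})")
```

The practical point is the first two cases: with the default Allowed URI List First, a broad allowed entry for `intranet.example.com/` silently covers the forbidden `/admin/` path underneath it, so an exception list that overlaps a forbidden list should be paired with Forbidden URI List First, or the allowed entry should be narrowed.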

Advanced view

NOTE: By default, none of the options are selected.

1 To enable content filtering for HTTPS sites, select Enable HTTPS Content Filtering. This option replaces the global HTTPS content filtering option used in previous versions on the Firewall > Content Filter Objects page.
   NOTE: When DPI-SSL client inspection is enabled and Content Filter is selected for inspection, that inspection takes precedence and the policy-based HTTPS content filtering setting is ignored. Specifically, when the Enable SSL Client Inspection and Content Filter options are enabled on the DPI-SSL > Client SSL page, the Enable HTTPS Content Filtering option in the CFS policy is ignored. In this case, DPI-SSL decrypts the connection and sends it as plain text to CFS for filtering.
   HTTPS content filtering is IP based and does not inspect the URL, but uses other methods to obtain the URL rating. When this option is enabled, CFS performs the URL rating lookup in this order:
   a Searches the client hello for the Server Name, which CFS uses to obtain the URL rating.
   b If the Server Name is not available, searches the SSL certificate for the Common Name, which CFS uses to obtain the URL rating.
   c If neither Server Name nor Common Name is available, CFS uses the IP address to obtain the URL rating.
   While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS filtered pages are silently blocked.
2 To detect the embedded URL inside Google Translate (https://translate.google.com) and filter the embedded URI, select Enable Smart Filtering for Embedded URI. This option is not selected by default.
   IMPORTANT: This feature requires enabling Client DPI-SSL with content filter.
   NOTE: This feature takes effect only on Google Translate, which works on currently rated embedded web sites.
3 To enforce Safe Search when searching on any of the following websites, select Enable Safe Search Enforcement (these options are not selected by default):
   • www.yahoo.com
   • www.ask.com
   • www.dogpile.com
   • www.lycos.com
   NOTE: This enforcement cannot be configured at the policy level because the function employs DNS redirection to HTTPS sites. For HTTPS sites, client DPI-SSL with content filter must be enabled.

4 To enable Threat API, select Enable Threat API Enforcement.
   IMPORTANT: Before enabling Threat API, see the Threat API Reference Manual.
   NOTE: After the GMS receives the initial threat list and creates a Threat URI List Object, the Threat URI List Object is referenced by Enable Threat API Enforcement.
5 To override the Safe Search option for Google inside each CFS Policy and its corresponding CFS Action, select Enable Google Force Safe Search. This option is not selected by default.
   NOTE: Typically, Safe Search happens automatically and is powered by Google, but when this option is enabled, the GMS rewrites the Google domain in the DNS response to the Google Safe Search virtual IP address.
   NOTE: This feature takes effect only after the DNS cache of the client host is refreshed.
6 To access YouTube in Safety mode, select Enable YouTube Restrict Mode. This option is not selected by default.
   NOTE: YouTube provides a new feature to screen videos that might contain inappropriate content flagged by users and other signals. When this feature is enabled, the GMS rewrites the DNS response for the YouTube domain to its Safe Search virtual IP address.
   NOTE: This feature takes effect only after the DNS cache of the client host is refreshed.
7 To override the Safe Search option for Bing inside each CFS Policy and its corresponding CFS Action, select Enable Bing Force Safe Search. This option is not selected by default.
   NOTE: When this feature is enabled, the GMS rewrites the DNS response for the Bing domain to its Safe Search virtual IP address.
   NOTE: This feature takes effect only after the DNS cache of the client host is refreshed.
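Step 1 of the Advanced view describes the fallback order CFS uses to pick a value for the HTTPS rating lookup without decrypting the session: the Server Name from the TLS ClientHello, then the certificate Common Name, then the server IP address. The Python below is an added example, not SonicWall code: the three-step order is the page's, while the minimal ClientHello parser, the `build_client_hello()` helper that constructs test input, the function names and the sample host, CN and address are all assumptions made here. The certificate CN is passed in as a string rather than parsed from X.509.

```python
"""HTTPS rating-key selection in the page's order (added example; not SonicWall code).

Order a, b, c from step 1 of the Advanced view: Server Name (SNI) from
the ClientHello, then the certificate Common Name, then the IP address.
The TLS parsing, the test-input builder and all names are constructed here.
"""
from __future__ import annotations

SNI_EXTENSION = 0x0000  # RFC 6066 server_name extension type


def extract_sni(record: bytes) -> str | None:
    """Return the host_name carried in the SNI extension of a TLS ClientHello, or None."""
    try:
        if len(record) < 5 or record[0] != 0x16:                 # not a TLS handshake record
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if len(hs) < 4 or hs[0] != 0x01:                         # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                             # client_version + random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")      # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos + 2 > len(body):                                  # no extensions block at all
            return None
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:                                    # walk the extension list
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SNI_EXTENSION:
                continue
            p = 2                                                # skip server_name_list length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = int.from_bytes(data[p + 1:p + 3], "big")
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0 and name:                      # host_name entry
                    return name.decode("ascii", errors="replace")
        return None
    except IndexError:                                           # truncated or malformed input
        return None


def rating_key(client_hello: bytes, cert_common_name: str | None, server_ip: str) -> tuple[str, str]:
    """Pick the value used for the URL rating lookup, following order a, b, c."""
    sni = extract_sni(client_hello)
    if sni:
        return "server_name", sni
    if cert_common_name:
        return "common_name", cert_common_name
    return "ip", server_ip


def build_client_hello(server_name: str | None) -> bytes:
    """Construct a minimal ClientHello for testing (constructed bytes, not captured traffic)."""
    exts = b"\x00\x2b\x00\x03\x02\x03\x04"   # supported_versions first, so the parser must skip it
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + len(host).to_bytes(2, "big") + host
        sni = len(entry).to_bytes(2, "big") + entry
        exts += SNI_EXTENSION.to_bytes(2, "big") + len(sni).to_bytes(2, "big") + sni
    body = (b"\x03\x03" + bytes(32)            # version + zeroed random
            + b"\x00"                            # empty session_id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def demo() -> dict[str, tuple[str, str]]:
    """Exercise each fallback with constructed input."""
    with_sni = build_client_hello("mail.example.com")
    without_sni = build_client_hello(None)
    return {
        "sni_present": rating_key(with_sni, "*.example.com", "192.0.2.10"),
        "cn_fallback": rating_key(without_sni, "*.example.com", "192.0.2.10"),
        "ip_fallback": rating_key(without_sni, None, "192.0.2.10"),
        "not_tls": rating_key(b"GET / HTTP/1.1\r\n", None, "192.0.2.10"),
    }
```

The fallbacks are where filtering precision drops: a wildcard Common Name or a shared IP address on a CDN rates the whole host group, not the one site requested, and as the page notes the result for HTTPS is a silent block rather than a block page. Enabling DPI-SSL client inspection with Content Filter, as described in the NOTE above, is what makes URL-level filtering of HTTPS possible.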

Consent view

NOTE: Consent only works for HTTP requests. HTTPS requests cannot be redirected to a Confirm (consent) page.

1 To enable consent, which displays the Consent (Confirm) page when a user visits a site requiring consent before access, check Enable Consent. This option is not selected by default. When this option is selected, the other options become available.
2 To remind users that their time has expired by displaying the Consent page, enter the idle-time duration in the User Idle Timeout (minutes) field. The minimum idle time is 1 minute, the maximum is 9999 minutes, and the default is 15 minutes.
3 In the Consent Page URL (optional filtering) field, enter the URL of the website where a user is redirected if they go to a website requiring consent. The Consent page must:
   • Reside on a web server and be accessible as a URI by users on the network.
   • Contain links to the following two pages in the SonicWall appliance, which, when selected, tell the firewall the type of access the user wishes to have:
      • Unfiltered access: /iAccept.html
      • Filtered access: /iAcceptFilter.html
4 In the Consent Page URL (mandatory filtering) field, enter the website URL where the user is redirected if they go to a website requiring mandatory filtering. The Consent page must:
   • Reside on a web server and be accessible as a URI by users on the network.
   • Contain a link to the /iAcceptFilter.html page in the SonicWall appliance, which tells the firewall that the user accepts filtered access.
5 From the Mandatory Filtering Address drop-down menu, choose an Address Object that contains the configured IP addresses requiring mandatory filtering.
6 Click Update to save your settings.

Custom Header view

You can configure your firewall as a web proxy server to control web services, such as preventing users from signing in to some web services using any account other than the accounts provided, or restricting the content viewable by users. The web proxy server adds a custom header to all traffic matched by the Content Filtering policy, and the header identifies the domains whose users can access the web services or the content that users can access. Encrypted HTTPS traffic is supported if DPI-SSL is enabled.

This feature requires the following:
   • Content Filter Service is enabled.
   • Custom header insertion is enabled in the matched CFS profile object.
   • DPI-SSL is enabled for custom header insertion with encrypted HTTPS requests.

To configure a CFS custom header and enable custom header insertion:

1 Navigate to the Firewall > Content Filter Objects page.
2 On the CFS Profile Objects view, click Add Profile Object.
3 In the Add/Edit CFS Profile Object dialog, click the Custom Header view to display the Custom Header Insertion options.
4 Select Enable Custom Header Insertion.
5 Click Add Custom Header to configure the Domain, Key, and Value for the custom header entry. Domain is used to check whether the host in an HTTP request matches an entry during packet handling. Key and Value are used to generate the right header for the entry when building runtime data for custom header insertion. The Domain must satisfy these rules:
   • Each domain name can contain up to 16 tokens separated by periods (.).
   • The domain name cannot start or end with separators.
   • Each token can contain up to 128 printable ASCII characters.
   • Tokens in a domain name can only contain the characters: 0-9a-zA-Z$-_+!'(),.
   • IPv4/IPv6 addresses can be defined as a domain name, such as "[2001:2002:2003::2005:2006]".
6 Click Save.
7 If the Custom Header suits your needs, click Update.
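The Domain rules in step 5 are easy to get wrong by hand, and an entry that never matches the request Host inserts no header, so the sign-in restriction silently does nothing. The Python below is an added example, not SonicWall code: it checks a Domain value against the listed token rules and then selects the header lines to insert for a given HTTP Host. Two readings the page does not spell out are assumed here: a bare IPv4 address or a bracketed IPv6 address is accepted as an address literal, and a request matches an entry when its Host (with any port removed) equals the entry's Domain case-insensitively. The sample entries and hosts are constructed; the header name in the first entry is the one Google documents for restricting sign-in to listed domains, and the listed domains are placeholders.

```python
"""Validation of CFS custom-header Domain entries and header selection (added example; not SonicWall code).

The token rules are those listed in step 5 above. Assumed readings, not
stated on the page: bare IPv4 and bracketed IPv6 literals are accepted,
and a request matches an entry on exact, case-insensitive Host equality
after any :port is removed.
"""
from __future__ import annotations

import ipaddress
import string

MAX_TOKENS = 16
MAX_TOKEN_LEN = 128
TOKEN_CHARS = frozenset(string.ascii_letters + string.digits + "$-_+!'(),")  # "." is the separator


def validate_domain(domain: str) -> tuple[bool, str]:
    """Return (ok, reason) for one Domain value."""
    if domain.startswith("[") and domain.endswith("]"):     # e.g. "[2001:2002:2003::2005:2006]"
        try:
            ipaddress.IPv6Address(domain[1:-1])
            return True, "IPv6 literal"
        except ValueError:
            return False, "malformed IPv6 literal"
    try:
        ipaddress.IPv4Address(domain)
        return True, "IPv4 literal"
    except ValueError:
        pass
    if domain.startswith(".") or domain.endswith("."):
        return False, "must not start or end with a separator"
    tokens = domain.split(".")
    if len(tokens) > MAX_TOKENS:
        return False, f"more than {MAX_TOKENS} tokens"
    for tok in tokens:
        if not tok:
            return False, "empty token between separators"
        if len(tok) > MAX_TOKEN_LEN:
            return False, f"token longer than {MAX_TOKEN_LEN} characters"
        bad = sorted(set(tok) - TOKEN_CHARS)
        if bad:
            return False, "disallowed characters: " + "".join(bad)
    return True, "domain name"


def host_of(request_host: str) -> str:
    """Normalize an HTTP Host value: drop any :port, lower-case (assumed normalization)."""
    if request_host.startswith("[") and "]" in request_host:
        return request_host[: request_host.index("]") + 1].lower()
    return request_host.split(":", 1)[0].lower()


def headers_for(entries: list[dict[str, str]], request_host: str) -> list[str]:
    """Header lines to insert for a request to request_host; entries with invalid Domains are skipped."""
    host = host_of(request_host)
    return [f"{e['key']}: {e['value']}" for e in entries
            if validate_domain(e["domain"])[0] and e["domain"].lower() == host]


# Constructed entries. The first uses the header Google documents for limiting sign-in
# to the listed Workspace domains; the domains themselves are placeholders.
ENTRIES = [
    {"domain": "google.com", "key": "X-GoogApps-Allowed-Domains", "value": "example.com,example.org"},
    {"domain": "[2001:2002:2003::2005:2006]", "key": "X-Constructed-Header", "value": "1"},
    {"domain": "bad domain.example", "key": "X-Never-Inserted", "value": "1"},  # invalid: space
]


def demo() -> dict[str, list[str]]:
    """Header selection for a few constructed request Hosts."""
    return {
        "google_with_port": headers_for(ENTRIES, "google.com:443"),
        "ipv6_with_port": headers_for(ENTRIES, "[2001:2002:2003::2005:2006]:8080"),
        "invalid_entry": headers_for(ENTRIES, "bad domain.example"),
        "subdomain": headers_for(ENTRIES, "docs.google.com"),
    }


if __name__ == "__main__":
    for entry in ENTRIES:
        print(entry["domain"], validate_domain(entry["domain"]))
    print(demo())
```

The last case is worth noting: under the exact-match assumption an entry for `google.com` does not cover `docs.google.com`, so each host that serves the sign-in flow needs its own entry; confirm the real matching behaviour on the appliance before relying on either reading.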

Editing a CFS Profile Object

To edit a CFS Profile Object:

1 Click the Edit icon for the CFS Profile Object to be edited. The Edit CFS Profile Object dialog displays. This dialog is the same as the Add CFS Profile Object dialog.
2 To make your changes, follow the appropriate procedures in Configuring CFS Profile Objects.

Deleting CFS Profile Objects

To delete CFS Profile Objects:

1 Do one of these:
   • Click the Delete icon for the Profile object to be deleted. Click OK.
   • Click the checkbox for one or more Profile objects to be deleted. Click Delete Profile Object(s). Click OK or Cancel.

To delete all CFS Profile Objects:

1 Select all CFS Profile Objects by selecting the top checkbox in the left column. When all CFS Profile Objects are selected, click Delete Profile Object(s). All CFS Profile Objects are deleted except for the default object, CFS Default Profile.

Applying Content Filter Objects

After you finish configuring your Content Filter Objects, you need to apply them to Content Filter policies. Content Filter policies are configured on the Security Services > Content Filter page. For quick access to this page, there is a link below the CFS Profile Objects table.

11 Configuring AWS Objects

Topics:
   • Firewall > AWS Objects
   • About Address Object Mapping with AWS
   • Viewing Instance Properties in GMS
   • Creating a New Address Object Mapping
   • Enabling Mapping
   • Configuring Synchronization
   • Configuring Regions to Monitor
   • Verifying AWS Address Objects and Groups

Before setting up Amazon Web Services (AWS) objects or groups, be sure to configure the firewall with the AWS credentials that it needs to use. You can configure these credentials in Firewall > AWS Objects. In addition, Test Configuration is available there to validate your settings before proceeding. For more information, see Configuring AWS Credentials in the GMS Network administration documentation. If AWS is not yet configured, the Firewall > AWS Objects page displays a link to the configuration page. Click that link to open the Network > AWS Configuration page.

Firewall > AWS Objects

The AWS Objects page is used to map the IP addresses of EC2 Instances running in the AWS Cloud to address objects and address groups configured on the firewall. New address objects are created for Instance IP addresses, address groups are created for all addresses of an Instance, and those Instance address groups can be added to existing address groups. Those objects, as with any other address objects and address groups, can then be used in firewall policies and features to permit or block access, route traffic, and so on.

The Firewall > AWS Objects page allows a GMS administrator to specify sets of EC2 Instance properties. If any of the Instances in one of the monitored regions matches a set of properties, address objects and address groups are created so that, effectively, an address group representing the Instance is added to the custom, preexisting address group specified in the relevant mapping. This address group can be used in firewall policies and, as a result, those policies can shape the interaction with EC2 Instances running on AWS.

Topics:
   • About Address Object Mapping with AWS
   • Viewing Instance Properties in GMS
   • Creating a New Address Object Mapping
   • Enabling Mapping
   • Configuring Synchronization
   • Configuring Regions to Monitor
   • Verifying AWS Address Objects and Groups

About Address Object Mapping with AWS

EC2 Instances are virtual machines (VMs) running on AWS. Each instance can be one of a number of different available types, depending on the resources required for that instance by the customer. The virtual machine is an instance of a particular Amazon Machine Image (AMI), essentially a template and a specification for VMs that are created from it. All EC2 Instances have a number of properties, including:
   • Instance type
   • AMI used in their creation
   • Running state
   • ID used for identification
   • ID of the Virtual Private Cloud (VPC) where the Instance is located
   • A set of user-defined tags

You can use any or all of those properties to map matching Instances to address groups that a GMS administrator has previously configured on the firewall. Those address groups can be used in Route, VPN, and Firewall Policies that can affect how the firewall interacts with AWS-hosted machines.

In order to map EC2 Instances to firewall address groups, the Administrator configures any number of mappings between sets of instance properties and preexisting address groups. If an EC2 Instance, in any of the monitored AWS Regions, matches a set of specified properties, one or more address objects and a single address group are created to represent that Instance, and that address group is added to the target address group of the relevant mapping.

EC2 Instances can have multiple private and public IP addresses depending on the number of virtual network interfaces and the use of Elastic IP Addresses. When an Instance matches the properties specified in a mapping, address objects are created for each of its IP addresses, both public and private. Those address objects are then added into one address group that represents the EC2 Instance as a whole. It is that "Instance address group" that is then added to the mapping's target address group, an existing address group used in the configuration of the various firewall policies. Any one EC2 Instance might match the criteria of more than one mapping, in which case the Instance address group is added to more than one target address group. There are no limits.
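The mapping model above has three layers (one address object per Instance IP, one address group per matched Instance, and the target address groups the Instance groups are added to), and the page states that an Instance may match more than one mapping. The Python below is an added example that models that synchronization, not SonicWall or AWS code: the property names, the generated object and group names, and the sample Instances with their IDs and addresses are constructed here, and it is assumed (the page does not say) that all conditions in one mapping must match.

```python
"""Model of the EC2 Instance to address-group mapping described above (added example; not SonicWall or AWS code).

Assumptions not stated on the page: all conditions in a mapping must
match (AND); property names, generated object and group names, and the
sample Instances, IDs and addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Instance:
    instance_id: str
    instance_type: str
    ami: str
    state: str
    vpc_id: str
    private_ips: list[str]
    public_ips: list[str]           # including any Elastic IP addresses
    tags: dict[str, str]            # user-defined tags


@dataclass
class Condition:
    prop: str                       # an Instance field name, or "tag" for a custom tag
    value: str
    key: str | None = None          # tag key when prop == "tag"

    def matches(self, inst: Instance) -> bool:
        if self.prop == "tag":
            return inst.tags.get(self.key or "") == self.value
        return getattr(inst, self.prop) == self.value


@dataclass
class Mapping:
    target_group: str               # pre-existing custom address group on the firewall
    conditions: list[Condition]

    def matches(self, inst: Instance) -> bool:
        return all(c.matches(inst) for c in self.conditions)


def synchronize(instances: list[Instance], mappings: list[Mapping]):
    """Return (address_objects, address_groups) for the given Instances and mappings.

    address_objects: name -> IP address, one per Instance IP, public and private.
    address_groups: name -> member names; one group per matched Instance, plus each
    mapping's target group, which receives the Instance groups.
    """
    objects: dict[str, str] = {}
    groups: dict[str, set[str]] = {m.target_group: set() for m in mappings}
    for inst in instances:
        matched = [m for m in mappings if m.matches(inst)]
        if not matched:
            continue                                # nothing is created for an unmatched Instance
        inst_group = f"AWS_{inst.instance_id}"
        members: set[str] = set()
        for ip in inst.private_ips + inst.public_ips:
            name = f"AWS_{inst.instance_id}_{ip}"
            objects[name] = ip
            members.add(name)
        groups[inst_group] = members
        for m in matched:                           # no limit: one Instance may join several targets
            groups[m.target_group].add(inst_group)
    return objects, groups


def demo():
    """Constructed Instances and mappings (IDs, AMIs and addresses are placeholders)."""
    instances = [
        Instance("i-0web1", "t3.small", "ami-0aaa", "running", "vpc-0123",
                 ["10.0.1.10"], ["203.0.113.10"], {"role": "web"}),
        Instance("i-0db1", "t3.medium", "ami-0aaa", "running", "vpc-0123",
                 ["10.0.2.20"], [], {"role": "db"}),
        Instance("i-0old1", "t3.small", "ami-0aaa", "stopped", "vpc-0123",
                 ["10.0.1.11"], [], {"role": "web"}),
    ]
    mappings = [
        Mapping("WebServers", [Condition("tag", "web", key="role"), Condition("state", "running")]),
        Mapping("AllRunning", [Condition("state", "running")]),
    ]
    return synchronize(instances, mappings)


if __name__ == "__main__":
    objects, groups = demo()
    print(objects)
    print({g: sorted(m) for g, m in groups.items()})
```

The running web Instance lands in both `WebServers` and `AllRunning` through its single Instance group, the database Instance only in `AllRunning`, and the stopped Instance produces no objects at all; a policy that references `WebServers` therefore follows the Instance's addresses, public and private, as long as the tag and state still match.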

Tagging an EC2 Instance on AWS

There are multiple ways to tag an EC2 Instance. This section describes how to do so manually.

To manually add a tag to an existing EC2 Instance:

1 On the AWS Console, navigate to the EC2 Dashboard and launch a virtual server by clicking Launch Instance.
2 Select the Instance that you wish to tag by selecting the checkbox in the first column of the table.
3 With the Instance selected, click Review and Launch to launch the pop-up menu.
4 Select Instance Settings and then select Add/Edit Tags. The Add/Edit Tags dialog is displayed.
5 In the Add/Edit Tags dialog, enter descriptive values in the Key and Value fields.
6 Click Save to tag the Instance with this key and value.
7 Verify the tag on the Instances page under the EC2 Dashboard. With the Instance still selected, view the associated tags by clicking the Tags tab in the panel at the bottom of the page. This confirms that the EC2 Instance has been tagged.

You can now use that tag when defining address object mappings in the GMS user interface.

Viewing Instance Properties in GMS

The Firewall > AWS Objects page provides a way to define mappings between sets of EC2 Instance properties and firewall address groups. Address objects and an address group are created for any EC2 Instance that matches the set of specified properties, and that address group is added to the mapping's target address group. For any EC2 Instance, you can view the values of the properties that can be used in a mapping by clicking Information in the row for the Instance. This launches a pop-up dialog that displays the Instance's ID, running state, AMI, type, VPC ID and its IP addresses. The user-defined (custom) tags and their values are also listed.

Creating a New Address Object Mapping

To create a new address object mapping: 1 Navigate to the Firewall > AWS Objects page. 2 Click New Mapping. This pops up a dialog enabling you to specify the details of the mapping.

3 In the Address Group drop-down list, select the existing address group to which the address groups representing any matched EC2 Instances are added. Only custom address groups are shown in the selection control. If you have added a custom tag to an address group, you can use this custom tag to add a new condition to the mapping.

4 Click New Condition. The Mapping Condition dialog is displayed.

5 Choose the desired property from the Property drop-down list. For example, select Custom Tag. 6 In the Key field, enter the key for the tag. 7 In the Value field, enter the value that you wish to match against, such as true.

8 Click OK. 9 Back in the Address Group Mapping dialog, optionally add another mapping condition by clicking New Condition again. 10 Select the desired property from the Property drop-down menu. 11 Fill in the displayed fields as needed.

12 Click OK. 13 Back in the Address Group Mapping dialog, review the whole mapping condition you are about to create.

Any EC2 Instance in the regions of interest that matches all of the specified conditions (in this example, having a custom tag of AccountsServer = true and being of type t2.micro) has address objects created for each of its IP addresses. Those address objects are added to an address group representing the EC2 Instance as a whole, and that address group is added to the address group targeted in the mapping. In this example, that is the address group called AccountsDeptServers. 14 Optionally edit or delete particular conditions by clicking the corresponding button in the Manage column of the row. 15 When ready, click OK. 16 In the Firewall > AWS Objects page, click ACCEPT to save the mapping.
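The mapping logic the procedure above configures, as an added Python example that is not GMS code and not from this guide. The instance records, the mappings (including the guide's AccountsServer = true / t2.micro example) and the region list are constructed inline; the address-object names follow the guide's stated convention (Instance ID plus a public or private suffix), but the exact suffix text and the "_N" numbering are assumptions. The third mapping goes beyond the guide's example to show that, without a Running State condition, a stopped instance still matches.

```python
"""Added example, not part of the GMS product or this guide: evaluates
address-object mappings against EC2 instance descriptions the way the
AWS Objects page describes. The instance records, mappings and region
list are constructed; the address-object names follow the guide's stated
convention (Instance ID plus a public/private suffix) but the exact
suffix text is an assumption."""
from collections import defaultdict

# Constructed sample instances, carrying the properties the guide lists.
INSTANCES = [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "InstanceType": "t2.micro",
     "ImageId": "ami-0123456789abcdef0", "State": "running",
     "VpcId": "vpc-0aaa", "Region": "us-east-1",
     "Tags": {"AccountsServer": "true", "Name": "acct-1"},
     "PrivateIps": ["10.0.1.10", "10.0.1.11"], "PublicIps": ["203.0.113.10"]},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "InstanceType": "t3.large",
     "ImageId": "ami-0123456789abcdef0", "State": "running",
     "VpcId": "vpc-0aaa", "Region": "us-east-1",
     "Tags": {"AccountsServer": "true"},
     "PrivateIps": ["10.0.1.20"], "PublicIps": []},
    {"InstanceId": "i-0a1b2c3d4e5f60003", "InstanceType": "t2.micro",
     "ImageId": "ami-0fedcba9876543210", "State": "stopped",
     "VpcId": "vpc-0bbb", "Region": "eu-west-1",
     "Tags": {"AccountsServer": "true"},
     "PrivateIps": ["10.1.1.30"], "PublicIps": ["198.51.100.30"]},
]

# Conditions are (property, key, value) tuples; key is only used for Custom Tag.
PROPERTY_FIELDS = {"Instance Type": "InstanceType", "AMI": "ImageId",
                   "Running State": "State", "Instance ID": "InstanceId",
                   "VPC ID": "VpcId"}

MAPPINGS = [
    # The guide's example: AccountsServer = true AND type t2.micro.
    {"target": "AccountsDeptServers",
     "conditions": [("Custom Tag", "AccountsServer", "true"),
                    ("Instance Type", None, "t2.micro")]},
    # A second mapping the same instance can also match.
    {"target": "AllAccountsTagged",
     "conditions": [("Custom Tag", "AccountsServer", "true")]},
    # Adding a Running State condition keeps stopped instances out.
    {"target": "RunningAccountsServers",
     "conditions": [("Custom Tag", "AccountsServer", "true"),
                    ("Running State", None, "running")]},
]


def condition_matches(inst, prop, key, value):
    if prop == "Custom Tag":
        return inst["Tags"].get(key) == value
    return inst[PROPERTY_FIELDS[prop]] == value


def instance_address_objects(inst):
    """One host address object per IP; private addresses go to the VPN zone
    and public addresses to the WAN zone, as the guide states. The
    "_private_N"/"_public_N" suffixes are an assumption."""
    iid = inst["InstanceId"]
    objs = [{"name": f"{iid}_private_{n}", "ip": ip, "zone": "VPN"}
            for n, ip in enumerate(inst["PrivateIps"], 1)]
    objs += [{"name": f"{iid}_public_{n}", "ip": ip, "zone": "WAN"}
             for n, ip in enumerate(inst["PublicIps"], 1)]
    return objs


def evaluate_mappings(instances, mappings, regions):
    """Return {target group: {instance group (= Instance ID): [address objects]}}.
    Every condition in a mapping must hold (AND); an instance may satisfy
    several mappings; instances outside the monitored regions are ignored."""
    result = defaultdict(dict)
    for inst in instances:
        if inst["Region"] not in regions:
            continue
        for m in mappings:
            if all(condition_matches(inst, *c) for c in m["conditions"]):
                result[m["target"]][inst["InstanceId"]] = instance_address_objects(inst)
    return dict(result)


if __name__ == "__main__":
    for target, groups in evaluate_mappings(INSTANCES, MAPPINGS, {"us-east-1"}).items():
        print(target, "<-", sorted(groups))
```

Two points the example makes concrete: instances in regions that are not monitored never produce objects no matter how well they match, and a mapping with no Running State condition keeps a stopped instance (and its retained private address) inside the target group until the next synchronization after it is terminated.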

Enabling Mapping You can create any number of address object mappings, however, they do not take effect until you enable mapping.

To enable mapping: 1 On the Firewall > AWS Objects page, select Enable Mapping. 2 Click Update.

Configuring Synchronization The Synchronization Interval determines how often the firewall should check for changes and make any necessary updates to the relevant address objects and address groups. Synchronization is needed because the address object mappings and the AWS regions being monitored can be changed or reconfigured at any time, while the IP addresses and running state of the EC2 instances might be changed on AWS.

To configure the Synchronization Interval: 1 On the Firewall > AWS Objects page, enter the desired number of seconds into the Synchronization Interval field. The default value is 180 seconds. 2 Click Update.

To force synchronization: 1 On the Firewall > AWS Objects page, click Force Synchronization. This is useful if you are aware of changes on AWS and want the address objects updated immediately rather than at the next interval. (Clicking Delete AWS Address Objects instead removes the address objects and groups that mapping has generated.) 2 Click Update. 3 Click Request Latest Data so that the page refreshes and reflects the latest data.

Configuring Regions to Monitor EC2 Instances are tied to particular AWS Regions. GMS only monitors those AWS regions of particular interest. By default, this setting is initialized to the AWS region chosen as the Default Region during AWS Configuration and used if sending firewall logs to AWS CloudWatch Logs. However, it is possible to select multiple regions to monitor and the mappings are applied across each of those selected.

To select one or more regions to monitor: 1 On the Firewall > AWS Objects page, click the Regions to Monitor drop-down menu and select the region of interest. You can also press Ctrl-A to select all regions, or hold down the Ctrl key to select multiple regions. 2 Click Update.

Verifying AWS Address Objects and Groups With mappings in place, a Synchronization Interval set, Regions to Monitor specified and, most importantly, Mapping enabled, you can view the address objects and address groups representing the matched EC2 Instances and their IP addresses.

For example, on the AWS Objects page itself, the address group and the Mapped address groups are shown in the AWS EC2 Instances table.

Expanding the relevant row reveals the address objects corresponding to an Instance's public and private IP addresses. Navigating to the Firewall > Address Objects page in GMS and viewing the Address Object screen shows those same host address objects. Address objects for private IP addresses are assigned to the VPN zone, and those for public IP addresses to the WAN zone, so access rules that reference the target address group should be written with those zones in mind.

A naming convention is used for the Instance address group and for the address objects of each IP address, based on the Instance ID and, for the address objects, a suffix indicating whether the address is public or private.

Viewing the Address Groups screen and expanding the rows of interest shows that the original AccountsDeptServers address group now has an address group, representing an EC2 Instance, as a member.

The EC2 Instance address group itself contains the address objects that were created for each of its IP addresses.


Configuring Content Filter Policies

• About CFS • Configuring CFS Policies

About CFS The SonicWall Content Filtering Service (CFS) delivers content filtering enforcement for educational institutions, businesses, libraries, and government agencies. With Content Filter policies and objects, you can control the websites students and employees can access using their IT-issued computers while behind the organization’s firewall.

NOTE: For more information about CFS, as well as how to license and install it, see the SonicWall Content Filtering Service Upgrade Guide. For how to create Content Filter Objects for CFS policies, see Configuring Content Filter Objects.

CFS compares requested websites against a massive cloud database that contains millions of rated URIs, IP addresses, and websites. It also provides you with the tools to create and apply policies that allow or deny access to sites based on individual or group identity and/or by time of day.

Topics: • About Content Filter Policies • About Content Filter Objects • How CFS Works

About Content Filter Policies A Content Filter policy determines whether a packet is filtered (by applying the configured CFS Action) or simply allowed through to the user. A Content Filter policy defines the filtering conditions to which a packet is compared:

• Name • Source Zone • Destination Zone • Source Address Included • User/Group Included • Schedule

If a packet matches all the defined conditions, the packet is filtered according to the corresponding CFS Profile, and the CFS Action is applied. NOTE: If authentication data for a User/Group is not available during matching, no match can be made for this condition. This strategy prevents performance issues, especially when Single Sign-On is in use.

Each Content Filter policy has a priority level, and policies with higher priorities are checked first.

CFS uses a policy table internally to manage all the configured policies. For each policy element, the table is constructed from configuration data and runtime data. The configuration data includes the parameters that define the policy in the user interface, such as the policy name and its properties. The runtime data includes the parameters used for packet handling. CFS also uses a policy lookup table to accelerate runtime policy lookup on these matching conditions:

• Source Zone • Destination Zone • IPv4 AO • IPv6 AO

About Content Filter Objects CFS uses Content Filter Objects in its Content Filter Policies to identify URLs and domains for filtering, and to specify the type of action to be taken when filtering. Under the CFS rating design, a domain might be resolved to one of four ratings; from highest to lowest priority, the ratings are:

1 Block
2 Passphrase
3 Confirm
4 BWM (bandwidth management)

If the URL is not categorized into any of these ratings, the operation is allowed.

How CFS Works CFS must be licensed and enabled before you can use it. For more information about global CFS settings, exclusions, and custom categories, see the GMS Security Services administration documentation. An outline of how CFS works is as follows:

1 A packet arrives and is examined by CFS.
2 CFS checks the packet against the configured exclusion addresses and allows it through if a match is found.
3 CFS checks its policies, in priority order, to locate the first policy that matches these conditions within the packet:
• Source zone
• Destination zone
• Source Address Object Included
• Users/Groups Included
• Schedule
• Enabled state
4 CFS uses the CFS Profile defined in the matching policy to complete the filtering and returns the corresponding action for this packet.
5 CFS performs the action defined in the CFS Action Object for the matching policy.

NOTE: If no policy is matched, the packet is passed through without any action by CFS.
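The lookup described in "How CFS Works", as an added Python example that is not SonicWall code and not from this guide. The policy table, exclusion list and sample packets are constructed; the "Any" zone, a schedule reduced to an hour-of-day window, and the treatment of an "All" users policy as having no identity condition are assumptions made for the example. It shows the behaviour the NOTE above calls out: a packet with no authentication data can only be matched by a policy that has no User/Group condition.

```python
"""Added example, not SonicWall code: first-match Content Filter policy
lookup following the outline in "How CFS Works". The policies, exclusion
list and packets are constructed; zone "Any", a schedule reduced to an
hour-of-day window, and the treatment of "All" users as "no identity
condition" are assumptions made for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    priority: int                 # lower value is checked first (assumption)
    src_zone: str
    dst_zone: str
    src_addrs: List[str]          # CIDRs; ["any"] matches every source
    users: List[str]              # ["All"] = no identity condition
    users_excluded: List[str]
    hours: Tuple[int, int]        # (start, end) hour of day; (0, 24) = Always On
    profile: str
    action: str
    enabled: bool = True


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    user: Optional[str]           # None = no authentication data available
    groups: List[str]
    hour: int


def addr_match(cidrs, ip):
    if "any" in cidrs:
        return True
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(c, strict=False) for c in cidrs)


def user_match(p, pkt):
    """The guide's rule: without authentication data a User/Group condition
    cannot match, so only a policy with no identity condition can apply."""
    if "All" in p.users and not p.users_excluded:
        return True
    if pkt.user is None:
        return False
    ids = {pkt.user, *pkt.groups}
    if ids & set(p.users_excluded):
        return False
    return "All" in p.users or bool(ids & set(p.users))


def lookup(policies, exclusions, pkt):
    """Return (policy name, profile, action) for the first matching enabled
    policy in priority order, or None when the source is excluded or nothing
    matches (CFS then passes the packet through untouched)."""
    if addr_match(exclusions, pkt.src_ip):
        return None
    for p in sorted(policies, key=lambda x: x.priority):
        if not p.enabled:
            continue
        if p.src_zone not in ("Any", pkt.src_zone) or p.dst_zone not in ("Any", pkt.dst_zone):
            continue
        if not addr_match(p.src_addrs, pkt.src_ip) or not user_match(p, pkt):
            continue
        start, end = p.hours
        if not start <= pkt.hour < end:
            continue
        return (p.name, p.profile, p.action)
    return None


# Constructed policy table and exclusion list.
POLICIES = [
    Policy("Students-SchoolHours", 10, "LAN", "WAN", ["10.10.0.0/16"], ["Students"], [],
           (8, 16), "StrictProfile", "BlockPage"),
    Policy("Staff", 20, "LAN", "WAN", ["any"], ["Staff"], ["Contractors"],
           (0, 24), "StaffProfile", "LogOnly"),
    Policy("Disabled-Test", 5, "Any", "Any", ["any"], ["All"], [],
           (0, 24), "StrictProfile", "BlockPage", enabled=False),
    Policy("CFS Default Policy", 100, "Any", "Any", ["any"], ["All"], [],
           (0, 24), "CFS Default Profile", "CFS Default Action"),
]
EXCLUSIONS = ["10.10.255.0/24"]

if __name__ == "__main__":
    print(lookup(POLICIES, EXCLUSIONS, Packet("LAN", "WAN", "10.10.1.6", None, [], 10)))
```

The practical consequence for an SSO deployment: traffic seen before the user's identity has been resolved falls through every identity-specific policy to the default policy, so the default policy's profile, not the strict one, is what protects that window.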

Configuring CFS Policies This section describes the Content Filter policy table and provides instructions for configuring, editing, and deleting a Content Filter policy.

Topics: • About the Content Filter Policy Table • Adding a Content Filter Policy • Editing a Content Filter Policy • Deleting Content Filter Policies

About the Content Filter Policy Table

Name: Name of the Content Filter policy.
Source Zone: Source zone for the Content Filter policy.
Destination Zone: Destination zone for the Content Filter policy.
Source Address Included/Excluded: Source address object for the Content Filter policy.
User/Groups Included/Excluded: User or group to which the Content Filter policy applies.
Schedule: Time that the Content Filter policy is in effect.
Action: CFS action object used by the Content Filter policy.
Enabled: To enable the Content Filter policy, select its checkbox. The default policy, CFS Default Policy, is enabled by default.
Configure: Displays these icons for each policy:
• Edit: Clicking this icon displays the Edit CFS Policy dialog.
• Delete: Clicking this icon deletes the Content Filter policy. A confirmation dialog displays. Click OK.
NOTE: The default Content Filter policy, CFS Default Policy, cannot be deleted, and its Delete icon is dimmed.

Searching the Content Filter Policy Table You can search a long table for a specific Content Filter policy name: 1 Enter the policy name in the Search field at the top of the table. 2 Click Search.

Adding a Content Filter Policy

To add a Content Filter policy: 1 Navigate to Firewall > Content Filter Policies.

2 Click Add Policy. The CFS Policy dialog displays.

3 In the Name field, enter a friendly, meaningful name for the new policy. 4 From the Source Zone drop-down menu, choose a zone. 5 From the Destination Zone drop-down menu, choose a zone. 6 From the Source Address Included drop-down menu, choose an address. The default is Any. You also can create a new address object by choosing Create new Address; for information about creating an address object, see Configuring Address Objects.

7 From the User/Groups Included drop-down menu, choose the user or groups to which the policy applies. The default is All. 8 From the User/Group Excluded drop-down menu, choose any user or groups you would like to exclude from the policy. None is the default. 9 From the Schedule drop-down menu, choose when the policy is in effect. The default is Always On. You also can create a customized schedule by choosing Create new Schedule; for information about creating a schedule, see SonicWall GMS System Setup. 10 From the Profile drop-down menu, choose a CFS profile object. You also can create a new CFS profile object by choosing Create new Profile; for information about creating a CFS profile object, see Configuring Content Filter Objects. 11 From the Action drop-down menu, choose a CFS action object. You also can create a new CFS action object by choosing Create new Action; for information about creating a CFS action object, see Configuring Action Objects. 12 Click OK.

Editing a Content Filter Policy

To edit a Content Filter policy: 1 Navigate to Firewall > Content Filter Policies.

2 Click the Edit icon for the Content Filter policy to be edited. The Edit CFS Policy dialog displays.

3 To make your changes, follow the steps in Adding a Content Filter Policy.

Deleting Content Filter Policies

To delete one or more Content Filter policies: 1 In the Content Filter Policies page, do one of the following: • Click the Delete icon in the Configure column for the Content Filter policy to be deleted. • Select the checkbox for one or more Content Filter policies to be deleted, then click Delete Policy(s). 2 Click OK in the confirmation dialog.

To delete all Content Filter policies: 1 Select the checkbox at the top left of the table to select all CFS policies, then click Delete Policy(s). All Content Filter policies are deleted except for the default policy, CFS Default Policy. 2 Click OK in the confirmation dialog.


Configuring Dynamic External Objects

Topics: • Objects > Dynamic External Objects • High Availability Requirements • Adding Dynamic External Objects • Editing Dynamic External Objects • Deleting Dynamic External Objects

Objects > Dynamic External Objects Dynamic External Objects consist of Dynamic External Address Objects (DEAO) and Dynamic External Address Groups (DEAG). Dynamic External Address Objects are intermediate, internal objects that are dynamically created and placed under a Dynamic External Address Group when a Dynamic External Address Group file is downloaded. A Dynamic External Address Group is an Address Group whose members are dynamic. A DEAG eliminates the need to manually modify an Address Group to add or remove members. Multiple Dynamic External Address Groups can be configured, and you can use these DEAGs in access rules.

The maximum number of DEAOs is 25 percent of the total number of Address Objects supported by the device or the number of Address Objects that can still be created, whichever is smaller. The same applies to DEAGs, but the limits are based on the number of Address Groups. For example, if a device supports 1024 Address Groups and you are using only 20 Address Groups, then 256 DEAGs (25% of 1024) can be created. However, if you have already manually created 1000 Address Groups, then only 24 DEAGs can be created.

Dynamic External Objects Page

The creation of a Dynamic External Object consists of two parts:

• The user-provided configuration of the Dynamic External Address Group. This is similar to the dynamic botnet list, but with a few extra parameters. • Creation of the Dynamic External Address Group with the information downloaded from the Dynamic External Address Group file. This is a text file with a list of IP addresses, one per line. It can include subnets specified in CIDR format. The maximum number of IP addresses and subnets the file can contain is 25 percent of the total number of address objects supported by the device. For example, if you want to maintain a group for all partner IP addresses on which certain access rules are enforced, you can create a Dynamic External Address Group / Dynamic External Object. Because the downloaded list directly populates address objects that access rules act on, the server that hosts the file and the accounts that can write to it are effectively part of the firewall's policy trust boundary and should be protected accordingly.

Topics: • High Availability Requirements • Adding Dynamic External Objects • Editing Dynamic External Objects • Deleting Dynamic External Objects

High Availability Requirements When deployed as a High Availability pair, both the active and standby firewalls must have a connection to the server to download the file that contains the list of IP addresses. This requires configuring the monitoring IP address on the standby unit.

Adding Dynamic External Objects You can add dynamic address objects using the Dynamic External Object page. Edit, flush, download, or delete these address objects using the options available under Configure.

To add a Dynamic External Object: 1 Navigate to the Firewall > Dynamic External Objects page.

2 Click Add Address Object. This pops up a dialog enabling you to specify the Dynamic Address Object details.

3 The Type field is set to Address Group, with no other options.
4 Enter a unique, descriptive name for the dynamic external address group in the Name field. "DEAG_" is automatically prepended to the name when saved.
5 In the Zone Assignment drop-down list, select the zone for the Dynamic External Address Group.
6 Select Enable Periodic Download for ongoing, periodic downloads.
7 If Enable Periodic Download is enabled, select the number of minutes or hours between downloads in the Download interval field. You can select one of:
• 5 minutes
• 15 minutes
• 1 hour
• 24 hours
8 Select the protocol to use for communication with the server from the Protocol drop-down list. The choices are FTP or HTTPS. The remaining fields in the dialog differ for FTP and HTTPS.
NOTE: FTP sends the Login ID and Password in cleartext and does not authenticate the server; prefer HTTPS wherever the server supports it.
9 If you selected FTP as the protocol, specify the following:
• Server IP Address – the IP address of the FTP server
• Login ID – the user name for logging into the FTP server
• Password – the password for logging into the FTP server
• Directory Path – the folder in which the Dynamic External Address Group file resides on the FTP server
• File Name – the Dynamic External Address Group file on the FTP server

This file is a text file with a list of IP addresses, one per line. It can include subnets specified in CIDR format. The maximum number of IP addresses and subnets the file can contain is 25 percent of the total number of address objects supported by the device. 10 If you selected HTTPS as the protocol, specify the following: • URL Name – the URL that has the list of IP addresses (up to 25% of the total address objects allowed on the firewall)

The URL Name should start with https:// and follow with the page name. This page contains the list of IP addresses. 11 Click OK. Based on the configuration, the firewall reads the list of IP addresses from the file or URL. Then GMS automatically creates the following: • Address group with the name provided in the Add Dynamic External Object dialog. This address group is read-only, meaning that you cannot edit or delete it. • Address objects for every valid unique IP address in the file. These address objects are also read-only. The individual address objects are then added to the Dynamic External Address Group / Dynamic External Object. You can use this in access rules and policies.
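The list file format and the 25-percent limit described in this chapter, as an added Python example that is not SonicWall code and not from this guide. The list text and the device capacities are constructed (the 1024 / 20 / 1000 figures are the ones the chapter uses); skipping blank lines and reporting invalid or duplicate lines instead of failing the whole download is an assumption, since the guide only says that objects are created for every valid unique address.

```python
"""Added example, not SonicWall code: validates a Dynamic External Address
Group list file and applies the 25-percent limit described in this chapter.
The list text and the device limits are constructed; blank lines are skipped
and invalid or duplicate lines are reported rather than failing the whole
download, which is an assumption (the guide only says that objects are
created for every valid unique address)."""
import ipaddress

# Constructed sample list: one address or CIDR subnet per line.
SAMPLE_LIST = """\
192.0.2.10
192.0.2.10
198.51.100.0/24
203.0.113.0/27
2001:db8:1::/48
not-an-address
192.0.2.300
"""


def deao_limit(supported, in_use):
    """Maximum entries a DEAG may add: 25% of the device's address-object
    capacity or the capacity still free, whichever is smaller."""
    return min(supported // 4, max(supported - in_use, 0))


def parse_deag_list(text):
    """Return (valid unique entries in file order, rejected (line, text))."""
    entries, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, line))
            continue
        key = str(net)                     # host entries become /32 or /128
        if key not in seen:
            seen.add(key)
            entries.append(key)
    return entries, rejected


def build_deag(name, text, supported, in_use):
    """Build the read-only group the firewall would create, refusing lists
    that exceed the limit instead of silently truncating them."""
    entries, rejected = parse_deag_list(text)
    cap = deao_limit(supported, in_use)
    if len(entries) > cap:
        raise ValueError(f"{len(entries)} entries exceed the DEAO limit of {cap}")
    return {"group": "DEAG_" + name, "members": entries, "rejected": rejected}


if __name__ == "__main__":
    print(build_deag("Partners", SAMPLE_LIST, 1024, 20))
```

Running the same validation on the file before it is published to the FTP or HTTPS server catches malformed lines and oversized lists at the source, where they can be fixed, rather than on the firewall after a failed download.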

Editing Dynamic External Objects Click the Edit icon in the Configure column to edit the Dynamic External Address Group / Dynamic External Object in the Edit Dynamic External Object dialog, which includes the same configuration settings as the Add Dynamic External Object dialog. You cannot change the Name of the DEAG or the Zone Assignment when editing the Dynamic External Object.

Deleting Dynamic External Objects The Firewall > Dynamic External Objects page shows the complete set of dynamic external objects added. You can use the search box to find a specific address object using its name, group type, zone, or protocol.

To delete Dynamic External Objects: 1 Navigate to the Firewall > Dynamic External Objects page.

2 Do one of the following: • Click the Delete icon in the Configure column for the object to be deleted. • Select the checkbox for one or more objects to be deleted, or, to delete ALL Dynamic External Objects, select the top-left checkbox in the column heading; when all checkboxes are selected, click Delete Address Object(s). NOTE: If a Dynamic External Address Group is in use, such as when an access rule references it, the deletion attempt fails.


SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support. The Support Portal enables you to: • View knowledge base articles and technical documentation • View and participate in the Community forum discussions at https://community.sonicwall.com/technology-and-support. • View video tutorials • Access MySonicWall • Learn about SonicWall professional services • Review SonicWall Support services and warranty information • Register for training and certification • Request technical support or customer service To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.

About This Document

Legend

NOTE: A NOTE icon indicates supporting information.

IMPORTANT: An IMPORTANT icon indicates supporting information that may need a little extra attention.

TIP: A TIP indicates helpful information.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

Global Management System Firewall Administration Updated - November 2020 Software Version - 9.3 232-005124-00 RevB

Copyright © 2020 SonicWall Inc. All rights reserved.

The information in this document is provided in connection with SonicWall and/or its affiliates' products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserve the right to make changes to specifications and product descriptions at any time without notice. SonicWall and/or its affiliates do not make any commitment to update the information contained in this document. For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/en-us/legal/license-agreements.

Open Source Code SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.”, to: General Public License Source Code Request SonicWall Inc. Attn: Jennifer Anderson 1033 McCarthy Blvd Milpitas, CA 95035
