Firewall Basic Initial Configuration
Primary Firewall Configuration:
A. Registering the Product on MySonicWall account:
1. Visit the MySonicWall account, enter the Username & Password and
click LOG IN.
The MySonicWall login details have already been shared with the current NOC Team
members. To log in to MySonicWall from any new device, we need to
enter the OTP, which is sent to [email protected], a
shared mailbox.
2. Navigate to Product Management | My Products page and click Register
products.
3. Choosing the Tenant is the first step in registering a product on
MySonicWall. Click on the appropriate Tenant from the Search Tenants list.
4. Enter the Serial number and Authentication code of the new Firewall.
Provide a Friendly name for the new Firewall; the location name along with
Primary or HA is preferable.
Example:
Primary: DLF Primary
Secondary : DLF HA
5. After filling in the serial number, authentication code and friendly name,
click on Choose management options.
6. As the last step in product registration, select the On-Box radio option
and click Done.
7. The registered product is displayed in the Product Management | My
Products page in MySonicWall.
B. Downloading the Latest Firmware:
1. In the MySonicWall account, navigate to Resources & Support | Download
Centre page.
2. Choose the respective model or product from the list as shown in the
screenshot below.
Before downloading the respective firmware version, we need to check
with SonicWall support for the recommended version and the known issues of
the respective firmware.
3. Once the firmware versions show up, choose the firmware version, click on
the expansion icon to see the firmware download option and click
on the Download icon.
C. Upgrading the Firmware:
1. Connect the Laptop (Management Computer) directly to the MGMT
(Management) port of the Firewall.
2. The MGMT port of the Firewall is by default accessible using the IP
address 192.168.1.254.
3. Configure the Management Computer with an IP address on the
subnet 192.168.1.x/24 and the default gateway IP 192.168.1.254.
4. Install the PuTTY application on the Management Computer.
5. Open the PuTTY application and enter the details below:
Hostname (or IP address): 192.168.1.254
Connection type: SSH
6. Click Open.
7. A PuTTY Security Alert appears; click Yes to proceed.
8. Provide the login as: admin and press Enter on the keyboard.
9. Type the password: password and press Enter on the keyboard.
10. Once the credentials are validated, the Firewall goes to User EXEC mode as
shown in the screenshot below.
11. Type safemode and press Enter on the keyboard.
12. At the prompt “Are you sure you wish to enter into safemode?
(yes/cancel)”, type yes and press Enter on the keyboard.
13. Open a CMD prompt on the Management Computer and initiate a ping to the
MGMT interface IP (ping 192.168.1.254 -t) to check that the Firewall is UP.
14. In the MySonicWall account, navigate to Product Management | My Products,
click on the Serial Number of the registered Firewall.
15. Make a note of the Maintenance Key of the respective Firewall as shown in
the screenshot below.
16. Open a browser and type in the IP address https://192.168.1.254 in the
address bar.
17. Type in the Maintenance Key and click LOGIN.
18. The Safemode page lands on the FIRMWARE tab by default. Click on Upload
Firmware.
19. Browse for the respective firmware and click Upload.
20. Once the upload is complete, the Uploaded Firmware appears.
21. Click on the BOOT icon of the uploaded firmware version and select the Boot
firmware option with Factory Default Configuration.
22. A warning prompt appears; click OK to proceed.
23. The Firewall restarts and comes UP automatically.
24. Open a browser and type in the IP address https://192.168.1.254 in the
address bar.
25. Override the certificate error in the browser by clicking on the Advanced option
and then Proceed to the firewall IP address.
26. Log in to the Firewall with the default login credentials and click the LOG IN option.
Username: admin
Password: password
D. Run the Setup Wizard or Manual Setup:
1. Launch the Setup Guide wizard or manually configure the Firewall to configure
the WAN interface, change the admin password, and select other settings.
2. Click on the option “To manually configure SonicWall, click here”.
3. Upon launching the manual setup, the Firewall goes to the default
page HOME | Dashboard | System | Device tab on the GUI.
4. Navigate to NETWORK | System | Interfaces and click on the Configure/Edit option
of the X1 (WAN) interface to set up Internet access.
5. In Edit Interface - X1, configure the parameters below:
Zone: WAN
Mode/IP Assignment: Static or DHCP (This is purely based on the
ISP’s offering)
1. If ISP provides static IP address, specify the IP Address, Subnet
Mask, Default Gateway and DNS Server 1, 2 and 3 respectively.
2. If ISP offers a Dynamic IP address, the fields IP Address, Subnet
Mask, Default Gateway and DNS Servers can be left blank as they
would get populated automatically when the configuration is saved.
Enable the MANAGEMENT and USER LOGIN options as required.
Click OK.
Note: As per our Network Standard and Firewall Hardening policy, we need to
enable or disable the settings as per the configuration below.
Any interface allowing HTTP management is changed to HTTPS Management.
Any setting to Add rule to enable redirect from HTTP to HTTPS is disabled (except
on the LAN interface).
Ping Management is disabled on all interfaces (except the LAN interface) and can be
allowed from trusted source IPs for monitoring.
User and Management login should be disabled on all interfaces (except the LAN interface).
6. The X1 WAN interface is configured, and the IP address details appear as shown in
the screenshot below.
E. Registering the Product:
1. To complete the Firewall registration, navigate
to DEVICE | Settings | Licenses page and enter the MySonicWall Login
Username/Password and click Register.
2. The Firewall is registered and displays all the licensing details of SonicWall
Services/Features in the DEVICE | Settings | Licenses page.
F. LAN Interface Configuration:
1. Based on the requirement, we need to select the Default LAN Interface as 1G
Copper, 10G Copper, 10G SFP+, 25G SFP28, or 40G SFP28 and configure it with a
static IP as per
2. If we select X7 as the Default LAN Interface, then open Edit Interface – X7 and
configure the parameters below.
Note: As per our Network Standard and Firewall Hardening policy, we need to
enable or disable the settings as per the configuration below.
Zone: LAN
Mode/IP Assignment: Static IP Mode
Enter the static LAN IP address, Subnet Mask, Default Gateway and DNS
Server details as per the requirements.
Disable “Add rule to enable redirect from HTTP to HTTPS”
Enable HTTPS, Ping, SNMP and SSH in the MANAGEMENT options and HTTPS in the
USER LOGIN options as required.
Click the Advanced tab and enable the “Enable flow reporting” option.
If we are configuring Redundancy or Link Aggregation for the
default LAN port, we need to select the respective options in the
Redundant/Aggregate Ports field. Then click OK. For DMZ configuration,
repeat the same process on the respective interface, selecting the DMZ zone instead of LAN.
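As an added example (not part of this runbook), the script below audits per-interface management settings against the hardening rules from the note in section D step 5 and the LAN settings in section F. The Interface fields and the X1/X7 records are constructed for illustration, not exported from a firewall.

```python
# Added example, not part of the runbook: audit per-interface management
# settings against the hardening rules stated in section D (step 5 note) and
# section F.  The Interface fields and the X1/X7 records are constructed
# sample data, not an export from a firewall.
from dataclasses import dataclass, field

@dataclass
class Interface:
    name: str
    zone: str                                      # "WAN", "LAN" or "DMZ"
    management: set = field(default_factory=set)   # subset of HTTP, HTTPS, PING, SNMP, SSH
    user_login: set = field(default_factory=set)   # subset of HTTP, HTTPS
    http_to_https_redirect: bool = False           # "Add rule to enable redirect from HTTP to HTTPS"
    ping_sources: tuple = ()                       # trusted monitoring IPs allowed to ping
    flow_reporting: bool = False                   # Advanced tab: "Enable flow reporting"

def audit_interface(iface):
    """Return the policy findings for one interface (an empty list means compliant)."""
    findings = []
    lan = iface.zone == "LAN"
    if "HTTP" in iface.management or "HTTP" in iface.user_login:
        findings.append("HTTP management/login must be replaced with HTTPS")
    if iface.http_to_https_redirect and not lan:
        # Section D allows the redirect rule on the LAN interface only; section F
        # disables it on the LAN port as well, so this check is the looser of the two.
        findings.append("HTTP-to-HTTPS redirect rule must be disabled")
    if "PING" in iface.management and not lan and not iface.ping_sources:
        findings.append("Ping management must be disabled or limited to trusted sources")
    if not lan and (iface.management - {"PING"} or iface.user_login):
        findings.append("management and user login must be disabled")
    if lan and not iface.flow_reporting:
        findings.append("flow reporting must be enabled on the LAN interface")
    return findings

def audit(interfaces):
    """Map interface name to findings, listing only non-compliant interfaces."""
    return {i.name: f for i in interfaces if (f := audit_interface(i))}

# Constructed sample: X1 left at weak defaults, X7 configured as section F describes.
SAMPLE = [
    Interface("X1", "WAN", management={"HTTP", "PING"}, user_login={"HTTP"},
              http_to_https_redirect=True),
    Interface("X7", "LAN", management={"HTTPS", "PING", "SNMP", "SSH"},
              user_login={"HTTPS"}, flow_reporting=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: " + "; ".join(findings))
```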
G. Configuring Failover & LB:
Since we are using a secondary ISP, it is mandatory to configure Failover & LB.
Our standard failover concept is Basic Failover: when the Primary ISP is down, the
Firewall should automatically fail over to the secondary.
Configure the secondary WAN interface by repeating the steps from section “D”. Then
configure Failover & LB on the Firewall.
1. Log in to the management page. Navigate to Network | System and click WAN Failover &
LB. The WAN Failover & LB page displays.
2. Enable the boxes Enable Load Balancing and Respond to Probes.
3. To configure failover, click on the Groups tab and click on the pencil/edit icon on the extreme right
of the Default LB group.
Select Basic Failover.
Click on the WAN interface and push it from the left box to the right 'Interface Ordering' box.
In the right box, the interface on top is the Primary WAN.
When the primary WAN fails to provide a connection, it enters standby and allows the
secondary to take over Internet traffic.
4. Check “Preempt and failback to Primary WAN when possible” to enable immediate failback to
the primary WAN when it is back online.
5. The arrows below the right box are used to change the priority of the WAN interfaces. The interface on
top will always be the Primary.
6. Click on the Probing tab in the same window. The probing settings determine how often the
Firewall checks whether there is active Internet on an interface and, if the Internet is down, how long
to wait before switching to the secondary WAN.
Specify how often the SonicWall appliance checks the interface (5-300 seconds) in the Check
interface every field (default: 5 seconds).
Specify the number of times the SonicWall appliance tests the interface as inactive before
failing over in the Deactivate interface after field (default: 6 times). For example, if the
SonicWall appliance tests the interface every five seconds and finds the interface inactive
after three successive attempts, it fails over to the secondary interface after 30 seconds. A low
value ensures quick failover; however, a slight Internet break can then lead to unnecessary
failover/failback.
Specify the number of times the SonicWall appliance tests the interface as active before
failing back to the primary interface in the Reactivate interface after field (default: 3 times). For
example, if the SonicWall appliance tests the interface every five seconds and finds the
interface active after three successive attempts, it fails back to the primary interface after 15
seconds.
Probe responder.global.SonicWall.com on all interfaces in this group - Enable this checkbox
to automatically set Logical/Probe Monitoring on all interfaces in the group. When enabled,
this sends TCP probe packets to the global SNWL host responder.global.SonicWall.com, which
responds to SNWL TCP packets on TCP port 50000. Alternatively, configure the vendor-provided
destinations for Probe Monitoring.
7. Click OK to save the changes on the Load Balancing group.
H. INTERFACE PROBING:
The next and most important setting that ensures proper failover is Probing on each of
the WAN interfaces. The SonicWall appliance can monitor the WAN connectivity by
detecting whether the link is unplugged or disconnected, or by sending probes to the target
IP address of an “always available” upstream device on the WAN network, such as
an ISP-side router. To enable probe monitoring, select Enable Probe
Monitoring under the Manage | Network | Failover and Load Balancing page. Then click on
the edit/pencil icon next to the WAN interface under the LB group. Here you will see
2 options:
Physical probing - checks for physical connectivity, such as a loose Ethernet cable on the WAN or
the WAN modem being off. Physical disconnection is rarely the cause when the Internet
is lost.
Logical Probing - checks using Ping (ICMP) or TCP probes to specific hosts. If selected,
all the options below it become available.
Now, from the drop-down, select when the probe succeeds. There are four options, and the first option is
the recommended setting.
Probe succeeds when either Main Target or Alternate Target responds.
Probe succeeds when both Main Target and Alternate Target respond.
Probe succeeds when Main Target responds.
Succeeds Always (no probing). – Default; all other options are greyed out.
Select the protocol (TCP or ICMP) used for monitoring and enter the IP address and port (TCP only)
of the target. TCP probing is useful if you do not have ping (ICMP) response enabled on your network
devices; in this case, TCP can be used to probe the device on a user-specified port. Ping can be used
against any public domain name/IP address.
Click OK to save the changes.
This process should be repeated on each WAN interface in the LB group.
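As an added example (not part of this runbook), the script below models the four “probe succeeds when” rules from section H together with the check interval and the deactivate/reactivate counters from section G step 6, so the failover and failback timing, and the flapping risk of a low deactivate count, can be seen on a constructed probe history rather than a live link. The rule names and the sample probe results are assumptions for illustration.

```python
# Added example, not part of the runbook: a model of the "probe succeeds when"
# rules from section H and the deactivate/reactivate counters from section G
# step 6, used to see when the primary WAN fails over and fails back.
# The probe samples are constructed, not real probe responses.

def probe_succeeds(rule, main_ok, alt_ok):
    """Apply one of the four 'probe succeeds when' drop-down choices."""
    if rule == "either":          # recommended: Main or Alternate target responds
        return main_ok or alt_ok
    if rule == "both":            # Main and Alternate targets both respond
        return main_ok and alt_ok
    if rule == "main":            # only the Main target counts
        return main_ok
    if rule == "always":          # default: no probing, the link is never marked down
        return True
    raise ValueError(f"unknown rule {rule!r}")

def simulate_primary(samples, rule="either", interval=5,
                     deactivate_after=6, reactivate_after=3):
    """Walk probe samples for the primary WAN, one every `interval` seconds,
    and return the (time_in_seconds, event) transitions.  Defaults are the
    runbook's: check every 5 s, deactivate after 6 failures, reactivate after
    3 successes, with preempt/failback to the primary enabled."""
    active, fails, passes, events = True, 0, 0, []
    for n, (main_ok, alt_ok) in enumerate(samples, start=1):
        t = n * interval
        if probe_succeeds(rule, main_ok, alt_ok):
            fails, passes = 0, passes + 1          # a success resets the failure run
            if not active and passes >= reactivate_after:
                active = True
                events.append((t, "failback to primary"))
        else:
            passes, fails = 0, fails + 1           # a failure resets the success run
            if active and fails >= deactivate_after:
                active = False
                events.append((t, "failover to secondary"))
    return events

# Constructed probe history: a 2-probe blip, then a real outage of 8 probes.
OK, DOWN = (True, True), (False, False)
SAMPLE = [OK] * 3 + [DOWN] * 2 + [OK] * 3 + [DOWN] * 8 + [OK] * 5

if __name__ == "__main__":
    print("defaults:", simulate_primary(SAMPLE))
    # A low deactivate count reacts to the blip too (unnecessary failover/failback).
    print("deactivate after 2:", simulate_primary(SAMPLE, deactivate_after=2))
```

With the defaults the blip is ignored and only the real outage triggers a failover at 70 s and a failback at 95 s; with Deactivate interface after set to 2 the blip alone causes an extra failover/failback pair.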
I. Creating Routing Policy for All VLAN:
When we configure each interface, a new default route policy is created
automatically; we can’t change anything in these default routing policies.
To enable communication between the Core Switch and the Firewall for all VLANs, we
need to create a customised policy that routes all VLAN traffic to the Core Switch
default gateway. Follow the steps below to create the routing policy.
We need to create Address Objects for each VLAN, and those Address Objects need
to be added to an Address Group.
I.a. Creating Address Object and Group:
1. To create an Address Object, we need to Navigate to Manage | Policies | Objects
| Addresses and click Add underneath Address Object. Enter the below details,
Enter the Name of the Address Object
Select the Zone (Commonly LAN)
Select the Type (Commonly Network)
Enter the Subnet Mask or Prefix Length
Click Save
2. To create an Address Group, we need to navigate to Manage | Policies | Objects
| Addresses and click Add underneath Address Groups. Enter the details below:
Click Add to display the Add Address Object Group window.
Create a name for the group in the Name field.
Select the Address Object from the list and click the right arrow. It is added to the group.
Clicking while pressing the Ctrl key allows you to select multiple objects.
Click OK.
I.b. Adding Routing Rule:
1. Navigate to Policy | Rules and Policies | Routing Rules.
2. Click Add at the bottom of the screen.
3. Select the following route policy settings:
Under the Lookup tab, enter the Name of the policy and select the required
options as below:
Source = Any.
Destination = Click the drop-down icon and select the respective
Address Group (commonly all VLAN subnets).
Service = Any.
Under Next Hop:
Select Standard Route.
Interface = Select the respective LAN interface.
Gateway = Select the Address Object of the default gateway of the
respective Core Switch.
Metric = The lowest number (commonly below 5) so that the route has the
highest priority.
Click Save.