Configuring Advanced Firewall Settings

This section provides advanced firewall settings for configuring detection prevention, dynamic ports, source routed packets, connection selection, and access rule options.

To configure advanced access rule options, select Security Configuration | Firewall Settings > Advanced Settings. The Firewall Settings > Advanced Settings page includes the following firewall configuration option groups:

• Detection Prevention
• Dynamic Ports
• Source Routed Packets
• Connections
• Dynamic Connection Sizing
• Access Rule Service Options
• IP and UDP Checksum Enforcement
• Jumbo Frame
• IPv6 Advanced Configuration
• Control Plane Flood Protection

Detection Prevention

• Enable Stealth Mode - By default, the security appliance responds to incoming connection requests as either “blocked” or “open.” If you enable Stealth Mode, your security appliance does not respond to blocked inbound connection requests. Stealth Mode makes your security appliance essentially invisible to hackers.
• Randomize IP ID - Select Randomize IP ID to prevent hackers using various detection tools from detecting the presence of a security appliance. IP packets are given random IP IDs, which makes it more difficult for hackers to “fingerprint” the security appliance.
• Decrement IP TTL for forwarded traffic - Time-to-live (TTL) is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded. Select this option to decrease the TTL value for packets that have been forwarded and, therefore, have already been in the network for some time.
• Never generate ICMP Time-Exceeded packets - The firewall generates Time-Exceeded packets to report when it has dropped a packet because its TTL value has decreased to zero. Select this option if you do not want the firewall to generate these reporting packets.
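The Randomize IP ID option exists because a firewall that stamps every forwarded packet from one global counter produces IP Identification values that increase in small steps, which is enough for an observer to infer that a single device sits in the path. The following Python is an added illustration, not SonicOS code or part of this guide: it takes the IP IDs captured from one source address and reports whether they look like such a counter or look randomized, which is a practical way to confirm the setting is in effect. The `max_step` and `threshold` tuning values and both sample sequences are constructed for the example.

```python
"""Heuristic check of whether a host's IP ID field is sequential or randomized.

Added example (not SonicOS code). Feed it the Identification values parsed
from packets of one source address; the two sequences at the bottom are
constructed sample input.
"""
from typing import Iterable, List

MAX_ID = 1 << 16  # the IPv4 Identification field is 16 bits wide


def id_deltas(ids: Iterable[int]) -> List[int]:
    """Forward difference between consecutive IP IDs, modulo 2^16, so that a
    counter wrapping from 65535 to 0 still shows a delta of 1."""
    ids = list(ids)
    return [(b - a) % MAX_ID for a, b in zip(ids, ids[1:])]


def classify_ip_ids(ids: Iterable[int], max_step: int = 64, threshold: float = 0.8) -> str:
    """Classify a sequence of IP IDs observed from one host.

    Returns 'incremental' when at least `threshold` of the consecutive deltas
    are small positive steps (1..max_step), the signature of a shared counter;
    'random' otherwise; 'insufficient' for fewer than three samples.
    `max_step` and `threshold` are assumed tuning values for this example.
    """
    deltas = id_deltas(ids)
    if len(deltas) < 2:
        return "insufficient"
    small = sum(1 for d in deltas if 1 <= d <= max_step)
    return "incremental" if small / len(deltas) >= threshold else "random"


# Constructed sample data: a counter that wraps past 65535 (a device with a
# global IP ID counter), and values standing in for a randomized IP ID field.
SEQUENTIAL_IDS = [65530, 65531, 65533, 65534, 0, 1, 3, 4, 5, 7]
RANDOM_IDS = [41203, 7, 60015, 12888, 33019, 2, 51770, 9411, 28054, 44021]

if __name__ == "__main__":
    print("counter-style:", classify_ip_ids(SEQUENTIAL_IDS))   # incremental
    print("randomized:   ", classify_ip_ids(RANDOM_IDS))       # random
```

The heuristic deliberately tolerates gaps (other hosts consuming IDs from the same counter) by accepting any step up to `max_step`; a pure per-packet increment of 1 would also be classified as incremental.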
Dynamic Ports

• Enable FTP Transformations for TCP port(s) in Service Object - Select from the service group drop-down menu to enable FTP transformations for a particular service object. By default, service group FTP (All) is selected.

  FTP operates on TCP ports 20 and 21, where port 21 is the Control Port and 20 is the Data Port. When non-standard ports (for example, 2020, 2121) are used, however, SonicWall drops the packets by default, as it is not able to identify them as FTP traffic. The Enable FTP Transformations for TCP port(s) in Service Object option allows you to select a Service Object to specify a custom control port for FTP traffic.

  To illustrate how this feature works, consider the following example of an FTP server behind the SonicWall listening on port 2121:

  a On the Policies | Objects > Address Objects page, create an Address Object for the private IP address of the FTP server with the following values:
    • Name: FTP Server Private
    • Zone: LAN
    • Type: Host
    • IP Address: 192.168.168.2
  b On the Policies | Objects > Services Objects page, create a custom Service for the FTP Server with the following values:
    • Name: FTP Custom Port Control
    • Protocol: TCP(6)
    • Port Range: 2121 - 2121
  c On the Policies | Rules > NAT Policies page, create the following NAT Policy:
  d On the Policies | Rules > Access Rules page, create the following Access Rule:
  e On the Security Configuration | Firewall Settings > Advanced Settings page, from the Enable FTP Transformations for TCP port(s) in Service Object drop-down menu, select the FTP Custom Port Control Service Object.

  NOTE: For more information on configuring service groups and service objects, refer to SonicWall SonicOS 6.5 System Setup.

• Enable support for Oracle (SQLNet) - Select this option if you have Oracle9i or earlier applications on your network. For Oracle10g or later applications, it is recommended that this option not be selected.
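An FTP transformation works because the firewall reads the control channel: a PORT command or a 227 passive-mode reply names the address and port of the data connection, so the firewall can open that connection dynamically and rewrite the private address when NAT is in use. The same idea underlies the SQLNet and RTSP options in this section. The Python below is an added example, not SonicOS code or part of this guide: it parses those two messages, rewrites a 227 reply for NAT, and shows why a control connection on port 2121 yields no data-channel entry unless that port has been declared as FTP (the Service Object selection in the steps above). The public address 203.0.113.10 and all sample lines are constructed for the example.

```python
"""FTP control-channel parsing of the kind an FTP transformation relies on.

Added example, not SonicOS code. All sample lines and addresses are
constructed; 203.0.113.10 is a documentation-range address standing in
for the firewall's public IP.
"""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

_TUPLE = r"(\d{1,3}(?:,\d{1,3}){5})"
_PORT_RE = re.compile(r"^PORT\s+" + _TUPLE + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\(" + _TUPLE + r"\)")


@dataclass(frozen=True)
class Pinhole:
    """A data connection learned from the control channel that should be permitted."""
    host: str
    port: int
    direction: str  # 'to_client' for PORT (active mode), 'to_server' for PASV (passive mode)


def decode_host_port(tuple_str: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(p) for p in tuple_str.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"malformed FTP host/port tuple: {tuple_str!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def parse_control_line(line: str) -> Optional[Pinhole]:
    """Return the data channel announced by a PORT command or a 227 reply, else None."""
    text = line.strip()
    m = _PORT_RE.match(text)
    if m:
        host, port = decode_host_port(m.group(1))
        return Pinhole(host, port, "to_client")
    m = _PASV_RE.match(text)
    if m:
        host, port = decode_host_port(m.group(1))
        return Pinhole(host, port, "to_server")
    return None


def rewrite_pasv_reply(line: str, public_ip: str) -> str:
    """NAT the host part of a 227 reply so an outside client connects to the
    firewall's public address rather than the server's private one."""
    m = _PASV_RE.match(line.strip())
    if not m:
        return line
    _, port = decode_host_port(m.group(1))
    new_tuple = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return line.replace(m.group(1), new_tuple, 1)


@dataclass
class FtpTransformer:
    """Only control connections on the declared ports are inspected as FTP; any
    other port is opaque TCP and its data channel is never learned."""
    control_ports: FrozenSet[int] = frozenset({21})
    pinholes: List[Pinhole] = field(default_factory=list)

    def observe(self, control_port: int, line: str) -> Optional[Pinhole]:
        if control_port not in self.control_ports:
            return None  # not treated as FTP: the data connection will be dropped
        pinhole = parse_control_line(line)
        if pinhole:
            self.pinholes.append(pinhole)
        return pinhole


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,168,2,8,89)."
    print(FtpTransformer().observe(2121, reply))                       # None
    print(FtpTransformer(frozenset({21, 2121})).observe(2121, reply))  # Pinhole(... 2137 ...)
    print(rewrite_pasv_reply(reply, "203.0.113.10"))
```

With only the default port 21 declared, the 227 reply on port 2121 is ignored and the client's connection to port 2137 has no matching entry; declaring 2121 as an FTP control port is exactly what step e above does.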
  For Oracle9i and earlier applications, the data channel port is different from the control connection port. When this option is enabled, a SQLNet control connection is scanned for a data channel being negotiated. When a negotiation is found, a connection entry for the data channel is created dynamically, with NAT applied if necessary. Within SonicOS, the SQLNet and data channel are associated with each other and treated as a session.

  For Oracle10g and later applications, the two ports are the same, so the data channel port does not need to be tracked separately; thus, the option does not need to be enabled.

• Enable RTSP Transformations - Select this option to support on-demand delivery of real-time data, such as audio and video. RTSP (Real Time Streaming Protocol) is an application-level protocol for control over delivery of data with real-time properties.

Source Routed Packets

• Drop Source Routed IP Packets - (Enabled by default.) Clear this checkbox if you are testing traffic between two specific hosts and you are using source routing.

  IP Source Routing is a standard option in IP that allows the sender of a packet to specify some or all of the routers that should be used to get the packet to its destination. This IP option is typically blocked from use, as it can be used by an eavesdropper to receive packets by inserting an option to send packets from A to B via router C. The routing table should control the path that a packet takes, so that it is not overridden by the sender or a downstream router.

Connections

IMPORTANT: Any change to the Connections setting requires that the SonicWall security appliance be restarted for the change to be implemented.

The Connections section provides the ability to fine-tune the firewall to prioritize for either optimal throughput or an increased number of simultaneous connections that are inspected by Deep-Packet Inspection (DPI) services. See the Connection count table.
Connection count

Platform                               SPI connections   DPI connections (Maximum)   DPI connections (Performance optimized)
SuperMassive 9600                      10,000,000        2,000,000                   1,750,000
SuperMassive 9400                      7,500,000         1,500,000                   1,250,000
SuperMassive 9200                      5,000,000         1,500,000                   1,250,000
NSA 6600                               2,000,000         1,000,000                   750,000
NSA 5600                               2,000,000         1,000,000                   750,000
NSA 4600                               1,000,000         500,000                     375,000
NSA 3600                               750,000           375,000                     250,000
NSA 2600                               500,000           250,000                     125,000
TZ600                                  150,000           125,000                     125,000
TZ500/TZ500 W                          125,000           100,000                     100,000
TZ400/TZ400 W, TZ300/TZ300 W, SOHO W   50,000            50,000                      50,000

Only one option can be chosen. There is no change in the level of security protection provided by the DPI Connections settings.

• Maximum SPI Connections (DPI services disabled) - This option (Stateful Packet Inspection) does not provide SonicWall DPI Security Services protection and optimizes the firewall for the maximum number of connections with only stateful packet inspection enabled. This option should be used only by networks that require nothing more than stateful packet inspection, which is not recommended for most SonicWall network security appliance deployments.
• Maximum DPI Connections (DPI services enabled) - This is the default and recommended setting for most SonicWall network security appliance deployments.
• DPI Connections (DPI services enabled with additional performance optimization) - This option is intended for performance critical deployments. It trades off the maximum number of DPI connections for increased firewall DPI inspection throughput.

NOTE: If either DPI Connections option is chosen and the DPI connection count is greater than 250,000, you can have the firewall resize the DPI connection and DPI-SSL counts dynamically. For more information, see Dynamic Connection Sizing.

The maximum number of connections depends on the physical capabilities of the particular model of SonicWall security appliance, as shown in the Connection count table.
Flow Reporting does not reduce the connection count on NSA Series and SM Series firewalls.

Mousing over the Question Mark icon next to the Connections heading displays a pop-up table of the maximum number of connections for your specific SonicWall security appliance for the various configuration permutations. The table entry for your current configuration is indicated in the pop-up table.

Dynamic Connection Sizing

NOTE: Dynamic connection sizing is supported on NSA 3600 Series (and higher) and SuperMassive Series network security appliances.

If either Maximum DPI Connections (DPI services enabled) or DPI Connections (DPI services enabled with additional performance optimization) is selected for Connections and the DPI connection count is greater than 250,000, the Dynamic Connection Sizing section displays. Configuring this option allows you to have the firewall increase the number of DPI-SSL connections by 750 by reducing the number of DPI connections by 1250000 dynamically.

• DPI Connections – Allows you to choose the maximum number of DPI connections, in increments of 125,000. Changing this count changes the value in the DPI-SSL Connections drop-down menu.
• DPI-SSL Connections – Allows you to choose the maximum number of DPI-SSL Connections, in increments of 750. Changing this count changes the value in the DPI Connections drop-down menu.

For example, if the number of DPI connections selected in the DPI Connections drop-down menu is 1250000, the number of DPI-SSL connections in the DPI-SSL Connections drop-down menu is 165000. If you select 1000000 from the DPI Connections drop-down menu, the number of DPI-SSL connections changes to 18000. If you select 12000 from the DPI-SSL Connections drop-down menu, the number of DPI connections changes to 2000000.
Access Rule Service Options

• Force inbound and outbound FTP data connections to use default port 20 - The default configuration allows FTP connections from port 20, but remaps outbound traffic to a port such as 1024. If the checkbox is selected, any FTP data connection through the security appliance must come from port 20 or the connection is dropped. The event is then logged as a log event on the security appliance.
• Apply firewall rules for intra-LAN traffic to/from the same interface - Applies firewall rules to traffic that is received on a LAN interface and destined for the same LAN interface. Typically, this is only necessary when secondary LAN subnets are configured.
• Always issue RST for discarded outgoing TCP connections – Sends an RST (reset) packet to drop the connection for discarded outgoing TCP connections. This option is selected by default.
• Enable ICMP Redirect on LAN zone – Redirects ICMP packets on LAN zone interfaces. This option is selected by default.
• Drop packets which source IP is subnet broadcast address – Drops packets whose source IP address is recognized as the broadcast address of the subnet.

IP and UDP Checksum Enforcement

• Enable IP header checksum enforcement - Select this to enforce IP header checksums. Packets with incorrect checksums in the IP header are dropped. This option is disabled by default.
• Enable UDP checksum enforcement - Select this to enforce UDP packet checksums. Packets with incorrect checksums are dropped. This option is disabled by default.

Jumbo Frame

NOTE: Jumbo frames are supported on NSA 3600 and higher appliances.

• Enable Jumbo Frame support – Enabling this option increases throughput and reduces the number of Ethernet frames to be processed. A throughput increase may not be seen in all cases; however, there will be some improvement in throughput if the packets traversing the firewall are really jumbo size.

NOTE: Jumbo frame packets are 9000 kilobytes in size and increase memory requirements by a factor of 4.
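Two of the settings above, Drop Source Routed IP Packets (in the Source Routed Packets section) and the IP and UDP Checksum Enforcement pair, are decisions a firewall makes from the raw IPv4 header alone. The Python below is an added example, not SonicOS code or part of this guide: it verifies the IP header checksum, verifies the UDP checksum over the pseudo-header, walks the IP option area looking for the Loose and Strict Source Route options (types 131 and 137), and applies the three settings to constructed sample packets, including one with an LSRR option and two with corrupted checksums. Addresses are private or documentation ranges chosen for the example, and the treatment of a zero UDP checksum (sender computed none) as not incorrect is an assumption of this example.

```python
"""IPv4 header checksum, UDP checksum and source-route option checks.

Added example, not SonicOS code. Sample packets are built inline.
"""
import struct

LSRR, SSRR = 131, 137   # IPv4 option types: Loose / Strict Source and Record Route
PROTO_UDP = 17


def _inet(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def ipv4_options(packet: bytes) -> list:
    """Return (type, data) for each option between the fixed header and the payload."""
    ihl = (packet[0] & 0x0F) * 4
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IPv4 option")
        length = opts[i + 1]
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def ipv4_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_sum(packet[:ihl]) == 0xFFFF


def udp_checksum_ok(packet: bytes) -> bool:
    """Verify the UDP checksum over pseudo-header + datagram. A zero checksum
    means none was computed (allowed in IPv4); by assumption it is not 'incorrect'."""
    ihl = (packet[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    datagram = packet[ihl:ihl + udp_len]
    if datagram[6:8] == b"\x00\x00":
        return True
    pseudo = packet[12:20] + b"\x00" + bytes([PROTO_UDP]) + struct.pack("!H", udp_len)
    return ones_complement_sum(pseudo + datagram) == 0xFFFF


def inspect(packet: bytes, drop_source_routed=True, enforce_ip=True, enforce_udp=True) -> str:
    """Apply the three settings; return 'forward' or the reason for the drop."""
    if enforce_ip and not ipv4_checksum_ok(packet):
        return "drop: bad IP header checksum"
    if drop_source_routed and any(k in (LSRR, SSRR) for k, _ in ipv4_options(packet)):
        return "drop: source routed"
    if enforce_udp and packet[9] == PROTO_UDP and not udp_checksum_ok(packet):
        return "drop: bad UDP checksum"
    return "forward"


def build_udp_packet(src, dst, sport, dport, data: bytes, options: bytes = b"") -> bytes:
    """Construct an IPv4/UDP packet with correct checksums (sample data only)."""
    options += b"\x00" * (-len(options) % 4)
    udp_len = 8 + len(data)
    seg = struct.pack("!HHHH", sport, dport, udp_len, 0) + data
    pseudo = _inet(src) + _inet(dst) + b"\x00" + bytes([PROTO_UDP]) + struct.pack("!H", udp_len)
    seg = seg[:6] + struct.pack("!H", checksum(pseudo + seg) or 0xFFFF) + seg[8:]
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(seg), 0x1234, 0,
                      64, PROTO_UDP, 0, _inet(src), _inet(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + seg


# Constructed samples: a clean DNS-sized datagram, the same with an LSRR option
# (type 131, length 7, pointer 4, one hop 198.51.100.1), and two corrupted copies.
CLEAN = build_udp_packet("192.168.168.2", "10.0.0.5", 40000, 53, b"query")
SOURCE_ROUTED = build_udp_packet("192.168.168.2", "10.0.0.5", 40000, 53, b"query",
                                 options=b"\x83\x07\x04" + _inet("198.51.100.1"))
BAD_IP = CLEAN[:8] + b"\x3f" + CLEAN[9:]    # TTL altered after the header checksum was set
BAD_UDP = CLEAN[:-1] + b"Y"                  # last payload byte altered after the UDP checksum was set

if __name__ == "__main__":
    for name, pkt in [("clean", CLEAN), ("lsrr", SOURCE_ROUTED), ("bad ip", BAD_IP), ("bad udp", BAD_UDP)]:
        print(f"{name:8s} {inspect(pkt)}")
```

Note the ordering in `inspect`: the header checksum is verified before the option area is parsed, so a packet whose header bytes are corrupted is dropped before its (possibly garbled) options are interpreted.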
Interface MTUs must be changed to 9000 bytes after enabling jumbo frame support, as described in SonicWall SonicOS 6.5 System Setup.

IPv6 Advanced Configuration

• Drop IPv6 Routing Header type 0 packets – Select this to prevent a potential DoS attack that exploits IPv6 Routing Header type 0 (RH0) packets. When this setting is enabled, RH0 packets are dropped unless their destination is the SonicWall security appliance and their Segments Left value is 0. Segments Left specifies the number of route segments remaining before reaching the final destination. Enabled by default. For more information, see http://tools.ietf.org/html/rfc5095.
• Decrement IPv6 hop limit for forwarded traffic – Similar to IPv4 TTL; when selected, the packet is dropped when the hop limit has been decremented to 0. Disabled by default.
• Drop and log network packets whose source or destination address is reserved by RFC – Select this option to reject and log network packets whose source or destination address is defined as reserved for future definition and use, as specified in RFC 4921 for IPv6. Disabled by default.
• Never generate IPv6 ICMP Time-Exceeded packets – By default, the SonicWall appliance generates IPv6 ICMP Time-Exceeded packets that report when the appliance drops packets due to the hop limit decrementing to 0. Select this option to disable this function; the SonicWall appliance will not generate these packets. This option is selected by default.
• Never generate IPv6 ICMP destination unreachable packets – By default, the SonicWall appliance generates IPv6 ICMP destination unreachable packets. Select this option to disable this function; the SonicWall appliance will not generate these packets. This option is selected by default.
• Never generate IPv6 ICMP redirect packets – By default, the SonicWall appliance generates redirect packets. Select this option to disable this function; the SonicWall appliance will not generate redirect packets.
  This option is selected by default.
• Never generate IPv6 ICMP parameter problem packets – By default, the SonicWall appliance generates IPv6 ICMP parameter problem packets. Select this option to disable this function; the SonicWall appliance will not generate these packets. This option is selected by default.
• Allow to use Site-Local-Unicast Address – By default, the SonicWall appliance allows Site-Local Unicast (SLU) addresses and this checkbox is selected. As currently defined, SLU addresses are ambiguous and can represent multiple sites. The use of SLU addresses may adversely affect network security through leaks, ambiguity, and potential misrouting. To avoid the issue, deselect the checkbox to prevent the appliance from using SLU addresses.
• Enforce IPv6 Extension Header Validation – Select this option if you want the SonicWall appliance to check the validity of IPv6 extension headers. By default, this option is disabled. When both this option and the Decrement IPv6 hop limit for forwarded traffic option are selected, the Enforce IPv6 Extension Header Order Check option becomes available. (You may need to refresh the page.)
• Enforce IPv6 Extension Header Order Check – Select this option to have the SonicWall appliance check the order of IPv6 Extension Headers. By default, this option is disabled.
• Enable NetBIOS name query response for ISATAP – Select this option if you want the SonicWall appliance to generate a NetBIOS name in response to a broadcast ISATAP query. By default, this option is disabled.

  NOTE: Select this option only when one ISATAP tunnel interface is configured.

Control Plane Flood Protection

• Enable Control Plane Flood Protection – Select to have the firewall forward only control traffic destined to the firewall to the system Control Plane core (Core 0) if traffic on the Control Plane exceeds the threshold specified in Control Flood Protection Threshold (CPU %). This option is not enabled by default.
  To give precedence to legitimate control traffic, excess data traffic is dropped. This restriction prevents too much data traffic from reaching the Control Plane core, which can cause slow system response and potential network connection drops. The percentage configured for control traffic is guaranteed.

• Control Flood Protection Threshold (CPU %) – Enter the flood protection threshold as a percentage. The minimum is 5 (%), the maximum is 95, and the default is 75.
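The IPv6 Advanced Configuration section above describes a forwarding decision that depends on walking the extension-header chain: Drop IPv6 Routing Header type 0 packets discards an RH0 packet unless it is addressed to the appliance itself with Segments Left equal to 0, and Decrement IPv6 hop limit for forwarded traffic drops a packet once its hop limit reaches 0, with the Never generate IPv6 ICMP Time-Exceeded packets option deciding whether a report is sent back. The Python below is an added example, not SonicOS code or part of this guide: it parses the fixed IPv6 header and the Hop-by-Hop, Routing, Fragment and Destination Options extension headers (AH and ESP are omitted, an assumption of the example), applies those three settings as the text states them, and exercises them on constructed packets using documentation-range addresses.

```python
"""IPv6 extension-header walk with RH0 and hop-limit forwarding decisions.

Added example, not SonicOS code. All addresses and packets are constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address

NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DST_OPTS, NH_UDP = 0, 43, 44, 60, 17
# Extension headers this example walks (AH and ESP omitted by assumption).
WALKED_EXTENSIONS = {NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DST_OPTS}


@dataclass
class Decision:
    action: str            # 'forward', 'deliver' (addressed to the appliance) or 'drop'
    reason: str = ""
    packet: bytes = b""    # outgoing packet when forwarding, hop limit already decremented
    icmp: str = ""         # ICMPv6 message the firewall would generate, if any


def parse_ipv6(packet: bytes) -> dict:
    """Read the fixed header and walk the extension-header chain."""
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", packet[4:8])
    ext_headers, offset = [], 40
    while next_hdr in WALKED_EXTENSIONS:
        # Fragment header is fixed at 8 bytes; the others carry (Hdr Ext Len + 1) * 8
        hdr_len = 8 if next_hdr == NH_FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + hdr_len > len(packet):
            raise ValueError("truncated extension header")
        ext_headers.append((next_hdr, packet[offset:offset + hdr_len]))
        next_hdr = packet[offset]          # Next Header field of this extension header
        offset += hdr_len
    return {"src": IPv6Address(packet[8:24]), "dst": IPv6Address(packet[24:40]),
            "hop_limit": hop_limit, "ext_headers": ext_headers, "upper_layer": next_hdr}


def forward_ipv6(packet: bytes, appliance_addrs, drop_rh0=True,
                 decrement_hop_limit=True, generate_time_exceeded=True) -> Decision:
    info = parse_ipv6(packet)
    local = info["dst"] in appliance_addrs
    for kind, raw in info["ext_headers"]:
        if kind == NH_ROUTING and raw[2] == 0:          # Routing Type 0 (RH0)
            segments_left = raw[3]
            if drop_rh0 and not (local and segments_left == 0):
                return Decision("drop", "RH0")
    if local:
        return Decision("deliver", packet=packet)      # local delivery, no decrement
    if decrement_hop_limit:
        if info["hop_limit"] <= 1:                     # would reach 0 on this hop
            icmp = "ICMPv6 Time Exceeded" if generate_time_exceeded else ""
            return Decision("drop", "hop limit exceeded", icmp=icmp)
        packet = packet[:7] + bytes([info["hop_limit"] - 1]) + packet[8:]
    return Decision("forward", packet=packet)


def build_ipv6(src, dst, hop_limit, payload=b"", rh0_addrs=None, segments_left=0) -> bytes:
    """Constructed packet: optional Routing Header type 0, then a placeholder upper-layer payload."""
    ext, next_hdr = b"", NH_UDP
    if rh0_addrs is not None:
        addrs = b"".join(IPv6Address(a).packed for a in rh0_addrs)
        # Next Header, Hdr Ext Len (8-octet units after the first 8), Routing Type 0, Segments Left
        ext = bytes([NH_UDP, len(addrs) // 8, 0, segments_left]) + b"\x00" * 4 + addrs
        next_hdr = NH_ROUTING
    body = ext + payload
    hdr = struct.pack("!IHBB", 6 << 28, len(body), next_hdr, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + body


APPLIANCE = {IPv6Address("2001:db8::1")}   # constructed appliance address
P_PLAIN = build_ipv6("2001:db8:1::10", "2001:db8:2::20", 64, b"data")
P_HOP1 = build_ipv6("2001:db8:1::10", "2001:db8:2::20", 1, b"data")
P_RH0_TRANSIT = build_ipv6("2001:db8:1::10", "2001:db8:2::20", 64, b"data",
                           rh0_addrs=["2001:db8:3::30"], segments_left=1)
P_RH0_LOCAL = build_ipv6("2001:db8:1::10", "2001:db8::1", 64, b"data",
                         rh0_addrs=["2001:db8:3::30"], segments_left=0)

if __name__ == "__main__":
    for name, pkt in [("plain", P_PLAIN), ("hop=1", P_HOP1),
                      ("rh0 transit", P_RH0_TRANSIT), ("rh0 local", P_RH0_LOCAL)]:
        d = forward_ipv6(pkt, APPLIANCE)
        print(f"{name:12s} {d.action:8s} {d.reason:20s} {d.icmp}")
```

The RH0 check runs before the hop-limit logic because a transit RH0 packet with Segments Left greater than 0 is the case the option exists to stop, regardless of how many hops it has left.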