Configuring a Real Firewall
This chapter is a visual tour through the configuration of a SonicWALL Pro VX, a powerful firewall
from SonicWALL. As such, it shows every feature that this line of firewalls supports, and this line of
firewalls represents the state of the art in device-based firewalls.
This chapter is not a review—the comparative review for SonicWALL devices can be found in
Chapter 19. This chapter simply describes the features and configuration of this firewall as a
complete introduction in case you've never dealt with a firewall before. If you have done it before,
you'll probably just want to skim through this chapter.
The SonicWALL Appliance Wizard
SonicWALL devices come from the factory with the preconfigured IP address 192.168.168.168/24.
This means that in order to attach to the device, your management workstation's IP address must
be within the 192.168.168 subnet. In Windows 2000, you can simply set your IP address manually
and plug the SonicWALL into the same Ethernet network in order to reach it. This graphic shows a
management workstation's IP address set to 192.168.168.170 in order to begin the SonicWALL
configuration.
After configuring your management workstation's IP address, open a web browser (Internet Explorer
or Netscape) and direct it to http://192.168.168.168. When you do, the SonicWALL Appliance
Wizard screen will appear as shown here.
To avoid the common problem of shipping a device with a standard default password that might
never be changed, the SonicWALL Wizard requires you to change the administrative password as
the first configuration step, as shown here.
Of course, you should choose the strongest possible password and you should not use the
password on any other non-firewall devices to prevent its compromise. Although SonicWALL
devices can only be configured from the LAN port or by administrators who have authenticated with
the VPN, there are many unobvious ways to get LAN access from outside the network. Opening
port forwards for Terminal Services or VNC, connecting an improperly secured 802.11 wireless
bridge, or a user accidentally downloading a Trojan horse are just a few of the ways that a hacker
might be able to gain access to the web-based firewall management interface from the interior of
the network.
In fact, I frequently set up a temporary port forward on new SonicWALLs to facilitate the
establishment of a permanent VPN connection. I do this because it allows me to work
simultaneously on both devices even though no VPN exists yet. Once the VPN is established, I
remove the rule that forwards the dangerous service through to the internal network. You will
probably find yourself doing this as well, so be certain you remove these dangerous rules.
The next step is to set your time zone. SonicWALL devices automatically configure their internal
time using the NTP (Network Time Protocol) to synchronize with the Universal Standard Time
generated by the U.S. Naval Observatory. You have the option of changing the NTP time server in
the administrative interface once the initial configuration is complete. It would be nice if the firewall
could be configured as an NTP time server for the rest of the network, but it can't.
The next pane is simply an information pane that asks you to gather your IP circuit network
information from your ISP and informs you that the WAN port has not been connected if you have
not connected it. You must have this information ready in order to proceed, and you should connect
the WAN port now to ensure that everything works correctly during the configuration.
The SonicWALL Configuration Wizard then asks you what type of service you have from your ISP,
and makes some assumptions about how you want to configure the device based on your answer. For
example, if you respond that you've received only a single IP address or that your device receives
its address from a PPPoE (Point-to-Point Protocol over Ethernet) or DHCP server, the wizard
assumes that you want to enable NAT. If you indicate that you've received multiple IP addresses,
the device will ask you whether you want to enable NAT. In any case, just select the answer that
comes closest to your grade of service.
If you've selected the multiple IP address option, the wizard will prompt you whether or not you want
Network Address Translation enabled. In the vast majority of cases, you do. Besides conserving
your public IP addresses and allowing you to grow your network irrespective of the number of
addresses your ISP has assigned you, Network Address Translation has built-in immunity to a
number of hacking attacks. But if you are really certain that you don't want NAT, select the Don't
Use NAT option, shown here.

After you've selected your service type and determined whether or not you want to use NAT, the
wizard will prompt for your public IP address information provided by your ISP. This graphic shows
the configuration for my company's firewall with the actual IP addresses blanked out. Normally your
IP address would appear.
After configuring the public IP address information, you will enter your private IP address
information. You can choose any IP range you want, but you should never vary from using a
reserved IP block like the 10.0.0.0/8 range or the 192.168.0.0/16 range because if you do, you'll
prevent your users from reaching any public IP services with coincidental IP addresses. You may
want to avoid using the 10 range as well because it's used for internal routing by a number of
second-tier ISPs and could potentially cause conflicts for you. If you have strange routing problems
using the 10 reserved block, contact your ISP to determine if they're using any portion of it. Here
you can see the internal IP address configuration for a firewall configured to use NAT.
The next pane asks you whether you want the SonicWALL device to provide DHCP addresses, and
if so, what range you want DHCP to assign. I generally configure DHCP to be served by a
solid-state device in the networks I manage because it's somewhat more reliable than using
general-purpose servers to provide DHCP. However, servers are usually a little more flexible and
easier to configure if you need to use a large number of static DHCP entries. In my experience, it's
easiest to permanently assign static IP addresses to every device that will provide any sort of
service, and then use DHCP for clients that provide no services. In this environment, firewalls make
ideal DHCP servers.
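A plausibility check for the private-side plan the wizard asks for (LAN block, firewall LAN address, DHCP pool and the statically addressed servers), written as an added Python example rather than anything SonicWALL provides; every address in it is constructed, and 172.16.0.0/12 is included because RFC 1918 reserves it alongside the two blocks named above.

```python
"""Plausibility checks for the private-side addressing entered into the wizard.
Added example (not SonicWALL code); every address below is constructed."""
import ipaddress

# RFC 1918 private blocks. The chapter names 10/8 and 192.168/16;
# 172.16/12 is the third block reserved by the same RFC.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_block(cidr):
    """True when the whole LAN block lies inside a single RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_lan_plan(lan_cidr, firewall_ip, dhcp_start, dhcp_end, static_hosts=()):
    """Return a list of problems with the plan; an empty list means it is consistent.

    static_hosts: iterable of (name, address) pairs for servers that, as the
    chapter recommends, get permanent addresses outside the DHCP pool."""
    problems = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    if not is_private_block(lan_cidr):
        problems.append(f"{lan} is not RFC 1918 space; public hosts with those "
                        "addresses would become unreachable from the LAN")
    fw = ipaddress.ip_address(firewall_ip)
    if fw not in lan:
        problems.append(f"firewall LAN address {fw} is outside {lan}")
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    if start > end:
        problems.append(f"DHCP range {start}-{end} starts after it ends")
    if start not in lan or end not in lan:
        problems.append(f"DHCP range {start}-{end} is not inside {lan}")
    if start <= fw <= end:
        problems.append("DHCP range overlaps the firewall's own LAN address")
    for name, addr in static_hosts:
        host = ipaddress.ip_address(addr)
        if host not in lan:
            problems.append(f"static host {name} ({host}) is outside {lan}")
        elif start <= host <= end:
            problems.append(f"static host {name} ({host}) lies inside the DHCP range")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: a /24 from 192.168/16, pool .100-.200, one file server.
    for p in check_lan_plan("192.168.1.0/24", "192.168.1.1",
                            "192.168.1.100", "192.168.1.200",
                            [("fileserver", "192.168.1.10")]):
        print(p)
```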
After you've configured DHCP, the firewall initialization is complete and the wizard shows a
summary page that looks like this.
The final step in the configuration is to reboot the firewall. Once you do this, the firewall will come up
on its new IP address, so you'll no longer be able to reach it until you reconfigure the IP address on
your management workstation. Before clicking Restart, you can page back through the Wizard to
check your settings and change anything that was entered incorrectly. It's crucial that you remember
what the SonicWALL's NAT IP address is and that it is set correctly, because even if you flash the
SonicWALL's firmware and reload its operating system from a binary image, the NAT address will
not revert to 192.168.168.168. You'll have to use a sniffer and an ARP tool to determine its IP
address if you've forgotten it. Here is the restart pane of the SonicWALL Configuration Wizard.
After you click restart, the SonicWALL Wizard displays an informational pane to keep you occupied
for the 30 seconds it takes the device to restart.
At this point, you've completed the SonicWALL Wizard and the firewall is ready for basic operation.
To continue configuring the firewall, you'll use the built-in web management interface.
SonicWALL Registration
Once you've completed the Configuration Wizard and restarted the firewall, point your web browser
back to the SonicWALL's LAN IP address. This time, instead of the Configuration Wizard you'll get
the SonicWALL Web Manager login prompt.
If you're using Internet Explorer, the login prompt can be confusing because it won't actually work
until the Java applet (the applet is that tiny grey dot on the right side of the screen) used by the
device actually loads completely. This is indicated in the web browser status bar in the lower
left-hand corner of the screen. Until the status bar says "Done," any attempts to log in will be
responded to with a JavaScript error. Unless you know this, attempting to log in can be frustrating.
Netscape does not exhibit this problem because it's a side effect of the way that Internet Explorer
supports Java.
Once you've logged in, you'll see the General Status page. This page provides low-level status of
the SonicWALL device, along with support information. Any internal problems the device is
experiencing will show up as red text in the General Status page—for example, if the DMZ or WAN
interfaces are not connected or if the SonicWALL is not registered.
The first thing you should do (though it's not required for the device to operate) is register your
firewall. This activates your support and warranty services and allows you to purchase additional
services such as VPN (if it wasn't included in your device), website filtering, virus scanning, and so
forth. The easy way to do this is to select your firewall's MAC address (which serves as the serial
number) in the general page and copy it to the clipboard.
Then you can register your firewall by going to the SonicWALL website, creating an account for
yourself, and logging in. Here is the SonicWALL website login prompt.
Once you've logged in, you'll see the registered products page. All the SonicWALL devices
registered to your account will appear on this page, shown here.
Click the product registration link to bring up the Quick Registration page shown next. You'll enter
the device's MAC address (which is also the serial number) and a descriptive name in order to
register the product to your login account.
Of course, an annoying marketing survey pops up, as shown next. Just click Continue to
dismiss it, and then click the newly registered firewall in the Registered Device page.
The next screen shows the SonicWALL Service Management page, which provides a convenient
place to access the latest firmware upgrades for your device as well as keep track of your
registration codes for value-added services that you subscribe to. You'll need to enter these codes
in the device to activate various features, and they'll be needed again if you ever have to clear the
firewall.
The Registration Status page shows the registration status and activation codes for a specific
firewall device, as shown next. You'll need to copy the registration code on this page and paste it
into the firewall's general status page in order to clear the unregistered error condition on your
firewall's General Status page.
You'll also visit this page whenever you need to activate a new service or reactivate a service after
clearing a firewall's configuration; this is rare, but sometimes required in certain troubleshooting
operations.
SonicWALL Configuration
Once your firewall is registered, you're ready to begin configuring the firewall with your specific
Internet access policy. As explained elsewhere in this book, you should take a pessimistic approach
to security by disabling all access and then specifically enabling only those protocols your
organization requires to perform its work.
SonicWALL device configuration is divided into topical sections, which form a column of navigation
buttons on the left side of the screen. The General Status page, shown in the next section, appears
as it would after the firewall has been registered. For each topical section, a row of tabs displayed
across the top indicates each configuration detail page.
Context-sensitive help is available anywhere by clicking the Help icon in the upper right-hand
corner. The help pages are essentially the product documentation in HTML format. When you click
the icon, a new browser window will appear with the specific section of the documentation for the
current page showing.
This layout is clear and easy to navigate, and it is a major reason why these firewalls are so
popular. In the following sections, we'll discuss each of the navigation buttons, and the pages
available under each topic.
General
The General topical section is used for low-level network configuration of the firewall. All of the
information in this section is automatically filled in by the Configuration Wizard that you've already
run, so you won't need to configure anything on these pages initially—unless you need to correct a
mistake made in the Configuration Wizard.
The Status page shown here shows the hardware status of the device.