Network Security Basic Administration

Hands-On Exercise Guide: NS-101-EG-B

© 2012 Dell SonicWALL is a registered trademark of Dell SonicWALL, Inc. Other product names mentioned herein may be
trademarks and/or registered trademarks of their respective companies.

Last revision date: 8/16/12

The contents of this document may not be copied or duplicated in any form, in whole or in part, without the prior written permission
of Dell SonicWALL, Inc.

The information in this document is subject to change without notice. Dell SonicWALL, Inc. shall not be liable for any damages
resulting from technical errors or omissions which may be present in this document, or from use of this document.

This document is an unpublished work protected by the United States copyright laws and is proprietary to Dell SonicWALL, inc.
Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use of this document by anyone other than
authorized employees, authorized users, or authorized partners of Dell SonicWALL, Inc. without the prior written consent of Dell
SonicWALL Inc. is prohibited.

Dell SonicWALL, the Dell SonicWALL logo are registered trademarks of Dell SonicWALL Inc. All other trademarked names used
herein are the properties of their respective owners and are used for identification purposes only.

Table of Contents

Exercise Instructions

Hands-On Exercises for Section 2: Operating System Fundamentals
Exercise 2.1 - Updating SonicOS Firmware
Exercise 2.2 - Initial Setup and Configuration
Exercise 2.3 - SonicWALL Administration
Exercise 2.4 - NAT: Inbound Server Access

Hands-On Exercises for Section 3: Scalability and Reliability
Exercise 3.1 - WAN ISP Failover and Outbound Load Balancing
Exercise 3.2 - Policy-Based Routing

Hands-On Exercises for Section 4: Secure Access
Exercise 4.1 - Site to Site VPN Settings
Exercise 4.1a (Optional) - Hub & Spoke VPN Settings
Exercise 4.2 - Route Based VPN
Exercise 4.3 (Optional) - Global VPN Client with Local Database
Exercise 4.4 - SSL VPN with Local Database
Exercise 4.5 - SSL VPN with LDAP Authentication
Exercise 4.6 - Content Filtering Service with LDAP Authentication
Exercise 4.7 - CFS with LDAP Authentication Using Single Sign-On

Hands-On Exercises for Section 5: Unified Threat Management
Exercise 5.1 - Unified Threat Management

Hands-On Exercises - Exercise Instructions

Exercise Instructions

Exercise Steps

The hands-on exercises for this course are designed so that you can choose to perform each individual task
on your own with limited help, or follow detailed steps that will walk you through each task step-by-step.

CHALLENGE YOURSELF: If you would like to challenge yourself, you can perform each task by reading the
instructions and using any required information that directly follows the instructions.

STEP-BY-STEP: If you would prefer to walk through the detailed steps for each task, read the instructions
and then proceed to the procedure following the (OR) DETAILED STEP-BY-STEP INSTRUCTIONS
heading.

Workstation Setup

The host workstation is running a VMware computer image known as Coffee. Coffee is a Windows Server
2003 server running as the training.sonicwall.com domain controller, an internal DNS server, and the
EchoFloor Manufacturing Web and FTP servers. You will need to start this VMware server at the beginning
of Exercise 2.3.

Be sure to read each step thoroughly, as it is clearly specified when to use the host management workstation
or the Coffee VMware image. If you have any questions, be sure to ask your instructor.

Network Topology
The following diagram illustrates the final network architecture for the hands-on exercises:


Exercise Company Scenario

EchoFloor Manufacturing, Inc. is a fictitious company used in our training materials to represent an
enterprise-level organization, whose various network security needs illustrate the effectiveness of Dell
SonicWALL products. For these purposes, we suppose the following organizational information:

EchoFloor is in the business of designing, developing, and manufacturing commercial and high-end
residential flooring. With over 700 employees and offices worldwide, and conducting business domestically and
internationally, they are a recognized leader in their industry.

EchoFloor, like any such organization, faces challenges securing the networks (both physical and wireless)
of their corporate and branch offices, providing secure remote access for employees and partners,
protecting the integrity of corporate e-mail, and maintaining a safe and continuous data protection system.

As part of the addition of a remote office, EchoFloor has purchased a new Dell SonicWALL security appliance.
EchoFloor needs to install the appliance at the remote location, set up access to their Web and FTP servers,
configure various forms of VPN access, set up Web content filtering, and enable and configure the unified
threat management features.

Hands-On Exercises for Section 2: Operating System Fundamentals


Resulting Network Topology
At the end of all of the exercises for section 2, your network topology will be represented by the following
diagram:

Hands-On Exercises - Exercise 2.1 - Updating SonicOS Firmware

Exercise 2.1 - Updating SonicOS Firmware


EchoFloor Manufacturing needs to replace their legacy firewall with a new, state-of-the-art firewall. To this
end, they have purchased a new Dell SonicWALL security appliance, which you will install and configure for
scalability and reliability, secure access and control, and unified threat management.
In order to register the appliance using the management interface, you must have a MySonicWALL user ID.
If you already have a MySonicWALL user ID, you can skip to Task 2.

Tasks
1. Creating a New MySonicWALL User ID
2. Cabling the SonicWALL
3. Resetting the SonicWALL to the Factory Default (SafeMode)
4. Connecting to the SonicWALL and Uploading Firmware

CHALLENGE YOURSELF TASK 1: Creating a New MySonicWALL User ID

In order to register the Dell SonicWALL appliance, you will need to create a MySonicWALL user ID.
If you already have a MySonicWALL user ID, you can skip this task.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Open Internet Explorer and go to http://www.MySonicWALL.com.
2. If you already have a MySonicWALL user ID, you can skip to Task 2. If
you do not have a MySonicWALL user ID, click Not a registered user.
3. Under Account Information, enter your Email Address, Password,
Secret Question, and Answer. Be sure to use an Email Address that
you will be able to access, as a required Subscription Code will be
emailed to you.
4. Under Company Information, enter all required fields.
5. Under Personal Contact Information, enter all required fields.
6. Click Register.
7. On the Confirm Registration screen, click Submit.
8. The page notifies you that your account will not be created unless you
specify the Subscription Code that is being emailed to you. Click OK.
9. Connect to the email account you specified in step 3. Open the email
message sent by Dell SonicWALL, which contains your Subscription
Code.
10. Click on the link found in the email to activate your account.
11. Using your new username and password, log into mySonicWALL.com.
12. Close the Web browser.

Note: If you are having difficulty registering your security appliance, log into it, then go to System > Time
and uncheck the NTP setting. Then try to register the unit again.

CHALLENGE YOURSELF TASK 2: Cabling the Dell SonicWALL Appliance

Remove the Dell SonicWALL appliance from its outer box and connect the power cable and the
Ethernet cables.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Connect the external power supply to the power cord.
2. Plug your power cord into a power outlet and connect it to the
appliance.
3. Remove the WAN/ISP connection from your workstation and connect it
to the WAN port of the appliance.
4. Connect the Ethernet cable included with the Dell SonicWALL appliance
to your workstation and to LAN port 1 (X0) on the appliance.

CHALLENGE YOURSELF TASK 3: Resetting the Dell SonicWALL Appliance to the Factory
Default (SafeMode)

Modify the IP settings of the management workstation so that you can access the appliance. Use
the reset button to return the Dell SonicWALL appliance to the factory default settings.

IP Address: 192.168.168.20
Subnet Mask: 255.255.255.0

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On your management workstation, go to Start > Settings > Network
Connections.
2. Right-click the Local Area Connection, and then select Properties.
The Local Area Connection Properties dialog box appears.
3. In the This connection uses the following items list, scroll down
and select Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears.
4. Click the Use the following IP address option.
5. In the IP address box, type: 192.168.168.20
6. In the Subnet mask box, type: 255.255.255.0
7. In the Default gateway box, type: 192.168.168.168
8. Click OK, and then click OK again.
9. Close the Network Connections window.
10. Use a narrow, straight object - such as a straightened paper clip - to
press and hold the reset button on the back of the security appliance for
approximately 20 to 30 seconds.
The reset button is in a small hole next to the power supply. The Test
light, shaped like a wrench, should be solid amber. Once the Test light
begins to blink, the appliance has finished rebooting and is in SafeMode.

NOTE: If this procedure does not work while the power is on, turn the
unit off and on while pressing and holding the reset button, until the
Test light starts blinking.

CHALLENGE YOURSELF TASK 4: Connecting to the Dell SonicWALL Appliance and
Uploading Firmware

Open a Web browser, connect to the appliance, and upload the latest firmware to the appliance.

Default appliance management URL: 192.168.168.168
Firmware location: \\Desktop\Course Materials\Firmware folder

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Open a browser (such as Chrome) and go to http://192.168.168.168.
The Dell SonicWALL SafeMode window appears.
2. Click Upload New Firmware. The Upload Firmware window appears.
3. Click Browse.
4. Navigate to the workstation desktop, open the Course Materials >
Firmware folder, and then select the firmware file. (Instructor may
provide firmware.)
5. Click Open.
6. Click Upload.
7. In the Firmware Image section, click the Boot icon in the Uploaded
Firmware with Factory Default Settings- New! row.
A Windows Internet Explorer dialog box appears, warning that booting
uploaded firmware requires between 1 and 2 minutes to complete.
8. Click OK.
The uploaded firmware begins writing to flash.
After several minutes, the Dell SonicWALL appliance automatically
restarts.
9. Close the Web browser.

Hands-On Exercises - Exercise 2.2 - Initial Setup and Configuration

Exercise 2.2 - Initial Setup and Configuration


EchoFloor Manufacturing needs to migrate Internet access to their new Dell SonicWALL appliance and allow
public access to their internal servers with the least amount of downtime.

Tasks
1. Configuring the SonicWALL using the Setup Wizard
2. Reconfiguring the Management Workstation for DHCP
3. Documenting the Management Workstation DHCP Assigned IP Address
4. Accessing the SonicWALL Management Interface
5. Verifying Internet Access
6. Modifying the Default Admin Account
7. Modifying the Default Admin Account
8. Registering the SonicWALL Appliance

CHALLENGE YOURSELF TASK 5: Configuring the Dell SonicWALL Appliance using the
Setup Wizard

Use a Web browser to connect to the Dell SonicWALL management interface using factory
defaults. Use the following default username and password to access the appliance.

Factory default IP address: 192.168.168.168
Username: admin
Password: password

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. With your PC's NIC connected directly to the X0 LAN port, open a
Web browser and go to http://192.168.168.168. The initial Welcome
screen appears and asks whether you want to use the Setup Wizard or go
directly to the management interface. Select the management interface. The
Network Security Login page appears.
2. In the Username box, type:
admin
3. In the Password box, type:
password
4. Click Login.
5. The System > Status page appears.

CHALLENGE YOURSELF TASK 6: Configuring the Dell SonicWALL Appliance with the
Setup Wizard

EchoFloor Manufacturing has the following settings.

Language: English
Admin Password: password
Time Zone: Local time zone
PC Card (if available): None
WAN Network Mode: DHCP
LAN IP (gateway): 172.20.__.1 (your student number)
Subnet Mask: 255.255.255.0
LAN DHCP Scope: 172.20.__.20 to 172.20.__.254
Ports Assignment: WAN/OPT/LAN Switch

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. With your PC's NIC connected directly to the X0 LAN port, open a
Web browser and go to http://192.168.168.168. The initial Welcome
screen appears and asks whether you want to use the Setup Wizard or go
directly to the management interface. Select to go to the SonicOS Setup Wizard
page.

Note: If you are configuring a Wireless Device, you will be prompted for additional information.

2. Click Next.
3. On the Change Administrator Password section, do not change
the password - leave the default password unchanged, and click Next.
4. On the Change Time Zone section, select the time zone where we are
located from the drop-down list.
5. Click Next.
6. The next screen will depend on the appliance we are configuring.
If the Configure PC Card Device Type section appears, click Next.
7. If no PC Card configuration can be configured, then the WAN Network
Mode section is next. On the WAN Network Mode section, select the
Cable/Modem-based Connections (use DHCP) option.
8. Click Next. The WAN Network Mode: NAT with DHCP Client page
appears.
9. Click Next.
10. On the WAN Network Mode NAT with DHCP Client page, select
the enable HTTPS and Allow Ping on this Interface checkboxes.
11. On the LAN Settings section, enter your LAN IP 172.20.__.1 (your
student number). Leave the 24-bit subnet mask of 255.255.255.0.
12. Click Next.
13. On the LAN DHCP Settings section, change the LAN Address Range
(DHCP scope) in the first box to 172.20.__.20 and leave the second box
set to 172.20.__.254.
14. Click Next.
15. On the Ports Assignment page, select WAN/LAN Switch.
16. Click Next. The Dell SonicWALL Configuration Summary page appears.
17. Verify your settings and, if correct, click Apply. The Setup Wizard
Complete page appears. Record the appliance URL/IP address.
18. Read this information to understand what happens next.
19. Click Close.

CHALLENGE YOURSELF TASK 7: Reconfiguring the Management Workstation for DHCP

Reset the network settings of your management workstation to receive an IP address from the Dell
SonicWALL appliance DHCP server.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On your management workstation, go to Start > Settings > Network
Connections.
2. Right-click the Local Area Connection, and then select Properties.
3. Select Internet Protocol (TCP/IP), and then click Properties.
4. Select the Obtain an IP Address automatically option.
5. Select the Obtain DNS server address automatically option.
6. Click OK, and then click OK again.
7. Close the Network Connections window.

CHALLENGE YOURSELF TASK 8: Documenting the Management Workstation DHCP
Assigned IP Address

Document the DHCP assigned IP address settings of your management workstation.

IP Address: ____________
Subnet Mask: ____________
Default Gateway: ____________

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Go to Start > Run.
2. Type cmd and click OK.
3. In the command prompt, type:
ipconfig /all
For the Local Area Connection, document the IP Address, Subnet Mask,
and Default Gateway.
4. Close the command prompt window.
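
The following check is an added example, not part of the original guide. It parses saved `ipconfig /all` output and compares the Local Area Connection values with the lab plan entered in the Setup Wizard (gateway 172.20.N.1, mask 255.255.255.0, DHCP scope 172.20.N.20 to 172.20.N.254). The sample outputs, the host name and the function names are constructed for illustration, and the student number N is assumed to be a single octet.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output for student number 7 (not a real capture).
SAMPLE_DHCP = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : mgmt-ws

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 172.20.7.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.20.7.1
   DHCP Server . . . . . . . . . . . : 172.20.7.1
"""

# Constructed output for a workstation that still has the static SafeMode
# settings from Exercise 2.1 (192.168.168.20, gateway 192.168.168.168).
SAMPLE_STATIC = """\
Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.168.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.168.168
"""

ADAPTER_RE = re.compile(r"^\S.*?adapter (?P<name>.+):\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 \-]+?)[ .]*:\s*(?P<val>.*)$")


def parse_adapters(text):
    """Return {adapter name: {lower-cased field: value}} from ipconfig text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = adapters.setdefault(header.group("name"), {})
            continue
        field = FIELD_RE.match(line)
        # Fields before the first adapter header (Host Name etc.) are skipped.
        if field and current is not None:
            current[field.group("key").strip().lower()] = field.group("val").strip()
    return adapters


def _addr(value):
    """Parse an IPv4 field; newer Windows versions append '(Preferred)'."""
    try:
        return ipaddress.IPv4Address(value.split("(")[0].strip())
    except ValueError:
        return None


def check_workstation(text, student_number, adapter="Local Area Connection"):
    """Return a list of findings; an empty list means the lease matches the plan."""
    if not 0 <= student_number <= 255:
        raise ValueError("student number must fit in one octet")
    prefix = f"172.20.{student_number}."
    gateway = ipaddress.IPv4Address(prefix + "1")
    first = ipaddress.IPv4Address(prefix + "20")
    last = ipaddress.IPv4Address(prefix + "254")

    fields = parse_adapters(text).get(adapter)
    if fields is None:
        return [f"adapter '{adapter}' not found in output"]

    findings = []
    if fields.get("dhcp enabled", "").lower() != "yes":
        findings.append("DHCP is not enabled on the adapter")
    ip = _addr(fields.get("ip address") or fields.get("ipv4 address") or "")
    if ip is None or not first <= ip <= last:
        findings.append(f"IP address {ip} is outside DHCP scope {first}-{last}")
    if fields.get("subnet mask") != "255.255.255.0":
        findings.append(f"subnet mask is {fields.get('subnet mask')}, expected 255.255.255.0")
    gw = _addr(fields.get("default gateway", ""))
    if gw != gateway:
        findings.append(f"default gateway is {gw}, expected {gateway}")
    return findings


if __name__ == "__main__":
    for label, sample in (("dhcp", SAMPLE_DHCP), ("static", SAMPLE_STATIC)):
        print(label, check_workstation(sample, 7) or "OK")
```

To use it on a real workstation, redirect `ipconfig /all` to a file and pass the file contents with your own student number.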


CHALLENGE YOURSELF TASK 9: Accessing the Dell SonicWALL Management Interface

Connect to the Dell SonicWALL appliance using the LAN interface address you previously
configured, which is also the default gateway for your management workstation.

LAN interface IP Address: 172.20.__.1

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Open Internet Explorer and go to http://172.20.__.1. The Network
Security Login page appears.
2. In the Username box, type:
admin
3. In the Password box, type:
password
4. Click Login.
5. If prompted, click Continue to preempt the existing administrator
session. The System > Status page appears.

CHALLENGE YOURSELF TASK 10: Verifying Internet Access

Verify that you have set up the interfaces properly by using the Dell SonicWALL Ping utility to ping
sonicwall.com. Also verify that you can access the Internet from your management workstation by
attempting to connect to http://training.sonicwall.com.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to System > Diagnostics.
2. From the Diagnostic Tool drop-down list, select Ping.
3. In the Ping host or IP address box, type:
yahoo.com
4. Click Go.
The host name yahoo.com is alive, which means that the Dell
SonicWALL appliance can access the Internet and resolve host names.
5. In Internet Explorer, use a new tab to go to
http://training.sonicwall.com.
The SonicWALL Product Training Web page appears, indicating that
your management workstation can now access the Internet through the
Dell SonicWALL appliance.
6. Close the second Web browser tab.

CHALLENGE YOURSELF TASK 11: Modifying the Default Admin Account

For your convenience during the hands-on exercises, increase the administrator inactivity time-out
value.

Log out the administrator after inactivity of (minutes): 60

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to System > Administration.
2. Edit the Log out the administrator after inactivity of (minutes)
box to:
60
3. Click Accept.

CHALLENGE YOURSELF TASK 12: Registering the Dell SonicWALL Appliance

Register your Dell SonicWALL appliance using your MySonicWALL credentials.

Friendly Name: EchoFloor FW

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to System > Status.
2. Click the Register link.
Be patient as the page redirects to the Registration.html page. Each of
the rest of the steps of this task may take several seconds to complete.
3. On the License Management page, in the Email Address/User box,
type your MySonicWALL user ID.
You must have a valid, personal, MySonicWALL user ID. If you do not,
you should go back and complete Exercise 2.1, Task 1.
4. In the Password box, type your MySonicWALL password.
5. Click Submit.
6. Skip the remaining Product Survey questions and click Submit.
7. Once the registration is finished, click Continue.
8. Continue through any additional licensing screens until the completed
License Management page appears.

Hands-On Exercises - Exercise 2.3 - Dell SonicWALL Administration

Exercise 2.3 - Dell SonicWALL Administration


EchoFloor Manufacturing needs to create additional local administrator user accounts with varying levels of
administrative capabilities.

Tasks
1. Creating a SonicWALL Administrators User
2. Validating User Login
3. Enabling HTTP User Login
4. Validating User Login
5. Configuring Management using a Custom Port
6. Documenting the SonicWALL WAN IP Address

CHALLENGE YOURSELF TASK 1: Creating a Dell SonicWALL Administrators User

Create a local user, and then make them a member of the SonicWALL Administrators group.

Name: EFAdmin
Password: training
User Groups: SonicWALL Administrators

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Users > Local Users.
2. Click Add User. The Add User window appears.
3. In the Name box, type:
EFAdmin
4. In the Password and Confirm Password boxes, type:
training
5. Click on the Groups tab.
6. In the User Groups list, select SonicWALL Administrators, and then
click the -> button.
7. Click OK.
8. Click Logout to exit.

CHALLENGE YOURSELF TASK 2: Validating User Login

Attempt to log in as the full administrator account you created in the previous task.

Name: EFAdmin
Password: training

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. In Internet Explorer, select the Click here to log back in link.
2. In the Username box, type:
EFAdmin
3. In the Password box, type:
training
4. Click Login.

Note that the EFAdmin user is denied access because HTTP user login is not
allowed.

CHALLENGE YOURSELF TASK 3: Enabling HTTP User Login

Log back in as the default admin account and configure the LAN interface to enable HTTP user login.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the Network Security Login page, in the Username box, type:
admin
2. In the Password box, type:
password
3. Click Login.
4. From the left navigation menu, go to Network > Interfaces.
5. Click on the Configure icon for the X0 interface.
6. In the User Login row, select the HTTP check box.
7. Click OK.
8. In the Dell SonicWALL management console, click Logout.

CHALLENGE YOURSELF TASK 4: Validating User Login

Attempt to log in as the full administrator account you created in the previous task. In addition,
modify the user session details.

Name: EFAdmin
Password: training
Inactivity login session limit: 30
Login session limit (minutes): 120

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. In Internet Explorer, select the Click here to log back in link.
2. In the Username box, type:
EFAdmin
3. In the Password box, type:
training
4. Click Login.
The User Login Status window appears, displaying your user privileges,
in addition to showing your total login session time.
5. Click Manage. You have access to all Dell SonicWALL administration
Web pages.
6. From the left navigation menu, go to Users > Settings.
7. Edit the Inactivity timeout (minutes) box to:
30
8. Edit the Login session limit (minutes) box to:
120
9. Click Accept.

CHALLENGE YOURSELF TASK 5: Configuring Management using a Custom Port

Configure the HTTP management options to use a custom port.

HTTP port: 8080

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. As EFAdmin, go to System > Administration.
2. Scroll down to the Web Management Settings section.
3. Change the HTTP Port to 8080.
4. Click Accept.
The Web browser automatically redirects to http://172.20.__.1:8080.
5. In the User Login Status window, click Logout.
6. In Internet Explorer, go to http://172.20.__.1 (your student number).
An "Internet Explorer cannot display the webpage" error displays. LAN
management using HTTP can no longer use the default port 80.
7. Go to http://172.20.__.1:8080 (your student number).
The Network Security Login page appears.

CHALLENGE YOURSELF TASK 6: Documenting the Dell SonicWALL Appliance WAN IP Address

Document the DHCP-assigned IP address settings of your WAN interface.

IP Address
Subnet Mask
Gateway (Router) Address

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. In the Username box, type:

admin

2. In the Password box, type:

password

3. From the left navigation menu, go to Network > Interfaces.

4. Click on the Configure icon for the WAN interface.

Document the DHCP-assigned IP Address, Subnet Mask, and
Gateway (Router) Address. These settings were set by the local
network’s DHCP server.

5. Click Cancel.

Exercise 2.4 - NAT: Inbound Server Access


In order to make the EchoFloor Manufacturing Web and FTP servers accessible to external users, you will
first need to start the VMware image that runs these two servers, and then modify the network topology to
match your VMware network. Next you will create two network address objects: one for your internal Web
server and one for your internal FTP server. You will create a service group that references the HTTP and
FTP services. NAT policies will then be set up to direct HTTP and FTP requests to the downstream servers.
Finally you will set up a firewall access policy allowing the WAN to LAN traffic.

Tasks

1. (Optional) Launching the Coffee VMware Image and Modifying IP Addressing
2. Creating a Web Server Address Object
3. Creating an FTP Server Address Object
4. Creating a Firewall Service Group
5. Configuring a NAT Policy for the Espresso Web Server
6. Configuring a NAT Policy for the Latte FTP Server
7. Creating a Firewall Access Rule
8. Validating Access to Web and FTP Servers
9. Deleting NAT Settings

CHALLENGE YOURSELF TASK 1: (Optional) Launching the Coffee VMware Image and
Modifying IP Addressing

Launch the Coffee VMware image, which will be used as the back-end Web and FTP servers. The IP
addressing will need to be updated to match your IP subnet. Then you will need to change the IIS
Web server and FTP server properties to use the correct IP address on the Coffee server.

User name                       administrator
Password                        training
IP address                      172.20.__.101
Default gateway                 172.20.__.1
2nd IP address                  172.20.__.102
3rd IP address                  172.20.__.103
Espresso Web-server IP address  172.20.__.102
Latte FTP Server IP address     172.20.__.103

Note: This task is not required in every lab environment. Ask your instructor to confirm if this task is
required or optional.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. On the management workstation desktop, double-click the VMware
Server Console icon.

2. In the Connect to Host window, leave Local host selected and click OK.

3. In the VMware Server Console, under Inventory, click Coffee.

4. Under Commands, click the Start this virtual machine link.

5. In the Coffee - Virtual Machine dialog box, leave the Create option
selected, and then click OK.

The Windows Server 2003 server boots.

6. If your local workstation does not have an A: drive, you will need to
click OK twice.

7. When the Welcome to Windows login screen appears, press the
Ctrl + Alt + Insert keyboard combination. (You should NOT use Ctrl +
Alt + Delete.)

8. In the Password box, type:

training

9. Click OK.

10. On the Coffee VMware server desktop, double-click the Local Area
Connection icon.

11. Click Properties.

12. Select Internet Protocol (TCP/IP), and then click Properties.

13. Edit the IP address to:

172.20.__.101 (your number)

14. Edit the Subnet mask to:

255.255.255.0

15. Edit the Default gateway to:

172.20.__.1 (your number)

16. Click Advanced.

17. Add the second and third IP addresses:

172.20.__.102 (your number)
172.20.__.103 (your number)
255.255.255.0

18. Click OK, Close, Close.

19. Go to Start > Programs > Administrative Tools > Internet
Information Services (IIS) Manager.

20. Expand TRAINING.

21. Expand Web Sites.

22. Right-click Espresso Web-server, and then select Properties.

23. From the IP address list, select 172.20.__.102 (your number).

Ensure that your VMware Home Directory Tab points to the Local Path
for the Espresso directory; if not, you will not have the correct
parameters in your IP address list.
The local path is: E:\Expresso\

24. Click OK.

25. Expand FTP Sites.

26. Right-click Latte FTP Server, and then select Properties.

27. From the IP address list, select 172.20.__.103 (your number).

Ensure that your VMware Home Directory Tab points to the Local Path
for the Latte directory; if not, you will not have the correct parameters
in your IP address list.
The local path is: E:\Latte\

28. Click OK.

29. Close Internet Information Services (IIS) Manager.

30. Leave VMware running by minimizing the window.

31. From the Host PC, make sure you can ping all three IP addresses you
just configured for VMware.

CHALLENGE YOURSELF TASK 2: Creating a Web Server Address Object


Create and configure a network address object for the Espresso Web server.

Name             Espresso WS - 172.20.__.102
Zone Assignment  LAN
Type             Host
IP Address       172.20.__.102

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the management workstation, log into the appliance as admin.

2. From the left navigation menu, go to Network > Address Objects.

3. Select the Custom Address Objects view style to hide the default
objects.

4. Scroll down to the Address Objects section, and then click Add. The
Add Address Object window appears.

5. In the Name box, type:

Espresso WS - 172.20.__.102

6. From the Zone Assignment drop-down list, leave LAN selected.

7. From the Type drop-down list, leave Host selected.

8. In the IP Address box, type:

172.20.__.102

9. Click Add.

CHALLENGE YOURSELF TASK 3: Creating an FTP Server Address Object



Create and configure an address object for the Latte FTP server.

Name             Latte FTP - 172.20.__.103
Zone Assignment  LAN
Type             Host
IP Address       172.20.__.103

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

The Add Address Objects window stays open.

1. In the Name box, type:

Latte FTP - 172.20.__.103

2. From the Zone Assignment drop-down list, leave LAN selected.

3. From the Type drop-down list, leave Host selected.

4. In the IP Address box, type:

172.20.__.103

5. Click Add.

6. Click Close.

CHALLENGE YOURSELF TASK 4: Creating a Firewall Service Group

Set up a service group for the Espresso Web Server and Latte FTP Server address objects you
created in the previous tasks.

Service Group Name  Web and FTP Service Group
Services            FTP
                    HTTP

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Firewall > Service Objects.

Note: For increased convenience and accessibility, the Services page
can be accessed either from Firewall > Service Objects or Network >
Services. The page is identical regardless of which tab it is
accessed from.

2. In the Service Groups section, click Add Group. The Add Service
Group window appears.

3. In the Name box, type:

Web and FTP Service Group

4. In the left-hand list, select FTP (All), and then click the -> button.

Note: The FTP (All) group includes both the FTP Data and the FTP
Control streams.

5. In the left-hand list, select HTTP, and then click the -> button.

6. Click OK.

CHALLENGE YOURSELF TASK 5: Configuring a NAT Policy for the Espresso Web Server
Create a NAT policy for all HTTP requests directed to the WAN IP address to be sent to the Espresso
Web Server.

Original Source         Any
Translated Source       Original
Original Destination    WAN Interface IP
Translated Destination  Espresso WS - 172.20.__.102
Original Service        HTTP
Translated Service      Original
Inbound Interface       X1
Outbound Interface      Any

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Network > NAT Policies.

2. Click Add. The Add NAT Policy window appears.

3. From the Original Source drop-down list, select Any.

4. From the Translated Source drop-down list, select Original.

5. From the Original Destination drop-down list, select
WAN Interface IP.

6. From the Translated Destination drop-down list, select
Espresso WS - 172.20.__.102.

7. From the Original Service drop-down list, select HTTP.

8. From the Translated Service drop-down list, select Original.

9. From the Inbound Interface drop-down list, select X1.

10. From the Outbound Interface drop-down list, leave Any selected.

11. Check the Create a reflexive policy checkbox.

12. Click Add. The Add NAT Policy window stays open.

CHALLENGE YOURSELF TASK 6: Configuring a NAT Policy for the Latte FTP Server
Create a NAT policy for all FTP requests directed to the WAN IP address to be re-directed to the
Latte FTP Server.

Original Source         Any
Translated Source       Original
Original Destination    WAN Interface IP
Translated Destination  Latte FTP - 172.20.__.103
Original Service        FTP
Translated Service      Original
Inbound Interface       X1
Outbound Interface      Any

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the Add NAT Policy window, add a policy for the Latte FTP server.
From the Original Source drop-down list, select Any.

2. From the Translated Source drop-down list, select Original.

3. From the Original Destination drop-down list, select
WAN Interface IP.

4. From the Translated Destination drop-down list, select
Latte FTP - 172.20.__.103.

5. From the Original Service drop-down list, select FTP.

6. From the Translated Service drop-down list, select Original.

7. From the Inbound Interface drop-down list, select X1.

8. From the Outbound Interface drop-down list, leave Any selected.

9. Check the Create a reflexive policy checkbox.

10. Click Add.

11. Click Close.

CHALLENGE YOURSELF TASK 7: Creating a Firewall Access Rule


Create a WAN to LAN firewall access rule using the service group created in the previous task.

Service      Web and FTP Service Group
Source       Any
Destination  Any

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Firewall > Access Rules.

2. Select the Matrix View Style.

3. Click the Configure icon for the WAN to LAN access rule. The Access
Rules (WAN > LAN) window appears.

4. Click Add. The Add Rule window appears.

5. From the Service drop-down list, select Web and FTP Service Group.

6. From the Source drop-down list, select Any.

7. From the Destination drop-down list, select WAN Interface IP.

8. In the Users Allowed: window, leave the default as All.

9. In the Schedule: window, leave the default as Always on.

10. Click Add.

11. Click Close.

CHALLENGE YOURSELF TASK 8: Validating Access to Web and FTP Servers


Test access to your partner’s Web server and FTP server.

Partner’s Web Server  http://<partner’s WAN IP address>
Partner’s FTP Server  ftp://<partner’s WAN IP address>

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Open a new Web browser window.

2. In the Web browser, go to http://<partner’s WAN IP address>.

Your partner’s Espresso Web site appears.

3. In the Web browser, go to ftp://<partner’s WAN IP address>.

Your partner’s Latte FTP site appears.

4. Close the Web browser.
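
The browser checks in this task, and the port 80 versus port 8080 check in Exercise 2.3, Task 5, both come down to confirming which TCP ports answer. The following is an added example, not part of the original guide or of any SonicWALL tooling: a small Python audit that compares the ports that answer with the ports the policy is meant to publish. The function names, the loopback self-check, and the ports listed as expected-closed are assumptions made for illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out: treat as not exposed
        return False


def audit_exposure(host, expected_open, expected_closed, timeout=1.0):
    """Compare the TCP ports reachable on host with the intended policy.

    Returns {"missing": [...], "unexpected": [...]}:
      missing    - ports the policy should publish but that do not answer
      unexpected - ports that answer although the policy should block them
    """
    ports = sorted(set(expected_open) | set(expected_closed))
    with ThreadPoolExecutor(max_workers=8) as pool:
        answers = list(pool.map(lambda p: tcp_open(host, p, timeout), ports))
    state = dict(zip(ports, answers))
    return {
        "missing": sorted(p for p in expected_open if not state[p]),
        "unexpected": sorted(p for p in expected_closed if state[p]),
    }


def _listener():
    """Constructed stand-in for a published service: a local listening socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock


def _unused_port():
    """Reserve a port number, then release it so nothing is listening there."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def demo():
    """Offline self-check on loopback with constructed ports (no firewall needed)."""
    web, ftp, stray = _listener(), _listener(), _listener()
    web_port, ftp_port, stray_port = (s.getsockname()[1] for s in (web, ftp, stray))
    closed_port = _unused_port()
    try:
        # The policy intends web, ftp and closed_port to be published, but
        # nothing answers on closed_port; stray_port answers by mistake.
        result = audit_exposure(
            "127.0.0.1",
            expected_open=[web_port, ftp_port, closed_port],
            expected_closed=[stray_port],
        )
        return result, (closed_port, stray_port)
    finally:
        for s in (web, ftp, stray):
            s.close()


if __name__ == "__main__":
    print(demo()[0])
    # In the lab, run from the partner's side (21 = FTP control, 80 = HTTP):
    #   audit_exposure("<partner's WAN IP address>", [21, 80], [23, 8080])
    # For Exercise 2.3, Task 5, run from the LAN against the appliance:
    #   audit_exposure("172.20.__.1", [8080], [80])
    # The expected-closed lists are illustrative; use the ports you mean to block.
    # Only the FTP control port is checked; FTP data connections use other ports.
```

An empty result for both lists means the exposed services match the intended policy.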


Hands-On Exercises for Section 3: Scalability and Reliability


Resulting Network Topology

At the end of all of the exercises for section 3, your network topology will be represented by the following
diagram:

[Figure: network topology diagram]

Exercise 3.1 - WAN ISP Failover and Outbound Load Balancing


EchoFloor has dual ISP connections: a DSL line and a T1 line. They have vital business applications that
require Internet redundancy, specifically outbound traffic load balancing with the ability to route SMTP-only
traffic on the T1 line. They also have redundant Web and FTP servers that require inbound load balancing.


The customer has acquired a secondary ISP lease and now requires Internet redundancy if the primary
Internet connection fails.
You will work on this exercise with a partner. Only one student will configure their Dell SonicWALL appliance
to utilize WAN Failover; their partner’s appliance will simply act as the Secondary WAN/ISP Router for this
exercise. If there is time remaining, you can disable the failover settings and trade positions.

Tasks
1. Configuring the X2 Interface as a Secondary WAN
2. Testing WAN Failover
3. Modifying WAN Failover Settings
4. Testing Internet Access over the X2 Port

CHALLENGE YOURSELF TASK 1: Configuring the X2 Interface as a Secondary WAN


The student configuring their Dell SonicWALL appliance to utilize a Secondary WAN will configure
their X2 interface to use their partner’s appliance, which is acting as the Secondary WAN/ISP Router.

Zone             WAN
IP Assignment    Static
IP Address       172.20.__.2 (your partner’s number)
Subnet Mask      255.255.255.0
Default Gateway  172.20.__.1 (your partner’s number)

Note: The only step required by the Secondary WAN/ISP Provider partner is to port shield X2 to the LAN on X0.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the workstation being set up for redundancy, log into the Dell
SonicWALL appliance as admin. Assign the X2 interface to the WAN zone,
and assign a static address for that interface that is within the range of
your partner’s LAN.

2. From the left navigation menu, go to Network > Interfaces.

3. In the Interface Settings section, click the Configure icon for the X2
interface. The Interface “X2” Settings window appears.

4. From the Zone drop-down list, select WAN.

5. From the IP Assignment drop-down list, leave Static selected.

6. In the IP address box, type:

172.20.__.2 (Enter your partner’s number.)

7. In the Default Gateway box, type:

172.20.__.1 (Enter your partner’s number.)

8. Click OK.

9. Go to Network > Failover & LB.

10. Click the Configure icon for the Default LB Group.

Note: Probing options and the Global Probing Target are set in the Probing Tab. If Global probing is set, individual
target assignments cannot be made per interface.

11. Add the X2 interface into the group.

12. Click OK.

13. Expand Default LB Group to see targets for each interface.

14. Click OK.

15. Click the Configure icon next to each interface to set individual targets.

16. Configure Probe Monitoring on X1.

CHALLENGE YOURSELF TASK 2: Testing WAN Failover



On the workstation being set up for redundancy, test the WAN failover settings using the ping
command. Once the ping command is running, remove the Ethernet cable from your WAN interface.
Document the number of unsuccessful ping attempts before WAN failover begins.

Number of unsuccessful ping messages

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the workstation being set up for redundancy, open a command
prompt and type:

ping yahoo.com -t

2. Refresh the Network > WAN Failover & LB page, and then view the
WAN Load Balancing Statistics. Verify that the X2 Link Status reads
Link Up.

3. Switch back to the command prompt window.

4. Remove the Ethernet cable from the X1 WAN interface of your
appliance.

5. Document the number of Request timed out messages that display before
successful replies resume.

6. Switch back to and refresh the Network > WAN Failover & LB page,
and then view the WAN Load Balancing Statistics. Verify that the X1
Link Status is Link Down, that the X1 Load Balance State is Failover,
and the X2 Load Balance State is Active - Available.

7. Reconnect the Ethernet cable to the WAN interface of your Dell
SonicWALL appliance.

8. Wait about ten seconds, refresh the Network > WAN Failover & LB
page, and then view the WAN Load Balancing Statistics. Verify that
the X1 Link Status is Link Up, that the X1 Load Balance State is Active -
Available, and the X2 Load Balance State is Available.

The Dell SonicWALL appliance automatically recognized that the WAN
connection was available and reactivated it as the primary interface.

Leave the ping command running.

CHALLENGE YOURSELF TASK 3: Modifying WAN Failover Settings

Modify the number of missed intervals before enabling the secondary WAN interface. Test the WAN
failover settings again using the ping command from the primary user’s workstation. Once the ping
command is running, remove the Ethernet cable from your WAN interface. Document the number
of unsuccessful ping attempts before WAN failover begins.

Deactivate Interface after     1 missed interval
Number of unsuccessful probes

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the Network > Failover & LB page, select the Configure option
for the default Load Balancing group and click on the Probing tab. In
the WAN Interface Monitoring section, edit the Deactivate
Interface after box to:

1 missed intervals

2. Click OK.

3. Switch back to the command prompt window.

4. Remove the Ethernet cable from the X1 WAN interface of your
appliance.

5. Document the number of Request timed out messages that display before
successful replies resume.

The number of Request timed out responses should be considerably
lower than in the prior task due to the smaller number of missed
intervals the Dell SonicWALL appliance uses to determine an inactive
connection.
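
Why the count of Request timed out lines drops when the missed-interval threshold is lowered can be seen in a small simulation. This is an added example, not code from the guide or from SonicOS: a simplified model of probe-based failover in which the probe interval (5 seconds), the earlier threshold of 3, the reactivation count, one ping per second, and the outage times are all assumed values.

```python
from dataclasses import dataclass


@dataclass
class ProbeSettings:
    probe_interval_s: int = 5   # assumed value; the guide does not state it
    deactivate_after: int = 3   # "Deactivate Interface after N missed intervals"
    reactivate_after: int = 3   # assumed counterpart for bringing X1 back


def simulate(settings, x1_outages, duration_s=90):
    """Return one entry per second: "X1", "X2", or None when the ping is lost.

    x1_outages is a list of (start_s, end_s) windows in which the X1 path is
    unreachable (the cable is unplugged). One ping per second is assumed.
    """
    x1_active = True          # the load-balancing group currently prefers X1
    misses = hits = 0         # consecutive failed / successful probes on X1
    timeline = []
    for t in range(duration_s):
        x1_up = not any(start <= t < end for start, end in x1_outages)
        if t % settings.probe_interval_s == 0:      # a probe fires this second
            if x1_up:
                hits, misses = hits + 1, 0
                if not x1_active and hits >= settings.reactivate_after:
                    x1_active = True                 # fail back to the primary
            else:
                misses, hits = misses + 1, 0
                if x1_active and misses >= settings.deactivate_after:
                    x1_active = False                # fail over to X2
        if x1_active:
            timeline.append("X1" if x1_up else None)  # still using the dead link
        else:
            timeline.append("X2")
    return timeline


def lost_pings(settings, x1_outages, duration_s=90):
    """Count the "Request timed out" lines the ping window would show."""
    return simulate(settings, x1_outages, duration_s).count(None)


def failback_second(settings, x1_outages, duration_s=90):
    """First second after the last outage at which traffic is back on X1."""
    outage_end = max(end for _, end in x1_outages)
    timeline = simulate(settings, x1_outages, duration_s)
    for t in range(outage_end, duration_s):
        if timeline[t] == "X1":
            return t
    return None


# Constructed scenario: cable pulled at t=12 s, reconnected at t=60 s.
OUTAGE = [(12, 60)]

if __name__ == "__main__":
    for n in (3, 1):
        s = ProbeSettings(deactivate_after=n)
        print(f"deactivate after {n} missed: {lost_pings(s, OUTAGE)} lost pings, "
              f"X1 back at t={failback_second(s, OUTAGE)} s")
```

In this model the lost-ping count is bounded by the threshold multiplied by the probe interval, so the trade-off of a low threshold is faster failover at the cost of reacting to a single dropped probe.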


CHALLENGE YOURSELF TASK 4: Testing Internet Access over the X2 Port


With the X1 connection unavailable on the primary user’s workstation, verify that Internet access
is available by attempting to connect to http://training.sonicwall.com. Test how quickly the
appliance reactivates the X1 port after the X2 port becomes unavailable.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the primary workstation, with the WAN connection unavailable, open
Internet Explorer, and then go to http://training.sonicwall.com.

The Dell SonicWALL Product Training page appears. The workstation
can access the Internet using the X2 port as WAN failover.

2. Simultaneously, reconnect the X1 port while disconnecting the X2 port.

3. On the Dell SonicWALL Product Training page, click CLASS
SCHEDULES.

Depending on how quickly you performed the above step, you may get
an "Internet Explorer cannot display the webpage" error. If that happens,
use the F5 key to refresh the browser.

The schedule page displays, demonstrating that the Dell SonicWALL
appliance has determined the active and inactive ports.

4. Close the Dell SonicWALL Product Training page.

5. Close the command prompt.

6. Reconnect the Ethernet cable to the X2 port.

Exercise 3.2 - Policy-Based Routing


EchoFloor would like to use the two available WAN ports for specific services. All FTP requests will
use the primary WAN interface, while all HTTP requests will use the X2 secondary WAN interface.
You will continue to work on this exercise with your partner.

Tasks
1. Configuring a Route for HTTP Traffic
2. Testing Ping Failover
3. Testing HTTP Failover
4. Changing Partner Positions and Removing Settings

CHALLENGE YOURSELF TASK 1: Configuring a Route for HTTP Traffic


On the workstation being set up for redundancy, set up a route for all HTTP requests to use the X2
secondary WAN interface.

Source       LAN Subnets
Destination  Any
Service      HTTP
Gateway      Secondary Default Gateway
Interface    X2

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the workstation being set up for redundancy, from the left navigation menu, go to
Network > Routing.

2. Under Route Policies, click Add.

3. From the Source drop-down list, select LAN Subnets.

4. From the Destination drop-down list, select Any.

5. From the Service drop-down list, select HTTP.

6. From the Gateway drop-down list, select X2 Default Gateway.

7. From the Interface drop-down list, select X2.

8. Set Metric to 1.

9. Do not check the Disable route when probe succeeds checkbox.

10. Click OK.



CHALLENGE YOURSELF TASK 2: Testing Ping Failover



On the workstation being set up for redundancy, test the WAN failover settings using the ping
command from the primary user’s workstation. Once the ping command is running, remove the
Ethernet cable from your primary X1 WAN interface.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the workstation being set up for redundancy, open a command
prompt and type:

ping yahoo.com -t

2. Remove the Ethernet cable from the WAN interface of your appliance.

Verify that after a couple of Request timed out messages, successful
ping replies resume.

3. Reconnect the Ethernet cable to the X1 interface of your Dell SonicWALL
appliance, and then disconnect the Ethernet cable from the X2
interface.

Verify that after a couple of Request timed out messages, successful
ping replies resume.

This demonstrates that the ping service is set to use the appliance
failover option of both interfaces.

4. Reconnect the Ethernet cable to the X2 interface of your Dell SonicWALL
appliance.

5. Close the command prompt.

CHALLENGE YOURSELF TASK 3: Testing HTTP Failover

On the workstation being set up for redundancy, test the WAN failover settings using HTTP from
the primary user’s workstation. Access http://training.sonicwall.com. Remove the X1 primary WAN
connection and browse to other pages. Reconnect the X1 primary WAN connection, remove the
secondary WAN connection, and browse to the other pages.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the workstation being set up for redundancy, open a new Web
browser and go to http://training.sonicwall.com.

2. Remove the Ethernet cable from the WAN interface of your Dell
SonicWALL appliance, and then select the CLASS SCHEDULES link.

The page displays immediately, demonstrating that the HTTP
connection was already using the secondary WAN port.

3. Reconnect the Ethernet cable to the WAN interface of your appliance,
disconnect the Ethernet cable from the secondary WAN interface, and
then wait a few seconds.

4. Select the CERTIFICATION link.

An "Internet Explorer cannot display the webpage" error displays. This
shows that the HTTP service uses only the secondary WAN port. It will
not use the X1 interface for failover.

5. Reconnect the Ethernet cable to the secondary WAN interface of your
appliance, and then wait a few seconds.

6. Refresh the Web browser.

The Certifications page displays.

7. Close the Dell SonicWALL Product Training page.

CHALLENGE YOURSELF TASK 4: Changing Partner Positions and Removing Settings


If time permits, swap positions and go through Exercise 3.1 and 3.2 again. Before starting Exercise
4.1, you will need to disable the secondary WAN port settings you configured in Exercise 3.1, Task 1.
You will also need to remove the Route Policies that you created in Exercise 3.2, Task 1 and 2.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Network > Interfaces.

2. In the Interface Settings section, click the Configure icon for the
secondary WAN interface.

3. From the Zone drop-down list, select Unassigned.

4. Click OK.

5. From the left navigation menu, go to Network > Routing.

6. Select the check boxes for the two route policies you created for the FTP
and HTTP services.

7. Click Delete.

8. Click OK.

9. Remove the Ethernet cable between your Dell SonicWALL appliance
secondary WAN port and your partner’s appliance LAN port.

Hands-On Exercises for Section 4: Secure Access

Resulting Network Topology
At the end of all of the exercises for section 4, your network topology will be represented by the following
diagram:

[Diagram: Secure Access network topology]


Secure Access - Exercise 4.1 - Site to Site VPN Settings

Exercise 4.1 - Site to Site VPN Settings


EchoFloor Manufacturing would like secure communication between satellite offices and to securely
authenticate the traveling employees. They also want strong user-specific content filtering policies. All of
these security measures must be transparent to the user.

Tasks
1. Configuring a Site-to-Site VPN
2. Verifying Connectivity Using the Site-to-Site VPN
3. Accessing File Shares Across the VPN

CHALLENGE YOURSELF TASK 1: Configuring a Site-to-Site VPN
Set up a site-to-site VPN. Perform the following tasks on both management workstations.

VPN Policy Name                            Site __ to Site __ VPN tunnel (the lower student number
                                           should be first, followed by the larger student number)
IPsec Primary Gateway                      Partner’s WAN interface IP address
Shared Secret                              training
Local IKE ID                               Firewall Identifier
Firewall Identifier                        Site __ (your student number)
Peer IKE ID                                Firewall Identifier
Firewall Identifier                        Site __ (your partner’s number)
Local Network                              LAN Subnets
Destination Network                        Create new address object
New Destination Network: Name              Site __ Network (your number)
New Destination Network: Zone Assignment   VPN
New Destination Network: Type              Network
New Destination Network: Network           172.20.__.0
New Destination Network: Netmask           255.255.255.0
IKE Exchange Mode                          Aggressive


(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to VPN > Settings.
2. In the VPN Policies section, click Add. The VPN Policy window
appears.
3. In the Name box, type:
Site __ to Site __ VPN tunnel
(The lower student number should be first, followed by the
larger student number.)
4. In the IPsec Primary Gateway Name or Address box, type the IP
address of your partner’s WAN interface.
5. In the Shared Secret and Confirm Shared Secret boxes, type:
training
6. From the Local IKE ID drop-down list, select Firewall Identifier.
7. In the Local IKE ID: Firewall Identifier box, type:
Site __ (your number)
8. From the Peer IKE ID drop-down list, select Firewall Identifier.
9. In the Peer IKE ID: Firewall Identifier box, type:
Site __ (your partner’s number)
10. Click the Network tab.
11. In the Local Networks section, select LAN Subnets from the
drop-down list.
12. In the Destination Networks section, select Create new address
object from the drop-down list.
13. In the Add Address Object window, in the Name box, type:
Site __ Network (your partner’s number)
14. From the Zone Assignment drop-down list, select VPN.
15. From the Type drop-down list, select Network.
16. In the Network box, type:
172.20.__.0 (your partner’s number)
17. In the Netmask box, type:
255.255.255.0
18. Click OK.

19. Click the Proposals tab.


20. Leave all the settings at the default values. Make sure all other sites
match your settings.
21. Click the Advanced tab.
22. In the Enable Keep Alive box, you and your partner should agree on
who will provide Keep Alive.
23. Click OK.

Wait for your partner to complete this task before moving on.

CHALLENGE YOURSELF TASK 2: Verifying Connectivity Using the Site-to-Site VPN

Verify if the VPN tunnel is established yet. Send a ping to your partner’s Espresso Web server at
172.20.__.102 (your partner’s number).

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Refresh the VPN > Settings page.

In the Currently Active VPN Tunnels section, there are no active VPN
tunnels.

2. Go to Start > Run.

3. Type cmd and click OK.

4. In the command prompt, type:
ping 172.20.__.102 (your partner’s number).

Successful replies are received from your partner’s Web server.

5. Refresh the VPN > Settings page.

In the Currently Active VPN Tunnels section, there is an active tunnel
between your Dell SonicWALL appliance and your partner’s appliance.

CHALLENGE YOURSELF TASK 3: Accessing File Shares Across the VPN


Test whether you can access the file shared on your partner’s file server using
\\172.20.__.101\Shared (your partner’s number).

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Go to Start > Run.
2. In the Open box, type:
\\172.20.__.101\Shared (your partner’s number)
3. Click OK.
4. In the Connecting to 172.20.__.101 dialog box, in the User name
box, type:
salesuser
5. In the Password box, type:
training
6. Click OK.

The shared folder for your partner’s file server appears, demonstrating
that you have shared folder access across the VPN.

7. Close the Shared on Training (172.20.__.101) window.


Secure Access - Exercise 4.1a (Optional) - Hub & Spoke VPN Settings

Exercise 4.1a (Optional) - Hub & Spoke VPN Settings


Optional exercise as time permits:
EchoFloor Manufacturing would like secure communication between several satellite offices to the main
office called the Hub and to securely authenticate the traveling employees. They also want strong
user-specific content filtering policies. All of these security measures must be transparent to the user.

Tasks
1. Configuring a Hub and Spoke VPN
2. Verifying Connectivity Using the Site-to-Site VPN

CHALLENGE YOURSELF TASK 1: Configuring a Hub and Spoke VPN
Set up a Hub and Spoke A VPN and Hub to Spoke C VPN. Perform the following tasks on the Hub
management workstation. (Your instructor will assign who will perform the Hub VPN, Spoke A VPN,
and Spoke C VPN configurations.)

Hub VPN Policy Names                       Hub to Spoke A VPN tunnel
                                           Hub to Spoke C VPN tunnel
                                           Spoke A to Hub VPN tunnel
                                           Spoke C to Hub VPN tunnel
IPsec Primary Gateway                      Hub WAN interface IP address
                                           Spoke A WAN interface IP address
                                           Spoke C WAN interface IP address
Shared Secret                              training
Local IKE ID                               Firewall Identifier
Firewall Identifier                        Hub or Spoke A or Spoke C
Peer IKE ID                                Firewall Identifier
Firewall Identifier                        Hub or Spoke A or Spoke C
Local Network                              LAN Subnets
Destination Networks                       Create new address objects
                                           Create new address object groups
New Destination Network: Name              Hub Network
                                           Spoke A Network
                                           Spoke C Network
New Destination Network: Zone Assignment   VPN
New Destination Network: Type              Network
New Destination Network: Network           172.20.__.0 (Hub, Spoke A, Spoke C)
New Destination Network: Netmask           255.255.255.0
IKE Exchange Mode                          Aggressive


Hub VPN Configuration

1. From the left navigation menu, go to Network > Address Objects.
2. In the Address Objects section, click Add.
3. In the Name box, type:
Spoke A Network
4. In the Zone Assignment drop-down list, select VPN.
5. In the Type drop-down list, select Network.
6. In the Network box, type the LAN network address for Spoke A:
172.20.__.0 (LAN of spoke A)
7. In the Netmask box, type:
255.255.255.0
8. Click Add.
9. Configure the next Address Object for Spoke C.
10. In the Name box, type:
Spoke C Network
11. In the Zone Assignment drop-down list, select VPN.
12. In the Type drop-down list, select Network.
13. In the Network box, type the LAN network address for Spoke C:
172.20.__.0 (LAN of spoke C)
14. In the Netmask box, type:
255.255.255.0
15. Click Add.
16. Click Close.
17. In the Address Group section, click Add.
18. In the Name box, type:
Hub and Spoke C Group
19. In the left window, select LAN Subnets and Spoke C Network, and
click -> to move the entries to the window on the right.
20. Click OK.
21. In the Address Group section, click Add.
22. In the Name box, type:
Hub and Spoke A Group
23. In the left window, select LAN Subnets and Spoke A Network, and
click -> to move the entries to the window on the right.
24. Click OK.

1. From the left navigation menu, go to VPN > Settings.

2. In the VPN Policies section, click Add. The VPN Policy window
appears.
3. In the Name box, type:
Hub to Spoke A VPN tunnel
4. In the IPsec Primary Gateway Name or Address box, type the IP
address of Spoke A WAN interface.
5. In the Shared Secret and Confirm Shared Secret boxes, type:
training
6. From the Local IKE ID drop-down list, select Firewall Identifier.
7. In the Local IKE ID: Firewall Identifier box, type:
Hub
8. From the Peer IKE ID drop-down list, select Firewall Identifier.
9. In the Peer IKE ID: Firewall Identifier box, type:
Spoke A
10. Click the Network tab.
11. In the Local Networks section, click Choose local network from list
Address, and select LAN Subnets and Spoke C from the drop-down
list.
12. In the Destination Networks section, select Spoke A Network from
the drop-down list.
13. On the Proposals tab, leave all values at default. (Make sure all Spokes
match the Hub values.)
14. Click the Advanced tab.
15. As the Hub, select Enable Keep Alive.
16. Click OK.

17. In the VPN Policies section, click Add (to add spoke C tunnel).
18. In the Name box, type:
Hub to Spoke C VPN tunnel
19. In the IPsec Primary Gateway Name or Address box, type the IP
address of Spoke C WAN interface.
20. In the Shared Secret and Confirm Shared Secret boxes, type:
training

21. From the Local IKE ID drop-down list, select Firewall Identifier.
22. In the Local IKE ID: Firewall Identifier box, type:
Hub
23. From the Peer IKE ID drop-down list, select Firewall Identifier.
24. In the Peer IKE ID: Firewall Identifier box, type:
Spoke C
25. Click the Network tab.
26. In the Local Networks section, click Choose local network from list
Address, and select Hub and Spoke A Group from the drop-down list.
27. In the Destination Networks section, select Spoke C Network from
the drop-down list.
28. On the Proposals tab, leave all values at default. (Make sure all Spokes
match the Hub values.)
29. Click the Advanced tab.
30. As the Hub, select Enable Keep Alive.
31. Click OK.

Wait for Spoke A and Spoke C to complete their task before moving on.

Spoke A VPN Configuration


1. From the left navigation menu, go to Network > Address Objects.
2. In the Address Objects section, click Add.

3. In the Name box, type:
Hub Network
4. In the Zone Assignment drop-down list, select VPN.
5. In the Type drop-down list, select Network.
6. In the Network box, type the LAN network address for the Hub:
172.20.__.0 (LAN of Hub)
7. In the Netmask box, type:
255.255.255.0
8. Click Add.
9. Configure the next Address Object for Spoke C.
10. In the Name box, type:
Spoke C Network
11. In the Zone Assignment drop-down list, select VPN.
12. In the Type drop-down list, select Network.
13. In the Network box, type the LAN network address for Spoke C:
172.20.__.0 (LAN of Spoke C)
14. In the Netmask box, type:
255.255.255.0
15. Click Add.
16. Click Close.

17. In the Address Group section, click Add.

18. In the Name box, type:
Hub and Spoke C Group
19. In the left window, select Hub Network and Spoke C Network and
click -> to move the entries to the window on the right.
20. Click OK.
21. From the left navigation menu, go to VPN > Settings.

22. In the VPN Policies section, click Add. The VPN Policy window
appears.

23. In the Name box, type:
Spoke A to Hub VPN Tunnel
24. In the IPsec Primary Gateway Name or Address box, type the IP
address of the Hub WAN interface.
25. In the Shared Secret and Confirm Shared Secret boxes, type:
training
26. From the Local IKE ID drop-down list, select Firewall Identifier.
27. In the Local IKE ID: Firewall Identifier box, type:
Spoke A
28. From the Peer IKE ID drop-down list, select Firewall Identifier.
29. In the Peer IKE ID: Firewall Identifier box, type:
Hub
30. Click the Network tab.

31. In the Local Networks section, click Choose local network from list
Address, and from the drop-down list, select LAN Subnets.
32. In the Destination Networks section, select Hub and Spoke C
Group from the drop-down list.
33. On the Proposals tab, leave all values at default. (Make sure all Spokes
match the Hub values.)

34. Click the Advanced tab.
35. The Hub has selected Enable Keep Alive.
36. Click OK.

Wait for Hub and Spoke A to complete their task before moving on.

Spoke C VPN Configuration

1. From the left navigation menu, go to Network > Address Objects.


2. In the Address Objects section, click Add.

3. In the Name box, type:
Hub Network
4. In the Zone Assignment drop-down list, select VPN.
5. In the Type drop-down list, select Network.
6. In the Network box, type the LAN network address for the Hub:
172.20.__.0 (LAN of Hub)
7. In the Netmask box, type:
255.255.255.0
8. Click Add.
9. Configure the next Address Object for Spoke A.
10. In the Name box, type:
Spoke A Network
11. In the Zone Assignment drop-down list, select VPN.
12. In the Type drop-down list, select Network.
13. In the Network box, type the LAN network address for Spoke A:
172.20.__.0 (LAN of Spoke A)
14. In the Netmask box, type:
255.255.255.0
15. Click Add.
16. Click Close.
17. In the Address Group section, click Add.
18. In the Name box, type:
Hub and Spoke A Group
19. In the left window, select Hub Network and Spoke A Network and
click -> to move the entries to the window on the right.
20. Click OK.
21. From the left navigation menu, go to VPN > Settings.

22. In the VPN Policies section, click Add. The VPN Policy window
appears.

23. In the Name box, type:
Spoke C to Hub VPN Tunnel
24. In the IPsec Primary Gateway Name or Address box, type the IP
address of the Hub WAN interface.
25. In the Shared Secret and Confirm Shared Secret boxes, type:
training
26. From the Local IKE ID drop-down list, select Firewall Identifier.
27. In the Local IKE ID: Firewall Identifier box, type:
Spoke C
28. From the Peer IKE ID drop-down list, select Firewall Identifier.
29. In the Peer IKE ID: Firewall Identifier box, type:
Hub
30. Click the Network tab.

31. In the Local Networks section, click Choose local network from list
Address, and from the drop-down list, select LAN Subnets.
32. In the Destination Networks section, select Hub and Spoke A from
the drop-down list.
33. On the Proposals tab, leave all values at default. (Make sure all Spokes
match the Hub values.)
34. Click the Advanced tab.

35. The Hub has selected Enable Keep Alive.
36. Click OK.

Wait for Hub and Spoke A to complete their task before moving on.
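
The four policies entered in this exercise depend on each other: each policy's Local Networks must equal its peer's Destination Networks and the IKE IDs must be mirrored, and spoke-to-spoke traffic passes the Hub only because each Hub policy lists the other spoke as a local network. The Python model below is an added example, not part of the Dell SonicWALL guide or of any SonicWALL tool; the student numbers (Hub = 1, Spoke A = 2, Spoke C = 3) are constructed, the names `VpnPolicy`, `validate`, `covers` and `spoke_to_spoke_ok` are hypothetical, and it assumes standard IPsec behaviour in which a tunnel carries only traffic that falls inside its policy's networks.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed lab numbering (assumption): Hub = 1, Spoke A = 2, Spoke C = 3,
# filling in the 172.20.__.0 / 255.255.255.0 LANs from the exercise.
LANS = {
    "Hub": ip_network("172.20.1.0/24"),
    "Spoke A": ip_network("172.20.2.0/24"),
    "Spoke C": ip_network("172.20.3.0/24"),
}


@dataclass(frozen=True)
class VpnPolicy:
    """One VPN policy as typed into one appliance (hypothetical model)."""
    name: str
    site: str                        # appliance the policy lives on
    peer_site: str                   # appliance at the IPsec Primary Gateway
    local_ike_id: str                # Local IKE ID: Firewall Identifier
    peer_ike_id: str                 # Peer IKE ID: Firewall Identifier
    shared_secret: str
    local_networks: frozenset        # Network tab, Local Networks
    destination_networks: frozenset  # Network tab, Destination Networks


def nets(*sites):
    """Expand site names (an address object or group) into their LANs."""
    return frozenset(LANS[s] for s in sites)


def exercise_policies():
    """The four policies of Exercise 4.1a, with address groups expanded."""
    return [
        VpnPolicy("Hub to Spoke A VPN tunnel", "Hub", "Spoke A", "Hub", "Spoke A",
                  "training", nets("Hub", "Spoke C"), nets("Spoke A")),
        VpnPolicy("Hub to Spoke C VPN tunnel", "Hub", "Spoke C", "Hub", "Spoke C",
                  "training", nets("Hub", "Spoke A"), nets("Spoke C")),
        VpnPolicy("Spoke A to Hub VPN Tunnel", "Spoke A", "Hub", "Spoke A", "Hub",
                  "training", nets("Spoke A"), nets("Hub", "Spoke C")),
        VpnPolicy("Spoke C to Hub VPN Tunnel", "Spoke C", "Hub", "Spoke C", "Hub",
                  "training", nets("Spoke C"), nets("Hub", "Spoke A")),
    ]


def validate(policies):
    """Map each policy name to the mismatches against its peer's policy."""
    by_pair = {(p.site, p.peer_site): p for p in policies}
    report = {}
    for p in policies:
        problems = []
        q = by_pair.get((p.peer_site, p.site))
        if q is None:
            problems.append(f"no policy on {p.peer_site} pointing back at {p.site}")
        else:
            if p.shared_secret != q.shared_secret:
                problems.append("shared secret differs from peer")
            if p.peer_ike_id != q.local_ike_id:
                problems.append(f"Peer IKE ID {p.peer_ike_id!r} is not the peer's "
                                f"Local IKE ID {q.local_ike_id!r}")
            if p.local_networks != q.destination_networks:
                problems.append("Local Networks do not mirror the peer's "
                                "Destination Networks")
        if any(a.overlaps(b) for a in p.local_networks
               for b in p.destination_networks):
            problems.append("a network is on both sides of the tunnel")
        report[p.name] = problems
    return report


def covers(policy, src_net, dst_net):
    """True if src_net -> dst_net falls inside the policy's networks."""
    return (any(src_net.subnet_of(n) for n in policy.local_networks)
            and any(dst_net.subnet_of(n) for n in policy.destination_networks))


def spoke_to_spoke_ok(policies, src, dst, hub="Hub"):
    """Check all four policy lookups on the path src spoke -> hub -> dst spoke."""
    by_pair = {(p.site, p.peer_site): p for p in policies}
    s, d = LANS[src], LANS[dst]
    try:
        return (covers(by_pair[(src, hub)], s, d)       # spoke sends into its tunnel
                and covers(by_pair[(hub, src)], d, s)   # hub accepts it from that tunnel
                and covers(by_pair[(hub, dst)], s, d)   # hub sends on to the far spoke
                and covers(by_pair[(dst, hub)], d, s))  # far spoke accepts it
    except KeyError:
        return False


if __name__ == "__main__":
    for name, problems in validate(exercise_policies()).items():
        print(name, "->", problems or "mirrors its peer")
    print("Spoke A <-> Spoke C via Hub:",
          spoke_to_spoke_ok(exercise_policies(), "Spoke A", "Spoke C"))
```

Selecting only LAN Subnets as the Hub's local network for the Spoke A tunnel, instead of the group that also contains Spoke C, is reported as a mirror mismatch on the Hub policy and breaks Spoke A to Spoke C traffic.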

CHALLENGE YOURSELF TASK 2: Verifying Connectivity Using the Hub and Spoke VPN
Verify that the VPN tunnel is established. Send a ping to the Hub, Spoke A, and Spoke C Espresso
Web server at 172.20.__.102.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Refresh the VPN > Settings page.

In the Currently Active VPN Tunnels section, there are no active VPN
tunnels.

2. Go to Start > Run.

3. Type cmd and click OK.

4. In the command prompt, type:
ping 172.20.__.102 (Hub, Spoke A, Spoke C number)

Successful replies are received from your partner’s Web server.

5. Refresh the VPN > Settings page.

In the Currently Active VPN Tunnels section, there is an active tunnel
between your Dell SonicWALL appliance and your spokes appliance.

CHALLENGE YOURSELF TASK 3: Deleting the Hub and Spoke VPN Tunnel
Delete the Hub to Spoke A VPN and Hub to Spoke C VPN tunnels from the management
workstations.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the VPN > Settings page, select the Hub and Spoke VPN tunnels
check box.
2. Click Delete.
3. Click OK.

Secure Access - Exercise 4.2 - Route Based VPN

Exercise 4.2 - Route Based VPN

Using Route Based VPN


Route Based VPN configuration is a two-step process. The first step involves creating a Tunnel Interface.
The encryption suites used to secure the traffic between two end-points are defined in the Tunnel Interface.
The second step involves creating a static route using the Tunnel Interface.
The Tunnel Interface is created when a Policy of type “Tunnel Interface” is added for the remote gateway.
The Tunnel Interface must be bound to a physical interface and the IP address of that physical interface is
used as the source address of the tunneled packet.
A Static Route ties the traffic (source, destination, and service) to the Tunnel Interface. Any number of
overlapping static routes can be added for the tunneled traffic. When networks are added or removed from
the topology, the static routes only need to be updated accordingly; the tunnel interface configuration does
not need to be updated.

Tasks
1. Change the existing Site-to-Site VPN to a Route Based VPN
2. Create a static route for the tunnel interface.
3. Verify connectivity through the route based VPN.
4. Delete the existing VPN Tunnel.

CHALLENGE YOURSELF TASK 1: Change the existing Site-to-site VPN to a Route Based VPN
In order to create a route based VPN, you will modify the VPN policy created in 4.1, then add a
Route to your lab partner’s IP Address.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to VPN > Settings.
2. Locate the existing VPN tunnel created in lab 4.1 and click configure.

3. Change the Policy Type from Site-To-Site to Tunnel Interface.

4. Click on Add.

CHALLENGE YOURSELF TASK 2: Creating a Static Route for Tunnel Interface

After you have successfully added a Tunnel Interface, you may then create a Static Route. Follow the
procedures to create a Static Route for a Tunnel Interface:

1. Navigate to Network > Routing.
2. Click the Add button. A dialog window appears for adding Static Route.
3. From the Source drop-down list, select LAN Subnet.
4. From the Destination drop-down list, select Partner site.
5. From the Service drop-down list, leave Any.
6. For Gateway, leave the default value of 0.0.0.0.

7. From the Interface drop-down list, select the tunnel interface.

Note: If the “Auto-add Access Rule” option is selected, firewall rules are automatically added and traffic is
allowed between the configured networks using tunnel interface.

8. Click on OK.

CHALLENGE YOURSELF TASK 3: Verifying Connectivity through the route-based VPN


Verify that the VPN tunnel is established. Send a ping to your partner’s Espresso Web server at
172.20.__.102.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. Refresh the VPN > Settings page.

In the Currently Active VPN Tunnels section, there are no active VPN
tunnels.

2. Go to Start > Run.

3. Type cmd and click OK.

4. In the command prompt, type:
ping 172.20.__.102 (Partner number)

Successful replies are received from your partner’s Web server.

5. Refresh the VPN > Settings page.

In the Currently Active VPN Tunnels section, there is an active tunnel
between your Dell SonicWALL appliance and your partner’s appliance.

CHALLENGE YOURSELF TASK 4: Deleting the existing VPN Tunnel

Delete the Site-to-Site __ VPN tunnel from both management workstations.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the VPN > Settings page, select the check box for the Site __ to
Site __ VPN tunnel.
2. Click Delete.
3. Click OK.


Secure Access - Exercise 4.3 (Optional) - Global VPN Client with Local Database

Exercise 4.3 (Optional) - Global VPN Client with Local Database


Optional exercise as time permits:
EchoFloor Manufacturing wants to authenticate remote users before they can establish a VPN connection to
the corporate network. EchoFloor does not have a separate authentication server. The Dell SonicWALL
appliance local database will be used to authenticate the remote users.
You will work with your partner in this exercise: one partner being the GVC client workstation and the other
partner being the VPN server.
Before starting this exercise, remove all existing VPN connections and policies.

Tasks
1. Installing the Global VPN Client.
2. Configuring a New GVC Connection.
3. Configuring the WAN GroupVPN Policy.
4. Configuring a Local User for GVC Access.
5. Validating the GVC Connection to the SonicWALL.

CHALLENGE YOURSELF TASK 1: Installing the Global VPN Client
On the GVC client workstation, install the Dell SonicWALL Global VPN Client (GVC) from the GVC
folder in the Course Materials folder on the management workstation desktop.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the GVC client workstation, from the desktop, open the Course
Materials\GVC folder.

2. Double-click setup.exe. The Dell SonicWALL Global VPN Client -
InstallShield Wizard appears.

3. Click Next twice.

4. On the License Agreement page, accept the license terms, and then
click Next twice.

5. Click Install.

Dell SonicWALL Global VPN Client installs on the workstation.

6. Once the setup is complete, click Finish.

7. Close the GVC folder.

CHALLENGE YOURSELF TASK 2: Configuring a New GVC Connection


On the GVC client workstation, configure GVC to connect your partner’s Dell SonicWALL appliance,
which will be configured as a VPN.

IP Address or Domain Name     Your partner’s WAN IP address
Connection Name               Site __ VPN (your partner’s number)
Create a desktop shortcut     Yes (selected)

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the GVC client workstation, go to Start > Programs > SonicWALL
Global VPN Client. The New Connection Wizard appears.
2. Click Next. The Choose Scenario page appears.
3. Leave the Remote Access option selected, and then click Next. The
Remote Access page appears.
4. In the IP Address or Domain Name box, type the IP address of your
partner’s WAN interface.
5. In the Connection Name box, type:
Site __ VPN (your partner’s number)
6. Click Next. The Completing the New Connection Wizard page appears.
7. Select the Create a desktop shortcut for this connection check box.
8. Click Finish.
9. Close the Dell SonicWALL Global VPN Client window.

The Dell SonicWALL Global VPN Client Hide Notification window appears.
10. Select the Don’t show me this message again check box.
11. Click OK.

CHALLENGE YOURSELF TASK 3: Configuring the WAN GroupVPN Policy

On the VPN workstation, set up the SonicWALL WAN GroupVPN policy settings to allow connections
from your partner’s GVC.

Enable VPN                                        Yes (selected)
Authentication Method                             IKE using Preshared Secret
Shared Secret                                     training
Require Authentication of VPN Clients via XAUTH   Yes (selected)
User Group for XAUTH users                        Create a new group
New group: Name                                   GVC Group
New group: Networks                               LAN Subnets

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the VPN workstation, from the left navigation menu, go to
VPN > Settings.
2. Leave the Enable VPN check box selected.

3. In the VPN Policies section, select the Enable check box for the WAN
GroupVPN policy.

4. Click the Configure icon for the WAN GroupVPN policy. The VPN
Policy window appears.
5. From the Authentication Method drop-down list, leave IKE using
Preshared Secret selected.
6. Edit the Shared Secret box to show:
training
7. Click the Advanced tab.
8. In the Client Authentication section, leave the Require
Authentication for VPN Clients Via XAUTH check box selected.

9. From the User Group for XAUTH users drop-down list, select Create
a new user group. The Add Group window appears.

10. In the Name box, type:
GVC Group
11. Click the VPN Access tab.
12. In the Networks list, select LAN Subnets, and then click the -> button.
13. Click OK. The new group is created.
14. In the VPN Policy window, click the Client tab.
15. In the User Name and Password Caching section, verify that Never is selected in the drop-down list.
16. In the Clients Connections section, from the Virtual Adapter settings drop-down list, select DHCP Lease.
17. From the Allow Connections to drop-down list, select This Gateway Only.
18. Select the Set Default Route as this Gateway check box. Doing so will expose a new check box: Apply VPN Access Control List.
19. Click OK.
20. From the left navigation menu, go to VPN > DHCP over VPN.
21. Click the Configure button. The DHCP Relay settings window appears.

22. Select the Use Internal DHCP Server check box.
23. Select the For Global VPN Client check box.
24. Click OK.

CHALLENGE YOURSELF TASK 4: Configuring a Local User for GVC Access

On the VPN workstation, create a local user on the Dell SonicWALL appliance, and then make the user a member of the GVC Group created in the previous task.

Name          GVCUser
Password      training
User Groups   GVC Group

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. On the VPN workstation, from the left navigation menu, go to Users > Local Users.
2. Click Add User.
3. In the Name box, type:
GVCUser
4. In the Password and Confirm Password boxes, type:
training
5. Click the Groups tab.
6. In the User Groups list, select GVC Group, and then click the -> button.
7. Click OK.

CHALLENGE YOURSELF TASK 5: Validating the GVC Connection to the Dell SonicWALL
Appliance
On the GVC client workstation, launch the Connection to Site __ VPN icon on the desktop. Establish
a connection with your partner’s appliance by logging in as GVCUser, and then access resources by
browsing to the \\172.20.__.101\Shared folder.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the GVC client workstation, double-click the Connection to Site __ VPN icon on the desktop. The Site __ VPN window appears.
2. In the Pre-Shared Key box, type:
training
3. Click OK.

The Site __ VPN dialog box appears.

4. In the Username box, type:
GVCUser
5. In the Password box, type:
training
6. Click OK.

You might need to enter the user credentials twice.

A VPN connection is established with your partner’s VPN server.

7. Go to Start > Run.
8. Type cmd and click OK.
9. In the command prompt, type:
ping 172.20.__.102 (your partner’s number)

Four successful ping responses are returned.

10. Go to Start > Run.
11. In the Open box, type:
\\172.20.__.101\Shared (using your partner’s number)
12. Click OK.

The shared folder for your partner’s file server appears, demonstrating that you have shared folder access across the VPN connection.

13. Close the Shared on Training (172.20.__.101) window.
14. Close the command prompt.
15. Right-click the SonicWALL VPN icon in the system tray, and then select Disable > Site __ VPN.

Exercise 4.4 - SSL VPN with Local Database


EchoFloor Manufacturing wants to authenticate the remote users before they can establish a VPN connection
to the corporate network. EchoFloor does not have a separate authentication server. The Dell SonicWALL
appliance local database will be used to authenticate the remote users.
You will work with your partner in this exercise: one partner being the SSL VPN client workstation and the
other partner being the VPN server.

Tasks

1. Enable HTTPS User Login WAN Interface
2. Validating the SSL VPN Connection to the SonicWALL

CHALLENGE YOURSELF TASK 1: Enable HTTPS User Login WAN Interface

1. From the left navigation menu, go to Network > Interfaces.
2. Click the Configure icon for the X1 Interface used for SSL VPN access.
3. In the WAN Interface Setting for User Login, select the HTTPS box.
4. Click OK.
5. From the left navigation menu, go to SSLVPN > Server Settings.

6. In the SSLVPN Status on Zones section, click WAN to enable the WAN zone for SSL VPN access.
7. Click Accept.
8. Go to SSLVPN > Client Settings. In the SSLVPN Client Address Range section, select X0 in the Interface drop-down list.
9. In the NetExtender Start IP box, type:
172.20._.5 (your LAN IP network)
10. In the NetExtender End IP box, type:
172.20._.20
11. In the DNS Server 1 box, click the Default DNS Settings button.
12. In the User Domain box, type:
LocalDomain
13. Click Accept.
14. From the left navigation menu, go to SSLVPN > Client Routes.
15. In the Add client routes drop-down list, select the LAN Primary Subnet. *

Note: The LAN Primary Subnet is an Address Group specific to TZ appliances. NSA appliances use the X0 Subnet.

16. Click Accept.
17. From the left navigation menu, go to SSLVPN > Portal Settings.

18. Select the Enable HTTP meta tags for cache control (recommended) check box.
19. Select the Display Import Certificate check box (Best Practice).
20. Click Accept.
21. From the left navigation menu, go to Users > Local Users.

22. Click the Add User button.
23. In the Name box, type:
joe
24. In the Password and Confirm Password boxes, type:
password
25. Click the Groups tab.
26. In the left window, select SSLVPN Services, and click -> to move the entries to the window on the right.
27. Click the VPN Access tab.
28. In the left window, select LAN Subnets, and click -> to move the entries to the window on the right.
29. Click OK.

CHALLENGE YOURSELF TASK 2: Validating the SSL VPN Connection to the Dell
SonicWALL Appliance
On the SSL VPN client workstation, open a browser window to your partner’s appliance WAN IP.
Log in and click NetExtender. Open a cmd window and ping the Espresso server.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the SSL VPN workstation, from the desktop, open a browser session with Internet Explorer.
2. Browse to https://Partner_IP_Address:4433.
3. Click the Continue to this website (not recommended) link displayed on the screen.
4. In the User Name box, type:
joe
5. In the Password box, type:
password
6. Leave LocalDomain for the Domain drop-down list.
7. Click Login. The Dell SonicWALL Virtual Office portal page appears.
8. Click the NetExtender icon to launch the SSLVPN session.
9. In the web browser, click Install ActiveX Control.
10. Click the NetExtender icon again to launch the SSLVPN session.
11. Click Install on the Internet Explorer – Security Warning pop-up screen. The Dell SonicWALL SSL-VPN NetExtender window appears.

TIP: Configure the silent settings profile under Client Setting > Net Extender > Create Client Setting profile. This will automatically fill in client field information.

12. Open a cmd (DOS) window and ping your partner’s Espresso web server
(172.20._.102).
13. From your partner’s left navigation menu, go to SSLVPN > Status.
Note that “joe” has an Active SSLVPN Session with an IP address from
the SSLVPN pool.

14. On the SSLVPN host PC, disconnect joe from the SSL VPN session.
15. From your partner’s left navigation menu, go to SSLVPN > Status and click the Refresh button. Note that there are no active sessions.
16. From the left navigation menu, go to Users > Local Users.
17. From the list of Local Users, delete joe. The confirm delete window appears.
18. Click OK.

Exercise 4.5 - SSL VPN with LDAP Authentication


The customer employee base has grown significantly. The administrator has implemented a Domain
Controller (Microsoft Active Directory) for which users authenticate using LDAP. The customer does not want
to maintain two authentication databases. He is phasing out the Dell SonicWALL local database
authentication method and will use LDAP to authenticate his remote SSL VPN users.
You will continue to work with your partner: with one partner being the SSL VPN client workstation and the
other partner being the VPN server. However, both partners will configure the LDAP settings in Task 1 and
import the sales and engineering groups in Task 2.

Note: Verify that user “joe” is removed from the local database before doing this lab.

Tasks

1. Configuring LDAP Authentication
2. Importing LDAP Group
3. Validating SSL VPN Access Using an LDAP User

CHALLENGE YOURSELF TASK 1: Configuring LDAP Authentication

On both workstations, set up the Dell SonicWALL appliance to use LDAP as the authentication method, and then test the connection to the downstream LDAP server.

Authentication Method            LDAP
Name or IP address               172.20.__.101 (your number)
Anonymous login                  No (cleared)
Login user name                  administrator
Login password                   training
Use TLS (SSL)                    No (cleared)
Primary domain                   training.sonicwall.com
Test LDAP Settings: User         joe
Test LDAP Settings: Password     password

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. On both workstations, from the left navigation menu, go to
Users > Settings.
2. In the User Login Settings section, from the Authentication method
for login drop-down list, select LDAP.
3. Click Configure. The Base Dialog -- Webpage Dialog window
appears.

4. Click No. The LDAP Configuration window appears.
5. Click the Settings tab, in the Name or IP address box, type:
172.20.__.101 (your number)
6. Select the Give login name/location in tree radio button.
7. In the Login user name box, type:
administrator
8. In the Login password box, type:
training

9. Clear the Use TLS (SSL) check box. A warning dialog box appears.

10. Click OK.
11. Click the Schema tab.
12. Leave the default for the LDAP Schema section as Microsoft Active Directory.
13. Click the Directory tab.
14. In the Primary domain box, type:
training.sonicwall.com
15. Click anywhere in the window. A dialog box appears asking you to update the domain.
16. Click OK.
17. Leave the Referrals, LDAP Users, and LDAP Relay tabs with the default values.
18. Click the Test tab.
19. In the User box, type:
salesuser
20. In the Password box, type:
training
21. Click Test.

The Test Status field will display Awaiting reply from LDAP Server. After
a few seconds, the field will display LDAP authentication succeeded.

The Returned User Attributes box displays LDAP information about the user.

22. Click OK.

CHALLENGE YOURSELF TASK 2: Importing LDAP Group


On both workstations, import a group from the LDAP server to the Dell SonicWALL appliance, and then configure VPN access.

Groups to import        Engineering
                        Sales
VPN Access: Networks    LAN Subnets

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On both workstations, from the left navigation menu, go to Users > Local Groups.

A new button appears at the bottom of the page.

2. Click Import From LDAP. The LDAP Import User Groups window appears.
3. Select the Sales and Engineering check boxes.
4. Click Save Selected.

5. To configure an SSL VPN LDAP user by the name of Joe, navigate to the Users > Local Groups page and click the Configure icon for the SSLVPN Services group. The Edit Group window appears.

6. Click on the Members tab.
7. From the Non-Member Users and Groups window, select the engineering group and click -> to move the entries to the Members Users and Groups window.
8. Click the VPN Access tab.
9. In the left window, select LAN Subnets, and click -> to move the entries to the window on the right.
10. Click OK.


CHALLENGE YOURSELF TASK 3: Validating SSL VPN Access Using an LDAP User

On the SSL VPN client workstation, test the VPN access of the LDAP users that you imported in the previous task by logging into the SSL VPN as Joe.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the SSL VPN workstation, from the desktop, open a browser session with Internet Explorer.
2. Browse to https://Partner_IP_Address:4433
3. Click the Continue to this website (not recommended) link displayed on the screen.
4. In the User Name box, type:
joe
5. In the Password box, type:
password
6. Leave LocalDomain for the Domain drop-down list.

7. Click Login. The Dell SonicWALL Virtual Office portal page appears.
8. Click the NetExtender icon to launch the SSLVPN session.
9. If the web browser needs to install ActiveX control, click Install
ActiveX Control.
10. Click the NetExtender icon again to launch the SSLVPN session. The
Dell SonicWALL SSL-VPN NetExtender screen appears.

11. Open a cmd (DOS) window and ping your partner’s Espresso web server (172.20._.102).
12. From your partner’s left navigation menu, go to SSLVPN > Status. Note that “joe” has an Active SSLVPN Session with an IP address from the SSLVPN pool.
13. On the SSLVPN host PC, disconnect joe from the SSL VPN session.

Exercise 4.6 - Content Filtering Service with LDAP Authentication


EchoFloor Manufacturing wants to grant different CFS policies to different departments. The administrator
will modify the default CFS policy to block all the categories. The HR department will have access to a limited
number of Web categories, while the IT department will have access to all Web categories. Active Directory
will provide all the user and group information.
You will not work with a partner in this exercise. Each student should apply all settings in Tasks 1 - 7 to
their workstation environment.

Tasks

1. Configuring a Content Filtering Service Policy
2. Configuring an Open CFS Policy
3. Modifying the Default CFS Policy to Block All Categories
4. Applying CFS Policies to the HR and IT Groups
5. Creating a Firewall Access Rule
6. Enabling HTTPS User Login
7. Validating the CFS Policies

CHALLENGE YOURSELF TASK 1: Configuring a Content Filtering Service Policy


Set up a Content Filtering Service (CFS) policy on the Dell SonicWALL appliance for the HR staff.

Content Filter Type                 SonicWALL CFS
Message to Display when Blocking    EchoFloor Manufacturing has blocked this site using the SonicWALL Content Filter Service.
CFS Policy Name                     HR CFS Policy
Select all Categories               Yes (selected)
Allowed Categories                  11. Gambling
                                    14. Arts/Entertainment
                                    15. Business and Economy
                                    17. Education
                                    20. Online Banking
                                    27. Information Technology/Computers
                                    33. News and Media
                                    40. Real Estate
                                    45. Travel

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. From the left navigation menu, go to Security Services > Content Filter.
2. In the Content Filter Type section, leave Content Filter Service selected in the drop-down list.
3. Search for the following text in the Web Page to Display when
Blocking box:
This site has been blocked by the network administrator.
4. Replace the text with:
EchoFloor Manufacturing has blocked this site using the
SonicWALL Content Filtering Service

5. Click Accept.
6. In the Content Filter Type section, click Configure. The Dell SonicWALL Filter Properties window appears.
7. Select the Policy tab, and then click Add. The Add CFS Policy window appears.

8. In the Name box, type:


HR CFS Policy
9. Click the URL List tab.

10. Leave the Select all Categories check box selected.
11. Clear the 11. Gambling check box.
12. Clear the 14. Arts/Entertainment check box.
13. Clear the 15. Business and Economy check box.
14. Clear the 17. Education check box.
15. Clear the 20. Online Banking check box.
16. Clear the 27. Information Technology/Computers check box.
17. Clear the 33. News and Media check box.
18. Clear the 40. Real Estate check box.
19. Clear the 45. Travel check box.
20. Click OK.

CHALLENGE YOURSELF TASK 2: Configuring an Open CFS Policy


Set up an open CFS policy for the EchoFloor IT staff.

CFS Policy Name IT CFS Policy

Select all Categories No (cleared)

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the Policy tab, click Add.
2. In the Name box, type:
IT CFS Policy
3. Click the URL List tab.
4. Clear the Select all Categories check box.
5. Click OK.

CHALLENGE YOURSELF TASK 3: Modifying the Default CFS Policy to Block All Categories

Change the default CFS policy on the Dell SonicWALL appliance to block all categories.

Policy                   Default
Select all Categories    Yes (selected)

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. On the Policy tab, click the Configure icon for the Default policy.
2. Click the URL List tab.
3. Select the Select all Categories check box.
4. Click OK.
5. On the Dell SonicWALL Filter Properties page, click OK.

CHALLENGE YOURSELF TASK 4: Applying CFS Policies to the HR and IT Groups


Import groups from your LDAP server to the Dell SonicWALL appliance, and then apply the CFS
policies you configured in the previous tasks.

Groups to Import    HR
                    IT
HR: CFS Policy      HR CFS Policy
IT: CFS Policy      IT CFS Policy

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Users > Local Groups.
2. Click Import from LDAP.
3. Select the HR and IT check boxes.
4. Click Save Selected.
5. Click the Configure icon for the HR group.
6. Click the CFS Policy tab.
7. From the Policy drop-down list, select HR CFS Policy.
8. Click OK.
9. Click the Configure icon for the IT group.
10. Click the CFS Policy tab.
11. From the Policy drop-down list, select IT CFS Policy.
12. Click OK.

CHALLENGE YOURSELF TASK 5: Creating a Firewall Access Rule


Create a LAN to WAN firewall access rule to allow HTTP access for authenticated users.

Service          HTTP
Source           LAN Subnets
Destination      Any
Users Allowed    Trusted Users

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Firewall > Access Rules.
2. Select the Matrix view style.
3. Click the Configure icon for the LAN to WAN access rule. The Access Rules (LAN > WAN) page appears.
4. Click Add.
5. From the Service drop-down list, select HTTP.
6. From the Source drop-down list, select LAN Subnets.
7. From the Destination drop-down list, select Any.
8. From the Users Allowed drop-down list, select Trusted Users.
9. Click Add.
10. Click Close.

CHALLENGE YOURSELF TASK 6: Enabling HTTPS User Login


Configure the LAN interface to enable HTTPS user login.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. From the left navigation menu, go to Network > Interfaces.
2. Click the Configure icon for the X0 interface.
3. In the User Login row, verify that the HTTPS check box is selected.
4. Click OK.

CHALLENGE YOURSELF TASK 7: Validating the CFS Policies


Validate both LDAP authentication and the CFS policies by using the Coffee VMware image to
attempt connection to www.microsoft.com, www.bankofamerica.com and www.hotjobs.com using
three different user accounts. Document whether the user is able to access each site.

User         Web site                  Accessible?
salesuser    www.microsoft.com
             www.bankofamerica.com
             www.hotjobs.com
hruser       www.microsoft.com
             www.bankofamerica.com
             www.hotjobs.com
ituser       www.microsoft.com
             www.bankofamerica.com
             www.hotjobs.com

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. On the Coffee VMware image, open Internet Explorer.
2. Go to http://www.microsoft.com.
3. If you receive the Microsoft Phishing Filter dialog box, select the Turn off automatic Phishing Filter option, and then click OK.

An Authentication Required page appears.

4. Click the Click here to log in link.

Because the appliance is configured to use a self-signed certificate, you must accept the certificate.

5. Click Continue to this website (not recommended).
6. On the Network Security Login page, in the Username box, type:
salesuser
7. In the Password box, type:
training
8. Click Login.
9. Minimize the User Login Status window.

Salesuser is blocked from viewing Web pages with the category Information Technologies/Computers.

10. In Internet Explorer, go to http://www.bankofamerica.com.


Salesuser is blocked from viewing Web pages with the category Online
Banking.
11. In Internet Explorer, go to http://www.hotjobs.com.
Salesuser is blocked from viewing Web pages with the category Job
Search. Salesuser is currently blocked from all Web pages due to the
default CFS policy.

12. Restore the User Login Status window, and then click Logout.
13. Close Internet Explorer, and then go to Start > Log off.
14. Click Log Off.
15. Repeat steps 3 through 20 for hruser and document the results for each Web site. You may need to retype the URL after authentication.
Hruser is able to view the Microsoft and Bank of America Web pages; however, the user is blocked from Web pages with the category Job Search due to the HR CFS policy.
16. Repeat steps 3 through 20 for ituser and document the results for each Web site.
Ituser is able to view all Web pages, due to the IT CFS policy.
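
The policy logic that Tasks 1 through 7 exercise, as an added Python model that is not part of the original guide and not SonicWALL code. It assumes that a selected check box on the URL List tab means the category is blocked, that the category universe is limited to the categories this exercise names, and that salesuser, hruser and ituser belong to the Sales, HR and IT groups respectively; all function and variable names are hypothetical.

```python
from dataclasses import dataclass

# Constructed category universe: only the categories named in this exercise.
CATEGORIES = frozenset({
    "Gambling", "Arts/Entertainment", "Business and Economy", "Education",
    "Online Banking", "Information Technology/Computers", "News and Media",
    "Real Estate", "Travel", "Job Search",
})


@dataclass(frozen=True)
class CfsPolicy:
    name: str
    blocked: frozenset  # categories whose check box is selected (blocked)


def policy_from_checkboxes(name, select_all, cleared=()):
    """Mirror the URL List tab: optionally select every category,
    then clear individual check boxes to allow those categories."""
    unknown = set(cleared) - CATEGORIES
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    selected = set(CATEGORIES) if select_all else set()
    return CfsPolicy(name, frozenset(selected - set(cleared)))


# Task 3: Default policy with Select all Categories selected (block all).
DEFAULT = policy_from_checkboxes("Default", select_all=True)
# Task 1: HR policy, all selected, then nine categories cleared (allowed).
HR = policy_from_checkboxes("HR CFS Policy", select_all=True, cleared=[
    "Gambling", "Arts/Entertainment", "Business and Economy", "Education",
    "Online Banking", "Information Technology/Computers", "News and Media",
    "Real Estate", "Travel",
])
# Task 2: IT policy with Select all Categories cleared (nothing blocked).
IT = policy_from_checkboxes("IT CFS Policy", select_all=False)

# Task 4: policies assigned to imported LDAP groups.
GROUP_POLICY = {"HR": HR, "IT": IT}
# Assumed group memberships for the three test accounts.
USER_GROUPS = {"salesuser": ["Sales"], "hruser": ["HR"], "ituser": ["IT"]}
# Site categories as the guide reports them in Task 7.
SITE_CATEGORY = {
    "www.microsoft.com": "Information Technology/Computers",
    "www.bankofamerica.com": "Online Banking",
    "www.hotjobs.com": "Job Search",
}


def effective_policy(user):
    """Return the policy of the user's group, or Default when no group
    carries one. Users in several policy-bearing groups are rejected,
    because the exercise does not define that case."""
    policies = {GROUP_POLICY[g] for g in USER_GROUPS.get(user, ())
                if g in GROUP_POLICY}
    if not policies:
        return DEFAULT
    if len(policies) > 1:
        raise ValueError(f"{user}: more than one CFS policy applies")
    return next(iter(policies))


def is_accessible(user, site):
    """True when the site's category is not blocked for this user."""
    return SITE_CATEGORY[site] not in effective_policy(user).blocked


def validation_matrix():
    """Expected contents of the Task 7 'Accessible?' column."""
    return {user: {site: is_accessible(user, site) for site in SITE_CATEGORY}
            for user in USER_GROUPS}


if __name__ == "__main__":
    for user, sites in validation_matrix().items():
        for site, ok in sites.items():
            print(f"{user:10} {site:24} {'Yes' if ok else 'No'}")
```
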

Exercise 4.7 - CFS with LDAP Authentication Using Single Sign-On


EchoFloor would like to allow users to connect to Internet resources without having to enter their user
credentials in the Web browser.
You will not work with a partner in this exercise. Each student should apply all settings in Tasks 1 - 4 to
their workstation environment.

Tasks

1. Installing the SonicWALL SSO Agent
2. Configuring the SonicWALL for Single Sign-On
3. Validating LDAP Authentication using Single Sign-On
4. Disabling the SSO Agent

CHALLENGE YOURSELF TASK 1: Installing the Dell SonicWALL SSO Agent

In the Coffee VMware image, install and configure the Dell SonicWALL SSO agent located in the Desktop\Shared\Common Software\SonicWALL\SSO Agent folder.

Username                                     administrator
Password                                     training
Domain Name                                  training.sonicwall.com
Dell SonicWALL Appliance IP                  172.20.__.1 (your number)
Dell SonicWALL Appliance Port                2258
Shared Key                                   1234567890
Launch Dell SonicWALL Directory Connector    Yes (selected)

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. Log into the Coffee VMware image as administrator.
2. On the Coffee VMware image, open the \\Desktop\Shared\Common Software\SonicWALL\SSO Agent folder.
3. Double-click SonicWALL Directory Connector (32-Bit) 3.1.7.exe.
4. If an Open File - Security Warning dialog box pops up, click Run.
5. Click Next.
6. Accept the License Agreement, and then click Next.
7. On the Customer Information page, leave the default settings and click Next three times.

8. Click Install.

The SonicWALL Directory Connector service User Configuration dialog box appears.

9. In the Username box, type:
administrator
10. In the Password box, type:
training
11. In the Domain Name box, type:
training.sonicwall.com
12. Click Next.

The Default SSO Agent Dell SonicWALL Appliance Configuration dialog box appears.

13. In the SonicWALL Appliance IP box, type:
172.20.__.1 (your number)
14. In the SonicWALL Appliance Port box, type:
2258

15. In the Shared Key box, type:


1234567890
16. Click Next.
17. Select the Launch SonicWALL Directory Connector check box.
18. Click Finish.

A Dell SonicWALL SSO Agent Configurator dialog box appears, because the Dell SonicWALL SSO Agent service is not running.

19. Click No.
20. Click OK.
21. Close the Directory Connector Configurator and the SSO Agent folder.

CHALLENGE YOURSELF TASK 2: Configuring the Dell SonicWALL Appliance for Single Sign-On

Configure the appliance to use single sign-on (SSO), and then test the connection.

Name or IP Address        172.20.__.101 (your number)
Port Number               2258
Shared Key                1234567890
Workstation IP address    172.20.__.101 (your number)

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the management workstation, from the left navigation menu, go to Users > Settings.
2. From the Single-sign-on method drop-down list, select SonicWALL SSO Agent.
3. Click Configure. The Base Dialog -- Webpage Dialog window appears.
4. Click No.

The SonicWALL SSO Agent Authentication Configuration window appears.

5. Click Add.

6. In the Name or IP Address box, type:
    172.20.__.101 (your number)
7. Leave the Port Number set to 2258.
8. In the Shared Key and Confirm Shared Key boxes, type:
    1234567890
9. Click the Test tab.
10. Leave the Check agent connectivity option selected, and then click Test.

The Test Status field will display Awaiting reply from authentication agent. After a few seconds, the field will display Agent is ready.

11. Select the Check user option.
12. In the Workstation IP address box, type:
    172.20.__.101

13. Click Test.

The Test Status field displays User name: TRAINING01/Administrator.

14. Click OK.

CHALLENGE YOURSELF TASK 3: Validating LDAP Authentication using Single Sign-On

Validate both LDAP authentication using single sign-on (SSO) and the CFS policies by using the Coffee VMware image to attempt connection to www.microsoft.com, www.bankofamerica.com and www.hotjobs.com using user accounts. Document whether the user is able to access each site.

User      Website                  Accessible?
hruser    www.microsoft.com
          www.bankofamerica.com

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. On the Coffee VMware image, go to Start > Log Off administrator.
2. Click Log off.
3. In the Welcome to Windows dialog box, press the Ctrl + Alt + Insert keyboard combination.
4. In the User name box, type:
    hruser
5. In the Password box, type:
    training
6. Click OK.
7. Open Internet Explorer.

8. Go to http://www.microsoft.com.
9. If you receive the Microsoft Phishing Filter dialog box, select the Turn
off automatic Phishing Filter option, and then select OK.

Note that hruser is not blocked from viewing Web pages with the category Information Technologies/Computers.

10. In Internet Explorer, go to http://www.bankofamerica.com.

Note that hruser is not blocked from viewing Web pages with the category Online Banking.

11. Close Internet Explorer, and then go to Start > Log off.
12. Click Log Off.

CHALLENGE YOURSELF TASK 4: Disabling the SSO Agent


Disable the SSO agent on the Dell SonicWALL appliance and the VMware Coffee image.

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. From the SonicOS interface, browse to the Users > Settings page.
2. From the Single-sign-on method drop-down list, select None.
3. From the Users > Status page, log out hruser by clicking the logout button.
4. Click Accept.
5. On the Coffee VMware image, go to Start > Programs > Administrative Tools > Services.
6. Scroll down to the SonicWALL SSO Agent service.
7. Right-click SonicWALL SSO Agent, and then click Stop.

8. Close the Services window.



Hands-On Exercises - Exercise 5.1 - Unified Threat Management

Hands-On Exercises for Section 5: Unified Threat Management


Exercise 5.1 - Unified Threat Management
Hands-On Exercises
EchoFloor Manufacturing needs protection from various intrusive methods, including malware, spyware,
viruses, and application vulnerabilities, such as Instant Messaging clients—all with zero-day protection.
You will not work with a partner in this exercise. Each student should apply all settings in Tasks 1 - 4 to
their workstation environment.

Tasks
1. Configuring the Gateway Anti-Virus Service
2. Configuring the Intrusion Prevention Service
3. Configuring the Anti-Spyware Service
4. Validating the Unified Threat Management Services

CHALLENGE YOURSELF TASK 1: Configuring the Gateway Anti-Virus Service

Set up the Dell SonicWALL appliance to use the Gateway Anti-Virus (GAV) service.

Enable Gateway Anti-Virus                Yes (selected)
Enable Inbound Inspection                HTTP, FTP, IMAP, SMTP, POP3, CIFS/Netbios, and TCP Stream
Disable detection of EICAR test virus    No (cleared)

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS


1. From the left navigation menu, go to Security Services > Gateway Anti-Virus.
2. In the Gateway Anti-Virus Global Settings section, select the Enable Gateway Anti-Virus check box.
3. In the Enable Inbound Inspection row, select the HTTP, FTP, IMAP, SMTP, POP3, CIFS/Netbios, and TCP Stream check boxes.
4. Click Accept.
5. Click Configure Gateway AV Settings. The Gateway AV Config View window appears.
6. Clear the Disable detection of EICAR test virus check box.
7. Click OK.

CHALLENGE YOURSELF TASK 2: Configuring the Intrusion Prevention Service


Enable and configure the Dell SonicWALL appliance to use the Intrusion Prevention Service (IPS).
Disable the use of any IM programs.

Enable IPS                 Yes (selected)
High Priority Attacks      Prevent All, Detect All
Medium Priority Attacks    Prevent All, Detect All
Low Priority Attacks       Detect All
Prevention                 Enable
Detection                  Enable

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Security Services > Intrusion Prevention.
2. In the IPS Global Settings section, select the Enable IPS check box.
3. For High Priority Attacks, select the Prevent All and Detect All check boxes.
4. For Medium Priority Attacks, select the Prevent All and Detect All check boxes.
5. For Low Priority Attacks, select the Detect All check box.
6. At the top of this page, click Accept.

CHALLENGE YOURSELF TASK 3: Configuring the Anti-Spyware Service


Enable and configure the Dell SonicWALL appliance to use the Anti-Spyware service.

Enable Anti-Spyware            Yes (selected)
High Danger Level Spyware      Prevent All, Detect All
Medium Danger Level Spyware    Prevent All, Detect All
Low Danger Level Spyware       Detect All

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. From the left navigation menu, go to Security Services > Anti-Spyware.
2. In the Anti-Spyware Global Settings section, select the Enable Anti-Spyware check box.
3. For High Danger Level Spyware, select the Prevent All and Detect All check boxes.
4. For Medium Danger Level Spyware, select the Prevent All and Detect All check boxes.
5. For Low Danger Level Spyware, select the Detect All check box.
6. Click Accept.

CHALLENGE YOURSELF TASK 4: Validating the Unified Threat Management Services


Validate the Unified Threat Management service by using the Coffee VMware image to connect to www.eicar.org and clicking to download the Anti-Malware Test file. If you have a user account for Windows Live Messenger or Yahoo Messenger, attempt to log into Instant Messenger (IM).

(OR) DETAILED STEP-BY-STEP INSTRUCTIONS

1. On the Coffee VMware image, open Internet Explorer.
2. Go to http://www.eicar.org. An Authentication Required page appears.
3. Click the Click here to log in link.
4. Click Continue to this website (not recommended).
5. On the Network Security Login page, in the Username box, type:
    ituser
6. In the Password box, type:
    training
7. Click Login.
8. Minimize the User Login Status window.
9. In Internet Explorer, go to http://www.eicar.org.
10. On the eicar Web page, click the Anti-Malware Testfile link.

You may receive an Internet Explorer cannot display the webpage error. If that occurs, click the Go back to the previous page link.

11. In SonicOS, browse to Log > View, and notice the virus alert.


Student Notes:
