Sonicwall and Kiwi Syslog 9.4.1


I could not get my Sonicwall NSA2400 to log to a syslog server. I used the Kiwi 9.4.1 free version and no matter what I did it would not log the messages. I followed the steps in the following article with no luck:

http://www.kiwisyslog.com/help/syslog/index.html?configure_sonicwall.htm

I ended up having to put the IP address of the device in the input tab, and it finally started capturing. I don’t remember having to do that in the past. Hope this saves someone some time.

[Screenshot: sonicwallKiwi]
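When the syslog server’s input filter is the suspect, it helps to rule out everything upstream first. The script below is an added example, not part of the original post or of Kiwi, that binds a bare UDP socket on 0.0.0.0:514 and parses whatever arrives, splitting the `<PRI>` header into facility and severity and pulling out the Sonicwall-style key=value body. If nothing arrives here, the problem is the Sonicwall’s syslog settings, a host firewall or routing, not Kiwi. The sample line is constructed to resemble a SonicOS message and is not a capture from a device; the serial number is a placeholder.

```python
import re
import socket
from dataclasses import dataclass, field

# Constructed sample: BSD-syslog (RFC 3164) framing as sent over UDP/514 with a
# key=value body in the Sonicwall style. Not captured from a real device.
SAMPLE_LINE = (
    '<134>Jan 10 12:34:56 192.168.1.1 id=firewall sn=SERIAL_PLACEHOLDER '
    'time="2012-01-10 12:34:56" fw=198.51.100.2 pri=6 c=1024 m=537 '
    'msg="Connection Closed" n=42 src=192.168.1.50:51234:X0 dst=198.51.100.9:443:X1'
)

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    body: str
    fields: dict = field(default_factory=dict)


def parse_syslog(line: str) -> SyslogMessage:
    """Split the <PRI> header and collect the key=value pairs of the body."""
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError("no <PRI> header: not a syslog datagram")
    pri = int(m.group(1))
    facility = FACILITIES.get(pri // 8, f"facility{pri // 8}")
    severity = SEVERITIES[pri % 8]
    body = m.group(2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return SyslogMessage(facility, severity, body, fields)


def listen(bind_addr="0.0.0.0", port=514, count=1, timeout=60.0):
    """Bind a plain UDP socket and return the first `count` datagrams, parsed.

    Binding 0.0.0.0 accepts from any sender, so an empty result means the
    messages never reach this host. Port 514 needs root; use a high port and
    point the Sonicwall at it temporarily if that is easier.
    """
    out = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        while len(out) < count:
            data, (src, _) = sock.recvfrom(65535)
            out.append((src, parse_syslog(data.decode("utf-8", errors="replace"))))
    return out


if __name__ == "__main__":
    msg = parse_syslog(SAMPLE_LINE)
    print(msg.facility, msg.severity, msg.fields.get("msg"))
    # Uncomment to wait for one real datagram from the Sonicwall:
    # print(listen(count=1))
```

The source address printed for a received datagram is the value the input tab needs if the server insists on a per-device filter.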

Sonicpoint Becomes Unresponsive


I have a Sonicpoint N using PoE (not sure if this matters). The problem is that everything works OK for about a day but then it becomes unresponsive. In order to get it back to a working condition I would have to unplug the power (Ethernet) and then plug it back in. Apparently there are a lot of people who have had this problem, as evidenced by this post. According to the post the solution is to set the Radio Band to “Standard – 20MHz Channel”. I’ve had it working for 2 weeks now with no problem.

Here are the steps to get to the Radio Band setting on a Sonicwall NSA240:

1. Log into your Sonicwall (not your Sonicpoint).
2. On the left hand side, expand Sonicpoint.
3. Select Sonicpoints.
4. Under Sonicpoint Provisioning Profiles, on the right hand side click “Configure”.
5. Choose the 802.11n Radio tab.
6. Next to Radio Band select “Standard – 20MHz Channel”.
7. Click OK at the bottom.

That should be it. Hope this keeps you from smashing the Sonicpoint against the wall like I was going to do!

Sonicpoint Setup To Access From WLAN Zone to LAN


I purchased a Sonicpoint NE to hook up to my Sonicwall NSA240. What I like about these is the central configuration. What I don’t like about them is that you cannot just attach one to your Sonicwall and expect to access your LAN after connecting it to an interface. As I understand it, Sonicpoints are meant to be set up so you can get Internet access, but for local LAN access you would need to use a VPN connection. This is not always ideal for all setups, but it is probably the most secure. Here’s a quick writeup on how to get your Sonicpoint WLAN network to communicate with your LAN without having to VPN in. You should always make sure that this conforms to your company’s security policies for wireless access, because they may need to comply with the Payment Card Industry standards for security or some other policy. For this writeup, my LAN is on the X0 interface, which is 192.168.1.1, and I am placing my Sonicpoint on the X8 interface.

NOTE: This might knock your existing users off of the wireless, so please make sure that no one is using the device before you perform these steps.

Initial Setup

  1. Plug your Sonicpoint into your desired port. I plugged mine into X8. Then make sure that the Sonicwall recognizes it by going to the Sonicpoint section of the Sonicwall menu and looking under the SonicpointN’s section (or the Sonicpoints section if you don’t have an N device). If it doesn’t recognize it, you may need to upgrade the firmware on the Sonicwall. Sometimes when a Sonicwall gets shipped to you it’s running really old firmware and needs to be upgraded to recognize newer devices.
  2. Configure the provisioning profile so you can apply it to all of the Sonicpoints you will place in this zone. There are two of these, one for Wireless N and one for A/G.
    1. On the “Settings” tab, name it and check the box to “Enable Sonicpoint”.
    2. On the “802.11n Radio” tab (if you’re using an N device), set all your security settings including SSID and password; for this I’m using WPA2 Personal – PSK with AES. (You can also use EAP if you would like to configure this with a RADIUS server or Windows IAS.)

Setup to Allow Access From WLAN Zone to LAN

  1. Log in to your Sonicwall, then in the address bar change the address from https://192.168.1.1/main.html to https://192.168.1.1/diag.html
  2. Click “Internal Settings” on the left hand side of the page.
  3. About 3/4 of the way down the page you will see the “Wireless Settings” section. Under that, check the setting that says “Enable Local Wireless Zone Traffic To Bypass Gateway Firewalling”, then click “Accept” and go back to main.html by clicking Close.
  4. Under Network go to “Zones”.
    1. Under the General tab make sure that “Allow Interface Trust” is checked.
    2. Under the Wireless tab, uncheck “Only allow traffic generated by a Sonicpoint/SonicpointN” and check “Enforce local wireless zone traffic to bypass gateway firewalling”, then click OK.
    3. Now go to the interface you plugged the Sonicpoint into; in my case I will configure X8.
      1. Change the Zone to “WLAN”.
      2. Change the IP Assignment to “Layer 2 Bridged Mode”.
      3. Change “Bridged To” to “X0” or whatever your LAN is.

That should be it. This should allow you to connect to your Sonicpoint and access your local LAN resources.

Here’s some other info.

This person allows access to LAN and has pictures:

http://briandagan.com/fix-configuring-sonicpoint-aps-on-a-sonicwall

Workaround for when you cannot connect the Sonicpoint directly to a port on the Sonicwall:

http://www.brandontek.com/networking/solution-to-your-sonicpoint-wlan-woes/

Corporate VPN Setup for Guests and Employees

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5801

Solve Proxy Bypass Problems


I noticed that a lot of people were bypassing my proxy using Firefox Portable and other standalone browsers. I am using a proxy installed on a machine that is not directly attached to my default gateway, so I have clients pick up the proxy address from WPAD and lock down the proxy settings page in IE through Group Policy.

A simple solution to people bypassing your proxy is to put an entry in your firewall that only allows HTTP and HTTPS traffic originating from your proxy server. If you’re not administering a very large network this is ideal. Another advantage is that, since it is not specific to Firefox, it will catch any browser that users throw at it and force them to put in proxy settings to use the internet. This also solves the problem of users trying to get around the proxy by modifying their “auto detect proxy” settings: Group Policy cannot lock down the proxy editing page of every browser, and people always find clever ways to install the multitude of internet browsers out there, but with this rule in place they can no longer bypass the proxy simply by turning the “auto detect proxy” setting off. Here’s what the entries look like in a Sonicwall router to allow only HTTP/HTTPS traffic that comes from your proxy (the proxy server in this example is called flserver4):

[Screenshot: bypassproxy]

Once you have a rule like the above set up, you can add a few exceptions for your servers, etc. by placing an “allow” for those addresses with a lower priority number than the deny, so it is processed first. In the example above, I created an Address Group and can add IP addresses/hosts to it whenever I need. I would put an allow entry in where the source is my server IP, the destination is ANY, and the service is HTTP/HTTPS, at a priority of 17/18, which would process before the deny. To make it easier you can create a Service Group containing both the HTTP and HTTPS ports so you don’t have to put every exception in twice, as well as an Address Group to contain the hosts you would like to allow, so you do not have to create an entry for every IP address.
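The rule ordering in the paragraph above is the whole trick: the allow entries for the proxy and the server group must sit above the deny or they never match. The Python below is an added example, not Sonicwall code, that models a LAN-to-WAN rule table as first-match evaluation in priority order and flags rules that an earlier rule shadows. The proxy’s address (standing in for flserver4), the members of the allowed-servers Address Group and the destination used in the sample traffic are constructed; the 17/18/19 priorities follow the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int        # position in the rule table; the lowest number is checked first
    action: str          # "allow" or "deny"
    sources: tuple       # source address objects as CIDR strings (a group is just several)
    destination: str     # destination CIDR; "0.0.0.0/0" stands for ANY
    services: frozenset  # destination TCP ports in the service object or group


ANY = "0.0.0.0/0"
HTTP_HTTPS = frozenset({80, 443})  # the page's HTTP/HTTPS service group

# Constructed address objects. The page names the proxy "flserver4"; its
# address and the members of the allowed-servers group are assumptions.
PROXY_FLSERVER4 = "192.168.1.4/32"
ALLOWED_SERVERS_GROUP = ("192.168.1.10/32", "192.168.1.11/32")
LAN_SUBNET = "192.168.1.0/24"

# Priorities follow the page: the allows at 17/18 process before the deny at 19.
POLICY = [
    Rule(17, "allow", (PROXY_FLSERVER4,), ANY, HTTP_HTTPS),
    Rule(18, "allow", ALLOWED_SERVERS_GROUP, ANY, HTTP_HTTPS),
    Rule(19, "deny", (LAN_SUBNET,), ANY, HTTP_HTTPS),
]


def evaluate(policy, src_ip, dst_ip, dst_port, default_action="allow"):
    """First-match evaluation in priority order, like the LAN->WAN rule table.

    Returns (action, matched_priority). A packet no rule covers falls through
    to the zone default, which for LAN->WAN is allow.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(policy, key=lambda r: r.priority):
        if dst_port not in rule.services:
            continue
        if dst not in ipaddress.ip_network(rule.destination):
            continue
        if any(src in ipaddress.ip_network(net) for net in rule.sources):
            return rule.action, rule.priority
    return default_action, None


def shadowed_rules(policy):
    """Priorities of rules that can never match: an earlier rule already covers
    all of their services, their destination and every one of their sources."""
    ordered = sorted(policy, key=lambda r: r.priority)
    hidden = []
    for i, later in enumerate(ordered):
        later_dst = ipaddress.ip_network(later.destination)
        for earlier in ordered[:i]:
            earlier_nets = [ipaddress.ip_network(e) for e in earlier.sources]
            if (earlier.services >= later.services
                    and later_dst.subnet_of(ipaddress.ip_network(earlier.destination))
                    and all(any(ipaddress.ip_network(s).subnet_of(e) for e in earlier_nets)
                            for s in later.sources)):
                hidden.append(later.priority)
                break
    return hidden


if __name__ == "__main__":
    # A portable browser on a workstation going straight to a web server on 443.
    print(evaluate(POLICY, "192.168.1.77", "203.0.113.10", 443))
    print("shadowed:", shadowed_rules(POLICY))
```

Running `shadowed_rules` on a table where the deny was accidentally placed above the allows reports the allows as dead, which is the symptom (proxy itself blocked) you would otherwise discover from user complaints.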

Obviously, the best way to use a proxy is to use two NICs and place the server/device in front of your router, or use a content filtering solution installed on the router itself, since all traffic leaving must go through this server/device to get out. Sonicwall has one, and Cisco has one on a certain series of routers. However, if you have a proxy working on a standalone server that is not installed in front of your gateway so that all traffic has to pass through it, then the above solution should suffice. Everyone out there has a different setup, so this will help when you do not have the luxury of that type of setup.

There is also an ADM template out there that allows you to configure Firefox through Windows Group Policy; however, since Firefox standalone is not actually installed on the machine and does not contain registry entries, I’m not sure that this will work, so you might want to investigate that. Another person has a great writeup on how to create your own. If you need to enforce more than just proxy settings then you should take a look at it:

http://ilias.ca/blog/2005/03/locking-mozilla-firefox-settings/

Here’s another writeup I had on autoconfiguration setup a little while ago that addresses how to set it up and contains links at the bottom on troubleshooting and concerns with using wpad.

Sonicwall Site-To-Site VPN Setup


Setting up a site-to-site VPN is pretty simple in Sonicwall. Whether you have a dynamic IP connecting to a static IP, or two static IPs, it’s pretty simple to set up and you can have it up and running in no time. It’s as reliable as your internet connection and allows for quick failover to a backup IP address if one should go down. Here’s a quick write-up that will show you how to do it whether you have two static addresses or one static and one dynamic address. Two dynamic IPs might require you to use Dynamic DNS or some other tool that automatically updates your IP address with a DNS server to make it appear static. For this write-up, I am connecting a TZ100 router to an NSA240 router.

Quick Note: For a dynamic IP to static IP  site-to-site configuration,  use 0.0.0.0 as the “IPSec Primary Gateway Name or Address” on the static side because obviously the dynamic address will change.

1. To start, on both Sonicwalls: log in to the Sonicwall, go to the VPN Settings page and write down each router’s Unique Firewall Identifier. Let’s call the routers Sonicwall1 and Sonicwall2 to keep things simple. For this writeup I’ve also kept it simple and used Unique IDs of 000000000001 and 000000000002, and IP addresses of 1.1.1.1 for Sonicwall1 and 2.2.2.2 for Sonicwall2, so we know which one we’re talking about. We will need these in a little bit. By default I believe this is the MAC address of your Sonicwall. You might want to change it to something more secure; if not, then leave it as the MAC address.

2. Now on Sonicwall1, click VPN Settings again and click Add under VPN Policies.

3. Now we enter our information on the General tab.

a. For the authentication method use “IKE using Preshared Secret”. For the name put whatever you want; I put ConnectionToSonicwall2.

b. Set the IPSec Primary Gateway Name or Address to that of Sonicwall2. If your Sonicwall2 has a dynamic address instead of a static address then enter 0.0.0.0 as the IP address.

c. The IPSec Secondary Gateway is the backup route to your Sonicwall2. This would be used if you had two WAN connections on Sonicwall2: if one of them went down it would automatically switch to the other line until the primary becomes available again.

d. Enter your shared secret and then confirm it. This should be a pretty random set of numbers, letters, special characters, etc. Write it down for now since you will need it when configuring Sonicwall2.

e. For the Local IKE ID, in the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall1 (the one you’re currently on).

f. For the Peer IKE ID, in the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall2. Here’s a screenshot:

4. On the Network tab:

a. Under Local Networks select “Choose local network from list” and pick “LAN Subnets” if you would like the remote Sonicwall to access whatever is on your local network.

b. Under Destination Networks select “Choose destination network from list”, where I add the Sonicwall2 network (2.2.2.0) by clicking “Create New Address Object” and entering the appropriate info. Here’s a screenshot of what I put for network 2:

5. On the Proposals tab, change the Exchange to “Aggressive Mode”. I changed the encryption to AES-256, although you can leave it at its default of 3DES. Everything else I left at the defaults. Here’s what it looks like:

6. On the “Advanced” tab I checked “Enable Keep Alive” and “Enable Windows Networking (NetBIOS) Broadcast” and left everything else at the defaults. Click OK when you’re done.

7. Now we go to Sonicwall2 and basically enter the same settings reversed. So log in to Sonicwall2, go to the VPN Settings page and click Add under VPN Policies.

8. Now we enter our information on the General tab.

a. For the authentication method use “IKE using Preshared Secret”. For the name put whatever you want; I put ConnectionToSonicwall1.

b. Set the IPSec Primary Gateway Name or Address to that of Sonicwall1. If your Sonicwall1 has a dynamic address instead of a static address then enter 0.0.0.0 as the IP address. My Sonicwall1 has a static address of 1.1.1.1, so enter that here.

c. The IPSec Secondary Gateway is the backup route to your Sonicwall1. This would be used if you had two WAN connections on Sonicwall1: if one of them went down it would automatically switch to the other line until the primary becomes available again. So if I had a failover on Sonicwall1 of 3.3.3.3 then I would enter it here.

d. Enter the shared secret that you entered when configuring Sonicwall1.

e. For the Local IKE ID, in the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall2 (the one you’re currently on).

f. For the Peer IKE ID, in the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall1 that you copied earlier. Here’s a screenshot:

9. On the Network tab:

a. Under Local Networks select “Choose local network from list” and pick “LAN Subnets” if you would like the remote Sonicwall to access whatever is on your local network.

b. Under Destination Networks select “Choose destination network from list”, where I add the Sonicwall2 network (2.2.2.0) by clicking “Create New Address Object” and entering the appropriate info. Here’s a screenshot of what I put for network 2:

10. On the Proposals tab, change the Exchange to “Aggressive Mode”. I changed the encryption to AES-256, although you can leave it at its default of 3DES. Everything else I left at the defaults. Here’s what it looks like:

11. On the “Advanced” tab I checked “Enable Keep Alive” and “Enable Windows Networking (NetBIOS) Broadcast” and left everything else at the defaults. Click OK when you’re done.

That should be it. To see if it connected correctly, go back to the VPN Settings page and check: there will be a green light to the right of the gateway under VPN Policies. If it does not connect then you may want to go to the Logs menu and under the filter category select VPN IKE to see only your VPN traffic. On both routers the log will give you the reason it is not connecting, which can be cryptic. However, there is plenty of info on the errors you may receive if you Google them. Before pulling your hair out, go back and double check your settings to make sure that they match in areas like IP address, preshared secrets, Sonicwall Identifiers, and the Proposals tab. Also make sure that “Enable VPN” is checked on the VPN Settings page and that “Enable” is checked next to your VPN policy, or else it will not try to connect.
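Step 7 says the second policy is “the same settings reversed”, and the closing paragraph lists what to compare when the tunnel will not come up. The checker below is an added example (not Sonicwall code or a SonicOS export) that writes the page’s two routers down as plain dictionaries and reports every place the two policies fail to mirror each other: primary gateway versus the peer’s WAN address (or 0.0.0.0 for a dynamic peer, which then needs Aggressive Mode so the peer is matched by IKE ID), Local and Peer IKE IDs versus each router’s Unique Firewall Identifier, destination network versus the peer’s LAN, the policy being enabled, and preshared secret, exchange and encryption agreeing on both sides. The unique IDs, WAN addresses and the 2.2.2.0 network come from the page; the 1.1.1.0/24 LAN behind Sonicwall1, the preshared secret and the field names are assumptions made to complete the example.

```python
import copy
import ipaddress
import string

DYNAMIC_PEER = "0.0.0.0"  # the page's value for a peer whose address changes

# Constructed descriptions of the page's two routers. A wan_ip of None means the
# router has a dynamic address. The preshared secret is an invented sample.
SONICWALL1 = {
    "unique_id": "000000000001",
    "wan_ip": "1.1.1.1",
    "lan": "1.1.1.0/24",  # assumption: the LAN behind Sonicwall1
    "policy": {
        "name": "ConnectionToSonicwall2",
        "auth": "IKE using Preshared Secret",
        "primary_gateway": "2.2.2.2",
        "psk": "Tq7#v9Lm!x2Rz@8Wp$4Kd^1Hs",
        "local_ike_id": "000000000001",
        "peer_ike_id": "000000000002",
        "destination": "2.2.2.0/24",
        "exchange": "Aggressive Mode",
        "encryption": "AES-256",
        "enabled": True,
    },
}
SONICWALL2 = {
    "unique_id": "000000000002",
    "wan_ip": "2.2.2.2",
    "lan": "2.2.2.0/24",
    "policy": {
        "name": "ConnectionToSonicwall1",
        "auth": "IKE using Preshared Secret",
        "primary_gateway": "1.1.1.1",
        "psk": "Tq7#v9Lm!x2Rz@8Wp$4Kd^1Hs",
        "local_ike_id": "000000000002",
        "peer_ike_id": "000000000001",
        "destination": "1.1.1.0/24",  # step 7: the same settings reversed
        "exchange": "Aggressive Mode",
        "encryption": "AES-256",
        "enabled": True,
    },
}

LABELS = {"psk": "preshared secret", "auth": "authentication method",
          "exchange": "exchange mode", "encryption": "encryption"}


def variant(site, **changes):
    """Deep-copy a site and override top-level or policy fields for what-ifs."""
    site = copy.deepcopy(site)
    for key, value in changes.items():
        target = site["policy"] if key in site["policy"] else site
        target[key] = value
    return site


def psk_warnings(psk):
    """Step 3d asks for a random mix of numbers, letters and special characters."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    mixed = sum(any(ch in cls for ch in psk) for cls in classes)
    if len(psk) < 20 or mixed < 3:
        return ["preshared secret is short or not mixed enough (aim for 20+ random characters of several kinds)"]
    return []


def check_pair(a, b, names=("Sonicwall1", "Sonicwall2")):
    """Return (errors, warnings) for two policies that should mirror each other."""
    errors, warnings = [], []
    for mine, peer, label in ((a, b, names[0]), (b, a, names[1])):
        p = mine["policy"]
        expected_gw = peer["wan_ip"] or DYNAMIC_PEER
        if p["primary_gateway"] != expected_gw:
            errors.append(f"{label}: primary gateway {p['primary_gateway']} should be {expected_gw}")
        if peer["wan_ip"] is None and p["exchange"] != "Aggressive Mode":
            errors.append(f"{label}: a dynamic peer (0.0.0.0) needs Aggressive Mode so it is matched by IKE ID")
        if p["local_ike_id"] != mine["unique_id"]:
            errors.append(f"{label}: local IKE ID is not its own unique firewall ID")
        if p["peer_ike_id"] != peer["unique_id"]:
            errors.append(f"{label}: peer IKE ID is not the other router's unique firewall ID")
        if ipaddress.ip_network(p["destination"]) != ipaddress.ip_network(peer["lan"]):
            errors.append(f"{label}: destination network {p['destination']} is not the peer LAN {peer['lan']}")
        if not p["enabled"]:
            errors.append(f"{label}: policy is not enabled")
    for key, label in LABELS.items():
        if a["policy"][key] != b["policy"][key]:
            errors.append(f"{label} differs between the two sides")
    if a["policy"]["encryption"] == "3DES":
        warnings.append("3DES is the default; AES-256 is the stronger choice")
    warnings.extend(psk_warnings(a["policy"]["psk"]))
    return errors, warnings


if __name__ == "__main__":
    print(check_pair(SONICWALL1, SONICWALL2))
    print(check_pair(SONICWALL1, variant(SONICWALL2, destination="2.2.2.0/24")))
```

Feeding it a Sonicwall2 policy whose destination is still 2.2.2.0 (its own network rather than Sonicwall1’s) is reported as a destination mismatch, which is the kind of copy-and-paste slip the closing paragraph tells you to look for.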

Android to Sonicwall VPN


I was having trouble setting up my Motorola Droid with my Sonicwall VPN. The reason I couldn’t connect is that Android (for some reason unbeknownst to me) uses DES instead of 3DES for Phase 2 of the IPSec negotiation. DES is far less secure than 3DES, but for the purposes of getting the Droid connected we’ll just ignore that fact. My setup is a Motorola Droid running Android 2.2.1 (FRG83D) and I am connecting to a Sonicwall NSA240 with firmware SonicOS Enhanced 5.1.1.1-18o. Here are some step by step instructions:

UPDATE 12/30/11: I have this working on my Sonicwall TZ100 Wireless-N router, with SonicOS Enhanced 5.6.0.11-61o and my Droid Bionic With Android 2.3.4. I’ve also added some additional instructions regarding setting up an L2TP Server that are necessary to get this to work.

1. On the Sonicwall go to the VPN Settings page (make sure “Enable VPN” is checked) and then click on the Edit button for the WAN GroupVPN.

2. On the General tab select “IKE using Preshared Secret”, and then enter your preshared secret.

3. On the Proposals tab make sure all your settings look like so:

4. On the Advanced tab make sure your settings look like the following:

5. On the Client tab make sure it looks like this:

6. Now, also under VPN, go to the L2TP Server. Make sure that “Enable L2TP Server” is checked.

7. Click the “Configure” button and put in your DNS servers and the IP address range that you would like to use. UPDATE: Please see the update below (step 11) for additional info on this.

8. Next go to the “Users” menu, click on “Local Users” and click on “Add User”. On the User Settings tab, enter the username/password combination you want to use.

9. On the Group tab make sure you have the following. I think you can leave off Sonicwall Administrators and Limited Administrators but I’m not sure, so for testing just leave them in, then remove them later and see if you can still connect and browse the network.

10. On the VPN Access page make sure you have “LAN Subnets” in the “Access List”, then click OK to finish.

UPDATE: 12/30/2011

11. Now that we have that done we also need to set up L2TP. To do this perform the following:

a. On the Sonicwall go to the VPN menu, then click on L2TP Server.

b. Check “Enable L2TP Server” and then click “Configure”.

c. The fields should look like this:

1. Keep Alive: 60

2. DNS Server 1 and 2: 208.67.222.222 (this is OpenDNS, but you can enter anything here)

3. WINS Server 1 and 2: not necessary unless you use them. Mine say 0.0.0.0

4. Click “Use the Local L2TP IP Pool”

5. For the Start IP and End IP you need to enter a subnet other than the subnet the Sonicwall is currently on. I actually put in a subnet that does not exist on my network. For instance, my network is 192.168.4.0, but I entered 192.168.5.101 as the start address and 192.168.5.110 as the end address. This has to do with L2TP needing to route traffic; I guess that’s why it cannot be on the same network.

6. User Group for L2TP users should be set to “Trusted Users” or whatever group you would like.
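Step 5 is the part that most often goes wrong: the pool has to live on a subnet the Sonicwall does not already use. The function below is an added example, not SonicOS code, that checks a proposed pool the way the page describes, using the page’s own values: the 192.168.4.0 LAN, the 192.168.5.101 to 192.168.5.110 pool and the OpenDNS resolver from step 2. It rejects a pool that overlaps the LAN, a reversed range and a 0.0.0.0 DNS entry (fine as filler for unused WINS fields, useless for DNS), and it reports how many clients the pool can serve at once.

```python
import ipaddress

# Values from the page's step 11c. Nothing here comes from a device export.
LAN_SUBNET = "192.168.4.0/24"
POOL_START, POOL_END = "192.168.5.101", "192.168.5.110"
DNS_SERVERS = ("208.67.222.222", "208.67.222.222")


def check_l2tp_pool(lan_cidr, start, end, dns_servers=()):
    """Return (issues, pool_size) for a proposed local L2TP IP pool.

    The pool must not overlap the LAN the Sonicwall is on (the page's rule),
    the range must be ordered, and the DNS entries handed to clients must be
    real addresses rather than the 0.0.0.0 filler used for unused WINS fields.
    """
    issues = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version or first.version != lan.version:
        return ["address family mismatch"], 0
    if first > last:
        return ["start address is after end address"], 0
    size = int(last) - int(first) + 1
    # summarize_address_range() turns start..end into CIDR blocks, so an overlap
    # with the LAN is caught even when only part of the pool falls inside it.
    if any(block.overlaps(lan) for block in ipaddress.summarize_address_range(first, last)):
        issues.append(f"pool {start}-{end} overlaps the LAN subnet {lan}")
    if not first.is_private:
        issues.append("pool is not in a private (RFC 1918) range")
    for dns in dns_servers:
        try:
            addr = ipaddress.ip_address(dns)
        except ValueError:
            issues.append(f"DNS server {dns!r} is not an IP address")
            continue
        if addr.is_unspecified:
            issues.append("DNS server is 0.0.0.0; clients would get no resolver")
    return issues, size


if __name__ == "__main__":
    print(check_l2tp_pool(LAN_SUBNET, POOL_START, POOL_END, DNS_SERVERS))
    # The same pool moved onto the LAN is what the page warns against:
    print(check_l2tp_pool(LAN_SUBNET, "192.168.4.101", "192.168.4.110", DNS_SERVERS))
```

The pool size matters for sizing: the page’s ten addresses mean at most ten simultaneous L2TP clients.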

UPDATE: 12/30/2011

Now for the DROID BIONIC Setup

1. Go to Settings, then Wireless & Networks, then VPN Setup

2. Click “Basic VPN”, Then Click “Add VPN”

3. Choose Add L2TP/IPSec PSK VPN

4. Set all your parameters like VPN Name, Server and Pre-shared key. Do not check Enable L2TP Secret, and I did not put in any DNS Search Domains.

5. Click on the VPN name that you just created, and it should ask you for your credentials. That should be it.

NOW FOR THE OG DROID SETUP. I DON’T HAVE SCREENSHOTS FOR THIS BECAUSE YOU NEED TO BE ROOTED IN ORDER TO TAKE THEM:

1. Go to your applications menu, click on “Settings”, then click on “Wireless & Network Settings”, then “VPN Settings”.

2. Click “Add VPN”

3. Choose “Add L2TP/IPSec PSK VPN”

4. Click “VPN Name” and enter a name.

5. Click VPN and enter the URL that points to your Sonicwall device, or enter the IP address of your Sonicwall device. If you don’t know your IP address and are behind the Sonicwall, go to the Settings tab and look at the WAN address. If you have a dynamic address, consider using a tool like Dynamic DNS, which keeps up with your changing IP address by using a tool installed on a computer on the same subnet as your Sonicwall.

6. Click “Set IPSec pre-shared key” and enter the key that you entered in Step 2 of the sonicwall setup.

7. Leave the rest of the fields empty and save the VPN.

8. Now click on the VPN that you just set up, enter the password you entered in step 8 of the Sonicwall setup, and it should connect. If it doesn’t, look at the logs and see if they say anything. If you don’t see anything in the logs then you might want to double check that you entered the correct IP address/URL in step 5 of the Droid setup. You can get back to edit the settings by long-pressing the VPN name.

What can you do now? To test whether it’s working, download a ping tool from the Android Market. I downloaded one called DNS and Ping. Then try to ping something on your network like a printer or a computer without a firewall. Another thing I use this for is Remote Desktop and VNC. A really good client that I use is called Xtralogic Remote Desktop Client. It does cost $18 or something like that, but the UX is great and it allows you to use your finger as the mouse and your keyboard like a regular keyboard, as well as having options for function keys and such. It is invaluable when you’re an admin and you get an emergency call with no computer. Here’s some more information on it: http://www.xtralogic.com/rdpclient.shtml

UPDATE 12/30/11 – Obviously now that I am on the Bionic I don’t have a keyboard. I will give some feedback on the Xtralogic program in the future when I install it.

There’s also a free VNC client out there that works pretty well, and there might be a few other free RDP clients or trials that you can use. I just haven’t looked at the Market in a while.

Another one called PocketCloud allows you to use a Google account and install a client on your computer to connect. This is OK for your home computer; I’m not sure how safe it is to use with servers. Enjoy.