SonicWall® SonicOS 6.5 Common Criteria Addendum · SonicWall SonicOS CC Addendum 2 Version Date...

SonicWall SonicOS CC Addendum 1

SonicWall® SonicOS 6.5 Common Criteria Addendum


Version Date Notes

1.0 January 2019 Initial Release

1.1 February 2019 Clarified content


Contents Product Administration ......................................................................................................................... 6

1.1. Enabling NDcPP Mode ...................................................................................................................... 6

1.2. System Restart .................................................................................................................................. 6

1.3. System Shutdown ............................................................................................................................. 7

1.4. Startup and Self-Testing .................................................................................................................... 7

1.5. Logging Out ....................................................................................................................................... 7

1.6. Setting System Time .......................................................................................................................... 7

1.7. Configuring Web UI ........................................................................................................................... 8

1.8. Zeroization ........................................................................................................................................ 8

Deployment Modes .............................................................................................................................. 9

2.1. IPS Sniffer (Promiscuous) Mode ....................................................................................................... 9

2.2. Wire (Inline) Mode ............................................................................................................................ 9

2.3. Management Mode ........................................................................................................................ 10

Configuring Settings for Managing Users ........................................................................................... 11

3.1. Users | Settings ............................................................................................................................... 11

3.2. Configuring User Authentication and Login Settings ...................................................................... 11

3.2.1. User Authentication Settings ...................................................................................................... 11

3.2.2. Configuring Administrator Lockout ............................................................................................. 12

3.2.3. Configuring Password Compliance ............................................................................................. 13

3.2.4. Adding Local Users ...................................................................................................................... 13

3.2.5. Editing Local Users ...................................................................................................................... 14

3.2.6. User Session Settings .................................................................................................................. 15

3.2.7. Pre‐Login Policy Banner .............................................................................................................. 15

IPSec VPN ............................................................................................................................................ 16

4.1. Configuring IKE/IPsec with a Manual Key ....................................................................................... 17

4.2. Configuring IKE/IPsec with a Third-Party Certificate ...................................................................... 18

4.3. Configuring Advanced VPN Settings ............................................................................................... 19

4.4. SPD creation .................................................................................................................................... 20

Managing Certificates ......................................................................................................................... 21

5.1. About Certificates ........................................................................................................................... 21

5.2. About the Certificates and Certificate Requests Table ................................................................... 21


5.3. About Certificate Details ................................................................................................................. 22

5.4. Importing Certificates ..................................................................................................................... 22

5.4.1. Importing a Local Certificate ....................................................................................................... 23

5.4.2. Importing a Certificate Authority Certificate .............................................................................. 23

5.4.3. Deleting a Certificate .................................................................................................................. 24

5.4.4. Generating a Certificate Signing Request ................................................................................... 24

5.4.5. Checking Certificate Expiration ................................................................................................... 28

5.4.6. Configuring Client Certificate Verification .................................................................................. 28

Firewall ................................................................................................................................................ 30

6.1. Firewall > Access Rules .................................................................................................................... 30

6.2. About Stateful Packet Inspection Default Access Rules ................................................................. 30

6.3. Configuring Access Rules for a Zone ............................................................................................... 31

6.3.1. Changing Priority ......................................................................................................................... 31

6.3.2. Adding Access Rules .................................................................................................................... 32

6.3.3. Configuring GeoIP Settings ......................................................................................................... 33

6.3.4. Editing an Access Rule ................................................................................................................. 34

6.3.5. Deleting a Custom Access Rule ................................................................................................... 35

6.3.6. Default Deny Rule ....................................................................................................................... 35

6.3.7. Reconnection .............................................................................................................................. 35

6.3.8. TCP Connections ......................................................................................................................... 35

Intrusion Protection ............................................................................................................................ 36

7.1. IPS Status ......................................................................................................................................... 36

7.2. IPS Global Settings .......................................................................................................................... 37

7.3. Resetting the IPS Settings and Policies ........................................................................................... 38

7.4. Configuring IPS Protection on Zones .............................................................................................. 39

7.5. Packet Dissection ............................................................................................................................ 39

7.6. Priority Menu .................................................................................................................................. 40

7.7. Matching String Objects .................................................................................................................. 40

Firmware ............................................................................................................................................. 41

8.1. Firmware Management .................................................................................................................. 41

8.2. Updating Firmware ......................................................................................................................... 41

Auditing ............................................................................................................................................... 43

9.1. Configuring Syslog Settings ............................................................................................................. 43


9.2. Syslog Settings ................................................................................................................................. 43

9.3. Adding a Syslog Server .................................................................................................................... 44

9.4. Audit Logs ........................................................................................................................................ 45


Product Administration

1.1. Enabling NDcPP Mode A SonicWall network security appliance can be enabled to be compliant with Network Device Protection

Profile (NDPP), but certain firewall configurations are either not allowed or are required.

The security objectives for a device that claims compliance to a Protection Profile are defined as follows:

Compliant TOEs (Targets Of Evaluation) will provide security functionality that address threats to

the TOE and implement policies that are imposed by law or regulation. The security functionality

provided includes protected communications to and between elements of the TOE;

administrative access to the TOE and its configuration capabilities; system monitoring for

detection of security relevant events; control of resource availability; and the ability to verify the

source of updates to the TOE.

You enable NDPP by selecting the Enable NDPP Mode option on the Settings window available from the

UPDATES | Firmware & Backups page. Once you do this, a popup message displays with the NDPP mode

setting compliance checklist. The checklist displays every setting in your current SonicOS configuration

that violates NDPP compliance so that you can change these settings. You need to navigate around the

SonicOS management interface to make the changes. The checklist for an appliance with factory default

settings is shown in the following procedure

To enable NDPP and see a list of which of your current configurations are not allowed or are not

present:

• Navigate to the Updates | Firmware & Backups page.

• Click the Settings button. The Settings window displays.

• Scroll down to the NDPP section.

1.2. System Restart The SonicWall Security Appliance can be restarted from the Web Management interface. To restart the

firewall:

• Go to the System > Restart page.

• Click Restart.


The firewall takes approximately 60 seconds to restart. During the restart time, all users are

disconnected and internet access is momentarily interrupted on the LAN.

1.3. System Shutdown To shutdown the system:

• Go to System > Restart.

• Click Shutdown System.

Shutting down the system disconnects all users and disrupts access to the firewall. To restart, you must

power cycle the system.

1.4. Startup and Self-Testing During system start up, SonicOS performs several self-tests, these self-tests include

• CPU test of the following (MMU, Memory, I/O ports, Interrupts, Timers)

• RAM memory corruption test

• Firmware integrity test

• AES-CBC Encrypt and Decrypt Known Answer Tests

• SHA-1, -256, -384, -512 Known Answer Tests

• HMAC-SHA-1, -256, -512 Known Answer Tests

• DSA Signature Verification Pairwise Consistency Test

• RSA Sign and Verify Known Answer Tests

• DH Pairwise Consistency Test

• DRBG Known Answer Test

• ECDSA Known Answer Test

• ECSDA Signature and Verification Known Answer Tests

If any of these tests fail, the product enters a hard error state which requires administrative

intervention. Errors are generally cleared by rebooting the product. However, if errors persist, contact

Fortinet.

1.5. Logging Out Occurs when the user actively ends the session by closing their Session Popup window or by using the

Logout button provided on the Session Popup window. The Session Popup window is the preferred

method for user logout; however, the same result can be achieved without this method by allowing the

session’s lifetime to expire. The latter removes the dependency on the Session Popup window, but

manages resources less efficiently. To log out of the CLI enter “logout”.

1.6. Setting System Time You set the system time in the System Time section of Appliance | Time.


To set the system time:

• Navigate to Appliance | Time.

• Select the time zone you are in from Time Zone.

• Clear Set time automatically using NTP. The Time and Date options become available.

• Select the time in the 24‐hour format using the Time (hh:mm:ss) drop‐down menus

• Select the date from the Date drop‐down menus.

1.7. Configuring Web UI SonicOS supports versions 1.0, 1.1, and 1.2 of the Transport Layer Security (TLS) protocol. You can

ensure that the more secure version 1.1 and above are used. To enforce use of TLS versions 1.1 and

above:

• In the Manage view, navigate to System Setup | Appliance | Base Settings | Web Management

Settings.

• Select Enforce TLS 1.1 and Above.

• Click Accept

1.8. Zeroization All keys and Critical Security Parameters (CSPs) may be zeroized by booting the system with a factory

default configuration. To perform this operation, select System | Settings in the GUI to display the

Firmware Management & Backups page. Click on Boot and then select Boot Current Firmware with

Factory Default Configuration.

There are no restrictions on which keys or CSPs are zeroized by booting with a factory default

configuration.


Deployment Modes The product supports multiple modes of operation. The following sections describe each.

2.1. IPS Sniffer (Promiscuous) Mode Supported on SonicWall Security Appliances, IPS Sniffer Mode is a variation of Layer 2 Bridged Mode

that is used for intrusion detection. IPS Sniffer Mode configuration allows an interface on the firewall to

be connected to a mirrored port on a switch to examine network traffic. Typically, this configuration is

used with a switch inside the main gateway to monitor traffic on the intranet.

In IPS Sniffer Mode, a Layer 2 Bridge is configured between two interfaces in the same zone on the

firewall, such as LAN‐LAN or DMZ‐DMZ. You can also create a custom zone to use for the Layer 2 Bridge.

Only the WAN zone is not appropriate for IPS Sniffer Mode.

The reason for this is that SonicOS detects all signatures on traffic within the same zone such as LAN‐

LAN traffic, but some directional specific (client‐side versus server‐side) signatures do not apply to some

LAN‐WAN cases.

Either interface of the Layer 2 Bridge can be connected to the mirrored port on the switch. As network

traffic traverses the switch, the traffic is also sent to the mirrored port and from there into the firewall

for deep packet inspection. Malicious events trigger alerts and log entries, and if SNMP is enabled,

SNMP traps are sent to the configured IP address of the SNMP manager system. The traffic does not

actually continue to the other interface of the Layer 2 Bridge. IPS Sniffer Mode does not place the

firewall inline with the network traffic, it only provides a way to inspect the traffic.

The Edit Interfaces dialog available from the Network > Interfaces page provides a checkbox called Only

sniff traffic on this bridge‐pair for use when configuring IPS Sniffer Mode. When selected, this checkbox

causes the firewall to inspect all packets that arrive on the L2 Bridge from the mirrored switch port. The

Never route traffic on this bridge‐pair checkbox should also be selected for IPS Sniffer Mode to ensure

that the traffic from the mirrored switch port is not sent back out onto the network.

2.2. Wire (Inline) Mode Wire Mode is a simplified form of Layer 2 Bridged Mode, and is configured as a pair of interfaces. In

Wire Mode, the destination zone is the Paired Interface Zone. Access rules are applied to the Wire Mode

pair based on the direction of traffic between the source Zone and its Paired Interface Zone. For

example, if the source Zone is WAN and the Paired Interface Zone is LAN, then WAN to LAN and LAN to

WAN rules are applied, depending on the direction of the traffic.

In Wire Mode, you can enable Link State Propagation, which propagates the link status of an interface to

its paired interface. If an interface goes down, its paired interface is forced down to mirror the link

status of the first interface. Both interfaces in a Wire Mode pair always have the same link status.

In Wire Mode, you can Disable Stateful Inspection. When Disable Stateful Inspection is selected, Stateful

Packet Inspection is turned off. When Disable Stateful Inspection is not selected, new connections can

be established without enforcing a 3‐way TCP handshake. Disable Stateful Inspection must be selected if

asymmetrical routes are deployed.


2.3. Management Mode Each appliance includes a distinct and dedicated MGMT port. When using this port, you are in

management mode.


Configuring Settings for Managing Users

3.1. Users | Settings

On MANAGE | System Setup | Users | Settings, you can configure the authentication method required,

global user settings, and an acceptable user policy that is displayed to users when logging onto your

network.

3.2. Configuring User Authentication and Login Settings IMPORTANT: When you have finished configuring the Users | Settings page, click Accept.

3.2.1. User Authentication Settings


To configure user authentication settings:

• Navigate to MANAGE | System Setup | Users | Settings.

• If partitioning is:

o Not enabled, go to Step 4.

o Enabled, the Separate settings per authentication partition (for certain settings only)

option displays. Select the option. the Settings for partition options display.

• For each partition, perform Step 4 onward.

• From User Authentication method, select the type of user account management your network

uses:

o Local Users: To configure users in the local database in the security appliance using the

Users | Local Users & Groups page.

3.2.2. Configuring Administrator Lockout To configure login constraints:

• In the Manage view, navigate to System Setup | Appliance | Base Settings | Login Security

• To specify the length of inactivity time that elapses before you are automatically logged out of

the Management Interface, enter the time, in minutes, in the Log out the Administrator after

inactivity of (minutes) field. By default, the SonicWall Security Appliance logs out the

administrator after 5 minutes of inactivity. The inactivity timeout can range from 1 to 9999

minutes.


• To configure the SonicWall security appliance to lockout an administrator or a user if the login

credentials are incorrect, select Enable administrator/user lockout. Both administrators and

users are locked out of accessing the firewall after the specified number of incorrect login

attempts. This option is disabled by default. When this option is enabled, the following fields

become active

o Enter the number of failed attempts within a specified time frame before the user is

locked out in the first Failed login attempts per minute before lockout field. The default

number is 5, the minimum is 1, and the maximum is 99.

o Enter the maximum time in which failed attempts can be made. The default is 5

minutes, the minimum is 1 minute, and the maximum is 240 minutes (4 hours)

o Enter the length of time that must elapse before the user is allowed to attempt to log

into the firewall again in the Lockout Period (minutes) field. The default is 5 minutes, the

minimum is 0 (permanent lockout), and the maximum is 60 minutes.

• Enter the number of incorrect login attempts from the command line interface (CLI) that trigger

a lockout in the Max login attempts through CLI field. The default is 5, the minimum is 3, and the

maximum is 15.

• Click Accept.

3.2.3. Configuring Password Compliance In the Manage view, navigate to System Setup | Appliance | Base Settings | Login Security.

• To require users to change at least 15 alphanumeric/symbolic characters of their old password

when creating a new one, select New password must contain 15 characters different from the

old password. For how to specify what characters are allowed

• Specify the shortest allowed password, enter the minimum number of characters in the Enforce

a minimum password length of field. The default number is 8, the minimum is 1, and the

maximum is 99.

3.2.4. Adding Local Users You can add local users to the internal database on the security appliance from the Users | Local Users

& Groups page

To add local users to the database:

• Navigate to MANAGE | System Setup | Users | Local Users & Groups.

• If partitioning is:

• Not enabled, go to Step 3.

• Enabled, select the partition to which the settings apply from the Authentication

partitioning drop‐down menu. The default is All.

• Click Add User. The Add User dialog displays


• Type the user name into the Name field.

• In the Password field, type a password for the user. Passwords are case‐sensitive and should

consist of a combination of 32 letters and numbers rather than names of family, friends, or pets.

• Confirm the password by retyping it in the Confirm Password field.

o NOTE: The possible password character sets include, upper case letters, lower case

letters, numbers, and the following special characters “!”, “@”, “#”, “$”, “%”, “^”, “&”,

“*”, “(“, “)”

3.2.5. Editing Local Users You can edit local users from the Users | Local Users & Groups page.

To edit a local user:

• In the Local Users table, click the user’s Edit icon under Configure. The Edit User dialog displays.

• Configure the options exactly as when adding a new user


3.2.6. User Session Settings

To configure settings that apply to all users who are authenticated through the security appliance:

• Specify the length of time for inactivity after which users are logged out of the security

appliance in the Inactivity timeout (minutes) field. The default is 15 minutes. At the local login

the administrative session is terminated.

3.2.7. Pre‐Login Policy Banner In this section, you create a policy statement that is presented to all users as a banner in the window

before web login. The policy banner may include HTML formatting.

To create a pre‐login policy banner:

Navigate to MANAGE | System Setup | Users | Settings.

• Click Customization.

• Scroll to the Pre‐Login Policy Banner section.

• In the Pre‐Login Policy Banner section, select Start with policy banner before login page. This

option is not selected by default.

• In the Policy banner content field, enter your policy text.. You can include HTML formatting. The

page that is displayed to the user includes an I Accept button and Cancel button for user

confirmation


• Click Accept

IPSec VPN To configure a VPN Policy using Internet Key Exchange (IKE)

• Select the MANAGE view.

• Under Connectivity, select VPN > Base Settings

• Click ADD to create a new policy or click the Edit icon if you are updating and existing policy

• From the Policy Type drop‐down menu on the General tab, Site to Site.

• In the Authentication Method drop‐down menu, select IKE using Preshared Secret.

• Enter a name for the policy in the Name field.

• Enter the host name or IP address of the remote connection in the IPsec Primary Gateway Name

or Address field.

• If the Remote VPN device supports more than one endpoint, enter a second host name or IP

address of the remote connection in the IPsec Secondary Gateway Name or Address field

(optional).

• In the IKE Authentication section, in the Shared Secret and Confirm Shared Secret fields, enter a

Shared Secret password. This is used to be used to setup the SA (Security Association). The

Shared Secret password must be at least 4 characters long, and should include both numbers

and letters.

• To see the shared secret key in both fields, clear the checkbox for Mask Shared Secret. By

default, Mask Shared Secret checkbox is selected, which causes the shared secret key to be

displayed as black circles.

• Click Proposals.


• Under IKE (Phase 1) Proposal, choose IKEV2 Mode from the Exchange drop‐down menu:

• Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH

Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.

• For the DH Group, when in Main Mode or Aggressive Mode, you can select from several Diffie

Hellman exchanges

• For the Encryption field, if Main Mode or Aggressive Mode was selected, choose AES‐128, or

AES‐256 from the drop‐down menu. CBC mode is implied.

• For the Authentication field, if Main Mode or Aggressive Mode was selected, choose SHA‐1

(default), SHA256, SHA384, or SHA512 for enhanced authentication security.

• For all Exchange modes, enter a value for Life Time (seconds). The default setting of 28800

forces the tunnel to renegotiate and exchange keys every 8 hours.

• NOTE: SonicOS only supports Tunnel mode for IPsec connections. No configuration is necessary.

• Under Ipsec (Phase 2) Proposal, set the values for the remaining options. The protocol must be

ESP. The default values for Encryption, Authentication, Enable Perfect Forward Secrecy and Life

Time are acceptable for most VPN configurations.

• For the Encryption field, choose AES‐128, AES‐256, AESGCM16-128 or AESGCM16-256 from the

drop‐down menu. CBC mode is implied unless GCM16 is included in the name.

• For the Authentication field, choose SHA‐1 (default), SHA256, SHA384, or SHA512 for enhanced

authentication security.

• Enter a value for Life Time (seconds). The default setting of 28800 forces the SA to renegotiate

and exchange keys every 8 hours.

4.1. Configuring IKE/IPsec with a Manual Key To configure a VPN policy using Manual Key:


Select the MANAGE view.

• Under Connectivity, select VPN > Base Settings.

• Click ADD to create a new policy or click the Edit icon if you are updating and existing policy.

• In the Authentication Method field, select Manual Key from drop‐down list. The window shows

only the Manual Key options.

• Enter a name for the policy in the Name field.

• Enter the host name or IP address of the remote connection in the IPsec Gateway Name or

Address field.

• In the Authentication Key field, enter a 40‐character hexadecimal authentication key or use the

default value. Write down the key to use while configuring the firewall settings.

4.2. Configuring IKE/IPsec with a Third-Party Certificate

• In the Authentication Method field, select IKE using 3rd Party Certificates. The VPN Policy

window displays the third‐party certificate options in the IKE Authentication section.

• Type a name for the Security Association in the Name field.

• Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWall in

the IPsec Primary Gateway Name or Address field.

• If you have a secondary remote SonicWall, enter the IP address or Fully Qualified Domain Name

(FQDN) in the IPsec Secondary Gateway Name or Address field.

• Under IKE Authentication, select a third‐party certificate from the Local Certificate list. You must

have imported local certificates before selecting this option.

• From the Peer IKE ID Type drop‐down menu, select one of the following Peer ID types


4.3. Configuring Advanced VPN Settings Advanced VPN Settings globally affect all VPN policies. This section also provides solutions for Online

Certificate Status Protocol (OCSP). OCSP allows you to check VPN certificate status without Certificate

Revocation Lists (CRLs). This allows timely updates regarding the status of the certificates used on your

firewall.

• Enable NAT Traversal ‐ Select this setting if a NAT device is located between your VPN

endpoints. IPsec VPNs protect traffic exchanged between authenticated endpoints, but

authenticated endpoints cannot be dynamically re‐mapped mid‐session for NAT traversal to

work. Therefore, to preserve a dynamic NAT binding for the life of an IPsec session, a 1‐byte

UDP is designated as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN

device behind the NAT or NAPT device. The “keepalive” is silently discarded by the IPsec peer.


• Enable OCSP Checking and OCSP Responder URL ‐ Enables use of Online Certificate Status

Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate

status

4.4. SPD creation The SPD for IPsec connections are created via the configured Firewall policy. Creation of these can be

found in the section titled “Firewall” of this document.


Managing Certificates

5.1. About Certificates To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate

from a third-party CA service. When you have a valid CA certificate, you can import it into the firewall to

validate your Local Certificates. You import the valid CA certificate into the firewall using the Appliance >

Certificates page. After you import the valid CA certificate, you can use it to validate your local

certificates.

SonicOS provides a large number of certificates with the SonicWall Security Appliance; these are built‐in

certificates and cannot be deleted or configured.

5.2. About the Certificates and Certificate Requests Table

The Certificate and Certificate Requests table provides all the settings for managing CA and Local

Certificates.

The View Style menu allows you to display your certificates based on these criteria:

The Certificates and Certificate Requests table displays this information about certificates.


5.3. About Certificate Details Clicking on the Comment icon in the Details column displays information about the certificate, which

may include the following, depending on the type of certificate:

• Signature Algorithm

• Certificate Issuer

• Subject Distinguished Name

• Public Key Algorithm

• Certificate Serial Number

• Valid from

• Expires On

• Status (for Pending requests and local certificates)

The details depend on the type of certificate. Certificate Issuer, Certificate Serial Number, Valid from,

and Expires On are not shown for Pending requests as this information is generated by the Certificate

provider

5.4. Importing Certificates After your CA service has issued a Certificate for your Pending request, or has otherwise provided a

Local Certificate, you can import it for use in VPN or Web Management authentication. CA Certificates

may also be imported to verify local Certificates and peer Certificates used in IKE negotiation.


5.4.1. Importing a Local Certificate To import a local certificate:

• Navigate to Appliance > Certificates.

• Click Import. The Import Certificate dialog displays

• Enter a certificate name in the Certificate Name field.

• Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the

Certificate Management Password field.

• Click Browse to locate the certificate file.

• Click Open to set the directory path to the certificate.

• Click Import to import the certificate into the firewall. When it is imported, you can view the

certificate entry in the Certificates and Certificate Requests table

• Moving your pointer to the Comment icon in the Details column displays the certificate details

information

5.4.2. Importing a Certificate Authority Certificate To import a certificate from a certificate authority:


• Click Import. The Import Certificate dialog displays.

• Choose Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The

Import Certificate dialog settings change


• Click Browse to locate the certificate file.

• Click Open to set the directory path to the certificate.

• Click Import to import the certificate into the firewall. When it is imported, you can view the

certificate entry in the Certificates and Certificate Requests table.

• Moving your pointer to the Comment icon in the Details column displays the certificate details

information.

5.4.3. Deleting a Certificate You can delete an imported certificate if it has expired or if you decide not to use third‐party certificates

for VPN authentication. You can always delete certificates you created.

To delete:

• A certificate, click its Delete icon.

• One or more certificates:

o Click their checkbox(es). The DELETE and DELETE ALL buttons become available.

o Click either DELETE or DELETE ALL.

• All non built‐in certificates:

o Click the checkbox in the table heading. The DELETE and DELETE ALL buttons become

available.

o Click either DELETE or DELETE ALL.

5.4.4. Generating a Certificate Signing Request To generate a certificate signing request:


• Click New Signing Request. The Certificate Signing Request dialog displays.


• Enter an alias name for the certificate in the Certificate Alias field.

• Create a Distinguished Name (DN) using the drop‐down menus shown in Distinguished name

components, then enter information for the certificate in the associated fields


As you enter information for the components, the Distinguished Name (DN) is created in the Subject

Distinguished Name field.

• Optionally, you can also attach a Subject Alternative Name to the certificate after selecting the

type from the drop‐down menu:


o Domain Name

o Email Address

o IPv4 Address

• Select a signature algorithm from the Signature algorithm drop‐down menu:

o MD5

o SHA1 (default)

o SHA256

o SHA384

o SHA512

• Select a subject key type from the Subject Key Type drop‐down menu:

o RSA (default) A public key cryptographic algorithm used for encrypting data,

o ECDSA Encrypts data using the Elliptic Curve Digital Signature Algorithm, which has a

high strength‐per‐key‐bit security

• Select a subject key size or curve from the Subject Key Size/Curve drop‐down menu.

• Click Generate to create a certificate signing request file.

When the Certificate Signing Request is generated, a message describing the result is displayed in the

Status area at the bottom of the browser window and a new entry appears in the Certificates and

Certificate Requests table with the type Pending request.

• Click the Export icon to download the file to your computer. An Opening dialog displays.

• Click OK to save the file to a directory on your computer. You have generated the Certificate

Request that you can send to your Certificate Authority for validation.

• Click the Upload icon to upload the signed certificate for a signing request. the Upload

Certificate dialog displays

• Click Browse to select a file. The Open File dialog displays.

• Select the file.

• Click Open.

• Click UPLOAD


5.4.5. Checking Certificate Expiration To activate periodic checks of certificate’s expiration:

• In the Manage view, navigate to System Setup | Appliance | Base Settings | Check Certificate

Expiration Settings.

• Select Enable periodic certificate expiration check. This option is selected by default. When

enabled, the Certificate expiration alert interval field becomes available.

• To set the interval between certificate checks, in hours, enter the interval in the Certificate

expiration alert interval: 1 ‐ 168 (in hours) field. The minimum time is 1 hour, the maximum is

168 hours, and the default is 168. 4

• Click Accept.

5.4.6. Configuring Client Certificate Verification To configure Client Certificate Check:

• In the Manage view, navigate to System Setup | Appliance | Base Settings | Client Certificate

Check.

• To enable certificate checking select Enable Client Certificate Check.

• Click OK

• To specify from which certificate field the user name is obtained, choose an option from the

User Name Field drop‐down menu:

o Subject: Common Name (default)

o Sub Alt: Email

o Sub Alt: Microsoft Universal Principal Name

• To select a Certification Authority (CA) certificate issuer, choose one from the Client Certificate

Issuer drop‐down menu. The default is ComSign CA

• To enable the Online Certificate Status Protocol (OCSP) check to verify the client certificate is

still valid and has not been revoked, select Enable OCSP Checking. When this option is enabled,

the OCSP Responder URL field displays and the Enable periodic OCSP Check option displays


• Enter the URL of the OSCP server that verifies the status of the client certificate in the OCSP

Responder URL field.


Firewall

6.1. Firewall > Access Rules

This section provides an overview of the SonicWall network security appliance default access rules and

custom access rules. Access rules are network management tools that allow you to define inbound and

outbound access policies, configure user authentication, and enable remote management of your

firewall. This section provides configuration examples to customize your access rules to meet your

business requirements.

Access rules are network management tools that allow you to define ingress and egress access policy,

configure user authentication, and enable remote management of the SonicWall security appliance.

Rules may be applied to various types of traffic including, Internet Protocol (IPv4): RFC 791, Internet

Protocol version 6 (IPv6): RFC 2460, Transmission Control Protocol (TCP): RFC 793, and User Datagram

Protocol (UDP): RFC 768.

The SonicOS Firewall > Access Rules page provides a sortable access rule management interface. The

subsequent sections provide high‐level overviews on configuring access rules by zones and configuring

bandwidth management using access rules.

The rules are categorized into separate tables for each source zone to destination zone and for

IPv4/IPv6. Thus all the priority types only apply within the rule table to which the rule belongs.

6.2. About Stateful Packet Inspection Default Access Rules By default, the SonicWall network security appliance’s stateful packet inspection allows all

communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The

following behaviors are defined by the Default stateful inspection packet access rule enabled on the

SonicWall network security appliance:

• Allow all sessions originating from the LAN, WLAN to the WAN, or DMZ (except when the

destination WAN IP address is the WAN interface of the firewall itself)

• Allow all sessions originating from the DMZ to the WAN.

• Deny all sessions originating from the WAN to the DMZ.

• Deny all sessions originating from the WAN and DMZ to the LAN or WLAN.


Additional network access rules can be defined to extend or override the default access rules. For

example, access rules can be created that allow access from the LAN zone to the WAN Primary IP

address, or block certain types of traffic such as IRC from the LAN to the WAN, or allow certain types of

traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific

hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized users on the LAN.

Custom access rules evaluate network traffic source IP addresses, destination IP addresses, IP protocol

types, and compare the information to access rules created on the SonicWall security appliance.

Network access rules take precedence, and can override the SonicWall security appliance’s stateful

packet inspection. For example, an access rule that blocks IRC traffic takes precedence over the

SonicWall security appliance default setting of allowing this type of traffic.

6.3. Configuring Access Rules for a Zone To display the Access Rules for a specific zone select a zone from the Matrix or To/From drop‐down

menus.

The access rules are sorted from the most specific at the top, to less specific at the bottom of the table.

At the bottom of the table is the Any rule. The default access rule is all IP services except those listed in

the Access Rules page. Access rules can be created to override the behavior of the Any rule; for example,

the Any rule allows users on the LAN to access all Internet services, including NNTP News.

6.3.1. Changing Priority To change the priority ranking of an access rule:

• From the From and To drop‐down menus, specify specific source and destination zones. The

Priority column contains Priority icons


• Click the Priority icon in the Priority column of the Access Rule. The Change Priority dialog

displays

• Enter the new priority number (1‐10) in the Priority field.

• Click OK

6.3.2. Adding Access Rules Click the Add button of the Access Rules table. The Add Rule dialog displays.


• In the General tab, under Settings, select an Action, that is, how the rule processes (permits or

blocks) the specified IP traffic:

o Allow (default)

o Deny

o Discard

• Select the from and to zones from the From Zone and To Zone drop‐down menus.

• From the Select Port drop‐down menu, select the source port defined in the selected Service

Object/Group. The Service Object/Group selected must have the same protocol types as the

ones selected in the Service drop‐down menu. The default is Any.

• Select the service or group of services affected by the access rule from the Service drop‐down

menu. The Any service encompasses all IP services. If the service is not listed, you must define

the service in the Add Service dialog by selecting either

o Create new service to display the Add Service dialog

o Create new group to display the Add Service Group dialog

• Select the source of the traffic affected by the access rule from the Source drop‐down menu

• Select the destination of the traffic affected by the access rule from the Source drop‐down

menu

• From the Users Allowed drop‐down menu, select the user or user group affected by the access

rule

• Select a schedule from the Schedule drop‐down menu. The default schedule is Always on

• Select a priority for the new rule from the Priority drop‐down menu

• Enter any comments to help identify the access rule in the Comments field

• If you want to enable the logging of the service activities, select the Enable Logging checkbox.

This option is selected by default.

6.3.3. Configuring GeoIP Settings • Click GeoIP.

• Select the Enable Geo‐IP Filter checkbox to apply a filter to traffic matching this rule.

• Select Global to apply the global GeoIP country list for this rule.

• Select Custom to specify a custom GeoIP country list for this rule. Selecting Enable Geo‐IP Filter

and Custom enables the Available Countries and Selected Countries fields.


• To select a country, click it in the Available Countries list and drag it to the Selected Countries

field.

• To remove a country from the Selected Countries list, click it and drag it back to Available

Countries

• Select Block Unknown Countries to block traffic matching no known country

6.3.4. Editing an Access Rule To edit an Access Rule:

• Click the Edit icon of the Access Rule. The Edit Rule dialog, which has the same settings as the

Add Rule dialog) except the Priority drop‐down menu has an extra option

o Retain original priority, which is the default


• Make your changes

• Click OK. A message appears in the Status bar.

6.3.5. Deleting a Custom Access Rule To delete:

• An individual custom access rule, click its Delete icon.

• Selected custom access rules, click their checkboxes, and then click the Delete button. This

button is dimmed until a custom access rule checkbox is selected.

• All custom access rules, click the Delete All button.

6.3.6. Default Deny Rule In the evaluated configuration, a deny rule applied to any interface, any zone, and for any traffic with

the lowest priority must created. This ensures that any traffic that does not match a configured rule will

be denied.

6.3.7. Reconnection If an IPsec tunnel loses connectivity, no additional administrative actions are required. The tunnel will

attempt to restart automatically. Plaintext data will never be sent.

6.3.8. TCP Connections The TOE tracks and maintains information relating to the number of half-open TCP connections as

follows:

• There is an administratively defined limit for half-open TCP connections based on: o TCP Handshake Timeout (seconds) o Maximum Half Open TCP Connections

• There is a TCP Handshake Timeout (seconds) o Each half-open TCP connection is removed if the handshake is not complete by the time

this timeout is reached

• There is a maximum number of allowable Half Open TCP Connections

A global counter is used by the TOE to track the number of all half-open TCP connections. When this

number reaches the value of Maximum Half Open TCP Connections, new incoming TCP connections are

dropped


Intrusion Protection Intrusion Prevention Service (IPS) is configured on the Security Services > Intrusion Prevention page,

which is divided into three panels:

• IPS Status

• IPS Global Settings

• IPS Policies •

7.1. IPS Status The IPS Status panel displays status information for the signature database and your IPS license.


The IPS Status panel displays the following information:

• Signature Database indicates whether the signature database is being downloaded, has been

downloaded, or needs to be downloaded. The signature database is updated automatically

about once an hour. You can also manually update your IPS database at any time by clicking the

Update button located in the IPS Status section.

• Signature Database Timestamp displays the last update to the IPS signature database, not the

last update to your SonicWALL security appliance.

• Last Checked indicates the last time the SonicWALL security appliance checked the signature

database for updates. The SonicWALL security appliance automatically attempts to synchronize

the database on startup, and once every hour.

• IPS Service Expiration Date indicates the date when the IPS service expires. If your IPS

subscription expires, the SonicWALL IPS inspection is stopped and the IPS configuration settings

are removed from the SonicWALL security appliance. After renewing your IPS license, these

settings are automatically restored to the previously configured state.

• Note: Enable the Intrusion Prevention Service per zone from the Network > Zones page.

7.2. IPS Global Settings The IPS Global Settings panel provides the key settings for enabling IPS on your firewall.

To enable IPS on your firewall:

• Go to the Security Services > Intrusion Prevention page.

• Go to the IPS Global Settings panel.


• Select Enable IPS.

• Select the action that you want (Prevent All, Detect All, or both) for each of the Signature

Groups:

o High Priority Attacks

o Medium Priority Attack

o Low Priority Attacks

7.3. Resetting the IPS Settings and Policies To reset the IPS Settings and Policies:

• Go to the Security Services > Intrusion Prevention page.

• In the IPS Global Settings panel, click the Reset IPS Settings & Policies button.

The following message is displayed.

• Click OK.

• The following message appears at the bottom of the screen: Status: The configuration has been

updated.


7.4. Configuring IPS Protection on Zones You apply SonicWALL IPS to zones on the Network > Zones page to enforce SonicWALL IPS not only

between each network zone and the WAN, but also between internal zones. For example, enabling

SonicWALL IPS on the LAN zone enforces SonicWALL IPS on all incoming and outgoing LAN traffic. In

the IPS Status section of the Security Services > Intrusion Prevention Service page, click the Network >

Zones link to access the Network > Zones page. You apply SonicWALL IPS to a zone listed on the Network

> Zones page.

To enable SonicWALL on a zone, perform these steps:

• Go to Network > Zones or from the IPS Status section on the Security Services > Intrusion

Prevention page, click the Network > Zones link. The Network > Zones page is displayed.

• In the Configure column in the Zone Settings table, click the Edit icon for the zone you want to

apply SonicWALL IPS. The Edit Zone window is displayed.

• Click the Enable IPS checkbox. A checkmark appears. To disable SonicWALL IPS, clear the box.

• Click OK.

7.5. Packet Dissection The Packet Dissection Menu lets you specify specific packet characteristics to filter on.

To specify the characteristics to filter on select from the following,

• Name – Name of the rule

• Enable Negative Matching – Allows you to only examine the traffic type specified in the rule

• Family – Type of analysis to be performed

• Header field – The header to be examined

• Data Type – Type of data to be examined

• Value – Examination value

The following fields can be examined

• IPv4: Version; Header Length; Packet Length; ID; IP Flags; Fragment Offset; Time to Live (TTL); Protocol; Header Checksum; Source Address; Destination Address; and IP Options.

• IPv6: Version; traffic class; flow label; payload length; next header; hop limit; source address; destination address; routing header; home address options.

• ICMP: Type; Code; Header Checksum; and Rest of Header(varies based on the ICMP type and code).

• ICMPv6: Type; Code; and Header Checksum.

• TCP: Source port; destination port; sequence number; acknowledgement number; offset; reserved; TCP flags; window; checksum; urgent pointer; and TCP options.

• UDP: Source port; destination port; length; and UDP checksum.


7.6. Priority Menu The Priority menu lets you specify the priority of the signatures you want to display.

To specify the priority of the signatures you want to display:

• Select one of the following priorities from the Priority menu:

o All

o High

o Medium

o Low

The Default priority is “All.”

7.7. Matching String Objects Pattern matching for arbitrary strings in packets can be configured by selecting Firewall > Match Objects

> Add New Match Object.

Set the Match Object Type to Custom Object and enter the desired string in the Content field, and then

select Add to apply that string to the object.


Firmware

8.1. Firmware Management

The Local section of the Firmware Management & Backup table displays the following information:

• Current Firmware Version ‐ firmware currently loaded on the firewall.

• Firmware Load Date ‐ the date and time the firmware was installed on the appliance

• Firmware Build Date ‐ the date and time the firmware was created

• Configuration Date ‐ the date and time when the configuration of the appliance was last

updated

• Username ‐ the user who installed or updated the firmware

• Boot ‐ clicking the Boot icon reboots the firewall with the firmware version listed in the same

row.

• Firmware Actions‐ clicking the Download icon saves the firmware to a new location on your

computer or network. Only uploaded firmware can be saved to a different location

8.2. Updating Firmware Click the Upload Firmware button to update the firmware on your SonicWall network security appliance.

CAUTION: Uploading new firmware will overwrite any existing uploaded firmware image

• Browse to the firmware file located on your local drive.

• Click the Upload button to upload the new firmware to the SonicWall security appliance. The

Firmware Management table displays the new firmware.

• A success message displays in the Status bar.

NOTE: It is at this point that the digital signature of the image is verified. If the verification fails, a

failure to upload message is presented.

• Click the Boot icon for the firmware you just downloaded.


• Select whether you want to install the new firmware with your current configuration or a the

default configuration.

• A warning message displays.

• Click OK. A information message about the time to boot the firmware displays.

• Click OK. An information message about the boot status displays in the Status bar

• Log back in when the log in dialog displays. Both the MONITOR | Current Status | System Status

and MANAGE| Updates | Firmware & Backups pages reflect the firmware update


Auditing SonicOS can simultaneously send the same messages (i.e. event messages) to an external, user-

configured Syslog Server for viewing. If the connection to the audit server is lost, the logs are stored in a

32 kilobyte rolling log buffer. When the buffer becomes full, the oldest logs are overwritten and access

to these records is restricted to authorized administrators with the appropriate privilege.

9.1. Configuring Syslog Settings

In addition to displaying event messages in the GUI, the SonicWall security appliance can send the same

messages to an external, user‐configured Syslog Server for viewing. The Syslog message format can be

selected in Syslog Settings and the destination Syslog Servers can be specified in the Syslog Servers

table.

SonicWall Syslog captures all log activity and includes every connection source and destination name

and/or IP address, IP service, and number of bytes transferred. SonicWall Syslog support requires an

external server running a Syslog daemon; the UDP Port is configurable.

SonicWall has fully compatible Syslog viewers, such as GMS and Analyzer, which can generate useful

reports based on received Syslog messages. When GMS or Analyzer has been enabled, the destination

hosts are automatically added as one of the Syslog Servers

The Log Settings > Syslog page enables you to configure the various settings you want when you send

the log to a Syslog server. You can choose the Syslog facility and the Syslog format.

9.2. Syslog Settings To configure Syslog settings on your firewall:

• Navigate to the Logs & Reporting | Log Settings > Syslog page


• In the Syslog ID field, enter the Syslog ID. The default is firewall

• The Syslog Facility may be left as the factory default. Optionally, however, from the Syslog

Facility drop‐down menu, select the Syslog Facility appropriate to your network:

• From the Syslog Format drop‐down menu, select the Syslog format:

• Optionally, specify the maximum number of events in the Maximum Events Per Second field; the

minimum number is 0 per second, the maximum is 1000 per second, and the default is 1000.

This option limits events logged to prevent the internal or external logging mechanism from

being overwhelmed by log events.

• Optionally, specify the maximum number of bytesin the Maximum Bytes Per Second field; the

minimum is number is 0 bytes per second, the maximum is 1000000000 bytes per second, and

the default is 10000000. This control limits data logged to prevent the internal or external

logging mechanism from being overwhelmed by log events.

• Select the Enable NDPP Enforcement for Syslog Server.

• Click Accept.

9.3. Adding a Syslog Server To add a Syslog server to the firewall.

• Go to the Log Settings > Syslog page.

• Go to the Syslog Servers section


• Click Add. The Add Syslog Server dialog appears

Note: The parameter titled “Bind to VPN Tunnel and Create Network Monitor Policy in NDPP Mode”

configures SonicOS to send log traffic through an IKE/IPsec. IKE/IPsec tunnel configuration can be found

in the section titled “IPsec VPN” of this document.

9.4. Audit Logs The following events generate audit logs.

Requirement Auditable Events Additional Audit Record Contents

FAU_GEN.1 Administrative login and logout Username

Changes to TSF data related to configuration changes

Generating/import of, changing, or deleting of cryptographic keys

Resetting passwords Username

FCS_HTTPS_EXT.1 Failure to establish a HTTPS Session. Reason for failure

FCS_IPSEC_EXT.1 Failure to establish an IPsec SA. Reason for failure

Session establishment with peer Entire packet contents of packets transmitted/received during session establishment

FCS_TLSS_EXT.1 Failure to establish a TLS Session Reason for failure

FDP_RIP.2 None. None.

FIA_AFL.1 Unsuccessful login attempts limit is met or exceeded.

Origin of the attempt (e.g., IP address).

FIA_PMG_EXT.1 None. None.

FIA_UIA_EXT.1 All use of identification and authentication mechanism.

Provided user identity, Origin of the attempt (e.g., IP address).

FIA_UAU_EXT.2 All use of identification and authentication mechanism.

Origin of the attempt (e.g., IP address).


Requirement Auditable Events Additional Audit Record Contents

FIA_UAU.7 None. None.

FIA_X509_EXT.1/ Rev Unsuccessful attempt to validate a certificate

Reason for failure

Session establishment with CA Entire packet contents of packets transmitted/received during session establishment

FMT_MOF.1/ ManualUpdate

Any attempt to initiate a manual update None.

FMT_MTD.1/ CoreData All management activities of TSF data. None.

FPT_STM_EXT.1 Discontinuous changes to time - either Administrator actuated or changed via an automated process.

For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address).

FPT_TUD_EXT.1 Initiation of update; result of the update attempt (success or failure)

None.

FTA_SSL_EXT.1 (if “terminate the session” is selected)

The termination of a local session by the session locking mechanism.

None.

FTA_SSL.3 The termination of a remote session by the session locking mechanism.

None.

FTA_SSL.4 The termination of an interactive session. None.

FTP_ITC.1 Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.

Identification of the initiator and target of failed trusted channels establishment attempt.

FTP_TRP.1/ Admin Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions.

None.

FFW_RUL_EXT.1 Application of rules configured with the ‘log’ operation

Source and destination addresses Source and destination ports Transport Layer Protocol TOE Interface

Indication of packets dropped due to too much network traffic

TOE interface that is unable to process packets Identifier of rule causing packet drop

FPF_RUL_EXT.1 Application of rules configured with the ‘log’ operation

Source and destination addresses Source and destination ports Transport Layer Protocol TOE Interface

Indication of packets dropped due to too much network traffic

TOE interface that is unable to process packets

Audit logs use standard syslog log format as shown in the following example,

May 11 10:40:48 scrooge disk-health-nurse[26783]: [ID 702911

user.error] m:SY-mon-full-500 c:H : partition health measures for /var

did not suffice

In the above example the following holds true,


• Column 1 = "May 11 10:40:48" > Timestamp

• Column 2 = "scrooge" > Loghost

• Column 3 = "disk-health-nurse[26783]:" > Application/Process

• Column 4 = "[ID 702911 user.error]" > Syslog facility.level

• Column 5 = "m:SY-mon-full-500" > Message ID

• Column 6 = "c:H : partition health..." > Message [possibly including rid, sid, ip]


--End of Document---

SonicWall® SonicOS 6.5 Common Criteria Addendum · SonicWall SonicOS CC Addendum 2 Version Date...

Documents

Transcript of SonicWall® SonicOS 6.5 Common Criteria Addendum · SonicWall SonicOS CC Addendum 2 Version Date...