Release Notes. Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 1 Key Features... 2 Known Issues...

Transcription

1 SonicOS SonicOS Contents Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 1 Key Features... 2 Known Issues Release Purpose SonicOS is the initial release for the Dell SonicWALL SuperMassive 9000 Series Next-Generation, Reassembly-Free Deep Packet Inspection security appliances. Platform Compatibility The SonicOS release is supported on the following Dell SonicWALL security appliances: SuperMassive 9600 SuperMassive 9400 SuperMassive 9200 The Dell SonicWALL WXA series appliances (WXA 500 Live CD, WXA 5000 Virtual Appliance, WXA 2000/4000 Appliances) are also supported for use with Dell SonicWALL SuperMassive appliances running The minimum recommended firmware version for the WXA series appliances is Upgrading Information For information about obtaining the latest firmware, upgrading the firmware image on your Dell SonicWALL appliance, and importing configuration settings from another appliance, see the SonicOS 6.1 Upgrade Guide on the Product Documentation page for the SuperMassive series, at Browser Support SonicOS uses advanced browser technologies such as HTML5, which are supported in most recent browsers. Dell SonicWALL recommends using the latest Chrome, Firefox, Internet Explorer, or Safari browsers for administration of SonicOS. This release supports the following Web browsers: Chrome 18.0 and higher (recommended browser for dashboard real-time graphics display) Firefox 16.0 and higher Internet Explorer 8.0 and higher (do not use compatibility mode) Safari 5.0 and higher Mobile device browsers are not recommended for Dell SonicWALL appliance system administration.

2 Key Features Release Notes SonicOS 6.1 includes a number of major key features, described in this section. Real-Time Visualization Dashboard Enhancements... 3 Multi-Core Monitor... 3 Real-Time Monitor... 4 AppFlow Monitor... 5 Application Intelligence + Control... 5 AppFlow Reports... 6 User Monitor... 7 BWM Monitor... 7 Connection Monitor... 8 AppFlow Server... 9 App Control Policy Configuration Using App Flow Monitor Application Usage and Risk Report IPFIX and NetFlow Reporting Global BWM Ease of Use Enhancements Networking Enhancements Wire Mode (2-Port Wire) Tap Mode (1-Port Tap) BGP Advanced Routing High Availability Active-Active Clustering High Availability Active-Active Clustering Full-Mesh Redundancy Link Aggregation Port Redundancy User Management Enhancements LDAP User Group Mirroring LDAP Primary Group Attribute LDAP Group Membership by Organizational Unit Auto-Configuration of URLs to Bypass User Authentication NTLM Authentication with Mozilla Browsers SSL VPN NetExtender Update Enhanced Connection Limiting Current Users and Detail of Users Options for TSR Security Services Enhancements One-Touch Configuration Content Filtering Enhancements Reassembly-Free Regular Expressions for DPI Engine UDP and ICMP Flood Protection Deep Packet Inspection of SSL Encrypted Data (DPI-SSL) Gateway Anti-Virus Enhancements (Cloud GAV) General Enhancements NTP Authentication DHCP Scalability Enhancements SIP Application Layer Gateway Enhancements Enhanced CLI

3 Real-Time Visualization Dashboard Enhancements With the new visualization dashboard monitoring improvements, administrators are able to respond more quickly to network security vulnerabilities and network bandwidth issues. Administrators can see what websites their employees are accessing, what applications and services are being used in their networks and to what extent, in order to police content transmitted in and out of their organizations. The Dell SonicWALL Visualization Dashboard offers administrators an effective and efficient interface to visually monitor their network in real time, providing effective flow charts of real-time data, customizable rules, and flexible interface settings. With the Visualization Dashboard, administrators can efficiently view and sort real-time network and bandwidth data in order to: Identify applications and websites with high bandwidth demands View application usage on a per-user basis Anticipate attacks and threats encountered by the network Multi-Core Monitor The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of a single Dell SonicWALL SuperMassive or a High-Availability cluster. To maximize processor flexibility, functions are not dedicated to specific cores; instead all cores can process all data plane tasks. Memory is shared across all cores. Each core can process a separate flow simultaneously, allowing for up to 32 flows to be processed in parallel, depending on the appliance model. On the Multi-Core Monitor, the core allocated for the control plane is displayed in green, and the remaining cores allocated for the data plane are displayed in blue. On the SuperMassive 9000 Series, core 1 handles the control plane, and the remaining cores handle the data plane. 3

4 Real-Time Monitor The Real-Time Monitor provides administrators an inclusive, multi-functional display with information about applications, bandwidth usage, packet rate, packet size, connection rate, connection count, multi-core monitoring, and memory usage. Applications Monitor: The Applications data flow provides a visual representation of the current applications accessing the network. Ingress and Egress Bandwidth Flow Monitor: The Ingress and Egress Bandwidth data flow provides a visual representation of incoming and outgoing bandwidth traffic. The current percentage of total bandwidth used, average flow of bandwidth traffic, and the minimum and maximum amount of traffic that has gone through each interface is available in the display. Packet Rate Monitor: The Packet Rate Monitor provides the administrator with information on the ingress and egress packet rate in kilo-packet per second (KPps). Packet Size Monitor: The Packet Size Monitor provides the administrator with information on the ingress and egress packet rate in kilobytes per second (KB). Connection Rate Monitor: The Connection Rate Monitor provides the administrator with information on the number of connections per second (Cps). Connection Count Monitor: The Connection Count data flow provides the administrator a visual representation of current total number of connections, peak number of connections, and maximum. In this example, the y-axis displays the total number of connections from 0C (zero connections) to 1KC (one kilo connections). Multi-Core Monitor: The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the Dell SonicWALL SuperMassive. 4

5 AppFlow Monitor AppFlow Monitor provides administrators with real-time, incoming and outgoing network data. Various views and customizable options in the AppFlow Monitor interface assist in visualizing the traffic data by applications, users, URLs, initiators, responders, threats, VoIP, VPN, devices, or by contents. Application Intelligence + Control This feature has two components for more network security: (a) Identification: Identify applications and track user network behaviors in real-time. (b) Control: Allow/deny application and user traffic based on bandwidth limiting policies. Administrators can now more easily create network policy object-based control rules to filter network traffic flows based on: o o o Blocking signature-matching Applications, which are notoriously dangerous and difficult to enforce Viewing the real-time network activity of trusted Users and User Groups and guest services Matching Content-rated categories Network security administrators now have application-level, user-level, and content-level real-time visibility into the traffic flowing through their networks. Administrators can take immediate action to re-traffic engineer their networks, and quickly identify Web usage abuse, and protect their organizations from infiltration by malware. Administrators can limit access to bandwidth-hogging websites and applications, reserve higher priority to critical applications and services, and prevent sensitive data from escaping the Dell SonicWALL secured networks. 5

6 AppFlow Reports The Dashboard > AppFlow Reports page provides administrators with configurable scheduled reports by applications, viruses, intrusions, spyware, and URL rating. AppFlow Reports statistics enable network administrators to view a top-level aggregate report of what is going on in your network. This enables network administrators to answer the following questions with a quick glance: What are the top most used applications running in my network? Which applications in terms of total number of sessions and bytes consume my network bandwidth? Which applications have viruses, intrusions, and spyware? What website categories are my users visiting? The report data can be viewed from the point of the last system restart, since the system reset, or by defining a schedule range. The page also provides the ability to schedule a report sent by FTP or by . The following reports are currently supported: Applications Viruses Intrusions Spyware Location Botnets URL Rating NOTE: These features must be licensed and enabled in order to get a complete AppFlow report. To enable and configure this feature, go to the AppFlow > Flow Reporting page. 6

7 User Monitor The Dashboard > User Monitor page provides a quick and easy method to monitor the number of active users on the Dell SonicWALL security appliance. The tool provides several options for setting the scale of time over which user activity is displayed. The tool can display all users, only users who logged in through the web portal, or only users who logged in remotely through GVC or L2TP. BWM Monitor The Dashboard > BWM Monitor page displays per-interface bandwidth management for ingress and egress network traffic. The BWM monitor graphs are available for real-time, highest, high, medium high, medium, medium low, low and lowest ingress/egress policy settings. The view range is configurable in 60 seconds, 2 minutes, 5 minutes, and 10 minutes (default). The refresh interval rate is configurable from 3 to 30 seconds. The bandwidth management priority is depicted by guaranteed, maximum, and dropped. 7

8 Connection Monitor The Dashboard > Connection Monitor page displays details on all active connections to the Dell SonicWALL SuperMassive. You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Source Port, Destination Port, Source Interface, Destination Interface, and Protocol. Export the list of active connections to a file. Click Export Results, and select if you want the results exported to a plain text file, or a Comma Separated Value (CSV) file for importing to a spreadsheet, reporting tool, or database. 8

9 AppFlow Server The new AppFlow > AppFlow Server page provides the ability to configure an external collector for AppFlow and real-time data reporting and analysis. Network administrators can configure a central AppFlow Server to support multiple SonicWALL security appliances. To configure an AppFlow Server, perform the following steps: 1. To automatically retrieve status updates on your AppFlow server, select the Enable Keep-Alive with AppFlow Server checkbox. 2. In the AppFlow Server Address field, enter the IP address. 3. In the Source IP to use over VPN Tunnel field, enter the IP address reachable through a VPN tunnel. 4. In the AppFlow Server Max Flows field, enter the maximum number of flows stored in a single database file. 5. In the Server Communication Timeout field, enter the number of seconds to wait to receive a response from the AppFlow server for AppFlow Monitor data. The range accepted is between 60 to 180 seconds. 6. Enter the name of your Dell SonicWALL security appliance. This name must be unique if more than one Dell SonicWALL security appliance is used with a single AppFlow server. 7. In the Connection Passphrase field, enter the password for your AppFlow Server to respond to the Dell SonicWALL security appliance. 8. Select the Auto-Synchronize AppFlow Server checkbox. This will enable the Dell SonicWALL security appliance to send static flows to the AppFlow Server each time the Dell SonicWALL security appliance is rebooted. 9. Click the Test Connectivity button. This starts a hello packet transmission to the AppFlow Server. If the AppFlow Server responds, a green status message displays Up. If the Dell SonicWALL security appliance is registered on mysonicwall.com, a green status message displays Registered. A time stamp displays the 9

10 last time the Dell SonicWALL security appliance sent a hello packet and received an acknowledgment hello packet back from the AppFlow Server. 10. Click the Synchronize Server button. The Dell SonicWALL security appliance will start sending static flows to the AppFlow Server. 11. In the Discovered Servers section, the Discovery button displays all the AppFlow Servers directly connected to your Dell SonicWALL security appliance. In the Action column, click the Select button to autofill AppFlow Server IP address and settings information as the selected AppFlow Server for your Dell SonicWALL security appliance. The Flush All and Flush buttons clear the discovery list. Once AppFlow Server is configured and UP and registered, the appliance can use the AppFlow server for AppFlow Monitor and Real-Time Monitor pages. This is configured on the AppFlow > Flow Reporting page by selecting AppFlow Server for the Enable Flow Reporting and Visualization type. App Control Policy Configuration Using App Flow Monitor The Dashboard > App Flow Monitor page now provides a Create Rule button that allows the administrator to quickly configure App Rules policies for application blocking, bandwidth management, or packet monitoring. First, select the checkbox next to the item in the list for which you want to create a rule, and then click Create Rule. After you click Create Rule and select the options in the Create Rule popup, the new policy appears on the Firewall > App Rules page. Application Usage and Risk Report The Sonic OS Application Usage and Risk Report feature provides downloadable reports from the Dashboard > App Flow Monitor page. It uses as input the combined results of Dell SonicWALL Application Intelligence and Control, and Application Visualization to create a detailed application report based on your network traffic. The Dell SonicWALL Application Intelligence and Control feature allows administrators to maintain granular control of applications and users by creating bandwidth management and other policies based on local pre-defined categories, individual applications or signatures, users and groups, or custom match objects. With the Application 10

11 Visualization feature, administrators are able to view real-time graphs of applications, ingress and egress bandwidth, websites visited, and all user activity. Administrators are able to adjust network policies based on these critical observations. The SonicOS Application Usage and Risk Report combines the results of these two features in a downloadable report that provides the following information: Identify vulnerabilities detected List high-risk applications and protocols Present traffic distribution statistics by geographic location, URL category and traffic type Highlight the top 25 high-risk applications found Highlight the top 25 high-bandwidth applications found An example of the Top URL Categories in Use section of the report is shown below: IPFIX and NetFlow Reporting This feature enables administrators to gain visibility into traffic flows and volume through their networks, helping them with tracking, auditing and billing operations. This feature provides standards-based support for NetFlow Reporting and IPFIX. The data exported through IPFIX contains information about network flows such as applications, users, and URLs extracted through Application Intelligence, along with standard attributes such as source/destination IP address (includes support for IPv6 networks), source/destination port, IP protocol, ingress/egress interface, sequence number, timestamp, number of bytes/packets, and more. 11

12 Global BWM Ease of Use Enhancements Global Bandwidth Management improves ease of use for bandwidth management (BWM) configuration, and increases throughput performance of managed packets for ingress and egress traffic on all interfaces, not just WAN. The Firewall Settings > BWM page allows network administrators to specify guaranteed minimum bandwidth, maximum bandwidth, and control the number of different priority levels for traffic. These global settings are used in firewall access rules and application control policies. Global BWM provides: Simple bandwidth management on all interfaces. Bandwidth management of both ingress and egress traffic. Support for specifying bandwidth management priority per firewall rules and application control rules. Default bandwidth management queue for all traffic. Support for applying bandwidth management directly from the Dashboard > App Flow Monitor page. Global bandwidth management provides 8 priority queues, which can be applied to each physical interface. You can select either Global or None as the Bandwidth Management Type. In the global priority queue table, you can configure the Guaranteed and Maximum\Burst rates for each Priority queue. The rates are specified as a percentage. The actual rate is determined dynamically while applying BWM on an interface. The configured bandwidth on an interface is used in calculating the absolute value. The sum of all guaranteed bandwidth must not exceed 100%, and guaranteed bandwidth must not be greater than maximum bandwidth per queue. 12

13 Per interface bandwidth is configured for both ingress and egress directions from the Network > Interfaces page: Per Firewall Rule bandwidth settings are configured in the rule configuration screens available from the Firewall > Access Rules page, by enabling the direction in which to apply the bandwidth management, and setting the priority queue. 13

14 You can select Global BWM actions when configuring App Rules policies for application control: On the Firewall > Action Objects page, you can configure custom bandwidth management actions. When Global BWM is enabled, the global guaranteed and maximum bandwidth settings are used, but you can select the priority. If a selected priority is not enabled, the default enabled priority will be used. 14

15 Networking Enhancements Release Notes Wire Mode (2-Port Wire) Wire Mode is a deployment option where the Dell SonicWALL appliance can be deployed as a Bump in the Wire. It provides a least-intrusive way to deploy the appliance in a network. Wire Mode is very well suited for deploying behind a pre-existing Stateful Packet Inspection (SPI) Firewall. Wire Mode is a simplified form of Layer 2 Bridge Mode. A Wire Mode interface does not take any IP address and it is typically configured as a bridge between a pair of interfaces. None of the packets received on a Wire Mode interface are destined to the firewall, but are only bridged to the other interface. Wire Mode can be configured with the following Wire Mode Types: Bypass (via Internal Switch / Relay) - Bypass Mode allows for the quick and relatively non-interruptive introduction of SuperMassive Series hardware into a network. Upon selecting a point of insertion into a network (e.g. between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains) the SuperMassive is inserted into the physical data path, requiring a very short maintenance window. One or more pairs of switch ports on the SuperMassive are used to forward all packets across segments at full line rates, with all the packets remaining on the SuperMassive s 240Gbps switch fabric rather than getting passed up to the multi-core inspection and enforcement path. While Bypass Mode does not offer any inspection or firewalling, this mode allows the administrator to physically introduce the SuperMassive into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure. The administrator can then transition from Bypass Mode to Inspect or Secure Mode instantaneously through a simple user-interface driven reconfiguration. Bypass Mode can be configured between a pair of interfaces. All traffic received is bridged to the paired interface. There is no SPI or Deep Packet Inspection (DPI) processing of traffic in this mode. There is no Application Visibility or Control in Bypass Mode. Inspect (Passive DPI of Mirror Traffic) - Inspect Mode extends Bypass Mode without functionally altering the low-risk, zero-latency packet path. Packets continue to pass through the SuperMassive s switch fabric, but they are also mirrored to the multicore RF-DPI engine for the purposes of passive inspection, classification, and flow reporting. This reveals the SuperMassive s Application Intelligence and threat detection capabilities without any actual intermediate processing. Inspect Mode can be configured for a single interface. All traffic received is never sent out of the firewall, but the firewall performs full SPI and DPI processing. There is full Application Visibility, but no Application Control in Inspect Mode. Typically, a mirror port is set up on the switch to mirror the network traffic to the firewall. Secure (Active DPI of Inline Traffic) - Secure Mode is the progression of Inspect Mode, actively interposing the SuperMassive s multi-core processors into the packet processing path. This unleashes the inspection and policy engines full-set of capabilities, including Application Intelligence and Control, Intrusion Prevention Services, Gateway and Cloud-based Anti-Virus, Anti- Spyware, and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridge mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode thus provides an incrementally attainable NGFW deployment requiring no logical and only minimal physical changes to existing network designs. Secure Mode can be configured between a pair of interfaces. All traffic received is fully processed by the firewall. There is full Application Visibility and Control in Secure Mode. 15

16 Wire Mode is available as an additional option under the IP Assignment pull-down menu. Wire Mode is only available for interfaces in the LAN zone: In the Paired Interface drop-down menu, select the interface that will connect to the upstream firewall. The paired interfaces must be of the same type (two 1 GB interfaces or two 10 GB interfaces). In the Paired Interface Zone drop-down menu, select the destination zone. Access rules are applied to the Wire Mode pair based on the direction of traffic between the source Zone and its Paired Interface Zone. For example, if the source Zone is WAN and the Paired Interface Zone is LAN, then WAN to LAN and LAN to WAN rules are applied, depending on the direction of the traffic. Tap Mode (1-Port Tap) Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream using a single switch port on the SuperMassive, eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Similar to Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps. Tap Mode is configured for a specific interface from the Network > Interfaces page. 16

17 BGP Advanced Routing Border Gateway Protocol (BGP) advanced routing is a large-scale routing protocol used to communicate routing information between Autonomous Systems (AS s), which are well-defined, separately administered network domains. BGP support allows for Dell SonicWALL security appliances to provide BGP functionality at the edge of a network's AS. The current Dell SonicWALL implementation of BGP is most appropriate for "single-provider / single-homed" environments, where the network uses one ISP as their Internet provider and has a single connection to that provider. Dell SonicWALL BGP is also capable of supporting "single-provider / multi-homed" environments, where the network uses a single ISP but has a small number of separate routes to the provider. Because BGP transmits packets in the clear, SonicOS supports using an IPsec tunnel for secure BGP sessions. The IPsec tunnel is configured independently within the VPN configuration section of the SonicOS Web-based management interface, while BGP is enabled on the Network > Routing page and then configured on the SonicOS Command Line Interface. High Availability Active-Active Clustering Active/Active Clustering is the most recent addition to the High Availability feature set in SonicOS. A typical Active/Active Clustering deployment includes four firewalls of the same Dell SonicWALL model configured as two Cluster Nodes, where each node consists of one Stateful High Availability pair. For larger deployments, the cluster can include eight firewalls, configured as four Cluster Nodes. With Active/Active Clustering, you can assign certain traffic flows to each node in the cluster, providing load sharing in addition to redundancy, and supporting a much higher throughput without a single point of failure. Earlier High Availability features, such as Stateful Synchronization and Active/Active DPI (previously called Active/Active UTM), continue to be supported and are recommended for use in conjunction with Active/Active Clustering. High Availability Active-Active Clustering Full-Mesh Redundancy Active/Active Clustering Full-Mesh configuration is an enhancement to the Active/Active Clustering configuration option and prevents any single point of failure in the network. All firewall and other network devices are partnered for complete redundancy. Full-Mesh ensures that there is no single point of failure in your deployment, whether it is a device (firewall/switch/router) or a link. Every device is wired twice to the connected devices. Active/Active Clustering with Full-Mesh provides the highest level of availability possible with high performance. Link Aggregation Link Aggregation provides the ability to group multiple Ethernet interfaces to form a trunk which looks and acts like a single physical interface. SonicOS 6.1 supports Static Link Aggregation, in which the two ends of the trunk have the same configuration. Up to 4 ports can be grouped to form a single aggregate link. If any of the ports fail, SonicOS continues to pass traffic (at a diminished throughput) while there is at least one active interface. Link Aggregation is useful in deployments requiring more than 1 Gbps throughput for traffic flowing between two interfaces. This feature is available on all Dell SonicWALL SuperMassive appliances. Port Redundancy Port Redundancy provides the ability to configure a second, redundant, physical interface for any Ethernet interface on a Dell SonicWALL SuperMassive appliance. When the primary interface is active, it handles all traffic to and from the interface. If the primary interface fails, the backup interface takes over and handles all incoming and outgoing traffic. When the primary interface comes up again, it takes over all the traffic handling duties from the backup interface. This is very useful in high end deployments to avoid a single point of failure, such as the connection to a switch. With Port Redundancy, a second interface can be connected to the same or another switch to provide an alternate path for the traffic. 17

18 User Management Enhancements Release Notes LDAP User Group Mirroring LDAP User Group Mirroring provides the ability to manage LDAP User Groups only on the LDAP server without needing to do any duplication of that on the SonicWALL appliance. The groups and group-group memberships will be periodically read from the LDAP server via the existing import mechanism and local user groups will be created to mirror them. The name of the local user group that is auto-created to mirror one on the LDAP server will include the domain where the group is located, formatted This will ensure that we have a unique user group name when mirroring user groups from multiple domains. The following will apply for these auto-created mirror user groups: They will not be user-deletable, and the group name and comment will not be editable (the latter will show as Mirrored from LDAP ). The appliance administrator will be able to add local users to them as members, but will not be able to add any member groups (member groups can only be set on the LDAP server). They will allow setting VPN client access networks, CFS policy, SSLVPN bookmarks and other settings as per other user groups. They will be selectable in access rules, App rules, IPS policies, etc. If a user group is deleted on the LDAP server its mirror group will be automatically deleted if it is not being used by anything, but it will not be deleted if it has been set in any access rules, App rules, IPS policies, etc. On disabling LDAP user group mirroring the local mirror user groups will not be deleted, but they will be changed to be user-deletable. If it is subsequently re-enabled then they will be changed back. If a mirrored group name matches a user-created (non-mirrored) local user group the latter will not get replaced, but its group memberships will get updated to reflect any group nestings set on the LDAP server. If a user group name is found on the LDAP server with a name that matches one of the default user groups on the Dell SonicWALL SuperMassive appliance, then no local mirror user group will be created for it. Instead the memberships in that default user group will be updated to reflect any user group nestings present in the group read from LDAP. For backwards compatibility with local user groups created pre-user group mirroring, when setting memberships on login, if a local user group exists with a simple name (no domain component) that matches the LDAP user group name, the user will be given membership to that group as well as to the mirror group. For example, if a user is a member of Group1 in somedomain.com then there will be a mirror user group named Group1@somedomain.com which the user will get membership to. If a local user group named Group1 also exists then the user will get membership to that too. LDAP Primary Group Attribute To allow Domain Users to be used when configuring policies, membership of the Domain Users group can be looked up via an LDAP "Primary group" attribute, and SonicOS 6.1 provides a new attribute setting in the LDAP schema configuration for using this feature. 18

19 LDAP Group Membership by Organizational Unit The LDAP Group Membership by Organizational Unit feature provides the ability to set LDAP rules and policies for the users who are located in certain Organizational Units (OUs) on the LDAP server. This is accomplished through the new "Set membership for LDAP users at/under location" setting in local user groups. When a user logs in or is authenticated via SSO and user groups are being set via LDAP, when the user object is found on the LDAP server the user will be made a member of any such groups that its location matches. It will now be possible to set any local user group, including the default user groups (apart from Everyone or Trusted Users) as one whose member users are set from their location in the LDAP directory tree, and to configure the location in the group object. When groups are configured this way: When a user's group memberships are looked up via LDAP during login or after SSO authentication, their location in the LDAP tree is learned. That will now be checked against any local user groups set this way. If it matches any then the user will be set as a member of those groups for the login session. On login success or failure, the event log will now include the user s distinguished name in the notes when that has been learned from LDAP. This is to help with troubleshooting should a user fail to get memberships of these groups as expected. Auto-Configuration of URLs to Bypass User Authentication SonicOS 6.1 introduces a new auto-configuration utility to temporarily allow traffic from a single, specified IP address to bypass authentication. The destinations that traffic accesses are then recorded and used to allow that traffic to bypass user authentication. Typically this is used to allow traffic such as anti-virus updates and Windows updates. To use this feature, navigate to Users > Settings and click the Auto-configure button in the Other Global User Settings section. NTLM Authentication with Mozilla Browsers As an enhancement to Single Sign-On, SonicOS can now use NTLM authentication to identify users who are browsing using Mozilla-based browsers (including Internet Explorer, Firefox, Chrome and Safari). NTLM is part of a browser authentication suite known as Integrated Windows Security and should be supported by all Mozilla-based browsers. It allows a direct authentication request from the Dell SonicWALL appliance to the browser with no SSO agent involvement. NTLM authentication works with browsers on Windows, Linux and Mac OS, and provides a mechanism to achieve Single Sign-On with Linux and Mac OS that are not able to interoperate with the SSO agent. SSL VPN NetExtender Update This enhancement supports password change capability for SSL VPN users, along with various fixes. When the password expires, the user is prompted to change it when logging in via the NetExtender client or SSL VPN portal. It is supported for both local users and remote users (RADIUS and LDAP). Enhanced Connection Limiting Connection Limiting enhancements expand the original Connection Limiting feature which provided global control of the number of connections for each IP address. This enhancement is designed to increase the granularity of this kind of control so that the SonicOS administrator can configure connection limitation more flexibly. Connection Limiting uses Firewall Access Rules and Policies to allow the administrator to choose which IP address, which service, and which traffic direction when configuring connection limiting. 19

20 Current Users and Detail of Users Options for TSR SonicOS 6.1 provides two new checkboxes, Current users and Detail of users, in the Tech Support Report section of the System > Diagnostics page. These options allow the currently connected users to be omitted from the TSR, included as a simple summary list, or included with full details. The options work together to provide different levels of user information in the TSR, as described in the following matrix: Current users Selected Current users Not Selected Detail of users Selected The TSR includes a list of all currently logged in users, including local and remote users no matter how they were authenticated, and gives 8 to 9 lines of detailed information on each user. The information varies according to the type of user, but includes things like timers, privileges, management mode if managing, group memberships, CFS policies, and VPN client networks. No information about current users is included in the TSR. Detail of users Not Selected The TSR includes the list of current users, but with just one line of summary information for each user. This includes the IP address, user name, type of user and, for administrative users who are currently managing, their management mode. For example: Users currently connected: : Web user admin logged in (managing in Config mode) : Auto user Administrator (SD80\Administrator) auto logged in No information about current users is included in the TSR. 20

21 Security Services Enhancements Release Notes One-Touch Configuration The One-Touch configuration helper resides on the System > Settings page and allows for automatic setting of a number of security features based on the deployment profile chosen. Using the One-Touch DPI and Stateful Firewall high security applies the following configurations to the system. Note: A system restart is required for the updates to take full effect. SonicOS Setting System > Administration One-Touch Configuration Password must be changed every 90 days Bar repeated password changes for 4 changes Enforce password complexity: Require alphabetic, numeric and symbolic characters Apply the above password constraints for: all user categories Enable administrator/user lockout Failed Login attempts per minute before lockout: 7 Enable inter-administrator messaging Inter-administrator Messaging polling interval (seconds): 10 Network > Interfaces Network > Zones Network > DNS Firewall > Access Rules Firewall > App Rules Any interface allowing HTTP management is replaced with HTTPS Management Any setting to 'Add rule to enable redirect from HTTP to HTTPS' is disabled Ping Management is disabled on all interfaces Intrusion Prevention is enabled on all applicable default Zones Gateway Anti-Virus protection is enabled on all applicable default Zones Anti-Spyware protection is enabled on all applicable default Zones App Rules is enabled on all applicable default Zones SSL Control is enabled on all default Zones Enable DNS Rebinding protection DNS Rebinding Action: Log Attack & Drop DNS Reply Any Firewall policy with an Action of Deny, the Action is changed Discard Source IP Address connection limiting with a threshold of 128 connections is enabled for all firewall policies If licensed, the Enable App Rules setting is turned on 21

22 Firewall Settings > Advanced Firewall Settings > Flood Protection Firewall Settings > Flood Protection VPN > Advanced Security Services > Gateway Anti-Virus Security Services > Intrusion Prevention Turn on Enable Stealth Mode Turn on Randomize IP ID Turn off Decrement IP TTL for forwarded traffic Turn on Never generate ICMP Time-Exceeded packets Connections are set to: Recommended for normal deployments with DPI services enabled Turn on Enable IP header checksum enforcement Turn on Enable UDP checksum enforcement Turn on Enforce strict TCP compliance with RFC 793 and RFC 1122 Turn on Enable TCP handshake enforcement Turn on Enable TCP checksum enforcement Turn on Enable TCP handshake timeout SYN Flood Protection Mode: Always proxy WAN client connections Turn on Enable SSL Control Set Action to: Block connection and log the event For Configuration, enable all categories Turn on Enable IKE Dead Peer Detection Turn on Enable Dead Peer Detection for Idle VPN sessions Turn on Enable Fragmented Packet Handling Turn on Ignore DF (Don t Fragment) Bit Turn on Enable NAT Traversal Turn on Clean up Active tunnels when Peer Gateway DNS name resolves to a different address Turn on Preserve IKE port for Pass Through Connections If licensed, Enable Gateway Antivirus Configure Gateway AV Settings: Turn on Disable SMTP Responses Configure Gateway AV Settings: Turn off Disable detection of EICAR test virus Configure Gateway AV Settings: Turn on Enable HTTP Byte- Range requests with Gateway AV Configure Gateway AV Settings: Turn on Enable FTP REST request with Gateway AV Configure Gateway AV Settings: Turn off Do not scan parts of files with high compression ratios Configure Gateway AV Settings: Turn off Disable HTTP Clientless Notification Alerts If licensed, Enable IPS Turn on Prevent All and Detect All for High Priority Attacks Turn on Prevent All and Detect All for Medium Priority Attacks Turn on Prevent All and Detect All for Low Priority Attacks 22

23 Security Services > Anti-Spyware AppFlow > Flow Reporting Log > Categories Log > Name Resolution Internal Settings If licensed, Enable Anti-Spyware Turn on Prevent All and Detect All for High Priority Attacks Turn on Prevent All and Detect All for Medium Priority Attacks Turn on Prevent All and Detect All for Low Priority Attacks Configure Anti-Spyware Settings: Turn on Disable SMTP Responses Configure Anti-Spyware Settings: Turn off Disable HTTP Clientless Notification Alerts Turn on Enable Flow Reporting and Visualization Set Logging Level: Debug Set Alert Level: Warning Set Name Resolution Method to: DNS then NetBIOS Turn on Protect against TCP State Manipulation DoS Turn on Apply IPS Signatures Bidirectionally Enable ability to launch monitor pages in stand-alone browser frames Enable Visualization UI for Non-Admin/Config users Content Filtering Enhancements The CFS enhancements provide policy management of network traffic based on Application usage, User activity, and Content type. Administrators are now able to create multiple CFS policies per user group and set restrictive Bandwidth Management Policies based on CFS categories. Reassembly-Free Regular Expressions for DPI Engine Dell SonicWALL has added reassembly-free regular expression functionality to the SonicWALL Reassembly-Free Deep Packet Inspection (RF-DPI) engine. This proprietary implementation of regular expression matching does not require any buffering of the input content and works across packet boundaries. Users can now apply regular expressions to match objects in App Rules and use them across all currently supported application protocols and policy types. SonicWALL supports Perl-compatible regular expressions syntax. A few typical regular expression features are not supported in this release: Back-references are not supported, as they cannot be performed in linear time with respect to the network packet length. SonicOS does not provide substitution or translation functionality, since regular expressions are used only for inspection of network traffic not for modifying any part of the traffic. 23

24 UDP and ICMP Flood Protection UDP and ICMP Flood attacks are two types of denial-of-service (DoS) attacks. These can be initiated by sending a large number of UDP or ICMP (ping) packets to random ports on a remote host. The UDP and ICMP Flood Protection feature defends against these attacks by monitoring UDP and ICMP traffic that passes through the appliance for UDP and ICMP Flood attacks. UDP and ICMP Flood Protection are configured on the Firewall Settings > Flood Protection page: Enable UDP (or ICMP) Flood Protection Enables or disables UDP or ICMP Flood Protection. UDP (or ICMP) Flood Attack Threshold Specifies the maximum number of allowed UDP or ICMP packets per second that can be sent to a Host, Range, or Subnet. UDP (or ICMP) Flood Attack Blocking Time Specifies the time to block UDP or ICMP traffic after detecting a flood attack, in the unit of second. UDP (or ICMP) Flood Attack Protected Destination List Specifies the destination addresses list which will be protected from UDP or ICMP Flood Attack. Default UDP Connection Timeout Moved to the Flood Protection page to be consistent with TCP settings. Deep Packet Inspection of SSL Encrypted Data (DPI-SSL) DPI-SSL provides the ability to transparently decrypt HTTPS and other SSL-based traffic, scan it for threats using Dell SonicWALL s Deep Packet Inspection technology, then re-encrypt (or optionally SSL-offload) the traffic and send it to its destination if no threats or vulnerabilities are found. This feature works for both client and server deployments. It provides additional security, application control, and data leakage prevention functionality for analyzing encrypted HTTPS and other SSL-based traffic. The following security services and features are capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Control, Packet Monitor and Packet Mirror. Gateway Anti-Virus Enhancements (Cloud GAV) The Cloud Gateway Anti-Virus feature introduces an advanced malware scanning solution that compliments and extends the existing Gateway AV scanning mechanisms present on Dell SonicWALL firewalls to counter the continued growth in the number of malware samples in the wild. Cloud Gateway Anti-Virus expands the Reassembly-Free Deep Packet Inspection engine capabilities by consulting with the data center based malware analysis servers. This approach keeps the foundation of RFDPI-based malware detection by providing a lowlatency, real-time solution that is capable of scanning unlimited numbers of files of unlimited size on all protocols that are presently supported without adding any significant incremental processing overhead to the appliances themselves. With this additional layer of security, Dell SonicWALL s Next Generation Firewalls are able to extend their current protection to cover multiple millions of pieces of malware. 24

25 General Enhancements NTP Authentication When adding a Network Time Protocol server, the Add NTP Server dialog box provides a field to specify the NTP authentication type, such as MD5. Fields are also available to specify the trust key ID, the key number and the password. DHCP Scalability Enhancements The DHCP server in Dell SonicWALL appliances has been enhanced to provide between 2 to 4 times the number of leases previously supported. To enhance the security of the DHCP infrastructure, the SonicOS DHCP server now provides server side conflict detection to ensure that no other device on the network is using the assigned IP address. Conflict detection is performed asynchronously to avoid delays when obtaining an address. SIP Application Layer Gateway Enhancements SonicOS 6.1 provides SIP operational and scalability enhancements. The SIP feature-set remains equivalent to previous SonicOS releases, but provides drastically improved reliability and performance. The SIP Settings section under the VoIP > Settings page is unchanged. SIP ALG support has existed within SonicOS firmware since very early versions on legacy platforms. Changes to SIP ALG have been added over time to support optimized media between phones, SIP Back-to-Back User Agent (B2BUA), additional equipment vendors, and operation on a multi-core system. The SIP protocol is now in a position of business critical importance protecting the voice infrastructure, including VoIP. To accommodate the demands of this modern voice infrastructure, SIP ALG enhancements include the following: SIP Endpoint Information Database The algorithm for maintaining the state information for known endpoints is redesigned to use a database for improved performance and scalability. Endpoint information is no longer tied to the user ID, allowing multiple user IDs to be associated with a single endpoint. Endpoint database access is flexible and efficient, with indexing by NAT policy as well as by endpoint IP address and port. Automatically Added SIP Endpoints User-configured endpoints are automatically added to the database based on user-configured NAT policies, providing improved performance and ensuring correct mappings, as these endpoints are pre-populated rather than learned. SIP Call Database A call database for maintaining information about calls in progress is implemented, providing improved performance and scalability to allow SonicOS to handle a much greater number of simultaneous calls. Call database entries can be associated with multiple calls. B2BUA Support Enhancements SIP Back-to-Back User Agent support is more efficient with various algorithm improvements. Connection Cache Improvements Much of the data previously held in the connection cache is offloaded to either the endpoint database or the call database, resulting in more efficient data access and corollary performance increase. Graceful Shutdown Allows SIP Transformations to be disabled without requiring the firewall to be restarted or waiting for existing SIP endpoint and call state information to time out. 25

26 Enhanced CLI SonicOS 6.1 introduces a new, more-robust, enterprise-level Command Line Interface (CLI). The CLI can be accessed via the console and SSH. The new CLI is designed to follow the organization of the SonicOS management GUI. For example, the user related commands are categorized as follows: Commands for user authentication settings These are commands to do with managing settings governing user authentication and maintenance of user sessions, as per settings on the Users / Settings page in the management GUI. Commands for local users and user groups These are commands to do with users and user groups in the appliance s local database, as per settings on the Users / Local Users and Local Groups pages in the management GUI. Commands for displaying user status These are commands to do with displaying information on current user sessions etc., equivalent to the information shown on the Users / Status page in the management GUI. Commands for guest services These are commands to do with configuring guest services, as per settings on the Users / Guest Services and Guest Accounts pages in the management GUI. Commands for displaying guest status These are commands to do with displaying information on current guest sessions, equivalent to the information shown on the Users / Guest Status page in the management GUI. Commands for user other authentication related features These are commands for configuring and displaying information about the following other features related to user authentication (RADIUS, LDAP, Single Sign On). 26

27 Known Issues Release Notes This section contains a list of known issues in the SonicOS release. Note: Current LCD functionality is limited to the display of the product name. DPI-SSL Symptom Condition / Workaround Issue DPI-SSL does not take effect for a wireless guest user. The certificate from the remote server is not rewritten using the designated certificate. Occurs when guest services are enabled on the WLAN zone and a guest user logs in and attempts to access a website using HTTPS, such as High Availability Symptom Condition / Workaround Issue The virtual IP address for a Stateful HA pair becomes unresponsive to ping or other access attempts, then the monitoring IP address becomes unresponsive, then a failover occurs and all IP addresses are responsive again. Active-Active Clustering Link interfaces are still assigned and cannot be removed after some nodes are removed from the cluster. The master node continues to own all other nodes in the original cluster. On a Stateful HA pair, gratuitous ARP packets are not sent during failback to the primary unit, causing transactions to fail until the ARP entry is deleted or timed out. Dynamic routes are not synchronized on the idle unit in a Stateful HA pair. Occurs when a configuration change, such as disabling port redundancy, is made to the X4 interface of the active firewall. The change is synchronized to the idle firewall, but the virtual IP address becomes unresponsive. X4 is configured as the WAN interface and is assigned the virtual IP address, as well as distinct monitoring IP addresses on each firewall in the HA pair. Physical/link monitoring and logical monitoring are both enabled on X4. Occurs when Active-Active Clustering is configured using 4 nodes, all Active-Active Clustering Links are configured, and then two nodes are deleted from the cluster. The interfaces all show an Active- Active Clustering Link, even though the HA > Setting page shows only 2 links left that can be configured. Occurs when Preempt Mode is enabled and the primary unit is restarted. A gratuitous ARP is seen before the secondary unit takes over, but not when the primary unit takes over again. Occurs when using Advanced Routing, with OSPF and Redistribute Connected Networks enabled on a physical interface (X3) and on a router connected to the same hub used by X3. Routes advertised by OSPF appear in the routing table of the active unit, but the idle unit does not show dynamic routes in the SonicOS UI, TSR, or CLI