TechNote. Configuring SonicOS for Amazon VPC




Network Security SonicOS

Contents
Overview
System or Network Requirements / Prerequisites
Deployment Considerations
Configuring Amazon VPC with a Policy-Based VPN
Configuring Amazon VPC with a Dynamic Route-Based VPN
Configuring the VPC for Deployment in Elastic Compute Cloud
Glossary of Terms

Overview
This TechNote describes how to connect a Dell SonicWALL firewall to the Amazon Virtual Private Cloud (VPC) with either a static policy-based VPN or a dynamic (BGP) route-based VPN. SonicOS for Amazon VPC is a Network Security feature that lets a network administrator terminate an IPsec VPN from a Dell SonicWALL Security Appliance on a VPC in Amazon Web Services (AWS), Amazon's cloud computing platform for individuals and organizations of all sizes. The firewall stays on the customer side of the tunnel (AWS calls it the customer gateway); the AWS side is terminated by a Virtual Private Gateway attached to the VPC.

Two VPN types are supported by SonicOS, depending on the SonicOS release:

VPN Type                   Version of SonicOS
Static policy-based VPN    5.8.1.8 and higher; 5.9.0.0 and higher; 6.1.1.0 and higher
Dynamic route-based VPN    5.9.0.0 and higher

The following graphic shows a typical topology for connecting a Dell SonicWALL firewall to an AWS VPC. Amazon VPC offers failover capability to customers by providing two tunnels for each VPN connection the customer creates.

System or Network Requirements / Prerequisites
SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following versions of SonicOS:
- SonicOS 5.8.1.8 and higher
- SonicOS 5.9.0.0 and higher
- SonicOS 6.1.1.0 and higher

SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following Dell SonicWALL products running SonicOS 5.8 or 5.9:
- NSA 220 / 220W
- NSA 240
- NSA 2400
- NSA 250M / 250MW
- NSA 3500
- NSA 4500
- NSA 5000
- NSA E5500
- NSA E6500
- NSA E7500
- NSA E8500
- NSA E8510
- TZ 100 / 100 Wireless
- TZ 105 / 105 Wireless
- TZ 200 / 200 Wireless
- TZ 205 / 205 Wireless
- TZ 210 / 210 Wireless
- TZ 215 / 215 Wireless

SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following Dell SonicWALL products running SonicOS 6.1 or higher:
- NSA 2600
- NSA 3600
- NSA 4600
- NSA 5600
- NSA 6600
- SuperMassive 9200
- SuperMassive 9400
- SuperMassive 9600

Deployment Considerations
- No special license is needed, but you must have a current support contract to obtain SonicOS 5.8.1.8 (or a later release).
- The SonicWALL firewall for Amazon VPC is not supported on the NSA 2400MX.
- The SonicWALL firewall for Amazon VPC does not support a secondary customer VPN gateway on a secondary WAN interface in the same VPC. VPNs are deployed on one interface only in a single VPC.
- The SonicWALL firewall for Amazon VPC cannot be deployed behind a NAT device. Amazon's VPN service did not support NAT traversal when this note was written, so the WAN interface the VPN policy is bound to must itself hold the public IP address registered as the customer gateway.
- Some platforms may require an expanded license for BGP support, which a dynamic route-based VPN requires.

Configuring Amazon VPC with a Policy-Based VPN
To configure a policy-based VPN between the Dell SonicWALL firewall and the Amazon Virtual Private Cloud (VPC), perform the following tasks:

Amazon Web Services Configuration Tasks
1. Initializing the VPC
2. Creating the Subnet
3. Creating the Virtual Private Gateway
4. Attaching the Virtual Private Gateway to the VPC
5. Creating a Customer Gateway

SonicOS Configuration Tasks
1. Configuring the Tunnel Interface VPN Policy
2. Configuring a Static Route

Amazon Web Services Configuration Tasks
To create a Virtual Private Cloud on Amazon Web Services (AWS), perform the tasks in this section on the AWS portal.

Initializing the VPC
1. On your PC, from your browser, go to https://console.aws.amazon.com/console/home.
2. Go to Services > VPC. This takes you to the VPC home page.
3. In the left column, click Your VPCs.
4. Click the Create VPC button.
5. In the CIDR Block: box, enter the network address of the VPC. For example, enter 10.0.0.0/16. Choose a block that does not overlap any network behind the firewall; overlapping address space cannot be routed over the VPN.
6. Click the Yes, Create button.

Creating the Subnet
7. In the left column, click Subnets.
8. Click the Create Subnet button.
9. In the CIDR Block: box, enter the subnet address, a block inside the VPC CIDR. For example, enter 10.0.1.0/24.
10. Click the Yes, Create button.

Creating the Virtual Private Gateway
11. In the left column, click Virtual Private Gateways.
12. Click the Create Virtual Private Gateway button.
13. Click the Yes, Create button.

Attaching the Virtual Private Gateway to the VPC
14. Select the Virtual Private Gateway you just created.
15. Click the Attach to VPC button.
16. Select the VPC you created.
17. Click the Yes, Attach button.

Creating a Customer Gateway
18. In the left column, click Customer Gateways.
19. Click the Create Customer Gateway button.
20. In the Routing box, select Static.
21. In the IP Address box, enter the public WAN IP address of the SonicWALL appliance (the address of the interface the VPN policy will be bound to). For example, enter 192.0.2.1.
22. Click the Yes, Create button.

To create a VPN:
23. In the left column, click Route Tables.
24. Select the route table associated with the subnet you created.
25. In the next empty row of the route table, enter 0.0.0.0/0 in the Destination column and select the Virtual Private Gateway as the target. This default route sends every packet that does not match a more specific route, that is, everything outside the VPC, through the tunnel to the firewall. If instances in the subnet should reach the Internet by another path, enter only the on-premises prefix (for example 192.168.0.0/16) here instead.
26. Click the Add button.
27. In the left column, click VPN Connections.
28. Click the Create VPN Connection button.
29. In the Virtual Private Gateway list, select the Virtual Private Gateway you created.
30. In the Customer Gateway list, select the Customer Gateway you created.
31. Select the Use static routing option.
32. In the IP Prefix box, enter the prefix of the protected network behind the SonicWALL appliance. For example, 192.168.0.0/16. AWS forwards traffic into the tunnel only for the prefixes listed here.
33. Click the Yes, Create button.
34. Click the Static Routes tab to add more subnets.

To download the configuration text file for the Dell SonicWALL appliance's connection to the AWS VPC:
35. In the left column, click VPN Connections.
36. Select the VPN connection you created.
37. Click Download Configuration.
38. In the Vendor list, select Generic.
39. In the Platform list, select Generic.
40. In the Software list, select Vendor Agnostic.
41. Click the Yes, Download button.
42. Save the text file to your PC.

Open the text file you just downloaded from AWS. It lists, for each of the two tunnels AWS created for the VPN connection, the pre-shared key, the IKE and IPsec proposals, and the outside (public) address of the Virtual Private Gateway. Configure the tunnel interface VPN policy on your Dell SonicWALL Security Appliance from these values. The pre-shared keys are in clear text, so keep the file where only administrators can read it and delete it once the policy has been entered.

SonicOS Configuration Tasks
To connect the firewall to your AWS VPC, a VPN policy matching the downloaded AWS configuration must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface, bound to the physical WAN interface, from the firewall to the remote AWS gateway. The steps below use the values of the first tunnel in the AWS file; the second tunnel has its own gateway address and pre-shared key.

Configuring the Tunnel Interface VPN Policy
To configure a tunnel interface VPN policy:
1. In the SonicOS management interface on your Dell SonicWALL appliance, go to VPN > Settings.
2. Under VPN Policies, click the Add button.
3. Click the General tab.
4. In the Policy Type list, select Tunnel Interface.
5. In the Authentication Method list, select IKE using Preshared Secret.
6. In the Name box, type the name of your policy.
7. In the IPsec Primary Gateway Name or Address box, enter the outside IP address of the Amazon Virtual Private Gateway for the tunnel, as listed in the text file you downloaded from AWS.
8. In the IKE Authentication section, enter the Shared Secret (the Pre-Shared Key from the configuration text file you downloaded from VPC) and the remaining required fields.
9. Click the Proposals tab.
10. In the Exchange list, select Main Mode.
11. In the DH Group list, select the value that matches the Diffie-Hellman group in the AWS text file. For example, Group 2.
12. In the Encryption list, select the value that matches the encryption algorithm in the AWS text file. For example, AES-128.
13. In the Authentication list, select the value that matches the authentication algorithm in the AWS text file. For example, SHA1.
14. In the Life Time box, enter the lifetime (in seconds) from the AWS text file. For example, 28800.
Every proposal value must match the AWS file exactly; a mismatch in any one of them makes IKE negotiation fail. The example values above are what AWS generated at the time of writing.
15. Click the Advanced tab.
16. Select the Enable Keep Alive option (box should be checked), so the firewall brings the tunnel up and keeps it up instead of waiting for interesting traffic.
17. In the VPN Policy bound to list, select the WAN interface of the SonicWALL Security Appliance that holds the address registered as the customer gateway. For example, Interface X1.
18. Click OK.

Configuring a Static Route
To configure a static route:
19. In the SonicOS management interface on your Dell SonicWALL appliance, go to Network > Routing.
20. Under Route Policies, click the Add button.
21. In the Source list, select Any.
22. In the Destination list, select the address object for the protected subnet in the AWS VPC. For example, 10.0.1.0/24, the subnet created earlier. If it does not appear in the list, first create an Address Object for it (Network > Address Objects) and then return to this step.
23. In the Service list, select Any.
24. In the Gateway list, select Default Gateway.
25. In the Interface list, select the name of your VPN policy.
26. Select the Auto-add Access Rules option.
27. Click OK.
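The address plan behind the static design above is where most first attempts fail: the VPC CIDR, its subnets and the on-premises prefixes must not overlap, and the customer gateway address must be the firewall's own public WAN address (the Deployment Considerations say AWS does not accept a gateway behind NAT). The following is an added example, not SonicWALL or AWS code. It validates a plan built from the values used in this TechNote (10.0.0.0/16, 10.0.1.0/24, 192.168.0.0/16, 192.0.2.1) and derives the static routes each side needs; the function name, the returned field names and the default_via_vpn switch are this example's own.

```python
# Added example, not SonicWALL or AWS code. Validates the address plan of a static
# (AWS "static routing") VPN to a VPC and derives the routes each side needs.
import ipaddress

# Address space that can only sit behind NAT: RFC 1918 plus carrier-grade NAT (RFC 6598).
# Documentation addresses such as 192.0.2.1 are deliberately not in this list.
NAT_ONLY = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def plan_static_vpn(vpc_cidr, vpc_subnets, onprem_prefixes, cgw_wan_ip, policy_name,
                    default_via_vpn=False):
    """Return (routes, problems). `routes` holds what to enter in the AWS VPN connection's
    Static Routes tab, the VPC route table, and SonicOS Network > Routing; `problems` is
    empty when the plan is consistent. Field names are this example's own."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in vpc_subnets]
    onprem = [ipaddress.ip_network(p) for p in onprem_prefixes]
    problems = []
    # The customer gateway must be the firewall's own public address: the TechNote says
    # AWS VPN does not traverse NAT, so a NAT-only WAN address can never work.
    if any(ipaddress.ip_address(cgw_wan_ip) in n for n in NAT_ONLY):
        problems.append(f"customer gateway {cgw_wan_ip} is a NAT-only address; "
                        "the firewall cannot sit behind NAT")
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} is not inside the VPC CIDR {vpc}")
    for i, p in enumerate(onprem):
        if p.overlaps(vpc):  # overlapping space is routed locally in the VPC, never over the VPN
            problems.append(f"on-premises prefix {p} overlaps the VPC CIDR {vpc}")
        problems += [f"on-premises prefixes overlap: {p} and {q}"
                     for q in onprem[i + 1:] if p.overlaps(q)]
    routes = {
        # VPN connection > Static Routes tab (IP Prefix): the networks behind the firewall
        "aws_vpn_static_routes": [str(p) for p in onprem],
        # VPC route table: the TechNote's 0.0.0.0/0 via the VGW, or only the on-premises prefixes
        "vpc_route_table": ([("0.0.0.0/0", "vgw")] if default_via_vpn
                            else [(str(p), "vgw") for p in onprem]),
        # SonicOS Network > Routing: one route per VPC subnet through the VPN policy
        "sonicos_routes": [{"Source": "Any", "Destination": str(s), "Service": "Any",
                            "Gateway": "Default Gateway", "Interface": policy_name}
                           for s in subnets],
    }
    return routes, problems
```

An empty problems list is the precondition for entering anything into either console; every entry in it corresponds to a tunnel that would come up but carry no traffic.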

Configuring Amazon VPC with a Dynamic Route-Based VPN
To configure a dynamic route-based VPN between the Dell SonicWALL firewall and the Amazon Virtual Private Cloud (VPC), perform the following tasks:

Amazon Web Services Configuration Tasks
1. Initializing the VPC
2. Creating the Subnet
3. Creating the Virtual Private Gateway
4. Attaching the Virtual Private Gateway to the VPC
5. Creating a Customer Gateway

SonicOS Configuration Tasks
1. Configuring the Tunnel Interface VPN Policy
2. Configuring Routing

Amazon Web Services Configuration Tasks
To create a Virtual Private Cloud on Amazon Web Services (AWS), perform the tasks in this section on the AWS portal.

Initializing the VPC
1. On your PC, from your browser, go to https://console.aws.amazon.com/console/home.
2. Go to Services > VPC. This takes you to the VPC home page.
3. In the left column, click Your VPCs.
4. Click the Create VPC button.
5. In the CIDR Block: box, enter the network address of the VPC. For example, enter 10.0.0.0/16. Choose a block that does not overlap any network the firewall will advertise over BGP.
6. Click the Yes, Create button.

Creating the Subnet
7. In the left column, click Subnets.
8. Click the Create Subnet button.
9. In the CIDR Block: box, enter the subnet address, a block inside the VPC CIDR. For example, enter 10.0.1.0/24.
10. Click the Yes, Create button.

Creating the Virtual Private Gateway
11. In the left column, click Virtual Private Gateways.
12. Click the Create Virtual Private Gateway button.
13. Click the Yes, Create button.

Attaching the Virtual Private Gateway to the VPC
14. Select the Virtual Private Gateway you just created.
15. Click the Attach to VPC button.
16. Select the VPC you created.
17. Click the Yes, Attach button.

Creating a Customer Gateway
18. In the left column, click Customer Gateways.
19. Click the Create Customer Gateway button.
20. In the Routing box, select Dynamic.
21. In the BGP ASN text field, enter the BGP autonomous system number the firewall will use. A private ASN is normal here; the SonicOS CLI example later in this note uses 65011, and the same number must be entered on the firewall.
22. In the IP Address box, enter the public WAN IP address of the SonicWALL appliance (the address of the interface the VPN policy will be bound to). For example, enter 192.0.2.1.
23. Click the Yes, Create button.

To create a VPN:
24. In the left column, click Route Tables.
25. Select the route table associated with the subnet you created.
26. In the next empty row of the route table, enter 0.0.0.0/0 in the Destination column and select the Virtual Private Gateway as the target. This sends everything outside the VPC through the tunnel to the firewall. Alternatively, enable Route Propagation for the Virtual Private Gateway on this route table, so that the prefixes the firewall advertises over BGP are installed automatically instead of a hand-entered default route.
27. Click the Add button.
28. In the left column, click VPN Connections.
29. Click the Create VPN Connection button.
30. In the Virtual Private Gateway list, select the Virtual Private Gateway you created.
31. In the Customer Gateway list, select the Customer Gateway you created. Because that gateway was created with dynamic routing, the VPN connection uses BGP and the firewall's networks are learned over the tunnels rather than entered by hand.
32. In the IP Prefix box, if the dialog shows one, enter the prefix of the protected network behind the SonicWALL appliance. For example, 192.168.0.0/16.
33. Click the Dynamic Routes tab to see the prefixes learned from the firewall once BGP is up.

To download the configuration text file for the Dell SonicWALL appliance's connection to the AWS VPC:
34. In the left column, click VPN Connections.
35. Select the VPN connection you created.
36. Click Download Configuration.
37. In the Vendor list, select Generic.
38. In the Platform list, select Generic.
39. In the Software list, select Vendor Agnostic.
40. Click the Yes, Download button.
41. Save the text file to your PC.

Open the text file you just downloaded from AWS. It lists, for each of the two tunnels AWS created for the VPN connection, the pre-shared key, the IKE and IPsec proposals, the outside (public) address of the Virtual Private Gateway, the inside (link-local 169.254.x.x/30) addresses of both ends of the tunnel, and the BGP parameters (the Amazon ASN, the neighbor address and the hold time). Configure the tunnel interface VPN policies, tunnel interfaces and BGP on your Dell SonicWALL Security Appliance from these values. The pre-shared keys are in clear text, so keep the file where only administrators can read it and delete it once the configuration has been entered.

SonicOS Configuration Tasks
To connect the firewall to your AWS VPC, a VPN policy matching the downloaded AWS configuration must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface, bound to the physical WAN interface, from the firewall to the remote AWS gateway.

Note: AWS provisions two tunnels for every VPN connection and, with dynamic routing, expects the customer gateway to bring up both and run a BGP session over each. You therefore need two tunnel interface VPN policies and two tunnel interfaces, one per AWS tunnel, each with its own gateway address, pre-shared key, inside IP address and BGP neighbor. The steps below are written for one tunnel; repeat them with the second tunnel's values.

Configuring the Tunnel Interface VPN Policy
To configure a tunnel interface VPN policy:
1. In the SonicOS management interface on your Dell SonicWALL appliance, go to VPN > Settings.
2. Under VPN Policies, click the Add button.
3. Click the General tab.
4. In the Policy Type list, select Tunnel Interface.
5. In the Authentication Method list, select IKE using Preshared Secret.
6. In the Name box, type the name of your policy.
7. In the IPsec Primary Gateway Name or Address box, enter the outside IP address of the Amazon Virtual Private Gateway for this tunnel, as listed in the text file you downloaded from AWS.
8. In the IKE Authentication section, enter the Shared Secret (the Pre-Shared Key for this tunnel from the configuration text file you downloaded from VPC) and the remaining required fields.
9. Click the Proposals tab.
10. In the Exchange list, select Main Mode.
11. In the DH Group list, select the value that matches the Diffie-Hellman group in the AWS text file. For example, Group 2.
12. In the Encryption list, select the value that matches the encryption algorithm in the AWS text file. For example, AES-128.
13. In the Authentication list, select the value that matches the authentication algorithm in the AWS text file. For example, SHA1.
14. In the Life Time box, enter the lifetime (in seconds) from the AWS text file. For example, 28800.
Every proposal value must match the AWS file exactly; a mismatch in any one of them makes IKE negotiation fail. The example values above are what AWS generated at the time of writing.
15. Click the Advanced tab.
16. Select the Enable Keep Alive option (box should be checked), so the firewall brings the tunnel up and keeps it up; BGP cannot establish over a tunnel that is waiting for interesting traffic.
17. In the VPN Policy bound to list, select the WAN interface of the SonicWALL Security Appliance that holds the address registered as the customer gateway. For example, Interface X1.
18. Click OK.

Configure Routing
19. In the SonicOS management interface, navigate to the Network > Interfaces page.
20. Click the Add Interface drop-down menu, then select Tunnel Interface.
21. In the General tab, set the following:
    Zone: VPN
    VPN Policy: the VPN policy that was previously created
    IP Address: the inside IP address of the customer gateway for this tunnel, provided by Amazon in the text file
    Subnet Mask: the subnet mask provided by Amazon (the inside addresses are /30, that is, 255.255.255.252)
22. Click the OK button.
23. Navigate to the Network > Routing page.
24. In the Routing Mode drop-down menu, select Advanced Routing.
25. In the BGP drop-down menu, select Enable (configure with CLI).
26. Log in to the Dell SonicWALL firewall console command line interface (CLI).
27. Perform the following:
    Execute the conf command to enter the configuration mode.
    Execute the routing command to enter the routing configuration mode.
    Execute the bgp command to enter the bgp configuration mode.
    Execute the following commands:
        router bgp 65011
        network 192.168.168.0/24
        neighbor 169.254.253.5 remote-as 7224
        neighbor 169.254.253.5 timers 10 30
        neighbor 169.254.253.5 default-originate
        neighbor 169.254.253.5 soft-reconfiguration inbound

Note: 65011 is the BGP ASN you entered when creating the customer gateway, 192.168.168.0/24 is the network you want to publish to the Amazon VPC, 169.254.253.5 is the inside IP address of the Virtual Private Gateway for this tunnel (the BGP neighbor address in the AWS text file), and 7224 is the BGP ASN provided by Amazon. The timers (keepalive 10 seconds, hold time 30 seconds) match the hold time AWS specifies in the text file. default-originate advertises a default route (0.0.0.0/0) to the VPC, so instances there will send all non-VPC traffic to the firewall; omit it if you only want the listed network reachable through the tunnel. Add the same four neighbor lines again, under the same router bgp 65011 block, for the second tunnel's neighbor address.
28. After the firewall learns the route from the Amazon VPC (the VPC CIDR, 10.0.0.0/16 in this example, appears in the routing table), navigate to the Firewall > Access Rules page in the SonicOS management interface.
29. Add a firewall rule permitting the required traffic between the VPN zone and the internal zone. Note: the rule shown in the original is an example; change the options to match your deployment.
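Both the static and the dynamic procedures end the same way: read the values of each tunnel out of the AWS Generic / Vendor Agnostic download and type them into the tunnel interface policy, the tunnel interface and (for dynamic routing) the BGP CLI shown above. Transcribing those values by hand is where proposal mismatches, swapped inside addresses and reused pre-shared keys come from. The following is an added example, not SonicWALL or AWS code: it parses a file in the style of that download, maps each tunnel's values onto the SonicOS fields used in this note, generates the routing > bgp commands for both tunnels (one neighbor per tunnel under a single router bgp block, as the CLI above does for one) and runs the consistency checks a practitioner wants before touching the console. SAMPLE_CONFIG is constructed here for the example (documentation addresses, dummy pre-shared keys) and only approximates the AWS layout, so test the parser against a real download before relying on it; the function names and the dictionary keys are this example's own.

```python
# Added example, not SonicWALL or AWS code: parse the AWS "Generic / Vendor Agnostic" VPN
# configuration download and derive the SonicOS policy fields and BGP CLI for BOTH tunnels.
# SAMPLE_CONFIG is CONSTRUCTED in the style of that download (documentation addresses, dummy
# PSKs); the parser keys off "IPSec Tunnel #n" / "#n:" headers and "  - Name : value" lines.
import ipaddress
import re

TUNNEL_TEMPLATE = """\
IPSec Tunnel #{n}
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : {psk}
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#3: Tunnel Interface Configuration
  Outside IP Addresses:
    - Customer Gateway        : 192.0.2.1
    - Virtual Private Gateway : {vgw_out}
  Inside IP Addresses:
    - Customer Gateway        : {cgw_in}
    - Virtual Private Gateway : {vgw_in}
#4: Border Gateway Protocol (BGP) Configuration:
  - Customer Gateway ASN        : 65011
  - Virtual Private Gateway ASN : 7224
  - Neighbor IP Address         : {neighbor}
  - Neighbor Hold Time          : 30
"""
SAMPLE_CONFIG = "! Amazon Web Services\n! Virtual Private Cloud\n" + TUNNEL_TEMPLATE.format(
    n=1, psk="EXAMPLEpsk1NotReal", vgw_out="203.0.113.10", cgw_in="169.254.253.6/30",
    vgw_in="169.254.253.5/30", neighbor="169.254.253.5") + TUNNEL_TEMPLATE.format(
    n=2, psk="EXAMPLEpsk2NotReal", vgw_out="203.0.113.11", cgw_in="169.254.253.10/30",
    vgw_in="169.254.253.9/30", neighbor="169.254.253.9")

_TUNNEL = re.compile(r"^IPSec Tunnel #(\d+)")
_SECTION = re.compile(r"^#(\d+):")
_KV = re.compile(r"^\s*-\s*(.+?)\s*:\s*(\S.*?)\s*$")
_ALG = {"aes-128-cbc": "AES-128", "aes-256-cbc": "AES-256", "sha1": "SHA1", "sha2-256": "SHA256",
        "Diffie-Hellman Group 2": "Group 2", "Diffie-Hellman Group 14": "Group 14"}  # AWS -> SonicOS


def parse_aws_config(text):
    """Return {tunnel_no: {"section:Key": value}}. Keys in section #3 are prefixed
    'Outside ' / 'Inside ' because AWS uses 'Customer Gateway' for both addresses."""
    tunnels, cur, section, scope = {}, None, None, ""
    for line in text.splitlines():
        if m := _TUNNEL.match(line):
            cur, section, scope = int(m.group(1)), None, ""
            tunnels[cur] = {}
        elif m := _SECTION.match(line):
            section, scope = int(m.group(1)), ""
        elif cur is not None and (m := _KV.match(line)):
            tunnels[cur][f"{section}:{scope}{m.group(1)}"] = m.group(2)
        elif line.strip().endswith("IP Addresses:"):
            scope = line.split()[0] + " "
    return tunnels


def sonicos_policy(t):
    """One tunnel mapped onto the VPN policy General/Proposals tabs and the tunnel interface."""
    if t["1:Phase 1 Negotiation Mode"] != "main":
        raise ValueError("the TechNote policy uses Main Mode; the AWS file says otherwise")
    inside = ipaddress.ip_interface(t["3:Inside Customer Gateway"])
    return {"IPsec Primary Gateway Name or Address": t["3:Outside Virtual Private Gateway"],
            "Shared Secret": t["1:Pre-Shared Key"],
            "DH Group": _ALG[t["1:Perfect Forward Secrecy"]],
            "Encryption": _ALG[t["1:Encryption Algorithm"]],
            "Authentication": _ALG[t["1:Authentication Algorithm"]],
            "Life Time": int(t["1:Lifetime"].split()[0]),
            "Tunnel Interface IP Address": str(inside.ip),
            "Tunnel Interface Subnet Mask": str(inside.netmask)}


def bgp_cli(tunnels, network):
    """SonicOS 'conf > routing > bgp' lines: one 'router bgp' block, one neighbor per tunnel."""
    asns = {t["4:Customer Gateway ASN"] for t in tunnels.values()}
    if len(asns) != 1:
        raise ValueError(f"customer gateway ASN differs between tunnels: {asns}")
    lines = [f"router bgp {asns.pop()}", f"network {network}"]
    for t in tunnels.values():
        nbr, hold = t["4:Neighbor IP Address"], int(t["4:Neighbor Hold Time"])
        lines += [f"neighbor {nbr} remote-as {t['4:Virtual Private Gateway ASN']}",
                  f"neighbor {nbr} timers {hold // 3} {hold}",  # keepalive = hold time / 3
                  f"neighbor {nbr} default-originate",
                  f"neighbor {nbr} soft-reconfiguration inbound"]
    return lines


def check_tunnels(tunnels):
    """Checks worth running before typing anything into the firewall."""
    problems = []
    psks = [t["1:Pre-Shared Key"] for t in tunnels.values()]
    if len(set(psks)) != len(psks):
        problems.append("tunnels share a pre-shared key; AWS issues a distinct one per tunnel")
    nets = {n: ipaddress.ip_interface(t["3:Inside Customer Gateway"]).network for n, t in tunnels.items()}
    for n, t in tunnels.items():
        problems += [f"inside link networks overlap: {nets[n]} and {nets[m]}"
                     for m in nets if m > n and nets[n].overlaps(nets[m])]
        if ipaddress.ip_address(t["4:Neighbor IP Address"]) not in nets[n]:
            problems.append(f"tunnel {n}: BGP neighbor is not on this tunnel's inside link")
    return problems
```

An empty result from check_tunnels is the precondition for entering bgp_cli's output at the console. The generated timers line reproduces the TechNote's 10 30 from the 30-second hold time AWS specifies; default-originate is emitted because the note uses it, and should be dropped from the list if the VPC is not meant to default-route through the firewall.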

Configuring the VPC for Deployment in Elastic Compute Cloud
This section provides the steps for launching an Elastic Compute Cloud (EC2) instance into the VPC subnet created above, so that there is something behind the Virtual Private Gateway to reach through the tunnel.

To configure your EC2 settings:
1. Go to Services > EC2.
2. Click Instances.
3. Click Launch Instance.
4. Select the Classic Wizard option, and click the Continue button.
5. Under the Quick Start tab, choose one of the Amazon Machine Images (AMIs) and click Select. (Select whichever system you like from the list of AMIs. For example, Amazon Linux AMI.) The Request Instances Wizard dialog appears.
6. In the Number of Instances box, enter the number of instances you want.
7. In the Instance Type list, select Medium.
8. Select the Launch Instances option.
9. Select the VPC option.
10. In the Subnet list, select the subnet you created in the VPC.
11. Click the Continue button.
12. In the IP Address box, enter the IP address for the instance, an unused address inside that subnet. For example, if the subnet is 10.0.1.0/24, the instance address could be 10.0.1.7.
13. Click the Continue button.
14. In the Storage Device Configuration dialog, click the Continue button.

Note: A metadata tag consists of a case-sensitive key/value pair, which is used to simplify the administration of your EC2 infrastructure.
15. In the Key Name box, enter a key name for the key/value pair tag.
16. In the Value box, enter a value for the key/value pair tag.
17. Click the Continue button.
18. In the name box, enter a name for your key pair.
19. Click Create & Download your key pair.
20. Click the Continue button.
21. Save the key pair to your PC. The private key file is presented only once and is the credential for logging in to the instance, so store it with the same care as a password.
22. Select the Choose one or more of your existing Security Groups option.
23. Select the appropriate security group.
24. Click the Continue button.
25. Click the Launch button.
26. Click the Close button.
27. Go to Services > VPC.
28. In the left column, click Security Groups.
29. In the lower pane, click the Inbound tab to configure an inbound rule. Allow only the protocols you need from the on-premises prefix (for example 192.168.0.0/16); the security group is what limits what reaches the instance through the tunnel once the route is in place.

To configure an inbound rule, follow the steps given in the AWS Getting Started Guide, Step 8: Update Your Amazon EC2 Security Group: http://docs.amazonwebservices.com/gettingstarted/latest/computebasics/getting-started-securitygroup.html

Glossary of Terms
The following abbreviations are used in this document:
AWS  Amazon Web Services
EC2  Elastic Compute Cloud
VPC  Virtual Private Cloud

Last updated: 5/22/2014