Wednesday, January 19, 2011

Sonicwall 5.8 New Features


I'm very impressed by all the new features that Sonicwall has added to v5.8.  I spoke to Jock Breitwieser and Eric Crutchlow who gave us a nice overview of some of the features.  I wanted to make sure I didn't miss anything as there were quite a few changes.  There are even more NG (Next Generation) Firewall features coming this year in v6.0.  Sonicwall has been a great vendor for us, and I am very happy we moved to their platforms.

Here are some of the new features (screenshots), with some explanation above each screen capture.

Before you turn on the netflow sender (and built-in netflow collector), you need to consider the impact this will have on your firewall.  You should keep an eye on your CPU and ensure you aren't running above 50%, or you will probably have CPU contention issues.  You also need to be aware that the memory usage of the netflow database and visualization will reduce your peak connections.  This model is an NSA 3500 (http://www.sonicwall.com/us/products/NSA_3500.html), which prior to netflow could handle 35,000 stateful connections and can only handle 49,152 when I have all of the DPI (deep packet inspection) and netflow enabled.  This includes gateway antivirus, content filtering, IDS/IPS, and more.  As you can see, we don't go over 4000, which makes this a non-issue.  Most firewalls can handle much higher connection and CPU workloads than people are using.



First you have to turn on flow reporting.  You can turn it on internally and/or send it off to another netflow collector:

http://www.networkuptime.com/tools/netflow/
http://www.solarwinds.com/downloads/ - Solarwinds makes a nice free netflow collector as well.
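What an external collector does with the exported flows, as an added example that is not part of the original post or SonicWall's code. It assumes the export format is NetFlow v5 (the post does not say which version is used); the addresses, the `leases` IP-to-user map and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 layout (assumed export format): 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Return a list of flow dicts from one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header count exceeds datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5], "bytes": f[6], "dport": f[10], "proto": f[13]})
    return flows

def usage_by_user(flows, ip_to_user):
    """Sum bytes and flow count per user; unmapped hosts stay keyed by IP."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for f in flows:
        who = ip_to_user.get(f["src"], f["src"])
        totals[who]["bytes"] += f["bytes"]
        totals[who]["flows"] += 1
    return dict(totals)

def build_sample():
    """Constructed datagram: three TCP/443 flows from two internal hosts."""
    rows = [("10.0.0.21", "203.0.113.10", 12, 9000),
            ("10.0.0.21", "203.0.113.11", 4, 1500),
            ("10.0.0.37", "203.0.113.10", 7, 4200)]
    out = HEADER.pack(5, len(rows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, pkts, octets in rows:
        out += RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                           bytes(4), 0, 0, pkts, octets, 0, 0,
                           49152, 443, 0, 0x18, 6, 0, 0, 0, 0, 0, 0)
    return out

if __name__ == "__main__":
    leases = {"10.0.0.21": "alice"}  # constructed IP-to-user map
    for who, t in usage_by_user(parse_v5(build_sample()), leases).items():
        print(who, t)
```

Flow records carry only IP addresses, so any host missing from the IP-to-user map is reported by address rather than by name.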



Once you have netflow turned on, you can see the applications being collected below.  There are many views, graphs, and other options:


Here is a user list with our AD users and how much traffic, connections, and throughput they are doing.  You will need to set up SSO for this to work (more on that later):

Here is the realtime monitor.  This is the default view, which shows the main applications.  You can filter by interface or by application and see realtime usage:


Here is a view of just some of the applications I picked: evernote, twitter, wikipedia, google, twitter:



Now for the SSO: you need to set up a small program on a Windows host which will get requests from the firewall and look up the users via Active Directory in order to correlate the DHCP (we use Windows DHCP) address with the username.  Here is the SSO setup screen:

When you click configure next to the "SonicWALL SSO Agent", you get the following screen, where you can set up the agent and view the stats for the agent process:

Sonicwall has also added application control: rules that allow for much more customized actions based on the application detection engine.  Before you can use these rules you need to turn App Control on (below), and then turn it on for a zone.  After that you can control the applications.  I have attached some additional applications below as well:




You can also define your own custom applications, which can be used in rules:

The Content Filter can use Users/Zones (legacy) or App Rules, which are far more flexible.  They can be restricted and bandwidth controlled:



Email addresses and content can also be included in App Rules:

Here are the Action objects (what you want to do if an App Rule is matched).  You can also define your own.  Note that you have options such as Bandwidth Management, Blocking, Ignoring DPI, or enabling a packet capture session (for debugging those difficult-to-find issues).

If you have any questions, please leave a comment or hit me up on twitter or instant messenger.  I hope you found this useful!