Sonicwall Technical Day Tomorrow

Sitting in the Marriott World Center hotel in Orlando, FL tonight. Perched up in the back of the bar with a Long Island Iced Tea and the ball game on the big screen. I will be attending a Sonicwall Technical Day tomorrow, which is being held here in the hotel. I am excited to see some of the new products that I haven’t had the chance to play with yet.

The Marriott has an interesting approach to internet access. You can get wired or wireless access for $15 a day, or sit in the bar. It really depends on who you are as to which is the more affordable option XD


Sonicwall IPS Blocking Flash Player

Recently, a client explained to me that he was unable to view Flash-based content. He went on to say that he had reinstalled Flash for Internet Explorer and Firefox. So I spent about three minutes trying the same thing, thinking that he must have done something wrong. No luck: the normal “You must have Flash player installed….” message did not come up, but neither did the content.

After reviewing the issue with the client a little bit further, he explained that other users are having the same issue. Obviously, this isn’t a client computer / Flash issue.

I logged into the Sonicwall and checked the logs. Sure enough, the Sonicwall ran its daily IPS signature update and started blocking Flash. The really interesting thing is that we have pretty much no IPS configured; Sonicwall just deemed Flash unsafe. Keep an eye out for this, because if Flash “breaks”, the last place you might look may be the firewall.

The IPS engine put this in the logs:

IPS Prevention Alert: MULTIMEDIA Shockwave Flash (SWF) Download 3, SID: 575, Priority: Low
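
To catch this kind of block quickly, the sketch below (an added example, not part of the original post and not Sonicwall tooling) parses alert lines in the format quoted above and lists the SIDs that first appear on the most recent day in the log, which is what a signature update that starts blocking traffic looks like. The timestamp prefix, the dates, the login line and SID 9999 are constructed assumptions; only the alert text layout comes from the post.

```python
import re
from datetime import datetime

# Alert layout taken from the log entry quoted in the post.
ALERT_RE = re.compile(
    r"IPS Prevention Alert: (?P<sig>.+?), SID: (?P<sid>\d+), Priority: (?P<prio>\w+)")
# Assumption: every exported line begins with "YYYY-MM-DD HH:MM:SS".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample export. Dates, the login line and SID 9999 are made up.
SAMPLE_LOG = """\
2009-03-01 08:02:11 Administrator login allowed
2009-03-01 10:15:40 IPS Prevention Alert: EXAMPLE Placeholder Signature, SID: 9999, Priority: Low
2009-03-02 10:20:05 IPS Prevention Alert: EXAMPLE Placeholder Signature, SID: 9999, Priority: Low
2009-03-03 09:14:02 IPS Prevention Alert: MULTIMEDIA Shockwave Flash (SWF) Download 3, SID: 575, Priority: Low
2009-03-03 09:14:09 IPS Prevention Alert: MULTIMEDIA Shockwave Flash (SWF) Download 3, SID: 575, Priority: Low
2009-03-03 09:31:47 IPS Prevention Alert: EXAMPLE Placeholder Signature, SID: 9999, Priority: Low
"""

def parse_alerts(text):
    """Return one dict per IPS prevention alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        ts, m = TS_RE.match(line), ALERT_RE.search(line)
        if ts and m:
            alerts.append({"time": datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"),
                           "sig": m.group("sig"), "sid": int(m.group("sid")),
                           "prio": m.group("prio")})
    return alerts

def summarize(alerts):
    """Group alerts by SID: signature name, priority, hit count, first-seen time."""
    by_sid = {}
    for a in sorted(alerts, key=lambda a: a["time"]):
        row = by_sid.setdefault(a["sid"], {"sig": a["sig"], "prio": a["prio"],
                                           "hits": 0, "first_seen": a["time"]})
        row["hits"] += 1
    return by_sid

def newly_blocking(alerts):
    """SIDs whose first hit falls on the most recent day present in the log."""
    days = [a["time"].date() for a in alerts]
    return sorted(sid for sid, row in summarize(alerts).items()
                  if row["first_seen"].date() == max(days))

if __name__ == "__main__":
    for sid in newly_blocking(parse_alerts(SAMPLE_LOG)):
        print(sid, summarize(parse_alerts(SAMPLE_LOG))[sid]["sig"])
```

A signature that simply fires rarely will also show up as "new" if the log window is short, so feed it several days of history.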


Sonicwall GVPN w/ Simple Client Provisioning

In this post I am going to cover one of the ways that you can configure your Sonicwall device so that it provides secure client access to your internal network using the Sonicwall Global VPN client. There are several different ways that you can connect clients using the Global VPN client, but in this example I will cover one of the easiest and fastest ways to get the job done. For this example I will be using a Sonicwall TZ170 running standard OS. The steps will be nearly identical on other Sonicwalls running the standard OS. This configuration should also work just fine on devices running the enhanced OS provided that you aren’t running some off-the-wall configuration.

Step 1: Firewall configuration

Using your favorite browser, log in to your Sonicwall by going to https://x.x.x.x (substitute your device’s IP address). Go to the Users menu item and choose Local Users. Click Add and enter the desired username and password for this user. Put a check mark in the “Access from VPN client with XAUTH” box and click OK.

Next we need to open the VPN menu item. By default there will be a VPN policy named GroupVPN. Make sure that this policy has the Enable box checked and then click on the edit button under Configure. The first two tabs require zero configuration for this how-to. Select the third tab, which is named Advanced, and make sure that “Require Authentication of VPN Clients via XAUTH” under Client Authentication is selected. On the Client tab, look for the setting “Cache XAUTH User Name and Password on Client” and change it to Always. Under Client Initial Provisioning, make sure to place a checkmark next to “Use Default Key for Simple Client Provisioning” and click OK.

The final item to complete in this step is to send the GVPN policy to the client. Back on the main VPN page under Configure, click on the Export/Save button (floppy disk icon). Accept all defaults on the pop-up window and click Yes. Once again, accept any defaults presented and enter a password so that the exported VPN policy is encrypted; this is important for several obvious reasons. Click on Submit and save the file. Now you can send the exported VPN policy to any user that needs it.

Step 2: Client Configuration

Using your MySonicwall account or original Sonicwall media, install the Global VPN client on the desired PC and accept all defaults. Open the Global VPN client and press Cancel when presented with the connection wizard. Go to the File menu and choose Import Connection. Click on the …Browse box and navigate to the exported GVPN policy. Now enter the password that we used to encrypt the file earlier and click OK. You should now see the imported policy in the list of connections. Right-click on the connection and select Enable. Enter the username and password that we created in Step 1 under Local Users. Put a checkmark in the “Remember my username and password” box and click OK. After a few moments of provisioning and passing encryption information, you should see the status as connected. Your client is now connected to your internal LAN securely via VPN.

Now you can create additional users as needed and send them the exported GVPN policy.

NOTE: I highly recommend sending the exported GVPN policy and encryption password separately. I generally accomplish this by emailing the policy and then sending a text message of the encryption password to the intended user and/or giving it to the user verbally.