MSS FW Best Practices: Network

Description

CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples, and caution should be exercised when making changes to your firewall, as unplanned changes could result in downtime based on the complexity of the environment and/or configuration.


MSS Recommended SonicWall Firewall Best Practices Index


Zones

  1. Make sure all desired security services are enforced on proper zones.
  2. When creating new zones, NEVER leave any of the Auto-Generate Rules boxes checked.
    • This means you MUST manually add firewall rules.

Interfaces

Set the following options for all network interfaces:

  1. Disable HTTP management on all interfaces.
  2. Disable redirect from HTTP to HTTPS.
  3. Link Speed: Set to Auto or, if possible, hard code on both sides to best possible (i.e., 1000/full duplex).

Failover & Load Balancing

  1. Load Balancing MUST be enabled even if there is only 1 active WAN interface.
  2. If multiple WAN interfaces are in the LB group, edit each and ensure the probe configuration is set to the following (this will ensure the firewall is probing the WAN interface using both ICMP AND DNS):
    • Logical/Probe Monitoring enabled.
    • Probe succeeds when either Main Target or Alternate Target responds.
    • Main Target: TCP
    • Alternate Target: Ping (ICMP)
      • Host: 8.8.4.4
    • Default Target IP: 204.212.170.23


Routing

Static Routes

Dynamic Routing

Border Gateway Protocol (BGP)

SonicWall Firewalls can ONLY support 1 ASN!


DNS

  1. These servers are ONLY used by the firewall so set accordingly.
  2. Enable DNS Rebinding protection:
    1. Action: Log Attack & Drop DNS Reply
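
The general check behind DNS rebinding protection, as an added example (not SonicWall's code and not part of the original article): a reply that maps a name to an internal address is logged and dropped unless the domain is explicitly allowed. The internal ranges, the `ALLOWED_SUFFIXES` allow list and the sample replies are assumptions constructed for illustration.

```python
import ipaddress

# Assumed internal ranges (RFC 1918, loopback, link-local, IPv6 equivalents);
# a firewall would normally use the subnets of its own internal zones.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Hypothetical allow list: domains legitimately served from internal addresses.
ALLOWED_SUFFIXES = ("corp.example",)

# Constructed sample replies: (queried name, addresses in the answer section).
SAMPLE_REPLIES = [
    ("www.example.com", ["93.184.216.34"]),
    ("rebind.untrusted.example", ["203.0.113.7", "192.168.1.1"]),
    ("intranet.corp.example", ["10.20.0.5"]),
    ("v6.untrusted.example", ["::ffff:127.0.0.1"]),
]


def is_internal(addr):
    """True if addr falls in an internal range (IPv4-mapped IPv6 unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def is_allowed(qname):
    """True if the queried name is on the allow list (exact or subdomain)."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)


def inspect_reply(qname, answers):
    """Return ("drop", offending_addresses) or ("pass", [])."""
    if is_allowed(qname):
        return ("pass", [])
    bad = [a for a in answers if is_internal(a)]
    return ("drop", bad) if bad else ("pass", [])


def run(replies):
    """Mimic 'Log Attack & Drop DNS Reply': one log line per dropped reply."""
    return [f"DNS rebind attack dropped: {q} -> {', '.join(bad)}"
            for q, ans in replies
            for action, bad in [inspect_reply(q, ans)] if action == "drop"]


if __name__ == "__main__":
    print("\n".join(run(SAMPLE_REPLIES)))
```
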

DHCP Server

  1. If the SonicWall is the acting DHCP server, enable:
    1. Conflict Detection
    2. DHCP Server Persistence
  2. Disable all unused DHCP scopes.
  3. Disable DHCP if the SonicWall is not acting as a DHCP server.

Bandwidth Management

Gen 7 - Configuring Advanced Bandwidth Management
