MSS FW Best Practices: Advanced Firewall Settings

Description

CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples, and caution should be exercised when making changes to your firewall, as unplanned changes could result in downtime based on the complexity of the environment and/or configuration.


MSS Recommended SonicWall Firewall Best Practices Index


Advanced

  1. Network > Firewall
    1. Enable Stealth Mode
      1. With this enabled, the firewall will not respond to any inbound connection requests, which makes the firewall essentially invisible to hackers.
    2. Enable Randomize IP ID
      1. This makes it more difficult for hackers to “fingerprint” the firewall using the IP packets with random IP IDs. Enabling this prevents hackers from using various detection tools to detect the presence of the firewall.
    3. Enable Decrement IP TTL for forwarded traffic
      1. This decreases the TTL value for packets to allow queries to occur more frequently.
    4. Enable RTSP Transformations
      1. This allows the firewall to better support on-demand, real-time data delivery such as audio and video.

Connections

Only change this if directed by a supervisor or SonicWall support.

How to optimize connections on the firewall for better throughput or security | SonicWall

Flood Protection

  1. Turn on Enforce strict TCP compliance with RFC 793, RFC 1122, and RFC 1323
  2. Turn on Enable TCP handshake enforcement.
  3. Turn on Enable TCP checksum enforcement.
  4. Turn on Enable TCP handshake timeout.
  • If the customer has VoIP phones behind the SonicWall, you might need to increase the “UDP Flood Attack Threshold (UDP Packets / Sec)” if the firewall is seeing the VoIP traffic as a UDP flood.
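
Before raising the UDP flood threshold for a VoIP site, it helps to measure what the legitimate peak rate actually is. The following is an added example, not SonicWall or MSS code: it takes UDP packet timestamps and destination addresses (for instance, exported from a packet capture), finds the peak packets per second for each destination, and suggests a threshold with headroom. The threshold value, the per-destination one-second counting, the 20 ms RTP packet interval, and the addresses are assumptions for illustration.

```python
from collections import Counter

# Assumed value for illustration; read the real one from the firewall's
# "UDP Flood Attack Threshold (UDP Packets / Sec)" setting.
THRESHOLD_PPS = 1000


def peak_udp_pps(packets):
    """packets: iterable of (timestamp_seconds, dst_ip) for UDP packets.
    Returns {dst_ip: highest packet count seen in any one-second bucket}.
    Per-destination one-second buckets are an assumed approximation of
    how the firewall counts."""
    buckets = Counter((dst, int(ts)) for ts, dst in packets)
    peaks = {}
    for (dst, _second), count in buckets.items():
        peaks[dst] = max(peaks.get(dst, 0), count)
    return peaks


def over_threshold(packets, threshold=THRESHOLD_PPS):
    """Destinations whose peak rate exceeds the configured threshold."""
    return {dst: pps for dst, pps in peak_udp_pps(packets).items()
            if pps > threshold}


def suggested_threshold(peak_pps, headroom=1.5):
    """Peak legitimate rate times headroom, rounded up to a multiple of 100."""
    target = int(peak_pps * headroom)
    return -(-target // 100) * 100


def constructed_capture(calls, seconds, pbx="192.0.2.10", ptime_ms=20):
    """Constructed sample data: `calls` concurrent RTP streams toward one
    PBX, each sending a packet every ptime_ms (20 ms = 50 packets/sec)."""
    per_second = 1000 // ptime_ms
    return [(s + i / per_second, pbx)
            for s in range(seconds)
            for _call in range(calls)
            for i in range(per_second)]


if __name__ == "__main__":
    capture = constructed_capture(calls=30, seconds=3)
    capture += [(0.5, "192.0.2.53")] * 40  # constructed background traffic
    for dst, pps in over_threshold(capture).items():
        print(f"{dst}: peak {pps} pps exceeds {THRESHOLD_PPS}; "
              f"consider a threshold of {suggested_threshold(pps)}")
```

Run it against traffic captured during the busiest calling period, so the suggested value reflects the real peak and not an average.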
