SonicOSX 7 Action Profiles

Adding Security Action Profiles

Security Action Profiles can include any combination of profile services, with access to each service's configuration within a single page. Within the Security Action Profile pages, you can configure profile options for:

Bandwidth/QoS

Application layer bandwidth management (BWM) allows you to create a policy that regulates bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol. Application layer bandwidth management is supported for all Application matches, as well as custom Security Action Profiles using HTTP client, HTTP Server, Custom, and FTP file transfer types.

As a best practice, configuring the Bandwidth Management profile settings on the OBJECT | Profile Objects > Bandwidth page should always be done before configuring any BWM policies.

Application layer bandwidth management is configured in the same way as Access Rule bandwidth management. However, with Security Action Profiles you can specify all content types, which you cannot do with access rules.

For a bandwidth management use case, as an administrator you might want to limit .mp3 and executable file downloads during work hours to no more than 1 Mbps. At the same time, you want to allow downloads of productive file types such as .doc or .pdf up to the maximum available bandwidth, or even give the highest possible priority to downloads of the productive content. As another example, you might want to limit bandwidth for a certain type of peer-to-peer (P2P) traffic, but allow other types of P2P to use unlimited bandwidth. Application layer bandwidth management allows you to create policies to do this.

A number of BWM action options are also available in the predefined, default action list. The BWM action options change depending on the Bandwidth Management Type setting on the OBJECT | Profile Objects > Bandwidth page.

Guaranteed bandwidth for all levels of BWM combined must not exceed 100%.

To configure a Bandwidth/QoS Security Action Profile

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Click +Add or click the Edit icon from the Configure column.
  3. The opening screen is the Bandwidth/QoS tab.

  4. Enter a friendly Action Profile Name.

Bandwidth Management Profile

The Bandwidth Management feature can be implemented in two separate ways:

  • Per Policy Method – The bandwidth limit specified in a policy is applied individually to each policy. Example: if two policies each have an independent limit of 500 kb/s, the total possible bandwidth across those two rules is 1000 kb/s.

  • Per Action Aggregate Method – The bandwidth limit of the action is shared across all policies to which the action is applied. Example: if two policies share a BWM limit of 500 kb/s, the total bandwidth across the two policies is limited to 500 kb/s.

  1. Select either or both Enable Egress Bandwidth Management and Enable Ingress Bandwidth Management. These options are not selected by default.
  2. Select a Bandwidth Object for Ingress or Egress from the drop-down menus.
  3. Click Enable Tracking Bandwidth Usage.
  4. Click Save.

You can now associate this Action Profile with the Bandwidth profile object at OBJECT | Profile Objects > Bandwidth.

QoS Marking Profile

Both 802.1p and DSCP marking, as managed by SonicOSX Security Rules, provide four actions: None, Preserve, Explicit, and Map. The default action for DSCP is None and the default action for 802.1p is Preserve.

QoS Marking: Behavior describes the effect of each action on both methods of marking.

QoS Marking: Behavior

None
  • 802.1p (Layer 2 CoS): When packets matching this class of traffic (as defined by the Security Rule) are sent out the egress interface, no 802.1p tag is added.
  • DSCP (Layer 3): The DSCP tag is explicitly set (or reset) to 0.
  • Notes: If the target interface for this class of traffic is a VLAN subinterface, the 802.1p portion of the 802.1q tag is explicitly set to 0. If this class of traffic is destined for a VLAN and is using 802.1p for prioritization, a specific Security Rule using the Preserve, Explicit, or Map action should be defined for this class of traffic.

Preserve
  • 802.1p (Layer 2 CoS): The existing 802.1p tag is preserved.
  • DSCP (Layer 3): The existing DSCP tag value is preserved.

Explicit
  • 802.1p (Layer 2 CoS): An explicit 802.1p tag value (0-7) can be assigned from the drop-down menu that is presented.
  • DSCP (Layer 3): An explicit DSCP tag value (0-63) can be assigned from the drop-down menu that is presented.
  • Notes: If either the 802.1p or the DSCP action is set to Explicit while the other is set to Map, the explicit assignment occurs first, and then the other value is mapped according to that assignment.

Map
  • 802.1p (Layer 2 CoS): The mapping setting defined in the OBJECT | Action Profiles > Security Action Profile page is used to map from a DSCP tag to an 802.1p tag. An additional checkbox is presented to Allow 802.1p Marking to override DSCP values. Selecting this checkbox asserts the mapped 802.1p value over any DSCP value that might have been set by the client. This is useful for overriding clients that set their own DSCP CoS values.
  • DSCP (Layer 3): The mapping setting defined in the OBJECT | Action Profiles > Security Action Profile page is used to map from an 802.1p tag to a DSCP tag.
  • Notes: If Map is set as the action on both DSCP and 802.1p, mapping only occurs in one direction: if the packet is from a VLAN and arrives with an 802.1p tag, then DSCP is mapped from the 802.1p tag; if the packet is destined to a VLAN, then 802.1p is mapped from the DSCP tag.
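The following Python model is an added example, not SonicOS code and not taken from this page. It encodes the precedence rules of the table above: explicit values are assigned before mapping, Map on both sides maps in only one direction, None resets DSCP to 0 and strips the 802.1p tag (or zeroes it on VLAN egress), and the override checkbox rewrites a client-chosen DSCP to the value implied by the mapped 802.1p priority. The mapping table itself is an assumption: the page does not list the product's mapping values, so the rows follow the DSCP class-selector layout (DSCP 0-7 to priority 0, 8-15 to priority 1, and so on). Substitute the mapping configured on the firewall when using this to reason about a real rule.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed mapping table (illustrative; the page gives no values). Each row is
# (802.1p priority, inclusive DSCP range mapped TO that priority, the single
# DSCP value that priority maps BACK to). Substitute the firewall's own table.
MAPPING = [
    (0, (0, 7), 0), (1, (8, 15), 8), (2, (16, 23), 16), (3, (24, 31), 24),
    (4, (32, 39), 32), (5, (40, 47), 40), (6, (48, 55), 48), (7, (56, 63), 56),
]


def dscp_to_cos(dscp: int) -> int:
    """DSCP -> 802.1p priority (a whole DSCP range maps to one priority)."""
    for cos, (lo, hi), _ in MAPPING:
        if lo <= dscp <= hi:
            return cos
    raise ValueError(f"DSCP {dscp} is outside 0-63")


def cos_to_dscp(cos: int) -> int:
    """802.1p priority -> the canonical DSCP value for that priority."""
    for row_cos, _, to_dscp in MAPPING:
        if row_cos == cos:
            return to_dscp
    raise ValueError(f"802.1p priority {cos} is outside 0-7")


@dataclass
class Packet:
    dscp: int                   # DSCP as the packet arrived (0-63)
    cos: Optional[int] = None   # 802.1p priority if it arrived tagged, else None
    from_vlan: bool = False     # arrived on a VLAN subinterface
    to_vlan: bool = False       # egress interface is a VLAN subinterface


@dataclass
class Marking:
    cos_action: str = "preserve"        # product default for 802.1p
    dscp_action: str = "none"           # product default for DSCP
    explicit_cos: int = 0
    explicit_dscp: int = 0
    cos_overrides_dscp: bool = False    # "Allow 802.1p Marking to override DSCP values"


def apply_marking(pkt: Packet, m: Marking) -> Tuple[int, Optional[int]]:
    """Return (dscp, cos) as the packet leaves; cos is None when untagged."""
    dscp, cos = pkt.dscp, pkt.cos

    # Explicit assignment happens first, so a Map on the other side maps from it.
    if m.dscp_action == "explicit":
        dscp = m.explicit_dscp
    if m.cos_action == "explicit":
        cos = m.explicit_cos

    if m.dscp_action == "map" and m.cos_action == "map":
        # Map on both sides: mapping happens in one direction only.
        if pkt.from_vlan and pkt.cos is not None:
            dscp = cos_to_dscp(pkt.cos)       # from a VLAN: DSCP follows 802.1p
        elif pkt.to_vlan:
            cos = dscp_to_cos(dscp)           # to a VLAN: 802.1p follows DSCP
    else:
        if m.cos_action == "map":
            cos = dscp_to_cos(dscp)
            if m.cos_overrides_dscp:
                dscp = cos_to_dscp(cos)       # assert mapped priority over client DSCP
        if m.dscp_action == "map" and cos is not None:
            dscp = cos_to_dscp(cos)

    if m.dscp_action == "none":
        dscp = 0                              # DSCP explicitly reset to 0
    if m.cos_action == "none":
        cos = 0 if pkt.to_vlan else None      # VLAN egress: priority 0; else no tag
    # "preserve" leaves the arriving value untouched.
    return dscp, cos


if __name__ == "__main__":
    # A client marks EF (DSCP 46); the rule maps 802.1p from DSCP with override on.
    rule = Marking(cos_action="map", dscp_action="preserve", cos_overrides_dscp=True)
    print(apply_marking(Packet(dscp=46, to_vlan=True), rule))   # (40, 5)
    # Product defaults (802.1p Preserve, DSCP None): client DSCP is zeroed on egress.
    print(apply_marking(Packet(dscp=46, cos=5, from_vlan=True), Marking()))   # (0, 5)
```

The second call in the main block is the one to keep in mind when debugging QoS: with the product defaults, any DSCP value a client sets is reset to 0 at the egress interface unless a rule explicitly preserves, sets, or maps it.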

Anti-Virus

SonicWall Gateway Anti-Virus (GAV) service delivers real-time virus protection directly on the SonicWall network security appliance by using SonicWall's IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWall gateway. Building on SonicWall's reassembly-free architecture, SonicWall GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic. Because SonicWall GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis.

SonicWall GAV delivers threat protection by matching downloaded or emailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWall's SonicAlert Team, third-party virus analysts, open source developers, and other sources.

SonicWall GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based protocols, to provide you with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWall GAV integrates advanced decompression technology that automatically decompresses and scans files on a per-packet basis.

SonicWall GAV parses supported email protocols for the header fields To, CC, and BCC. The information in these fields is displayed and logged in Capture ATP for both sender and receiver.

To configure an Anti-Virus Security Action Profile

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Click +Add or click the Edit icon from the Configure column.
  3. Click the Anti-Virus tab.

  4. Enter a friendly Action Profile Name.
  5. Select Enable Gateway Anti-Virus to enable SonicWall Gateway Anti-Virus.

    You must specify the zones on which you want SonicWall Gateway Anti-Virus protection on the NETWORK | System > Interfaces page.

  6. To supplement the on-box signature set with lookups against SonicWall's cloud Gateway Anti-Virus database, select Enable Cloud Gateway Anti-Virus Database.
  7. Enable Inbound Inspection. By default, SonicWall Gateway Anti-Virus inspects all inbound HTTP, FTP, IMAP, SMTP, and POP3 traffic. In the context of SonicWall Gateway Anti-Virus, inbound inspection covers the following traffic:

    • Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to any zone.
    • Non-SMTP traffic from a Public zone destined to an Untrusted zone.
    • SMTP traffic initiating from a non-Trusted zone destined to a Trusted, Wireless, Encrypted, or Public zone.
    • SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to a Trusted, Wireless, or Encrypted zone.

  8. Enable Outbound Inspection for HTTP, FTP, SMTP, and TCP traffic.

  9. You can restrict the transfer of files with specific attributes by enabling Prevent. Prevent restricts data file transfers for each protocol, except the TCP Stream.

  10. Enable Log to keep a record of your SonicWall Gateway Anti-Virus traffic.

Application Protocol Settings

  1. Restrict Transfer of password-protected Zip files - Disables the transfer of password protected ZIP files over any enabled protocol. This option only functions on protocols (for example, HTTP, FTP, SMTP) that are enabled for inspection.
  2. Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the transfers of any MS Office 97 and above files that contain VBA macros.
  3. Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed executable files.

    Packers are utilities that compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer adds a header that expands the file in memory, and then executes that file.

    SonicWall Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are dynamically added along with SonicWall Gateway Anti-Virus signature updates.

  4. To suppress the sending of e-mail messages (SMTP) to clients from SonicWall Gateway Anti-Virus when a virus is detected in an e-mail or attachment, select Disable SMTP Responses. This option is not selected by default.
  5. The EICAR Standard Anti-Virus Test file is a harmless test file that anti-virus products detect by convention, so that correct operation of the SonicWall Gateway Anti-Virus service can be checked and confirmed. To suppress detection of EICAR, select Disable detection of EICAR Test Virus. This option is selected by default, so clear it before using an EICAR download to verify that inspection is active on a given path, and select it again afterward.
  6. To allow HTTP byte serving, the process of sending only a portion of an HTTP message or file, select Enable HTTP Byte-Range requests with Gateway AV. This option is selected by default.

The SonicWall Gateway Anti-Virus security service, by default, suppresses the use of HTTP Byte-Range requests to prevent the sectional retrieval and reassembly of potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this setting you override this default behavior.

  7. To allow the use of the FTP REST request to retrieve and reassemble sectional messages and files, select Enable FTP 'REST' requests with Gateway AV. This option is selected by default.

    The Gateway Anti-Virus service, by default, suppresses the use of the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious content. This is done by terminating the connection and thus preventing the user from receiving the malicious payload. By enabling this setting you override this default behavior.

  8. To suppress the scanning of files, or parts of files, that have high compression rates, select Do not scan parts of files with high compression rates. This option is selected by default.
  9. To block files containing multiple levels of zip and/or gzip compression, select Block files with multiple levels of zip/gzip compression. This option is not selected by default.
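The following Python script is an added example for verifying the options above; it is not SonicOS code and not from this page. It builds, entirely in memory, one test payload per option that GAV decompresses or restricts: the EICAR test file on its own, inside one zip, inside two levels of zip, inside a zip wrapped in gzip, and a zip of zeros whose compression rate is high enough to hit the "high compression rates" exemption. It also shows what an HTTP byte-range request looks like, since GAV terminates those connections unless Byte-Range requests are allowed. File names and the 4 MiB size are our own choices. Serve the artifacts from a host on the far side of the firewall (after clearing Disable detection of EICAR Test Virus) and download each through the inspected zone; a payload that reaches the client tells you which decompression path or option is not being applied.

```python
import gzip
import io
import zipfile
from typing import Dict, Tuple

# The EICAR string is the public, industry-standard anti-virus test file;
# it is harmless by design. Nothing here is written to disk.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def zip_bytes(name: str, data: bytes) -> bytes:
    """Deflate `data` into a single-entry zip archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_artifacts() -> Dict[str, bytes]:
    """One constructed payload per GAV option worth exercising."""
    one_level = zip_bytes("eicar.com", EICAR)
    return {
        "plain": EICAR,                                    # baseline signature match
        "zip": one_level,                                  # single-pass ZIP decompression
        "zip_in_zip": zip_bytes("inner.zip", one_level),   # multiple levels of zip
        "zip_in_gzip": gzip.compress(one_level),           # zip/gzip mix, also two levels
        # 4 MiB of zeros deflates to a few KiB: a high-compression-rate sample
        "high_ratio": zip_bytes("zeros.bin", b"\0" * (4 * 1024 * 1024)),
    }


def unwrap(data: bytes) -> Tuple[int, bytes]:
    """Peel nested gzip/zip layers; return (layer count, innermost payload)."""
    depth = 0
    while True:
        if data[:2] == b"\x1f\x8b":                        # gzip magic
            data = gzip.decompress(data)
        elif data[:4] == b"PK\x03\x04":                    # zip local file header
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                data = zf.read(zf.namelist()[0])
        else:
            return depth, data
        depth += 1


def compression_ratio(zipped: bytes) -> float:
    """Uncompressed/compressed size summed over all entries of a zip archive."""
    with zipfile.ZipFile(io.BytesIO(zipped)) as zf:
        infos = zf.infolist()
    raw = sum(i.file_size for i in infos)
    packed = sum(i.compress_size for i in infos)
    return raw / max(packed, 1)


def http_range_request(host: str, path: str, first: int, last: int) -> bytes:
    """A byte-range GET; GAV drops such connections unless Byte-Range is allowed."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Range: bytes={first}-{last}\r\nConnection: close\r\n\r\n").encode()


if __name__ == "__main__":
    for name, blob in build_artifacts().items():
        depth, inner = unwrap(blob)
        print(f"{name:12s} {len(blob):8d} bytes  layers={depth}  eicar={inner == EICAR}")
    print(f"high_ratio compresses {compression_ratio(build_artifacts()['high_ratio']):.0f}:1")
    print(http_range_request("test.example", "/eicar.com", 0, 33).decode(), end="")
```

The "high_ratio" payload is not malicious, but it is the shape of content that the default "Do not scan parts of files with high compression rates" setting skips; if you disable that option for a zone, this is the artifact to time downloads with, since fully inflating such archives is what the option exists to avoid.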

Intrusion Prevention

In this section you can configure the Intrusion Prevention settings of a Security Action Profile, to be used with the Intrusion Prevention profile objects created at OBJECT | Profile Objects > Intrusion Prevention.

To configure the Intrusion Prevention tab

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Click +Add or click the Edit icon from the Configure column for the Action you would like to modify.
  3. Click the Intrusion Prevention tab.

  4. Enter a friendly Action Profile Name.
  5. Select Enable Intrusion Prevention to enable the SonicWall Intrusion Prevention Service (IPS).

  6. Select whether to build this Action object using Global Settings or your own Profile Settings.

    Selecting Profile Settings grays out the Low, Medium, and High Priority/Risk options, because the Intrusion Prevention profile object referenced by the rule sets those.

  7. Select the remaining options based on your needs to Prevent, Log, and for how long to use the Redundancy Filters.
  8. Click Save.

Anti-Spyware

In this section you can create Anti-Spyware Security Action Profile objects.

To configure an Anti-Spyware Security Action Profile

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Click +Add or click the Edit icon from the Configure column for the Action you would like to modify.
  3. Click the Anti-Spyware tab.

  4. Enter a friendly Action Profile Name.
  5. Select Enable Anti-Spyware to activate SonicWall's Anti-Spyware protection.

  6. Select Enable Inbound Inspection to make inbound traffic available for inspection.
  7. Enable HTTP Clientless Notification Alerts to show an error message when a request is blocked.
  8. Enable Inspection of Outbound Spyware Communication to make outbound traffic available for inspection.

  9. Select Disable SMTP Responses to suppress the sending of email messages (SMTP) to clients from SonicWall Anti-Spyware when spyware is detected in an email or attachment.
  10. Select the remaining options based on your needs to Prevent, Log, and for how long to use the Redundancy Filters.

Botnet Filter

In this section you can create a Botnet Filtering Security Action Profile.

To configure the Botnet Filter Security Action Profile

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Click +Add or click the Edit icon from the Configure column for the Action you would like to modify.
  3. Click the Botnet Filter tab.

  4. Enter a friendly Action Profile Name.
  5. Select Enable Botnet Filter to activate SonicWall's Botnet Filtering service.

  6. Select the remaining options based on your needs to Log and for how long to use the Redundancy Filters.
  7. Click Save.

Content Filter

In this section you can create a Content Filtering Service (CFS) Security Action Profile.

To configure the Content Filter Security Action Profile

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Click +Add or click the Edit icon from the Configure column for the Action you would like to modify.
  3. Click the Content Filter tab.

  4. Enter a friendly Action Profile Name.
  5. Select Enable Content Filtering to activate SonicWall's Content Filtering Service (CFS).

  6. Select a Content Filter Action: Allow, Confirm, or Passphrase. The action is applied to every security rule that uses a profile whose Action is set to CFS. The pages served for blocked sites by the Content Filter action are configured in the sections below and are separate from the block page configured elsewhere in this profile.

General

To open the dialog

  1. Navigate to OBJECT | Action Profiles > Security Action Profile | Content Filter tab. Scroll to the General tab section.

    By default, none of the options are selected.

  2. To enable content filtering for HTTPS sites, select the Enable HTTPS Content Filtering option.

    HTTPS content filtering is IP based and does not inspect the URL, but uses other methods to obtain the URL rating. When this option is enabled, CFS performs URL rating lookup in this order:

    • Searches the client hello for the Server Name, which CFS uses to obtain the URL rating.
    • If the Server Name is not available, searches the SSL certificate for the Common Name, which CFS uses to obtain the URL rating.
    • If neither Server Name nor Common Name is available, CFS uses the IP address to obtain the URL rating.

While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS filtered pages are silently blocked.
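The lookup order above decides what CFS actually rates for an HTTPS connection, and a practitioner troubleshooting a wrong category should know what the firewall can see at each stage. The following Python is an added example (not SonicOS code and not from this page): it builds a constructed TLS ClientHello record with or without a Server Name extension, parses the Server Name back out the way a firewall must (skipping other extensions), and then applies the page's three-step fallback. The certificate Common Name is passed in as a string rather than parsed from a certificate, because parsing X.509 offline would need a third-party library; `rating_key` and the other names are ours.

```python
import os
from typing import Optional, Tuple


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed TLS ClientHello record, with or without the server_name extension."""
    exts = b"\x00\x2b\x00\x03\x02\x03\x04"             # supported_versions: TLS 1.3
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name   # name_type host_name
        name_list = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(name_list).to_bytes(2, "big") + name_list
    body = (b"\x03\x03" + os.urandom(32)                # client_version, random
            + b"\x00"                                   # empty session id
            + b"\x00\x02\x13\x01"                       # one cipher suite
            + b"\x01\x00"                               # null compression only
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Server Name from a ClientHello record; None if absent or not a ClientHello."""
    try:
        if record[0] != 0x16:                           # not a TLS handshake record
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:                               # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                      # skip version + random
        p += 1 + body[p]                                # session id
        p += 2 + int.from_bytes(body[p:p + 2], "big")   # cipher suites
        p += 1 + body[p]                                # compression methods
        if p + 2 > len(body):
            return None                                 # no extensions block at all
        end = p + 2 + int.from_bytes(body[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(body[p:p + 2], "big")
            elen = int.from_bytes(body[p + 2:p + 4], "big")
            edata = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != 0:
                continue                                # not server_name
            q = 2                                       # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype, nlen = edata[q], int.from_bytes(edata[q + 1:q + 3], "big")
                if ntype == 0:
                    return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        return None
    except IndexError:                                  # truncated or malformed input
        return None


def rating_key(client_hello: bytes, cert_common_name: Optional[str],
               dst_ip: str) -> Tuple[str, str]:
    """What CFS rates, in the page's order: Server Name, else certificate CN, else IP."""
    sni = extract_sni(client_hello)
    if sni:
        return ("server_name", sni)
    if cert_common_name:
        return ("common_name", cert_common_name)
    return ("ip", dst_ip)


if __name__ == "__main__":
    print(rating_key(build_client_hello("shop.example.org"), "*.example.org", "203.0.113.10"))
    print(rating_key(build_client_hello(None), "*.example.org", "203.0.113.10"))
    print(rating_key(build_client_hello(None), None, "203.0.113.10"))
```

Two consequences follow from this order. A client that omits or encrypts the Server Name falls through to the certificate, and under TLS 1.3 the server certificate is itself encrypted, so without DPI-SSL the firewall ends up rating the IP address, which for shared hosting or a CDN may carry a category unrelated to the site requested. That is the case to check first when an HTTPS site is blocked or allowed unexpectedly.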

  3. To enforce Safe Search when searching on any of the following websites, select the Enable Safe Search Enforcement option:

    • www.yahoo.com
    • www.ask.com
    • www.dogpile.com
    • www.lycos.com

    This enforcement cannot be configured at the policy level because the function employs DNS redirection to HTTPS sites. For HTTPS sites, client DPI-SSL with content filter must be enabled.

  4. To override the Safe Search option for Google inside each CFS Policy and its corresponding CFS Action, select the Enable Google Force Safe Search option.

    Typically, Safe Search is a setting applied by Google on the client side. When this option is enabled, SonicOSX rewrites the DNS response for the Google domain to the Google Safe Search virtual IP address.

    This feature takes effect only after the DNS cache of the client host is refreshed.

  5. To access YouTube in Restricted (Safe Search) mode, select the Enable YouTube Restrict Mode option.

    YouTube Restricted mode screens out videos that may contain inappropriate content, as flagged by users and other signals. When this option is enabled, SonicOSX rewrites the DNS response for the YouTube domain to its Safe Search virtual IP address.

    This feature takes effect only after the DNS cache of the client host is refreshed.

  6. To override the Safe Search option for Bing inside each CFS Policy and its corresponding CFS Action, select the Enable Bing Force Safe Search option.

    When this option is enabled, SonicOSX rewrites the DNS response for the Bing domain to its Safe Search virtual IP address.

    This feature takes effect only after the DNS cache of the client host is refreshed.

  7. Click Wipe Cookies to remove the cookie traces of visited websites.

  8. Click Save.
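Because the Google, YouTube, and Bing options work by rewriting DNS answers, the quick check from a client is to resolve the ordinary hostname and compare it with the vendor's Safe Search host: after the rewrite, both should resolve to the same address(es). The following Python is an added example (not SonicOS code and not from this page). The Safe Search hostnames in the table are an assumption, taken from the vendors' published guidance rather than from this page; the check runs through the client's normal resolver, and a stub resolver is included so the logic can be exercised offline against a constructed answer table.

```python
import socket
from typing import Callable, Dict, Set

# Assumed vendor Safe Search hostnames (not listed on this page). After the
# firewall rewrites DNS answers, the ordinary hostname should resolve to the
# same address(es) as the corresponding Safe Search virtual IP host.
SAFE_SEARCH_VIPS: Dict[str, str] = {
    "www.google.com": "forcesafesearch.google.com",
    "www.youtube.com": "restrict.youtube.com",
    "www.bing.com": "strict.bing.com",
}

Resolver = Callable[[str], Set[str]]


def system_resolver(host: str) -> Set[str]:
    """Resolve through the client's normal DNS path, the one the firewall sees."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()


def check_safe_search(resolve: Resolver = system_resolver) -> Dict[str, bool]:
    """True per site when its A records are all addresses of the Safe Search host."""
    status: Dict[str, bool] = {}
    for site, vip_host in SAFE_SEARCH_VIPS.items():
        site_ips, vip_ips = resolve(site), resolve(vip_host)
        status[site] = bool(site_ips) and site_ips <= vip_ips
    return status


def make_stub_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Offline resolver backed by a constructed answer table (for testing)."""
    return lambda host: set(table.get(host, set()))


if __name__ == "__main__":
    for site, enforced in check_safe_search().items():
        print(f"{site:18s} safe search enforced: {enforced}")
```

Flush the client's DNS cache before running it (the page notes the rewrite only takes effect once the cache is refreshed). A false result on a host whose DNS does not pass through the firewall, for example a browser configured for DNS over HTTPS or a client pointed at an external resolver over a VPN, is expected: the rewrite can only act on DNS responses the firewall forwards.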

Passphrase

This screen appears in the Add Security Rule Action dialog.

To create a password-protected web page

  1. Navigate to OBJECT | Action Profiles > Security Action Profile. Click +Add/Edit and click the Content Filter tab.
  2. Scroll to the Passphrase tab.

  3. In the Enter Password field, enter the passphrase/password for the web site. The password can be up to 64 characters. You can enable or disable Mask Password to hide or reveal your password entry.

  4. Enter your password again in the Confirm Password field.

  5. Enter the time, in minutes, of the effective duration for a passphrase based on category or domain in the Active Time (minutes) field. The minimum time is 1 minute, the maximum is 9999, and the default is 60 minutes.

  6. A default Passphrase Page is already defined. You can fully customize the web page that is displayed when users attempt to access a blocked site, or replace it with your own page.

    To create the page that displays when a site is blocked:

    • To see a preview of the display, click Preview.
    • If you have not modified the provided code, clicking Preview displays the default web page. The web site URL, Client IP address, policy, reason, and active minutes are shown along with a field for entering the password.
    • To remove all content from the Passphrase Page field, click Clear.
    • To revert to the default passphrase page message, click Default.
  7. Click Save.
  8. Click the Confirm tab.

Confirm

Requiring confirmation (consent) only works for HTTP requests. HTTPS requests cannot be redirected to a Confirm page.

To create a restricted web page that requires confirmation before a user can view it

  1. Enter the time, in minutes, of the effective duration for a confirmed user, based on category or domain in the Active Time (minutes) field. The minimum time is 1 minute, the maximum is 9999, and the default is 60 minutes.
  2. A default page is already defined. You can fully customize the web page displayed to the user when access to a confirm site is attempted, or replace it with your own page.
  3. To see a preview of the display, click Preview.
  4. If you have not modified the provided code, clicking Preview displays the default web page. The web site URL, Client IP address, block policy, and the reason for the block are shown along with a field for entering the confirmation.
  5. To remove all content from the Confirm Page field, click Clear.
  6. To revert to the default blocked page message, click Default.
  7. Click Save.
  8. Click the Consent tab.

Consent

Consent only works for HTTP requests. HTTPS requests cannot be redirected to a Confirm (consent) page.

  1. To enable consent, which displays the Consent (Confirm) page when a user visits a site requiring consent before access, select the Enable Consent option. This option is not selected by default.

    When this option is selected, the other options become available.

  2. To re-display the Consent page after a period of inactivity, reminding users that their consent has expired, enter the idle-time duration in the User Idle Timeout (minutes) field. The minimum idle time is one minute, the maximum is 9999 minutes, and the default is 15 minutes.
  3. In the Consent Page URL (optional filtering) field, enter the URL of the website where a user is redirected if they go to a website requiring consent. The Consent page must:

    • Reside on a web server and be accessible as a URI by users on the network.
    • Contain links to the following two pages in the SonicWall appliance, which, when selected, tell the firewall the type of access the user wishes to have:
      • Unfiltered access: <appliance's LAN IP address>/iAccept.html
      • Filtered access: <appliance's LAN IP address>/iAcceptFilter.html
  4. In the Consent Page URL (mandatory filtering) field, enter the website URL where the user is redirected if they go to a website requiring mandatory filtering. The Consent page must:

    • Reside on a web server and be accessible as a URI by users on the network.
    • Contain a link to the <appliance's LAN IP address>/iAcceptFilter.html page in the SonicWall appliance, which tells the firewall that the user accepts filtered access.
  5. From the Mandatory Filtering Address drop-down menu, choose an Address Object that contains the configured IP addresses requiring mandatory filtering.

    Enable Consent must be enabled to activate this feature.

  6. Click Save.
  7. Click the Custom Header tab.

Custom Header

You can configure the firewall as a web proxy server to control web service, such as preventing users from signing in to some web services using any accounts other than the accounts provided, or restricting the content viewable by users. The web proxy server adds a custom header to all traffic matched by the Content Filtering policy, and the header identifies the domains whose users can access the web services or the content that users can access. Encrypted HTTPS traffic is supported if DPI-SSL is enabled.

This feature requires the following:

  • Content Filter Service is enabled.
  • Custom header insertion is enabled in the matched CFS profile object.
  • DPI-SSL is enabled for custom header insertion with encrypted HTTPS requests.

To configure a CFS custom header and enable custom header insertion

  1. Navigate to OBJECT | Action Profiles > Security Action Profile. Click +Add/Edit and click the Content Filter tab.
  2. Scroll to the Custom Header tab.

  3. Click +Add to configure the Domain, Key, and Value for the custom Dynamic Header entry.

  4. Click Save. The Header appears in the Custom Header list.
  5. Click Save.

Block Page and Logging

In this section you can create Block Page and Reporting Action objects that utilize the Profiles you established in OBJECT | Profile Objects > Block Page.

To configure the Block Page and Logging Security Action Profile

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Click +Add or click the Edit icon from the Configure column for the Action you would like to modify.
  3. Click the Block Page and Logging tab.

  4. Enter a friendly Action Profile Name.
  5. Under Web Block Page Settings, enable Show block page for dropped client web connections to serve a block page (the Global page, the Default page, or a custom Block Page you created under Profile Objects) for dropped client web connections.
  6. Enable Include Policy Block Details if you would like the block page to explain why the page was blocked. The details identify the matching policy to the user, so consider whether that is appropriate for guest or other untrusted zones.
  7. Select a Block Page Object from the Block Page Object drop-down menu. You can use the Global page, the Default Block Page, or a custom Block Page that you created in OBJECT | Profile Objects > Block Page.
  8. Under Reporting Profile, select a Reporting Profile Object from the Reporting Profile Object drop-down menu. You can use the Global profile, the Default profile, or a custom Reporting Profile that you created in OBJECT | Profile Objects > Block Page.
  9. Enable or disable Flow Reporting and Packet Monitor.
  10. Click Save.

Miscellaneous

In this section you can enable and disable additional settings in relation to your profiles and action objects.

To modify Miscellaneous settings

  1. Navigate to OBJECT | Action Profiles > Security Action Profile.
  2. Click +Add or click the Edit icon from the Configure column for the Action you would like to modify.
  3. Click the Miscellaneous tab.

  4. Enter a friendly Action Profile Name.
  5. Modify Connection Settings, Advanced Settings, SIP/H.323 Transformation settings, and so on.
  6. Click Save.
