SonicOS 6.2.1 Intro

Aug 19, 2016

@EstiNet Inc.

Yung-Sheng Lu, Terry Tsai, Daniel Fan

Outline

  • SonicWALL TZ600 Quick Start

  • Features

  • Command Line Interface (CLI)

  • About "Configuration"

  • Packet Monitor

  • Syslog

  • Log & SDN

SonicWALL TZ600 Quick Start

X0 LAN Port

X1 WAN Port

Console Port

Network Security Appliance

  • CLI on Serial Connection via Console Port
  • CLI in an SSH Management Session via Ethernet
  • Management Interface (Web UI)

Login Interface

  • Link:
    • http://192.168.10.18
    • http://192.168.30.18
  • Username: admin
  • Password: password
  • These are the factory defaults; change the admin password before the management interface is reachable from anything but the console. It can be changed in "Wizards" (Web UI)

Management Interface

Features

  • Fine-grained application control *
  • Real-time application monitoring *
  • Real-time bandwidth monitoring *
  • Real-time network service/application filtering and analysis *
  • User analysis
  • User/group filtering and analysis
  • Network analysis
  • Priority-based bandwidth management

Fine-grained application control

  • Per-application bandwidth management
  • Per-application traffic direction control
  • Application usage control
  • Blocking of confidential documents
  • Web content control

Real-time application monitoring

  • Current application usage
  • Monitoring and analysis by Top-N or by a single category
  • Configurable monitoring window, from one minute up to two months

Real-time bandwidth monitoring

  • Current bandwidth per interface and per application
  • Monitoring and analysis of transmitted and received volume
  • Configurable monitoring window, from one minute up to two months

Real-time network service filtering and analysis

  • Identifies the originating or receiving country and region
  • Shows the attack or virus types, and the packet contents, blocked by the Intrusion Prevention System (IPS), Gateway Anti-Virus (GAV) and Content Filtering Service (CFS)
  • Attacks against applications

Real-time user analysis

  • User session state
  • IP address assigned to each user
  • Volume sent and received per user
  • Attacks against each user

Real-time user/group filtering and analysis

Real-time application filtering and analysis

EX.1 Bandwidth saturated: check who is using it

Network analysis

Fields shown: MAC address, IP address, port, interface

Priority and bandwidth management

  • Priority management
    • VoIP applications
    • Key e-commerce sites
    • Key departments
  • Bandwidth management
    • Bandwidth guarantee
    • P2P download/upload limits
    • Streaming video guarantee/limit

EX.2 A new application that is not built in

  • More info. [Ref 3.] - [Ref 6.]

Command Line Interface

  • SSH Login
> ssh admin@192.168.10.18
> password    # Password

Command Line Interface

  • SonicOS CLI
  • Command Hierarchy
    • System Commands
    • Level Commands


About "Configuration"

  • Configuration Settings
  • Management and Monitor (App)
  • Security
  • Quality of Service
  • Others
  • Non-licensed

Non-licensed

  • app-control -
    Enter App Control Configuration Mode.
  • match-object -
    Add/edit match object and enter configuration mode.
  • action-object -
    Create/edit specified action object and enter its configuration mode.

Non-licensed

  • intrusion-prevention -
    Enter Intrusion Prevention Configuration Mode.
  • client-av-enforcement -
    Enter client Anti-Virus Enforcement Configuration Mode.
  • gateway-antivirus -
    Enter Gateway Anti-Virus Configuration Mode.
  • virtual-assist -
    Enter virtual assist configuration mode.

Configuration Settings

  • interface / interfaces
    Configure interface or add/edit sub-interface or WLAN tunnel interface.
  • routing - Enter routing configuration mode.
  • access-rule - Configure firewall access rule.
  • address-object / address-group
  • zone
  • voip - Enter VoIP configuration mode.
  • log

Management and Monitor

  • traceroute
  • ip-helper
  • network-monitor
  • packet-monitor
  • service-object / service-group
    Add/edit firewall service object/group and enter configuration mode.
  • schedule

Security

  • security-services
    Enter security services configuration mode.
  • mac-ip-anti-spoof
  • firewall - Configure firewall settings.
  • rbl -
    Enter Real-Time Blacklist Configuration Mode.
  • rbl-lookup -
    Look up the specified real-time blacklist.

Security

  • tcp - Configure TCP settings.
  • udp - Configure UDP settings.

Security

  • dpi-ssl
    • client
    • server
  • vpn - Configure VPN
  • ssl-control
    Enter SSL control mode and configure settings.
  • ssl-vpn - Configure SSL VPN.

Quality of Service

  • bandwidth-object
    Add/edit a bandwidth object and enter its configuration mode.
  • bandwidth-management
  • high-availability -
    Configure high-availability.

Others

  • web-proxy -
    Set automatic proxy forwarding (web-only).
  • multicast - Configure multicast.
  • icmp - Configure ICMP settings.
  • failover-lb -
    Enter failover and load balancing configuration mode.

Others

  • boot -
    Boot current or uploaded firmware image with current or default settings or boot system backup.
  • import -
    Import system firmware or configuration.
  • restore-defaults -
    Restore the device to factory default settings.
  • license - License configuration.
    • synchronize
    • upgrade

Packet Monitor

log format

Parse result

Get data - ssh & ftp

Get data - ftp

Syslog

Syslog format

  • pri - priority
  • m - message id
  • mac - MAC address
  • proto - protocol and service
  • src - source IP (ip:port:interface)
  • dst - destination IP (ip:port:interface)
  • c - legacy category
  • spkt/rpkt - packets sent/received

Priority & Facility

Per RFC 3164: the leading <PRI> value is facility × 8 + severity; severity 0 (emergency) to 7 (debug)

Syslog - Attack

  • DoS
    • Ping of Death (PoD)
    • ICMP/UDP flood
    • SYN flood
    • LAND
    • Smurf
    • Wireless flood
    • Nestea/Teardrop attack
  • Fragment
  • IP
    • IP spoof
    • IPsec replay
    • VPN IPsec auth. fail (ERROR)
  • ARP (None)
  • Email
  • FTP
  • Scan behavior
    • TCP FIN/XMAS/NULL
    • Port
  • Credentials
  • Alert
    • IPS detection
    • Anti-spyware prevention
    • Gateway Anti-virus
    • Drop WLAN traffic
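
The following parser, added here as a worked example and not taken from SonicOS or from the deck, ties the two syslog slides together: it splits the RFC 3164 <PRI> header into facility and severity, reads the key=value fields listed above (pri, m, c, src, dst, proto, spkt/rpkt), and sorts records into the attack categories of this slide by message text. The log lines in SAMPLE_LOGS are constructed for the example; the serial number, message ids and message strings are illustrative, and the category regexes are assumptions about message wording, not a SonicWALL message catalogue.

```python
"""Parse SonicWALL-style key=value syslog records and classify attack events.

Added example for this deck, not SonicOS code.  SAMPLE_LOGS is constructed:
serial number, message ids and message text are illustrative only.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164 severity names; the list index is the numeric severity (0..7).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Message-text patterns for the categories of the "Syslog - Attack" slide.
# Assumed wording; the first matching rule wins, so keep DoS before Fragment.
ATTACK_RULES: List[Tuple[str, "re.Pattern"]] = [
    ("DoS", re.compile(r"ping of death|icmp flood|udp flood|syn flood|land attack"
                       r"|smurf|teardrop|nestea|wireless flood", re.I)),
    ("Scan", re.compile(r"fin scan|xmas scan|null scan|port scan", re.I)),
    ("IP", re.compile(r"ip spoof|ipsec replay|ipsec auth", re.I)),
    ("Fragment", re.compile(r"fragment", re.I)),
    ("Alert", re.compile(r"ips detection|anti-spyware|gateway anti-virus|wlan", re.I)),
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # quoted values may hold spaces
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


@dataclass
class Event:
    facility: Optional[int]      # None when the <PRI> header is absent
    severity: str                # RFC 3164 severity name
    fields: Dict[str, str]
    category: Optional[str]      # None for ordinary traffic records


def parse_pri(line: str) -> Tuple[Optional[int], Optional[int], str]:
    """Split the RFC 3164 <PRI> header: PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    if pri > 191:                # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"invalid PRI {pri}")
    return pri // 8, pri % 8, m.group(2)


def parse_kv(body: str) -> Dict[str, str]:
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(body)}


def split_endpoint(value: str) -> Tuple[str, Optional[int], Optional[str]]:
    """src/dst are ip:port:interface; port and interface are optional.
    IPv4 only: an IPv6 literal would need a different split."""
    parts = value.split(":")
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    iface = parts[2] if len(parts) > 2 else None
    return parts[0], port, iface


def classify(msg: str) -> Optional[str]:
    for name, pattern in ATTACK_RULES:
        if pattern.search(msg):
            return name
    return None


def parse_line(line: str) -> Event:
    facility, severity, body = parse_pri(line)
    fields = parse_kv(body)
    if severity is None:         # no header: fall back to the pri= field
        severity = int(fields.get("pri", 6))
    return Event(facility, SEVERITY[severity], fields, classify(fields.get("msg", "")))


def summarize(lines: List[str]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Count attack categories and bytes (sent + rcvd) per source IP."""
    categories: Counter = Counter()
    bytes_by_src: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev.category:
            categories[ev.category] += 1
            continue
        ip, _, _ = split_endpoint(ev.fields.get("src", ""))
        bytes_by_src[ip] += int(ev.fields.get("sent", 0)) + int(ev.fields.get("rcvd", 0))
    return dict(categories), dict(bytes_by_src)


# Constructed sample records (illustrative ids and text, not real device output).
SAMPLE_LOGS = [
    '<134>id=firewall sn=000000000000 time="2016-08-19 10:15:02" fw=203.0.113.2 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.10.50:50321:X0 dst=198.51.100.7:443:X1 proto=tcp/https sent=1234 rcvd=56789 spkt=12 rpkt=40',
    '<134>id=firewall sn=000000000000 time="2016-08-19 10:15:04" fw=203.0.113.2 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.10.51:50400:X0 dst=198.51.100.8:80:X1 proto=tcp/http sent=800 rcvd=2200 spkt=9 rpkt=8',
    '<132>id=firewall sn=000000000000 time="2016-08-19 10:15:09" fw=203.0.113.2 pri=4 c=32 m=22 msg="Possible SYN Flood on IF X1" src=198.51.100.9:0:X1 dst=203.0.113.2:80:X1 proto=tcp/http',
    '<132>id=firewall sn=000000000000 time="2016-08-19 10:15:12" fw=203.0.113.2 pri=4 c=32 m=82 msg="Possible port scan detected" src=198.51.100.9:44012:X1 dst=203.0.113.2:22:X1 proto=tcp/ssh',
    'id=firewall sn=000000000000 time="2016-08-19 10:15:20" fw=203.0.113.2 pri=1 c=32 m=608 msg="IPS Detection Alert: WEB-ATTACKS" src=198.51.100.9:44100:X1 dst=192.168.10.20:8080:X0 proto=tcp/8080',
]

if __name__ == "__main__":
    cats, by_src = summarize(SAMPLE_LOGS)
    print("attack categories:", cats)
    print("bytes per source:", by_src)
```

The byte totals per source are what EX.1 ("bandwidth saturated: check who is using it") asks for from the log side; a record without a <PRI> header is still handled because the SonicWALL body carries its own pri= field.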

Example - attack

Example - traffic

Flow Chart

UML

References

By David Lu