Sonicwall “Zones” and “Portshield Groups”

I was running a Sonicwall lunch and learn with Jeremy and Louis yesterday and it became pretty clear that there was a lot of confusion about zones and Portshield groups.  I figured if they were confused there is a pretty good chance that a lot of other people would be, as well.  So, here is my quick and dirty primer!

A zone on a Sonicwall is a network (or group of networks) that sits behind a firewall “barrier”.  All Sonicwalls ship with at least 2 pre-configured zones, LAN and WAN, and each zone is bound to one or more ports on the box.  Traffic between zones MUST pass through the firewall barrier and, by definition, through the access rules that are set for that pair of zones.  When you look at the rules matrix (like the following) it’s easy to picture the flow between zones:

[Screenshot: the firewall rules matrix, with zones on both axes]

You can see that there are firewall “barriers” between the LAN and the WAN and vice versa as well as barriers between the other zones; each of the blue buttons implies a firewall barrier.

You need to think about how your network traffic flows and where you need to impose firewall rules in order to figure out what zones you might need to create.  Keep in mind that zones also control how the various security services/features are applied (Gateway Anti-Virus, IPS, Anti-Spyware, etc.); it’s not just about firewall rules.  You could, for example, impose IPS or Content Filtering controls on one zone but not on another.  You can see which controls are enabled on a zone from the ZONE screen:

[Screenshot: the ZONE screen, showing which security services are enabled on each zone]

For the most part, zones encompass physical ports on the Sonicwall but there are zones that are “virtual” such as VPN, MULTICAST and SSLVPN.  The virtual zones work in the same fashion as the zones that contain physical ports, but their rules essentially “overlay” other zones.  As an example, there are rules that apply to all traffic passing from the WAN to the LAN.  However, a client connecting over the SSL VPN should have a different set of rules applied even though its packets arrive on the WAN port; once the tunnel is up, that client’s traffic is classified into the SSLVPN zone and the SSLVPN-to-LAN rules apply instead of the WAN-to-LAN rules, hence the need for the “virtual” zones.

So, to recap: a zone is a container for one or more networks that sit behind a specific firewall barrier, and that barrier imposes a specific set of firewall rules that controls traffic flow into and out of the group (zone).

OK, this is all well and good; zones make sense.  So how do you create zones and/or assign physical ports to a zone?  Glad you asked!

There are two distinct steps, creating the new zone and then manipulating ports.  Zone creation is accomplished from the ZONE screen by clicking the Add button and following the prompts (the following screenshot is from the newest 5.9 firmware, your machine may not show as many options).

[Screenshot: the Add Zone dialog, SonicOS 5.9]

The name can be anything descriptive that you would like.  The Security Type defines what the auto-generated firewall rules will be between this zone and other zones.  In this case I have selected Trusted as I’m defining this zone to be similar to my LAN zone.  One caveat worth checking before you pick: because LAN is also Trusted, the firewall auto-generates Allow rules in both directions between a new Trusted zone and the LAN, so a Trusted zone does not segregate anything from the LAN until you tighten those rules in the matrix.  If the new network is meant to be isolated (a DMZ, a guest network, a lab), Public is the better starting point, since traffic from a Public zone into a Trusted zone is denied by default.  The other options pretty much speak for themselves.

Once created the new zone shows up on the ZONE page:

[Screenshot: the ZONE page with the new TEST Network zone listed]

At this point I don’t have anything attached to the zone so now I have to go and assign a port to the zone and this leads into the discussion about Portshield.

Portshield is a fancy name for grouping ports into an internal switch.  In other words, Portshield allows me to group two or more ports together so that those ports function in the same way in the same zone.  Think of it as a small switch inside the Sonicwall, not a bonded or teamed link: putting ports in the same group does not add their bandwidth together.  When you run the Sonicwall Setup Wizard one of the things that you are prompted for is the port layout you would like:  LAN/WAN, LAN/OPT/WAN or LAN/WAN/LAN2.  This is simply setting up the default Portshield groups.  If you select LAN/WAN then X1 is assigned to the WAN and X0 (and all of the rest of the Xn ports) are assigned to the LAN.  This means there are two Portshield groups, one for the WAN and one, containing the rest of the ports, for the LAN.  Of course, your Portshield groups may look different (depending on your unit) but you get the drift.

Here are the Portshield groups on my TZ215 at this point:

[Screenshot: the Portshield Groups page on the TZ215]

I have a LAN Portshield group with one port (X0), a WAN Portshield group with 2 ports (X1 and X6) and the rest of my ports are unassigned, meaning they are not in any Portshield group and are available for use in a new group.  I want to assign X5 to my new TEST Network zone and give the port the appropriate IP addressing for that zone.  To do this I need to go to Network –> Interfaces and configure the interface.  When I click on the edit button for the X5 interface I get the following screen:

[Screenshot: the Edit Interface dialog for X5]

Note there is no Zone; it is “Unassigned”.  I have to pick a Zone from the dropdown:

[Screenshot: the Zone dropdown in the Edit Interface dialog]

Once I pick the zone I can fill in all of the appropriate IP info:

[Screenshot: X5 with the TEST Network zone selected and its IP settings filled in]

Clicking OK will save the config and I will have completed the setup; X5 is now live as the gateway on the TEST Network.  My firewall matrix screen will be updated with the new Zone and default firewall rules will be in place between this new zone and all of the pre-existing zones.  Those defaults are derived from the Security Type I picked, so this is the point to open the matrix and confirm that each pair (TEST to LAN, LAN to TEST, TEST to WAN, and so on) does what I actually intend before anything is plugged into X5.

[Screenshot: the rules matrix with the TEST Network zone added]
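As an added example (not from the original post and not Sonicwall’s own code), here is a small Python model of how the Security Type drives those default rules, plus an audit that lists the zone pairs you would still have to lock down by hand. The default-action table is my reading of the documented SonicOS behaviour for the Trusted, Public and Untrusted types (LAN to WAN Allow, WAN to LAN Deny, DMZ to LAN Deny, Trusted to Trusted Allow) and is marked as an assumption in the code; the zone names and the “must be isolated” policy are constructed for illustration. The same check applies if you go one zone per VLAN sub-interface rather than one zone per port.

```python
"""Model of the default access rules a SonicOS firewall generates from zone
Security Types, plus an audit that flags zone pairs left Allow-by-default
that you intended to segregate.

ASSUMPTION: default_action() encodes the commonly documented SonicOS defaults
for Trusted/Public/Untrusted zones.  Verify it against the matrix on your unit;
Wireless, Encrypted (VPN) and SSLVPN types are deliberately not modelled.
"""
from __future__ import annotations

from itertools import product

TRUSTED, PUBLIC, UNTRUSTED = "Trusted", "Public", "Untrusted"


def default_action(src_type: str, dst_type: str, same_zone: bool = False) -> str:
    """Return 'Allow' or 'Deny' for traffic from a src_type zone to a dst_type zone.

    Intra-zone traffic (same_zone=True) is modelled as Allow, matching the
    'Allow Interface Trust' default on the Add Zone dialog (assumption).
    """
    if same_zone:
        return "Allow"
    if src_type == UNTRUSTED:  # WAN may not initiate into anything
        return "Deny"
    if src_type == TRUSTED:  # LAN-like zones reach every other zone by default
        return "Allow"
    if src_type == PUBLIC:  # DMZ-like zones: out to WAN yes, into LAN/other DMZ no
        return "Allow" if dst_type == UNTRUSTED else "Deny"
    raise ValueError(f"unknown security type: {src_type}")


def build_matrix(zones: dict[str, str]) -> dict[tuple[str, str], str]:
    """Build the zone-to-zone rules matrix, e.g. matrix[('TEST', 'LAN')] == 'Allow'."""
    return {
        (src, dst): default_action(zones[src], zones[dst], same_zone=(src == dst))
        for src, dst in product(zones, repeat=2)
    }


def audit(matrix: dict[tuple[str, str], str],
          must_be_isolated: set[frozenset[str]]) -> list[tuple[str, str]]:
    """Return (src, dst) pairs the defaults leave Allow but the policy wants Deny.

    must_be_isolated holds unordered pairs, e.g. frozenset({'TEST', 'LAN'}),
    meaning neither direction between the two zones may be allowed.
    """
    return [
        (src, dst)
        for (src, dst), action in sorted(matrix.items())
        if src != dst and frozenset((src, dst)) in must_be_isolated and action == "Allow"
    ]


def compare_security_types(new_zone: str, zones: dict[str, str],
                           isolated_from: set[str]) -> dict[str, list[tuple[str, str]]]:
    """For each candidate Security Type of new_zone, list the pairs that would
    still need hand-written Deny rules to keep new_zone isolated from isolated_from."""
    policy = {frozenset((new_zone, other)) for other in isolated_from}
    result = {}
    for sec_type in (TRUSTED, PUBLIC):
        trial = dict(zones, **{new_zone: sec_type})
        result[sec_type] = audit(build_matrix(trial), policy)
    return result


if __name__ == "__main__":
    # Constructed example: the stock LAN/WAN/DMZ zones plus the new TEST zone from the post.
    existing = {"LAN": TRUSTED, "WAN": UNTRUSTED, "DMZ": PUBLIC}
    matrix = build_matrix(dict(existing, TEST=TRUSTED))
    for (src, dst), action in sorted(matrix.items()):
        print(f"{src:>5} -> {dst:<5} {action}")
    print("open pairs with TEST as Trusted:", audit(matrix, {frozenset(("TEST", "LAN"))}))
    print("per Security Type:", compare_security_types("TEST", existing, {"LAN"}))
```

Running it shows that a Trusted TEST zone is open to and from the LAN in both directions, and that even a Public TEST zone still needs a hand-written LAN-to-TEST Deny if nothing on the LAN should reach it; the defaults only close the inbound direction.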

I can remove the port from the Zone by reversing my previous steps and simply put the port back into Unassigned status.  This effectively pulls the zone from the firewall matrix.

Now for a slight variation on the theme.  In the last case I added the port to a zone and set IP addressing on it which made it the gateway for that zone.  What if I just want to add another port to an existing zone that already has a gateway?  The port does not need an address in this case, and it has to be Unassigned before you start.  This is pretty simple!

Go to Network –> Portshield Groups and click on the edit button for the port.

[Screenshot: the Portshield Groups page with the edit button for X5]

Clicking on the Portshield Interface dropdown allows me to select a zone gateway port (a Portshield Interface) to attach to:

[Screenshot: the Portshield Interface dropdown for X5]

By selecting the X0 interface we add the X5 port onto the same network as the X0 port and use X0 as the gateway; X5 inherits X0’s zone and addressing.

[Screenshot: the Portshield Groups page with X5 now a member of the X0 group]

Now there are two ports in the X0 Portshield group.

I hope this discussion helps you to better understand Zones and Portshield groups on your Sonicwall.

33 responses to “Sonicwall “Zones” and “Portshield Groups”

  1. question, i can no longer make port shield groups like i used to after updating the firmware to the last few.
    old groups i had are fine, but if i take one off now, it goes away permanently and i can’t add it back.

    i heard SW would add the functionality back, do you have any ideas?

    1. I’m not sure what you mean by this as I have not had any issues with PortShield groups on newer firmware. However, I can tell you that I have run into problems if I make a big jump in firmware levels sometimes to the point of having to factory reset the box then import previous settings or even recreate settings. One thing I do know is that older, slower units like TZ100’s probably should not go past the 5.8.x firmware. I’ve upgraded a few TZ100’s to 5.9 and I no longer have the ability on those units to create backup settings (boo, Sonicwall) and they seem to be “bogged down” under that firmware. Newer faster units like TZ215’s, NSA220’s and such really do well under 5.9.

      Keep in mind that it really is a best practice to export your settings before you flash your firmware to a newer version, especially so when there is a lot of new functionality being added. I’ve learned the hard way that it can be pretty hard to downrev to an older firmware and keep settings in place. A settings export can be your saviour when it all goes wrong.

  2. Hi,
    I have a question. Just recently go a SonicWall. I have X0 configured with multiple VLANS (I have separate networks (Guests, LAN, Wifi) on different VLANS)
    I also have multiple switches, and need the X0 configuration to be replicated to X2, X3 (So each of these can connect to a different switch)
    Is port aggregation the way to go? How do I achieve this?

    1. If you just need the configuration to be applied to X2, X3 and you do NOT need to change gateways then, yes, PortShield X2 and X3 to X0 and X2 and X3 will take on the exact same characteristics of X0. I’m not sure I would have set things up the way you have with the multiple VLAN’s off X0 but, in the end, it comes down to whatever works for you. I assume that you have X2 and X3 sitting as “Unassigned” at this point. To bind X2 and X3 to X0 in PortShield, login to your Sonicwall and go to Network –> PortShield Groups. Click on the edit icon (pencil) on the port you want to change (X2, X3) and then select X0 at the PortShield Interface selection and click OK to save. That’s it! The port is now bound to X0 with the exact same characteristics as X0. In essence, the PortShield group creates a “mini-switch” inside the Sonicwall and all ports assigned to that group act like ports on a switch behind the gateway IP(‘s) assigned to the main port. In your case, the VLAN’s will also end up being bound to the assigned ports and all should be good.

      Let me know how it works out for you.

      Robert

      1. Hi Robert

        Thank you for your reply. I will try the configuration. You’ve mentioned you wouldn’t create the vlans on X0. How would you recommend it be done?

        Thanks
        Shruthi

        1. Hi, Shruthi:

          I wasn’t so much commenting on creating VLAN’s on X0 (which you can, as you have seen) as I was commenting on how I would not, necessarily, mix and match different categories of traffic (Guest, Wifi) on the same port. That said, so long as you have classified the traffic correctly and have set the firewall zones, there should be no issue. I would have split the traffic out to different ports to give max bandwidth (but that’s just me …).

          1. Hi Robert

            Thanks. I actually hadn’t thought about it that way. Let me see what the best design would be. Thanks again for your help! I’ll let you know how the configuration works.

          2. Hi, Shruthi:
            No problem, my pleasure! Let me know how it goes, always interesting to see another tech’s “take” on these things.

            Robert

          3. Hey Robert, I am currently setting up a network with a TZ215 and several VLAN’s, and am trying to determine exactly how to set things up. I came across your post here, and am interested in how segregating different types of traffic would provide max bandwidth?

            In my mind, if I’m aggregating multiple ports together and allowing all VLAN’s on this one interface, I will be able to achieve the theoretical max for the combined interfaces, regardless of which VLAN may have more / less traffic. If it were physically separated in a VLAN per port basis, and VLAN100 had nearly no traffic, but VLAN200 was dropping traffic due to overutilization, would I not have been better in an aggregate situation?

            Sorry to necro a little, I know your answer is rather dated now, but like I said I am planning a deployment with 100+ HD cameras (1 VLAN), 40 LAN users (2nd VLAN), access control equipment (3rd), management (4th), and wireless (5th). I am trying to decide if router-on-a-sticking the Sonicwall is a good idea, and if so, if I am going to aggregate the interfaces, which is why I value your feedback!

            Thanks, Tom.

          4. Hi, Tom!

            Wow, lots of stuff to think about. With a Sonicwall, when you aggregate ports it is as a “switch” and not as a “team” (as in bonded NIC’s). I’m not sure that you will get the throughput you are looking for unless, somehow, the traffic is spread across all the ports that are supporting the VLAN’s. But if VLAN200 is saturated and it is only coming in on, say, X3, having X4 and X5 also part of the same port-switch isn’t really going to help. On the other hand, if your switching downstream of the Sonicwall is spreading the load out across all the port-switch ports on the Sonicwall, then you’ll get better performance. To be honest, with the network that you describe I think you are going to find the TZ215 to be underpowered and not able to perform the way that you want. If you can, look at upgrading to one of the new TZ family like a TZ300 or TZ400. The new TZ’s (other than the TZ SOHO) are Gen6 boxes with greatly improved performance and abilities (a mix of new hardware and SonicOS 6 firmware). Sonicwall does offer “tradein” deals where you can get a new box c/w 2 years of CGSS coverage for the price of the same box with only 1 year CGSS coverage. Decent deal considering what they ask for CGSS on a year over year basis.

          5. Ah yes, point taken. In my mind I was considering a scenario where all switches would be collecting some traffic from each VLAN, opposed to a physical switch per VLAN; not exactly ‘load-balanced’, but far from all high-def video entering one physical interface (and VLAN), yet a small amount of mgmt traffic on another. Thanks for the clarification!

            I didn’t really lay out my network appropriately for simplicity of my post, I was mostly interested in the aggregate question I had asked. The TZ215 should be fine for what I need of it – all 100 HD cameras on their own VLAN feed recording servers on the same subnet; none of this traffic is required to traverse the firewall, with the exception of an operator console for viewing/reviewing the camera feeds. Regular LAN traffic destined for the internet would of course traverse the firewall, but similar to the camera subnet, any local network resources (samba shares, etc) would largely be on the same subnet. For the most part, the Sonicwall will be playing a 40 user SMB role, with some interVLAN routing and firewalling for security for me, but not much traffic by volume between VLANs.

            Like the site, you have a lot of Sonicwall knowledge which is great for someone reasonably new to them (like me!). Keep up the great work!

            Tom

          6. Tom:

            Thanks for the update and the compliments! Glad I could help.

            Robert

  3. Hi Robert,
    Just wanted to let you know that I did the PortShield config and it worked. I also split my vlans (Have similar zones on X0, X2, X3 and the others on a X5)
    So far so good, I’m live. Any idea where I can get a good list of standard firewall rules? Currently my config is fairly open and I definitely want to change that

    Thank you for your help!

    1. Shruthi:

      Excellent! Glad to hear that things are working for you!! As for standard firewall rules — there really isn’t such a thing as each organization has its own, unique requirements. That said, my rule of thumb is to lock down certain access such as outbound SMTP traffic. SMTP should ONLY be allowed outbound from your actual mail servers and/or specified devices. I’m going to shoot you my email address so you can give me a bit more detail about what you are doing and maybe I can make a few suggestions for you.

      Robert

  4. Hi, Let me ask you one doubt. As above mentioned configuration If I connect a sonicpoint to X5 interface will I get the same IP range of X0 interface for the wireless users?

    Thank u

    Soji Daniel

    1. Soji:

      I’m not sure how you have set up your wireless users, I assume that they are NOT on a different subnet from that on the X1 interface. So, if this is the case and, for example, you have subnet 192.168.1.0 on the X0 interface and wireless users are picking up 192.168.1.x addresses then, yes, X5 can also pass out the same addresses. To do this the X5 interface has to be PortShielded to the X0 interface (which means that X0 and X5 are all on the same internal “switch”). If you haven’t changed the basic configuration of the firewall (you picked the default settings when you first set up the unit) then all ports after X1 will be PortShielded to X0 (they are all LAN ports). If you have changed the configuration then you will have to look at your settings and determine if X5 can be PortShielded to X0.

      Robert

  5. I have a second lan with an EOC (Ethernet over Coax). I need to only allow 192.168.25.0 traffic across ports x2 and x3. Can I do that?

    1. Mike:

      Yes, you should be able to do that. I assume that the 192.168.25.0 net is all that you will allow on X2 and X3. If so, best thing to do is set your gateway IP on X2 (eg 192.168.25.1 or 25.254) and then Portshield X3 to X2, this makes X2 and X3 a “mini-switch” that only passes .25.x traffic and then you can actually set firewall rules between the .25.0 network and your other networks (think of the .25 network as its own ZONE and you’ll see what I mean). Let me know how it goes. Ping me if you need more help.

      Robert

  6. Hi, can this be used to increase my wan speed?
    I have two wan 8mbps adsl and want to increase upload which is currently 1Mb for each line?

    1. No, you cannot increase your upload speed using PortShield. Your upload speed will be constrained by two main factors: 1) What is the speed your ISP gives you (max upload bandwidth) and, 2) what scanning do you have in place. Sonicwall UTM models can really bog down when a lot of scanning is in place and the TZ series models generally cannot keep up with the full bandwidth provided by the ISP’s. (This is a broad statement but true overall, the new TZ series (TZ300, 400, 500, 600) have been built to address this issue as they have a load more horsepower than the older models). If you have two WAN feeds then you could set up some rules to manage traffic so that you can better utilize the bandwidth you have available to you, otherwise one feed is liable to be more used on UPLOAD than the other. As an example in our office we have feeds from two different ISP’s. I have rules in place that explicitly map our workstations to one of the WAN feeds for outbound connections leaving the other feed for our server-driven traffic. Kind of a “poor man’s load balancing” but it ensures that one feed is not overloaded with all of our outbound traffic. Our inbound traffic is split across both feeds, as well, based on our external DNS settings. The net effect is bandwidth is better utilized but I have not “doubled” speed.

      Hope this helps!

      Robert

  7. Thanks for this post, it was helpful but I still have a few questions.
    TZ210
    SonicOS Enhanced 5.8.1.15-71o

    I’m running 2-4 VLANs (tagged VLANs from Virtual machines) and currently have them set up as follows:
    LAN X0 10.10.0.x
    VLAN 20 10.10.2.x
    VLAN 30 10.10.3.x
    etc

    These VLANs are all sub zones on the main x0 interface (so X0:V20 X0:V30 etc)

    By default these VLANs are allowed to communicate with each other.
    I do not want this but instead want them segregated.

    Does this mean I need to have a separate physical link from my downstream switch handling each VLAN to a separate physical interface on the sonicwall? (Currently all VLAN’s are passed through port 1 and allowing that particular VLAN through)

    I understand I can go create access rules to deny, but it seems like it might be a lot of rules each time i create a VLAN.

    Whats the best/correct way to segregate these VLANs.

    Thank you for your time

    1. Hi, Dan:

      You can create new Zones, one per VLAN. By default, Zones create firewall boundaries so you can quickly allow/deny communications between the Zones. This means that you have firewall rules but probably way fewer than you would just having one LAN zone then creating a bunch of rules within the LAN zone to allow/deny traffic between the VLAN’s. And Zones would not require segregating the traffic to individual ports. If you look at my posts on wireless and SonicPoints you’ll get the idea as it is the same idea. Each VLAN ends up with its own gateway IP on the firewall and its own Zone. You then have total control on traffic egress/ingress on each VLAN, between the VLAN’s and beyond the VLAN’s.

      Hope this helps, let me know how it goes.

      Robert

  8. Interesting article about VLANS, however I have a question, can you assign the same VLAN over multiple SonicWALL interfaces (we have a SonicWALL 3600)? Reason being – we are having to connect a mobile network which in fact is a CCTV trailer on the move. This CCTV trailer will connect to various established networks when going from place to place around our town (the actual WAN networks in town consist of microwave links – and there will be a microwave link from the trailer to the nearby microwave network). Each of these established CCTV subnets all converge to the same SonicWALL 3600 – but each partitioned subnet has its own interface on the SW (the 3600 has many physical interfaces). However the problem with the mobile network is that we can’t setup a static return route because the trailer will hop from interface to interface (effectively). So – thoughts were to just have a single VLAN configured on each interface so that when the trailer hooks up that VLAN will be active across the transparent bridge.

    1. Chris: Apologies for being tardy responding to this question. I don’t have enough experience with VLAN’s to properly answer your question I’m afraid. I *believe* the VLAN’s can be configured so they would be available across the bridge but I cannot say for sure. This is one that you really should take to Dell Sonicwall support.

      Robert

  9. Thanks for the info.

    Question, is it possible to do portshield groups with port redundancy? I want everything on X0 to be replicated to X5 and X6 be redundant to X5. Meaning I have 2 switches stacked for redundancy with right now each switch is plugged into X5 and X6 with X6 set as redundant to X5. That way if 1 switch dies, traffic is still flowing. Will putting these 2 ports into a portshield group maintain the same functionality?

    1. John:

      I’m not sure I completely understand your question BUT a Portshield group in essence is a “mini switch”, each port has the same characteristics as the others in the group (just like on a switch). So, in theory, it SHOULD work as you think!

      Robert

      1. I guess I wasn’t very clear. I figured it out, portshield 2 interfaces and enable link aggregation on the sonicwall and the switch for load balancing, then if 1 switch goes down, the other takes over. It is working perfectly for what I need. Thanks.

  10. Thanks for the info, makes things a bit clearer.

    Can I run my scenario by you?
    I have 2x SW NSA3600 in HA. On our network we have some devices/PC’s which we would like to segregate from the rest of the network. The option I was originally thinking of was to create another VLAN in a different subnet and assign the devices to it, change their IP addresses etc and create FW rules for access. The problem is reconfiguring the devices with new settings is going to break a few things.
    If I understand correctly, I should be able to use portshield in this instance? I.e. create the new VLAN on our switches, and connect this VLAN through the second portshield interface and create rules for access etc. without having to change IP addresses of the devices i want to segregate?

    1. Hi, Greg:

      I think I understand what you are thinking. For the sake of argument, let’s say that you have all of your non-WAN ports in the same portshield group so they are all on the same “switch” on the same LAN Zone (eg 192.168.1.X). You want to end up with a net new ZONE (let’s call it LAN2) with its own subnet (eg 192.168.100.x) segregated to a specific port or group of ports on the 3600 (let’s use X4 for this discussion). So, yes, you can create the new zone, portshield the port so that it is its own “network”, apply the new subnet (192.168.100.X) to the port and you are set. Because the port is in a new zone you automatically have a firewall boundary created that allows you to set firewall rules for ingress/egress to/from the new zone to other zones on the firewall.

      This will work and NOT break things for you so long as the subnet/vlan you want to use on the new zone already exists in terms of the IP addresses you are already using on your network devices. Keep in mind that you will have to remove that vlan or subnet from the current LAN zone before you attempt to plug it into the new zone you want to create. You might get caught out with your netmask on the current zone as the firewall might “fight” you if your netmask on the current zone is broad enough to cover the network you want to create on the new zone.

      Hope this helps! Let me know how you make out.

      Robert

      1. Hmm not quite, maybe I don’t understand portshield as much as I thought.

        What I was thinking was segregating a hand full of devices that are currently on our LAN without changing their IP’s.
        E.g. if our LAN subnet was 172.16.0.0. We have a number of machines on it that should really have been segregated from the start but for one reason or another weren’t. I was hoping that portshield would allow me to keep the addressing and also firewall them from the rest of the LAN.
        So, new VLAN just for these devices. Same subnet, etc.

        If it’s not possible then we will just have to bite the bullet and change these devices to use a new subnet.

        Thanks,
        Greg

        1. Greg:
          OK, If I understand correctly, you just want to move one VLAN to a new portshield group and keep everything else the same, correct? Portshield WILL allow the firewalling, I’m not 100% sure about just moving a VLAN (I’d have to do some digging to figure it out). Let me know if this is what you want and I’ll see if I can figure it out. Sounds like a fun puzzle!

          Robert

          1. Yeah pretty much, except only a handful of devices on the VLAN.

            So simplified version of what I would *like* to do:
            Say I have just one VLAN, VLAN1, on my switches containing all of my devices on the 172.16.0.0 subnet and physically presented on the firewall port X3.
            The devices I would like to move are for example 172.16.1.10-13.
            Create a new VLAN on the switches, VLAN2, move the 172.16.1.10-13 devices onto that VLAN and physically present it to the firewall on port X9 for instance. So that although they are part of the same subnet, traffic between them is firewalled.

            Hopefully that makes sense.

            Thanks,
            Greg

          2. Greg:

            Yes, that makes sense and I think it is doable. You will need to portshield off one port and you need to give it a gateway address on the 172.16.0.0 subnet and also you will need to create a Zone to bind it to. Then create the VLAN2 on it and see how it goes. The key is the gateway address as it will tie in routing rules. IF the system lets you create the gateway address on the port then all of the rest of it will fall into place. If you CAN’T create the gateway then you are stuck.

            There might be other ways to accomplish what you want, if your unit is under support you can call SonicWALL for help, they are usually pretty good at walking you through the steps.

            Robert
