I recently installed a brand new TZ215W at a new customer. I loaded the latest 5.9.x firmware (which I have used on other SonicWalls) and didn’t see any issues. But I did try something new and that is the “one touch” security config button that you see on the Settings page. I’ve never used it before and I thought, “what the hell, I’ll give it a shot”. What the hell, indeed …
Right from the get-go the firewall gave me problems with passing PPTP traffic through to the Windows server on the LAN. In fact, it would not pass the traffic at all. No matter what I tried, the firewall blocked at least the GRE portion of the connection. I even had SonicWall support look at the problem with absolutely zero success (the support engineer didn’t strike me as having much of a clue).
In the end I blew the firewall away, reloaded with 5.8 firmware and rebuilt (it was a simple config, anyway) and, surprise, surprise, it all worked! Of course I did NOT try the “one touch” config again (not even sure if that exists in 5.8), and I can’t be certain if the PPTP/GRE problem was a result of 5.9 OR of the One Touch config, but, either way, it is something to be wary of. I’ll do some more testing when I can of 5.9 firmware and PPTP but, for now, consider this a caution. And don’t use the One Touch config unless you are 100% certain of the settings it makes. While it is a great idea in theory, it may not work for you in practice.
The One-Touch setting feature is a little bit dangerous as you mentioned, especially if you opt for the “One-Touch DPI and Stateful Firewall” one.
From the GUI you can get a list of what is really activated, as below, where I have added some comments, all starting with “[Dennis:]”
FROM THE GUI:
Using the One-Touch DPI and Stateful Firewall high security applies the following configurations to the system. A system restart is then required for the updates to take full effect.
System>Administration
Password must be changed every 90 days
Bar repeated password changes for 4 changes
Enforce password complexity: Require alphabetic, numeric and symbolic characters
Apply the above password constraints for: all user categories
[Dennis: If you have Guest accounts this will in certain cases clash with the passwords automatically created]
Enable administrator/user lockout
Failed Login attempts per minute before lockout: 7
Enable inter-administrator messaging
Inter-administrator Messaging polling interval (seconds): 10
Network>Interfaces
Any interface allowing HTTP management is replaced with HTTPS Management
Any setting to ‘Add rule to enable redirect from HTTP to HTTPS’ is disabled
Ping Management is disabled on all interfaces
Network>Zones
Intrusion Prevention is enabled on all applicable default Zones
Gateway Anti-Virus protection is enabled on all applicable default Zones
Anti-Spyware protection is enabled on all applicable default Zones
App Rules is enabled on all applicable default Zones
SSL Control is enabled on all default Zones
Network>DNS
Enable DNS Rebinding protection
DNS Rebinding Action: Log Attack & Drop DNS Reply
Firewall>Access Rules
Any Firewall policy with an Action of Deny, the Action is changed Discard
Source IP Address connection limiting with a threshold of 128 connections is enabled for all firewall policies
Firewall>App Rules
If licensed, the Enable App Rules setting is turned on
Firewall Settings>Advanced
Turn on Enable Stealth Mode
Turn on Randomize IP ID
Turn off Decrement IP TTL for forwarded traffic
Connections are set to: DPI Connections (DPI services enabled with additional performance optimizations)
Turn on Enable IP header checksum enforcement
Turn on Enable UDP checksum enforcement
Firewall Settings>Flood Protection
Turn on Enforce strict TCP compliance with RFC 793 and RFC 1122
[Dennis: This setting will sometimes create very hard-to-troubleshoot issues. I have seen an HP ProCurve switch GUI get weird, seen this affect certain FTP sites’ performance, etc.]
Turn on Enable TCP handshake enforcement
Turn on Enable TCP checksum enforcement
Turn on Enable TCP handshake timeout
SYN Flood Protection Mode: Always proxy WAN client connections
Firewall Settings>SSL Control
Turn on Enable SSL Control
Set Action to: Block connection and log the event
For Configuration, enable all categories
[Dennis: SSL Control with these settings will reset any connection with a site using self-signed certificates]
VPN>Advanced
Turn on Enable IKE Dead Peer Detection
Turn on Enable Dead Peer Detection for Idle VPN sessions
Turn on Enable Fragmented Packet Handling
Turn on Ignore DF (Dont Fragment) Bit
Turn on Enable NAT Traversal
Turn on Clean up Active tunnels when Peer Gateway DNS name resolves to a different address
Turn on Preserve IKE port for Pass Through Connections
Security Services>Gateway Anti-Virus
If licensed, Enable Gateway Antivirus
Configure Gateway AV Settings: Turn on Disable SMTP Responses
Configure Gateway AV Settings: Turn off Disable detection of EICAR test virus
Configure Gateway AV Settings: Turn on Enable HTTP Byte-Range requests with Gateway AV
Configure Gateway AV Settings: Turn on Enable FTP REST request with Gateway AV
Configure Gateway AV Settings: Turn off Enable HTTP Clientless Notification Alerts
Security Services>Intrusion Prevention
If licensed, Enable IPS
Turn on Prevent All and Detect All for High Priority Attacks
Turn on Prevent All and Detect All for Medium Priority Attacks
Turn on Prevent All and Detect All for Low Priority Attacks
[Dennis: This setting was probably what killed your PPTP session, since a lot of “good” traffic is marked as LOW Prio. Preventing LOW Prio events will kill ICMP, MS Remote Access, etc. too]
Security Services>Anti-Spyware
If licensed, Enable Anti-Spyware
Turn on Prevent All and Detect All for High Priority Attacks
Turn on Prevent All and Detect All for Medium Priority Attacks
Turn on Prevent All and Detect All for Low Priority Attacks
Configure Anti-Spyware Settings: Turn on Disable SMTP Responses
Configure Anti-Spyware Settings: Turn off Enable HTTP Clientless Notification Alerts
AppFlow>Flow Reporting
Turn on Send AppFlow To Local Collector
Turn on Enable Real-Time Data Collection
Log>Log Monitor
Set Logging Level: Debug
Log>Name Resolution
Set Name Resolution Method to: DNS then NetBIOS
Internal Settings
Turn on Protect against TCP State Manipulation DoS
Turn on Apply IPS Signatures Bidirectionally
Allow launching of AppFlow Monitor in a stand-alone browser frame
Enable Visualization UI for Non-Admin/Config users
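As an added example (not part of either post, and not SonicWall's own tooling), a small triage script that reads firewall syslog lines and maps each drop back to the One-Touch setting Dennis flagged above, so the culprit can be found from the logs instead of rebuilding the unit. It assumes SonicWall's key=value syslog style; the sample lines, their message wording and the field names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in SonicWall's key=value style. Assumption: the
# field names and message wording are illustrative, not captures from the poster's TZ215W.
SAMPLE_LOG = """\
id=firewall time="2013-05-01 09:12:03" pri=1 msg="IPS Prevention Alert: PPTP GRE session" src=203.0.113.10:0:X1 dst=192.0.2.20:0:X0 proto=gre
id=firewall time="2013-05-01 09:12:05" pri=1 msg="IPS Prevention Alert: ICMP Echo Request" src=203.0.113.10:0:X1 dst=192.0.2.20:0:X0 proto=icmp
id=firewall time="2013-05-01 09:13:40" pri=1 msg="TCP packet dropped: strict RFC 793 compliance" src=192.0.2.31:51022:X0 dst=198.51.100.7:21:X1 proto=tcp/21
id=firewall time="2013-05-01 09:14:02" pri=1 msg="SSL Control: self-signed certificate blocked" src=192.0.2.31:51100:X0 dst=198.51.100.9:443:X1 proto=tcp/443
id=firewall time="2013-05-01 09:14:10" pri=6 msg="Web site access allowed" src=192.0.2.31:51101:X0 dst=198.51.100.9:80:X1 proto=tcp/80
"""

# Message pattern -> the One-Touch setting Dennis flags, plus the side effect he describes.
RULES = [
    (re.compile(r"IPS Prevention Alert", re.I),
     "Security Services>Intrusion Prevention: Prevent All for Low Priority Attacks",
     "kills PPTP/GRE, ICMP, MS Remote Access"),
    (re.compile(r"strict RFC 793", re.I),
     "Firewall Settings>Flood Protection: Enforce strict TCP compliance",
     "breaks some switch GUIs and FTP sites"),
    (re.compile(r"SSL Control", re.I),
     "Firewall Settings>SSL Control: Block connection, all categories",
     "resets connections to sites with self-signed certificates"),
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value syslog line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def triage(log_text):
    """Return one finding per dropped flow that maps back to a One-Touch setting."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        for pattern, setting, effect in RULES:
            if pattern.search(rec.get("msg", "")):
                findings.append({"setting": setting, "effect": effect,
                                 "proto": rec.get("proto"), "src": rec.get("src"),
                                 "dst": rec.get("dst")})
                break  # first matching rule wins; allowed traffic matches none
    return findings

def by_setting(findings):
    """Count drops per One-Touch setting so the noisiest one stands out."""
    return Counter(f["setting"] for f in findings)

if __name__ == "__main__":
    for setting, n in by_setting(triage(SAMPLE_LOG)).most_common():
        print(n, setting)
```

Point the script at a real syslog export (one line per event) and the count per setting shows which One-Touch change to back out first; the GRE finding is the pattern the original post describes.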