SonicPoint-Ne / SonicPoint-Ni Getting Started Guide
SonicWALL SonicPoint-Ne / SonicPoint-Ni Getting Started Guide
This Getting Started Guide provides instructions for basic installation and configuration of the SonicWALL SonicPoint-Ne / SonicPoint-Ni wireless appliances in single-unit or distributed wireless deployments.

Step Procedure Est. Time

Before You Begin - page 3 Introduction to Secure Wireless - page 7 Registering Your Appliance - page 13 Configuring Your UTM Appliance for Wireless - page 17 Setting Up Your SonicPoint - page 23
Additional Configuration and Information
Support and Training Options - page 31 Product Safety and Regulatory Information - page 37
SonicWALL SonicPoint Getting Started Guide Page 1
SonicPoint Top Panel / Status LEDs

Antenna Connect

(SonicPoint-N ion e On s ly )

Power Test SafeMode

Status LEDs
(SonicPoint-Ne only) Provides 12VDC power connection Provides Power over Ethernet (PoE) and Ethernet connection

Power Port

cons o

LAN/PoE Port

Console Port
Provides management connection using CLI->DB9 cable (for command line management only)
Page 2 SonicPoint Top Panel / Status LEDs
Wireless Link Wireless Activity 1000mbps 100mbps 10Mbps

Ethernet Activity

Reset Button
Press and hold to manually reset

Before You Begin

In this Section:
This section provides a basic checklist of materials and information you will need before you begin. Check Package Contents - page 4 What You Need to Begin - page 5
SonicWALL SonicPoint Getting Started Guide Page 3

Check Package Contents

Before continuing, ensure that your SonicPoint package contains the following materials:
SonicPoint-Ne Appliance Checklist
This Getting Started Guide Document SonicPoint-Ne Appliance Mounting Kit (Ceiling Braces, Anchor and Screw Kit) Front LED/Logo Cover Plate Antennas (3) Power Adaptora
SonicPoint-Ni Appliance Checklist
This Getting Started Guide Document SonicPoint-Ni Appliance Mounting Kit (Ceiling Braces, Anchor and Screw Kit) Front LED/Logo Cover Plate
a. The included power cord is intended for use in North America only.

Any Items Missing?

If any of the items corresponding to your product are missing from the package, please contact SonicWALL support. A listing of the most current support documents are available online at: <http://www.sonicwall.com/us/support.html>
Page 4 Check Package Contents

What You Need to Begin

The SonicWALL SonicPoint-Ne/Ni security appliances are centrally managed by SonicWALL NSA E-Class appliances. For more information on deploying this SonicPoint with SonicWALL NSA series and TZ series platforms, contact your local SonicWALL sales representative for the supported SonicOS releases. SonicPoints receive auto-firmware updates from the central gateway SonicWALL, this device supports SonicOS 5.6.0.3 or higher releases. In addition to the above SonicOS firmware and hardware requirements, ensure that your network deployment includes: An 802.3af compliant PoE injector or PoE-capable switch (optional when using the SonicPoint-Ne) An active Internet connection A configured interface on the SonicWALL security appliance set to a zone type of wireless A location selected for placement of your SonicPoint such as a wall or ceiling Clients capable of 802.11n wireless communications1
1. Although clients with 802.11a/b/g hardware are supported, the presence of these legacy clients within range of your network may affect the connection speed of your 802.11n clients.
SonicWALL SonicPoint Getting Started Guide Page 5

Page 6

Introduction to Secure Wireless
This section contains excerpts from the SonicWALL Secure Wireless Network Integrated Solutions Guide. The content is meant to provide a brief introduction to Radio Frequency (RF) technology as it pertains to different deployment scenarios. Wireless RF Introduction - page 8 Placing Access Points - page 10 SonicWALL Wireless Firewalling - page 12
SonicWALL SonicPoint Getting Started Guide Page 7

Wireless RF Introduction

There are currently four widely adopted standards for 802.11 wireless network types: a, b, g, and n. Although 802.11n is the newest and highest capacity standard, each of the four standards has its own strengths and weaknesses. This section provides overviews of these standards. The following section provides a brief overview of RF technologies: Frequency Bands and Channels - page 8 802.11 Comparison Chart - page 8 Radio Frequency Barriers - page 9 RF Interference - page 9

802.11 Comparison Chart

The following table compares signal characteristics as they apply to the current 802.11 standards:
802.11a # of Channels in USA # of Channels in EU # of Channels in Japan Frequency Band Max. Data Rate Radius (Range) 15 5GHz 54Mbps 90ft/25m 802.11b 14 2.4GHz 11Mbps 120ft/ 35m 802.11g 14 2.4GHz 54Mbps 120ft/ 35m 802.11n 14 2.4/5GHz 150Mbps 300Mbpsa 300ft/90m
Frequency Bands and Channels
To allow multiple separate wireless networks in a shared and confined space, the RF medium is divided into channels. For devices in the 5GHz range (802.11a), this means the possibility of up to 23 discrete channels. For devices using the 2.4GHz range (802.11b, 802.11g), the wireless space is limited to a maximum of 14 overlapping channels. As a result of these overlapping channels, 2.4GHz technology provides only a total of three discrete channels. The newer 802.11n technology does not fit into either of these categories, as it is capable of using both 2.4GHz and 5GHz, but is limited to 14 overlapping channels for backward compatibility.
a. Full 300Mbps throughput is possible only in environments free from 2.4Ghz interference.
Note: Although 802.11b/g/n standards provide between 11
and 14 channels, only 3 of those channels are fully discrete (non-overlapping) channels. For more information on this topic, refer to the SonicWALL Secure Wireless Networking Integrated Solutions Guide.
Page 8 Wireless RF Introduction

Radio Frequency Barriers

Determining the location of RF barriers can be a painful part of the placement process, but keep in mind that they can be used beneficially in an attempt to block signals where you do not want coverage. The following tables list some common RF barrier types:
Barrier Type Open air Glass, drywall, cube partitions Stone floors and walls (brick/marble/granite) Concrete, security glass, stacked books/paper Metal, metal mesh (chicken wire), re-enforced concrete, water Faraday cage RF Signal Blocking Very Low Low Medium High Very High Extremely High

RF Interference

RF interference from home, office, and medical equipment is a common source of frustration in wireless deployments from the smallest home office to the largest multi-building campus. The following table lists several common sources of RF interference:
Interference Source 2.4GHz phones Bluetooth devices Microwave oven
Possible RF Interference Entire range (hundreds of feet) Within 30 feet Within 10-20 feet Short distance, varies Entire range Long-range wireless bridging
Band(s) Affected 802.11b/g/n 802.11b/g/n 802.11b/g/n 802.11b/g/n All All
Scientific and medical equipment Off-network access points RF reflective objects
a. Most newer model microwave ovens have sufficient shielding to negate possible RF interference.
SonicWALL SonicPoint Getting Started Guide Page 9

Placing Access Points

Problem Wireless product test labs and other (nonmalicious) rogue access points are problems in many Wi-Fi deployments. Solution Either eliminate all rogue access points, or force their owners to use a set channel that does not overlap with your distributed wireless solution.
Location B Spectrum noise for 2.4 GHz and 5 GHz
Problem Your phone system is partially wireless and uses the 2.4GHz spectrum. Solution Give VoIP a try. VoIP will work in tandem with your wireless network, instead of against it. For more on SonicWALL VoIP implementation and capabilities, refer to the Configuring VoIP SonicOS feature module available at: http://www.sonicwall.com/us/support.html
Location C Off-network access points
Problem Your neighbors need wireless, too! Unfortunately, only a few sheets of drywall separate you. Solution Overpowering your neighbors with high-gain antennas is an option, but not a particularly neighborly one. Instead, you could simply use a different channel for wireless access points bordering this wall and ensure that your neighbors do the same. Performance in some dualchannel wireless devices may take a hit, but it is better than dropped connectionsor unhappy neighbors.
SonicWALL SonicPoint Getting Started Guide Page 11
SonicWALL Wireless Firewalling
When a wireless device uses an access point to communicate with a device on another subnet or on a completely different network, traffic between the devices is forced to traverse the network gateway. This traversal enables Unified Threat Management (UTM) services to be enforced at the gateway. Standard practice for wireless firewalling (where one wireless client is communicating with another) bypasses many of the critical UTM security services. The illustration below shows the standard practice for wireless firewalling.
SonicWALL addresses this security shortcoming by managing the SonicPoint access points from the UTM appliance. This allows complete control of the wireless space, including zone enforcement of security services and complete firewalling capabilities, as shown in the illustration below.

SonicWALL SonicPoint

SonicWALL appliance
Content Filtering Service Client Anti-Virus Enforcement Gateway Anti-Virus Gateway Anti-Spyware

Other Security Appliance

Content Filtering Service Client Anti-Virus Enforcement Gateway Anti-Virus Gateway Anti-Spyware Intrusion Prevention Service
Intrusion Prevention Service

WLAN Zone

Security Services
Security Services WLAN Zone
Many security products on the market share this potential vulnerability when two users connected by a common hub or wireless access point wish to exchange data.
Page 12 SonicWALL Wireless Firewalling
Registering Your Appliance

This section provides instructions for registering your SonicWALL SonicPoint appliance. Creating a MySonicWALL Account - page 14 Registering and Licensing Your Appliance on MySonicWALL - page 14 Using SonicWALL UTM Security Services for Wireless Clients - page 15
Note: Registration is an important part of the setup process and is necessary to receive the full benefits of SonicWALL security
services, firmware updates, and technical support.
SonicWALL SonicPoint Getting Started Guide Page 13
Creating a MySonicWALL Account
A MySonicWALL account is required for product registration. If you already have an account, continue to the Registering and Licensing Your Appliance on MySonicWALL section. To create a MySonicWALL account: 1. 2. In your browser, navigate to www.mysonicwall.com. In the login screen, click the Not a registered user? link.
Registering and Licensing Your Appliance on MySonicWALL
You must register your SonicWALL security appliance on MySonicWALL to enable full functionality. To register your SonicPoint, perform the following tasks: 1. 2. 3. 4. 5. Login to your MySonicWALL account. If you do not have an account, you can create one at www.mysonicwall.com. Enter the serial number of your product in the REGISTER A PRODUCT field and click the Next button. Type a friendly name for the appliance, select the Product Group if any, type the authentication code into the appropriate text boxes, and then click Register. On the Product Survey page, fill in the requested information and then click Continue. To pair your SonicPoint with a SonicWALL UTM appliance, navigate to the Service Management page by clicking on the device you wish to pair with your SonicPoint. Scroll to the Associated Products section and click the SonicWALL SonicPoint link to associate your SonicPoint with the appliance.
6. 3. 4. 5. Complete the Registration form and click Register. Verify that the information is correct and click Submit. In the screen confirming that your account was created, click Continue.
Page 14 Creating a MySonicWALL Account
Using SonicWALL UTM Security Services for Wireless Clients
Any security services you purchased for your SonicWALL UTM appliance can also be applied to wireless clients. Simply enable the security services on the WLAN zone or on a custom wireless zone, and your wireless traffic will be protected along with your wired traffic. If you have not yet purchased a security service subscription for your SonicWALL UTM appliance, please speak with a sales representative or visit www.mysonicwall.com to register for free trials. To try a Free Trial of a service, click Try in the Service Management page. To purchase a product or service, click Buy Now in the Service Management page.

If you recently purchased security services, you will receive an activation key. This key is emailed to you after online purchases, or is on the front of the certificate that was included with your purchase. To activate existing licenses: 1. 2. 3. Log into mysonicwall.com and navigate to the My Products page. Select the registered product you want to manage. Locate the product on the Service Management page and click Enter Key in that row.
In the Activate Service page, type or paste your key into the Activation Key field and then click Submit.
When activation is complete, MySonicWALL displays an activation screen with service status and expiration information.
You have successfully registered your SonicWALL appliance, and now you need to enable UTM security services on the SonicWALL appliance itself. SonicWALL UTM security services are not enabled by default.
SonicWALL SonicPoint Getting Started Guide Page 15
Page 16 Using SonicWALL UTM Security Services for Wireless Clients
Configuring Your UTM Appliance for Wireless
An Introduction to Zones and Interfaces - page 18 Configuring Wireless Access - page 18
This section provides instructions for configuring the SonicWALL UTM appliance to connect with your SonicWALL SonicPoint.
SonicWALL SonicPoint Getting Started Guide Page 17
An Introduction to Zones and Interfaces
Zones split a network infrastructure into logical areas, each with its own set of usage rules, security services, and policies. Most networks include multiple definitions for zones, including those for trusted, untrusted, public, encrypted, and wireless traffic. Some basic (default) zone types include: WAN - Untrusted resources outside your local network LAN - Trusted local network resources WLAN - Local wireless network resources originating from SonicWALL wireless enabled appliances DMZ - Local network assets that must be accessible from the WAN zone (such as Web and FTP servers) VPN - Trusted endpoints in an otherwise untrusted zone (such as the WAN) The security features and settings configured for the zones are enforced by binding a zone to one or more physical interfaces (such as, X0, X1, or X2) on the SonicWALL UTM appliance.
The X1 and X0 interfaces are preconfigured as WAN and LAN respectively. The remaining ports (X2-X6) are also LAN ports by default. However, these ports can be configured to meet the needs of your network, either by using basic zone types (WAN, LAN, WLAN, DMZ, VPN) or configuring a custom zone type to fit your network requirements (for example: Gaming Console Zone, Wireless Printer Zone, Wireless Ticket Scanner Zone).

Configuring Wireless Access
This section describes how to configure SonicPoints with a SonicWALL UTM appliance. SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL UTM appliances. Before you can manage SonicPoints in the management interface, perform the following steps: Configuring Provisioning Profiles - page 19 Configuring a Wireless Zone - page 21 Configuring the Network Interface - page 22
Page 18 An Introduction to Zones and Interfaces
Configuring Provisioning Profiles
SonicPoint Profile defines settings that can be configured on a SonicPoint, such as radio SSIDs, and channels of operation. These profiles make it easy to apply basic settings to a wireless zone, especially when that zone contains multiple SonicPoints. When a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone. If a SonicPoint is connected to a zone that does not have a custom profile assigned to it, a default profile is used. To add a new profile: 1. 2. 3. Navigate to the SonicPoint > SonicPoints page in the SonicOS interface. Click Add SonicPoint below the list of SonicPoint provisioning profiles. The Add/Edit SonicPoint Profile window displays.
802.11n Radio Tab 1. 2. 3. 4. 5. 6. 7. Select Enable Radio. Optionally, select a schedule for the radio to be enabled from the drop-down list. The most common work and weekend hour schedules are pre-populated for selection. Select a Radio Mode to dictate the radio frequency band(s). The default setting is 2.4GHz 802.11n/g/b Mixed. Enter an SSID. This is the access point name that will appear in clients lists of available wireless connections. Select a Primary Channel and Secondary Channel. You may choose AutoChannel unless you have a reason to use or avoid specific channels. Under WEP/WPA Encryption, select the Authentication Type for your wireless network. SonicWALL recommends using WPA2 as the authentication type. Fill in the fields specific to the authentication type that you selected. The remaining fields change depending on the selected authentication type.

Settings Tab 1. 2. 3. Select Enable SonicPoint. Enter a Name Prefix to be used internally as the first part of the name for each SonicPoint provisioned. Select the Country Code for the area of operation.
SonicWALL SonicPoint Getting Started Guide Page 19
Optionally, under ACL Enforcement, select Enable MAC Filter List to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address object group from the Allow List or Deny List to automatically allow or deny traffic to and from all devices with MAC addresses in the group. The Deny List is enforced before the Allow List.
Advanced Tab Configure the advanced radio settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance. For a full description of the fields on this tab, see the SonicOS Enhanced Administrators Guide.
When you are finished, click OK.
Page 20 Configuring Wireless Access
Configuring a Wireless Zone
You can configure a wireless zone on the Network > Zones page. Typically, you will configure the WLAN zone for use with SonicPoints. To configure a standard WLAN zone: 1. 2. 3. On the Network > Zones page in the WLAN row, click the icon in the Configure column. Click on the General tab. Select the Allow Interface Trust setting to automate the creation of Access Rules to allow traffic to flow between the interfaces within the zone, regardless of which interfaces to which the zone is applied. For example, if the WLAN Zone has both the X2 and X3 interfaces assigned to it, selecting the Allow Interface Trust checkbox on the WLAN Zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
Select the checkboxes for the security services to enable on this zone. Typically, you would enable Gateway AntiVirus, IPS, and Anti-Spyware. If your wireless clients are all running SonicWALL Client Anti-Virus, select Enable Client AV Enforcement Service. Click on the Wireless Tab. Select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface, providing maximum security.
Optionally, click the Guest Services tab to configure guest Internet access solely, or in tandem with secured access. For information about configuring Guest Services, see the SonicOS Enhanced Administrators Guide. When finished, click OK.
SonicWALL SonicPoint Getting Started Guide Page 21
Configuring the Network Interface
Each SonicPoint or group of SonicPoints must be connected to a physical network interface that is configured for Wireless. SonicOS by default provides a standard wireless zone (WLAN), which can be applied to any available interface. To configure a network interface using the standard wireless (WLAN) zone: 1. Navigate to the Network > Interfaces page and click the Configure button for the interface to which your SonicPoints will be connected.

2. 3. 4. 5. 6. 7.

Select WLAN for the Zone type. Select Static for the IP Assignment. Enter a static IP Address in the field. Any private IP is appropriate for this field, as long at it does not interfere with the IP address range of any of your other interfaces. Enter a Subnet Mask. In our example 255.255.255.0 is an appropriate mask. Optionally, choose a SonicPoint Limit for this interface. This option helps limit resources on port-by-port basis when using SonicPoints across multiple ports. Optionally, choose to allow Management and User Login mechanisms if they make sense in your deployment. Remember that allowing login from a wireless zone can pose a security threat, especially if you or your users have not set strong passwords.

Page 22

Setting Up Your SonicPoint
Installing Antennas (SonicPoint-Ne Only) - page 24 Connecting Ethernet Cable - page 24 Verifying Operation - page 28 Verifying WAN (Internet) Connectivity - page 28 Troubleshooting Tips - page 29 Onboard Help System - page 29
This section describes how to connect and configure physical aspects of the SonicPoint including cabling and mounting.
SonicWALL SonicPoint Getting Started Guide Page 23
Installing Antennas (SonicPoint-Ne Only)
To install the SonicPoint-Ne included antennas: 1. 2. 3. Remove the antennas from the bag and place one on each connector. Carefully finger-tighten the fittings. Adjust the antennas for optimal reception.
Note: The SonicPoint-Ne is authorized to use a dipole
antenna with 4dBi or less. Only use antennas provided by SonicWALL; otherwise your authority to use this unit may be revoked. Be aware of the regulations in your region before using other antennas.
Note: For optimal wireless coverage in most cases, the
SonicPoint-Ne antennas should be oriented vertically.
Connecting Ethernet Cable
The illustration on the following page depicts the SonicPoint within a typical network deployment.

Ethernet Cabling: SonicPoint-Ne vs SonicPoint-Ni
While the SonicPoint-Ne may be powered with either the included external power adaptor or through Power over Ethernet (PoE), the SonicPoint-Ni must be powered using Power over Ethernet (PoE). Both SonicPoint appliances should be cabled with CAT5, CAT5e, or CAT6 Ethernet cabling. In addition, the SonicPoint-Ni will not function unless the Ethernet connection to its LAN port is powered either by using the SonicWALL PoE line injector (sold separately), or by using a third-party 802.3af compliant PoE powered switch. For more information on the SonicWALL PoE injector, visit: <http://www.sonicwall.com/us/products_solutions.html>
The circular design of the SonicPoint aides in creating a strong tri-directional wireless signal pattern. In most cases, leaving the antennas straight up (as indicated in the illustration) will provide the best overall coverage.
Page 24 Installing Antennas (SonicPoint-Ne Only)

Connecting the PoE Cable

If your deployment uses a SonicWALL PoE injector, read and comply with instructions provided with the PoE first, then complete the following steps: 1. 2. 3. 4. Plug the power cord of the SonicWALL PoE injector into the power outlet. Using Ethernet cable (not included), connect the Data in port on the SonicWALL PoE Injector to the WLAN zone interface that you created earlier. Using Ethernet cable, connect the Data and Power out port on the SonicWALL PoE injector to the LAN port on the back of your SonicPoint. Wait for the link LED to illuminate. This indicates an active connection. It takes approximately one minute for the SonicWALL security appliance to auto-provision.
Internet (WAN) Remote VPN Users Remote Servers

Internet

X1 WAN X2 WLAN X0 LAN

Hotel / Home Office

PoE Injector or PoE Switch (optional for SonicPoint Ne)
Local Network (LAN) Local Clients Local Servers CDP Backup Appliance
Wireless (WLAN) Wireless Clients Wireless Devices

Front Lobby

Marketing

LAN/WLAN N

SonicWALL SonicPoint Getting Started Guide Page 25
Mounting Using Ceiling Brackets

For further information, visit: <http://training.sonicwall.com/>

Page 34 Training

Related Documentation
See the following related documents for more information: SonicOS Enhanced Administrators Guide SonicOS Enhanced Release Notes SonicOS Enhanced Feature Modules DPI-SSL MAC-IP Anti-Spoof Virtual Access Points SSL VPN Remote Access High Availability Multiple Administrators NAT Load Balancing Packet Capture Radio Frequency Monitoring Single Sign-On SSL Control Secure Wireless Bridging SonicWALL GMS Administrators Guide SonicWALL GVC Administrators Guide SonicWALL ViewPoint Administrators Guide SonicWALL GAV Administrators Guide SonicWALL IPS Administrators Guide SonicWALL Anti-Spyware Administrators Guide SonicWALL CFS Administrators Guide
For further information, visit: <http://www.sonicwall.com/us/support.html>
SonicWALL SonicPoint Getting Started Guide Page 35
SonicWALL Secure Wireless Network Integrated Solutions Guide
Looking to go wireless? Have questions about what it takes to build a truly secure wireless network? Check out the SonicWALL Secure Wireless Network Integrated Solutions Guide. This book is the official guide to SonicWALLs marketleading wireless networking and security devices. This title is available in hardcopy at fine book retailers everywhere, or by ordering directly from Elsevier Publishing at: <http://www.elsevier.com>
Page 36 SonicWALL Secure Wireless Network Integrated Solutions Guide
Product Safety and Regulatory Information
This section provides regulatory, trademark, and copyright information. Safety and Regulatory Information for the SonicWALL SonicPoint Wireless Appliance - page 38 SonicWALL SonicPoint Wireless Appliance Sicherheit und gesetzliche Vorschriften - page 39 FCC Part 15 Notice for the SonicWALL SonicPoint Wireless Appliance - page 40 Industry Canada Notices - page 41 Industrie Canada Notifications - page 41 NCC Statement - page 42 Copyright Notice - page 45 Trademarks - page 45
SonicWALL SonicPoint Getting Started Guide Page 37
Safety and Regulatory Information for the SonicWALL SonicPoint Wireless Appliance
Regulatory Model/Type APL21-06E APL21-083 Product Names SonicPoint-Ne SonicPoint-Ni
Cable Connections All Ethernet and RS232 (Console) cables are designed for intrabuilding connection to other equipment. Do not connect these ports directly to communication wiring or other wiring that exits the building where the SonicWALL is located. Power Supply Information for APL21-083 If the power supply is missing from your SonicWALL product package, please contact SonicWALL Technical Support at 408752-7819 for a replacement. This product should only be used with a UL listed power supply marked Class 2 or LPS, with an output rated 48 VDC, minimum 0.35 A, Tma: minimum 40 degrees C. Power Supply Information APL21-06E If the power supply is missing from your SonicWALL product package, please contact SonicWALL Technical Support at 408752-7819 for a replacement. This product should only be used with a UL listed power supply marked Class 2 or LPS, with an output rated 12 VDC, minimum 1.5 A, Tma: minimum 40 degrees C. If power is provided by the Ethernet cable plugged into the "lan" port, this is called "Power Over Ethernet" or "POE". The POE source should only be UL listed marked Class 2 or LPS, with an output rated 48 VDC, minimum 0.35 A, Tma: minimum 40 degrees C.

SonicWALL SonicPoint Getting Started Guide Page 39
For more information regarding the following statements, please contact SonicWALL, Inc. at: 2001 Logic Drive San Jose, CA 95124-3452 1-408-745-9600
Authorized Channels SonicWALL declares that the APL21-083 (FCC ID: QWU-083) and APL21-06E (FCC ID: QWU-06E) when sold in US is limited to CH1~CH11 by specified firmware controlled in the USA. (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Caution: The device for the band 5470 -5725 MHz is only for indoor usage to reduce potential for harmful interference to co-channel mobile satellite systems. The APL21-06E device has been designed to operate with an antenna having a maximum gain of 4 dBm. Antenna having a higher gain is strictly prohibited. The required antenna impedance is 50 ohms. Dynamic Frequency Selection(DFS) is required on all Wireless LAN Mater devices (usually Access Points) and Wireless LAN Clients (usually Wireless NICs) that operate within 5470 MHz 5725 MHz. SonicPoints that have these frequencies and channels enable in this range comply with North American and International DFS requirements. Some frequencies are blocked, and cannot be selected by the user per each specific regional approval. Specific to the USA; at the urging of the Federal Communication Commission (FCC) user/installers should avoid operation frequencies near Terminal Doppler Weather Radar (TDWR) systems frequencies 5600-5650 MHz when installing SonicPoint within 35 km of line-of-site of TDWR sites. If TDWR is within 35 km the SonicPoint frequencies should be set to at least 30 MHz above or below any TDWR system frequency at that site. TDWR locations and specific frequencies used can be found at <http://spectrumbridge.com/udrs/home.aspx>. Detailed current and background information can be found at <http://www.wispa.org/?page_id=2341>.
FCC Part 15 Notice for the SonicWALL SonicPoint Wireless Appliance
NOTE: This equipment was tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy. And, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try and correct the interference using one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and the receiver. Connect the equipment into an outlet on a circuit different from the receiver connection. Consult SonicWALL for assistance. Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. Radiation Exposure Statement This equipment complies with FCC and IC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters (7.9 inches) between the radiator (antenna) and your body. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

Page 40 FCC Part 15 Notice for the SonicWALL SonicPoint Wireless Appliance

Industry Canada Notices

Authorized Channels SonicWALL declares that the APL23-06E (IC: 4408A-06E) and APL23083 (IC: 4408A-083) when sold in Canada is limited to CH1~CH11 byspecified firmware controlled in the USA. Operation This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Radiation Exposure Statement This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body. Antenna Under Industry Canada regulations, this radio transmitter may only operate using an antenna of a dipole type and maximum 4dBi at 5GHz and at 2.4Ghz (or lesser) gain approved for the transmitter by Industry Canada. To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (e.i.r.p.) is not more than that necessary for successful communication. L'impdance d'antenne requise est de 50 ohms Caution: (DFS band use) (i) the device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems; (ii) the maximum antenna gain permitted for devices in the bands 52505350 MHz and 5470-5725 MHz shall comply with the e.i.r.p. limit; and (iii) the maximum antenna gain permitted for devices in the band 57255825 MHz shall comply with the e.i.r.p. limits specified for point-to-point and non point-to-point operation as appropriate.
Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5250-5350 MHz and 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices.
Industrie Canada Notifications
Chanes autorises SonicWALL dclare que l'APL23-06E (IC : 4408A-06E) et APL23-083 (IC: 4408A-083) une fois vendu au Canada est limit CH1~CH11 par spcifique microprogramm aux Etats-Unis. Opration Le prsent appareil est conforme aux CNR d'Industrie Canada applicables aux appareils radio exempts de licence. L'exploitation est autorise aux deux conditions suivantes : (1) l'appareil ne doit pas produire de brouillage, et (2) l'utilisateur de l'appareil doit accepter tout brouillage radiolectrique subi, mme si le brouillage est susceptible d'en compromettre le fonctionnement. Dclaration de l'exposition aux radiations Cet quipement est conforme l'exposition aux rayonnements IC limites tablies pour un environnement non contrl. Cet quipement doit tre install et utilis avec un minimum de 20 cm de distance entre le radiateur et votre corps. Antenne Conformment la rglementation d'Industrie Canada, le prsent metteur radio peut fonctionner avec une antenne d'un dipole type et d'un gain maximal 4dBi at 5GHz and at 2.4Ghz (ou infrieur) approuv pour l'metteur par Industrie Canada. Dans le but de rduire les risques de brouillage radiolectrique l'intention des autres utilisateurs, il faut choisir le type d'antenne et son gain de sorte que la puissance isotrope rayonne quivalente (p.i.r.e.) ne dpasse pas l'intensit ncessaire l'tablissement d'une communication satisfaisante. The required antenna impedance is 50 ohms.

SonicWALL SonicPoint Getting Started Guide Page 41
Attention: (utilisation de bande DFS) (i) les dispositifs fonctionnant dans la bande 5 150-MHz sont rservs uniquement pour une utilisation lintrieur afin de rduire les risques de brouillage prjudiciable aux systmes de satellites mobiles utilisant les mmes canaux; (ii) le gain maximal dantenne permis pour les dispositifs utilisant les bandes 5 250-MHz et 5 470-MHz doit se conformer la limite de p.i.r.e.; (iii) le gain maximal dantenne permis (pour les dispositifs utilisant la bande 5 725-MHz) doit se conformer la limite de p.i.r.e. spcifie pour lexploitation point point et non point point, selon le cas. De plus, les utilisateurs devraient aussi tre aviss que les utilisateurs de radars de haute puissance sont dsigns utilisateurs principaux (c.--d., quils ont la priorit) pour les bandes 5 250-MHz et 5 650-MHz et que ces radars pourraient causer du brouillage et/ou des dommages aux dispositifs LAN-EL.

NCC Statement

Page 42 NCC Statement
Declaration of Conformity
Certificate #: EU00170-A This device is a 2.4 GHz wideband transmission system (transceiver), intended for use in all EU member states and EFTA countries, except in France and Italy where restrictive use applies. In Italy the end-user should apply for a license at the national spectrum authorities in order to obtain authorization to use the device for setting up outdoor radio links and/or for supplying public access to telecommunications and/or network services. This device may not be used for setting up outdoor radio links in France and in some areas the RF output power may be limited to 10 mW EIRP in the frequency range of 2454 2483.5 MHz. For detailed information the end-user should contact the national spectrum authority in France.
Manufacturer/ Responsible Party Type of Equipment Type Numbers May be Marketed as Application of council Directive Standard(s) to which conformity is declared 2004/108/EC (EMC) 2006/95/EC (LVD) 1999/5/EC (R&TTE) EN 55022:1998 +A1 +A2 Class B EN 55024:1998, +A2 EN 61000-3-2:2000, +A2 EN 61000-3-3:1995, +A2 EN 60950-1:2006, +A11:2009 National Deviations: AR, AT, AU, BE, CA, CH, CN, CZ, DE, DK, FI, FR, GB, GR, HU, IL, IN, IT, JP, KE, KR, MY, NL, NO, PL, SE, SG, SI, SK, US EN V1.7.1:2006 EN V1.5.1:2008 EN V1.8.1:2008 EN 301 489-17 V2.1.1:2009a EN 50385:2002 SonicWALL, Inc. 2001 Logic Drive San Jose, California 95124-3452 USA 802.11b/g/n access point APL21-06E APL21-083 SonicPoint-Ne SonicPoint-Ni

SonicOS

SonicOS Enhanced 5.6.5.1 Release Notes

Contents

Platform Compatibility..... 1 Licensing...... 2 Key Features...... 2 Known Issues..... 5 Resolved Issues..... 7 Upgrading SonicOS Image Procedures.... 8 Related Technical Documentation.... 13

Platform Compatibility

The SonicOS 5.6.5.1 release is supported on the following SonicWALL security appliances: SonicWALL NSA E8500 SonicWALL NSA E7500 SonicWALL NSA E6500 SonicWALL NSA E5500 SonicWALL NSA 5000 SonicWALL NSA 4500 SonicWALL NSA 3500 SonicWALL NSA 2400 SonicWALL NSA 240 SonicWALL TZ 210 / 210 Wireless-N SonicWALL TZ 200 / 200 Wireless-N
This release supports the following Web browsers: Internet Explorer 8.0 and higher Chrome 4.0 and higher Mozilla 3.0 and higher Strong SSL and TLS Encryption Required in Your Browser The internal SonicWALL Web server only supports SSL version 3.0 and TLS with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak ciphers (symmetric ciphers less than 128 bits) are not supported. This heightened level of HTTPS security protects against potential SSLv2 roll-back vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards. TIP: By default, Mozilla Firefox 2.0 and Microsoft Internet Explorer 7.0 enable SSL 3.0 and TLS, and disable SSL 2.0. SonicWALL recommends using the most recent Web browser releases. If you are using a previous release of these browsers, you should enable SSL 3.0 and TLS and disable SSL 2.0. In Internet Explorer, go to Tools > Internet Options on the Advanced tab and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options on the Advanced tab, and then select the Encryption tab.
SonicOS Enhanced 5.6.5.1 Release Notes P/N 232-002002-00 Rev B

Licensing

Licensing for the Active/Active Clustering (including Stateful High Availability) and BGP Advanced Routing features is included with the following SonicWALL NSA E-Class appliances, when registered: SonicWALL NSA E8500 SonicWALL NSA E7500 SonicWALL NSA E6500 SonicWALL NSA E5500 To activate these licenses, register each appliance on MySonicWALL. Even when deployed in a High Availability pair, each unit must be individually registered to activate the licenses. When available, a SonicOS Expanded License can be purchased for the following SonicWALL appliances to activate the BGP Advanced Routing feature: SonicWALL NSA 5000 SonicWALL NSA 4500 SonicWALL NSA 3500 SonicWALL NSA 2400 SonicWALL NSA 240 SonicWALL TZ 210 / 210 Wireless-N SonicWALL TZ 200 / 200 Wireless-N Note: Active/Active Clustering is supported only on SonicWALL NSA E-Class appliances. No free trial is available for the BGP Advanced Routing feature.

Key Features

The following key features are available in SonicOS 5.6.5.1: Active/Active Clustering High Availability Active/Active Clustering is the most recent addition to the High Availability feature set in SonicOS. A typical Active/Active Clustering deployment includes four firewalls of the same SonicWALL model configured as two Cluster Nodes, where each node consists of one Stateful High Availability pair. For larger deployments, the cluster can include eight firewalls, configured as four Cluster Nodes. With Active/Active Clustering, you can assign certain traffic flows to each node in the cluster, providing load sharing in addition to redundancy, and supporting a much higher throughput without a single point of failure. Earlier High Availability features, such as Stateful Synchronization and Active/Active DPI (previously called Active/Active UTM), continue to be supported and are recommended for use in conjunction with Active/Active Clustering. Active/Active Clustering is supported only on SonicWALL NSA E-Class appliances. BGP Advanced Routing Border Gateway Protocol (BGP) advanced routing is a large-scale routing protocol used to communicate routing information between Autonomous Systems (ASs), which are well-defined, separately administered network domains. BGP support allows for SonicWALL security appliances to replace a traditional BGP router on the edge of a network's AS. The current SonicWALL implementation of BGP is most appropriate for "single-provider / single-homed" environments, where the network uses one ISP as their Internet provider and has a single connection to that provider. SonicWALL BGP is also capable of supporting "singleprovider / multi-homed" environments, where the network uses a single ISP but has a small number of separate routes to the provider. Because BGP transmits packets in the clear, SonicWALL supports using an IPSec tunnel for secure BGP sessions. The IPSec tunnel is configured independently within the VPN configuration section of the SonicOS Web-based management interface, while BGP is enabled on the Network > Routing page and then configured on the SonicOS Command Line Interface. BGP Advanced Routing is available on all SonicWALL NSA and TZ appliances supported in SonicOS 5.6.5.1.

Link Aggregation Link Aggregation provides the ability to group multiple Ethernet interfaces to form a trunk which looks and acts like a single physical interface. SonicOS 5.6.5.1 supports Static Link Aggregation, in which the two ends of the trunk have the same configuration. Up to 4 ports can be grouped to form a single aggregate link. If any of the ports fail, SonicOS continues to pass traffic (at a diminished throughput) while there is at least one active interface. Link Aggregation is useful in deployments requiring more than 1 Gbps throughput for traffic flowing between two interfaces. This feature is available on all SonicWALL NSA E-Class appliances. Link Aggregation is supported only on SonicWALL NSA E-Class appliances. Port Redundancy Port Redundancy provides the ability to configure a second, redundant, physical interface for any Ethernet interface on a SonicWALL NSA E-Class appliance. When the primary interface is active, it handles all traffic to and from the interface. If the primary interface fails, the backup interface takes over and handles all incoming and outgoing traffic. When the primary interface comes up again, it takes over all the traffic handling duties from the backup interface. This is very useful in high end deployments to avoid a single point of failure, such as the connection to a switch. With Port Redundancy, a second interface can be connected to the same or another switch to provide an alternate path for the traffic. Port Redundancy is supported only on SonicWALL NSA E-Class appliances.
The following are the key features supported in all versions of SonicOS 5.6: Deep Packet Inspection of SSL encrypted data (DPI-SSL) Provides the ability to transparently decrypt HTTPS and other SSL-based traffic, scan it for threats using SonicWALLs Deep Packet Inspection technology, then re-encrypt (or optionally SSL-offload) the traffic and send it to its destination if no threats or vulnerabilities are found. This feature works for both client and server deployments. It provides additional security, application control, and data leakage prevention functionality for analyzing encrypted HTTPS and other SSL-based traffic. The following security services and features are capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Firewall, Packet Monitor and Packet Mirror. DPI-SSL is supported on SonicWALL NSA models 240 and higher. 3G and Modem Support SonicOS 5.6 supports 3G and Modem configurations for WAN Load Balancing (WLB). (3G and Modem support is available on all NSA models except the SonicWALL NSA 2400.) Command Line Interface Enhancements Provides increased support through the command line interface to configure and modify Network Address Translation (NAT) Policies, Access Rules, Service Objects, and Service Groups. Diagnostic Improvements Includes a diagnostic tool which automatically checks the network connectivity and service availability of several pre-defined functional areas of SonicOS. The tool also returns results and attempts to describe causes, if any exceptions are detected. Dynamic DNS per Interface Provides the ability to assign a Dynamic DNS (DDNS) profile to a specific WAN interface. This allows administrators who are configuring WAN Load Balancing to advertise a predictable IP address to the DDNS service. Increased DPI Connection Support Provides the ability to increase the number of simultaneous connections on which SonicWALL security appliances can apply Deep Packet Inspection (DPI) services (Intrusion Prevention Service, Application Firewall, Gateway Anti-Virus, and Gateway Anti-Spyware). This feature is intended for high-end (E-Class) customers who need to support a large number of concurrent connections. (Note: There is a slight performance decrease when this option is enabled.) FairNet for SonicPoint-N Provides the ability to create policies that equally distribute bandwidth for all wireless users connected to a SonicPoint-N.

MAC-IP Spoof Detection and Prevention Provides additional protection against MAC address and IP address based spoofing attacks (such as Man-in-the-Middle attacks) through configurable Layer 2 and Layer 3 admission control. Packet Mirroring Provides the ability to capture copies of specified network packets from other ports. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion detection system. Customers can now gather data from one of the other ports on a SonicWALL to look for threats and vulnerabilities and help aid with diagnostics and troubleshooting. Route-based VPN with Dynamic Routing Support Extends support for advanced routing (either OSPF or RIP) to VPN networks. This simplifies complex VPN deployments by enabling dynamic routing to determine the best path that traffic should take over a VPN tunnel. Signature Download through a Proxy Server Provides the ability for SonicWALL security appliances to download signatures even when they access the Internet through a proxy server. This feature also allows for registration of SonicWALL security appliances through a proxy server without compromising privacy. Single Sign-on for Terminal Services and Citrix Provides support for transparent authentication of users logged in from a Terminal Services or Citrix server. This transparent authentication enables Application Firewall and CFS policy enforcement in Terminal Services and Citrix environments. NOTE: The SonicWALL Terminal Services Agent is not supported in SonicOS 5.6.5.1 due to limitations of current SSO agent functionality that prevent its use with Active/Active Clustering. SSL VPN Enhancements o o o o SonicOS 5.6 provides a number of SSL VPN enhancements:
Bookmarks for SSH and RDP Provides support for users to create bookmarks on the SSL VPN Virtual Office to access systems using SSH, RDP, VNC, and Telnet services. Granular User Controls Allows network administrators to configure different levels of policy access for NetExtender users based on user ID. One-Time Password Provides additional security by requiring users to enter a randomly generated, single-use password in addition to the standard user name and password credentials. Separate Port and Certificate Control Provides separate port access for SSL VPN and HTTPS management certificate control, allowing administrators to close HTTPS management while leaving SSL VPN open. Virtual Assist Provides a remote assistance tool to SonicWALL security appliance users. SonicWALL Virtual Assist is a thin client remote support tool provisioned via a Web browser. It enables a technician to assume control of a customers PC or laptop for the purpose of providing remote technical assistance.

Unbounded Multiple WAN Support Provides the ability to enable any number of WAN Ethernet interfaces for WAN Load Balancing and Failover on SonicWALL appliances. VPN Policy Bound to VLAN Interface configuring a site-to-site VPN. Allows users to bind a VPN policy to a VLAN interface when
WebCFS Server Failover Provides the ability to enable WebCFS server failover, allowing a SonicWALL security appliance to contact another server for URL rating information if the local server is unavailable. This ensures performance continuity for Web navigation and Web content filtering functionality.

Known Issues

This section contains a list of known issues in the SonicOS 5.6.5.1 release. Symptom In Active/Active clustering, a node cannot access MySonicWALL for license synchronization, and diagnostic tests to the Default Gateway and DNS server fail. Condition / Workaround Occurs when the node does not own a Virtual Group, which can occur when it is configured with factory defaults and not aware of its A/A Clustering license, or when the license is activated, but the unit is not yet configured to own a Virtual Group. Workaround: Before connecting the node to the A/A Cluster, register the units and synchronize with MySonicWALL. Occurs when High Availability is enabled for Active/Passive mode, and X4 or another interface is configured as a redundant port for X1, and then the X1 interface is physically disconnected. Workaround: Disable High Availability and then traffic is passed on the redundant port. Occurs when a remote router or firewall is connected to a SonicWALL appliance (X1 on router is connected to a DMZ zone port (X2) on the appliance). OSPF is enabled on both devices, the router advertises a default route to the appliance, and the appliance adds the default route to its routing table. However, the gateway IP address for the default route is set to the IP address of the routers X1 interface, rather than to the routers gateway IP address. Occurs when verifying NAT policies after running the Public Server Wizard. The IP address for X1-Virtual Group 2 incorrectly displays the address for X1-Virtual Group 1 instead. Occurs when the policy is bound to Virtual Group 1 and a node-level failover occurs while the tunnel is in active use on Node 1. Issue 97905

The redundant port for the X1 WAN interface does not pass traffic after X1 is disconnected.
The gateway IP address is wrong for default routes received from OSPF.
In Active/Active clustering, the IP address for interface X1, Virtual Group 2 reverts to the IP address for X1, Virtual Group 1. In a two-node Active/Active cluster, an active Manual Key VPN policy tunnel does not appear in the VPN settings of a backup unit in Node 2, although traffic continues to pass and the active unit shows the tunnel. When Active/Active clustering is enabled, settings for the Packet Monitor filter are copied to the Display filter. The Display filter settings cannot be removed. When using Active/Active Clustering with four nodes where each node is part of HA pair, traffic from the HA idle units cannot go out and they cannot connect to the License manager.
Occurs when the Packet Monitor filter settings are added before enabling Active/Active clustering. The Display filter contains these settings even after manually clearing them and then restarting the SonicWALL appliance. Occurs on Active/Active clusters with four nodes configured as HA pairs. Multiple WAN interfaces are configured and probing/probe target is enabled. When one of the WAN interfaces is down, the default route of the idle units remain pointed to the down WAN interface.
Symptom Traffic over static VPN routes is dropped after a node level link failover.
Condition / Workaround Occurs after the X1 link on the Master node is disconnected. Traffic will drop over the VPN tunnel, but after flushing the connection, traffic will recommence flowing through the tunnel. Occurs when trying to use IP Helper in an Active/Active clustering deployment. Occurs when viewing the comment settings for a BGP route in the Network > Routing page. The comment should show as BGP route. Occurs when deleting a node from the Active/Active Nodes table and then viewing the Network > Interfaces page. Workaround: Click the edit icon for the deleted interface and then click OK. The interface will be deleted. Occurs when the option is enabled to advertise the default route when the WAN is up, and WLB Probing is enabled on the WAN. Upon a WAN link failure, OSPF will still display the default route. Occurs when a preferences file is uploaded containing custom routes in which the Destination network is pointing to a LAN subnet and the Default Gateway is in the same subnet, or the Destination firewall interface IP address is routed to the Default Gateway IP address.

Issue 90215

Active/Active clustering IP Helper support does not yet exist. On the Policy-Based Routing screen, BGP routes are shown as OSPF or RIP route. When a node is deleted from the Active/Active Nodes table on the High Availability page, the interface is not deleted from the Network > Interfaces page. OSPF continues to advertise the Default Route even after a WAN link failure due to WAN Load Balancing logical probing. Incorrectly configured routes prevent the user from connecting to or pinging the directly connected network.

89265 89112

Resolved Issues
This section contains a list of resolved issues in the SonicOS 5.6.5.1 release. Symptom Changes made on the primary unit of a High Availability pair are not automatically synchronize to the backup unit. A firewall access rule using an FQDN destination object does not work normally after restarting the appliance. With BGP disabled and Stealth mode enabled, the firewall resets the connection for TCP port 179 when a port scan occurs. A Virtual Group IP address is not accessible in an Active/Active cluster. On a SonicWALL TZ 210 Wireless-N appliance, some buttons/links are missing from the Network > Interfaces page, preventing the administrator from adding a subnet to the WLAN zone. When Virtual MAC is enabled, modifying the Virtual MAC interface value causes the logical IP address of the interface to become inaccessible. Condition / Workaround Occurs when the HA pair is fully configured and then the backup unit is powered down while changes are made on the primary unit, and then the backup is powered up again. Occurs when a deny rule is configured for traffic from the LAN to the WAN zone. After configuring the rule, pings do not go through from LAN to a destination on the WAN. After restarting the appliance, pings succeed. Occurs when performing a TCP port scan on the WAN after disabling BGP and enabling Stealth mode on the Firewall > Advanced screen. Occurs when attempting to access the LAN Virtual Group IP address of Node 2 in the cluster. All the other Virtual IP addresses are accessible. Occurs because the Add WLAN Subnets button and the 3G/4G/Dial-up use can be set at Network > Failover & LB link are missing from the Network > Interfaces page. Occurs when the option to override Virtual Mac is enabled and the Virtual Mac interface value is modified, in a Stateful High Availability environment with Virtual Mac enabled. After disabling Virtual Mac and then reenabling it, the logical IP is accessible again. Issue 97875

Upgrading SonicOS Image Procedures
The following procedures are for upgrading an existing SonicOS image to a newer version: Obtaining the Latest SonicOS Image Version.... 8 Saving a Backup Copy of Your Configuration Preferences... 8 Upgrading a SonicOS Image with Current Preferences.... 9 Importing Preferences to SonicOS 5.6.... 9 Importing Preferences from SonicOS Standard to SonicOS 5.6 Enhanced... 10 Support Matrix for Importing Preferences.... 11 Upgrading a SonicOS Image with Factory Defaults.... 12 Using SafeMode to Upgrade Firmware.... 12
Obtaining the Latest SonicOS Image Version
To obtain a new SonicOS firmware image file for your SonicWALL security appliance: 1. Connect to your mysonicwall.com account at http://www.mysonicwall.com. 2. Copy the new SonicOS image file to a directory on your management station. You can update the SonicOS image on a SonicWALL security appliance remotely if the LAN interface or the WAN interface is configured for management access.
Saving a Backup Copy of Your Configuration Preferences
Before beginning the update process, make a system backup of your SonicWALL security appliance configuration settings. The backup feature saves a copy of your current configuration settings on your SonicWALL security appliance, protecting all your existing settings in the event that it becomes necessary to return to a previous configuration state. In addition to using the backup feature to save your current configuration settings to the SonicWALL security appliance, you can export the configuration preferences file to a directory on your local management station. This file serves as an external backup of the configuration preferences, and can be imported back into the SonicWALL security appliance. Perform the following steps to save a backup of your configuration settings and export them to a file on your local management station: 1. On the System > Settings page, click Create Backup. Your configuration preferences are saved. The System Backup entry is displayed in the Firmware Management table. 2. To export your settings to a local file, click Export Settings. A popup window displays the name of the saved file.
Upgrading a SonicOS Image with Current Preferences
Perform the following steps to upload new firmware to your SonicWALL appliance and use your current configuration settings upon startup: 1. Download the SonicOS firmware image file from mysonicwall.com and save it to a location on your local computer. 2. On the System > Settings page, click Upload New Firmware. 3. Browse to the location where you saved the SonicOS firmware image file, select the file, and click Upload. 4. On the System > Settings page, click the Boot icon in the row for Uploaded Firmware. 5. In the confirmation dialog box, click OK. The SonicWALL restarts and then displays the login page. 6. Enter your user name and password. Your new SonicOS image version information is listed on the System > Settings page.

Importing Preferences to SonicOS 5.6
Preferences importing to SonicWALL security appliances is generally supported from the following SonicWALL appliances running SonicOS: NSA Series NSA E-Class Series TZ 210/200/100/190/180/170 Series PRO Series There are certain exceptions to preferences importing on these appliances running the SonicOS 5.6 release. Preferences cannot be imported in the following cases: Settings files containing Portshield interfaces created prior to SonicOS 5.x Settings files containing VLAN interfaces are not accepted by the TZ 100/200 Series firewalls Settings files from a PRO 5060 with optical fiber interfaces where VLAN interfaces have been created Full support for preferences importing from these appliances is targeted for a future release. At that time, you will need to upgrade your firmware to the latest SonicOS maintenance release available on MySonicWALL.
Importing Preferences from SonicOS Standard to SonicOS 5.6 Enhanced
The SonicOS Standard to Enhanced Settings Converter is designed to convert a source Standard Network Settings file to be compatible with a target SonicOS Enhanced appliance. Due to the more advanced nature of SonicOS Enhanced, its Network Settings file is more complex than the one SonicOS Standard uses. They are not compatible. The Settings Converter creates an entirely new target Enhanced Network Settings file based on the network settings found in the source Standard file. This allows for a rapid upgrade from a Standard deployment to an Enhanced one with no time wasted in re-creating network policies. Note: SonicWALL recommends deploying the converted target Network Settings file in a testing environment first and always keeping a backup copy of the original source Network Settings file. The SonicOS Standard to Enhanced Settings Converter is available at: https://convert.global.sonicwall.com/ If the preferences conversion fails, email your SonicOS Standard configuration file to settings_converter@sonicwall.com with a short description of the problem. In this case, you may also consider manually configuring your SonicWALL appliance. To convert a Standard Network Settings file to an Enhanced one: 1. Log in to the management interface of your SonicOS Standard appliance, navigate to System > Settings, and save your network settings to a file on your management computer. 2. On the management computer, point your browser to https://convert.global.sonicwall.com/. 3. Click the Settings Converter button. 4. Log in using your MySonicWALL credentials and agree to the security statement. The source Standard Network Setting file must be uploaded to MySonicWALL as part of the conversion process. The Setting Conversion tool uses MySonicWALL authentication to secure private network settings. Users should be aware that SonicWALL will retain a copy of their network settings after the conversion process is complete. 5. Upload the source Standard Network Settings file: Click Browse. Navigate to and select the source SonicOS Standard Settings file. Click Upload. Click the right arrow to proceed. 6. Review the source SonicOS Standard Settings Summary page. This page displays useful network settings information contained in the uploaded source Network Settings file. For testing purposes, the LAN IP and subnet mask of the appliance can be changed on this page in order to deploy it in a testing environment. (Optional) Change the LAN IP address and subnet mask of the source appliance to that of the target appliance. Click the right arrow to proceed. Select the target SonicWALL appliance for the Enhanced deployment from the available list. SonicOS Enhanced is configured differently on various SonicWALL appliances, mostly to support different interface numbers. As such, the converted Enhanced Network Settings file must be customized to the appliance targeted for deployment. Complete the conversion by clicking the right arrow to proceed. Optionally click the Warnings link to view any differences in the settings created for the target appliance. Click the Download button, select Save to Disk, and click OK to save the new target SonicOS Enhanced Network Settings file to your management computer. Log in to the management interface for your SonicWALL appliance. Navigate to System > Settings, and click the Import Settings button to import the converted settings to your appliance.

8. 9. 10. 11. 12.

Support Matrix for Importing Preferences
Upgrading a SonicOS Image with Factory Defaults
Perform the following steps to upload new firmware to your SonicWALL appliance and start it up using the default configuration: 1. Download the SonicOS firmware image file from mysonicwall.com and save it to a location on your local computer. 2. On the System > Settings page, click Create Backup. 3. Click Upload New Firmware. 4. Browse to the location where you saved the SonicOS firmware image file, select the file, and click Upload. 5. On the System > Settings page, click the Boot icon in the row for Uploaded Firmware with Factory Default Settings. 6. In the confirmation dialog box, click OK. The SonicWALL restarts and then displays the Setup Wizard, with a link to the login page. 7. Enter the default user name and password (admin / password) to access the SonicWALL management interface.
Using SafeMode to Upgrade Firmware
The SafeMode procedure uses a reset button in a small pinhole, whose location varies: on the NSA models, the button is near the USB ports on the front; on the TZ models, the button is next to the power cord on the back. If you are unable to connect to the SonicWALL security appliances management interface, you can restart the SonicWALL security appliance in SafeMode. The SafeMode feature allows you to quickly recover from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page. To use SafeMode to upgrade firmware on the SonicWALL security appliance, perform the following steps: 1. Connect your computer to the X0 port on the SonicWALL appliance and configure your IP address with an address on the 192.168.168.0/24 subnet, such as 192.168.168.20. 2. Do one of the following to restart the appliance in SafeMode: Use a narrow, straight object, like a straightened paper clip or a toothpick, to press and hold the reset button on the front of the security appliance for more than 20 seconds. Use the LCD control buttons on the front bezel to set the appliance to Safe Mode. Once selected, the LCD displays a confirmation prompt. Select Y and press the Right button to confirm. The SonicWALL security appliance changes to SafeMode. The Test light starts blinking when the SonicWALL security appliance has rebooted into SafeMode. Note: Holding the reset button for two seconds will send a diagnostic snapshot to the console. Holding the reset button for six to eight seconds will reboot the appliance in regular mode. 3. Point the Web browser on your computer to 192.168.168.168. The SafeMode management interface displays. 4. If you have made any configuration changes to the security appliance, select the Create Backup On Next Boot checkbox to make a backup copy of your current settings. Your settings will be saved when the appliance restarts. 5. Click Upload New Firmware, and then browse to the location where you saved the SonicOS firmware image, select the file, and click Upload. 6. Select the boot icon in the row for one of the following: Uploaded Firmware New! Use this option to restart the appliance with your current configuration settings. Uploaded Firmware with Factory Defaults New! Use this option to restart the appliance with default configuration settings. 7. In the confirmation dialog box, click OK to proceed. 8. After successfully booting the firmware, the login screen is displayed. If you booted with factory default settings, enter the default user name and password (admin / password) to access the SonicWALL management interface.

Related Technical Documentation
SonicWALL user guides and reference documentation is available at the SonicWALL Technical Documentation Online Library: http://www.sonicwall.com/us/Support.html For basic and advanced deployment examples, refer to SonicOS Guides and SonicOS TechNotes available on the Web site.
______________________ Last updated: 4/7/2011