SonicWall basic configuration step by step (part 1)
Вставка
- Опубліковано 18 жов 2024
- This video is a step by step guide for initial configuration of a SonicWall firewall. We will:
Activate the firewall
Download latest firmware
Install latest firmware
Change admin password and set time zone
Configure zone and interfaces
Do VLAN interfaces (vlan tagging, trucking)
Set interface as native bridge
Create access rules
NSM video with zero touch deployment:
• SonicWall NSM Overview
Network segregation:
• Network segregation wi...
My personal tips and tricks:
• JP's 4 basic security ...
Videos to enable security services:
IPS: • How to configure Sonic...
GAV: • How to configure Sonic...
CFS: • How to configure Sonic...
You are legendary! Thank you for making this fantastic tutorial series! Very helpful!
I'm glad to see someone who works for the company creating simple to follow tutorials. I had a competing product a few years ago and had no idea how to configure the units properly even though I am an experienced network engineer. Saves enormous time to know which steps to take when. Thanks again.
Just upgraded a TZ100W to TZ270W. Thanks to your videos (I have watched all of them more than once) I have a better understanding of how to properly set it up. Great work, love the humor you throw in once in a while. Keep them coming!
thanks Dave,
yeah not everyone likes my jokes. that's on them... lol
@@JeanPierTalbot I like the jokes...lol I've been learning lots on SonicWall next gen FWs through your video's...Appreciate it as well!
Finally! Someone did this for the updated interface, way to go
Meanwhile, I still love the old UI (legacy)
@@TheOneWhiteST no I agree I hate the new UI, it is not user friendly regardless of the claim, i am less productive with it. The CTA reports are worthless compared to previous versions
Thank goodness for this video! I kept getting stuck on the 2nd screen of the basic setup wizard (NSA 2700) it saying enter the required fields even though I had. Rebooting, re-entering, nothing worked. The real error after watching this was that it requires anything that can give internet plugged into X1 during setup. Apparently on the 2nd screen if X1 is not plugged into any wire with internet it errors telling you that you didn't enter all the required fields when the error really is that it can't detect Internet on X1. Many hours wasted, but was happy more wasn't because of this video. Thank you!
Jean-Pier cant thank you enough for your videos. They are easy to follow and explained well. Very Much appreciated
Thanks!
Good to see more SonicWall content on UA-cam, I have to set up a new NSA today in fact!
Thanks so much, @Jean-Pier Talbot, for teaching this step-by-step guide to us. Thank you!!!
Only just starting my more in-depth Sonicwall journey thanks for all these videos, you have a good way of explaining the setup and what you’re doing.
Perfect for the purppose. Well done Jean-Pier. I'm enjoying your other videos now that my firewall is set up and working great.
Congratulations on the excellent video. One suggestion: how to remotely collect SonicWall metrics via snmp.
Keep up the video . You definitely know your stuff.
Excellent video, really helped with setup, thank you
Thank you for doing this video.
I love all your tutorials, thank you so much.
Thanks!
amazing, thank you brother.
Thank you for the great and informative video! I had a quick question. Since the X3 interface has multiple subnets created listening for different VLAN tags, should the port on the switch that is connected to X3 on the SonicWall be configured as a trunk port for all VLAN information to pass through?
Hi Jean, thank you so much for your effort.
question: did you register the Firewall twice ?
No.
You active the SN on the website and then activate the firewall on the firewall UI
Good stuff, keep it up!
Thank you so much.
Great video, I'm new to configuring Sonic Firewalls and could use a little personal help, do you provide phone support?
I don’t/can’t.
Send me an email, I’ll put you in touch with the local sonicwall team. They will have different options for professional services. (Email on my big monitor on each videos)
Nice shit. I'm glad to find this channel. Keep up the good job, buddy :)
:-)
Thanks
Thank you
Great Video! Some aggressive typing there for a French Canadian.
Lol yeah keyboard is right next to the microphone. I always try to talk and type a different time so I can cut out the typing parts. But I tend to forget at time…
Thanks for the feedback on the videos!
Great video, thank you.
JP, is that what I see w Guiness World Record? my curiosity takes over sometimes! how did you get a record?
Lol I was an early adopter of electric car and I was part of a parade of 200+ cars. That record got soon taken. But still. I have been part or a world wide record!!! Lol
Great videos. Could you do one on setting up a TZ unit that has Wireless built in, for a Staff and Guess wifi access config?
Good idea :-)
very nice explanation /
Hi Jean-Pier, love your videos! Been watching and learning a bunch. Quick question about native bridge mode. I was able to get this working on a test TZ370. Set up 1 port with multiple virtual interfaces but I can't seem to find the option for native bridge mode for my production TZ370's that are in HA. Does this feature not work when that's enabled?
I believe that’s not supported in HA.
@@JeanPierTalbot Hi, is there any workaround to enable it in HA. Could Preempt mode or Virtual Mac settings help? because I'm need to enable this feature for vlans. Thanks
@@magedsms well, you can turn it on. it might work. but it's not supported. so if things dont work well. dont call support. and if you do, as soon as they find out you are doing something unsupported, they will ask you to disable it in order to move forward with the ticket.
and that's not a sonicwall specific things. any manufacturer if you do something unsupported, dont hope for support 🙂
Jean-Pier, I enjoyed your basic configuration video on the SonicWall. Do you have video instruction for VOIP? I currently have mine on the same port X2 as the Manager which is also my main computer. When Enable Endpoint Security Enforcement My phones do not work correctly. I am thinking that the VOIP needs to on there own port.
Setting Zones 13:15
Thanks Jean-Pier Talbot!
I see this product on the SW website listed under the SMB category, is this a device that can be purchased as home user?
Yes, you can use them at home. Smallest model is a tz270
If you can, an IPv6 video would help a lot, I didn't find any videos about this. I'm trying to forward an WAN/IPv6 to DMZ/IPv4, but no success so far. Only IPv4 to IPv4 and IPv6 to IPv6, couldn't achieve a working NAT64 yet.
Great video, thanks! When bridging the VLANS you created to X1, would that not be overloading that single port as lessening the available bandwidth? Would it not be better to utilise the other free ports x4 x5 x6 etc? Or was this just for demo purposes
You are right.
And yes that was for demo purposes. Many ask how to bridge a vlan to an interface.
Awesome video, is the user interface for this firewall the same for soho 250? Thanks!
No, soho 250 is a gen6 device. But you should not be lost too much….
@@JeanPierTalbot Got it! I ended up getting the TZ270W. I have another question regarding wifi. In sonicwall is pass phrase the same as password for the ssid? That has me a little confuse. I am trying to set up wireless connection. Thanks!
Good video!
Jean-Pier, thank you for the videos. I just found them. I am brand new to the firewall scene but I have a quick question. I'm putting a TZ270W in a company setup, and this setup is behind an open network (think a hotel or starbucks) where while it is an open WLAN, a password is required to login. They are using a VPN to access the internet from there and then they are using this firewall for the WAP. Would i have to set the DNS server address for this firewall to the default gateway address for the local router of the network it is going through?
And then I guess call the network admin of the building to reserve 10 ip addresses for me to statically configure on each device.
And then connect the firewall to the VPN network and then it should work?
hi, I assume your WAN is set to be DHCP so the WAN interface of the firewall gets an IP, default gateway and DNS from the open network (think a hotel or starbucks). then you can set the DHCP server on the firewall and enable "Inherit DNS Settings Dynamically from the SonicWall's DNS settings" in your DHCP scope. that way, firewall will give the DNS it got to the wireless clients.
Your channel has a lot of great content. Just one question. When you changed the admin password how come you didn't change the admin username? This is one of the things I love about Sonicwall. Think about it simply...what names will a hacker try to brute force? Admin, Administrator, Root, Master, Manager, etc. changing this name takes another step at protecting your firewall.
Agreed, I could have done that too.
hi,
is it possible to change hardware interface by an sonicwall nsv or is it static that Port 1 in VMWARE/KVM is X0 or can it be changed?
Do you have any recommendations on videos / playlists I can watch for free that will help me prep for SNSA cert test?
Use the student guide of SNSA. It convers what’s in the exam
Hi jean, thank you for your videos. I have learnt a lot from your videos, They are very helpful. I'm currently taking CCNA certification. I want to buy a real Sonicwall to practice. Can I have your recommendation? I know some sec features will need to be licensed but i only need the basic things like VPN, creating outbound/inbound rules, etc. What do you think about TZ270 that cost $260? Thank you very much.
I would personally try:
Hey boss, I would need a sonicwall at home. Since I work often from home and would need a lab firewall to try stuff to not test on our production firewall and bring our network down. Best would be to have the same model as we have here, but a small tz270 should be suffisant and save us some money.
Let us know if that worked! :-)
@@JeanPierTalbot Appreciated that
hi its really good vedio
I don't drink coffee! How can I ever reboot my SonicWall? :D
More seriously, thanks for the video 🙂
Well, if you don’t drink coffee you are probably facing much bigger challenges in your life than the firewall…
- how do you get up?
- how do you drive to work?
- how do you conquer gravity?
:-)
@@JeanPierTalbot --- you're a young Padawan. Wait until after 50 and the first answer will likely present itself. :-D
Can I use tz270 as a secondary wireless firewall with my Netgear nighthawk router which I already like for all clients? I would like to use TZ to monitor traffic but not do any dns/dhcp services or NAT.
I can't figure out how to use/setup Groups in the DHCP Server Static Advanced section. Can you do a video to explain the scope and use of that?
For example, if I have 16 ip cameras, can I create a group such that I can easily change the lease time from 24hrs to 10mins all all 16 cameras?
AFAIK, there is not much grouping possible other than per interface.
Only solution I see would be to have an interface dedicated to cameras and set the timeout you want
JP, awesome video. sparked ideas in my brain, but im still conflicting w my current need. we have 70 sites all with sonicwall firewalls, we have Unifi access points everywhere and we have the guest wifi set on the AP so it isolates the devices that connect to that SSID, but we are now in need of segregating guest altogether so that the devices on guest are not seeing on security scans that the company undergoes. we could set VLAN on unifi for the Guest network, but how can I centralize DHCP and the VLAN to our core firewall for example, so that all guest go for IP to firewall-X and they then sit on the specific VLAN? 90% of the sites are SDWAN w cloudgenix, and others are IPSEC VPN back to COLO. isnt that a great issue to have! :)
Awesome, glad my videos are having that effect. Reach out to me by email (email listed on my screen.) I’ll put you in touch with your local sonicwall SE)
@@JeanPierTalbot thanks!!
I have already configured the Static Public IP(Provided by internet service) But we need host the Public static IP in server operating machine and we need to use to browse same Public in through out Lan Network. Its is possible to Use and Browse in the same network
You won’t be able to have your WAN IP on the firewall AND on your server at the same time.
Have a look at my inbound NAT video. The WAN ip will be on your firewall only. Your server will have a LAN iP. Firewall will redirect incoming traffic on specific port(s) to your server.
If you go that route, have a look also at my network segregation video. I would strongly advice to put anything accessible from the outside in a different network. Always think that way: « one day, that server will get hacked. How do I prevent that from spreading in my entire network? »
Thank you so much for your excellent series of videos - keep them coming! These are VERY helpful as we transition from a different brand to SW products. Definitely agree with the separation of network parts. Important question I hope you can help with. Say we have some public access desktops we put on one segment. We have software on them to allow our staff to remotely view the screen if needed (check for appropriate use). How do we go about preventing the Client computer under one segment (say 192.168.50.x) from reaching anything in the staff side (say 192.168.60.x), while still allowing the staff machine to see that client machine desktop?
Is the best way to setup a rule that says Client port 5900 (the vnc inbound) is allowed to communicate to anything in 60.x?
Similarly, for the client machine to access DNS from the office server (which the staff also use for DNS) is the best approach to only open port 53 for the client to the DNS server IP on the staff side of the 60.x network?
I would setup a firewall rule to block all ports from one zone to another, unless specifically whitelisted, Firewall > Access rules > new rule , Action=deny, From=zoneA To=zoneB, service Any
Then create a 2nd rule with same zones but Allow, and then specify specific ports or services
Your videos have been very helpful. We upgraded our old SonicWall and implemented a TZ470. We are very happy with it.
However, I have a problemthat I cannot figure out. I do not know how to setup alerts so that I only email receive Alerts for Threats. I have the alerts email setup and working fine. Just way too many emails so I just need to tweak the email alerts down to just receiving Alerts for Threats.
Any tips on how to do that would be muchly appreciated. Thank you.
Thanks for the feedback!
Have you looked at this KB?
www.sonicwall.com/support/knowledge-base/how-can-i-view-and-get-alerts-and-notifications-for-sonicwall/170505804806898/
@@JeanPierTalbot I read over the article. It was a bit cryptic to me. Let's say, that the only email notification I would like is if there is a "HOSTS WITH AN OBSERVED THREAT" as shown on the TZ470, Home/Dashboard/System. What exactly do I need to adjust so that I get that email? Any guidance is appreciated. Thank you. Ken
At 21:21 the three VLANs are associated with unassigned X3. Shouldn't it already be assigned? Or am I getting it wrong?
It does not have to be assigned. X3 (the native/untag vlan) can be unassigned AND you can have multiple tagged vlan. That works.
Agreed, a little uncommon. :-)
What is the difference between using portshield versus native bridge?
Any tutorials on how to enable IPv6 SLAAC on a subnet? I figured how to enable IPv6 with DHCPv6, fixed IPv6, but can't seem to have SLAAC working correctly.
IPv6 could be a good one!
Unfortunately I don’t have it in my list of videos to do soon as IPv6 is not heavily used. Well, not as much as “site to site VPN” which I want do to a video on :-)
@@JeanPierTalbot Thank you for the feedback. I was able to figure out how to do it. One must not forget to disable WIN10 ipv6 privacy and temporary addresses to check on a WIN10 host that IPv6 SLAAC and prefix advertisement is working correctly.
Hi. first of all thanks to upload these videos, these videos are making my life easier. I have created a VLAN Interface on my X4 (X4:V6) which is native bride to my Default LAN(X0, 192.168.9.XXX). VLAN ID's are different (X4:V6 & X0 is running on default VLAN ID)but i am still able to ping each other. Isn't this incorrect .? because different VLAN ID aren't supposed to talk to each other.?
Please reply. Waiting for your respone
It is expected. When you bridge them, you tell the firewall to act as a switch (kind of) and firewall will be smart enough to to remove/add the vlan so that bridging works.
@@JeanPierTalbot then portshield doing the same thing.?
Hi Bro!
Have you face issue like when excluding the address group in-app rule it's showing an error. ("Command exclusion address name does not match")
I love you oui oui baguet accent
I am looking for a video on SWS12-8POE in setting up VLAN and Trunk port. Do you have any videos on this switch?
Not yet.
Manage them thought the cloud. They are pretty intuitive to manage
On a TZ270W had to first set the admin auto-logoff to more than the default 5 minutes as it interrupted to firmware upload/update and prevented it from completing.
You must have been remote when doing the firmware upgrade?
Otherwise if you need 5 minutes to transfer a couple hundred Mb on your LAN, there is something very wrong on your LAN.
Would be GREAT if you could create a walk through on setting up Guest Services accounts on TZ model. So that when a guest joins the WiFi for guests, it sets up a time or data limit for that visitor to a max per day or per week. I've read through some manual pages, but it does not seem to make sense for how to do it. We have many visitors come and go over the day. It is not practical to create and manage a username and password for that kind of flow. But we want to limit an individual visitor to a max time or max data per day so that they don't just come in and sit on our Wifi all day long.
Good one. Yes quota exist. Good topic!
So I was setting a TZ370 up in a office but they already had a building wifi that was static so it won't let me search the IP in the URL. Do I need to change the IP address?
I can't get the part around 7:30 to work. My firewall can't get an IP address from the DHCP server. If I look though the logs, it keeps saying "Retransmitting DHCP DISCOVER", "Network for interface X1 overlaps with another interface", and occasionally "DHCP Server not available. Did not get any DHCP OFFER". For the life of me I can't get the MAC address of the firewall to show up in any ARP table on the network. The light on the port is green so its connected, but nothing will talk to it.
Looks like you used, for instance, 192.168.1.1 as the IP of the firewall in your LAN (X0) and that your ISP is trying to give you an IP in the same subnet (192.168.1.x) on you WAN (x1).
Best would be to call your ISP so that they put their router/modem thing in pass through mode so that your sonicwall gets the read WAN ip.
Or quick fix could be to use something else than 192.168.1.x on you LAN. Like 192.168.10.1
Hi. Is there any way where the i can create multiple VLAN under same Port and Assign IP within same subnet but with different VLAN ID.?
I never tried as it could get pretty confusing and cause routing issues. I would advice to not do that
@@JeanPierTalbot Sure. Will go with diffrent subnets. Thanks
What if you have more VLANS than interfaces? Router on a stick type of setup or L3 Switch
You can look at data sheet you will find the maximum quantity of vlan supported. That number is much larger than the amount of interfaces on the appliance
I bought a TZ 350W and my issue is that is not using all the available bandwidth. The internet is 300mbs and the speed test says 90mbs. The ISP router is fine, I connected the laptop to it and ran a test and I got all the speed. I went to the Zones, then the WAN and LAN and disabled the security, set performance optimized on another menu. Still getting the same speed. 😩
Hi Jerry.
You checked pretty much everything I would have thought about. Give a call to support.
Thanks
Jean, can I do this setup with out product register? my nfr could not be registred in my account.
not really. NFR are reserved for reseller and can only be registered in a reseller account.
@@JeanPierTalbot yes, I had to ask for sonicwall guys change my account. It works now!
I'm trying to setup dhcp server for one of my vlans on my sonicwall but my devices are getting ip addresses from the default scope. What would I need to do to have them get ip from dhcp scope for the vlan?
It’s generally pretty simple. Only thing I can think of is that your traffic does not arrive to the firewall with the VLAN tag. So you get an IP from the interface itself (no vlan)
Generally speaking, laptop are not sending their network traffic with a tag. You would need a special software or something to send traffic from your laptop with a vlan tag, unless you use a managed switch in the middle to add a tag. IP phone for instance have that capability built in.
@@JeanPierTalbot or put a switch between the PC and FW. PC to sw [vlan x] and sw [trunk] to fw. Then the sw will tag the traffic to the fw. If you have a sw between the Fw and your laptop, and the sw is doing L3, your SVI for the PC vlan may need DHCP helper address.
Yea - I was the 1k Like
Awesome! Lol!
Where did you get the ip at 20:45 where is that coming from?
I created a new network. So I pick any IP I wanted from private ip subnet (192.168.0.0/16, 172.16 to 32 et 10.0.0.0/8)
Love the tutorial's. @time stamp 12:52 “change password”, wouldn’t it also be better to change de “admin” name at the same time and set “Admin/user lockout”.
Sure, you can always do better. This is a basic tutorial. You could also turn on 2FA on the management
www.sonicwall.com/support/knowledge-base/how-to-configure-two-factor-authentication-using-totp-for-https-management/190201153847934/
@@JeanPierTalbot I have 2FA enabled too.
@@JeanPierTalbot Hello !! i need help on a SonicWall SOHO can you help me ?
I need some help for SonicWall Tz500 configuration
hopefully my videos will be helpful.
otherwise, I see 3 options:
(1) SonicWall support is there to help. but they wont set it up for you. they can help if you are stuck somewhere. you configure a feature but is does not work. that's support.
(2) SonicWall offers ($) a Remote Installation Service (RIS) that is delivered by a sonicwall certified reseller to performe RIS. Someone will, remotely, set it up for you with the features you want enabled.
(3) If you want someone to configure it for you, on site, email me. ill put you in touch with a reseller that offer professional services ($) and will be able to set it for you.
Helll Guys,
Does anyone know if the NSA 2700 have PoE ports or maybe disabled by default?
I've been trying to plug my Unifi AP on one of the ports and it doesn't give out any link or connection, no LED lights.
NSa 2700 does not have POE ports.
Thanks
@@JeanPierTalbot thanks so much for the info, I'll just have to use a PoE switch for the APs to connect...
If I'm not mistaken then VLANs would still work as long as the SonicWall port and the AP VLANs are tagged the same and the switch is just past through plug and play.
i wish these translated to DELL's version... I can't get anything to talk through the ports nothing but errors and no native bridge
Sonicwall is not owned by Dell since 2016, 7 years ago. I think it is time to upgrade. I have things I keep until they die, but security product that don’t get any updates for years, they have to go. :-)
How sonicfirewall can be configured over broadband connection
It's TZ 270
hi,
under X1 interface, turn on HTTPS management so you (and the entire world) will be able to have access to the manage interface of the firewall from the outside. a strong password is obviously recommended as well as setting up 2FA www.sonicwall.com/support/knowledge-base/how-to-configure-two-factor-authentication-using-totp-for-https-management/190201153847934/
can you share link for the VM firewall? not able to find it in the sonicwall website after login>trial software. there is no trial software link on the website as of now.
I can see it. Mysonicwall.com, product management, trial software.
You should have sonicwall NSv 270
If not, email your local sonicwall team. If you don’t know them, email me, I’ll introduce you
@@JeanPierTalbot Thanks, not showing for account registered with personal email id. If using org email id then it is showing :)
Can anyone help me with configuration of fortigate to sonicwall ipsec vpn tunnel
If you have setup your VPN and it does not work, you can reach to sonicwall tech support.
Try to ensure fortigate is the one trying to build the VPN to sonicwall. That way the sonicwall will show plenty of logs as to why the VPN does not build.
If it’s the other way around (sonicwall initiating VPN to fortigate) all you will see on the sonicwall is something like « IPSec phase1 rejected by remote peer » and all valuable info as to why it didn’t work will be in fortinet logs.
I want video arabi
I understand. I which I could speak all languages people ask, but I can only do French and English.
Man you sure do miss a lot of steps, and you do a lot do videos on theee. Like at 8:17 you put in the access code and o know it says email or authentication app but I’m not getting a email or anything from my Microsoft and Google apps. You just floated right by one of the most important steps.
You do that a lot👎🏽
Yes there are things I take for granted, like I don’t explain what is a subnet mask and other basic IT stuff.
For the 2FA, in your mysonicwall.com account, you have that setting. It can be off or on with either email or an authentication thing my Google or MS Authenticator. I believe the default it with your email. So if you don’t get it, check you spam or junk box.