I recently installed a brand new TZ215W at a new customer.  I loaded the latest 5.9.x firmware (which I have used on other Sonicwall’s) and didn’t see any issues.  But I did try something new and that is the “one touch” security config button that you see on the Settings page.  I’ve never used it before and I thought, “what the hell, I’ll give it a shot”.  What the hell, indeed …

Right from the get go the firewall gave me problems with passing PPTP traffic through to the Windows server on the LAN.  In fact, it would not pass the traffic at all  No matter what I tried the firewall blocked at least the GRE portion of the connection.  I even had Sonicwall support look at the problem with absolutely zero success (the support engineer didn’t strike me as having much of a clue).

In the end I blew the firewall away, reloaded with 5.8 firmware and rebuilt (it was a simple config, anyway) and, surprise, surprise, it all worked!  Of course I did NOT try the “one touch” config again (not even sure if that exists in 5.8 and I can’t be certain if the PPTP/GRE problem was a result of 5.9 OR of the One Touch config but, either way, it is something to be wary of.  I’ll do some more testing when I can of 5.9 firmware and PPTP but, for now, consider this a caution.  And don’t use the One Touch config unless you are 100% certain of the settings it makes.  While it is a great idea in theory it may not work for you in practice.

Sonicwall firmware and the “one touch security config” (5.9.x), caution!
Tagged on:         

One thought on “Sonicwall firmware and the “one touch security config” (5.9.x), caution!

  • The One-Touch setting feature is a little bit dangerous as you mentioned, especially if you opt for the “One-Touch DPI and Stateful Firewall” one.

    From the GUI you can get a list on what is really activated as below, where I have done some comments all starting with “[Dennis:]”

    FROM THE GUI:

    Using the One-Touch DPI and Stateful Firewall high security applies the following configurations to the system. A system restart is then required for the updates to take full effect.

    System>Administration

    Password must be changed every 90 days
    Bar repeated password changes for 4 changes
    Enforce password complexity: Require alphabetic, numeric and symbolic characters
    Apply the above password constraints for: all user categories

    [Dennis: If you have Guest accounts this will in certain cases clash with the passwords automatically created]

    Enable administrator/user lockout
    Failed Login attempts per minute before lockout: 7
    Enable inter-administrator messaging
    Inter-administrator Messaging polling interval (seconds): 10

    Network>Interfaces

    Any interface allowing HTTP management is replaced with HTTPS Management
    Any setting to ‘Add rule to enable redirect from HTTP to HTTPS’ is disabled
    Ping Management is disabled on all interfaces

    Network>Zones

    Intrusion Prevention is enabled on all applicable default Zones
    Gateway Anti-Virus protection is enabled on all applicable default Zones
    Anti-Spyware protection is enabled on all applicable default Zones
    App Rules is enabled on all applicable default Zones
    SSL Control is enabled on all default Zones

    Network>DNS

    Enable DNS Rebinding protection
    DNS Rebinding Action: Log Attack & Drop DNS Reply

    Firewall>Access Rules

    Any Firewall policy with an Action of Deny, the Action is changed Discard
    Source IP Address connection limiting with a threshold of 128 connections is enabled for all firewall policies

    Firewall>App Rules

    If licensed, the Enable App Rules setting is turned on

    Firewall Settings>Advanced

    Turn on Enable Stealth Mode
    Turn on Randomize IP ID
    Turn off Decrement IP TTL for forwarded traffic
    Connections are set to: DPI Connections (DPI services enabled with additional performance optimizations)
    Turn on Enable IP header checksum enforcement
    Turn on Enable UDP checksum enforcement

    Firewall Settings>Flood Protection

    Turn on Enforce strict TCP compliance with RFC 793 and RFC 1122

    [Dennis: This setting will sometimes create very hard to troubleshoot issues, I have seen HP Procurve switch GUI getting weird, seen this affect certain FTP-sites performance etc.]

    Turn on Enable TCP handshake enforcement
    Turn on Enable TCP checksum enforcement
    Turn on Enable TCP handshake timeout
    SYN Flood Protection Mode: Always proxy WAN client connections

    Firewall Settings>SSL Control

    Turn on Enable SSL Control
    Set Action to: Block connection and log the event
    For Configuration, enable all categories

    [Dennis: SSL Control with these settings will reset any connection with a site using self-signed certificates]

    VPN>Advanced

    Turn on Enable IKE Dead Peer Detection
    Turn on Enable Dead Peer Detection for Idle VPN sessions
    Turn on Enable Fragmented Packet Handling
    Turn on Ignore DF (Dont Fragment) Bit
    Turn on Enable NAT Traversal
    Turn on Clean up Active tunnels when Peer Gateway DNS name resolves to a different address
    Turn on Preserve IKE port for Pass Through Connections

    Security Services>Gateway Anti-Virus

    If licensed, Enable Gateway Antivirus
    Configure Gateway AV Settings: Turn on Disable SMTP Responses
    Configure Gateway AV Settings: Turn off Disable detection of EICAR test virus
    Configure Gateway AV Settings: Turn on Enable HTTP Byte-Range requests with Gateway AV
    Configure Gateway AV Settings: Turn on Enable FTP REST request with Gateway AV
    Configure Gateway AV Settings: Turn off Enable HTTP Clientless Notification Alerts

    Security Services>Intrusion Prevention

    If licensed, Enable IPS
    Turn on Prevent All and Detect All for High Priority Attacks
    Turn on Prevent All and Detect All for Medium Priority Attacks
    Turn on Prevent All and Detect All for Low Priority Attacks

    [Dennis: This setting was probably what killed your PPTP session, since a lot of “good” traffic is marked as LOW Prio. Preventing LOW Prio events will kill ICMP, MS Remote Access etc too]
    Security Services>Anti-Spyware

    If licensed, Enable Anti-Spyware
    Turn on Prevent All and Detect All for High Priority Attacks
    Turn on Prevent All and Detect All for Medium Priority Attacks
    Turn on Prevent All and Detect All for Low Priority Attacks
    Configure Anti-Spyware Settings: Turn on Disable SMTP Responses
    Configure Anti-Spyware Settings: Turn off Enable HTTP Clientless Notification Alerts

    AppFlow>Flow Reporting

    Turn on Send AppFlow To Local Collector
    Turn on Enable Real-Time Data Collection

    Log>Log Monitor

    Set Logging Level: Debug

    Log>Name Resolution

    Set Name Resolution Method to: DNS then NetBIOS

    Internal Settings

    Turn on Protect against TCP State Manipulation DoS
    Turn on Apply IPS Signatures Bidirectionally
    Allow launching of AppFlow Monitor in a stand-alone browser frame
    Enable Visualization UI for Non-Admin/Config users

Leave a Reply

Your email address will not be published. Required fields are marked *