SonicWall Global Management System MANAGE External IDS Administration



Contents

Overview  3
Configuring External IDS  4
  User Interface  4
  External IDS Status  5
    Status  5
    Enabling External IDS  5
    Filtering Traffic to the EIDS  6
SonicWall Support  7
About This Document  8

Global Management System 9.3 Administration

1 Overview

This document provides the configuration information necessary for setting up and testing the SonicWall External Intrusion Detection System (EIDS). It also describes how to configure a third-party Intrusion Detection System (IDS) on a SonicWall EIDS virtual appliance.

In this document, the third-party IDS Snort is used in the configuration examples, and OinkMaster is used for testing. Links to their Web sites are as follows:

• Snort: https://www.snort.org
• OinkMaster: http://oinkmaster.sourceforge.net

This document does not cover the details of the Snort software. Refer to the original user documentation for detailed information about Snort and other third-party IDSs.

The EIDS virtual appliance is deployed as a virtual machine and can be installed on either the VMware or Hyper-V platform. The VMware or Hyper-V server that hosts the EIDS virtual appliance should be connected to a firewall, usually through a switch.

A third-party IDS can be installed into a software container on the EIDS virtual appliance. The software container is an isolated user-space instance that separates the IDS from the EIDS host system. You can install a third-party IDS, such as Snort, into the EIDS software container and give users login access to the software container; those users cannot access the EIDS operating system.

You can use SSH to access the EIDS software container and perform CLI configuration.

2 Configuring External IDS

Topics:
• User Interface
• External IDS Status

User Interface

The External Intrusion Detection System (EIDS) User Interface (UI) is integrated into GMS, and it appears in the firewall navigation panel under Security as External IDS. External IDS is visible and accessible only when the EIDS product has been licensed. See External IDS Settings.

From this page, you can:
• Enable and monitor a third-party IDS
• Configure a third-party IDS

Until the EIDS is fully enabled, only the External IDS Status section is visible.

External IDS Status

Topics:
• Status
• Enabling External IDS
• Filtering Traffic to the EIDS

Status

The Status section displays the state of the required External IDS license and its expiration date.

Settings

The Settings section allows you to forward traffic to an external IDS appliance (configured under Network Interfaces), link the EIDS, and configure the firewall interface used for the EIDS.

After the EIDS is enabled, traffic passing through the firewall is mirrored to the EIDS, and you can begin using the management functions.

Traffic Filter

The Traffic Filter section allows you to control which traffic is mirrored to the EIDS by letting you select the source and destination interfaces, the source and destination address objects, and the service objects you want.

Enabling External IDS

To enable External IDS on the firewall:

1 On the Status page, in the Settings panel, select Forward traffic to External IDS.
2 From the Ext.IDS Interface drop-down menu, select the firewall interface that you want. A VLAN interface is created on the same port for the mirrored traffic.
  NOTE: This setting affects the interface configuration of other co-processor appliances, including the WXAs used for WAN Acceleration.
3 Click Accept for the change to take effect.

The firewall now probes for and discovers the EIDS. You can force the probe to hasten its detection of the EIDS by clicking Probe.

Filtering Traffic to the EIDS

To select the interfaces and ports you want to use to filter traffic to the EIDS:

1 From the Source Interfaces drop-down menu, select the source interfaces through which traffic is passing that should be mirrored to the EIDS. The default is any, which means traffic entering on all interfaces is mirrored.
2 From the Destination Interfaces drop-down menu, select the destination interfaces through which traffic is passing that should be mirrored to the EIDS. The default is any, which means traffic leaving on all interfaces is mirrored.
3 Source Addresses: the address object or group that contains the source IP addresses where the packets originate.
4 Destination Addresses: the address object or group that contains the destination IP addresses for the packets.
5 Service Object: the service object that contains the service ports for the traffic to be mirrored.
6 If you want to explicitly include SSL traffic, select one, two, or all three of the following checkboxes:
  • Include SSL-VPN traffic
  • Include DPI-SSL traffic
  • Include SonicOS traffic
  When you select the SSL traffic that you want to explicitly include, that SSL traffic is decrypted so that it can be inspected by the EIDS and alerts can be triggered. Because the decrypted copy leaves the firewall over the Ext.IDS interface, treat that mirror link and the EIDS itself as handling sensitive plaintext.
  The Include DPI-SSL traffic option depends on DPI-SSL. You must have the DPI-SSL license and enable client DPI-SSL before you can use this option.
7 Click Update.

With the defaults (any source interface, any destination interface, no address or service restriction), all traffic passing through the firewall is mirrored, so narrow the filter to the segments and services the EIDS is actually meant to inspect.
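Once the Traffic Filter is in place, a practitioner wants to confirm that what arrives on the EIDS mirror interface is exactly what the filter describes: nothing is missing, and nothing outside the filter (stray protocols, unexpected source ranges, unrequested services) is being copied to the IDS. The following script is an added example and is not SonicWall's or the EIDS product's own code. It assumes you captured plain text from the mirror interface inside the EIDS software container with something like `tcpdump -nn -i <mirror-interface>` (the interface name is whatever the VLAN created in step 2 above appears as in the container) and that Python is available there; the filter values (10.10.1.0/24 to any, TCP 80/443) and the capture lines are constructed for illustration.

```python
"""Audit a tcpdump capture from the EIDS mirror interface against a GMS Traffic Filter.

Added example, not SonicWall code. Assumes text output of ``tcpdump -nn`` taken inside the
EIDS container; the filter values and capture lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class TrafficFilter:
    """Mirror of the GMS Traffic Filter fields. None stands for the GMS default 'any'."""
    source_nets: Optional[Tuple[ipaddress.IPv4Network, ...]]   # Source Addresses object/group
    dest_nets: Optional[Tuple[ipaddress.IPv4Network, ...]]     # Destination Addresses object/group
    service_ports: FrozenSet[int]                              # ports in the Service Object
    protocol: str = "tcp"                                      # protocol of the Service Object


# Hypothetical filter: mirror TCP 80/443 from the 10.10.1.0/24 LAN to any destination.
EXAMPLE_FILTER = TrafficFilter(
    source_nets=(ipaddress.ip_network("10.10.1.0/24"),),
    dest_nets=None,
    service_ports=frozenset({80, 443}),
)

# Constructed sample of tcpdump -nn output (IPv4 TCP and UDP) plus one junk line.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.10.1.25.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.443 > 10.10.1.25.51000: Flags [S.], seq 7, ack 2, win 65535, length 0
12:00:02.000001 IP 10.10.1.30.51002 > 203.0.113.20.80: Flags [P.], seq 1:101, ack 1, win 64240, length 100
12:00:03.000001 IP 10.10.1.40.5353 > 224.0.0.251.5353: UDP, length 45
12:00:04.000001 IP 192.168.50.5.40000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:05.000001 IP 10.10.1.25.51003 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
not a packet line
"""

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>"; TCP lines carry "Flags [...]", UDP lines "UDP, length N".
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

Packet = Tuple[ipaddress.IPv4Address, int, ipaddress.IPv4Address, int, str]


def parse_line(line: str) -> Optional[Packet]:
    """Return (src, sport, dst, dport, proto), or None if the line is not an IPv4 TCP/UDP packet."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = "udp" if m["rest"].startswith("UDP") else "tcp"
    return (ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]), proto)


def _in_nets(addr: ipaddress.IPv4Address, nets) -> bool:
    # 'any' (None) matches every address; otherwise the address must fall in one of the networks.
    return nets is None or any(addr in net for net in nets)


def packet_in_filter(pkt: Packet, flt: TrafficFilter) -> bool:
    """True if this packet is one the Traffic Filter should have mirrored.

    Mirroring delivers both directions of a flow, so reply packets carry the service port
    as their source port and the filter's source addresses as their destination.
    """
    src, sport, dst, dport, proto = pkt
    if proto != flt.protocol:
        return False
    ports_ok = sport in flt.service_ports or dport in flt.service_ports
    forward = _in_nets(src, flt.source_nets) and _in_nets(dst, flt.dest_nets)
    reverse = _in_nets(dst, flt.source_nets) and _in_nets(src, flt.dest_nets)
    return ports_ok and (forward or reverse)


def audit_capture(text: str, flt: TrafficFilter) -> dict:
    """Count packets inside the filter and list the ones that should not have reached the EIDS."""
    report = {"matched": 0, "unexpected": [], "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt is None:
            report["unparsed"] += 1
        elif packet_in_filter(pkt, flt):
            report["matched"] += 1
        else:
            report["unexpected"].append(line.strip())
    return report


if __name__ == "__main__":
    result = audit_capture(SAMPLE_CAPTURE, EXAMPLE_FILTER)
    print(f"matched {result['matched']}, unparsed {result['unparsed']}")
    for entry in result["unexpected"]:
        print("UNEXPECTED:", entry)
```

Run against the constructed capture, the audit accepts the three HTTP/HTTPS packets (including the reply from port 443 back to the LAN host) and flags the mDNS datagram, the connection from a source outside 10.10.1.0/24, and the SSH attempt, none of which the filter above should have mirrored. Seeing such packets on a real mirror link means either the filter in GMS is wider than intended or another setting (for example the default any/any interfaces) is still in effect.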

3 SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.

The Support Portal enables you to:
• View knowledge base articles and technical documentation
• View and participate in the Community forum discussions
• View video tutorials
• Access MySonicWall
• Learn about SonicWall professional services
• Review SonicWall Support services and warranty information
• Register for training and certification
• Request technical support or customer service

To contact SonicWall Support, visit

About This Document

Legend

NOTE: A NOTE icon indicates supporting information.
IMPORTANT: An IMPORTANT icon indicates supporting information that may need a little extra attention.
TIP: A TIP indicates helpful information.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

Global Management System External IDS Administration
Updated - November 2020
Software Version - 9.3
232-005189-00 RevB

Copyright 2020 SonicWall Inc. All rights reserved.

The information in this document is provided in connection with SonicWall and/or its affiliates' products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserve the right to make changes to specifications and product descriptions at any time without notice. SonicWall and/or its affiliates do not make any commitment to update the information contained in this document.

For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement

To view the SonicWall End User Product Agreement, go to:

Open Source Code

SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to "SonicWall Inc.", to:

General Public License Source Code Request
SonicWall Inc. Attn: Jennifer Anderson
1033 McCarthy Blvd
Milpitas, CA 95035
