
SonicOS 7.0 Internal Wireless Administration Guide

SonicWall Inc.


Contents

Wireless Overview
  Device Support
  Compliance
    FCC U-NII New Rule Compliance
    RED Compliance
  Considerations for Using Wireless Connections
    Recommendations for Optimal Wireless Performance
  Adjusting the Antennas
  Wireless Node Count Enforcement
  About MAC Address Filtering
Status
  WLAN Settings
  WLAN Statistics
  WLAN Activities
  Station Status
Settings
  Access Point
    Wireless Settings
    Wireless Virtual Access Point
  Wireless Station
    Wireless Settings
    Advanced Radio Settings
  Access Point & Station
    Wireless Settings
    Wireless Virtual Access Point
    Station Setting
Security
  About Authentication
  Configuring the WEP Settings
  Configuring WPA3/WPA2/WPA PSK Settings
  Configuring WPA3/WPA2/WPA EAP Settings
Advanced
  Beaconing and SSID Controls
  Green Access Point
  Advanced Radio Settings
  Configurable Antenna Diversity
MAC Filter List
  Deployment Considerations
  Configuring MAC Filter List
IDS - Wireless Intrusion Detection Service
  Access Point IDS
  Rogue Access Points
  Configuring IDS Settings
  Discovered Access Points
  Authorizing Access Points on Your Network
Virtual Access Point
  Wireless Virtual AP Configuration Task List
  Virtual Access Point Profiles
  Virtual Access Point Schedule Settings
  Virtual Access Point Profile Settings
  ACL Enforcement
  Virtual Access Point Objects
  VAP General Settings
  VAP Advanced Settings
  Virtual Access Point Groups
  Enabling the Virtual Access Point Group
SonicWall Support
  About This Document

1
Wireless Overview
Only SonicWall wireless security appliances (TZ wireless platforms) display the pages under DEVICE | Internal Wireless for configuring wireless settings on the appliance. The SonicWall wireless security appliances support wireless protocols IEEE 802.11a, 802.11ac, 802.11b, 802.11g, and 802.11n and send data through radio transmissions. These transmissions are commonly known as Wi-Fi or wireless.

The SonicWall wireless security appliance combines three networking components to offer a fully secure wireless firewall: an Access Point, a secure wireless gateway, and a stateful firewall with flexible NAT and VPN termination as well as initiation capabilities. With this combination, the wireless security appliance offers the flexibility of wireless without compromising network security.

Typically, the wireless security appliance is the access point for your wireless LAN and serves as the central access point for computers on your LAN. In addition, it shares a single broadband connection with the computers on your network. Because the wireless security appliance also provides firewall protection, intruders from the Internet cannot access the computers or files on your network. This is especially important for an "always-on" connection such as a DSL or T1 line that is shared by computers on a network.

However, wireless LANs are vulnerable to "eavesdropping" by other wireless networks, which means you should establish a wireless security policy for your wireless LAN. On the wireless security appliance, wireless clients connect to the Access Point layer of the firewall. Instead of bridging the connection directly to the wired network, wireless traffic is first passed to the Secure Wireless Gateway layer where the client is required to be authenticated through User Level Authentication. Wireless access to Guest Services and MAC Filter Lists are managed by the wireless security appliance.

If all of the security criteria are met, wireless network traffic can then pass through one of the following distribution systems:
• LAN
• WAN
• Wireless Client on the WLAN
• DMZ or other zone
• VPN tunnel

See the following topics for more information about using SonicWall wireless security appliances.


Topics:
• Device Support
• Compliance
• Considerations for Using Wireless Connections
• Adjusting the Antennas
• Wireless Node Count Enforcement
• About MAC Address Filtering

See the following topics for information about using the SonicOS 7.0 Internal Wireless web management pages.
• Status
• Settings
• Security
• Advanced
• MAC Filter List
• IDS - Wireless Intrusion Detection Service
• Virtual Access Point

Device Support
Internal Wireless functionality and settings are supported on the following wireless network security appliances (firewalls) running SonicOS 7.0:
• TZ270W
• TZ370W
• TZ470W
• TZ570W

Compliance
The wireless devices are required to comply with various requirements for sale and use of these devices in specific areas. For the latest information about regulatory approvals and restrictions for SonicWall wireless devices, see the Technical Documentation pages for your product at https://www.sonicwall.com/support/technical-documentation. Each device has a unique regulatory document that provides the relevant information.
FCC U-NII New Rule Compliance
FCC U-NII (Unlicensed National Information Infrastructure) New Rule (Report and Order ET Docket No. 13-49) is supported on TZ series wireless appliances. To comply with FCC New Rules for Dynamic Frequency Selection (DFS), a TZ wireless appliance detects and avoids interfering with radar signals in DFS bands.


RED Compliance
The Radio Compliance Directive (RED) is supported on the TZ series wireless appliances. RED (2014/53/EU) sets essential requirements for safety and health, electromagnetic compatibility and the efficient use of the radio spectrum.

Considerations for Using Wireless Connections

When evaluating wireless versus wired connections, consider the advantages and disadvantages given your infrastructure and environment:

Mobility | Is your network mostly used by laptop computers, tablets or smartphones? Wireless is more portable than wired connections.
Convenience | Wireless networks do not require cabling to individual computers or opening computer cases to install network cards.
Speed | If highest network speed is important to you, you might want to consider using Ethernet connections rather than wireless connections.
Range and Coverage | If your network environment contains numerous physical barriers or interference factors, wireless networking might not be suitable for your network.
Security | Wireless networks have inherent security issues because of the unrestricted nature of the wireless transmissions. However, the wireless security appliance is a firewall and has NAT capabilities, which provide security, and you can use WPA or WPA2 to secure data transmissions.

Recommendations for Optimal Wireless Performance
SonicWall recommends the following for optimal wireless performance:
• Place the wireless security appliance near the center of your intended network. This reduces the possibility of eavesdropping by neighboring wireless networks.
• Minimize the number of walls or ceilings between the wireless security appliance and the receiving points such as PCs or laptops.
• Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
• Building construction can affect wireless performance.
    • Avoid placing the wireless security appliance near walls, fireplaces, or other large solid objects.
    • Placing the wireless security appliance near metal objects such as computer cases, monitors, and appliances can affect performance of the unit.
    • Metal framing, UV window film, concrete or masonry walls, and metallic paint can reduce signal strength if the wireless security appliance is installed near these types of materials.
• Installing the wireless security appliance in a high place can help avoid obstacles and improve performance for upper stories of a building.
• Neighboring wireless networks and devices can affect signal strength, speed, and range of the wireless security appliance.
• Devices such as cordless phones, radios, microwave ovens, and televisions might cause interference on the wireless security appliance.

Adjusting the Antennas
The antennas on the wireless security appliance can be adjusted for the best radio reception. Begin with the antennas pointing straight up, and then adjust as necessary. Note that certain areas, such as the area directly below the wireless security appliance, get relatively poor reception. Pointing the antenna directly at another wireless device does not improve reception. Do not place the antennas next to metal doors or walls as this can cause interference.
NOTE: Be sure to connect antennas to the appliance before enabling the wireless radio.
Wireless Node Count Enforcement
Users connecting to the WLAN or connecting through the SonicWall GroupVPN are not counted toward the node enforcement on the SonicWall wireless network appliance. Only users on the LAN and non-Wireless zones are counted toward the node limit. The Station Status table lists all the wireless nodes connected.
About MAC Address Filtering
The SonicWall wireless security appliance networking protocol provides native MAC address filtering capabilities. When MAC address filtering is enabled, filtering occurs at the 802.11 layer and wireless clients are prevented from authenticating and associating with the wireless access point. Because data communications cannot occur without authentication and association, access to the network cannot be granted until the client has given the network administrator the MAC address of their wireless network card.


2

Status

The DEVICE | Internal Wireless > Status page provides status information for the wireless network, including wireless radio status and client station information.
NOTE: The Internal Wireless > Status page applies only to wireless platforms. See Device Support for the list of supported platforms. The pages in the Internal Wireless menu group vary depending on the Radio Role selected on the Internal Wireless > Settings page.
The Internal Wireless > Status page displays these tables:
• WLAN Settings
• WLAN Statistics
• WLAN Activities

WLAN Settings

In the Internal Wireless > Status page, the WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table provide hyperlinks to their respective pages for configuration.

NOTE: The displayed settings vary depending on the Radio Role selected on the Internal Wireless > Settings page.

WLAN SETTINGS

WLAN Settings | Value
WLAN | Enabled (Active) or Disabled (Inactive); click the Edit link to open the Internal Wireless > Settings page to configure this setting.
SSID | Service Set Identifier for wireless network identification; click the Edit link to open the Internal Wireless > Settings page to configure this setting.
Primary BSSID | MAC address / serial number of the wireless security appliance
Primary IP Address | IP address of the wireless interface
Primary Subnet Mask | Netmask of the wireless subnet; this designates the network portion of the IP address
Regulatory Domain | FCC - North America for domestic appliances; MKK - Japan for Japanese appliances; ETSI - Europe for international appliances
Channel | Channel number selected for transmitting wireless signal; click the Edit link to open the Internal Wireless > Settings page to configure this setting.
Radio Tx Rate | Wireless data transmission rate, Best or one of a dozen possible values in Mbps; click the Edit link to open the Internal Wireless > Advanced page to configure this setting.
Radio Tx Power | Current power level of the radio signal transmission, Full Power or one of several other settings; click the Edit link to open the Internal Wireless > Advanced page to configure this setting.
Primary Security | Encryption settings for user authentication to the wireless radio, or Disabled; click the Edit link to open the Internal Wireless > Security page to configure this setting.
MAC Filter List | Indicates whether a custom Allow list and/or Deny list of client wireless devices (MAC addresses) is Enabled or Disabled. Click the Edit link to open the Internal Wireless > MAC Filter List page to configure this setting.
Wireless Guest Services | Enabled or Disabled. Guest Services can be enabled or disabled under Object > Zones, by editing the zone and updating the settings on the Guest Services screen of the dialog.
Intrusion Detection | Enabled or Disabled. Click the Edit link to open the Internal Wireless > IDS page to configure this setting.
Wireless Firmware | Firmware version on the radio card.
Associated Stations | Number of clients associated to the wireless security appliance, and the maximum number of supported wireless associations for this appliance.
Radio Mode | Current mode of the radio signal transmission, including: Type - 2.4GHz or 5GHz radio frequency band; Protocol - 802.11 a, b, g, n, ac, or a combination indicated by '/'; Mixed or Only - Mixed if multiple protocols are supported by the radio, Only if the radio mode is configured to connect only to devices using a specific single protocol. Click the Edit link to open the Internal Wireless > Settings page to configure this setting.


WLAN Statistics

In the Internal Wireless > Status page, the WLAN Statistics table lists all of the traffic sent and received between the appliance wireless radio and the wireless client devices. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic.

WLAN STATISTICS

Wireless Statistics | Rx/TX
Good Frames | Number of allowed frames received and transmitted.
Bad Frames | Number of frames that were dropped.
Good Bytes | Total number of bytes in the good frames.
Management Frames | Number of management frames received and transmitted.
Control Frames | Number of control frames received and transmitted.
Data Frames | Number of data frames received and transmitted.

WLAN Activities

In the Internal Wireless > Status page, the WLAN Activities table summarizes the history of wireless client connections to the SonicWall wireless security appliance.

WLAN ACTIVITIES

Wireless Activities | Value
Associations | Number of wireless clients that have connected to the wireless security appliance.
Disassociations | Number of wireless clients that have disconnected from the wireless security appliance.
Reassociations | Number of wireless clients that were previously connected that have reconnected.
Authentications | Number of wireless clients that have been authenticated.
Deauthentications | Number of authenticated clients that have disconnected.
Discards Packets | Number of discarded packets.
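
An added example, not part of the SonicWall guide: the code below compares successive readings of the WLAN Statistics and WLAN Activities counters, treats a counter that goes backwards as a radio restart, and flags intervals in which dropped frames or deauthentications climb. It assumes the counters are running totals; the key names, the snapshot values and both thresholds are constructed for illustration and are not appliance output.

```python
# Counter names mirror the rows of the WLAN Activities and WLAN Statistics
# tables; how the readings are collected is outside the scope of this example.
ACTIVITY = ("associations", "disassociations", "reassociations",
            "authentications", "deauthentications", "discards")
FRAMES = ("good_frames_rx", "bad_frames_rx")
COUNTERS = ACTIVITY + FRAMES

# Assumed alert thresholds; tune them against a baseline from your own site.
MAX_BAD_FRAME_RATIO = 0.10   # dropped / (allowed + dropped) received frames
MAX_EXCESS_DEAUTHS = 20      # deauthentications beyond new authentications


def _snap(*values):
    """Build one snapshot dictionary from values given in COUNTERS order."""
    return dict(zip(COUNTERS, values))


# Constructed sample readings, five minutes apart. The last one simulates a
# radio restart (for example after a Radio Role change), so totals start over.
SAMPLE_SNAPSHOTS = [
    ("09:00", _snap(210, 125, 12, 200, 120, 30, 100000, 2000)),
    ("09:05", _snap(216, 129, 13, 206, 124, 33, 112000, 2300)),
    ("09:10", _snap(220, 196, 15, 209, 190, 71, 118000, 4100)),
    ("09:15", _snap(2, 0, 0, 2, 0, 0, 900, 10)),
]


def interval_delta(prev, curr):
    """Return (delta, restarted) for two readings of the running totals.

    If any counter went backwards, the totals are assumed to have restarted
    from zero, so the current values are themselves the change.
    """
    restarted = any(curr[name] < prev[name] for name in COUNTERS)
    if restarted:
        return {name: curr[name] for name in COUNTERS}, True
    return {name: curr[name] - prev[name] for name in COUNTERS}, False


def review_interval(delta):
    """Return the alert names raised by one interval's changes."""
    alerts = []
    received = delta["good_frames_rx"] + delta["bad_frames_rx"]
    if received and delta["bad_frames_rx"] / received > MAX_BAD_FRAME_RATIO:
        alerts.append("bad-frame-ratio")
    # Clients are leaving the authenticated state much faster than they join.
    if delta["deauthentications"] - delta["authentications"] > MAX_EXCESS_DEAUTHS:
        alerts.append("deauthentication-surge")
    return alerts


def scan(snapshots):
    """snapshots: [(label, counters)] in time order. Returns [(label, alerts)]."""
    report = []
    for (_, prev), (label, curr) in zip(snapshots, snapshots[1:]):
        delta, restarted = interval_delta(prev, curr)
        alerts = review_interval(delta)
        if restarted:
            alerts.insert(0, "counters-reset")
        report.append((label, alerts))
    return report


if __name__ == "__main__":
    for label, alerts in scan(SAMPLE_SNAPSHOTS):
        print(label, ", ".join(alerts) or "ok")
```
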


Station Status

In the Internal Wireless > Status page, the Station Status screen displays information about wireless client devices currently associated with the wireless security appliance.

STATION STATUS

Wireless Information | Description
Station | The name of the wireless client device
MAC Address | The hardware address of the wireless network card on the client device
Vendor | The vendor who manufactured the client station
SSID | The service set identifier of the wireless radio to which the client station is connected
Authenticated | Status of the client authentication
Associated | Status of the wireless association between the client station and the SonicWall wireless appliance
AID | Association ID, assigned by the security appliance
Signal | Strength of the radio signal
Connect Rate | Speed of the connection between client station and wireless appliance, generally in Mbps
Timeout | Number of seconds left in the session
Configure | Options for controlling the client station:
    • Allow the station to connect to the security appliance and add it to the Allow MAC Filter List.
    • Block the station from connecting to the security appliance and add it to the Deny MAC Filter List.
    • Logout and disassociate the station from the security appliance.

3
Settings
You can set up the Wireless Radio Mode of your wireless appliance as an access point, a wireless distribution system (WDS) station, or as an access point and a WDS station.

To configure the Wireless Radio Mode for the 802.11 wireless antenna:
1. Navigate to DEVICE | Internal Wireless > Settings.
2. Choose the Radio Role you want your wireless appliance to perform.

IMPORTANT: Changing from one mode to the other drops clients and might require a reboot.
NOTE: The options on the page change depending on which Radio Role you choose.

The following sections describe how to configure your device for each Radio Role option:
• Access Point
• Wireless Station
• Access Point & Station

Access Point
Selecting Access Point for the Radio Role configures the SonicWall wireless security appliance as an Internet/network gateway for wireless clients as shown in the following figure:
Topics:
• Wireless Settings
• Wireless Virtual Access Point

Wireless Settings
IMPORTANT: When setting up the wireless appliance as an access point, you are responsible for complying with all laws prescribed by the governing regulatory domain and/or locale regarding radio operations.

1. Navigate to DEVICE | Internal Wireless > Settings.
2. Select Radio Role as Access Point from the drop-down menu.
3. Enable WLAN Radio to provide clean wireless access to your mobile users. The WLAN radio is disabled by default.
4. Set the time that WLAN radio is active from the Schedule drop-down menu. The Schedule list displays the schedule objects you create and manage on the OBJECT | Match Objects > Schedules page. The default value is Always on.
5. Select the Country Code in which the appliance is being used. The country code determines which regulatory domain the radio operation falls under.
6. Select your preferred Radio Mode from the drop-down menu. The wireless security appliance supports the following modes:
   TIP: For optimal throughput speed solely for 802.11n clients, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/g/b Mixed radio mode for multiple wireless client authentication compatibility.
   • 802.11n/a/ac Mixed - Select this mode if 802.11a, 802.11ac, and 802.11n clients access your wireless network.
   • 802.11ac Only - Select this mode if only 802.11ac clients access your wireless network.

Radio Mode | Definition
2.4GHz 802.11n/g/b Mixed | Supports 802.11b, 802.11g, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
2.4GHz 802.11n Only | Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
2.4GHz 802.11g/b Mixed | Supports 802.11g and 802.11b clients simultaneously. If your wireless network comprises both types of clients, select this mode.
2.4GHz 802.11g Only | If your wireless network consists only of 802.11g clients, select this mode for increased 802.11g performance. You might also select this mode if you wish to prevent 802.11b clients from associating.
5GHz 802.11n/a Mixed | Select this mode if 802.11a and 802.11n clients access your wireless network.
5GHz 802.11n Only | Select this mode if only 802.11n clients access your wireless network.
5GHz 802.11a Only | Select this mode if only 802.11a clients access your wireless network.
5GHz 802.11n/a/ac Mixed | Select this mode if 802.11a, 802.11n, and 802.11ac clients access your wireless network.
5GHz 802.11ac Only | Select this mode if you want to provide improved throughput.

The remaining options in the Wireless Settings section might change, depending on which Radio Mode you selected.

Topics:
• 802.11n Wireless Settings
• 802.11a/b/g Wireless Settings
• 802.11ac Wireless Settings

802.11n Wireless Settings

When the Radio Mode field is configured for a mode that supports 802.11n only or a mixed mode that includes 802.11n, set the following options:
NOTE: The options you see could vary slightly, depending on the type of appliance being configured.

Radio Band | Sets the band for the 802.11n radio.
Auto | Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
Standard - 20 MHz Channel | Specifies that the 802.11n radio uses only the standard 20 MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed.
Standard Channel | Is set to Auto, by default, which allows the appliance to set the optimal channel based on signal strength and integrity. You can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help the appliance avoid interference with other wireless networks in the area.
Wide - 40 MHz Channel | Specifies that the 802.11n radio uses only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are displayed.
Primary Channel | Set to Auto by default, or you can specify a specific primary channel.
Secondary Channel | The configuration of this drop-down menu is controlled by your selection for the primary channel:
    • If the primary channel is set to Auto, the secondary channel is also set to Auto.
    • If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
Enable Short Guard Interval | Enable this to have a higher Tx/Rx rate if supported. It applies only to 802.11ac/n mode.
Enable Aggregation | Enables 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput. It applies only to 802.11ac/n mode.
Enable WDS AP | Allows the WDS client to connect to this access point.
SSID | Is filled with a default value of sonicwall- plus the last four characters of BSSID; for example, sonicwall-C587. The SSID can be changed to any alphanumeric value with a maximum of 32 characters.


TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, and so on), these options could introduce transmission errors that eliminate any efficiency gains in throughput.

802.11a/b/g Wireless Settings

When the Radio Mode field is configured for a mode that supports 802.11a only, 802.11g/b mixed, or 802.11g only, the following options display:

Channel | Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. You can select a single channel within the range of your regulatory domain.
Enable WDS AP | Allows the WDS client to connect to this access point.
SSID | Is filled with a default value of sonicwall- plus the last four characters of BSSID; for example, sonicwall-C587. The SSID can be changed to any alphanumeric value with a maximum of 32 characters.

802.11ac Wireless Settings
When the wireless radio is configured for 802.11ac only, these options display:
• Radio Band drop-down menu - Sets the band for the 802.11ac radio, which also allows support for the Wide - 80 MHz Channel band.
• Channel drop-down menu - Select a channel:
    • Auto - Allows the wireless security appliance to automatically detect and set the optimal channel for wireless operation based upon signal strength and integrity. Auto is the default channel setting, and it displays the selected channel of operation to the right. Alternatively, an operating channel within the range of your regulatory domain can be explicitly defined.
    • Specific channel.

Wireless Virtual Access Point
If using wireless virtual access points, select a Virtual Access Point Group from the drop-down menu in the Wireless Virtual Access Point section or you can select a VAP group previously defined.
When done with all Access Point settings, click Accept to save the settings.


Wireless Station
The wireless appliance provides Internet/network access to another SonicWall wireless device or access point. Selecting Wireless Station as the Radio Role allows secure network communications between physically separate locations, without the need for long and costly Ethernet cabling runs.
NOTE: The appliance cannot be used as a Wireless Station if a wireless virtual access point is in use.
Topics:
• Wireless Settings
• Advanced Radio Settings

Wireless Settings
To configure wireless settings:
1. Navigate to DEVICE | Internal Wireless > Settings.
2. Select Radio Role as Wireless Station from the drop-down menu.
3. Enable Wireless Interface as WAN to use the wireless interface as WAN. The default value is not enabled.
4. Enable WLAN Radio to provide clean wireless access to your mobile users. The WLAN radio is disabled by default. In Wireless Station mode, after the radio is enabled, it acts as a client instead of an access point and does not provide wireless access to the client.
5. Select the following options:

SSID | Is filled with a default value of sonicwall- plus the last four characters of BSSID; for example, sonicwall-C587. The SSID can be changed to any alphanumeric value with a maximum of 32 characters.
Enable WDS | Enable this option to send the packets between AP and station with 4 addresses. If this option is not enabled, the packets between AP and station are sent with 3 addresses, which is the same as a normal station's behavior.
Enable Short Guard Interval | Enable this to have a higher Tx/Rx rate if supported. It applies only to 802.11ac/n mode.
Enable Aggregation | Enables 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput. It applies only to 802.11ac/n mode.
Enable Wireless Client Connectivity Check and Auto Reconnect | Periodically checks the wireless client connectivity by pinging a user-defined IP address. In case of lost connection, performs an auto-reconnection.
Target remote IP to ping | If you enabled the connectivity check previously, enter a remote IP address to ping.
    IMPORTANT: Make sure the specified IP address is pingable.

Advanced Radio Settings
To set the Advanced Radio Settings:
1. Set the Antenna Diversity. The default value is Best.
2. Select the Transmit Power from the drop-down menu:
   • Full Power sends the strongest signal on the WLAN. For example, select Full Power if the signal is going from building-to-building.
   • Half (-3 dB) is recommended for office-to-office within a building.
   • Quarter (-6 dB) is recommended for short distance communications.
   • Eighth (-9 dB) is recommended for shorter distance communications.
   • Minimum is recommended for very short distance communications.
3. Specify the Fragmentation Threshold (bytes). The minimum value can be 256 and the maximum is 2346. The default is set to the maximum.
4. Set the RTS Threshold (bytes). The minimum is 1 and the maximum is 2346, which is also the default.
5. Click Accept to save the settings.

NOTE: You can click Restore Default Settings to return to the factory default settings.

Access Point & Station
When two or more hosts have to be connected with one another over the 802.11 protocol, and the distance is too long for a direct connection to be established, a wireless repeater is used to bridge the gap. SonicWall wireless security appliances have access point and bridge mode. While in Access Point & Station mode, one virtual access point is created as a station and can connect to another access point. Other virtual access points work as normal access points. That is to say, the unit configured as an Access Point & Station works in repeater mode. In this mode, you can also set the virtual interface that the station virtual access point uses as a WAN interface.
Topics:
• Wireless Settings
• Wireless Virtual Access Point
• Station Setting

Wireless Settings
IMPORTANT: When setting up the wireless appliance as an access point and station, you are responsible for complying with all laws prescribed by the governing regulatory domain and/or locale regarding radio operations.

To configure wireless settings:
1. Navigate to DEVICE | Internal Wireless > Settings.
2. Select Radio Role as Access Point & Station from the drop-down menu.
3. Enable WLAN Radio to provide clean wireless access to your mobile users. The WLAN radio is disabled by default.
4. Set the time that WLAN radio is active from the Schedule drop-down menu. The Schedule list displays the schedule objects you create and manage on the OBJECT | Match Objects > Schedules page. The default value is Always on.
5. Select the Country Code in which the appliance is being used. The country code determines which regulatory domain the radio operation falls under.
6. Select your preferred Radio Mode from the drop-down menu.
7. Enable WDS AP to allow the WDS client to connect to this device as an access point.
8. Validate that the SSID field is filled in correctly. It is given a default value of sonicwall- plus the last four characters of the BSSID; for example, sonicwall-C587. The SSID can be changed to any alphanumeric value with a maximum of 32 characters.
9. Click Accept to save the settings.

Wireless Virtual Access Point
If using wireless virtual access points, select a Virtual Access Point Group from the drop-down menu in the Wireless Virtual Access Point section or you can select a VAP group previously defined.

Station Setting
To configure the station settings:
1. Navigate to DEVICE | Internal Wireless > Settings.
2. In the Radio Role field, select Access Point & Station from the drop-down menu.
3. Scroll down to the STATION SETTING section.
4. Toggle Enable Station Mode to enable it.
5. Enter the AP SSID in the field provided. This is the access point name that users will see when connecting.
6. Select the AP Authentication Type from the drop-down menu. Choose from:
   • OPEN
   • WPA2-AUTO-PSK
   • WPA3-PSK
7. If a WPA authentication type is selected, type in a Pre-Shared Key.
8. Select a VLAN ID from the drop-down menu. To appear in the list, the VLAN ID must already have been created. The VLAN allows the internal wireless radio to identify which traffic belongs to this subnet. You can create VLAN interfaces in the NETWORK | System > Interfaces page by clicking Add Interface at the top of the Interface Settings screen.
9. Toggle Use Wireless Interface as WAN to enable access outside your local network. This option changes the wireless interface to a WAN zone interface that can provide WAN access.
10. Click Accept to save the settings.

4

Security

On the DEVICE | Internal Wireless > Security page, you configure the authentication and encryption settings for your wireless appliances. Different options are shown depending on the type of authentication you select.
Topics:
• About Authentication
• Configuring the WEP Settings
• Configuring WPA3/WPA2/WPA PSK Settings
• Configuring WPA3/WPA2/WPA EAP Settings

About Authentication

The authentication types are described in the following table:

AUTHENTICATION TYPES

Type: WEP (Wired Equivalent Protocol)
Features and use:
• Protects data over wireless networks
• Provides no protection past the SonicWall appliance
• Provides minimum protection for transmitted data
• Uses a static key for encryption
• Useful for older legacy devices, PDAs, wireless printers
• Not recommended for deployments needing a high degree of security

Type: WPA (Wi-Fi Protected Access)
Features and use:
• Good security (uses TKIP)
• For use with trusted corporate wireless clients
• Transparent authentication with Windows log-in
• No client software needed in most cases
• Requires a separate authentication protocol, such as RADIUS to authenticate the users
• Uses a dynamic key
NOTE: This option is only visible when it has been enabled on the diagnostics page.

Type: WPA2 (Wi-Fi Protected Access, v2)
Features and use:
• Best security (uses AES)
• For use with trusted corporate wireless clients
• Transparent authentication with Windows log-in
• Client software install might be necessary in some cases
• Supports 802.11i WPA/WPA2 EAP authentication mode
• No backend authentication needed after first log-in (allows for faster roaming)
• Supports two protocols for storing and generating keys: PSK (Pre-Shared Key) and EAP (Extensible Authentication Protocol)
NOTE: EAP support is only available in Access Point Mode (selected on the DEVICE | Internal Wireless > Settings page). EAP support is not available in Bridge Mode.

Type: WPA2-AUTO
Features and use:
• Tries to connect using WPA2 security
• If the client is not WPA2 capable, the connection defaults to WPA

Type: WPA3
Features and use:
• WPA3 is a WFA security standard for personal and enterprise networks
• It improves Wi-Fi security by using modern security algorithms and stronger cipher suites.
• Supports the following protocols for storing and generating keys: PSK (Pre-Shared Key), EAP (Extensible Authentication Protocol), and OWE (opportunistic wireless encryption)

Type: WPA3/WPA2
Features and use:
• Tries to connect using WPA3 security
• If the client is not WPA3 capable, the connection defaults to WPA2

Type: WPA3-EAP-192B
Features and use:
• The 192-bit security mode offered by WPA3-Enterprise ensures the right combination of cryptographic tools are used and sets a consistent baseline of security within a WPA3 network.
• Uses extensible authentication protocol.

Configuring the WEP Settings
The options shown in the image below can be set when one of the WEP options is selected for the Authentication Type.

To configure the wireless appliance for WEP authentication:
1. Navigate to the DEVICE | Internal Wireless > Security page.
2. Select the appropriate authentication type from the Authentication Type drop-down menu.
   • WEP - Both (Open System & Shared Key) (default): The Default Key assignments are not important as long as the identical keys are used in each field.
   • Open: In open-system authentication, the firewall allows the wireless client access without verifying its identity. All Web Encryptions Settings are grayed out and cannot be selected.
   • WEP - Shared key: Uses WEP and requires a shared key to be distributed to wireless clients before authentication is allowed. If Shared Key is selected, then the Default Key assignment is important.
3. From the Default Key drop-down menu, select which key is the default key: Key 1, Key 2, Key 3, or Key 4.
4. From the Key Entry options, select whether your keys are Alphanumeric or Hexadecimal (0-9, A-F).

5. Enter up to four keys in the designated fields. For each key, select whether it is 64 bit, 128 bit, or 152 bit. The higher the bit number, the more secure the key is. Refer to the following table to see how many characters each type of key requires.

KEY TYPES

Key Type        Alphanumeric    Hexadecimal (0-9, A-F)
WEP - 64-bit    5 characters    10 characters
WEP - 128-bit   13 characters   26 characters
WEP - 152-bit   16 characters   32 characters

6. Click Accept.

Configuring WPA3/WPA2/WPA PSK Settings
The settings shown in the image below can be defined when one of the WPA PSK options is selected for the Authentication Type.

To configure the wireless appliance for WPA authentication with a preset shared key:
1. Navigate to the DEVICE | Internal Wireless > Security page.
2. Select the appropriate authentication type from the Authentication Type drop-down menu.
   • WPA2 - PSK: Connects using WPA2 and a preset authentication key.
   • WPA2 - Auto - PSK: Automatically tries to connect using WPA2 and a preset authentication key, but falls back to WPA if the client is not WPA2-capable.
   • WPA3 - PSK: Connects using WPA3 and a preset authentication key.
   • WPA3/WPA2 - PSK: Automatically tries to connect using WPA3 and a preset authentication key, but falls back to WPA2 if the client is not WPA3-capable.
3. Select the EAPOL Version setting from the drop-down menu:
   • V2 (default)--Selects version 2. This provides better security than version 1, but might not be supported by some wireless clients.
   • V1--Selects version 1 of the protocol.

4. In the WPA3/WPA2/WPA Settings section, specify these settings:
   • Cipher Type--Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis, but it is less secure and has lower throughput. AES and AUTO are also Cipher type options.
   • Group Key Update--Specifies when the SonicWall security appliance updates the key. Select By Timeout to generate a new group key after an interval specified in seconds; this is the default. Select Disabled when using a static key.
   • Interval--If you selected By Timeout in the Group Key Update field, enter the number of seconds before WPA automatically generates a new group key. The default is 86400 seconds. If you selected Disabled for Group Key Update, this option is not displayed.
5. In the Passphrase field, enter the passphrase from which the key is generated.
6. Click Accept to save and apply your settings.
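How a WPA/WPA2 pre-shared key is generated from the passphrase, shown as an added example that is not part of the SonicWall guide: the WPA and WPA2 PSK modes derive a 256-bit key with PBKDF2-HMAC-SHA1, using the SSID as the salt, so the key depends on both the passphrase and the SSID. WPA3-PSK uses SAE instead and is not covered; the function names and the sample passphrase and SSIDs are constructed for illustration.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2 passphrase-to-PSK mapping
PSK_LENGTH = 32            # 256-bit pre-shared key


def check_passphrase(passphrase: str) -> bytes:
    """Enforce the 802.11 passphrase rules: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase.encode("ascii")


def check_ssid(ssid: str) -> bytes:
    """An SSID is 1 to 32 bytes; the guide also caps it at 32 characters."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return raw


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit WPA/WPA2 pre-shared key for this passphrase and SSID."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        check_passphrase(passphrase),
        check_ssid(ssid),          # the SSID is the salt
        PBKDF2_ITERATIONS,
        PSK_LENGTH,
    )


def keys_by_ssid(passphrase: str, ssids) -> dict:
    """Derive the key for the same passphrase under several SSIDs (hex strings)."""
    return {ssid: derive_psk(passphrase, ssid).hex() for ssid in ssids}


if __name__ == "__main__":
    # Constructed sample values: a default-style SSID and a renamed one.
    sample = keys_by_ssid("constructed-passphrase-01",
                          ["sonicwallC587", "branch-office"])
    for ssid, key in sample.items():
        print(f"{ssid:15s} {key}")
```

Changing the SSID changes the derived key even when the passphrase stays the same, which is why every client must be given both values exactly as configured.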
Configuring WPA3/WPA2/WPA EAP Settings
The settings shown in the image below can be defined when one of the WPA EAP options is selected for the Authentication Type.

To configure the wireless appliance for WPA authentication:
1. Navigate to the DEVICE | Internal Wireless > Security page.
2. Select the appropriate authentication type from the Authentication Type drop-down menu.
   • WPA2 - EAP: Connects using WPA2 and an extensible authentication protocol.
   • WPA2 - Auto - EAP: Automatically tries to connect using WPA2 and an extensible authentication protocol, but falls back to WPA if the client is not WPA2-capable.
   • WPA3 - EAP: Connects using WPA3 and an extensible authentication protocol.
   • WPA3/WPA2 - EAP: Automatically tries to connect using WPA3 and a preset authentication key, but falls back to WPA2 if the client is not WPA3-capable.

   NOTE: EAP support is available when the Radio Role includes Access Point mode, but not when Radio Role is set to Wireless Station alone.
3. Select the EAPOL Version setting from the drop-down menu:
   • V1--Selects the extensible authentication protocol over LAN version 1.
   • V2--Selects the extensible authentication protocol over LAN version 2. This provides better security than version 1, but might not be supported by some wireless clients.
4. In the WPA3/WPA2/WPA Settings section, specify these settings:
   • Cipher Type--Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis, but it is less secure and has lower throughput. AES and AUTO are also Cipher type options.
   • Group Key Update--Specifies when the SonicWall security appliance updates the key. Select By Timeout to generate a new group key after an interval specified in seconds; this is the default. Select Disabled when using a static key.
   • Interval--If you selected By Timeout in the Group Key Update field, enter the number of seconds before WPA automatically generates a new group key. The default is 86400 seconds. If you selected Disabled for Group Key Update, this option is not displayed.
5. In the Extensible Authentication Protocol Settings (EAP) section, specify these settings:
   • Radius Server Retries--Enter the number of authentication retries the server attempts. The default is 4.
   • Retry Interval (seconds)--Enter the delay the server is to wait between retries. The default is 0 (no delay).
   • Radius Server 1 IP and Port--Enter the IP address and port number for your primary RADIUS server.
   • Radius Server 1 Secret--Enter the password for access to the primary RADIUS server.
   • Radius Server 2 IP and Port--Enter the IP address and port number for your secondary RADIUS server, if you have one.
   • Radius Server 2 Secret--Enter the password for access to the secondary RADIUS server.
6. Click Accept to apply your WPA3/WPA2 EAP settings.
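The security-relevant choices in the PSK and EAP procedures above, collected into a small audit function as an added example (not SonicWall code and not a SonicOS API). The dictionary keys, the severity labels and the two sample configurations are assumptions made for illustration; each message restates what this guide says about the option.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (labels chosen for this example)
    setting: str    # hypothetical key name mirroring the UI field
    message: str


def _norm(value) -> str:
    """Compare UI labels such as 'WPA2 - Auto - PSK' without spacing or case."""
    return str(value or "").upper().replace(" ", "")


def audit_wireless_security(cfg: dict) -> list[Finding]:
    """Flag the settings this guide itself describes as the weaker choice."""
    findings: list[Finding] = []

    def add(severity: str, setting: str, message: str) -> None:
        findings.append(Finding(severity, setting, message))

    auth = _norm(cfg.get("authentication_type"))
    if auth == "OPEN":
        add("high", "authentication_type",
            "Open: clients are admitted without identity verification")
    elif auth.startswith("WEP"):
        add("high", "authentication_type",
            "WEP: static key, minimum protection for transmitted data")
    elif auth.startswith("WPA"):
        if "AUTO" in auth:
            add("medium", "authentication_type",
                "falls back to WPA when the client is not WPA2-capable")
        elif auth.startswith("WPA3/WPA2"):
            add("info", "authentication_type",
                "falls back to WPA2 when the client is not WPA3-capable")
        if _norm(cfg.get("cipher_type")) == "TKIP":
            add("medium", "cipher_type",
                "TKIP is less secure and has lower throughput; AES is available")
        if _norm(cfg.get("eapol_version")) == "V1":
            add("medium", "eapol_version",
                "EAPOL V2 provides better security than V1")
        if _norm(cfg.get("group_key_update")) == "DISABLED":
            add("medium", "group_key_update",
                "group key is static; By Timeout generates a new key periodically")
        if "EAP" in auth and _norm(cfg.get("radio_role")) == "WIRELESSSTATION":
            add("high", "radio_role",
                "EAP is not available when Radio Role is Wireless Station alone")
    else:
        add("info", "authentication_type",
            f"unrecognised value {cfg.get('authentication_type')!r}")
    return findings


# Constructed sample configurations (not exported from a real appliance).
WEAK = {
    "authentication_type": "WPA2 - Auto - PSK",
    "cipher_type": "TKIP",
    "eapol_version": "V1",
    "group_key_update": "Disabled",
}
HARDENED = {
    "authentication_type": "WPA3 - PSK",
    "cipher_type": "AES",
    "eapol_version": "V2",
    "group_key_update": "By Timeout",
    "interval": 86400,
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name)
        for f in audit_wireless_security(cfg) or ["  no findings"]:
            print(" ", f)
```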

5
Advanced
On the DEVICE | Internal Wireless > Advanced page, you can customize a range of features for your wireless appliance. This page is only accessible when the firewall is acting as an access point.
Topics:
• Beaconing and SSID Controls
• Green Access Point
• Advanced Radio Settings
• Configurable Antenna Diversity

Beaconing and SSID Controls
To configure the Beaconing and SSID Controls:
1. Navigate to the DEVICE | Internal Wireless > Advanced page.
2. Toggle the Hide SSID in Beacon option, which suppresses broadcasting of the SSID name and disables responses to probe requests. Enabling this option helps prevent your wireless SSID from being seen by unauthorized wireless clients. This setting is disabled by default.
3. Type a value, in milliseconds, for the Beacon Interval. Decreasing the interval time makes passive scanning more reliable and faster because Beacon frames announce the network to the wireless connection more frequently. The default interval is 200 milliseconds.
4. Click Accept to apply your changes. Click Restore Default Settings to return to the default settings.
Green Access Point
A green access point uses power efficiently to reduce wasteful energy consumption and help protect the environment.
To configure power efficiency:
1. To increase power efficiency, toggle the Enable Green AP option on the DEVICE | Internal Wireless > Advanced page. This setting is disabled by default.
2. In the Green AP Timeout(s) field, enter the number of seconds to wait after no clients are associated before entering power saving mode. The range is 20 to 65535. The default is 20 seconds.
3. Click Accept to apply your changes. Click Restore Default Settings to return to the default settings.

Advanced Radio Settings
To configure advanced radio settings:
1. Toggle the Enable Short Slot Time option on the DEVICE | Internal Wireless > Advanced page to increase performance if you do not expect 802.11b traffic. 802.11b is not compatible with a short slot time. This setting is disabled by default.
2. From the Antenna Rx Diversity drop-down menu, select which antenna the wireless security appliance uses to send and receive data. For more information about antenna diversity, refer to Configurable Antenna Diversity. The default is Best.
3. From the Transmit Power drop-down menu, select:
   • Full Power to send the strongest signal on the WLAN. For example, select Full Power if the signal is going from building-to-building.
   • Half (-3 dB) is recommended for office-to-office within a building.
   • Quarter (-6 dB) is recommended for shorter distance communications.
   • Eighth (-9 dB) is recommended for shorter distance communications.
   • Minimum is recommended for very short distance communications.
4. From the Preamble Length drop-down menu, select Short or Long. Short is recommended for efficiency and improved throughput on the wireless network, but is not supported by 802.11b. The default is Long.
5. Specify the Fragmentation Threshold (bytes). The minimum is 256; the maximum is 2346, and the default is 2346. You can fragment wireless frames to increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold numbers produce more fragments. Increasing the value means that frames are delivered with less overhead, but a lost or damaged frame must be discarded and retransmitted.

6. Specify the request-to-send (RTS) threshold in the RTS Threshold (bytes) field. The minimum is 1, the maximum is 2347, and the default is 2346. This field sets the threshold for a packet size (in bytes) at which an RTS is sent before packet transmission. Sending an RTS ensures that wireless collisions do not take place in situations where clients are in range of the same access point, but might not be in range of each other. If network throughput is slow or a large number of frame retransmissions is occurring, decrease the RTS threshold to enable RTS clearing.
7. Specify the DTIM (Delivery of Traffic Indication Message) interval in the DTIM Interval field. The minimum is 1, the maximum is 256, and the default is 1. For 802.11 power-save mode clients of incoming multicast packets, the DTIM interval specifies the number of beacon frames to wait before sending a DTIM. Increasing the DTIM Interval value allows you to conserve power more effectively.
8. Enter the number of seconds for client association in the Association Timeout (seconds) field. The default is 300 seconds, and the allowed range is from 60 to 36000 seconds. If your network is very busy, you can increase the timeout by increasing the number of seconds in this field.
9. Enter the Maximum Client Associations for each access point using this profile. The minimum value is 1; the maximum is 128, and the default is 128. This setting limits the number of stations that can connect wirelessly at one time.
10. From the Data Rate drop-down menu, select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate from the options that range from 1 Mbps to 54 Mbps.
11. From the Protection Mode drop-down menu, select the protection mode: None, Always, or Auto. Protection can decrease collisions, particularly where you have two overlapping access points. However, it can slow down performance. Auto is probably the best setting, as it engages only in the case of overlapping access points.
12. Choose the Protection Rate from the drop-down menu: 1 Mbps, 2 Mbps, 5 Mbps, or 11 Mbps. The protection rate determines the data rate when protection mode is on. The slowest rate offers the greatest degree of protection, but also the slowest data transmission rate.
13. From the Protection Type drop-down menu, select the type of handshake used to establish a wireless connection: CTS-only (default) or RTS-CTS. NOTE: 802.11b traffic is only compatible with CTS.
14. Click Accept to apply your changes. Click Restore Default Settings to return to the default settings.

Configurable Antenna Diversity
The wireless SonicWall security appliances employ dual 5 dBi antennas running in diversity mode. The default implementation of diversity mode means that one antenna acts as a transmitting antenna, and both antennas act as potential receiving antennas. As radio signals arrive at both antennas on the secure wireless appliance, the strength and integrity of the signals are evaluated, and the best received signal is used. The selection process between the two antennas is constant during operation to always provide the best possible signal. To allow for external (higher gain uni-directional) antennas to be used, antenna diversity can be disabled. The Antenna Rx Diversity setting determines which antenna the wireless security appliance uses to send and receive data. Best is the default setting, and is currently the only option on SonicWall TZ270W, TZ370W, TZ470W and TZ570W. When Best is selected, the wireless security appliance automatically selects the antenna with the strongest, clearest signal.

6
MAC Filter List
Wireless networking provides native MAC filtering capabilities that prevent wireless clients from authenticating and associating with the wireless security appliance. If you enforce MAC filtering on the WLAN, wireless clients must provide you with the MAC address of their wireless networking card. The SonicOS wireless MAC Filter List allows you to configure a list of clients that are allowed or denied access to your wireless network. Without MAC filtering, any wireless client can join your wireless network if they know the SSID and other security parameters, thus allowing them to break into your wireless network.
Topics:
• Deployment Considerations
• Configuring MAC Filter List
Deployment Considerations
Consider the following when deploying the MAC Filter List:
• The MAC Filter List can be enabled on the DEVICE | Internal Wireless > MAC Filter List page if a virtual access point (VAP) group is not configured. If a VAP group is configured, the MAC Filter function needs to be enabled on the VAP object.
• The virtual access point can configure its MAC Filter List or inherit global settings configured on the DEVICE | Internal Wireless > MAC Filter List page.

Configuring MAC Filter List
To configure the MAC Filter List:
1. Navigate to the DEVICE | Internal Wireless > MAC Filter List page.
2. Click Enable MAC Filter List. This setting is disabled by default.
3. From the Allow List drop-down menu, select the address group you want to allow: All MAC Addresses (default), Default ACL Allow Group, or a group you created.
4. From the Deny List drop-down menu, select the address group you want to deny: No MAC Addresses (default), Default ACL Deny Group, or a group you created.
5. If you want to add new address objects to the allow and deny lists, select Create New MAC Address Object Group... from either the Allow List or Deny List drop-down menu.
   a. In the Name: text field, enter a name for the new group.
   b. In the left column, select the group(s) or individual address object(s) you want to allow or deny. You can use Ctrl+click to select more than one item at a time.
   c. Click the Right Arrow to add the items to the group.
   d. Click Save. The address displays in the drop-down menu for selection.
6. Click Accept.

7
IDS - Wireless Intrusion Detection Service
Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWall wireless security appliances. They enable recognition of, and countermeasures against, Rogue Access Points. This is the most common type of illicit wireless activity.
Access Point IDS
When the Radio Role of the wireless security appliance is set to Access Point mode, Rogue Access Point detection, by default, acts in a passive mode (passively listening to other Access Point Beacon frames only on the selected channel of operation). A Scan momentarily changes the Radio Role to allow the wireless security appliance to perform an active scan, and might cause a brief loss of connectivity for associated wireless clients. While in Access Point mode, the Scan function should only be scheduled when no clients are actively associated, or if the possibility of client interruption is acceptable.
Rogue Access Points
Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points. The real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. While this doesn't represent a deficiency in the security of a specific wireless device, it is a weakness to the overall security of wireless networks. The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It does this in two ways: active scanning for access points on all 2.4GHz and 5GHz channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation.

See also:
• Configuring IDS Settings
• Discovered Access Points
Configuring IDS Settings
To schedule when to run an IDS scan, choose an option from the Schedule IDS Scan drop-down menu:
• Disabled - This is the default. IDS scans do not take place when Disabled is selected.
• Create New Schedule - The Add Schedule dialog displays and you can create a custom schedule as described later in this section.
• Work Hours
   • M-T-W-TH-F 08:00 to 17:00
• After Hours
   • SU-SA 00:00 to 24:00
   • M-T-W-TH-F 17:00 to 24:00
   • M-T-W-TH-F 00:00 to 08:00
• Weekend Hours
• AppFlow Report Hours
   • SU-M-T-W-TH-F-SA 00:00 to 24:00
• App Visualization Report Hours
• TSR Report Hours
   • SU-M-T-W-TH-F-SA 00:00 to 00:01
• Cloud Backup Hours
   • SU-M-T-W-TH-F-SA 02:00 to 03:00
• Guest Cycle Quota Update
   • SU-M-T-W-TH-F-SA 00:00 to 00:15
To create a new schedule:
1. In the Schedule IDS Scan field, select Create New Schedule.
2. Type a descriptive name into the Schedule Name field.
3. Select Once, Recurring, or Mixed for the Schedule Type:
   • With Once, you schedule a one-time event and only Start Time and End Time fields are active.
      • In the Once section, use the drop-down menus to schedule the start and end times for your IDS scan.
   • With Recurring, the display changes to show the fields needed to schedule a recurring event.
      • Under Select Day, choose the Day(s) for your scan. You can also enable Select All.
      • Enter a Start Time, using 24-hour format.
      • Enter a Stop Time, using 24-hour format.
      • Click Add to add those parameters to the Schedule List.
      • To delete an item from the list, click the Delete this Schedule button on the item's row. Click the Delete All button at the top to clear the Schedule List.
   • With Mixed, you schedule a mixed event and all fields for Once and Recurring are active.
4. Click Save to add this schedule to the Schedule IDS Scan drop-down list.

Discovered Access Points

Active scanning occurs when the wireless security appliance starts up and any time Scan is clicked at the top of the table on the DEVICE | Internal Wireless > IDS > Discovered Access Points screen. The appliance scans the environment and identifies other wireless devices in the vicinity. The Note above the table displays the number of Access Points found and the time, in days, hours, minutes, and seconds, since the last scan.
To refresh the entries in the Discovered Access Points table, click Refresh. To do an immediate scan, click Scan.
IMPORTANT: The Scan feature causes a brief disruption in service when operating in Access Point Mode. This interruption manifests itself as follows:
• Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
• Persistent connections (protocols such as FTP) are impaired or severed.
If this is a concern, wait to use Scan at a time when no clients are active or until the potential for disruption becomes acceptable.
The table on the Discovered Access Points page displays information on every access point (including wireless TZ appliances) that can be detected by the wireless security appliance:

Field                 Description
MAC Address (BSSID)   The MAC address of the radio interface of the detected access point.
SSID                  The radio SSID of the access point.
Channel               The radio channel used by the access point.
Authentication        The type of authentication.
Cipher                The cipher used.
Vendor                The manufacturer of the access point.
Signal Strength       The strength of the detected radio signal.
Max Rate              The fastest allowable data rate for the access point radio.
Authorize             Click the edit icon in the Authorize column to add the access point to the address object group of authorized access points.

Authorizing Access Points on Your Network
Access Points detected by the wireless security appliance are regarded as rogues until they are identified to the wireless security appliance as authorized for operation. To authorize an access point, click the Authorize icon.
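One way to triage the Discovered Access Points table against your own list of authorized access points, as an added example (not SonicWall code). The CSV layout, the dBm signal unit, the -65 dBm threshold and every address and SSID below are constructed assumptions; the guide does not describe an export format.

```python
import csv
import io
import re

# Constructed sample scan; columns mirror the Discovered Access Points fields.
SCAN_CSV = """bssid,ssid,channel,authentication,cipher,vendor,signal_dbm
00:17:C5:AA:C5:87,corp-wifi,6,WPA2-PSK,AES,SonicWall,-41
02-1a-11-f0-0d-01,corp-wifi,6,Open,None,Unknown,-48
021A.11F0.0D02,printer-setup,11,Open,None,Unknown,-55
02:1A:11:F0:0D:03,cafe-next-door,1,WPA2-PSK,AES,Unknown,-82
"""

# Lower number = review first.
PRIORITY = {
    "rogue: uses our SSID": 0,
    "rogue: strong signal": 1,
    "rogue: unreviewed": 2,
    "authorized": 3,
}


def normalize_bssid(raw: str) -> str:
    """Accept colon, dash or dotted notation and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[:.\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def triage(scan_csv: str, authorized_bssids, own_ssids, near_dbm: int = -65):
    """Return (bssid, ssid, verdict) tuples, most urgent first.

    Every access point that is not on the authorized list is treated as a
    rogue, as the guide describes; the sub-labels only order the review.
    """
    authorized = {normalize_bssid(b) for b in authorized_bssids}
    own = set(own_ssids)
    results = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = normalize_bssid(row["bssid"])
        if bssid in authorized:
            verdict = "authorized"
        elif row["ssid"] in own:
            # Same network name from a radio nobody authorized.
            verdict = "rogue: uses our SSID"
        elif int(row["signal_dbm"]) >= near_dbm:
            # Strong signal suggests the device is on or near the premises.
            verdict = "rogue: strong signal"
        else:
            verdict = "rogue: unreviewed"
        results.append((bssid, row["ssid"], verdict))
    results.sort(key=lambda item: PRIORITY[item[2]])   # stable sort
    return results


if __name__ == "__main__":
    for bssid, ssid, verdict in triage(
        SCAN_CSV,
        authorized_bssids=["00-17-c5-aa-c5-87"],
        own_ssids=["corp-wifi"],
    ):
        print(f"{bssid}  {ssid:15s} {verdict}")
```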


8
Virtual Access Point
A Virtual Access Point (VAP) is a multiplexed representation of a single physical access point--it presents itself as multiple discrete access points. To wireless LAN clients, each virtual access point appears to be an independent physical access point, when actually only one physical access point exists. Virtual access points allow you to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point and can be grouped and enforced on a single internal wireless radio. The benefits of using a VAP include:
• Radio Channel Conservation--Prevents building overlapped infrastructures by allowing a single physical access point to be used for multiple purposes to avoid channel collision problems. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, for example, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more wireless ISPs. However, in the US and Europe, 2.4GHz networks can only support three usable (nonoverlapping) channels, and in France and Japan only one channel is available. After the channels are utilized by existing access points, additional access points interfere with each other and reduce performance. VAPs conserve channels by allowing a single network to be used for multiple purposes.
• Wireless LAN Infrastructure Optimization--Shares the same Wireless LAN infrastructure among multiple providers, rather than building an overlapping infrastructure, to lower the capital expenditure for installation and maintenance of your WLANs.
Topics:
• Wireless Virtual AP Configuration Task List
• Virtual Access Point Profiles
• Virtual Access Point Objects
• Virtual Access Point Groups
• Enabling the Virtual Access Point Group

Wireless Virtual AP Configuration Task List
A Wireless VAP deployment requires several steps to configure. The following section provides a brief overview of the steps involved:
1. Network Zone - The network zone is the backbone of your VAP configuration. Each zone you create has its own security and access control settings, and you can create and apply multiple zones to a single physical interface using wireless subnets. For more information on network zones, refer to the section OBJECT | Match Objects > Zones in SonicOS 7.0 Match Objects administration guide.
2. Wireless Interface - The W0 interface (and its WLAN subnets) represent the physical connections between your SonicWall network security appliance and the internal wireless radio. Individual zone settings are applied to these interfaces and forwarded to the wireless radio. For more information on wireless interfaces, refer to the section on NETWORK | System > Interfaces in the SonicOS 7.0 System administration guide.
3. DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as Scopes. The default ranges for DHCP scopes are often excessive for the needs of most wireless deployments, for instance, a scope of 200 addresses for an interface that only uses 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted. For more information on setting up the DHCP server, refer to the section on NETWORK | System > DHCP Server in the SonicOS 7.0 System administration guide.
4. Virtual Access Point Profiles - The VAP Profile feature allows for creation of wireless configuration profiles which can be easily applied to new wireless Virtual Access Points as needed. Refer to Virtual Access Point Profiles for more information.
5. Virtual Access Point - The VAP Objects feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings. Refer to Virtual Access Point Objects for more information.
6. Virtual Access Point Group - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to a single internal wireless radio. Refer to Virtual Access Point Groups for more information.

7. Assign VAP Group to Internal Wireless Radio - The VAP Group is applied to the internal wireless radio and made available to users through multiple SSIDs. Refer to Enabling the Virtual Access Point Group for more information.
Virtual Access Point Profiles
A Virtual Access Point Profile allows you to pre-configure and save access point settings in a profile. VAP Profiles allow settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are configured from the DEVICE | Internal Wireless > Virtual Access Point > Virtual Access Point Profiles page. Select the profile name and click the Edit icon or click Add to create a new Virtual Access Point Profile. Click Accept when done.
TIP: This feature is especially useful for quick setup in situations where multiple virtual access points share the same authentication methods.

Topics:
• Virtual Access Point Schedule Settings
• Virtual Access Point Profile Settings
• ACL Enforcement

Virtual Access Point Schedule Settings
Each Virtual Access Point can have its own schedule associated with it and by extension each profile can have a set schedule defined for it as well.
To associate a schedule with a Virtual Access Point Profile:
1. Navigate to DEVICE | Internal Wireless > Virtual Access Point > Virtual Access Point Profiles.
2. Click Add if creating a new profile, or select a Virtual Access Point Profile and click on the Edit icon if editing an existing profile.
3. In the VAP Schedule Name field, select the schedule you want from the options in the drop-down menu.

Virtual Access Point Profile Settings

To set the Virtual Access Point Profile Settings:

1. Navigate to DEVICE | Internal Wireless > Virtual Access Point > Virtual Access Point Profiles.
2. Click Add if creating a new profile, or select a Virtual Access Point Profile and click on the Edit icon if editing an existing profile.
3. In the Virtual Access Point Profile Settings group, set the Radio Type. It is set to Wireless-InternalRadio by default. Retain this default setting if using the internal radio for VAP access; it is currently the only supported radio type.
4. In the Profile Name field, type a friendly name for this Virtual Access Point profile. Choose something descriptive and easy to remember as you apply this profile to new VAPs.
5. Select the Authentication Type from the drop-down menu. Choose from these options:

Authentication Type | Definition
Open | No authentication is specified.
Shared | A shared key is used to authenticate WEP encryption settings.
Both | If no shared key is configured, it is the same as an open network. If a shared key is configured, it means open authentication with encrypted data traffic.
WPA2-PSK | Best security used with trusted corporate wireless clients. Transparent authentication with Windows login. Supports fast-roaming feature. Uses pre-shared key for authentication.
WPA2-EAP | Best security used with trusted corporate wireless clients. Transparent authentication with Windows login. Supports fast-roaming feature. Uses extensible authentication protocol.
WPA2-AUTO-PSK | Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection defaults to WPA. Uses pre-shared key for authentication.
WPA2-AUTO-EAP | Tries to connect using WPA2 security; if the client is not WPA2 capable, the connection defaults to WPA. Uses extensible authentication protocol.
WPA3-OWE | WPA3 is a WFA security standard for personal and enterprise networks. It improves Wi-Fi security by using modern security algorithms and stronger cipher suites. Uses opportunistic wireless encryption.
WPA3-PSK | WPA3 is a WFA security standard for personal and enterprise networks. It improves Wi-Fi security by using modern security algorithms and stronger cipher suites. Uses pre-shared key for authentication.
WPA3-EAP | WPA3 is a WFA security standard for personal and enterprise networks. It improves Wi-Fi security by using modern security algorithms and stronger cipher suites. Uses extensible authentication protocol.
WPA3/WPA2-PSK | Tries to connect using WPA3 security; if the client is not WPA3 capable, the connection defaults to WPA2. Uses pre-shared key for authentication.
WPA3/WPA2-EAP | Tries to connect using WPA3 security; if the client is not WPA3 capable, the connection defaults to WPA2. Uses extensible authentication protocol.
WPA3-EAP-192B | The 192-bit security mode offered by WPA3-Enterprise ensures the right combination of cryptographic tools are used and sets a consistent baseline of security within a WPA3 network. Uses extensible authentication protocol.

The Unicast Cipher field is auto-populated based on the authentication type you selected.
NOTE: Different settings appear on the page depending upon which option you select.

6. In the Maximum Clients field, type in the maximum number of concurrent client connections permissible for this virtual access point.

7. Toggle the Enable VAP WDS (Wireless Distribution System) option to enable it. By default, this option is not selected.

8. Toggle the Allow 802.11b clients to connect option to enable it. By default, this option is not selected.

Depending on the Authentication Type selected, an additional section with options is added to the Add/Edit Virtual Access Point Profile page.

• If you selected Both or Shared, refer to WEP Encryption Settings for information on the settings.
• If you selected an option requiring a pre-shared key (PSK), refer to WPA-PSK / WPA2-PSK Encryption Settings for information on the settings.
• If you selected an option using the extensible authentication protocol (EAP), refer to RADIUS Server Settings for information on the settings.


WEP Encryption Settings
If you selected Both or Shared in the Authentication Type drop-down menu during the creation of a Virtual Access Point Profile, the WEP Encryption Settings section appears. WEP settings are commonly shared by virtual access points within a common physical access point.
In the Encryption Key field, select Key 1, Key 2, Key 3 or Key 4 from the drop-down menu.

WPA-PSK / WPA2-PSK Encryption Settings

The WPA/WPA2-PSK Encryption Settings section appears when one of the following options for Authentication Type is selected in a Virtual Access Point Profile:
• WPA2-PSK
• WPA2-AUTO-PSK
• WPA3-PSK
• WPA3/WPA2-PSK

When any of these authentication types is selected, a pre-shared key is used for authentication. Fill in the values in the following fields:

Field Name | Description
Pass Phrase | Type in the shared passphrase users need to enter when connecting with PSK-based authentication.
Group Key Interval | Type in the time period for which a Group Key is valid. The default value is 86400 seconds. Setting too low of a value can cause connection issues.

RADIUS Server Settings

The RADIUS Server Settings section appears when one of the following options for Authentication Type is selected in a Virtual Access Point Profile:
• WPA2-EAP
• WPA2-AUTO-EAP
• WPA3-EAP
• WPA3/WPA2-EAP

When any of these authentication types is selected, an external 802.1x/EAP capable RADIUS server is used for key generation and authentication. Fill in the values in the following fields:

Field Name | Description
Radius Server Retries | Enter the number of times a user can try to authenticate before access is denied. The default is 4.
Retry Interval (seconds) | Enter the time period during which retries are valid. The default is 0.
Server 1 IP | Input the IP address of the primary RADIUS authentication server.
Server 1 Port | Input the port on which your primary RADIUS authentication server communicates with clients and network devices. The default port is 1812.
Server 1 Secret | Enter the secret passcode for your primary RADIUS authentication server.
Server 2 IP | Input the IP address of your backup RADIUS authentication server.
Server 2 Port | Input the port on which your backup RADIUS authentication server communicates with clients and network devices. The default port is 1812.
Server 2 Secret | Enter the secret passcode for your backup RADIUS authentication server.
Group Key Interval | Input the time period (in seconds) during which the group key is enforced. The default value is 86400.
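A profile review that applies the Authentication Type definitions and the PSK and RADIUS field descriptions above, as an added example that is not SonicWall code. The record layout, the sample profiles, and the WPA2 minimum are assumptions made for illustration; nothing here calls a SonicOS API.

```python
# Added example: review VAP profile records against the guide's Authentication Type table.
# The record layout and sample values are constructed; this is not a SonicOS export format.

# Weakest protocol each Authentication Type can end up using, per the table's definitions.
FLOOR = {
    "Open": "none", "Shared": "WEP",
    "Both": "none",  # same as an open network when no shared key is configured
    "WPA2-PSK": "WPA2", "WPA2-EAP": "WPA2",
    "WPA2-AUTO-PSK": "WPA", "WPA2-AUTO-EAP": "WPA",  # defaults to WPA for non-WPA2 clients
    "WPA3-OWE": "WPA3", "WPA3-PSK": "WPA3", "WPA3-EAP": "WPA3", "WPA3-EAP-192B": "WPA3",
    "WPA3/WPA2-PSK": "WPA2", "WPA3/WPA2-EAP": "WPA2",  # defaults to WPA2 for non-WPA3 clients
}
RANK = {"none": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}
DEFAULT_GROUP_KEY_INTERVAL = 86400  # seconds, the default stated in the guide
PSK_SECTION = "WPA-PSK / WPA2-PSK Encryption Settings"
RADIUS_SECTION = "RADIUS Server Settings"

def settings_section(auth_type):
    """Return the extra settings section the guide says appears for this type."""
    if auth_type in ("Shared", "Both"):
        return "WEP Encryption Settings"
    if auth_type.endswith("PSK"):
        return PSK_SECTION
    if "EAP" in auth_type:
        return RADIUS_SECTION
    return None  # Open and WPA3-OWE have no key or server fields

def audit(profiles, minimum="WPA2"):
    """Return (profile_name, finding) tuples; `minimum` is a local policy assumption."""
    findings = []
    for p in profiles:
        name, auth = p["profile_name"], p["authentication_type"]
        if auth not in FLOOR:
            findings.append((name, f"unknown Authentication Type {auth!r}"))
            continue
        if RANK[FLOOR[auth]] < RANK[minimum]:
            findings.append((name, f"{auth} can operate at {FLOOR[auth]}, below {minimum}"))
        section = settings_section(auth)
        if section == RADIUS_SECTION and not p.get("server_2_ip"):
            findings.append((name, "no backup RADIUS server (Server 2 IP) configured"))
        interval = p.get("group_key_interval", DEFAULT_GROUP_KEY_INTERVAL)
        if section in (PSK_SECTION, RADIUS_SECTION) and interval != DEFAULT_GROUP_KEY_INTERVAL:
            findings.append((name, f"Group Key Interval {interval} s differs from default"))
    return findings

# Constructed sample inventory (192.0.2.0/24 is a documentation address range).
SAMPLE_PROFILES = [
    {"profile_name": "Corp-EAP", "authentication_type": "WPA3/WPA2-EAP",
     "server_1_ip": "192.0.2.10", "server_2_ip": "192.0.2.11"},
    {"profile_name": "Legacy-Scanners", "authentication_type": "WPA2-AUTO-PSK",
     "group_key_interval": 600},
    {"profile_name": "Guest", "authentication_type": "Open"},
    {"profile_name": "Lab", "authentication_type": "WPA2-EAP", "server_1_ip": "192.0.2.20"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_PROFILES):
        print(f"{name}: {finding}")
```

Raising `minimum` to "WPA3" also reports the transition-mode types (WPA3/WPA2-PSK and WPA3/WPA2-EAP), since the table says they default to WPA2 for clients that are not WPA3 capable.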

ACL Enforcement
Each Virtual Access Point can support an individual Access Control List (ACL) to provide more effective authentication control. The Wireless ACL feature works in tandem with the wireless MAC Filter List currently available on SonicOS. Using the ACL Enforcement settings, users are able to enable or disable the MAC Filter List, configure the Allow List, and configure the Deny List.
Each VAP can have its own MAC Filter List settings or use the global settings. In Virtual Access Point (VAP) mode, each VAP of this group shares the same MAC Filter List settings.
To enable MAC Filter List enforcement:
1. Toggle the Enable MAC Filter List option to enable it. When the MAC filter list is enabled, the other settings are also enabled so you can set them.
2. Toggle the Use Global ACL Settings option to enable it. This associates the Virtual Access Point with the already existing MAC Filter List settings for the SonicWall network security appliance. Note that you cannot edit the Allow or Deny Lists with this option enabled.
3. In the Allow List, select an address object group from the drop-down menu. This identifies the MAC addresses of the devices allowed to access the virtual access point. Choose Create MAC Address Object Group if you want to create a new address object group containing MAC addresses of the devices that are allowed access. Refer to the SonicOS 7.0 Match Objects administration guide for information on how to create an address object group.
4. In the Deny List, select an address object group from the drop-down menu. This identifies the MAC addresses of the devices denied access to the virtual access point. Choose Create MAC Address Object Group if you want to create a new address object group containing MAC addresses of the devices that are denied access. Refer to the SonicOS 7.0 Match Objects administration guide for information on how to create an address object group.
5. Click Accept when done.


Virtual Access Point Objects
Virtual Access Point general and advanced settings are available on the DEVICE | Internal Wireless > Virtual Access Point > Virtual Access Point Objects page. You can set the SSID, VLAN ID, schedule, profile, authentication type, maximum clients and other settings when adding or editing a VAP Object.
Topics:
• VAP General Settings
• VAP Advanced Settings

VAP General Settings
To define the Virtual Access Point General settings:

1. Navigate to the DEVICE | Internal Wireless > Virtual Access Point > Virtual Access Point Objects page.
2. To edit an existing virtual access point, click the Edit icon for that access point. To create a new access point, click on Add.
3. On the General screen, in the Name field, create a friendly name for the access point.
4. In the SSID field, type in a unique name. This name is a unique identifier attached to the packet header. It is case sensitive and can be up to 32 alphanumeric characters. The SSID is seen when users look for a Wi-Fi connection.
5. Select the VLAN ID from the drop-down menu. To appear in the list, the VLAN ID must already have been created. The VLAN allows the internal wireless radio to identify which traffic belongs to this subnet. You can create VLAN interfaces in the NETWORK | System > Interfaces page by clicking Add Interface at the top of the Interface Settings screen.
6. Toggle Enable Virtual Access Point option to enable it.
7. Toggle Enable SSID Suppress option if you do not want your SSID to be seen by unauthorized wireless clients. When enabled, it suppresses the broadcasting of the SSID name and disables responses to probe requests.
8. Click Accept.

VAP Advanced Settings
The Advanced settings screen provides schedule settings, authentication and encryption settings, and other settings for this virtual access point. The options are the same as those you define for a Virtual Access Point Profile.
To define the Virtual Access Point Advanced settings:

1. Navigate to the DEVICE | Internal Wireless > Virtual Access Point > Virtual Access Point Objects page.
2. To edit an existing virtual access point, click the Edit icon for that access point. To create a new access point, click on Add.
3. Click Advanced.
4. In the Virtual Access Point Schedule Settings section, set the schedule for when this VAP is active and available.
5. In the Virtual Access Point Profile Settings section, choose a Profile Name from the drop-down menu. All the settings for that profile are auto-filled from the profile.
6. If you do not want to use a profile, leave the Profile Name set to No Profile and fill in the remaining fields as described in Virtual Access Point Profiles.
7. Click Accept.

Virtual Access Point Groups
The Virtual Access Point Groups feature allows multiple VAP objects to be grouped and simultaneously applied to your internal wireless radio. Virtual Access Point Groups are configured on the DEVICE | Internal Wireless > Virtual Access Point > Virtual Access Point Groups page.
NOTE: Multiple virtual access points need to be set up before you can create a Virtual Access Point Group. If you have only one access point, it is automatically added to the default group Internal AP Group.
To create a Virtual Access Point Group:

1. Navigate to the DEVICE | Internal Wireless > Virtual Access Point > Virtual Access Point Groups page.
2. To edit an existing virtual access point group, click the Edit icon for that group, or to add a new group click Add.
3. To add an object to the group, select the object you want to add from the Available Virtual AP Objects list and click the right arrow.
4. To delete an object from the group, select the object you want to delete from the Member of Virtual AP Group list and click the left arrow.
5. Click Accept when done.

Enabling the Virtual Access Point Group
After your virtual access points are configured and added to a VAP group, that group must be applied to the internal wireless radio and made available to the users.

To make the group available:

1. Navigate to the DEVICE | Internal Wireless > Virtual Access Point page.
2. In the Virtual Access Point Groups screen, click the triangle icon to expand the Internal AP Group or other group which you want to enable.
3. Click the Edit icon in the row for the VAP and select Enable Virtual Access Point in the Edit dialog.
4. Click Accept to update the configuration.
SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support. The Support Portal enables you to:
• View knowledge base articles and technical documentation
• View and participate in the Community forum discussions at https://community.sonicwall.com/technology-and-support.
• View video tutorials
• Access https://mysonicwall.com
• Learn about SonicWall Professional Services
• Review SonicWall Support services and warranty information
• Register for training and certification
• Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.

About This Document
SonicOS Internal Wireless Administration Guide
Updated - September 2023
Software Version - 7.0
232-005336-10 Rev D

Copyright © 2023 SonicWall Inc. All rights reserved.

The information in this document is provided in connection with SonicWall and/or its affiliates' products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall and/or its affiliates do not make any commitment to update the information contained in this document.

For more information, visit https://www.sonicwall.com/legal.
End User Product Agreement
To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/legal/end-user-product-agreements/.
Open Source Code
SonicWall Inc. is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to "SonicWall Inc.", to:
General Public License Source Code Request
Attn: Jennifer Anderson
1033 McCarthy Blvd
Milpitas, CA 95035