> I've never set up a DMZ to this day.

Yeah, I'm sure there are better gateways out there like the one you mentioned, but honestly it's been pretty stable over the last 3 years. We went through 2 gateways in two years' time before. (The exact gateway I have is a SonicWall PRO 2040 Enhanced email security.) It has 4 ports; as I'm typing this, I just checked.
Block the QUIC protocol. You can do this via SonicWall's Application Control Advanced page, or use a standard firewall rule to block UDP port 443. To block QUIC using SonicWall's Application Control: go to Security Services > Application Control (or Rules > Advanced Application Control in SonicOS 6.5 and above).
And the ports can be classified. There is DMZ in the picklist, in fact. As of now X0 = LAN (to switch), X1 = Comcast, X2 = DSL, X3 = nothing. So we have a block of external IPs to work with now (5 of them). I'm not sure I follow best practices. I mean, the way it sounds from your suggestion is this: WAN - SonicWall X3 - another assignment as public IP? - to a NIC on a host machine, where that NIC will be the 'public' NIC?

The X3 port can be: Transparent, Layer 2 Bridge, Static. For Transparent, it lists these options: Transparent range: All interface IP, all WAN IP, all X1 management IP, all X2 management IP, WAN interface IP, WAN subnets, default gateway, sec. default gateway, WAN primary IP, WAN primary subnet, X2 IP, X2 subnet. Then for Bridge: Bridged to: select an interface: X0, X1, X2, X3. I don't know much of what all this implies. But it sounds like maybe one of these is the answer. So then the question is.

Too much reading. This is how I would go about this. I'm giving you 2 options.

1st option: 1 firewall, 2 ISPs, 2 separate switches. One switch is dedicated to your LAN devices and the other one is dedicated to DMZ devices. The firewall does all of the NAT for the LAN and DMZ and also has all of the firewall settings between all of the networks.

2nd option: 1 firewall, 2 ISPs, 1 switch capable of VLANs (and it doesn't have to be Layer 3, it just has to be able to tag VLANs). Still the same as above, except that you create 2 VLANs on the switch. Let's say VLAN 1 for all of your LAN devices and VLAN 2 for all of your DMZ devices. Tag all of the appropriate ports for VLAN 2 traffic and then cable those up appropriately.

The biggest thing to keep in mind is that the SonicWall is doing it all: NAT for the LAN, NAT for the DMZ, and the rules between all of the networks. No extra switch, no software firewall, nothing. SonicWall is doing it. In my opinion that would be your best bet to accomplish what you want.

Thanks. This makes sense to me. I guess VLANs aren't technically super secure like a dedicated DMZ switch, but it works for now. Same thing with my Hyper-V hosts: I'll just use one of the NIC ports as a 'DMZ' port and create a virtual switch from that, then all VMs I want to be associated with the DMZ will use that virtual NIC. One thing I don't think is achievable is reverse proxy (OCS/OWA). From what I've read you have to have ISA 2006 installed. I guess I can just avoid that and configure port 443 to go through to those services (kinda like I'm doing now) and use a public SSL cert on the web services.
I have two Dell X1052 switches and a SonicWall TZ400 firewall. The SonicWall has a WAN port and then 6 available LAN ports. Is it best practice to connect a network cable from the LAN port of the SonicWall to my first X1052 switch and then connect a network cable from the first X1052 switch to the second X1052 switch? Or is it better to connect one network cable from the LAN port of the SonicWall to my first X1052 switch and then connect a second network cable from another LAN port on the SonicWall to my second X1052 switch? Thanks for the help!

The answer will depend on where most of your internal LAN traffic will be going:

If most of your LAN traffic is INTERNALLY BOUND (i.e., to a local file server, terminal server, intranet server, etc.) then you definitely want to choose 1 switch as your 'main/core' switch and connect the SonicWALL's LAN to it, along with the 2nd switch and any other switches. Plug the server(s) into the main switch, along with the most critical workstations. The reason for this is: if most traffic is internal then you don't want to waste the SonicWALL's resources switching those frames from Switch #1 to Switch #2; in fact it is probably not as fast as the dedicated switches doing that. If you plugged both switches into the SonicWALL's LAN ports then ALL traffic from Switch #1 to Switch #2 would go through the SonicWALL.

If most of your LAN traffic is EXTERNALLY BOUND (i.e., to the Internet; e.g. you have few internal resources and connect mainly to cloud-based resources, like Office 365 or various websites) then it may actually make sense to connect both switches separately to the SonicWALL's LAN ports. The reason for this is: if most of your traffic is going out through the SonicWALL then you might as well connect directly to the SonicWALL instead of having one switch pass additional frames from the 2nd switch. Plus, if the 'main' switch were to fail then the other switch would still be connected.

In either case, if you have separate subnets/VLANs then I wouldn't change anything: your Dell X1052 switches are Layer 2 only, so any routing of packets from one network/subnet/VLAN to another will require the SonicWALL router to route those packets. It wouldn't matter if you configured one of your LAN ports to be on a different network/subnet (e.g. a DMZ) or if you configured an internal interface and trunked 1 or more VLANs through a single port. In both cases the SonicWALL is doing all the routing. Of course, if you have a large/complex network with multiple subnets I would recommend a Layer 3 switch to offload from the SonicWALL. The SonicWALL's job is firewall/UTM/packet inspection and it is not going to be as fast as a switch at either plain old Layer 2 switching or Layer 3 routing.

I think your firewall has 6 LAN network interfaces to divide your networks, so that you can have various networks and apply security policies. The best practice is to connect one switch to a LAN port, and this is going to be your intranet zone, where all your private LAN and network infrastructure will be located. Second, you can connect the other switch to a second LAN port, and this is going to be your DMZ zone, where the servers and services that need to be accessed from the outside will be located, e.g. a web server. This DMZ will be a place where you need to plan your security and access from the outside carefully. This one is the better practice. If you don't need to have a DMZ zone, you can connect the 2 switches like you explained in your first case, one next to the other.
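The replies above all describe the same design: one firewall doing NAT and holding the rules between WAN, LAN and DMZ zones, with the DMZ only reachable on the published service port, plus the earlier note about blocking QUIC by denying UDP/443 while TCP/443 stays open. The model below is an added example, not SonicWall code or configuration: it evaluates constructed connection attempts against a first-match, default-deny rule set so the zone decisions can be checked. The zone subnets, rule names, sample addresses and flows are all assumptions made for illustration.

```python
"""Toy zone-policy evaluator for a WAN/LAN/DMZ firewall design.

Added example, not SonicWall code. Zones, subnets, rule names and
sample flows are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: each internal subnet belongs to exactly one zone.
ZONES = {
    "LAN": [ip_network("192.168.10.0/24")],
    "DMZ": [ip_network("192.168.20.0/24")],
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything off the internal subnets is WAN."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str           # "tcp" or "udp"
    dports: frozenset    # empty set means any destination port
    action: str          # "allow" or "deny"
    name: str


# Constructed rule set: first match wins, so the QUIC deny sits before
# any broader allow, and the DMZ -> LAN direction has no allow at all.
RULES = [
    Rule("LAN", "WAN", "udp", frozenset({443}), "deny", "block-quic"),
    Rule("LAN", "WAN", "tcp", frozenset({80, 443}), "allow", "lan-web-out"),
    Rule("LAN", "WAN", "udp", frozenset({53}), "allow", "lan-dns-out"),
    Rule("WAN", "DMZ", "tcp", frozenset({443}), "allow", "published-https"),
    Rule("LAN", "DMZ", "tcp", frozenset({22, 443}), "allow", "lan-admin-dmz"),
]
DEFAULT = Rule("*", "*", "*", frozenset(), "deny", "default-deny")


def decide(src: str, dst: str, proto: str, dport: int) -> tuple:
    """Return (action, rule_name) for a new connection attempt src -> dst."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src_zone == sz and r.dst_zone == dz and r.proto == proto
                and (not r.dports or dport in r.dports)):
            return r.action, r.name
    return DEFAULT.action, DEFAULT.name


def audit(flows):
    """Evaluate a list of (src, dst, proto, dport) tuples and return decisions."""
    return [(flow, *decide(*flow)) for flow in flows]


# Constructed sample flows covering the cases the thread talks about.
SAMPLE_FLOWS = [
    ("192.168.10.5", "203.0.113.10", "udp", 443),  # browser attempting QUIC
    ("192.168.10.5", "203.0.113.10", "tcp", 443),  # same site over HTTPS/TCP
    ("198.51.100.7", "192.168.20.8", "tcp", 443),  # Internet user to DMZ web server
    ("198.51.100.7", "192.168.10.5", "tcp", 445),  # unsolicited Internet -> LAN
    ("192.168.20.8", "192.168.10.5", "tcp", 445),  # DMZ host reaching into LAN
]

if __name__ == "__main__":
    for flow, action, name in audit(SAMPLE_FLOWS):
        src, dst, proto, dport = flow
        print(f"{proto}/{dport:<4} {src:>14} -> {dst:<14} {action:<5} ({name})")
```

The two things worth checking in a real rule base are the same as in the model: the DMZ-to-LAN direction is protected only by the default deny, so no later "any/any" allow may be added above it, and the UDP/443 deny must be ordered before any general outbound UDP allow or QUIC will still get through.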