Article Applies To:

 

Affected SonicWALL Security Appliance Platforms:

 

Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless,
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)
 

Firmware/Software Version: All SonicOS versions.

Services: Gateway Anti-virus

 

 


Feature/Application: 

 

SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway.

SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or e-mailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts, open source developers and other sources.

SonicWALL GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications, and dozens of other stream-based protocols, to provide administrators with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWALL GAV integrates advanced decompression technology that automatically decompresses and scans files on a per-packet basis.

 

Procedure:

 

How to configure GAV Protection on your SonicWALL

 

  1. Enabling SonicWALL GAV
  2. Enforcing SonicWALL GAV Protection on Zones.
  3. Specifying Protocol Filtering
  4. Enabling Inbound Inspection
  5. Enabling Outbound Inspection
  6. Restricting File Transfers
  7. Configuring Gateway AV Settings
  8. Configuring HTTP Clientless Notification
  9. Configuring a SonicWALL GAV Exclusion List

 

The Security Services > Gateway Anti-Virus page provides the settings for configuring GAV on your SonicWALL security appliance.
 
 

You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section to enable GAV on your SonicWALL security appliance. If your SonicWALL security appliance is running SonicOS 3.0 or above, you must also specify the interfaces to which you want to apply GAV protection. Depending on the SonicWALL security appliance model you are using, you can choose the WAN, LAN, DMZ, OPT or WLAN port. After selecting the interface(s), click Apply. It is recommended that you select the WAN and LAN interfaces.

 

(Screenshot of GAV in SonicOS Standard)

 

If your SonicWALL security appliance is running SonicOS Enhanced 3.0 or above, you must specify the Zones you want to apply GAV protection on in the Network > Zones page.

 

(Screenshot of GAV in SonicOS Enhanced)

 

 

 
If your SonicWALL security appliance is running SonicOS Enhanced 3.0 or above, you can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing LAN traffic.
 
  1. In the SonicWALL security appliance management interface, select Network > Zones or from the Gateway Anti-Virus Status section, on the Security Services > Gateway Anti-Virus page, click the Network > Zones link. The Network > Zones page is displayed.
  2. In the Configure column in the Zone Settings table, click the edit icon. The Edit Zone window is displayed.
  3. Click the Enable Gateway Anti-Virus Service checkbox. A checkmark appears. To disable Gateway Anti-Virus Service, uncheck the box.
  4. Click OK. 

 

Note: You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.

 

 

Specifying Protocol Filtering

Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL GAV to perform specific actions within the context of the application to gracefully handle the rejection of the payload. By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic TCP Stream can optionally be enabled to inspect all other TCP based traffic, such as non-standard ports of operation for SMTP and POP3, and IM and P2P protocols.


Enabling Inbound Inspection

Within the context of SonicWALL GAV, the Enable Inbound Inspection protocol traffic handling refers to the following:

  • Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to any zone.
  • Non-SMTP traffic from a Public zone destined to an Untrusted zone.
  • SMTP traffic initiating from a non-Trusted zone destined to a Trusted, Wireless, Encrypted, or Public zone.
  • SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to a Trusted, Wireless, or Encrypted zone.
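
The four cases above can be written as a small decision function, which makes it easy to see which flows are not treated as inbound. This is an added example, not SonicWALL code: the names Zone, inbound_rule and uncovered_flows are hypothetical, and it assumes "non-Trusted" means any zone type other than Trusted.

```python
from enum import Enum


class Zone(Enum):
    # Zone types named in the list above.
    TRUSTED = "Trusted"
    WIRELESS = "Wireless"
    ENCRYPTED = "Encrypted"
    PUBLIC = "Public"
    UNTRUSTED = "Untrusted"


INTERNAL = {Zone.TRUSTED, Zone.WIRELESS, Zone.ENCRYPTED}


def inbound_rule(is_smtp, src, dst):
    """Return the number (1-4) of the first listed case that matches, or None.

    src is the zone type the connection is initiated from, dst the zone
    type it is destined to.
    """
    if not is_smtp:
        if src in INTERNAL:
            return 1  # e.g. a LAN client fetching a file from the WAN
        if src is Zone.PUBLIC and dst is Zone.UNTRUSTED:
            return 2
        return None
    # Assumption: "non-Trusted" is read literally as "not the Trusted type".
    if src is not Zone.TRUSTED and dst in INTERNAL | {Zone.PUBLIC}:
        return 3  # mail delivered towards an internal or DMZ mail server
    if src in INTERNAL and dst in INTERNAL:
        return 4  # mail relayed between internal zones
    return None


def uncovered_flows():
    """List every (is_smtp, src, dst) combination that no case covers."""
    return [(smtp, s, d)
            for smtp in (False, True) for s in Zone for d in Zone
            if inbound_rule(smtp, s, d) is None]


if __name__ == "__main__":
    for smtp, s, d in uncovered_flows():
        print("SMTP" if smtp else "non-SMTP", s.value, "->", d.value)
```

The flows it prints, such as SMTP sent from a Trusted zone to an Untrusted zone, are the ones that depend on Enable Outbound Inspection rather than on inbound inspection.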

Enabling Outbound Inspection

The Enable Outbound Inspection feature is available for HTTP, FTP, SMTP, and TCP traffic.

Restricting File Transfers

For each protocol you can restrict the transfer of files with specific attributes by clicking on the Settings button under the protocol in the Gateway Anti-Virus Global Settings section.


 

These settings include:

  • Restrict Transfer of password-protected Zip files - Disables the transfer of password protected ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP) that are enabled for inspection.
  • Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the transfers of any MS Office 97 and above files that contain VBA macros.
  • Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed executable files. Packers are utilities which compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer adds a header that expands the file in memory, and then executes that file. SonicWALL Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are dynamically added along with SonicWALL GAV signature updates.
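
A password-protected ZIP can be recognized without knowing the password, because each entry's local file header carries a general purpose flag whose bit 0 marks the entry as encrypted. The sketch below is an added example, not SonicWALL's implementation: it walks the local headers of a ZIP stream from the start, and the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
ENCRYPTED = 0x0001          # general purpose flag, bit 0
DATA_DESCRIPTOR = 0x0008    # bit 3: sizes are stored after the file data


def encrypted_entries(data):
    """Return the names of entries whose local header has the encryption bit set."""
    names, off = [], 0
    while off + 30 <= len(data) and data[off:off + 4] == LOCAL_SIG:
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, elen) = struct.unpack(
            "<4sHHHHHIIIHH", data[off:off + 30])
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        if flags & ENCRYPTED:
            names.append(name)
        if flags & DATA_DESCRIPTOR:
            break  # compressed size is unknown here, so the walk cannot skip ahead
        off += 30 + nlen + elen + csize
    return names


def build_sample(mark_encrypted=True):
    """Constructed sample: a two-entry archive; optionally flag the second as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"plain")
        zf.writestr("invoice.doc", b"pretend ciphertext")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        second = raw.index(LOCAL_SIG, 4)   # local header of the second entry
        raw[second + 6] |= ENCRYPTED       # flag field starts at header offset 6
    return bytes(raw)


if __name__ == "__main__":
    print(encrypted_entries(build_sample()))
```

Because the flag sits ahead of the file data, the check works on the first bytes of a transfer, which is also why the file names of a password-protected ZIP remain visible.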

Configuring Gateway AV Settings

Clicking the Configure Gateway AV Settings button at the bottom of the Gateway Anti-Virus Global Settings section displays the Gateway AV Settings window, which allows you to configure Clientless Notification Alerts and create a SonicWALL GAV Exclusion List.



If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.

Configuring HTTP Clientless Notification

The HTTP Clientless Notification feature notifies users when GAV detects an incoming threat from an HTTP server. To configure this feature, check the Enable HTTP Clientless Notification Alerts box and enter a message in the Message to Display when Blocking field, as shown below.

 

 

Configuring a SonicWALL GAV Exclusion List

 

Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded from SonicWALL GAV scanning.


To add an IP address range for exclusion, perform these steps:

Step 1 Click the Enable Gateway AV Exclusion List checkbox to enable the exclusion list.
Step 2 Click the Add button. The Add GAV Range Entry window is displayed.
Step 3 Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP address range appears in the Gateway AV Exclusion List table. Click the edit icon in the Configure column to change an entry or click the delete icon to delete an entry.
Step 4 Click OK to exit the Gateway AV Config View window.
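
Because every address in an exclusion range bypasses GAV scanning, it is worth reviewing the From/To pairs before or after entering them. The following is an added example, not part of the original article or of SonicOS: audit_exclusions is a hypothetical helper, the ranges and host inventory are constructed sample data, and the 16-address threshold for "too wide" is an assumption to adjust.

```python
import ipaddress


def parse_range(ip_from, ip_to):
    """Validate one IP Address From / IP Address To pair."""
    lo, hi = ipaddress.ip_address(ip_from), ipaddress.ip_address(ip_to)
    if lo.version != hi.version:
        raise ValueError(f"mixed IP versions: {ip_from} - {ip_to}")
    if lo > hi:
        raise ValueError(f"From is above To: {ip_from} - {ip_to}")
    return lo, hi


def audit_exclusions(entries, inventory, max_addresses=16):
    """Report how much each exclusion range covers and which known hosts it exempts."""
    report = []
    for ip_from, ip_to in entries:
        lo, hi = parse_range(ip_from, ip_to)
        size = int(hi) - int(lo) + 1
        exempt = sorted(
            name for name, ip in inventory.items()
            if (addr := ipaddress.ip_address(ip)).version == lo.version
            and lo <= addr <= hi)
        report.append({
            "range": f"{lo}-{hi}",
            "addresses": size,
            # CIDR blocks that exactly cover the range, for comparison with zone subnets
            "cidrs": [str(n) for n in ipaddress.summarize_address_range(lo, hi)],
            "too_wide": size > max_addresses,   # assumed review threshold
            "unscanned_hosts": exempt,
        })
    return report


# Constructed sample data.
SAMPLE_ENTRIES = [("192.168.10.20", "192.168.10.23"), ("10.0.0.0", "10.0.255.255")]
SAMPLE_INVENTORY = {"backup-server": "192.168.10.21",
                    "mail-relay": "10.0.4.25",
                    "hr-laptop": "192.168.10.50"}

if __name__ == "__main__":
    for row in audit_exclusions(SAMPLE_ENTRIES, SAMPLE_INVENTORY):
        print(row)
```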