sonicwall® gms 8.7 software · performance of reporting modules. read the “capacity planning and...

SonicWall® GMS 8.7 SoftwareGetting Started Guide

1Contents

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Record Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Installing and Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Installing Universal Management Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Before Upgrading to GMS 8.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Upgrading From an Earlier Version of GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Upgrading the SonicWall GMS Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Registering and Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Registering/Licensing After a Fresh Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Registering Associated Servers in a Distributed Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Registering Associated Servers in a Closed Network Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Configuring UMH Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Deployment Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Using the Role Configuration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Manually Configuring the System Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Configuring the All In One Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Configuring the Database Only Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Configuring the Console Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Configuring the Agent Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Configuring the Reports Summarizer Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Configuring the Monitor Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Configuring the Event Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Configuring the Syslog Collector Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Configuring the Flow Server Role (Virtual Appliances Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Configuring the All in One-Flow Server (Demo Mode Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Configuring the Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Configuring Database Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Configuring Deployment Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Controlling Deployment Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Introduction to the Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Overview of the Two Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Switching Between Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40UMH System Interface Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Management Interface Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Login Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Live Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Multi-Firewall Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

SonicWall GMS 8.7 Getting Started GuideContents

2

Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Using the GMS TreeControl Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Provisioning and Adding Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Provisioning a SonicWall Firewall Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Provisioning a SonicWall Firewall Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Provisioning a SonicWall SMA SMB Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Provisioning a SonicWall E-Class SMA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Provisioning a SonicWall Email Security Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Adding SonicWall Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Adding SonicWall Appliances Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Importing SonicWall Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Managing Multiple Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56SonicWall Live Product Demos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

SonicWall Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

SonicWall GMS 8.7 Getting Started GuideContents

3

1

Before You Begin

This Getting Started Guide contains installation procedures and configuration guidelines for deploying SonicWall® GMS on a server on your network. SonicWall GMS is a Web-based application that can configure, manage, and monitor the status of thousands of SonicWall firewalls, Internet security appliances and non-SonicWall appliances from a central location. SonicWall GMS provides the following benefits:

• Centralized security and network management

• Sophisticated VPN deployment and configuration

• Active device monitoring and alerts

• Intelligent reporting, analytics, and activity visualization

• Centralized logging and offline management

Topics:

• System Requirements on page 4

• Record Configuration Information on page 9

System RequirementsSonicWall GMS software comes with a base license to manage either 5, 10, or 25 nodes. You can purchase additional licenses on MySonicWall. For more information on licensing additional nodes, read the “SonicWall Upgrades” section of the GMS 8.7 Console Admin Guide.

Before installing SonicWall GMS, review the following requirements.

Topics:

• Operating System Requirements on page 5

• Unsupported Platforms on page 5

• GMS Hardware Resource Requirements on page 5

• Hard Drive HDD Specifications

• Browser Requirements on page 6

• Database Requirements on page 6

• Java Requirements on page 6

• Microsoft Azure Platform Requirements on page 7

• SonicWall Appliance and Firmware Support on page 8

• Non-SonicWall Appliance Support on page 9

• SonicWall GMS Gateway Recommendations on page 9

SonicWall GMS 8.7 Getting Started GuideBefore You Begin

4

Operating System Requirements SonicWall GMS Software release supports the following operating systems:

• Windows Server 2016 Standard (English and Japanese language versions)

• Windows Server 2012 Standard 64-bit

• Windows Server 2012 R2 Standard 64-bit (English and Japanese language versions)

• Windows Server 2012 R2 Datacenter

These Windows systems can either run in physical standalone hardware platforms, or as a virtual machine under Microsoft Azure or Windows Server 2012 Hyper-V or VMware ESXi.

Unsupported PlatformsThe following platforms have been dropped from support:

• CDP management and reporting

• UMA EM5000 as part of the GMS deployment

• Windows 32-bit as part of the GMS deployment

• Firewalls with firmware older than SonicOS 5.0

• Gen4 or older Firewalls

GMS Hardware Resource RequirementsUse the Capacity Planning Tool to determine the hardware requirements for your deployment.

Hard Drive HDD SpecificationsThe following hard drive HDD specifications are required when using GMS Software on a Windows Server or a GMS Virtual Appliance:

TIP: All listed operating systems are supported in both virtualized and non-virtualized environments. In a Hyper-V virtualized environment, Windows Server is a guest operating system running on Hyper-V. GMS is then installed on the Windows Server virtual machine that is layered over Hyper-V.

NOTE: GMS is not supported on Amazon Web Services EC2.

NOTE: A Windows 64-bit operating system with a RAM of 16GB is highly recommended for better performance of reporting modules. Read the “Capacity Planning and Performance Tuning” appendix in the GMS 8.7 Firewall - Manage Administration Guide.

Hardware Requirements

Requirement Details

Spindle Speed 10,000 RPM or higher

Cache 64 MB or higher

Transfer rate 600 MBs or higher

Average latency 4 microseconds or lower


5

https://www.sonicwall.com/gms-capacity-planning-tool/

Browser RequirementsSonicWall GMS uses advanced browser technologies such as HTML5 that are supported in most recent browsers. SonicWall recommends using the latest Chrome, Firefox, Internet Explorer, or Safari browsers for administration of the SonicWall GMS.

This release supports the following Web browsers:

• Chrome 42.0 and higher (recommended browser for dashboard real-time graphics display)

• Mozilla Firefox 37.0 and higher

• Microsoft Edge 41 or higher

• Internet Explorer 11.0 and higher (do not use compatibility mode)

Mobile device browsers are not recommended for SonicWall GMS system administration.

Database RequirementsSeparately installed instances of MySQL are not supported with GMS.

The following SQL Server versions are supported:

• SQL Server 2014

• SQL Server 2012

Java Requirements

Download and install the latest version of the Java 8 plug-in on any system that accesses the GMS management interface. This can be downloaded from:

www.java.com

or

https://www.oracle.com/technetwork/java/javase/downloads/index.html

NOTE: Internet Explorer version 10.0 in Metro interfaces of Windows 8 is currently not supported. Turn off Compatibility Mode when accessing the GMS management interface with Internet Explorer. For more information, see the Knowledge Base article located at: https://www.sonicwall.com/en-us/support/knowledge-base/170502904412584

NOTE: If using Chrome version 42 and newer to access GMS 7.2 and older, you will need to enable NPAPI support in Chrome, which by default has been disabled starting with version 42.

NOTE: For SQL Server deployments in countries in which English is not the default language, set the default language to English in the Login Properties of the GMS database user in the SQL Server configuration.

NOTE: A database user with “DB Creator” privileges must be provided to GMS during the Role Configuration process of any GMS Server.

NOTE: Java is required only when you are using Net Monitor.


6

https://www.sonicwall.com/en-us/support/knowledge-base/170502904412584

http://www.java.com/

http://www.oracle.com/technetwork/java/javase/downloads/index.htm

Network RequirementsTo complete the SonicWall GMS Software deployment process documented in this Getting Started Guide, the following network requirements must be met:

• The SonicWall GMS server must have access to the Internet

• The SonicWall GMS server must have a static IP address

Microsoft Azure Platform RequirementsSonicWall Global Management System (GMS) can now be deployed as software on a Microsoft Azure cloud computing platform. This allows you to have more flexibility in the types of server you select to host GMS. Refer to the following documentation to set up the Azure platform:

• Tutorial: Create and Manage Windows VMs with Azure PowerShell

• Quickstart: Create a Windows Virtual Machine in the Azure Portal.

NOTE: GMS 8.7 supports closed network deployments. A closed network deployment does not require Internet access, see the GMS 8.5 Closed Network Deployment Guide for more information.

NOTE: Depending on the configuration of SonicWall log settings and the amount of traffic handled by each device, the network traffic can vary dramatically. The 1 KB/s for each device is a general recommendation. Your installation requirements can vary. Refer to the Capacity Planning Tool.

NOTE: You need to have the following ports open in Microsoft Azure to deploy GMS: 3389, 3306, 514, 8585, 2055, 443, and 21021.


7

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-manage-vm

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-portal

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-manage-vm

https://www.sonicwall.com/en-us/support/technical-documentation/gms-8-5-closed-network-deployment-guide

https://www.sonicwall.com/en-us/gms-capacity-planning-tool

https://www.sonicwall.com/en-us/gms-capacity-planning-tool

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-portal

SonicWall Appliance and Firmware SupportSonicWall GMS supports SonicWall firewall App Control policy management and reporting. Refer to the SonicOS documentation for information on which SonicOS firmware versions support these features.

SonicWall GMS 8.7 supports the following SonicWall appliances and firmware versions:

Notes:

• Appliances running firmware newer than this GMS release can still be managed and reports can still be generated. However, the new features in the firmware will be supported in an upcoming release of GMS.

• GMS 8.7 does not support SonicOS 5.8 or earlier using RC4.

NOTE: GMS 8.7 does not support legacy SonicWall appliances, including:• Firewall appliances running firmware earlier than SonicOS 5.0• CSM Series• CDP Series

Component Requirements

SonicWall Platforms SonicWall Firmware Version

Network Security Appliance

NSsp 12000 6.5.1.8-1n or newer

SuperMassive 10000 series SonicOS 6.0 or newerNOTE: Only partial policy management and reporting support is currently available. The following SuperMassive specific features are not supported for centralized policy management in GMS:

• Multi-blade Comprehensive Anti-Spam Service (CASS)• High Availability/Clustering• Support for Management Interface• Flow Reporting Configurations• Multi-blade VPN• Advanced Switching • Restart: SonicOS versus Chassis

Contact your SonicWall Sales representative through https://www.sonicwall.com/en-us/customers/contact-sales for more information.

SuperMassive 9000 series SonicOS 6.1 or newer

NSA/NSa series SonicOS 5.5 or newer

NSv series SonicOS 6.5.2 or newer

TZ series and TZ Wireless SonicOS 5.5 or newer

SonicWall SOHO SonicOS 5.9.1.3 or newer 5.9 versions

SOHO Wireless SonicOS 6.2.6 or newer 6.x versions

Secure Mobile Access

SRA/SSL-VPN Series SSL-VPN 2.0 or newer (management)SSL-VPN 2.1 or newer (management and reporting)

E-Class SRA Series E-Class SRA 9.0 or newer

SMA 6200/7200 SMA 10.7.2 or newer

Email Security/Anti-Spam

Email Security Series Email Security 7.2 or newer (management only)


8

https://www.sonicwall.com/support


Non-SonicWall Appliance SupportSonicWall GMS provides monitoring support for non-SonicWall TCP/IP and SNMP-enabled devices and applications.

SonicWall GMS Gateway RecommendationsA GMS gateway is a SonicWall firewall appliance that allows for secure communication between the SonicWall GMS server and the managed appliance(s), using VPN tunnels.

A GMS gateway is not required in all deployment scenarios, but when deployed, the GMS gateway must be a SonicWall VPN-based network security appliance running SonicOS Enhanced firmware or another VPN device that is interoperable with SonicWall VPN. The GMS gateway provides a VPN management tunnel for each managed appliance. The number of management tunnels depends on the number of VPNs supported by the GMS gateway appliance and could be a limiting factor.

For complete information about SonicWall GMS management methods and requirements for a GMS Gateway, see the “GMS Gateway Requirements” section in the GMS 8.7 INTRODUCTION - DASHBOARD Administration Guide.

Record Configuration InformationBefore continuing, record the following configuration information for your reference:

SMTP Server Address: The IP address or host name of your Simple Mail Transfer Protocol (SMTP) server. For example, mail.emailprovider.com.

HTTPS Web Server Port: The number of your secure (SSL) Web server port if customized. The default port is 443.

GMS Administrator Email 1: The email address of a SonicWall GMS administrator who receives email notifications from SonicWall GMS.

GMS Administrator Email 2: The email address of an additional SonicWall GMS administrator who receives email notifications from SonicWall GMS. This field is optional.

Sender Email Address: The email address from which the email notifications are sent by SonicWall GMS.

GMS Gateway IP: The IP address of the SonicWall GMS gateway between the GMS agent and the network. This optional field is only applicable if you have a GMS gateway.

GMS Gateway Password: The password for the SonicWall GMS gateway. This optional field is only applicable if you have gateway between the GMS and the network.

Database Vendor: Your database vendor if you are using a SQL Server database.*

Database Host/IP: The IP address of the database host. This is not required when using the bundled database on this server.*

Database User: The MySQL user name for the database administrator. This is not required when using the bundled database on this server 1

1. This information is needed if Microsoft SQL Server is used, or in the case of a distributed deployment.

Database Password: The MySQL password for the database administrator. This is not required when using the bundled database on this server. 1


9

2

Installing and Upgrading

SonicWall GMS Software can be configured for a single server or in a distributed environment on multiple servers.

SonicWall GMS can be installed as a fresh install or as an upgrade from a previous version.

Topics:

• Installing Universal Management Suite on page 10

• Before Upgrading to GMS 8.7 on page 14

• Upgrading From an Earlier Version of GMS on page 14

Installing Universal Management SuiteIn SonicWall GMS, all software components related to GMS, including the MySQL database, executable binary files for all GMS services, and other necessary files, are installed using the Universal Management Suite (UMS) single-binary installer. The initial installation phase takes just a few minutes for any type of installation, such as GMS server, database server, or any other role.

To do a fresh install of the Universal Management Suite from the single binary installer, complete the following steps:

1 Log in to your GMS management computer as the administrator (Windows).

2 Launch the Universal Management Suite installer, by right-clicking the file:

sw_gmsvp_win_eng_8.7.xxxx.xxxx.exe (where xxxx represent the exact version numbers)

3 Select Run as administrator. It could take several seconds for the InstallAnywhere self-extractor to initialize.

NOTE: You must disable the User Account Control (UAC) feature on Windows before running the SonicWall GMS installer. In addition, disable Windows Firewall or your personal firewall before running this installer.

SonicWall GMS 8.7 Getting Started GuideInstalling and Upgrading

10

4 In the Introduction screen, click Next.

5 In the License Agreement screen, check the box for I accept the terms of the License Agreement.


11

6 Select the path to the folder where you would like to install the files.

You can:

• Accept the default path C:\GMSVP.

• Enter a new path.

• Click Choose to navigate to the selected folder.

7 When you are finished, click Next.

8 In the Universal Management Suite Settings screen, select or enter the IP address to which the GMS services should bind to listen for inbound TCP, UDP, SNMP, syslog, or other packets. The installer detects and offers radio buttons for any IP addresses associated with the system. The default is your management computer IP address. To use a different IP address, select Other and enter the IP address into the field.

9 Click Next.

10 To use a custom port for HTTPS traffic to the system’s Web Server, enter the port number into the HTTPS Port field.

11 Click Install.

NOTE: Do not include spaces in the installation path.

NOTE: On a Windows system that has IPv4 and IPv6 addresses, the installer detects both IP addresses. You must select both IPv4 and IPv6 addresses.

TIP: If you specify a custom port, you need to modify the URLs you use to access GMS by using the following format:

https://localhost:<port>/ (to login from the local host)or

https://<ipaddress>:<port>/ (to login from a remote location)For example, if you specified https port 8080, the URLs would look like this:

https://localhost:8080/ (for a local host login)or

https://10.0.93.20:8080/ (for a remote login)

NOTE: If you receive the message “Cannot bind to the port number specified, please specify a different one” the port you specified is in use by another program, for example, Internet Information Services (IIS). Specify a different, unused port, such as 8080.


12

12 If you see a Windows Security Alert for Java, click Unblock.

13 The installer displays a progress bar as the files are installed. Wait a few minutes for the installer to finish.

14 After the files are installed, whether or not the system has a Personal Firewall such as Windows Firewall enabled, a dialog is displayed notifying you to either disable the firewall or manually open the syslog and SNMP ports, and to ensure that these ports are open on your network gateway or firewall if you plan to use HTTPS Management mode for managing remote appliances (instead of GMS Management Tunnel or Existing Tunnel modes). It also mentions that it you have AntiVirus software running on your system, you need to exclude the folders associated with this product from being scanned by the AntiVirus Software. Be sure to adjust the settings as recommended.

15 Click OK. The Universal Management Installer closes and the Universal Management Suite icon appears on the desktop.

16 Access the SonicWall GMS Software UMH system interface by either:

• Clicking on the new desktop shortcut for Universal Management Suite (your default Web browser launches: https://localhost/appliance/login).

• Pointing your browser to: https://localhost/.

17 Log in using the these credentials:

• Username — admin

• Password — password

You are prompted to change your password.

To register and license SonicWall GMS, see Registering and Licensing on page 16.

NOTE: You must change your password the first time you log in.


13

Before Upgrading to GMS 8.7

Consider the following before upgrading to GMS 8.7:

• GMS 8.7 does not support 32-bit Windows, and the installer cannot upgrade such a system.

• You must disable the User Account Control (UAC) feature on Windows before running the GMS installer. In addition, disable Windows Firewall or your personal firewall before running this installer.

• For appliances under management using a GMS Management Tunnel or Existing Tunnel, make sure that HTTPS management is allowed from the GMS servers. This is because GMS 8.7 logs in to the appliances using HTTPS only.

• When performing a fresh installation of GMS on Windows, the installer prompts for an IPv6 address of the server if it detects an IPv6 network.

In a distributed environment, you must upgrade all GMS servers in your deployment to the same version of GMS. You cannot have some servers running version 8.7 and others running earlier versions.

Upgrading From an Earlier Version of GMSGMS can be upgraded from previous versions. To upgrade GMS from a version earlier than 8.6, see the knowledge base article located at: https://www.sonicwall.com/support/knowledge-base/gms-8-7-upgrade/190412145920365/.

For SonicWall GMS deployments, upgrading from GMS 8.6 to 8.7 can be performed by logging in to the windows system, downloading the GMS 8.7 file, and running the installation wizard. After successfully completing the installation wizard, you can first log into the GMS appliance interface and then log in to the sgms interface. SonicWall recommends rebooting after upgrading the appliance.

Shut down all GMS servers except the one that is running the database. Then upgrade the Console/AIOP first and then the other servers. You must upgrade all GMS servers in your deployment to the same version of SonicWall GMS 8.7. You cannot have some servers running version 8.7 and others running an earlier version.

To register and license SonicWall GMS, see Registering and Licensing on page 16.

Upgrading the SonicWall GMS Software

This section provides procedures for upgrading an existing SonicWall GMS 8.1 or newer installation to GMS 8.7. GMS can be configured for a single server or in a distributed environment on multiple servers. GMS 8.7 can only be installed as a fresh install or as an upgrade from GMS 8.6. To upgrade GMS from a version earlier than 8.6, you need to upgrade to major versions of GMS until you reach 8.6, then you can upgrade GMS 8.6 to GMS 8.7.

To upgrade, complete the following:

1 Open a web browser and navigate to www.mysonicwall.com.

CAUTION: If you have an UMA EM5000 appliance or a Windows 32-bit GMS Server currently in your deployment, you must migrate them first to a Windows 64-bit GMS server or decommission these systems, before upgrading to 8.7. A pop-up message displays and installation stops if the deployment has an active UMA or a Windows 32-bit GMS Server.

CAUTION: If you are upgrading to GMS 8.7 and still have CDP appliances under management, those appliances are automatically removed from GMS after the upgrade.

NOTE: You must have a valid support license to upgrade your GMS.


14

http://www.mysonicwall.com

https://www.sonicwall.com/support/knowledge-base/gms-8-7-upgrade/190412145920365/

2 Use your credentials to log in to your account.

3 Navigate to Resources & Support > My Downloads.

4 Download the GMS 8.7 software.

5 After the file has downloaded, double-click the file and follow the onscreen instructions. The Installer detects any previous installations of GMS. Click Install to proceed with the installation.

6 If you see a Windows Security Alert for Java, click Unblock. The installer displays a progress bar as the files are installed. Wait a few minutes for the installer to finish installing.

7 After the files are installed, whether or not the system has a Personal Firewall such as Windows Firewall enabled, a dialog is displayed notifying you to either disable the firewall or manually open the syslog and SNMP ports, and to ensure that these ports are open on your network gateway or firewall if you plan to use HTTPS Management mode for managing remote appliances (instead of GMS Management Tunnel or Existing Tunnel modes). Click OK. Be sure to adjust the settings as recommended.

8 After the installer has completed, reboot the system to complete the installation.


15

3

Registering and Licensing

All instances of SonicWall GMS Software must be registered and licensed before use. This requirement applies to both single server deployments or distributed deployments on multiple servers, to fresh or upgraded installations, and to software installations on Windows servers or to SonicWall UMH appliances.

Topics:

• Registering/Licensing After a Fresh Install on page 16

• Registering Associated Servers in a Distributed Deployment on page 18

• Registering Associated Servers in a Closed Network Deployment on page 19

Registering/Licensing After a Fresh InstallSonicWall GMS registration is done using the Universal Management Host (UMH) system interface. When installing Universal Management Suite (UMS) on a server, or host, a Web server is installed to provide the UMH system interface. The system interface is available by default after restarting the system at: https://localhost/.

To complete registration, the system must have access to the Internet and you must have a MySonicWall account. The SonicWall License Manager, available on the System > Licenses page of the UMH system interface, allows you to log in and enter your registration information on MySonicWall.

NOTE: MySonicWall registration information is not sold or shared with any other company.

SonicWall GMS 8.7 Getting Started GuideRegistering and Licensing

16

To register and license SonicWall GMS on this server, complete the following steps:

1 Launch the Universal Management Suite by double clicking on the UMS desktop icon, or by opening a Web browser and entering https://localhost/ to launch the UMH system interface.

2 Type admin in the User field, and password in the Password field and then click LOGIN.

3 The Login page reloads to force a password change. Enter a new password into both the New Password and Confirm New Password fields.

4 Click Submit.

5 On the System > Status page, the Registration Pending notification across the top of the screen indicates that the system is not registered, the Serial Number status is UNKNOWN, and the License status displays Not Licensed. To begin registration, click Register at the top of the screen.

6 On the License Management page, enter your MySonicWall user name and password into the appropriate fields and then click Submit.

7 On the second License Management page, Enter your 12-character software serial number into the Serial Number field and your authentication code into the Authentication Code field. Optionally, you can click the click here link to enter your 8-character serial number.

NOTE: If you specified a custom port (a port other than the default port 80), in Installing Universal Management Suite on page 17, modify the URL as follows:

https://localhost:<port>/ For example, if you specified port 8080, the URL would be: https://localhost:8080/

NOTE: If you do not have a MySonicWall account, you must create one before continuing. Click the link to create a MySonicWall account.

NOTE: If this is the first SonicWall GMS Software that you are registering in a multi-server deployment, the Serial Number and Authentication Code you received from your SonicWall sales representative is entered here. As you add more instances of SonicWall GMS Software on Windows Server systems to the distributed deployment, use the same serial number used for the installation of the first GMS Windows Software or SonicWall appliance. You can use the GMS Windows serial number to register associated servers if it is a full-retail GMS serial number, but not a Demo or Free Trial GMS serial number. See Registering and Licensing on page 16.


17

8 Enter a friendly into the Friendly Name field. The friendly name is displayed on MySonicWall to more easily identify the installation on this system.

9 Click Submit; the License Management screen displays a completion screen.

10 Click Continue; the license summary information is populated.

11 When registration is complete, the Deployment > Roles page displays. For instructions on configuring these settings, see Configuring UMH Deployment Options on page 20.

Registering Associated Servers in a Distributed DeploymentWhen you have a distributed SonicWall GMS deployment involving more than one SonicWall appliance or software instance of SonicWall GMS, you can associate these components during the registration process. A MySonicWall account is required. In a distributed deployment, SonicWall GMS must be registered and licensed on each server and associated with the initially registered instance of GMS. This is accomplished by entering the serial number of the primary instance of SonicWall GMS when registering each subsequent server in the distributed deployment.

When the primary instance of SonicWall GMS is an appliance, you can download the UMS installer from MySonicWall, so that you can install the UMS on Windows systems to be used in the distributed deployment. When registering the software instances of SonicWall GMS, use the serial number of the appliance.

To register a SonicWall GMS instance as an associated server in an existing GMS deployment, complete the following steps:

1 In a browser, log in to the system management interface.

2 Click Register.

3 Navigate to System > Licenses and click Manage Licenses.

4 On the License Management page, enter the same MySonicWall user name and password that you used when registering the primary instance of GMS into the appropriate field.

5 Click Submit.

6 On the second License Management page, do one of the following:

• Type the 12-character serial number of the primary GMS into the Serial Number field and type the authentication code of the primary GMS into the Authentication Code field. The primary GMS must already be registered.

• If adding an appliance as a secondary member of a distributed deployment, the License Manager automatically populates the Serial Number field. You do have the opportunity to add this unit to the existing deployment in a later step.

• If you have an eight-character serial number because you upgraded this distributed deployment from a previous version of GMS, and have the eight-character Serial Number, click the Click here if you have an 8-character serial number link and enter the serial number of the primary GMS.

NOTE: If this is the first SonicWall GMS Software that you have registered in a multi-server deployment, the Friendly Name for this system is also used as the name for the distributed deployment. See Registering and Licensing on page 16.

NOTE: The base 10-node or 25-node management license is not automatically increased when additional servers are associated with an existing SonicWall GMS deployment. You can purchase additional node licenses on MySonicWall.


18

7 Type a descriptive name for the system into the Friendly Name field.

8 Click Submit.

9 In the License Management completion screen, click Continue.

10 After registration, the next step is to select the role for this GMS server. Continue with the procedure described in Configuring UMH Deployment Options on page 28.

Registering Associated Servers in a Closed Network DeploymentTo complete registration in a closed network deployment, see the GMS 8.5 Closed Network Deployment Guide.


19

https://www.sonicwall.com/en-us/support/technical-documentation/gms-8-5-closed-network-deployment-guide/deployment-services

4

Configuring UMH Deployment Options

The role that you assign to your SonicWall GMS defines the Universal Management Suite services that it provides. SonicWall GMS uses these services to do management, monitoring, and reporting tasks.

Your SonicWall GMS can be deployed in any of the following roles:

• All in One

• Database Only

• Console

• Agent

• Report Summarizer

• Monitor

• Event

• Syslog Collector

• Flow Server

• All in One - Flow Server (Demo Mode Only)

Topics:

• Deployment Requirements on page 20

• Deployment Considerations on page 21

• Using the Role Configuration Tool on page 22

• Manually Configuring the System Role on page 25

• Controlling Deployment Services on page 38

Deployment RequirementsConsider the following before deploying the GMS:

• SonicWall GMS management is not supported on Apple MacOS.

• All modes of the application run in 64-bit mode.

• Using the Flow Server Agent role requires a minimum of:

• Quad Core

• 16GB of memory

• 300GB available disk space

SonicWall GMS 8.7 Getting Started GuideConfiguring UMH Deployment Options

20

Deployment Considerations • The Flow Server and All in One - Flow Server roles are only available for configuration on the GMS

Virtual Appliance platforms.

• In the UMH system interface, on the Deployment > Roles page, clicking Details in the same row as a role provides a list of the services that run on a system in that role, and information about using the role.

• As the number of managed appliances increases, a more distributed deployment provides better performance. To manage large numbers of SonicWall appliances, you can use several SonicWall GMS instances operating in different roles in a distributed deployment. These instances can run on Windows Server machines or on SonicWall UMH Virtual Appliances.

• You can include the MySQL database installation with any role. The All In One or Database Only roles automatically include the MySQL database. Only one server in a SonicWall GMS deployment should have the MySQL database included in its role.

• You can scale your deployment to handle more units and more reporting by adding more systems in the Agent role. Agents provide built-in redundancy capability, meaning that if an Agent goes down, other Agents can complete the configuration tasks and other tasks of the Agent that went down.

• When configuring the role for the first appliance in a distributed deployment, you should either include the database or be prepared to provide the IP address of an existing database server. You can meet this database objective in one of the following ways:

• By selecting a role that includes the database automatically, such as All In One or Database Only

• By selecting Include Database (MYSQL) if configuring the system with any other role

• By setting up a compatible database on another machine and providing that IP address when prompted

• When upgrading a distributed deployment, upgrade and register the primary system first. This is usually the SonicWall GMS Console system from the original deployment. All subsequent instances of SonicWall GMS uses the primary system’s 12-character serial number when registering as components of the deployment. Each server in the distributed deployment must be upgraded and registered individually.

• If the GMS Console (Web server) is set up for HTTPS management, the upgrade to GMS preserves the HTTPS settings for the GMS Web server.

• The upgrade installer checks with the SonicWall back end to see if the GMS deployment has a valid support license. If it does not, then the upgrade discontinues. If the SonicWall GMSSoftware installer detects that the SonicWall backend site is not accessible, it prompts you to enter an Upgrade Key. If the key is valid, it allows the upgrade to continue. If the key is invalid, the installation fails.

• In a distributed environment, stop all GMS services on all GMS servers before completing an upgrade. You must upgrade all GMS servers in your deployment to the same version of GMS. For example, you cannot have some servers running version 8.1 and others running 8.7.

• It is highly recommended, on all GMS servers prior to completing the SonicWall GMS upgrade, that you backup your database’s GMS installation folders, and the file:

• <GMS installation folder>\conf\sgmsConfig.xml


21

Using the Role Configuration ToolThe Role Configuration Tool is a wizard that guides you through the process of defining the deployment role for SonicWall GMS. Your system must be registered and licensed for SonicWall GMS to run the Role Configuration Tool.

There are two ways to access the Role Configuration Tool:

• After the appliance is registered for GMS, the Deployment > Roles page of the appliance management interface provides a link to the Role Configuration Tool wizard.

• The Wizards button in the top right corner of the page provides access to the Role Configuration Tool.

To use the Role Configuration Tool, complete the following steps:

1 Log in to the appliance management interface.

2 Navigate to the System > Status page.

3 Click the Wizards button at the top of the page.

4 Click the radio button for the Role Configuration Tool and click Continue.

5 In the Introduction page of the Role Configuration Tool, click Next.

6 In the Setup Type page, select either:

• Yes, if you are adding this system to an existing GMS deployment. Selecting Yes indicates to the wizard that there is an existing GMS database on another server.

• No, if this system is part of a new GMS deployment or is the only system in your GMS deployment.

7 Click Next.

8 If you selected Yes, proceed to Step 11.

9 In the Deployment Type page, select either:

• Yes, if this system is the only GMS server in the deployment.

• No, if there are multiple GMS servers.

10 Click Next

11 In the Role Configuration page, select the desired role for this system.

12 Select Include Database (MYSQL) if you want to configure a GMS database on this system.

13 Click Next.

14 In the Database Configuration page, enter the database parameters that are required for the selected role. The database fields varies depending on your previous selections.

NOTE: The list of roles on this page varies depending on your previous selections such as whether this system is part of an existing GMS deployment and if it is a single-server or part of a multi-server deployment. Neither the Database Only nor the Include Database (MYSQL) options are available if this system is part of an existing deployment.


22

Certain fields are pre-populated if you choice of role automatically includes the MySQL database or if you select Include Database (MYSQL).

For a MySQL instance, additional fields are available for configuring the database administrator credentials. The Administrator Credentials fields are only displayed and editable in the following circumstances:

• The Database Type is MySQL

• Include Database (MYSQL) is selected either manually or automatically for the chosen role

• The Database Host field is set to localhost and is not editable

When these conditions are met, the administrator password is required to create a regular access user account for the GMS application.

If you selected a role that does not include the MySQL database, you have the option of configuring the use of a SQL Server database in this dialog.

Note the following when selecting values for these fields:

• Database User – Do not use any special characters or sa, root, or admin.

• Database Password – Do not use any special characters.

• Admin Login – If using MySQL, the default Admin Login is 'root'. This cannot be changed.

• Admin Password – Do not use any special characters.

15 When finished entering the database parameters, click Next.

16 In the Other Configuration page, the fields vary depending on the selected role, as follows:

• Gateway Parameters – Required for All in One, Console, and Agent roles

• Syslog Server Parameters - Required for All in One, Console, Agent, and Syslog Collector roles

• SMTP Parameters - Required for All in One and Console roles

17 Enter the GMS Gateway IP address and connection password, if you are using a GMS gateway. Leave these fields empty if you are using HTTPS to connect to the managed appliances.


23

18 In the Syslog Server Port field, either enter the port used for receiving syslog messages or accept the default of 514.

19 For access to email on this system, including the ability to send email alerts, type the mail server IP address into the SMTP Server field and enter valid email addresses for the Sender Address and Administrator Address.

20 Click Next.

21 In the Summary page, verify that all parameters are correct.

22 Either click Back to make changes on a previous screen, or click Apply to accept the settings.

23 Wait for the settings to be applied. The screen displays a progress bar until it finishes, and then displays the status. This phase can take up to 10 minutes, especially if the database was included in the deployment.

24 Click Close to exit the Role Configuration Tool.


24

Manually Configuring the System RoleYou can manually configure the role of the SonicWall GMS system without using the Role Configuration Tool. All role configuration is done in the UMH system interface, available at the URL:

https://<IP address>:<port>/appliance/

Topics:

• Configuring the All In One Role on page 25

• Configuring the Database Only Role on page 26

• Configuring the Console Role on page 26

• Configuring the Agent Role on page 27

• Configuring the Reports Summarizer Role on page 27

• Configuring the Monitor Role on page 28

• Configuring the Event Role on page 29

• Configuring the Syslog Collector Role on page 29

• Configuring the Flow Server Role (Virtual Appliances Only) on page 30

• Configuring the All in One-Flow Server (Demo Mode Only) on page 31

Configuring the All In One RoleThe All In One role is used for demonstrating functionality in test environments, it should not be used in production environments.

The All In One role provides all services utilized by SonicWall GMS:


• Reports Scheduler

• Update Manager

• Reports Summarizer

• SNMP Manager

• Scheduler

• Monitoring Manager

• Web Server

• Database

To configure the Gateway settings for this role, refer to Configuring the Gateway on page 31

NOTE: SonicWall recommends that you use a multi-system distributed deployment in production environments, with the database on a dedicated server and the other services on one or more systems. When only one other system is deployed, the Console role should be assigned to it.


25

Configuring the Database Only RoleThe Database Only role is used in a multi-server SonicWall GMS deployment. In this role, the server is configured to run only the database service. SonicWall recommends that one of the servers in a multi-server GMS deployment is assigned a Database Only role.

Only the Universal Management Suite Database service runs on a Database Only system.

GMS can use a MySQL database installed on a SonicWall appliance or on a server, or a Microsoft SQL Server database installed on a server. Only the MySQL database included in the installer is supported. If upgrading from a GMS 5.0 installation that used the MySQL installer, GMS continues to support that MySQL installation.

On the Deployment > Roles page in the UMH system interface, you can configure your SonicWall GMS systems to use either a MySQL or a SQL Server database.

To deploy your SonicWall GMS in the Database Only role, complete the steps described in the Configuring Database Settings on page 34

Configuring the Console RoleThe Console role is used in a multi-server, distributed SonicWall GMS deployment. In this role, the SonicWall GMS server runs all Universal Management Suite services except for the Database. In this scenario, the Database role is assigned to a separate appliance or server.

In the Console role, the SonicWall GMS server behaves as an Agent, and also provides the following functions:

• Provides Web user interface for the SonicWall GMS application

• Emails Scheduled Reports

• Performs Event Management tasks

• Performs various periodic checks, such as checking for new appliances that can be managed, checking for new firmware versions of managed appliances, and similar functions


NOTE: In a multi-server deployment of GMS, configure port 5029 for the GMS Console Server to allow the central Web Server to communicate with the reporting databases to all GMS agents.


26

Configuring the Agent RoleThe Agent role can be used in a distributed deployment of SonicWall GMS. The primary functions of this role are:

• Manages units by acquiring them, pushing configuration tasks to the units and tracking their up/down status

• Performs monitoring based on ICMP probes, TCP probes, and SNMP OID retrievals

• Collects and stores syslog messages

• Performs report generation

The following Universal Management Suite services run on an Agent system:

• Monitoring Manager

• Reports Database

• Reports Summarizer

• Scheduler


• Web Service Server


Configuring the Reports Summarizer Role The Reports Summarizer role is used to dedicate a server for doing only summarization of reports in a multi-server SonicWall GMS deployment. Syslogs collected by the Syslog Collector service are consumed by the Reports Summarizer service to create generate reports. In such a deployment, it is essential that the Syslog Collectors running on various GMS Servers write syslogs to folders that are accessible by Reports Summarizer systems.

The following services run on a Summarizer system:

• SonicWall Universal Management Suite - Reports Summarizer

• SonicWall Universal Management Suite - Web Service Server


27

To deploy your SonicWall GMS in the Reports Summarizer role, complete the following steps in the appliance management interface:

1 Navigate to the Deployment > Roles page.

2 Under Host Role Configuration, select Reports Summarizer.

3 To include the MySQL database on this system, select Include Database (MYSQL). To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.

4 Configure the database settings as described in the Configuring Database Settings on page 34.

5 Configure the Web port settings as described in the Configuring Web Server Settings on page 35.

6 To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.

Configuring the Monitor RoleThe Monitor role is used to dedicate the SonicWall GMS server to monitoring appliances and applications in a multi-server GMS deployment. The monitoring is based on ICMP probes, TCP probes and SNMP OID retrievals.

Only the Universal Management Suite Monitoring Manager service runs on a Monitor system.

To deploy your SonicWall GMS server in the Monitor role, complete the following steps in the UMH system interface:


2 Under Host Role Configuration, select Monitor.


28

3 To:

• Include the MySQL database on this system, select Include Database (MYSQL).

• Use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.



6 To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.

Configuring the Event RoleThe Event, or Event Management, role of a GMS Server is used to dedicate a server for doing only event-based alerting of appliances and applications in a multi-server SonicWall GMS deployment.

The following services run on an Event Management system:

• SonicWall Universal Management Suite - Event Manager

• SonicWall Universal Management Suite - Web Service Server

To deploy your SonicWall GMS in the Event role, complete the following steps in the appliance management interface:


2 Under Host Role Configuration, select Event.

3 To include the MySQL database on this system, select Include Database (MYSQL). To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.

4 Configure the database settings as described in the Configuring Database Settings on page 34


To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset

Configuring the Syslog Collector RoleThe Syslog Collector role can be assigned to a SonicWall GMS server in a multi-server deployment of GMS. In this role, the SonicWall GMS server is dedicated to collecting syslog messages on the configured port (by default, port 514). The syslog messages are stored in the SonicWall GMS server file system.


29

The syslog messages are used by the Reports Summarizer service running on another SonicWall GMS server or SonicWall appliance in the distributed deployment. The folder where the Syslog Collector server stores the syslog messages must be accessible by the server running the Reports Summarizer service.

Only the Universal Management Suite Syslog Collector service runs on a Syslog Collector system.

To deploy your SonicWall GMS server in the Syslog Collector role, complete the following steps in the UMH system interface:


2 Under Host Role Configuration, select Syslog Collector.

3 If this SonicWall GMS server listens for syslog messages on a non-standard port, enter the port number into the Syslog Server Port field. The default port is 514.

4 To:





7 To apply your changes, click Update.

To change the settings on this page back to the defaults, click Reset.

Configuring the Flow Server Role (Virtual Appliances Only)The Flow Server role can be used in a distributed deployment of SonicWall GMS. The Flow Server role is only available for configuration with the SonicWall GMS Virtual Appliance platforms. The primary functions of this role include the following:

• Collect and stores flows from the firewalls

• Performs report summarization

The following Universal Management Suite services run on an Agent system:

• SonicWall Universal Management Suite - Flow Server

The single service that runs in this role is SonicWall Universal Management Suite - Flow Server. The flows are collected and stored in internal databases. To be able to create reports out of these flows, you need to have a GMS server in this deployment with a minimum version of 8.0 and a role of Console or All in One, and so on. You also need to make sure that the following ports are open:

• UDP 2055

• UDP 5055

• TCP 9063

• TCP 9064

• TCP 9065

• TCP 9066


30

• TCP 9067

To deploy your SonicWall GMS in the Flow Server role, complete the following steps in the appliance management interface:


2 Under Host Role Configuration, select Flow Server.





Configuring the All in One-Flow Server (Demo Mode Only)The All In One-Flow Server role is used for demonstrating Flow Server functionality in test environments, it should not be used in production environments. This role configuration is available for the GMS Virtual Appliance only.

These services run on an All in One-Flow Server Management system:

• SonicWall Universal Management Suite - Database

• SonicWall Universal Management Suite - Event Manager

• SonicWall Universal Management Suite - Flow Server

• SonicWall Universal Management Suite - Monitoring Manager

• SonicWall Universal Management Suite - Reports Database

• SonicWall Universal Management Suite - Reports Scheduler

• SonicWall Universal Management Suite - Reports Summarizer

• SonicWall Universal Management Suite - Scheduler

• SonicWall Universal Management Suite - Syslog Collector

• SonicWall Universal Management Suite - Update Manager

• SonicWall Universal Management Suite - Web Server

• SonicWall Universal Management Suite - Web Services

Configuring the GatewayAfter choosing a role, select a gateway to configure:

• None on page 32

• NAT Device on page 32

• GMS Gateway on page 33


31

NoneNo gateway is specified.

If you do not wish to configure a gateway, complete the following steps:


2 For Gateway, click None.

3 Select HTTP or HTTPS for the MSM Server Protocol.

4 In the MSM Server Port -field, then enter the MSM Server port number.

5 In the Syslog Server Port -field, then enter the Syslog Server port number.


7 To change the settings on this page back to the defaults, click Reset.

NAT DeviceUse this option when a NAT device is configured as the gateway. The GMS appliance does not have to log in to the unit for any reason and all NAT configurations are taken care of by the network Administrator directly through the device’s management interface.

To configure the NAT device, complete the following steps:


2 For Gateway, click NAT Device.

3 In the NAT Device IP field, enter the NAT Device IP address.

4 In the NAT Device Syslog Port field, enter the NAT Device Syslog port number. This is the Syslog port used for Syslogs sent from the managed units.


6 In the MSM Server Port field, then enter the MSM Server port number.

7 In the Syslog Server Port field, then enter the Syslog Server port number.




32

10 After gateway configuration, the next step is to configure database settings. Continue with the procedures described in Configuring Database Settings on page 34.

GMS GatewayUse this option when a SonicWall device is acting as a Gateway. Using a SonicWall appliance is recommended, but can be setup as a NAT Device if all units are managed using an SSL tunnel.

To configure the GMS Gateway, complete the following steps:


2 For Gateway, click GMS Gateway.

3 If the SonicWall GMS connects to managed appliances through a GMS gateway, in the GMS Gateway IP field, enter the internal IP address of the device.

If you change the GMS gateway IP address or password, you must also change the settings on this page. To determine if a GMS Gateway is required, see the SonicWall Getting Started Guide for your product.

4 In the GMS Gateway Port field, enter the management port used to sign into the device.

5 In the GMS Gateway User field, enter the username used to sign into the device.

6 In the GMS Gateway Password field, enter the password used to sign into the device.

7 Confirm the GMS Gateway Password you entered.

8 In the GMS Gateway Syslog Port field, enter the Syslog port used for syslogs sent from the managed units.


10 In the MSM Server Port field, enter the MSM Server port number.

11 In the Syslog Server Port field, enter the Syslog Server port number.



14 After gateway configuration, the next step is to configure database settings. Continue with the procedures described in Configuring Database Settings on page 34.


33

Configuring Database SettingsDatabase settings configuration is largely the same for any role when you choose to include the database on that server. For roles that automatically include the default MySQL database, such as All In One or Database Only, the Database Type, Database Host, and Database Port fields are not editable. This is also the case for any role when Include Database (MYSQL) is selected. The Administrator Credentials fields are displayed only if the role has been defined to include the installation of the MySQL database. These are not available when a SQL Server database is selected.

This section describes the options for configuring the database settings for either the MySQL database or the Microsoft SQL Server database. SonicWall GMS can use either a MySQL or a SQL Server database.

To configure the database settings for any role, complete the following steps in the UMH system interface:


2 Select the role for this server.

3 To:



4 Under Database Configuration, if Include Database (MYSQL) was not selected in the previous step, select either MYSQL or SQL Server from the Database Type drop-down menu. This field is not editable if you previously selected Include Database (MYSQL) or if the selected role is All In One or Database Only.

5 In the Database Host field, type in the IP address of the database server or accept the default, localhost, if this SonicWall GMS server includes the database. This field is not editable if you previously selected Include Database (MYSQL) or if the selected role is All In One or Database Only.

6 To use a different user name when GMS accesses the database, enter the user name into the Database User field. The default user name is sa.

7 Type the password that GMS uses to access the database into both the Database Password and Confirm Database Password fields.

8 Under Administrator Credentials, enter the password for the administrator (root) account into both the Admin Password and Confirm Admin Password fields.

9 If your deployment uses a custom database driver, type the value into the Database Driver field. Otherwise, accept the default, com.mysql.jdbc.Driver.

10 If your deployment uses a custom database URL, type the value into the Database URL field. If you are using a different port, change the default port, 3306, in the URL. Otherwise, accept the default URL, jdbc:mysql://localhost:3306.


NOTE: If this appliance connects to a SQL Server system with a non-default instance name, then the entries are different than described in this section. Refer to the SonicWall GMS 8.7 Firewall - Manage Administration Guide for configuration instructions.

NOTE: The Administrator Credentials fields are only displayed and editable in the following circumstances:

• The Database Type is MySQL • Include Database (MYSQL) is selected either manually or automatically for the chosen role• The Database Host field is set to localhost and is not editable

When these conditions are met, the administrator password is required to create a regular access user account for the GMS application.


34


Configuring Deployment SettingsThis section describes the Deployment > Settings page, used for configuring Web port, SMTP, and SSL Certificate Access settings.

Topics:

• Configuring Web Server Settings on page 35

• Configuring SMTP Settings on page 36

• Configuring SSL Certificate Access on page 37

Configuring Web Server Settings

Web Server Settings configuration is largely the same on any role:

To change the Web server settings, complete the following steps:

1 Navigate to Deployment > Settings > Web Server Settings.

2 To use a different port for HTTP access to the SonicWall Analyzer Virtual Appliance, type the port number into the HTTP Port field. The default port is 80.

3 To use a different port for HTTPS access to the SonicWall Analyzer Virtual Appliance, type the port number into the HTTPS Port field. The default port is 443.

4 Click Enable HTTPS Redirection to redirect HTTP to HTTPS when accessing the Analyzer management interface.

5 In the Public IP field, enter the public IP or FQDN of the outside web services.

6 When you are finished configuring the Web Server Settings, click Update. The appliance restarts.

7 After the appliance restarts, use the new port to access the appliance management interface. For example:

• If you changed the HTTP port to 8080, use the URL:

NOTE: It might take 10 or 15 minutes for a database installation to complete. The database installation creates a minimal GMS database. To change database sizes, you might need to use database tools such as MySQL Server Enterprise Manager.

TIP: For optimal performance, you need to configure database maintenance plans. For information on configuring SonicWall GMS maintenance plans, refer to the GMS 8.7 Console Administration Guide.

NOTE: Changing the Server settings causes the system to restart.


35

https://<IP Address>:8080/appliance/• If you changed the HTTPS port to 4430, use the URL:

https://<IP Address>:4430/appliance/8 After changing the web server settings, the next step is to configure SMTP settings. Continue with the

procedures described in Configuring SMTP Settings on page 36.

Configuring SMTP SettingsThe SMTP settings are used for sending email alerts to the UMH system administrator. If the Mail Server settings are not configured correctly, you will not receive important email notifications, such as:

• System alerts for your GMS deployment performance

• Availability of product updates, hot fixes, or patches

• Availability of firmware upgrades for managed appliances

• Alerts on your managed appliances’ status

• Scheduled Reports

To configure SMTP settings, complete the following steps in the UMH system interface:

1 Navigate to the Deployment > Settings page.

2 In the SMTP Configuration section, enter the IP address of the SMTP server into the SMTP server field.

3 Click Use TLS if you would like to use Transport Layer Security (TLS) for your mail server connectivity, such as for Gmail or Office365. TLS ensures privacy between you and communicating applications on the Internet, and that no third-party can eavesdrop or tamper with your messages.

4 If the SMTP server in your deployment is set to use authentication, click Use Authentication. This option is necessary for all outgoing Analyzer emails to properly send to the intended recipients.

a Enter the username in the User field.

b Enter and confirm the password in the Password and Confirm Password fields.

This option provides the username/password used to authenticate against the SMTP server.

5 In the Sender address field, enter the email address that appears as the From address when email alerts are sent to the administrator.

6 In the Administrator address field, enter a valid email address for the administrator who receives email alerts.


36

7 In the Email send timeout field, enter a timeout interval (in minutes). If the server does not respond within the specified interval, the Email send action is stopped and an error is reported.

8 To test connectivity to the SMTP server, click Test Connectivity.


10 After SMTP configuration, the next step is to configure SSL Access Configuration settings. Continue with the procedures described in Configuring SSL Certificate Access on page 37.

Configuring SSL Certificate AccessMost SonicWall GMS deployments use the default certificate accompanied with your GMS Web Server. You can also choose to use a custom certificate and a respective unique password for your SonicWall GMS deployment as shown in the following figure. The SSL Access Configuration section allows you to configure and upload a custom Certificate file and Certificate Key file for SSL access to the GMS appliance, or select the default local keystore.

To configure SSL access, complete the following steps in the UMH system interface:

1 Navigate to the Deployment > Settings page.

2 In the SSL Access Configuration section, select one of these:

• Default to keep, or revert to, the default settings, where the default GMS Web Server certificate with gmsvpserverks keystore is used.

• Custom to upload a custom certificate for GMS SSL access.

3 In the Certificate file field, click Choose File to select your (.crt/.cer) certificate file.

4 In the Certificate Key file field, click Choose File to select your (.key) certificate key file.

5 Enter the password for the certificate into the Certificate password field.

6 Click View to display details about your certificate.

7 Click Update to submit your changes. A confirmation pop-up window appears.

NOTE: A Custom upload can be performed either of the following ways:• Directly as a Certificate: The certificate file (.crt/.cer), its corresponding key file (.key) and

the password are required.• Using a Keystore: The keystore and the store password are required, which would be

converted and stored as a certificate.


37

8 Click OK to accept the changes or Cancel to go back to the settings page.

Controlling Deployment ServicesThe Deployment > Services page lists the services that are running on your system as part of SonicWall GMS Software. It also provides a way to stop or start any of the services.

To stop a service that is currently Enabled, select the checkbox for that service and then click Disable/Stop.

To start a service that is currently Disabled, select the checkbox for that service and then click Enable/Start.

To restart a service that is either Enabled or Disabled, select the checkbox for that service and then click Restart.


38

5

Introduction to the ManagementInterfaces

This section describes the two SonicWall GMS management interfaces. An almost identical URL is used when accessing either the SonicWall GMS management interface or the Universal Management Host system interface, but the URL is modified to specify either “sgms” or “appliance.”

Topics:

• Overview of the Two Interfaces on page 39

• Switching Between Management Interfaces on page 40

• UMH System Interface Introduction on page 40

• Management Interface Introduction on page 40

Overview of the Two InterfacesThe SonicWall GMS Universal Management Suite (UMS) installs two separate management interfaces:

• SonicWall Universal Management Host (UMH) System Management Interface – Used for system management of the host server, including registration and licensing, setting the admin password, selecting the deployment role, and configuring other system settings.

To access the UMH system management interface on the default HTTPS port using a browser on the host server, use the URL:

https://localhost/appliance/From another system, access the UMH system management interface with the URL:

https://<IP address>:<port>/appliance/If you are using the standard HTTPS port, 80, it is not necessary to append the port number to the IP address.

• SonicWall GMS Management Interface – Used to access the SonicWall GMS application that runs on the Windows server. This interface is used to configure GMS management of SonicWall appliances, including creating policies, viewing reports, and monitoring networks, and for configuring GMS administrative settings.

Access the GMS management interface with one of the following URLs:

https://localhost/sgms/or

https://<IP address>:<port>/sgms/

NOTE: The GMS management interface is only available on systems deployed in a role that runs the Web Server service, such as the All In One or Console roles.

SonicWall GMS 8.7 Getting Started GuideIntroduction to the Management Interfaces

39

Switching Between Management InterfacesOn systems deployed in the All In One role, the “SuperAdmin” user can easily switch between the UMH system management interface and the SonicWall GMS management interface. The SuperAdmin is the master administrator for the entire GMS installation.

When logged in to either interface, the SuperAdmin can switch to the login page of the other interface by clicking Switch in the top right corner of the page. Switch is only visible for SuperAdmin users.

UMH System Interface IntroductionThe SonicWall Universal Management Host (UMH) system interface is used for system management of the SonicWall GMS instance, including registration and licensing, setting the admin password, configuring database settings, selecting the deployment role, and configuring other system settings.

When installing SonicWall Universal Management Suite on a host, a Web server is installed to provide the system management interface. The system interface is available by default at https://localhost/appliance/ after restarting the system.

The login screen allows you to securely log in to the SonicWall UMH system interface using your system user ID and password.

Management Interface IntroductionSonicWall GMS is a Web-based application for configuring, managing, monitoring and gathering reports from thousands of SonicWall firewalls, Internet security appliances and non-SonicWall appliances, all from a central location. This section provides an introduction to the main elements of the Web-based management interface.

Topics:

• Login Screen on page 41

• Dashboard on page 41

• Live Monitoring on page 42

• Multi-Firewall Management on page 43

• Management Interface on page 43

NOTE: The admin account on the system interface can have a different password than the admin account for SonicWall GMS.


40

Login ScreenThe login screen allows you to securely log in to SonicWall GMS using your MySonicWall user ID and password. The SonicWall GMS management interface is available by default at https://localhost/sgms/ after completing registration and role-configuration.

DashboardThe DASHBOARD view is a customizable dashboard of your SonicWall GMS deployment. The DASHBOARD view provides:

• Powerful network visualization reporting, monitoring, and search filtering tools consolidated into one area of the management user interface.

• An executive summary through a Universal Dashboard geographic map. As Geographic View shows, the Geographic View provides a scalable map that displays your GMS-managed units and servers using graphical icons that provide system state information with a mouse over.

• A centralized location to create Universal Scheduled Reports for Firewall, SMA, and Email Security reporting solutions.

• Top-of-the page menu items for customizing the settings of this page.


41

When the Dashboard loads after GMS login, the control bar is displayed and then becomes hidden until you place your mouse cursor at the top of the page as shown in the following figure. You can lock the control bar by clicking on the “pin the control bar” icon.

Geographic View

For more information on configuring the Universal Dashboard and Universal Scheduled Reports, refer to the “Using the Dashboard View” chapter in the GMS 8.7 INTRODUCTION - DASHBOARD Administration Guide.

Live MonitoringThe Live Monitoring feature provides users with the ability to monitor an entire network through the correlation of syslog messages received from appliances throughout a deployment. The collected syslogs are filtered with user-defined rules to become alerts. By viewing alerts in the Live Monitoring screen, users can monitor a network, analyze traffic based on protocols, Web usage and productivity, and detect viruses and attacks in the network.


42

Multi-Firewall ManagementThe Multi-Firewall Management feature in SonicWall GMS provides next generation management capability by allowing you to manage multiple firewalls appliance types (Firewall, SMB SMA, EX-Series SMA, and Email Security) through their respective Web user interfaces over HTTPS. Multi-Solution Management enables GMS Core Management functionality through the GMS user interface. Functions such as creating tasks, posting policies, scheduling tasks, and more are easily completed across multiple appliances at the Unit Node and Group Node levels.

Management InterfaceThe GMS management interface is the main control panel for GMS. The management interface allows you to add and modify appliances, complete monitoring and reporting tasks, set policies for managed appliances, and configure GMS settings.

Topics:

• Navigation Views on page 43

• Left Pane on page 44

• Center Pane on page 44

• Right Pane on page 44

• Description of Managed Appliance States on page 45

Navigation ViewsThe GMS management interface navigation views are located at the top of the management interface.

The navigation views are: DASHBOARD, FIREWALL, MONITOR, CONSOLE, SMA and ES. The MONITOR view provides real-time monitoring at the global, group or appliance level. The ES, and SMA views are only visible when enabled from the CONSOLE | Management > Settings screen. The CONSOLE view provides tools to


43

customize options found in the other GMS views and to manage GMS settings that affect the environment globally.

Left PaneThe left pane of the GMS management interface provides a tree control that displays the current GMS view and a list of managed appliances within the current view. The left pane is only displayed for the FIREWALL, SMA, ES, MONITOR, and CONSOLE views. The current category and view are indicated by a blue highlighting.

The left-pane tree control provides the ability to switch between views and displays the current state of each appliance under management. A single box in the tree control indicates a node at appliance or unit level. Two boxes in the tree control indicates a node at a group level. A global node at the top of the tree control is indicated by a three-box icon. The color and additional images superimposed on these icons provide useful status information. For detailed information about appliance states, refer to Description of Managed Appliance States on page 45.

Center PaneThe center pane displays in the FIREWALL, MONITOR, ES, SAM, and CONSOLE views. A navigational tree control that provides access to the configuration options available based on navigational view and left pane selections. The Reports panel provides reporting on the global or appliance level, and is only available for the Firewall and SMA view.

At the top of the Center pane there are three sub-tabs:

• Manage – Provides policy configuration options for managed appliances.

• Reports – Provides customizable reports and data visualization for usage, activity, attacks and more.

• Flows – Provides IPFIX-based Flow Reporting on the global, group, or appliance level.

The current selection in the center pane is indicated by the highlighted item. The center pane options change based on the navigational view and left pane selections, and selections in the center pane modify the display in the right pane.

Right PaneThe right pane displays the available status or tasks based on the current selection of navigational view, left pane and center pane options. Configurations completed in the right pane modify global, group, or appliance settings. The center pane displays in the FIREWALL view. A navigational tree control that provides access to the configuration options available based on navigational view and left pane selections. The Reports panel provides reporting on the global or appliance level, and is only available for the Firewall and SMA view.

At the top of the Center pane there are three panels:

• Manage – Provides policy configuration options for managed appliances.

• Reports – Provides customizable reports and data visualization for usage, activity, attacks and more.

• Flows – Provides IPFIX-based Flow Reporting on the global, group, or appliance level.

The current selection in the center pane is indicated by the highlighted item. The center pane options change based on the navigational view and left pane selections, and selections in the center pane modify the display in the right pane.

NOTE: If there is only one appliance visible in the Left Pane, then the Left Pane automatically collapses to present a larger screen for the rest of the UI.


44

Description of Managed Appliance StatesThis section describes the meaning of icons that appear next to managed appliances listed in the left pane of the SonicWall GMS management interface.

Appliance Status Description

One blue box indicates that the appliance is operating normally. The appliance is accessible from GMS, and no tasks are pending or scheduled.

Three blue boxes indicate that all appliances in the global group of this type (Firewall/SMA) are operating normally.

Three blue boxes indicate that all appliances in the global node of this type (Firewall/SMA) are live and communicating with GMS. All appliances of this type are accessible from SonicWall GMS and no tasks are pending or scheduled.

One blue box with a lightning flash indicates that one or more tasks are pending or running on the appliance.

Two blue boxes with a lightning flash indicate that tasks are currently pending or running on two or more appliances within the group.

Three blue boxes with a lightning flash indicate that tasks are currently pending or running on three or more appliances within the group.

One blue box with a clock indicates that one or more tasks are scheduled on the appliance.

Two blue boxes with a clock indicate that tasks are currently scheduled to execute at a future time on two or more appliances within the group.

Three blue boxes with a clock indicate that tasks are currently scheduled to execute at a future time on three or more appliances within the group.

One yellow box indicates that the appliance has been added to SonicWall GMS management (provisioned), but not yet acquired.

Two yellow boxes indicate that one or more appliances in the group have been added to SonicWall GMS management, but not acquired.

Three yellow boxes indicate that one or more of the appliances of this type (Firewall/SMA) have been added to SonicWall GMS management, but not acquired.

One yellow box with a lightning flash indicates that one or more tasks are pending on the provisioned appliance.

Two yellow boxes with a lightning flash indicates that tasks are pending on two or more provisioned appliances within the group.

Three yellow boxes with a lightning flash indicates that tasks are pending on three or more provisioned appliances within the group.

A green circle with the number 1 in the middle indicates that the unit is in an HA pair and is currently the Primary unit.

A yellow circle with the number 2 in the middle indicates that the unit is in an HA pair and is currently on backup.

One red box indicates that the appliance is no longer sending heartbeats to SonicWall GMS.

Two red boxes indicate that one or more appliances in the group are no longer sending heartbeats to SonicWall GMS.

Three red boxes indicate that one or more of the global group of appliances of this type (Firewall/SMA) are no longer sending heartbeats to SonicWall GMS.


45

Using the GMS TreeControl PanelThis section describes the content of the TreeControl Panel within the GMS management interface. You can control the display of the TreeControl Panel by selecting one of the appliance views at the top. For example, when you click the Firewall view, the TreeControl Panel displays all the managed firewall units. You can display any of the following appliance types when GMS is managing them:

• Firewall

• SMA (Secure Mobile Access)

• ES (Email Security)

You can hide the entire TreeControl Panel by clicking the Hide TreeControl Panel tab, and re-display the panel by clicking it again. This is helpful when viewing some reports or other extra-wide screens, especially on the Monitor or Console views.

To open a TreeControl Panel menu, right-click the View All icon, a Group icon, or a Unit icon.

One red box with a lightning flash indicates that the appliance is no longer sending heartbeats to SonicWall GMS and has one or more tasks pending.

Two red boxes with a lightning flash indicate that one or more appliance in the group are no longer sending heartbeats to SonicWall GMS and have two or more tasks pending.

Three red boxes with a lightning flash indicates that the appliance are no longer sending heartbeats to SonicWall GMS and have three or more tasks pending.

A box with a dot in the top-left corner indicates that the appliance is being managed by GMS using a static IP address.

This icon indicates a fail over to a secondary Ethernet port.

This icon indicates the a modem is connected using a dialup.

This icon indicates the wireless is connected using WWAN.

This icon indicates the unit’s Task Pending status is “Immediate.”

This icon indicates the unit’s Task Pending status is “Scheduled.”

Appliance Status Description

p


46

The following options are available in the right-click menu:

• Expand—Makes subbranches to the root visible.

• Expand All—Makes the entire branch visible.

• Collapse All—Compresses the entire view of all expanded hierarchies so that only the roots of the branches are visible.

• Find—Opens a Find dialog box that allows you to search for groups or units.

• Refresh—Refreshes the GMS user interface display.

• Add Unit—Add a new unit to the GMS management view. Requires unit IP and login information.

• Rename Unit—(unit node only) Renames the selected SonicWall appliance.

• Delete—Delete the selected unit or all units in the selected Group or Global Node, with option to delete interconnected SAs or to delete from NetMonitor.

• Import XML—Import an edited XML file to replace the current TreeControl navigation view.

• Modify Unit—(unit node only) Change basic settings for the selected unit, including unit name, IP and Login information, serial number, management port and encryption/authentication keys.

• Login to Unit—(unit node only) Login to the selected unit using SSL protocols.

• Modify Properties—Displays the properties for the selected SonicWall appliance, or all managed appliances in the selected group or global node.

• Manage Views—Opens a dialog box where you can create, delete, or modify a view.

• Change View—Select pre-set or user created views. Views are created in the Manage View window (see above).

• Re-assign Agents—Opens a dialog box where you can change the IP address of the primary and standby schedulers and the type of management mode used between GMS and the managed SonicWall appliances.


47

6

Provisioning and Adding Units

After installation, registration, and role configuration, the next steps in setting up your SonicWall GMS are provisioning SonicWall appliances to communicate with and support GMS and adding them to the SonicWall GMS.

Topics:

• Before You Begin on page 48

• Provisioning a SonicWall Firewall Appliance on page 48

• Adding SonicWall Appliances on page 51

Before You Begin1 Before you begin, you must have a MySonicWall account. Sign up for one at:

https://www.MySonicWall.com/user/registration.aspx.

2 Your MySonicWall account must be a partner account to register for a GMS tenant. To become a SonicWall partner, register at https://www.sonicwall.com/partners/.

Provisioning a SonicWall Firewall ApplianceAll SonicWall appliances must be provisioned before adding them to the SonicWall GMS. Make sure the provisioned SonicWall appliances have a valid GMS license, one for each SonicWall appliance.

Topics:

• Provisioning a SonicWall Firewall Appliance on page 49

• Provisioning a SonicWall SMA SMB Appliance on page 50

• Provisioning a SonicWall E-Class SMA Series Appliance on page 50

• Provisioning a SonicWall Email Security Appliance on page 50

SonicWall GMS 8.7 Getting Started GuideProvisioning and Adding Units

48

https://www.mysonicwall.com/user/registration.aspx

https://www.sonicwall.com/partners/

Provisioning a SonicWall Firewall ApplianceThis section describes the local configuration steps required on the individual firewall appliance before adding it to GMS management.

To provision a SonicWall firewall appliance to support GMS, complete the following steps:

1 Log in to the firewall appliance.

2 On Firewalls with firmware 6.2.1.x or older, navigate to System > Administration > Advance Management.

3 Select Enable Management using GMS and click on Configure. The Configure GMS Settings page displays.

4 Type the GMS host name or IP Address in the GMS host name or IP Address field.

5 Type the port number in the GMS Syslog Server Port field. The default is 514.

6 Select Send Heartbeat message only, if you are using GMS in a Management role with no reporting.

7 For GMS appliances running behind a gateway firewall, select GMS behind NAT device and enter the NAT Device IP address in the NAT Device IP Address field.

8 In the Management Mode section, select the management options from drop-down menu.

9 Click OK.

NOTE: Modify port number when using custom ports.

NOTE: You must select the same firewall management mode options that you selected for GMS.


49

Provisioning a SonicWall SMA SMB ApplianceThis section describes the local configuration steps required on the individual SMA SMB appliance before adding it to GMS management.

To provision a SonicWall SMA SMB appliance for SonicWall GMS management, complete the following steps:

1 Log in to the SMA SMB appliance.

2 Navigate to System > Administration and scroll down to the GMS Settings section.

3 Click the checkbox for Enable GMS Management.

4 Enter the GMS host name or the IP Address of the GMS server in the GMS HostName or IP Address field.

5 Type the GMS Syslog server port in the GMS Syslog Server Port field. The default port is 514.

6 Click Update.

Provisioning a SonicWall E-Class SMA Series ApplianceCurrently there is no GMS settings implementation in SonicWall E-Class SMA series appliances. To add GMS reporting support, use the Additional ViewPoint settings in the General Settings > Configure Centralized Management screen, and enter the GMS IP address and port number to start sending syslog.

To add GMS reporting support:

1 Use the Additional ViewPoint settings in the General Settings > Configure Centralized Management screen.

2 Enter the GMS IP address and port number to start sending syslog.

Provisioning a SonicWall Email Security ApplianceProvisioning a SonicWall Email Security appliance with SonicWall GMS is exclusively available on the Email Security Command Line Interface (CLI).

To provision an Email Security appliance for GMS, complete the following steps:

1 Login to the SNWLCLI as admin.

2 Enter the command gms. This displays the EMS current settings for the GMS heartbeat displayed.

3 Next, set the EMS appliance heartbeat. In this example, the heartbeat interval is 60 seconds.

NOTE: If this appliance is for Management only, click the checkbox for Send Heartbeat Status Messages Only.


50

4 Enter the destination IP address of your GMS server. In this example, the destination IP address is 10.195.11.38.

Adding SonicWall AppliancesGMS can communicate with SonicWall appliances through VPN tunnels, SSL, or directly over VPN tunnels that already exist between the SonicWall appliances and the GMS gateway. GMS should connect to the SMA appliance on the LAN port of the appliance. When GMS is deployed outside of the SMA LAN subnet, management traffic must be routed from GMS to a gateway that allows access into the LAN network, and from there be routed to the SMA LAN port.

The following sections describe two methods for adding SonicWall appliances to GMS:

• Adding SonicWall Appliances Manually on page 52

• Importing SonicWall Appliances on page 55

• Managing Multiple Appliances on page 55

NOTE: It is mandatory to send heartbeat messages to a GMS management server to reliably report the Unit Status (UP or DOWN) for an Email Security appliance in GMS.

NOTE: A SonicWall appliance might already be registered to a different MySonicWall account, in this case the “Register to MySonicWall.com” task cannot be executed, and will remain in the scheduled tasks queue. To take full advantage of GMS managed appliances, it is important that either the managed appliance is not registered when it is added into GMS, or it is registered to the same MySonicWall.com account as the GMS system that is managing the appliance. Active/Active clusters of SonicWall appliances can be added to GMS simply by adding the Master cluster node. Each individual cluster node sends syslogs directly to the Master cluster node’s serial number, GMS ends up aggregating the reports.


51

Adding SonicWall Appliances Manually

To manually add a SonicWall appliance using the GMS management interface, follow these steps:

1 Click the appliance view that corresponds to the type of appliance that you want to add: FIREWALL, SMA (Secure Mobile Access), or ES (Email Security).

2 Expand the GMS tree and select the group to which you will add the SonicWall appliance. Then, right-click the group and select Add Unit from the pop-up menu. To not specify a group, right-click an open area in the left pane (TreeControl pane) of the GMS management interface and select Add Unit or click the Add Unit icon in the tool bar. The Add Unit dialog box appears:


52

3 Enter a descriptive name for the SonicWall appliance in the Unit Name field.Do not enter the single quote character (‘) in the Unit Name field.

4 If applicable, choose a Domain to add this appliance to from the Domain pull-down list.

5 Enter the serial number of the SonicWall appliance in the Serial Number field.

6 For the Managed Address, choose whether to Determine automatically, or Specify manually. Most deployments are able to determine the IP address automatically. If you choose to specify the IP address manually, an option to Make manual address sticky is available. This retains the Manual Mode and the specified IP address is not overwritten.

7 Enter the Administrator login name for the SonicWall appliance in the Login Name field. The Administrator of the appliance can also enter a Local User or a Remote User name (as configured on the firewall) for GMS Management. If using Local User or Remote User names, they must be included in the user list created on the firewall.

8 Enter the password used to access the SonicWall appliance in the Password field.

9 For Management Mode, select from the following:

• If the SonicWall appliance is managed through an existing VPN tunnel or over a private network, select Using Existing Tunnel or LAN.

• If the SonicWall appliance is managed through a dedicated management VPN tunnel, select Using Management Tunnel.

• If the SonicWall appliance is managed using SSL, select Using SSL (default).

10 Enter the IP address of the managed appliance in the Management Port field.

11 For VPN tunnel management, enter a 16-character encryption key in the SA Encryption Key field. The key must be exactly 16 characters long and composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9”, and “a” to “f” (such as 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”

12 For VPN tunnel management, enter a 32-character authentication key in the SA Authentication Key field. The key must be exactly 32 characters long and composed of hexadecimal characters. For example, a valid key would be “1234567890abcdef1234567890abcdef.”

13 Select the IP address of the GMS agent server that manages the SonicWall appliance from the Agent IP Address list box:

• If GMS is configured in a multi-tier distributed environment, you must select the GMS Agent whose IP address matches the IP address that you specified when configuring the SonicWall appliance for GMS management.

• If GMS is in a single-server environment, the IP address of the GMS agent server already appears in the field.

14 If GMS is configured in a multi-tier distributed environment, enter the IP address of the backup GMS server in the Standby Agent IP field. The backup server automatically manages the SonicWall appliance in the event of a primary server failure. Any Agent can be configured as the backup.

15 If a flow server has been configured, select the Flow Server Agent IP address from the list box.

NOTE: Domain selection is only available to the administrator of the LocalDomain. Individual domain administrators are only able to add an appliance to their respective domains.

NOTE: This key must match the encryption key of the SonicWall appliance. You can set the key on the appliance by logging directly into it.

NOTE: This key must match the authentication key of the SonicWall appliance.

NOTE: If GMS is deployed in a single server environment, leave this field blank.


53

16 To add the appliance to Net Monitor, select Add this unit to Net Monitor.

17 Click Properties. The Unit Properties dialog box appears.

18 This dialog box displays the category fields to which the SonicWall appliance belongs. To change any of the values, select a new value from the pull-down list. When you are finished, click OK. You are returned to the Add Unit dialog box.

19 Click OK. The Assign Privileges dialog box displays.

20 Select the user group or individual users to which read-write privileges should be assigned. Keep in mind that admins always maintain read-write privileges, regardless of your selection here.

21 Click OK. The new SonicWall appliance appears in the GMS management interface. It will have a yellow icon that indicates it has not yet been successfully acquired. GMS then attempts to establish a management VPN tunnel, set up an SSL connection, or use the existing site-to-site VPN tunnel to access the appliance. GMS then reads the appliance configuration and acquires the SonicWall appliance for management. This might take a few minutes.

NOTE: After the SonicWall appliance is successfully acquired, its icon turns blue, its configuration settings are displayed at the unit level, and its settings are saved to the database. A text version of this configuration file is also saved in the file: <gms_directory>/etc/Prefs. In a multi-tier distributed environment, both the primary and secondary GMS Agents must be configured to use the same management method.


54

Importing SonicWall Appliances To reduce the amount of information that you have to manually enter when adding SonicWall appliances, GMS enables you to import the saved prefs file of a SonicWall appliance.

To import a SonicWall appliance to the GMS management interface using the import option, follow these steps:

1 Navigate to FIREWALL | Manage | System > Status.

2 Right-click the appliance in the Tree Control menu and select Import XML.

3 Click Browse to locate the XML file.

4 Select the XML file and click Import. The appliance is added to GMS.

Managing Multiple Appliances GMS can handle multiple appliances depending on you much SYSLOG traffic your firewalls are generating. That data determines how busy each firewall would become. Other considerations would be the number of SYSLOG categories enabled and how much reporting you might want to generate. Use the Capacity Planning Tool to determine deployment requirements.

If the firewalls sent only heartbeats, with no additional SYSLOG reporting required, you could probably operate a single all-in-one instance of GMS and still manage up to 200 appliances. However, that scenario is not usually the case. So, a good starting place should offer some redundancy and scalability without immediately needing to add more components. That starting point might be:

• 1 database

• 3 agents

• 1 dedicated console

Run all of these components as Windows servers, not virtual machines. You should be sure the agents are running on servers with very fast disk IO. However, a fast disk IO is not necessary for the dedicated console and database. For the RAM and CPU, it is best to have 16GB and quad Xeon available. It is the agents that need the power and focus.

GMS can be expanded with no other cost than the hardware to run it on. So when the agents appear loaded, but reports are taking a long time to mail out, additional components can be added.


55

https://www.sonicwall.com/gms-capacity-planning-tool/

7

Support

SonicWall GMS reference documentation is available at the Technical Documentation Online Library:

https://support.sonicwall.com/

Certified SonicWall System Administrator (CSSA) video training is available at no charge, 24x7 at https://support.sonicwall.com/sonicwall-gms/training/109/global-management-system-certification-cssa-level-course:

The SonicWall GMS documentation set includes the following guides:

• SonicWall GMS Release Notes

• SonicWall GMS Getting Started Guide

• SonicWall GMS Virtual Appliance Getting Started Guide

• SonicWall GMS Administration Guide

SonicWall GMS 8.7 Getting Started GuideSupport

56

https://support.sonicwall.com/

at no charge, 24x7 at https://support.sonicwall.com/sonicwall-gms/training/109/global-management-system-certification-cssa-level-course

SonicWall Live Product DemosGet the most out of your GMS with the complete line of SonicWall products. The SonicWall Live Demo Site provides free test drives of SonicWall security products and services through interactive live product installations:

• Next-Generation Firewall

• Wireless

• Client Security

• Managing and Reporting

• Remote Access

• Email Security

• Capture Cloud Platform

For more information, visit: https://livedemo.sonicwall.com/

SonicWall GMS 8.7 Getting Started GuideSupport

57

http://livedemo.sonicwall.com/

A

SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.

The Support Portal enables you to:

• View knowledge base articles and technical documentation

• View video tutorials

• Access MySonicWall

• Learn about SonicWall professional services

• Review SonicWall Support services and warranty information

• Register for training and certification

• Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.

SonicWall GMS 8.7 Getting Started GuideSonicWall Support

58


https://www.sonicwall.com/support/contact-support

About This Document

GMS Getting Started GuideUpdated - November 2019Software Version - 8.7232-005157-00 Rev A

Copyright © 2019 SonicWall Inc. All rights reserved.

SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective ownersThe information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.For more information, visit https://www.sonicwall.com/legal.

End User Product AgreementTo view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/en-us/legal/license-agreements.

Open Source CodeSonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.”, to:

General Public License Source Code Request SonicWall Inc. Attn: Jennifer Anderson1033 McCarthy BlvdMilpitas, CA 95035

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

SonicWall GMS 8.7 Getting Started GuideSonicWall Support

59

https://www.sonicwall.com/legal

https://www.sonicwall.com/en-us/legal/license-agreements

sonicwall® gms 8.7 software · performance of reporting modules. read the “capacity planning and...

Documents