Network > Interfaces
201
SonicOS 5.8.1 Administrator Guide
L2 Bridge Interface Zone Selection
Bridge-Pair interface zone assignment should be done according to your network’s traffic flow
requirements. Unlike Transparent Mode, which imposes a system of “more trusted to less
trusted” by requiring that the source interface be the Primary WAN, and the transparent
interface be Trusted or Public, L2 Bridge mode allows for greater control of operational levels
of trust. Specifically, L2 Bridge Mode allows for the Primary and Secondary Bridge Interfaces
to be assigned to the same or different zones (e.g. LAN+LAN, LAN+DMZ, WAN+CustomLAN,
etc.). This will affect not only the default Access Rules that are applied to the traffic, but also the
manner in which Deep Packet Inspection security services are applied to the traffic traversing
the bridge. Important areas to consider when choosing and configuring interfaces to use in a
Bridge-Pair are Security Services, Access Rules, and WAN connectivity:
Security Services Directionality
Because applying security services is one of the primary uses of L2 Bridge Mode, understanding
how those services are applied is important to selecting the proper zones for Bridge-Pair
interfaces. Security services applicability is based on the following criteria:
1. The direction of the service:
GAV is primarily an Inbound service, inspecting inbound HTTP, FTP, IMAP, SMTP,
POP3, and TCP Streams. It also has an additional Outbound element for SMTP.
Anti-Spyware is primarily Inbound, inspecting inbound HTTP, FTP, IMAP, SMTP, and POP3
for the delivery (i.e. retrieval) of Spyware components, generally recognized by their
class IDs. It also has an additional Outbound component, where Outbound refers to the
directionality (namely, Outgoing) ascribed to it by the IPS signatures that trigger the
recognition of these Spyware components. The Outgoing classifier (described in the table
below) is used because these components are generally retrieved by the client (e.g. a LAN
host) via HTTP from a Web server on the Internet (a WAN host). Referring to the table
below, that is an Outgoing connection, and so it requires a signature with an Outgoing
directional classification.
IPS has three directions: Incoming, Outgoing, and Bidirectional. Incoming and
Outgoing are described in the table below, and Bidirectional refers to all points of
intersection on the table.
For additional accuracy, other elements are also considered, such as the state of the
connection (e.g. SYN or Established), and the source of the packet relative to the flow
(i.e. initiator or responder).
2. The direction of the traffic. As it pertains to IPS, the direction of the traffic is primarily
determined by the Source and Destination zone of the traffic flow. When a packet is
received by the SonicWALL, its source zone is generally immediately known, and its
destination zone is quickly determined by doing a route (or VPN) lookup.
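The two criteria above, the directional classification of a signature and the direction of the flow derived from its source and destination zones, can be modelled in a few lines. The following Python is an added, constructed example and not SonicOS code or any SonicWALL implementation; the zone trust ranking (`ZONE_TRUST`), the treatment of same-zone (intrazone) flows as matching only Bidirectional signatures, and the `needs_established` state check are assumptions chosen to illustrate the text, including the Anti-Spyware case where the component arrives in the server's reply but the connection is still classified Outgoing.

```python
"""Illustrative model of directional signature matching against a flow whose
direction is derived from its source and destination zones.

Constructed example; not SonicOS code. The trust ranking, intrazone handling
and connection-state check are assumptions made for the illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Direction(Enum):
    INCOMING = "Incoming"
    OUTGOING = "Outgoing"
    BIDIRECTIONAL = "Bidirectional"


# Assumed trust ranking (higher = more trusted), constructed for the example.
ZONE_TRUST: Dict[str, int] = {"LAN": 3, "CustomLAN": 3, "DMZ": 2, "WAN": 1}


@dataclass(frozen=True)
class Connection:
    initiator_zone: str   # source zone of the packet that opened the connection
    responder_zone: str   # destination zone found by the route (or VPN) lookup
    established: bool     # False while only the SYN has been seen


@dataclass(frozen=True)
class Packet:
    conn: Connection
    from_initiator: bool  # True for client->server packets, False for the reply


def connection_direction(c: Connection) -> Optional[Direction]:
    """Classify a connection from its zone pair.

    Outgoing: more trusted -> less trusted (e.g. LAN host to WAN server).
    Incoming: less trusted -> more trusted.
    None: both zones share a trust level (e.g. a LAN+LAN Bridge-Pair)."""
    s, d = ZONE_TRUST[c.initiator_zone], ZONE_TRUST[c.responder_zone]
    if s == d:
        return None
    return Direction.OUTGOING if s > d else Direction.INCOMING


def signature_applies(sig_direction: Direction, pkt: Packet,
                      needs_established: bool = False) -> bool:
    """Decide whether a signature with the given directional classification
    should be evaluated against this packet.

    Direction is a property of the connection, not of the individual packet:
    a spyware component fetched by a LAN client from a WAN web server arrives
    in the responder's packets, yet the connection is Outgoing, so an Outgoing
    signature is the one that matches. Bidirectional signatures cover every
    zone pairing, including intrazone traffic (assumption of this model)."""
    if needs_established and not pkt.conn.established:
        return False
    if sig_direction is Direction.BIDIRECTIONAL:
        return True
    return connection_direction(pkt.conn) is sig_direction


def bridge_pair_directions(zone_a: str, zone_b: str
                           ) -> Dict[Tuple[str, str], Optional[Direction]]:
    """For a Bridge-Pair assigned to two zones, report the direction of
    traffic crossing the bridge each way (None means intrazone)."""
    return {
        (zone_a, zone_b): connection_direction(Connection(zone_a, zone_b, True)),
        (zone_b, zone_a): connection_direction(Connection(zone_b, zone_a, True)),
    }


if __name__ == "__main__":
    # Constructed scenario: a LAN client fetches a page from a WAN server; the
    # reply body (responder packet on an established connection) carries the
    # component an Outgoing-classified signature is meant to catch.
    http = Connection("LAN", "WAN", established=True)
    reply = Packet(http, from_initiator=False)
    print("Outgoing signature on the reply:", signature_applies(Direction.OUTGOING, reply))
    print("Incoming signature on the reply:", signature_applies(Direction.INCOMING, reply))
    for pair, d in bridge_pair_directions("LAN", "DMZ").items():
        print(pair, "->", d.value if d else "intrazone")
    for pair, d in bridge_pair_directions("LAN", "CustomLAN").items():
        print(pair, "->", d.value if d else "intrazone")
```

Running `bridge_pair_directions` with different zone pairs shows the practical consequence of the zone choice made on the Network > Interfaces page: a LAN+DMZ or WAN+LAN pair yields an Outgoing and an Incoming direction, so directional signatures fire on the corresponding side of the bridge, while a LAN+LAN pair yields no direction at all under this model and only Bidirectional signatures would be evaluated.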