In this tutorial I will show you how to find the SonicWall hidden configuration page. It is hidden from most administrators because there is no easy way to reach it from the GUI. In these simple steps I will show you how to access these amazing features.
Step 1: Log into your SonicWall.
Step 2: In the browser address bar, replace /main.html at the end of the URL with /diag.html.
Step 3: Click on the [ INTERNAL SETTINGS ] button to load the hidden features and configuration options.
Below is the full list of settings you can change on this features and configuration options page.
The page also provides a button to download trace logs.
Enable ARP bridging
Enable open ARP behavior (WARNING: Insecure!!)
Enable Source IP Address validation for being directly connected
Only allow ARP entries with unicast addresses
Limit ARPS of non-responsive IPs
Limit resolution of a same IP Address rate less than 10 100
Update exist ARP entry when gratuitous ARP received on a L2 bridge interface
Bypass ARP processing on L2 bridge interfaces
Enable Gratuitous ARP Compatibility Mode
Enable Secondary Subnets
Never broadcast more than Gratuitous ARPs in any 60 second period.
Periodically broadcast system ARPs every minutes.
Ignore ARPs with primary-gateway’s MAC received on other interfaces
Display MT Info
Routing and Network Settings
Flush flows on alternate path when normal route path is enabled (affects existing connections)
Update route version when route is enabled/disabled (affects existing connections)
Advertise FQDN based policy route to dynamic routing protocol
Never generate an interface-specific default route
Enable TCP packet option tagging
Fix/ignore malformed TCP headers
Enable TCP sequence number randomization
Perform SYN validation when not operating in strict TCP compliance mode
Enable granular debug in routing protocols
Debounce interface state changes for routing protocols
Clear DF (Don’t Fragment) Bit
Allow first fragment of size lesser than 68 bytes
Allow IPv6 Fragmentation Packets smaller than 1280 bytes
Enable ICMP Redirect on DMZ zone
Enable NAT option to override MAC address
Disable learning-bridge filtering on L2 bridge interfaces
Enforce strict TCP compliance with RFC 5961
Drop Record Route IP Packets
Prefer ARPA as suffix when commit IPv6 DNS Reverse Name Resolution
Enable stack traffic sending by DP core
Zero Touch can be disabled and edited using different settings.
DNS Proxy Settings
The percentage of DNS proxy process ability: %
Support fragmentation process on DNS packet
Resolution failure times that trigger DNS server failover: times
Lifetime of connection cache for DNS proxy packets: seconds
DNS Proxy Protocol: UDP and TCP / UDP only
Exclude incoming VPN traffic from DNS Proxy processing
DNS Security Settings
The minimum DNS packet number for DNS Tunnel detection:
The ratio threshold for corner DNS types: %
The number threshold for normal DNS types:
Enable DHCP Server Network Pre-Discovery
DHCP Server Conflict Detect Period: Seconds
Number of DHCP resources to discover:
Timeout for conflicted resource to be rechecked: Seconds
Timeout for available resource to be rechecked: Seconds
Send DHCPNAK if the ‘requested IP address’ is on the wrong network
Time interval of DHCP lease database to be refreshed: Seconds
Number of DHCP leases in database to be refreshed:
Use client Ethernet address instead of client-identifier option
Use unicast dst ip address and link-layer address when unicast flag is set
Maximum ‘public’ VoIP Endpoints:
H.323 Use Odd Media Control Port
Relax sequence number checking for RTSP media streams
Auto-add SIP endpoints
Transform SIP URIs to have an explicit port
Flush active media for SIP INVITEs without SDP
Flush unused media for SIP INVITEs without SDP
SIP: Bypass SIP transformation over VPN
SIP: Enforce Access Rule checking on anticipated control sessions
Do not adjust TCP MSS option for VPN traffic
Use interoperable IKE DH exchange
Fragment VPN packets after applying ESP
Use SPI/CPI parameter index for IPsec/IPcomp passthru connections
Accept Reserved ID Type in Quick Mode.
Remove VPN tunnel when IKEv2 peer has no response.
Trust Built-in CA certificates for IKE authentication and Local certificate import.
Enable Compatibility with Android 4.0 Client.
Preserve IKE Port for Pass Through Connections
Disable Auto-added VPN Management Rules.
Send notification to peer when fail to validate or verify received IKEv1 payload
Enable Hardware Encryption
DP stack Settings
Enable DP stack processing
DP stack mem from ( 0 : depends on fpa usage, 1: directly from memory, 2: directly from fpa):
Enable TLS compatible mode and Disable TLSv1_1
Do not go to TIME_WAIT state when TCP 4-ways FIN completed
FTP bounce attack protection
FTP protocol anomaly attack protection
Allow orphan data connections
Allow TCP/UDP packet with source port being zero to pass through firewall
IP Spoof checking
Disable Port Scan Detection
Timeout for anticipated TCP/UDP connections (seconds):
Terminate parent on timeout of anticipated TCP/UDP connections
Don’t allow ICMP TTL Exceed or Dest Unreachable to kill cache entries
Timeout for anticipated media connections (seconds):
Terminate parent on timeout of anticipated media connections
Trace connections to TCP port:
Include TCP data connections in traces
Enable Tracking Bandwidth Usage for default traffic
Enable to bandwidth manage WAN to WAN traffic
Decrease connection count immediately after TCP connection close
Disable CSRF Token Validation
Disable Secure Session ID Cookie
Protect against TCP State Manipulation DoS
Allocate sequential addresses when performing many-to-few NAT
Enable the ability to remove and fully edit auto-added access rules
Enable the ability to disable auto-added NAT policy
Enable Aggressive UDP/ICMP Flood Detecting
Control Plane Flood Protection Hold Time:
Enforce UDP/ICMP Flood Protection with 100-Millisecond Resolution
Enable System Overload Protection
System Overload Threshold (Packets / Sec):
Bypass VPN Traffic from Flood Protection
Set Connection Limitation of Management Policies
Log packet content, schedule and address object name
Deschedule Packet Count:
Reset User Successful Login counter every hours (0 for no reset)
Enable PortShield of Firewall Interfaces in HA mode
Enable Native Bridge of Firewall Interfaces in HA mode
Disable Clearing of Extended Switch Ports during bootup
Send RST on timeout TCP connection
FQDN Dynamic Address Object
FQDN Object Only Cache DNS Reply from Sanctioned Server
Offset for FQDN Objects(Seconds):
Refresh sub-domains of wildcard FQDN address objects
Do not delete expired hosts of an FQDN Network Object with active connections or until DNS re-query succeeds
Retain expired FQDN hosts until a successful DNS resolution occurs
Enable unlimited queries to resolve Custom FQDN objects
Stop DNS queries for Default FQDN objects after maximum threshold
FQDN Maximum Retry Threshold before stopping query:
Minimum Allowed TTL for FQDN objects(Seconds):
Enable support for Windows Messenger
Security Services Settings
Do not drop packets by DPI engine due to non-signature triggers.
Disable DPI Engine
Apply IPS Signatures Bidirectionally
Enable IP fragment reassembly in DPI
Extra dev debug info
Disable TCP expected sequence adjustment in DPI
Don’t proxy email packets in DPI
Disable App-Firewall SMTP CHUNKING modification
Disable Gateway AV POP3 Auto Deletion
Disable Gateway AV POP3 UIDL Rewriting
Disable Gateway AV SMB read/write ordering enforcement
Keep HTTP header Accept-range: bytes
Log Virus URI
Do not apply signatures containing file offset qualifiers that trigger on TCP Streams with unidentified protocols.
Enable incremental updates to IDP, GAV and SPY signature databases.
Enable enforcement of a limit on maximum allowed advertised TCP window with any DPI-based service enabled.
Set a limit on maximum allowed advertised TCP window with any DPI-based service enabled (KBytes).
IDP Buffer Mempool 1500 Size (Bytes) REQUIRES RESTART.
Threshold above which size limits are enforced on Regex Automaton.
Maximum allowed size for Regex Automaton.
Disable signature database reload
Do not process IPS signatures
Do not process GAV signatures
Do not process Anti-Spyware signatures
Do not process App signatures
Enable Optimal Value below.
Disable Cross-Connection Cache Feature.
Limit IPS CFT scan
Do not drop packets by DPI engine.
IPS TCP anomaly detection.
Disable IPS Urg-bit anomaly detection.
Disable IPS EOOL anomaly detection.
Disable IPS overlap anomaly detection.
Disable IPS timestamp anomaly detection.
For Wire Mode traffic, do NOT drop packets except for Access Rules and DPI Service Policies
Enforce Host Tag Search for CFS
Enable CFS Fast Scan
Enable CFS Wire Mode
Enable CFS Cache Persist
Enable Websense Wire Mode
Enable Local CFS Server
Local Primary CFS Server Address:
Local Secondary CFS Server Address:
Client AV Cache Timeout (minutes):