Best practices for SonicWall VPN Tunnel configuration

There are some factors that we need to consider when we setup Site to Site VPN Tunnel with SonicWall Firewall.
If we forgot to conside these factors, we will encounter frequent connection drop on your Tunnel. (e.g. RDP connection timeout)
Below are those we should consider when we setup VPN Tunnels with SonicWall.

1) TCP Timeout
TCP Connection Inactivity Timeout value of SonicWall and other Firewalls are 15 minutes by Default.
In real world, this value can make your RDP connection drop frequently.
So, Firewall Tech Support are recommended to set the TCP Timeout Value from 30minutes to 60minutes.
Higher TCP Timeout Value are inviting some unnecessary security threats and that's why we should only allow for specific connection in your Policy-Based VPN Tunnels or Route-Based VPN Tunnels.

2) Packet Fragmentation
As RDS is a streaming protocol, packet fragmentation should be avoided.
Almost all Firewall including SonicWall has Fragmented Packet Handling and Ignore DF (Don't Fragment) Bit options.
Tech Support are recommended to enable Fragmented Packet Handling option and disable Ignore DF (Don't Fragment) Bit option.

3) Path Maximum Transmission Unit (Path MTU or PMTU)
As described above, fragmentation of the RDP streaming protocol is undesirable and should be avoided.  The most common cause of such fragmentation is incorrect Maximum Transmission Unit (MTU) values for the traffic's path.
Default MTU value of SonicWall is 1500 Bytes. But we cannot use 1500 Bytes fully as 56 Bytes for Cyptographic overhead and size of used protocols header too. For example, we need to subtract 28 Bytes if we are using IP+ICMP. So, MTU Size will be (1500-56-28=1416 Bytes)
If you want to know how to find MTU settings of your host, pleas read this Article as I am lazy to write. :D
If you want to know how to change MTU settings on your host, please read this Article.

4) Bandwidth Management
Limitation of Bandwidth on Internet connection also is common cause of streaming protocol performance problems.
So, it is recommend to configure Real Time Bandwidth Management Rule for your end to end host connection.

5) Security Services
Security services including Gateway Anti-Virus (GAV), Anti-Spyware (AS) and Intrusion Prevention Service (IPS) are scan specific traffic types (e.g. SMTP, FTP, etc.) or the whole TCP stream for threats.  Whilst they are very efficient in terms of scanning speed, they do introduce some additional latency (typically at least 1ms) and cause dropped RDS connections when applied to the whole TCP stream.
Assuming that the end-points are sufficiently trusted, it is worth considering disabling the firewall's scanning services (at least AS and IPS) to obtain best RDS performance and connection reliability.
But we have to tighten end point security in our host as Firewall Security Services are bypass for these host.

Well. The above are things that we need to consider when we setup VPN Tunnels with SonicWall.
These facts are also usefule to reference for setting up VPN Tunnels on other Firewalls although I write for SonicWall.

Have a good day.
(Be knowledgeable, pass it on then)

Post a Comment