Skip to main content

Best practices for SonicWall VPN Tunnel configuration

There are some factors that we need to consider when we setup Site to Site VPN Tunnel with SonicWall Firewall.
If we forgot to conside these factors, we will encounter frequent connection drop on your Tunnel. (e.g. RDP connection timeout)
Below are those we should consider when we setup VPN Tunnels with SonicWall.

1) TCP Timeout
TCP Connection Inactivity Timeout value of SonicWall and other Firewalls are 15 minutes by Default.
In real world, this value can make your RDP connection drop frequently.
So, Firewall Tech Support are recommended to set the TCP Timeout Value from 30minutes to 60minutes.
Higher TCP Timeout Value are inviting some unnecessary security threats and that's why we should only allow for specific connection in your Policy-Based VPN Tunnels or Route-Based VPN Tunnels.

2) Packet Fragmentation
As RDS is a streaming protocol, packet fragmentation should be avoided.
Almost all Firewall including SonicWall has Fragmented Packet Handling and Ignore DF (Don't Fragment) Bit options.
Tech Support are recommended to enable Fragmented Packet Handling option and disable Ignore DF (Don't Fragment) Bit option.

3) Path Maximum Transmission Unit (Path MTU or PMTU)
As described above, fragmentation of the RDP streaming protocol is undesirable and should be avoided.  The most common cause of such fragmentation is incorrect Maximum Transmission Unit (MTU) values for the traffic's path.
Default MTU value of SonicWall is 1500 Bytes. But we cannot use 1500 Bytes fully as 56 Bytes for Cyptographic overhead and size of used protocols header too. For example, we need to subtract 28 Bytes if we are using IP+ICMP. So, MTU Size will be (1500-56-28=1416 Bytes)
If you want to know how to find MTU settings of your host, pleas read this Article as I am lazy to write. :D
If you want to know how to change MTU settings on your host, please read this Article.

4) Bandwidth Management
Limitation of Bandwidth on Internet connection also is common cause of streaming protocol performance problems.
So, it is recommend to configure Real Time Bandwidth Management Rule for your end to end host connection.

5) Security Services
Security services including Gateway Anti-Virus (GAV), Anti-Spyware (AS) and Intrusion Prevention Service (IPS) are scan specific traffic types (e.g. SMTP, FTP, etc.) or the whole TCP stream for threats.  Whilst they are very efficient in terms of scanning speed, they do introduce some additional latency (typically at least 1ms) and cause dropped RDS connections when applied to the whole TCP stream.
Assuming that the end-points are sufficiently trusted, it is worth considering disabling the firewall's scanning services (at least AS and IPS) to obtain best RDS performance and connection reliability.
But we have to tighten end point security in our host as Firewall Security Services are bypass for these host.

Well. The above are things that we need to consider when we setup VPN Tunnels with SonicWall.
These facts are also usefule to reference for setting up VPN Tunnels on other Firewalls although I write for SonicWall.

Have a good day.
(Be knowledgeable, pass it on then)


  1. I am truly impressed by the details that you have provided regarding Firewall Security It is an interesting blog for me as well as for others. Thanks for sharing such a blog here.

  2. You can also check this one and can share your opinions on IT consultant London


Post a Comment

Popular posts from this blog

Fortigate guide for Begineer - 6

I would like to explaine how to troubleshoot the Fortigate Unit configured by Transparent Mode in step by step this time. Let's assume, you have one Fortigate Unit that configured as Transparent Mode. But devices from Internal/Private Network unable to access Internet/Public Network through your Fortigate Unit. OK. Let's troubleshoot with following steps, 1) Check the physical network connections between the network and the FortiGate unit, and between the FortiGate unit and the Internet. 2) Check the router and ISP-supplied equipment to make sure it is operating correctly. 3) Verify that you can connect to the internal interface by connecting to the management IP address of the FortiGate unit from the Internal network. From the internal network, attempt to ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on a

Solving the "A general system error occured:Invalid fault" error in vSphere 4

Below error was come out when you try to migrate VM to other host for some reason. Below error was come out when you try to edit VM setting. Below error was come out when you power on the VM. How to solve those error? Here is how I resolve the error! Login to the Host that errored VM exist by using Terminal or Direct Console. Enter below command and press enter. restart Wait until all VMware Services are restarted. After that try to Power On/Edit Settings or Migrate the errored VM and you will see all you can do without any error pop-up. This kind of errors can occur if you shutdown/restart VM unproperly or shutdown/restart the Host unproperly that VM exist. You can check log file deeply if you willing to know precisely on this. May you all be happy. (Be knowledgeable, pass it on then)

Link Aggregating with Synology NAS and Cisco Switch

I’d like to share how to setup Link Aggregating between Synology NAS and Cisco Switch. I’ve got one Synology NAS with 4 Network Ports and I’m going to use 2 of them. Both Network Port to be as one Logical Link, Fault Tolerance and Load Balancing. To do that, I need to configure Link Aggregating on Synology NAS and EtherChannel with LACP on Cisco Switch. Below is brief steps to do to meet with my requirements. - Get connected Synology NAS and Cisco Switch as shown in picture. - Bonding two Network Ports of Synology NAS and assign IP Address - Configure EtherChannel with LACP in Cisco Switch and add two physical ports as Member. OK. Let’s begin from Synology NAS. - Login to the Synology and go to Control Panel>Network>Create>Create Bond - Select IEEE 802.3ad to get Fault Tolerance and Load Balancing Featureyou’re your switch not support 802.3ad you can only select Fault Tolerance only feature). After that click “Next”. - Choose the network port f