User Guide for SonicWALL 5.8.1

Network > Address Objects
308
SonicOS 5.8.1 Administrator Guide
Enforcing the use of sanctioned servers on the network
Although not a requirement, it is recommended to enforce the use of authorized or sanctioned servers on the network. This practice helps reduce illicit network activity and also helps ensure the reliability of the FQDN wildcard resolution process. In general, it is good practice to define the endpoints of known protocol communications whenever possible. For example:
  • Create Address Object Groups of sanctioned servers (e.g. SMTP, DNS, etc.)
Feature / Benefit
Feature: FQDN entry caching
Benefit: Resolved FQDN values are cached if a later resolution attempt fails after the initial resolution succeeded. In other words, if “www.moosifer.com” resolves to 71.35.249.153 with a TTL of 300 but fails to resolve when that TTL expires (for example, because the DNS server is temporarily unavailable), 71.35.249.153 remains cached and is treated as valid until resolution succeeds again or the entry is manually purged. Newly created FQDN entries that never successfully resolve, and entries that are purged and then fail to resolve, appear in an unresolved state.
Feature: MAC Address resolution using live ARP cache data
Benefit: When a node is detected on any of the SonicWALL’s physical segments through the ARP (Address Resolution Protocol) mechanism, the SonicWALL’s ARP cache is updated with that node’s MAC and IP address. When this update occurs, any MAC Address Object referencing that node’s MAC is instantly updated with the resolved address pairing. When a node times out of the ARP cache due to disuse (e.g. the host is no longer L2-connected to the firewall), the MAC AO transitions to an “unresolved” state.
Feature: MAC Address Object multi-homing support
Benefit: MAC AOs can be configured to support multi-homed nodes, where multi-homed refers to nodes with more than one IP address per physical interface. Up to 256 resolved entries are allowed per AO. This way, if a single MAC address resolves to multiple IPs, all of those IPs apply to the Access Rules, etc. that refer to the MAC AO.
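The ARP-driven behaviour described in the two entries above (instant update of a MAC AO when the ARP cache learns a pairing, several IPs per MAC up to the 256-entry cap, and the transition to “unresolved” when the node ages out of the cache) can be modelled in a few lines. The following is an added illustration, not SonicOS code: the ArpCache class, the ARP_TIMEOUT value, the object name and all MAC/IP values are constructed for the example.

```python
"""Model of a MAC Address Object kept in sync with a live ARP cache.

Added illustration, not SonicOS code. The cache, its timeout and the
sample ARP events below are constructed to show the documented behaviour.
"""
from typing import Dict, List, Tuple

MAX_ENTRIES = 256    # documented cap on resolved entries per Address Object
ARP_TIMEOUT = 600.0  # assumed cache lifetime in seconds; the real SonicOS value is not stated on this page


class ArpCache:
    """Constructed stand-in for the firewall's ARP cache: ip -> (mac, last_seen)."""

    def __init__(self, timeout: float = ARP_TIMEOUT):
        self.timeout = timeout
        self._entries: Dict[str, Tuple[str, float]] = {}
        self.listeners: List["MACAddressObject"] = []  # MAC AOs to keep in sync

    def learn(self, ip: str, mac: str, now: float) -> None:
        """ARP traffic from `mac` claiming `ip` was seen at time `now`."""
        self._entries[ip] = (mac.lower(), now)
        self._notify()  # AOs referencing this MAC are updated immediately

    def expire(self, now: float) -> None:
        """Drop entries not refreshed within the timeout (host no longer L2-connected)."""
        stale = [ip for ip, (_, seen) in self._entries.items() if now - seen >= self.timeout]
        for ip in stale:
            del self._entries[ip]
        if stale:
            self._notify()

    def ips_for(self, mac: str) -> List[str]:
        return sorted(ip for ip, (m, _) in self._entries.items() if m == mac.lower())

    def _notify(self) -> None:
        for ao in self.listeners:
            ao.sync(self)


class MACAddressObject:
    """A MAC AO: resolved to whatever IPs the ARP cache currently pairs with its MAC."""

    def __init__(self, name: str, mac: str):
        self.name = name
        self.mac = mac.lower()
        self.addresses: List[str] = []

    @property
    def resolved(self) -> bool:
        return bool(self.addresses)

    def sync(self, cache: ArpCache) -> None:
        # Multi-homing: every IP paired with this MAC, capped at 256 entries.
        self.addresses = cache.ips_for(self.mac)[:MAX_ENTRIES]

    def matches(self, ip: str) -> bool:
        """What an Access Rule referencing this AO would test against a packet's IP."""
        return ip in self.addresses


def arp_scenario() -> dict:
    """Walk through learn -> multi-homed -> partial age-out -> unresolved."""
    cache = ArpCache()
    ao = MACAddressObject("print-server", "00:11:22:33:44:55")  # constructed values
    cache.listeners.append(ao)
    trace = {"before_arp": ao.resolved}                      # False: nothing learned yet

    cache.learn("10.0.0.20", "00:11:22:33:44:55", now=0)
    cache.learn("10.0.0.21", "00:11:22:33:44:55", now=5)     # second IP on the same NIC
    cache.learn("10.0.0.99", "66:77:88:99:aa:bb", now=5)     # unrelated host
    trace["multi_homed"] = list(ao.addresses)                # both IPs, other host excluded
    trace["rule_hits_second_ip"] = ao.matches("10.0.0.21")
    trace["rule_ignores_other_host"] = ao.matches("10.0.0.99")

    cache.learn("10.0.0.20", "00:11:22:33:44:55", now=650)   # only one IP stays active
    cache.expire(now=700)                                    # 10.0.0.21 (seen at t=5) ages out
    trace["after_partial_timeout"] = list(ao.addresses)

    cache.expire(now=1300)                                   # last pairing ages out too
    trace["after_full_timeout"] = ao.resolved                # False: AO is unresolved
    return trace
```

The point for rule authors is that a MAC AO is only as current as the ARP cache: a rule referencing it matches every IP the MAC is currently seen with, and once the node has been silent past the cache timeout the object holds no addresses at all.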
Feature: Automatic and manual refresh processes
Benefit: MAC AO entries are automatically synchronized to the SonicWALL’s ARP cache, and FQDN AO entries abide by DNS entry TTL values, ensuring that the resolved values are always fresh. In addition to these automatic update processes, manual Refresh and Purge capabilities are provided for individual Dynamic Address Objects (DAOs), or for all defined DAOs.
Feature: FQDN resolution using DNS
Benefit: FQDN Address Objects are resolved using the DNS servers configured on the SonicWALL in the Network > DNS page. Since it is common for DNS entries to resolve to multiple IP addresses, the FQDN DAO resolution process retrieves all of the addresses to which a host name resolves, up to 256 entries per AO. In addition to resolving the FQDN to its IPs, the resolution process also records the entry’s TTL (time to live) as configured by the DNS administrator. The TTL is then honored so that the FQDN information does not become stale.
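The FQDN behaviour described in the “FQDN entry caching” and “FQDN resolution using DNS” entries above (all addresses retrieved up to 256, TTL honored, last-good addresses kept across a DNS outage until success or a manual Purge, never-resolved or purged-then-failed entries shown as unresolved) can be modelled as a small state machine. The following is an added illustration, not SonicOS code: the DNSFailure exception, the make_lookup helper, the host name “many.example” and “nonexistent.example”, and all TTL/outage timings are constructed for the example; only “www.moosifer.com” and 71.35.249.153 come from the page.

```python
"""Model of SonicOS-style FQDN Dynamic Address Object resolution.

Added illustration, not SonicOS code. The lookup function and DNS
answers are constructed so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

MAX_ENTRIES = 256  # documented cap on resolved entries per Address Object


class DNSFailure(Exception):
    """Raised by a lookup when the DNS server cannot answer (timeout, SERVFAIL, NXDOMAIN)."""


# A lookup takes a host name and returns (addresses, ttl_seconds) or raises DNSFailure.
Lookup = Callable[[str], Tuple[List[str], int]]


@dataclass
class FQDNAddressObject:
    name: str
    addresses: List[str] = field(default_factory=list)
    expires_at: Optional[float] = None  # None until the first successful resolution

    @property
    def resolved(self) -> bool:
        return bool(self.addresses)

    def refresh(self, lookup: Lookup, now: float, force: bool = False) -> bool:
        """Re-resolve once the TTL has expired (or on a manual Refresh with force=True).

        Returns True if the object holds usable addresses afterwards. On a DNS
        failure the previously resolved addresses are kept, not dropped.
        """
        if not force and self.expires_at is not None and now < self.expires_at:
            return self.resolved  # still within TTL: no lookup needed
        try:
            addrs, ttl = lookup(self.name)
        except DNSFailure:
            # Keep last-good values; an entry that never resolved stays unresolved.
            # expires_at is left in the past so the next refresh retries immediately.
            return self.resolved
        # Hosts commonly resolve to several IPs: keep all of them, capped at 256.
        self.addresses = list(dict.fromkeys(addrs))[:MAX_ENTRIES]
        self.expires_at = now + ttl
        return self.resolved

    def purge(self) -> None:
        """Manual Purge: drop cached addresses; the next refresh must succeed to resolve again."""
        self.addresses = []
        self.expires_at = None


def make_lookup(answers: Dict[str, Tuple[List[str], int]], outage: Set[str]) -> Lookup:
    """Constructed DNS stand-in: names in `outage` (or unknown names) fail to resolve."""
    def lookup(name: str) -> Tuple[List[str], int]:
        if name in outage or name not in answers:
            raise DNSFailure(name)
        return answers[name]
    return lookup


def fqdn_scenario() -> dict:
    """Walk through resolve -> outage -> purge during outage -> recovery."""
    answers = {
        "www.moosifer.com": (["71.35.249.153"], 300),
        # constructed: 300 distinct addresses to exercise the 256-entry cap
        "many.example": ([f"10.0.{i // 256}.{i % 256}" for i in range(300)], 60),
    }
    outage: Set[str] = set()
    lookup = make_lookup(answers, outage)
    trace = {}

    ao = FQDNAddressObject("www.moosifer.com")
    ao.refresh(lookup, now=0)
    trace["initial"] = list(ao.addresses)             # ['71.35.249.153'], TTL 300

    outage.add("www.moosifer.com")                    # DNS server goes away
    ao.refresh(lookup, now=100)                       # within TTL: no lookup attempted
    ao.refresh(lookup, now=301)                       # TTL expired, lookup fails: cached value kept
    trace["cached_during_outage"] = list(ao.addresses)

    ao.purge()                                        # manual Purge while DNS is still down
    ao.refresh(lookup, now=302)
    trace["after_purge_during_outage"] = ao.resolved  # False: purged-then-failed is unresolved

    outage.clear()                                    # DNS recovers
    ao.refresh(lookup, now=303)
    trace["after_recovery"] = list(ao.addresses)

    never = FQDNAddressObject("nonexistent.example")  # constructed name that never resolves
    never.refresh(lookup, now=0)
    trace["never_resolved"] = never.resolved          # False

    many = FQDNAddressObject("many.example")
    many.refresh(lookup, now=0)
    trace["capped"] = len(many.addresses)             # 256, not 300
    return trace
```

The security-relevant consequence of the caching rule is that a rule built on an FQDN AO keeps matching the last-known addresses through a DNS outage rather than failing closed; if that is not what you want for a given object, Purge it explicitly, after which it matches nothing until DNS answers again.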