What is a PortShield interface SonicWall?

Hello folks,

We have a SonicWALL firewall with interface X2 configured as "Portshield to X1". Interface X1 has an IP address and X2 does not. I investigated what PortShield was and came to the conclusion that it's basically binding both interfaces in the same subnet; the "master" port is the only one with an IP address, and the "slave" port does not have an IP address but is in the same subnet as the "master" one (like a switch). I guess this is like when we have an SVI in a Cisco switch environment and then have 2 interfaces in that VLAN; the only difference is that on the SonicWALL the IP is configured on one of the interfaces itself and not on a "virtual interface". That is my understanding; please correct me if I missed something.

Anyways, my issue is that I need to know what is physically connected to X2, because we only have 1 switch in that site and I found only one interface connected to it from the firewall, which is X1. I found only the SonicWall MAC address from X1 in the switch, nothing else; however, the X2 interface on the SonicWALL says under status: "1 Gbps Full Duplex". It does not say "No link".

I don't have much experience working with SonicWall, but when an interface says something like "1 Gbps Full Duplex" that means that it is connected to something indeed. Thing is I am not able to figure out where X2 is connected to.

So here is my question: how could I find the MAC addresses connected to my X2 interface, so I can figure out what is connected to that port?

(Note: The ARP table on the SonicWall GUI does not show anything out of port X2, only X1 and the other interfaces; maybe that's the normal behavior for a PortShield interface, not sure.)

Also, am I safe to assume that since X2 is showing "1 Gbps Full Duplex" there is something connected to it??

Thanks for the help!!

07/05/2022 17 People found this article helpful 55,742 Views

Port Shield architecture enables you to configure some or all the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ but between devices inside your network as well. In effect, each context has its own wire-speed Port Shield that enjoys the protection of a dedicated, deep packet inspection firewall.

NOTE: Zones can always be applied to multiple interfaces in the Network | Interfaces page, even without the use of Port Shield groupings. However, these interfaces will not share the same network subnet unless they are grouped using Port Shield.

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

To configure a Port Shield interface, perform the following steps:

1.  Click on the Network | Interfaces page.

2. Click the Configure button for the interface you want to configure. The Edit Interface window displays.

3. In the Zone pulldown menu, select a zone type option to which you want to map the interface.

NOTE: You can add Port Shield interfaces only to Trusted, Public, and Wireless zones.

4. In the IP Assignment pulldown menu, select Port Shield Switch Mode.

5. In the Port Shield to pulldown menu, select the interface you want to map this port to. Only ports that match the zone you have selected are displayed.

EXAMPLE: X6 interface being port shielded to X0 LAN in below picture

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

To configure a Port Shield interface, perform the following steps:

1. Navigate to the Network | Interfaces page.

2. Click the Configure button for the interface you want to configure. The Edit Interface window displays.

3. In the Zone pulldown menu, select a zone type option to which you want to map the interface.

 

NOTE: You can add Port Shield interfaces only to Trusted, Public, and Wireless zones.

4. In the IP Assignment pulldown menu, select Port Shield Switch Mode.

5. In the Port Shield to pulldown menu, select the interface you want to map this port to. Only ports that match the zone you have selected are displayed.

EXAMPLE: X4 interface being port shielded to X0 LAN in below picture

07/28/2022 380 People found this article helpful 197,181 Views

Transparent Mode works by defining a Transparent Range of addresses that retain their original source IP address (they are not NAT'd) when traffic egresses the WAN interface. A PortShield interface, by contrast, is a virtual interface with a set of ports assigned to it. The interfaces in a PortShield group share the same network subnet.

A PortShield interface can work in two modes (Static and Transparent). This article covers how to configure a PortShield interface in transparent mode.

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

We are going to configure PortShield for Transparent mode.

  1. Assume we have the X1 interface configured as WAN with IP 1.1.1.2/24.
  2. We need to configure the X2 and X3 interfaces in a PortShield group with a transparent IP range (1.1.1.3 to 1.1.1.5).
  3. We need to connect an SMTP server with IP 1.1.1.3/24 to interface X2, and two servers (one FTP server with IP 1.1.1.4/24 and one Web server with IP 1.1.1.5/24) to interface X3.

To configure the PortShield interface in transparent mode, please complete the following steps.

Create Address Object for DMZ Range:

  1. Log in to your SonicWall management page and click the Object tab at the top of the page.
  2. Navigate to the Match Object | Address page. On the right side, click the Address objects tab and select View as Custom.
  3. Click the Add button under Address Objects to open the Add Address Object window.
  4. Create an address object as below.

NOTE: The address range must be within the WAN zone and must not include the WAN interface and WAN gateway IP address.

Configure Transparent Mode:

NOTE: The WAN interface IP address must be statically assigned when configuring transparent mode.

  1. Log in to your SonicWall management page and click the Network tab at the top of the page.
  2. Navigate to the System | Interfaces page and configure the X2 interface as below.
    • Zone: DMZ
    • Mode / IP Assignment: Transparent IP Mode (Splice L3 Subnet).
    • Transparent Range: DMZ IP (Created in Step 1).
    • Comment: DMZ (Any useful information for the interface)
  3. Click OK.


Configure PortShield Mode:

  1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
  2. Navigate to the Network | Interfaces page and configure the X3 interface as below.
    • Zone: DMZ.
    • Mode / IP Assignment: PortShield Switch Mode.
    • PortShield to: X2
  3. Click OK.

NOTE: PortShield can also be configured through the Network | PortShield Groups page.

Configuring the servers connected to the PortShield interfaces X2 and X3:

  • The servers connected to the interfaces X2 and X3 should be configured with IP addresses within the Transparent Range. The default gateway could either be the upstream ISP router address or the SonicWall WAN interface IP. Once the servers are configured appropriately, they will be able to go online with the IP address assigned to them without being NAT'ed.
  • At the moment, if you need to reach the servers with the IP addresses assigned to them from the WAN side of SonicWall

Access Rule from WAN to DMZ

  1. Log in to your SonicWall management page and click the Policy tab at the top of the page.
  2. Navigate to Rules and Policies | Access Rules.
  3. Modify the default access rule from WAN to DMZ zone as below to allow all traffic.

Check the configuration from the WAN side.

  • Ping Server 3.3.3.3 connected to X9.
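
The address-range NOTE in this procedure (the range must lie within the WAN subnet and exclude the WAN interface and gateway IPs) can be checked on paper before the firewall is touched. The Python sketch below is an added example, not SonicWall code; the function name, the plan layout and the sample gateway 1.1.1.1 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample plan using the article's 7.X example addresses.
# The gateway 1.1.1.1 is an assumption; the article does not state it.
SERVERS = {"SMTP (X2)": "1.1.1.3", "FTP (X3)": "1.1.1.4", "Web (X3)": "1.1.1.5"}


def check_transparent_plan(wan_if, gateway, range_start, range_end, servers):
    """Return a list of problems; an empty list means the plan is consistent."""
    iface = ipaddress.ip_interface(wan_if)
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)
    if start > end:
        return [f"range start {start} is above range end {end}"]

    def in_range(addr):
        return start <= addr <= end

    problems = []
    # The range must sit inside the WAN subnet (NOTE in the article).
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside WAN subnet {net}")
    # The range must not contain the WAN interface or WAN gateway address.
    if in_range(iface.ip):
        problems.append(f"range includes WAN interface IP {iface.ip}")
    if in_range(gw):
        problems.append(f"range includes WAN gateway IP {gw}")
    if gw not in net:
        problems.append(f"gateway {gw} is not on WAN subnet {net}")
    # Network and broadcast addresses are not usable host addresses.
    for addr in (net.network_address, net.broadcast_address):
        if in_range(addr):
            problems.append(f"range includes unusable address {addr}")
    # Every server behind the PortShield group needs an IP inside the range.
    for name, ip in servers.items():
        if not in_range(ipaddress.ip_address(ip)):
            problems.append(f"server {name} ({ip}) is outside the transparent range")
    return problems


if __name__ == "__main__":
    for issue in check_transparent_plan("1.1.1.2/24", "1.1.1.1",
                                        "1.1.1.1", "1.1.1.5", SERVERS):
        print("PROBLEM:", issue)
```
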

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

We are going to configure PortShield for Transparent mode.

  • Assume we have the X1 interface configured as WAN with IP 1.1.1.2/24.
  • We need to configure the X2 and X3 interfaces in a PortShield group with a transparent IP range (1.1.1.3 to 1.1.1.5).
  • We need to connect an SMTP server with IP 1.1.1.3/24 to interface X2, and two servers (one FTP server with IP 1.1.1.4/24 and one Web server with IP 1.1.1.5/24) to interface X3.

To configure the PortShield interface in transparent mode, please complete the following steps.

Create Address Object for DMZ Range:

  1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
  2. Navigate to the Objects | Address Objects page. On the right side, click the Address objects tab and select View as Custom.
  3. Click the Add button under Address Objects to open the Add Address Object window.
  4. Create an address object as below.

NOTE: The address range must be within the WAN zone and must not include the WAN interface and WAN gateway IP address.

Configure Transparent Mode:

  1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
  2. Navigate to the Network | Interfaces page and configure the X2 interface as below.
    • Zone: DMZ.
    • Mode / IP Assignment: Transparent IP Mode (Splice L3 Subnet).
    • Transparent Range: DMZ IP (Created in Step 1).
    • Comment: DMZ (Any useful information for the interface)
  3. Click OK.

NOTE: The WAN interface IP address must be statically assigned when configuring transparent mode.

Configure PortShield Mode:

  1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
  2. Navigate to the Network | Interfaces page and configure X2 interface as below.
    • Zone: DMZ.
    • Mode / IP Assignment: PortShield Switch Mode.
    • PortShield to: X2
  3. Click OK.

NOTE: PortShield can also be configured through the Network | PortShield Groups page.

Configuring the servers connected to the PortShield interfaces X2 and X3:

  1. The servers connected to the interfaces X2 and X3 should be configured with IP addresses within the Transparent Range. The default gateway could either be the upstream ISP router address or the SonicWall WAN interface IP. Once the servers are configured appropriately, they will be able to go online with the IP address assigned to them without being NAT'ed.
  2. At the moment, if you need to reach the servers with the IP addresses assigned to them from the WAN side of the SonicWall.

Access Rule from WAN to DMZ

  1. Log in to your SonicWall management page and click the Manage tab at the top of the page.
  2. Navigate to Rules | Access Rules.
  3. Modify the default access rule from WAN to DMZ zone as below to allow all traffic.

Check the configuration from the WAN side.

  • Ping Server 3.3.3.3 connected to X10.

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

We are going to configure PortShield for Transparent mode.

  • Assume we have the X1 interface configured as WAN with IP 3.3.3.1/24.
  • We need to configure the X9 and X10 interfaces in a PortShield group with a transparent IP range (3.3.3.2 to 3.3.3.4).
  • We need to connect an SMTP server with IP 3.3.3.2/24 to interface X9, and two servers (one FTP server with IP 3.3.3.3/24 and one Web server with IP 3.3.3.4/24) to interface X10.

To configure the PortShield interface in transparent mode, please complete the following steps.

  1. Navigate to Network | Address Objects to create an address object (IP Range: 3.3.3.2 to 3.3.3.4) for the transparent mode configuration.

    NOTE: The address range must be within the WAN zone and must not include the WAN interface and WAN gateway IP address.

  2. Navigate to the Network | Interfaces page, click the Edit button of interface X9 and apply the following configuration.
    • Zone: DMZ.
    • Mode / IP Assignment: Transparent IP Mode (Splice L3 Subnet).
    • Transparent Range: DMZ IP (Created in Step 1).
    • Comment: DMZ (Any useful information for the interface)

    NOTE: The WAN interface IP address must be statically assigned when configuring transparent mode.

  3. Navigate to the Network | Interfaces page, click the Edit button of interface X10 and apply the following configuration.
    • Zone: DMZ.
    • Mode / IP Assignment: PortShield Switch Mode.
    • PortShield to: X9 (interfaces in the same Zone will be displayed for selection)

    NOTE: PortShield can also be configured through the Network | PortShield Groups page.

  4. Navigate to the Network | Interfaces or Network | PortShield Group page to check the configuration.

    TIP: If you cannot see the PortShield interface, you can click the Show PortShield Interfaces button at the top left of the Network | Interfaces page.

  5. Configuring the servers connected to the PortShield interfaces X9 and X10. The servers connected to the interfaces X9 and X10 should be configured with the IP addresses within the Transparent Range. The default gateway could either be the upstream ISP router address or the SonicWall WAN interface IP. Once the servers are configured appropriately they will be able to go online with the IP address assigned to them without being NAT'ed.

    At the moment, if you need to reach the servers with the IP addresses assigned to them from the WAN side of the SonicWall, please navigate to Firewall | Access Rules page.

    • Select the Matrix radio button.
    • Select from WAN to DMZ.
    • Click the Add button.
  6. Check the configuration from the WAN side. Ping Server 3.3.3.3 connected to X10.