By default, the TZ 190 locks down your network. All traffic from the Internet to the LAN is denied by the stateful packet inspection firewall unless an Access Rule is created to allow it. Opening ports on the firewall is relatively easy with the Public Server Wizard, which walks you through three simple steps for access to various services on your network. Using this wizard, I was able to easily open the firewall for SSH, VNC and Terminal Services access to servers on my network.
Once an Access Rule is added, either manually or with the wizard, a NAT policy is created. A NAT policy is the mapping of origination IP addresses and ports to destination IP addresses. The SonicWALL OS allows the creation of 512 different NAT policies. NAT policies are important to understand, as deleting a Firewall Access Rule requires you first delete the NAT policy.
The concepts of Zones and Address Objects are also key to understanding SonicWALL security. Zones are a nice way to control traffic between interfaces. Interfaces can be grouped into Zones, and then traffic types can be allowed or blocked between those Zones. For example, the default Zone configuration blocks wireless LAN clients from accessing clients or devices on the wired LAN. Enabling access from the WLAN to the LAN can be accomplished by changing the default Firewall Access Rule from Deny to Allow for traffic from the WLAN to the LAN; see below.
Figure 14: Zone Access Rules
Address Objects are efficient configuration tools for the network administrator, allowing you to name key devices on your network and then select them in drop-down configuration lists throughout the SonicWALL OS. I set up an Address Object naming my VoIP Server as below, making Access Rule configurations more intuitive.