Sonicwall NSA Firewall Placement

Posted on 2009-02-20
Last Modified: 2013-11-16
I'm new to the firewall placement scene and I had a few questions regarding physical network placement.

We need to place a Sonicwall NSA 3500 appliance (gateway av, network av, content filter, firewall, etc) in our network.
Where on the network is a firewall physically placed?  Does it go between the smart jacks and internet router or does it go after (behind) the internet router?  How can we make sure that an efficient and effective method is being utilized in connecting the LAN and WAN to the firewall?  Is there any method of placement that may cause a bottleneck or other issues?

Currently we have the following setup.  Sorry for the amateur doodling.

INTERNET ======> INTERNET ROUTER (cisco 2600) ======> 4 SWITCHES -----------------+
                                                          ||                      |
                                                          ||                      |
Branch 1 ======> WAN ROUTER (branch router) ======> OLD SONICWALL PRO3060         |
                   ^     ^                                |                       |
    Branch 2 <=====||    ||=====> Branch 3                +------- VPN ROUTER ----+
Question by:MightyMikey

    Accepted Solution

    You will want to place it at the "perimeter" (the external edge leading to the Internet).  Using your ASCII topology map (Visio takes too long to draw anyways), place it between the INTERNET and INTERNET ROUTER (cisco 2600) or between the INTERNET ROUTER (cisco 2600) and the 4 SWITCHES.  I'd recommend between the INTERNET and INTERNET ROUTER (cisco 2600).

    The idea is to have it catch and block things before they have a chance to touch anything (even network hardware - routers and switches can be hacked).  In fact, as far as topology goes, if you keep the SonicWALL PRO3060 you can have a nice and quaint DMZ going between the two SonicWALLs, allowing you to have external-facing services (such as a web server) in the DMZ without jeopardizing your internal network.

    Author Comment

    The idea was to replace our current existing firewall since licensing is expiring for it soon, but come to think of it, we are going to launch a webserver soon too.  If we were to replace our current firewall by adding the new one before our internet router, would it still be secure to host websites and email?

    Assisted Solution

    Best practice when it comes to web servers is to "sandwich" them between two firewalls, like so:

    { INTERNET }  ~~~~~~~ FIREWALL---------Web Server----------FIREWALL-------{Internal Network}

    The space between the two firewalls is what is known as the DMZ, or the Demilitarized Zone.  In a nutshell, it is a buffer zone where external-facing services (i.e. web) are more easily accessible to the Internet.  In terms of security, the DMZ will isolate the web server from the rest of the internal network so that in the event the web server is ever compromised and/or taken over, the internal network still has protection and isn't completely exposed to further attack (this is due to the second firewall between the web server and the internal network).  Servers in the DMZ will commonly be set in their own subnet/zone, and if a server were to be compromised, the attacker still has to break through the second firewall to reach the internal network's subnet/zone.  Traffic inside the internal network will be free to frolic with significantly reduced risk of snooping, poisoning, or general cracking/hacking.

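The sandwich policy described in the answer above, as an added example that is not part of the original thread and not SonicWall's own configuration: a zone policy evaluated offline with first-match, default-deny semantics, the weaker single-firewall layout the author asked about (web server published straight from the internal segment) beside it, and a rendering of the DMZ policy to an nftables forward chain. The zone names, the subnets (RFC 5737 documentation and RFC 1918 ranges), the "wan" interface name, the web server and file server addresses and the port lists are all assumptions chosen for illustration.

```python
"""
Two-firewall DMZ "sandwich" as a zone policy that can be checked offline.

Added example, not code from the original post or from SonicWall.  Zone names,
subnets, the "wan" interface name, host addresses and port lists are
assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing.  The DMZ is its own subnet, as the answer recommends.
ZONES = {
    "WAN": ip_network("0.0.0.0/0"),        # catch-all for anything not below
    "DMZ": ip_network("192.0.2.0/24"),     # web server segment (assumed)
    "LAN": ip_network("10.0.0.0/8"),       # internal network (assumed)
}


@dataclass(frozen=True)
class Rule:
    src: str            # source zone
    dst: str            # destination zone
    ports: frozenset    # TCP destination ports; empty = any port
    action: str         # "allow" or "deny"


# Sandwich design: the outer firewall admits only web traffic into the DMZ, the
# inner firewall admits nothing from the DMZ into the LAN.  First match wins;
# anything unmatched is denied by evaluate().
DMZ_POLICY = [
    Rule("WAN", "DMZ", frozenset({80, 443}), "allow"),
    Rule("DMZ", "LAN", frozenset(),          "deny"),   # a popped web server cannot pivot
    Rule("LAN", "DMZ", frozenset({22, 443}), "allow"),  # admin access from inside
    Rule("LAN", "WAN", frozenset(),          "allow"),
    Rule("DMZ", "WAN", frozenset({80, 443}), "allow"),  # updates only
]

# The weaker alternative the author asked about: one firewall, web server on
# the internal segment and published straight through to it.
FLAT_POLICY = [
    Rule("WAN", "LAN", frozenset({80, 443}), "allow"),
    Rule("LAN", "WAN", frozenset(),          "allow"),
]


def zone_of(addr: str) -> str:
    """Map an IP to its zone; the most specific prefix wins, so WAN is last."""
    ip = ip_address(addr)
    for name, net in sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if ip in net:
            return name
    raise ValueError(f"no zone for {addr}")


def evaluate(policy, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with default deny.  Same-zone traffic never
    crosses a firewall (a switch forwards it), so it is reported as 'allow'."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"
    for r in policy:
        if r.src == src and r.dst == dst and (not r.ports or dport in r.ports):
            return r.action
    return "deny"


def pivot_ports(policy, attacker_ip: str, victim_ip: str, ports=range(1, 1025)) -> list:
    """Ports an attacker holding attacker_ip can reach on victim_ip.  An empty
    list means every probed port is blocked by a firewall between them."""
    return [p for p in ports if evaluate(policy, attacker_ip, victim_ip, p) == "allow"]


def to_nftables(policy, table: str = "perimeter") -> str:
    """Render the policy as an nftables forward chain with policy drop.  WAN is
    matched by interface name, the other zones by subnet."""
    def match(zone, io):
        if zone == "WAN":
            return f'{io}ifname "wan"'
        return f"ip {'saddr' if io == 'i' else 'daddr'} {ZONES[zone]}"

    lines = [f"table inet {table} {{", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        ports = f" tcp dport {{ {', '.join(str(p) for p in sorted(r.ports))} }}" if r.ports else ""
        verb = "accept" if r.action == "allow" else "drop"
        lines.append(f"    {match(r.src, 'i')} {match(r.dst, 'o')}{ports} {verb}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    web_dmz, web_flat, fileserver = "192.0.2.10", "10.0.0.10", "10.0.0.20"   # assumed hosts
    print("DMZ design, web server -> file server:", pivot_ports(DMZ_POLICY, web_dmz, fileserver))
    print("Flat design, web server -> file server:", pivot_ports(FLAT_POLICY, web_flat, fileserver)[:5], "...")
    print(to_nftables(DMZ_POLICY))
```

The check that matters is `pivot_ports` from the DMZ web server to a LAN host: under the sandwich policy it returns nothing, because the inner firewall's DMZ-to-LAN deny sits between them, while under the flat layout it returns every probed port, because the web server and the file server share a segment and no firewall is crossed at all. The nftables output is one way to express the same rules on a Linux box; on the appliance the equivalent is its zone-to-zone access rules, which this thread does not go into.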
    Author Closing Comment

    Thanks again!
