Best Of
Migration from Sophos XG "Failed to upload configuration file."
On Sophos XG135, I have a menu "backup/restore" where I can back up a password-protected configuration and another menu "import/export" where I am unsure whether the config or something related to the API is being exported. Under backup/restore I get a file without an extension, and under import/export I get a tar file containing an XML, a JSON and the certificates.
In the migration tool, the migration fails with both files with the error below:
Failed to upload configuration file.
Re: Migration from Sophos XG "Failed to upload configuration file."
It's just a hunch, but I assume you're trying to migrate from a Sophos to a SonicWall firewall?
The Release Notes do not show any details about which Sophos versions are supported, but there was an Issue ID mentioned (DEVT-3102), which should be addressed with Support.
—Michael@BWC
Re: Linksys Router E1200 Behind Sonic TZ670
The metric is only a synthetic value between 1 and 20, used for cost calculation, i.e. you can have multiple routes to a destination via different "COST" links, e.g.:
A 1GB leased line circuit (metric 1) vs a slower VPN (metric 3) vs a 4G link (metric 10)
Metric: 1. This is for highest priority; any number between 1 and 20 can be used. The lower the number, the higher the priority.
Re: NAT access is not possible with Multiple IP address WAN
I've never attempted multiple PPPoE logins on the same interface, so I'm not sure what it would look like. That screenshot looks to me like the PPPoE is untagged and then there are VLANs on top of it.
Re: IPSec VPN keeps dropping after 60 minutes.
Hmmm, it might be no coincidence that your Phase 2 lifetime has the exact value at which the problem occurs.
It could be either that both sides are not in sync with their time settings, or maybe the multi-proposal offering of your Splicecom connection is causing trouble when rekeying P2. It does not have trouble for the initial SA.
Can you convince the peer admin to configure AES256 only?
—Michael@BWC
Re: IPSec VPN keeps dropping after 60 minutes.
Hi @NathanFS, what are your settings for Phase 1 and Phase 2 lifetime?
The peer is probably pushing multiple proposals, but this does not seem to be the issue 60 minutes in.
—Michael@BWC
Re: TZ670 - Control Plane Flood Protection Threshold Exceeded
Maybe @MustafaA or @Community Manager could shed some light on how this feature actually functions.
The log entry is just a warning; it doesn't indicate anything bad is happening. It's not that it doesn't matter: if this was constantly being logged, then something would be up. Our standard is protection enabled at a 65% threshold, and we see this warning regularly, not constantly. I figured 65% provides enough buffer either way the feature functions.
Re: TZ670 - Control Plane Flood Protection Threshold Exceeded
The entire point of this feature is to protect the control plane from being overwhelmed with non-control traffic and slowing the system management functions down.
My understanding is that when the log entry is generated, the control plane is dropping non-control traffic because the amount of non-control traffic on the control plane reached the remainder (25% of the control plane) of the specified threshold (75%), right?
AFAIK there is no historic control plane data in the UI (and no way to obtain core-specific data via SNMP), and the only real way to see usage is on the System Dashboard under 'System Status \ Management Plane'.
The log entry is stating it's protecting management functions, and Support's suggestion is to INCREASE the threshold (in theory reducing the allowed amount of non-control traffic). Wait, wouldn't that also increase the number of times we see the log entry (since we're only allowing the remainder and are already hitting it with a lower threshold)?
So really I don't think this setting is clear, nor does it function the way it's understood to. I think the threshold is actually the usage amount of non-control traffic allowed to hit the control plane, so 75% means up to 75% usage of the control plane is allowed for non-control data.
Anyone else agree?
Re: TZ670 - Control Plane Flood Protection Threshold Exceeded
The TZ670 is rated for 5.0Gbps without DPI-SSL.
That's aggregate throughput when every physical interface is in use [e.g. 5 WANs and 5 LANs]. Don't expect to see those numbers in real life [real life = 1 LAN and 2 WANs, for example].
I am not 100% clear on what control plane traffic is. I assume using the management interface, pinging the firewall, and fetching stats with SNMP would all count. But that wouldn't scale linearly with payload throughput. One example of "using the management interface" would be leaving SSH management enabled on WAN with no access control. Then it's being "used" whether you like it or not.
Finally, if you're not actually having issues, then maybe it doesn't matter :)
Re: SonicWall NetExtender 10.3.0 Linux client (equivalent --always-trust like 10.2.850 version?)
"but I can't add it on the Linux side because I don't know the password to it"
You don't need the password; certificates don't have one. Only the private key is sometimes protected by a password.
The part that should be added to the CA store is the public part, the certificate, and it is always sent to the client over an unencrypted channel in the first part of establishing an SSL/TLS connection.
You can save that cert into a file using openssl:
openssl s_client -showcerts -connect server_address:443 -servername server_address </dev/null 2>/dev/null | openssl x509 -outform PEM > server_cert.pem
You can then check the downloaded certificate's details with openssl too:
openssl x509 -in server_cert.pem -noout -text
In that way you can download the certificate sent by any server during the SSL/TLS handshake.
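Added example, not part of the answer above and not SonicWall or NetExtender code: a small POSIX shell script that does what the answer describes and goes one step further. Piping `openssl s_client -showcerts` into `openssl x509` keeps only the first certificate in the input, i.e. the server's leaf certificate; when the server sends a chain, the certificate you actually want in the CA store is usually the issuing CA that follows it. The script splits the whole chain into one PEM file per certificate and prints each one's subject, issuer, SHA-256 fingerprint and CA flag so you can pick the right one. It assumes `openssl` 1.1.1 or newer is on PATH; the function names `fetch_chain`, `split_chain` and `describe`, the output file naming and the placeholder host `vpn.example.com` are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, not SonicWall/NetExtender code).
# Assumes: openssl 1.1.1+ on PATH. fetch_chain, split_chain and describe are
# names chosen here for illustration.

# fetch_chain HOST [PORT]: print the handshake output, including every
# certificate the server sent (needs network access).
fetch_chain() {
    host="$1"
    port="${2:-443}"
    openssl s_client -showcerts -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null
}

# split_chain INPUT OUTDIR: write OUTDIR/cert-1.pem, cert-2.pem, ... in the
# order the server sent them, and print how many certificates were found.
# Lines outside BEGIN/END CERTIFICATE markers (s_client chatter) are dropped.
split_chain() {
    in="$1"
    out="$2"
    mkdir -p "$out"
    awk -v out="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$in"
}

# describe PEM: subject, issuer, SHA-256 fingerprint, and whether
# basicConstraints marks it as a CA. Compare the fingerprint with the
# firewall admin before trusting it (what you fetched is trust-on-first-use).
describe() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
    if openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null \
        | grep -q 'CA:TRUE'; then
        echo "is_ca=yes"
    else
        echo "is_ca=no"
    fi
}

# Typical use (needs network access, so it is not run automatically):
#   fetch_chain vpn.example.com > chain.txt        # placeholder host
#   n=$(split_chain chain.txt ./chain)
#   i=1
#   while [ "$i" -le "$n" ]; do
#       describe "./chain/cert-$i.pem"; echo
#       i=$((i + 1))
#   done
```

The certificate to install is the one with `is_ca=yes` whose subject matches the issuer printed for `cert-1.pem` (the leaf). Once you have confirmed its fingerprint out of band, copy it into the distribution's trust store: on Debian/Ubuntu, `/usr/local/share/ca-certificates/<name>.crt` followed by `update-ca-certificates`; on RHEL/Fedora, `/etc/pki/ca-trust/source/anchors/` followed by `update-ca-trust`.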