Best Of
Re: I have a feeling most people are configuring their SW's incorrectly
DPI and DPI-SSL are different things. DPI is what gives you all the Next-Gen Firewall features and should be enabled if you want to utilize the security services.
DPI-SSL is broadening this to SSL encrypted traffic and requires a cert in each device. So it could be said that using DPI-SSL will make it possible to inspect 90+% of traffic, only using DPI about half if that, and if you disable DPI altogether you aren't doing any deep packet inspection and are only using the firewall as a packet filter.
If you would do that then there isn't much sense using a Next-Gen firewall at all and you could just use some open source packet filter firewall.
Turning on "performance optimizations" or "enhanced security" affects low risk threat inspection. More speed if you don't care about low risk threats.
Re: Packet Port Number Changes on Playstation Network
Solution:
Was to raise the NAT rule priority! Something SW techs didn't even come up with.
Re: About replace "NSA2600 single (OS 6.5.4)" to "NSA2700 HA (OS 7.0)"
@Siuren no worries, it's simpler than you might think.
- Just make sure that the NSA 2600 is running on a Firmware that is supported by the Migration tool.
- Update the new NSa 2700 to 7.0.1-5145, which is officially supported by the Migration Tool
- convert the Configuration with the Migration Tool
- Import the Configuration into your NSa 2700
- Update the NSa 2700 to 7.0.1-5161 (7.1.2 is still very buggy)
- make the few additional changes for the HA configuration
It's a pretty straightforward task.
—Michael@BWC
Re: SonicWALL TZ 215 - Configuring second public IP address from different subnet
Can you configure your new network on a second WAN interface and have the DC remote hands plug that in for you?
Sonicwall does not support alias IPs either at all or in any straightforward way, so this is probably going to be your best approach long-term.
Re: Forward Lookup "Zones" for IP's Domains through a VPN Connection - TZ470
Have you confirmed this yourself with a packet capture? Plain-old DNS is unencrypted, so it is easy to troubleshoot with Wireshark.
Re: Best Practices for Securing Network Traffic
No expert in gaming here but I would think they have SSL MITM countermeasures in place to prevent the use of tools for cheating, so games may not work with DPI-SSL.
Re: Site to Site VPN - expected performance?
Try iperf2 instead of iperf3 and you might see better results, as iperf3 is single-threaded so you might be hitting your CPU cap before network limits.
This seems unlikely to me. iperf uses next to no CPU, the OP would have to be using hardware from a previous millennium to be hitting a CPU limit at <30Mbps. On this 10yo laptop I am using, the CPU usage of iperf 2 and 3 disappears into the background noise. You can pass -V to iperf3 to summarise CPU usage at the end.
Re: Sonicwall support is useless
There was a webinar for SonicWall partners more than a year ago (should still be in SW University) that contained instructions on how to work with Support. It kind of up-ended a lot of what I thought I knew about the process. It also made me realize that "the powers that be" have no clue about what we have to deal with.
Best solution I've found so far:
Create the email case and attach all the relevant documentation (which you have manually put together because there's no automation to do it). Yes, that's right, 7 files from disparate screens and locations.
Wait a few minutes, call Support, and provide the case number the email created - then wait for the appropriately assigned queue technician to answer.
Accept the request for a remote session and insist on re-sending all the documentation.
Humble yourself, acknowledge that you don't know the answer, wait patiently while they go through their script, click through your screens, take a backup, and - whatever you do, DO NOT let them change settings - and when the results seem hopeless, ask that the issue be raised to a higher level of support.
After a week or so, someone with some sense should pick up on the problem.
I'm not saying this approach will fix the problem you have. It is merely designed to keep your frustration level at a realistic minimum.
The only alternative is to NOT use SonicWall products - but then you're gonna have to deal with another vendor's mishegas.
Re: Connect non-SonicWall AP to TZ
@theroncooper you can attach any AP, they just will not be provisioned by the Firewall, but that's IMHO totally fine.
If you decide to place the AP in a Zone of Security Type "Wireless" just make sure that the option "Only allow traffic generated by a SonicPoint/SonicWave" is disabled, otherwise you should be good to go.
—Michael@BWC
Re: Block a Website with Access Rule
Does your FQDN object hold any IP addresses? If not, it does not get populated and is useless for the Access Rule.
If you're using wildcard objects, e.g. *.domain.com, the Firewall needs to see the DNS traffic to catch the response. This does not work if you are using something like DoH etc. Another possible reason could be that you have not activated the option "dns host name lookup over tcp for fqdn" and the response over UDP got truncated.
—Michael
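Added illustration of the two failure cases in the reply above (not code from the post or from SonicWall): a wildcard FQDN object only fills with the addresses found in DNS replies the firewall actually observes, so DoH (no visible reply) leaves it empty, and a reply with the TC bit set contributes nothing unless the TCP lookup option is on. The reply builder, the `populate_fqdn_object` model and the 192.0.2.x addresses are constructed for the example; the "take the truncated reply as the TCP answer" shortcut is a simplification of the real retry.

```python
import struct
from fnmatch import fnmatch

def encode_name(name):
    """Dotted hostname -> uncompressed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_a_response(name, addrs, truncated=False):
    """Constructed sample reply (not a capture): one A record per address."""
    flags = 0x8180 | (0x0200 if truncated else 0)           # QR, RD, RA (+TC)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b"".join(encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes(int(o) for o in a.split(".")) for a in addrs)
    return hdr + question + answers

def decode_name(buf, off):
    """Read uncompressed labels at off; return (name, offset past them)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode())
        off += 1 + buf[off]
    return ".".join(labels), off + 1

def parse_a_response(buf):
    """Return (tc_bit_set, {owner name: [IPv4 strings]}) from a reply."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
    off, found = 12, {}
    for _ in range(qd):
        off = decode_name(buf, off)[1] + 4               # skip qtype/qclass
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", buf, off)
        if rtype == 1:                                   # A record
            found.setdefault(name, []).append(".".join(map(str, buf[off + 10:off + 14])))
        off += 10 + rdlen
    return bool(flags & 0x0200), found

def populate_fqdn_object(pattern, replies, tcp_lookup=False):
    """IPs a wildcard FQDN object learns from the DNS replies the firewall sees;
    a truncated UDP reply counts only when the TCP lookup option is enabled."""
    ips = set()
    for reply in replies:
        truncated, found = parse_a_response(reply)
        if truncated and not tcp_lookup:
            continue
        for name, addrs in found.items():
            if fnmatch(name, pattern):                   # *.domain.com style match
                ips.update(addrs)
    return sorted(ips)
```

An empty `replies` list (the DoH case, where the firewall sees only HTTPS to the resolver) returns an empty object, which is exactly why the Access Rule then matches nothing.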